xref: /linux/net/wireless/nl80211.c (revision b74e71b6a986650ea04d99ef443c6b3b18da52c5) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <linux/random.h>
25 #include <net/net_namespace.h>
26 #include <net/genetlink.h>
27 #include <net/cfg80211.h>
28 #include <net/sock.h>
29 #include <net/inet_connection_sock.h>
30 #include "core.h"
31 #include "nl80211.h"
32 #include "reg.h"
33 #include "rdev-ops.h"
34 
35 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
36 				   struct genl_info *info,
37 				   struct cfg80211_crypto_settings *settings,
38 				   int cipher_limit);
39 
40 /* the netlink family */
41 static struct genl_family nl80211_fam;
42 
43 /* multicast groups */
44 enum nl80211_multicast_groups {
45 	NL80211_MCGRP_CONFIG,
46 	NL80211_MCGRP_SCAN,
47 	NL80211_MCGRP_REGULATORY,
48 	NL80211_MCGRP_MLME,
49 	NL80211_MCGRP_VENDOR,
50 	NL80211_MCGRP_NAN,
51 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
52 };
53 
54 static const struct genl_multicast_group nl80211_mcgrps[] = {
55 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
56 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
57 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
58 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
59 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
60 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
61 #ifdef CONFIG_NL80211_TESTMODE
62 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
63 #endif
64 };
65 
66 /* returns ERR_PTR values */
67 static struct wireless_dev *
68 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
69 			   struct net *netns, struct nlattr **attrs)
70 {
71 	struct wireless_dev *result = NULL;
72 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
73 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
74 	u64 wdev_id = 0;
75 	int wiphy_idx = -1;
76 	int ifidx = -1;
77 
78 	if (!have_ifidx && !have_wdev_id)
79 		return ERR_PTR(-EINVAL);
80 
81 	if (have_ifidx)
82 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
83 	if (have_wdev_id) {
84 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
85 		wiphy_idx = wdev_id >> 32;
86 	}
87 
88 	if (rdev) {
89 		struct wireless_dev *wdev;
90 
91 		lockdep_assert_held(&rdev->wiphy.mtx);
92 
93 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
94 			if (have_ifidx && wdev->netdev &&
95 			    wdev->netdev->ifindex == ifidx) {
96 				result = wdev;
97 				break;
98 			}
99 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
100 				result = wdev;
101 				break;
102 			}
103 		}
104 
105 		return result ?: ERR_PTR(-ENODEV);
106 	}
107 
108 	ASSERT_RTNL();
109 
110 	for_each_rdev(rdev) {
111 		struct wireless_dev *wdev;
112 
113 		if (wiphy_net(&rdev->wiphy) != netns)
114 			continue;
115 
116 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
117 			continue;
118 
119 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
120 			if (have_ifidx && wdev->netdev &&
121 			    wdev->netdev->ifindex == ifidx) {
122 				result = wdev;
123 				break;
124 			}
125 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
126 				result = wdev;
127 				break;
128 			}
129 		}
130 
131 		if (result)
132 			break;
133 	}
134 
135 	if (result)
136 		return result;
137 	return ERR_PTR(-ENODEV);
138 }
139 
140 static struct cfg80211_registered_device *
141 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
142 {
143 	struct cfg80211_registered_device *rdev = NULL, *tmp;
144 	struct net_device *netdev;
145 
146 	ASSERT_RTNL();
147 
148 	if (!attrs[NL80211_ATTR_WIPHY] &&
149 	    !attrs[NL80211_ATTR_IFINDEX] &&
150 	    !attrs[NL80211_ATTR_WDEV])
151 		return ERR_PTR(-EINVAL);
152 
153 	if (attrs[NL80211_ATTR_WIPHY])
154 		rdev = cfg80211_rdev_by_wiphy_idx(
155 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
156 
157 	if (attrs[NL80211_ATTR_WDEV]) {
158 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
159 		struct wireless_dev *wdev;
160 		bool found = false;
161 
162 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
163 		if (tmp) {
164 			/* make sure wdev exists */
165 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
166 				if (wdev->identifier != (u32)wdev_id)
167 					continue;
168 				found = true;
169 				break;
170 			}
171 
172 			if (!found)
173 				tmp = NULL;
174 
175 			if (rdev && tmp != rdev)
176 				return ERR_PTR(-EINVAL);
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (attrs[NL80211_ATTR_IFINDEX]) {
182 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
183 
184 		netdev = __dev_get_by_index(netns, ifindex);
185 		if (netdev) {
186 			if (netdev->ieee80211_ptr)
187 				tmp = wiphy_to_rdev(
188 					netdev->ieee80211_ptr->wiphy);
189 			else
190 				tmp = NULL;
191 
192 			/* not wireless device -- return error */
193 			if (!tmp)
194 				return ERR_PTR(-EINVAL);
195 
196 			/* mismatch -- return error */
197 			if (rdev && tmp != rdev)
198 				return ERR_PTR(-EINVAL);
199 
200 			rdev = tmp;
201 		}
202 	}
203 
204 	if (!rdev)
205 		return ERR_PTR(-ENODEV);
206 
207 	if (netns != wiphy_net(&rdev->wiphy))
208 		return ERR_PTR(-ENODEV);
209 
210 	return rdev;
211 }
212 
213 /*
214  * This function returns a pointer to the driver
215  * that the genl_info item that is passed refers to.
216  *
217  * The result of this can be a PTR_ERR and hence must
218  * be checked with IS_ERR() for errors.
219  */
220 static struct cfg80211_registered_device *
221 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
222 {
223 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
224 }
225 
226 static int validate_beacon_head(const struct nlattr *attr,
227 				struct netlink_ext_ack *extack)
228 {
229 	const u8 *data = nla_data(attr);
230 	unsigned int len = nla_len(attr);
231 	const struct element *elem;
232 	const struct ieee80211_mgmt *mgmt = (void *)data;
233 	const struct ieee80211_ext *ext;
234 	unsigned int fixedlen, hdrlen;
235 	bool s1g_bcn;
236 
237 	if (len < offsetofend(typeof(*mgmt), frame_control))
238 		goto err;
239 
240 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
241 	if (s1g_bcn) {
242 		ext = (struct ieee80211_ext *)mgmt;
243 		fixedlen =
244 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
245 			ieee80211_s1g_optional_len(ext->frame_control);
246 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
247 	} else {
248 		fixedlen = offsetof(struct ieee80211_mgmt,
249 				    u.beacon.variable);
250 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
251 	}
252 
253 	if (len < fixedlen)
254 		goto err;
255 
256 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
257 		goto err;
258 
259 	data += fixedlen;
260 	len -= fixedlen;
261 
262 	for_each_element(elem, data, len) {
263 		/* nothing */
264 	}
265 
266 	if (for_each_element_completed(elem, data, len))
267 		return 0;
268 
269 err:
270 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
271 	return -EINVAL;
272 }
273 
274 static int validate_ie_attr(const struct nlattr *attr,
275 			    struct netlink_ext_ack *extack)
276 {
277 	const u8 *data = nla_data(attr);
278 	unsigned int len = nla_len(attr);
279 	const struct element *elem;
280 
281 	for_each_element(elem, data, len) {
282 		/* nothing */
283 	}
284 
285 	if (for_each_element_completed(elem, data, len))
286 		return 0;
287 
288 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
289 	return -EINVAL;
290 }
291 
292 static int validate_he_capa(const struct nlattr *attr,
293 			    struct netlink_ext_ack *extack)
294 {
295 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
296 		return -EINVAL;
297 
298 	return 0;
299 }
300 
301 static int validate_supported_selectors(const struct nlattr *attr,
302 					struct netlink_ext_ack *extack)
303 {
304 	const u8 *supported_selectors = nla_data(attr);
305 	u8 supported_selectors_len = nla_len(attr);
306 
307 	/* The top bit must not be set as it is not part of the selector */
308 	for (int i = 0; i < supported_selectors_len; i++) {
309 		if (supported_selectors[i] & 0x80)
310 			return -EINVAL;
311 	}
312 
313 	return 0;
314 }
315 
316 static int validate_nan_cluster_id(const struct nlattr *attr,
317 				   struct netlink_ext_ack *extack)
318 {
319 	const u8 *data = nla_data(attr);
320 	unsigned int len = nla_len(attr);
321 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
322 
323 	if (len != ETH_ALEN) {
324 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
325 		return -EINVAL;
326 	}
327 
328 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
329 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
330 		return -EINVAL;
331 	}
332 
333 	return 0;
334 }
335 
336 static int validate_nan_avail_blob(const struct nlattr *attr,
337 				   struct netlink_ext_ack *extack)
338 {
339 	const u8 *data = nla_data(attr);
340 	unsigned int len = nla_len(attr);
341 	u16 attr_len;
342 
343 	/* Need at least: Attr ID (1) + Length (2) */
344 	if (len < 3) {
345 		NL_SET_ERR_MSG_FMT(extack,
346 				   "NAN Availability: Too short (need at least 3 bytes, have %u)",
347 				   len);
348 		return -EINVAL;
349 	}
350 
351 	if (data[0] != 0x12) {
352 		NL_SET_ERR_MSG_FMT(extack,
353 				   "NAN Availability: Invalid Attribute ID 0x%02x (expected 0x12)",
354 				   data[0]);
355 		return -EINVAL;
356 	}
357 
358 	attr_len = get_unaligned_le16(&data[1]);
359 
360 	if (attr_len != len - 3) {
361 		NL_SET_ERR_MSG_FMT(extack,
362 				   "NAN Availability: Length field (%u) doesn't match data length (%u)",
363 				   attr_len, len - 3);
364 		return -EINVAL;
365 	}
366 
367 	return 0;
368 }
369 
370 static int validate_nan_ulw(const struct nlattr *attr,
371 			    struct netlink_ext_ack *extack)
372 {
373 	const u8 *data = nla_data(attr);
374 	unsigned int len = nla_len(attr);
375 	unsigned int pos = 0;
376 
377 	while (pos < len) {
378 		u16 attr_len;
379 
380 		/* Need at least: Attr ID (1) + Length (2) */
381 		if (pos + 3 > len) {
382 			NL_SET_ERR_MSG_FMT(extack,
383 					   "ULW: Incomplete header (need 3 bytes, have %u)",
384 					   len - pos);
385 			return -EINVAL;
386 		}
387 
388 		if (data[pos] != 0x17) {
389 			NL_SET_ERR_MSG_FMT(extack,
390 					   "ULW: Invalid Attribute ID 0x%02x (expected 0x17)",
391 					   data[pos]);
392 			return -EINVAL;
393 		}
394 		pos++;
395 
396 		/* Length is in little-endian format */
397 		attr_len = get_unaligned_le16(&data[pos]);
398 		pos += 2;
399 
400 		/*
401 		 * Check if length is one of the valid values: 16 (no
402 		 * channel/band entry included), 18 (band entry included),
403 		 * 21 (channel entry included without Auxiliary channel bitmap),
404 		 * or 23 (channel entry included with Auxiliary channel bitmap).
405 		 */
406 		if (attr_len != 16 && attr_len != 18 && attr_len != 21 &&
407 		    attr_len != 23) {
408 			NL_SET_ERR_MSG_FMT(extack,
409 					   "ULW: Invalid length %u (must be 16, 18, 21, or 23)",
410 					   attr_len);
411 			return -EINVAL;
412 		}
413 
414 		if (pos + attr_len > len) {
415 			NL_SET_ERR_MSG_FMT(extack,
416 					   "ULW: Length field (%u) exceeds remaining data (%u)",
417 					   attr_len, len - pos);
418 			return -EINVAL;
419 		}
420 
421 		pos += attr_len;
422 	}
423 
424 	return 0;
425 }
426 
427 static int validate_uhr_capa(const struct nlattr *attr,
428 			     struct netlink_ext_ack *extack)
429 {
430 	const u8 *data = nla_data(attr);
431 	unsigned int len = nla_len(attr);
432 
433 	if (!ieee80211_uhr_capa_size_ok(data, len, false))
434 		return -EINVAL;
435 	return 0;
436 }
437 
438 static int validate_uhr_operation(const struct nlattr *attr,
439 				  struct netlink_ext_ack *extack)
440 {
441 	const u8 *data = nla_data(attr);
442 	unsigned int len = nla_len(attr);
443 
444 	if (!ieee80211_uhr_oper_size_ok(data, len, false))
445 		return -EINVAL;
446 	return 0;
447 }
448 
449 /* policy for the attributes */
450 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
451 
452 static const struct nla_policy
453 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
454 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
455 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
456 					.len = U8_MAX },
457 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
458 					     .len = U8_MAX },
459 };
460 
461 static const struct nla_policy
462 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
463 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
464 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
465 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
466 		NLA_POLICY_MAX(NLA_U8, 15),
467 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
468 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
469 		NLA_POLICY_MAX(NLA_U8, 15),
470 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
471 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
472 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
473 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
474 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
475 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
476 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
477 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
478 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
479 	[NL80211_PMSR_FTM_REQ_ATTR_MIN_TIME_BETWEEN_MEASUREMENTS] = {
480 		.type = NLA_U32
481 	},
482 	[NL80211_PMSR_FTM_REQ_ATTR_MAX_TIME_BETWEEN_MEASUREMENTS] = {
483 		.type = NLA_U32
484 	},
485 	[NL80211_PMSR_FTM_REQ_ATTR_NOMINAL_TIME] = { .type = NLA_U32 },
486 	[NL80211_PMSR_FTM_REQ_ATTR_AW_DURATION] = NLA_POLICY_MAX(NLA_U32, 255),
487 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_MEASUREMENTS] = { .type = NLA_U32 },
488 	[NL80211_PMSR_FTM_REQ_ATTR_INGRESS] = { .type = NLA_U64 },
489 	[NL80211_PMSR_FTM_REQ_ATTR_EGRESS] = { .type = NLA_U64 },
490 	[NL80211_PMSR_FTM_REQ_ATTR_PD_SUPPRESS_RESULTS] = { .type = NLA_FLAG },
491 };
492 
493 static const struct nla_policy
494 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
495 	[NL80211_PMSR_TYPE_FTM] =
496 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
497 };
498 
499 static const struct nla_policy
500 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
501 	[NL80211_PMSR_REQ_ATTR_DATA] =
502 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
503 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
504 };
505 
506 static const struct nla_policy
507 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
508 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
509 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
510 	[NL80211_PMSR_PEER_ATTR_REQ] =
511 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
512 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
513 	[NL80211_PMSR_PEER_ATTR_REQ_TYPE] =
514 		NLA_POLICY_MAX(NLA_U32, NL80211_PMSR_FTM_REQ_TYPE_MAX),
515 };
516 
517 static const struct nla_policy
518 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
519 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
520 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
521 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
522 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
523 	[NL80211_PMSR_ATTR_PEERS] =
524 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
525 };
526 
527 static const struct nla_policy
528 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
529 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
530 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
531 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
532 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
533 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
534 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
535 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
536 		NLA_POLICY_EXACT_LEN(8),
537 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
538 		NLA_POLICY_EXACT_LEN(8),
539 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
540 };
541 
542 static const struct nla_policy
543 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
544 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
545 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
546 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
547 };
548 
549 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
550 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
551 				    .len = NL80211_MAX_SUPP_RATES },
552 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
553 				.len = NL80211_MAX_SUPP_HT_RATES },
554 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
555 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
556 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
557 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
558 						   NL80211_RATE_INFO_HE_GI_0_8,
559 						   NL80211_RATE_INFO_HE_GI_3_2),
560 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
561 						   NL80211_RATE_INFO_HE_1XLTF,
562 						   NL80211_RATE_INFO_HE_4XLTF),
563 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
564 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
565 						   NL80211_RATE_INFO_EHT_GI_0_8,
566 						   NL80211_RATE_INFO_EHT_GI_3_2),
567 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
568 						   NL80211_RATE_INFO_EHT_1XLTF,
569 						   NL80211_RATE_INFO_EHT_8XLTF),
570 
571 };
572 
573 static const struct nla_policy
574 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
575 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
576 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
577 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
578 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
579 	[NL80211_TID_CONFIG_ATTR_NOACK] =
580 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
581 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
582 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
583 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
584 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
585 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
586 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
587 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
588 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
589 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
590 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
591 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
592 			NLA_POLICY_NESTED(nl80211_txattr_policy),
593 };
594 
595 static const struct nla_policy
596 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
597 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
598 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
599 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
600 			NLA_POLICY_RANGE(NLA_BINARY,
601 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
602 					 IEEE80211_MAX_DATA_LEN),
603 };
604 
605 static const struct nla_policy
606 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
607 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
608 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
609 						       .len = IEEE80211_MAX_DATA_LEN }
610 };
611 
612 static const struct nla_policy
613 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
614 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
615 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
616 };
617 
618 static const struct nla_policy
619 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
620 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
621 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
622 };
623 
624 static const struct nla_policy
625 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
626 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
627 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
628 						NLA_POLICY_MIN(NLA_U8, 1),
629 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
630 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
631 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
632 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
633 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
634 };
635 
636 static const struct nla_policy
637 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
638 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
639 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
640 };
641 
642 static const struct nla_policy
643 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
644 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
645 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
646 				       IEEE80211_MAX_DATA_LEN),
647 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
648 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
649 				       IEEE80211_MAX_DATA_LEN),
650 };
651 
652 static const struct nla_policy
653 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
654 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
655 						      NUM_NL80211_BANDS - 1),
656 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
657 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
658 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
659 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
660 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
661 };
662 
663 static const struct nla_policy
664 nl80211_nan_peer_map_policy[NL80211_NAN_PEER_MAP_ATTR_MAX + 1] = {
665 	[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] = NLA_POLICY_MAX(NLA_U8, 15),
666 	[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS] =
667 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
668 };
669 
670 static const struct nla_policy
671 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
672 	[NL80211_NAN_CONF_CLUSTER_ID] =
673 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
674 				       ETH_ALEN),
675 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
676 					   .len = IEEE80211_MAX_DATA_LEN},
677 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
678 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
679 				       IEEE80211_MAX_DATA_LEN),
680 	[NL80211_NAN_CONF_BAND_CONFIGS] =
681 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
682 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
683 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
684 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
685 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
686 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
687 };
688 
689 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
690 	.min = 0,
691 	.max = 0xffff,
692 };
693 
694 static const struct netlink_range_validation q_range = {
695 	.max = INT_MAX,
696 };
697 
698 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
699 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
700 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
701 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
702 				      .len = 20-1 },
703 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
704 
705 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
706 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
707 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
708 						NL80211_EDMG_CHANNELS_MIN,
709 						NL80211_EDMG_CHANNELS_MAX),
710 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
711 						NL80211_EDMG_BW_CONFIG_MIN,
712 						NL80211_EDMG_BW_CONFIG_MAX),
713 
714 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
715 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
716 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
717 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
718 
719 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
720 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
721 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
722 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
723 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
724 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
725 
726 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
727 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
728 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
729 
730 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
731 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 
733 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
734 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
735 				    .len = WLAN_MAX_KEY_LEN },
736 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
737 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
738 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
739 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
740 	[NL80211_ATTR_KEY_TYPE] =
741 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
742 
743 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
744 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
745 	[NL80211_ATTR_BEACON_HEAD] =
746 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
747 				       IEEE80211_MAX_DATA_LEN),
748 	[NL80211_ATTR_BEACON_TAIL] =
749 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
750 				       IEEE80211_MAX_DATA_LEN),
751 	[NL80211_ATTR_STA_AID] =
752 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
753 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
754 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
755 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
756 					       .len = NL80211_MAX_SUPP_RATES },
757 	[NL80211_ATTR_STA_PLINK_ACTION] =
758 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
759 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
760 		NLA_POLICY_RANGE(NLA_U8,
761 				 NL80211_TX_POWER_AUTOMATIC,
762 				 NL80211_TX_POWER_FIXED),
763 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
764 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
765 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
766 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
767 				   .len = IEEE80211_MAX_MESH_ID_LEN },
768 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
769 
770 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
771 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
772 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
773 
774 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
775 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
776 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
777 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
778 					   .len = NL80211_MAX_SUPP_RATES },
779 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
780 
781 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
782 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
783 
784 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
785 
786 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
787 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
788 						   validate_ie_attr,
789 						   IEEE80211_MAX_DATA_LEN),
790 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
791 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
792 
793 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
794 				.len = IEEE80211_MAX_SSID_LEN },
795 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
796 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
797 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
798 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
799 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
800 						  NL80211_MFP_NO,
801 						  NL80211_MFP_OPTIONAL),
802 	[NL80211_ATTR_STA_FLAGS2] =
803 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
804 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
805 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
806 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
807 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
808 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
809 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
810 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
811 	[NL80211_ATTR_WPA_VERSIONS] =
812 		NLA_POLICY_RANGE(NLA_U32, 0,
813 				 NL80211_WPA_VERSION_1 |
814 				 NL80211_WPA_VERSION_2 |
815 				 NL80211_WPA_VERSION_3),
816 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
817 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
818 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
819 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
820 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
821 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
822 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
823 				 .len = IEEE80211_MAX_DATA_LEN },
824 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
825 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
826 						   NL80211_PS_DISABLED,
827 						   NL80211_PS_ENABLED),
828 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
829 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
830 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
831 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
832 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
833 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
834 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
835 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
836 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
837 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
838 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
839 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
840 	[NL80211_ATTR_STA_PLINK_STATE] =
841 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
842 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
843 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
844 	[NL80211_ATTR_MESH_PEER_AID] =
845 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
846 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
847 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
848 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
849 	[NL80211_ATTR_HIDDEN_SSID] =
850 		NLA_POLICY_RANGE(NLA_U32,
851 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
852 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
853 	[NL80211_ATTR_IE_PROBE_RESP] =
854 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
855 				       IEEE80211_MAX_DATA_LEN),
856 	[NL80211_ATTR_IE_ASSOC_RESP] =
857 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
858 				       IEEE80211_MAX_DATA_LEN),
859 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
860 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
861 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
862 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
863 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
864 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
865 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
866 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
867 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
868 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
869 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
870 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
871 				      .len = IEEE80211_MAX_DATA_LEN },
872 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
873 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
874 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
875 		.len = NL80211_HT_CAPABILITY_LEN
876 	},
877 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
878 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
879 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
880 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
881 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
882 
883 	/* need to include at least Auth Transaction and Status Code */
884 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
885 
886 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
887 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
888 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
889 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
890 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
891 		NLA_POLICY_RANGE(NLA_U32,
892 				 NL80211_MESH_POWER_UNKNOWN + 1,
893 				 NL80211_MESH_POWER_MAX),
894 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
895 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
896 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
897 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
898 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
899 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
900 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
901 		.len = NL80211_VHT_CAPABILITY_LEN,
902 	},
903 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
904 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
905 				  .len = IEEE80211_MAX_DATA_LEN },
906 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
907 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
908 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
909 	[NL80211_ATTR_PEER_AID] =
910 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
911 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
912 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
913 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
914 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
915 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
916 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
917 	/*
918 	 * The value of the Length field of the Supported Operating
919 	 * Classes element is between 2 and 253.
920 	 */
921 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
922 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
923 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
924 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
925 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
926 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
927 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
928 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
929 						  IEEE80211_QOS_MAP_LEN_MIN,
930 						  IEEE80211_QOS_MAP_LEN_MAX),
931 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
932 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
933 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
934 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
935 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
936 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
937 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
938 	[NL80211_ATTR_USER_PRIO] =
939 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
940 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
941 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
942 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
943 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
944 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
945 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
946 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
947 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
948 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
949 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
950 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
951 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
952 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
953 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
954 	},
955 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
956 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
957 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
958 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
959 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
960 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
961 				    .len = FILS_MAX_KEK_LEN },
962 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
963 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
964 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
965 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
966 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
967 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
968 	},
969 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
970 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
971 					     .len = FILS_ERP_MAX_USERNAME_LEN },
972 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
973 					  .len = FILS_ERP_MAX_REALM_LEN },
974 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
975 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
976 					.len = FILS_ERP_MAX_RRK_LEN },
977 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
978 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
979 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
980 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
981 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
982 
983 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
984 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
985 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
986 	[NL80211_ATTR_HE_CAPABILITY] =
987 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
988 				       NL80211_HE_MAX_CAPABILITY_LEN),
989 	[NL80211_ATTR_FTM_RESPONDER] =
990 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
991 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
992 	[NL80211_ATTR_PEER_MEASUREMENTS] =
993 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
994 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
995 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
996 					.len = SAE_PASSWORD_MAX_LEN },
997 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
998 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
999 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
1000 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
1001 	[NL80211_ATTR_TID_CONFIG] =
1002 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
1003 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
1004 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
1005 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
1006 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
1007 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
1008 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
1009 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
1010 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
1011 	[NL80211_ATTR_FILS_DISCOVERY] =
1012 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
1013 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
1014 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
1015 	[NL80211_ATTR_S1G_CAPABILITY] =
1016 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1017 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
1018 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
1019 	[NL80211_ATTR_SAE_PWE] =
1020 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
1021 				 NL80211_SAE_PWE_BOTH),
1022 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
1023 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
1024 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
1025 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
1026 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
1027 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
1028 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
1029 	[NL80211_ATTR_MBSSID_CONFIG] =
1030 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
1031 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
1032 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
1033 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
1034 	[NL80211_ATTR_EHT_CAPABILITY] =
1035 		NLA_POLICY_RANGE(NLA_BINARY,
1036 				 NL80211_EHT_MIN_CAPABILITY_LEN,
1037 				 NL80211_EHT_MAX_CAPABILITY_LEN),
1038 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
1039 	[NL80211_ATTR_MLO_LINKS] =
1040 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
1041 	[NL80211_ATTR_MLO_LINK_ID] =
1042 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
1043 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
1044 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
1045 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
1046 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
1047 	[NL80211_ATTR_PUNCT_BITMAP] =
1048 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
1049 
1050 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
1051 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
1052 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
1053 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
1054 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
1055 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1056 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
1057 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
1058 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
1059 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
1060 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
1061 				       NL80211_MAX_SUPP_SELECTORS),
1062 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
1063 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
1064 	[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS] = { .type = NLA_U16 },
1065 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
1066 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
1067 	[NL80211_ATTR_S1G_SHORT_BEACON] =
1068 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
1069 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
1070 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
1071 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
1072 	[NL80211_ATTR_UHR_CAPABILITY] =
1073 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
1074 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
1075 	[NL80211_ATTR_UHR_OPERATION] =
1076 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_operation),
1077 	[NL80211_ATTR_NAN_CHANNEL] = NLA_POLICY_NESTED(nl80211_policy),
1078 	[NL80211_ATTR_NAN_CHANNEL_ENTRY] = NLA_POLICY_EXACT_LEN(6),
1079 	[NL80211_ATTR_NAN_RX_NSS] = { .type = NLA_U8 },
1080 	[NL80211_ATTR_NAN_TIME_SLOTS] =
1081 		NLA_POLICY_EXACT_LEN(CFG80211_NAN_SCHED_NUM_TIME_SLOTS),
1082 	[NL80211_ATTR_NAN_AVAIL_BLOB] =
1083 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_avail_blob),
1084 	[NL80211_ATTR_NAN_SCHED_DEFERRED] = { .type = NLA_FLAG },
1085 	[NL80211_ATTR_NAN_NMI_MAC] = NLA_POLICY_ETH_ADDR,
1086 	[NL80211_ATTR_NAN_ULW] =
1087 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_ulw),
1088 	[NL80211_ATTR_NAN_COMMITTED_DW] = { .type = NLA_U16 },
1089 	[NL80211_ATTR_NAN_SEQ_ID] = { .type = NLA_U8 },
1090 	[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME] = { .type = NLA_U16 },
1091 	[NL80211_ATTR_NAN_PEER_MAPS] =
1092 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_peer_map_policy),
1093 	[NL80211_ATTR_NPCA_PRIMARY_FREQ] = { .type = NLA_U32 },
1094 	[NL80211_ATTR_NPCA_PUNCT_BITMAP] =
1095 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
1096 };
1097 
1098 /* policy for the key attributes */
1099 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
1100 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
1101 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
1102 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
1103 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
1104 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
1105 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
1106 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
1107 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
1108 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
1109 	[NL80211_KEY_LTF_SEED] = {
1110 		.type = NLA_BINARY,
1111 		.len = WLAN_MAX_SECURE_LTF_KEYSEED_LEN,
1112 	},
1113 };
1114 
1115 /* policy for the key default flags */
1116 static const struct nla_policy
1117 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
1118 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
1119 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
1120 };
1121 
1122 #ifdef CONFIG_PM
1123 /* policy for WoWLAN attributes */
1124 static const struct nla_policy
1125 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
1126 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
1127 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
1128 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
1129 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
1130 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
1131 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
1132 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
1133 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
1134 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
1135 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
1136 };
1137 
1138 static const struct nla_policy
1139 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
1140 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
1141 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
1142 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1143 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
1144 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
1145 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1146 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
1147 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
1148 	},
1149 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
1150 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1151 	},
1152 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1153 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1154 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1155 };
1156 #endif /* CONFIG_PM */
1157 
1158 /* policy for coalesce rule attributes */
1159 static const struct nla_policy
1160 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1161 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1162 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1163 		NLA_POLICY_RANGE(NLA_U32,
1164 				 NL80211_COALESCE_CONDITION_MATCH,
1165 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1166 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1167 };
1168 
1169 /* policy for GTK rekey offload attributes */
1170 static const struct nla_policy
1171 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1172 	[NL80211_REKEY_DATA_KEK] = {
1173 		.type = NLA_BINARY,
1174 		.len = NL80211_KEK_EXT_LEN
1175 	},
1176 	[NL80211_REKEY_DATA_KCK] = {
1177 		.type = NLA_BINARY,
1178 		.len = NL80211_KCK_EXT_LEN_32
1179 	},
1180 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1181 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1182 };
1183 
1184 static const struct nla_policy
1185 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1186 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1187 						 .len = IEEE80211_MAX_SSID_LEN },
1188 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1189 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1190 };
1191 
1192 static const struct nla_policy
1193 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1194 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1195 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1196 };
1197 
1198 static const struct nla_policy
1199 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1200 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1201 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1202 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1203 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1204 	},
1205 };
1206 
1207 /* policy for NAN function attributes */
1208 static const struct nla_policy
1209 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1210 	[NL80211_NAN_FUNC_TYPE] =
1211 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1212 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1213 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1214 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1215 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1216 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1217 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1218 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1219 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1220 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1221 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1222 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1223 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1224 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1225 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1226 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1227 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1228 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1229 };
1230 
1231 /* policy for Service Response Filter attributes */
1232 static const struct nla_policy
1233 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1234 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1235 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1236 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1237 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1238 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1239 };
1240 
1241 /* policy for packet pattern attributes */
1242 static const struct nla_policy
1243 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1244 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1245 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1246 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1247 };
1248 
1249 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1250 				     struct cfg80211_registered_device **rdev,
1251 				     struct wireless_dev **wdev,
1252 				     struct nlattr **attrbuf)
1253 {
1254 	int err;
1255 
1256 	if (!cb->args[0]) {
1257 		struct nlattr **attrbuf_free = NULL;
1258 
1259 		if (!attrbuf) {
1260 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
1261 			if (!attrbuf)
1262 				return -ENOMEM;
1263 			attrbuf_free = attrbuf;
1264 		}
1265 
1266 		err = nlmsg_parse_deprecated(cb->nlh,
1267 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1268 					     attrbuf, nl80211_fam.maxattr,
1269 					     nl80211_policy, NULL);
1270 		if (err) {
1271 			kfree(attrbuf_free);
1272 			return err;
1273 		}
1274 
1275 		rtnl_lock();
1276 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1277 						   attrbuf);
1278 		kfree(attrbuf_free);
1279 		if (IS_ERR(*wdev)) {
1280 			rtnl_unlock();
1281 			return PTR_ERR(*wdev);
1282 		}
1283 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1284 		mutex_lock(&(*rdev)->wiphy.mtx);
1285 		rtnl_unlock();
1286 		/* 0 is the first index - add 1 to parse only once */
1287 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1288 		cb->args[1] = (*wdev)->identifier;
1289 	} else {
1290 		/* subtract the 1 again here */
1291 		struct wiphy *wiphy;
1292 		struct wireless_dev *tmp;
1293 
1294 		rtnl_lock();
1295 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1296 		if (!wiphy) {
1297 			rtnl_unlock();
1298 			return -ENODEV;
1299 		}
1300 
1301 		/*
1302 		 * The first invocation validated the wdev's netns against
1303 		 * the caller via __cfg80211_wdev_from_attrs(). The wiphy
1304 		 * may have moved netns between dumpit invocations (via
1305 		 * NL80211_CMD_SET_WIPHY_NETNS), so re-check here.
1306 		 */
1307 		if (!net_eq(wiphy_net(wiphy), sock_net(cb->skb->sk))) {
1308 			rtnl_unlock();
1309 			return -ENODEV;
1310 		}
1311 
1312 		*rdev = wiphy_to_rdev(wiphy);
1313 		*wdev = NULL;
1314 
1315 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1316 			if (tmp->identifier == cb->args[1]) {
1317 				*wdev = tmp;
1318 				break;
1319 			}
1320 		}
1321 
1322 		if (!*wdev) {
1323 			rtnl_unlock();
1324 			return -ENODEV;
1325 		}
1326 		mutex_lock(&(*rdev)->wiphy.mtx);
1327 		rtnl_unlock();
1328 	}
1329 
1330 	return 0;
1331 }
1332 
1333 /* message building helper */
1334 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1335 		     int flags, u8 cmd)
1336 {
1337 	/* since there is no private header just add the generic one */
1338 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1339 }
1340 
1341 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1342 				     const struct ieee80211_reg_rule *rule)
1343 {
1344 	int j;
1345 	struct nlattr *nl_wmm_rules =
1346 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1347 
1348 	if (!nl_wmm_rules)
1349 		goto nla_put_failure;
1350 
1351 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1352 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1353 
1354 		if (!nl_wmm_rule)
1355 			goto nla_put_failure;
1356 
1357 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1358 				rule->wmm_rule.client[j].cw_min) ||
1359 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1360 				rule->wmm_rule.client[j].cw_max) ||
1361 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1362 			       rule->wmm_rule.client[j].aifsn) ||
1363 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1364 			        rule->wmm_rule.client[j].cot))
1365 			goto nla_put_failure;
1366 
1367 		nla_nest_end(msg, nl_wmm_rule);
1368 	}
1369 	nla_nest_end(msg, nl_wmm_rules);
1370 
1371 	return 0;
1372 
1373 nla_put_failure:
1374 	return -ENOBUFS;
1375 }
1376 
1377 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1378 				   struct ieee80211_channel *chan,
1379 				   bool large)
1380 {
1381 	/* Some channels must be completely excluded from the
1382 	 * list to protect old user-space tools from breaking
1383 	 */
1384 	if (!large && chan->flags &
1385 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1386 		return 0;
1387 	if (!large && chan->freq_offset)
1388 		return 0;
1389 
1390 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1391 			chan->center_freq))
1392 		goto nla_put_failure;
1393 
1394 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1395 		goto nla_put_failure;
1396 
1397 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1398 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1399 		goto nla_put_failure;
1400 
1401 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1402 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1403 		goto nla_put_failure;
1404 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1405 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1406 			goto nla_put_failure;
1407 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1408 			goto nla_put_failure;
1409 	}
1410 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1411 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1412 			goto nla_put_failure;
1413 		if (large) {
1414 			u32 time;
1415 
1416 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1417 
1418 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1419 					chan->dfs_state))
1420 				goto nla_put_failure;
1421 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1422 					time))
1423 				goto nla_put_failure;
1424 			if (nla_put_u32(msg,
1425 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1426 					chan->dfs_cac_ms))
1427 				goto nla_put_failure;
1428 		}
1429 	}
1430 
1431 	if (large) {
1432 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1433 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1434 			goto nla_put_failure;
1435 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1436 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1437 			goto nla_put_failure;
1438 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1439 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1440 			goto nla_put_failure;
1441 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1442 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1443 			goto nla_put_failure;
1444 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1445 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1446 			goto nla_put_failure;
1447 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1448 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1449 			goto nla_put_failure;
1450 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1451 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1452 			goto nla_put_failure;
1453 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1454 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1455 			goto nla_put_failure;
1456 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1457 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1458 			goto nla_put_failure;
1459 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1460 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1461 			goto nla_put_failure;
1462 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1463 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1464 			goto nla_put_failure;
1465 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1466 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1467 			goto nla_put_failure;
1468 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1469 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1470 			goto nla_put_failure;
1471 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1472 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1473 			goto nla_put_failure;
1474 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1475 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1476 			goto nla_put_failure;
1477 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1478 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1479 			goto nla_put_failure;
1480 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1481 		    nla_put_flag(msg,
1482 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1483 			goto nla_put_failure;
1484 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1485 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1486 			goto nla_put_failure;
1487 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1488 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1489 			goto nla_put_failure;
1490 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1491 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1492 			goto nla_put_failure;
1493 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1494 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1495 			goto nla_put_failure;
1496 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1497 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1498 			goto nla_put_failure;
1499 		if (chan->cac_start_time &&
1500 		    nla_put_u64_64bit(msg,
1501 				      NL80211_FREQUENCY_ATTR_CAC_START_TIME,
1502 				      chan->cac_start_time,
1503 				      NL80211_FREQUENCY_ATTR_PAD))
1504 			goto nla_put_failure;
1505 	}
1506 
1507 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1508 			DBM_TO_MBM(chan->max_power)))
1509 		goto nla_put_failure;
1510 
1511 	if (large) {
1512 		const struct ieee80211_reg_rule *rule =
1513 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1514 
1515 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1516 			if (nl80211_msg_put_wmm_rules(msg, rule))
1517 				goto nla_put_failure;
1518 		}
1519 	}
1520 
1521 	return 0;
1522 
1523  nla_put_failure:
1524 	return -ENOBUFS;
1525 }
1526 
1527 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1528 				  struct cfg80211_txq_stats *txqstats,
1529 				  int attrtype)
1530 {
1531 	struct nlattr *txqattr;
1532 
1533 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1534 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1535 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1536 		return false;						  \
1537 	} while (0)
1538 
1539 	txqattr = nla_nest_start_noflag(msg, attrtype);
1540 	if (!txqattr)
1541 		return false;
1542 
1543 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1544 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1545 	PUT_TXQVAL_U32(FLOWS, flows);
1546 	PUT_TXQVAL_U32(DROPS, drops);
1547 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1548 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1549 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1550 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1551 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1552 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1553 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1554 	nla_nest_end(msg, txqattr);
1555 
1556 #undef PUT_TXQVAL_U32
1557 	return true;
1558 }
1559 
1560 /* netlink command implementations */
1561 
1562 /**
1563  * nl80211_link_id - return link ID
1564  * @attrs: attributes to look at
1565  *
1566  * Returns: the link ID or 0 if not given
1567  *
1568  * Note this function doesn't do any validation of the link
1569  * ID validity wrt. links that were actually added, so it must
1570  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1571  * or if additional validation is done.
1572  */
1573 static unsigned int nl80211_link_id(struct nlattr **attrs)
1574 {
1575 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1576 
1577 	return nla_get_u8_default(linkid, 0);
1578 }
1579 
1580 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1581 {
1582 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1583 
1584 	if (!linkid)
1585 		return -1;
1586 
1587 	return nla_get_u8(linkid);
1588 }
1589 
1590 struct key_parse {
1591 	struct key_params p;
1592 	int idx;
1593 	int type;
1594 	bool def, defmgmt, defbeacon;
1595 	bool def_uni, def_multi;
1596 };
1597 
1598 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1599 				 struct key_parse *k)
1600 {
1601 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1602 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1603 					      nl80211_key_policy,
1604 					      info->extack);
1605 	if (err)
1606 		return err;
1607 
1608 	k->def = !!tb[NL80211_KEY_DEFAULT];
1609 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1610 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1611 
1612 	if (k->def) {
1613 		k->def_uni = true;
1614 		k->def_multi = true;
1615 	}
1616 	if (k->defmgmt || k->defbeacon)
1617 		k->def_multi = true;
1618 
1619 	if (tb[NL80211_KEY_IDX])
1620 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1621 
1622 	if (tb[NL80211_KEY_DATA]) {
1623 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1624 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1625 	}
1626 
1627 	if (tb[NL80211_KEY_SEQ]) {
1628 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1629 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1630 	}
1631 
1632 	if (tb[NL80211_KEY_CIPHER])
1633 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1634 
1635 	if (tb[NL80211_KEY_TYPE])
1636 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1637 
1638 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1639 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1640 
1641 		err = nla_parse_nested_deprecated(kdt,
1642 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1643 						  tb[NL80211_KEY_DEFAULT_TYPES],
1644 						  nl80211_key_default_policy,
1645 						  info->extack);
1646 		if (err)
1647 			return err;
1648 
1649 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1650 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1651 	}
1652 
1653 	if (tb[NL80211_KEY_MODE])
1654 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1655 
1656 	if (tb[NL80211_KEY_LTF_SEED]) {
1657 		k->p.ltf_keyseed = nla_data(tb[NL80211_KEY_LTF_SEED]);
1658 		k->p.ltf_keyseed_len = nla_len(tb[NL80211_KEY_LTF_SEED]);
1659 	}
1660 
1661 	return 0;
1662 }
1663 
1664 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1665 {
1666 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1667 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1668 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1669 	}
1670 
1671 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1672 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1673 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1674 	}
1675 
1676 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1677 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1678 
1679 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1680 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1681 
1682 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1683 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1684 
1685 	if (k->def) {
1686 		k->def_uni = true;
1687 		k->def_multi = true;
1688 	}
1689 	if (k->defmgmt)
1690 		k->def_multi = true;
1691 
1692 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1693 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1694 
1695 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1696 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1697 		int err = nla_parse_nested_deprecated(kdt,
1698 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1699 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1700 						      nl80211_key_default_policy,
1701 						      info->extack);
1702 		if (err)
1703 			return err;
1704 
1705 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1706 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1707 	}
1708 
1709 	return 0;
1710 }
1711 
1712 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1713 {
1714 	int err;
1715 
1716 	memset(k, 0, sizeof(*k));
1717 	k->idx = -1;
1718 	k->type = -1;
1719 
1720 	if (info->attrs[NL80211_ATTR_KEY])
1721 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1722 	else
1723 		err = nl80211_parse_key_old(info, k);
1724 
1725 	if (err)
1726 		return err;
1727 
1728 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1729 	    (k->defbeacon ? 1 : 0) > 1) {
1730 		GENL_SET_ERR_MSG(info,
1731 				 "key with multiple default flags is invalid");
1732 		return -EINVAL;
1733 	}
1734 
1735 	if (k->defmgmt || k->defbeacon) {
1736 		if (k->def_uni || !k->def_multi) {
1737 			GENL_SET_ERR_MSG(info,
1738 					 "defmgmt/defbeacon key must be mcast");
1739 			return -EINVAL;
1740 		}
1741 	}
1742 
1743 	if (k->idx != -1) {
1744 		if (k->defmgmt) {
1745 			if (k->idx < 4 || k->idx > 5) {
1746 				GENL_SET_ERR_MSG(info,
1747 						 "defmgmt key idx not 4 or 5");
1748 				return -EINVAL;
1749 			}
1750 		} else if (k->defbeacon) {
1751 			if (k->idx < 6 || k->idx > 7) {
1752 				GENL_SET_ERR_MSG(info,
1753 						 "defbeacon key idx not 6 or 7");
1754 				return -EINVAL;
1755 			}
1756 		} else if (k->def) {
1757 			if (k->idx < 0 || k->idx > 3) {
1758 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1759 				return -EINVAL;
1760 			}
1761 		} else {
1762 			if (k->idx < 0 || k->idx > 7) {
1763 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1764 				return -EINVAL;
1765 			}
1766 		}
1767 	}
1768 
1769 	return 0;
1770 }
1771 
1772 static struct cfg80211_cached_keys *
1773 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1774 		       struct wireless_dev *wdev,
1775 		       struct genl_info *info, bool *no_ht)
1776 {
1777 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1778 	struct key_parse parse;
1779 	struct nlattr *key;
1780 	struct cfg80211_cached_keys *result;
1781 	int rem, err, def = 0;
1782 	bool have_key = false;
1783 
1784 	nla_for_each_nested(key, keys, rem) {
1785 		have_key = true;
1786 		break;
1787 	}
1788 
1789 	if (!have_key)
1790 		return NULL;
1791 
1792 	result = kzalloc_obj(*result);
1793 	if (!result)
1794 		return ERR_PTR(-ENOMEM);
1795 
1796 	result->def = -1;
1797 
1798 	nla_for_each_nested(key, keys, rem) {
1799 		memset(&parse, 0, sizeof(parse));
1800 		parse.idx = -1;
1801 
1802 		err = nl80211_parse_key_new(info, key, &parse);
1803 		if (err)
1804 			goto error;
1805 		err = -EINVAL;
1806 		if (!parse.p.key)
1807 			goto error;
1808 		if (parse.idx < 0 || parse.idx > 3) {
1809 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1810 			goto error;
1811 		}
1812 		if (parse.def) {
1813 			if (def) {
1814 				GENL_SET_ERR_MSG(info,
1815 						 "only one key can be default");
1816 				goto error;
1817 			}
1818 			def = 1;
1819 			result->def = parse.idx;
1820 			if (!parse.def_uni || !parse.def_multi)
1821 				goto error;
1822 		} else if (parse.defmgmt)
1823 			goto error;
1824 		err = cfg80211_validate_key_settings(rdev, wdev, &parse.p,
1825 						     parse.idx, false, NULL);
1826 		if (err)
1827 			goto error;
1828 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1829 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1830 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1831 			err = -EINVAL;
1832 			goto error;
1833 		}
1834 		result->params[parse.idx].cipher = parse.p.cipher;
1835 		result->params[parse.idx].key_len = parse.p.key_len;
1836 		result->params[parse.idx].key = result->data[parse.idx];
1837 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1838 
1839 		/* must be WEP key if we got here */
1840 		if (no_ht)
1841 			*no_ht = true;
1842 	}
1843 
1844 	if (result->def < 0) {
1845 		err = -EINVAL;
1846 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1847 		goto error;
1848 	}
1849 
1850 	return result;
1851  error:
1852 	kfree_sensitive(result);
1853 	return ERR_PTR(err);
1854 }
1855 
1856 static int nl80211_key_allowed(struct wireless_dev *wdev)
1857 {
1858 	lockdep_assert_wiphy(wdev->wiphy);
1859 
1860 	switch (wdev->iftype) {
1861 	case NL80211_IFTYPE_AP:
1862 	case NL80211_IFTYPE_AP_VLAN:
1863 	case NL80211_IFTYPE_P2P_GO:
1864 	case NL80211_IFTYPE_MESH_POINT:
1865 		break;
1866 	case NL80211_IFTYPE_ADHOC:
1867 		if (wdev->u.ibss.current_bss)
1868 			return 0;
1869 		return -ENOLINK;
1870 	case NL80211_IFTYPE_STATION:
1871 	case NL80211_IFTYPE_P2P_CLIENT:
1872 		if (wdev->connected ||
1873 		    (wiphy_ext_feature_isset(wdev->wiphy,
1874 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1875 			return 0;
1876 		return -ENOLINK;
1877 	case NL80211_IFTYPE_NAN:
1878 	case NL80211_IFTYPE_NAN_DATA:
1879 		if (wiphy_ext_feature_isset(wdev->wiphy,
1880 					    NL80211_EXT_FEATURE_SECURE_NAN))
1881 			return 0;
1882 		return -EINVAL;
1883 	case NL80211_IFTYPE_PD:
1884 		if (wiphy_ext_feature_isset(wdev->wiphy,
1885 					    NL80211_EXT_FEATURE_SECURE_RTT))
1886 			return 0;
1887 		return -EINVAL;
1888 	case NL80211_IFTYPE_UNSPECIFIED:
1889 	case NL80211_IFTYPE_OCB:
1890 	case NL80211_IFTYPE_MONITOR:
1891 	case NL80211_IFTYPE_P2P_DEVICE:
1892 	case NL80211_IFTYPE_WDS:
1893 	case NUM_NL80211_IFTYPES:
1894 		return -EINVAL;
1895 	}
1896 
1897 	return 0;
1898 }
1899 
1900 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1901 							u32 freq)
1902 {
1903 	struct ieee80211_channel *chan;
1904 
1905 	chan = ieee80211_get_channel_khz(wiphy, freq);
1906 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1907 		return NULL;
1908 	return chan;
1909 }
1910 
1911 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1912 {
1913 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1914 	int i;
1915 
1916 	if (!nl_modes)
1917 		goto nla_put_failure;
1918 
1919 	i = 0;
1920 	while (ifmodes) {
1921 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1922 			goto nla_put_failure;
1923 		ifmodes >>= 1;
1924 		i++;
1925 	}
1926 
1927 	nla_nest_end(msg, nl_modes);
1928 	return 0;
1929 
1930 nla_put_failure:
1931 	return -ENOBUFS;
1932 }
1933 
1934 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1935 				   const struct ieee80211_iface_combination *c,
1936 				   u16 nested)
1937 {
1938 	struct nlattr *nl_combi, *nl_limits;
1939 	int i;
1940 
1941 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1942 	if (!nl_combi)
1943 		goto nla_put_failure;
1944 
1945 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1946 					       nested);
1947 	if (!nl_limits)
1948 		goto nla_put_failure;
1949 
1950 	for (i = 0; i < c->n_limits; i++) {
1951 		struct nlattr *nl_limit;
1952 
1953 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1954 		if (!nl_limit)
1955 			goto nla_put_failure;
1956 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1957 			goto nla_put_failure;
1958 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1959 					c->limits[i].types))
1960 			goto nla_put_failure;
1961 		nla_nest_end(msg, nl_limit);
1962 	}
1963 
1964 	nla_nest_end(msg, nl_limits);
1965 
1966 	if (c->beacon_int_infra_match &&
1967 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1968 		goto nla_put_failure;
1969 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1970 			c->num_different_channels) ||
1971 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1972 			c->max_interfaces))
1973 		goto nla_put_failure;
1974 	if (large &&
1975 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1976 			c->radar_detect_widths) ||
1977 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1978 			c->radar_detect_regions)))
1979 		goto nla_put_failure;
1980 	if (c->beacon_int_min_gcd &&
1981 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1982 			c->beacon_int_min_gcd))
1983 		goto nla_put_failure;
1984 
1985 	nla_nest_end(msg, nl_combi);
1986 
1987 	return 0;
1988 nla_put_failure:
1989 	return -ENOBUFS;
1990 }
1991 
1992 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1993 					  struct sk_buff *msg,
1994 					  int attr, int radio,
1995 					  bool large, u16 nested)
1996 {
1997 	const struct ieee80211_iface_combination *c;
1998 	struct nlattr *nl_combis;
1999 	int i, n;
2000 
2001 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
2002 	if (!nl_combis)
2003 		goto nla_put_failure;
2004 
2005 	if (radio >= 0) {
2006 		c = wiphy->radio[0].iface_combinations;
2007 		n = wiphy->radio[0].n_iface_combinations;
2008 	} else {
2009 		c = wiphy->iface_combinations;
2010 		n = wiphy->n_iface_combinations;
2011 	}
2012 	for (i = 0; i < n; i++)
2013 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
2014 			goto nla_put_failure;
2015 
2016 	nla_nest_end(msg, nl_combis);
2017 
2018 	return 0;
2019 nla_put_failure:
2020 	return -ENOBUFS;
2021 }
2022 
2023 #ifdef CONFIG_PM
2024 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
2025 					struct sk_buff *msg)
2026 {
2027 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
2028 	struct nlattr *nl_tcp;
2029 
2030 	if (!tcp)
2031 		return 0;
2032 
2033 	nl_tcp = nla_nest_start_noflag(msg,
2034 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
2035 	if (!nl_tcp)
2036 		return -ENOBUFS;
2037 
2038 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
2039 			tcp->data_payload_max))
2040 		return -ENOBUFS;
2041 
2042 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
2043 			tcp->data_payload_max))
2044 		return -ENOBUFS;
2045 
2046 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
2047 		return -ENOBUFS;
2048 
2049 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
2050 				sizeof(*tcp->tok), tcp->tok))
2051 		return -ENOBUFS;
2052 
2053 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
2054 			tcp->data_interval_max))
2055 		return -ENOBUFS;
2056 
2057 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
2058 			tcp->wake_payload_max))
2059 		return -ENOBUFS;
2060 
2061 	nla_nest_end(msg, nl_tcp);
2062 	return 0;
2063 }
2064 
2065 static int nl80211_send_wowlan(struct sk_buff *msg,
2066 			       struct cfg80211_registered_device *rdev,
2067 			       bool large)
2068 {
2069 	struct nlattr *nl_wowlan;
2070 
2071 	if (!rdev->wiphy.wowlan)
2072 		return 0;
2073 
2074 	nl_wowlan = nla_nest_start_noflag(msg,
2075 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
2076 	if (!nl_wowlan)
2077 		return -ENOBUFS;
2078 
2079 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
2080 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
2081 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
2082 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
2083 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
2084 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
2085 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
2086 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
2087 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
2088 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
2089 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
2090 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
2091 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
2092 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
2093 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
2094 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
2095 		return -ENOBUFS;
2096 
2097 	if (rdev->wiphy.wowlan->n_patterns) {
2098 		struct nl80211_pattern_support pat = {
2099 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
2100 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
2101 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
2102 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
2103 		};
2104 
2105 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
2106 			    sizeof(pat), &pat))
2107 			return -ENOBUFS;
2108 	}
2109 
2110 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
2111 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
2112 			rdev->wiphy.wowlan->max_nd_match_sets))
2113 		return -ENOBUFS;
2114 
2115 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
2116 		return -ENOBUFS;
2117 
2118 	nla_nest_end(msg, nl_wowlan);
2119 
2120 	return 0;
2121 }
2122 #endif
2123 
2124 static int nl80211_send_coalesce(struct sk_buff *msg,
2125 				 struct cfg80211_registered_device *rdev)
2126 {
2127 	struct nl80211_coalesce_rule_support rule;
2128 
2129 	if (!rdev->wiphy.coalesce)
2130 		return 0;
2131 
2132 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
2133 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
2134 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
2135 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
2136 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
2137 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
2138 
2139 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
2140 		return -ENOBUFS;
2141 
2142 	return 0;
2143 }
2144 
2145 static int
2146 nl80211_send_iftype_data(struct sk_buff *msg,
2147 			 const struct ieee80211_supported_band *sband,
2148 			 const struct ieee80211_sband_iftype_data *iftdata)
2149 {
2150 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
2151 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
2152 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
2153 
2154 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
2155 				iftdata->types_mask))
2156 		return -ENOBUFS;
2157 
2158 	if (he_cap->has_he) {
2159 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
2160 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2161 			    he_cap->he_cap_elem.mac_cap_info) ||
2162 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
2163 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2164 			    he_cap->he_cap_elem.phy_cap_info) ||
2165 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
2166 			    sizeof(he_cap->he_mcs_nss_supp),
2167 			    &he_cap->he_mcs_nss_supp) ||
2168 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
2169 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2170 			return -ENOBUFS;
2171 	}
2172 
2173 	if (eht_cap->has_eht && he_cap->has_he) {
2174 		u8 mcs_nss_size, ppe_thresh_size;
2175 		u16 ppe_thres_hdr;
2176 		bool is_ap;
2177 
2178 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
2179 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2180 
2181 		mcs_nss_size =
2182 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2183 						   &eht_cap->eht_cap_elem,
2184 						   is_ap);
2185 
2186 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2187 		ppe_thresh_size =
2188 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2189 					       eht_cap->eht_cap_elem.phy_cap_info);
2190 
2191 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2192 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2193 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2194 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2195 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2196 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2197 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2198 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2199 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2200 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2201 			return -ENOBUFS;
2202 	}
2203 
2204 	if (uhr_cap->has_uhr) {
2205 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2206 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2207 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2208 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2209 			return -ENOBUFS;
2210 	}
2211 
2212 	if (sband->band == NL80211_BAND_6GHZ &&
2213 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2214 		    sizeof(iftdata->he_6ghz_capa),
2215 		    &iftdata->he_6ghz_capa))
2216 		return -ENOBUFS;
2217 
2218 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2219 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2220 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2221 		return -ENOBUFS;
2222 
2223 	return 0;
2224 }
2225 
2226 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2227 				      struct ieee80211_supported_band *sband,
2228 				      bool large)
2229 {
2230 	struct nlattr *nl_rates, *nl_rate;
2231 	struct ieee80211_rate *rate;
2232 	int i;
2233 
2234 	/* add HT info */
2235 	if (sband->ht_cap.ht_supported &&
2236 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2237 		     sizeof(sband->ht_cap.mcs),
2238 		     &sband->ht_cap.mcs) ||
2239 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2240 			 sband->ht_cap.cap) ||
2241 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2242 			sband->ht_cap.ampdu_factor) ||
2243 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2244 			sband->ht_cap.ampdu_density)))
2245 		return -ENOBUFS;
2246 
2247 	/* add VHT info */
2248 	if (sband->vht_cap.vht_supported &&
2249 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2250 		     sizeof(sband->vht_cap.vht_mcs),
2251 		     &sband->vht_cap.vht_mcs) ||
2252 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2253 			 sband->vht_cap.cap)))
2254 		return -ENOBUFS;
2255 
2256 	if (large && sband->n_iftype_data) {
2257 		struct nlattr *nl_iftype_data =
2258 			nla_nest_start_noflag(msg,
2259 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2260 		const struct ieee80211_sband_iftype_data *iftd;
2261 		int err;
2262 
2263 		if (!nl_iftype_data)
2264 			return -ENOBUFS;
2265 
2266 		for_each_sband_iftype_data(sband, i, iftd) {
2267 			struct nlattr *iftdata;
2268 
2269 			iftdata = nla_nest_start_noflag(msg, i + 1);
2270 			if (!iftdata)
2271 				return -ENOBUFS;
2272 
2273 			err = nl80211_send_iftype_data(msg, sband, iftd);
2274 			if (err)
2275 				return err;
2276 
2277 			nla_nest_end(msg, iftdata);
2278 		}
2279 
2280 		nla_nest_end(msg, nl_iftype_data);
2281 	}
2282 
2283 	/* add EDMG info */
2284 	if (large && sband->edmg_cap.channels &&
2285 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2286 		       sband->edmg_cap.channels) ||
2287 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2288 		       sband->edmg_cap.bw_config)))
2289 
2290 		return -ENOBUFS;
2291 
2292 	/* add bitrates */
2293 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2294 	if (!nl_rates)
2295 		return -ENOBUFS;
2296 
2297 	for (i = 0; i < sband->n_bitrates; i++) {
2298 		nl_rate = nla_nest_start_noflag(msg, i);
2299 		if (!nl_rate)
2300 			return -ENOBUFS;
2301 
2302 		rate = &sband->bitrates[i];
2303 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2304 				rate->bitrate))
2305 			return -ENOBUFS;
2306 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2307 		    nla_put_flag(msg,
2308 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2309 			return -ENOBUFS;
2310 
2311 		nla_nest_end(msg, nl_rate);
2312 	}
2313 
2314 	nla_nest_end(msg, nl_rates);
2315 
2316 	/* S1G capabilities */
2317 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2318 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2319 		     sizeof(sband->s1g_cap.cap),
2320 		     sband->s1g_cap.cap) ||
2321 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2322 		     sizeof(sband->s1g_cap.nss_mcs),
2323 		     sband->s1g_cap.nss_mcs)))
2324 		return -ENOBUFS;
2325 
2326 	return 0;
2327 }
2328 
2329 static int
2330 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2331 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2332 {
2333 	u16 stypes;
2334 	struct nlattr *nl_ftypes, *nl_ifs;
2335 	enum nl80211_iftype ift;
2336 	int i;
2337 
2338 	if (!mgmt_stypes)
2339 		return 0;
2340 
2341 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2342 	if (!nl_ifs)
2343 		return -ENOBUFS;
2344 
2345 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2346 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2347 		if (!nl_ftypes)
2348 			return -ENOBUFS;
2349 		i = 0;
2350 		stypes = mgmt_stypes[ift].tx;
2351 		while (stypes) {
2352 			if ((stypes & 1) &&
2353 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2354 					(i << 4) | IEEE80211_FTYPE_MGMT))
2355 				return -ENOBUFS;
2356 			stypes >>= 1;
2357 			i++;
2358 		}
2359 		nla_nest_end(msg, nl_ftypes);
2360 	}
2361 
2362 	nla_nest_end(msg, nl_ifs);
2363 
2364 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2365 	if (!nl_ifs)
2366 		return -ENOBUFS;
2367 
2368 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2369 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2370 		if (!nl_ftypes)
2371 			return -ENOBUFS;
2372 		i = 0;
2373 		stypes = mgmt_stypes[ift].rx;
2374 		while (stypes) {
2375 			if ((stypes & 1) &&
2376 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2377 					(i << 4) | IEEE80211_FTYPE_MGMT))
2378 				return -ENOBUFS;
2379 			stypes >>= 1;
2380 			i++;
2381 		}
2382 		nla_nest_end(msg, nl_ftypes);
2383 	}
2384 	nla_nest_end(msg, nl_ifs);
2385 
2386 	return 0;
2387 }
2388 
2389 #define CMD(op, n)							\
2390 	 do {								\
2391 		if (rdev->ops->op) {					\
2392 			i++;						\
2393 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2394 				goto nla_put_failure;			\
2395 		}							\
2396 	} while (0)
2397 
2398 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2399 					struct sk_buff *msg)
2400 {
2401 	int i = 0;
2402 
2403 	/*
2404 	 * do *NOT* add anything into this function, new things need to be
2405 	 * advertised only to new versions of userspace that can deal with
2406 	 * the split (and they can't possibly care about new features...
2407 	 */
2408 	CMD(add_virtual_intf, NEW_INTERFACE);
2409 	CMD(change_virtual_intf, SET_INTERFACE);
2410 	CMD(add_key, NEW_KEY);
2411 	CMD(start_ap, START_AP);
2412 	CMD(add_station, NEW_STATION);
2413 	CMD(add_mpath, NEW_MPATH);
2414 	CMD(update_mesh_config, SET_MESH_CONFIG);
2415 	CMD(change_bss, SET_BSS);
2416 	CMD(auth, AUTHENTICATE);
2417 	CMD(assoc, ASSOCIATE);
2418 	CMD(deauth, DEAUTHENTICATE);
2419 	CMD(disassoc, DISASSOCIATE);
2420 	CMD(join_ibss, JOIN_IBSS);
2421 	CMD(join_mesh, JOIN_MESH);
2422 	CMD(set_pmksa, SET_PMKSA);
2423 	CMD(del_pmksa, DEL_PMKSA);
2424 	CMD(flush_pmksa, FLUSH_PMKSA);
2425 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2426 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2427 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2428 	CMD(mgmt_tx, FRAME);
2429 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2430 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2431 		i++;
2432 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2433 			goto nla_put_failure;
2434 	}
2435 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2436 	    rdev->ops->join_mesh) {
2437 		i++;
2438 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2439 			goto nla_put_failure;
2440 	}
2441 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2442 		CMD(tdls_mgmt, TDLS_MGMT);
2443 		CMD(tdls_oper, TDLS_OPER);
2444 	}
2445 	if (rdev->wiphy.max_sched_scan_reqs)
2446 		CMD(sched_scan_start, START_SCHED_SCAN);
2447 	CMD(probe_client, PROBE_CLIENT);
2448 	CMD(set_noack_map, SET_NOACK_MAP);
2449 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2450 		i++;
2451 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2452 			goto nla_put_failure;
2453 	}
2454 	CMD(start_p2p_device, START_P2P_DEVICE);
2455 	CMD(set_mcast_rate, SET_MCAST_RATE);
2456 #ifdef CONFIG_NL80211_TESTMODE
2457 	CMD(testmode_cmd, TESTMODE);
2458 #endif
2459 
2460 	if (rdev->ops->connect || rdev->ops->auth) {
2461 		i++;
2462 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2463 			goto nla_put_failure;
2464 	}
2465 
2466 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2467 		i++;
2468 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2469 			goto nla_put_failure;
2470 	}
2471 
2472 	return i;
2473  nla_put_failure:
2474 	return -ENOBUFS;
2475 }
2476 
2477 static int
2478 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2479 			   struct sk_buff *msg)
2480 {
2481 	struct nlattr *ftm;
2482 
2483 	if (!cap->ftm.supported)
2484 		return 0;
2485 
2486 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2487 	if (!ftm)
2488 		return -ENOBUFS;
2489 
2490 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2491 		return -ENOBUFS;
2492 	if (cap->ftm.non_asap &&
2493 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2494 		return -ENOBUFS;
2495 	if (cap->ftm.request_lci &&
2496 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2497 		return -ENOBUFS;
2498 	if (cap->ftm.request_civicloc &&
2499 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2500 		return -ENOBUFS;
2501 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2502 			cap->ftm.preambles))
2503 		return -ENOBUFS;
2504 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2505 			cap->ftm.bandwidths))
2506 		return -ENOBUFS;
2507 	if (cap->ftm.max_bursts_exponent >= 0 &&
2508 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2509 			cap->ftm.max_bursts_exponent))
2510 		return -ENOBUFS;
2511 	if (cap->ftm.max_ftms_per_burst &&
2512 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2513 			cap->ftm.max_ftms_per_burst))
2514 		return -ENOBUFS;
2515 	if (cap->ftm.trigger_based &&
2516 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2517 		return -ENOBUFS;
2518 	if (cap->ftm.non_trigger_based &&
2519 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2520 		return -ENOBUFS;
2521 	if (cap->ftm.support_6ghz &&
2522 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2523 		return -ENOBUFS;
2524 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2525 			cap->ftm.max_tx_ltf_rep))
2526 		return -ENOBUFS;
2527 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2528 			cap->ftm.max_rx_ltf_rep))
2529 		return -ENOBUFS;
2530 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2531 			cap->ftm.max_tx_sts))
2532 		return -ENOBUFS;
2533 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2534 			cap->ftm.max_rx_sts))
2535 		return -ENOBUFS;
2536 	if (cap->ftm.max_total_ltf_tx > 0 &&
2537 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2538 			cap->ftm.max_total_ltf_tx))
2539 		return -ENOBUFS;
2540 	if (cap->ftm.max_total_ltf_rx > 0 &&
2541 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2542 			cap->ftm.max_total_ltf_rx))
2543 		return -ENOBUFS;
2544 
2545 	if (cap->ftm.ista.support_ntb || cap->ftm.ista.support_tb ||
2546 	    cap->ftm.ista.support_edca) {
2547 		struct nlattr *ista_caps;
2548 
2549 		ista_caps = nla_nest_start_noflag(msg,
2550 						  NL80211_PMSR_FTM_CAPA_ATTR_ISTA_CAPS);
2551 		if (!ista_caps)
2552 			return -ENOBUFS;
2553 		if (cap->ftm.ista.support_ntb &&
2554 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_NTB))
2555 			return -ENOBUFS;
2556 		if (cap->ftm.ista.support_tb &&
2557 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_TB))
2558 			return -ENOBUFS;
2559 		if (cap->ftm.ista.support_edca &&
2560 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_EDCA))
2561 			return -ENOBUFS;
2562 		if (cap->ftm.ista.max_peers &&
2563 		    nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEER_ISTA_ROLE,
2564 				cap->ftm.ista.max_peers))
2565 			return -ENOBUFS;
2566 		nla_nest_end(msg, ista_caps);
2567 	}
2568 
2569 	if (cap->ftm.rsta.support_ntb || cap->ftm.rsta.support_tb ||
2570 	    cap->ftm.rsta.support_edca) {
2571 		struct nlattr *rsta_caps;
2572 
2573 		/*
2574 		 * Set the generic RSTA_SUPPORT flag if any of the specific
2575 		 * ranging modes is supported to maintain the backward
2576 		 * compatibility.
2577 		 */
2578 		if (nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2579 			return -ENOBUFS;
2580 
2581 		rsta_caps = nla_nest_start_noflag(msg,
2582 						  NL80211_PMSR_FTM_CAPA_ATTR_RSTA_CAPS);
2583 		if (!rsta_caps)
2584 			return -ENOBUFS;
2585 		if (cap->ftm.rsta.support_ntb &&
2586 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_NTB))
2587 			return -ENOBUFS;
2588 		if (cap->ftm.rsta.support_tb &&
2589 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_TB))
2590 			return -ENOBUFS;
2591 		if (cap->ftm.rsta.support_edca &&
2592 		    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_SUPPORT_EDCA))
2593 			return -ENOBUFS;
2594 		if (cap->ftm.rsta.max_peers &&
2595 		    nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEER_RSTA_ROLE,
2596 				cap->ftm.rsta.max_peers))
2597 			return -ENOBUFS;
2598 		nla_nest_end(msg, rsta_caps);
2599 	}
2600 
2601 	if (cap->ftm.max_no_of_tx_antennas &&
2602 	    nla_put_u8(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_NUM_TX_ANTENNAS,
2603 		       cap->ftm.max_no_of_tx_antennas))
2604 		return -ENOBUFS;
2605 
2606 	if (cap->ftm.max_no_of_rx_antennas &&
2607 	    nla_put_u8(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_NUM_RX_ANTENNAS,
2608 		       cap->ftm.max_no_of_rx_antennas))
2609 		return -ENOBUFS;
2610 
2611 	if (cap->ftm.min_allowed_ranging_interval_edca &&
2612 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MIN_INTERVAL_EDCA,
2613 			cap->ftm.min_allowed_ranging_interval_edca))
2614 		return -ENOBUFS;
2615 
2616 	if (cap->ftm.min_allowed_ranging_interval_ntb &&
2617 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MIN_INTERVAL_NTB,
2618 			cap->ftm.min_allowed_ranging_interval_ntb))
2619 		return -ENOBUFS;
2620 
2621 	if (cap->ftm.type.infra_support || cap->ftm.type.pd_support) {
2622 		struct nlattr *pd_caps;
2623 
2624 		pd_caps = nla_nest_start_noflag(msg,
2625 						NL80211_PMSR_FTM_CAPA_ATTR_TYPE_CAPS);
2626 		if (!pd_caps)
2627 			return -ENOBUFS;
2628 
2629 		if (cap->ftm.type.infra_support &&
2630 		    nla_put_flag(msg, NL80211_PMSR_FTM_TYPE_CAPA_ATTR_INFRA_SUPPORT))
2631 			return -ENOBUFS;
2632 
2633 		if (cap->ftm.type.pd_support &&
2634 		    nla_put_flag(msg, NL80211_PMSR_FTM_TYPE_CAPA_ATTR_PD_SUPPORT))
2635 			return -ENOBUFS;
2636 
2637 		nla_nest_end(msg, pd_caps);
2638 	}
2639 
2640 	if (cap->ftm.concurrent_ista_rsta_support &&
2641 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_CONCURRENT_ISTA_RSTA_SUPPORT))
2642 		return -ENOBUFS;
2643 
2644 	if (cap->ftm.type.pd_support) {
2645 		if (cap->ftm.pd_preambles &&
2646 		    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PD_PREAMBLES,
2647 				cap->ftm.pd_preambles))
2648 			return -ENOBUFS;
2649 		if (cap->ftm.pd_bandwidths &&
2650 		    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PD_BANDWIDTHS,
2651 				cap->ftm.pd_bandwidths))
2652 			return -ENOBUFS;
2653 	}
2654 
2655 	nla_nest_end(msg, ftm);
2656 	return 0;
2657 }
2658 
2659 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2660 				  struct sk_buff *msg)
2661 {
2662 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2663 	struct nlattr *pmsr, *caps;
2664 
2665 	if (!cap)
2666 		return 0;
2667 
2668 	/*
2669 	 * we don't need to clean up anything here since the caller
2670 	 * will genlmsg_cancel() if we fail
2671 	 */
2672 
2673 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2674 	if (!pmsr)
2675 		return -ENOBUFS;
2676 
2677 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2678 		return -ENOBUFS;
2679 
2680 	if (cap->report_ap_tsf &&
2681 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2682 		return -ENOBUFS;
2683 
2684 	if (cap->randomize_mac_addr &&
2685 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2686 		return -ENOBUFS;
2687 
2688 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2689 	if (!caps)
2690 		return -ENOBUFS;
2691 
2692 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2693 		return -ENOBUFS;
2694 
2695 	nla_nest_end(msg, caps);
2696 	nla_nest_end(msg, pmsr);
2697 
2698 	return 0;
2699 }
2700 
2701 static int
2702 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2703 			      struct sk_buff *msg)
2704 {
2705 	int i;
2706 	struct nlattr *nested, *nested_akms;
2707 	const struct wiphy_iftype_akm_suites *iftype_akms;
2708 
2709 	if (!rdev->wiphy.num_iftype_akm_suites ||
2710 	    !rdev->wiphy.iftype_akm_suites)
2711 		return 0;
2712 
2713 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2714 	if (!nested)
2715 		return -ENOBUFS;
2716 
2717 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2718 		nested_akms = nla_nest_start(msg, i + 1);
2719 		if (!nested_akms)
2720 			return -ENOBUFS;
2721 
2722 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2723 
2724 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2725 					iftype_akms->iftypes_mask))
2726 			return -ENOBUFS;
2727 
2728 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2729 			    sizeof(u32) * iftype_akms->n_akm_suites,
2730 			    iftype_akms->akm_suites)) {
2731 			return -ENOBUFS;
2732 		}
2733 		nla_nest_end(msg, nested_akms);
2734 	}
2735 
2736 	nla_nest_end(msg, nested);
2737 
2738 	return 0;
2739 }
2740 
2741 static int
2742 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2743 			       struct sk_buff *msg)
2744 {
2745 	struct nlattr *supp;
2746 
2747 	if (!rdev->wiphy.tid_config_support.vif &&
2748 	    !rdev->wiphy.tid_config_support.peer)
2749 		return 0;
2750 
2751 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2752 	if (!supp)
2753 		return -ENOSPC;
2754 
2755 	if (rdev->wiphy.tid_config_support.vif &&
2756 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2757 			      rdev->wiphy.tid_config_support.vif,
2758 			      NL80211_TID_CONFIG_ATTR_PAD))
2759 		goto fail;
2760 
2761 	if (rdev->wiphy.tid_config_support.peer &&
2762 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2763 			      rdev->wiphy.tid_config_support.peer,
2764 			      NL80211_TID_CONFIG_ATTR_PAD))
2765 		goto fail;
2766 
2767 	/* for now we just use the same value ... makes more sense */
2768 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2769 		       rdev->wiphy.tid_config_support.max_retry))
2770 		goto fail;
2771 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2772 		       rdev->wiphy.tid_config_support.max_retry))
2773 		goto fail;
2774 
2775 	nla_nest_end(msg, supp);
2776 
2777 	return 0;
2778 fail:
2779 	nla_nest_cancel(msg, supp);
2780 	return -ENOBUFS;
2781 }
2782 
2783 static int
2784 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2785 		      struct sk_buff *msg)
2786 {
2787 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2788 	u8 num_freq_ranges;
2789 	int i;
2790 
2791 	if (!rdev->wiphy.sar_capa)
2792 		return 0;
2793 
2794 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2795 
2796 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2797 	if (!sar_capa)
2798 		return -ENOSPC;
2799 
2800 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2801 		goto fail;
2802 
2803 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2804 	if (!specs)
2805 		goto fail;
2806 
2807 	/* report supported freq_ranges */
2808 	for (i = 0; i < num_freq_ranges; i++) {
2809 		sub_freq_range = nla_nest_start(msg, i + 1);
2810 		if (!sub_freq_range)
2811 			goto fail;
2812 
2813 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2814 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2815 			goto fail;
2816 
2817 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2818 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2819 			goto fail;
2820 
2821 		nla_nest_end(msg, sub_freq_range);
2822 	}
2823 
2824 	nla_nest_end(msg, specs);
2825 	nla_nest_end(msg, sar_capa);
2826 
2827 	return 0;
2828 fail:
2829 	nla_nest_cancel(msg, sar_capa);
2830 	return -ENOBUFS;
2831 }
2832 
2833 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2834 {
2835 	struct nlattr *config;
2836 
2837 	if (!wiphy->mbssid_max_interfaces)
2838 		return 0;
2839 
2840 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2841 	if (!config)
2842 		return -ENOBUFS;
2843 
2844 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2845 		       wiphy->mbssid_max_interfaces))
2846 		goto fail;
2847 
2848 	if (wiphy->ema_max_profile_periodicity &&
2849 	    nla_put_u8(msg,
2850 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2851 		       wiphy->ema_max_profile_periodicity))
2852 		goto fail;
2853 
2854 	nla_nest_end(msg, config);
2855 	return 0;
2856 
2857 fail:
2858 	nla_nest_cancel(msg, config);
2859 	return -ENOBUFS;
2860 }
2861 
2862 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2863 {
2864 	const struct wiphy_radio *r = &wiphy->radio[idx];
2865 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2866 	struct nlattr *radio, *freq;
2867 	int i;
2868 
2869 	radio = nla_nest_start(msg, idx);
2870 	if (!radio)
2871 		return -ENOBUFS;
2872 
2873 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2874 		goto nla_put_failure;
2875 
2876 	if (rcfg->rts_threshold &&
2877 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2878 			rcfg->rts_threshold))
2879 		goto nla_put_failure;
2880 
2881 	if (r->antenna_mask &&
2882 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2883 			r->antenna_mask))
2884 		goto nla_put_failure;
2885 
2886 	for (i = 0; i < r->n_freq_range; i++) {
2887 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2888 
2889 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2890 		if (!freq)
2891 			goto nla_put_failure;
2892 
2893 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2894 				range->start_freq) ||
2895 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2896 				range->end_freq))
2897 			goto nla_put_failure;
2898 
2899 		nla_nest_end(msg, freq);
2900 	}
2901 
2902 	for (i = 0; i < r->n_iface_combinations; i++)
2903 		if (nl80211_put_ifcomb_data(msg, true,
2904 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2905 					    &r->iface_combinations[i],
2906 					    NLA_F_NESTED))
2907 			goto nla_put_failure;
2908 
2909 	nla_nest_end(msg, radio);
2910 
2911 	return 0;
2912 
2913 nla_put_failure:
2914 	return -ENOBUFS;
2915 }
2916 
2917 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2918 {
2919 	struct nlattr *radios;
2920 	int i;
2921 
2922 	if (!wiphy->n_radio)
2923 		return 0;
2924 
2925 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2926 	if (!radios)
2927 		return -ENOBUFS;
2928 
2929 	for (i = 0; i < wiphy->n_radio; i++)
2930 		if (nl80211_put_radio(wiphy, msg, i))
2931 			goto fail;
2932 
2933 	nla_nest_end(msg, radios);
2934 
2935 	if (nl80211_put_iface_combinations(wiphy, msg,
2936 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2937 					   -1, true, NLA_F_NESTED))
2938 		return -ENOBUFS;
2939 
2940 	return 0;
2941 
2942 fail:
2943 	nla_nest_cancel(msg, radios);
2944 	return -ENOBUFS;
2945 }
2946 
2947 static int nl80211_put_nan_phy_cap(struct wiphy *wiphy, struct sk_buff *msg)
2948 {
2949 	struct nlattr *nl_phy_cap;
2950 	const struct ieee80211_sta_ht_cap *ht_cap;
2951 	const struct ieee80211_sta_vht_cap *vht_cap;
2952 	const struct ieee80211_sta_he_cap *he_cap;
2953 
2954 	if (!cfg80211_iftype_allowed(wiphy, NL80211_IFTYPE_NAN_DATA, false, 0))
2955 		return 0;
2956 
2957 	ht_cap = &wiphy->nan_capa.phy.ht;
2958 	vht_cap = &wiphy->nan_capa.phy.vht;
2959 	he_cap = &wiphy->nan_capa.phy.he;
2960 
2961 	/* HT is mandatory */
2962 	if (WARN_ON(!ht_cap->ht_supported))
2963 		return 0;
2964 
2965 	nl_phy_cap = nla_nest_start_noflag(msg, NL80211_NAN_CAPA_PHY);
2966 	if (!nl_phy_cap)
2967 		return -ENOBUFS;
2968 
2969 	if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HT_MCS_SET,
2970 		    sizeof(ht_cap->mcs), &ht_cap->mcs) ||
2971 	    nla_put_u16(msg, NL80211_NAN_PHY_CAP_ATTR_HT_CAPA, ht_cap->cap) ||
2972 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_FACTOR,
2973 		       ht_cap->ampdu_factor) ||
2974 	    nla_put_u8(msg, NL80211_NAN_PHY_CAP_ATTR_HT_AMPDU_DENSITY,
2975 		       ht_cap->ampdu_density))
2976 		goto fail;
2977 
2978 	if (vht_cap->vht_supported) {
2979 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_MCS_SET,
2980 			    sizeof(vht_cap->vht_mcs), &vht_cap->vht_mcs) ||
2981 		    nla_put_u32(msg, NL80211_NAN_PHY_CAP_ATTR_VHT_CAPA,
2982 				vht_cap->cap))
2983 			goto fail;
2984 	}
2985 
2986 	if (he_cap->has_he) {
2987 		if (nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MAC,
2988 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
2989 			    he_cap->he_cap_elem.mac_cap_info) ||
2990 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PHY,
2991 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
2992 			    he_cap->he_cap_elem.phy_cap_info) ||
2993 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_MCS_SET,
2994 			    sizeof(he_cap->he_mcs_nss_supp),
2995 			    &he_cap->he_mcs_nss_supp) ||
2996 		    nla_put(msg, NL80211_NAN_PHY_CAP_ATTR_HE_PPE,
2997 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
2998 			goto fail;
2999 	}
3000 
3001 	nla_nest_end(msg, nl_phy_cap);
3002 	return 0;
3003 
3004 fail:
3005 	nla_nest_cancel(msg, nl_phy_cap);
3006 	return -ENOBUFS;
3007 }
3008 
3009 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
3010 {
3011 	struct nlattr *nan_caps;
3012 
3013 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
3014 	if (!nan_caps)
3015 		return -ENOBUFS;
3016 
3017 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
3018 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
3019 		goto fail;
3020 
3021 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
3022 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
3023 		goto fail;
3024 
3025 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
3026 		       wiphy->nan_capa.op_mode) ||
3027 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
3028 		       wiphy->nan_capa.n_antennas) ||
3029 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
3030 			wiphy->nan_capa.max_channel_switch_time) ||
3031 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
3032 		       wiphy->nan_capa.dev_capabilities))
3033 		goto fail;
3034 
3035 	if (nl80211_put_nan_phy_cap(wiphy, msg))
3036 		goto fail;
3037 
3038 	nla_nest_end(msg, nan_caps);
3039 
3040 	return 0;
3041 
3042 fail:
3043 	nla_nest_cancel(msg, nan_caps);
3044 	return -ENOBUFS;
3045 }
3046 
3047 struct nl80211_dump_wiphy_state {
3048 	s64 filter_wiphy;
3049 	long start;
3050 	long split_start, band_start, chan_start, capa_start;
3051 	bool split;
3052 };
3053 
3054 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
3055 			      enum nl80211_commands cmd,
3056 			      struct sk_buff *msg, u32 portid, u32 seq,
3057 			      int flags, struct nl80211_dump_wiphy_state *state)
3058 {
3059 	void *hdr;
3060 	struct nlattr *nl_bands, *nl_band;
3061 	struct nlattr *nl_freqs, *nl_freq;
3062 	struct nlattr *nl_cmds;
3063 	enum nl80211_band band;
3064 	struct ieee80211_channel *chan;
3065 	int i;
3066 	const struct ieee80211_txrx_stypes *mgmt_stypes =
3067 				rdev->wiphy.mgmt_stypes;
3068 	u32 features;
3069 
3070 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3071 	if (!hdr)
3072 		return -ENOBUFS;
3073 
3074 	if (WARN_ON(!state))
3075 		return -EINVAL;
3076 
3077 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3078 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
3079 			   wiphy_name(&rdev->wiphy)) ||
3080 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3081 			cfg80211_rdev_list_generation))
3082 		goto nla_put_failure;
3083 
3084 	if (cmd != NL80211_CMD_NEW_WIPHY)
3085 		goto finish;
3086 
3087 	switch (state->split_start) {
3088 	case 0:
3089 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
3090 			       rdev->wiphy.retry_short) ||
3091 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
3092 			       rdev->wiphy.retry_long) ||
3093 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
3094 				rdev->wiphy.frag_threshold) ||
3095 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
3096 				rdev->wiphy.rts_threshold) ||
3097 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
3098 			       rdev->wiphy.coverage_class) ||
3099 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
3100 			       rdev->wiphy.max_scan_ssids) ||
3101 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
3102 			       rdev->wiphy.max_sched_scan_ssids) ||
3103 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
3104 				rdev->wiphy.max_scan_ie_len) ||
3105 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
3106 				rdev->wiphy.max_sched_scan_ie_len) ||
3107 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
3108 			       rdev->wiphy.max_match_sets))
3109 			goto nla_put_failure;
3110 
3111 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
3112 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
3113 			goto nla_put_failure;
3114 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
3115 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
3116 			goto nla_put_failure;
3117 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
3118 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
3119 			goto nla_put_failure;
3120 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
3121 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
3122 			goto nla_put_failure;
3123 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
3124 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
3125 			goto nla_put_failure;
3126 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
3127 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
3128 			goto nla_put_failure;
3129 		state->split_start++;
3130 		if (state->split)
3131 			break;
3132 		fallthrough;
3133 	case 1:
3134 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
3135 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
3136 			    rdev->wiphy.cipher_suites))
3137 			goto nla_put_failure;
3138 
3139 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
3140 			       rdev->wiphy.max_num_pmkids))
3141 			goto nla_put_failure;
3142 
3143 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
3144 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
3145 			goto nla_put_failure;
3146 
3147 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
3148 				rdev->wiphy.available_antennas_tx) ||
3149 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
3150 				rdev->wiphy.available_antennas_rx))
3151 			goto nla_put_failure;
3152 
3153 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
3154 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
3155 				rdev->wiphy.probe_resp_offload))
3156 			goto nla_put_failure;
3157 
3158 		if ((rdev->wiphy.available_antennas_tx ||
3159 		     rdev->wiphy.available_antennas_rx) &&
3160 		    rdev->ops->get_antenna) {
3161 			u32 tx_ant = 0, rx_ant = 0;
3162 			int res;
3163 
3164 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
3165 			if (!res) {
3166 				if (nla_put_u32(msg,
3167 						NL80211_ATTR_WIPHY_ANTENNA_TX,
3168 						tx_ant) ||
3169 				    nla_put_u32(msg,
3170 						NL80211_ATTR_WIPHY_ANTENNA_RX,
3171 						rx_ant))
3172 					goto nla_put_failure;
3173 			}
3174 		}
3175 
3176 		state->split_start++;
3177 		if (state->split)
3178 			break;
3179 		fallthrough;
3180 	case 2:
3181 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
3182 					rdev->wiphy.interface_modes))
3183 				goto nla_put_failure;
3184 		state->split_start++;
3185 		if (state->split)
3186 			break;
3187 		fallthrough;
3188 	case 3:
3189 		nl_bands = nla_nest_start_noflag(msg,
3190 						 NL80211_ATTR_WIPHY_BANDS);
3191 		if (!nl_bands)
3192 			goto nla_put_failure;
3193 
3194 		for (band = state->band_start;
3195 		     band < (state->split ?
3196 				NUM_NL80211_BANDS :
3197 				NL80211_BAND_60GHZ + 1);
3198 		     band++) {
3199 			struct ieee80211_supported_band *sband;
3200 
3201 			/* omit higher bands for ancient software */
3202 			if (band > NL80211_BAND_5GHZ && !state->split)
3203 				break;
3204 
3205 			sband = rdev->wiphy.bands[band];
3206 
3207 			if (!sband)
3208 				continue;
3209 
3210 			nl_band = nla_nest_start_noflag(msg, band);
3211 			if (!nl_band)
3212 				goto nla_put_failure;
3213 
3214 			switch (state->chan_start) {
3215 			case 0:
3216 				if (nl80211_send_band_rateinfo(msg, sband,
3217 							       state->split))
3218 					goto nla_put_failure;
3219 				state->chan_start++;
3220 				if (state->split)
3221 					break;
3222 				fallthrough;
3223 			default:
3224 				/* add frequencies */
3225 				nl_freqs = nla_nest_start_noflag(msg,
3226 								 NL80211_BAND_ATTR_FREQS);
3227 				if (!nl_freqs)
3228 					goto nla_put_failure;
3229 
3230 				for (i = state->chan_start - 1;
3231 				     i < sband->n_channels;
3232 				     i++) {
3233 					nl_freq = nla_nest_start_noflag(msg,
3234 									i);
3235 					if (!nl_freq)
3236 						goto nla_put_failure;
3237 
3238 					chan = &sband->channels[i];
3239 
3240 					if (nl80211_msg_put_channel(
3241 							msg, &rdev->wiphy, chan,
3242 							state->split))
3243 						goto nla_put_failure;
3244 
3245 					nla_nest_end(msg, nl_freq);
3246 					if (state->split)
3247 						break;
3248 				}
3249 				if (i < sband->n_channels)
3250 					state->chan_start = i + 2;
3251 				else
3252 					state->chan_start = 0;
3253 				nla_nest_end(msg, nl_freqs);
3254 			}
3255 
3256 			nla_nest_end(msg, nl_band);
3257 
3258 			if (state->split) {
3259 				/* start again here */
3260 				if (state->chan_start)
3261 					band--;
3262 				break;
3263 			}
3264 		}
3265 		nla_nest_end(msg, nl_bands);
3266 
3267 		if (band < NUM_NL80211_BANDS)
3268 			state->band_start = band + 1;
3269 		else
3270 			state->band_start = 0;
3271 
3272 		/* if bands & channels are done, continue outside */
3273 		if (state->band_start == 0 && state->chan_start == 0)
3274 			state->split_start++;
3275 		if (state->split)
3276 			break;
3277 		fallthrough;
3278 	case 4:
3279 		nl_cmds = nla_nest_start_noflag(msg,
3280 						NL80211_ATTR_SUPPORTED_COMMANDS);
3281 		if (!nl_cmds)
3282 			goto nla_put_failure;
3283 
3284 		i = nl80211_add_commands_unsplit(rdev, msg);
3285 		if (i < 0)
3286 			goto nla_put_failure;
3287 		if (state->split) {
3288 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
3289 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
3290 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
3291 				CMD(channel_switch, CHANNEL_SWITCH);
3292 			CMD(set_qos_map, SET_QOS_MAP);
3293 			if (rdev->wiphy.features &
3294 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
3295 				CMD(add_tx_ts, ADD_TX_TS);
3296 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
3297 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
3298 			CMD(update_ft_ies, UPDATE_FT_IES);
3299 			if (rdev->wiphy.sar_capa)
3300 				CMD(set_sar_specs, SET_SAR_SPECS);
3301 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
3302 		}
3303 #undef CMD
3304 
3305 		nla_nest_end(msg, nl_cmds);
3306 		state->split_start++;
3307 		if (state->split)
3308 			break;
3309 		fallthrough;
3310 	case 5:
3311 		if (rdev->ops->remain_on_channel &&
3312 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
3313 		    nla_put_u32(msg,
3314 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
3315 				rdev->wiphy.max_remain_on_channel_duration))
3316 			goto nla_put_failure;
3317 
3318 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
3319 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
3320 			goto nla_put_failure;
3321 
3322 		state->split_start++;
3323 		if (state->split)
3324 			break;
3325 		fallthrough;
3326 	case 6:
3327 #ifdef CONFIG_PM
3328 		if (nl80211_send_wowlan(msg, rdev, state->split))
3329 			goto nla_put_failure;
3330 		state->split_start++;
3331 		if (state->split)
3332 			break;
3333 #else
3334 		state->split_start++;
3335 #endif
3336 		fallthrough;
3337 	case 7:
3338 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
3339 					rdev->wiphy.software_iftypes))
3340 			goto nla_put_failure;
3341 
3342 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
3343 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
3344 						   rdev->wiphy.n_radio ? 0 : -1,
3345 						   state->split, 0))
3346 			goto nla_put_failure;
3347 
3348 		state->split_start++;
3349 		if (state->split)
3350 			break;
3351 		fallthrough;
3352 	case 8:
3353 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3354 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3355 				rdev->wiphy.ap_sme_capa))
3356 			goto nla_put_failure;
3357 
3358 		features = rdev->wiphy.features;
3359 		/*
3360 		 * We can only add the per-channel limit information if the
3361 		 * dump is split, otherwise it makes it too big. Therefore
3362 		 * only advertise it in that case.
3363 		 */
3364 		if (state->split)
3365 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3366 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3367 			goto nla_put_failure;
3368 
3369 		if (rdev->wiphy.ht_capa_mod_mask &&
3370 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3371 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3372 			    rdev->wiphy.ht_capa_mod_mask))
3373 			goto nla_put_failure;
3374 
3375 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3376 		    rdev->wiphy.max_acl_mac_addrs &&
3377 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3378 				rdev->wiphy.max_acl_mac_addrs))
3379 			goto nla_put_failure;
3380 
3381 		/*
3382 		 * Any information below this point is only available to
3383 		 * applications that can deal with it being split. This
3384 		 * helps ensure that newly added capabilities don't break
3385 		 * older tools by overrunning their buffers.
3386 		 *
3387 		 * We still increment split_start so that in the split
3388 		 * case we'll continue with more data in the next round,
3389 		 * but break unconditionally so unsplit data stops here.
3390 		 */
3391 		if (state->split)
3392 			state->split_start++;
3393 		else
3394 			state->split_start = 0;
3395 		break;
3396 	case 9:
3397 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3398 			goto nla_put_failure;
3399 
3400 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3401 				rdev->wiphy.max_sched_scan_plans) ||
3402 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3403 				rdev->wiphy.max_sched_scan_plan_interval) ||
3404 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3405 				rdev->wiphy.max_sched_scan_plan_iterations))
3406 			goto nla_put_failure;
3407 
3408 		if (rdev->wiphy.extended_capabilities &&
3409 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3410 			     rdev->wiphy.extended_capabilities_len,
3411 			     rdev->wiphy.extended_capabilities) ||
3412 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3413 			     rdev->wiphy.extended_capabilities_len,
3414 			     rdev->wiphy.extended_capabilities_mask)))
3415 			goto nla_put_failure;
3416 
3417 		if (rdev->wiphy.vht_capa_mod_mask &&
3418 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3419 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3420 			    rdev->wiphy.vht_capa_mod_mask))
3421 			goto nla_put_failure;
3422 
3423 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3424 			    rdev->wiphy.perm_addr))
3425 			goto nla_put_failure;
3426 
3427 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3428 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3429 			    rdev->wiphy.addr_mask))
3430 			goto nla_put_failure;
3431 
3432 		if (rdev->wiphy.n_addresses > 1) {
3433 			void *attr;
3434 
3435 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3436 			if (!attr)
3437 				goto nla_put_failure;
3438 
3439 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3440 				if (nla_put(msg, i + 1, ETH_ALEN,
3441 					    rdev->wiphy.addresses[i].addr))
3442 					goto nla_put_failure;
3443 
3444 			nla_nest_end(msg, attr);
3445 		}
3446 
3447 		state->split_start++;
3448 		break;
3449 	case 10:
3450 		if (nl80211_send_coalesce(msg, rdev))
3451 			goto nla_put_failure;
3452 
3453 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3454 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3455 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3456 			goto nla_put_failure;
3457 
3458 		if (rdev->wiphy.max_ap_assoc_sta &&
3459 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3460 				rdev->wiphy.max_ap_assoc_sta))
3461 			goto nla_put_failure;
3462 
3463 		state->split_start++;
3464 		break;
3465 	case 11:
3466 		if (rdev->wiphy.n_vendor_commands) {
3467 			const struct nl80211_vendor_cmd_info *info;
3468 			struct nlattr *nested;
3469 
3470 			nested = nla_nest_start_noflag(msg,
3471 						       NL80211_ATTR_VENDOR_DATA);
3472 			if (!nested)
3473 				goto nla_put_failure;
3474 
3475 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3476 				info = &rdev->wiphy.vendor_commands[i].info;
3477 				if (nla_put(msg, i + 1, sizeof(*info), info))
3478 					goto nla_put_failure;
3479 			}
3480 			nla_nest_end(msg, nested);
3481 		}
3482 
3483 		if (rdev->wiphy.n_vendor_events) {
3484 			const struct nl80211_vendor_cmd_info *info;
3485 			struct nlattr *nested;
3486 
3487 			nested = nla_nest_start_noflag(msg,
3488 						       NL80211_ATTR_VENDOR_EVENTS);
3489 			if (!nested)
3490 				goto nla_put_failure;
3491 
3492 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3493 				info = &rdev->wiphy.vendor_events[i];
3494 				if (nla_put(msg, i + 1, sizeof(*info), info))
3495 					goto nla_put_failure;
3496 			}
3497 			nla_nest_end(msg, nested);
3498 		}
3499 		state->split_start++;
3500 		break;
3501 	case 12:
3502 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3503 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3504 			       rdev->wiphy.max_num_csa_counters))
3505 			goto nla_put_failure;
3506 
3507 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3508 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3509 			goto nla_put_failure;
3510 
3511 		if (rdev->wiphy.max_sched_scan_reqs &&
3512 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3513 				rdev->wiphy.max_sched_scan_reqs))
3514 			goto nla_put_failure;
3515 
3516 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3517 			    sizeof(rdev->wiphy.ext_features),
3518 			    rdev->wiphy.ext_features))
3519 			goto nla_put_failure;
3520 
3521 		if (rdev->wiphy.bss_param_support) {
3522 			struct nlattr *nested;
3523 			u32 parsup = rdev->wiphy.bss_param_support;
3524 
3525 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3526 			if (!nested)
3527 				goto nla_put_failure;
3528 
3529 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3530 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3531 				goto nla_put_failure;
3532 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3533 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3534 				goto nla_put_failure;
3535 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3536 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3537 				goto nla_put_failure;
3538 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3539 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3540 				goto nla_put_failure;
3541 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3542 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3543 				goto nla_put_failure;
3544 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3545 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3546 				goto nla_put_failure;
3547 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3548 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3549 				goto nla_put_failure;
3550 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3551 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3552 				goto nla_put_failure;
3553 			nla_nest_end(msg, nested);
3554 		}
3555 		if (rdev->wiphy.bss_select_support) {
3556 			struct nlattr *nested;
3557 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3558 
3559 			nested = nla_nest_start_noflag(msg,
3560 						       NL80211_ATTR_BSS_SELECT);
3561 			if (!nested)
3562 				goto nla_put_failure;
3563 
3564 			i = 0;
3565 			while (bss_select_support) {
3566 				if ((bss_select_support & 1) &&
3567 				    nla_put_flag(msg, i))
3568 					goto nla_put_failure;
3569 				i++;
3570 				bss_select_support >>= 1;
3571 			}
3572 			nla_nest_end(msg, nested);
3573 		}
3574 
3575 		state->split_start++;
3576 		break;
3577 	case 13:
3578 		if (rdev->wiphy.num_iftype_ext_capab &&
3579 		    rdev->wiphy.iftype_ext_capab) {
3580 			struct nlattr *nested_ext_capab, *nested;
3581 
3582 			nested = nla_nest_start_noflag(msg,
3583 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3584 			if (!nested)
3585 				goto nla_put_failure;
3586 
3587 			for (i = state->capa_start;
3588 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3589 				const struct wiphy_iftype_ext_capab *capab;
3590 
3591 				capab = &rdev->wiphy.iftype_ext_capab[i];
3592 
3593 				nested_ext_capab = nla_nest_start_noflag(msg,
3594 									 i);
3595 				if (!nested_ext_capab ||
3596 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3597 						capab->iftype) ||
3598 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3599 					    capab->extended_capabilities_len,
3600 					    capab->extended_capabilities) ||
3601 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3602 					    capab->extended_capabilities_len,
3603 					    capab->extended_capabilities_mask))
3604 					goto nla_put_failure;
3605 
3606 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3607 				    (nla_put_u16(msg,
3608 						 NL80211_ATTR_EML_CAPABILITY,
3609 						 capab->eml_capabilities) ||
3610 				     nla_put_u16(msg,
3611 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3612 						 capab->mld_capa_and_ops)))
3613 					goto nla_put_failure;
3614 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3615 				    capab->ext_mld_capa_and_ops &&
3616 				    nla_put_u16(msg,
3617 						NL80211_ATTR_EXT_MLD_CAPA_AND_OPS,
3618 						capab->ext_mld_capa_and_ops))
3619 					goto nla_put_failure;
3620 
3621 				nla_nest_end(msg, nested_ext_capab);
3622 				if (state->split)
3623 					break;
3624 			}
3625 			nla_nest_end(msg, nested);
3626 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3627 				state->capa_start = i + 1;
3628 				break;
3629 			}
3630 		}
3631 
3632 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3633 				rdev->wiphy.nan_supported_bands))
3634 			goto nla_put_failure;
3635 
3636 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3637 					    NL80211_EXT_FEATURE_TXQS)) {
3638 			struct cfg80211_txq_stats txqstats = {};
3639 			int res;
3640 
3641 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3642 			if (!res &&
3643 			    !nl80211_put_txq_stats(msg, &txqstats,
3644 						   NL80211_ATTR_TXQ_STATS))
3645 				goto nla_put_failure;
3646 
3647 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3648 					rdev->wiphy.txq_limit))
3649 				goto nla_put_failure;
3650 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3651 					rdev->wiphy.txq_memory_limit))
3652 				goto nla_put_failure;
3653 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3654 					rdev->wiphy.txq_quantum))
3655 				goto nla_put_failure;
3656 		}
3657 
3658 		state->split_start++;
3659 		break;
3660 	case 14:
3661 		if (nl80211_send_pmsr_capa(rdev, msg))
3662 			goto nla_put_failure;
3663 
3664 		state->split_start++;
3665 		break;
3666 	case 15:
3667 		if (rdev->wiphy.akm_suites &&
3668 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3669 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3670 			    rdev->wiphy.akm_suites))
3671 			goto nla_put_failure;
3672 
3673 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3674 			goto nla_put_failure;
3675 
3676 		if (nl80211_put_tid_config_support(rdev, msg))
3677 			goto nla_put_failure;
3678 		state->split_start++;
3679 		break;
3680 	case 16:
3681 		if (nl80211_put_sar_specs(rdev, msg))
3682 			goto nla_put_failure;
3683 
3684 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3685 			goto nla_put_failure;
3686 
3687 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3688 				rdev->wiphy.max_num_akm_suites))
3689 			goto nla_put_failure;
3690 
3691 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3692 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3693 
3694 		if (rdev->wiphy.hw_timestamp_max_peers &&
3695 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3696 				rdev->wiphy.hw_timestamp_max_peers))
3697 			goto nla_put_failure;
3698 
3699 		state->split_start++;
3700 		break;
3701 	case 17:
3702 		if (nl80211_put_radios(&rdev->wiphy, msg))
3703 			goto nla_put_failure;
3704 
3705 		state->split_start++;
3706 		break;
3707 	case 18:
3708 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3709 			goto nla_put_failure;
3710 
3711 		/* done */
3712 		state->split_start = 0;
3713 		break;
3714 	}
3715  finish:
3716 	genlmsg_end(msg, hdr);
3717 	return 0;
3718 
3719  nla_put_failure:
3720 	genlmsg_cancel(msg, hdr);
3721 	return -EMSGSIZE;
3722 }
3723 
3724 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3725 				    struct netlink_callback *cb,
3726 				    struct nl80211_dump_wiphy_state *state)
3727 {
3728 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3729 	int ret;
3730 
3731 	if (!tb)
3732 		return -ENOMEM;
3733 
3734 	ret = nlmsg_parse_deprecated(cb->nlh,
3735 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3736 				     tb, nl80211_fam.maxattr,
3737 				     nl80211_policy, NULL);
3738 	/* ignore parse errors for backward compatibility */
3739 	if (ret) {
3740 		ret = 0;
3741 		goto out;
3742 	}
3743 
3744 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3745 	if (tb[NL80211_ATTR_WIPHY])
3746 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3747 	if (tb[NL80211_ATTR_WDEV])
3748 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3749 	if (tb[NL80211_ATTR_IFINDEX]) {
3750 		struct net_device *netdev;
3751 		struct cfg80211_registered_device *rdev;
3752 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3753 
3754 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3755 		if (!netdev) {
3756 			ret = -ENODEV;
3757 			goto out;
3758 		}
3759 		if (netdev->ieee80211_ptr) {
3760 			rdev = wiphy_to_rdev(
3761 				netdev->ieee80211_ptr->wiphy);
3762 			state->filter_wiphy = rdev->wiphy_idx;
3763 		}
3764 	}
3765 
3766 	ret = 0;
3767 out:
3768 	kfree(tb);
3769 	return ret;
3770 }
3771 
3772 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3773 {
3774 	int idx = 0, ret;
3775 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3776 	struct cfg80211_registered_device *rdev;
3777 
3778 	rtnl_lock();
3779 	if (!state) {
3780 		state = kzalloc_obj(*state);
3781 		if (!state) {
3782 			rtnl_unlock();
3783 			return -ENOMEM;
3784 		}
3785 		state->filter_wiphy = -1;
3786 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3787 		if (ret) {
3788 			kfree(state);
3789 			rtnl_unlock();
3790 			return ret;
3791 		}
3792 		cb->args[0] = (long)state;
3793 	}
3794 
3795 	for_each_rdev(rdev) {
3796 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3797 			continue;
3798 		if (++idx <= state->start)
3799 			continue;
3800 		if (state->filter_wiphy != -1 &&
3801 		    state->filter_wiphy != rdev->wiphy_idx)
3802 			continue;
3803 		wiphy_lock(&rdev->wiphy);
3804 		/* attempt to fit multiple wiphy data chunks into the skb */
3805 		do {
3806 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3807 						 skb,
3808 						 NETLINK_CB(cb->skb).portid,
3809 						 cb->nlh->nlmsg_seq,
3810 						 NLM_F_MULTI, state);
3811 			if (ret < 0) {
3812 				/*
3813 				 * If sending the wiphy data didn't fit (ENOBUFS
3814 				 * or EMSGSIZE returned), this SKB is still
3815 				 * empty (so it's not too big because another
3816 				 * wiphy dataset is already in the skb) and
3817 				 * we've not tried to adjust the dump allocation
3818 				 * yet ... then adjust the alloc size to be
3819 				 * bigger, and return 1 but with the empty skb.
3820 				 * This results in an empty message being RX'ed
3821 				 * in userspace, but that is ignored.
3822 				 *
3823 				 * We can then retry with the larger buffer.
3824 				 */
3825 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3826 				    !skb->len && !state->split &&
3827 				    cb->min_dump_alloc < 4096) {
3828 					cb->min_dump_alloc = 4096;
3829 					state->split_start = 0;
3830 					wiphy_unlock(&rdev->wiphy);
3831 					rtnl_unlock();
3832 					return 1;
3833 				}
3834 				idx--;
3835 				break;
3836 			}
3837 		} while (state->split_start > 0);
3838 		wiphy_unlock(&rdev->wiphy);
3839 		break;
3840 	}
3841 	rtnl_unlock();
3842 
3843 	state->start = idx;
3844 
3845 	return skb->len;
3846 }
3847 
3848 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3849 {
3850 	kfree((void *)cb->args[0]);
3851 	return 0;
3852 }
3853 
3854 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3855 {
3856 	struct sk_buff *msg;
3857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3858 	struct nl80211_dump_wiphy_state state = {};
3859 
3860 	msg = nlmsg_new(4096, GFP_KERNEL);
3861 	if (!msg)
3862 		return -ENOMEM;
3863 
3864 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3865 			       info->snd_portid, info->snd_seq, 0,
3866 			       &state) < 0) {
3867 		nlmsg_free(msg);
3868 		return -ENOBUFS;
3869 	}
3870 
3871 	return genlmsg_reply(msg, info);
3872 }
3873 
3874 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3875 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3876 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3877 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3878 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3879 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3880 };
3881 
3882 static int parse_txq_params(struct nlattr *tb[],
3883 			    struct ieee80211_txq_params *txq_params)
3884 {
3885 	u8 ac;
3886 
3887 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3888 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3889 	    !tb[NL80211_TXQ_ATTR_AIFS])
3890 		return -EINVAL;
3891 
3892 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3893 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3894 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3895 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3896 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3897 
3898 	if (ac >= NL80211_NUM_ACS)
3899 		return -EINVAL;
3900 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3901 	return 0;
3902 }
3903 
3904 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3905 {
3906 	/*
3907 	 * You can only set the channel explicitly for some interfaces,
3908 	 * most have their channel managed via their respective
3909 	 * "establish a connection" command (connect, join, ...)
3910 	 *
3911 	 * For AP/GO and mesh mode, the channel can be set with the
3912 	 * channel userspace API, but is only stored and passed to the
3913 	 * low-level driver when the AP starts or the mesh is joined.
3914 	 * This is for backward compatibility, userspace can also give
3915 	 * the channel in the start-ap or join-mesh commands instead.
3916 	 *
3917 	 * Monitors are special as they are normally slaved to
3918 	 * whatever else is going on, so they have their own special
3919 	 * operation to set the monitor channel if possible.
3920 	 */
3921 	return !wdev ||
3922 		wdev->iftype == NL80211_IFTYPE_AP ||
3923 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3924 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3925 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3926 }
3927 
3928 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3929 				  struct netlink_ext_ack *extack,
3930 				  struct nlattr **attrs, bool monitor,
3931 				  struct cfg80211_chan_def *chandef,
3932 				  bool permit_npca)
3933 {
3934 	u32 control_freq;
3935 
3936 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3937 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3938 				    "Frequency is missing");
3939 		return -EINVAL;
3940 	}
3941 
3942 	control_freq = MHZ_TO_KHZ(
3943 			nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
3944 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3945 		control_freq +=
3946 		    nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3947 
3948 	memset(chandef, 0, sizeof(*chandef));
3949 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3950 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3951 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3952 	chandef->freq1_offset = control_freq % 1000;
3953 	chandef->center_freq2 = 0;
3954 	chandef->s1g_primary_2mhz = false;
3955 
3956 	if (!chandef->chan) {
3957 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3958 				    "Unknown channel");
3959 		return -EINVAL;
3960 	}
3961 
3962 	if (cfg80211_chandef_is_s1g(chandef))
3963 		chandef->width = NL80211_CHAN_WIDTH_1;
3964 
3965 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3966 		enum nl80211_channel_type chantype;
3967 
3968 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3969 
3970 		switch (chantype) {
3971 		case NL80211_CHAN_NO_HT:
3972 		case NL80211_CHAN_HT20:
3973 		case NL80211_CHAN_HT40PLUS:
3974 		case NL80211_CHAN_HT40MINUS:
3975 			if (chandef->chan->band == NL80211_BAND_60GHZ ||
3976 			    chandef->chan->band == NL80211_BAND_S1GHZ)
3977 				return -EINVAL;
3978 			cfg80211_chandef_create(chandef, chandef->chan,
3979 						chantype);
3980 			/* user input for center_freq is incorrect */
3981 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3982 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3983 				NL_SET_ERR_MSG_ATTR(extack,
3984 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3985 						    "bad center frequency 1");
3986 				return -EINVAL;
3987 			}
3988 			/* center_freq2 must be zero */
3989 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3990 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3991 				NL_SET_ERR_MSG_ATTR(extack,
3992 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3993 						    "center frequency 2 can't be used");
3994 				return -EINVAL;
3995 			}
3996 			break;
3997 		default:
3998 			NL_SET_ERR_MSG_ATTR(extack,
3999 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
4000 					    "invalid channel type");
4001 			return -EINVAL;
4002 		}
4003 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
4004 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
4005 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
4006 			chandef->center_freq1 =
4007 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
4008 			chandef->freq1_offset = nla_get_u32_default(
4009 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
4010 		}
4011 
4012 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
4013 			chandef->center_freq2 =
4014 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
4015 
4016 		chandef->s1g_primary_2mhz = nla_get_flag(
4017 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
4018 	}
4019 
4020 	if (attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
4021 		chandef->edmg.channels =
4022 		      nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
4023 
4024 		if (attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
4025 			chandef->edmg.bw_config =
4026 		     nla_get_u8(attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
4027 	} else {
4028 		chandef->edmg.bw_config = 0;
4029 		chandef->edmg.channels = 0;
4030 	}
4031 
4032 	if (attrs[NL80211_ATTR_PUNCT_BITMAP]) {
4033 		chandef->punctured =
4034 			nla_get_u32(attrs[NL80211_ATTR_PUNCT_BITMAP]);
4035 
4036 		if (chandef->punctured &&
4037 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4038 					     NL80211_EXT_FEATURE_PUNCT)) {
4039 			NL_SET_ERR_MSG_ATTR(extack,
4040 					    attrs[NL80211_ATTR_WIPHY_FREQ],
4041 					    "driver doesn't support puncturing");
4042 			return -EINVAL;
4043 		}
4044 	}
4045 
4046 	if (attrs[NL80211_ATTR_NPCA_PRIMARY_FREQ]) {
4047 		if (!permit_npca) {
4048 			NL_SET_ERR_MSG_ATTR(extack,
4049 					    attrs[NL80211_ATTR_NPCA_PRIMARY_FREQ],
4050 					    "NPCA not supported");
4051 			return -EINVAL;
4052 		}
4053 
4054 		chandef->npca_chan =
4055 			ieee80211_get_channel(&rdev->wiphy,
4056 					      nla_get_u32(attrs[NL80211_ATTR_NPCA_PRIMARY_FREQ]));
4057 		if (!chandef->npca_chan) {
4058 			NL_SET_ERR_MSG_ATTR(extack,
4059 					    attrs[NL80211_ATTR_NPCA_PRIMARY_FREQ],
4060 					    "invalid NPCA primary channel");
4061 			return -EINVAL;
4062 		}
4063 
4064 		chandef->npca_punctured =
4065 			nla_get_u32_default(attrs[NL80211_ATTR_NPCA_PUNCT_BITMAP],
4066 					    chandef->punctured);
4067 	} else if (attrs[NL80211_ATTR_NPCA_PUNCT_BITMAP]) {
4068 		NL_SET_ERR_MSG_ATTR(extack,
4069 				    attrs[NL80211_ATTR_NPCA_PUNCT_BITMAP],
4070 				    "NPCA puncturing only valid with NPCA");
4071 		return -EINVAL;
4072 	}
4073 
4074 	if (!cfg80211_chandef_valid(chandef)) {
4075 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
4076 				    "invalid channel definition");
4077 		return -EINVAL;
4078 	}
4079 
4080 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
4081 				      IEEE80211_CHAN_DISABLED,
4082 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
4083 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
4084 				    "(extension) channel is disabled");
4085 		return -EINVAL;
4086 	}
4087 
4088 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
4089 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
4090 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
4091 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
4092 		return -EINVAL;
4093 	}
4094 
4095 	return 0;
4096 }
4097 
4098 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
4099 			  struct netlink_ext_ack *extack,
4100 			  struct nlattr **attrs,
4101 			  struct cfg80211_chan_def *chandef,
4102 			  bool permit_npca)
4103 {
4104 	return _nl80211_parse_chandef(rdev, extack, attrs, false, chandef,
4105 				      permit_npca);
4106 }
4107 
4108 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
4109 				 struct net_device *dev,
4110 				 struct genl_info *info,
4111 				 int _link_id)
4112 {
4113 	struct cfg80211_chan_def chandef;
4114 	int result;
4115 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
4116 	struct wireless_dev *wdev = NULL;
4117 	int link_id = _link_id;
4118 	bool permit_npca;
4119 
4120 	if (dev)
4121 		wdev = dev->ieee80211_ptr;
4122 	if (!nl80211_can_set_dev_channel(wdev))
4123 		return -EOPNOTSUPP;
4124 	if (wdev)
4125 		iftype = wdev->iftype;
4126 
4127 	if (link_id < 0) {
4128 		if (wdev && wdev->valid_links)
4129 			return -EINVAL;
4130 		link_id = 0;
4131 	}
4132 
4133 	/* allow parsing it - will check on start_ap or below */
4134 	permit_npca = iftype == NL80211_IFTYPE_AP ||
4135 		      iftype == NL80211_IFTYPE_P2P_GO;
4136 
4137 	result = _nl80211_parse_chandef(rdev, info->extack, info->attrs,
4138 					iftype == NL80211_IFTYPE_MONITOR,
4139 					&chandef, permit_npca);
4140 	if (result)
4141 		return result;
4142 
4143 	switch (iftype) {
4144 	case NL80211_IFTYPE_AP:
4145 	case NL80211_IFTYPE_P2P_GO:
4146 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
4147 						   iftype))
4148 			return -EINVAL;
4149 		if (wdev->links[link_id].ap.beacon_interval) {
4150 			struct ieee80211_channel *cur_chan;
4151 
4152 			if (!dev || !rdev->ops->set_ap_chanwidth ||
4153 			    !(rdev->wiphy.features &
4154 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
4155 				return -EBUSY;
4156 
4157 			/* Only allow dynamic channel width changes */
4158 			cur_chan = wdev->links[link_id].ap.chandef.npca_chan;
4159 			if (chandef.npca_chan != cur_chan)
4160 				return -EBUSY;
4161 			cur_chan = wdev->links[link_id].ap.chandef.chan;
4162 			if (chandef.chan != cur_chan)
4163 				return -EBUSY;
4164 
4165 			/* only allow this for regular channel widths */
4166 			switch (wdev->links[link_id].ap.chandef.width) {
4167 			case NL80211_CHAN_WIDTH_20_NOHT:
4168 			case NL80211_CHAN_WIDTH_20:
4169 			case NL80211_CHAN_WIDTH_40:
4170 			case NL80211_CHAN_WIDTH_80:
4171 			case NL80211_CHAN_WIDTH_80P80:
4172 			case NL80211_CHAN_WIDTH_160:
4173 			case NL80211_CHAN_WIDTH_320:
4174 				break;
4175 			default:
4176 				return -EINVAL;
4177 			}
4178 
4179 			switch (chandef.width) {
4180 			case NL80211_CHAN_WIDTH_20_NOHT:
4181 			case NL80211_CHAN_WIDTH_20:
4182 			case NL80211_CHAN_WIDTH_40:
4183 			case NL80211_CHAN_WIDTH_80:
4184 			case NL80211_CHAN_WIDTH_80P80:
4185 			case NL80211_CHAN_WIDTH_160:
4186 			case NL80211_CHAN_WIDTH_320:
4187 				break;
4188 			default:
4189 				return -EINVAL;
4190 			}
4191 
4192 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
4193 						       &chandef);
4194 			if (result)
4195 				return result;
4196 			wdev->links[link_id].ap.chandef = chandef;
4197 		} else {
4198 			wdev->u.ap.preset_chandef = chandef;
4199 		}
4200 		return 0;
4201 	case NL80211_IFTYPE_MESH_POINT:
4202 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
4203 	case NL80211_IFTYPE_MONITOR:
4204 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
4205 	default:
4206 		break;
4207 	}
4208 
4209 	return -EINVAL;
4210 }
4211 
4212 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
4213 {
4214 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4215 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4216 	struct net_device *netdev = info->user_ptr[1];
4217 
4218 	return __nl80211_set_channel(rdev, netdev, info, link_id);
4219 }
4220 
4221 static int nl80211_set_wiphy_radio(struct genl_info *info,
4222 				   struct cfg80211_registered_device *rdev,
4223 				   int radio_idx)
4224 {
4225 	u32 rts_threshold = 0, old_rts, changed = 0;
4226 	int result;
4227 
4228 	if (!rdev->ops->set_wiphy_params)
4229 		return -EOPNOTSUPP;
4230 
4231 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4232 		rts_threshold = nla_get_u32(
4233 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4234 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4235 	}
4236 
4237 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
4238 
4239 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
4240 
4241 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4242 	if (result)
4243 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
4244 
4245 	return 0;
4246 }
4247 
4248 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
4249 {
4250 	struct cfg80211_registered_device *rdev = NULL;
4251 	struct net_device *netdev = NULL;
4252 	struct wireless_dev *wdev;
4253 	int result = 0, rem_txq_params = 0;
4254 	struct nlattr *nl_txq_params;
4255 	u32 changed;
4256 	u8 retry_short = 0, retry_long = 0;
4257 	u32 frag_threshold = 0, rts_threshold = 0;
4258 	u8 coverage_class = 0;
4259 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
4260 	int radio_idx = -1;
4261 
4262 	rtnl_lock();
4263 	/*
4264 	 * Try to find the wiphy and netdev. Normally this
4265 	 * function shouldn't need the netdev, but this is
4266 	 * done for backward compatibility -- previously
4267 	 * setting the channel was done per wiphy, but now
4268 	 * it is per netdev. Previous userland like hostapd
4269 	 * also passed a netdev to set_wiphy, so that it is
4270 	 * possible to let that go to the right netdev!
4271 	 */
4272 
4273 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
4274 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
4275 
4276 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
4277 		if (netdev && netdev->ieee80211_ptr)
4278 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
4279 		else
4280 			netdev = NULL;
4281 	}
4282 
4283 	if (!netdev) {
4284 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
4285 						  info->attrs);
4286 		if (IS_ERR(rdev)) {
4287 			rtnl_unlock();
4288 			return PTR_ERR(rdev);
4289 		}
4290 		wdev = NULL;
4291 		netdev = NULL;
4292 		result = 0;
4293 	} else
4294 		wdev = netdev->ieee80211_ptr;
4295 
4296 	guard(wiphy)(&rdev->wiphy);
4297 
4298 	/*
4299 	 * end workaround code, by now the rdev is available
4300 	 * and locked, and wdev may or may not be NULL.
4301 	 */
4302 
4303 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
4304 		result = cfg80211_dev_rename(
4305 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
4306 	rtnl_unlock();
4307 
4308 	if (result)
4309 		return result;
4310 
4311 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
4312 		/* Radio idx is not expected for non-multi radio wiphy */
4313 		if (rdev->wiphy.n_radio <= 0)
4314 			return -EINVAL;
4315 
4316 		radio_idx = nla_get_u8(
4317 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
4318 		if (radio_idx >= rdev->wiphy.n_radio)
4319 			return -EINVAL;
4320 
4321 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
4322 	}
4323 
4324 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
4325 		struct ieee80211_txq_params txq_params;
4326 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
4327 
4328 		if (!rdev->ops->set_txq_params)
4329 			return -EOPNOTSUPP;
4330 
4331 		if (!netdev)
4332 			return -EINVAL;
4333 
4334 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4335 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4336 			return -EINVAL;
4337 
4338 		if (!netif_running(netdev))
4339 			return -ENETDOWN;
4340 
4341 		nla_for_each_nested(nl_txq_params,
4342 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
4343 				    rem_txq_params) {
4344 			result = nla_parse_nested_deprecated(tb,
4345 							     NL80211_TXQ_ATTR_MAX,
4346 							     nl_txq_params,
4347 							     txq_params_policy,
4348 							     info->extack);
4349 			if (result)
4350 				return result;
4351 
4352 			result = parse_txq_params(tb, &txq_params);
4353 			if (result)
4354 				return result;
4355 
4356 			txq_params.link_id =
4357 				nl80211_link_id_or_invalid(info->attrs);
4358 
4359 			if (txq_params.link_id >= 0 &&
4360 			    !(netdev->ieee80211_ptr->valid_links &
4361 			      BIT(txq_params.link_id)))
4362 				result = -ENOLINK;
4363 			else if (txq_params.link_id >= 0 &&
4364 				 !netdev->ieee80211_ptr->valid_links)
4365 				result = -EINVAL;
4366 			else
4367 				result = rdev_set_txq_params(rdev, netdev,
4368 							     &txq_params);
4369 			if (result)
4370 				return result;
4371 		}
4372 	}
4373 
4374 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4375 		int link_id = nl80211_link_id_or_invalid(info->attrs);
4376 
4377 		if (wdev) {
4378 			result = __nl80211_set_channel(
4379 				rdev,
4380 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
4381 				info, link_id);
4382 		} else {
4383 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
4384 		}
4385 
4386 		if (result)
4387 			return result;
4388 	}
4389 
4390 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
4391 		struct wireless_dev *txp_wdev = wdev;
4392 		enum nl80211_tx_power_setting type;
4393 		int idx, mbm = 0;
4394 
4395 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
4396 			txp_wdev = NULL;
4397 
4398 		if (!rdev->ops->set_tx_power)
4399 			return -EOPNOTSUPP;
4400 
4401 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
4402 		type = nla_get_u32(info->attrs[idx]);
4403 
4404 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4405 		    (type != NL80211_TX_POWER_AUTOMATIC))
4406 			return -EINVAL;
4407 
4408 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4409 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4410 			mbm = nla_get_u32(info->attrs[idx]);
4411 		}
4412 
4413 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4414 					   mbm);
4415 		if (result)
4416 			return result;
4417 	}
4418 
4419 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4420 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4421 		u32 tx_ant, rx_ant;
4422 
4423 		if ((!rdev->wiphy.available_antennas_tx &&
4424 		     !rdev->wiphy.available_antennas_rx) ||
4425 		    !rdev->ops->set_antenna)
4426 			return -EOPNOTSUPP;
4427 
4428 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4429 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4430 
4431 		/* reject antenna configurations which don't match the
4432 		 * available antenna masks, except for the "all" mask */
4433 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4434 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4435 			return -EINVAL;
4436 
4437 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4438 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4439 
4440 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4441 		if (result)
4442 			return result;
4443 	}
4444 
4445 	changed = 0;
4446 
4447 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4448 		retry_short = nla_get_u8(
4449 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4450 
4451 		changed |= WIPHY_PARAM_RETRY_SHORT;
4452 	}
4453 
4454 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4455 		retry_long = nla_get_u8(
4456 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4457 
4458 		changed |= WIPHY_PARAM_RETRY_LONG;
4459 	}
4460 
4461 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4462 		frag_threshold = nla_get_u32(
4463 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4464 		if (frag_threshold < 256)
4465 			return -EINVAL;
4466 
4467 		if (frag_threshold != (u32) -1) {
4468 			/*
4469 			 * Fragments (apart from the last one) are required to
4470 			 * have even length. Make the fragmentation code
4471 			 * simpler by stripping LSB should someone try to use
4472 			 * odd threshold value.
4473 			 */
4474 			frag_threshold &= ~0x1;
4475 		}
4476 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4477 	}
4478 
4479 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4480 		rts_threshold = nla_get_u32(
4481 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4482 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4483 	}
4484 
4485 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4486 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4487 			return -EINVAL;
4488 
4489 		coverage_class = nla_get_u8(
4490 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4491 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4492 	}
4493 
4494 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4495 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4496 			return -EOPNOTSUPP;
4497 
4498 		changed |= WIPHY_PARAM_DYN_ACK;
4499 	}
4500 
4501 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4502 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4503 					     NL80211_EXT_FEATURE_TXQS))
4504 			return -EOPNOTSUPP;
4505 
4506 		txq_limit = nla_get_u32(
4507 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4508 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4509 	}
4510 
4511 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4512 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4513 					     NL80211_EXT_FEATURE_TXQS))
4514 			return -EOPNOTSUPP;
4515 
4516 		txq_memory_limit = nla_get_u32(
4517 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4518 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4519 	}
4520 
4521 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4522 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4523 					     NL80211_EXT_FEATURE_TXQS))
4524 			return -EOPNOTSUPP;
4525 
4526 		txq_quantum = nla_get_u32(
4527 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4528 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4529 	}
4530 
4531 	if (changed) {
4532 		u8 old_retry_short, old_retry_long;
4533 		u32 old_frag_threshold, old_rts_threshold;
4534 		u8 old_coverage_class, i;
4535 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4536 		u32 *old_radio_rts_threshold = NULL;
4537 
4538 		if (!rdev->ops->set_wiphy_params)
4539 			return -EOPNOTSUPP;
4540 
4541 		if (rdev->wiphy.n_radio) {
4542 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4543 							  sizeof(u32),
4544 							  GFP_KERNEL);
4545 			if (!old_radio_rts_threshold)
4546 				return -ENOMEM;
4547 		}
4548 
4549 		old_retry_short = rdev->wiphy.retry_short;
4550 		old_retry_long = rdev->wiphy.retry_long;
4551 		old_frag_threshold = rdev->wiphy.frag_threshold;
4552 		old_rts_threshold = rdev->wiphy.rts_threshold;
4553 		if (old_radio_rts_threshold) {
4554 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4555 				old_radio_rts_threshold[i] =
4556 					rdev->wiphy.radio_cfg[i].rts_threshold;
4557 		}
4558 		old_coverage_class = rdev->wiphy.coverage_class;
4559 		old_txq_limit = rdev->wiphy.txq_limit;
4560 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4561 		old_txq_quantum = rdev->wiphy.txq_quantum;
4562 
4563 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4564 			rdev->wiphy.retry_short = retry_short;
4565 		if (changed & WIPHY_PARAM_RETRY_LONG)
4566 			rdev->wiphy.retry_long = retry_long;
4567 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4568 			rdev->wiphy.frag_threshold = frag_threshold;
4569 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4570 		    old_radio_rts_threshold) {
4571 			rdev->wiphy.rts_threshold = rts_threshold;
4572 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4573 				rdev->wiphy.radio_cfg[i].rts_threshold =
4574 					rdev->wiphy.rts_threshold;
4575 		}
4576 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4577 			rdev->wiphy.coverage_class = coverage_class;
4578 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4579 			rdev->wiphy.txq_limit = txq_limit;
4580 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4581 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4582 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4583 			rdev->wiphy.txq_quantum = txq_quantum;
4584 
4585 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4586 		if (result) {
4587 			rdev->wiphy.retry_short = old_retry_short;
4588 			rdev->wiphy.retry_long = old_retry_long;
4589 			rdev->wiphy.frag_threshold = old_frag_threshold;
4590 			rdev->wiphy.rts_threshold = old_rts_threshold;
4591 			if (old_radio_rts_threshold) {
4592 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4593 					rdev->wiphy.radio_cfg[i].rts_threshold =
4594 						old_radio_rts_threshold[i];
4595 			}
4596 			rdev->wiphy.coverage_class = old_coverage_class;
4597 			rdev->wiphy.txq_limit = old_txq_limit;
4598 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4599 			rdev->wiphy.txq_quantum = old_txq_quantum;
4600 		}
4601 
4602 		kfree(old_radio_rts_threshold);
4603 		return result;
4604 	}
4605 
4606 	return 0;
4607 }
4608 
4609 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4610 {
4611 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4612 		return -EINVAL;
4613 
4614 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4615 			chandef->chan->center_freq))
4616 		return -ENOBUFS;
4617 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4618 			chandef->chan->freq_offset))
4619 		return -ENOBUFS;
4620 	switch (chandef->width) {
4621 	case NL80211_CHAN_WIDTH_20_NOHT:
4622 	case NL80211_CHAN_WIDTH_20:
4623 	case NL80211_CHAN_WIDTH_40:
4624 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4625 				cfg80211_get_chandef_type(chandef)))
4626 			return -ENOBUFS;
4627 		break;
4628 	default:
4629 		break;
4630 	}
4631 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4632 		return -ENOBUFS;
4633 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4634 		return -ENOBUFS;
4635 	if (chandef->center_freq2 &&
4636 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4637 		return -ENOBUFS;
4638 	if (chandef->punctured &&
4639 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4640 		return -ENOBUFS;
4641 	if (chandef->s1g_primary_2mhz &&
4642 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4643 		return -ENOBUFS;
4644 
4645 	if (chandef->npca_chan &&
4646 	    nla_put_u32(msg, NL80211_ATTR_NPCA_PRIMARY_FREQ,
4647 			chandef->npca_chan->center_freq))
4648 		return -ENOBUFS;
4649 	if (chandef->npca_punctured &&
4650 	    nla_put_u32(msg, NL80211_ATTR_NPCA_PUNCT_BITMAP,
4651 			chandef->npca_punctured))
4652 		return -ENOBUFS;
4653 
4654 	return 0;
4655 }
4656 EXPORT_SYMBOL(nl80211_send_chandef);
4657 
4658 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4659 			      struct cfg80211_registered_device *rdev,
4660 			      struct wireless_dev *wdev,
4661 			      enum nl80211_commands cmd)
4662 {
4663 	struct net_device *dev = wdev->netdev;
4664 	void *hdr;
4665 
4666 	lockdep_assert_wiphy(&rdev->wiphy);
4667 
4668 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4669 		cmd != NL80211_CMD_DEL_INTERFACE &&
4670 		cmd != NL80211_CMD_SET_INTERFACE);
4671 
4672 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4673 	if (!hdr)
4674 		return -1;
4675 
4676 	if (dev &&
4677 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4678 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4679 		goto nla_put_failure;
4680 
4681 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4682 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4683 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4684 			      NL80211_ATTR_PAD) ||
4685 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4686 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4687 			rdev->devlist_generation ^
4688 			(cfg80211_rdev_list_generation << 2)) ||
4689 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4690 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4691 		goto nla_put_failure;
4692 
4693 	if (rdev->ops->get_channel && !wdev->valid_links) {
4694 		struct cfg80211_chan_def chandef = {};
4695 		int ret;
4696 
4697 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4698 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4699 			goto nla_put_failure;
4700 	}
4701 
4702 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4703 		int dbm, ret;
4704 
4705 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4706 		if (ret == 0 &&
4707 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4708 				DBM_TO_MBM(dbm)))
4709 			goto nla_put_failure;
4710 	}
4711 
4712 	switch (wdev->iftype) {
4713 	case NL80211_IFTYPE_AP:
4714 	case NL80211_IFTYPE_P2P_GO:
4715 		if (wdev->u.ap.ssid_len &&
4716 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4717 			    wdev->u.ap.ssid))
4718 			goto nla_put_failure;
4719 		break;
4720 	case NL80211_IFTYPE_STATION:
4721 	case NL80211_IFTYPE_P2P_CLIENT:
4722 		if (wdev->u.client.ssid_len &&
4723 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4724 			    wdev->u.client.ssid))
4725 			goto nla_put_failure;
4726 		break;
4727 	case NL80211_IFTYPE_ADHOC:
4728 		if (wdev->u.ibss.ssid_len &&
4729 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4730 			    wdev->u.ibss.ssid))
4731 			goto nla_put_failure;
4732 		break;
4733 	default:
4734 		/* nothing */
4735 		break;
4736 	}
4737 
4738 	if (rdev->ops->get_txq_stats) {
4739 		struct cfg80211_txq_stats txqstats = {};
4740 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4741 
4742 		if (ret == 0 &&
4743 		    !nl80211_put_txq_stats(msg, &txqstats,
4744 					   NL80211_ATTR_TXQ_STATS))
4745 			goto nla_put_failure;
4746 	}
4747 
4748 	if (wdev->valid_links) {
4749 		unsigned int link_id;
4750 		struct nlattr *links = nla_nest_start(msg,
4751 						      NL80211_ATTR_MLO_LINKS);
4752 
4753 		if (!links)
4754 			goto nla_put_failure;
4755 
4756 		for_each_valid_link(wdev, link_id) {
4757 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4758 			struct cfg80211_chan_def chandef = {};
4759 			int ret;
4760 
4761 			if (!link)
4762 				goto nla_put_failure;
4763 
4764 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4765 				goto nla_put_failure;
4766 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4767 				    wdev->links[link_id].addr))
4768 				goto nla_put_failure;
4769 
4770 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4771 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4772 				goto nla_put_failure;
4773 
4774 			if (rdev->ops->get_tx_power) {
4775 				int dbm, ret;
4776 
4777 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4778 				if (ret == 0 &&
4779 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4780 						DBM_TO_MBM(dbm)))
4781 					goto nla_put_failure;
4782 			}
4783 			nla_nest_end(msg, link);
4784 		}
4785 
4786 		nla_nest_end(msg, links);
4787 	}
4788 
4789 	genlmsg_end(msg, hdr);
4790 	return 0;
4791 
4792  nla_put_failure:
4793 	genlmsg_cancel(msg, hdr);
4794 	return -EMSGSIZE;
4795 }
4796 
4797 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4798 {
4799 	int wp_idx = 0;
4800 	int if_idx = 0;
4801 	int wp_start = cb->args[0];
4802 	int if_start = cb->args[1];
4803 	int filter_wiphy = -1;
4804 	struct cfg80211_registered_device *rdev;
4805 	struct wireless_dev *wdev;
4806 	int ret;
4807 
4808 	rtnl_lock();
4809 	if (!cb->args[2]) {
4810 		struct nl80211_dump_wiphy_state state = {
4811 			.filter_wiphy = -1,
4812 		};
4813 
4814 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4815 		if (ret)
4816 			goto out_unlock;
4817 
4818 		filter_wiphy = state.filter_wiphy;
4819 
4820 		/*
4821 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4822 		 * value needed to determine that parsing is necessary.
4823 		 */
4824 		if (filter_wiphy >= 0)
4825 			cb->args[2] = filter_wiphy + 1;
4826 		else
4827 			cb->args[2] = -1;
4828 	} else if (cb->args[2] > 0) {
4829 		filter_wiphy = cb->args[2] - 1;
4830 	}
4831 
4832 	for_each_rdev(rdev) {
4833 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4834 			continue;
4835 		if (wp_idx < wp_start) {
4836 			wp_idx++;
4837 			continue;
4838 		}
4839 
4840 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4841 			continue;
4842 
4843 		if_idx = 0;
4844 
4845 		guard(wiphy)(&rdev->wiphy);
4846 
4847 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4848 			if (if_idx < if_start) {
4849 				if_idx++;
4850 				continue;
4851 			}
4852 
4853 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4854 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4855 					       rdev, wdev,
4856 					       NL80211_CMD_NEW_INTERFACE) < 0)
4857 				goto out;
4858 
4859 			if_idx++;
4860 		}
4861 
4862 		if_start = 0;
4863 		wp_idx++;
4864 	}
4865  out:
4866 	cb->args[0] = wp_idx;
4867 	cb->args[1] = if_idx;
4868 
4869 	ret = skb->len;
4870  out_unlock:
4871 	rtnl_unlock();
4872 
4873 	return ret;
4874 }
4875 
4876 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4877 {
4878 	struct sk_buff *msg;
4879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4880 	struct wireless_dev *wdev = info->user_ptr[1];
4881 
4882 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4883 	if (!msg)
4884 		return -ENOMEM;
4885 
4886 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4887 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4888 		nlmsg_free(msg);
4889 		return -ENOBUFS;
4890 	}
4891 
4892 	return genlmsg_reply(msg, info);
4893 }
4894 
4895 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4896 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4897 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4898 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4899 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4900 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4901 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4902 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4903 };
4904 
4905 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4906 {
4907 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4908 	int flag;
4909 
4910 	*mntrflags = 0;
4911 
4912 	if (!nla)
4913 		return -EINVAL;
4914 
4915 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4916 		return -EINVAL;
4917 
4918 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4919 		if (flags[flag])
4920 			*mntrflags |= (1<<flag);
4921 
4922 	/* cooked monitor mode is incompatible with other modes */
4923 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4924 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4925 		return -EOPNOTSUPP;
4926 
4927 	*mntrflags |= MONITOR_FLAG_CHANGED;
4928 
4929 	return 0;
4930 }
4931 
4932 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4933 				     enum nl80211_iftype type,
4934 				     struct genl_info *info,
4935 				     struct vif_params *params)
4936 {
4937 	bool change = false;
4938 	int err;
4939 
4940 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4941 		if (type != NL80211_IFTYPE_MONITOR)
4942 			return -EINVAL;
4943 
4944 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4945 					  &params->flags);
4946 		if (err)
4947 			return err;
4948 
4949 		change = true;
4950 	}
4951 
4952 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4953 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4954 		return -EOPNOTSUPP;
4955 
4956 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4957 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4958 		return -EOPNOTSUPP;
4959 
4960 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4961 		const u8 *mumimo_groups;
4962 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4963 
4964 		if (type != NL80211_IFTYPE_MONITOR)
4965 			return -EINVAL;
4966 
4967 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4968 			return -EOPNOTSUPP;
4969 
4970 		mumimo_groups =
4971 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4972 
4973 		/* bits 0 and 63 are reserved and must be zero */
4974 		if ((mumimo_groups[0] & BIT(0)) ||
4975 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4976 			return -EINVAL;
4977 
4978 		params->vht_mumimo_groups = mumimo_groups;
4979 		change = true;
4980 	}
4981 
4982 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4983 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4984 
4985 		if (type != NL80211_IFTYPE_MONITOR)
4986 			return -EINVAL;
4987 
4988 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4989 			return -EOPNOTSUPP;
4990 
4991 		params->vht_mumimo_follow_addr =
4992 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4993 		change = true;
4994 	}
4995 
4996 	return change ? 1 : 0;
4997 }
4998 
4999 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
5000 			       struct net_device *netdev, u8 use_4addr,
5001 			       enum nl80211_iftype iftype)
5002 {
5003 	if (!use_4addr) {
5004 		if (netdev && netif_is_bridge_port(netdev))
5005 			return -EBUSY;
5006 		return 0;
5007 	}
5008 
5009 	switch (iftype) {
5010 	case NL80211_IFTYPE_AP_VLAN:
5011 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
5012 			return 0;
5013 		break;
5014 	case NL80211_IFTYPE_STATION:
5015 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
5016 			return 0;
5017 		break;
5018 	default:
5019 		break;
5020 	}
5021 
5022 	return -EOPNOTSUPP;
5023 }
5024 
5025 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
5026 					u32 *radio_mask)
5027 {
5028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5029 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
5030 	u32 mask, allowed;
5031 
5032 	if (!attr) {
5033 		*radio_mask = 0;
5034 		return 0;
5035 	}
5036 
5037 	allowed = BIT(rdev->wiphy.n_radio) - 1;
5038 	mask = nla_get_u32(attr);
5039 	if (mask & ~allowed)
5040 		return -EINVAL;
5041 	if (!mask)
5042 		mask = allowed;
5043 	*radio_mask = mask;
5044 
5045 	return 1;
5046 }
5047 
5048 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
5049 {
5050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5051 	struct vif_params params;
5052 	int err;
5053 	enum nl80211_iftype otype, ntype;
5054 	struct net_device *dev = info->user_ptr[1];
5055 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5056 	u32 radio_mask = 0;
5057 	bool change = false;
5058 
5059 	memset(&params, 0, sizeof(params));
5060 
5061 	otype = ntype = dev->ieee80211_ptr->iftype;
5062 
5063 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
5064 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
5065 		if (otype != ntype)
5066 			change = true;
5067 	}
5068 
5069 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
5070 		if (ntype != NL80211_IFTYPE_MESH_POINT)
5071 			return -EINVAL;
5072 		if (otype != NL80211_IFTYPE_MESH_POINT)
5073 			return -EINVAL;
5074 		if (netif_running(dev))
5075 			return -EBUSY;
5076 
5077 		wdev->u.mesh.id_up_len =
5078 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
5079 		memcpy(wdev->u.mesh.id,
5080 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
5081 		       wdev->u.mesh.id_up_len);
5082 	}
5083 
5084 	if (info->attrs[NL80211_ATTR_4ADDR]) {
5085 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
5086 		change = true;
5087 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
5088 		if (err)
5089 			return err;
5090 	} else {
5091 		params.use_4addr = -1;
5092 	}
5093 
5094 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
5095 	if (err < 0)
5096 		return err;
5097 	if (err > 0)
5098 		change = true;
5099 
5100 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
5101 	if (err < 0)
5102 		return err;
5103 	if (err && netif_running(dev))
5104 		return -EBUSY;
5105 
5106 	if (change)
5107 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
5108 	else
5109 		err = 0;
5110 
5111 	if (!err && params.use_4addr != -1)
5112 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
5113 
5114 	if (radio_mask)
5115 		wdev->radio_mask = radio_mask;
5116 
5117 	if (change && !err)
5118 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
5119 
5120 	return err;
5121 }
5122 
5123 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
5124 {
5125 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5126 	struct vif_params params;
5127 	struct wireless_dev *wdev;
5128 	struct sk_buff *msg;
5129 	u32 radio_mask;
5130 	int err;
5131 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
5132 
5133 	memset(&params, 0, sizeof(params));
5134 
5135 	if (!info->attrs[NL80211_ATTR_IFNAME])
5136 		return -EINVAL;
5137 
5138 	if (info->attrs[NL80211_ATTR_IFTYPE])
5139 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
5140 
5141 	if (!rdev->ops->add_virtual_intf)
5142 		return -EOPNOTSUPP;
5143 
5144 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
5145 	     type == NL80211_IFTYPE_PD ||
5146 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
5147 	    info->attrs[NL80211_ATTR_MAC]) {
5148 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
5149 			   ETH_ALEN);
5150 		if (!is_valid_ether_addr(params.macaddr))
5151 			return -EADDRNOTAVAIL;
5152 	}
5153 
5154 	if (info->attrs[NL80211_ATTR_4ADDR]) {
5155 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
5156 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
5157 		if (err)
5158 			return err;
5159 	}
5160 
5161 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
5162 		return -EOPNOTSUPP;
5163 
5164 	err = nl80211_parse_mon_options(rdev, type, info, &params);
5165 	if (err < 0)
5166 		return err;
5167 
5168 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
5169 	if (err < 0)
5170 		return err;
5171 
5172 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5173 	if (!msg)
5174 		return -ENOMEM;
5175 
5176 	wdev = rdev_add_virtual_intf(rdev,
5177 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
5178 				NET_NAME_USER, type, &params);
5179 	if (WARN_ON(!wdev)) {
5180 		nlmsg_free(msg);
5181 		return -EPROTO;
5182 	} else if (IS_ERR(wdev)) {
5183 		nlmsg_free(msg);
5184 		return PTR_ERR(wdev);
5185 	}
5186 
5187 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5188 		wdev->owner_nlportid = info->snd_portid;
5189 
5190 	switch (type) {
5191 	case NL80211_IFTYPE_MESH_POINT:
5192 		if (!info->attrs[NL80211_ATTR_MESH_ID])
5193 			break;
5194 		wdev->u.mesh.id_up_len =
5195 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
5196 		memcpy(wdev->u.mesh.id,
5197 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
5198 		       wdev->u.mesh.id_up_len);
5199 		break;
5200 	case NL80211_IFTYPE_NAN:
5201 	case NL80211_IFTYPE_P2P_DEVICE:
5202 	case NL80211_IFTYPE_PD:
5203 		/*
5204 		 * P2P Device, NAN and PD do not have a netdev, so don't go
5205 		 * through the netdev notifier and must be added here
5206 		 */
5207 		cfg80211_init_wdev(wdev);
5208 		cfg80211_register_wdev(rdev, wdev);
5209 		break;
5210 	default:
5211 		break;
5212 	}
5213 
5214 	if (radio_mask)
5215 		wdev->radio_mask = radio_mask;
5216 
5217 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
5218 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
5219 		nlmsg_free(msg);
5220 		return -ENOBUFS;
5221 	}
5222 
5223 	return genlmsg_reply(msg, info);
5224 }
5225 
5226 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
5227 {
5228 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5229 
5230 	/* to avoid failing a new interface creation due to pending removal */
5231 	cfg80211_destroy_ifaces(rdev);
5232 
5233 	guard(wiphy)(&rdev->wiphy);
5234 
5235 	return _nl80211_new_interface(skb, info);
5236 }
5237 
5238 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
5239 {
5240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5241 	struct wireless_dev *wdev = info->user_ptr[1];
5242 
5243 	if (!rdev->ops->del_virtual_intf)
5244 		return -EOPNOTSUPP;
5245 
5246 	/*
5247 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
5248 	 * reach 0, and thus the rdev cannot be deleted.
5249 	 *
5250 	 * We need to do it for the dev_close(), since that will call
5251 	 * the netdev notifiers, and we need to acquire the mutex there
5252 	 * but don't know if we get there from here or from some other
5253 	 * place (e.g. "ip link set ... down").
5254 	 */
5255 	mutex_unlock(&rdev->wiphy.mtx);
5256 
5257 	/*
5258 	 * If we remove a wireless device without a netdev then clear
5259 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
5260 	 * to check if it needs to do dev_put(). Otherwise it crashes
5261 	 * since the wdev has been freed, unlike with a netdev where
5262 	 * we need the dev_put() for the netdev to really be freed.
5263 	 */
5264 	if (!wdev->netdev)
5265 		info->user_ptr[1] = NULL;
5266 	else
5267 		dev_close(wdev->netdev);
5268 
5269 	cfg80211_close_dependents(rdev, wdev);
5270 
5271 	mutex_lock(&rdev->wiphy.mtx);
5272 
5273 	return cfg80211_remove_virtual_intf(rdev, wdev);
5274 }
5275 
5276 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
5277 {
5278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5279 	struct net_device *dev = info->user_ptr[1];
5280 	u16 noack_map;
5281 
5282 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
5283 		return -EINVAL;
5284 
5285 	if (!rdev->ops->set_noack_map)
5286 		return -EOPNOTSUPP;
5287 
5288 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
5289 
5290 	return rdev_set_noack_map(rdev, dev, noack_map);
5291 }
5292 
5293 static int nl80211_validate_key_link_id(struct genl_info *info,
5294 					struct wireless_dev *wdev,
5295 					int link_id, bool pairwise)
5296 {
5297 	if (pairwise) {
5298 		if (link_id != -1) {
5299 			GENL_SET_ERR_MSG(info,
5300 					 "link ID not allowed for pairwise key");
5301 			return -EINVAL;
5302 		}
5303 
5304 		return 0;
5305 	}
5306 
5307 	if (wdev->valid_links) {
5308 		if (link_id == -1) {
5309 			GENL_SET_ERR_MSG(info,
5310 					 "link ID must be set for MLO group key");
5311 			return -EINVAL;
5312 		}
5313 		if (!(wdev->valid_links & BIT(link_id))) {
5314 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
5315 			return -EINVAL;
5316 		}
5317 	} else if (link_id != -1) {
5318 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
5319 		return -EINVAL;
5320 	}
5321 
5322 	return 0;
5323 }
5324 
5325 struct get_key_cookie {
5326 	struct sk_buff *msg;
5327 	int error;
5328 	int idx;
5329 };
5330 
5331 static void get_key_callback(void *c, struct key_params *params)
5332 {
5333 	struct nlattr *key;
5334 	struct get_key_cookie *cookie = c;
5335 
5336 	if ((params->seq &&
5337 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
5338 		     params->seq_len, params->seq)) ||
5339 	    (params->cipher &&
5340 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
5341 			 params->cipher)))
5342 		goto nla_put_failure;
5343 
5344 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
5345 	if (!key)
5346 		goto nla_put_failure;
5347 
5348 	if ((params->seq &&
5349 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
5350 		     params->seq_len, params->seq)) ||
5351 	    (params->cipher &&
5352 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
5353 			 params->cipher)))
5354 		goto nla_put_failure;
5355 
5356 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
5357 		goto nla_put_failure;
5358 
5359 	nla_nest_end(cookie->msg, key);
5360 
5361 	return;
5362  nla_put_failure:
5363 	cookie->error = 1;
5364 }
5365 
5366 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
5367 {
5368 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5369 	int err;
5370 	struct wireless_dev *wdev = info->user_ptr[1];
5371 	u8 key_idx = 0;
5372 	const u8 *mac_addr = NULL;
5373 	bool pairwise;
5374 	struct get_key_cookie cookie = {
5375 		.error = 0,
5376 	};
5377 	void *hdr;
5378 	struct sk_buff *msg;
5379 	bool bigtk_support = false;
5380 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5381 
5382 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5383 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
5384 		bigtk_support = true;
5385 
5386 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
5387 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
5388 	    wiphy_ext_feature_isset(&rdev->wiphy,
5389 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
5390 		bigtk_support = true;
5391 
5392 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
5393 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
5394 
5395 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
5396 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
5397 			return -EINVAL;
5398 		}
5399 	}
5400 
5401 	if (info->attrs[NL80211_ATTR_MAC])
5402 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5403 
5404 	pairwise = !!mac_addr;
5405 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
5406 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
5407 
5408 		if (kt != NL80211_KEYTYPE_GROUP &&
5409 		    kt != NL80211_KEYTYPE_PAIRWISE)
5410 			return -EINVAL;
5411 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
5412 	}
5413 
5414 	if (!rdev->ops->get_key)
5415 		return -EOPNOTSUPP;
5416 
5417 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5418 		return -ENOENT;
5419 
5420 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5421 	if (!msg)
5422 		return -ENOMEM;
5423 
5424 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5425 			     NL80211_CMD_NEW_KEY);
5426 	if (!hdr)
5427 		goto nla_put_failure;
5428 
5429 	cookie.msg = msg;
5430 	cookie.idx = key_idx;
5431 
5432 	if ((wdev->netdev &&
5433 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
5434 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5435 			      NL80211_ATTR_PAD) ||
5436 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5437 		goto nla_put_failure;
5438 	if (mac_addr &&
5439 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5440 		goto nla_put_failure;
5441 
5442 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5443 	if (err)
5444 		goto free_msg;
5445 
5446 	err = rdev_get_key(rdev, wdev, link_id, key_idx, pairwise, mac_addr,
5447 			   &cookie, get_key_callback);
5448 
5449 	if (err)
5450 		goto free_msg;
5451 
5452 	if (cookie.error)
5453 		goto nla_put_failure;
5454 
5455 	genlmsg_end(msg, hdr);
5456 	return genlmsg_reply(msg, info);
5457 
5458  nla_put_failure:
5459 	err = -ENOBUFS;
5460  free_msg:
5461 	nlmsg_free(msg);
5462 	return err;
5463 }
5464 
5465 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5466 {
5467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5468 	struct key_parse key;
5469 	int err;
5470 	struct wireless_dev *wdev = info->user_ptr[1];
5471 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5472 
5473 	err = nl80211_parse_key(info, &key);
5474 	if (err)
5475 		return err;
5476 
5477 	if (key.idx < 0)
5478 		return -EINVAL;
5479 
5480 	/* Only support setting default key and
5481 	 * Extended Key ID action NL80211_KEY_SET_TX.
5482 	 */
5483 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5484 	    !(key.p.mode == NL80211_KEY_SET_TX))
5485 		return -EINVAL;
5486 
5487 	if (key.def) {
5488 		if (!rdev->ops->set_default_key)
5489 			return -EOPNOTSUPP;
5490 
5491 		if (!wdev->netdev)
5492 			return -EINVAL;
5493 
5494 		err = nl80211_key_allowed(wdev);
5495 		if (err)
5496 			return err;
5497 
5498 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5499 		if (err)
5500 			return err;
5501 
5502 		err = rdev_set_default_key(rdev, wdev->netdev, link_id, key.idx,
5503 					   key.def_uni, key.def_multi);
5504 
5505 		if (err)
5506 			return err;
5507 
5508 #ifdef CONFIG_CFG80211_WEXT
5509 		wdev->wext.default_key = key.idx;
5510 #endif
5511 		return 0;
5512 	} else if (key.defmgmt) {
5513 		if (key.def_uni || !key.def_multi)
5514 			return -EINVAL;
5515 
5516 		if (!rdev->ops->set_default_mgmt_key)
5517 			return -EOPNOTSUPP;
5518 
5519 		err = nl80211_key_allowed(wdev);
5520 		if (err)
5521 			return err;
5522 
5523 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5524 		if (err)
5525 			return err;
5526 
5527 		err = rdev_set_default_mgmt_key(rdev, wdev, link_id, key.idx);
5528 		if (err)
5529 			return err;
5530 
5531 #ifdef CONFIG_CFG80211_WEXT
5532 		wdev->wext.default_mgmt_key = key.idx;
5533 #endif
5534 		return 0;
5535 	} else if (key.defbeacon) {
5536 		if (key.def_uni || !key.def_multi)
5537 			return -EINVAL;
5538 
5539 		if (!rdev->ops->set_default_beacon_key)
5540 			return -EOPNOTSUPP;
5541 
5542 		err = nl80211_key_allowed(wdev);
5543 		if (err)
5544 			return err;
5545 
5546 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5547 		if (err)
5548 			return err;
5549 
5550 		return rdev_set_default_beacon_key(rdev, wdev, link_id,
5551 						   key.idx);
5552 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5553 		   wiphy_ext_feature_isset(&rdev->wiphy,
5554 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5555 		u8 *mac_addr = NULL;
5556 
5557 		if (info->attrs[NL80211_ATTR_MAC])
5558 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5559 
5560 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5561 			return -EINVAL;
5562 
5563 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5564 		if (err)
5565 			return err;
5566 
5567 		return rdev_add_key(rdev, wdev, link_id, key.idx,
5568 				    NL80211_KEYTYPE_PAIRWISE,
5569 				    mac_addr, &key.p);
5570 	}
5571 
5572 	return -EINVAL;
5573 }
5574 
5575 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5576 {
5577 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5578 	int err;
5579 	struct wireless_dev *wdev = info->user_ptr[1];
5580 	struct key_parse key;
5581 	const u8 *mac_addr = NULL;
5582 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5583 
5584 	err = nl80211_parse_key(info, &key);
5585 	if (err)
5586 		return err;
5587 
5588 	if (!key.p.key) {
5589 		GENL_SET_ERR_MSG(info, "no key");
5590 		return -EINVAL;
5591 	}
5592 
5593 	if (info->attrs[NL80211_ATTR_MAC])
5594 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5595 
5596 	if (key.type == -1) {
5597 		if (mac_addr)
5598 			key.type = NL80211_KEYTYPE_PAIRWISE;
5599 		else
5600 			key.type = NL80211_KEYTYPE_GROUP;
5601 	}
5602 
5603 	/* for now */
5604 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5605 	    key.type != NL80211_KEYTYPE_GROUP) {
5606 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5607 		return -EINVAL;
5608 	}
5609 
5610 	if (key.type == NL80211_KEYTYPE_GROUP &&
5611 	    info->attrs[NL80211_ATTR_VLAN_ID])
5612 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5613 
5614 	if (!rdev->ops->add_key)
5615 		return -EOPNOTSUPP;
5616 
5617 	if (cfg80211_validate_key_settings(rdev, wdev, &key.p, key.idx,
5618 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5619 					   mac_addr)) {
5620 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5621 		return -EINVAL;
5622 	}
5623 
5624 	err = nl80211_key_allowed(wdev);
5625 	if (err)
5626 		GENL_SET_ERR_MSG(info, "key not allowed");
5627 
5628 	if (!err)
5629 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5630 				key.type == NL80211_KEYTYPE_PAIRWISE);
5631 
5632 	if (!err) {
5633 		err = rdev_add_key(rdev, wdev, link_id, key.idx,
5634 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5635 				    mac_addr, &key.p);
5636 		if (err)
5637 			GENL_SET_ERR_MSG(info, "key addition failed");
5638 	}
5639 
5640 	return err;
5641 }
5642 
5643 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5644 {
5645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5646 	int err;
5647 	struct wireless_dev *wdev = info->user_ptr[1];
5648 	u8 *mac_addr = NULL;
5649 	struct key_parse key;
5650 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5651 
5652 	err = nl80211_parse_key(info, &key);
5653 	if (err)
5654 		return err;
5655 
5656 	if (info->attrs[NL80211_ATTR_MAC])
5657 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5658 
5659 	if (key.type == -1) {
5660 		if (mac_addr)
5661 			key.type = NL80211_KEYTYPE_PAIRWISE;
5662 		else
5663 			key.type = NL80211_KEYTYPE_GROUP;
5664 	}
5665 
5666 	/* for now */
5667 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5668 	    key.type != NL80211_KEYTYPE_GROUP)
5669 		return -EINVAL;
5670 
5671 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5672 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5673 		return -EINVAL;
5674 
5675 	if (!rdev->ops->del_key)
5676 		return -EOPNOTSUPP;
5677 
5678 	err = nl80211_key_allowed(wdev);
5679 
5680 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5681 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5682 		err = -ENOENT;
5683 
5684 	if (!err)
5685 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5686 				key.type == NL80211_KEYTYPE_PAIRWISE);
5687 
5688 	if (!err)
5689 		err = rdev_del_key(rdev, wdev, link_id, key.idx,
5690 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5691 				   mac_addr);
5692 
5693 #ifdef CONFIG_CFG80211_WEXT
5694 	if (!err) {
5695 		if (key.idx == wdev->wext.default_key)
5696 			wdev->wext.default_key = -1;
5697 		else if (key.idx == wdev->wext.default_mgmt_key)
5698 			wdev->wext.default_mgmt_key = -1;
5699 	}
5700 #endif
5701 
5702 	return err;
5703 }
5704 
5705 /* This function returns an error or the number of nested attributes */
5706 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5707 {
5708 	struct nlattr *attr;
5709 	int n_entries = 0, tmp;
5710 
5711 	nla_for_each_nested(attr, nl_attr, tmp) {
5712 		if (nla_len(attr) != ETH_ALEN)
5713 			return -EINVAL;
5714 
5715 		n_entries++;
5716 	}
5717 
5718 	return n_entries;
5719 }
5720 
5721 /*
5722  * This function parses ACL information and allocates memory for ACL data.
5723  * On successful return, the calling function is responsible to free the
5724  * ACL buffer returned by this function.
5725  */
5726 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5727 						struct genl_info *info)
5728 {
5729 	enum nl80211_acl_policy acl_policy;
5730 	struct nlattr *attr;
5731 	struct cfg80211_acl_data *acl;
5732 	int i = 0, n_entries, tmp;
5733 
5734 	if (!wiphy->max_acl_mac_addrs)
5735 		return ERR_PTR(-EOPNOTSUPP);
5736 
5737 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5738 		return ERR_PTR(-EINVAL);
5739 
5740 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5741 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5742 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5743 		return ERR_PTR(-EINVAL);
5744 
5745 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5746 		return ERR_PTR(-EINVAL);
5747 
5748 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5749 	if (n_entries < 0)
5750 		return ERR_PTR(n_entries);
5751 
5752 	if (n_entries > wiphy->max_acl_mac_addrs)
5753 		return ERR_PTR(-EOPNOTSUPP);
5754 
5755 	acl = kzalloc_flex(*acl, mac_addrs, n_entries);
5756 	if (!acl)
5757 		return ERR_PTR(-ENOMEM);
5758 	acl->n_acl_entries = n_entries;
5759 
5760 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5761 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5762 		i++;
5763 	}
5764 	acl->acl_policy = acl_policy;
5765 
5766 	return acl;
5767 }
5768 
5769 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5770 {
5771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5772 	struct net_device *dev = info->user_ptr[1];
5773 	struct cfg80211_acl_data *acl;
5774 	int err;
5775 
5776 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5777 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5778 		return -EOPNOTSUPP;
5779 
5780 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5781 		return -EINVAL;
5782 
5783 	acl = parse_acl_data(&rdev->wiphy, info);
5784 	if (IS_ERR(acl))
5785 		return PTR_ERR(acl);
5786 
5787 	err = rdev_set_mac_acl(rdev, dev, acl);
5788 
5789 	kfree(acl);
5790 
5791 	return err;
5792 }
5793 
5794 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5795 			   u8 *rates, u8 rates_len)
5796 {
5797 	u8 i;
5798 	u32 mask = 0;
5799 
5800 	for (i = 0; i < rates_len; i++) {
5801 		int rate = (rates[i] & 0x7f) * 5;
5802 		int ridx;
5803 
5804 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5805 			struct ieee80211_rate *srate =
5806 				&sband->bitrates[ridx];
5807 			if (rate == srate->bitrate) {
5808 				mask |= 1 << ridx;
5809 				break;
5810 			}
5811 		}
5812 		if (ridx == sband->n_bitrates)
5813 			return 0; /* rate not found */
5814 	}
5815 
5816 	return mask;
5817 }
5818 
5819 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5820 			       u8 *rates, u8 rates_len,
5821 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5822 {
5823 	u8 i;
5824 
5825 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5826 
5827 	for (i = 0; i < rates_len; i++) {
5828 		int ridx, rbit;
5829 
5830 		ridx = rates[i] / 8;
5831 		rbit = BIT(rates[i] % 8);
5832 
5833 		/* check validity */
5834 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5835 			return false;
5836 
5837 		/* check availability */
5838 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5839 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5840 			mcs[ridx] |= rbit;
5841 		else
5842 			return false;
5843 	}
5844 
5845 	return true;
5846 }
5847 
5848 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5849 {
5850 	u16 mcs_mask = 0;
5851 
5852 	switch (vht_mcs_map) {
5853 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5854 		break;
5855 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5856 		mcs_mask = 0x00FF;
5857 		break;
5858 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5859 		mcs_mask = 0x01FF;
5860 		break;
5861 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5862 		mcs_mask = 0x03FF;
5863 		break;
5864 	default:
5865 		break;
5866 	}
5867 
5868 	return mcs_mask;
5869 }
5870 
5871 static void vht_build_mcs_mask(u16 vht_mcs_map,
5872 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5873 {
5874 	u8 nss;
5875 
5876 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5877 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5878 		vht_mcs_map >>= 2;
5879 	}
5880 }
5881 
5882 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5883 			     struct nl80211_txrate_vht *txrate,
5884 			     u16 mcs[NL80211_VHT_NSS_MAX])
5885 {
5886 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5887 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5888 	u8 i;
5889 
5890 	if (!sband->vht_cap.vht_supported)
5891 		return false;
5892 
5893 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5894 
5895 	/* Build vht_mcs_mask from VHT capabilities */
5896 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5897 
5898 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5899 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5900 			mcs[i] = txrate->mcs[i];
5901 		else
5902 			return false;
5903 	}
5904 
5905 	return true;
5906 }
5907 
5908 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5909 {
5910 	switch (he_mcs_map) {
5911 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5912 		return 0;
5913 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5914 		return 0x00FF;
5915 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5916 		return 0x03FF;
5917 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5918 		return 0xFFF;
5919 	default:
5920 		break;
5921 	}
5922 	return 0;
5923 }
5924 
5925 static void he_build_mcs_mask(u16 he_mcs_map,
5926 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5927 {
5928 	u8 nss;
5929 
5930 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5931 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5932 		he_mcs_map >>= 2;
5933 	}
5934 }
5935 
5936 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5937 			   const struct ieee80211_sta_he_cap *he_cap)
5938 {
5939 	struct net_device *dev = info->user_ptr[1];
5940 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5941 	struct cfg80211_chan_def *chandef;
5942 	__le16 tx_mcs;
5943 
5944 	chandef = wdev_chandef(wdev, link_id);
5945 	if (!chandef) {
5946 		/*
5947 		 * This is probably broken, but we never maintained
5948 		 * a chandef in these cases, so it always was.
5949 		 */
5950 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5951 	}
5952 
5953 	switch (chandef->width) {
5954 	case NL80211_CHAN_WIDTH_80P80:
5955 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5956 		break;
5957 	case NL80211_CHAN_WIDTH_160:
5958 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5959 		break;
5960 	default:
5961 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5962 		break;
5963 	}
5964 
5965 	return le16_to_cpu(tx_mcs);
5966 }
5967 
5968 static bool he_set_mcs_mask(struct genl_info *info,
5969 			    struct wireless_dev *wdev,
5970 			    struct ieee80211_supported_band *sband,
5971 			    struct nl80211_txrate_he *txrate,
5972 			    u16 mcs[NL80211_HE_NSS_MAX],
5973 			    unsigned int link_id)
5974 {
5975 	const struct ieee80211_sta_he_cap *he_cap;
5976 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5977 	u16 tx_mcs_map = 0;
5978 	u8 i;
5979 
5980 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5981 	if (!he_cap)
5982 		return false;
5983 
5984 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5985 
5986 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5987 
5988 	/* Build he_mcs_mask from HE capabilities */
5989 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5990 
5991 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5992 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5993 			mcs[i] = txrate->mcs[i];
5994 		else
5995 			return false;
5996 	}
5997 
5998 	return true;
5999 }
6000 
6001 static void eht_build_mcs_mask(struct genl_info *info,
6002 			       const struct ieee80211_sta_eht_cap *eht_cap,
6003 			       u8 mcs_nss_len, u16 *mcs_mask)
6004 {
6005 	struct net_device *dev = info->user_ptr[1];
6006 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6007 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
6008 	unsigned int link_id = nl80211_link_id(info->attrs);
6009 
6010 	if (mcs_nss_len == 4) {
6011 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
6012 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
6013 
6014 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
6015 				    IEEE80211_EHT_MCS_NSS_TX);
6016 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
6017 				    IEEE80211_EHT_MCS_NSS_TX);
6018 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
6019 				     IEEE80211_EHT_MCS_NSS_TX);
6020 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
6021 				     IEEE80211_EHT_MCS_NSS_TX);
6022 
6023 	} else {
6024 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
6025 		enum nl80211_chan_width width;
6026 
6027 		switch (wdev->iftype) {
6028 		case NL80211_IFTYPE_ADHOC:
6029 			width = wdev->u.ibss.chandef.width;
6030 			break;
6031 		case NL80211_IFTYPE_MESH_POINT:
6032 			width = wdev->u.mesh.chandef.width;
6033 			break;
6034 		case NL80211_IFTYPE_OCB:
6035 			width = wdev->u.ocb.chandef.width;
6036 			break;
6037 		default:
6038 			if (wdev->valid_links)
6039 				width = wdev->links[link_id].ap.chandef.width;
6040 			else
6041 				width = wdev->u.ap.preset_chandef.width;
6042 			break;
6043 		}
6044 
6045 		switch (width) {
6046 		case NL80211_CHAN_WIDTH_320:
6047 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
6048 			break;
6049 		case NL80211_CHAN_WIDTH_160:
6050 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
6051 			break;
6052 		default:
6053 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
6054 			break;
6055 		}
6056 
6057 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
6058 				    IEEE80211_EHT_MCS_NSS_TX);
6059 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
6060 				    IEEE80211_EHT_MCS_NSS_TX);
6061 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
6062 				     IEEE80211_EHT_MCS_NSS_TX);
6063 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
6064 				     IEEE80211_EHT_MCS_NSS_TX);
6065 	}
6066 
6067 	/* Enable MCS 14 for NSS 0 */
6068 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
6069 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
6070 		mcs_mask[0] |= 0x4000;
6071 
6072 	/* Enable MCS 15 for NSS 0 */
6073 	mcs_mask[0] |= 0x8000;
6074 
6075 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
6076 		if (!mcs_7)
6077 			continue;
6078 		mcs_mask[nss] |= 0x00FF;
6079 		mcs_7--;
6080 
6081 		if (!mcs_9)
6082 			continue;
6083 		mcs_mask[nss] |= 0x0300;
6084 		mcs_9--;
6085 
6086 		if (!mcs_11)
6087 			continue;
6088 		mcs_mask[nss] |= 0x0C00;
6089 		mcs_11--;
6090 
6091 		if (!mcs_13)
6092 			continue;
6093 		mcs_mask[nss] |= 0x3000;
6094 		mcs_13--;
6095 	}
6096 }
6097 
6098 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
6099 			     struct ieee80211_supported_band *sband,
6100 			     struct nl80211_txrate_eht *txrate,
6101 			     u16 mcs[NL80211_EHT_NSS_MAX])
6102 {
6103 	const struct ieee80211_sta_he_cap *he_cap;
6104 	const struct ieee80211_sta_eht_cap *eht_cap;
6105 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
6106 	u8 i, mcs_nss_len;
6107 
6108 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
6109 	if (!he_cap)
6110 		return false;
6111 
6112 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
6113 	if (!eht_cap)
6114 		return false;
6115 
6116 	/* Checks for MCS 14 */
6117 	if (txrate->mcs[0] & 0x4000) {
6118 		if (sband->band != NL80211_BAND_6GHZ)
6119 			return false;
6120 
6121 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
6122 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
6123 			return false;
6124 	}
6125 
6126 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
6127 						 &eht_cap->eht_cap_elem,
6128 						 wdev->iftype ==
6129 							NL80211_IFTYPE_STATION);
6130 
6131 	if (mcs_nss_len == 3) {
6132 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
6133 		switch (wdev->iftype) {
6134 		case NL80211_IFTYPE_ADHOC:
6135 		case NL80211_IFTYPE_AP:
6136 		case NL80211_IFTYPE_P2P_GO:
6137 		case NL80211_IFTYPE_MESH_POINT:
6138 		case NL80211_IFTYPE_OCB:
6139 			break;
6140 		default:
6141 			return false;
6142 		}
6143 	}
6144 
6145 	/* Build eht_mcs_mask from EHT and HE capabilities */
6146 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
6147 
6148 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
6149 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
6150 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
6151 			mcs[i] = txrate->mcs[i];
6152 		else
6153 			return false;
6154 	}
6155 
6156 	return true;
6157 }
6158 
6159 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
6160 					 struct nlattr *attrs[],
6161 					 enum nl80211_attrs attr,
6162 					 struct cfg80211_bitrate_mask *mask,
6163 					 struct net_device *dev,
6164 					 bool default_all_enabled,
6165 					 unsigned int link_id)
6166 {
6167 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
6168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6169 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6170 	int rem, i;
6171 	struct nlattr *tx_rates;
6172 	struct ieee80211_supported_band *sband;
6173 	u16 vht_tx_mcs_map, he_tx_mcs_map;
6174 
6175 	memset(mask, 0, sizeof(*mask));
6176 	/* Default to all rates enabled */
6177 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
6178 		const struct ieee80211_sta_he_cap *he_cap;
6179 		const struct ieee80211_sta_eht_cap *eht_cap;
6180 		u8 mcs_nss_len;
6181 
6182 		if (!default_all_enabled)
6183 			break;
6184 
6185 		sband = rdev->wiphy.bands[i];
6186 
6187 		if (!sband)
6188 			continue;
6189 
6190 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
6191 		memcpy(mask->control[i].ht_mcs,
6192 		       sband->ht_cap.mcs.rx_mask,
6193 		       sizeof(mask->control[i].ht_mcs));
6194 
6195 		if (sband->vht_cap.vht_supported) {
6196 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
6197 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
6198 		}
6199 
6200 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
6201 		if (!he_cap)
6202 			continue;
6203 
6204 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
6205 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
6206 
6207 		mask->control[i].he_gi = 0xFF;
6208 		mask->control[i].he_ltf = 0xFF;
6209 
6210 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
6211 		if (!eht_cap)
6212 			continue;
6213 
6214 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
6215 							 &eht_cap->eht_cap_elem,
6216 							 wdev->iftype ==
6217 							 NL80211_IFTYPE_STATION);
6218 
6219 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
6220 				   mask->control[i].eht_mcs);
6221 
6222 		mask->control[i].eht_gi = 0xFF;
6223 		mask->control[i].eht_ltf = 0xFF;
6224 	}
6225 
6226 	/* if no rates are given set it back to the defaults */
6227 	if (!attrs[attr])
6228 		goto out;
6229 
6230 	/* The nested attribute uses enum nl80211_band as the index. This maps
6231 	 * directly to the enum nl80211_band values used in cfg80211.
6232 	 */
6233 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
6234 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
6235 		int band = nla_type(tx_rates);
6236 		int err;
6237 
6238 		if (band < 0 || band >= NUM_NL80211_BANDS)
6239 			return -EINVAL;
6240 		sband = rdev->wiphy.bands[band];
6241 		if (sband == NULL)
6242 			return -EINVAL;
6243 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
6244 						  tx_rates,
6245 						  nl80211_txattr_policy,
6246 						  info->extack);
6247 		if (err)
6248 			return err;
6249 		if (tb[NL80211_TXRATE_LEGACY]) {
6250 			mask->control[band].legacy = rateset_to_mask(
6251 				sband,
6252 				nla_data(tb[NL80211_TXRATE_LEGACY]),
6253 				nla_len(tb[NL80211_TXRATE_LEGACY]));
6254 			if ((mask->control[band].legacy == 0) &&
6255 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
6256 				return -EINVAL;
6257 		}
6258 		if (tb[NL80211_TXRATE_HT]) {
6259 			if (!ht_rateset_to_mask(
6260 					sband,
6261 					nla_data(tb[NL80211_TXRATE_HT]),
6262 					nla_len(tb[NL80211_TXRATE_HT]),
6263 					mask->control[band].ht_mcs))
6264 				return -EINVAL;
6265 		}
6266 
6267 		if (tb[NL80211_TXRATE_VHT]) {
6268 			if (!vht_set_mcs_mask(
6269 					sband,
6270 					nla_data(tb[NL80211_TXRATE_VHT]),
6271 					mask->control[band].vht_mcs))
6272 				return -EINVAL;
6273 		}
6274 
6275 		if (tb[NL80211_TXRATE_GI]) {
6276 			mask->control[band].gi =
6277 				nla_get_u8(tb[NL80211_TXRATE_GI]);
6278 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
6279 				return -EINVAL;
6280 		}
6281 		if (tb[NL80211_TXRATE_HE] &&
6282 		    !he_set_mcs_mask(info, wdev, sband,
6283 				     nla_data(tb[NL80211_TXRATE_HE]),
6284 				     mask->control[band].he_mcs,
6285 				     link_id))
6286 			return -EINVAL;
6287 
6288 		if (tb[NL80211_TXRATE_HE_GI])
6289 			mask->control[band].he_gi =
6290 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
6291 		if (tb[NL80211_TXRATE_HE_LTF])
6292 			mask->control[band].he_ltf =
6293 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
6294 
6295 		if (tb[NL80211_TXRATE_EHT] &&
6296 		    !eht_set_mcs_mask(info, wdev, sband,
6297 				      nla_data(tb[NL80211_TXRATE_EHT]),
6298 				      mask->control[band].eht_mcs))
6299 			return -EINVAL;
6300 
6301 		if (tb[NL80211_TXRATE_EHT_GI])
6302 			mask->control[band].eht_gi =
6303 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
6304 		if (tb[NL80211_TXRATE_EHT_LTF])
6305 			mask->control[band].eht_ltf =
6306 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
6307 
6308 		if (mask->control[band].legacy == 0) {
6309 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
6310 			 * are not even supported.
6311 			 */
6312 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
6313 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
6314 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
6315 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
6316 				return -EINVAL;
6317 
6318 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
6319 				if (mask->control[band].ht_mcs[i])
6320 					goto out;
6321 
6322 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
6323 				if (mask->control[band].vht_mcs[i])
6324 					goto out;
6325 
6326 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
6327 				if (mask->control[band].he_mcs[i])
6328 					goto out;
6329 
6330 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
6331 				if (mask->control[band].eht_mcs[i])
6332 					goto out;
6333 
6334 			/* legacy and mcs rates may not be both empty */
6335 			return -EINVAL;
6336 		}
6337 	}
6338 
6339 out:
6340 	return 0;
6341 }
6342 
6343 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
6344 				   enum nl80211_band band,
6345 				   struct cfg80211_bitrate_mask *beacon_rate)
6346 {
6347 	u32 count_ht, count_vht, count_he, count_eht, i;
6348 	u32 rate = beacon_rate->control[band].legacy;
6349 
6350 	/* Allow only one rate */
6351 	if (hweight32(rate) > 1)
6352 		return -EINVAL;
6353 
6354 	count_ht = 0;
6355 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
6356 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
6357 			return -EINVAL;
6358 		} else if (beacon_rate->control[band].ht_mcs[i]) {
6359 			count_ht++;
6360 			if (count_ht > 1)
6361 				return -EINVAL;
6362 		}
6363 		if (count_ht && rate)
6364 			return -EINVAL;
6365 	}
6366 
6367 	count_vht = 0;
6368 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
6369 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
6370 			return -EINVAL;
6371 		} else if (beacon_rate->control[band].vht_mcs[i]) {
6372 			count_vht++;
6373 			if (count_vht > 1)
6374 				return -EINVAL;
6375 		}
6376 		if (count_vht && rate)
6377 			return -EINVAL;
6378 	}
6379 
6380 	count_he = 0;
6381 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
6382 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
6383 			return -EINVAL;
6384 		} else if (beacon_rate->control[band].he_mcs[i]) {
6385 			count_he++;
6386 			if (count_he > 1)
6387 				return -EINVAL;
6388 		}
6389 		if (count_he && rate)
6390 			return -EINVAL;
6391 	}
6392 
6393 	count_eht = 0;
6394 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
6395 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
6396 			return -EINVAL;
6397 		} else if (beacon_rate->control[band].eht_mcs[i]) {
6398 			count_eht++;
6399 			if (count_eht > 1)
6400 				return -EINVAL;
6401 		}
6402 		if (count_eht && rate)
6403 			return -EINVAL;
6404 	}
6405 
6406 	if ((count_ht && count_vht && count_he && count_eht) ||
6407 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
6408 		return -EINVAL;
6409 
6410 	if (rate &&
6411 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6412 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
6413 		return -EINVAL;
6414 	if (count_ht &&
6415 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6416 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
6417 		return -EINVAL;
6418 	if (count_vht &&
6419 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6420 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6421 		return -EINVAL;
6422 	if (count_he &&
6423 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6424 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6425 		return -EINVAL;
6426 
6427 	if (count_eht &&
6428 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6429 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6430 		return -EINVAL;
6431 
6432 	return 0;
6433 }
6434 
6435 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6436 				       struct net_device *dev,
6437 				       unsigned int link_id,
6438 				       struct nlattr *attrs,
6439 				       struct cfg80211_mbssid_config *config,
6440 				       u8 num_elems)
6441 {
6442 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6443 	int tx_link_id = -1;
6444 
6445 	if (!wiphy->mbssid_max_interfaces)
6446 		return -EOPNOTSUPP;
6447 
6448 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6449 			     NULL) ||
6450 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6451 		return -EINVAL;
6452 
6453 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6454 	if (config->ema) {
6455 		if (!wiphy->ema_max_profile_periodicity)
6456 			return -EOPNOTSUPP;
6457 
6458 		if (num_elems > wiphy->ema_max_profile_periodicity)
6459 			return -EINVAL;
6460 	}
6461 
6462 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6463 	if (config->index >= wiphy->mbssid_max_interfaces ||
6464 	    (!config->index && !num_elems))
6465 		return -EINVAL;
6466 
6467 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6468 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6469 
6470 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6471 		u32 tx_ifindex =
6472 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6473 
6474 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6475 		    (config->index && tx_ifindex == dev->ifindex))
6476 			return -EINVAL;
6477 
6478 		if (tx_ifindex != dev->ifindex) {
6479 			struct net_device *tx_netdev =
6480 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6481 
6482 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6483 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6484 			    tx_netdev->ieee80211_ptr->iftype !=
6485 							NL80211_IFTYPE_AP) {
6486 				dev_put(tx_netdev);
6487 				return -EINVAL;
6488 			}
6489 
6490 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6491 			/* Caller should call dev_put(config->tx_wdev) from this point */
6492 
6493 			if (config->tx_wdev->valid_links) {
6494 				if (tx_link_id == -1 ||
6495 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6496 					return -ENOLINK;
6497 
6498 				config->tx_link_id = tx_link_id;
6499 			}
6500 		} else {
6501 			if (tx_link_id >= 0 && tx_link_id != link_id)
6502 				return -EINVAL;
6503 
6504 			config->tx_wdev = dev->ieee80211_ptr;
6505 		}
6506 	} else if (!config->index) {
6507 		if (tx_link_id >= 0 && tx_link_id != link_id)
6508 			return -EINVAL;
6509 
6510 		config->tx_wdev = dev->ieee80211_ptr;
6511 	} else {
6512 		return -EINVAL;
6513 	}
6514 
6515 	return 0;
6516 }
6517 
6518 static struct cfg80211_mbssid_elems *
6519 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6520 {
6521 	struct nlattr *nl_elems;
6522 	struct cfg80211_mbssid_elems *elems;
6523 	int rem_elems;
6524 	u8 i = 0, num_elems = 0;
6525 
6526 	if (!wiphy->mbssid_max_interfaces)
6527 		return ERR_PTR(-EINVAL);
6528 
6529 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6530 		if (num_elems >= 255)
6531 			return ERR_PTR(-EINVAL);
6532 		num_elems++;
6533 	}
6534 
6535 	elems = kzalloc_flex(*elems, elem, num_elems);
6536 	if (!elems)
6537 		return ERR_PTR(-ENOMEM);
6538 	elems->cnt = num_elems;
6539 
6540 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6541 		elems->elem[i].data = nla_data(nl_elems);
6542 		elems->elem[i].len = nla_len(nl_elems);
6543 		i++;
6544 	}
6545 	return elems;
6546 }
6547 
6548 static struct cfg80211_rnr_elems *
6549 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6550 			struct netlink_ext_ack *extack)
6551 {
6552 	struct nlattr *nl_elems;
6553 	struct cfg80211_rnr_elems *elems;
6554 	int rem_elems;
6555 	u8 i = 0, num_elems = 0;
6556 
6557 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6558 		int ret;
6559 
6560 		ret = validate_ie_attr(nl_elems, extack);
6561 		if (ret)
6562 			return ERR_PTR(ret);
6563 
6564 		num_elems++;
6565 	}
6566 
6567 	elems = kzalloc_flex(*elems, elem, num_elems);
6568 	if (!elems)
6569 		return ERR_PTR(-ENOMEM);
6570 	elems->cnt = num_elems;
6571 
6572 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6573 		elems->elem[i].data = nla_data(nl_elems);
6574 		elems->elem[i].len = nla_len(nl_elems);
6575 		i++;
6576 	}
6577 	return elems;
6578 }
6579 
6580 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6581 				      struct cfg80211_he_bss_color *he_bss_color)
6582 {
6583 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6584 	int err;
6585 
6586 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6587 			       he_bss_color_policy, NULL);
6588 	if (err)
6589 		return err;
6590 
6591 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6592 		return -EINVAL;
6593 
6594 	he_bss_color->color =
6595 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6596 	he_bss_color->enabled =
6597 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6598 	he_bss_color->partial =
6599 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6600 
6601 	return 0;
6602 }
6603 
6604 static void nl80211_check_ap_rate_selectors(struct cfg80211_beacon_data *bcn,
6605 					    const struct element *rates)
6606 {
6607 	int i;
6608 
6609 	if (!rates)
6610 		return;
6611 
6612 	for (i = 0; i < rates->datalen; i++) {
6613 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6614 			bcn->ht_required = true;
6615 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6616 			bcn->vht_required = true;
6617 	}
6618 }
6619 
6620 /*
6621  * Since the nl80211 API didn't include, from the beginning, attributes about
6622  * HT/VHT/... operation, we parse them out of the elements and check for
6623  * validity for use by drivers/mac80211.
6624  */
6625 static int nl80211_calculate_ap_operation(struct nlattr *attrs[],
6626 					  struct cfg80211_beacon_data *bcn,
6627 					  struct netlink_ext_ack *extack)
6628 {
6629 	size_t ies_len = bcn->tail_len;
6630 	const u8 *ies = bcn->tail;
6631 	const struct element *rates;
6632 	const struct element *op;
6633 
6634 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6635 	nl80211_check_ap_rate_selectors(bcn, rates);
6636 
6637 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6638 	nl80211_check_ap_rate_selectors(bcn, rates);
6639 
6640 	op = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6641 	if (op) {
6642 		if (op->datalen < sizeof(*bcn->he_oper) + 1) {
6643 			NL_SET_ERR_MSG(extack, "bad HE operation in beacon");
6644 			return -EINVAL;
6645 		}
6646 		bcn->he_oper = (void *)(op->data + 1);
6647 		/* takes extension ID into account */
6648 		if (op->datalen < ieee80211_he_oper_size((void *)bcn->he_oper)) {
6649 			NL_SET_ERR_MSG(extack, "bad HE operation in beacon");
6650 			return -EINVAL;
6651 		}
6652 	}
6653 
6654 	op = cfg80211_find_elem(WLAN_EID_HT_OPERATION, ies, ies_len);
6655 	if (op) {
6656 		if (op->datalen < sizeof(*bcn->ht_oper)) {
6657 			NL_SET_ERR_MSG(extack, "bad HT operation in beacon");
6658 			return -EINVAL;
6659 		}
6660 		bcn->ht_oper = (void *)op->data;
6661 	}
6662 
6663 	op = cfg80211_find_elem(WLAN_EID_VHT_OPERATION, ies, ies_len);
6664 	if (op) {
6665 		if (op->datalen < sizeof(*bcn->vht_oper)) {
6666 			NL_SET_ERR_MSG(extack, "bad VHT operation in beacon");
6667 			return -EINVAL;
6668 		}
6669 		bcn->vht_oper = (void *)op->data;
6670 	}
6671 
6672 	op = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6673 	if (op) {
6674 		if (!ieee80211_eht_oper_size_ok(op->data + 1,
6675 						op->datalen - 1)) {
6676 			NL_SET_ERR_MSG(extack, "bad EHT operation in beacon");
6677 			return -EINVAL;
6678 		}
6679 		bcn->eht_oper = (void *)(op->data + 1);
6680 	}
6681 
6682 	op = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
6683 	if (op) {
6684 		/* need full UHR operation separately */
6685 		if (!attrs[NL80211_ATTR_UHR_OPERATION]) {
6686 			NL_SET_ERR_MSG(extack, "missing UHR operation");
6687 			return -EINVAL;
6688 		}
6689 		bcn->uhr_oper = nla_data(attrs[NL80211_ATTR_UHR_OPERATION]);
6690 	} else if (attrs[NL80211_ATTR_UHR_OPERATION]) {
6691 		NL_SET_ERR_MSG(extack, "unexpected UHR operation");
6692 		return -EINVAL;
6693 	}
6694 
6695 	return 0;
6696 }
6697 
6698 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6699 				struct nlattr *attrs[],
6700 				struct cfg80211_beacon_data *bcn,
6701 				struct ieee80211_channel *chan,
6702 				struct netlink_ext_ack *extack)
6703 {
6704 	bool haveinfo = false;
6705 	int err;
6706 
6707 	memset(bcn, 0, sizeof(*bcn));
6708 
6709 	bcn->link_id = nl80211_link_id(attrs);
6710 
6711 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6712 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6713 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6714 		if (!bcn->head_len)
6715 			return -EINVAL;
6716 		haveinfo = true;
6717 	}
6718 
6719 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6720 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6721 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6722 		haveinfo = true;
6723 	}
6724 
6725 	if (!haveinfo)
6726 		return -EINVAL;
6727 
6728 	if (attrs[NL80211_ATTR_IE]) {
6729 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6730 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6731 	}
6732 
6733 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6734 		bcn->proberesp_ies =
6735 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6736 		bcn->proberesp_ies_len =
6737 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6738 	}
6739 
6740 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6741 		bcn->assocresp_ies =
6742 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6743 		bcn->assocresp_ies_len =
6744 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6745 	}
6746 
6747 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6748 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6749 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6750 	}
6751 
6752 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6753 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6754 
6755 		err = nla_parse_nested_deprecated(tb,
6756 						  NL80211_FTM_RESP_ATTR_MAX,
6757 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6758 						  NULL, NULL);
6759 		if (err)
6760 			return err;
6761 
6762 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6763 		    wiphy_ext_feature_isset(&rdev->wiphy,
6764 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6765 			bcn->ftm_responder = 1;
6766 		else
6767 			return -EOPNOTSUPP;
6768 
6769 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6770 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6771 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6772 		}
6773 
6774 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6775 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6776 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6777 		}
6778 	} else {
6779 		bcn->ftm_responder = -1;
6780 	}
6781 
6782 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6783 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6784 						 &bcn->he_bss_color);
6785 		if (err)
6786 			return err;
6787 		bcn->he_bss_color_valid = true;
6788 	}
6789 
6790 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6791 		struct cfg80211_mbssid_elems *mbssid =
6792 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6793 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6794 
6795 		if (IS_ERR(mbssid))
6796 			return PTR_ERR(mbssid);
6797 
6798 		bcn->mbssid_ies = mbssid;
6799 
6800 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6801 			struct cfg80211_rnr_elems *rnr =
6802 				nl80211_parse_rnr_elems(&rdev->wiphy,
6803 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6804 							extack);
6805 
6806 			if (IS_ERR(rnr))
6807 				return PTR_ERR(rnr);
6808 
6809 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6810 				return -EINVAL;
6811 
6812 			bcn->rnr_ies = rnr;
6813 		}
6814 	}
6815 
6816 	err = nl80211_calculate_ap_operation(attrs, bcn, extack);
6817 	if (err)
6818 		return err;
6819 
6820 	if (bcn->he_oper && (chan->flags & IEEE80211_CHAN_NO_HE))
6821 		return -EOPNOTSUPP;
6822 
6823 	if (bcn->eht_oper && (chan->flags & IEEE80211_CHAN_NO_EHT))
6824 		return -EOPNOTSUPP;
6825 
6826 	if (bcn->uhr_oper && (chan->flags & IEEE80211_CHAN_NO_UHR))
6827 		return -EOPNOTSUPP;
6828 
6829 	return 0;
6830 }
6831 
6832 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6833 				    struct ieee80211_he_obss_pd *he_obss_pd)
6834 {
6835 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6836 	int err;
6837 
6838 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6839 			       he_obss_pd_policy, NULL);
6840 	if (err)
6841 		return err;
6842 
6843 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6844 		return -EINVAL;
6845 
6846 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6847 
6848 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6849 		he_obss_pd->min_offset =
6850 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6851 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6852 		he_obss_pd->max_offset =
6853 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6854 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6855 		he_obss_pd->non_srg_max_offset =
6856 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6857 
6858 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6859 		return -EINVAL;
6860 
6861 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6862 		memcpy(he_obss_pd->bss_color_bitmap,
6863 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6864 		       sizeof(he_obss_pd->bss_color_bitmap));
6865 
6866 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6867 		memcpy(he_obss_pd->partial_bssid_bitmap,
6868 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6869 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6870 
6871 	he_obss_pd->enable = true;
6872 
6873 	return 0;
6874 }
6875 
6876 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6877 					struct nlattr *attrs,
6878 					struct cfg80211_fils_discovery *fd)
6879 {
6880 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6881 	int ret;
6882 
6883 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6884 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6885 		return -EINVAL;
6886 
6887 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6888 			       NULL, NULL);
6889 	if (ret)
6890 		return ret;
6891 
6892 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6893 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6894 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6895 		fd->update = true;
6896 		return 0;
6897 	}
6898 
6899 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6900 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6901 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6902 		return -EINVAL;
6903 
6904 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6905 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6906 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6907 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6908 	fd->update = true;
6909 	return 0;
6910 }
6911 
6912 static int
6913 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6914 				     struct nlattr *attrs,
6915 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6916 {
6917 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6918 	int ret;
6919 
6920 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6921 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6922 		return -EINVAL;
6923 
6924 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6925 			       attrs, NULL, NULL);
6926 	if (ret)
6927 		return ret;
6928 
6929 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6930 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6931 		presp->update = true;
6932 		return 0;
6933 	}
6934 
6935 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6936 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6937 		return -EINVAL;
6938 
6939 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6940 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6941 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6942 	presp->update = true;
6943 	return 0;
6944 }
6945 
6946 /*
6947  * Since the nl80211 API didn't include, from the beginning, attributes about
6948  * HT/VHT/... capabilities, we parse them out of the elements and check for
6949  * validity for use by drivers/mac80211.
6950  */
6951 static int nl80211_calculate_ap_capabilities(struct genl_info *info,
6952 					     struct cfg80211_ap_settings *params)
6953 {
6954 	size_t ies_len = params->beacon.tail_len;
6955 	const u8 *ies = params->beacon.tail;
6956 	const struct element *cap;
6957 
6958 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6959 	if (cap) {
6960 		if (cap->datalen < sizeof(*params->ht_cap)) {
6961 			GENL_SET_ERR_MSG(info, "bad HT capability in beacon");
6962 			return -EINVAL;
6963 		}
6964 		params->ht_cap = (void *)cap->data;
6965 	}
6966 
6967 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6968 	if (cap) {
6969 		if (cap->datalen < sizeof(*params->vht_cap)) {
6970 			GENL_SET_ERR_MSG(info, "bad VHT capability in beacon");
6971 			return -EINVAL;
6972 		}
6973 		params->vht_cap = (void *)cap->data;
6974 	}
6975 
6976 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6977 	if (cap) {
6978 		if (cap->datalen < sizeof(*params->he_cap) + 1) {
6979 			GENL_SET_ERR_MSG(info, "bad HE capability in beacon");
6980 			return -EINVAL;
6981 		}
6982 		params->he_cap = (void *)(cap->data + 1);
6983 	}
6984 
6985 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6986 	if (cap) {
6987 		params->eht_cap = (void *)(cap->data + 1);
6988 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6989 						(const u8 *)params->eht_cap,
6990 						cap->datalen - 1, true)) {
6991 			GENL_SET_ERR_MSG(info, "bad EHT capability in beacon");
6992 			return -EINVAL;
6993 		}
6994 	}
6995 
6996 	return 0;
6997 }
6998 
6999 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
7000 				   struct cfg80211_ap_settings *params)
7001 {
7002 	struct wireless_dev *wdev;
7003 
7004 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
7005 		if (wdev->iftype != NL80211_IFTYPE_AP &&
7006 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
7007 			continue;
7008 
7009 		if (!wdev->u.ap.preset_chandef.chan)
7010 			continue;
7011 
7012 		params->chandef = wdev->u.ap.preset_chandef;
7013 		return true;
7014 	}
7015 
7016 	return false;
7017 }
7018 
7019 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
7020 				    enum nl80211_auth_type auth_type,
7021 				    enum nl80211_commands cmd)
7022 {
7023 	if (auth_type > NL80211_AUTHTYPE_MAX)
7024 		return false;
7025 
7026 	switch (cmd) {
7027 	case NL80211_CMD_AUTHENTICATE:
7028 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
7029 		    auth_type == NL80211_AUTHTYPE_SAE)
7030 			return false;
7031 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7032 					     NL80211_EXT_FEATURE_FILS_STA) &&
7033 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
7034 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
7035 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
7036 			return false;
7037 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7038 					     NL80211_EXT_FEATURE_EPPKE) &&
7039 		    auth_type == NL80211_AUTHTYPE_EPPKE)
7040 			return false;
7041 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7042 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
7043 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
7044 			return false;
7045 		return true;
7046 	case NL80211_CMD_CONNECT:
7047 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
7048 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7049 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
7050 		    auth_type == NL80211_AUTHTYPE_SAE)
7051 			return false;
7052 
7053 		/* FILS with SK PFS or PK not supported yet */
7054 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
7055 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
7056 			return false;
7057 		if (!wiphy_ext_feature_isset(
7058 			    &rdev->wiphy,
7059 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
7060 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
7061 			return false;
7062 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7063 					     NL80211_EXT_FEATURE_EPPKE) &&
7064 		    auth_type == NL80211_AUTHTYPE_EPPKE)
7065 			return false;
7066 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7067 					     NL80211_EXT_FEATURE_IEEE8021X_AUTH) &&
7068 		    auth_type == NL80211_AUTHTYPE_IEEE8021X)
7069 			return false;
7070 		return true;
7071 	case NL80211_CMD_START_AP:
7072 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7073 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
7074 		    auth_type == NL80211_AUTHTYPE_SAE)
7075 			return false;
7076 		/* FILS not supported yet */
7077 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
7078 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
7079 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
7080 			return false;
7081 		return true;
7082 	default:
7083 		return false;
7084 	}
7085 }
7086 
7087 static void nl80211_send_ap_started(struct wireless_dev *wdev,
7088 				    unsigned int link_id)
7089 {
7090 	struct wiphy *wiphy = wdev->wiphy;
7091 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
7092 	struct sk_buff *msg;
7093 	void *hdr;
7094 
7095 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7096 	if (!msg)
7097 		return;
7098 
7099 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
7100 	if (!hdr)
7101 		goto out;
7102 
7103 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
7104 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
7105 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7106 			      NL80211_ATTR_PAD) ||
7107 	    (wdev->u.ap.ssid_len &&
7108 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
7109 		     wdev->u.ap.ssid)) ||
7110 	    (wdev->valid_links &&
7111 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
7112 		goto out;
7113 
7114 	genlmsg_end(msg, hdr);
7115 
7116 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
7117 				NL80211_MCGRP_MLME, GFP_KERNEL);
7118 	return;
7119 out:
7120 	nlmsg_free(msg);
7121 }
7122 
7123 static int
7124 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
7125 			       struct nlattr *attrs,
7126 			       struct cfg80211_s1g_short_beacon *sb)
7127 {
7128 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
7129 	int ret;
7130 
7131 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
7132 		return -EINVAL;
7133 
7134 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
7135 			       NULL, NULL);
7136 	if (ret)
7137 		return ret;
7138 
7139 	/* Short beacon tail is optional (i.e might only include the TIM) */
7140 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
7141 		return -EINVAL;
7142 
7143 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
7144 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
7145 	sb->short_tail_len = 0;
7146 
7147 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
7148 		sb->short_tail =
7149 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
7150 		sb->short_tail_len =
7151 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
7152 	}
7153 
7154 	sb->update = true;
7155 	return 0;
7156 }
7157 
7158 static int nl80211_check_npca(struct cfg80211_registered_device *rdev,
7159 			      const struct cfg80211_chan_def *chandef,
7160 			      enum nl80211_iftype iftype,
7161 			      struct netlink_ext_ack *extack)
7162 {
7163 	const struct ieee80211_supported_band *sband;
7164 	const struct ieee80211_sta_uhr_cap *uhr_cap;
7165 
7166 	if (!chandef->npca_chan)
7167 		return 0;
7168 
7169 	sband = rdev->wiphy.bands[chandef->chan->band];
7170 	uhr_cap = ieee80211_get_uhr_iftype_cap(sband, iftype);
7171 
7172 	if (uhr_cap &&
7173 	    (uhr_cap->mac.mac_cap[0] & IEEE80211_UHR_MAC_CAP0_NPCA_SUPP))
7174 		return 0;
7175 
7176 	NL_SET_ERR_MSG(extack, "NPCA not supported");
7177 	return -EINVAL;
7178 }
7179 
7180 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
7181 {
7182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7183 	struct cfg80211_beaconing_check_config beacon_check = {};
7184 	unsigned int link_id = nl80211_link_id(info->attrs);
7185 	struct net_device *dev = info->user_ptr[1];
7186 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7187 	struct cfg80211_ap_settings *params;
7188 	int err;
7189 
7190 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7191 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7192 		return -EOPNOTSUPP;
7193 
7194 	if (!rdev->ops->start_ap)
7195 		return -EOPNOTSUPP;
7196 
7197 	if (wdev->links[link_id].cac_started)
7198 		return -EBUSY;
7199 
7200 	if (wdev->links[link_id].ap.beacon_interval)
7201 		return -EALREADY;
7202 
7203 	/* these are required for START_AP */
7204 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
7205 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
7206 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
7207 		return -EINVAL;
7208 
7209 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
7210 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
7211 		return -EOPNOTSUPP;
7212 
7213 	params = kzalloc_obj(*params);
7214 	if (!params)
7215 		return -ENOMEM;
7216 
7217 	params->beacon_interval =
7218 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
7219 	params->dtim_period =
7220 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
7221 
7222 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
7223 					   params->beacon_interval);
7224 	if (err)
7225 		goto out;
7226 
7227 	/*
7228 	 * In theory, some of these attributes should be required here
7229 	 * but since they were not used when the command was originally
7230 	 * added, keep them optional for old user space programs to let
7231 	 * them continue to work with drivers that do not need the
7232 	 * additional information -- drivers must check!
7233 	 */
7234 	if (info->attrs[NL80211_ATTR_SSID]) {
7235 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
7236 		params->ssid_len =
7237 			nla_len(info->attrs[NL80211_ATTR_SSID]);
7238 		if (params->ssid_len == 0) {
7239 			err = -EINVAL;
7240 			goto out;
7241 		}
7242 
7243 		if (wdev->u.ap.ssid_len &&
7244 		    (wdev->u.ap.ssid_len != params->ssid_len ||
7245 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
7246 			/* require identical SSID for MLO */
7247 			err = -EINVAL;
7248 			goto out;
7249 		}
7250 	} else if (wdev->valid_links) {
7251 		/* require SSID for MLO */
7252 		err = -EINVAL;
7253 		goto out;
7254 	}
7255 
7256 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
7257 		params->hidden_ssid = nla_get_u32(
7258 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
7259 
7260 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
7261 
7262 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
7263 		params->auth_type = nla_get_u32(
7264 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
7265 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
7266 					     NL80211_CMD_START_AP)) {
7267 			err = -EINVAL;
7268 			goto out;
7269 		}
7270 	} else
7271 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
7272 
7273 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
7274 				      NL80211_MAX_NR_CIPHER_SUITES);
7275 	if (err)
7276 		goto out;
7277 
7278 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
7279 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
7280 			err = -EOPNOTSUPP;
7281 			goto out;
7282 		}
7283 		params->inactivity_timeout = nla_get_u16(
7284 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
7285 	}
7286 
7287 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7288 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7289 			err = -EINVAL;
7290 			goto out;
7291 		}
7292 		params->p2p_ctwindow =
7293 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7294 		if (params->p2p_ctwindow != 0 &&
7295 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
7296 			err = -EINVAL;
7297 			goto out;
7298 		}
7299 	}
7300 
7301 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7302 		u8 tmp;
7303 
7304 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7305 			err = -EINVAL;
7306 			goto out;
7307 		}
7308 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7309 		params->p2p_opp_ps = tmp;
7310 		if (params->p2p_opp_ps != 0 &&
7311 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
7312 			err = -EINVAL;
7313 			goto out;
7314 		}
7315 	}
7316 
7317 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
7318 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
7319 					    &params->chandef, true);
7320 		if (err)
7321 			goto out;
7322 	} else if (wdev->valid_links) {
7323 		/* with MLD need to specify the channel configuration */
7324 		err = -EINVAL;
7325 		goto out;
7326 	} else if (wdev->u.ap.preset_chandef.chan) {
7327 		params->chandef = wdev->u.ap.preset_chandef;
7328 	} else if (!nl80211_get_ap_channel(rdev, params)) {
7329 		err = -EINVAL;
7330 		goto out;
7331 	}
7332 
7333 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7334 				   params->chandef.chan, info->extack);
7335 	if (err)
7336 		goto out;
7337 
7338 	err = nl80211_check_npca(rdev, &params->chandef, wdev->iftype,
7339 				 info->extack);
7340 	if (err)
7341 		goto out;
7342 
7343 	beacon_check.iftype = wdev->iftype;
7344 	beacon_check.relax = true;
7345 	beacon_check.reg_power =
7346 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7347 					     params->beacon.tail_len, 0);
7348 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
7349 					  &beacon_check)) {
7350 		err = -EINVAL;
7351 		goto out;
7352 	}
7353 
7354 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
7355 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
7356 						    NL80211_ATTR_TX_RATES,
7357 						    &params->beacon_rate,
7358 						    dev, false, link_id);
7359 		if (err)
7360 			goto out;
7361 
7362 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
7363 					      &params->beacon_rate);
7364 		if (err)
7365 			goto out;
7366 	}
7367 
7368 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
7369 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
7370 		err = -EOPNOTSUPP;
7371 		goto out;
7372 	}
7373 
7374 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
7375 		params->acl = parse_acl_data(&rdev->wiphy, info);
7376 		if (IS_ERR(params->acl)) {
7377 			err = PTR_ERR(params->acl);
7378 			params->acl = NULL;
7379 			goto out;
7380 		}
7381 	}
7382 
7383 	params->twt_responder =
7384 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
7385 
7386 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
7387 		err = nl80211_parse_he_obss_pd(
7388 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
7389 					&params->he_obss_pd);
7390 		if (err)
7391 			goto out;
7392 	}
7393 
7394 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
7395 		err = nl80211_parse_fils_discovery(rdev,
7396 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
7397 						   &params->fils_discovery);
7398 		if (err)
7399 			goto out;
7400 	}
7401 
7402 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
7403 		err = nl80211_parse_unsol_bcast_probe_resp(
7404 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
7405 			&params->unsol_bcast_probe_resp);
7406 		if (err)
7407 			goto out;
7408 	}
7409 
7410 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
7411 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
7412 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
7413 						  &params->mbssid_config,
7414 						  params->beacon.mbssid_ies ?
7415 							params->beacon.mbssid_ies->cnt :
7416 							0);
7417 		if (err)
7418 			goto out;
7419 	}
7420 
7421 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
7422 		err = -EINVAL;
7423 		goto out;
7424 	}
7425 
7426 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
7427 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
7428 			err = -EINVAL;
7429 			goto out;
7430 		}
7431 
7432 		params->s1g_long_beacon_period = nla_get_u8(
7433 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
7434 
7435 		err = nl80211_parse_s1g_short_beacon(
7436 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
7437 			&params->s1g_short_beacon);
7438 		if (err)
7439 			goto out;
7440 	}
7441 
7442 	err = nl80211_calculate_ap_capabilities(info, params);
7443 	if (err)
7444 		goto out;
7445 
7446 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
7447 		params->flags = nla_get_u32(
7448 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
7449 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
7450 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
7451 
7452 	if (wdev->conn_owner_nlportid &&
7453 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
7454 	    wdev->conn_owner_nlportid != info->snd_portid) {
7455 		err = -EINVAL;
7456 		goto out;
7457 	}
7458 
7459 	/* FIXME: validate MLO/link-id against driver capabilities */
7460 
7461 	err = rdev_start_ap(rdev, dev, params);
7462 	if (!err) {
7463 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
7464 		wdev->links[link_id].ap.chandef = params->chandef;
7465 		wdev->u.ap.ssid_len = params->ssid_len;
7466 		memcpy(wdev->u.ap.ssid, params->ssid,
7467 		       params->ssid_len);
7468 
7469 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7470 			wdev->conn_owner_nlportid = info->snd_portid;
7471 
7472 		nl80211_send_ap_started(wdev, link_id);
7473 	}
7474 out:
7475 	kfree(params->acl);
7476 	kfree(params->beacon.mbssid_ies);
7477 	if (params->mbssid_config.tx_wdev &&
7478 	    params->mbssid_config.tx_wdev->netdev &&
7479 	    params->mbssid_config.tx_wdev->netdev != dev)
7480 		dev_put(params->mbssid_config.tx_wdev->netdev);
7481 	kfree(params->beacon.rnr_ies);
7482 	kfree(params);
7483 
7484 	return err;
7485 }
7486 
7487 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
7488 {
7489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7490 	struct cfg80211_beaconing_check_config beacon_check = {};
7491 	unsigned int link_id = nl80211_link_id(info->attrs);
7492 	struct net_device *dev = info->user_ptr[1];
7493 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7494 	struct cfg80211_ap_update *params;
7495 	struct nlattr *attr;
7496 	int err;
7497 
7498 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7499 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7500 		return -EOPNOTSUPP;
7501 
7502 	if (!rdev->ops->change_beacon)
7503 		return -EOPNOTSUPP;
7504 
7505 	if (!wdev->links[link_id].ap.beacon_interval)
7506 		return -EINVAL;
7507 
7508 	params = kzalloc_obj(*params);
7509 	if (!params)
7510 		return -ENOMEM;
7511 
7512 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7513 				   wdev->links[link_id].ap.chandef.chan,
7514 				   info->extack);
7515 	if (err)
7516 		goto out;
7517 
7518 	/* recheck beaconing is permitted with possibly changed power type */
7519 	beacon_check.iftype = wdev->iftype;
7520 	beacon_check.relax = true;
7521 	beacon_check.reg_power =
7522 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7523 					     params->beacon.tail_len, 0);
7524 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7525 					  &wdev->links[link_id].ap.chandef,
7526 					  &beacon_check)) {
7527 		err = -EINVAL;
7528 		goto out;
7529 	}
7530 
7531 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7532 	if (attr) {
7533 		err = nl80211_parse_fils_discovery(rdev, attr,
7534 						   &params->fils_discovery);
7535 		if (err)
7536 			goto out;
7537 	}
7538 
7539 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7540 	if (attr) {
7541 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7542 							   &params->unsol_bcast_probe_resp);
7543 		if (err)
7544 			goto out;
7545 	}
7546 
7547 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7548 	if (attr) {
7549 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7550 						     &params->s1g_short_beacon);
7551 		if (err)
7552 			goto out;
7553 	}
7554 
7555 	err = rdev_change_beacon(rdev, dev, params);
7556 
7557 out:
7558 	kfree(params->beacon.mbssid_ies);
7559 	kfree(params->beacon.rnr_ies);
7560 	kfree(params);
7561 	return err;
7562 }
7563 
7564 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7565 {
7566 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7567 	unsigned int link_id = nl80211_link_id(info->attrs);
7568 	struct net_device *dev = info->user_ptr[1];
7569 
7570 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7571 }
7572 
7573 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7574 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7575 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7576 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7577 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7578 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7579 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7580 };
7581 
7582 static int parse_station_flags(struct genl_info *info,
7583 			       enum nl80211_iftype iftype,
7584 			       struct station_parameters *params)
7585 {
7586 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7587 	struct nlattr *nla;
7588 	int flag;
7589 
7590 	/*
7591 	 * Try parsing the new attribute first so userspace
7592 	 * can specify both for older kernels.
7593 	 */
7594 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7595 	if (nla) {
7596 		struct nl80211_sta_flag_update *sta_flags;
7597 
7598 		sta_flags = nla_data(nla);
7599 		params->sta_flags_mask = sta_flags->mask;
7600 		params->sta_flags_set = sta_flags->set;
7601 		params->sta_flags_set &= params->sta_flags_mask;
7602 		if ((params->sta_flags_mask |
7603 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7604 			return -EINVAL;
7605 
7606 		if ((iftype == NL80211_IFTYPE_NAN ||
7607 		     iftype == NL80211_IFTYPE_NAN_DATA) &&
7608 		    params->sta_flags_mask &
7609 		    ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7610 		      BIT(NL80211_STA_FLAG_ASSOCIATED) |
7611 		      BIT(NL80211_STA_FLAG_AUTHORIZED) |
7612 		      BIT(NL80211_STA_FLAG_MFP)))
7613 				return -EINVAL;
7614 
7615 		/* WME is always used in NAN */
7616 		if (iftype == NL80211_IFTYPE_NAN_DATA) {
7617 			/* but don't let userspace control it */
7618 			if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_WME))
7619 				return -EINVAL;
7620 
7621 			params->sta_flags_mask |= BIT(NL80211_STA_FLAG_WME);
7622 			params->sta_flags_set |= BIT(NL80211_STA_FLAG_WME);
7623 		}
7624 
7625 		return 0;
7626 	}
7627 
7628 	/* if present, parse the old attribute */
7629 
7630 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7631 	if (!nla)
7632 		return 0;
7633 
7634 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7635 		return -EINVAL;
7636 
7637 	/*
7638 	 * Only allow certain flags for interface types so that
7639 	 * other attributes are silently ignored. Remember that
7640 	 * this is backward compatibility code with old userspace
7641 	 * and shouldn't be hit in other cases anyway.
7642 	 */
7643 	switch (iftype) {
7644 	case NL80211_IFTYPE_AP:
7645 	case NL80211_IFTYPE_AP_VLAN:
7646 	case NL80211_IFTYPE_P2P_GO:
7647 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7648 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7649 					 BIT(NL80211_STA_FLAG_WME) |
7650 					 BIT(NL80211_STA_FLAG_MFP);
7651 		break;
7652 	case NL80211_IFTYPE_P2P_CLIENT:
7653 	case NL80211_IFTYPE_STATION:
7654 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7655 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7656 		break;
7657 	case NL80211_IFTYPE_MESH_POINT:
7658 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7659 					 BIT(NL80211_STA_FLAG_MFP) |
7660 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7661 		break;
7662 	default:
7663 		return -EINVAL;
7664 	}
7665 
7666 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7667 		if (flags[flag]) {
7668 			params->sta_flags_set |= (1<<flag);
7669 
7670 			/* no longer support new API additions in old API */
7671 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7672 				return -EINVAL;
7673 		}
7674 	}
7675 
7676 	return 0;
7677 }
7678 
7679 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7680 {
7681 	struct nlattr *rate;
7682 	u32 bitrate;
7683 	u16 bitrate_compat;
7684 	enum nl80211_rate_info rate_flg;
7685 
7686 	rate = nla_nest_start_noflag(msg, attr);
7687 	if (!rate)
7688 		return false;
7689 
7690 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7691 	bitrate = cfg80211_calculate_bitrate(info);
7692 	/* report 16-bit bitrate only if we can */
7693 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7694 	if (bitrate > 0 &&
7695 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7696 		return false;
7697 	if (bitrate_compat > 0 &&
7698 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7699 		return false;
7700 
7701 	switch (info->bw) {
7702 	case RATE_INFO_BW_1:
7703 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7704 		break;
7705 	case RATE_INFO_BW_2:
7706 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7707 		break;
7708 	case RATE_INFO_BW_4:
7709 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7710 		break;
7711 	case RATE_INFO_BW_5:
7712 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7713 		break;
7714 	case RATE_INFO_BW_8:
7715 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7716 		break;
7717 	case RATE_INFO_BW_10:
7718 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7719 		break;
7720 	case RATE_INFO_BW_16:
7721 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7722 		break;
7723 	default:
7724 		WARN_ON(1);
7725 		fallthrough;
7726 	case RATE_INFO_BW_20:
7727 		rate_flg = 0;
7728 		break;
7729 	case RATE_INFO_BW_40:
7730 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7731 		break;
7732 	case RATE_INFO_BW_80:
7733 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7734 		break;
7735 	case RATE_INFO_BW_160:
7736 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7737 		break;
7738 	case RATE_INFO_BW_HE_RU:
7739 		rate_flg = 0;
7740 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7741 		break;
7742 	case RATE_INFO_BW_320:
7743 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7744 		break;
7745 	case RATE_INFO_BW_EHT_RU:
7746 		rate_flg = 0;
7747 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7748 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7749 		break;
7750 	}
7751 
7752 	if (rate_flg && nla_put_flag(msg, rate_flg))
7753 		return false;
7754 
7755 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7756 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7757 			return false;
7758 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7759 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7760 			return false;
7761 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7762 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7763 			return false;
7764 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7765 			return false;
7766 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7767 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7768 			return false;
7769 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7770 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7771 			return false;
7772 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7773 			return false;
7774 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7775 			return false;
7776 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7777 			return false;
7778 		if (info->bw == RATE_INFO_BW_HE_RU &&
7779 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7780 			       info->he_ru_alloc))
7781 			return false;
7782 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7783 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7784 			return false;
7785 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7786 			return false;
7787 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7788 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7789 			return false;
7790 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7791 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7792 			return false;
7793 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7794 			return false;
7795 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7796 			return false;
7797 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7798 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7799 			       info->eht_ru_alloc))
7800 			return false;
7801 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7802 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7803 			return false;
7804 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7805 			return false;
7806 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7807 			return false;
7808 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7809 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7810 			       info->eht_ru_alloc))
7811 			return false;
7812 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7813 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7814 			return false;
7815 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7816 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7817 			return false;
7818 	}
7819 
7820 	nla_nest_end(msg, rate);
7821 	return true;
7822 }
7823 
7824 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7825 			       int id)
7826 {
7827 	void *attr;
7828 	int i = 0;
7829 
7830 	if (!mask)
7831 		return true;
7832 
7833 	attr = nla_nest_start_noflag(msg, id);
7834 	if (!attr)
7835 		return false;
7836 
7837 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7838 		if (!(mask & BIT(i)))
7839 			continue;
7840 
7841 		if (nla_put_u8(msg, i, signal[i]))
7842 			return false;
7843 	}
7844 
7845 	nla_nest_end(msg, attr);
7846 
7847 	return true;
7848 }
7849 
7850 static int nl80211_fill_link_station(struct sk_buff *msg,
7851 				     struct cfg80211_registered_device *rdev,
7852 				     struct link_station_info *link_sinfo)
7853 {
7854 	struct nlattr *bss_param, *link_sinfoattr;
7855 
7856 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7857 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7858 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7859 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7860 			     link_sinfo->memb))				\
7861 		goto nla_put_failure;					\
7862 	} while (0)
7863 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7864 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7865 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7866 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7867 		goto nla_put_failure;					\
7868 	} while (0)
7869 
7870 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7871 	if (!link_sinfoattr)
7872 		goto nla_put_failure;
7873 
7874 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7875 
7876 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7877 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7878 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7879 			(u32)link_sinfo->rx_bytes))
7880 		goto nla_put_failure;
7881 
7882 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7883 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7884 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7885 			(u32)link_sinfo->tx_bytes))
7886 		goto nla_put_failure;
7887 
7888 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7889 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7890 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7891 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7892 
7893 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7894 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7895 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7896 
7897 	switch (rdev->wiphy.signal_type) {
7898 	case CFG80211_SIGNAL_TYPE_MBM:
7899 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7900 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7901 		break;
7902 	default:
7903 		break;
7904 	}
7905 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7906 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7907 					link_sinfo->chain_signal,
7908 					NL80211_STA_INFO_CHAIN_SIGNAL))
7909 			goto nla_put_failure;
7910 	}
7911 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7912 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7913 					link_sinfo->chain_signal_avg,
7914 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7915 			goto nla_put_failure;
7916 	}
7917 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7918 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7919 					  NL80211_STA_INFO_TX_BITRATE))
7920 			goto nla_put_failure;
7921 	}
7922 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7923 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7924 					  NL80211_STA_INFO_RX_BITRATE))
7925 			goto nla_put_failure;
7926 	}
7927 
7928 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7929 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7930 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7931 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7932 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7933 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7934 
7935 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7936 		bss_param = nla_nest_start_noflag(msg,
7937 						  NL80211_STA_INFO_BSS_PARAM);
7938 		if (!bss_param)
7939 			goto nla_put_failure;
7940 
7941 		if (((link_sinfo->bss_param.flags &
7942 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7943 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7944 		    ((link_sinfo->bss_param.flags &
7945 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7946 		     nla_put_flag(msg,
7947 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7948 		    ((link_sinfo->bss_param.flags &
7949 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7950 		     nla_put_flag(msg,
7951 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7952 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7953 			       link_sinfo->bss_param.dtim_period) ||
7954 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7955 				link_sinfo->bss_param.beacon_interval))
7956 			goto nla_put_failure;
7957 
7958 		nla_nest_end(msg, bss_param);
7959 	}
7960 
7961 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7962 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7963 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7964 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7965 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7966 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7967 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7968 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7969 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7970 	}
7971 
7972 #undef PUT_LINK_SINFO
7973 #undef PUT_LINK_SINFO_U64
7974 
7975 	if (link_sinfo->pertid) {
7976 		struct nlattr *tidsattr;
7977 		int tid;
7978 
7979 		tidsattr = nla_nest_start_noflag(msg,
7980 						 NL80211_STA_INFO_TID_STATS);
7981 		if (!tidsattr)
7982 			goto nla_put_failure;
7983 
7984 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7985 			struct cfg80211_tid_stats *tidstats;
7986 			struct nlattr *tidattr;
7987 
7988 			tidstats = &link_sinfo->pertid[tid];
7989 
7990 			if (!tidstats->filled)
7991 				continue;
7992 
7993 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7994 			if (!tidattr)
7995 				goto nla_put_failure;
7996 
7997 #define PUT_TIDVAL_U64(attr, memb) do {					\
7998 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7999 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
8000 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
8001 		goto nla_put_failure;					\
8002 	} while (0)
8003 
8004 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
8005 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
8006 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
8007 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
8008 
8009 #undef PUT_TIDVAL_U64
8010 			if ((tidstats->filled &
8011 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
8012 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
8013 						   NL80211_TID_STATS_TXQ_STATS))
8014 				goto nla_put_failure;
8015 
8016 			nla_nest_end(msg, tidattr);
8017 		}
8018 
8019 		nla_nest_end(msg, tidsattr);
8020 	}
8021 
8022 	nla_nest_end(msg, link_sinfoattr);
8023 	return 0;
8024 
8025 nla_put_failure:
8026 	return -EMSGSIZE;
8027 }
8028 
8029 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
8030 				u32 seq, int flags,
8031 				struct cfg80211_registered_device *rdev,
8032 				struct wireless_dev *wdev,
8033 				const u8 *mac_addr, struct station_info *sinfo,
8034 				bool link_stats)
8035 {
8036 	void *hdr;
8037 	struct nlattr *sinfoattr, *bss_param;
8038 	struct link_station_info *link_sinfo;
8039 	struct nlattr *links, *link;
8040 	int link_id;
8041 
8042 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
8043 	if (!hdr) {
8044 		cfg80211_sinfo_release_content(sinfo);
8045 		return -1;
8046 	}
8047 
8048 	if ((wdev->netdev &&
8049 	     nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex)) ||
8050 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8051 			      NL80211_ATTR_PAD) ||
8052 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
8053 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
8054 		goto nla_put_failure;
8055 
8056 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
8057 	if (!sinfoattr)
8058 		goto nla_put_failure;
8059 
8060 #define PUT_SINFO(attr, memb, type) do {				\
8061 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
8062 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
8063 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
8064 			     sinfo->memb))				\
8065 		goto nla_put_failure;					\
8066 	} while (0)
8067 #define PUT_SINFO_U64(attr, memb) do {					\
8068 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
8069 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
8070 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
8071 		goto nla_put_failure;					\
8072 	} while (0)
8073 
8074 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
8075 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
8076 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
8077 
8078 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
8079 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
8080 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
8081 			(u32)sinfo->rx_bytes))
8082 		goto nla_put_failure;
8083 
8084 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
8085 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
8086 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
8087 			(u32)sinfo->tx_bytes))
8088 		goto nla_put_failure;
8089 
8090 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
8091 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
8092 	PUT_SINFO_U64(RX_DURATION, rx_duration);
8093 	PUT_SINFO_U64(TX_DURATION, tx_duration);
8094 
8095 	if (wiphy_ext_feature_isset(&rdev->wiphy,
8096 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8097 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
8098 
8099 	switch (rdev->wiphy.signal_type) {
8100 	case CFG80211_SIGNAL_TYPE_MBM:
8101 		PUT_SINFO(SIGNAL, signal, u8);
8102 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
8103 		break;
8104 	default:
8105 		break;
8106 	}
8107 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
8108 		if (!nl80211_put_signal(msg, sinfo->chains,
8109 					sinfo->chain_signal,
8110 					NL80211_STA_INFO_CHAIN_SIGNAL))
8111 			goto nla_put_failure;
8112 	}
8113 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
8114 		if (!nl80211_put_signal(msg, sinfo->chains,
8115 					sinfo->chain_signal_avg,
8116 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
8117 			goto nla_put_failure;
8118 	}
8119 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
8120 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
8121 					  NL80211_STA_INFO_TX_BITRATE))
8122 			goto nla_put_failure;
8123 	}
8124 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
8125 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
8126 					  NL80211_STA_INFO_RX_BITRATE))
8127 			goto nla_put_failure;
8128 	}
8129 
8130 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
8131 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
8132 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
8133 	PUT_SINFO(TX_FAILED, tx_failed, u32);
8134 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
8135 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
8136 
8137 	PUT_SINFO(LLID, llid, u16);
8138 	PUT_SINFO(PLID, plid, u16);
8139 	PUT_SINFO(PLINK_STATE, plink_state, u8);
8140 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
8141 	PUT_SINFO(LOCAL_PM, local_pm, u32);
8142 	PUT_SINFO(PEER_PM, peer_pm, u32);
8143 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
8144 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
8145 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
8146 	PUT_SINFO_U64(T_OFFSET, t_offset);
8147 
8148 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
8149 		bss_param = nla_nest_start_noflag(msg,
8150 						  NL80211_STA_INFO_BSS_PARAM);
8151 		if (!bss_param)
8152 			goto nla_put_failure;
8153 
8154 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
8155 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
8156 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
8157 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
8158 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
8159 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
8160 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
8161 			       sinfo->bss_param.dtim_period) ||
8162 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
8163 				sinfo->bss_param.beacon_interval))
8164 			goto nla_put_failure;
8165 
8166 		nla_nest_end(msg, bss_param);
8167 	}
8168 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
8169 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
8170 		    sizeof(struct nl80211_sta_flag_update),
8171 		    &sinfo->sta_flags))
8172 		goto nla_put_failure;
8173 
8174 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
8175 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
8176 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
8177 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
8178 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
8179 	if (wiphy_ext_feature_isset(&rdev->wiphy,
8180 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
8181 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
8182 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
8183 	}
8184 
8185 #undef PUT_SINFO
8186 #undef PUT_SINFO_U64
8187 
8188 	if (sinfo->pertid) {
8189 		struct nlattr *tidsattr;
8190 		int tid;
8191 
8192 		tidsattr = nla_nest_start_noflag(msg,
8193 						 NL80211_STA_INFO_TID_STATS);
8194 		if (!tidsattr)
8195 			goto nla_put_failure;
8196 
8197 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
8198 			struct cfg80211_tid_stats *tidstats;
8199 			struct nlattr *tidattr;
8200 
8201 			tidstats = &sinfo->pertid[tid];
8202 
8203 			if (!tidstats->filled)
8204 				continue;
8205 
8206 			tidattr = nla_nest_start_noflag(msg, tid + 1);
8207 			if (!tidattr)
8208 				goto nla_put_failure;
8209 
8210 #define PUT_TIDVAL_U64(attr, memb) do {					\
8211 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
8212 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
8213 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
8214 		goto nla_put_failure;					\
8215 	} while (0)
8216 
8217 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
8218 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
8219 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
8220 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
8221 
8222 #undef PUT_TIDVAL_U64
8223 			if ((tidstats->filled &
8224 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
8225 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
8226 						   NL80211_TID_STATS_TXQ_STATS))
8227 				goto nla_put_failure;
8228 
8229 			nla_nest_end(msg, tidattr);
8230 		}
8231 
8232 		nla_nest_end(msg, tidsattr);
8233 	}
8234 
8235 	nla_nest_end(msg, sinfoattr);
8236 
8237 	if (sinfo->assoc_req_ies_len &&
8238 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
8239 		    sinfo->assoc_req_ies))
8240 		goto nla_put_failure;
8241 
8242 	if (sinfo->assoc_resp_ies_len &&
8243 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
8244 		    sinfo->assoc_resp_ies))
8245 		goto nla_put_failure;
8246 
8247 	if (sinfo->mlo_params_valid) {
8248 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
8249 			       sinfo->assoc_link_id))
8250 			goto nla_put_failure;
8251 
8252 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
8253 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
8254 			    sinfo->mld_addr))
8255 			goto nla_put_failure;
8256 	}
8257 
8258 	if (link_stats && sinfo->valid_links) {
8259 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
8260 		if (!links)
8261 			goto nla_put_failure;
8262 
8263 		for_each_valid_link(sinfo, link_id) {
8264 			link_sinfo = sinfo->links[link_id];
8265 
8266 			if (WARN_ON_ONCE(!link_sinfo))
8267 				continue;
8268 
8269 			if (!is_valid_ether_addr(link_sinfo->addr))
8270 				continue;
8271 
8272 			link = nla_nest_start(msg, link_id + 1);
8273 			if (!link)
8274 				goto nla_put_failure;
8275 
8276 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
8277 				       link_id))
8278 				goto nla_put_failure;
8279 
8280 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
8281 				    link_sinfo->addr))
8282 				goto nla_put_failure;
8283 
8284 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
8285 				goto nla_put_failure;
8286 
8287 			nla_nest_end(msg, link);
8288 		}
8289 		nla_nest_end(msg, links);
8290 	}
8291 
8292 	cfg80211_sinfo_release_content(sinfo);
8293 	genlmsg_end(msg, hdr);
8294 	return 0;
8295 
8296  nla_put_failure:
8297 	cfg80211_sinfo_release_content(sinfo);
8298 	genlmsg_cancel(msg, hdr);
8299 	return -EMSGSIZE;
8300 }
8301 
8302 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
8303 {
8304 	struct link_station_info *link_sinfo;
8305 	int link_id, init = 0;
8306 	u32 link_inactive_time;
8307 
8308 	sinfo->signal = -99;
8309 
8310 	for_each_valid_link(sinfo, link_id) {
8311 		link_sinfo = sinfo->links[link_id];
8312 		if (!link_sinfo)
8313 			continue;
8314 
8315 		if ((link_sinfo->filled &
8316 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
8317 			sinfo->tx_packets += link_sinfo->tx_packets;
8318 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
8319 		}
8320 
8321 		if ((link_sinfo->filled &
8322 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
8323 			sinfo->rx_packets += link_sinfo->rx_packets;
8324 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
8325 		}
8326 
8327 		if (link_sinfo->filled &
8328 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
8329 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8330 			sinfo->tx_bytes += link_sinfo->tx_bytes;
8331 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
8332 		}
8333 
8334 		if (link_sinfo->filled &
8335 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
8336 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
8337 			sinfo->rx_bytes += link_sinfo->rx_bytes;
8338 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
8339 		}
8340 
8341 		if (link_sinfo->filled &
8342 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
8343 			sinfo->tx_retries += link_sinfo->tx_retries;
8344 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
8345 		}
8346 
8347 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
8348 			sinfo->tx_failed += link_sinfo->tx_failed;
8349 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
8350 		}
8351 
8352 		if (link_sinfo->filled &
8353 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
8354 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
8355 			sinfo->filled |=
8356 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
8357 		}
8358 
8359 		if (link_sinfo->filled &
8360 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
8361 			sinfo->beacon_loss_count +=
8362 				link_sinfo->beacon_loss_count;
8363 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
8364 		}
8365 
8366 		if (link_sinfo->filled &
8367 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
8368 			sinfo->expected_throughput +=
8369 				link_sinfo->expected_throughput;
8370 			sinfo->filled |=
8371 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
8372 		}
8373 
8374 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
8375 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
8376 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
8377 		}
8378 
8379 		if (link_sinfo->filled &
8380 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
8381 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
8382 			sinfo->filled |=
8383 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
8384 		}
8385 
8386 		if (link_sinfo->filled &
8387 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
8388 			sinfo->rx_beacon += link_sinfo->rx_beacon;
8389 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
8390 		}
8391 
8392 		/* Update MLO signal, signal_avg as best among links */
8393 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
8394 		    link_sinfo->signal > sinfo->signal) {
8395 			sinfo->signal = link_sinfo->signal;
8396 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
8397 		}
8398 
8399 		if ((link_sinfo->filled &
8400 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
8401 		    link_sinfo->signal_avg > sinfo->signal_avg) {
8402 			sinfo->signal_avg = link_sinfo->signal_avg;
8403 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
8404 		}
8405 
8406 		/* Update MLO inactive_time, bss_param based on least
8407 		 * value for corresponding field of link.
8408 		 */
8409 		if ((link_sinfo->filled &
8410 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
8411 		    (!init ||
8412 		     link_inactive_time > link_sinfo->inactive_time)) {
8413 			link_inactive_time = link_sinfo->inactive_time;
8414 			sinfo->inactive_time = link_sinfo->inactive_time;
8415 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
8416 		}
8417 
8418 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
8419 		    (!init ||
8420 		     sinfo->bss_param.dtim_period >
8421 		      link_sinfo->bss_param.dtim_period)) {
8422 			sinfo->bss_param.dtim_period =
8423 				link_sinfo->bss_param.dtim_period;
8424 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
8425 			sinfo->bss_param.beacon_interval =
8426 				link_sinfo->bss_param.beacon_interval;
8427 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
8428 		}
8429 
8430 		/* Update MLO rates as per last updated link rate */
8431 		if ((link_sinfo->filled &
8432 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
8433 		    (!init ||
8434 		     link_inactive_time > link_sinfo->inactive_time)) {
8435 			sinfo->txrate = link_sinfo->txrate;
8436 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
8437 		}
8438 		if ((link_sinfo->filled &
8439 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
8440 		    (!init ||
8441 		     link_inactive_time > link_sinfo->inactive_time)) {
8442 			sinfo->rxrate = link_sinfo->rxrate;
8443 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
8444 		}
8445 
8446 		if (link_sinfo->filled &
8447 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
8448 		    (!init ||
8449 		     link_inactive_time > link_sinfo->inactive_time)) {
8450 			sinfo->tx_duration += link_sinfo->tx_duration;
8451 			sinfo->filled |=
8452 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
8453 		}
8454 		if (link_sinfo->filled &
8455 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
8456 		    (!init ||
8457 		     link_inactive_time > link_sinfo->inactive_time)) {
8458 			sinfo->rx_duration += link_sinfo->rx_duration;
8459 			sinfo->filled |=
8460 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
8461 		}
8462 		init++;
8463 
8464 		/* pertid stats accumulate for rx/tx fields */
8465 		if (sinfo->pertid) {
8466 			sinfo->pertid->rx_msdu +=
8467 				link_sinfo->pertid->rx_msdu;
8468 			sinfo->pertid->tx_msdu +=
8469 				link_sinfo->pertid->tx_msdu;
8470 			sinfo->pertid->tx_msdu_retries +=
8471 				link_sinfo->pertid->tx_msdu_retries;
8472 			sinfo->pertid->tx_msdu_failed +=
8473 				link_sinfo->pertid->tx_msdu_failed;
8474 
8475 			sinfo->pertid->filled |=
8476 				BIT(NL80211_TID_STATS_RX_MSDU) |
8477 				BIT(NL80211_TID_STATS_TX_MSDU) |
8478 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
8479 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
8480 		}
8481 	}
8482 
8483 	/* Reset sinfo->filled bits to exclude fields which don't make
8484 	 * much sense at the MLO level.
8485 	 */
8486 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
8487 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
8488 }
8489 
8490 static int nl80211_dump_station(struct sk_buff *skb,
8491 				struct netlink_callback *cb)
8492 {
8493 	struct station_info sinfo;
8494 	struct cfg80211_registered_device *rdev;
8495 	struct wireless_dev *wdev;
8496 	u8 mac_addr[ETH_ALEN];
8497 	int sta_idx = cb->args[2];
8498 	bool sinfo_alloc = false;
8499 	int err, i;
8500 
8501 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8502 	if (err)
8503 		return err;
8504 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8505 	__acquire(&rdev->wiphy.mtx);
8506 
8507 	if (!wdev->netdev && wdev->iftype != NL80211_IFTYPE_NAN) {
8508 		err = -EINVAL;
8509 		goto out_err;
8510 	}
8511 
8512 	if (!rdev->ops->dump_station) {
8513 		err = -EOPNOTSUPP;
8514 		goto out_err;
8515 	}
8516 
8517 	while (1) {
8518 		memset(&sinfo, 0, sizeof(sinfo));
8519 
8520 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8521 			sinfo.links[i] =
8522 				kzalloc_obj(*sinfo.links[0]);
8523 			if (!sinfo.links[i]) {
8524 				err = -ENOMEM;
8525 				goto out_err;
8526 			}
8527 			sinfo_alloc = true;
8528 		}
8529 
8530 		err = rdev_dump_station(rdev, wdev, sta_idx,
8531 					mac_addr, &sinfo);
8532 		if (err == -ENOENT)
8533 			break;
8534 		if (err)
8535 			goto out_err;
8536 
8537 		if (sinfo.valid_links)
8538 			cfg80211_sta_set_mld_sinfo(&sinfo);
8539 
8540 		/* reset the sinfo_alloc flag as nl80211_send_station()
8541 		 * always releases sinfo
8542 		 */
8543 		sinfo_alloc = false;
8544 
8545 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8546 				NETLINK_CB(cb->skb).portid,
8547 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8548 				rdev, wdev, mac_addr,
8549 				&sinfo, false) < 0)
8550 			goto out;
8551 
8552 		sta_idx++;
8553 	}
8554 
8555  out:
8556 	cb->args[2] = sta_idx;
8557 	err = skb->len;
8558  out_err:
8559 	if (sinfo_alloc)
8560 		cfg80211_sinfo_release_content(&sinfo);
8561 	wiphy_unlock(&rdev->wiphy);
8562 
8563 	return err;
8564 }
8565 
8566 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8567 {
8568 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8569 	struct wireless_dev *wdev = info->user_ptr[1];
8570 	struct station_info sinfo;
8571 	struct sk_buff *msg;
8572 	u8 *mac_addr = NULL;
8573 	int err, i;
8574 
8575 	memset(&sinfo, 0, sizeof(sinfo));
8576 
8577 	if (!wdev->netdev)
8578 		return -EINVAL;
8579 
8580 	if (!info->attrs[NL80211_ATTR_MAC])
8581 		return -EINVAL;
8582 
8583 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8584 
8585 	if (!rdev->ops->get_station)
8586 		return -EOPNOTSUPP;
8587 
8588 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8589 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8590 		if (!sinfo.links[i]) {
8591 			cfg80211_sinfo_release_content(&sinfo);
8592 			return -ENOMEM;
8593 		}
8594 	}
8595 
8596 	err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
8597 	if (err) {
8598 		cfg80211_sinfo_release_content(&sinfo);
8599 		return err;
8600 	}
8601 
8602 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8603 	if (!msg) {
8604 		cfg80211_sinfo_release_content(&sinfo);
8605 		return -ENOMEM;
8606 	}
8607 
8608 	if (sinfo.valid_links)
8609 		cfg80211_sta_set_mld_sinfo(&sinfo);
8610 
8611 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8612 				 info->snd_portid, info->snd_seq, 0,
8613 				 rdev, wdev, mac_addr, &sinfo, false) < 0) {
8614 		nlmsg_free(msg);
8615 		return -ENOBUFS;
8616 	}
8617 
8618 	return genlmsg_reply(msg, info);
8619 }
8620 
8621 int cfg80211_check_station_change(struct wiphy *wiphy,
8622 				  struct station_parameters *params,
8623 				  enum cfg80211_station_type statype)
8624 {
8625 	if (params->listen_interval != -1 &&
8626 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8627 		return -EINVAL;
8628 
8629 	if (params->support_p2p_ps != -1 &&
8630 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8631 		return -EINVAL;
8632 
8633 	if (params->aid &&
8634 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8635 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8636 		return -EINVAL;
8637 
8638 	/* When you run into this, adjust the code below for the new flag */
8639 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8640 
8641 	switch (statype) {
8642 	case CFG80211_STA_MESH_PEER_KERNEL:
8643 	case CFG80211_STA_MESH_PEER_USER:
8644 		/*
8645 		 * No ignoring the TDLS flag here -- the userspace mesh
8646 		 * code doesn't have the bug of including TDLS in the
8647 		 * mask everywhere.
8648 		 */
8649 		if (params->sta_flags_mask &
8650 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8651 				  BIT(NL80211_STA_FLAG_MFP) |
8652 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8653 			return -EINVAL;
8654 		break;
8655 	case CFG80211_STA_TDLS_PEER_SETUP:
8656 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8657 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8658 			return -EINVAL;
8659 		/* ignore since it can't change */
8660 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8661 		break;
8662 	default:
8663 		/* disallow mesh-specific things */
8664 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8665 			return -EINVAL;
8666 		if (params->local_pm)
8667 			return -EINVAL;
8668 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8669 			return -EINVAL;
8670 	}
8671 
8672 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8673 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8674 		/* TDLS can't be set, ... */
8675 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8676 			return -EINVAL;
8677 		/*
8678 		 * ... but don't bother the driver with it. This works around
8679 		 * a hostapd/wpa_supplicant issue -- it always includes the
8680 		 * TLDS_PEER flag in the mask even for AP mode.
8681 		 */
8682 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8683 	}
8684 
8685 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8686 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8687 		/* reject other things that can't change */
8688 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8689 			return -EINVAL;
8690 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8691 			return -EINVAL;
8692 		if (params->link_sta_params.supported_rates)
8693 			return -EINVAL;
8694 		if (statype != CFG80211_STA_NAN_MGMT &&
8695 		    (params->link_sta_params.ht_capa ||
8696 		     params->link_sta_params.vht_capa ||
8697 		     params->link_sta_params.he_capa))
8698 			return -EINVAL;
8699 		if (params->ext_capab || params->link_sta_params.eht_capa ||
8700 		    params->link_sta_params.uhr_capa)
8701 			return -EINVAL;
8702 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8703 			return -EINVAL;
8704 	}
8705 
8706 	if (statype != CFG80211_STA_AP_CLIENT &&
8707 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8708 		if (params->vlan)
8709 			return -EINVAL;
8710 	}
8711 
8712 	/* Accept EMLSR capabilities only for AP client before association */
8713 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8714 	    params->eml_cap_present)
8715 		return -EINVAL;
8716 
8717 	switch (statype) {
8718 	case CFG80211_STA_AP_MLME_CLIENT:
8719 		/* Use this only for authorizing/unauthorizing a station */
8720 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8721 			return -EOPNOTSUPP;
8722 		break;
8723 	case CFG80211_STA_AP_CLIENT:
8724 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8725 		/* accept only the listed bits */
8726 		if (params->sta_flags_mask &
8727 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8728 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8729 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8730 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8731 				  BIT(NL80211_STA_FLAG_WME) |
8732 				  BIT(NL80211_STA_FLAG_MFP) |
8733 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8734 			return -EINVAL;
8735 
8736 		/* but authenticated/associated only if driver handles it */
8737 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8738 		    params->sta_flags_mask &
8739 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8740 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8741 			return -EINVAL;
8742 		break;
8743 	case CFG80211_STA_IBSS:
8744 	case CFG80211_STA_AP_STA:
8745 		/* reject any changes other than AUTHORIZED */
8746 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8747 			return -EINVAL;
8748 		break;
8749 	case CFG80211_STA_TDLS_PEER_SETUP:
8750 		/* reject any changes other than AUTHORIZED or WME */
8751 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8752 					       BIT(NL80211_STA_FLAG_WME)))
8753 			return -EINVAL;
8754 		/* force (at least) rates when authorizing */
8755 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8756 		    !params->link_sta_params.supported_rates)
8757 			return -EINVAL;
8758 		break;
8759 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8760 		/* reject any changes */
8761 		return -EINVAL;
8762 	case CFG80211_STA_MESH_PEER_KERNEL:
8763 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8764 			return -EINVAL;
8765 		break;
8766 	case CFG80211_STA_MESH_PEER_USER:
8767 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8768 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8769 			return -EINVAL;
8770 		break;
8771 	case CFG80211_STA_NAN_MGMT:
8772 		if (params->sta_flags_mask &
8773 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8774 		      BIT(NL80211_STA_FLAG_MFP)))
8775 			return -EINVAL;
8776 		break;
8777 	case CFG80211_STA_NAN_DATA:
8778 		if (params->sta_flags_mask &
8779 		    ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8780 		      BIT(NL80211_STA_FLAG_MFP) |
8781 		      BIT(NL80211_STA_FLAG_WME)))
8782 			return -EINVAL;
8783 		break;
8784 	}
8785 
8786 	/*
8787 	 * Older kernel versions ignored this attribute entirely, so don't
8788 	 * reject attempts to update it but mark it as unused instead so the
8789 	 * driver won't look at the data.
8790 	 */
8791 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8792 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8793 		params->link_sta_params.opmode_notif_used = false;
8794 
8795 	return 0;
8796 }
8797 EXPORT_SYMBOL(cfg80211_check_station_change);
8798 
8799 /*
8800  * Get vlan interface making sure it is running and on the right wiphy.
8801  */
8802 static struct net_device *get_vlan(struct genl_info *info,
8803 				   struct cfg80211_registered_device *rdev)
8804 {
8805 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8806 	struct net_device *v;
8807 	int ret;
8808 
8809 	if (!vlanattr)
8810 		return NULL;
8811 
8812 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8813 	if (!v)
8814 		return ERR_PTR(-ENODEV);
8815 
8816 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8817 		ret = -EINVAL;
8818 		goto error;
8819 	}
8820 
8821 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8822 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8823 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8824 		ret = -EINVAL;
8825 		goto error;
8826 	}
8827 
8828 	if (!netif_running(v)) {
8829 		ret = -ENETDOWN;
8830 		goto error;
8831 	}
8832 
8833 	return v;
8834  error:
8835 	dev_put(v);
8836 	return ERR_PTR(ret);
8837 }
8838 
8839 static int nl80211_parse_sta_wme(struct genl_info *info,
8840 				 struct station_parameters *params)
8841 {
8842 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8843 	struct nlattr *nla;
8844 	int err;
8845 
8846 	/* parse WME attributes if present */
8847 	if (!info->attrs[NL80211_ATTR_STA_WME])
8848 		return 0;
8849 
8850 	nla = info->attrs[NL80211_ATTR_STA_WME];
8851 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8852 					  nl80211_sta_wme_policy,
8853 					  info->extack);
8854 	if (err)
8855 		return err;
8856 
8857 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8858 		params->uapsd_queues = nla_get_u8(
8859 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8860 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8861 		return -EINVAL;
8862 
8863 	if (tb[NL80211_STA_WME_MAX_SP])
8864 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8865 
8866 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8867 		return -EINVAL;
8868 
8869 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8870 
8871 	return 0;
8872 }
8873 
8874 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8875 				      struct station_parameters *params)
8876 {
8877 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8878 		params->supported_channels =
8879 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8880 		params->supported_channels_len =
8881 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8882 		/*
8883 		 * Need to include at least one (first channel, number of
8884 		 * channels) tuple for each subband (checked in policy),
8885 		 * and must have proper tuples for the rest of the data as well.
8886 		 */
8887 		if (params->supported_channels_len % 2)
8888 			return -EINVAL;
8889 	}
8890 
8891 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8892 		params->supported_oper_classes =
8893 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8894 		params->supported_oper_classes_len =
8895 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8896 	}
8897 	return 0;
8898 }
8899 
8900 static int nl80211_set_station_tdls(struct genl_info *info,
8901 				    struct station_parameters *params)
8902 {
8903 	int err;
8904 	/* Dummy STA entry gets updated once the peer capabilities are known */
8905 	if (info->attrs[NL80211_ATTR_PEER_AID])
8906 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8907 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8908 		params->link_sta_params.ht_capa =
8909 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8910 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8911 		params->link_sta_params.vht_capa =
8912 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8913 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8914 		params->link_sta_params.he_capa =
8915 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8916 		params->link_sta_params.he_capa_len =
8917 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8918 
8919 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8920 			params->link_sta_params.eht_capa =
8921 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8922 			params->link_sta_params.eht_capa_len =
8923 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8924 
8925 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8926 							(const u8 *)params->link_sta_params.eht_capa,
8927 							params->link_sta_params.eht_capa_len,
8928 							false))
8929 				return -EINVAL;
8930 		}
8931 	}
8932 
8933 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8934 		if (!params->link_sta_params.eht_capa)
8935 			return -EINVAL;
8936 
8937 		params->link_sta_params.uhr_capa =
8938 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8939 		params->link_sta_params.uhr_capa_len =
8940 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8941 	}
8942 
8943 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8944 		params->link_sta_params.s1g_capa =
8945 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8946 
8947 	err = nl80211_parse_sta_channel_info(info, params);
8948 	if (err)
8949 		return err;
8950 
8951 	return nl80211_parse_sta_wme(info, params);
8952 }
8953 
8954 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8955 					     struct sta_txpwr *txpwr,
8956 					     bool *txpwr_set)
8957 {
8958 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8959 	int idx;
8960 
8961 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8962 		if (!rdev->ops->set_tx_power ||
8963 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8964 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8965 			return -EOPNOTSUPP;
8966 
8967 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8968 		txpwr->type = nla_get_u8(info->attrs[idx]);
8969 
8970 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8971 			idx = NL80211_ATTR_STA_TX_POWER;
8972 
8973 			if (info->attrs[idx])
8974 				txpwr->power = nla_get_s16(info->attrs[idx]);
8975 			else
8976 				return -EINVAL;
8977 		}
8978 
8979 		*txpwr_set = true;
8980 	} else {
8981 		*txpwr_set = false;
8982 	}
8983 
8984 	return 0;
8985 }
8986 
8987 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8988 {
8989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8990 	struct wireless_dev *wdev = info->user_ptr[1];
8991 	struct net_device *dev = wdev->netdev;
8992 	struct station_parameters params;
8993 	u8 *mac_addr;
8994 	int err;
8995 
8996 	memset(&params, 0, sizeof(params));
8997 
8998 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN &&
8999 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
9000 		return -EINVAL;
9001 
9002 	if (!rdev->ops->change_station)
9003 		return -EOPNOTSUPP;
9004 
9005 	/*
9006 	 * AID and listen_interval properties can be set only for unassociated
9007 	 * station. Include these parameters here and will check them in
9008 	 * cfg80211_check_station_change().
9009 	 */
9010 	if (info->attrs[NL80211_ATTR_STA_AID])
9011 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
9012 
9013 	if (info->attrs[NL80211_ATTR_VLAN_ID])
9014 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
9015 
9016 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
9017 		params.listen_interval =
9018 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
9019 	else
9020 		params.listen_interval = -1;
9021 
9022 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
9023 		params.support_p2p_ps =
9024 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
9025 	else
9026 		params.support_p2p_ps = -1;
9027 
9028 	if (!info->attrs[NL80211_ATTR_MAC])
9029 		return -EINVAL;
9030 
9031 	params.link_sta_params.link_id =
9032 		nl80211_link_id_or_invalid(info->attrs);
9033 
9034 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
9035 		/* If MLD_ADDR attribute is set then this is an MLD station
9036 		 * and the MLD_ADDR attribute holds the MLD address and the
9037 		 * MAC attribute holds for the LINK address.
9038 		 * In that case, the link_id is also expected to be valid.
9039 		 */
9040 		if (params.link_sta_params.link_id < 0)
9041 			return -EINVAL;
9042 
9043 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
9044 		params.link_sta_params.mld_mac = mac_addr;
9045 		params.link_sta_params.link_mac =
9046 			nla_data(info->attrs[NL80211_ATTR_MAC]);
9047 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
9048 			return -EINVAL;
9049 	} else {
9050 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9051 	}
9052 
9053 
9054 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
9055 		params.link_sta_params.supported_rates =
9056 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
9057 		params.link_sta_params.supported_rates_len =
9058 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
9059 	}
9060 
9061 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
9062 		params.capability =
9063 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
9064 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
9065 	}
9066 
9067 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
9068 		params.ext_capab =
9069 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
9070 		params.ext_capab_len =
9071 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
9072 	}
9073 
9074 	if (parse_station_flags(info, wdev->iftype, &params))
9075 		return -EINVAL;
9076 
9077 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
9078 		params.plink_action =
9079 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
9080 
9081 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
9082 		params.plink_state =
9083 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
9084 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
9085 			params.peer_aid = nla_get_u16(
9086 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
9087 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
9088 	}
9089 
9090 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
9091 		params.local_pm = nla_get_u32(
9092 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
9093 
9094 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
9095 		params.link_sta_params.opmode_notif_used = true;
9096 		params.link_sta_params.opmode_notif =
9097 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
9098 	}
9099 
9100 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
9101 		params.link_sta_params.he_6ghz_capa =
9102 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
9103 
9104 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
9105 		params.eml_cap_present = true;
9106 		params.eml_cap =
9107 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
9108 	}
9109 
9110 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
9111 		params.airtime_weight =
9112 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
9113 
9114 	if (params.airtime_weight &&
9115 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9116 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
9117 		return -EOPNOTSUPP;
9118 
9119 	err = nl80211_parse_sta_txpower_setting(info,
9120 						&params.link_sta_params.txpwr,
9121 						&params.link_sta_params.txpwr_set);
9122 	if (err)
9123 		return err;
9124 
9125 	/* Include parameters for TDLS peer (will check later) */
9126 	err = nl80211_set_station_tdls(info, &params);
9127 	if (err)
9128 		return err;
9129 
9130 	params.vlan = get_vlan(info, rdev);
9131 	if (IS_ERR(params.vlan))
9132 		return PTR_ERR(params.vlan);
9133 
9134 	switch (wdev->iftype) {
9135 	case NL80211_IFTYPE_AP:
9136 	case NL80211_IFTYPE_AP_VLAN:
9137 	case NL80211_IFTYPE_P2P_GO:
9138 	case NL80211_IFTYPE_P2P_CLIENT:
9139 	case NL80211_IFTYPE_STATION:
9140 	case NL80211_IFTYPE_ADHOC:
9141 	case NL80211_IFTYPE_MESH_POINT:
9142 	case NL80211_IFTYPE_NAN:
9143 	case NL80211_IFTYPE_NAN_DATA:
9144 		break;
9145 	default:
9146 		err = -EOPNOTSUPP;
9147 		goto out_put_vlan;
9148 	}
9149 
9150 	/* driver will call cfg80211_check_station_change() */
9151 	err = rdev_change_station(rdev, wdev, mac_addr, &params);
9152 
9153  out_put_vlan:
9154 	dev_put(params.vlan);
9155 
9156 	return err;
9157 }
9158 
9159 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
9160 {
9161 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9162 	int err;
9163 	struct wireless_dev *wdev = info->user_ptr[1];
9164 	struct net_device *dev = wdev->netdev;
9165 	struct station_parameters params;
9166 	u8 *mac_addr = NULL;
9167 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
9168 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
9169 
9170 	memset(&params, 0, sizeof(params));
9171 
9172 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
9173 		return -EINVAL;
9174 
9175 	if (!rdev->ops->add_station)
9176 		return -EOPNOTSUPP;
9177 
9178 	if (!info->attrs[NL80211_ATTR_MAC])
9179 		return -EINVAL;
9180 
9181 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
9182 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
9183 		if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
9184 			return -EINVAL;
9185 		if (wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
9186 			if (!info->attrs[NL80211_ATTR_NAN_NMI_MAC])
9187 				return -EINVAL;
9188 
9189 			/* Only NMI stations receive the HT/VHT/HE capabilities */
9190 			if (info->attrs[NL80211_ATTR_HT_CAPABILITY] ||
9191 			    info->attrs[NL80211_ATTR_VHT_CAPABILITY] ||
9192 			    info->attrs[NL80211_ATTR_HE_CAPABILITY])
9193 				return -EINVAL;
9194 		}
9195 	} else {
9196 		if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
9197 			return -EINVAL;
9198 
9199 		if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
9200 			return -EINVAL;
9201 
9202 		if (!info->attrs[NL80211_ATTR_STA_AID] &&
9203 		    !info->attrs[NL80211_ATTR_PEER_AID])
9204 			return -EINVAL;
9205 	}
9206 
9207 	params.link_sta_params.link_id =
9208 		nl80211_link_id_or_invalid(info->attrs);
9209 
9210 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
9211 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
9212 		params.link_sta_params.mld_mac = mac_addr;
9213 		params.link_sta_params.link_mac =
9214 			nla_data(info->attrs[NL80211_ATTR_MAC]);
9215 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
9216 			return -EINVAL;
9217 	} else {
9218 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
9219 	}
9220 
9221 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
9222 		params.link_sta_params.supported_rates =
9223 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
9224 		params.link_sta_params.supported_rates_len =
9225 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
9226 	}
9227 
9228 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
9229 		params.listen_interval =
9230 			nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
9231 
9232 	if (info->attrs[NL80211_ATTR_VLAN_ID])
9233 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
9234 
9235 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
9236 		params.support_p2p_ps =
9237 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
9238 	} else {
9239 		/*
9240 		 * if not specified, assume it's supported for P2P GO interface,
9241 		 * and is NOT supported for AP interface
9242 		 */
9243 		params.support_p2p_ps =
9244 			wdev->iftype == NL80211_IFTYPE_P2P_GO;
9245 	}
9246 
9247 	if (info->attrs[NL80211_ATTR_PEER_AID])
9248 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
9249 	else if (info->attrs[NL80211_ATTR_STA_AID])
9250 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
9251 
9252 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
9253 		params.capability =
9254 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
9255 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
9256 	}
9257 
9258 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
9259 		params.ext_capab =
9260 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
9261 		params.ext_capab_len =
9262 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
9263 	}
9264 
9265 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
9266 		params.link_sta_params.ht_capa =
9267 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
9268 
9269 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
9270 		params.link_sta_params.vht_capa =
9271 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
9272 
9273 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
9274 		params.link_sta_params.he_capa =
9275 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
9276 		params.link_sta_params.he_capa_len =
9277 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
9278 
9279 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
9280 			params.link_sta_params.eht_capa =
9281 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
9282 			params.link_sta_params.eht_capa_len =
9283 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
9284 
9285 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
9286 							(const u8 *)params.link_sta_params.eht_capa,
9287 							params.link_sta_params.eht_capa_len,
9288 							false))
9289 				return -EINVAL;
9290 		}
9291 	}
9292 
9293 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
9294 		if (!params.link_sta_params.eht_capa)
9295 			return -EINVAL;
9296 
9297 		params.link_sta_params.uhr_capa =
9298 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9299 		params.link_sta_params.uhr_capa_len =
9300 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
9301 	}
9302 
9303 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
9304 		params.eml_cap_present = true;
9305 		params.eml_cap =
9306 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
9307 	}
9308 
9309 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
9310 		params.link_sta_params.he_6ghz_capa =
9311 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
9312 
9313 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
9314 		params.link_sta_params.s1g_capa =
9315 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
9316 
9317 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
9318 		params.link_sta_params.opmode_notif_used = true;
9319 		params.link_sta_params.opmode_notif =
9320 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
9321 	}
9322 
9323 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
9324 		params.plink_action =
9325 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
9326 
9327 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
9328 		params.airtime_weight =
9329 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
9330 
9331 	if (params.airtime_weight &&
9332 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9333 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
9334 		return -EOPNOTSUPP;
9335 
9336 	err = nl80211_parse_sta_txpower_setting(info,
9337 						&params.link_sta_params.txpwr,
9338 						&params.link_sta_params.txpwr_set);
9339 	if (err)
9340 		return err;
9341 
9342 	err = nl80211_parse_sta_channel_info(info, &params);
9343 	if (err)
9344 		return err;
9345 
9346 	err = nl80211_parse_sta_wme(info, &params);
9347 	if (err)
9348 		return err;
9349 
9350 	if (parse_station_flags(info, wdev->iftype, &params))
9351 		return -EINVAL;
9352 
9353 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
9354 	 * as userspace might just pass through the capabilities from the IEs
9355 	 * directly, rather than enforcing this restriction and returning an
9356 	 * error in this case.
9357 	 */
9358 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
9359 		params.link_sta_params.ht_capa = NULL;
9360 		params.link_sta_params.vht_capa = NULL;
9361 
9362 		/* HE, EHT and UHR require WME */
9363 		if (params.link_sta_params.he_capa_len ||
9364 		    params.link_sta_params.he_6ghz_capa ||
9365 		    params.link_sta_params.eht_capa_len ||
9366 		    params.link_sta_params.uhr_capa_len)
9367 			return -EINVAL;
9368 	}
9369 
9370 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
9371 	    wdev->iftype == NL80211_IFTYPE_NAN_DATA) {
9372 		if (params.sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
9373 			return -EINVAL;
9374 		/* NAN NMI station must be added in associated or authorized state */
9375 		if (!(params.sta_flags_set & (BIT(NL80211_STA_FLAG_ASSOCIATED) |
9376 					      BIT(NL80211_STA_FLAG_AUTHENTICATED))))
9377 			return -EINVAL;
9378 	}
9379 
9380 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
9381 	if (params.link_sta_params.he_6ghz_capa &&
9382 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
9383 		return -EINVAL;
9384 
9385 	/* When you run into this, adjust the code below for the new flag */
9386 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
9387 
9388 	switch (wdev->iftype) {
9389 	case NL80211_IFTYPE_AP:
9390 	case NL80211_IFTYPE_AP_VLAN:
9391 	case NL80211_IFTYPE_P2P_GO:
9392 		/* ignore WME attributes if iface/sta is not capable */
9393 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
9394 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
9395 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9396 
9397 		/* TDLS peers cannot be added */
9398 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9399 		    info->attrs[NL80211_ATTR_PEER_AID])
9400 			return -EINVAL;
9401 		/* but don't bother the driver with it */
9402 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
9403 
9404 		/* allow authenticated/associated only if driver handles it */
9405 		if (!(rdev->wiphy.features &
9406 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
9407 		    params.sta_flags_mask & auth_assoc)
9408 			return -EINVAL;
9409 
9410 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9411 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
9412 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
9413 			return -EINVAL;
9414 
9415 		/* Older userspace, or userspace wanting to be compatible with
9416 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
9417 		 * and assoc flags in the mask, but assumes the station will be
9418 		 * added as associated anyway since this was the required driver
9419 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
9420 		 * introduced.
9421 		 * In order to not bother drivers with this quirk in the API
9422 		 * set the flags in both the mask and set for new stations in
9423 		 * this case.
9424 		 */
9425 		if (!(params.sta_flags_mask & auth_assoc)) {
9426 			params.sta_flags_mask |= auth_assoc;
9427 			params.sta_flags_set |= auth_assoc;
9428 		}
9429 
9430 		/* must be last in here for error handling */
9431 		params.vlan = get_vlan(info, rdev);
9432 		if (IS_ERR(params.vlan))
9433 			return PTR_ERR(params.vlan);
9434 		break;
9435 	case NL80211_IFTYPE_MESH_POINT:
9436 		/* ignore uAPSD data */
9437 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9438 
9439 		/* associated is disallowed */
9440 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
9441 			return -EINVAL;
9442 		/* TDLS peers cannot be added */
9443 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
9444 		    info->attrs[NL80211_ATTR_PEER_AID])
9445 			return -EINVAL;
9446 		break;
9447 	case NL80211_IFTYPE_STATION:
9448 	case NL80211_IFTYPE_P2P_CLIENT:
9449 		/* ignore uAPSD data */
9450 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
9451 
9452 		/* these are disallowed */
9453 		if (params.sta_flags_mask &
9454 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
9455 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
9456 			return -EINVAL;
9457 		/* Only TDLS peers can be added */
9458 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
9459 			return -EINVAL;
9460 		/* Can only add if TDLS ... */
9461 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
9462 			return -EOPNOTSUPP;
9463 		/* ... with external setup is supported */
9464 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
9465 			return -EOPNOTSUPP;
9466 		/*
9467 		 * Older wpa_supplicant versions always mark the TDLS peer
9468 		 * as authorized, but it shouldn't yet be.
9469 		 */
9470 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
9471 		break;
9472 	case NL80211_IFTYPE_NAN:
9473 		break;
9474 	case NL80211_IFTYPE_NAN_DATA:
9475 		params.nmi_mac = nla_data(info->attrs[NL80211_ATTR_NAN_NMI_MAC]);
9476 		break;
9477 	default:
9478 		return -EOPNOTSUPP;
9479 	}
9480 
9481 	/* be aware of params.vlan when changing code here */
9482 
9483 	if (wdev->valid_links) {
9484 		if (params.link_sta_params.link_id < 0) {
9485 			err = -EINVAL;
9486 			goto out;
9487 		}
9488 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
9489 			err = -ENOLINK;
9490 			goto out;
9491 		}
9492 	} else {
9493 		if (params.link_sta_params.link_id >= 0) {
9494 			err = -EINVAL;
9495 			goto out;
9496 		}
9497 	}
9498 
9499 	params.epp_peer =
9500 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
9501 
9502 	err = rdev_add_station(rdev, wdev, mac_addr, &params);
9503 out:
9504 	dev_put(params.vlan);
9505 	return err;
9506 }
9507 
9508 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
9509 {
9510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9511 	struct wireless_dev *wdev = info->user_ptr[1];
9512 	struct net_device *dev = wdev->netdev;
9513 	struct station_del_parameters params;
9514 	int link_id = nl80211_link_id_or_invalid(info->attrs);
9515 
9516 	memset(&params, 0, sizeof(params));
9517 
9518 	if (!dev && wdev->iftype != NL80211_IFTYPE_NAN)
9519 		return -EINVAL;
9520 
9521 	if (info->attrs[NL80211_ATTR_MAC])
9522 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
9523 
9524 	switch (wdev->iftype) {
9525 	case NL80211_IFTYPE_AP:
9526 	case NL80211_IFTYPE_AP_VLAN:
9527 	case NL80211_IFTYPE_MESH_POINT:
9528 	case NL80211_IFTYPE_P2P_GO:
9529 	case NL80211_IFTYPE_NAN:
9530 	case NL80211_IFTYPE_NAN_DATA:
9531 		/* always accept these */
9532 		break;
9533 	case NL80211_IFTYPE_ADHOC:
9534 		/* conditionally accept */
9535 		if (wiphy_ext_feature_isset(&rdev->wiphy,
9536 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
9537 			break;
9538 		return -EINVAL;
9539 	default:
9540 		return -EINVAL;
9541 	}
9542 
9543 	if (!rdev->ops->del_station)
9544 		return -EOPNOTSUPP;
9545 
9546 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
9547 		params.subtype =
9548 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
9549 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
9550 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
9551 			return -EINVAL;
9552 	} else {
9553 		/* Default to Deauthentication frame */
9554 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
9555 	}
9556 
9557 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
9558 		params.reason_code =
9559 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9560 		if (params.reason_code == 0)
9561 			return -EINVAL; /* 0 is reserved */
9562 	} else {
9563 		/* Default to reason code 2 */
9564 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
9565 	}
9566 
9567 	/* Link ID not expected in case of non-ML operation */
9568 	if (!wdev->valid_links && link_id != -1)
9569 		return -EINVAL;
9570 
9571 	/* If given, a valid link ID should be passed during MLO */
9572 	if (wdev->valid_links && link_id >= 0 &&
9573 	    !(wdev->valid_links & BIT(link_id)))
9574 		return -EINVAL;
9575 
9576 	params.link_id = link_id;
9577 
9578 	return rdev_del_station(rdev, wdev, &params);
9579 }
9580 
9581 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
9582 				int flags, struct net_device *dev,
9583 				u8 *dst, u8 *next_hop,
9584 				struct mpath_info *pinfo)
9585 {
9586 	void *hdr;
9587 	struct nlattr *pinfoattr;
9588 
9589 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
9590 	if (!hdr)
9591 		return -1;
9592 
9593 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9594 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
9595 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
9596 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
9597 		goto nla_put_failure;
9598 
9599 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
9600 	if (!pinfoattr)
9601 		goto nla_put_failure;
9602 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9603 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9604 			pinfo->frame_qlen))
9605 		goto nla_put_failure;
9606 	if (((pinfo->filled & MPATH_INFO_SN) &&
9607 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9608 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9609 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9610 			 pinfo->metric)) ||
9611 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9612 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9613 			 pinfo->exptime)) ||
9614 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9615 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9616 			pinfo->flags)) ||
9617 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9618 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9619 			 pinfo->discovery_timeout)) ||
9620 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9621 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9622 			pinfo->discovery_retries)) ||
9623 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9624 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9625 			pinfo->hop_count)) ||
9626 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9627 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9628 			 pinfo->path_change_count)))
9629 		goto nla_put_failure;
9630 
9631 	nla_nest_end(msg, pinfoattr);
9632 
9633 	genlmsg_end(msg, hdr);
9634 	return 0;
9635 
9636  nla_put_failure:
9637 	genlmsg_cancel(msg, hdr);
9638 	return -EMSGSIZE;
9639 }
9640 
9641 static int nl80211_dump_mpath(struct sk_buff *skb,
9642 			      struct netlink_callback *cb)
9643 {
9644 	struct mpath_info pinfo;
9645 	struct cfg80211_registered_device *rdev;
9646 	struct wireless_dev *wdev;
9647 	u8 dst[ETH_ALEN];
9648 	u8 next_hop[ETH_ALEN];
9649 	int path_idx = cb->args[2];
9650 	int err;
9651 
9652 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9653 	if (err)
9654 		return err;
9655 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9656 	__acquire(&rdev->wiphy.mtx);
9657 
9658 	if (!rdev->ops->dump_mpath) {
9659 		err = -EOPNOTSUPP;
9660 		goto out_err;
9661 	}
9662 
9663 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9664 		err = -EOPNOTSUPP;
9665 		goto out_err;
9666 	}
9667 
9668 	while (1) {
9669 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9670 				      next_hop, &pinfo);
9671 		if (err == -ENOENT)
9672 			break;
9673 		if (err)
9674 			goto out_err;
9675 
9676 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9677 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9678 				       wdev->netdev, dst, next_hop,
9679 				       &pinfo) < 0)
9680 			goto out;
9681 
9682 		path_idx++;
9683 	}
9684 
9685  out:
9686 	cb->args[2] = path_idx;
9687 	err = skb->len;
9688  out_err:
9689 	wiphy_unlock(&rdev->wiphy);
9690 	return err;
9691 }
9692 
9693 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9694 {
9695 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9696 	int err;
9697 	struct net_device *dev = info->user_ptr[1];
9698 	struct mpath_info pinfo;
9699 	struct sk_buff *msg;
9700 	u8 *dst = NULL;
9701 	u8 next_hop[ETH_ALEN];
9702 
9703 	memset(&pinfo, 0, sizeof(pinfo));
9704 
9705 	if (!info->attrs[NL80211_ATTR_MAC])
9706 		return -EINVAL;
9707 
9708 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9709 
9710 	if (!rdev->ops->get_mpath)
9711 		return -EOPNOTSUPP;
9712 
9713 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9714 		return -EOPNOTSUPP;
9715 
9716 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9717 	if (err)
9718 		return err;
9719 
9720 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9721 	if (!msg)
9722 		return -ENOMEM;
9723 
9724 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9725 				 dev, dst, next_hop, &pinfo) < 0) {
9726 		nlmsg_free(msg);
9727 		return -ENOBUFS;
9728 	}
9729 
9730 	return genlmsg_reply(msg, info);
9731 }
9732 
9733 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9734 {
9735 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9736 	struct net_device *dev = info->user_ptr[1];
9737 	u8 *dst = NULL;
9738 	u8 *next_hop = NULL;
9739 
9740 	if (!info->attrs[NL80211_ATTR_MAC])
9741 		return -EINVAL;
9742 
9743 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9744 		return -EINVAL;
9745 
9746 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9747 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9748 
9749 	if (!rdev->ops->change_mpath)
9750 		return -EOPNOTSUPP;
9751 
9752 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9753 		return -EOPNOTSUPP;
9754 
9755 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9756 }
9757 
9758 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9759 {
9760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9761 	struct net_device *dev = info->user_ptr[1];
9762 	u8 *dst = NULL;
9763 	u8 *next_hop = NULL;
9764 
9765 	if (!info->attrs[NL80211_ATTR_MAC])
9766 		return -EINVAL;
9767 
9768 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9769 		return -EINVAL;
9770 
9771 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9772 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9773 
9774 	if (!rdev->ops->add_mpath)
9775 		return -EOPNOTSUPP;
9776 
9777 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9778 		return -EOPNOTSUPP;
9779 
9780 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9781 }
9782 
9783 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9784 {
9785 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9786 	struct net_device *dev = info->user_ptr[1];
9787 	u8 *dst = NULL;
9788 
9789 	if (info->attrs[NL80211_ATTR_MAC])
9790 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9791 
9792 	if (!rdev->ops->del_mpath)
9793 		return -EOPNOTSUPP;
9794 
9795 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9796 		return -EOPNOTSUPP;
9797 
9798 	return rdev_del_mpath(rdev, dev, dst);
9799 }
9800 
9801 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9802 {
9803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9804 	int err;
9805 	struct net_device *dev = info->user_ptr[1];
9806 	struct mpath_info pinfo;
9807 	struct sk_buff *msg;
9808 	u8 *dst = NULL;
9809 	u8 mpp[ETH_ALEN];
9810 
9811 	memset(&pinfo, 0, sizeof(pinfo));
9812 
9813 	if (!info->attrs[NL80211_ATTR_MAC])
9814 		return -EINVAL;
9815 
9816 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9817 
9818 	if (!rdev->ops->get_mpp)
9819 		return -EOPNOTSUPP;
9820 
9821 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9822 		return -EOPNOTSUPP;
9823 
9824 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9825 	if (err)
9826 		return err;
9827 
9828 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9829 	if (!msg)
9830 		return -ENOMEM;
9831 
9832 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9833 			       dev, dst, mpp, &pinfo) < 0) {
9834 		nlmsg_free(msg);
9835 		return -ENOBUFS;
9836 	}
9837 
9838 	return genlmsg_reply(msg, info);
9839 }
9840 
9841 static int nl80211_dump_mpp(struct sk_buff *skb,
9842 			    struct netlink_callback *cb)
9843 {
9844 	struct mpath_info pinfo;
9845 	struct cfg80211_registered_device *rdev;
9846 	struct wireless_dev *wdev;
9847 	u8 dst[ETH_ALEN];
9848 	u8 mpp[ETH_ALEN];
9849 	int path_idx = cb->args[2];
9850 	int err;
9851 
9852 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9853 	if (err)
9854 		return err;
9855 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9856 	__acquire(&rdev->wiphy.mtx);
9857 
9858 	if (!rdev->ops->dump_mpp) {
9859 		err = -EOPNOTSUPP;
9860 		goto out_err;
9861 	}
9862 
9863 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9864 		err = -EOPNOTSUPP;
9865 		goto out_err;
9866 	}
9867 
9868 	while (1) {
9869 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9870 				    mpp, &pinfo);
9871 		if (err == -ENOENT)
9872 			break;
9873 		if (err)
9874 			goto out_err;
9875 
9876 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9877 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9878 				       wdev->netdev, dst, mpp,
9879 				       &pinfo) < 0)
9880 			goto out;
9881 
9882 		path_idx++;
9883 	}
9884 
9885  out:
9886 	cb->args[2] = path_idx;
9887 	err = skb->len;
9888  out_err:
9889 	wiphy_unlock(&rdev->wiphy);
9890 	return err;
9891 }
9892 
9893 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9894 {
9895 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9896 	struct net_device *dev = info->user_ptr[1];
9897 	struct bss_parameters params;
9898 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9899 	u32 changed = 0;
9900 	bool strict;
9901 
9902 	memset(&params, 0, sizeof(params));
9903 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9904 	/* default to not changing parameters */
9905 	params.use_cts_prot = -1;
9906 	params.use_short_preamble = -1;
9907 	params.use_short_slot_time = -1;
9908 	params.ap_isolate = -1;
9909 	params.ht_opmode = -1;
9910 	params.p2p_ctwindow = -1;
9911 	params.p2p_opp_ps = -1;
9912 
9913 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9914 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9915 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9916 			return -EINVAL;
9917 		params.use_cts_prot =
9918 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9919 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9920 	}
9921 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9922 		if (strict &&
9923 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9924 			return -EINVAL;
9925 		params.use_short_preamble =
9926 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9927 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9928 	}
9929 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9930 		if (strict &&
9931 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9932 			return -EINVAL;
9933 		params.use_short_slot_time =
9934 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9935 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9936 	}
9937 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9938 		if (strict &&
9939 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9940 			return -EINVAL;
9941 		params.basic_rates =
9942 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9943 		params.basic_rates_len =
9944 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9945 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9946 	}
9947 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9948 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9949 			return -EINVAL;
9950 		params.ap_isolate =
9951 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9952 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9953 	}
9954 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9955 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9956 			return -EINVAL;
9957 		params.ht_opmode =
9958 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9959 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9960 	}
9961 
9962 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9963 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9964 			return -EINVAL;
9965 		params.p2p_ctwindow =
9966 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9967 		if (params.p2p_ctwindow != 0 &&
9968 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9969 			return -EINVAL;
9970 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9971 	}
9972 
9973 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9974 		u8 tmp;
9975 
9976 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9977 			return -EINVAL;
9978 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9979 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9980 			return -EINVAL;
9981 		params.p2p_opp_ps = tmp;
9982 		if (params.p2p_opp_ps &&
9983 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9984 			return -EINVAL;
9985 	}
9986 
9987 	if (!rdev->ops->change_bss)
9988 		return -EOPNOTSUPP;
9989 
9990 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9991 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9992 		return -EOPNOTSUPP;
9993 
9994 	changed &= rdev->wiphy.bss_param_support;
9995 	if (!changed)
9996 		return 0;
9997 
9998 	return rdev_change_bss(rdev, dev, &params);
9999 }
10000 
10001 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
10002 {
10003 	char *data = NULL;
10004 	bool is_indoor;
10005 	enum nl80211_user_reg_hint_type user_reg_hint_type;
10006 	u32 owner_nlportid;
10007 
10008 	/*
10009 	 * You should only get this when cfg80211 hasn't yet initialized
10010 	 * completely when built-in to the kernel right between the time
10011 	 * window between nl80211_init() and regulatory_init(), if that is
10012 	 * even possible.
10013 	 */
10014 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
10015 		return -EINPROGRESS;
10016 
10017 	user_reg_hint_type =
10018 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
10019 				    NL80211_USER_REG_HINT_USER);
10020 
10021 	switch (user_reg_hint_type) {
10022 	case NL80211_USER_REG_HINT_USER:
10023 	case NL80211_USER_REG_HINT_CELL_BASE:
10024 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10025 			return -EINVAL;
10026 
10027 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10028 		return regulatory_hint_user(data, user_reg_hint_type);
10029 	case NL80211_USER_REG_HINT_INDOOR:
10030 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10031 			owner_nlportid = info->snd_portid;
10032 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
10033 		} else {
10034 			owner_nlportid = 0;
10035 			is_indoor = true;
10036 		}
10037 
10038 		regulatory_hint_indoor(is_indoor, owner_nlportid);
10039 		return 0;
10040 	default:
10041 		return -EINVAL;
10042 	}
10043 }
10044 
10045 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
10046 {
10047 	return reg_reload_regdb();
10048 }
10049 
10050 static int nl80211_get_mesh_config(struct sk_buff *skb,
10051 				   struct genl_info *info)
10052 {
10053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10054 	struct net_device *dev = info->user_ptr[1];
10055 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10056 	struct mesh_config cur_params;
10057 	int err = 0;
10058 	void *hdr;
10059 	struct nlattr *pinfoattr;
10060 	struct sk_buff *msg;
10061 
10062 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
10063 		return -EOPNOTSUPP;
10064 
10065 	if (!rdev->ops->get_mesh_config)
10066 		return -EOPNOTSUPP;
10067 
10068 	/* If not connected, get default parameters */
10069 	if (!wdev->u.mesh.id_len)
10070 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
10071 	else
10072 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
10073 
10074 	if (err)
10075 		return err;
10076 
10077 	/* Draw up a netlink message to send back */
10078 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10079 	if (!msg)
10080 		return -ENOMEM;
10081 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10082 			     NL80211_CMD_GET_MESH_CONFIG);
10083 	if (!hdr)
10084 		goto out;
10085 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
10086 	if (!pinfoattr)
10087 		goto nla_put_failure;
10088 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
10089 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
10090 			cur_params.dot11MeshRetryTimeout) ||
10091 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
10092 			cur_params.dot11MeshConfirmTimeout) ||
10093 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
10094 			cur_params.dot11MeshHoldingTimeout) ||
10095 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
10096 			cur_params.dot11MeshMaxPeerLinks) ||
10097 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
10098 		       cur_params.dot11MeshMaxRetries) ||
10099 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
10100 		       cur_params.dot11MeshTTL) ||
10101 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
10102 		       cur_params.element_ttl) ||
10103 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
10104 		       cur_params.auto_open_plinks) ||
10105 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
10106 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
10107 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
10108 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
10109 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
10110 			cur_params.path_refresh_time) ||
10111 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
10112 			cur_params.min_discovery_timeout) ||
10113 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
10114 			cur_params.dot11MeshHWMPactivePathTimeout) ||
10115 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
10116 			cur_params.dot11MeshHWMPpreqMinInterval) ||
10117 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
10118 			cur_params.dot11MeshHWMPperrMinInterval) ||
10119 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
10120 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
10121 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
10122 		       cur_params.dot11MeshHWMPRootMode) ||
10123 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
10124 			cur_params.dot11MeshHWMPRannInterval) ||
10125 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
10126 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
10127 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
10128 		       cur_params.dot11MeshForwarding) ||
10129 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
10130 			cur_params.rssi_threshold) ||
10131 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
10132 			cur_params.ht_opmode) ||
10133 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
10134 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
10135 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
10136 			cur_params.dot11MeshHWMProotInterval) ||
10137 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
10138 			cur_params.dot11MeshHWMPconfirmationInterval) ||
10139 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
10140 			cur_params.power_mode) ||
10141 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
10142 			cur_params.dot11MeshAwakeWindowDuration) ||
10143 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
10144 			cur_params.plink_timeout) ||
10145 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
10146 		       cur_params.dot11MeshConnectedToMeshGate) ||
10147 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
10148 		       cur_params.dot11MeshNolearn) ||
10149 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
10150 		       cur_params.dot11MeshConnectedToAuthServer))
10151 		goto nla_put_failure;
10152 	nla_nest_end(msg, pinfoattr);
10153 	genlmsg_end(msg, hdr);
10154 	return genlmsg_reply(msg, info);
10155 
10156  nla_put_failure:
10157  out:
10158 	nlmsg_free(msg);
10159 	return -ENOBUFS;
10160 }
10161 
10162 static const struct nla_policy
10163 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
10164 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
10165 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
10166 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
10167 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
10168 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
10169 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
10170 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
10171 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
10172 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
10173 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
10174 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
10175 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
10176 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
10177 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
10178 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
10179 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
10180 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
10181 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
10182 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
10183 		NLA_POLICY_MIN(NLA_U16, 1),
10184 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
10185 		NLA_POLICY_MIN(NLA_U16, 1),
10186 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
10187 		NLA_POLICY_MIN(NLA_U16, 1),
10188 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
10189 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
10190 		NLA_POLICY_MIN(NLA_U16, 1),
10191 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
10192 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
10193 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
10194 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
10195 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
10196 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
10197 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
10198 		NLA_POLICY_MIN(NLA_U16, 1),
10199 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
10200 		NLA_POLICY_MIN(NLA_U16, 1),
10201 	[NL80211_MESHCONF_POWER_MODE] =
10202 		NLA_POLICY_RANGE(NLA_U32,
10203 				 NL80211_MESH_POWER_ACTIVE,
10204 				 NL80211_MESH_POWER_MAX),
10205 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
10206 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
10207 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
10208 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
10209 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
10210 };
10211 
10212 static const struct nla_policy
10213 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
10214 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
10215 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
10216 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
10217 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
10218 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
10219 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
10220 	[NL80211_MESH_SETUP_IE] =
10221 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
10222 				       IEEE80211_MAX_DATA_LEN),
10223 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
10224 };
10225 
10226 static int nl80211_parse_mesh_config(struct genl_info *info,
10227 				     struct mesh_config *cfg,
10228 				     u32 *mask_out)
10229 {
10230 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
10231 	u32 mask = 0;
10232 	u16 ht_opmode;
10233 
10234 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
10235 do {									\
10236 	if (tb[attr]) {							\
10237 		cfg->param = fn(tb[attr]);				\
10238 		mask |= BIT((attr) - 1);				\
10239 	}								\
10240 } while (0)
10241 
10242 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
10243 		return -EINVAL;
10244 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
10245 		return -EINVAL;
10246 
10247 	/* This makes sure that there aren't more than 32 mesh config
10248 	 * parameters (otherwise our bitfield scheme would not work.) */
10249 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
10250 
10251 	/* Fill in the params struct */
10252 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
10253 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
10254 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
10255 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
10256 				  nla_get_u16);
10257 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
10258 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
10259 				  nla_get_u16);
10260 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
10261 				  NL80211_MESHCONF_MAX_PEER_LINKS,
10262 				  nla_get_u16);
10263 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
10264 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
10265 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
10266 				  NL80211_MESHCONF_TTL, nla_get_u8);
10267 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
10268 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
10269 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
10270 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
10271 				  nla_get_u8);
10272 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
10273 				  mask,
10274 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
10275 				  nla_get_u32);
10276 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
10277 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
10278 				  nla_get_u8);
10279 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
10280 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
10281 				  nla_get_u32);
10282 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
10283 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
10284 		return -EINVAL;
10285 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
10286 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
10287 				  nla_get_u16);
10288 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
10289 				  mask,
10290 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
10291 				  nla_get_u32);
10292 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
10293 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
10294 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
10295 		return -EINVAL;
10296 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
10297 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
10298 				  nla_get_u16);
10299 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
10300 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
10301 				  nla_get_u16);
10302 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10303 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
10304 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
10305 				  nla_get_u16);
10306 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
10307 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
10308 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
10309 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
10310 				  nla_get_u16);
10311 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
10312 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
10313 				  nla_get_u8);
10314 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
10315 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
10316 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
10317 				  NL80211_MESHCONF_RSSI_THRESHOLD,
10318 				  nla_get_s32);
10319 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
10320 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
10321 				  nla_get_u8);
10322 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
10323 				  NL80211_MESHCONF_CONNECTED_TO_AS,
10324 				  nla_get_u8);
10325 	/*
10326 	 * Check HT operation mode based on
10327 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
10328 	 */
10329 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
10330 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
10331 
10332 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
10333 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
10334 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
10335 			return -EINVAL;
10336 
10337 		/* NON_HT_STA bit is reserved, but some programs set it */
10338 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
10339 
10340 		cfg->ht_opmode = ht_opmode;
10341 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
10342 	}
10343 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
10344 				  dot11MeshHWMPactivePathToRootTimeout, mask,
10345 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
10346 				  nla_get_u32);
10347 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
10348 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
10349 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
10350 		return -EINVAL;
10351 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
10352 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
10353 				  nla_get_u16);
10354 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
10355 				  mask,
10356 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
10357 				  nla_get_u16);
10358 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
10359 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
10360 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
10361 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
10362 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
10363 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
10364 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
10365 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
10366 	if (mask_out)
10367 		*mask_out = mask;
10368 
10369 	return 0;
10370 
10371 #undef FILL_IN_MESH_PARAM_IF_SET
10372 }
10373 
10374 static int nl80211_parse_mesh_setup(struct genl_info *info,
10375 				     struct mesh_setup *setup)
10376 {
10377 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10378 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
10379 
10380 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
10381 		return -EINVAL;
10382 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
10383 		return -EINVAL;
10384 
10385 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
10386 		setup->sync_method =
10387 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
10388 		 IEEE80211_SYNC_METHOD_VENDOR :
10389 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
10390 
10391 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
10392 		setup->path_sel_proto =
10393 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
10394 		 IEEE80211_PATH_PROTOCOL_VENDOR :
10395 		 IEEE80211_PATH_PROTOCOL_HWMP;
10396 
10397 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
10398 		setup->path_metric =
10399 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
10400 		 IEEE80211_PATH_METRIC_VENDOR :
10401 		 IEEE80211_PATH_METRIC_AIRTIME;
10402 
10403 	if (tb[NL80211_MESH_SETUP_IE]) {
10404 		struct nlattr *ieattr =
10405 			tb[NL80211_MESH_SETUP_IE];
10406 		setup->ie = nla_data(ieattr);
10407 		setup->ie_len = nla_len(ieattr);
10408 	}
10409 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
10410 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
10411 		return -EINVAL;
10412 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
10413 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
10414 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
10415 	if (setup->is_secure)
10416 		setup->user_mpm = true;
10417 
10418 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
10419 		if (!setup->user_mpm)
10420 			return -EINVAL;
10421 		setup->auth_id =
10422 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
10423 	}
10424 
10425 	return 0;
10426 }
10427 
10428 static int nl80211_update_mesh_config(struct sk_buff *skb,
10429 				      struct genl_info *info)
10430 {
10431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10432 	struct net_device *dev = info->user_ptr[1];
10433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10434 	struct mesh_config cfg = {};
10435 	u32 mask;
10436 	int err;
10437 
10438 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
10439 		return -EOPNOTSUPP;
10440 
10441 	if (!rdev->ops->update_mesh_config)
10442 		return -EOPNOTSUPP;
10443 
10444 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
10445 	if (err)
10446 		return err;
10447 
10448 	if (!wdev->u.mesh.id_len)
10449 		err = -ENOLINK;
10450 
10451 	if (!err)
10452 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
10453 
10454 	return err;
10455 }
10456 
10457 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
10458 			      struct sk_buff *msg)
10459 {
10460 	struct nlattr *nl_reg_rules;
10461 	unsigned int i;
10462 
10463 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
10464 	    (regdom->dfs_region &&
10465 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
10466 		goto nla_put_failure;
10467 
10468 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
10469 	if (!nl_reg_rules)
10470 		goto nla_put_failure;
10471 
10472 	for (i = 0; i < regdom->n_reg_rules; i++) {
10473 		struct nlattr *nl_reg_rule;
10474 		const struct ieee80211_reg_rule *reg_rule;
10475 		const struct ieee80211_freq_range *freq_range;
10476 		const struct ieee80211_power_rule *power_rule;
10477 		unsigned int max_bandwidth_khz;
10478 
10479 		reg_rule = &regdom->reg_rules[i];
10480 		freq_range = &reg_rule->freq_range;
10481 		power_rule = &reg_rule->power_rule;
10482 
10483 		nl_reg_rule = nla_nest_start_noflag(msg, i);
10484 		if (!nl_reg_rule)
10485 			goto nla_put_failure;
10486 
10487 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
10488 		if (!max_bandwidth_khz)
10489 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
10490 								  reg_rule);
10491 
10492 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
10493 				reg_rule->flags) ||
10494 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
10495 				freq_range->start_freq_khz) ||
10496 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
10497 				freq_range->end_freq_khz) ||
10498 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
10499 				max_bandwidth_khz) ||
10500 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
10501 				power_rule->max_antenna_gain) ||
10502 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
10503 				power_rule->max_eirp) ||
10504 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
10505 				reg_rule->dfs_cac_ms))
10506 			goto nla_put_failure;
10507 
10508 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
10509 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
10510 			       reg_rule->psd))
10511 			goto nla_put_failure;
10512 
10513 		nla_nest_end(msg, nl_reg_rule);
10514 	}
10515 
10516 	nla_nest_end(msg, nl_reg_rules);
10517 	return 0;
10518 
10519 nla_put_failure:
10520 	return -EMSGSIZE;
10521 }
10522 
10523 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
10524 {
10525 	const struct ieee80211_regdomain *regdom = NULL;
10526 	struct cfg80211_registered_device *rdev;
10527 	struct wiphy *wiphy = NULL;
10528 	struct sk_buff *msg;
10529 	int err = -EMSGSIZE;
10530 	void *hdr;
10531 
10532 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10533 	if (!msg)
10534 		return -ENOBUFS;
10535 
10536 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10537 			     NL80211_CMD_GET_REG);
10538 	if (!hdr)
10539 		goto put_failure;
10540 
10541 	rtnl_lock();
10542 
10543 	if (info->attrs[NL80211_ATTR_WIPHY]) {
10544 		bool self_managed;
10545 
10546 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
10547 		if (IS_ERR(rdev)) {
10548 			err = PTR_ERR(rdev);
10549 			goto nla_put_failure;
10550 		}
10551 
10552 		wiphy = &rdev->wiphy;
10553 		self_managed = wiphy->regulatory_flags &
10554 			       REGULATORY_WIPHY_SELF_MANAGED;
10555 
10556 		rcu_read_lock();
10557 
10558 		regdom = get_wiphy_regdom(wiphy);
10559 
10560 		/* a self-managed-reg device must have a private regdom */
10561 		if (WARN_ON(!regdom && self_managed)) {
10562 			err = -EINVAL;
10563 			goto nla_put_failure_rcu;
10564 		}
10565 
10566 		if (regdom &&
10567 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10568 			goto nla_put_failure_rcu;
10569 	} else {
10570 		rcu_read_lock();
10571 	}
10572 
10573 	if (!wiphy && reg_last_request_cell_base() &&
10574 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10575 			NL80211_USER_REG_HINT_CELL_BASE))
10576 		goto nla_put_failure_rcu;
10577 
10578 	if (!regdom)
10579 		regdom = rcu_dereference(cfg80211_regdomain);
10580 
10581 	if (nl80211_put_regdom(regdom, msg))
10582 		goto nla_put_failure_rcu;
10583 
10584 	rcu_read_unlock();
10585 
10586 	genlmsg_end(msg, hdr);
10587 	rtnl_unlock();
10588 	return genlmsg_reply(msg, info);
10589 
10590 nla_put_failure_rcu:
10591 	rcu_read_unlock();
10592 nla_put_failure:
10593 	rtnl_unlock();
10594 put_failure:
10595 	nlmsg_free(msg);
10596 	return err;
10597 }
10598 
10599 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
10600 			       u32 seq, int flags, struct wiphy *wiphy,
10601 			       const struct ieee80211_regdomain *regdom)
10602 {
10603 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10604 				   NL80211_CMD_GET_REG);
10605 
10606 	if (!hdr)
10607 		return -1;
10608 
10609 	genl_dump_check_consistent(cb, hdr);
10610 
10611 	if (nl80211_put_regdom(regdom, msg))
10612 		goto nla_put_failure;
10613 
10614 	if (!wiphy && reg_last_request_cell_base() &&
10615 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10616 			NL80211_USER_REG_HINT_CELL_BASE))
10617 		goto nla_put_failure;
10618 
10619 	if (wiphy &&
10620 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10621 		goto nla_put_failure;
10622 
10623 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10624 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10625 		goto nla_put_failure;
10626 
10627 	genlmsg_end(msg, hdr);
10628 	return 0;
10629 
10630 nla_put_failure:
10631 	genlmsg_cancel(msg, hdr);
10632 	return -EMSGSIZE;
10633 }
10634 
10635 static int nl80211_get_reg_dump(struct sk_buff *skb,
10636 				struct netlink_callback *cb)
10637 {
10638 	const struct ieee80211_regdomain *regdom = NULL;
10639 	struct cfg80211_registered_device *rdev;
10640 	int err, reg_idx, start = cb->args[2];
10641 
10642 	rcu_read_lock();
10643 
10644 	if (cfg80211_regdomain && start == 0) {
10645 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10646 					  NLM_F_MULTI, NULL,
10647 					  rcu_dereference(cfg80211_regdomain));
10648 		if (err < 0)
10649 			goto out_err;
10650 	}
10651 
10652 	/* the global regdom is idx 0 */
10653 	reg_idx = 1;
10654 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10655 		regdom = get_wiphy_regdom(&rdev->wiphy);
10656 		if (!regdom)
10657 			continue;
10658 
10659 		if (++reg_idx <= start)
10660 			continue;
10661 
10662 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10663 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10664 		if (err < 0) {
10665 			reg_idx--;
10666 			break;
10667 		}
10668 	}
10669 
10670 	cb->args[2] = reg_idx;
10671 	err = skb->len;
10672 out_err:
10673 	rcu_read_unlock();
10674 	return err;
10675 }
10676 
10677 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10678 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10679 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10680 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10681 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10682 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10683 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10684 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10685 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10686 };
10687 
10688 static int parse_reg_rule(struct nlattr *tb[],
10689 	struct ieee80211_reg_rule *reg_rule)
10690 {
10691 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10692 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10693 
10694 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10695 		return -EINVAL;
10696 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10697 		return -EINVAL;
10698 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10699 		return -EINVAL;
10700 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10701 		return -EINVAL;
10702 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10703 		return -EINVAL;
10704 
10705 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10706 
10707 	freq_range->start_freq_khz =
10708 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10709 	freq_range->end_freq_khz =
10710 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10711 	freq_range->max_bandwidth_khz =
10712 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10713 
10714 	power_rule->max_eirp =
10715 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10716 
10717 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10718 		power_rule->max_antenna_gain =
10719 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10720 
10721 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10722 		reg_rule->dfs_cac_ms =
10723 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10724 
10725 	return 0;
10726 }
10727 
10728 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10729 {
10730 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10731 	struct nlattr *nl_reg_rule;
10732 	char *alpha2;
10733 	int rem_reg_rules, r;
10734 	u32 num_rules = 0, rule_idx = 0;
10735 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10736 	struct ieee80211_regdomain *rd;
10737 
10738 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10739 		return -EINVAL;
10740 
10741 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10742 		return -EINVAL;
10743 
10744 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10745 
10746 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10747 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10748 
10749 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10750 			    rem_reg_rules) {
10751 		num_rules++;
10752 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10753 			return -EINVAL;
10754 	}
10755 
10756 	rtnl_lock();
10757 	if (!reg_is_valid_request(alpha2)) {
10758 		r = -EINVAL;
10759 		goto out;
10760 	}
10761 
10762 	rd = kzalloc_flex(*rd, reg_rules, num_rules);
10763 	if (!rd) {
10764 		r = -ENOMEM;
10765 		goto out;
10766 	}
10767 
10768 	rd->n_reg_rules = num_rules;
10769 	rd->alpha2[0] = alpha2[0];
10770 	rd->alpha2[1] = alpha2[1];
10771 
10772 	/*
10773 	 * Disable DFS master mode if the DFS region was
10774 	 * not supported or known on this kernel.
10775 	 */
10776 	if (reg_supported_dfs_region(dfs_region))
10777 		rd->dfs_region = dfs_region;
10778 
10779 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10780 			    rem_reg_rules) {
10781 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10782 						nl_reg_rule, reg_rule_policy,
10783 						info->extack);
10784 		if (r)
10785 			goto bad_reg;
10786 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10787 		if (r)
10788 			goto bad_reg;
10789 
10790 		rule_idx++;
10791 
10792 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10793 			r = -EINVAL;
10794 			goto bad_reg;
10795 		}
10796 	}
10797 
10798 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10799 	/* set_regdom takes ownership of rd */
10800 	rd = NULL;
10801  bad_reg:
10802 	kfree(rd);
10803  out:
10804 	rtnl_unlock();
10805 	return r;
10806 }
10807 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10808 
10809 static int validate_scan_freqs(struct nlattr *freqs)
10810 {
10811 	struct nlattr *attr1, *attr2;
10812 	int n_channels = 0, tmp1, tmp2;
10813 
10814 	nla_for_each_nested(attr1, freqs, tmp1)
10815 		if (nla_len(attr1) != sizeof(u32))
10816 			return 0;
10817 
10818 	nla_for_each_nested(attr1, freqs, tmp1) {
10819 		n_channels++;
10820 		/*
10821 		 * Some hardware has a limited channel list for
10822 		 * scanning, and it is pretty much nonsensical
10823 		 * to scan for a channel twice, so disallow that
10824 		 * and don't require drivers to check that the
10825 		 * channel list they get isn't longer than what
10826 		 * they can scan, as long as they can scan all
10827 		 * the channels they registered at once.
10828 		 */
10829 		nla_for_each_nested(attr2, freqs, tmp2)
10830 			if (attr1 != attr2 &&
10831 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10832 				return 0;
10833 	}
10834 
10835 	return n_channels;
10836 }
10837 
10838 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10839 {
10840 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10841 }
10842 
10843 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10844 			    struct cfg80211_bss_selection *bss_select)
10845 {
10846 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10847 	struct nlattr *nest;
10848 	int err;
10849 	bool found = false;
10850 	int i;
10851 
10852 	/* only process one nested attribute */
10853 	nest = nla_data(nla);
10854 	if (!nla_ok(nest, nla_len(nest)))
10855 		return -EINVAL;
10856 
10857 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10858 					  nest, nl80211_bss_select_policy,
10859 					  NULL);
10860 	if (err)
10861 		return err;
10862 
10863 	/* only one attribute may be given */
10864 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10865 		if (attr[i]) {
10866 			if (found)
10867 				return -EINVAL;
10868 			found = true;
10869 		}
10870 	}
10871 
10872 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10873 
10874 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10875 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10876 
10877 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10878 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10879 		bss_select->param.band_pref =
10880 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10881 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10882 			return -EINVAL;
10883 	}
10884 
10885 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10886 		struct nl80211_bss_select_rssi_adjust *adj_param;
10887 
10888 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10889 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10890 		bss_select->param.adjust.band = adj_param->band;
10891 		bss_select->param.adjust.delta = adj_param->delta;
10892 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10893 			return -EINVAL;
10894 	}
10895 
10896 	/* user-space did not provide behaviour attribute */
10897 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10898 		return -EINVAL;
10899 
10900 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10901 		return -EINVAL;
10902 
10903 	return 0;
10904 }
10905 
10906 int nl80211_parse_random_mac(struct nlattr **attrs,
10907 			     u8 *mac_addr, u8 *mac_addr_mask)
10908 {
10909 	int i;
10910 
10911 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10912 		eth_zero_addr(mac_addr);
10913 		eth_zero_addr(mac_addr_mask);
10914 		mac_addr[0] = 0x2;
10915 		mac_addr_mask[0] = 0x3;
10916 
10917 		return 0;
10918 	}
10919 
10920 	/* need both or none */
10921 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10922 		return -EINVAL;
10923 
10924 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10925 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10926 
10927 	/* don't allow or configure an mcast address */
10928 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10929 	    is_multicast_ether_addr(mac_addr))
10930 		return -EINVAL;
10931 
10932 	/*
10933 	 * allow users to pass a MAC address that has bits set outside
10934 	 * of the mask, but don't bother drivers with having to deal
10935 	 * with such bits
10936 	 */
10937 	for (i = 0; i < ETH_ALEN; i++)
10938 		mac_addr[i] &= mac_addr_mask[i];
10939 
10940 	return 0;
10941 }
10942 
10943 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10944 					      struct ieee80211_channel *chan)
10945 {
10946 	unsigned int link_id;
10947 	bool all_ok = true;
10948 	int radio_idx;
10949 
10950 	lockdep_assert_wiphy(wdev->wiphy);
10951 
10952 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10953 		return false;
10954 
10955 	if (!cfg80211_beaconing_iface_active(wdev))
10956 		return true;
10957 
10958 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10959 
10960 	/*
10961 	 * FIXME: check if we have a free radio/link for chan
10962 	 *
10963 	 * This, as well as the FIXME below, requires knowing the link
10964 	 * capabilities of the hardware.
10965 	 */
10966 
10967 	/* we cannot leave radar channels */
10968 	for_each_valid_link(wdev, link_id) {
10969 		struct cfg80211_chan_def *chandef;
10970 		int link_radio_idx;
10971 
10972 		chandef = wdev_chandef(wdev, link_id);
10973 		if (!chandef || !chandef->chan)
10974 			continue;
10975 
10976 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10977 			continue;
10978 
10979 		/*
10980 		 * chandef->chan is a radar channel. If the radio/link onto
10981 		 * which this radar channel falls is the same radio/link onto
10982 		 * which the input 'chan' falls, off-channel operation should
10983 		 * not be allowed. Hence, set 'all_ok' to false.
10984 		 */
10985 
10986 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10987 								chandef->chan);
10988 		if (link_radio_idx == radio_idx) {
10989 			all_ok = false;
10990 			break;
10991 		}
10992 	}
10993 
10994 	if (all_ok)
10995 		return true;
10996 
10997 	return regulatory_pre_cac_allowed(wdev->wiphy);
10998 }
10999 
11000 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
11001 				    enum nl80211_ext_feature_index feat)
11002 {
11003 	if (!(flags & flag))
11004 		return true;
11005 	if (wiphy_ext_feature_isset(wiphy, feat))
11006 		return true;
11007 	return false;
11008 }
11009 
11010 static int
11011 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
11012 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
11013 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
11014 {
11015 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
11016 		return 0;
11017 
11018 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
11019 
11020 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
11021 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
11022 	    !nl80211_check_scan_feat(wiphy, *flags,
11023 				     NL80211_SCAN_FLAG_LOW_SPAN,
11024 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
11025 	    !nl80211_check_scan_feat(wiphy, *flags,
11026 				     NL80211_SCAN_FLAG_LOW_POWER,
11027 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
11028 	    !nl80211_check_scan_feat(wiphy, *flags,
11029 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
11030 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
11031 	    !nl80211_check_scan_feat(wiphy, *flags,
11032 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
11033 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
11034 	    !nl80211_check_scan_feat(wiphy, *flags,
11035 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
11036 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
11037 	    !nl80211_check_scan_feat(wiphy, *flags,
11038 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
11039 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
11040 	    !nl80211_check_scan_feat(wiphy, *flags,
11041 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
11042 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
11043 	    !nl80211_check_scan_feat(wiphy, *flags,
11044 				     NL80211_SCAN_FLAG_RANDOM_SN,
11045 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
11046 	    !nl80211_check_scan_feat(wiphy, *flags,
11047 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
11048 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
11049 		return -EOPNOTSUPP;
11050 
11051 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
11052 		int err;
11053 
11054 		if (!(wiphy->features & randomness_flag) ||
11055 		    (wdev && wdev->connected))
11056 			return -EOPNOTSUPP;
11057 
11058 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
11059 		if (err)
11060 			return err;
11061 	}
11062 
11063 	return 0;
11064 }
11065 
11066 static int
11067 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
11068 			       struct nlattr **attrs,
11069 			       struct cfg80211_sched_scan_request *req)
11070 {
11071 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
11072 					req->mac_addr, req->mac_addr_mask,
11073 					&req->flags,
11074 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
11075 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
11076 }
11077 
11078 static int
11079 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
11080 			     struct nlattr **attrs,
11081 			     struct cfg80211_scan_request_int *req)
11082 {
11083 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
11084 					req->req.mac_addr,
11085 					req->req.mac_addr_mask,
11086 					&req->req.flags,
11087 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
11088 }
11089 
11090 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
11091 {
11092 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11093 	struct wireless_dev *wdev = info->user_ptr[1];
11094 	struct cfg80211_scan_request_int *request;
11095 	struct nlattr *scan_freqs = NULL;
11096 	bool scan_freqs_khz = false;
11097 	struct nlattr *attr;
11098 	struct wiphy *wiphy;
11099 	int err, tmp, n_ssids = 0, n_channels, i;
11100 	size_t ie_len, size;
11101 	size_t ssids_offset, ie_offset;
11102 
11103 	wiphy = &rdev->wiphy;
11104 
11105 	if (wdev->iftype == NL80211_IFTYPE_NAN ||
11106 	    wdev->iftype == NL80211_IFTYPE_PD)
11107 		return -EOPNOTSUPP;
11108 
11109 	if (!rdev->ops->scan)
11110 		return -EOPNOTSUPP;
11111 
11112 	if (rdev->scan_req || rdev->scan_msg)
11113 		return -EBUSY;
11114 
11115 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
11116 		if (!wiphy_ext_feature_isset(wiphy,
11117 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
11118 			return -EOPNOTSUPP;
11119 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
11120 		scan_freqs_khz = true;
11121 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
11122 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
11123 
11124 	if (scan_freqs) {
11125 		n_channels = validate_scan_freqs(scan_freqs);
11126 		if (!n_channels)
11127 			return -EINVAL;
11128 	} else {
11129 		n_channels = ieee80211_get_num_supported_channels(wiphy);
11130 	}
11131 
11132 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
11133 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
11134 			n_ssids++;
11135 
11136 	if (n_ssids > wiphy->max_scan_ssids)
11137 		return -EINVAL;
11138 
11139 	if (info->attrs[NL80211_ATTR_IE])
11140 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11141 	else
11142 		ie_len = 0;
11143 
11144 	if (ie_len > wiphy->max_scan_ie_len)
11145 		return -EINVAL;
11146 
11147 	size = struct_size(request, req.channels, n_channels);
11148 	ssids_offset = size;
11149 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
11150 	ie_offset = size;
11151 	size = size_add(size, ie_len);
11152 	request = kzalloc(size, GFP_KERNEL);
11153 	if (!request)
11154 		return -ENOMEM;
11155 
11156 	if (n_ssids)
11157 		request->req.ssids = (void *)request + ssids_offset;
11158 	request->req.n_ssids = n_ssids;
11159 	if (ie_len)
11160 		request->req.ie = (void *)request + ie_offset;
11161 
11162 	i = 0;
11163 	if (scan_freqs) {
11164 		/* user specified, bail out if channel not found */
11165 		nla_for_each_nested(attr, scan_freqs, tmp) {
11166 			struct ieee80211_channel *chan;
11167 			int freq = nla_get_u32(attr);
11168 
11169 			if (!scan_freqs_khz)
11170 				freq = MHZ_TO_KHZ(freq);
11171 
11172 			chan = ieee80211_get_channel_khz(wiphy, freq);
11173 			if (!chan) {
11174 				err = -EINVAL;
11175 				goto out_free;
11176 			}
11177 
11178 			/* Ignore disabled / no primary channels */
11179 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
11180 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
11181 			    !cfg80211_wdev_channel_allowed(wdev, chan))
11182 				continue;
11183 
11184 			request->req.channels[i] = chan;
11185 			i++;
11186 		}
11187 	} else {
11188 		enum nl80211_band band;
11189 
11190 		/* all channels */
11191 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11192 			int j;
11193 
11194 			if (!wiphy->bands[band])
11195 				continue;
11196 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11197 				struct ieee80211_channel *chan;
11198 
11199 				chan = &wiphy->bands[band]->channels[j];
11200 
11201 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
11202 				    chan->flags &
11203 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
11204 				    !cfg80211_wdev_channel_allowed(wdev, chan))
11205 					continue;
11206 
11207 				request->req.channels[i] = chan;
11208 				i++;
11209 			}
11210 		}
11211 	}
11212 
11213 	if (!i) {
11214 		err = -EINVAL;
11215 		goto out_free;
11216 	}
11217 
11218 	request->req.n_channels = i;
11219 
11220 	for (i = 0; i < request->req.n_channels; i++) {
11221 		struct ieee80211_channel *chan = request->req.channels[i];
11222 
11223 		/* if we can go off-channel to the target channel we're good */
11224 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
11225 			continue;
11226 
11227 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
11228 			err = -EBUSY;
11229 			goto out_free;
11230 		}
11231 	}
11232 
11233 	i = 0;
11234 	if (n_ssids) {
11235 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
11236 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11237 				err = -EINVAL;
11238 				goto out_free;
11239 			}
11240 			request->req.ssids[i].ssid_len = nla_len(attr);
11241 			memcpy(request->req.ssids[i].ssid,
11242 			       nla_data(attr), nla_len(attr));
11243 			i++;
11244 		}
11245 	}
11246 
11247 	if (info->attrs[NL80211_ATTR_IE]) {
11248 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11249 		memcpy((void *)request->req.ie,
11250 		       nla_data(info->attrs[NL80211_ATTR_IE]),
11251 		       request->req.ie_len);
11252 	}
11253 
11254 	for (i = 0; i < NUM_NL80211_BANDS; i++)
11255 		if (wiphy->bands[i])
11256 			request->req.rates[i] =
11257 				(1 << wiphy->bands[i]->n_bitrates) - 1;
11258 
11259 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
11260 		nla_for_each_nested(attr,
11261 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
11262 				    tmp) {
11263 			int band = nla_type(attr);
11264 
11265 			if (band < 0 || band >= NUM_NL80211_BANDS) {
11266 				err = -EINVAL;
11267 				goto out_free;
11268 			}
11269 
11270 			if (!wiphy->bands[band])
11271 				continue;
11272 
11273 			err = ieee80211_get_ratemask(wiphy->bands[band],
11274 						     nla_data(attr),
11275 						     nla_len(attr),
11276 						     &request->req.rates[band]);
11277 			if (err)
11278 				goto out_free;
11279 		}
11280 	}
11281 
11282 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
11283 		request->req.duration =
11284 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
11285 		request->req.duration_mandatory =
11286 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
11287 	}
11288 
11289 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
11290 	if (err)
11291 		goto out_free;
11292 
11293 	request->req.no_cck =
11294 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11295 
11296 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
11297 	 * BSSID to scan for. This was problematic because that same attribute
11298 	 * was already used for another purpose (local random MAC address). The
11299 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
11300 	 * compatibility with older userspace components, also use the
11301 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
11302 	 * the specific BSSID use case instead of the random MAC address
11303 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
11304 	 */
11305 	if (info->attrs[NL80211_ATTR_BSSID])
11306 		memcpy(request->req.bssid,
11307 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
11308 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
11309 		 info->attrs[NL80211_ATTR_MAC])
11310 		memcpy(request->req.bssid,
11311 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
11312 		       ETH_ALEN);
11313 	else
11314 		eth_broadcast_addr(request->req.bssid);
11315 
11316 	request->req.tsf_report_link_id =
11317 		nl80211_link_id_or_invalid(info->attrs);
11318 	request->req.wdev = wdev;
11319 	request->req.wiphy = &rdev->wiphy;
11320 	request->req.scan_start = jiffies;
11321 
11322 	rdev->scan_req = request;
11323 	err = cfg80211_scan(rdev);
11324 
11325 	if (err)
11326 		goto out_free;
11327 
11328 	nl80211_send_scan_start(rdev, wdev);
11329 	dev_hold(wdev->netdev);
11330 
11331 	return 0;
11332 
11333  out_free:
11334 	rdev->scan_req = NULL;
11335 	kfree(request);
11336 
11337 	return err;
11338 }
11339 
11340 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
11341 {
11342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11343 	struct wireless_dev *wdev = info->user_ptr[1];
11344 
11345 	if (!rdev->ops->abort_scan)
11346 		return -EOPNOTSUPP;
11347 
11348 	if (rdev->scan_msg)
11349 		return 0;
11350 
11351 	if (!rdev->scan_req)
11352 		return -ENOENT;
11353 
11354 	rdev_abort_scan(rdev, wdev);
11355 	return 0;
11356 }
11357 
11358 static int
11359 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
11360 			       struct cfg80211_sched_scan_request *request,
11361 			       struct nlattr **attrs)
11362 {
11363 	int tmp, err, i = 0;
11364 	struct nlattr *attr;
11365 
11366 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11367 		u32 interval;
11368 
11369 		/*
11370 		 * If scan plans are not specified,
11371 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
11372 		 * case one scan plan will be set with the specified scan
11373 		 * interval and infinite number of iterations.
11374 		 */
11375 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
11376 		if (!interval)
11377 			return -EINVAL;
11378 
11379 		request->scan_plans[0].interval =
11380 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
11381 		if (!request->scan_plans[0].interval)
11382 			return -EINVAL;
11383 
11384 		if (request->scan_plans[0].interval >
11385 		    wiphy->max_sched_scan_plan_interval)
11386 			request->scan_plans[0].interval =
11387 				wiphy->max_sched_scan_plan_interval;
11388 
11389 		return 0;
11390 	}
11391 
11392 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
11393 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
11394 
11395 		if (WARN_ON(i >= n_plans))
11396 			return -EINVAL;
11397 
11398 		err = nla_parse_nested_deprecated(plan,
11399 						  NL80211_SCHED_SCAN_PLAN_MAX,
11400 						  attr, nl80211_plan_policy,
11401 						  NULL);
11402 		if (err)
11403 			return err;
11404 
11405 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
11406 			return -EINVAL;
11407 
11408 		request->scan_plans[i].interval =
11409 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
11410 		if (!request->scan_plans[i].interval ||
11411 		    request->scan_plans[i].interval >
11412 		    wiphy->max_sched_scan_plan_interval)
11413 			return -EINVAL;
11414 
11415 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
11416 			request->scan_plans[i].iterations =
11417 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
11418 			if (!request->scan_plans[i].iterations ||
11419 			    (request->scan_plans[i].iterations >
11420 			     wiphy->max_sched_scan_plan_iterations))
11421 				return -EINVAL;
11422 		} else if (i < n_plans - 1) {
11423 			/*
11424 			 * All scan plans but the last one must specify
11425 			 * a finite number of iterations
11426 			 */
11427 			return -EINVAL;
11428 		}
11429 
11430 		i++;
11431 	}
11432 
11433 	/*
11434 	 * The last scan plan must not specify the number of
11435 	 * iterations, it is supposed to run infinitely
11436 	 */
11437 	if (request->scan_plans[n_plans - 1].iterations)
11438 		return  -EINVAL;
11439 
11440 	return 0;
11441 }
11442 
11443 static struct cfg80211_sched_scan_request *
11444 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
11445 			 struct nlattr **attrs, int max_match_sets)
11446 {
11447 	struct cfg80211_sched_scan_request *request;
11448 	struct nlattr *attr;
11449 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
11450 	enum nl80211_band band;
11451 	size_t ie_len, size;
11452 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
11453 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
11454 
11455 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11456 		n_channels = validate_scan_freqs(
11457 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
11458 		if (!n_channels)
11459 			return ERR_PTR(-EINVAL);
11460 	} else {
11461 		n_channels = ieee80211_get_num_supported_channels(wiphy);
11462 	}
11463 
11464 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
11465 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11466 				    tmp)
11467 			n_ssids++;
11468 
11469 	if (n_ssids > wiphy->max_sched_scan_ssids)
11470 		return ERR_PTR(-EINVAL);
11471 
11472 	/*
11473 	 * First, count the number of 'real' matchsets. Due to an issue with
11474 	 * the old implementation, matchsets containing only the RSSI attribute
11475 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
11476 	 * RSSI for all matchsets, rather than their own matchset for reporting
11477 	 * all APs with a strong RSSI. This is needed to be compatible with
11478 	 * older userspace that treated a matchset with only the RSSI as the
11479 	 * global RSSI for all other matchsets - if there are other matchsets.
11480 	 */
11481 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11482 		nla_for_each_nested(attr,
11483 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11484 				    tmp) {
11485 			struct nlattr *rssi;
11486 
11487 			err = nla_parse_nested_deprecated(tb,
11488 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11489 							  attr,
11490 							  nl80211_match_policy,
11491 							  NULL);
11492 			if (err)
11493 				return ERR_PTR(err);
11494 
11495 			/* SSID and BSSID are mutually exclusive */
11496 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
11497 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
11498 				return ERR_PTR(-EINVAL);
11499 
11500 			/* add other standalone attributes here */
11501 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
11502 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
11503 				n_match_sets++;
11504 				continue;
11505 			}
11506 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11507 			if (rssi)
11508 				default_match_rssi = nla_get_s32(rssi);
11509 		}
11510 	}
11511 
11512 	/* However, if there's no other matchset, add the RSSI one */
11513 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
11514 		n_match_sets = 1;
11515 
11516 	if (n_match_sets > max_match_sets)
11517 		return ERR_PTR(-EINVAL);
11518 
11519 	if (attrs[NL80211_ATTR_IE])
11520 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
11521 	else
11522 		ie_len = 0;
11523 
11524 	if (ie_len > wiphy->max_sched_scan_ie_len)
11525 		return ERR_PTR(-EINVAL);
11526 
11527 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
11528 		/*
11529 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
11530 		 * each scan plan already specifies its own interval
11531 		 */
11532 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11533 			return ERR_PTR(-EINVAL);
11534 
11535 		nla_for_each_nested(attr,
11536 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
11537 			n_plans++;
11538 	} else {
11539 		/*
11540 		 * The scan interval attribute is kept for backward
11541 		 * compatibility. If no scan plans are specified and sched scan
11542 		 * interval is specified, one scan plan will be set with this
11543 		 * scan interval and infinite number of iterations.
11544 		 */
11545 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
11546 			return ERR_PTR(-EINVAL);
11547 
11548 		n_plans = 1;
11549 	}
11550 
11551 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
11552 		return ERR_PTR(-EINVAL);
11553 
11554 	if (!wiphy_ext_feature_isset(
11555 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
11556 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
11557 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
11558 		return ERR_PTR(-EINVAL);
11559 
11560 	size = struct_size(request, channels, n_channels);
11561 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
11562 	size = size_add(size, array_size(sizeof(*request->match_sets),
11563 					 n_match_sets));
11564 	size = size_add(size, array_size(sizeof(*request->scan_plans),
11565 					 n_plans));
11566 	size = size_add(size, ie_len);
11567 	request = kzalloc(size, GFP_KERNEL);
11568 	if (!request)
11569 		return ERR_PTR(-ENOMEM);
11570 	request->n_channels = n_channels;
11571 
11572 	if (n_ssids)
11573 		request->ssids = (void *)request +
11574 			struct_size(request, channels, n_channels);
11575 	request->n_ssids = n_ssids;
11576 	if (ie_len) {
11577 		if (n_ssids)
11578 			request->ie = (void *)(request->ssids + n_ssids);
11579 		else
11580 			request->ie = (void *)(request->channels + n_channels);
11581 	}
11582 
11583 	if (n_match_sets) {
11584 		if (request->ie)
11585 			request->match_sets = (void *)(request->ie + ie_len);
11586 		else if (n_ssids)
11587 			request->match_sets =
11588 				(void *)(request->ssids + n_ssids);
11589 		else
11590 			request->match_sets =
11591 				(void *)(request->channels + n_channels);
11592 	}
11593 	request->n_match_sets = n_match_sets;
11594 
11595 	if (n_match_sets)
11596 		request->scan_plans = (void *)(request->match_sets +
11597 					       n_match_sets);
11598 	else if (request->ie)
11599 		request->scan_plans = (void *)(request->ie + ie_len);
11600 	else if (n_ssids)
11601 		request->scan_plans = (void *)(request->ssids + n_ssids);
11602 	else
11603 		request->scan_plans = (void *)(request->channels + n_channels);
11604 
11605 	request->n_scan_plans = n_plans;
11606 
11607 	i = 0;
11608 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11609 		/* user specified, bail out if channel not found */
11610 		nla_for_each_nested(attr,
11611 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11612 				    tmp) {
11613 			struct ieee80211_channel *chan;
11614 
11615 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11616 
11617 			if (!chan) {
11618 				err = -EINVAL;
11619 				goto out_free;
11620 			}
11621 
11622 			/* ignore disabled channels */
11623 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11624 				continue;
11625 
11626 			request->channels[i] = chan;
11627 			i++;
11628 		}
11629 	} else {
11630 		/* all channels */
11631 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11632 			int j;
11633 
11634 			if (!wiphy->bands[band])
11635 				continue;
11636 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11637 				struct ieee80211_channel *chan;
11638 
11639 				chan = &wiphy->bands[band]->channels[j];
11640 
11641 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11642 					continue;
11643 
11644 				request->channels[i] = chan;
11645 				i++;
11646 			}
11647 		}
11648 	}
11649 
11650 	if (!i) {
11651 		err = -EINVAL;
11652 		goto out_free;
11653 	}
11654 
11655 	request->n_channels = i;
11656 
11657 	i = 0;
11658 	if (n_ssids) {
11659 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11660 				    tmp) {
11661 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11662 				err = -EINVAL;
11663 				goto out_free;
11664 			}
11665 			request->ssids[i].ssid_len = nla_len(attr);
11666 			memcpy(request->ssids[i].ssid, nla_data(attr),
11667 			       nla_len(attr));
11668 			i++;
11669 		}
11670 	}
11671 
11672 	i = 0;
11673 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11674 		nla_for_each_nested(attr,
11675 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11676 				    tmp) {
11677 			struct nlattr *ssid, *bssid, *rssi;
11678 
11679 			err = nla_parse_nested_deprecated(tb,
11680 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11681 							  attr,
11682 							  nl80211_match_policy,
11683 							  NULL);
11684 			if (err)
11685 				goto out_free;
11686 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11687 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11688 
11689 			if (!ssid && !bssid) {
11690 				i++;
11691 				continue;
11692 			}
11693 
11694 			if (WARN_ON(i >= n_match_sets)) {
11695 				/* this indicates a programming error,
11696 				 * the loop above should have verified
11697 				 * things properly
11698 				 */
11699 				err = -EINVAL;
11700 				goto out_free;
11701 			}
11702 
11703 			if (ssid) {
11704 				memcpy(request->match_sets[i].ssid.ssid,
11705 				       nla_data(ssid), nla_len(ssid));
11706 				request->match_sets[i].ssid.ssid_len =
11707 					nla_len(ssid);
11708 			}
11709 			if (bssid)
11710 				memcpy(request->match_sets[i].bssid,
11711 				       nla_data(bssid), ETH_ALEN);
11712 
11713 			/* special attribute - old implementation w/a */
11714 			request->match_sets[i].rssi_thold = default_match_rssi;
11715 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11716 			if (rssi)
11717 				request->match_sets[i].rssi_thold =
11718 					nla_get_s32(rssi);
11719 			i++;
11720 		}
11721 
11722 		/* there was no other matchset, so the RSSI one is alone */
11723 		if (i == 0 && n_match_sets)
11724 			request->match_sets[0].rssi_thold = default_match_rssi;
11725 
11726 		request->min_rssi_thold = INT_MAX;
11727 		for (i = 0; i < n_match_sets; i++)
11728 			request->min_rssi_thold =
11729 				min(request->match_sets[i].rssi_thold,
11730 				    request->min_rssi_thold);
11731 	} else {
11732 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11733 	}
11734 
11735 	if (ie_len) {
11736 		request->ie_len = ie_len;
11737 		memcpy((void *)request->ie,
11738 		       nla_data(attrs[NL80211_ATTR_IE]),
11739 		       request->ie_len);
11740 	}
11741 
11742 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11743 	if (err)
11744 		goto out_free;
11745 
11746 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11747 		request->delay =
11748 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11749 
11750 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11751 		request->relative_rssi = nla_get_s8(
11752 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11753 		request->relative_rssi_set = true;
11754 	}
11755 
11756 	if (request->relative_rssi_set &&
11757 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11758 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11759 
11760 		rssi_adjust = nla_data(
11761 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11762 		request->rssi_adjust.band = rssi_adjust->band;
11763 		request->rssi_adjust.delta = rssi_adjust->delta;
11764 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11765 			err = -EINVAL;
11766 			goto out_free;
11767 		}
11768 	}
11769 
11770 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11771 	if (err)
11772 		goto out_free;
11773 
11774 	request->scan_start = jiffies;
11775 
11776 	return request;
11777 
11778 out_free:
11779 	kfree(request);
11780 	return ERR_PTR(err);
11781 }
11782 
11783 static int nl80211_start_sched_scan(struct sk_buff *skb,
11784 				    struct genl_info *info)
11785 {
11786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11787 	struct net_device *dev = info->user_ptr[1];
11788 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11789 	struct cfg80211_sched_scan_request *sched_scan_req;
11790 	bool want_multi;
11791 	int err;
11792 
11793 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11794 		return -EOPNOTSUPP;
11795 
11796 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11797 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11798 	if (err)
11799 		return err;
11800 
11801 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11802 						  info->attrs,
11803 						  rdev->wiphy.max_match_sets);
11804 
11805 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11806 	if (err)
11807 		goto out_err;
11808 
11809 	/* leave request id zero for legacy request
11810 	 * or if driver does not support multi-scheduled scan
11811 	 */
11812 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11813 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11814 
11815 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11816 	if (err)
11817 		goto out_free;
11818 
11819 	sched_scan_req->dev = dev;
11820 	sched_scan_req->wiphy = &rdev->wiphy;
11821 
11822 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11823 		sched_scan_req->owner_nlportid = info->snd_portid;
11824 
11825 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11826 
11827 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11828 	return 0;
11829 
11830 out_free:
11831 	kfree(sched_scan_req);
11832 out_err:
11833 	return err;
11834 }
11835 
11836 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11837 				   struct genl_info *info)
11838 {
11839 	struct cfg80211_sched_scan_request *req;
11840 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11841 	u64 cookie;
11842 
11843 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11844 		return -EOPNOTSUPP;
11845 
11846 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11847 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11848 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11849 	}
11850 
11851 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11852 				     struct cfg80211_sched_scan_request,
11853 				     list);
11854 	if (!req || req->reqid ||
11855 	    (req->owner_nlportid &&
11856 	     req->owner_nlportid != info->snd_portid))
11857 		return -ENOENT;
11858 
11859 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11860 }
11861 
11862 static int nl80211_start_radar_detection(struct sk_buff *skb,
11863 					 struct genl_info *info)
11864 {
11865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11866 	struct net_device *dev = info->user_ptr[1];
11867 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11868 	int link_id = nl80211_link_id(info->attrs);
11869 	struct wiphy *wiphy = wdev->wiphy;
11870 	struct cfg80211_chan_def chandef;
11871 	enum nl80211_dfs_regions dfs_region;
11872 	unsigned int cac_time_ms;
11873 	int err;
11874 
11875 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11876 
11877 	switch (wdev->iftype) {
11878 	case NL80211_IFTYPE_AP:
11879 	case NL80211_IFTYPE_P2P_GO:
11880 	case NL80211_IFTYPE_MESH_POINT:
11881 	case NL80211_IFTYPE_ADHOC:
11882 		break;
11883 	default:
11884 		/* caution - see cfg80211_beaconing_iface_active() below */
11885 		return -EINVAL;
11886 	}
11887 
11888 	guard(wiphy)(wiphy);
11889 
11890 	dfs_region = reg_get_dfs_region(wiphy);
11891 	if (dfs_region == NL80211_DFS_UNSET)
11892 		return -EINVAL;
11893 
11894 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef,
11895 				    false);
11896 	if (err)
11897 		return err;
11898 
11899 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11900 	if (err < 0)
11901 		return err;
11902 
11903 	if (err == 0)
11904 		return -EINVAL;
11905 
11906 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11907 		return -EINVAL;
11908 
11909 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11910 		return cfg80211_start_background_radar_detection(rdev, wdev,
11911 								 &chandef);
11912 
11913 	if (cfg80211_beaconing_iface_active(wdev)) {
11914 		/* During MLO other link(s) can beacon, only the current link
11915 		 * can not already beacon
11916 		 */
11917 		if (wdev->valid_links &&
11918 		    !wdev->links[link_id].ap.beacon_interval) {
11919 			/* nothing */
11920 		} else {
11921 			return -EBUSY;
11922 		}
11923 	}
11924 
11925 	if (wdev->links[link_id].cac_started)
11926 		return -EBUSY;
11927 
11928 	/* CAC start is offloaded to HW and can't be started manually */
11929 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11930 		return -EOPNOTSUPP;
11931 
11932 	if (!rdev->ops->start_radar_detection)
11933 		return -EOPNOTSUPP;
11934 
11935 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11936 	if (WARN_ON(!cac_time_ms))
11937 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11938 
11939 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11940 					 link_id);
11941 	if (err)
11942 		return err;
11943 
11944 	switch (wdev->iftype) {
11945 	case NL80211_IFTYPE_AP:
11946 	case NL80211_IFTYPE_P2P_GO:
11947 		wdev->links[link_id].ap.chandef = chandef;
11948 		break;
11949 	case NL80211_IFTYPE_ADHOC:
11950 		wdev->u.ibss.chandef = chandef;
11951 		break;
11952 	case NL80211_IFTYPE_MESH_POINT:
11953 		wdev->u.mesh.chandef = chandef;
11954 		break;
11955 	default:
11956 		break;
11957 	}
11958 	wdev->links[link_id].cac_started = true;
11959 	wdev->links[link_id].cac_start_time = jiffies;
11960 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11961 	cfg80211_set_cac_state(wiphy, &chandef, true);
11962 
11963 	return 0;
11964 }
11965 
11966 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11967 					  struct genl_info *info)
11968 {
11969 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11970 	struct net_device *dev = info->user_ptr[1];
11971 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11972 	struct wiphy *wiphy = wdev->wiphy;
11973 	struct cfg80211_chan_def chandef;
11974 	enum nl80211_dfs_regions dfs_region;
11975 	int err;
11976 
11977 	dfs_region = reg_get_dfs_region(wiphy);
11978 	if (dfs_region == NL80211_DFS_UNSET) {
11979 		GENL_SET_ERR_MSG(info,
11980 				 "DFS Region is not set. Unexpected Radar indication");
11981 		return -EINVAL;
11982 	}
11983 
11984 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef,
11985 				    false);
11986 	if (err) {
11987 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11988 		return err;
11989 	}
11990 
11991 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11992 	if (err < 0) {
11993 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11994 		return err;
11995 	}
11996 
11997 	if (err == 0) {
11998 		GENL_SET_ERR_MSG(info,
11999 				 "Unexpected Radar indication for chandef/iftype");
12000 		return -EINVAL;
12001 	}
12002 
12003 	/* Do not process this notification if radar is already detected
12004 	 * by kernel on this channel, and return success.
12005 	 */
12006 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
12007 		return 0;
12008 
12009 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
12010 
12011 	cfg80211_sched_dfs_chan_update(rdev);
12012 
12013 	rdev->radar_chandef = chandef;
12014 
12015 	/* Propagate this notification to other radios as well */
12016 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
12017 
12018 	return 0;
12019 }
12020 
12021 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
12022 					 const u8 *data, size_t datalen,
12023 					 int first_count, struct nlattr *attr,
12024 					 const u16 **offsets, unsigned int *n_offsets)
12025 {
12026 	int i;
12027 
12028 	*n_offsets = 0;
12029 
12030 	if (!attr)
12031 		return 0;
12032 
12033 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
12034 		return -EINVAL;
12035 
12036 	*n_offsets = nla_len(attr) / sizeof(u16);
12037 	if (rdev->wiphy.max_num_csa_counters &&
12038 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
12039 		return -EINVAL;
12040 
12041 	*offsets = nla_data(attr);
12042 
12043 	/* sanity checks - counters should fit and be the same */
12044 	for (i = 0; i < *n_offsets; i++) {
12045 		u16 offset = (*offsets)[i];
12046 
12047 		if (offset >= datalen)
12048 			return -EINVAL;
12049 
12050 		if (first_count != -1 && data[offset] != first_count)
12051 			return -EINVAL;
12052 	}
12053 
12054 	return 0;
12055 }
12056 
12057 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
12058 {
12059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12060 	unsigned int link_id = nl80211_link_id(info->attrs);
12061 	struct net_device *dev = info->user_ptr[1];
12062 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12063 	struct cfg80211_csa_settings params;
12064 	struct nlattr **csa_attrs = NULL;
12065 	int err;
12066 	bool need_new_beacon = false;
12067 	bool need_handle_dfs_flag = true;
12068 	bool permit_npca = false;
12069 	u32 cs_count;
12070 
12071 	if (!rdev->ops->channel_switch ||
12072 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
12073 		return -EOPNOTSUPP;
12074 
12075 	switch (dev->ieee80211_ptr->iftype) {
12076 	case NL80211_IFTYPE_AP:
12077 	case NL80211_IFTYPE_P2P_GO:
12078 		need_new_beacon = true;
12079 		/* For all modes except AP the handle_dfs flag needs to be
12080 		 * supplied to tell the kernel that userspace will handle radar
12081 		 * events when they happen. Otherwise a switch to a channel
12082 		 * requiring DFS will be rejected.
12083 		 */
12084 		need_handle_dfs_flag = false;
12085 
12086 		permit_npca = true;
12087 
12088 		/* useless if AP is not running */
12089 		if (!wdev->links[link_id].ap.beacon_interval)
12090 			return -ENOTCONN;
12091 		break;
12092 	case NL80211_IFTYPE_ADHOC:
12093 		if (!wdev->u.ibss.ssid_len)
12094 			return -ENOTCONN;
12095 		break;
12096 	case NL80211_IFTYPE_MESH_POINT:
12097 		if (!wdev->u.mesh.id_len)
12098 			return -ENOTCONN;
12099 		break;
12100 	default:
12101 		return -EOPNOTSUPP;
12102 	}
12103 
12104 	memset(&params, 0, sizeof(params));
12105 	params.beacon_csa.ftm_responder = -1;
12106 
12107 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12108 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
12109 		return -EINVAL;
12110 
12111 	/* only important for AP, IBSS and mesh create IEs internally */
12112 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
12113 		return -EINVAL;
12114 
12115 	/* Even though the attribute is u32, the specification says
12116 	 * u8, so let's make sure we don't overflow.
12117 	 */
12118 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
12119 	if (cs_count > 255)
12120 		return -EINVAL;
12121 
12122 	params.count = cs_count;
12123 
12124 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
12125 				    &params.chandef, permit_npca);
12126 	if (err)
12127 		goto free;
12128 
12129 	err = nl80211_check_npca(rdev, &params.chandef, wdev->iftype,
12130 				 info->extack);
12131 	if (err)
12132 		goto free;
12133 
12134 	if (!need_new_beacon)
12135 		goto skip_beacons;
12136 
12137 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
12138 				   params.chandef.chan, info->extack);
12139 	if (err)
12140 		goto free;
12141 
12142 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
12143 	if (!csa_attrs) {
12144 		err = -ENOMEM;
12145 		goto free;
12146 	}
12147 
12148 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
12149 					  info->attrs[NL80211_ATTR_CSA_IES],
12150 					  nl80211_policy, info->extack);
12151 	if (err)
12152 		goto free;
12153 
12154 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
12155 				   wdev->links[link_id].ap.chandef.chan,
12156 				   info->extack);
12157 	if (err)
12158 		goto free;
12159 
12160 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
12161 		err = -EINVAL;
12162 		goto free;
12163 	}
12164 
12165 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
12166 					    params.beacon_csa.tail_len,
12167 					    params.count,
12168 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
12169 					    &params.counter_offsets_beacon,
12170 					    &params.n_counter_offsets_beacon);
12171 	if (err)
12172 		goto free;
12173 
12174 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
12175 					    params.beacon_csa.probe_resp_len,
12176 					    params.count,
12177 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
12178 					    &params.counter_offsets_presp,
12179 					    &params.n_counter_offsets_presp);
12180 	if (err)
12181 		goto free;
12182 
12183 skip_beacons:
12184 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
12185 					   wdev->iftype)) {
12186 		err = -EINVAL;
12187 		goto free;
12188 	}
12189 
12190 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
12191 					    &params.chandef,
12192 					    wdev->iftype);
12193 	if (err < 0)
12194 		goto free;
12195 
12196 	if (err > 0) {
12197 		params.radar_required = true;
12198 		if (need_handle_dfs_flag &&
12199 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
12200 			err = -EINVAL;
12201 			goto free;
12202 		}
12203 	}
12204 
12205 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
12206 		params.block_tx = true;
12207 
12208 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
12209 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
12210 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
12211 		err = nl80211_parse_unsol_bcast_probe_resp(
12212 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
12213 			&params.unsol_bcast_probe_resp);
12214 		if (err)
12215 			goto free;
12216 	}
12217 
12218 	params.link_id = link_id;
12219 	err = rdev_channel_switch(rdev, dev, &params);
12220 
12221 free:
12222 	kfree(params.beacon_after.mbssid_ies);
12223 	kfree(params.beacon_csa.mbssid_ies);
12224 	kfree(params.beacon_after.rnr_ies);
12225 	kfree(params.beacon_csa.rnr_ies);
12226 	kfree(csa_attrs);
12227 	return err;
12228 }
12229 
12230 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
12231 			    u32 seq, int flags,
12232 			    struct cfg80211_registered_device *rdev,
12233 			    struct wireless_dev *wdev,
12234 			    struct cfg80211_internal_bss *intbss)
12235 {
12236 	struct cfg80211_bss *res = &intbss->pub;
12237 	const struct cfg80211_bss_ies *ies;
12238 	unsigned int link_id;
12239 	void *hdr;
12240 	struct nlattr *bss;
12241 
12242 	lockdep_assert_wiphy(wdev->wiphy);
12243 
12244 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
12245 			     NL80211_CMD_NEW_SCAN_RESULTS);
12246 	if (!hdr)
12247 		return -1;
12248 
12249 	genl_dump_check_consistent(cb, hdr);
12250 
12251 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
12252 		goto nla_put_failure;
12253 	if (wdev->netdev &&
12254 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
12255 		goto nla_put_failure;
12256 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12257 			      NL80211_ATTR_PAD))
12258 		goto nla_put_failure;
12259 
12260 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
12261 	if (!bss)
12262 		goto nla_put_failure;
12263 	if ((!is_zero_ether_addr(res->bssid) &&
12264 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
12265 		goto nla_put_failure;
12266 
12267 	rcu_read_lock();
12268 	/* indicate whether we have probe response data or not */
12269 	if (rcu_access_pointer(res->proberesp_ies) &&
12270 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
12271 		goto fail_unlock_rcu;
12272 
12273 	/* this pointer prefers to be pointed to probe response data
12274 	 * but is always valid
12275 	 */
12276 	ies = rcu_dereference(res->ies);
12277 	if (ies) {
12278 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
12279 				      NL80211_BSS_PAD))
12280 			goto fail_unlock_rcu;
12281 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
12282 					ies->len, ies->data))
12283 			goto fail_unlock_rcu;
12284 	}
12285 
12286 	/* and this pointer is always (unless driver didn't know) beacon data */
12287 	ies = rcu_dereference(res->beacon_ies);
12288 	if (ies && ies->from_beacon) {
12289 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
12290 				      NL80211_BSS_PAD))
12291 			goto fail_unlock_rcu;
12292 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
12293 					ies->len, ies->data))
12294 			goto fail_unlock_rcu;
12295 	}
12296 	rcu_read_unlock();
12297 
12298 	if (res->beacon_interval &&
12299 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
12300 		goto nla_put_failure;
12301 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
12302 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
12303 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
12304 			res->channel->freq_offset) ||
12305 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
12306 			jiffies_to_msecs(jiffies - intbss->ts)))
12307 		goto nla_put_failure;
12308 
12309 	if (intbss->parent_tsf &&
12310 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
12311 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
12312 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
12313 		     intbss->parent_bssid)))
12314 		goto nla_put_failure;
12315 
12316 	if (res->ts_boottime &&
12317 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
12318 			      res->ts_boottime, NL80211_BSS_PAD))
12319 		goto nla_put_failure;
12320 
12321 	if (!nl80211_put_signal(msg, intbss->pub.chains,
12322 				intbss->pub.chain_signal,
12323 				NL80211_BSS_CHAIN_SIGNAL))
12324 		goto nla_put_failure;
12325 
12326 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
12327 		switch (rdev->wiphy.signal_type) {
12328 		case CFG80211_SIGNAL_TYPE_MBM:
12329 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
12330 					res->signal))
12331 				goto nla_put_failure;
12332 			break;
12333 		case CFG80211_SIGNAL_TYPE_UNSPEC:
12334 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
12335 				       res->signal))
12336 				goto nla_put_failure;
12337 			break;
12338 		default:
12339 			break;
12340 		}
12341 	}
12342 
12343 	switch (wdev->iftype) {
12344 	case NL80211_IFTYPE_P2P_CLIENT:
12345 	case NL80211_IFTYPE_STATION:
12346 		for_each_valid_link(wdev, link_id) {
12347 			if (intbss == wdev->links[link_id].client.current_bss &&
12348 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
12349 					 NL80211_BSS_STATUS_ASSOCIATED) ||
12350 			     (wdev->valid_links &&
12351 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
12352 					  link_id) ||
12353 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
12354 				       wdev->u.client.connected_addr)))))
12355 				goto nla_put_failure;
12356 		}
12357 		break;
12358 	case NL80211_IFTYPE_ADHOC:
12359 		if (intbss == wdev->u.ibss.current_bss &&
12360 		    nla_put_u32(msg, NL80211_BSS_STATUS,
12361 				NL80211_BSS_STATUS_IBSS_JOINED))
12362 			goto nla_put_failure;
12363 		break;
12364 	default:
12365 		break;
12366 	}
12367 
12368 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
12369 		goto nla_put_failure;
12370 
12371 	if (res->cannot_use_reasons &&
12372 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
12373 			      res->cannot_use_reasons,
12374 			      NL80211_BSS_PAD))
12375 		goto nla_put_failure;
12376 
12377 	nla_nest_end(msg, bss);
12378 
12379 	genlmsg_end(msg, hdr);
12380 	return 0;
12381 
12382  fail_unlock_rcu:
12383 	rcu_read_unlock();
12384  nla_put_failure:
12385 	genlmsg_cancel(msg, hdr);
12386 	return -EMSGSIZE;
12387 }
12388 
12389 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
12390 {
12391 	struct cfg80211_registered_device *rdev;
12392 	struct cfg80211_internal_bss *scan;
12393 	struct wireless_dev *wdev;
12394 	struct nlattr **attrbuf;
12395 	int start = cb->args[2], idx = 0;
12396 	bool dump_include_use_data;
12397 	int err;
12398 
12399 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12400 	if (!attrbuf)
12401 		return -ENOMEM;
12402 
12403 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12404 	if (err) {
12405 		kfree(attrbuf);
12406 		return err;
12407 	}
12408 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12409 	__acquire(&rdev->wiphy.mtx);
12410 
12411 	dump_include_use_data =
12412 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
12413 	kfree(attrbuf);
12414 
12415 	spin_lock_bh(&rdev->bss_lock);
12416 
12417 	/*
12418 	 * dump_scan will be called multiple times to break up the scan results
12419 	 * into multiple messages.  It is unlikely that any more bss-es will be
12420 	 * expired after the first call, so only call only call this on the
12421 	 * first dump_scan invocation.
12422 	 */
12423 	if (start == 0)
12424 		cfg80211_bss_expire(rdev);
12425 
12426 	cb->seq = rdev->bss_generation;
12427 
12428 	list_for_each_entry(scan, &rdev->bss_list, list) {
12429 		if (++idx <= start)
12430 			continue;
12431 		if (!dump_include_use_data &&
12432 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
12433 			continue;
12434 		if (nl80211_send_bss(skb, cb,
12435 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12436 				rdev, wdev, scan) < 0) {
12437 			idx--;
12438 			break;
12439 		}
12440 	}
12441 
12442 	spin_unlock_bh(&rdev->bss_lock);
12443 
12444 	cb->args[2] = idx;
12445 	wiphy_unlock(&rdev->wiphy);
12446 
12447 	return skb->len;
12448 }
12449 
12450 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
12451 			       int flags, struct net_device *dev,
12452 			       bool allow_radio_stats,
12453 			       struct survey_info *survey)
12454 {
12455 	void *hdr;
12456 	struct nlattr *infoattr;
12457 
12458 	/* skip radio stats if userspace didn't request them */
12459 	if (!survey->channel && !allow_radio_stats)
12460 		return 0;
12461 
12462 	hdr = nl80211hdr_put(msg, portid, seq, flags,
12463 			     NL80211_CMD_NEW_SURVEY_RESULTS);
12464 	if (!hdr)
12465 		return -ENOMEM;
12466 
12467 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
12468 		goto nla_put_failure;
12469 
12470 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
12471 	if (!infoattr)
12472 		goto nla_put_failure;
12473 
12474 	if (survey->channel &&
12475 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
12476 			survey->channel->center_freq))
12477 		goto nla_put_failure;
12478 
12479 	if (survey->channel && survey->channel->freq_offset &&
12480 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
12481 			survey->channel->freq_offset))
12482 		goto nla_put_failure;
12483 
12484 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
12485 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
12486 		goto nla_put_failure;
12487 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
12488 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
12489 		goto nla_put_failure;
12490 	if ((survey->filled & SURVEY_INFO_TIME) &&
12491 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
12492 			survey->time, NL80211_SURVEY_INFO_PAD))
12493 		goto nla_put_failure;
12494 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
12495 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
12496 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
12497 		goto nla_put_failure;
12498 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
12499 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
12500 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
12501 		goto nla_put_failure;
12502 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
12503 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
12504 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
12505 		goto nla_put_failure;
12506 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
12507 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
12508 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
12509 		goto nla_put_failure;
12510 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
12511 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
12512 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
12513 		goto nla_put_failure;
12514 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
12515 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
12516 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
12517 		goto nla_put_failure;
12518 
12519 	nla_nest_end(msg, infoattr);
12520 
12521 	genlmsg_end(msg, hdr);
12522 	return 0;
12523 
12524  nla_put_failure:
12525 	genlmsg_cancel(msg, hdr);
12526 	return -EMSGSIZE;
12527 }
12528 
12529 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
12530 {
12531 	struct nlattr **attrbuf;
12532 	struct survey_info survey;
12533 	struct cfg80211_registered_device *rdev;
12534 	struct wireless_dev *wdev;
12535 	int survey_idx = cb->args[2];
12536 	int res;
12537 	bool radio_stats;
12538 
12539 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
12540 	if (!attrbuf)
12541 		return -ENOMEM;
12542 
12543 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
12544 	if (res) {
12545 		kfree(attrbuf);
12546 		return res;
12547 	}
12548 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
12549 	__acquire(&rdev->wiphy.mtx);
12550 
12551 	/* prepare_wdev_dump parsed the attributes */
12552 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
12553 
12554 	if (!wdev->netdev) {
12555 		res = -EINVAL;
12556 		goto out_err;
12557 	}
12558 
12559 	if (!rdev->ops->dump_survey) {
12560 		res = -EOPNOTSUPP;
12561 		goto out_err;
12562 	}
12563 
12564 	while (1) {
12565 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
12566 		if (res == -ENOENT)
12567 			break;
12568 		if (res)
12569 			goto out_err;
12570 
12571 		/* don't send disabled channels, but do send non-channel data */
12572 		if (survey.channel &&
12573 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
12574 			survey_idx++;
12575 			continue;
12576 		}
12577 
12578 		if (nl80211_send_survey(skb,
12579 				NETLINK_CB(cb->skb).portid,
12580 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
12581 				wdev->netdev, radio_stats, &survey) < 0)
12582 			goto out;
12583 		survey_idx++;
12584 	}
12585 
12586  out:
12587 	cb->args[2] = survey_idx;
12588 	res = skb->len;
12589  out_err:
12590 	kfree(attrbuf);
12591 	wiphy_unlock(&rdev->wiphy);
12592 	return res;
12593 }
12594 
12595 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
12596 {
12597 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12598 	struct net_device *dev = info->user_ptr[1];
12599 	struct ieee80211_channel *chan;
12600 	const u8 *bssid, *ssid;
12601 	int err, ssid_len;
12602 	enum nl80211_auth_type auth_type;
12603 	struct key_parse key;
12604 	bool local_state_change;
12605 	struct cfg80211_auth_request req = {};
12606 	u32 freq;
12607 
12608 	if (!info->attrs[NL80211_ATTR_MAC])
12609 		return -EINVAL;
12610 
12611 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
12612 		return -EINVAL;
12613 
12614 	if (!info->attrs[NL80211_ATTR_SSID])
12615 		return -EINVAL;
12616 
12617 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12618 		return -EINVAL;
12619 
12620 	err = nl80211_parse_key(info, &key);
12621 	if (err)
12622 		return err;
12623 
12624 	if (key.idx >= 0) {
12625 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12626 			return -EINVAL;
12627 		if (!key.p.key || !key.p.key_len)
12628 			return -EINVAL;
12629 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12630 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12631 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12632 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12633 			return -EINVAL;
12634 		if (key.idx > 3)
12635 			return -EINVAL;
12636 	} else {
12637 		key.p.key_len = 0;
12638 		key.p.key = NULL;
12639 	}
12640 
12641 	if (key.idx >= 0) {
12642 		int i;
12643 		bool ok = false;
12644 
12645 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12646 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12647 				ok = true;
12648 				break;
12649 			}
12650 		}
12651 		if (!ok)
12652 			return -EINVAL;
12653 	}
12654 
12655 	if (!rdev->ops->auth)
12656 		return -EOPNOTSUPP;
12657 
12658 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12659 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12660 		return -EOPNOTSUPP;
12661 
12662 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12663 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12664 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12665 		freq +=
12666 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12667 
12668 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12669 	if (!chan)
12670 		return -EINVAL;
12671 
12672 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12673 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12674 
12675 	if (info->attrs[NL80211_ATTR_IE]) {
12676 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12677 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12678 	}
12679 
12680 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12681 		req.supported_selectors =
12682 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12683 		req.supported_selectors_len =
12684 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12685 	}
12686 
12687 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12688 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12689 		return -EINVAL;
12690 
12691 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12692 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12693 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12694 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12695 	     auth_type == NL80211_AUTHTYPE_EPPKE ||
12696 	     auth_type == NL80211_AUTHTYPE_IEEE8021X) &&
12697 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12698 		return -EINVAL;
12699 
12700 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12701 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12702 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12703 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12704 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12705 		    auth_type != NL80211_AUTHTYPE_EPPKE &&
12706 		    auth_type != NL80211_AUTHTYPE_IEEE8021X)
12707 			return -EINVAL;
12708 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12709 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12710 	}
12711 
12712 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12713 
12714 	/*
12715 	 * Since we no longer track auth state, ignore
12716 	 * requests to only change local state.
12717 	 */
12718 	if (local_state_change)
12719 		return 0;
12720 
12721 	req.auth_type = auth_type;
12722 	req.key = key.p.key;
12723 	req.key_len = key.p.key_len;
12724 	req.key_idx = key.idx;
12725 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12726 	if (req.link_id >= 0) {
12727 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12728 			return -EINVAL;
12729 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12730 			return -EINVAL;
12731 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12732 		if (!is_valid_ether_addr(req.ap_mld_addr))
12733 			return -EINVAL;
12734 	}
12735 
12736 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12737 				   IEEE80211_BSS_TYPE_ESS,
12738 				   IEEE80211_PRIVACY_ANY);
12739 	if (!req.bss)
12740 		return -ENOENT;
12741 
12742 	err = cfg80211_mlme_auth(rdev, dev, &req);
12743 
12744 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12745 
12746 	return err;
12747 }
12748 
12749 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12750 				     struct genl_info *info)
12751 {
12752 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12753 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12754 		return -EINVAL;
12755 	}
12756 
12757 	if (!rdev->ops->tx_control_port ||
12758 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12759 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12760 		return -EOPNOTSUPP;
12761 
12762 	return 0;
12763 }
12764 
12765 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12766 				   struct genl_info *info,
12767 				   struct cfg80211_crypto_settings *settings,
12768 				   int cipher_limit)
12769 {
12770 	memset(settings, 0, sizeof(*settings));
12771 
12772 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12773 
12774 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12775 		u16 proto;
12776 
12777 		proto = nla_get_u16(
12778 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12779 		settings->control_port_ethertype = cpu_to_be16(proto);
12780 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12781 		    proto != ETH_P_PAE)
12782 			return -EINVAL;
12783 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12784 			settings->control_port_no_encrypt = true;
12785 	} else
12786 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12787 
12788 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12789 		int r = validate_pae_over_nl80211(rdev, info);
12790 
12791 		if (r < 0)
12792 			return r;
12793 
12794 		settings->control_port_over_nl80211 = true;
12795 
12796 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12797 			settings->control_port_no_preauth = true;
12798 	}
12799 
12800 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12801 		void *data;
12802 		int len, i;
12803 
12804 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12805 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12806 		settings->n_ciphers_pairwise = len / sizeof(u32);
12807 
12808 		if (len % sizeof(u32))
12809 			return -EINVAL;
12810 
12811 		if (settings->n_ciphers_pairwise > cipher_limit)
12812 			return -EINVAL;
12813 
12814 		memcpy(settings->ciphers_pairwise, data, len);
12815 
12816 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12817 			if (!cfg80211_supported_cipher_suite(
12818 					&rdev->wiphy,
12819 					settings->ciphers_pairwise[i]))
12820 				return -EINVAL;
12821 	}
12822 
12823 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12824 		settings->cipher_group =
12825 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12826 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12827 						     settings->cipher_group))
12828 			return -EINVAL;
12829 	}
12830 
12831 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12832 		settings->wpa_versions =
12833 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12834 
12835 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12836 		void *data;
12837 		int len;
12838 
12839 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12840 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12841 		settings->n_akm_suites = len / sizeof(u32);
12842 
12843 		if (len % sizeof(u32))
12844 			return -EINVAL;
12845 
12846 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12847 			return -EINVAL;
12848 
12849 		memcpy(settings->akm_suites, data, len);
12850 	}
12851 
12852 	if (info->attrs[NL80211_ATTR_PMK]) {
12853 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12854 			return -EINVAL;
12855 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12856 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12857 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12858 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12859 			return -EINVAL;
12860 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12861 	}
12862 
12863 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12864 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12865 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12866 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12867 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12868 			return -EINVAL;
12869 		settings->sae_pwd =
12870 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12871 		settings->sae_pwd_len =
12872 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12873 	}
12874 
12875 	settings->sae_pwe =
12876 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12877 				   NL80211_SAE_PWE_UNSPECIFIED);
12878 
12879 	return 0;
12880 }
12881 
12882 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12883 					      const u8 *ssid, int ssid_len,
12884 					      struct nlattr **attrs,
12885 					      int assoc_link_id, int link_id)
12886 {
12887 	struct ieee80211_channel *chan;
12888 	struct cfg80211_bss *bss;
12889 	const u8 *bssid;
12890 	u32 freq, use_for = 0;
12891 
12892 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12893 		return ERR_PTR(-EINVAL);
12894 
12895 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12896 
12897 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12898 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12899 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12900 
12901 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12902 	if (!chan)
12903 		return ERR_PTR(-EINVAL);
12904 
12905 	if (assoc_link_id >= 0)
12906 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12907 	if (assoc_link_id == link_id)
12908 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12909 
12910 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12911 				 ssid, ssid_len,
12912 				 IEEE80211_BSS_TYPE_ESS,
12913 				 IEEE80211_PRIVACY_ANY,
12914 				 use_for);
12915 	if (!bss)
12916 		return ERR_PTR(-ENOENT);
12917 
12918 	return bss;
12919 }
12920 
12921 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12922 				 struct cfg80211_assoc_link *links,
12923 				 int assoc_link_id,
12924 				 const u8 *ssid, int ssid_len,
12925 				 struct genl_info *info)
12926 {
12927 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12928 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12929 	struct nlattr *link;
12930 	unsigned int link_id;
12931 	int rem, err;
12932 
12933 	if (!attrs)
12934 		return -ENOMEM;
12935 
12936 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12937 		memset(attrs, 0, attrsize);
12938 
12939 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12940 
12941 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12942 			NL_SET_BAD_ATTR(info->extack, link);
12943 			return -EINVAL;
12944 		}
12945 
12946 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12947 		/* cannot use the same link ID again */
12948 		if (links[link_id].bss) {
12949 			NL_SET_BAD_ATTR(info->extack, link);
12950 			return -EINVAL;
12951 		}
12952 		links[link_id].bss =
12953 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12954 					  assoc_link_id, link_id);
12955 		if (IS_ERR(links[link_id].bss)) {
12956 			err = PTR_ERR(links[link_id].bss);
12957 			links[link_id].bss = NULL;
12958 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12959 					    "Error fetching BSS for link");
12960 			return err;
12961 		}
12962 
12963 		if (attrs[NL80211_ATTR_IE]) {
12964 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12965 			links[link_id].elems_len =
12966 				nla_len(attrs[NL80211_ATTR_IE]);
12967 
12968 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12969 					       links[link_id].elems,
12970 					       links[link_id].elems_len)) {
12971 				NL_SET_ERR_MSG_ATTR(info->extack,
12972 						    attrs[NL80211_ATTR_IE],
12973 						    "cannot deal with fragmentation");
12974 				return -EINVAL;
12975 			}
12976 
12977 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12978 						   links[link_id].elems,
12979 						   links[link_id].elems_len)) {
12980 				NL_SET_ERR_MSG_ATTR(info->extack,
12981 						    attrs[NL80211_ATTR_IE],
12982 						    "cannot deal with non-inheritance");
12983 				return -EINVAL;
12984 			}
12985 		}
12986 	}
12987 
12988 	return 0;
12989 }
12990 
12991 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12992 {
12993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12994 	struct net_device *dev = info->user_ptr[1];
12995 	struct cfg80211_assoc_request req = {};
12996 	const u8 *ap_addr, *ssid;
12997 	unsigned int link_id;
12998 	int err, ssid_len;
12999 
13000 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13001 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13002 		return -EPERM;
13003 
13004 	if (!info->attrs[NL80211_ATTR_SSID])
13005 		return -EINVAL;
13006 
13007 	if (!rdev->ops->assoc)
13008 		return -EOPNOTSUPP;
13009 
13010 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13011 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13012 		return -EOPNOTSUPP;
13013 
13014 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13015 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13016 
13017 	if (info->attrs[NL80211_ATTR_IE]) {
13018 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13019 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13020 
13021 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
13022 					   req.ie, req.ie_len)) {
13023 			NL_SET_ERR_MSG_ATTR(info->extack,
13024 					    info->attrs[NL80211_ATTR_IE],
13025 					    "non-inheritance makes no sense");
13026 			return -EINVAL;
13027 		}
13028 	}
13029 
13030 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13031 		enum nl80211_mfp mfp =
13032 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13033 		if (mfp == NL80211_MFP_REQUIRED)
13034 			req.use_mfp = true;
13035 		else if (mfp != NL80211_MFP_NO)
13036 			return -EINVAL;
13037 	}
13038 
13039 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13040 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13041 
13042 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
13043 		req.supported_selectors =
13044 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
13045 		req.supported_selectors_len =
13046 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
13047 	}
13048 
13049 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13050 		req.flags |= ASSOC_REQ_DISABLE_HT;
13051 
13052 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13053 		memcpy(&req.ht_capa_mask,
13054 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13055 		       sizeof(req.ht_capa_mask));
13056 
13057 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13058 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13059 			return -EINVAL;
13060 		memcpy(&req.ht_capa,
13061 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13062 		       sizeof(req.ht_capa));
13063 	}
13064 
13065 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13066 		req.flags |= ASSOC_REQ_DISABLE_VHT;
13067 
13068 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13069 		req.flags |= ASSOC_REQ_DISABLE_HE;
13070 
13071 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13072 		req.flags |= ASSOC_REQ_DISABLE_EHT;
13073 
13074 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13075 		req.flags |= ASSOC_REQ_DISABLE_UHR;
13076 
13077 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13078 		memcpy(&req.vht_capa_mask,
13079 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13080 		       sizeof(req.vht_capa_mask));
13081 
13082 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13083 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13084 			return -EINVAL;
13085 		memcpy(&req.vht_capa,
13086 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13087 		       sizeof(req.vht_capa));
13088 	}
13089 
13090 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13091 		if (!((rdev->wiphy.features &
13092 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13093 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13094 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13095 					     NL80211_EXT_FEATURE_RRM))
13096 			return -EINVAL;
13097 		req.flags |= ASSOC_REQ_USE_RRM;
13098 	}
13099 
13100 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
13101 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
13102 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
13103 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
13104 			return -EINVAL;
13105 		req.fils_nonces =
13106 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
13107 	}
13108 
13109 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
13110 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
13111 			return -EINVAL;
13112 		memcpy(&req.s1g_capa_mask,
13113 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
13114 		       sizeof(req.s1g_capa_mask));
13115 	}
13116 
13117 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
13118 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
13119 			return -EINVAL;
13120 		memcpy(&req.s1g_capa,
13121 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
13122 		       sizeof(req.s1g_capa));
13123 	}
13124 
13125 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
13126 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13127 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
13128 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
13129 			return -EINVAL;
13130 		}
13131 		req.flags |= ASSOC_REQ_SPP_AMSDU;
13132 	}
13133 
13134 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
13135 
13136 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
13137 		if (req.link_id < 0)
13138 			return -EINVAL;
13139 
13140 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
13141 			return -EINVAL;
13142 
13143 		if (info->attrs[NL80211_ATTR_MAC] ||
13144 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13145 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
13146 			return -EINVAL;
13147 
13148 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
13149 		ap_addr = req.ap_mld_addr;
13150 
13151 		err = nl80211_process_links(rdev, req.links, req.link_id,
13152 					    ssid, ssid_len, info);
13153 		if (err)
13154 			goto free;
13155 
13156 		if (!req.links[req.link_id].bss) {
13157 			err = -EINVAL;
13158 			goto free;
13159 		}
13160 
13161 		if (req.links[req.link_id].elems_len) {
13162 			GENL_SET_ERR_MSG(info,
13163 					 "cannot have per-link elems on assoc link");
13164 			err = -EINVAL;
13165 			goto free;
13166 		}
13167 
13168 		if (info->attrs[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS])
13169 			req.ext_mld_capa_ops =
13170 				nla_get_u16(info->attrs[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS]);
13171 	} else {
13172 		if (req.link_id >= 0)
13173 			return -EINVAL;
13174 
13175 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
13176 					    -1, -1);
13177 		if (IS_ERR(req.bss))
13178 			return PTR_ERR(req.bss);
13179 		ap_addr = req.bss->bssid;
13180 
13181 		if (info->attrs[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS])
13182 			return -EINVAL;
13183 	}
13184 
13185 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
13186 	if (!err) {
13187 		struct nlattr *link;
13188 		int rem = 0;
13189 
13190 		err = cfg80211_mlme_assoc(rdev, dev, &req,
13191 					  info->extack);
13192 
13193 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13194 			dev->ieee80211_ptr->conn_owner_nlportid =
13195 				info->snd_portid;
13196 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13197 			       ap_addr, ETH_ALEN);
13198 		}
13199 
13200 		/* Report error from first problematic link */
13201 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
13202 			nla_for_each_nested(link,
13203 					    info->attrs[NL80211_ATTR_MLO_LINKS],
13204 					    rem) {
13205 				struct nlattr *link_id_attr =
13206 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
13207 
13208 				if (!link_id_attr)
13209 					continue;
13210 
13211 				link_id = nla_get_u8(link_id_attr);
13212 
13213 				if (link_id == req.link_id)
13214 					continue;
13215 
13216 				if (!req.links[link_id].error ||
13217 				    WARN_ON(req.links[link_id].error > 0))
13218 					continue;
13219 
13220 				WARN_ON(err >= 0);
13221 
13222 				NL_SET_BAD_ATTR(info->extack, link);
13223 				err = req.links[link_id].error;
13224 				break;
13225 			}
13226 		}
13227 	}
13228 
13229 free:
13230 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
13231 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
13232 	cfg80211_put_bss(&rdev->wiphy, req.bss);
13233 
13234 	return err;
13235 }
13236 
13237 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
13238 {
13239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13240 	struct net_device *dev = info->user_ptr[1];
13241 	const u8 *ie = NULL, *bssid;
13242 	int ie_len = 0;
13243 	u16 reason_code;
13244 	bool local_state_change;
13245 
13246 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13247 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13248 		return -EPERM;
13249 
13250 	if (!info->attrs[NL80211_ATTR_MAC])
13251 		return -EINVAL;
13252 
13253 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
13254 		return -EINVAL;
13255 
13256 	if (!rdev->ops->deauth)
13257 		return -EOPNOTSUPP;
13258 
13259 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13260 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13261 		return -EOPNOTSUPP;
13262 
13263 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13264 
13265 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
13266 	if (reason_code == 0) {
13267 		/* Reason Code 0 is reserved */
13268 		return -EINVAL;
13269 	}
13270 
13271 	if (info->attrs[NL80211_ATTR_IE]) {
13272 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13273 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13274 	}
13275 
13276 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
13277 
13278 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
13279 				    local_state_change);
13280 }
13281 
13282 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
13283 {
13284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13285 	struct net_device *dev = info->user_ptr[1];
13286 	const u8 *ie = NULL, *bssid;
13287 	int ie_len = 0;
13288 	u16 reason_code;
13289 	bool local_state_change;
13290 
13291 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13292 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13293 		return -EPERM;
13294 
13295 	if (!info->attrs[NL80211_ATTR_MAC])
13296 		return -EINVAL;
13297 
13298 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
13299 		return -EINVAL;
13300 
13301 	if (!rdev->ops->disassoc)
13302 		return -EOPNOTSUPP;
13303 
13304 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13305 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13306 		return -EOPNOTSUPP;
13307 
13308 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13309 
13310 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
13311 	if (reason_code == 0) {
13312 		/* Reason Code 0 is reserved */
13313 		return -EINVAL;
13314 	}
13315 
13316 	if (info->attrs[NL80211_ATTR_IE]) {
13317 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13318 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13319 	}
13320 
13321 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
13322 
13323 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
13324 				      local_state_change);
13325 }
13326 
13327 static bool
13328 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
13329 			 int mcast_rate[NUM_NL80211_BANDS],
13330 			 int rateval)
13331 {
13332 	struct wiphy *wiphy = &rdev->wiphy;
13333 	bool found = false;
13334 	int band, i;
13335 
13336 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
13337 		struct ieee80211_supported_band *sband;
13338 
13339 		sband = wiphy->bands[band];
13340 		if (!sband)
13341 			continue;
13342 
13343 		for (i = 0; i < sband->n_bitrates; i++) {
13344 			if (sband->bitrates[i].bitrate == rateval) {
13345 				mcast_rate[band] = i + 1;
13346 				found = true;
13347 				break;
13348 			}
13349 		}
13350 	}
13351 
13352 	return found;
13353 }
13354 
13355 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
13356 {
13357 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13358 	struct net_device *dev = info->user_ptr[1];
13359 	struct cfg80211_ibss_params ibss;
13360 	struct wiphy *wiphy;
13361 	struct cfg80211_cached_keys *connkeys = NULL;
13362 	int err;
13363 
13364 	memset(&ibss, 0, sizeof(ibss));
13365 
13366 	if (!info->attrs[NL80211_ATTR_SSID] ||
13367 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13368 		return -EINVAL;
13369 
13370 	ibss.beacon_interval = 100;
13371 
13372 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
13373 		ibss.beacon_interval =
13374 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13375 
13376 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
13377 					   ibss.beacon_interval);
13378 	if (err)
13379 		return err;
13380 
13381 	if (!rdev->ops->join_ibss)
13382 		return -EOPNOTSUPP;
13383 
13384 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13385 		return -EOPNOTSUPP;
13386 
13387 	wiphy = &rdev->wiphy;
13388 
13389 	if (info->attrs[NL80211_ATTR_MAC]) {
13390 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13391 
13392 		if (!is_valid_ether_addr(ibss.bssid))
13393 			return -EINVAL;
13394 	}
13395 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13396 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13397 
13398 	if (info->attrs[NL80211_ATTR_IE]) {
13399 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13400 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13401 	}
13402 
13403 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
13404 				    &ibss.chandef, false);
13405 	if (err)
13406 		return err;
13407 
13408 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
13409 				     NL80211_IFTYPE_ADHOC))
13410 		return -EINVAL;
13411 
13412 	switch (ibss.chandef.width) {
13413 	case NL80211_CHAN_WIDTH_5:
13414 	case NL80211_CHAN_WIDTH_10:
13415 	case NL80211_CHAN_WIDTH_20_NOHT:
13416 		break;
13417 	case NL80211_CHAN_WIDTH_20:
13418 	case NL80211_CHAN_WIDTH_40:
13419 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13420 			return -EINVAL;
13421 		break;
13422 	case NL80211_CHAN_WIDTH_80:
13423 	case NL80211_CHAN_WIDTH_80P80:
13424 	case NL80211_CHAN_WIDTH_160:
13425 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
13426 			return -EINVAL;
13427 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13428 					     NL80211_EXT_FEATURE_VHT_IBSS))
13429 			return -EINVAL;
13430 		break;
13431 	case NL80211_CHAN_WIDTH_320:
13432 		return -EINVAL;
13433 	default:
13434 		return -EINVAL;
13435 	}
13436 
13437 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
13438 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
13439 
13440 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13441 		u8 *rates =
13442 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13443 		int n_rates =
13444 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13445 		struct ieee80211_supported_band *sband =
13446 			wiphy->bands[ibss.chandef.chan->band];
13447 
13448 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13449 					     &ibss.basic_rates);
13450 		if (err)
13451 			return err;
13452 	}
13453 
13454 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13455 		memcpy(&ibss.ht_capa_mask,
13456 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13457 		       sizeof(ibss.ht_capa_mask));
13458 
13459 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13460 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13461 			return -EINVAL;
13462 		memcpy(&ibss.ht_capa,
13463 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13464 		       sizeof(ibss.ht_capa));
13465 	}
13466 
13467 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13468 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
13469 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13470 		return -EINVAL;
13471 
13472 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13473 		bool no_ht = false;
13474 
13475 		connkeys = nl80211_parse_connkeys(rdev, dev->ieee80211_ptr,
13476 						  info, &no_ht);
13477 		if (IS_ERR(connkeys))
13478 			return PTR_ERR(connkeys);
13479 
13480 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
13481 		    no_ht) {
13482 			kfree_sensitive(connkeys);
13483 			return -EINVAL;
13484 		}
13485 	}
13486 
13487 	ibss.control_port =
13488 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
13489 
13490 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13491 		int r = validate_pae_over_nl80211(rdev, info);
13492 
13493 		if (r < 0) {
13494 			kfree_sensitive(connkeys);
13495 			return r;
13496 		}
13497 
13498 		ibss.control_port_over_nl80211 = true;
13499 	}
13500 
13501 	ibss.userspace_handles_dfs =
13502 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13503 
13504 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
13505 	if (err)
13506 		kfree_sensitive(connkeys);
13507 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
13508 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13509 
13510 	return err;
13511 }
13512 
13513 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
13514 {
13515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13516 	struct net_device *dev = info->user_ptr[1];
13517 
13518 	if (!rdev->ops->leave_ibss)
13519 		return -EOPNOTSUPP;
13520 
13521 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
13522 		return -EOPNOTSUPP;
13523 
13524 	return cfg80211_leave_ibss(rdev, dev, false);
13525 }
13526 
13527 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
13528 {
13529 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13530 	struct net_device *dev = info->user_ptr[1];
13531 	int mcast_rate[NUM_NL80211_BANDS];
13532 	u32 nla_rate;
13533 
13534 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
13535 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
13536 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
13537 		return -EOPNOTSUPP;
13538 
13539 	if (!rdev->ops->set_mcast_rate)
13540 		return -EOPNOTSUPP;
13541 
13542 	memset(mcast_rate, 0, sizeof(mcast_rate));
13543 
13544 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
13545 		return -EINVAL;
13546 
13547 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
13548 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
13549 		return -EINVAL;
13550 
13551 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
13552 }
13553 
13554 static struct sk_buff *
13555 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
13556 			    struct wireless_dev *wdev, int approxlen,
13557 			    u32 portid, u32 seq, enum nl80211_commands cmd,
13558 			    enum nl80211_attrs attr,
13559 			    const struct nl80211_vendor_cmd_info *info,
13560 			    gfp_t gfp)
13561 {
13562 	struct sk_buff *skb;
13563 	void *hdr;
13564 	struct nlattr *data;
13565 
13566 	skb = nlmsg_new(approxlen + 100, gfp);
13567 	if (!skb)
13568 		return NULL;
13569 
13570 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
13571 	if (!hdr) {
13572 		kfree_skb(skb);
13573 		return NULL;
13574 	}
13575 
13576 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
13577 		goto nla_put_failure;
13578 
13579 	if (info) {
13580 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
13581 				info->vendor_id))
13582 			goto nla_put_failure;
13583 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
13584 				info->subcmd))
13585 			goto nla_put_failure;
13586 	}
13587 
13588 	if (wdev) {
13589 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13590 				      wdev_id(wdev), NL80211_ATTR_PAD))
13591 			goto nla_put_failure;
13592 		if (wdev->netdev &&
13593 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
13594 				wdev->netdev->ifindex))
13595 			goto nla_put_failure;
13596 	}
13597 
13598 	data = nla_nest_start_noflag(skb, attr);
13599 	if (!data)
13600 		goto nla_put_failure;
13601 
13602 	((void **)skb->cb)[0] = rdev;
13603 	((void **)skb->cb)[1] = hdr;
13604 	((void **)skb->cb)[2] = data;
13605 
13606 	return skb;
13607 
13608  nla_put_failure:
13609 	kfree_skb(skb);
13610 	return NULL;
13611 }
13612 
13613 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
13614 					   struct wireless_dev *wdev,
13615 					   enum nl80211_commands cmd,
13616 					   enum nl80211_attrs attr,
13617 					   unsigned int portid,
13618 					   int vendor_event_idx,
13619 					   int approxlen, gfp_t gfp)
13620 {
13621 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13622 	const struct nl80211_vendor_cmd_info *info;
13623 
13624 	switch (cmd) {
13625 	case NL80211_CMD_TESTMODE:
13626 		if (WARN_ON(vendor_event_idx != -1))
13627 			return NULL;
13628 		info = NULL;
13629 		break;
13630 	case NL80211_CMD_VENDOR:
13631 		if (WARN_ON(vendor_event_idx < 0 ||
13632 			    vendor_event_idx >= wiphy->n_vendor_events))
13633 			return NULL;
13634 		info = &wiphy->vendor_events[vendor_event_idx];
13635 		break;
13636 	default:
13637 		WARN_ON(1);
13638 		return NULL;
13639 	}
13640 
13641 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13642 					   cmd, attr, info, gfp);
13643 }
13644 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13645 
13646 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13647 {
13648 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13649 	void *hdr = ((void **)skb->cb)[1];
13650 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13651 	struct nlattr *data = ((void **)skb->cb)[2];
13652 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13653 
13654 	/* clear CB data for netlink core to own from now on */
13655 	memset(skb->cb, 0, sizeof(skb->cb));
13656 
13657 	nla_nest_end(skb, data);
13658 	genlmsg_end(skb, hdr);
13659 
13660 	if (nlhdr->nlmsg_pid) {
13661 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13662 				nlhdr->nlmsg_pid);
13663 	} else {
13664 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13665 			mcgrp = NL80211_MCGRP_VENDOR;
13666 
13667 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13668 					skb, 0, mcgrp, gfp);
13669 	}
13670 }
13671 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13672 
13673 #ifdef CONFIG_NL80211_TESTMODE
13674 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13675 {
13676 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13677 	struct wireless_dev *wdev;
13678 	int err;
13679 
13680 	lockdep_assert_held(&rdev->wiphy.mtx);
13681 
13682 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13683 					  info->attrs);
13684 
13685 	if (!rdev->ops->testmode_cmd)
13686 		return -EOPNOTSUPP;
13687 
13688 	if (IS_ERR(wdev)) {
13689 		err = PTR_ERR(wdev);
13690 		if (err != -EINVAL)
13691 			return err;
13692 		wdev = NULL;
13693 	} else if (wdev->wiphy != &rdev->wiphy) {
13694 		return -EINVAL;
13695 	}
13696 
13697 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13698 		return -EINVAL;
13699 
13700 	rdev->cur_cmd_info = info;
13701 	err = rdev_testmode_cmd(rdev, wdev,
13702 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13703 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13704 	rdev->cur_cmd_info = NULL;
13705 
13706 	return err;
13707 }
13708 
13709 static int nl80211_testmode_dump(struct sk_buff *skb,
13710 				 struct netlink_callback *cb)
13711 {
13712 	struct cfg80211_registered_device *rdev;
13713 	struct nlattr **attrbuf = NULL;
13714 	int err;
13715 	long phy_idx;
13716 	void *data = NULL;
13717 	int data_len = 0;
13718 
13719 	rtnl_lock();
13720 
13721 	if (cb->args[0]) {
13722 		/*
13723 		 * 0 is a valid index, but not valid for args[0],
13724 		 * so we need to offset by 1.
13725 		 */
13726 		phy_idx = cb->args[0] - 1;
13727 
13728 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13729 		if (!rdev) {
13730 			err = -ENOENT;
13731 			goto out_err;
13732 		}
13733 	} else {
13734 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13735 		if (!attrbuf) {
13736 			err = -ENOMEM;
13737 			goto out_err;
13738 		}
13739 
13740 		err = nlmsg_parse_deprecated(cb->nlh,
13741 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13742 					     attrbuf, nl80211_fam.maxattr,
13743 					     nl80211_policy, NULL);
13744 		if (err)
13745 			goto out_err;
13746 
13747 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13748 		if (IS_ERR(rdev)) {
13749 			err = PTR_ERR(rdev);
13750 			goto out_err;
13751 		}
13752 		phy_idx = rdev->wiphy_idx;
13753 
13754 		if (attrbuf[NL80211_ATTR_TESTDATA])
13755 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13756 	}
13757 
13758 	if (cb->args[1]) {
13759 		data = nla_data((void *)cb->args[1]);
13760 		data_len = nla_len((void *)cb->args[1]);
13761 	}
13762 
13763 	if (!rdev->ops->testmode_dump) {
13764 		err = -EOPNOTSUPP;
13765 		goto out_err;
13766 	}
13767 
13768 	while (1) {
13769 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13770 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13771 					   NL80211_CMD_TESTMODE);
13772 		struct nlattr *tmdata;
13773 
13774 		if (!hdr)
13775 			break;
13776 
13777 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13778 			genlmsg_cancel(skb, hdr);
13779 			break;
13780 		}
13781 
13782 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13783 		if (!tmdata) {
13784 			genlmsg_cancel(skb, hdr);
13785 			break;
13786 		}
13787 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13788 		nla_nest_end(skb, tmdata);
13789 
13790 		if (err == -ENOBUFS || err == -ENOENT) {
13791 			genlmsg_cancel(skb, hdr);
13792 			break;
13793 		} else if (err) {
13794 			genlmsg_cancel(skb, hdr);
13795 			goto out_err;
13796 		}
13797 
13798 		genlmsg_end(skb, hdr);
13799 	}
13800 
13801 	err = skb->len;
13802 	/* see above */
13803 	cb->args[0] = phy_idx + 1;
13804  out_err:
13805 	kfree(attrbuf);
13806 	rtnl_unlock();
13807 	return err;
13808 }
13809 #endif
13810 
13811 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13812 {
13813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13814 	struct net_device *dev = info->user_ptr[1];
13815 	struct cfg80211_connect_params connect;
13816 	struct wiphy *wiphy;
13817 	struct cfg80211_cached_keys *connkeys = NULL;
13818 	u32 freq = 0;
13819 	int err;
13820 
13821 	memset(&connect, 0, sizeof(connect));
13822 
13823 	if (!info->attrs[NL80211_ATTR_SSID] ||
13824 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13825 		return -EINVAL;
13826 
13827 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13828 		connect.auth_type =
13829 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13830 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13831 					     NL80211_CMD_CONNECT))
13832 			return -EINVAL;
13833 	} else
13834 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13835 
13836 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13837 
13838 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13839 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13840 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13841 		return -EINVAL;
13842 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13843 
13844 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13845 				      NL80211_MAX_NR_CIPHER_SUITES);
13846 	if (err)
13847 		return err;
13848 
13849 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13850 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13851 		return -EOPNOTSUPP;
13852 
13853 	wiphy = &rdev->wiphy;
13854 
13855 	connect.bg_scan_period = -1;
13856 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13857 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13858 		connect.bg_scan_period =
13859 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13860 	}
13861 
13862 	if (info->attrs[NL80211_ATTR_MAC])
13863 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13864 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13865 		connect.bssid_hint =
13866 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13867 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13868 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13869 
13870 	if (info->attrs[NL80211_ATTR_IE]) {
13871 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13872 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13873 	}
13874 
13875 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13876 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13877 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13878 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13879 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13880 			return -EOPNOTSUPP;
13881 	} else {
13882 		connect.mfp = NL80211_MFP_NO;
13883 	}
13884 
13885 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13886 		connect.prev_bssid =
13887 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13888 
13889 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13890 		freq = MHZ_TO_KHZ(nla_get_u32(
13891 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13892 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13893 		freq +=
13894 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13895 
13896 	if (freq) {
13897 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13898 		if (!connect.channel)
13899 			return -EINVAL;
13900 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13901 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13902 		freq = MHZ_TO_KHZ(freq);
13903 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13904 		if (!connect.channel_hint)
13905 			return -EINVAL;
13906 	}
13907 
13908 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13909 		connect.edmg.channels =
13910 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13911 
13912 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13913 			connect.edmg.bw_config =
13914 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13915 	}
13916 
13917 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13918 		connkeys = nl80211_parse_connkeys(rdev, dev->ieee80211_ptr,
13919 						  info, NULL);
13920 		if (IS_ERR(connkeys))
13921 			return PTR_ERR(connkeys);
13922 	}
13923 
13924 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13925 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13926 
13927 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13928 		memcpy(&connect.ht_capa_mask,
13929 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13930 		       sizeof(connect.ht_capa_mask));
13931 
13932 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13933 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13934 			kfree_sensitive(connkeys);
13935 			return -EINVAL;
13936 		}
13937 		memcpy(&connect.ht_capa,
13938 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13939 		       sizeof(connect.ht_capa));
13940 	}
13941 
13942 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13943 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13944 
13945 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13946 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13947 
13948 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13949 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13950 
13951 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13952 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13953 
13954 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13955 		memcpy(&connect.vht_capa_mask,
13956 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13957 		       sizeof(connect.vht_capa_mask));
13958 
13959 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13960 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13961 			kfree_sensitive(connkeys);
13962 			return -EINVAL;
13963 		}
13964 		memcpy(&connect.vht_capa,
13965 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13966 		       sizeof(connect.vht_capa));
13967 	}
13968 
13969 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13970 		if (!((rdev->wiphy.features &
13971 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13972 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13973 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13974 					     NL80211_EXT_FEATURE_RRM)) {
13975 			kfree_sensitive(connkeys);
13976 			return -EINVAL;
13977 		}
13978 		connect.flags |= ASSOC_REQ_USE_RRM;
13979 	}
13980 
13981 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13982 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13983 		kfree_sensitive(connkeys);
13984 		return -EOPNOTSUPP;
13985 	}
13986 
13987 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13988 		/* bss selection makes no sense if bssid is set */
13989 		if (connect.bssid) {
13990 			kfree_sensitive(connkeys);
13991 			return -EINVAL;
13992 		}
13993 
13994 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13995 				       wiphy, &connect.bss_select);
13996 		if (err) {
13997 			kfree_sensitive(connkeys);
13998 			return err;
13999 		}
14000 	}
14001 
14002 	if (wiphy_ext_feature_isset(&rdev->wiphy,
14003 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
14004 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
14005 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
14006 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
14007 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
14008 		connect.fils_erp_username =
14009 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
14010 		connect.fils_erp_username_len =
14011 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
14012 		connect.fils_erp_realm =
14013 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
14014 		connect.fils_erp_realm_len =
14015 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
14016 		connect.fils_erp_next_seq_num =
14017 			nla_get_u16(
14018 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
14019 		connect.fils_erp_rrk =
14020 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
14021 		connect.fils_erp_rrk_len =
14022 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
14023 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
14024 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
14025 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
14026 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
14027 		kfree_sensitive(connkeys);
14028 		return -EINVAL;
14029 	}
14030 
14031 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
14032 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
14033 			kfree_sensitive(connkeys);
14034 			GENL_SET_ERR_MSG(info,
14035 					 "external auth requires connection ownership");
14036 			return -EINVAL;
14037 		}
14038 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
14039 	}
14040 
14041 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
14042 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
14043 
14044 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
14045 			       connect.prev_bssid);
14046 	if (err)
14047 		kfree_sensitive(connkeys);
14048 
14049 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
14050 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14051 		if (connect.bssid)
14052 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
14053 			       connect.bssid, ETH_ALEN);
14054 		else
14055 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
14056 	}
14057 
14058 	return err;
14059 }
14060 
14061 static int nl80211_update_connect_params(struct sk_buff *skb,
14062 					 struct genl_info *info)
14063 {
14064 	struct cfg80211_connect_params connect = {};
14065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14066 	struct net_device *dev = info->user_ptr[1];
14067 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14068 	bool fils_sk_offload;
14069 	u32 auth_type;
14070 	u32 changed = 0;
14071 
14072 	if (!rdev->ops->update_connect_params)
14073 		return -EOPNOTSUPP;
14074 
14075 	if (info->attrs[NL80211_ATTR_IE]) {
14076 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14077 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14078 		changed |= UPDATE_ASSOC_IES;
14079 	}
14080 
14081 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
14082 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
14083 
14084 	/*
14085 	 * when driver supports fils-sk offload all attributes must be
14086 	 * provided. So the else covers "fils-sk-not-all" and
14087 	 * "no-fils-sk-any".
14088 	 */
14089 	if (fils_sk_offload &&
14090 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
14091 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
14092 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
14093 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
14094 		connect.fils_erp_username =
14095 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
14096 		connect.fils_erp_username_len =
14097 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
14098 		connect.fils_erp_realm =
14099 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
14100 		connect.fils_erp_realm_len =
14101 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
14102 		connect.fils_erp_next_seq_num =
14103 			nla_get_u16(
14104 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
14105 		connect.fils_erp_rrk =
14106 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
14107 		connect.fils_erp_rrk_len =
14108 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
14109 		changed |= UPDATE_FILS_ERP_INFO;
14110 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
14111 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
14112 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
14113 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
14114 		return -EINVAL;
14115 	}
14116 
14117 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
14118 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
14119 		if (!nl80211_valid_auth_type(rdev, auth_type,
14120 					     NL80211_CMD_CONNECT))
14121 			return -EINVAL;
14122 
14123 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
14124 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
14125 			return -EINVAL;
14126 
14127 		connect.auth_type = auth_type;
14128 		changed |= UPDATE_AUTH_TYPE;
14129 	}
14130 
14131 	if (!wdev->connected)
14132 		return -ENOLINK;
14133 
14134 	return rdev_update_connect_params(rdev, dev, &connect, changed);
14135 }
14136 
14137 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
14138 {
14139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14140 	struct net_device *dev = info->user_ptr[1];
14141 	u16 reason;
14142 
14143 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
14144 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
14145 		return -EPERM;
14146 
14147 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
14148 				     WLAN_REASON_DEAUTH_LEAVING);
14149 
14150 	if (reason == 0)
14151 		return -EINVAL;
14152 
14153 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14154 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
14155 		return -EOPNOTSUPP;
14156 
14157 	return cfg80211_disconnect(rdev, dev, reason, true);
14158 }
14159 
14160 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
14161 {
14162 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14163 	struct net *net;
14164 	int err;
14165 
14166 	if (info->attrs[NL80211_ATTR_PID]) {
14167 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
14168 
14169 		net = get_net_ns_by_pid(pid);
14170 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
14171 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
14172 
14173 		net = get_net_ns_by_fd(fd);
14174 	} else {
14175 		return -EINVAL;
14176 	}
14177 
14178 	if (IS_ERR(net))
14179 		return PTR_ERR(net);
14180 
14181 	/*
14182 	 * The caller already has CAP_NET_ADMIN over the source netns
14183 	 * (enforced by GENL_UNS_ADMIN_PERM on the genl op). Mirror the
14184 	 * convention used by net/core/rtnetlink.c::rtnl_get_net_ns_capable()
14185 	 * and require CAP_NET_ADMIN over the target netns as well, so that
14186 	 * a caller that is privileged in their own user namespace cannot
14187 	 * push a wiphy into a netns where they have no privilege.
14188 	 */
14189 	if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) {
14190 		put_net(net);
14191 		return -EPERM;
14192 	}
14193 
14194 	err = 0;
14195 
14196 	/* check if anything to do */
14197 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
14198 		err = cfg80211_switch_netns(rdev, net);
14199 
14200 	put_net(net);
14201 	return err;
14202 }
14203 
14204 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
14205 {
14206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14207 	struct net_device *dev = info->user_ptr[1];
14208 	struct cfg80211_pmksa pmksa;
14209 	bool ap_pmksa_caching_support = false;
14210 
14211 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
14212 
14213 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
14214 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
14215 
14216 	if (!info->attrs[NL80211_ATTR_PMKID])
14217 		return -EINVAL;
14218 
14219 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14220 
14221 	if (info->attrs[NL80211_ATTR_MAC]) {
14222 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
14223 	} else if (info->attrs[NL80211_ATTR_SSID] &&
14224 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
14225 	           info->attrs[NL80211_ATTR_PMK]) {
14226 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
14227 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14228 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
14229 	} else {
14230 		return -EINVAL;
14231 	}
14232 
14233 	if (info->attrs[NL80211_ATTR_PMK]) {
14234 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14235 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14236 	}
14237 
14238 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
14239 		pmksa.pmk_lifetime =
14240 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
14241 
14242 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
14243 		pmksa.pmk_reauth_threshold =
14244 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
14245 
14246 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14247 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
14248 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
14249 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
14250 	       ap_pmksa_caching_support))
14251 		return -EOPNOTSUPP;
14252 
14253 	if (!rdev->ops->set_pmksa)
14254 		return -EOPNOTSUPP;
14255 
14256 	return rdev_set_pmksa(rdev, dev, &pmksa);
14257 }
14258 
14259 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
14260 {
14261 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14262 	struct net_device *dev = info->user_ptr[1];
14263 	struct cfg80211_pmksa pmksa;
14264 	bool sae_offload_support = false;
14265 	bool owe_offload_support = false;
14266 	bool ap_pmksa_caching_support = false;
14267 
14268 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
14269 
14270 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
14271 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
14272 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
14273 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
14274 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
14275 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
14276 
14277 	if (info->attrs[NL80211_ATTR_PMKID])
14278 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14279 
14280 	if (info->attrs[NL80211_ATTR_MAC]) {
14281 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
14282 	} else if (info->attrs[NL80211_ATTR_SSID]) {
14283 		/* SSID based pmksa flush supported only for FILS,
14284 		 * OWE/SAE OFFLOAD cases
14285 		 */
14286 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
14287 		    info->attrs[NL80211_ATTR_PMK]) {
14288 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
14289 		} else if (!sae_offload_support && !owe_offload_support) {
14290 			return -EINVAL;
14291 		}
14292 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
14293 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14294 	} else {
14295 		return -EINVAL;
14296 	}
14297 
14298 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14299 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
14300 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
14301 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
14302 	       ap_pmksa_caching_support))
14303 		return -EOPNOTSUPP;
14304 
14305 	if (!rdev->ops->del_pmksa)
14306 		return -EOPNOTSUPP;
14307 
14308 	return rdev_del_pmksa(rdev, dev, &pmksa);
14309 }
14310 
14311 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
14312 {
14313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14314 	struct net_device *dev = info->user_ptr[1];
14315 
14316 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
14317 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
14318 		return -EOPNOTSUPP;
14319 
14320 	if (!rdev->ops->flush_pmksa)
14321 		return -EOPNOTSUPP;
14322 
14323 	return rdev_flush_pmksa(rdev, dev);
14324 }
14325 
14326 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
14327 {
14328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14329 	struct net_device *dev = info->user_ptr[1];
14330 	u8 action_code, dialog_token;
14331 	u32 peer_capability = 0;
14332 	u16 status_code;
14333 	u8 *peer;
14334 	int link_id;
14335 	bool initiator;
14336 
14337 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14338 	    !rdev->ops->tdls_mgmt)
14339 		return -EOPNOTSUPP;
14340 
14341 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
14342 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
14343 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
14344 	    !info->attrs[NL80211_ATTR_IE] ||
14345 	    !info->attrs[NL80211_ATTR_MAC])
14346 		return -EINVAL;
14347 
14348 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14349 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
14350 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14351 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
14352 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
14353 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
14354 		peer_capability =
14355 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
14356 	link_id = nl80211_link_id_or_invalid(info->attrs);
14357 
14358 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
14359 			      dialog_token, status_code, peer_capability,
14360 			      initiator,
14361 			      nla_data(info->attrs[NL80211_ATTR_IE]),
14362 			      nla_len(info->attrs[NL80211_ATTR_IE]));
14363 }
14364 
14365 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
14366 {
14367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14368 	struct net_device *dev = info->user_ptr[1];
14369 	enum nl80211_tdls_operation operation;
14370 	u8 *peer;
14371 
14372 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
14373 	    !rdev->ops->tdls_oper)
14374 		return -EOPNOTSUPP;
14375 
14376 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
14377 	    !info->attrs[NL80211_ATTR_MAC])
14378 		return -EINVAL;
14379 
14380 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
14381 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14382 
14383 	return rdev_tdls_oper(rdev, dev, peer, operation);
14384 }
14385 
14386 static int nl80211_remain_on_channel(struct sk_buff *skb,
14387 				     struct genl_info *info)
14388 {
14389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14390 	unsigned int link_id = nl80211_link_id(info->attrs);
14391 	struct wireless_dev *wdev = info->user_ptr[1];
14392 	struct cfg80211_chan_def chandef;
14393 	const u8 *rx_addr = NULL;
14394 	struct sk_buff *msg;
14395 	void *hdr;
14396 	u64 cookie;
14397 	u32 duration;
14398 	int err;
14399 
14400 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
14401 	    !info->attrs[NL80211_ATTR_DURATION])
14402 		return -EINVAL;
14403 
14404 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14405 
14406 	if (info->attrs[NL80211_ATTR_MAC])
14407 		rx_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14408 
14409 	if (rx_addr &&
14410 	    !wiphy_ext_feature_isset(wdev->wiphy,
14411 				     NL80211_EXT_FEATURE_ROC_ADDR_FILTER))
14412 		return -EOPNOTSUPP;
14413 
14414 	if (!rdev->ops->remain_on_channel ||
14415 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
14416 		return -EOPNOTSUPP;
14417 
14418 	/*
14419 	 * We should be on that channel for at least a minimum amount of
14420 	 * time (10ms) but no longer than the driver supports.
14421 	 */
14422 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14423 	    duration > rdev->wiphy.max_remain_on_channel_duration)
14424 		return -EINVAL;
14425 
14426 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef,
14427 				    false);
14428 	if (err)
14429 		return err;
14430 
14431 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
14432 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
14433 
14434 		oper_chandef = wdev_chandef(wdev, link_id);
14435 
14436 		if (WARN_ON(!oper_chandef)) {
14437 			/* cannot happen since we must beacon to get here */
14438 			WARN_ON(1);
14439 			return -EBUSY;
14440 		}
14441 
14442 		/* note: returns first one if identical chandefs */
14443 		compat_chandef = cfg80211_chandef_compatible(&chandef,
14444 							     oper_chandef);
14445 
14446 		if (compat_chandef != &chandef)
14447 			return -EBUSY;
14448 	}
14449 
14450 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14451 	if (!msg)
14452 		return -ENOMEM;
14453 
14454 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14455 			     NL80211_CMD_REMAIN_ON_CHANNEL);
14456 	if (!hdr) {
14457 		err = -ENOBUFS;
14458 		goto free_msg;
14459 	}
14460 
14461 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
14462 				     duration, &cookie, rx_addr);
14463 
14464 	if (err)
14465 		goto free_msg;
14466 
14467 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14468 			      NL80211_ATTR_PAD))
14469 		goto nla_put_failure;
14470 
14471 	genlmsg_end(msg, hdr);
14472 
14473 	return genlmsg_reply(msg, info);
14474 
14475  nla_put_failure:
14476 	err = -ENOBUFS;
14477  free_msg:
14478 	nlmsg_free(msg);
14479 	return err;
14480 }
14481 
14482 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
14483 					    struct genl_info *info)
14484 {
14485 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14486 	struct wireless_dev *wdev = info->user_ptr[1];
14487 	u64 cookie;
14488 
14489 	if (!info->attrs[NL80211_ATTR_COOKIE])
14490 		return -EINVAL;
14491 
14492 	if (!rdev->ops->cancel_remain_on_channel)
14493 		return -EOPNOTSUPP;
14494 
14495 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14496 
14497 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
14498 }
14499 
14500 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
14501 				       struct genl_info *info)
14502 {
14503 	struct cfg80211_bitrate_mask mask;
14504 	unsigned int link_id = nl80211_link_id(info->attrs);
14505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14506 	struct net_device *dev = info->user_ptr[1];
14507 	int err;
14508 
14509 	if (!rdev->ops->set_bitrate_mask)
14510 		return -EOPNOTSUPP;
14511 
14512 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14513 					    NL80211_ATTR_TX_RATES, &mask,
14514 					    dev, true, link_id);
14515 	if (err)
14516 		return err;
14517 
14518 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
14519 }
14520 
14521 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
14522 {
14523 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14524 	struct wireless_dev *wdev = info->user_ptr[1];
14525 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
14526 
14527 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
14528 		return -EINVAL;
14529 
14530 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
14531 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
14532 
14533 	switch (wdev->iftype) {
14534 	case NL80211_IFTYPE_STATION:
14535 	case NL80211_IFTYPE_ADHOC:
14536 	case NL80211_IFTYPE_P2P_CLIENT:
14537 	case NL80211_IFTYPE_AP:
14538 	case NL80211_IFTYPE_AP_VLAN:
14539 	case NL80211_IFTYPE_MESH_POINT:
14540 	case NL80211_IFTYPE_P2P_GO:
14541 	case NL80211_IFTYPE_P2P_DEVICE:
14542 		break;
14543 	case NL80211_IFTYPE_NAN:
14544 	case NL80211_IFTYPE_NAN_DATA:
14545 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14546 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14547 		    !(wdev->wiphy->nan_capa.flags &
14548 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14549 			return -EOPNOTSUPP;
14550 		break;
14551 	case NL80211_IFTYPE_PD:
14552 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14553 					     NL80211_EXT_FEATURE_SECURE_RTT))
14554 			return -EOPNOTSUPP;
14555 		break;
14556 	default:
14557 		return -EOPNOTSUPP;
14558 	}
14559 
14560 	/* not much point in registering if we can't reply */
14561 	if (!rdev->ops->mgmt_tx)
14562 		return -EOPNOTSUPP;
14563 
14564 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
14565 	    !wiphy_ext_feature_isset(&rdev->wiphy,
14566 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
14567 		GENL_SET_ERR_MSG(info,
14568 				 "multicast RX registrations are not supported");
14569 		return -EOPNOTSUPP;
14570 	}
14571 
14572 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
14573 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14574 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
14575 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
14576 					   info->extack);
14577 }
14578 
14579 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
14580 {
14581 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14582 	struct wireless_dev *wdev = info->user_ptr[1];
14583 	struct cfg80211_chan_def chandef;
14584 	int err;
14585 	void *hdr = NULL;
14586 	u64 cookie;
14587 	struct sk_buff *msg = NULL;
14588 	struct cfg80211_mgmt_tx_params params = {
14589 		.dont_wait_for_ack =
14590 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
14591 	};
14592 
14593 	if (!info->attrs[NL80211_ATTR_FRAME])
14594 		return -EINVAL;
14595 
14596 	if (!rdev->ops->mgmt_tx)
14597 		return -EOPNOTSUPP;
14598 
14599 	switch (wdev->iftype) {
14600 	case NL80211_IFTYPE_P2P_DEVICE:
14601 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
14602 			return -EINVAL;
14603 		break;
14604 	case NL80211_IFTYPE_STATION:
14605 	case NL80211_IFTYPE_ADHOC:
14606 	case NL80211_IFTYPE_P2P_CLIENT:
14607 	case NL80211_IFTYPE_AP:
14608 	case NL80211_IFTYPE_AP_VLAN:
14609 	case NL80211_IFTYPE_MESH_POINT:
14610 	case NL80211_IFTYPE_P2P_GO:
14611 		break;
14612 	case NL80211_IFTYPE_NAN:
14613 	case NL80211_IFTYPE_NAN_DATA:
14614 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14615 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
14616 		    !(wdev->wiphy->nan_capa.flags &
14617 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
14618 			return -EOPNOTSUPP;
14619 		break;
14620 	case NL80211_IFTYPE_PD:
14621 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14622 					     NL80211_EXT_FEATURE_SECURE_RTT))
14623 			return -EOPNOTSUPP;
14624 		break;
14625 	default:
14626 		return -EOPNOTSUPP;
14627 	}
14628 
14629 	if (info->attrs[NL80211_ATTR_DURATION]) {
14630 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14631 			return -EINVAL;
14632 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
14633 
14634 		/*
14635 		 * We should wait on the channel for at least a minimum amount
14636 		 * of time (10ms) but no longer than the driver supports.
14637 		 */
14638 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
14639 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
14640 			return -EINVAL;
14641 	}
14642 
14643 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
14644 
14645 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
14646 		return -EINVAL;
14647 
14648 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
14649 
14650 	/* get the channel if any has been specified, otherwise pass NULL to
14651 	 * the driver. The latter will use the current one
14652 	 */
14653 	chandef.chan = NULL;
14654 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14655 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
14656 					    &chandef, false);
14657 		if (err)
14658 			return err;
14659 	}
14660 
14661 	if (!chandef.chan && params.offchan)
14662 		return -EINVAL;
14663 
14664 	if (params.offchan &&
14665 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14666 		return -EBUSY;
14667 
14668 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14669 	/*
14670 	 * This now races due to the unlock, but we cannot check
14671 	 * the valid links for the _station_ anyway, so that's up
14672 	 * to the driver.
14673 	 */
14674 	if (params.link_id >= 0 &&
14675 	    !(wdev->valid_links & BIT(params.link_id)))
14676 		return -EINVAL;
14677 
14678 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14679 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14680 
14681 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14682 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14683 					    &params.csa_offsets,
14684 					    &params.n_csa_offsets);
14685 	if (err)
14686 		return err;
14687 
14688 	if (!params.dont_wait_for_ack) {
14689 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14690 		if (!msg)
14691 			return -ENOMEM;
14692 
14693 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14694 				     NL80211_CMD_FRAME);
14695 		if (!hdr) {
14696 			err = -ENOBUFS;
14697 			goto free_msg;
14698 		}
14699 	}
14700 
14701 	params.chan = chandef.chan;
14702 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14703 	if (err)
14704 		goto free_msg;
14705 
14706 	if (msg) {
14707 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14708 				      NL80211_ATTR_PAD))
14709 			goto nla_put_failure;
14710 
14711 		genlmsg_end(msg, hdr);
14712 		return genlmsg_reply(msg, info);
14713 	}
14714 
14715 	return 0;
14716 
14717  nla_put_failure:
14718 	err = -ENOBUFS;
14719  free_msg:
14720 	nlmsg_free(msg);
14721 	return err;
14722 }
14723 
14724 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14725 {
14726 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14727 	struct wireless_dev *wdev = info->user_ptr[1];
14728 	u64 cookie;
14729 
14730 	if (!info->attrs[NL80211_ATTR_COOKIE])
14731 		return -EINVAL;
14732 
14733 	if (!rdev->ops->mgmt_tx_cancel_wait)
14734 		return -EOPNOTSUPP;
14735 
14736 	switch (wdev->iftype) {
14737 	case NL80211_IFTYPE_STATION:
14738 	case NL80211_IFTYPE_ADHOC:
14739 	case NL80211_IFTYPE_P2P_CLIENT:
14740 	case NL80211_IFTYPE_AP:
14741 	case NL80211_IFTYPE_AP_VLAN:
14742 	case NL80211_IFTYPE_P2P_GO:
14743 	case NL80211_IFTYPE_P2P_DEVICE:
14744 		break;
14745 	case NL80211_IFTYPE_NAN:
14746 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14747 					     NL80211_EXT_FEATURE_SECURE_NAN))
14748 			return -EOPNOTSUPP;
14749 		break;
14750 	case NL80211_IFTYPE_PD:
14751 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14752 					     NL80211_EXT_FEATURE_SECURE_RTT))
14753 			return -EOPNOTSUPP;
14754 		break;
14755 	default:
14756 		return -EOPNOTSUPP;
14757 	}
14758 
14759 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14760 
14761 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14762 }
14763 
14764 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14765 {
14766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14767 	struct wireless_dev *wdev;
14768 	struct net_device *dev = info->user_ptr[1];
14769 	u8 ps_state;
14770 	bool state;
14771 	int err;
14772 
14773 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14774 		return -EINVAL;
14775 
14776 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14777 
14778 	wdev = dev->ieee80211_ptr;
14779 
14780 	if (!rdev->ops->set_power_mgmt)
14781 		return -EOPNOTSUPP;
14782 
14783 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14784 
14785 	if (state == wdev->ps)
14786 		return 0;
14787 
14788 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14789 	if (!err)
14790 		wdev->ps = state;
14791 	return err;
14792 }
14793 
14794 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14795 {
14796 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14797 	enum nl80211_ps_state ps_state;
14798 	struct wireless_dev *wdev;
14799 	struct net_device *dev = info->user_ptr[1];
14800 	struct sk_buff *msg;
14801 	void *hdr;
14802 	int err;
14803 
14804 	wdev = dev->ieee80211_ptr;
14805 
14806 	if (!rdev->ops->set_power_mgmt)
14807 		return -EOPNOTSUPP;
14808 
14809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14810 	if (!msg)
14811 		return -ENOMEM;
14812 
14813 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14814 			     NL80211_CMD_GET_POWER_SAVE);
14815 	if (!hdr) {
14816 		err = -ENOBUFS;
14817 		goto free_msg;
14818 	}
14819 
14820 	if (wdev->ps)
14821 		ps_state = NL80211_PS_ENABLED;
14822 	else
14823 		ps_state = NL80211_PS_DISABLED;
14824 
14825 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14826 		goto nla_put_failure;
14827 
14828 	genlmsg_end(msg, hdr);
14829 	return genlmsg_reply(msg, info);
14830 
14831  nla_put_failure:
14832 	err = -ENOBUFS;
14833  free_msg:
14834 	nlmsg_free(msg);
14835 	return err;
14836 }
14837 
14838 static const struct nla_policy
14839 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14840 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14841 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14842 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14843 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14844 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14845 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14846 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14847 };
14848 
14849 static int nl80211_set_cqm_txe(struct genl_info *info,
14850 			       u32 rate, u32 pkts, u32 intvl)
14851 {
14852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14853 	struct net_device *dev = info->user_ptr[1];
14854 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14855 
14856 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14857 		return -EINVAL;
14858 
14859 	if (!rdev->ops->set_cqm_txe_config)
14860 		return -EOPNOTSUPP;
14861 
14862 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14863 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14864 		return -EOPNOTSUPP;
14865 
14866 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14867 }
14868 
14869 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14870 				    struct net_device *dev,
14871 				    struct cfg80211_cqm_config *cqm_config)
14872 {
14873 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14874 	s32 last, low, high;
14875 	u32 hyst;
14876 	int i, n, low_index;
14877 	int err;
14878 
14879 	/*
14880 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14881 	 * event has been received yet, we should receive an event after a
14882 	 * connection is established and enough beacons received to calculate
14883 	 * the average.
14884 	 */
14885 	if (!cqm_config->last_rssi_event_value &&
14886 	    wdev->links[0].client.current_bss &&
14887 	    rdev->ops->get_station) {
14888 		struct station_info sinfo = {};
14889 		u8 *mac_addr;
14890 
14891 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14892 
14893 		err = rdev_get_station(rdev, wdev, mac_addr, &sinfo);
14894 		if (err)
14895 			return err;
14896 
14897 		cfg80211_sinfo_release_content(&sinfo);
14898 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14899 			cqm_config->last_rssi_event_value =
14900 				(s8) sinfo.rx_beacon_signal_avg;
14901 	}
14902 
14903 	last = cqm_config->last_rssi_event_value;
14904 	hyst = cqm_config->rssi_hyst;
14905 	n = cqm_config->n_rssi_thresholds;
14906 
14907 	for (i = 0; i < n; i++) {
14908 		i = array_index_nospec(i, n);
14909 		if (last < cqm_config->rssi_thresholds[i])
14910 			break;
14911 	}
14912 
14913 	low_index = i - 1;
14914 	if (low_index >= 0) {
14915 		low_index = array_index_nospec(low_index, n);
14916 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14917 	} else {
14918 		low = S32_MIN;
14919 	}
14920 	if (i < n) {
14921 		i = array_index_nospec(i, n);
14922 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14923 	} else {
14924 		high = S32_MAX;
14925 	}
14926 
14927 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14928 }
14929 
14930 static int nl80211_set_cqm_rssi(struct genl_info *info,
14931 				const s32 *thresholds, int n_thresholds,
14932 				u32 hysteresis)
14933 {
14934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14935 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14936 	struct net_device *dev = info->user_ptr[1];
14937 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14938 	s32 prev = S32_MIN;
14939 	int i, err;
14940 
14941 	/* Check all values negative and sorted */
14942 	for (i = 0; i < n_thresholds; i++) {
14943 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14944 			return -EINVAL;
14945 
14946 		prev = thresholds[i];
14947 	}
14948 
14949 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14950 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14951 		return -EOPNOTSUPP;
14952 
14953 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14954 		n_thresholds = 0;
14955 
14956 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14957 
14958 	/* if already disabled just succeed */
14959 	if (!n_thresholds && !old)
14960 		return 0;
14961 
14962 	if (n_thresholds > 1) {
14963 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14964 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14965 		    !rdev->ops->set_cqm_rssi_range_config)
14966 			return -EOPNOTSUPP;
14967 	} else {
14968 		if (!rdev->ops->set_cqm_rssi_config)
14969 			return -EOPNOTSUPP;
14970 	}
14971 
14972 	if (n_thresholds) {
14973 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14974 					  n_thresholds);
14975 		if (!cqm_config)
14976 			return -ENOMEM;
14977 
14978 		cqm_config->rssi_hyst = hysteresis;
14979 		cqm_config->n_rssi_thresholds = n_thresholds;
14980 		memcpy(cqm_config->rssi_thresholds, thresholds,
14981 		       flex_array_size(cqm_config, rssi_thresholds,
14982 				       n_thresholds));
14983 		cqm_config->use_range_api = n_thresholds > 1 ||
14984 					    !rdev->ops->set_cqm_rssi_config;
14985 
14986 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14987 
14988 		if (cqm_config->use_range_api)
14989 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14990 		else
14991 			err = rdev_set_cqm_rssi_config(rdev, dev,
14992 						       thresholds[0],
14993 						       hysteresis);
14994 	} else {
14995 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14996 		/* if enabled as range also disable via range */
14997 		if (old->use_range_api)
14998 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14999 		else
15000 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
15001 	}
15002 
15003 	if (err) {
15004 		rcu_assign_pointer(wdev->cqm_config, old);
15005 		kfree_rcu(cqm_config, rcu_head);
15006 	} else {
15007 		kfree_rcu(old, rcu_head);
15008 	}
15009 
15010 	return err;
15011 }
15012 
15013 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
15014 {
15015 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
15016 	struct nlattr *cqm;
15017 	int err;
15018 
15019 	cqm = info->attrs[NL80211_ATTR_CQM];
15020 	if (!cqm)
15021 		return -EINVAL;
15022 
15023 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
15024 					  nl80211_attr_cqm_policy,
15025 					  info->extack);
15026 	if (err)
15027 		return err;
15028 
15029 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
15030 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
15031 		const s32 *thresholds =
15032 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
15033 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
15034 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
15035 
15036 		if (len % 4)
15037 			return -EINVAL;
15038 
15039 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
15040 					    hysteresis);
15041 	}
15042 
15043 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
15044 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
15045 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
15046 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
15047 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
15048 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
15049 
15050 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
15051 	}
15052 
15053 	return -EINVAL;
15054 }
15055 
15056 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
15057 {
15058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15059 	struct net_device *dev = info->user_ptr[1];
15060 	struct ocb_setup setup = {};
15061 	int err;
15062 
15063 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
15064 				    &setup.chandef, false);
15065 	if (err)
15066 		return err;
15067 
15068 	return cfg80211_join_ocb(rdev, dev, &setup);
15069 }
15070 
15071 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
15072 {
15073 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15074 	struct net_device *dev = info->user_ptr[1];
15075 
15076 	return cfg80211_leave_ocb(rdev, dev);
15077 }
15078 
15079 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
15080 {
15081 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15082 	struct net_device *dev = info->user_ptr[1];
15083 	struct mesh_config cfg;
15084 	struct mesh_setup setup;
15085 	int err;
15086 
15087 	/* start with default */
15088 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
15089 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
15090 
15091 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
15092 		/* and parse parameters if given */
15093 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
15094 		if (err)
15095 			return err;
15096 	}
15097 
15098 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
15099 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
15100 		return -EINVAL;
15101 
15102 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
15103 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
15104 
15105 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
15106 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
15107 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
15108 			return -EINVAL;
15109 
15110 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
15111 		setup.beacon_interval =
15112 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
15113 
15114 		err = cfg80211_validate_beacon_int(rdev,
15115 						   NL80211_IFTYPE_MESH_POINT,
15116 						   setup.beacon_interval);
15117 		if (err)
15118 			return err;
15119 	}
15120 
15121 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
15122 		setup.dtim_period =
15123 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
15124 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
15125 			return -EINVAL;
15126 	}
15127 
15128 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
15129 		/* parse additional setup parameters if given */
15130 		err = nl80211_parse_mesh_setup(info, &setup);
15131 		if (err)
15132 			return err;
15133 	}
15134 
15135 	if (setup.user_mpm)
15136 		cfg.auto_open_plinks = false;
15137 
15138 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
15139 		err = nl80211_parse_chandef(rdev, info->extack, info->attrs,
15140 					    &setup.chandef, false);
15141 		if (err)
15142 			return err;
15143 	} else {
15144 		/* __cfg80211_join_mesh() will sort it out */
15145 		setup.chandef.chan = NULL;
15146 	}
15147 
15148 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
15149 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
15150 		int n_rates =
15151 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
15152 		struct ieee80211_supported_band *sband;
15153 
15154 		if (!setup.chandef.chan)
15155 			return -EINVAL;
15156 
15157 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
15158 
15159 		err = ieee80211_get_ratemask(sband, rates, n_rates,
15160 					     &setup.basic_rates);
15161 		if (err)
15162 			return err;
15163 	}
15164 
15165 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
15166 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
15167 						    NL80211_ATTR_TX_RATES,
15168 						    &setup.beacon_rate,
15169 						    dev, false, 0);
15170 		if (err)
15171 			return err;
15172 
15173 		if (!setup.chandef.chan)
15174 			return -EINVAL;
15175 
15176 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
15177 					      &setup.beacon_rate);
15178 		if (err)
15179 			return err;
15180 	}
15181 
15182 	setup.userspace_handles_dfs =
15183 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
15184 
15185 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
15186 		int r = validate_pae_over_nl80211(rdev, info);
15187 
15188 		if (r < 0)
15189 			return r;
15190 
15191 		setup.control_port_over_nl80211 = true;
15192 	}
15193 
15194 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
15195 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
15196 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
15197 
15198 	return err;
15199 }
15200 
15201 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
15202 {
15203 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15204 	struct net_device *dev = info->user_ptr[1];
15205 
15206 	return cfg80211_leave_mesh(rdev, dev);
15207 }
15208 
15209 #ifdef CONFIG_PM
15210 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
15211 					struct cfg80211_registered_device *rdev)
15212 {
15213 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
15214 	struct nlattr *nl_pats, *nl_pat;
15215 	int i, pat_len;
15216 
15217 	if (!wowlan->n_patterns)
15218 		return 0;
15219 
15220 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
15221 	if (!nl_pats)
15222 		return -ENOBUFS;
15223 
15224 	for (i = 0; i < wowlan->n_patterns; i++) {
15225 		nl_pat = nla_nest_start_noflag(msg, i + 1);
15226 		if (!nl_pat)
15227 			return -ENOBUFS;
15228 		pat_len = wowlan->patterns[i].pattern_len;
15229 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
15230 			    wowlan->patterns[i].mask) ||
15231 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15232 			    wowlan->patterns[i].pattern) ||
15233 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15234 				wowlan->patterns[i].pkt_offset))
15235 			return -ENOBUFS;
15236 		nla_nest_end(msg, nl_pat);
15237 	}
15238 	nla_nest_end(msg, nl_pats);
15239 
15240 	return 0;
15241 }
15242 
15243 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
15244 				   struct cfg80211_wowlan_tcp *tcp)
15245 {
15246 	struct nlattr *nl_tcp;
15247 
15248 	if (!tcp)
15249 		return 0;
15250 
15251 	nl_tcp = nla_nest_start_noflag(msg,
15252 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
15253 	if (!nl_tcp)
15254 		return -ENOBUFS;
15255 
15256 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
15257 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
15258 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
15259 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
15260 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
15261 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
15262 		    tcp->payload_len, tcp->payload) ||
15263 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
15264 			tcp->data_interval) ||
15265 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
15266 		    tcp->wake_len, tcp->wake_data) ||
15267 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
15268 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
15269 		return -ENOBUFS;
15270 
15271 	if (tcp->payload_seq.len &&
15272 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
15273 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
15274 		return -ENOBUFS;
15275 
15276 	if (tcp->payload_tok.len &&
15277 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
15278 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
15279 		    &tcp->payload_tok))
15280 		return -ENOBUFS;
15281 
15282 	nla_nest_end(msg, nl_tcp);
15283 
15284 	return 0;
15285 }
15286 
15287 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
15288 				  struct cfg80211_sched_scan_request *req)
15289 {
15290 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
15291 	int i;
15292 
15293 	if (!req)
15294 		return 0;
15295 
15296 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
15297 	if (!nd)
15298 		return -ENOBUFS;
15299 
15300 	if (req->n_scan_plans == 1 &&
15301 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
15302 			req->scan_plans[0].interval * 1000))
15303 		return -ENOBUFS;
15304 
15305 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
15306 		return -ENOBUFS;
15307 
15308 	if (req->relative_rssi_set) {
15309 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
15310 
15311 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
15312 			       req->relative_rssi))
15313 			return -ENOBUFS;
15314 
15315 		rssi_adjust.band = req->rssi_adjust.band;
15316 		rssi_adjust.delta = req->rssi_adjust.delta;
15317 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
15318 			    sizeof(rssi_adjust), &rssi_adjust))
15319 			return -ENOBUFS;
15320 	}
15321 
15322 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
15323 	if (!freqs)
15324 		return -ENOBUFS;
15325 
15326 	for (i = 0; i < req->n_channels; i++) {
15327 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15328 			return -ENOBUFS;
15329 	}
15330 
15331 	nla_nest_end(msg, freqs);
15332 
15333 	if (req->n_match_sets) {
15334 		matches = nla_nest_start_noflag(msg,
15335 						NL80211_ATTR_SCHED_SCAN_MATCH);
15336 		if (!matches)
15337 			return -ENOBUFS;
15338 
15339 		for (i = 0; i < req->n_match_sets; i++) {
15340 			match = nla_nest_start_noflag(msg, i);
15341 			if (!match)
15342 				return -ENOBUFS;
15343 
15344 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
15345 				    req->match_sets[i].ssid.ssid_len,
15346 				    req->match_sets[i].ssid.ssid))
15347 				return -ENOBUFS;
15348 			nla_nest_end(msg, match);
15349 		}
15350 		nla_nest_end(msg, matches);
15351 	}
15352 
15353 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
15354 	if (!scan_plans)
15355 		return -ENOBUFS;
15356 
15357 	for (i = 0; i < req->n_scan_plans; i++) {
15358 		scan_plan = nla_nest_start_noflag(msg, i + 1);
15359 		if (!scan_plan)
15360 			return -ENOBUFS;
15361 
15362 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
15363 				req->scan_plans[i].interval) ||
15364 		    (req->scan_plans[i].iterations &&
15365 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
15366 				 req->scan_plans[i].iterations)))
15367 			return -ENOBUFS;
15368 		nla_nest_end(msg, scan_plan);
15369 	}
15370 	nla_nest_end(msg, scan_plans);
15371 
15372 	nla_nest_end(msg, nd);
15373 
15374 	return 0;
15375 }
15376 
15377 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
15378 {
15379 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15380 	struct sk_buff *msg;
15381 	void *hdr;
15382 	u32 size = NLMSG_DEFAULT_SIZE;
15383 
15384 	if (!rdev->wiphy.wowlan)
15385 		return -EOPNOTSUPP;
15386 
15387 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
15388 		/* adjust size to have room for all the data */
15389 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
15390 			rdev->wiphy.wowlan_config->tcp->payload_len +
15391 			rdev->wiphy.wowlan_config->tcp->wake_len +
15392 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
15393 	}
15394 
15395 	msg = nlmsg_new(size, GFP_KERNEL);
15396 	if (!msg)
15397 		return -ENOMEM;
15398 
15399 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15400 			     NL80211_CMD_GET_WOWLAN);
15401 	if (!hdr)
15402 		goto nla_put_failure;
15403 
15404 	if (rdev->wiphy.wowlan_config) {
15405 		struct nlattr *nl_wowlan;
15406 
15407 		nl_wowlan = nla_nest_start_noflag(msg,
15408 						  NL80211_ATTR_WOWLAN_TRIGGERS);
15409 		if (!nl_wowlan)
15410 			goto nla_put_failure;
15411 
15412 		if ((rdev->wiphy.wowlan_config->any &&
15413 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
15414 		    (rdev->wiphy.wowlan_config->disconnect &&
15415 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
15416 		    (rdev->wiphy.wowlan_config->magic_pkt &&
15417 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
15418 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
15419 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
15420 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
15421 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
15422 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
15423 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
15424 		    (rdev->wiphy.wowlan_config->rfkill_release &&
15425 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
15426 			goto nla_put_failure;
15427 
15428 		if (nl80211_send_wowlan_patterns(msg, rdev))
15429 			goto nla_put_failure;
15430 
15431 		if (nl80211_send_wowlan_tcp(msg,
15432 					    rdev->wiphy.wowlan_config->tcp))
15433 			goto nla_put_failure;
15434 
15435 		if (nl80211_send_wowlan_nd(
15436 			    msg,
15437 			    rdev->wiphy.wowlan_config->nd_config))
15438 			goto nla_put_failure;
15439 
15440 		nla_nest_end(msg, nl_wowlan);
15441 	}
15442 
15443 	genlmsg_end(msg, hdr);
15444 	return genlmsg_reply(msg, info);
15445 
15446 nla_put_failure:
15447 	nlmsg_free(msg);
15448 	return -ENOBUFS;
15449 }
15450 
15451 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
15452 				    struct nlattr *attr,
15453 				    struct cfg80211_wowlan *trig)
15454 {
15455 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
15456 	struct cfg80211_wowlan_tcp *cfg;
15457 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
15458 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
15459 	u32 size;
15460 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
15461 	int err, port;
15462 
15463 	if (!rdev->wiphy.wowlan->tcp)
15464 		return -EINVAL;
15465 
15466 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
15467 					  nl80211_wowlan_tcp_policy, NULL);
15468 	if (err)
15469 		return err;
15470 
15471 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
15472 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
15473 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
15474 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
15475 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
15476 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
15477 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
15478 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
15479 		return -EINVAL;
15480 
15481 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
15482 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
15483 		return -EINVAL;
15484 
15485 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
15486 			rdev->wiphy.wowlan->tcp->data_interval_max ||
15487 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
15488 		return -EINVAL;
15489 
15490 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
15491 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
15492 		return -EINVAL;
15493 
15494 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
15495 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
15496 		return -EINVAL;
15497 
15498 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
15499 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15500 
15501 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
15502 		tokens_size = tokln - sizeof(*tok);
15503 
15504 		if (!tok->len || tokens_size % tok->len)
15505 			return -EINVAL;
15506 		if (!rdev->wiphy.wowlan->tcp->tok)
15507 			return -EINVAL;
15508 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
15509 			return -EINVAL;
15510 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
15511 			return -EINVAL;
15512 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
15513 			return -EINVAL;
15514 		if (tok->offset + tok->len > data_size)
15515 			return -EINVAL;
15516 	}
15517 
15518 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
15519 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
15520 		if (!rdev->wiphy.wowlan->tcp->seq)
15521 			return -EINVAL;
15522 		if (seq->len == 0 || seq->len > 4)
15523 			return -EINVAL;
15524 		if (seq->len + seq->offset > data_size)
15525 			return -EINVAL;
15526 	}
15527 
15528 	size = sizeof(*cfg);
15529 	size += data_size;
15530 	size += wake_size + wake_mask_size;
15531 	size += tokens_size;
15532 
15533 	cfg = kzalloc(size, GFP_KERNEL);
15534 	if (!cfg)
15535 		return -ENOMEM;
15536 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
15537 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
15538 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
15539 	       ETH_ALEN);
15540 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
15541 #ifdef CONFIG_INET
15542 	/* allocate a socket and port for it and use it */
15543 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
15544 			    IPPROTO_TCP, &cfg->sock, 1);
15545 	if (err) {
15546 		kfree(cfg);
15547 		return err;
15548 	}
15549 	if (inet_csk_get_port(cfg->sock->sk, port)) {
15550 		sock_release(cfg->sock);
15551 		kfree(cfg);
15552 		return -EADDRINUSE;
15553 	}
15554 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
15555 #else
15556 	if (!port) {
15557 		kfree(cfg);
15558 		return -EINVAL;
15559 	}
15560 	cfg->src_port = port;
15561 #endif
15562 
15563 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
15564 	cfg->payload_len = data_size;
15565 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
15566 	memcpy((void *)cfg->payload,
15567 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
15568 	       data_size);
15569 	if (seq)
15570 		cfg->payload_seq = *seq;
15571 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
15572 	cfg->wake_len = wake_size;
15573 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
15574 	memcpy((void *)cfg->wake_data,
15575 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
15576 	       wake_size);
15577 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
15578 			 data_size + wake_size;
15579 	memcpy((void *)cfg->wake_mask,
15580 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
15581 	       wake_mask_size);
15582 	if (tok) {
15583 		cfg->tokens_size = tokens_size;
15584 		cfg->payload_tok = *tok;
15585 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
15586 		       tokens_size);
15587 	}
15588 
15589 	trig->tcp = cfg;
15590 
15591 	return 0;
15592 }
15593 
15594 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
15595 				   const struct wiphy_wowlan_support *wowlan,
15596 				   struct nlattr *attr,
15597 				   struct cfg80211_wowlan *trig)
15598 {
15599 	struct nlattr **tb;
15600 	int err;
15601 
15602 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
15603 	if (!tb)
15604 		return -ENOMEM;
15605 
15606 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
15607 		err = -EOPNOTSUPP;
15608 		goto out;
15609 	}
15610 
15611 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
15612 					  nl80211_policy, NULL);
15613 	if (err)
15614 		goto out;
15615 
15616 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
15617 						   wowlan->max_nd_match_sets);
15618 	err = PTR_ERR_OR_ZERO(trig->nd_config);
15619 	if (err)
15620 		trig->nd_config = NULL;
15621 
15622 out:
15623 	kfree(tb);
15624 	return err;
15625 }
15626 
15627 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
15628 {
15629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15630 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
15631 	struct cfg80211_wowlan new_triggers = {};
15632 	struct cfg80211_wowlan *ntrig;
15633 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
15634 	int err, i;
15635 	bool prev_enabled = rdev->wiphy.wowlan_config;
15636 	bool regular = false;
15637 
15638 	if (!wowlan)
15639 		return -EOPNOTSUPP;
15640 
15641 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
15642 		cfg80211_rdev_free_wowlan(rdev);
15643 		rdev->wiphy.wowlan_config = NULL;
15644 		goto set_wakeup;
15645 	}
15646 
15647 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
15648 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
15649 					  nl80211_wowlan_policy, info->extack);
15650 	if (err)
15651 		return err;
15652 
15653 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
15654 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
15655 			return -EINVAL;
15656 		new_triggers.any = true;
15657 	}
15658 
15659 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
15660 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
15661 			return -EINVAL;
15662 		new_triggers.disconnect = true;
15663 		regular = true;
15664 	}
15665 
15666 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15667 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15668 			return -EINVAL;
15669 		new_triggers.magic_pkt = true;
15670 		regular = true;
15671 	}
15672 
15673 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15674 		return -EINVAL;
15675 
15676 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15677 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15678 			return -EINVAL;
15679 		new_triggers.gtk_rekey_failure = true;
15680 		regular = true;
15681 	}
15682 
15683 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15684 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15685 			return -EINVAL;
15686 		new_triggers.eap_identity_req = true;
15687 		regular = true;
15688 	}
15689 
15690 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15691 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15692 			return -EINVAL;
15693 		new_triggers.four_way_handshake = true;
15694 		regular = true;
15695 	}
15696 
15697 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15698 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15699 			return -EINVAL;
15700 		new_triggers.rfkill_release = true;
15701 		regular = true;
15702 	}
15703 
15704 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15705 		struct nlattr *pat;
15706 		int n_patterns = 0;
15707 		int rem, pat_len, mask_len, pkt_offset;
15708 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15709 
15710 		regular = true;
15711 
15712 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15713 				    rem)
15714 			n_patterns++;
15715 		if (n_patterns > wowlan->n_patterns)
15716 			return -EINVAL;
15717 
15718 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15719 						     n_patterns);
15720 		if (!new_triggers.patterns)
15721 			return -ENOMEM;
15722 
15723 		new_triggers.n_patterns = n_patterns;
15724 		i = 0;
15725 
15726 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15727 				    rem) {
15728 			u8 *mask_pat;
15729 
15730 			err = nla_parse_nested_deprecated(pat_tb,
15731 							  MAX_NL80211_PKTPAT,
15732 							  pat,
15733 							  nl80211_packet_pattern_policy,
15734 							  info->extack);
15735 			if (err)
15736 				goto error;
15737 
15738 			err = -EINVAL;
15739 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15740 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15741 				goto error;
15742 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15743 			mask_len = DIV_ROUND_UP(pat_len, 8);
15744 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15745 				goto error;
15746 			if (pat_len > wowlan->pattern_max_len ||
15747 			    pat_len < wowlan->pattern_min_len)
15748 				goto error;
15749 
15750 			pkt_offset =
15751 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15752 						    0);
15753 			if (pkt_offset > wowlan->max_pkt_offset)
15754 				goto error;
15755 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15756 
15757 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15758 			if (!mask_pat) {
15759 				err = -ENOMEM;
15760 				goto error;
15761 			}
15762 			new_triggers.patterns[i].mask = mask_pat;
15763 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15764 			       mask_len);
15765 			mask_pat += mask_len;
15766 			new_triggers.patterns[i].pattern = mask_pat;
15767 			new_triggers.patterns[i].pattern_len = pat_len;
15768 			memcpy(mask_pat,
15769 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15770 			       pat_len);
15771 			i++;
15772 		}
15773 	}
15774 
15775 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15776 		regular = true;
15777 		err = nl80211_parse_wowlan_tcp(
15778 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15779 			&new_triggers);
15780 		if (err)
15781 			goto error;
15782 	}
15783 
15784 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15785 		regular = true;
15786 		err = nl80211_parse_wowlan_nd(
15787 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15788 			&new_triggers);
15789 		if (err)
15790 			goto error;
15791 	}
15792 
15793 	/* The 'any' trigger means the device continues operating more or less
15794 	 * as in its normal operation mode and wakes up the host on most of the
15795 	 * normal interrupts (like packet RX, ...)
15796 	 * It therefore makes little sense to combine with the more constrained
15797 	 * wakeup trigger modes.
15798 	 */
15799 	if (new_triggers.any && regular) {
15800 		err = -EINVAL;
15801 		goto error;
15802 	}
15803 
15804 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15805 	if (!ntrig) {
15806 		err = -ENOMEM;
15807 		goto error;
15808 	}
15809 	cfg80211_rdev_free_wowlan(rdev);
15810 	rdev->wiphy.wowlan_config = ntrig;
15811 
15812  set_wakeup:
15813 	if (rdev->ops->set_wakeup &&
15814 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15815 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15816 
15817 	return 0;
15818  error:
15819 	for (i = 0; i < new_triggers.n_patterns; i++)
15820 		kfree(new_triggers.patterns[i].mask);
15821 	kfree(new_triggers.patterns);
15822 	if (new_triggers.tcp && new_triggers.tcp->sock)
15823 		sock_release(new_triggers.tcp->sock);
15824 	kfree(new_triggers.tcp);
15825 	kfree(new_triggers.nd_config);
15826 	return err;
15827 }
15828 #endif
15829 
15830 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15831 				       struct cfg80211_registered_device *rdev)
15832 {
15833 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15834 	int i, j, pat_len;
15835 	struct cfg80211_coalesce_rules *rule;
15836 
15837 	if (!rdev->coalesce->n_rules)
15838 		return 0;
15839 
15840 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15841 	if (!nl_rules)
15842 		return -ENOBUFS;
15843 
15844 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15845 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15846 		if (!nl_rule)
15847 			return -ENOBUFS;
15848 
15849 		rule = &rdev->coalesce->rules[i];
15850 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15851 				rule->delay))
15852 			return -ENOBUFS;
15853 
15854 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15855 				rule->condition))
15856 			return -ENOBUFS;
15857 
15858 		nl_pats = nla_nest_start_noflag(msg,
15859 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15860 		if (!nl_pats)
15861 			return -ENOBUFS;
15862 
15863 		for (j = 0; j < rule->n_patterns; j++) {
15864 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15865 			if (!nl_pat)
15866 				return -ENOBUFS;
15867 			pat_len = rule->patterns[j].pattern_len;
15868 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15869 				    DIV_ROUND_UP(pat_len, 8),
15870 				    rule->patterns[j].mask) ||
15871 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15872 				    rule->patterns[j].pattern) ||
15873 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15874 					rule->patterns[j].pkt_offset))
15875 				return -ENOBUFS;
15876 			nla_nest_end(msg, nl_pat);
15877 		}
15878 		nla_nest_end(msg, nl_pats);
15879 		nla_nest_end(msg, nl_rule);
15880 	}
15881 	nla_nest_end(msg, nl_rules);
15882 
15883 	return 0;
15884 }
15885 
15886 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15887 {
15888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15889 	struct sk_buff *msg;
15890 	void *hdr;
15891 
15892 	if (!rdev->wiphy.coalesce)
15893 		return -EOPNOTSUPP;
15894 
15895 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15896 	if (!msg)
15897 		return -ENOMEM;
15898 
15899 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15900 			     NL80211_CMD_GET_COALESCE);
15901 	if (!hdr)
15902 		goto nla_put_failure;
15903 
15904 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15905 		goto nla_put_failure;
15906 
15907 	genlmsg_end(msg, hdr);
15908 	return genlmsg_reply(msg, info);
15909 
15910 nla_put_failure:
15911 	nlmsg_free(msg);
15912 	return -ENOBUFS;
15913 }
15914 
15915 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15916 {
15917 	int i, j;
15918 	struct cfg80211_coalesce_rules *rule;
15919 
15920 	if (!coalesce)
15921 		return;
15922 
15923 	for (i = 0; i < coalesce->n_rules; i++) {
15924 		rule = &coalesce->rules[i];
15925 		for (j = 0; j < rule->n_patterns; j++)
15926 			kfree(rule->patterns[j].mask);
15927 		kfree(rule->patterns);
15928 	}
15929 	kfree(coalesce);
15930 }
15931 
15932 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15933 				       struct nlattr *rule,
15934 				       struct cfg80211_coalesce_rules *new_rule)
15935 {
15936 	int err, i;
15937 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15938 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15939 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15940 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15941 
15942 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15943 					  rule, nl80211_coalesce_policy, NULL);
15944 	if (err)
15945 		return err;
15946 
15947 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15948 		new_rule->delay =
15949 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15950 	if (new_rule->delay > coalesce->max_delay)
15951 		return -EINVAL;
15952 
15953 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15954 		new_rule->condition =
15955 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15956 
15957 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15958 		return -EINVAL;
15959 
15960 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15961 			    rem)
15962 		n_patterns++;
15963 	if (n_patterns > coalesce->n_patterns)
15964 		return -EINVAL;
15965 
15966 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns);
15967 	if (!new_rule->patterns)
15968 		return -ENOMEM;
15969 
15970 	new_rule->n_patterns = n_patterns;
15971 	i = 0;
15972 
15973 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15974 			    rem) {
15975 		u8 *mask_pat;
15976 
15977 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15978 						  pat,
15979 						  nl80211_packet_pattern_policy,
15980 						  NULL);
15981 		if (err)
15982 			return err;
15983 
15984 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15985 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15986 			return -EINVAL;
15987 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15988 		mask_len = DIV_ROUND_UP(pat_len, 8);
15989 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15990 			return -EINVAL;
15991 		if (pat_len > coalesce->pattern_max_len ||
15992 		    pat_len < coalesce->pattern_min_len)
15993 			return -EINVAL;
15994 
15995 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15996 						 0);
15997 		if (pkt_offset > coalesce->max_pkt_offset)
15998 			return -EINVAL;
15999 		new_rule->patterns[i].pkt_offset = pkt_offset;
16000 
16001 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
16002 		if (!mask_pat)
16003 			return -ENOMEM;
16004 
16005 		new_rule->patterns[i].mask = mask_pat;
16006 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
16007 		       mask_len);
16008 
16009 		mask_pat += mask_len;
16010 		new_rule->patterns[i].pattern = mask_pat;
16011 		new_rule->patterns[i].pattern_len = pat_len;
16012 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
16013 		       pat_len);
16014 		i++;
16015 	}
16016 
16017 	return 0;
16018 }
16019 
16020 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
16021 {
16022 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16023 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
16024 	struct cfg80211_coalesce *new_coalesce;
16025 	int err, rem_rule, n_rules = 0, i;
16026 	struct nlattr *rule;
16027 
16028 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
16029 		return -EOPNOTSUPP;
16030 
16031 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
16032 		cfg80211_free_coalesce(rdev->coalesce);
16033 		rdev->coalesce = NULL;
16034 		rdev_set_coalesce(rdev, NULL);
16035 		return 0;
16036 	}
16037 
16038 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
16039 			    rem_rule)
16040 		n_rules++;
16041 	if (n_rules > coalesce->n_rules)
16042 		return -EINVAL;
16043 
16044 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules);
16045 	if (!new_coalesce)
16046 		return -ENOMEM;
16047 
16048 	new_coalesce->n_rules = n_rules;
16049 	i = 0;
16050 
16051 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
16052 			    rem_rule) {
16053 		err = nl80211_parse_coalesce_rule(rdev, rule,
16054 						  &new_coalesce->rules[i]);
16055 		if (err)
16056 			goto error;
16057 
16058 		i++;
16059 	}
16060 
16061 	err = rdev_set_coalesce(rdev, new_coalesce);
16062 	if (err)
16063 		goto error;
16064 
16065 	cfg80211_free_coalesce(rdev->coalesce);
16066 	rdev->coalesce = new_coalesce;
16067 
16068 	return 0;
16069 error:
16070 	cfg80211_free_coalesce(new_coalesce);
16071 
16072 	return err;
16073 }
16074 
16075 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
16076 {
16077 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16078 	struct net_device *dev = info->user_ptr[1];
16079 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16080 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
16081 	struct cfg80211_gtk_rekey_data rekey_data = {};
16082 	int err;
16083 
16084 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
16085 		return -EINVAL;
16086 
16087 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
16088 					  info->attrs[NL80211_ATTR_REKEY_DATA],
16089 					  nl80211_rekey_policy, info->extack);
16090 	if (err)
16091 		return err;
16092 
16093 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
16094 	    !tb[NL80211_REKEY_DATA_KCK])
16095 		return -EINVAL;
16096 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
16097 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
16098 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
16099 		return -ERANGE;
16100 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
16101 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
16102 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
16103 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
16104 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
16105 		return -ERANGE;
16106 
16107 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
16108 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
16109 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
16110 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
16111 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
16112 	if (tb[NL80211_REKEY_DATA_AKM])
16113 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
16114 
16115 	if (!wdev->connected)
16116 		return -ENOTCONN;
16117 
16118 	if (!rdev->ops->set_rekey_data)
16119 		return -EOPNOTSUPP;
16120 
16121 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
16122 }
16123 
16124 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
16125 					     struct genl_info *info)
16126 {
16127 	struct net_device *dev = info->user_ptr[1];
16128 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16129 
16130 	if (wdev->iftype != NL80211_IFTYPE_AP &&
16131 	    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16132 	    wdev->iftype != NL80211_IFTYPE_NAN_DATA)
16133 		return -EINVAL;
16134 
16135 	if (wdev->unexpected_nlportid)
16136 		return -EBUSY;
16137 
16138 	wdev->unexpected_nlportid = info->snd_portid;
16139 	return 0;
16140 }
16141 
16142 static int nl80211_probe_client(struct sk_buff *skb,
16143 				struct genl_info *info)
16144 {
16145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16146 	struct net_device *dev = info->user_ptr[1];
16147 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16148 	struct sk_buff *msg;
16149 	void *hdr;
16150 	const u8 *addr;
16151 	u64 cookie;
16152 	int err;
16153 
16154 	if (wdev->iftype != NL80211_IFTYPE_AP &&
16155 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
16156 		return -EOPNOTSUPP;
16157 
16158 	if (!info->attrs[NL80211_ATTR_MAC])
16159 		return -EINVAL;
16160 
16161 	if (!rdev->ops->probe_client)
16162 		return -EOPNOTSUPP;
16163 
16164 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16165 	if (!msg)
16166 		return -ENOMEM;
16167 
16168 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16169 			     NL80211_CMD_PROBE_CLIENT);
16170 	if (!hdr) {
16171 		err = -ENOBUFS;
16172 		goto free_msg;
16173 	}
16174 
16175 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16176 
16177 	err = rdev_probe_client(rdev, dev, addr, &cookie);
16178 	if (err)
16179 		goto free_msg;
16180 
16181 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16182 			      NL80211_ATTR_PAD))
16183 		goto nla_put_failure;
16184 
16185 	genlmsg_end(msg, hdr);
16186 
16187 	return genlmsg_reply(msg, info);
16188 
16189  nla_put_failure:
16190 	err = -ENOBUFS;
16191  free_msg:
16192 	nlmsg_free(msg);
16193 	return err;
16194 }
16195 
16196 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
16197 {
16198 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16199 	struct cfg80211_beacon_registration *reg, *nreg;
16200 	int rv;
16201 
16202 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
16203 		return -EOPNOTSUPP;
16204 
16205 	nreg = kzalloc_obj(*nreg);
16206 	if (!nreg)
16207 		return -ENOMEM;
16208 
16209 	/* First, check if already registered. */
16210 	spin_lock_bh(&rdev->beacon_registrations_lock);
16211 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16212 		if (reg->nlportid == info->snd_portid) {
16213 			rv = -EALREADY;
16214 			goto out_err;
16215 		}
16216 	}
16217 	/* Add it to the list */
16218 	nreg->nlportid = info->snd_portid;
16219 	list_add(&nreg->list, &rdev->beacon_registrations);
16220 
16221 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16222 
16223 	return 0;
16224 out_err:
16225 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16226 	kfree(nreg);
16227 	return rv;
16228 }
16229 
16230 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
16231 {
16232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16233 	struct wireless_dev *wdev = info->user_ptr[1];
16234 	int err;
16235 
16236 	if (!rdev->ops->start_p2p_device)
16237 		return -EOPNOTSUPP;
16238 
16239 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
16240 		return -EOPNOTSUPP;
16241 
16242 	if (wdev_running(wdev))
16243 		return 0;
16244 
16245 	if (rfkill_blocked(rdev->wiphy.rfkill))
16246 		return -ERFKILL;
16247 
16248 	err = rdev_start_p2p_device(rdev, wdev);
16249 	if (err)
16250 		return err;
16251 
16252 	wdev->is_running = true;
16253 	rdev->opencount++;
16254 
16255 	return 0;
16256 }
16257 
16258 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
16259 {
16260 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16261 	struct wireless_dev *wdev = info->user_ptr[1];
16262 
16263 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
16264 		return -EOPNOTSUPP;
16265 
16266 	if (!rdev->ops->stop_p2p_device)
16267 		return -EOPNOTSUPP;
16268 
16269 	cfg80211_stop_p2p_device(rdev, wdev);
16270 
16271 	return 0;
16272 }
16273 
16274 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
16275 							 int freq)
16276 {
16277 	struct ieee80211_channel *chan;
16278 	struct cfg80211_chan_def def;
16279 
16280 	/* Check if the frequency is valid for NAN */
16281 	if (freq != 5220 && freq != 5745 && freq != 2437)
16282 		return NULL;
16283 
16284 	chan = ieee80211_get_channel(wiphy, freq);
16285 	if (!chan)
16286 		return NULL;
16287 
16288 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
16289 
16290 	/* Check if the channel is allowed */
16291 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
16292 		return chan;
16293 
16294 	return NULL;
16295 }
16296 
16297 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
16298 					 struct nlattr **tb,
16299 					 struct cfg80211_nan_band_config *cfg,
16300 					 enum nl80211_band band)
16301 {
16302 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
16303 		return -EINVAL;
16304 
16305 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
16306 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
16307 
16308 		if (band != NL80211_BAND_5GHZ)
16309 			return -EINVAL;
16310 
16311 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
16312 		if (!cfg->chan)
16313 			return -EINVAL;
16314 	}
16315 
16316 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
16317 		cfg->rssi_close =
16318 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
16319 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
16320 			return -EINVAL;
16321 	}
16322 
16323 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
16324 		cfg->rssi_middle =
16325 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
16326 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
16327 			return -EINVAL;
16328 	}
16329 
16330 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
16331 		cfg->awake_dw_interval =
16332 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
16333 
16334 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
16335 			return -EINVAL;
16336 	}
16337 
16338 	cfg->disable_scan =
16339 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
16340 	return 0;
16341 }
16342 
16343 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
16344 				  struct genl_info *info,
16345 				  struct cfg80211_nan_conf *conf,
16346 				  u32 *changed_flags,
16347 				  bool start)
16348 {
16349 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
16350 	int err, rem;
16351 	u32 changed = 0;
16352 	struct nlattr *band_config;
16353 
16354 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
16355 		conf->master_pref =
16356 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
16357 
16358 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
16359 	}
16360 
16361 	if (info->attrs[NL80211_ATTR_BANDS]) {
16362 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
16363 
16364 		if (bands & ~(u32)wiphy->nan_supported_bands)
16365 			return -EOPNOTSUPP;
16366 
16367 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
16368 			return -EINVAL;
16369 
16370 		conf->bands = bands;
16371 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
16372 	}
16373 
16374 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
16375 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
16376 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
16377 
16378 	/* On 2.4 GHz band use channel 6 */
16379 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
16380 		nl80211_get_nan_channel(wiphy, 2437);
16381 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
16382 		return -EINVAL;
16383 
16384 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
16385 		goto out;
16386 
16387 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
16388 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
16389 			       info->extack);
16390 	if (err)
16391 		return err;
16392 
16393 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
16394 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start) {
16395 		ether_addr_copy(conf->cluster_id,
16396 				nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]));
16397 	} else if (start) {
16398 		conf->cluster_id[0] = 0x50;
16399 		conf->cluster_id[1] = 0x6f;
16400 		conf->cluster_id[2] = 0x9a;
16401 		conf->cluster_id[3] = 0x01;
16402 		get_random_bytes(&conf->cluster_id[4], 2);
16403 	}
16404 
16405 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
16406 		conf->extra_nan_attrs =
16407 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16408 		conf->extra_nan_attrs_len =
16409 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
16410 	}
16411 
16412 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
16413 		conf->vendor_elems =
16414 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16415 		conf->vendor_elems_len =
16416 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
16417 	}
16418 
16419 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
16420 		nla_for_each_nested(band_config,
16421 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
16422 				    rem) {
16423 			enum nl80211_band band;
16424 			struct cfg80211_nan_band_config *cfg;
16425 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
16426 
16427 			err = nla_parse_nested(tb,
16428 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
16429 					       band_config, NULL,
16430 					       info->extack);
16431 			if (err)
16432 				return err;
16433 
16434 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
16435 				return -EINVAL;
16436 
16437 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
16438 			if (conf->bands && !(conf->bands & BIT(band)))
16439 				return -EINVAL;
16440 
16441 			cfg = &conf->band_cfgs[band];
16442 
16443 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
16444 							    band);
16445 			if (err)
16446 				return err;
16447 		}
16448 	}
16449 
16450 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
16451 		conf->scan_period =
16452 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
16453 
16454 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
16455 		conf->scan_dwell_time =
16456 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
16457 
16458 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
16459 		conf->discovery_beacon_interval =
16460 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
16461 
16462 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
16463 		conf->enable_dw_notification =
16464 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
16465 
16466 out:
16467 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16468 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
16469 		/* If no 5GHz channel is specified use default, if possible */
16470 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16471 				nl80211_get_nan_channel(wiphy, 5745);
16472 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
16473 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
16474 					nl80211_get_nan_channel(wiphy, 5220);
16475 
16476 		/* Return error if user space asked explicitly for 5 GHz */
16477 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
16478 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
16479 			NL_SET_ERR_MSG_ATTR(info->extack,
16480 					    info->attrs[NL80211_ATTR_BANDS],
16481 					    "5 GHz band operation is not allowed");
16482 			return -EINVAL;
16483 		}
16484 	}
16485 
16486 	if (changed_flags)
16487 		*changed_flags = changed;
16488 
16489 	return 0;
16490 }
16491 
16492 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
16493 {
16494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16495 	struct wireless_dev *wdev = info->user_ptr[1];
16496 	struct cfg80211_nan_conf conf = {};
16497 	int err;
16498 
16499 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16500 		return -EOPNOTSUPP;
16501 
16502 	if (wdev_running(wdev))
16503 		return -EEXIST;
16504 
16505 	if (rfkill_blocked(rdev->wiphy.rfkill))
16506 		return -ERFKILL;
16507 
16508 	/* Master preference is mandatory for START_NAN */
16509 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
16510 		return -EINVAL;
16511 
16512 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
16513 	if (err)
16514 		return err;
16515 
16516 	err = rdev_start_nan(rdev, wdev, &conf);
16517 	if (err)
16518 		return err;
16519 
16520 	wdev->is_running = true;
16521 	rdev->opencount++;
16522 
16523 	return 0;
16524 }
16525 
16526 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
16527 {
16528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16529 	struct wireless_dev *wdev = info->user_ptr[1];
16530 
16531 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16532 		return -EOPNOTSUPP;
16533 
16534 	cfg80211_close_dependents(rdev, wdev);
16535 
16536 	guard(wiphy)(&rdev->wiphy);
16537 
16538 	cfg80211_stop_nan(rdev, wdev);
16539 
16540 	return 0;
16541 }
16542 
16543 static int validate_nan_filter(struct nlattr *filter_attr)
16544 {
16545 	struct nlattr *attr;
16546 	int len = 0, n_entries = 0, rem;
16547 
16548 	nla_for_each_nested(attr, filter_attr, rem) {
16549 		len += nla_len(attr);
16550 		n_entries++;
16551 	}
16552 
16553 	if (len >= U8_MAX)
16554 		return -EINVAL;
16555 
16556 	return n_entries;
16557 }
16558 
16559 static int handle_nan_filter(struct nlattr *attr_filter,
16560 			     struct cfg80211_nan_func *func,
16561 			     bool tx)
16562 {
16563 	struct nlattr *attr;
16564 	int n_entries, rem, i;
16565 	struct cfg80211_nan_func_filter *filter;
16566 
16567 	n_entries = validate_nan_filter(attr_filter);
16568 	if (n_entries < 0)
16569 		return n_entries;
16570 
16571 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
16572 
16573 	filter = kzalloc_objs(*func->rx_filters, n_entries);
16574 	if (!filter)
16575 		return -ENOMEM;
16576 
16577 	i = 0;
16578 	nla_for_each_nested(attr, attr_filter, rem) {
16579 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
16580 		if (!filter[i].filter)
16581 			goto err;
16582 
16583 		filter[i].len = nla_len(attr);
16584 		i++;
16585 	}
16586 	if (tx) {
16587 		func->num_tx_filters = n_entries;
16588 		func->tx_filters = filter;
16589 	} else {
16590 		func->num_rx_filters = n_entries;
16591 		func->rx_filters = filter;
16592 	}
16593 
16594 	return 0;
16595 
16596 err:
16597 	i = 0;
16598 	nla_for_each_nested(attr, attr_filter, rem) {
16599 		kfree(filter[i].filter);
16600 		i++;
16601 	}
16602 	kfree(filter);
16603 	return -ENOMEM;
16604 }
16605 
16606 static int nl80211_nan_add_func(struct sk_buff *skb,
16607 				struct genl_info *info)
16608 {
16609 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16610 	struct wireless_dev *wdev = info->user_ptr[1];
16611 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
16612 	struct cfg80211_nan_func *func;
16613 	struct sk_buff *msg = NULL;
16614 	void *hdr = NULL;
16615 	int err = 0;
16616 
16617 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16618 		return -EOPNOTSUPP;
16619 
16620 	if (!wdev_running(wdev))
16621 		return -ENOTCONN;
16622 
16623 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
16624 		return -EINVAL;
16625 
16626 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
16627 					  info->attrs[NL80211_ATTR_NAN_FUNC],
16628 					  nl80211_nan_func_policy,
16629 					  info->extack);
16630 	if (err)
16631 		return err;
16632 
16633 	func = kzalloc_obj(*func);
16634 	if (!func)
16635 		return -ENOMEM;
16636 
16637 	func->cookie = cfg80211_assign_cookie(rdev);
16638 
16639 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
16640 		err = -EINVAL;
16641 		goto out;
16642 	}
16643 
16644 
16645 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
16646 
16647 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
16648 		err = -EINVAL;
16649 		goto out;
16650 	}
16651 
16652 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
16653 	       sizeof(func->service_id));
16654 
16655 	func->close_range =
16656 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
16657 
16658 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
16659 		func->serv_spec_info_len =
16660 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
16661 		func->serv_spec_info =
16662 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
16663 				func->serv_spec_info_len,
16664 				GFP_KERNEL);
16665 		if (!func->serv_spec_info) {
16666 			err = -ENOMEM;
16667 			goto out;
16668 		}
16669 	}
16670 
16671 	if (tb[NL80211_NAN_FUNC_TTL])
16672 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
16673 
16674 	switch (func->type) {
16675 	case NL80211_NAN_FUNC_PUBLISH:
16676 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16677 			err = -EINVAL;
16678 			goto out;
16679 		}
16680 
16681 		func->publish_type =
16682 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16683 		func->publish_bcast =
16684 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16685 
16686 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16687 			func->publish_bcast) {
16688 			err = -EINVAL;
16689 			goto out;
16690 		}
16691 		break;
16692 	case NL80211_NAN_FUNC_SUBSCRIBE:
16693 		func->subscribe_active =
16694 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16695 		break;
16696 	case NL80211_NAN_FUNC_FOLLOW_UP:
16697 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16698 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16699 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16700 			err = -EINVAL;
16701 			goto out;
16702 		}
16703 
16704 		func->followup_id =
16705 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16706 		func->followup_reqid =
16707 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16708 		memcpy(func->followup_dest.addr,
16709 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16710 		       sizeof(func->followup_dest.addr));
16711 		if (func->ttl) {
16712 			err = -EINVAL;
16713 			goto out;
16714 		}
16715 		break;
16716 	default:
16717 		err = -EINVAL;
16718 		goto out;
16719 	}
16720 
16721 	if (tb[NL80211_NAN_FUNC_SRF]) {
16722 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16723 
16724 		err = nla_parse_nested_deprecated(srf_tb,
16725 						  NL80211_NAN_SRF_ATTR_MAX,
16726 						  tb[NL80211_NAN_FUNC_SRF],
16727 						  nl80211_nan_srf_policy,
16728 						  info->extack);
16729 		if (err)
16730 			goto out;
16731 
16732 		func->srf_include =
16733 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16734 
16735 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16736 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16737 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16738 				err = -EINVAL;
16739 				goto out;
16740 			}
16741 
16742 			func->srf_bf_len =
16743 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16744 			func->srf_bf =
16745 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16746 					func->srf_bf_len, GFP_KERNEL);
16747 			if (!func->srf_bf) {
16748 				err = -ENOMEM;
16749 				goto out;
16750 			}
16751 
16752 			func->srf_bf_idx =
16753 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16754 		} else {
16755 			struct nlattr *attr, *mac_attr =
16756 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16757 			int n_entries, rem, i = 0;
16758 
16759 			if (!mac_attr) {
16760 				err = -EINVAL;
16761 				goto out;
16762 			}
16763 
16764 			n_entries = validate_acl_mac_addrs(mac_attr);
16765 			if (n_entries <= 0) {
16766 				err = -EINVAL;
16767 				goto out;
16768 			}
16769 
16770 			func->srf_num_macs = n_entries;
16771 			func->srf_macs =
16772 				kzalloc_objs(*func->srf_macs, n_entries);
16773 			if (!func->srf_macs) {
16774 				err = -ENOMEM;
16775 				goto out;
16776 			}
16777 
16778 			nla_for_each_nested(attr, mac_attr, rem)
16779 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16780 				       sizeof(*func->srf_macs));
16781 		}
16782 	}
16783 
16784 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16785 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16786 					func, true);
16787 		if (err)
16788 			goto out;
16789 	}
16790 
16791 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16792 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16793 					func, false);
16794 		if (err)
16795 			goto out;
16796 	}
16797 
16798 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16799 	if (!msg) {
16800 		err = -ENOMEM;
16801 		goto out;
16802 	}
16803 
16804 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16805 			     NL80211_CMD_ADD_NAN_FUNCTION);
16806 	/* This can't really happen - we just allocated 4KB */
16807 	if (WARN_ON(!hdr)) {
16808 		err = -ENOMEM;
16809 		goto out;
16810 	}
16811 
16812 	err = rdev_add_nan_func(rdev, wdev, func);
16813 out:
16814 	if (err < 0) {
16815 		cfg80211_free_nan_func(func);
16816 		nlmsg_free(msg);
16817 		return err;
16818 	}
16819 
16820 	/* propagate the instance id and cookie to userspace  */
16821 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16822 			      NL80211_ATTR_PAD))
16823 		goto nla_put_failure;
16824 
16825 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16826 	if (!func_attr)
16827 		goto nla_put_failure;
16828 
16829 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16830 		       func->instance_id))
16831 		goto nla_put_failure;
16832 
16833 	nla_nest_end(msg, func_attr);
16834 
16835 	genlmsg_end(msg, hdr);
16836 	return genlmsg_reply(msg, info);
16837 
16838 nla_put_failure:
16839 	nlmsg_free(msg);
16840 	return -ENOBUFS;
16841 }
16842 
16843 static int nl80211_nan_del_func(struct sk_buff *skb,
16844 			       struct genl_info *info)
16845 {
16846 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16847 	struct wireless_dev *wdev = info->user_ptr[1];
16848 	u64 cookie;
16849 
16850 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16851 		return -EOPNOTSUPP;
16852 
16853 	if (!wdev_running(wdev))
16854 		return -ENOTCONN;
16855 
16856 	if (!info->attrs[NL80211_ATTR_COOKIE])
16857 		return -EINVAL;
16858 
16859 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16860 
16861 	rdev_del_nan_func(rdev, wdev, cookie);
16862 
16863 	return 0;
16864 }
16865 
16866 static int nl80211_nan_change_config(struct sk_buff *skb,
16867 				     struct genl_info *info)
16868 {
16869 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16870 	struct wireless_dev *wdev = info->user_ptr[1];
16871 	struct cfg80211_nan_conf conf = {};
16872 	u32 changed = 0;
16873 	int err;
16874 
16875 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16876 		return -EOPNOTSUPP;
16877 
16878 	if (!wdev_running(wdev))
16879 		return -ENOTCONN;
16880 
16881 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16882 	if (err)
16883 		return err;
16884 
16885 	if (!changed)
16886 		return -EINVAL;
16887 
16888 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16889 }
16890 
16891 static int nl80211_start_pd(struct sk_buff *skb, struct genl_info *info)
16892 {
16893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16894 	struct wireless_dev *wdev = info->user_ptr[1];
16895 	int err;
16896 
16897 	if (wdev->iftype != NL80211_IFTYPE_PD)
16898 		return -EOPNOTSUPP;
16899 
16900 	if (wdev_running(wdev))
16901 		return -EEXIST;
16902 
16903 	if (rfkill_blocked(rdev->wiphy.rfkill))
16904 		return -ERFKILL;
16905 
16906 	if (!rdev->ops->start_pd)
16907 		return -EOPNOTSUPP;
16908 
16909 	err = rdev_start_pd(rdev, wdev);
16910 	if (err)
16911 		return err;
16912 	wdev->is_running = true;
16913 	rdev->opencount++;
16914 
16915 	return 0;
16916 }
16917 
16918 static int nl80211_stop_pd(struct sk_buff *skb, struct genl_info *info)
16919 {
16920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16921 	struct wireless_dev *wdev = info->user_ptr[1];
16922 
16923 	if (wdev->iftype != NL80211_IFTYPE_PD)
16924 		return -EOPNOTSUPP;
16925 
16926 	cfg80211_stop_pd(rdev, wdev);
16927 
16928 	return 0;
16929 }
16930 
16931 void cfg80211_nan_match(struct wireless_dev *wdev,
16932 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16933 {
16934 	struct wiphy *wiphy = wdev->wiphy;
16935 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16936 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16937 	struct sk_buff *msg;
16938 	void *hdr;
16939 
16940 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16941 		return;
16942 
16943 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16944 		return;
16945 
16946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16947 	if (!msg)
16948 		return;
16949 
16950 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16951 	if (!hdr) {
16952 		nlmsg_free(msg);
16953 		return;
16954 	}
16955 
16956 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16957 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16958 					 wdev->netdev->ifindex)) ||
16959 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16960 			      NL80211_ATTR_PAD))
16961 		goto nla_put_failure;
16962 
16963 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16964 			      NL80211_ATTR_PAD) ||
16965 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16966 		goto nla_put_failure;
16967 
16968 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16969 	if (!match_attr)
16970 		goto nla_put_failure;
16971 
16972 	local_func_attr = nla_nest_start_noflag(msg,
16973 						NL80211_NAN_MATCH_FUNC_LOCAL);
16974 	if (!local_func_attr)
16975 		goto nla_put_failure;
16976 
16977 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16978 		goto nla_put_failure;
16979 
16980 	nla_nest_end(msg, local_func_attr);
16981 
16982 	peer_func_attr = nla_nest_start_noflag(msg,
16983 					       NL80211_NAN_MATCH_FUNC_PEER);
16984 	if (!peer_func_attr)
16985 		goto nla_put_failure;
16986 
16987 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16988 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16989 		goto nla_put_failure;
16990 
16991 	if (match->info && match->info_len &&
16992 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16993 		    match->info))
16994 		goto nla_put_failure;
16995 
16996 	nla_nest_end(msg, peer_func_attr);
16997 	nla_nest_end(msg, match_attr);
16998 	genlmsg_end(msg, hdr);
16999 
17000 	if (!wdev->owner_nlportid)
17001 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17002 					msg, 0, NL80211_MCGRP_NAN, gfp);
17003 	else
17004 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17005 				wdev->owner_nlportid);
17006 
17007 	return;
17008 
17009 nla_put_failure:
17010 	nlmsg_free(msg);
17011 }
17012 EXPORT_SYMBOL(cfg80211_nan_match);
17013 
17014 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
17015 				  u8 inst_id,
17016 				  enum nl80211_nan_func_term_reason reason,
17017 				  u64 cookie, gfp_t gfp)
17018 {
17019 	struct wiphy *wiphy = wdev->wiphy;
17020 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17021 	struct sk_buff *msg;
17022 	struct nlattr *func_attr;
17023 	void *hdr;
17024 
17025 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
17026 		return;
17027 
17028 	if (WARN_ON(!inst_id))
17029 		return;
17030 
17031 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17032 	if (!msg)
17033 		return;
17034 
17035 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
17036 	if (!hdr) {
17037 		nlmsg_free(msg);
17038 		return;
17039 	}
17040 
17041 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17042 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17043 					 wdev->netdev->ifindex)) ||
17044 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17045 			      NL80211_ATTR_PAD))
17046 		goto nla_put_failure;
17047 
17048 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17049 			      NL80211_ATTR_PAD))
17050 		goto nla_put_failure;
17051 
17052 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
17053 	if (!func_attr)
17054 		goto nla_put_failure;
17055 
17056 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
17057 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
17058 		goto nla_put_failure;
17059 
17060 	nla_nest_end(msg, func_attr);
17061 	genlmsg_end(msg, hdr);
17062 
17063 	if (!wdev->owner_nlportid)
17064 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17065 					msg, 0, NL80211_MCGRP_NAN, gfp);
17066 	else
17067 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17068 				wdev->owner_nlportid);
17069 
17070 	return;
17071 
17072 nla_put_failure:
17073 	nlmsg_free(msg);
17074 }
17075 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
17076 
17077 void cfg80211_nan_sched_update_done(struct wireless_dev *wdev, bool success,
17078 				    gfp_t gfp)
17079 {
17080 	struct wiphy *wiphy = wdev->wiphy;
17081 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17082 	struct sk_buff *msg;
17083 	void *hdr;
17084 
17085 	trace_cfg80211_nan_sched_update_done(wiphy, wdev, success);
17086 
17087 	/* Can happen if we stopped NAN */
17088 	if (!wdev->u.nan.sched_update_pending)
17089 		return;
17090 
17091 	wdev->u.nan.sched_update_pending = false;
17092 
17093 	if (!wdev->owner_nlportid)
17094 		return;
17095 
17096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17097 	if (!msg)
17098 		return;
17099 
17100 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_SCHED_UPDATE_DONE);
17101 	if (!hdr)
17102 		goto nla_put_failure;
17103 
17104 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17105 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17106 			      NL80211_ATTR_PAD) ||
17107 	    (success &&
17108 	     nla_put_flag(msg, NL80211_ATTR_NAN_SCHED_UPDATE_SUCCESS)))
17109 		goto nla_put_failure;
17110 
17111 	genlmsg_end(msg, hdr);
17112 
17113 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
17114 
17115 	return;
17116 
17117 nla_put_failure:
17118 	nlmsg_free(msg);
17119 }
17120 EXPORT_SYMBOL(cfg80211_nan_sched_update_done);
17121 
17122 static int nl80211_parse_nan_channel(struct cfg80211_registered_device *rdev,
17123 				     struct nlattr *channel,
17124 				     struct genl_info *info,
17125 				     struct cfg80211_nan_channel *nan_channels,
17126 				     u8 index, bool local)
17127 {
17128 	struct nlattr **channel_parsed __free(kfree) = NULL;
17129 	struct cfg80211_chan_def chandef;
17130 	u8 n_rx_nss;
17131 	int ret;
17132 
17133 	channel_parsed = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*channel_parsed),
17134 				 GFP_KERNEL);
17135 	if (!channel_parsed)
17136 		return -ENOMEM;
17137 
17138 	ret = nla_parse_nested(channel_parsed, NL80211_ATTR_MAX, channel, NULL,
17139 			       info->extack);
17140 	if (ret)
17141 		return ret;
17142 
17143 	ret = nl80211_parse_chandef(rdev, info->extack, channel_parsed,
17144 				    &chandef, false);
17145 	if (ret)
17146 		return ret;
17147 
17148 	if (chandef.chan->band == NL80211_BAND_6GHZ) {
17149 		NL_SET_ERR_MSG(info->extack,
17150 			       "6 GHz band is not supported");
17151 		return -EOPNOTSUPP;
17152 	}
17153 
17154 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &chandef,
17155 				     NL80211_IFTYPE_NAN)) {
17156 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
17157 				    "Channel in NAN schedule is not allowed for NAN operation");
17158 		return -EINVAL;
17159 	}
17160 
17161 	if (local) {
17162 		for (int i = 0; i < index; i++) {
17163 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
17164 							&chandef)) {
17165 				NL_SET_ERR_MSG_ATTR(info->extack, channel,
17166 						    "Channels in NAN schedule must be mutually incompatible");
17167 				return -EINVAL;
17168 			}
17169 		}
17170 	}
17171 
17172 	if (!channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]) {
17173 		NL_SET_ERR_MSG(info->extack,
17174 			       "Missing NAN channel entry attribute");
17175 		return -EINVAL;
17176 	}
17177 
17178 	nan_channels[index].channel_entry =
17179 		nla_data(channel_parsed[NL80211_ATTR_NAN_CHANNEL_ENTRY]);
17180 
17181 	if (!channel_parsed[NL80211_ATTR_NAN_RX_NSS]) {
17182 		NL_SET_ERR_MSG(info->extack,
17183 			       "Missing NAN RX NSS attribute");
17184 		return -EINVAL;
17185 	}
17186 
17187 	nan_channels[index].rx_nss =
17188 		nla_get_u8(channel_parsed[NL80211_ATTR_NAN_RX_NSS]);
17189 
17190 	n_rx_nss = u8_get_bits(rdev->wiphy.nan_capa.n_antennas, 0x03);
17191 	if ((local && nan_channels[index].rx_nss > n_rx_nss) ||
17192 	    !nan_channels[index].rx_nss) {
17193 		NL_SET_ERR_MSG_ATTR(info->extack, channel,
17194 				    "Invalid RX NSS in NAN channel definition");
17195 		return -EINVAL;
17196 	}
17197 
17198 	nan_channels[index].chandef = chandef;
17199 
17200 	return 0;
17201 }
17202 
17203 static int
17204 nl80211_parse_nan_schedule(struct genl_info *info, struct nlattr *slots_attr,
17205 			   u8 schedule[CFG80211_NAN_SCHED_NUM_TIME_SLOTS],
17206 			   u8 n_channels)
17207 {
17208 	if (WARN_ON(nla_len(slots_attr) != CFG80211_NAN_SCHED_NUM_TIME_SLOTS))
17209 		return -EINVAL;
17210 
17211 	memcpy(schedule, nla_data(slots_attr), nla_len(slots_attr));
17212 
17213 	for (int slot = 0; slot < CFG80211_NAN_SCHED_NUM_TIME_SLOTS; slot++) {
17214 		if (schedule[slot] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
17215 		    schedule[slot] >= n_channels) {
17216 			NL_SET_ERR_MSG_FMT(info->extack,
17217 					   "Invalid time slot: slot %d refers to channel index %d, n_channels=%d",
17218 					   slot, schedule[slot], n_channels);
17219 			return -EINVAL;
17220 		}
17221 	}
17222 
17223 	return 0;
17224 }
17225 
17226 static int
17227 nl80211_parse_nan_peer_map(struct genl_info *info, struct nlattr *map_attr,
17228 			   struct cfg80211_nan_peer_map *map, u8 n_channels)
17229 {
17230 	struct nlattr *tb[NL80211_NAN_PEER_MAP_ATTR_MAX + 1];
17231 	int ret;
17232 
17233 	ret = nla_parse_nested(tb, NL80211_NAN_PEER_MAP_ATTR_MAX, map_attr,
17234 			       nl80211_nan_peer_map_policy, info->extack);
17235 	if (ret)
17236 		return ret;
17237 
17238 	if (!tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID] ||
17239 	    !tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS]) {
17240 		NL_SET_ERR_MSG(info->extack,
17241 			       "Missing required peer map attributes");
17242 		return -EINVAL;
17243 	}
17244 
17245 	map->map_id = nla_get_u8(tb[NL80211_NAN_PEER_MAP_ATTR_MAP_ID]);
17246 
17247 	/* Parse schedule */
17248 	return nl80211_parse_nan_schedule(info,
17249 					  tb[NL80211_NAN_PEER_MAP_ATTR_TIME_SLOTS],
17250 					  map->schedule, n_channels);
17251 }
17252 
17253 static int nl80211_nan_validate_map_pair(struct wiphy *wiphy,
17254 					 struct genl_info *info,
17255 					 const struct cfg80211_nan_peer_map *map1,
17256 					 const struct cfg80211_nan_peer_map *map2,
17257 					 struct cfg80211_nan_channel *nan_channels)
17258 {
17259 	/* Check for duplicate map_id */
17260 	if (map1->map_id == map2->map_id) {
17261 		NL_SET_ERR_MSG_FMT(info->extack, "Duplicate map_id %u",
17262 				   map1->map_id);
17263 		return -EINVAL;
17264 	}
17265 
17266 	/* Check for compatible channels between maps */
17267 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
17268 		if (map1->schedule[i] == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
17269 			continue;
17270 
17271 		for (int j = 0; j < ARRAY_SIZE(map2->schedule); j++) {
17272 			u8 ch1 = map1->schedule[i];
17273 			u8 ch2 = map2->schedule[j];
17274 
17275 			if (ch2 == NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
17276 				continue;
17277 
17278 			if (cfg80211_chandef_compatible(&nan_channels[ch1].chandef,
17279 							&nan_channels[ch2].chandef)) {
17280 				NL_SET_ERR_MSG_FMT(info->extack,
17281 						   "Maps %u and %u have compatible channels %d and %d",
17282 						   map1->map_id, map2->map_id,
17283 						   ch1, ch2);
17284 				return -EINVAL;
17285 			}
17286 		}
17287 	}
17288 
17289 	/*
17290 	 * Check for conflicting time slots between maps.
17291 	 * Only check for single-radio devices (n_radio <= 1) which cannot
17292 	 * operate on multiple channels simultaneously.
17293 	 */
17294 	if (wiphy->n_radio > 1)
17295 		return 0;
17296 
17297 	for (int i = 0; i < ARRAY_SIZE(map1->schedule); i++) {
17298 		if (map1->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT &&
17299 		    map2->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT) {
17300 			NL_SET_ERR_MSG_FMT(info->extack,
17301 					   "Maps %u and %u both schedule slot %d",
17302 					   map1->map_id, map2->map_id, i);
17303 			return -EINVAL;
17304 		}
17305 	}
17306 
17307 	return 0;
17308 }
17309 
17310 static int nl80211_nan_set_peer_sched(struct sk_buff *skb,
17311 				      struct genl_info *info)
17312 {
17313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17314 	struct cfg80211_nan_channel *nan_channels __free(kfree) = NULL;
17315 	struct cfg80211_nan_peer_sched sched = {};
17316 	struct wireless_dev *wdev = info->user_ptr[1];
17317 	struct nlattr *map_attr, *channel;
17318 	int ret, n_maps = 0, n_channels = 0, i = 0, rem;
17319 
17320 	if (wdev->iftype != NL80211_IFTYPE_NAN)
17321 		return -EOPNOTSUPP;
17322 
17323 	if (!info->attrs[NL80211_ATTR_MAC] ||
17324 	    !info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]) {
17325 		NL_SET_ERR_MSG(info->extack,
17326 			       "Required NAN peer schedule attributes are missing");
17327 		return -EINVAL;
17328 	}
17329 
17330 	/* First count how many channel attributes we got */
17331 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17332 				 info->nlhdr, GENL_HDRLEN, rem)
17333 		n_channels++;
17334 
17335 	if (!((info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
17336 	       info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && n_channels) ||
17337 	      ((!info->attrs[NL80211_ATTR_NAN_SEQ_ID] &&
17338 		!info->attrs[NL80211_ATTR_NAN_PEER_MAPS] && !n_channels)))) {
17339 		NL_SET_ERR_MSG(info->extack,
17340 			       "Either provide all of: seq id, channels and maps, or none");
17341 		return -EINVAL;
17342 	}
17343 
17344 	/*
17345 	 * Limit the number of peer channels to:
17346 	 * local_channels * 4 (possible BWs) * 2 (possible NSS values)
17347 	 */
17348 	if (n_channels && n_channels > wdev->u.nan.n_channels * 4 * 2) {
17349 		NL_SET_ERR_MSG_FMT(info->extack,
17350 				   "Too many peer channels: %d (max %d)",
17351 				   n_channels,
17352 				   wdev->u.nan.n_channels * 4 * 2);
17353 		return -EINVAL;
17354 	}
17355 
17356 	if (n_channels) {
17357 		nan_channels = kcalloc(n_channels, sizeof(*nan_channels),
17358 				       GFP_KERNEL);
17359 		if (!nan_channels)
17360 			return -ENOMEM;
17361 	}
17362 
17363 	/* Parse peer channels */
17364 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17365 				 info->nlhdr, GENL_HDRLEN, rem) {
17366 		bool compatible = false;
17367 
17368 		ret = nl80211_parse_nan_channel(rdev, channel, info,
17369 						nan_channels, i, false);
17370 		if (ret)
17371 			return ret;
17372 
17373 		/* Verify channel is compatible with at least one local channel */
17374 		for (int j = 0; j < wdev->u.nan.n_channels; j++) {
17375 			if (cfg80211_chandef_compatible(&nan_channels[i].chandef,
17376 							&wdev->u.nan.chandefs[j])) {
17377 				compatible = true;
17378 				break;
17379 			}
17380 		}
17381 		if (!compatible) {
17382 			NL_SET_ERR_MSG_FMT(info->extack,
17383 					   "Channel %d not compatible with any local channel",
17384 					   i);
17385 			return -EINVAL;
17386 		}
17387 		i++;
17388 	}
17389 
17390 	sched.n_channels = n_channels;
17391 	sched.nan_channels = nan_channels;
17392 	sched.peer_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17393 	sched.seq_id = nla_get_u8_default(info->attrs[NL80211_ATTR_NAN_SEQ_ID], 0);
17394 	sched.committed_dw = nla_get_u16(info->attrs[NL80211_ATTR_NAN_COMMITTED_DW]);
17395 	sched.max_chan_switch =
17396 		nla_get_u16_default(info->attrs[NL80211_ATTR_NAN_MAX_CHAN_SWITCH_TIME], 0);
17397 
17398 	if (info->attrs[NL80211_ATTR_NAN_ULW]) {
17399 		sched.ulw_size = nla_len(info->attrs[NL80211_ATTR_NAN_ULW]);
17400 		sched.init_ulw = nla_data(info->attrs[NL80211_ATTR_NAN_ULW]);
17401 	}
17402 
17403 	/* Initialize all maps as invalid */
17404 	for (int j = 0; j < ARRAY_SIZE(sched.maps); j++)
17405 		sched.maps[j].map_id = CFG80211_NAN_INVALID_MAP_ID;
17406 
17407 	if (info->attrs[NL80211_ATTR_NAN_PEER_MAPS]) {
17408 		/* Parse each map */
17409 		nla_for_each_nested(map_attr, info->attrs[NL80211_ATTR_NAN_PEER_MAPS],
17410 				    rem) {
17411 			if (n_maps >= ARRAY_SIZE(sched.maps)) {
17412 				NL_SET_ERR_MSG(info->extack, "Too many peer maps");
17413 				return -EINVAL;
17414 			}
17415 
17416 			ret = nl80211_parse_nan_peer_map(info, map_attr,
17417 							 &sched.maps[n_maps],
17418 							 n_channels);
17419 			if (ret)
17420 				return ret;
17421 
17422 			/* Validate against previous maps */
17423 			for (int j = 0; j < n_maps; j++) {
17424 				ret = nl80211_nan_validate_map_pair(&rdev->wiphy, info,
17425 								    &sched.maps[j],
17426 								    &sched.maps[n_maps],
17427 								    nan_channels);
17428 				if (ret)
17429 					return ret;
17430 			}
17431 
17432 			n_maps++;
17433 		}
17434 	}
17435 
17436 	/* Verify each channel is scheduled at least once */
17437 	for (int ch = 0; ch < n_channels; ch++) {
17438 		bool scheduled = false;
17439 
17440 		for (int m = 0; m < n_maps && !scheduled; m++) {
17441 			for (int s = 0; s < ARRAY_SIZE(sched.maps[m].schedule); s++) {
17442 				if (sched.maps[m].schedule[s] == ch) {
17443 					scheduled = true;
17444 					break;
17445 				}
17446 			}
17447 		}
17448 		if (!scheduled) {
17449 			NL_SET_ERR_MSG_FMT(info->extack,
17450 					   "Channel %d is not scheduled in any map",
17451 					   ch);
17452 			return -EINVAL;
17453 		}
17454 	}
17455 
17456 	return rdev_nan_set_peer_sched(rdev, wdev, &sched);
17457 }
17458 
17459 static bool nl80211_nan_is_sched_empty(struct cfg80211_nan_local_sched *sched)
17460 {
17461 	if (!sched->n_channels)
17462 		return true;
17463 
17464 	for (int i = 0; i < ARRAY_SIZE(sched->schedule); i++) {
17465 		if (sched->schedule[i] != NL80211_NAN_SCHED_NOT_AVAIL_SLOT)
17466 			return false;
17467 	}
17468 
17469 	return true;
17470 }
17471 
17472 static int nl80211_nan_set_local_sched(struct sk_buff *skb,
17473 				       struct genl_info *info)
17474 {
17475 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17476 	struct cfg80211_nan_local_sched *sched __free(kfree) = NULL;
17477 	struct wireless_dev *wdev = info->user_ptr[1];
17478 	int rem, i = 0, n_channels = 0, ret;
17479 	struct nlattr *channel;
17480 	bool sched_empty;
17481 
17482 	if (wdev->iftype != NL80211_IFTYPE_NAN)
17483 		return -EOPNOTSUPP;
17484 
17485 	if (!wdev_running(wdev))
17486 		return -ENOTCONN;
17487 
17488 	if (!info->attrs[NL80211_ATTR_NAN_TIME_SLOTS])
17489 		return -EINVAL;
17490 
17491 	/* First count how many channel attributes we got */
17492 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17493 				 info->nlhdr, GENL_HDRLEN, rem)
17494 		n_channels++;
17495 
17496 	sched = kzalloc(struct_size(sched, nan_channels, n_channels),
17497 			GFP_KERNEL);
17498 	if (!sched)
17499 		return -ENOMEM;
17500 
17501 	sched->n_channels = n_channels;
17502 
17503 	nlmsg_for_each_attr_type(channel, NL80211_ATTR_NAN_CHANNEL,
17504 				 info->nlhdr, GENL_HDRLEN, rem) {
17505 		ret = nl80211_parse_nan_channel(rdev, channel, info,
17506 						sched->nan_channels, i, true);
17507 
17508 		if (ret)
17509 			return ret;
17510 		i++;
17511 	}
17512 
17513 	/* Parse and validate schedule */
17514 	ret = nl80211_parse_nan_schedule(info,
17515 					 info->attrs[NL80211_ATTR_NAN_TIME_SLOTS],
17516 					 sched->schedule, sched->n_channels);
17517 	if (ret)
17518 		return ret;
17519 
17520 	sched_empty = nl80211_nan_is_sched_empty(sched);
17521 
17522 	sched->deferred =
17523 		nla_get_flag(info->attrs[NL80211_ATTR_NAN_SCHED_DEFERRED]);
17524 
17525 	if (sched_empty) {
17526 		if (sched->deferred) {
17527 			NL_SET_ERR_MSG(info->extack,
17528 				       "Schedule cannot be deferred if all time slots are unavailable");
17529 			return -EINVAL;
17530 		}
17531 
17532 		if (info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17533 			NL_SET_ERR_MSG(info->extack,
17534 				       "NAN Availability blob must be empty if all time slots are unavailable");
17535 			return -EINVAL;
17536 		}
17537 	} else {
17538 		if (!info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]) {
17539 			NL_SET_ERR_MSG(info->extack,
17540 				       "NAN Availability blob attribute is required");
17541 			return -EINVAL;
17542 		}
17543 
17544 		sched->nan_avail_blob =
17545 			nla_data(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17546 		sched->nan_avail_blob_len =
17547 			nla_len(info->attrs[NL80211_ATTR_NAN_AVAIL_BLOB]);
17548 	}
17549 
17550 	return cfg80211_nan_set_local_schedule(rdev, wdev, sched);
17551 }
17552 
17553 static int nl80211_get_protocol_features(struct sk_buff *skb,
17554 					 struct genl_info *info)
17555 {
17556 	void *hdr;
17557 	struct sk_buff *msg;
17558 
17559 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17560 	if (!msg)
17561 		return -ENOMEM;
17562 
17563 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17564 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
17565 	if (!hdr)
17566 		goto nla_put_failure;
17567 
17568 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
17569 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
17570 		goto nla_put_failure;
17571 
17572 	genlmsg_end(msg, hdr);
17573 	return genlmsg_reply(msg, info);
17574 
17575  nla_put_failure:
17576 	kfree_skb(msg);
17577 	return -ENOBUFS;
17578 }
17579 
17580 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
17581 {
17582 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17583 	struct cfg80211_update_ft_ies_params ft_params;
17584 	struct net_device *dev = info->user_ptr[1];
17585 
17586 	if (!rdev->ops->update_ft_ies)
17587 		return -EOPNOTSUPP;
17588 
17589 	if (!info->attrs[NL80211_ATTR_MDID] ||
17590 	    !info->attrs[NL80211_ATTR_IE])
17591 		return -EINVAL;
17592 
17593 	memset(&ft_params, 0, sizeof(ft_params));
17594 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
17595 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17596 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17597 
17598 	return rdev_update_ft_ies(rdev, dev, &ft_params);
17599 }
17600 
17601 static int nl80211_crit_protocol_start(struct sk_buff *skb,
17602 				       struct genl_info *info)
17603 {
17604 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17605 	struct wireless_dev *wdev = info->user_ptr[1];
17606 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
17607 	u16 duration;
17608 	int ret;
17609 
17610 	if (!rdev->ops->crit_proto_start)
17611 		return -EOPNOTSUPP;
17612 
17613 	if (WARN_ON(!rdev->ops->crit_proto_stop))
17614 		return -EINVAL;
17615 
17616 	if (rdev->crit_proto_nlportid)
17617 		return -EBUSY;
17618 
17619 	/* determine protocol if provided */
17620 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
17621 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
17622 
17623 	if (proto >= NUM_NL80211_CRIT_PROTO)
17624 		return -EINVAL;
17625 
17626 	/* timeout must be provided */
17627 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
17628 		return -EINVAL;
17629 
17630 	duration =
17631 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
17632 
17633 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
17634 	if (!ret)
17635 		rdev->crit_proto_nlportid = info->snd_portid;
17636 
17637 	return ret;
17638 }
17639 
17640 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
17641 				      struct genl_info *info)
17642 {
17643 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17644 	struct wireless_dev *wdev = info->user_ptr[1];
17645 
17646 	if (!rdev->ops->crit_proto_stop)
17647 		return -EOPNOTSUPP;
17648 
17649 	if (rdev->crit_proto_nlportid) {
17650 		rdev->crit_proto_nlportid = 0;
17651 		rdev_crit_proto_stop(rdev, wdev);
17652 	}
17653 	return 0;
17654 }
17655 
17656 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
17657 				       struct nlattr *attr,
17658 				       struct netlink_ext_ack *extack)
17659 {
17660 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
17661 		if (attr->nla_type & NLA_F_NESTED) {
17662 			NL_SET_ERR_MSG_ATTR(extack, attr,
17663 					    "unexpected nested data");
17664 			return -EINVAL;
17665 		}
17666 
17667 		return 0;
17668 	}
17669 
17670 	if (!(attr->nla_type & NLA_F_NESTED)) {
17671 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
17672 		return -EINVAL;
17673 	}
17674 
17675 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
17676 }
17677 
17678 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
17679 {
17680 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17681 	struct wireless_dev *wdev =
17682 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
17683 					   info->attrs);
17684 	int i, err;
17685 	u32 vid, subcmd;
17686 
17687 	if (!rdev->wiphy.vendor_commands)
17688 		return -EOPNOTSUPP;
17689 
17690 	if (IS_ERR(wdev)) {
17691 		err = PTR_ERR(wdev);
17692 		if (err != -EINVAL)
17693 			return err;
17694 		wdev = NULL;
17695 	} else if (wdev->wiphy != &rdev->wiphy) {
17696 		return -EINVAL;
17697 	}
17698 
17699 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
17700 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
17701 		return -EINVAL;
17702 
17703 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
17704 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
17705 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
17706 		const struct wiphy_vendor_command *vcmd;
17707 		void *data = NULL;
17708 		int len = 0;
17709 
17710 		vcmd = &rdev->wiphy.vendor_commands[i];
17711 
17712 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17713 			continue;
17714 
17715 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17716 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17717 			if (!wdev)
17718 				return -EINVAL;
17719 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17720 			    !wdev->netdev)
17721 				return -EINVAL;
17722 
17723 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17724 				if (!wdev_running(wdev))
17725 					return -ENETDOWN;
17726 			}
17727 		} else {
17728 			wdev = NULL;
17729 		}
17730 
17731 		if (!vcmd->doit)
17732 			return -EOPNOTSUPP;
17733 
17734 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
17735 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17736 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
17737 
17738 			err = nl80211_vendor_check_policy(vcmd,
17739 					info->attrs[NL80211_ATTR_VENDOR_DATA],
17740 					info->extack);
17741 			if (err)
17742 				return err;
17743 		}
17744 
17745 		rdev->cur_cmd_info = info;
17746 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
17747 		rdev->cur_cmd_info = NULL;
17748 		return err;
17749 	}
17750 
17751 	return -EOPNOTSUPP;
17752 }
17753 
17754 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
17755 				       struct netlink_callback *cb,
17756 				       struct cfg80211_registered_device **rdev,
17757 				       struct wireless_dev **wdev)
17758 {
17759 	struct nlattr **attrbuf;
17760 	u32 vid, subcmd;
17761 	unsigned int i;
17762 	int vcmd_idx = -1;
17763 	int err;
17764 	void *data = NULL;
17765 	unsigned int data_len = 0;
17766 
17767 	if (cb->args[0]) {
17768 		/* subtract the 1 again here */
17769 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
17770 		struct wireless_dev *tmp;
17771 
17772 		if (!wiphy)
17773 			return -ENODEV;
17774 		*rdev = wiphy_to_rdev(wiphy);
17775 		*wdev = NULL;
17776 
17777 		if (cb->args[1]) {
17778 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
17779 				if (tmp->identifier == cb->args[1] - 1) {
17780 					*wdev = tmp;
17781 					break;
17782 				}
17783 			}
17784 		}
17785 
17786 		/* keep rtnl locked in successful case */
17787 		return 0;
17788 	}
17789 
17790 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
17791 	if (!attrbuf)
17792 		return -ENOMEM;
17793 
17794 	err = nlmsg_parse_deprecated(cb->nlh,
17795 				     GENL_HDRLEN + nl80211_fam.hdrsize,
17796 				     attrbuf, nl80211_fam.maxattr,
17797 				     nl80211_policy, NULL);
17798 	if (err)
17799 		goto out;
17800 
17801 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
17802 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
17803 		err = -EINVAL;
17804 		goto out;
17805 	}
17806 
17807 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
17808 	if (IS_ERR(*wdev))
17809 		*wdev = NULL;
17810 
17811 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
17812 	if (IS_ERR(*rdev)) {
17813 		err = PTR_ERR(*rdev);
17814 		goto out;
17815 	}
17816 
17817 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
17818 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
17819 
17820 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
17821 		const struct wiphy_vendor_command *vcmd;
17822 
17823 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
17824 
17825 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
17826 			continue;
17827 
17828 		if (!vcmd->dumpit) {
17829 			err = -EOPNOTSUPP;
17830 			goto out;
17831 		}
17832 
17833 		vcmd_idx = i;
17834 		break;
17835 	}
17836 
17837 	if (vcmd_idx < 0) {
17838 		err = -EOPNOTSUPP;
17839 		goto out;
17840 	}
17841 
17842 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
17843 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17844 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
17845 
17846 		err = nl80211_vendor_check_policy(
17847 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
17848 				attrbuf[NL80211_ATTR_VENDOR_DATA],
17849 				cb->extack);
17850 		if (err)
17851 			goto out;
17852 	}
17853 
17854 	/* 0 is the first index - add 1 to parse only once */
17855 	cb->args[0] = (*rdev)->wiphy_idx + 1;
17856 	/* add 1 to know if it was NULL */
17857 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
17858 	cb->args[2] = vcmd_idx;
17859 	cb->args[3] = (unsigned long)data;
17860 	cb->args[4] = data_len;
17861 
17862 	/* keep rtnl locked in successful case */
17863 	err = 0;
17864 out:
17865 	kfree(attrbuf);
17866 	return err;
17867 }
17868 
17869 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
17870 				   struct netlink_callback *cb)
17871 {
17872 	struct cfg80211_registered_device *rdev;
17873 	struct wireless_dev *wdev;
17874 	unsigned int vcmd_idx;
17875 	const struct wiphy_vendor_command *vcmd;
17876 	void *data;
17877 	int data_len;
17878 	int err;
17879 	struct nlattr *vendor_data;
17880 
17881 	rtnl_lock();
17882 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
17883 	if (err)
17884 		goto out;
17885 
17886 	vcmd_idx = cb->args[2];
17887 	data = (void *)cb->args[3];
17888 	data_len = cb->args[4];
17889 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
17890 
17891 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
17892 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
17893 		if (!wdev) {
17894 			err = -EINVAL;
17895 			goto out;
17896 		}
17897 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
17898 		    !wdev->netdev) {
17899 			err = -EINVAL;
17900 			goto out;
17901 		}
17902 
17903 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
17904 			if (!wdev_running(wdev)) {
17905 				err = -ENETDOWN;
17906 				goto out;
17907 			}
17908 		}
17909 	}
17910 
17911 	while (1) {
17912 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
17913 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
17914 					   NL80211_CMD_VENDOR);
17915 		if (!hdr)
17916 			break;
17917 
17918 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17919 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
17920 					       wdev_id(wdev),
17921 					       NL80211_ATTR_PAD))) {
17922 			genlmsg_cancel(skb, hdr);
17923 			break;
17924 		}
17925 
17926 		vendor_data = nla_nest_start_noflag(skb,
17927 						    NL80211_ATTR_VENDOR_DATA);
17928 		if (!vendor_data) {
17929 			genlmsg_cancel(skb, hdr);
17930 			break;
17931 		}
17932 
17933 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
17934 				   (unsigned long *)&cb->args[5]);
17935 		nla_nest_end(skb, vendor_data);
17936 
17937 		if (err == -ENOBUFS || err == -ENOENT) {
17938 			genlmsg_cancel(skb, hdr);
17939 			break;
17940 		} else if (err <= 0) {
17941 			genlmsg_cancel(skb, hdr);
17942 			goto out;
17943 		}
17944 
17945 		genlmsg_end(skb, hdr);
17946 	}
17947 
17948 	err = skb->len;
17949  out:
17950 	rtnl_unlock();
17951 	return err;
17952 }
17953 
17954 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
17955 					   enum nl80211_commands cmd,
17956 					   enum nl80211_attrs attr,
17957 					   int approxlen)
17958 {
17959 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17960 
17961 	if (WARN_ON(!rdev->cur_cmd_info))
17962 		return NULL;
17963 
17964 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
17965 					   rdev->cur_cmd_info->snd_portid,
17966 					   rdev->cur_cmd_info->snd_seq,
17967 					   cmd, attr, NULL, GFP_KERNEL);
17968 }
17969 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
17970 
17971 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
17972 {
17973 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
17974 	void *hdr = ((void **)skb->cb)[1];
17975 	struct nlattr *data = ((void **)skb->cb)[2];
17976 
17977 	/* clear CB data for netlink core to own from now on */
17978 	memset(skb->cb, 0, sizeof(skb->cb));
17979 
17980 	if (WARN_ON(!rdev->cur_cmd_info)) {
17981 		kfree_skb(skb);
17982 		return -EINVAL;
17983 	}
17984 
17985 	nla_nest_end(skb, data);
17986 	genlmsg_end(skb, hdr);
17987 	return genlmsg_reply(skb, rdev->cur_cmd_info);
17988 }
17989 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
17990 
17991 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
17992 {
17993 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17994 
17995 	if (WARN_ON(!rdev->cur_cmd_info))
17996 		return 0;
17997 
17998 	return rdev->cur_cmd_info->snd_portid;
17999 }
18000 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
18001 
18002 static int nl80211_set_qos_map(struct sk_buff *skb,
18003 			       struct genl_info *info)
18004 {
18005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18006 	struct cfg80211_qos_map *qos_map = NULL;
18007 	struct net_device *dev = info->user_ptr[1];
18008 	u8 *pos, len, num_des, des_len, des;
18009 	int ret;
18010 
18011 	if (!rdev->ops->set_qos_map)
18012 		return -EOPNOTSUPP;
18013 
18014 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
18015 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
18016 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
18017 
18018 		if (len % 2)
18019 			return -EINVAL;
18020 
18021 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
18022 		if (!qos_map)
18023 			return -ENOMEM;
18024 
18025 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
18026 		if (num_des) {
18027 			des_len = num_des *
18028 				sizeof(struct cfg80211_dscp_exception);
18029 			memcpy(qos_map->dscp_exception, pos, des_len);
18030 			qos_map->num_des = num_des;
18031 			for (des = 0; des < num_des; des++) {
18032 				if (qos_map->dscp_exception[des].up > 7) {
18033 					kfree(qos_map);
18034 					return -EINVAL;
18035 				}
18036 			}
18037 			pos += des_len;
18038 		}
18039 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
18040 	}
18041 
18042 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
18043 	if (!ret)
18044 		ret = rdev_set_qos_map(rdev, dev, qos_map);
18045 
18046 	kfree(qos_map);
18047 	return ret;
18048 }
18049 
18050 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
18051 {
18052 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18053 	struct net_device *dev = info->user_ptr[1];
18054 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18055 	const u8 *peer;
18056 	u8 tsid, up;
18057 	u16 admitted_time = 0;
18058 
18059 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
18060 		return -EOPNOTSUPP;
18061 
18062 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
18063 	    !info->attrs[NL80211_ATTR_USER_PRIO])
18064 		return -EINVAL;
18065 
18066 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
18067 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
18068 
18069 	/* WMM uses TIDs 0-7 even for TSPEC */
18070 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
18071 		/* TODO: handle 802.11 TSPEC/admission control
18072 		 * need more attributes for that (e.g. BA session requirement);
18073 		 * change the WMM admission test above to allow both then
18074 		 */
18075 		return -EINVAL;
18076 	}
18077 
18078 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
18079 
18080 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
18081 		admitted_time =
18082 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
18083 		if (!admitted_time)
18084 			return -EINVAL;
18085 	}
18086 
18087 	switch (wdev->iftype) {
18088 	case NL80211_IFTYPE_STATION:
18089 	case NL80211_IFTYPE_P2P_CLIENT:
18090 		if (wdev->connected)
18091 			break;
18092 		return -ENOTCONN;
18093 	default:
18094 		return -EOPNOTSUPP;
18095 	}
18096 
18097 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
18098 }
18099 
18100 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
18101 {
18102 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18103 	struct net_device *dev = info->user_ptr[1];
18104 	const u8 *peer;
18105 	u8 tsid;
18106 
18107 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
18108 		return -EINVAL;
18109 
18110 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
18111 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
18112 
18113 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
18114 }
18115 
18116 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
18117 				       struct genl_info *info)
18118 {
18119 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18120 	struct net_device *dev = info->user_ptr[1];
18121 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18122 	struct cfg80211_chan_def chandef = {};
18123 	const u8 *addr;
18124 	u8 oper_class;
18125 	int err;
18126 
18127 	if (!rdev->ops->tdls_channel_switch ||
18128 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
18129 		return -EOPNOTSUPP;
18130 
18131 	switch (dev->ieee80211_ptr->iftype) {
18132 	case NL80211_IFTYPE_STATION:
18133 	case NL80211_IFTYPE_P2P_CLIENT:
18134 		break;
18135 	default:
18136 		return -EOPNOTSUPP;
18137 	}
18138 
18139 	if (!info->attrs[NL80211_ATTR_MAC] ||
18140 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
18141 		return -EINVAL;
18142 
18143 	err = nl80211_parse_chandef(rdev, info->extack, info->attrs, &chandef,
18144 				    false);
18145 	if (err)
18146 		return err;
18147 
18148 	/*
18149 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
18150 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
18151 	 * specification is not defined for them.
18152 	 */
18153 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
18154 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
18155 	    chandef.width != NL80211_CHAN_WIDTH_20)
18156 		return -EINVAL;
18157 
18158 	/* we will be active on the TDLS link */
18159 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
18160 					   wdev->iftype))
18161 		return -EINVAL;
18162 
18163 	/* don't allow switching to DFS channels */
18164 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
18165 		return -EINVAL;
18166 
18167 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18168 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
18169 
18170 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
18171 }
18172 
18173 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
18174 					      struct genl_info *info)
18175 {
18176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18177 	struct net_device *dev = info->user_ptr[1];
18178 	const u8 *addr;
18179 
18180 	if (!rdev->ops->tdls_channel_switch ||
18181 	    !rdev->ops->tdls_cancel_channel_switch ||
18182 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
18183 		return -EOPNOTSUPP;
18184 
18185 	switch (dev->ieee80211_ptr->iftype) {
18186 	case NL80211_IFTYPE_STATION:
18187 	case NL80211_IFTYPE_P2P_CLIENT:
18188 		break;
18189 	default:
18190 		return -EOPNOTSUPP;
18191 	}
18192 
18193 	if (!info->attrs[NL80211_ATTR_MAC])
18194 		return -EINVAL;
18195 
18196 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18197 
18198 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
18199 
18200 	return 0;
18201 }
18202 
18203 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
18204 					    struct genl_info *info)
18205 {
18206 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18207 	struct net_device *dev = info->user_ptr[1];
18208 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18209 	const struct nlattr *nla;
18210 	bool enabled;
18211 
18212 	if (!rdev->ops->set_multicast_to_unicast)
18213 		return -EOPNOTSUPP;
18214 
18215 	if (wdev->iftype != NL80211_IFTYPE_AP &&
18216 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
18217 		return -EOPNOTSUPP;
18218 
18219 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
18220 	enabled = nla_get_flag(nla);
18221 
18222 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
18223 }
18224 
18225 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
18226 {
18227 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18228 	struct net_device *dev = info->user_ptr[1];
18229 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18230 	struct cfg80211_pmk_conf pmk_conf = {};
18231 
18232 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18233 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18234 		return -EOPNOTSUPP;
18235 
18236 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18237 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
18238 		return -EOPNOTSUPP;
18239 
18240 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
18241 		return -EINVAL;
18242 
18243 	if (!wdev->connected)
18244 		return -ENOTCONN;
18245 
18246 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
18247 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
18248 		return -EINVAL;
18249 
18250 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
18251 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
18252 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
18253 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
18254 		return -EINVAL;
18255 
18256 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
18257 		pmk_conf.pmk_r0_name =
18258 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
18259 
18260 	return rdev_set_pmk(rdev, dev, &pmk_conf);
18261 }
18262 
18263 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
18264 {
18265 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18266 	struct net_device *dev = info->user_ptr[1];
18267 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18268 	const u8 *aa;
18269 
18270 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
18271 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
18272 		return -EOPNOTSUPP;
18273 
18274 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18275 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
18276 		return -EOPNOTSUPP;
18277 
18278 	if (!info->attrs[NL80211_ATTR_MAC])
18279 		return -EINVAL;
18280 
18281 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
18282 	return rdev_del_pmk(rdev, dev, aa);
18283 }
18284 
18285 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
18286 {
18287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18288 	struct net_device *dev = info->user_ptr[1];
18289 	struct cfg80211_external_auth_params params;
18290 
18291 	if (!rdev->ops->external_auth)
18292 		return -EOPNOTSUPP;
18293 
18294 	if (!info->attrs[NL80211_ATTR_SSID] &&
18295 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
18296 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
18297 		return -EINVAL;
18298 
18299 	if (!info->attrs[NL80211_ATTR_BSSID])
18300 		return -EINVAL;
18301 
18302 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
18303 		return -EINVAL;
18304 
18305 	memset(&params, 0, sizeof(params));
18306 
18307 	if (info->attrs[NL80211_ATTR_SSID]) {
18308 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
18309 		if (params.ssid.ssid_len == 0)
18310 			return -EINVAL;
18311 		memcpy(params.ssid.ssid,
18312 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
18313 		       params.ssid.ssid_len);
18314 	}
18315 
18316 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
18317 	       ETH_ALEN);
18318 
18319 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
18320 
18321 	if (info->attrs[NL80211_ATTR_PMKID])
18322 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
18323 
18324 	return rdev_external_auth(rdev, dev, &params);
18325 }
18326 
18327 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
18328 {
18329 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
18330 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18331 	struct net_device *dev = info->user_ptr[1];
18332 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18333 	const u8 *buf;
18334 	size_t len;
18335 	u8 *dest;
18336 	u16 proto;
18337 	bool noencrypt;
18338 	u64 cookie = 0;
18339 	int link_id;
18340 	int err;
18341 
18342 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18343 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
18344 		return -EOPNOTSUPP;
18345 
18346 	if (!rdev->ops->tx_control_port)
18347 		return -EOPNOTSUPP;
18348 
18349 	if (!info->attrs[NL80211_ATTR_FRAME] ||
18350 	    !info->attrs[NL80211_ATTR_MAC] ||
18351 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
18352 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
18353 		return -EINVAL;
18354 	}
18355 
18356 	switch (wdev->iftype) {
18357 	case NL80211_IFTYPE_AP:
18358 	case NL80211_IFTYPE_P2P_GO:
18359 	case NL80211_IFTYPE_MESH_POINT:
18360 		break;
18361 	case NL80211_IFTYPE_ADHOC:
18362 		if (wdev->u.ibss.current_bss)
18363 			break;
18364 		return -ENOTCONN;
18365 	case NL80211_IFTYPE_STATION:
18366 	case NL80211_IFTYPE_P2P_CLIENT:
18367 		if (wdev->connected)
18368 			break;
18369 		return -ENOTCONN;
18370 	default:
18371 		return -EOPNOTSUPP;
18372 	}
18373 
18374 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
18375 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
18376 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
18377 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
18378 	noencrypt =
18379 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
18380 
18381 	link_id = nl80211_link_id_or_invalid(info->attrs);
18382 
18383 	err = rdev_tx_control_port(rdev, dev, buf, len,
18384 				   dest, cpu_to_be16(proto), noencrypt, link_id,
18385 				   dont_wait_for_ack ? NULL : &cookie);
18386 	if (!err && !dont_wait_for_ack)
18387 		nl_set_extack_cookie_u64(info->extack, cookie);
18388 	return err;
18389 }
18390 
18391 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
18392 					   struct genl_info *info)
18393 {
18394 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18395 	struct net_device *dev = info->user_ptr[1];
18396 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18397 	struct cfg80211_ftm_responder_stats ftm_stats = {};
18398 	unsigned int link_id = nl80211_link_id(info->attrs);
18399 	struct sk_buff *msg;
18400 	void *hdr;
18401 	struct nlattr *ftm_stats_attr;
18402 	int err;
18403 
18404 	if (wdev->iftype != NL80211_IFTYPE_AP ||
18405 	    !wdev->links[link_id].ap.beacon_interval)
18406 		return -EOPNOTSUPP;
18407 
18408 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
18409 	if (err)
18410 		return err;
18411 
18412 	if (!ftm_stats.filled)
18413 		return -ENODATA;
18414 
18415 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18416 	if (!msg)
18417 		return -ENOMEM;
18418 
18419 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
18420 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
18421 	if (!hdr)
18422 		goto nla_put_failure;
18423 
18424 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18425 		goto nla_put_failure;
18426 
18427 	ftm_stats_attr = nla_nest_start_noflag(msg,
18428 					       NL80211_ATTR_FTM_RESPONDER_STATS);
18429 	if (!ftm_stats_attr)
18430 		goto nla_put_failure;
18431 
18432 #define SET_FTM(field, name, type)					 \
18433 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18434 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
18435 			     ftm_stats.field))				 \
18436 		goto nla_put_failure; } while (0)
18437 #define SET_FTM_U64(field, name)					 \
18438 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
18439 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
18440 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
18441 		goto nla_put_failure; } while (0)
18442 
18443 	SET_FTM(success_num, SUCCESS_NUM, u32);
18444 	SET_FTM(partial_num, PARTIAL_NUM, u32);
18445 	SET_FTM(failed_num, FAILED_NUM, u32);
18446 	SET_FTM(asap_num, ASAP_NUM, u32);
18447 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
18448 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
18449 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
18450 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
18451 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
18452 #undef SET_FTM
18453 
18454 	nla_nest_end(msg, ftm_stats_attr);
18455 
18456 	genlmsg_end(msg, hdr);
18457 	return genlmsg_reply(msg, info);
18458 
18459 nla_put_failure:
18460 	nlmsg_free(msg);
18461 	return -ENOBUFS;
18462 }
18463 
18464 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
18465 {
18466 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18467 	struct cfg80211_update_owe_info owe_info;
18468 	struct net_device *dev = info->user_ptr[1];
18469 
18470 	if (!rdev->ops->update_owe_info)
18471 		return -EOPNOTSUPP;
18472 
18473 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
18474 	    !info->attrs[NL80211_ATTR_MAC])
18475 		return -EINVAL;
18476 
18477 	memset(&owe_info, 0, sizeof(owe_info));
18478 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
18479 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
18480 
18481 	if (info->attrs[NL80211_ATTR_IE]) {
18482 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
18483 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
18484 	}
18485 
18486 	return rdev_update_owe_info(rdev, dev, &owe_info);
18487 }
18488 
18489 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
18490 {
18491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18492 	struct net_device *dev = info->user_ptr[1];
18493 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18494 	struct station_info sinfo = {};
18495 	const u8 *buf;
18496 	size_t len;
18497 	u8 *dest;
18498 	int err;
18499 
18500 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
18501 		return -EOPNOTSUPP;
18502 
18503 	if (!info->attrs[NL80211_ATTR_MAC] ||
18504 	    !info->attrs[NL80211_ATTR_FRAME]) {
18505 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
18506 		return -EINVAL;
18507 	}
18508 
18509 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
18510 		return -EOPNOTSUPP;
18511 
18512 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
18513 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
18514 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
18515 
18516 	if (len < sizeof(struct ethhdr))
18517 		return -EINVAL;
18518 
18519 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
18520 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
18521 		return -EINVAL;
18522 
18523 	err = rdev_get_station(rdev, wdev, dest, &sinfo);
18524 	if (err)
18525 		return err;
18526 
18527 	cfg80211_sinfo_release_content(&sinfo);
18528 
18529 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
18530 }
18531 
18532 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
18533 			  struct nlattr *attrs[], struct net_device *dev,
18534 			  struct cfg80211_tid_cfg *tid_conf,
18535 			  struct genl_info *info, const u8 *peer,
18536 			  unsigned int link_id)
18537 {
18538 	struct netlink_ext_ack *extack = info->extack;
18539 	u64 mask;
18540 	int err;
18541 
18542 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
18543 		return -EINVAL;
18544 
18545 	tid_conf->config_override =
18546 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
18547 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
18548 
18549 	if (tid_conf->config_override) {
18550 		if (rdev->ops->reset_tid_config) {
18551 			err = rdev_reset_tid_config(rdev, dev, peer,
18552 						    tid_conf->tids);
18553 			if (err)
18554 				return err;
18555 		} else {
18556 			return -EINVAL;
18557 		}
18558 	}
18559 
18560 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
18561 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
18562 		tid_conf->noack =
18563 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
18564 	}
18565 
18566 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
18567 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
18568 		tid_conf->retry_short =
18569 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
18570 
18571 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
18572 			return -EINVAL;
18573 	}
18574 
18575 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
18576 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
18577 		tid_conf->retry_long =
18578 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
18579 
18580 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
18581 			return -EINVAL;
18582 	}
18583 
18584 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
18585 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
18586 		tid_conf->ampdu =
18587 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
18588 	}
18589 
18590 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
18591 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
18592 		tid_conf->rtscts =
18593 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
18594 	}
18595 
18596 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
18597 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
18598 		tid_conf->amsdu =
18599 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
18600 	}
18601 
18602 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
18603 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
18604 
18605 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
18606 
18607 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
18608 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
18609 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
18610 						    &tid_conf->txrate_mask, dev,
18611 						    true, link_id);
18612 			if (err)
18613 				return err;
18614 
18615 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
18616 		}
18617 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
18618 	}
18619 
18620 	if (peer)
18621 		mask = rdev->wiphy.tid_config_support.peer;
18622 	else
18623 		mask = rdev->wiphy.tid_config_support.vif;
18624 
18625 	if (tid_conf->mask & ~mask) {
18626 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
18627 		return -EOPNOTSUPP;
18628 	}
18629 
18630 	return 0;
18631 }
18632 
18633 static int nl80211_set_tid_config(struct sk_buff *skb,
18634 				  struct genl_info *info)
18635 {
18636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18637 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
18638 	unsigned int link_id = nl80211_link_id(info->attrs);
18639 	struct net_device *dev = info->user_ptr[1];
18640 	struct cfg80211_tid_config *tid_config;
18641 	struct nlattr *tid;
18642 	int conf_idx = 0, rem_conf;
18643 	int ret = -EINVAL;
18644 	u32 num_conf = 0;
18645 
18646 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
18647 		return -EINVAL;
18648 
18649 	if (!rdev->ops->set_tid_config)
18650 		return -EOPNOTSUPP;
18651 
18652 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18653 			    rem_conf)
18654 		num_conf++;
18655 
18656 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf);
18657 	if (!tid_config)
18658 		return -ENOMEM;
18659 
18660 	tid_config->n_tid_conf = num_conf;
18661 
18662 	if (info->attrs[NL80211_ATTR_MAC])
18663 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
18664 
18665 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
18666 			    rem_conf) {
18667 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
18668 				       tid, NULL, NULL);
18669 
18670 		if (ret)
18671 			goto bad_tid_conf;
18672 
18673 		ret = parse_tid_conf(rdev, attrs, dev,
18674 				     &tid_config->tid_conf[conf_idx],
18675 				     info, tid_config->peer, link_id);
18676 		if (ret)
18677 			goto bad_tid_conf;
18678 
18679 		conf_idx++;
18680 	}
18681 
18682 	ret = rdev_set_tid_config(rdev, dev, tid_config);
18683 
18684 bad_tid_conf:
18685 	kfree(tid_config);
18686 	return ret;
18687 }
18688 
18689 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
18690 {
18691 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18692 	struct cfg80211_color_change_settings params = {};
18693 	struct net_device *dev = info->user_ptr[1];
18694 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18695 	struct nlattr **tb;
18696 	u16 offset;
18697 	int err;
18698 
18699 	if (!rdev->ops->color_change)
18700 		return -EOPNOTSUPP;
18701 
18702 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
18703 				     NL80211_EXT_FEATURE_BSS_COLOR))
18704 		return -EOPNOTSUPP;
18705 
18706 	if (wdev->iftype != NL80211_IFTYPE_AP)
18707 		return -EOPNOTSUPP;
18708 
18709 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
18710 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
18711 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
18712 		return -EINVAL;
18713 
18714 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
18715 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
18716 
18717 	params.link_id = nl80211_link_id(info->attrs);
18718 	if (!wdev->links[params.link_id].ap.beacon_interval)
18719 		return -EINVAL;
18720 
18721 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
18722 				   wdev->links[params.link_id].ap.chandef.chan,
18723 				   info->extack);
18724 	if (err)
18725 		return err;
18726 
18727 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
18728 	if (!tb)
18729 		return -ENOMEM;
18730 
18731 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
18732 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
18733 			       nl80211_policy, info->extack);
18734 	if (err)
18735 		goto out;
18736 
18737 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
18738 				   wdev->links[params.link_id].ap.chandef.chan,
18739 				   info->extack);
18740 	if (err)
18741 		goto out;
18742 
18743 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
18744 		err = -EINVAL;
18745 		goto out;
18746 	}
18747 
18748 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
18749 		err = -EINVAL;
18750 		goto out;
18751 	}
18752 
18753 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
18754 	if (offset >= params.beacon_color_change.tail_len) {
18755 		err = -EINVAL;
18756 		goto out;
18757 	}
18758 
18759 	if (params.beacon_color_change.tail[offset] != params.count) {
18760 		err = -EINVAL;
18761 		goto out;
18762 	}
18763 
18764 	params.counter_offset_beacon = offset;
18765 
18766 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
18767 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
18768 		    sizeof(u16)) {
18769 			err = -EINVAL;
18770 			goto out;
18771 		}
18772 
18773 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
18774 		if (offset >= params.beacon_color_change.probe_resp_len) {
18775 			err = -EINVAL;
18776 			goto out;
18777 		}
18778 
18779 		if (params.beacon_color_change.probe_resp[offset] !=
18780 		    params.count) {
18781 			err = -EINVAL;
18782 			goto out;
18783 		}
18784 
18785 		params.counter_offset_presp = offset;
18786 	}
18787 
18788 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
18789 		err = nl80211_parse_unsol_bcast_probe_resp(
18790 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
18791 			&params.unsol_bcast_probe_resp);
18792 		if (err)
18793 			goto out;
18794 	}
18795 
18796 	err = rdev_color_change(rdev, dev, &params);
18797 
18798 out:
18799 	kfree(params.beacon_next.mbssid_ies);
18800 	kfree(params.beacon_color_change.mbssid_ies);
18801 	kfree(params.beacon_next.rnr_ies);
18802 	kfree(params.beacon_color_change.rnr_ies);
18803 	kfree(tb);
18804 	return err;
18805 }
18806 
18807 static int nl80211_set_fils_aad(struct sk_buff *skb,
18808 				struct genl_info *info)
18809 {
18810 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18811 	struct net_device *dev = info->user_ptr[1];
18812 	struct cfg80211_fils_aad fils_aad = {};
18813 	u8 *nonces;
18814 
18815 	if (!info->attrs[NL80211_ATTR_MAC] ||
18816 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
18817 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
18818 		return -EINVAL;
18819 
18820 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
18821 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
18822 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
18823 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
18824 	fils_aad.snonce = nonces;
18825 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
18826 
18827 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
18828 }
18829 
18830 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
18831 {
18832 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18833 	unsigned int link_id = nl80211_link_id(info->attrs);
18834 	struct net_device *dev = info->user_ptr[1];
18835 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18836 	int ret;
18837 
18838 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
18839 		return -EINVAL;
18840 
18841 	switch (wdev->iftype) {
18842 	case NL80211_IFTYPE_AP:
18843 		break;
18844 	default:
18845 		return -EINVAL;
18846 	}
18847 
18848 	if (!info->attrs[NL80211_ATTR_MAC] ||
18849 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
18850 		return -EINVAL;
18851 
18852 	wdev->valid_links |= BIT(link_id);
18853 	ether_addr_copy(wdev->links[link_id].addr,
18854 			nla_data(info->attrs[NL80211_ATTR_MAC]));
18855 
18856 	ret = rdev_add_intf_link(rdev, wdev, link_id);
18857 	if (ret) {
18858 		wdev->valid_links &= ~BIT(link_id);
18859 		eth_zero_addr(wdev->links[link_id].addr);
18860 	}
18861 
18862 	return ret;
18863 }
18864 
18865 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
18866 {
18867 	unsigned int link_id = nl80211_link_id(info->attrs);
18868 	struct net_device *dev = info->user_ptr[1];
18869 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18870 
18871 	/* cannot remove if there's no link */
18872 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18873 		return -EINVAL;
18874 
18875 	switch (wdev->iftype) {
18876 	case NL80211_IFTYPE_AP:
18877 		break;
18878 	default:
18879 		return -EINVAL;
18880 	}
18881 
18882 	cfg80211_remove_link(wdev, link_id);
18883 
18884 	return 0;
18885 }
18886 
18887 static int
18888 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
18889 			     bool add)
18890 {
18891 	struct link_station_parameters params = {};
18892 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18893 	struct net_device *dev = info->user_ptr[1];
18894 	int err;
18895 
18896 	if ((add && !rdev->ops->add_link_station) ||
18897 	    (!add && !rdev->ops->mod_link_station))
18898 		return -EOPNOTSUPP;
18899 
18900 	if (add && !info->attrs[NL80211_ATTR_MAC])
18901 		return -EINVAL;
18902 
18903 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
18904 		return -EINVAL;
18905 
18906 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
18907 		return -EINVAL;
18908 
18909 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
18910 
18911 	if (info->attrs[NL80211_ATTR_MAC]) {
18912 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
18913 		if (!is_valid_ether_addr(params.link_mac))
18914 			return -EINVAL;
18915 	}
18916 
18917 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
18918 		return -EINVAL;
18919 
18920 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
18921 
18922 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
18923 		params.supported_rates =
18924 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18925 		params.supported_rates_len =
18926 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
18927 	}
18928 
18929 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
18930 		params.ht_capa =
18931 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
18932 
18933 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
18934 		params.vht_capa =
18935 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
18936 
18937 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
18938 		params.he_capa =
18939 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18940 		params.he_capa_len =
18941 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
18942 
18943 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
18944 			params.eht_capa =
18945 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18946 			params.eht_capa_len =
18947 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
18948 
18949 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
18950 							(const u8 *)params.eht_capa,
18951 							params.eht_capa_len,
18952 							false))
18953 				return -EINVAL;
18954 		}
18955 	}
18956 
18957 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
18958 		if (!params.eht_capa)
18959 			return -EINVAL;
18960 
18961 		params.uhr_capa =
18962 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18963 		params.uhr_capa_len =
18964 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
18965 	}
18966 
18967 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
18968 		params.he_6ghz_capa =
18969 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
18970 
18971 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
18972 		params.opmode_notif_used = true;
18973 		params.opmode_notif =
18974 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
18975 	}
18976 
18977 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
18978 						&params.txpwr_set);
18979 	if (err)
18980 		return err;
18981 
18982 	if (add)
18983 		return rdev_add_link_station(rdev, dev, &params);
18984 
18985 	return rdev_mod_link_station(rdev, dev, &params);
18986 }
18987 
18988 static int
18989 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
18990 {
18991 	return nl80211_add_mod_link_station(skb, info, true);
18992 }
18993 
18994 static int
18995 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
18996 {
18997 	return nl80211_add_mod_link_station(skb, info, false);
18998 }
18999 
19000 static int
19001 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
19002 {
19003 	struct link_station_del_parameters params = {};
19004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19005 	struct net_device *dev = info->user_ptr[1];
19006 
19007 	if (!rdev->ops->del_link_station)
19008 		return -EOPNOTSUPP;
19009 
19010 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
19011 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
19012 		return -EINVAL;
19013 
19014 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
19015 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
19016 
19017 	return rdev_del_link_station(rdev, dev, &params);
19018 }
19019 
19020 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
19021 				    struct genl_info *info)
19022 {
19023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19024 	struct net_device *dev = info->user_ptr[1];
19025 	struct cfg80211_set_hw_timestamp hwts = {};
19026 
19027 	if (!rdev->wiphy.hw_timestamp_max_peers)
19028 		return -EOPNOTSUPP;
19029 
19030 	if (!info->attrs[NL80211_ATTR_MAC] &&
19031 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
19032 		return -EOPNOTSUPP;
19033 
19034 	if (info->attrs[NL80211_ATTR_MAC])
19035 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
19036 
19037 	hwts.enable =
19038 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
19039 
19040 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
19041 }
19042 
19043 static int
19044 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
19045 {
19046 	struct cfg80211_ttlm_params params = {};
19047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19048 	struct net_device *dev = info->user_ptr[1];
19049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19050 
19051 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
19052 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
19053 		return -EOPNOTSUPP;
19054 
19055 	if (!wdev->connected)
19056 		return -ENOLINK;
19057 
19058 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
19059 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
19060 		return -EINVAL;
19061 
19062 	nla_memcpy(params.dlink,
19063 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
19064 		   sizeof(params.dlink));
19065 	nla_memcpy(params.ulink,
19066 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
19067 		   sizeof(params.ulink));
19068 
19069 	return rdev_set_ttlm(rdev, dev, &params);
19070 }
19071 
19072 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
19073 {
19074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19075 	struct net_device *dev = info->user_ptr[1];
19076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19077 	struct cfg80211_ml_reconf_req req = {};
19078 	unsigned int link_id;
19079 	u16 add_links;
19080 	int err;
19081 
19082 	if (!wdev->valid_links)
19083 		return -EINVAL;
19084 
19085 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
19086 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
19087 		return -EPERM;
19088 
19089 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
19090 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
19091 		return -EOPNOTSUPP;
19092 
19093 	add_links = 0;
19094 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
19095 		err = nl80211_process_links(rdev, req.add_links,
19096 					    /* mark as MLO, but not assoc */
19097 					    IEEE80211_MLD_MAX_NUM_LINKS,
19098 					    NULL, 0, info);
19099 		if (err)
19100 			return err;
19101 
19102 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
19103 		     link_id++) {
19104 			if (!req.add_links[link_id].bss)
19105 				continue;
19106 			add_links |= BIT(link_id);
19107 		}
19108 	}
19109 
19110 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
19111 		req.rem_links =
19112 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
19113 
19114 	/* Validate that existing links are not added, removed links are valid
19115 	 * and don't allow adding and removing the same links
19116 	 */
19117 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
19118 	    (wdev->valid_links & add_links) ||
19119 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
19120 		err = -EINVAL;
19121 		goto out;
19122 	}
19123 
19124 	if (info->attrs[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS])
19125 		req.ext_mld_capa_ops =
19126 			nla_get_u16(info->attrs[NL80211_ATTR_EXT_MLD_CAPA_AND_OPS]);
19127 
19128 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
19129 
19130 out:
19131 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
19132 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
19133 
19134 	return err;
19135 }
19136 
19137 static int
19138 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
19139 {
19140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19141 	struct net_device *dev = info->user_ptr[1];
19142 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19143 	bool val;
19144 
19145 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
19146 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
19147 		return -EOPNOTSUPP;
19148 
19149 	if (!wdev->connected)
19150 		return -ENOLINK;
19151 
19152 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
19153 
19154 	return rdev_set_epcs(rdev, dev, val);
19155 }
19156 
19157 #define NL80211_FLAG_NEED_WIPHY		0x01
19158 #define NL80211_FLAG_NEED_NETDEV	0x02
19159 #define NL80211_FLAG_NEED_RTNL		0x04
19160 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
19161 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
19162 					 NL80211_FLAG_CHECK_NETDEV_UP)
19163 #define NL80211_FLAG_NEED_WDEV		0x10
19164 /* If a netdev is associated, it must be UP, P2P must be started */
19165 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
19166 					 NL80211_FLAG_CHECK_NETDEV_UP)
19167 #define NL80211_FLAG_CLEAR_SKB		0x20
19168 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
19169 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
19170 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
19171 
19172 #define INTERNAL_FLAG_SELECTORS(__sel)			\
19173 	SELECTOR(__sel, NONE, 0) /* must be first */	\
19174 	SELECTOR(__sel, WIPHY,				\
19175 		 NL80211_FLAG_NEED_WIPHY)		\
19176 	SELECTOR(__sel, WDEV,				\
19177 		 NL80211_FLAG_NEED_WDEV)		\
19178 	SELECTOR(__sel, NETDEV,				\
19179 		 NL80211_FLAG_NEED_NETDEV)		\
19180 	SELECTOR(__sel, NETDEV_LINK,			\
19181 		 NL80211_FLAG_NEED_NETDEV |		\
19182 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
19183 	SELECTOR(__sel, NETDEV_NO_MLO,			\
19184 		 NL80211_FLAG_NEED_NETDEV |		\
19185 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
19186 	SELECTOR(__sel, WIPHY_RTNL,			\
19187 		 NL80211_FLAG_NEED_WIPHY |		\
19188 		 NL80211_FLAG_NEED_RTNL)		\
19189 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
19190 		 NL80211_FLAG_NEED_WIPHY |		\
19191 		 NL80211_FLAG_NEED_RTNL |		\
19192 		 NL80211_FLAG_NO_WIPHY_MTX)		\
19193 	SELECTOR(__sel, WDEV_RTNL,			\
19194 		 NL80211_FLAG_NEED_WDEV |		\
19195 		 NL80211_FLAG_NEED_RTNL)		\
19196 	SELECTOR(__sel, NETDEV_RTNL,			\
19197 		 NL80211_FLAG_NEED_NETDEV |		\
19198 		 NL80211_FLAG_NEED_RTNL)		\
19199 	SELECTOR(__sel, NETDEV_UP,			\
19200 		 NL80211_FLAG_NEED_NETDEV_UP)		\
19201 	SELECTOR(__sel, NETDEV_UP_LINK,			\
19202 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19203 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
19204 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
19205 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19206 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
19207 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
19208 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19209 		 NL80211_FLAG_CLEAR_SKB |		\
19210 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
19211 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
19212 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19213 		 NL80211_FLAG_NO_WIPHY_MTX)		\
19214 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
19215 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19216 		 NL80211_FLAG_NO_WIPHY_MTX |		\
19217 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
19218 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
19219 		 NL80211_FLAG_NEED_NETDEV_UP |		\
19220 		 NL80211_FLAG_CLEAR_SKB)		\
19221 	SELECTOR(__sel, WDEV_UP,			\
19222 		 NL80211_FLAG_NEED_WDEV_UP)		\
19223 	SELECTOR(__sel, WDEV_UP_CLEAR,			\
19224 		 NL80211_FLAG_NEED_WDEV_UP |		\
19225 		 NL80211_FLAG_CLEAR_SKB)		\
19226 	SELECTOR(__sel, WDEV_UP_LINK,			\
19227 		 NL80211_FLAG_NEED_WDEV_UP |		\
19228 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
19229 	SELECTOR(__sel, WDEV_UP_RTNL,			\
19230 		 NL80211_FLAG_NEED_WDEV_UP |		\
19231 		 NL80211_FLAG_NEED_RTNL)		\
19232 	SELECTOR(__sel, WIPHY_CLEAR,			\
19233 		 NL80211_FLAG_NEED_WIPHY |		\
19234 		 NL80211_FLAG_CLEAR_SKB)		\
19235 	SELECTOR(__sel, WDEV_UP_RTNL_NOMTX,		\
19236 		 NL80211_FLAG_NEED_WDEV_UP |		\
19237 		 NL80211_FLAG_NO_WIPHY_MTX |		\
19238 		 NL80211_FLAG_NEED_RTNL)
19239 
19240 enum nl80211_internal_flags_selector {
19241 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
19242 	INTERNAL_FLAG_SELECTORS(_)
19243 #undef SELECTOR
19244 };
19245 
19246 static u32 nl80211_internal_flags[] = {
19247 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
19248 	INTERNAL_FLAG_SELECTORS(_)
19249 #undef SELECTOR
19250 };
19251 
19252 static int nl80211_pre_doit(const struct genl_split_ops *ops,
19253 			    struct sk_buff *skb,
19254 			    struct genl_info *info)
19255 {
19256 	struct cfg80211_registered_device *rdev = NULL;
19257 	struct wireless_dev *wdev = NULL;
19258 	struct net_device *dev = NULL;
19259 	u32 internal_flags;
19260 	int err;
19261 
19262 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
19263 		return -EINVAL;
19264 
19265 	internal_flags = nl80211_internal_flags[ops->internal_flags];
19266 
19267 	rtnl_lock();
19268 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
19269 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
19270 		if (IS_ERR(rdev)) {
19271 			err = PTR_ERR(rdev);
19272 			goto out_unlock;
19273 		}
19274 		info->user_ptr[0] = rdev;
19275 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
19276 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
19277 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
19278 						  info->attrs);
19279 		if (IS_ERR(wdev)) {
19280 			err = PTR_ERR(wdev);
19281 			goto out_unlock;
19282 		}
19283 
19284 		dev = wdev->netdev;
19285 		dev_hold(dev);
19286 		rdev = wiphy_to_rdev(wdev->wiphy);
19287 
19288 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
19289 			if (!dev) {
19290 				err = -EINVAL;
19291 				goto out_unlock;
19292 			}
19293 
19294 			info->user_ptr[1] = dev;
19295 		} else {
19296 			info->user_ptr[1] = wdev;
19297 		}
19298 
19299 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
19300 		    !wdev_running(wdev)) {
19301 			err = -ENETDOWN;
19302 			goto out_unlock;
19303 		}
19304 
19305 		info->user_ptr[0] = rdev;
19306 	}
19307 
19308 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
19309 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
19310 
19311 		if (!wdev) {
19312 			err = -EINVAL;
19313 			goto out_unlock;
19314 		}
19315 
19316 		/* MLO -> require valid link ID */
19317 		if (wdev->valid_links &&
19318 		    (!link_id ||
19319 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
19320 			err = -EINVAL;
19321 			goto out_unlock;
19322 		}
19323 
19324 		/* non-MLO -> no link ID attribute accepted */
19325 		if (!wdev->valid_links && link_id) {
19326 			err = -EINVAL;
19327 			goto out_unlock;
19328 		}
19329 	}
19330 
19331 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
19332 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
19333 		    (wdev && wdev->valid_links)) {
19334 			err = -EINVAL;
19335 			goto out_unlock;
19336 		}
19337 	}
19338 
19339 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
19340 		wiphy_lock(&rdev->wiphy);
19341 		/* we keep the mutex locked until post_doit */
19342 		__release(&rdev->wiphy.mtx);
19343 	}
19344 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
19345 		rtnl_unlock();
19346 
19347 	return 0;
19348 out_unlock:
19349 	rtnl_unlock();
19350 	dev_put(dev);
19351 	return err;
19352 }
19353 
19354 static void nl80211_post_doit(const struct genl_split_ops *ops,
19355 			      struct sk_buff *skb,
19356 			      struct genl_info *info)
19357 {
19358 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
19359 
19360 	if (info->user_ptr[1]) {
19361 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
19362 			struct wireless_dev *wdev = info->user_ptr[1];
19363 
19364 			dev_put(wdev->netdev);
19365 		} else {
19366 			dev_put(info->user_ptr[1]);
19367 		}
19368 	}
19369 
19370 	if (info->user_ptr[0] &&
19371 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
19372 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
19373 
19374 		/* we kept the mutex locked since pre_doit */
19375 		__acquire(&rdev->wiphy.mtx);
19376 		wiphy_unlock(&rdev->wiphy);
19377 	}
19378 
19379 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
19380 		rtnl_unlock();
19381 
19382 	/* If needed, clear the netlink message payload from the SKB
19383 	 * as it might contain key data that shouldn't stick around on
19384 	 * the heap after the SKB is freed. The netlink message header
19385 	 * is still needed for further processing, so leave it intact.
19386 	 */
19387 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
19388 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
19389 
19390 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
19391 	}
19392 }
19393 
19394 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
19395 				     struct cfg80211_sar_specs *sar_specs,
19396 				     struct nlattr *spec[], int index)
19397 {
19398 	u32 range_index, i;
19399 
19400 	if (!sar_specs || !spec)
19401 		return -EINVAL;
19402 
19403 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
19404 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
19405 		return -EINVAL;
19406 
19407 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
19408 
19409 	/* check if range_index exceeds num_freq_ranges */
19410 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
19411 		return -EINVAL;
19412 
19413 	/* check if range_index duplicates */
19414 	for (i = 0; i < index; i++) {
19415 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
19416 			return -EINVAL;
19417 	}
19418 
19419 	sar_specs->sub_specs[index].power =
19420 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
19421 
19422 	sar_specs->sub_specs[index].freq_range_index = range_index;
19423 
19424 	return 0;
19425 }
19426 
19427 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
19428 {
19429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
19430 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
19431 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
19432 	struct cfg80211_sar_specs *sar_spec;
19433 	enum nl80211_sar_type type;
19434 	struct nlattr *spec_list;
19435 	u32 specs;
19436 	int rem, err;
19437 
19438 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
19439 		return -EOPNOTSUPP;
19440 
19441 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
19442 		return -EINVAL;
19443 
19444 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
19445 			 info->attrs[NL80211_ATTR_SAR_SPEC],
19446 			 NULL, NULL);
19447 
19448 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
19449 		return -EINVAL;
19450 
19451 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
19452 	if (type != rdev->wiphy.sar_capa->type)
19453 		return -EINVAL;
19454 
19455 	specs = 0;
19456 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
19457 		specs++;
19458 
19459 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
19460 		return -EINVAL;
19461 
19462 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs);
19463 	if (!sar_spec)
19464 		return -ENOMEM;
19465 
19466 	sar_spec->num_sub_specs = specs;
19467 	sar_spec->type = type;
19468 	specs = 0;
19469 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
19470 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
19471 				 spec_list, NULL, NULL);
19472 
19473 		switch (type) {
19474 		case NL80211_SAR_TYPE_POWER:
19475 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
19476 						      spec, specs)) {
19477 				err = -EINVAL;
19478 				goto error;
19479 			}
19480 			break;
19481 		default:
19482 			err = -EINVAL;
19483 			goto error;
19484 		}
19485 		specs++;
19486 	}
19487 
19488 	sar_spec->num_sub_specs = specs;
19489 
19490 	rdev->cur_cmd_info = info;
19491 	err = rdev_set_sar_specs(rdev, sar_spec);
19492 	rdev->cur_cmd_info = NULL;
19493 error:
19494 	kfree(sar_spec);
19495 	return err;
19496 }
19497 
19498 #define SELECTOR(__sel, name, value) \
19499 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
19500 int __missing_selector(void);
19501 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
19502 
19503 static const struct genl_ops nl80211_ops[] = {
19504 	{
19505 		.cmd = NL80211_CMD_GET_WIPHY,
19506 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19507 		.doit = nl80211_get_wiphy,
19508 		.dumpit = nl80211_dump_wiphy,
19509 		.done = nl80211_dump_wiphy_done,
19510 		/* can be retrieved by unprivileged users */
19511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19512 	},
19513 };
19514 
19515 static const struct genl_small_ops nl80211_small_ops[] = {
19516 	{
19517 		.cmd = NL80211_CMD_SET_WIPHY,
19518 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19519 		.doit = nl80211_set_wiphy,
19520 		.flags = GENL_UNS_ADMIN_PERM,
19521 	},
19522 	{
19523 		.cmd = NL80211_CMD_GET_INTERFACE,
19524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19525 		.doit = nl80211_get_interface,
19526 		.dumpit = nl80211_dump_interface,
19527 		/* can be retrieved by unprivileged users */
19528 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19529 	},
19530 	{
19531 		.cmd = NL80211_CMD_SET_INTERFACE,
19532 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19533 		.doit = nl80211_set_interface,
19534 		.flags = GENL_UNS_ADMIN_PERM,
19535 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19536 					 NL80211_FLAG_NEED_RTNL),
19537 	},
19538 	{
19539 		.cmd = NL80211_CMD_NEW_INTERFACE,
19540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19541 		.doit = nl80211_new_interface,
19542 		.flags = GENL_UNS_ADMIN_PERM,
19543 		.internal_flags =
19544 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
19545 			       NL80211_FLAG_NEED_RTNL |
19546 			       /* we take the wiphy mutex later ourselves */
19547 			       NL80211_FLAG_NO_WIPHY_MTX),
19548 	},
19549 	{
19550 		.cmd = NL80211_CMD_DEL_INTERFACE,
19551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19552 		.doit = nl80211_del_interface,
19553 		.flags = GENL_UNS_ADMIN_PERM,
19554 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
19555 					 NL80211_FLAG_NEED_RTNL),
19556 	},
19557 	{
19558 		.cmd = NL80211_CMD_GET_KEY,
19559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19560 		.doit = nl80211_get_key,
19561 		.flags = GENL_UNS_ADMIN_PERM,
19562 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19563 	},
19564 	{
19565 		.cmd = NL80211_CMD_SET_KEY,
19566 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19567 		.doit = nl80211_set_key,
19568 		.flags = GENL_UNS_ADMIN_PERM,
19569 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
19570 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19571 					 NL80211_FLAG_CLEAR_SKB),
19572 	},
19573 	{
19574 		.cmd = NL80211_CMD_NEW_KEY,
19575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19576 		.doit = nl80211_new_key,
19577 		.flags = GENL_UNS_ADMIN_PERM,
19578 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19579 					 NL80211_FLAG_CLEAR_SKB),
19580 	},
19581 	{
19582 		.cmd = NL80211_CMD_DEL_KEY,
19583 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19584 		.doit = nl80211_del_key,
19585 		.flags = GENL_UNS_ADMIN_PERM,
19586 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19587 	},
19588 	{
19589 		.cmd = NL80211_CMD_SET_BEACON,
19590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19591 		.flags = GENL_UNS_ADMIN_PERM,
19592 		.doit = nl80211_set_beacon,
19593 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19594 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19595 	},
19596 	{
19597 		.cmd = NL80211_CMD_START_AP,
19598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19599 		.flags = GENL_UNS_ADMIN_PERM,
19600 		.doit = nl80211_start_ap,
19601 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19602 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19603 	},
19604 	{
19605 		.cmd = NL80211_CMD_STOP_AP,
19606 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19607 		.flags = GENL_UNS_ADMIN_PERM,
19608 		.doit = nl80211_stop_ap,
19609 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19610 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19611 	},
19612 	{
19613 		.cmd = NL80211_CMD_GET_STATION,
19614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19615 		.doit = nl80211_get_station,
19616 		.dumpit = nl80211_dump_station,
19617 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19618 	},
19619 	{
19620 		.cmd = NL80211_CMD_SET_STATION,
19621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19622 		.doit = nl80211_set_station,
19623 		.flags = GENL_UNS_ADMIN_PERM,
19624 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19625 	},
19626 	{
19627 		.cmd = NL80211_CMD_NEW_STATION,
19628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19629 		.doit = nl80211_new_station,
19630 		.flags = GENL_UNS_ADMIN_PERM,
19631 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19632 	},
19633 	{
19634 		.cmd = NL80211_CMD_DEL_STATION,
19635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19636 		.doit = nl80211_del_station,
19637 		.flags = GENL_UNS_ADMIN_PERM,
19638 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
19639 		 * whether MAC address is passed or not. If MAC address is
19640 		 * passed, then even during MLO, link ID is not required.
19641 		 */
19642 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19643 	},
19644 	{
19645 		.cmd = NL80211_CMD_GET_MPATH,
19646 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19647 		.doit = nl80211_get_mpath,
19648 		.dumpit = nl80211_dump_mpath,
19649 		.flags = GENL_UNS_ADMIN_PERM,
19650 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19651 	},
19652 	{
19653 		.cmd = NL80211_CMD_GET_MPP,
19654 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19655 		.doit = nl80211_get_mpp,
19656 		.dumpit = nl80211_dump_mpp,
19657 		.flags = GENL_UNS_ADMIN_PERM,
19658 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19659 	},
19660 	{
19661 		.cmd = NL80211_CMD_SET_MPATH,
19662 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19663 		.doit = nl80211_set_mpath,
19664 		.flags = GENL_UNS_ADMIN_PERM,
19665 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19666 	},
19667 	{
19668 		.cmd = NL80211_CMD_NEW_MPATH,
19669 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19670 		.doit = nl80211_new_mpath,
19671 		.flags = GENL_UNS_ADMIN_PERM,
19672 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19673 	},
19674 	{
19675 		.cmd = NL80211_CMD_DEL_MPATH,
19676 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19677 		.doit = nl80211_del_mpath,
19678 		.flags = GENL_UNS_ADMIN_PERM,
19679 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19680 	},
19681 	{
19682 		.cmd = NL80211_CMD_SET_BSS,
19683 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19684 		.doit = nl80211_set_bss,
19685 		.flags = GENL_UNS_ADMIN_PERM,
19686 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19687 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19688 	},
19689 	{
19690 		.cmd = NL80211_CMD_GET_REG,
19691 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19692 		.doit = nl80211_get_reg_do,
19693 		.dumpit = nl80211_get_reg_dump,
19694 		/* can be retrieved by unprivileged users */
19695 	},
19696 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
19697 	{
19698 		.cmd = NL80211_CMD_SET_REG,
19699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19700 		.doit = nl80211_set_reg,
19701 		.flags = GENL_ADMIN_PERM,
19702 	},
19703 #endif
19704 	{
19705 		.cmd = NL80211_CMD_REQ_SET_REG,
19706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19707 		.doit = nl80211_req_set_reg,
19708 		.flags = GENL_ADMIN_PERM,
19709 	},
19710 	{
19711 		.cmd = NL80211_CMD_RELOAD_REGDB,
19712 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19713 		.doit = nl80211_reload_regdb,
19714 		.flags = GENL_ADMIN_PERM,
19715 	},
19716 	{
19717 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
19718 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19719 		.doit = nl80211_get_mesh_config,
19720 		/* can be retrieved by unprivileged users */
19721 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19722 	},
19723 	{
19724 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
19725 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19726 		.doit = nl80211_update_mesh_config,
19727 		.flags = GENL_UNS_ADMIN_PERM,
19728 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19729 	},
19730 	{
19731 		.cmd = NL80211_CMD_TRIGGER_SCAN,
19732 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19733 		.doit = nl80211_trigger_scan,
19734 		.flags = GENL_UNS_ADMIN_PERM,
19735 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19736 	},
19737 	{
19738 		.cmd = NL80211_CMD_ABORT_SCAN,
19739 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19740 		.doit = nl80211_abort_scan,
19741 		.flags = GENL_UNS_ADMIN_PERM,
19742 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19743 	},
19744 	{
19745 		.cmd = NL80211_CMD_GET_SCAN,
19746 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19747 		.dumpit = nl80211_dump_scan,
19748 	},
19749 	{
19750 		.cmd = NL80211_CMD_START_SCHED_SCAN,
19751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19752 		.doit = nl80211_start_sched_scan,
19753 		.flags = GENL_UNS_ADMIN_PERM,
19754 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19755 	},
19756 	{
19757 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
19758 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19759 		.doit = nl80211_stop_sched_scan,
19760 		.flags = GENL_UNS_ADMIN_PERM,
19761 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19762 	},
19763 	{
19764 		.cmd = NL80211_CMD_AUTHENTICATE,
19765 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19766 		.doit = nl80211_authenticate,
19767 		.flags = GENL_UNS_ADMIN_PERM,
19768 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19769 					 NL80211_FLAG_CLEAR_SKB),
19770 	},
19771 	{
19772 		.cmd = NL80211_CMD_ASSOCIATE,
19773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19774 		.doit = nl80211_associate,
19775 		.flags = GENL_UNS_ADMIN_PERM,
19776 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19777 					 NL80211_FLAG_CLEAR_SKB),
19778 	},
19779 	{
19780 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19782 		.doit = nl80211_deauthenticate,
19783 		.flags = GENL_UNS_ADMIN_PERM,
19784 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19785 	},
19786 	{
19787 		.cmd = NL80211_CMD_DISASSOCIATE,
19788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19789 		.doit = nl80211_disassociate,
19790 		.flags = GENL_UNS_ADMIN_PERM,
19791 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19792 	},
19793 	{
19794 		.cmd = NL80211_CMD_JOIN_IBSS,
19795 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19796 		.doit = nl80211_join_ibss,
19797 		.flags = GENL_UNS_ADMIN_PERM,
19798 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19799 	},
19800 	{
19801 		.cmd = NL80211_CMD_LEAVE_IBSS,
19802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19803 		.doit = nl80211_leave_ibss,
19804 		.flags = GENL_UNS_ADMIN_PERM,
19805 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19806 	},
19807 #ifdef CONFIG_NL80211_TESTMODE
19808 	{
19809 		.cmd = NL80211_CMD_TESTMODE,
19810 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19811 		.doit = nl80211_testmode_do,
19812 		.dumpit = nl80211_testmode_dump,
19813 		.flags = GENL_UNS_ADMIN_PERM,
19814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19815 	},
19816 #endif
19817 	{
19818 		.cmd = NL80211_CMD_CONNECT,
19819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19820 		.doit = nl80211_connect,
19821 		.flags = GENL_UNS_ADMIN_PERM,
19822 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19823 					 NL80211_FLAG_CLEAR_SKB),
19824 	},
19825 	{
19826 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
19827 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19828 		.doit = nl80211_update_connect_params,
19829 		.flags = GENL_ADMIN_PERM,
19830 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19831 					 NL80211_FLAG_CLEAR_SKB),
19832 	},
19833 	{
19834 		.cmd = NL80211_CMD_DISCONNECT,
19835 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19836 		.doit = nl80211_disconnect,
19837 		.flags = GENL_UNS_ADMIN_PERM,
19838 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19839 	},
19840 	{
19841 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
19842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19843 		.doit = nl80211_wiphy_netns,
19844 		.flags = GENL_UNS_ADMIN_PERM,
19845 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19846 					 NL80211_FLAG_NEED_RTNL |
19847 					 NL80211_FLAG_NO_WIPHY_MTX),
19848 	},
19849 	{
19850 		.cmd = NL80211_CMD_GET_SURVEY,
19851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19852 		.dumpit = nl80211_dump_survey,
19853 	},
19854 	{
19855 		.cmd = NL80211_CMD_SET_PMKSA,
19856 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19857 		.doit = nl80211_set_pmksa,
19858 		.flags = GENL_UNS_ADMIN_PERM,
19859 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19860 					 NL80211_FLAG_CLEAR_SKB),
19861 	},
19862 	{
19863 		.cmd = NL80211_CMD_DEL_PMKSA,
19864 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19865 		.doit = nl80211_del_pmksa,
19866 		.flags = GENL_UNS_ADMIN_PERM,
19867 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19868 	},
19869 	{
19870 		.cmd = NL80211_CMD_FLUSH_PMKSA,
19871 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19872 		.doit = nl80211_flush_pmksa,
19873 		.flags = GENL_UNS_ADMIN_PERM,
19874 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19875 	},
19876 	{
19877 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
19878 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19879 		.doit = nl80211_remain_on_channel,
19880 		.flags = GENL_UNS_ADMIN_PERM,
19881 		/* FIXME: requiring a link ID here is probably not good */
19882 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
19883 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19884 	},
19885 	{
19886 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
19887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19888 		.doit = nl80211_cancel_remain_on_channel,
19889 		.flags = GENL_UNS_ADMIN_PERM,
19890 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19891 	},
19892 	{
19893 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
19894 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19895 		.doit = nl80211_set_tx_bitrate_mask,
19896 		.flags = GENL_UNS_ADMIN_PERM,
19897 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19898 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19899 	},
19900 	{
19901 		.cmd = NL80211_CMD_REGISTER_FRAME,
19902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19903 		.doit = nl80211_register_mgmt,
19904 		.flags = GENL_UNS_ADMIN_PERM,
19905 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
19906 	},
19907 	{
19908 		.cmd = NL80211_CMD_FRAME,
19909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19910 		.doit = nl80211_tx_mgmt,
19911 		.flags = GENL_UNS_ADMIN_PERM,
19912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19913 	},
19914 	{
19915 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
19916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19917 		.doit = nl80211_tx_mgmt_cancel_wait,
19918 		.flags = GENL_UNS_ADMIN_PERM,
19919 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19920 	},
19921 	{
19922 		.cmd = NL80211_CMD_SET_POWER_SAVE,
19923 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19924 		.doit = nl80211_set_power_save,
19925 		.flags = GENL_UNS_ADMIN_PERM,
19926 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19927 	},
19928 	{
19929 		.cmd = NL80211_CMD_GET_POWER_SAVE,
19930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19931 		.doit = nl80211_get_power_save,
19932 		/* can be retrieved by unprivileged users */
19933 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19934 	},
19935 	{
19936 		.cmd = NL80211_CMD_SET_CQM,
19937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19938 		.doit = nl80211_set_cqm,
19939 		.flags = GENL_UNS_ADMIN_PERM,
19940 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19941 	},
19942 	{
19943 		.cmd = NL80211_CMD_SET_CHANNEL,
19944 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19945 		.doit = nl80211_set_channel,
19946 		.flags = GENL_UNS_ADMIN_PERM,
19947 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19948 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19949 	},
19950 	{
19951 		.cmd = NL80211_CMD_JOIN_MESH,
19952 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19953 		.doit = nl80211_join_mesh,
19954 		.flags = GENL_UNS_ADMIN_PERM,
19955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19956 	},
19957 	{
19958 		.cmd = NL80211_CMD_LEAVE_MESH,
19959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19960 		.doit = nl80211_leave_mesh,
19961 		.flags = GENL_UNS_ADMIN_PERM,
19962 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19963 	},
19964 	{
19965 		.cmd = NL80211_CMD_JOIN_OCB,
19966 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19967 		.doit = nl80211_join_ocb,
19968 		.flags = GENL_UNS_ADMIN_PERM,
19969 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19970 	},
19971 	{
19972 		.cmd = NL80211_CMD_LEAVE_OCB,
19973 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19974 		.doit = nl80211_leave_ocb,
19975 		.flags = GENL_UNS_ADMIN_PERM,
19976 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19977 	},
19978 #ifdef CONFIG_PM
19979 	{
19980 		.cmd = NL80211_CMD_GET_WOWLAN,
19981 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19982 		.doit = nl80211_get_wowlan,
19983 		/* can be retrieved by unprivileged users */
19984 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19985 	},
19986 	{
19987 		.cmd = NL80211_CMD_SET_WOWLAN,
19988 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19989 		.doit = nl80211_set_wowlan,
19990 		.flags = GENL_UNS_ADMIN_PERM,
19991 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
19992 	},
19993 #endif
19994 	{
19995 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
19996 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19997 		.doit = nl80211_set_rekey_data,
19998 		.flags = GENL_UNS_ADMIN_PERM,
19999 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20000 					 NL80211_FLAG_CLEAR_SKB),
20001 	},
20002 	{
20003 		.cmd = NL80211_CMD_TDLS_MGMT,
20004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20005 		.doit = nl80211_tdls_mgmt,
20006 		.flags = GENL_UNS_ADMIN_PERM,
20007 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20008 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20009 	},
20010 	{
20011 		.cmd = NL80211_CMD_TDLS_OPER,
20012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20013 		.doit = nl80211_tdls_oper,
20014 		.flags = GENL_UNS_ADMIN_PERM,
20015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20016 	},
20017 	{
20018 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
20019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20020 		.doit = nl80211_register_unexpected_frame,
20021 		.flags = GENL_UNS_ADMIN_PERM,
20022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
20023 	},
20024 	{
20025 		.cmd = NL80211_CMD_PROBE_CLIENT,
20026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20027 		.doit = nl80211_probe_client,
20028 		.flags = GENL_UNS_ADMIN_PERM,
20029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20030 	},
20031 	{
20032 		.cmd = NL80211_CMD_REGISTER_BEACONS,
20033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20034 		.doit = nl80211_register_beacons,
20035 		.flags = GENL_UNS_ADMIN_PERM,
20036 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
20037 	},
20038 	{
20039 		.cmd = NL80211_CMD_SET_NOACK_MAP,
20040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20041 		.doit = nl80211_set_noack_map,
20042 		.flags = GENL_UNS_ADMIN_PERM,
20043 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
20044 	},
20045 	{
20046 		.cmd = NL80211_CMD_START_P2P_DEVICE,
20047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20048 		.doit = nl80211_start_p2p_device,
20049 		.flags = GENL_UNS_ADMIN_PERM,
20050 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
20051 					 NL80211_FLAG_NEED_RTNL),
20052 	},
20053 	{
20054 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
20055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20056 		.doit = nl80211_stop_p2p_device,
20057 		.flags = GENL_UNS_ADMIN_PERM,
20058 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
20059 					 NL80211_FLAG_NEED_RTNL),
20060 	},
20061 	{
20062 		.cmd = NL80211_CMD_START_NAN,
20063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20064 		.doit = nl80211_start_nan,
20065 		.flags = GENL_ADMIN_PERM,
20066 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
20067 					 NL80211_FLAG_NEED_RTNL),
20068 	},
20069 	{
20070 		.cmd = NL80211_CMD_STOP_NAN,
20071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20072 		.doit = nl80211_stop_nan,
20073 		.flags = GENL_ADMIN_PERM,
20074 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
20075 					 NL80211_FLAG_NO_WIPHY_MTX |
20076 					 NL80211_FLAG_NEED_RTNL),
20077 	},
20078 	{
20079 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
20080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20081 		.doit = nl80211_nan_add_func,
20082 		.flags = GENL_ADMIN_PERM,
20083 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20084 	},
20085 	{
20086 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
20087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20088 		.doit = nl80211_nan_del_func,
20089 		.flags = GENL_ADMIN_PERM,
20090 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20091 	},
20092 	{
20093 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
20094 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20095 		.doit = nl80211_nan_change_config,
20096 		.flags = GENL_ADMIN_PERM,
20097 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20098 	},
20099 	{
20100 		.cmd = NL80211_CMD_START_PD,
20101 		.doit = nl80211_start_pd,
20102 		.flags = GENL_ADMIN_PERM,
20103 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
20104 					 NL80211_FLAG_NEED_RTNL),
20105 	},
20106 	{
20107 		.cmd = NL80211_CMD_STOP_PD,
20108 		.doit = nl80211_stop_pd,
20109 		.flags = GENL_ADMIN_PERM,
20110 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
20111 					 NL80211_FLAG_NEED_RTNL),
20112 	},
20113 	{
20114 		.cmd = NL80211_CMD_SET_MCAST_RATE,
20115 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20116 		.doit = nl80211_set_mcast_rate,
20117 		.flags = GENL_UNS_ADMIN_PERM,
20118 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
20119 	},
20120 	{
20121 		.cmd = NL80211_CMD_SET_MAC_ACL,
20122 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20123 		.doit = nl80211_set_mac_acl,
20124 		.flags = GENL_UNS_ADMIN_PERM,
20125 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
20126 					 NL80211_FLAG_MLO_UNSUPPORTED),
20127 	},
20128 	{
20129 		.cmd = NL80211_CMD_RADAR_DETECT,
20130 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20131 		.doit = nl80211_start_radar_detection,
20132 		.flags = GENL_UNS_ADMIN_PERM,
20133 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20134 					 NL80211_FLAG_NO_WIPHY_MTX |
20135 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20136 	},
20137 	{
20138 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
20139 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20140 		.doit = nl80211_get_protocol_features,
20141 	},
20142 	{
20143 		.cmd = NL80211_CMD_UPDATE_FT_IES,
20144 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20145 		.doit = nl80211_update_ft_ies,
20146 		.flags = GENL_UNS_ADMIN_PERM,
20147 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20148 	},
20149 	{
20150 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
20151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20152 		.doit = nl80211_crit_protocol_start,
20153 		.flags = GENL_UNS_ADMIN_PERM,
20154 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20155 	},
20156 	{
20157 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
20158 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20159 		.doit = nl80211_crit_protocol_stop,
20160 		.flags = GENL_UNS_ADMIN_PERM,
20161 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20162 	},
20163 	{
20164 		.cmd = NL80211_CMD_GET_COALESCE,
20165 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20166 		.doit = nl80211_get_coalesce,
20167 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
20168 	},
20169 	{
20170 		.cmd = NL80211_CMD_SET_COALESCE,
20171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20172 		.doit = nl80211_set_coalesce,
20173 		.flags = GENL_UNS_ADMIN_PERM,
20174 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
20175 	},
20176 	{
20177 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
20178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20179 		.doit = nl80211_channel_switch,
20180 		.flags = GENL_UNS_ADMIN_PERM,
20181 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20182 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20183 	},
20184 	{
20185 		.cmd = NL80211_CMD_VENDOR,
20186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20187 		.doit = nl80211_vendor_cmd,
20188 		.dumpit = nl80211_vendor_cmd_dump,
20189 		.flags = GENL_UNS_ADMIN_PERM,
20190 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
20191 					 NL80211_FLAG_CLEAR_SKB),
20192 	},
20193 	{
20194 		.cmd = NL80211_CMD_SET_QOS_MAP,
20195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20196 		.doit = nl80211_set_qos_map,
20197 		.flags = GENL_UNS_ADMIN_PERM,
20198 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20199 	},
20200 	{
20201 		.cmd = NL80211_CMD_ADD_TX_TS,
20202 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20203 		.doit = nl80211_add_tx_ts,
20204 		.flags = GENL_UNS_ADMIN_PERM,
20205 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20206 					 NL80211_FLAG_MLO_UNSUPPORTED),
20207 	},
20208 	{
20209 		.cmd = NL80211_CMD_DEL_TX_TS,
20210 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20211 		.doit = nl80211_del_tx_ts,
20212 		.flags = GENL_UNS_ADMIN_PERM,
20213 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20214 	},
20215 	{
20216 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
20217 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20218 		.doit = nl80211_tdls_channel_switch,
20219 		.flags = GENL_UNS_ADMIN_PERM,
20220 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20221 	},
20222 	{
20223 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
20224 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20225 		.doit = nl80211_tdls_cancel_channel_switch,
20226 		.flags = GENL_UNS_ADMIN_PERM,
20227 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20228 	},
20229 	{
20230 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
20231 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20232 		.doit = nl80211_set_multicast_to_unicast,
20233 		.flags = GENL_UNS_ADMIN_PERM,
20234 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
20235 	},
20236 	{
20237 		.cmd = NL80211_CMD_SET_PMK,
20238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20239 		.doit = nl80211_set_pmk,
20240 		.flags = GENL_UNS_ADMIN_PERM,
20241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20242 					 NL80211_FLAG_CLEAR_SKB),
20243 	},
20244 	{
20245 		.cmd = NL80211_CMD_DEL_PMK,
20246 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20247 		.doit = nl80211_del_pmk,
20248 		.flags = GENL_UNS_ADMIN_PERM,
20249 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20250 	},
20251 	{
20252 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
20253 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20254 		.doit = nl80211_external_auth,
20255 		.flags = GENL_ADMIN_PERM,
20256 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20257 	},
20258 	{
20259 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
20260 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20261 		.doit = nl80211_tx_control_port,
20262 		.flags = GENL_UNS_ADMIN_PERM,
20263 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20264 	},
20265 	{
20266 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
20267 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20268 		.doit = nl80211_get_ftm_responder_stats,
20269 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
20270 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20271 	},
20272 	{
20273 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
20274 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20275 		.doit = nl80211_pmsr_start,
20276 		.flags = GENL_UNS_ADMIN_PERM,
20277 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20278 	},
20279 	{
20280 		.cmd = NL80211_CMD_NOTIFY_RADAR,
20281 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20282 		.doit = nl80211_notify_radar_detection,
20283 		.flags = GENL_UNS_ADMIN_PERM,
20284 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20285 	},
20286 	{
20287 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
20288 		.doit = nl80211_update_owe_info,
20289 		.flags = GENL_ADMIN_PERM,
20290 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20291 	},
20292 	{
20293 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
20294 		.doit = nl80211_probe_mesh_link,
20295 		.flags = GENL_UNS_ADMIN_PERM,
20296 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20297 	},
20298 	{
20299 		.cmd = NL80211_CMD_SET_TID_CONFIG,
20300 		.doit = nl80211_set_tid_config,
20301 		.flags = GENL_UNS_ADMIN_PERM,
20302 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
20303 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20304 	},
20305 	{
20306 		.cmd = NL80211_CMD_SET_SAR_SPECS,
20307 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20308 		.doit = nl80211_set_sar_specs,
20309 		.flags = GENL_UNS_ADMIN_PERM,
20310 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
20311 					 NL80211_FLAG_NEED_RTNL),
20312 	},
20313 	{
20314 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
20315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20316 		.doit = nl80211_color_change,
20317 		.flags = GENL_UNS_ADMIN_PERM,
20318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20319 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20320 	},
20321 	{
20322 		.cmd = NL80211_CMD_SET_FILS_AAD,
20323 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
20324 		.doit = nl80211_set_fils_aad,
20325 		.flags = GENL_UNS_ADMIN_PERM,
20326 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20327 	},
20328 	{
20329 		.cmd = NL80211_CMD_ADD_LINK,
20330 		.doit = nl80211_add_link,
20331 		.flags = GENL_UNS_ADMIN_PERM,
20332 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20333 	},
20334 	{
20335 		.cmd = NL80211_CMD_REMOVE_LINK,
20336 		.doit = nl80211_remove_link,
20337 		.flags = GENL_UNS_ADMIN_PERM,
20338 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20339 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20340 	},
20341 	{
20342 		.cmd = NL80211_CMD_ADD_LINK_STA,
20343 		.doit = nl80211_add_link_station,
20344 		.flags = GENL_UNS_ADMIN_PERM,
20345 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20346 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20347 	},
20348 	{
20349 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
20350 		.doit = nl80211_modify_link_station,
20351 		.flags = GENL_UNS_ADMIN_PERM,
20352 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20353 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20354 	},
20355 	{
20356 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
20357 		.doit = nl80211_remove_link_station,
20358 		.flags = GENL_UNS_ADMIN_PERM,
20359 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
20360 					 NL80211_FLAG_MLO_VALID_LINK_ID),
20361 	},
20362 	{
20363 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
20364 		.doit = nl80211_set_hw_timestamp,
20365 		.flags = GENL_UNS_ADMIN_PERM,
20366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20367 	},
20368 	{
20369 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
20370 		.doit = nl80211_set_ttlm,
20371 		.flags = GENL_UNS_ADMIN_PERM,
20372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20373 	},
20374 	{
20375 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20376 		.doit = nl80211_assoc_ml_reconf,
20377 		.flags = GENL_UNS_ADMIN_PERM,
20378 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20379 	},
20380 	{
20381 		.cmd = NL80211_CMD_EPCS_CFG,
20382 		.doit = nl80211_epcs_cfg,
20383 		.flags = GENL_UNS_ADMIN_PERM,
20384 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
20385 	},
20386 	{
20387 		.cmd = NL80211_CMD_NAN_SET_LOCAL_SCHED,
20388 		.doit = nl80211_nan_set_local_sched,
20389 		.flags = GENL_ADMIN_PERM,
20390 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20391 	},
20392 	{
20393 		.cmd = NL80211_CMD_NAN_SET_PEER_SCHED,
20394 		.doit = nl80211_nan_set_peer_sched,
20395 		.flags = GENL_ADMIN_PERM,
20396 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
20397 	},
20398 };
20399 
20400 static struct genl_family nl80211_fam __ro_after_init = {
20401 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
20402 	.hdrsize = 0,			/* no private header */
20403 	.version = 1,			/* no particular meaning now */
20404 	.maxattr = NL80211_ATTR_MAX,
20405 	.policy = nl80211_policy,
20406 	.netnsok = true,
20407 	.pre_doit = nl80211_pre_doit,
20408 	.post_doit = nl80211_post_doit,
20409 	.module = THIS_MODULE,
20410 	.ops = nl80211_ops,
20411 	.n_ops = ARRAY_SIZE(nl80211_ops),
20412 	.small_ops = nl80211_small_ops,
20413 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
20414 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
20415 	.mcgrps = nl80211_mcgrps,
20416 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
20417 	.parallel_ops = true,
20418 };
20419 
20420 /* notification functions */
20421 
20422 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
20423 			  enum nl80211_commands cmd)
20424 {
20425 	struct sk_buff *msg;
20426 	struct nl80211_dump_wiphy_state state = {};
20427 
20428 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
20429 		cmd != NL80211_CMD_DEL_WIPHY);
20430 
20431 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20432 	if (!msg)
20433 		return;
20434 
20435 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
20436 		nlmsg_free(msg);
20437 		return;
20438 	}
20439 
20440 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20441 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20442 }
20443 
20444 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
20445 				struct wireless_dev *wdev,
20446 				enum nl80211_commands cmd)
20447 {
20448 	struct sk_buff *msg;
20449 
20450 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20451 	if (!msg)
20452 		return;
20453 
20454 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
20455 		nlmsg_free(msg);
20456 		return;
20457 	}
20458 
20459 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20460 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
20461 }
20462 
20463 static int nl80211_add_scan_req(struct sk_buff *msg,
20464 				struct cfg80211_registered_device *rdev)
20465 {
20466 	struct cfg80211_scan_request_int *req = rdev->scan_req;
20467 	struct nlattr *nest;
20468 	int i;
20469 	struct cfg80211_scan_info *info;
20470 
20471 	if (WARN_ON(!req))
20472 		return 0;
20473 
20474 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
20475 	if (!nest)
20476 		goto nla_put_failure;
20477 	for (i = 0; i < req->req.n_ssids; i++) {
20478 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
20479 			    req->req.ssids[i].ssid))
20480 			goto nla_put_failure;
20481 	}
20482 	nla_nest_end(msg, nest);
20483 
20484 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
20485 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
20486 		if (!nest)
20487 			goto nla_put_failure;
20488 		for (i = 0; i < req->req.n_channels; i++) {
20489 			if (nla_put_u32(msg, i,
20490 					ieee80211_channel_to_khz(req->req.channels[i])))
20491 				goto nla_put_failure;
20492 		}
20493 		nla_nest_end(msg, nest);
20494 	} else {
20495 		nest = nla_nest_start_noflag(msg,
20496 					     NL80211_ATTR_SCAN_FREQUENCIES);
20497 		if (!nest)
20498 			goto nla_put_failure;
20499 		for (i = 0; i < req->req.n_channels; i++) {
20500 			if (nla_put_u32(msg, i,
20501 					req->req.channels[i]->center_freq))
20502 				goto nla_put_failure;
20503 		}
20504 		nla_nest_end(msg, nest);
20505 	}
20506 
20507 	if (req->req.ie &&
20508 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
20509 		goto nla_put_failure;
20510 
20511 	if (req->req.flags &&
20512 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
20513 		goto nla_put_failure;
20514 
20515 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
20516 		&rdev->scan_req->info;
20517 	if (info->scan_start_tsf &&
20518 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
20519 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
20520 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
20521 		     info->tsf_bssid)))
20522 		goto nla_put_failure;
20523 
20524 	return 0;
20525  nla_put_failure:
20526 	return -ENOBUFS;
20527 }
20528 
20529 static int nl80211_prep_scan_msg(struct sk_buff *msg,
20530 				 struct cfg80211_registered_device *rdev,
20531 				 struct wireless_dev *wdev,
20532 				 u32 portid, u32 seq, int flags,
20533 				 u32 cmd)
20534 {
20535 	void *hdr;
20536 
20537 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
20538 	if (!hdr)
20539 		return -1;
20540 
20541 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20542 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20543 					 wdev->netdev->ifindex)) ||
20544 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20545 			      NL80211_ATTR_PAD))
20546 		goto nla_put_failure;
20547 
20548 	/* ignore errors and send incomplete event anyway */
20549 	nl80211_add_scan_req(msg, rdev);
20550 
20551 	genlmsg_end(msg, hdr);
20552 	return 0;
20553 
20554  nla_put_failure:
20555 	genlmsg_cancel(msg, hdr);
20556 	return -EMSGSIZE;
20557 }
20558 
20559 static int
20560 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
20561 			    struct cfg80211_sched_scan_request *req, u32 cmd)
20562 {
20563 	void *hdr;
20564 
20565 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20566 	if (!hdr)
20567 		return -1;
20568 
20569 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
20570 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
20571 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
20572 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
20573 			      NL80211_ATTR_PAD))
20574 		goto nla_put_failure;
20575 
20576 	genlmsg_end(msg, hdr);
20577 	return 0;
20578 
20579  nla_put_failure:
20580 	genlmsg_cancel(msg, hdr);
20581 	return -EMSGSIZE;
20582 }
20583 
20584 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
20585 			     struct wireless_dev *wdev)
20586 {
20587 	struct sk_buff *msg;
20588 
20589 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20590 	if (!msg)
20591 		return;
20592 
20593 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20594 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
20595 		nlmsg_free(msg);
20596 		return;
20597 	}
20598 
20599 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20600 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20601 }
20602 
20603 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
20604 				       struct wireless_dev *wdev, bool aborted)
20605 {
20606 	struct sk_buff *msg;
20607 
20608 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20609 	if (!msg)
20610 		return NULL;
20611 
20612 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
20613 				  aborted ? NL80211_CMD_SCAN_ABORTED :
20614 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
20615 		nlmsg_free(msg);
20616 		return NULL;
20617 	}
20618 
20619 	return msg;
20620 }
20621 
20622 /* send message created by nl80211_build_scan_msg() */
20623 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
20624 			   struct sk_buff *msg)
20625 {
20626 	if (!msg)
20627 		return;
20628 
20629 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20630 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20631 }
20632 
20633 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
20634 {
20635 	struct sk_buff *msg;
20636 
20637 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20638 	if (!msg)
20639 		return;
20640 
20641 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
20642 		nlmsg_free(msg);
20643 		return;
20644 	}
20645 
20646 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
20647 				NL80211_MCGRP_SCAN, GFP_KERNEL);
20648 }
20649 
20650 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
20651 					  struct regulatory_request *request)
20652 {
20653 	/* Userspace can always count this one always being set */
20654 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
20655 		goto nla_put_failure;
20656 
20657 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
20658 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20659 			       NL80211_REGDOM_TYPE_WORLD))
20660 			goto nla_put_failure;
20661 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
20662 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20663 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
20664 			goto nla_put_failure;
20665 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
20666 		   request->intersect) {
20667 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20668 			       NL80211_REGDOM_TYPE_INTERSECTION))
20669 			goto nla_put_failure;
20670 	} else {
20671 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
20672 			       NL80211_REGDOM_TYPE_COUNTRY) ||
20673 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
20674 				   request->alpha2))
20675 			goto nla_put_failure;
20676 	}
20677 
20678 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
20679 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
20680 
20681 		if (wiphy &&
20682 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
20683 			goto nla_put_failure;
20684 
20685 		if (wiphy &&
20686 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
20687 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
20688 			goto nla_put_failure;
20689 	}
20690 
20691 	return true;
20692 
20693 nla_put_failure:
20694 	return false;
20695 }
20696 
20697 /*
20698  * This can happen on global regulatory changes or device specific settings
20699  * based on custom regulatory domains.
20700  */
20701 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
20702 				     struct regulatory_request *request)
20703 {
20704 	struct sk_buff *msg;
20705 	void *hdr;
20706 
20707 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20708 	if (!msg)
20709 		return;
20710 
20711 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
20712 	if (!hdr)
20713 		goto nla_put_failure;
20714 
20715 	if (!nl80211_reg_change_event_fill(msg, request))
20716 		goto nla_put_failure;
20717 
20718 	genlmsg_end(msg, hdr);
20719 
20720 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20721 				NL80211_MCGRP_REGULATORY);
20722 
20723 	return;
20724 
20725 nla_put_failure:
20726 	nlmsg_free(msg);
20727 }
20728 
20729 struct nl80211_mlme_event {
20730 	enum nl80211_commands cmd;
20731 	const u8 *buf;
20732 	size_t buf_len;
20733 	int uapsd_queues;
20734 	const u8 *req_ies;
20735 	size_t req_ies_len;
20736 	bool reconnect;
20737 };
20738 
20739 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
20740 				    struct net_device *netdev,
20741 				    const struct nl80211_mlme_event *event,
20742 				    gfp_t gfp)
20743 {
20744 	struct sk_buff *msg;
20745 	void *hdr;
20746 
20747 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
20748 	if (!msg)
20749 		return;
20750 
20751 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
20752 	if (!hdr) {
20753 		nlmsg_free(msg);
20754 		return;
20755 	}
20756 
20757 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20758 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20759 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
20760 	    (event->req_ies &&
20761 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
20762 		     event->req_ies)))
20763 		goto nla_put_failure;
20764 
20765 	if (event->reconnect &&
20766 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
20767 		goto nla_put_failure;
20768 
20769 	if (event->uapsd_queues >= 0) {
20770 		struct nlattr *nla_wmm =
20771 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
20772 		if (!nla_wmm)
20773 			goto nla_put_failure;
20774 
20775 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
20776 			       event->uapsd_queues))
20777 			goto nla_put_failure;
20778 
20779 		nla_nest_end(msg, nla_wmm);
20780 	}
20781 
20782 	genlmsg_end(msg, hdr);
20783 
20784 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20785 				NL80211_MCGRP_MLME, gfp);
20786 	return;
20787 
20788  nla_put_failure:
20789 	nlmsg_free(msg);
20790 }
20791 
20792 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
20793 			  struct net_device *netdev, const u8 *buf,
20794 			  size_t len, gfp_t gfp)
20795 {
20796 	struct nl80211_mlme_event event = {
20797 		.cmd = NL80211_CMD_AUTHENTICATE,
20798 		.buf = buf,
20799 		.buf_len = len,
20800 		.uapsd_queues = -1,
20801 	};
20802 
20803 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20804 }
20805 
20806 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
20807 			   struct net_device *netdev,
20808 			   const struct cfg80211_rx_assoc_resp_data *data)
20809 {
20810 	struct nl80211_mlme_event event = {
20811 		.cmd = NL80211_CMD_ASSOCIATE,
20812 		.buf = data->buf,
20813 		.buf_len = data->len,
20814 		.uapsd_queues = data->uapsd_queues,
20815 		.req_ies = data->req_ies,
20816 		.req_ies_len = data->req_ies_len,
20817 	};
20818 
20819 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
20820 }
20821 
20822 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
20823 			 struct net_device *netdev, const u8 *buf,
20824 			 size_t len, bool reconnect, gfp_t gfp)
20825 {
20826 	struct nl80211_mlme_event event = {
20827 		.cmd = NL80211_CMD_DEAUTHENTICATE,
20828 		.buf = buf,
20829 		.buf_len = len,
20830 		.reconnect = reconnect,
20831 		.uapsd_queues = -1,
20832 	};
20833 
20834 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20835 }
20836 
20837 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
20838 			   struct net_device *netdev, const u8 *buf,
20839 			   size_t len, bool reconnect, gfp_t gfp)
20840 {
20841 	struct nl80211_mlme_event event = {
20842 		.cmd = NL80211_CMD_DISASSOCIATE,
20843 		.buf = buf,
20844 		.buf_len = len,
20845 		.reconnect = reconnect,
20846 		.uapsd_queues = -1,
20847 	};
20848 
20849 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
20850 }
20851 
20852 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
20853 				  size_t len)
20854 {
20855 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20856 	struct wiphy *wiphy = wdev->wiphy;
20857 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20858 	const struct ieee80211_mgmt *mgmt = (void *)buf;
20859 	struct nl80211_mlme_event event = {
20860 		.buf = buf,
20861 		.buf_len = len,
20862 		.uapsd_queues = -1,
20863 	};
20864 
20865 	if (WARN_ON(len < 2))
20866 		return;
20867 
20868 	if (ieee80211_is_deauth(mgmt->frame_control)) {
20869 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
20870 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
20871 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
20872 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
20873 		if (wdev->unprot_beacon_reported &&
20874 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
20875 			return;
20876 		event.cmd = NL80211_CMD_UNPROT_BEACON;
20877 		wdev->unprot_beacon_reported = jiffies;
20878 	} else {
20879 		return;
20880 	}
20881 
20882 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
20883 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
20884 }
20885 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
20886 
20887 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
20888 				      struct net_device *netdev, int cmd,
20889 				      const u8 *addr, gfp_t gfp)
20890 {
20891 	struct sk_buff *msg;
20892 	void *hdr;
20893 
20894 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20895 	if (!msg)
20896 		return;
20897 
20898 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20899 	if (!hdr) {
20900 		nlmsg_free(msg);
20901 		return;
20902 	}
20903 
20904 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20905 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20906 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20907 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
20908 		goto nla_put_failure;
20909 
20910 	genlmsg_end(msg, hdr);
20911 
20912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20913 				NL80211_MCGRP_MLME, gfp);
20914 	return;
20915 
20916  nla_put_failure:
20917 	nlmsg_free(msg);
20918 }
20919 
20920 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
20921 			       struct net_device *netdev, const u8 *addr,
20922 			       gfp_t gfp)
20923 {
20924 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
20925 				  addr, gfp);
20926 }
20927 
20928 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
20929 				struct net_device *netdev, const u8 *addr,
20930 				gfp_t gfp)
20931 {
20932 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
20933 				  addr, gfp);
20934 }
20935 
20936 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
20937 				 struct net_device *netdev,
20938 				 struct cfg80211_connect_resp_params *cr,
20939 				 gfp_t gfp)
20940 {
20941 	struct sk_buff *msg;
20942 	void *hdr;
20943 	unsigned int link;
20944 	size_t link_info_size = 0;
20945 	const u8 *connected_addr = cr->valid_links ?
20946 				   cr->ap_mld_addr : cr->links[0].bssid;
20947 
20948 	if (cr->valid_links) {
20949 		for_each_valid_link(cr, link) {
20950 			/* Nested attribute header */
20951 			link_info_size += NLA_HDRLEN;
20952 			/* Link ID */
20953 			link_info_size += nla_total_size(sizeof(u8));
20954 			link_info_size += cr->links[link].addr ?
20955 					  nla_total_size(ETH_ALEN) : 0;
20956 			link_info_size += (cr->links[link].bssid ||
20957 					   cr->links[link].bss) ?
20958 					  nla_total_size(ETH_ALEN) : 0;
20959 			link_info_size += nla_total_size(sizeof(u16));
20960 		}
20961 	}
20962 
20963 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
20964 			cr->fils.kek_len + cr->fils.pmk_len +
20965 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
20966 			gfp);
20967 	if (!msg)
20968 		return;
20969 
20970 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
20971 	if (!hdr) {
20972 		nlmsg_free(msg);
20973 		return;
20974 	}
20975 
20976 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20977 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20978 	    (connected_addr &&
20979 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
20980 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
20981 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
20982 			cr->status) ||
20983 	    (cr->status < 0 &&
20984 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
20985 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
20986 			  cr->timeout_reason))) ||
20987 	    (cr->req_ie &&
20988 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
20989 	    (cr->resp_ie &&
20990 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
20991 		     cr->resp_ie)) ||
20992 	    (cr->fils.update_erp_next_seq_num &&
20993 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
20994 			 cr->fils.erp_next_seq_num)) ||
20995 	    (cr->status == WLAN_STATUS_SUCCESS &&
20996 	     ((cr->fils.kek &&
20997 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
20998 		       cr->fils.kek)) ||
20999 	      (cr->fils.pmk &&
21000 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
21001 	      (cr->fils.pmkid &&
21002 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))) ||
21003 	    (cr->assoc_encrypted &&
21004 	     nla_put_flag(msg, NL80211_ATTR_ASSOC_ENCRYPTED)))
21005 		goto nla_put_failure;
21006 
21007 	if (cr->valid_links) {
21008 		int i = 1;
21009 		struct nlattr *nested;
21010 
21011 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
21012 		if (!nested)
21013 			goto nla_put_failure;
21014 
21015 		for_each_valid_link(cr, link) {
21016 			struct nlattr *nested_mlo_links;
21017 			const u8 *bssid = cr->links[link].bss ?
21018 					  cr->links[link].bss->bssid :
21019 					  cr->links[link].bssid;
21020 
21021 			nested_mlo_links = nla_nest_start(msg, i);
21022 			if (!nested_mlo_links)
21023 				goto nla_put_failure;
21024 
21025 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
21026 			    (bssid &&
21027 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
21028 			    (cr->links[link].addr &&
21029 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
21030 				     cr->links[link].addr)) ||
21031 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
21032 					cr->links[link].status))
21033 				goto nla_put_failure;
21034 
21035 			nla_nest_end(msg, nested_mlo_links);
21036 			i++;
21037 		}
21038 		nla_nest_end(msg, nested);
21039 	}
21040 
21041 	genlmsg_end(msg, hdr);
21042 
21043 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21044 				NL80211_MCGRP_MLME, gfp);
21045 	return;
21046 
21047  nla_put_failure:
21048 	nlmsg_free(msg);
21049 }
21050 
21051 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
21052 			 struct net_device *netdev,
21053 			 struct cfg80211_roam_info *info, gfp_t gfp)
21054 {
21055 	struct sk_buff *msg;
21056 	void *hdr;
21057 	size_t link_info_size = 0;
21058 	unsigned int link;
21059 	const u8 *connected_addr = info->ap_mld_addr ?
21060 				   info->ap_mld_addr :
21061 				   (info->links[0].bss ?
21062 				    info->links[0].bss->bssid :
21063 				    info->links[0].bssid);
21064 
21065 	if (info->valid_links) {
21066 		for_each_valid_link(info, link) {
21067 			/* Nested attribute header */
21068 			link_info_size += NLA_HDRLEN;
21069 			/* Link ID */
21070 			link_info_size += nla_total_size(sizeof(u8));
21071 			link_info_size += info->links[link].addr ?
21072 					  nla_total_size(ETH_ALEN) : 0;
21073 			link_info_size += (info->links[link].bssid ||
21074 					   info->links[link].bss) ?
21075 					  nla_total_size(ETH_ALEN) : 0;
21076 		}
21077 	}
21078 
21079 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
21080 			info->fils.kek_len + info->fils.pmk_len +
21081 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
21082 			link_info_size, gfp);
21083 	if (!msg)
21084 		return;
21085 
21086 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
21087 	if (!hdr) {
21088 		nlmsg_free(msg);
21089 		return;
21090 	}
21091 
21092 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21093 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21094 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
21095 	    (info->req_ie &&
21096 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
21097 		     info->req_ie)) ||
21098 	    (info->resp_ie &&
21099 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
21100 		     info->resp_ie)) ||
21101 	    (info->fils.update_erp_next_seq_num &&
21102 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
21103 			 info->fils.erp_next_seq_num)) ||
21104 	    (info->fils.kek &&
21105 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
21106 		     info->fils.kek)) ||
21107 	    (info->fils.pmk &&
21108 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
21109 	    (info->fils.pmkid &&
21110 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
21111 		goto nla_put_failure;
21112 
21113 	if (info->valid_links) {
21114 		int i = 1;
21115 		struct nlattr *nested;
21116 
21117 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
21118 		if (!nested)
21119 			goto nla_put_failure;
21120 
21121 		for_each_valid_link(info, link) {
21122 			struct nlattr *nested_mlo_links;
21123 			const u8 *bssid = info->links[link].bss ?
21124 					  info->links[link].bss->bssid :
21125 					  info->links[link].bssid;
21126 
21127 			nested_mlo_links = nla_nest_start(msg, i);
21128 			if (!nested_mlo_links)
21129 				goto nla_put_failure;
21130 
21131 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
21132 			    (bssid &&
21133 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
21134 			    (info->links[link].addr &&
21135 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
21136 				     info->links[link].addr)))
21137 				goto nla_put_failure;
21138 
21139 			nla_nest_end(msg, nested_mlo_links);
21140 			i++;
21141 		}
21142 		nla_nest_end(msg, nested);
21143 	}
21144 
21145 	genlmsg_end(msg, hdr);
21146 
21147 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21148 				NL80211_MCGRP_MLME, gfp);
21149 	return;
21150 
21151  nla_put_failure:
21152 	nlmsg_free(msg);
21153 }
21154 
21155 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
21156 				  struct net_device *netdev, const u8 *peer_addr,
21157 				  const u8 *td_bitmap, u8 td_bitmap_len)
21158 {
21159 	struct sk_buff *msg;
21160 	void *hdr;
21161 
21162 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21163 	if (!msg)
21164 		return;
21165 
21166 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
21167 	if (!hdr) {
21168 		nlmsg_free(msg);
21169 		return;
21170 	}
21171 
21172 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21173 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21174 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
21175 		goto nla_put_failure;
21176 
21177 	if (td_bitmap_len > 0 && td_bitmap &&
21178 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
21179 		goto nla_put_failure;
21180 
21181 	genlmsg_end(msg, hdr);
21182 
21183 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21184 				NL80211_MCGRP_MLME, GFP_KERNEL);
21185 	return;
21186 
21187  nla_put_failure:
21188 	nlmsg_free(msg);
21189 }
21190 
21191 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
21192 			       struct net_device *netdev, u16 reason,
21193 			       const u8 *ie, size_t ie_len, bool from_ap)
21194 {
21195 	struct sk_buff *msg;
21196 	void *hdr;
21197 
21198 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
21199 	if (!msg)
21200 		return;
21201 
21202 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
21203 	if (!hdr) {
21204 		nlmsg_free(msg);
21205 		return;
21206 	}
21207 
21208 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21209 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21210 	    (reason &&
21211 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
21212 	    (from_ap &&
21213 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
21214 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
21215 		goto nla_put_failure;
21216 
21217 	genlmsg_end(msg, hdr);
21218 
21219 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21220 				NL80211_MCGRP_MLME, GFP_KERNEL);
21221 	return;
21222 
21223  nla_put_failure:
21224 	nlmsg_free(msg);
21225 }
21226 
21227 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
21228 {
21229 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21230 	struct wiphy *wiphy = wdev->wiphy;
21231 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21232 	struct sk_buff *msg;
21233 	struct nlattr *links;
21234 	void *hdr;
21235 
21236 	lockdep_assert_wiphy(wdev->wiphy);
21237 	trace_cfg80211_links_removed(dev, link_mask);
21238 
21239 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
21240 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
21241 		return;
21242 
21243 	if (WARN_ON(!wdev->valid_links || !link_mask ||
21244 		    (wdev->valid_links & link_mask) != link_mask ||
21245 		    wdev->valid_links == link_mask))
21246 		return;
21247 
21248 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
21249 	wdev->valid_links &= ~link_mask;
21250 
21251 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21252 	if (!msg)
21253 		return;
21254 
21255 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
21256 	if (!hdr) {
21257 		nlmsg_free(msg);
21258 		return;
21259 	}
21260 
21261 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21262 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21263 		goto nla_put_failure;
21264 
21265 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
21266 	if (!links)
21267 		goto nla_put_failure;
21268 
21269 	while (link_mask) {
21270 		struct nlattr *link;
21271 		int link_id = __ffs(link_mask);
21272 
21273 		link = nla_nest_start(msg, link_id + 1);
21274 		if (!link)
21275 			goto nla_put_failure;
21276 
21277 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21278 			goto nla_put_failure;
21279 
21280 		nla_nest_end(msg, link);
21281 		link_mask &= ~(1 << link_id);
21282 	}
21283 
21284 	nla_nest_end(msg, links);
21285 
21286 	genlmsg_end(msg, hdr);
21287 
21288 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21289 				NL80211_MCGRP_MLME, GFP_KERNEL);
21290 	return;
21291 
21292  nla_put_failure:
21293 	nlmsg_free(msg);
21294 }
21295 EXPORT_SYMBOL(cfg80211_links_removed);
21296 
21297 void nl80211_mlo_reconf_add_done(struct net_device *dev,
21298 				 struct cfg80211_mlo_reconf_done_data *data)
21299 {
21300 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21301 	struct wiphy *wiphy = wdev->wiphy;
21302 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21303 	struct nl80211_mlme_event event = {
21304 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
21305 		.buf = data->buf,
21306 		.buf_len = data->len,
21307 		.uapsd_queues = -1,
21308 	};
21309 
21310 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
21311 }
21312 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
21313 
21314 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
21315 			     struct net_device *netdev, const u8 *bssid,
21316 			     gfp_t gfp)
21317 {
21318 	struct sk_buff *msg;
21319 	void *hdr;
21320 
21321 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21322 	if (!msg)
21323 		return;
21324 
21325 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
21326 	if (!hdr) {
21327 		nlmsg_free(msg);
21328 		return;
21329 	}
21330 
21331 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21332 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21333 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
21334 		goto nla_put_failure;
21335 
21336 	genlmsg_end(msg, hdr);
21337 
21338 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21339 				NL80211_MCGRP_MLME, gfp);
21340 	return;
21341 
21342  nla_put_failure:
21343 	nlmsg_free(msg);
21344 }
21345 
21346 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
21347 					const u8 *ie, u8 ie_len,
21348 					int sig_dbm, gfp_t gfp)
21349 {
21350 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21351 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21352 	struct sk_buff *msg;
21353 	void *hdr;
21354 
21355 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
21356 		return;
21357 
21358 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
21359 
21360 	msg = nlmsg_new(100 + ie_len, gfp);
21361 	if (!msg)
21362 		return;
21363 
21364 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
21365 	if (!hdr) {
21366 		nlmsg_free(msg);
21367 		return;
21368 	}
21369 
21370 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21371 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21372 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21373 	    (ie_len && ie &&
21374 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
21375 	    (sig_dbm &&
21376 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
21377 		goto nla_put_failure;
21378 
21379 	genlmsg_end(msg, hdr);
21380 
21381 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21382 				NL80211_MCGRP_MLME, gfp);
21383 	return;
21384 
21385  nla_put_failure:
21386 	nlmsg_free(msg);
21387 }
21388 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
21389 
21390 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
21391 				 struct net_device *netdev, const u8 *addr,
21392 				 enum nl80211_key_type key_type, int key_id,
21393 				 const u8 *tsc, gfp_t gfp)
21394 {
21395 	struct sk_buff *msg;
21396 	void *hdr;
21397 
21398 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21399 	if (!msg)
21400 		return;
21401 
21402 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
21403 	if (!hdr) {
21404 		nlmsg_free(msg);
21405 		return;
21406 	}
21407 
21408 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21409 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21410 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
21411 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
21412 	    (key_id != -1 &&
21413 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
21414 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
21415 		goto nla_put_failure;
21416 
21417 	genlmsg_end(msg, hdr);
21418 
21419 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21420 				NL80211_MCGRP_MLME, gfp);
21421 	return;
21422 
21423  nla_put_failure:
21424 	nlmsg_free(msg);
21425 }
21426 
21427 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
21428 				    struct ieee80211_channel *channel_before,
21429 				    struct ieee80211_channel *channel_after)
21430 {
21431 	struct sk_buff *msg;
21432 	void *hdr;
21433 	struct nlattr *nl_freq;
21434 
21435 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
21436 	if (!msg)
21437 		return;
21438 
21439 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
21440 	if (!hdr) {
21441 		nlmsg_free(msg);
21442 		return;
21443 	}
21444 
21445 	/*
21446 	 * Since we are applying the beacon hint to a wiphy we know its
21447 	 * wiphy_idx is valid
21448 	 */
21449 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
21450 		goto nla_put_failure;
21451 
21452 	/* Before */
21453 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
21454 	if (!nl_freq)
21455 		goto nla_put_failure;
21456 
21457 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
21458 		goto nla_put_failure;
21459 	nla_nest_end(msg, nl_freq);
21460 
21461 	/* After */
21462 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
21463 	if (!nl_freq)
21464 		goto nla_put_failure;
21465 
21466 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
21467 		goto nla_put_failure;
21468 	nla_nest_end(msg, nl_freq);
21469 
21470 	genlmsg_end(msg, hdr);
21471 
21472 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
21473 				NL80211_MCGRP_REGULATORY);
21474 
21475 	return;
21476 
21477 nla_put_failure:
21478 	nlmsg_free(msg);
21479 }
21480 
21481 static void nl80211_send_remain_on_chan_event(
21482 	int cmd, struct cfg80211_registered_device *rdev,
21483 	struct wireless_dev *wdev, u64 cookie,
21484 	struct ieee80211_channel *chan,
21485 	unsigned int duration, gfp_t gfp)
21486 {
21487 	struct sk_buff *msg;
21488 	void *hdr;
21489 
21490 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21491 	if (!msg)
21492 		return;
21493 
21494 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21495 	if (!hdr) {
21496 		nlmsg_free(msg);
21497 		return;
21498 	}
21499 
21500 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21501 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21502 					 wdev->netdev->ifindex)) ||
21503 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21504 			      NL80211_ATTR_PAD) ||
21505 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
21506 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
21507 			NL80211_CHAN_NO_HT) ||
21508 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21509 			      NL80211_ATTR_PAD))
21510 		goto nla_put_failure;
21511 
21512 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
21513 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
21514 		goto nla_put_failure;
21515 
21516 	genlmsg_end(msg, hdr);
21517 
21518 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21519 				NL80211_MCGRP_MLME, gfp);
21520 	return;
21521 
21522  nla_put_failure:
21523 	nlmsg_free(msg);
21524 }
21525 
21526 void cfg80211_assoc_comeback(struct net_device *netdev,
21527 			     const u8 *ap_addr, u32 timeout)
21528 {
21529 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21530 	struct wiphy *wiphy = wdev->wiphy;
21531 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21532 	struct sk_buff *msg;
21533 	void *hdr;
21534 
21535 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
21536 
21537 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21538 	if (!msg)
21539 		return;
21540 
21541 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
21542 	if (!hdr) {
21543 		nlmsg_free(msg);
21544 		return;
21545 	}
21546 
21547 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21548 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21549 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
21550 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
21551 		goto nla_put_failure;
21552 
21553 	genlmsg_end(msg, hdr);
21554 
21555 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21556 				NL80211_MCGRP_MLME, GFP_KERNEL);
21557 	return;
21558 
21559  nla_put_failure:
21560 	nlmsg_free(msg);
21561 }
21562 EXPORT_SYMBOL(cfg80211_assoc_comeback);
21563 
21564 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
21565 			       struct ieee80211_channel *chan,
21566 			       unsigned int duration, gfp_t gfp)
21567 {
21568 	struct wiphy *wiphy = wdev->wiphy;
21569 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21570 
21571 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
21572 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
21573 					  rdev, wdev, cookie, chan,
21574 					  duration, gfp);
21575 }
21576 EXPORT_SYMBOL(cfg80211_ready_on_channel);
21577 
21578 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
21579 					struct ieee80211_channel *chan,
21580 					gfp_t gfp)
21581 {
21582 	struct wiphy *wiphy = wdev->wiphy;
21583 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21584 
21585 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
21586 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
21587 					  rdev, wdev, cookie, chan, 0, gfp);
21588 }
21589 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
21590 
21591 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
21592 					struct ieee80211_channel *chan,
21593 					gfp_t gfp)
21594 {
21595 	struct wiphy *wiphy = wdev->wiphy;
21596 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21597 
21598 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
21599 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
21600 					  rdev, wdev, cookie, chan, 0, gfp);
21601 }
21602 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
21603 
21604 void cfg80211_new_sta(struct wireless_dev *wdev, const u8 *mac_addr,
21605 		      struct station_info *sinfo, gfp_t gfp)
21606 {
21607 	struct wiphy *wiphy = wdev->wiphy;
21608 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21609 	struct sk_buff *msg;
21610 
21611 	trace_cfg80211_new_sta(wdev, mac_addr, sinfo);
21612 
21613 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21614 	if (!msg)
21615 		return;
21616 
21617 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
21618 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21619 		nlmsg_free(msg);
21620 		return;
21621 	}
21622 
21623 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21624 				NL80211_MCGRP_MLME, gfp);
21625 }
21626 EXPORT_SYMBOL(cfg80211_new_sta);
21627 
21628 void cfg80211_del_sta_sinfo(struct wireless_dev *wdev, const u8 *mac_addr,
21629 			    struct station_info *sinfo, gfp_t gfp)
21630 {
21631 	struct wiphy *wiphy = wdev->wiphy;
21632 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21633 	struct sk_buff *msg;
21634 	struct station_info empty_sinfo = {};
21635 
21636 	if (!sinfo)
21637 		sinfo = &empty_sinfo;
21638 
21639 	trace_cfg80211_del_sta(wdev, mac_addr);
21640 
21641 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21642 	if (!msg) {
21643 		cfg80211_sinfo_release_content(sinfo);
21644 		return;
21645 	}
21646 
21647 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
21648 				 rdev, wdev, mac_addr, sinfo, false) < 0) {
21649 		nlmsg_free(msg);
21650 		return;
21651 	}
21652 
21653 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21654 				NL80211_MCGRP_MLME, gfp);
21655 }
21656 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
21657 
21658 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
21659 			  enum nl80211_connect_failed_reason reason,
21660 			  gfp_t gfp)
21661 {
21662 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
21663 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21664 	struct sk_buff *msg;
21665 	void *hdr;
21666 
21667 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
21668 	if (!msg)
21669 		return;
21670 
21671 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
21672 	if (!hdr) {
21673 		nlmsg_free(msg);
21674 		return;
21675 	}
21676 
21677 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21678 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
21679 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
21680 		goto nla_put_failure;
21681 
21682 	genlmsg_end(msg, hdr);
21683 
21684 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21685 				NL80211_MCGRP_MLME, gfp);
21686 	return;
21687 
21688  nla_put_failure:
21689 	nlmsg_free(msg);
21690 }
21691 EXPORT_SYMBOL(cfg80211_conn_failed);
21692 
21693 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
21694 				       const u8 *addr, int link_id, gfp_t gfp)
21695 {
21696 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21697 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21698 	struct sk_buff *msg;
21699 	void *hdr;
21700 	u32 nlportid = READ_ONCE(wdev->unexpected_nlportid);
21701 
21702 	if (!nlportid)
21703 		return false;
21704 
21705 	msg = nlmsg_new(100, gfp);
21706 	if (!msg)
21707 		return true;
21708 
21709 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21710 	if (!hdr) {
21711 		nlmsg_free(msg);
21712 		return true;
21713 	}
21714 
21715 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21716 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21717 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21718 	    (link_id >= 0 &&
21719 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21720 		goto nla_put_failure;
21721 
21722 	genlmsg_end(msg, hdr);
21723 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21724 	return true;
21725 
21726  nla_put_failure:
21727 	nlmsg_free(msg);
21728 	return true;
21729 }
21730 
21731 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
21732 				int link_id, gfp_t gfp)
21733 {
21734 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21735 	bool ret;
21736 
21737 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
21738 
21739 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21740 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21741 		    wdev->iftype != NL80211_IFTYPE_NAN_DATA)) {
21742 		trace_cfg80211_return_bool(false);
21743 		return false;
21744 	}
21745 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
21746 					 addr, link_id, gfp);
21747 	trace_cfg80211_return_bool(ret);
21748 	return ret;
21749 }
21750 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
21751 
21752 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
21753 					int link_id, gfp_t gfp)
21754 {
21755 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21756 	bool ret;
21757 
21758 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
21759 
21760 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
21761 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
21762 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
21763 		trace_cfg80211_return_bool(false);
21764 		return false;
21765 	}
21766 	ret = __nl80211_unexpected_frame(dev,
21767 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
21768 					 addr, link_id, gfp);
21769 	trace_cfg80211_return_bool(ret);
21770 	return ret;
21771 }
21772 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
21773 
21774 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
21775 		      struct wireless_dev *wdev, u32 nlportid,
21776 		      struct cfg80211_rx_info *info, gfp_t gfp)
21777 {
21778 	struct net_device *netdev = wdev->netdev;
21779 	struct sk_buff *msg;
21780 	void *hdr;
21781 
21782 	msg = nlmsg_new(100 + info->len, gfp);
21783 	if (!msg)
21784 		return -ENOMEM;
21785 
21786 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21787 	if (!hdr) {
21788 		nlmsg_free(msg);
21789 		return -ENOMEM;
21790 	}
21791 
21792 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21793 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21794 					netdev->ifindex)) ||
21795 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21796 			      NL80211_ATTR_PAD) ||
21797 	    (info->have_link_id &&
21798 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
21799 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
21800 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
21801 	    (info->sig_dbm &&
21802 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
21803 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
21804 	    (info->flags &&
21805 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
21806 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
21807 						  NL80211_ATTR_RX_HW_TIMESTAMP,
21808 						  info->rx_tstamp,
21809 						  NL80211_ATTR_PAD)) ||
21810 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
21811 						   NL80211_ATTR_TX_HW_TIMESTAMP,
21812 						   info->ack_tstamp,
21813 						   NL80211_ATTR_PAD)))
21814 		goto nla_put_failure;
21815 
21816 	genlmsg_end(msg, hdr);
21817 
21818 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21819 
21820  nla_put_failure:
21821 	nlmsg_free(msg);
21822 	return -ENOBUFS;
21823 }
21824 
21825 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
21826 				    struct cfg80211_tx_status *status,
21827 				    gfp_t gfp, enum nl80211_commands command)
21828 {
21829 	struct wiphy *wiphy = wdev->wiphy;
21830 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21831 	struct net_device *netdev = wdev->netdev;
21832 	struct sk_buff *msg;
21833 	void *hdr;
21834 
21835 	if (command == NL80211_CMD_FRAME_TX_STATUS)
21836 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
21837 					      status->ack);
21838 	else
21839 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
21840 						      status->ack);
21841 
21842 	msg = nlmsg_new(100 + status->len, gfp);
21843 	if (!msg)
21844 		return;
21845 
21846 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
21847 	if (!hdr) {
21848 		nlmsg_free(msg);
21849 		return;
21850 	}
21851 
21852 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21853 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21854 				   netdev->ifindex)) ||
21855 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21856 			      NL80211_ATTR_PAD) ||
21857 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
21858 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
21859 			      NL80211_ATTR_PAD) ||
21860 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21861 	    (status->tx_tstamp &&
21862 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
21863 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
21864 	    (status->ack_tstamp &&
21865 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
21866 			       status->ack_tstamp, NL80211_ATTR_PAD)))
21867 		goto nla_put_failure;
21868 
21869 	genlmsg_end(msg, hdr);
21870 
21871 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21872 				NL80211_MCGRP_MLME, gfp);
21873 	return;
21874 
21875 nla_put_failure:
21876 	nlmsg_free(msg);
21877 }
21878 
21879 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
21880 				     const u8 *buf, size_t len, bool ack,
21881 				     gfp_t gfp)
21882 {
21883 	struct cfg80211_tx_status status = {
21884 		.cookie = cookie,
21885 		.buf = buf,
21886 		.len = len,
21887 		.ack = ack
21888 	};
21889 
21890 	nl80211_frame_tx_status(wdev, &status, gfp,
21891 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
21892 }
21893 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
21894 
21895 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
21896 				 struct cfg80211_tx_status *status, gfp_t gfp)
21897 {
21898 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
21899 }
21900 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
21901 
21902 static int __nl80211_rx_control_port(struct net_device *dev,
21903 				     struct sk_buff *skb,
21904 				     bool unencrypted,
21905 				     int link_id,
21906 				     gfp_t gfp)
21907 {
21908 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21909 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21910 	struct ethhdr *ehdr = eth_hdr(skb);
21911 	const u8 *addr = ehdr->h_source;
21912 	u16 proto = be16_to_cpu(skb->protocol);
21913 	struct sk_buff *msg;
21914 	void *hdr;
21915 	struct nlattr *frame;
21916 
21917 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
21918 
21919 	if (!nlportid)
21920 		return -ENOENT;
21921 
21922 	msg = nlmsg_new(100 + skb->len, gfp);
21923 	if (!msg)
21924 		return -ENOMEM;
21925 
21926 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
21927 	if (!hdr) {
21928 		nlmsg_free(msg);
21929 		return -ENOBUFS;
21930 	}
21931 
21932 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21933 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21934 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21935 			      NL80211_ATTR_PAD) ||
21936 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21937 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
21938 	    (link_id >= 0 &&
21939 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
21940 	    (unencrypted && nla_put_flag(msg,
21941 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
21942 		goto nla_put_failure;
21943 
21944 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
21945 	if (!frame)
21946 		goto nla_put_failure;
21947 
21948 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
21949 	genlmsg_end(msg, hdr);
21950 
21951 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21952 
21953  nla_put_failure:
21954 	nlmsg_free(msg);
21955 	return -ENOBUFS;
21956 }
21957 
21958 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
21959 			      bool unencrypted, int link_id)
21960 {
21961 	int ret;
21962 
21963 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
21964 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
21965 					GFP_ATOMIC);
21966 	trace_cfg80211_return_bool(ret == 0);
21967 	return ret == 0;
21968 }
21969 EXPORT_SYMBOL(cfg80211_rx_control_port);
21970 
21971 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
21972 					    const char *mac, gfp_t gfp)
21973 {
21974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21975 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21976 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21977 	void **cb;
21978 
21979 	if (!msg)
21980 		return NULL;
21981 
21982 	cb = (void **)msg->cb;
21983 
21984 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
21985 	if (!cb[0]) {
21986 		nlmsg_free(msg);
21987 		return NULL;
21988 	}
21989 
21990 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21991 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21992 		goto nla_put_failure;
21993 
21994 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21995 		goto nla_put_failure;
21996 
21997 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
21998 	if (!cb[1])
21999 		goto nla_put_failure;
22000 
22001 	cb[2] = rdev;
22002 
22003 	return msg;
22004  nla_put_failure:
22005 	nlmsg_free(msg);
22006 	return NULL;
22007 }
22008 
22009 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
22010 {
22011 	void **cb = (void **)msg->cb;
22012 	struct cfg80211_registered_device *rdev = cb[2];
22013 
22014 	nla_nest_end(msg, cb[1]);
22015 	genlmsg_end(msg, cb[0]);
22016 
22017 	memset(msg->cb, 0, sizeof(msg->cb));
22018 
22019 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22020 				NL80211_MCGRP_MLME, gfp);
22021 }
22022 
22023 void cfg80211_cqm_rssi_notify(struct net_device *dev,
22024 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
22025 			      s32 rssi_level, gfp_t gfp)
22026 {
22027 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22028 	struct cfg80211_cqm_config *cqm_config;
22029 
22030 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
22031 
22032 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
22033 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
22034 		return;
22035 
22036 	rcu_read_lock();
22037 	cqm_config = rcu_dereference(wdev->cqm_config);
22038 	if (cqm_config) {
22039 		cqm_config->last_rssi_event_value = rssi_level;
22040 		cqm_config->last_rssi_event_type = rssi_event;
22041 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
22042 	}
22043 	rcu_read_unlock();
22044 }
22045 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
22046 
22047 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
22048 {
22049 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
22050 						 cqm_rssi_work);
22051 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22052 	enum nl80211_cqm_rssi_threshold_event rssi_event;
22053 	struct cfg80211_cqm_config *cqm_config;
22054 	struct sk_buff *msg;
22055 	s32 rssi_level;
22056 
22057 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
22058 	if (!cqm_config)
22059 		return;
22060 
22061 	if (cqm_config->use_range_api)
22062 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
22063 
22064 	rssi_level = cqm_config->last_rssi_event_value;
22065 	rssi_event = cqm_config->last_rssi_event_type;
22066 
22067 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
22068 	if (!msg)
22069 		return;
22070 
22071 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
22072 			rssi_event))
22073 		goto nla_put_failure;
22074 
22075 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
22076 				      rssi_level))
22077 		goto nla_put_failure;
22078 
22079 	cfg80211_send_cqm(msg, GFP_KERNEL);
22080 
22081 	return;
22082 
22083  nla_put_failure:
22084 	nlmsg_free(msg);
22085 }
22086 
22087 void cfg80211_cqm_txe_notify(struct net_device *dev,
22088 			     const u8 *peer, u32 num_packets,
22089 			     u32 rate, u32 intvl, gfp_t gfp)
22090 {
22091 	struct sk_buff *msg;
22092 
22093 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
22094 	if (!msg)
22095 		return;
22096 
22097 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
22098 		goto nla_put_failure;
22099 
22100 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
22101 		goto nla_put_failure;
22102 
22103 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
22104 		goto nla_put_failure;
22105 
22106 	cfg80211_send_cqm(msg, gfp);
22107 	return;
22108 
22109  nla_put_failure:
22110 	nlmsg_free(msg);
22111 }
22112 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
22113 
22114 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
22115 				 const u8 *peer, u32 num_packets, gfp_t gfp)
22116 {
22117 	struct sk_buff *msg;
22118 
22119 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
22120 
22121 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
22122 	if (!msg)
22123 		return;
22124 
22125 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
22126 		goto nla_put_failure;
22127 
22128 	cfg80211_send_cqm(msg, gfp);
22129 	return;
22130 
22131  nla_put_failure:
22132 	nlmsg_free(msg);
22133 }
22134 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
22135 
22136 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
22137 {
22138 	struct sk_buff *msg;
22139 
22140 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
22141 	if (!msg)
22142 		return;
22143 
22144 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
22145 		goto nla_put_failure;
22146 
22147 	cfg80211_send_cqm(msg, gfp);
22148 	return;
22149 
22150  nla_put_failure:
22151 	nlmsg_free(msg);
22152 }
22153 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
22154 
22155 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
22156 				     struct net_device *netdev, const u8 *bssid,
22157 				     const u8 *replay_ctr, gfp_t gfp)
22158 {
22159 	struct sk_buff *msg;
22160 	struct nlattr *rekey_attr;
22161 	void *hdr;
22162 
22163 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22164 	if (!msg)
22165 		return;
22166 
22167 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
22168 	if (!hdr) {
22169 		nlmsg_free(msg);
22170 		return;
22171 	}
22172 
22173 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22174 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22175 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
22176 		goto nla_put_failure;
22177 
22178 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
22179 	if (!rekey_attr)
22180 		goto nla_put_failure;
22181 
22182 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
22183 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
22184 		goto nla_put_failure;
22185 
22186 	nla_nest_end(msg, rekey_attr);
22187 
22188 	genlmsg_end(msg, hdr);
22189 
22190 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22191 				NL80211_MCGRP_MLME, gfp);
22192 	return;
22193 
22194  nla_put_failure:
22195 	nlmsg_free(msg);
22196 }
22197 
22198 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
22199 			       const u8 *replay_ctr, gfp_t gfp)
22200 {
22201 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22202 	struct wiphy *wiphy = wdev->wiphy;
22203 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22204 
22205 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
22206 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
22207 }
22208 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
22209 
22210 static void
22211 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
22212 			       struct net_device *netdev, int index,
22213 			       const u8 *bssid, bool preauth, gfp_t gfp)
22214 {
22215 	struct sk_buff *msg;
22216 	struct nlattr *attr;
22217 	void *hdr;
22218 
22219 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22220 	if (!msg)
22221 		return;
22222 
22223 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
22224 	if (!hdr) {
22225 		nlmsg_free(msg);
22226 		return;
22227 	}
22228 
22229 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22230 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
22231 		goto nla_put_failure;
22232 
22233 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
22234 	if (!attr)
22235 		goto nla_put_failure;
22236 
22237 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
22238 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
22239 	    (preauth &&
22240 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
22241 		goto nla_put_failure;
22242 
22243 	nla_nest_end(msg, attr);
22244 
22245 	genlmsg_end(msg, hdr);
22246 
22247 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22248 				NL80211_MCGRP_MLME, gfp);
22249 	return;
22250 
22251  nla_put_failure:
22252 	nlmsg_free(msg);
22253 }
22254 
22255 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
22256 				     const u8 *bssid, bool preauth, gfp_t gfp)
22257 {
22258 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22259 	struct wiphy *wiphy = wdev->wiphy;
22260 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22261 
22262 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
22263 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
22264 }
22265 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
22266 
22267 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
22268 				     struct net_device *netdev,
22269 				     unsigned int link_id,
22270 				     struct cfg80211_chan_def *chandef,
22271 				     gfp_t gfp,
22272 				     enum nl80211_commands notif,
22273 				     u8 count, bool quiet)
22274 {
22275 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
22276 	struct sk_buff *msg;
22277 	void *hdr;
22278 
22279 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22280 	if (!msg)
22281 		return;
22282 
22283 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
22284 	if (!hdr) {
22285 		nlmsg_free(msg);
22286 		return;
22287 	}
22288 
22289 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
22290 		goto nla_put_failure;
22291 
22292 	if (wdev->valid_links &&
22293 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
22294 		goto nla_put_failure;
22295 
22296 	if (nl80211_send_chandef(msg, chandef))
22297 		goto nla_put_failure;
22298 
22299 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
22300 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
22301 			goto nla_put_failure;
22302 		if (quiet &&
22303 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
22304 			goto nla_put_failure;
22305 	}
22306 
22307 	genlmsg_end(msg, hdr);
22308 
22309 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22310 				NL80211_MCGRP_MLME, gfp);
22311 	return;
22312 
22313  nla_put_failure:
22314 	nlmsg_free(msg);
22315 }
22316 
22317 void cfg80211_ch_switch_notify(struct net_device *dev,
22318 			       struct cfg80211_chan_def *chandef,
22319 			       unsigned int link_id)
22320 {
22321 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22322 	struct wiphy *wiphy = wdev->wiphy;
22323 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22324 
22325 	lockdep_assert_wiphy(wdev->wiphy);
22326 	WARN_INVALID_LINK_ID(wdev, link_id);
22327 
22328 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
22329 
22330 	switch (wdev->iftype) {
22331 	case NL80211_IFTYPE_STATION:
22332 	case NL80211_IFTYPE_P2P_CLIENT:
22333 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
22334 			cfg80211_update_assoc_bss_entry(wdev, link_id,
22335 							chandef->chan);
22336 		break;
22337 	case NL80211_IFTYPE_MESH_POINT:
22338 		wdev->u.mesh.chandef = *chandef;
22339 		wdev->u.mesh.preset_chandef = *chandef;
22340 		break;
22341 	case NL80211_IFTYPE_AP:
22342 	case NL80211_IFTYPE_P2P_GO:
22343 		wdev->links[link_id].ap.chandef = *chandef;
22344 		break;
22345 	case NL80211_IFTYPE_ADHOC:
22346 		wdev->u.ibss.chandef = *chandef;
22347 		break;
22348 	default:
22349 		WARN_ON(1);
22350 		break;
22351 	}
22352 
22353 	cfg80211_schedule_channels_check(wdev);
22354 	cfg80211_sched_dfs_chan_update(rdev);
22355 
22356 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
22357 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
22358 }
22359 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
22360 
22361 void cfg80211_incumbent_signal_notify(struct wiphy *wiphy,
22362 				      const struct cfg80211_chan_def *chandef,
22363 				      u32 signal_interference_bitmap,
22364 				      gfp_t gfp)
22365 {
22366 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22367 	struct sk_buff *msg;
22368 	void *hdr;
22369 
22370 	trace_cfg80211_incumbent_signal_notify(wiphy, chandef, signal_interference_bitmap);
22371 
22372 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22373 	if (!msg)
22374 		return;
22375 
22376 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_INCUMBENT_SIGNAL_DETECT);
22377 	if (!hdr)
22378 		goto nla_put_failure;
22379 
22380 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22381 		goto nla_put_failure;
22382 
22383 	if (nl80211_send_chandef(msg, chandef))
22384 		goto nla_put_failure;
22385 
22386 	if (nla_put_u32(msg, NL80211_ATTR_INCUMBENT_SIGNAL_INTERFERENCE_BITMAP,
22387 			signal_interference_bitmap))
22388 		goto nla_put_failure;
22389 
22390 	genlmsg_end(msg, hdr);
22391 
22392 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22393 				NL80211_MCGRP_MLME, gfp);
22394 	return;
22395 
22396 nla_put_failure:
22397 	nlmsg_free(msg);
22398 }
22399 EXPORT_SYMBOL(cfg80211_incumbent_signal_notify);
22400 
22401 void cfg80211_ch_switch_started_notify(struct net_device *dev,
22402 				       struct cfg80211_chan_def *chandef,
22403 				       unsigned int link_id, u8 count,
22404 				       bool quiet)
22405 {
22406 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22407 	struct wiphy *wiphy = wdev->wiphy;
22408 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22409 
22410 	lockdep_assert_wiphy(wdev->wiphy);
22411 	WARN_INVALID_LINK_ID(wdev, link_id);
22412 
22413 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
22414 
22415 
22416 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
22417 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
22418 				 count, quiet);
22419 }
22420 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
22421 
22422 int cfg80211_bss_color_notify(struct net_device *dev,
22423 			      enum nl80211_commands cmd, u8 count,
22424 			      u64 color_bitmap, u8 link_id)
22425 {
22426 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22427 	struct wiphy *wiphy = wdev->wiphy;
22428 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22429 	struct sk_buff *msg;
22430 	void *hdr;
22431 
22432 	lockdep_assert_wiphy(wdev->wiphy);
22433 
22434 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
22435 
22436 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
22437 	if (!msg)
22438 		return -ENOMEM;
22439 
22440 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
22441 	if (!hdr)
22442 		goto nla_put_failure;
22443 
22444 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22445 		goto nla_put_failure;
22446 
22447 	if (wdev->valid_links &&
22448 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
22449 		goto nla_put_failure;
22450 
22451 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
22452 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
22453 		goto nla_put_failure;
22454 
22455 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
22456 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
22457 			      color_bitmap, NL80211_ATTR_PAD))
22458 		goto nla_put_failure;
22459 
22460 	genlmsg_end(msg, hdr);
22461 
22462 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
22463 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
22464 
22465 nla_put_failure:
22466 	nlmsg_free(msg);
22467 	return -EINVAL;
22468 }
22469 EXPORT_SYMBOL(cfg80211_bss_color_notify);
22470 
22471 void
22472 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
22473 		     const struct cfg80211_chan_def *chandef,
22474 		     enum nl80211_radar_event event,
22475 		     struct net_device *netdev, gfp_t gfp)
22476 {
22477 	struct sk_buff *msg;
22478 	void *hdr;
22479 
22480 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22481 	if (!msg)
22482 		return;
22483 
22484 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
22485 	if (!hdr) {
22486 		nlmsg_free(msg);
22487 		return;
22488 	}
22489 
22490 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22491 		goto nla_put_failure;
22492 
22493 	/* NOP and radar events don't need a netdev parameter */
22494 	if (netdev) {
22495 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
22496 
22497 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22498 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22499 				      NL80211_ATTR_PAD))
22500 			goto nla_put_failure;
22501 	}
22502 
22503 	if (rdev->background_radar_wdev &&
22504 	    cfg80211_chandef_identical(&rdev->background_radar_chandef,
22505 				       chandef)) {
22506 		if (nla_put_flag(msg, NL80211_ATTR_RADAR_BACKGROUND))
22507 			goto nla_put_failure;
22508 	}
22509 
22510 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
22511 		goto nla_put_failure;
22512 
22513 	if (nl80211_send_chandef(msg, chandef))
22514 		goto nla_put_failure;
22515 
22516 	genlmsg_end(msg, hdr);
22517 
22518 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22519 				NL80211_MCGRP_MLME, gfp);
22520 	return;
22521 
22522  nla_put_failure:
22523 	nlmsg_free(msg);
22524 }
22525 
22526 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
22527 				       struct sta_opmode_info *sta_opmode,
22528 				       gfp_t gfp)
22529 {
22530 	struct sk_buff *msg;
22531 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22532 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22533 	void *hdr;
22534 
22535 	if (WARN_ON(!mac))
22536 		return;
22537 
22538 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22539 	if (!msg)
22540 		return;
22541 
22542 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
22543 	if (!hdr) {
22544 		nlmsg_free(msg);
22545 		return;
22546 	}
22547 
22548 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
22549 		goto nla_put_failure;
22550 
22551 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
22552 		goto nla_put_failure;
22553 
22554 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
22555 		goto nla_put_failure;
22556 
22557 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
22558 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
22559 		goto nla_put_failure;
22560 
22561 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
22562 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
22563 		goto nla_put_failure;
22564 
22565 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
22566 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
22567 		goto nla_put_failure;
22568 
22569 	genlmsg_end(msg, hdr);
22570 
22571 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22572 				NL80211_MCGRP_MLME, gfp);
22573 
22574 	return;
22575 
22576 nla_put_failure:
22577 	nlmsg_free(msg);
22578 }
22579 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
22580 
22581 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
22582 			   u64 cookie, bool acked, s32 ack_signal,
22583 			   bool is_valid_ack_signal, gfp_t gfp)
22584 {
22585 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22586 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22587 	struct sk_buff *msg;
22588 	void *hdr;
22589 
22590 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
22591 
22592 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22593 
22594 	if (!msg)
22595 		return;
22596 
22597 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
22598 	if (!hdr) {
22599 		nlmsg_free(msg);
22600 		return;
22601 	}
22602 
22603 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22604 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22605 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
22606 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
22607 			      NL80211_ATTR_PAD) ||
22608 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
22609 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
22610 						ack_signal)))
22611 		goto nla_put_failure;
22612 
22613 	genlmsg_end(msg, hdr);
22614 
22615 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22616 				NL80211_MCGRP_MLME, gfp);
22617 	return;
22618 
22619  nla_put_failure:
22620 	nlmsg_free(msg);
22621 }
22622 EXPORT_SYMBOL(cfg80211_probe_status);
22623 
22624 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
22625 				     size_t len, int freq, int sig_dbm)
22626 {
22627 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22628 	struct sk_buff *msg;
22629 	void *hdr;
22630 	struct cfg80211_beacon_registration *reg;
22631 
22632 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
22633 
22634 	spin_lock_bh(&rdev->beacon_registrations_lock);
22635 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
22636 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
22637 		if (!msg) {
22638 			spin_unlock_bh(&rdev->beacon_registrations_lock);
22639 			return;
22640 		}
22641 
22642 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
22643 		if (!hdr)
22644 			goto nla_put_failure;
22645 
22646 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22647 		    (freq &&
22648 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
22649 				  KHZ_TO_MHZ(freq)) ||
22650 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
22651 				  freq % 1000))) ||
22652 		    (sig_dbm &&
22653 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
22654 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
22655 			goto nla_put_failure;
22656 
22657 		genlmsg_end(msg, hdr);
22658 
22659 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
22660 	}
22661 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22662 	return;
22663 
22664  nla_put_failure:
22665 	spin_unlock_bh(&rdev->beacon_registrations_lock);
22666 	nlmsg_free(msg);
22667 }
22668 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
22669 
22670 #ifdef CONFIG_PM
22671 static int cfg80211_net_detect_results(struct sk_buff *msg,
22672 				       struct cfg80211_wowlan_wakeup *wakeup)
22673 {
22674 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
22675 	struct nlattr *nl_results, *nl_match, *nl_freqs;
22676 	int i, j;
22677 
22678 	nl_results = nla_nest_start_noflag(msg,
22679 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
22680 	if (!nl_results)
22681 		return -EMSGSIZE;
22682 
22683 	for (i = 0; i < nd->n_matches; i++) {
22684 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
22685 
22686 		nl_match = nla_nest_start_noflag(msg, i);
22687 		if (!nl_match)
22688 			break;
22689 
22690 		/* The SSID attribute is optional in nl80211, but for
22691 		 * simplicity reasons it's always present in the
22692 		 * cfg80211 structure.  If a driver can't pass the
22693 		 * SSID, that needs to be changed.  A zero length SSID
22694 		 * is still a valid SSID (wildcard), so it cannot be
22695 		 * used for this purpose.
22696 		 */
22697 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
22698 			    match->ssid.ssid)) {
22699 			nla_nest_cancel(msg, nl_match);
22700 			goto out;
22701 		}
22702 
22703 		if (match->n_channels) {
22704 			nl_freqs = nla_nest_start_noflag(msg,
22705 							 NL80211_ATTR_SCAN_FREQUENCIES);
22706 			if (!nl_freqs) {
22707 				nla_nest_cancel(msg, nl_match);
22708 				goto out;
22709 			}
22710 
22711 			for (j = 0; j < match->n_channels; j++) {
22712 				if (nla_put_u32(msg, j, match->channels[j])) {
22713 					nla_nest_cancel(msg, nl_freqs);
22714 					nla_nest_cancel(msg, nl_match);
22715 					goto out;
22716 				}
22717 			}
22718 
22719 			nla_nest_end(msg, nl_freqs);
22720 		}
22721 
22722 		nla_nest_end(msg, nl_match);
22723 	}
22724 
22725 out:
22726 	nla_nest_end(msg, nl_results);
22727 	return 0;
22728 }
22729 
22730 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
22731 				   struct cfg80211_wowlan_wakeup *wakeup,
22732 				   gfp_t gfp)
22733 {
22734 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22735 	struct sk_buff *msg;
22736 	void *hdr;
22737 	int size = 200;
22738 
22739 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
22740 
22741 	if (wakeup)
22742 		size += wakeup->packet_present_len;
22743 
22744 	msg = nlmsg_new(size, gfp);
22745 	if (!msg)
22746 		return;
22747 
22748 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
22749 	if (!hdr)
22750 		goto free_msg;
22751 
22752 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22753 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22754 			      NL80211_ATTR_PAD))
22755 		goto free_msg;
22756 
22757 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
22758 					wdev->netdev->ifindex))
22759 		goto free_msg;
22760 
22761 	if (wakeup) {
22762 		struct nlattr *reasons;
22763 
22764 		reasons = nla_nest_start_noflag(msg,
22765 						NL80211_ATTR_WOWLAN_TRIGGERS);
22766 		if (!reasons)
22767 			goto free_msg;
22768 
22769 		if (wakeup->disconnect &&
22770 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
22771 			goto free_msg;
22772 		if (wakeup->magic_pkt &&
22773 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
22774 			goto free_msg;
22775 		if (wakeup->gtk_rekey_failure &&
22776 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
22777 			goto free_msg;
22778 		if (wakeup->eap_identity_req &&
22779 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
22780 			goto free_msg;
22781 		if (wakeup->four_way_handshake &&
22782 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
22783 			goto free_msg;
22784 		if (wakeup->rfkill_release &&
22785 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
22786 			goto free_msg;
22787 
22788 		if (wakeup->pattern_idx >= 0 &&
22789 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
22790 				wakeup->pattern_idx))
22791 			goto free_msg;
22792 
22793 		if (wakeup->tcp_match &&
22794 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
22795 			goto free_msg;
22796 
22797 		if (wakeup->tcp_connlost &&
22798 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
22799 			goto free_msg;
22800 
22801 		if (wakeup->tcp_nomoretokens &&
22802 		    nla_put_flag(msg,
22803 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
22804 			goto free_msg;
22805 
22806 		if (wakeup->unprot_deauth_disassoc &&
22807 		    nla_put_flag(msg,
22808 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
22809 			goto free_msg;
22810 
22811 		if (wakeup->packet) {
22812 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
22813 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
22814 
22815 			if (!wakeup->packet_80211) {
22816 				pkt_attr =
22817 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
22818 				len_attr =
22819 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
22820 			}
22821 
22822 			if (wakeup->packet_len &&
22823 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
22824 				goto free_msg;
22825 
22826 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
22827 				    wakeup->packet))
22828 				goto free_msg;
22829 		}
22830 
22831 		if (wakeup->net_detect &&
22832 		    cfg80211_net_detect_results(msg, wakeup))
22833 				goto free_msg;
22834 
22835 		nla_nest_end(msg, reasons);
22836 	}
22837 
22838 	genlmsg_end(msg, hdr);
22839 
22840 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22841 				NL80211_MCGRP_MLME, gfp);
22842 	return;
22843 
22844  free_msg:
22845 	nlmsg_free(msg);
22846 }
22847 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
22848 #endif
22849 
22850 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
22851 				enum nl80211_tdls_operation oper,
22852 				u16 reason_code, gfp_t gfp)
22853 {
22854 	struct wireless_dev *wdev = dev->ieee80211_ptr;
22855 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
22856 	struct sk_buff *msg;
22857 	void *hdr;
22858 
22859 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
22860 					 reason_code);
22861 
22862 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22863 	if (!msg)
22864 		return;
22865 
22866 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
22867 	if (!hdr) {
22868 		nlmsg_free(msg);
22869 		return;
22870 	}
22871 
22872 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22873 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
22874 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
22875 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
22876 	    (reason_code > 0 &&
22877 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
22878 		goto nla_put_failure;
22879 
22880 	genlmsg_end(msg, hdr);
22881 
22882 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22883 				NL80211_MCGRP_MLME, gfp);
22884 	return;
22885 
22886  nla_put_failure:
22887 	nlmsg_free(msg);
22888 }
22889 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
22890 
22891 static int nl80211_netlink_notify(struct notifier_block * nb,
22892 				  unsigned long state,
22893 				  void *_notify)
22894 {
22895 	struct netlink_notify *notify = _notify;
22896 	struct cfg80211_registered_device *rdev;
22897 	struct wireless_dev *wdev;
22898 	struct cfg80211_beacon_registration *reg, *tmp;
22899 
22900 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
22901 		return NOTIFY_DONE;
22902 
22903 	rcu_read_lock();
22904 
22905 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
22906 		struct cfg80211_sched_scan_request *sched_scan_req;
22907 
22908 		list_for_each_entry_rcu(sched_scan_req,
22909 					&rdev->sched_scan_req_list,
22910 					list) {
22911 			if (sched_scan_req->owner_nlportid == notify->portid) {
22912 				sched_scan_req->nl_owner_dead = true;
22913 				wiphy_work_queue(&rdev->wiphy,
22914 						 &rdev->sched_scan_stop_wk);
22915 			}
22916 		}
22917 
22918 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
22919 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
22920 
22921 			if (wdev->owner_nlportid == notify->portid) {
22922 				wdev->nl_owner_dead = true;
22923 				schedule_work(&rdev->destroy_work);
22924 			} else if (wdev->conn_owner_nlportid == notify->portid) {
22925 				schedule_work(&wdev->disconnect_wk);
22926 			}
22927 
22928 			cfg80211_release_pmsr(wdev, notify->portid);
22929 		}
22930 
22931 		spin_lock_bh(&rdev->beacon_registrations_lock);
22932 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
22933 					 list) {
22934 			if (reg->nlportid == notify->portid) {
22935 				list_del(&reg->list);
22936 				kfree(reg);
22937 				break;
22938 			}
22939 		}
22940 		spin_unlock_bh(&rdev->beacon_registrations_lock);
22941 	}
22942 
22943 	rcu_read_unlock();
22944 
22945 	/*
22946 	 * It is possible that the user space process that is controlling the
22947 	 * indoor setting disappeared, so notify the regulatory core.
22948 	 */
22949 	regulatory_netlink_notify(notify->portid);
22950 	return NOTIFY_OK;
22951 }
22952 
22953 static struct notifier_block nl80211_netlink_notifier = {
22954 	.notifier_call = nl80211_netlink_notify,
22955 };
22956 
22957 void cfg80211_ft_event(struct net_device *netdev,
22958 		       struct cfg80211_ft_event_params *ft_event)
22959 {
22960 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
22961 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
22962 	struct sk_buff *msg;
22963 	void *hdr;
22964 
22965 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
22966 
22967 	if (!ft_event->target_ap)
22968 		return;
22969 
22970 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
22971 			GFP_KERNEL);
22972 	if (!msg)
22973 		return;
22974 
22975 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
22976 	if (!hdr)
22977 		goto out;
22978 
22979 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22980 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
22981 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
22982 		goto out;
22983 
22984 	if (ft_event->ies &&
22985 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
22986 		goto out;
22987 	if (ft_event->ric_ies &&
22988 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
22989 		    ft_event->ric_ies))
22990 		goto out;
22991 
22992 	genlmsg_end(msg, hdr);
22993 
22994 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
22995 				NL80211_MCGRP_MLME, GFP_KERNEL);
22996 	return;
22997  out:
22998 	nlmsg_free(msg);
22999 }
23000 EXPORT_SYMBOL(cfg80211_ft_event);
23001 
23002 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
23003 {
23004 	struct cfg80211_registered_device *rdev;
23005 	struct sk_buff *msg;
23006 	void *hdr;
23007 	u32 nlportid;
23008 
23009 	rdev = wiphy_to_rdev(wdev->wiphy);
23010 	if (!rdev->crit_proto_nlportid)
23011 		return;
23012 
23013 	nlportid = rdev->crit_proto_nlportid;
23014 	rdev->crit_proto_nlportid = 0;
23015 
23016 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23017 	if (!msg)
23018 		return;
23019 
23020 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
23021 	if (!hdr)
23022 		goto nla_put_failure;
23023 
23024 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23025 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23026 			      NL80211_ATTR_PAD))
23027 		goto nla_put_failure;
23028 
23029 	genlmsg_end(msg, hdr);
23030 
23031 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
23032 	return;
23033 
23034  nla_put_failure:
23035 	nlmsg_free(msg);
23036 }
23037 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
23038 
23039 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
23040 {
23041 	struct wiphy *wiphy = wdev->wiphy;
23042 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23043 	struct sk_buff *msg;
23044 	void *hdr;
23045 
23046 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
23047 	if (!msg)
23048 		return;
23049 
23050 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
23051 	if (!hdr)
23052 		goto out;
23053 
23054 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23055 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
23056 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23057 			      NL80211_ATTR_PAD) ||
23058 	    (wdev->valid_links &&
23059 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
23060 		goto out;
23061 
23062 	genlmsg_end(msg, hdr);
23063 
23064 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
23065 				NL80211_MCGRP_MLME, GFP_KERNEL);
23066 	return;
23067  out:
23068 	nlmsg_free(msg);
23069 }
23070 
23071 int cfg80211_external_auth_request(struct net_device *dev,
23072 				   struct cfg80211_external_auth_params *params,
23073 				   gfp_t gfp)
23074 {
23075 	struct wireless_dev *wdev = dev->ieee80211_ptr;
23076 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
23077 	struct sk_buff *msg;
23078 	void *hdr;
23079 
23080 	if (!wdev->conn_owner_nlportid)
23081 		return -EINVAL;
23082 
23083 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23084 	if (!msg)
23085 		return -ENOMEM;
23086 
23087 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
23088 	if (!hdr)
23089 		goto nla_put_failure;
23090 
23091 	/* Some historical mistakes in drivers <-> userspace interface (notably
23092 	 * between drivers and wpa_supplicant) led to a big-endian conversion
23093 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
23094 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
23095 	 * benefit of older wpa_supplicant versions, send this particular value
23096 	 * in big-endian. Note that newer wpa_supplicant will also detect this
23097 	 * particular value in big endian still, so it all continues to work.
23098 	 */
23099 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
23100 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
23101 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
23102 			goto nla_put_failure;
23103 	} else {
23104 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
23105 				params->key_mgmt_suite))
23106 			goto nla_put_failure;
23107 	}
23108 
23109 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23110 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
23111 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
23112 			params->action) ||
23113 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
23114 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
23115 		    params->ssid.ssid) ||
23116 	    (!is_zero_ether_addr(params->mld_addr) &&
23117 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
23118 		goto nla_put_failure;
23119 
23120 	genlmsg_end(msg, hdr);
23121 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
23122 			wdev->conn_owner_nlportid);
23123 	return 0;
23124 
23125  nla_put_failure:
23126 	nlmsg_free(msg);
23127 	return -ENOBUFS;
23128 }
23129 EXPORT_SYMBOL(cfg80211_external_auth_request);
23130 
23131 void cfg80211_update_owe_info_event(struct net_device *netdev,
23132 				    struct cfg80211_update_owe_info *owe_info,
23133 				    gfp_t gfp)
23134 {
23135 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
23136 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23137 	struct sk_buff *msg;
23138 	void *hdr;
23139 
23140 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
23141 
23142 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23143 	if (!msg)
23144 		return;
23145 
23146 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
23147 	if (!hdr)
23148 		goto nla_put_failure;
23149 
23150 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23151 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
23152 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
23153 		goto nla_put_failure;
23154 
23155 	if (!owe_info->ie_len ||
23156 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
23157 		goto nla_put_failure;
23158 
23159 	if (owe_info->assoc_link_id != -1) {
23160 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
23161 			       owe_info->assoc_link_id))
23162 			goto nla_put_failure;
23163 
23164 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
23165 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
23166 			    owe_info->peer_mld_addr))
23167 			goto nla_put_failure;
23168 	}
23169 
23170 	genlmsg_end(msg, hdr);
23171 
23172 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
23173 				NL80211_MCGRP_MLME, gfp);
23174 	return;
23175 
23176 nla_put_failure:
23177 	genlmsg_cancel(msg, hdr);
23178 	nlmsg_free(msg);
23179 }
23180 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
23181 
23182 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
23183 {
23184 	struct wiphy *wiphy = wdev->wiphy;
23185 
23186 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
23187 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
23188 	    (wiphy_ext_feature_isset(wiphy,
23189 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
23190 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
23191 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
23192 		reg_check_channels();
23193 }
23194 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
23195 
23196 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
23197 {
23198 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
23199 	struct wiphy *wiphy = wdev->wiphy;
23200 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23201 	struct sk_buff *msg;
23202 	void *hdr;
23203 
23204 	trace_cfg80211_epcs_changed(wdev, enabled);
23205 
23206 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
23207 	if (!msg)
23208 		return;
23209 
23210 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
23211 	if (!hdr) {
23212 		nlmsg_free(msg);
23213 		return;
23214 	}
23215 
23216 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
23217 		goto nla_put_failure;
23218 
23219 	genlmsg_end(msg, hdr);
23220 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
23221 				NL80211_MCGRP_MLME, GFP_KERNEL);
23222 	return;
23223 
23224  nla_put_failure:
23225 	nlmsg_free(msg);
23226 }
23227 EXPORT_SYMBOL(cfg80211_epcs_changed);
23228 
23229 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
23230 				struct ieee80211_channel *chan, gfp_t gfp)
23231 {
23232 	struct wiphy *wiphy = wdev->wiphy;
23233 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23234 	struct sk_buff *msg;
23235 	void *hdr;
23236 
23237 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
23238 
23239 	if (!wdev->owner_nlportid)
23240 		return;
23241 
23242 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23243 	if (!msg)
23244 		return;
23245 
23246 	hdr = nl80211hdr_put(msg, 0, 0, 0,
23247 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
23248 	if (!hdr)
23249 		goto nla_put_failure;
23250 
23251 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23252 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23253 			      NL80211_ATTR_PAD) ||
23254 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
23255 		goto nla_put_failure;
23256 
23257 	genlmsg_end(msg, hdr);
23258 
23259 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
23260 
23261 	return;
23262 
23263  nla_put_failure:
23264 	nlmsg_free(msg);
23265 }
23266 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
23267 
23268 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
23269 				 const u8 *cluster_id, bool new_cluster,
23270 				 gfp_t gfp)
23271 {
23272 	struct wiphy *wiphy = wdev->wiphy;
23273 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23274 	struct sk_buff *msg;
23275 	void *hdr;
23276 
23277 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
23278 
23279 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
23280 
23281 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23282 	if (!msg)
23283 		return;
23284 
23285 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
23286 	if (!hdr)
23287 		goto nla_put_failure;
23288 
23289 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23290 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23291 			      NL80211_ATTR_PAD) ||
23292 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
23293 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
23294 		goto nla_put_failure;
23295 
23296 	genlmsg_end(msg, hdr);
23297 
23298 	if (!wdev->owner_nlportid)
23299 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
23300 					msg, 0, NL80211_MCGRP_NAN, gfp);
23301 	else
23302 		genlmsg_unicast(wiphy_net(wiphy), msg,
23303 				wdev->owner_nlportid);
23304 	return;
23305 
23306  nla_put_failure:
23307 	nlmsg_free(msg);
23308 }
23309 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
23310 
23311 void cfg80211_nan_ulw_update(struct wireless_dev *wdev,
23312 			     const u8 *ulw, size_t ulw_len, gfp_t gfp)
23313 {
23314 	struct wiphy *wiphy = wdev->wiphy;
23315 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23316 	struct sk_buff *msg;
23317 	void *hdr;
23318 
23319 	trace_cfg80211_nan_ulw_update(wiphy, wdev, ulw, ulw_len);
23320 
23321 	if (!wdev->owner_nlportid)
23322 		return;
23323 
23324 	/* 32 for the wiphy idx, 64 for the wdev id, 100 for padding */
23325 	msg = nlmsg_new(nla_total_size(sizeof(u32)) +
23326 			nla_total_size(ulw_len) +
23327 			nla_total_size(sizeof(u64)) + 100,
23328 			gfp);
23329 	if (!msg)
23330 		return;
23331 
23332 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_ULW_UPDATE);
23333 	if (!hdr)
23334 		goto nla_put_failure;
23335 
23336 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23337 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23338 			      NL80211_ATTR_PAD) ||
23339 	    (ulw && ulw_len &&
23340 	     nla_put(msg, NL80211_ATTR_NAN_ULW, ulw_len, ulw)))
23341 		goto nla_put_failure;
23342 
23343 	genlmsg_end(msg, hdr);
23344 
23345 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
23346 
23347 	return;
23348 
23349  nla_put_failure:
23350 	nlmsg_free(msg);
23351 }
23352 EXPORT_SYMBOL(cfg80211_nan_ulw_update);
23353 
23354 void cfg80211_nan_channel_evac(struct wireless_dev *wdev,
23355 			       const struct cfg80211_chan_def *chandef,
23356 			       gfp_t gfp)
23357 {
23358 	struct wiphy *wiphy = wdev->wiphy;
23359 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
23360 	struct sk_buff *msg;
23361 	struct nlattr *chan_attr;
23362 	void *hdr;
23363 
23364 	trace_cfg80211_nan_channel_evac(wiphy, wdev, chandef);
23365 
23366 	if (!wdev->owner_nlportid)
23367 		return;
23368 
23369 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
23370 	if (!msg)
23371 		return;
23372 
23373 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CHANNEL_EVAC);
23374 	if (!hdr)
23375 		goto nla_put_failure;
23376 
23377 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
23378 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
23379 			      NL80211_ATTR_PAD))
23380 		goto nla_put_failure;
23381 
23382 	chan_attr = nla_nest_start(msg, NL80211_ATTR_NAN_CHANNEL);
23383 	if (!chan_attr)
23384 		goto nla_put_failure;
23385 
23386 	if (nl80211_send_chandef(msg, chandef))
23387 		goto nla_put_failure;
23388 
23389 	nla_nest_end(msg, chan_attr);
23390 
23391 	genlmsg_end(msg, hdr);
23392 
23393 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
23394 
23395 	return;
23396 
23397  nla_put_failure:
23398 	nlmsg_free(msg);
23399 }
23400 EXPORT_SYMBOL(cfg80211_nan_channel_evac);
23401 
23402 /* initialisation/exit functions */
23403 
23404 int __init nl80211_init(void)
23405 {
23406 	int err;
23407 
23408 	err = genl_register_family(&nl80211_fam);
23409 	if (err)
23410 		return err;
23411 
23412 	err = netlink_register_notifier(&nl80211_netlink_notifier);
23413 	if (err)
23414 		goto err_out;
23415 
23416 	return 0;
23417  err_out:
23418 	genl_unregister_family(&nl80211_fam);
23419 	return err;
23420 }
23421 
23422 void nl80211_exit(void)
23423 {
23424 	netlink_unregister_notifier(&nl80211_netlink_notifier);
23425 	genl_unregister_family(&nl80211_fam);
23426 }
23427