xref: /linux/net/wireless/nl80211.c (revision b9b77222d4ff6b5bb8f5d87fca20de0910618bb9) 
1 /*
2  * This is the new netlink-based wireless configuration interface.
3  *
4  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
5  * Copyright 2013-2014  Intel Mobile Communications GmbH
6  * Copyright 2015-2017	Intel Deutschland GmbH
7  * Copyright (C) 2018 Intel Corporation
8  */
9 
10 #include <linux/if.h>
11 #include <linux/module.h>
12 #include <linux/err.h>
13 #include <linux/slab.h>
14 #include <linux/list.h>
15 #include <linux/if_ether.h>
16 #include <linux/ieee80211.h>
17 #include <linux/nl80211.h>
18 #include <linux/rtnetlink.h>
19 #include <linux/netlink.h>
20 #include <linux/nospec.h>
21 #include <linux/etherdevice.h>
22 #include <net/net_namespace.h>
23 #include <net/genetlink.h>
24 #include <net/cfg80211.h>
25 #include <net/sock.h>
26 #include <net/inet_connection_sock.h>
27 #include "core.h"
28 #include "nl80211.h"
29 #include "reg.h"
30 #include "rdev-ops.h"
31 
32 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
33 				   struct genl_info *info,
34 				   struct cfg80211_crypto_settings *settings,
35 				   int cipher_limit);
36 
37 /* the netlink family */
38 static struct genl_family nl80211_fam;
39 
40 /* multicast groups */
41 enum nl80211_multicast_groups {
42 	NL80211_MCGRP_CONFIG,
43 	NL80211_MCGRP_SCAN,
44 	NL80211_MCGRP_REGULATORY,
45 	NL80211_MCGRP_MLME,
46 	NL80211_MCGRP_VENDOR,
47 	NL80211_MCGRP_NAN,
48 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
49 };
50 
51 static const struct genl_multicast_group nl80211_mcgrps[] = {
52 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
53 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
54 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
55 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
56 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
57 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
58 #ifdef CONFIG_NL80211_TESTMODE
59 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
60 #endif
61 };
62 
63 /* returns ERR_PTR values */
64 static struct wireless_dev *
65 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
66 {
67 	struct cfg80211_registered_device *rdev;
68 	struct wireless_dev *result = NULL;
69 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
70 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
71 	u64 wdev_id;
72 	int wiphy_idx = -1;
73 	int ifidx = -1;
74 
75 	ASSERT_RTNL();
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
88 		struct wireless_dev *wdev;
89 
90 		if (wiphy_net(&rdev->wiphy) != netns)
91 			continue;
92 
93 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
94 			continue;
95 
96 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
97 			if (have_ifidx && wdev->netdev &&
98 			    wdev->netdev->ifindex == ifidx) {
99 				result = wdev;
100 				break;
101 			}
102 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
103 				result = wdev;
104 				break;
105 			}
106 		}
107 
108 		if (result)
109 			break;
110 	}
111 
112 	if (result)
113 		return result;
114 	return ERR_PTR(-ENODEV);
115 }
116 
117 static struct cfg80211_registered_device *
118 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
119 {
120 	struct cfg80211_registered_device *rdev = NULL, *tmp;
121 	struct net_device *netdev;
122 
123 	ASSERT_RTNL();
124 
125 	if (!attrs[NL80211_ATTR_WIPHY] &&
126 	    !attrs[NL80211_ATTR_IFINDEX] &&
127 	    !attrs[NL80211_ATTR_WDEV])
128 		return ERR_PTR(-EINVAL);
129 
130 	if (attrs[NL80211_ATTR_WIPHY])
131 		rdev = cfg80211_rdev_by_wiphy_idx(
132 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
133 
134 	if (attrs[NL80211_ATTR_WDEV]) {
135 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
136 		struct wireless_dev *wdev;
137 		bool found = false;
138 
139 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
140 		if (tmp) {
141 			/* make sure wdev exists */
142 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
143 				if (wdev->identifier != (u32)wdev_id)
144 					continue;
145 				found = true;
146 				break;
147 			}
148 
149 			if (!found)
150 				tmp = NULL;
151 
152 			if (rdev && tmp != rdev)
153 				return ERR_PTR(-EINVAL);
154 			rdev = tmp;
155 		}
156 	}
157 
158 	if (attrs[NL80211_ATTR_IFINDEX]) {
159 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
160 
161 		netdev = __dev_get_by_index(netns, ifindex);
162 		if (netdev) {
163 			if (netdev->ieee80211_ptr)
164 				tmp = wiphy_to_rdev(
165 					netdev->ieee80211_ptr->wiphy);
166 			else
167 				tmp = NULL;
168 
169 			/* not wireless device -- return error */
170 			if (!tmp)
171 				return ERR_PTR(-EINVAL);
172 
173 			/* mismatch -- return error */
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 
177 			rdev = tmp;
178 		}
179 	}
180 
181 	if (!rdev)
182 		return ERR_PTR(-ENODEV);
183 
184 	if (netns != wiphy_net(&rdev->wiphy))
185 		return ERR_PTR(-ENODEV);
186 
187 	return rdev;
188 }
189 
190 /*
191  * This function returns a pointer to the driver
192  * that the genl_info item that is passed refers to.
193  *
194  * The result of this can be a PTR_ERR and hence must
195  * be checked with IS_ERR() for errors.
196  */
197 static struct cfg80211_registered_device *
198 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
199 {
200 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
201 }
202 
203 /* policy for the attributes */
204 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
205 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
206 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
207 				      .len = 20-1 },
208 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
209 
210 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
211 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
212 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
213 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
214 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
215 
216 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = { .type = NLA_U8 },
217 	[NL80211_ATTR_WIPHY_RETRY_LONG] = { .type = NLA_U8 },
218 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
219 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
220 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
221 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
222 
223 	[NL80211_ATTR_IFTYPE] = { .type = NLA_U32 },
224 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
225 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
226 
227 	[NL80211_ATTR_MAC] = { .len = ETH_ALEN },
228 	[NL80211_ATTR_PREV_BSSID] = { .len = ETH_ALEN },
229 
230 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
231 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
232 				    .len = WLAN_MAX_KEY_LEN },
233 	[NL80211_ATTR_KEY_IDX] = { .type = NLA_U8 },
234 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
235 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
236 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
237 	[NL80211_ATTR_KEY_TYPE] = { .type = NLA_U32 },
238 
239 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
240 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
241 	[NL80211_ATTR_BEACON_HEAD] = { .type = NLA_BINARY,
242 				       .len = IEEE80211_MAX_DATA_LEN },
243 	[NL80211_ATTR_BEACON_TAIL] = { .type = NLA_BINARY,
244 				       .len = IEEE80211_MAX_DATA_LEN },
245 	[NL80211_ATTR_STA_AID] = { .type = NLA_U16 },
246 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
247 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
248 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
249 					       .len = NL80211_MAX_SUPP_RATES },
250 	[NL80211_ATTR_STA_PLINK_ACTION] = { .type = NLA_U8 },
251 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
252 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
253 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
254 				   .len = IEEE80211_MAX_MESH_ID_LEN },
255 	[NL80211_ATTR_MPATH_NEXT_HOP] = { .type = NLA_U32 },
256 
257 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
258 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
259 
260 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
261 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
262 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
263 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
264 					   .len = NL80211_MAX_SUPP_RATES },
265 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
266 
267 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
268 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
269 
270 	[NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
271 
272 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
273 	[NL80211_ATTR_IE] = { .type = NLA_BINARY,
274 			      .len = IEEE80211_MAX_DATA_LEN },
275 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
276 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
277 
278 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
279 				.len = IEEE80211_MAX_SSID_LEN },
280 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
281 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
282 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
283 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
284 	[NL80211_ATTR_USE_MFP] = { .type = NLA_U32 },
285 	[NL80211_ATTR_STA_FLAGS2] = {
286 		.len = sizeof(struct nl80211_sta_flag_update),
287 	},
288 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
289 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
290 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
291 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
292 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
293 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
294 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
295 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
296 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
297 	[NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
298 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
299 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
300 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
301 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
302 				 .len = IEEE80211_MAX_DATA_LEN },
303 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
304 	[NL80211_ATTR_PS_STATE] = { .type = NLA_U32 },
305 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
306 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
307 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
308 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
309 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
310 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
311 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
312 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
313 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
314 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
315 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
316 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
317 	[NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
318 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
319 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
320 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
321 	[NL80211_ATTR_HIDDEN_SSID] = { .type = NLA_U32 },
322 	[NL80211_ATTR_IE_PROBE_RESP] = { .type = NLA_BINARY,
323 					 .len = IEEE80211_MAX_DATA_LEN },
324 	[NL80211_ATTR_IE_ASSOC_RESP] = { .type = NLA_BINARY,
325 					 .len = IEEE80211_MAX_DATA_LEN },
326 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
327 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
328 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
329 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
330 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
331 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
332 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
333 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
334 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
335 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
336 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
337 				      .len = IEEE80211_MAX_DATA_LEN },
338 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
339 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
340 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
341 		.len = NL80211_HT_CAPABILITY_LEN
342 	},
343 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
344 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
345 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
346 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
347 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
348 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
349 	[NL80211_ATTR_VHT_CAPABILITY] = { .len = NL80211_VHT_CAPABILITY_LEN },
350 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
351 	[NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
352 	[NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
353 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
354 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
355 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
356 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
357 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
358 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
359 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
360 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
361 		.len = NL80211_VHT_CAPABILITY_LEN,
362 	},
363 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
364 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
365 				  .len = IEEE80211_MAX_DATA_LEN },
366 	[NL80211_ATTR_PEER_AID] = { .type = NLA_U16 },
367 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
368 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
369 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
370 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
371 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
372 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
373 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
374 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
375 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
376 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
377 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
378 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
379 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
380 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
381 	[NL80211_ATTR_MAC_HINT] = { .len = ETH_ALEN },
382 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
383 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
384 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
385 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
386 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
387 	[NL80211_ATTR_TSID] = { .type = NLA_U8 },
388 	[NL80211_ATTR_USER_PRIO] = { .type = NLA_U8 },
389 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
390 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
391 	[NL80211_ATTR_MAC_MASK] = { .len = ETH_ALEN },
392 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
394 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
395 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
396 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
397 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
398 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] = { .type = NLA_U8 },
399 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
400 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
401 	},
402 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = { .len = ETH_ALEN },
403 	[NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
404 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
405 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
406 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
407 				    .len = FILS_MAX_KEK_LEN },
408 	[NL80211_ATTR_FILS_NONCES] = { .len = 2 * FILS_NONCE_LEN },
409 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
410 	[NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
411 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
412 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
413 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
414 	},
415 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
416 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
417 					     .len = FILS_ERP_MAX_USERNAME_LEN },
418 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
419 					  .len = FILS_ERP_MAX_REALM_LEN },
420 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
421 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
422 					.len = FILS_ERP_MAX_RRK_LEN },
423 	[NL80211_ATTR_FILS_CACHE_ID] = { .len = 2 },
424 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
425 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
426 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
427 
428 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
429 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
430 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
431 };
432 
433 /* policy for the key attributes */
434 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
435 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
436 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
437 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
438 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
439 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
440 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
441 	[NL80211_KEY_TYPE] = { .type = NLA_U32 },
442 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
443 };
444 
445 /* policy for the key default flags */
446 static const struct nla_policy
447 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
448 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
449 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
450 };
451 
452 #ifdef CONFIG_PM
453 /* policy for WoWLAN attributes */
454 static const struct nla_policy
455 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
456 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
457 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
458 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
459 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
460 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
461 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
462 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
463 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
464 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
465 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
466 };
467 
468 static const struct nla_policy
469 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
470 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
471 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
472 	[NL80211_WOWLAN_TCP_DST_MAC] = { .len = ETH_ALEN },
473 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
474 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
475 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .len = 1 },
476 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
477 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
478 	},
479 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
480 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
481 	},
482 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
483 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .len = 1 },
484 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .len = 1 },
485 };
486 #endif /* CONFIG_PM */
487 
488 /* policy for coalesce rule attributes */
489 static const struct nla_policy
490 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
491 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
492 	[NL80211_ATTR_COALESCE_RULE_CONDITION] = { .type = NLA_U32 },
493 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
494 };
495 
496 /* policy for GTK rekey offload attributes */
497 static const struct nla_policy
498 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
499 	[NL80211_REKEY_DATA_KEK] = { .len = NL80211_KEK_LEN },
500 	[NL80211_REKEY_DATA_KCK] = { .len = NL80211_KCK_LEN },
501 	[NL80211_REKEY_DATA_REPLAY_CTR] = { .len = NL80211_REPLAY_CTR_LEN },
502 };
503 
504 static const struct nla_policy
505 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
506 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
507 						 .len = IEEE80211_MAX_SSID_LEN },
508 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = { .len = ETH_ALEN },
509 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
510 };
511 
512 static const struct nla_policy
513 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
514 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
515 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
516 };
517 
518 static const struct nla_policy
519 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
520 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
521 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
522 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
523 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
524 	},
525 };
526 
527 /* policy for NAN function attributes */
528 static const struct nla_policy
529 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
530 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
531 	[NL80211_NAN_FUNC_SERVICE_ID] = {
532 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
533 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
534 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
535 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
536 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
537 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
538 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = { .len = ETH_ALEN },
539 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
540 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
541 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
542 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
543 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
544 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
545 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
546 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
547 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
548 };
549 
550 /* policy for Service Response Filter attributes */
551 static const struct nla_policy
552 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
553 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
554 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
555 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
556 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
557 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
558 };
559 
560 /* policy for packet pattern attributes */
561 static const struct nla_policy
562 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
563 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
564 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
565 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
566 };
567 
568 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
569 				     struct netlink_callback *cb,
570 				     struct cfg80211_registered_device **rdev,
571 				     struct wireless_dev **wdev)
572 {
573 	int err;
574 
575 	if (!cb->args[0]) {
576 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
577 				  genl_family_attrbuf(&nl80211_fam),
578 				  nl80211_fam.maxattr, nl80211_policy, NULL);
579 		if (err)
580 			return err;
581 
582 		*wdev = __cfg80211_wdev_from_attrs(
583 					sock_net(skb->sk),
584 					genl_family_attrbuf(&nl80211_fam));
585 		if (IS_ERR(*wdev))
586 			return PTR_ERR(*wdev);
587 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
588 		/* 0 is the first index - add 1 to parse only once */
589 		cb->args[0] = (*rdev)->wiphy_idx + 1;
590 		cb->args[1] = (*wdev)->identifier;
591 	} else {
592 		/* subtract the 1 again here */
593 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
594 		struct wireless_dev *tmp;
595 
596 		if (!wiphy)
597 			return -ENODEV;
598 		*rdev = wiphy_to_rdev(wiphy);
599 		*wdev = NULL;
600 
601 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
602 			if (tmp->identifier == cb->args[1]) {
603 				*wdev = tmp;
604 				break;
605 			}
606 		}
607 
608 		if (!*wdev)
609 			return -ENODEV;
610 	}
611 
612 	return 0;
613 }
614 
615 /* IE validation */
616 static bool is_valid_ie_attr(const struct nlattr *attr)
617 {
618 	const u8 *pos;
619 	int len;
620 
621 	if (!attr)
622 		return true;
623 
624 	pos = nla_data(attr);
625 	len = nla_len(attr);
626 
627 	while (len) {
628 		u8 elemlen;
629 
630 		if (len < 2)
631 			return false;
632 		len -= 2;
633 
634 		elemlen = pos[1];
635 		if (elemlen > len)
636 			return false;
637 
638 		len -= elemlen;
639 		pos += 2 + elemlen;
640 	}
641 
642 	return true;
643 }
644 
645 /* message building helper */
646 static inline void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
647 				   int flags, u8 cmd)
648 {
649 	/* since there is no private header just add the generic one */
650 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
651 }
652 
653 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
654 				     const struct ieee80211_reg_rule *rule)
655 {
656 	int j;
657 	struct nlattr *nl_wmm_rules =
658 		nla_nest_start(msg, NL80211_FREQUENCY_ATTR_WMM);
659 
660 	if (!nl_wmm_rules)
661 		goto nla_put_failure;
662 
663 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
664 		struct nlattr *nl_wmm_rule = nla_nest_start(msg, j);
665 
666 		if (!nl_wmm_rule)
667 			goto nla_put_failure;
668 
669 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
670 				rule->wmm_rule->client[j].cw_min) ||
671 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
672 				rule->wmm_rule->client[j].cw_max) ||
673 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
674 			       rule->wmm_rule->client[j].aifsn) ||
675 		    nla_put_u8(msg, NL80211_WMMR_TXOP,
676 			       rule->wmm_rule->client[j].cot))
677 			goto nla_put_failure;
678 
679 		nla_nest_end(msg, nl_wmm_rule);
680 	}
681 	nla_nest_end(msg, nl_wmm_rules);
682 
683 	return 0;
684 
685 nla_put_failure:
686 	return -ENOBUFS;
687 }
688 
689 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
690 				   struct ieee80211_channel *chan,
691 				   bool large)
692 {
693 	/* Some channels must be completely excluded from the
694 	 * list to protect old user-space tools from breaking
695 	 */
696 	if (!large && chan->flags &
697 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
698 		return 0;
699 
700 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
701 			chan->center_freq))
702 		goto nla_put_failure;
703 
704 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
705 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
706 		goto nla_put_failure;
707 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
708 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
709 			goto nla_put_failure;
710 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
711 			goto nla_put_failure;
712 	}
713 	if (chan->flags & IEEE80211_CHAN_RADAR) {
714 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
715 			goto nla_put_failure;
716 		if (large) {
717 			u32 time;
718 
719 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
720 
721 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
722 					chan->dfs_state))
723 				goto nla_put_failure;
724 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
725 					time))
726 				goto nla_put_failure;
727 			if (nla_put_u32(msg,
728 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
729 					chan->dfs_cac_ms))
730 				goto nla_put_failure;
731 		}
732 	}
733 
734 	if (large) {
735 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
736 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
737 			goto nla_put_failure;
738 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
739 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
740 			goto nla_put_failure;
741 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
742 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
743 			goto nla_put_failure;
744 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
745 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
746 			goto nla_put_failure;
747 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
748 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
749 			goto nla_put_failure;
750 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
751 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
752 			goto nla_put_failure;
753 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
754 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
755 			goto nla_put_failure;
756 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
757 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
758 			goto nla_put_failure;
759 	}
760 
761 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
762 			DBM_TO_MBM(chan->max_power)))
763 		goto nla_put_failure;
764 
765 	if (large) {
766 		const struct ieee80211_reg_rule *rule =
767 			freq_reg_info(wiphy, chan->center_freq);
768 
769 		if (!IS_ERR(rule) && rule->wmm_rule) {
770 			if (nl80211_msg_put_wmm_rules(msg, rule))
771 				goto nla_put_failure;
772 		}
773 	}
774 
775 	return 0;
776 
777  nla_put_failure:
778 	return -ENOBUFS;
779 }
780 
781 static bool nl80211_put_txq_stats(struct sk_buff *msg,
782 				  struct cfg80211_txq_stats *txqstats,
783 				  int attrtype)
784 {
785 	struct nlattr *txqattr;
786 
787 #define PUT_TXQVAL_U32(attr, memb) do {					  \
788 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
789 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
790 		return false;						  \
791 	} while (0)
792 
793 	txqattr = nla_nest_start(msg, attrtype);
794 	if (!txqattr)
795 		return false;
796 
797 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
798 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
799 	PUT_TXQVAL_U32(FLOWS, flows);
800 	PUT_TXQVAL_U32(DROPS, drops);
801 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
802 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
803 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
804 	PUT_TXQVAL_U32(COLLISIONS, collisions);
805 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
806 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
807 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
808 	nla_nest_end(msg, txqattr);
809 
810 #undef PUT_TXQVAL_U32
811 	return true;
812 }
813 
814 /* netlink command implementations */
815 
816 struct key_parse {
817 	struct key_params p;
818 	int idx;
819 	int type;
820 	bool def, defmgmt;
821 	bool def_uni, def_multi;
822 };
823 
824 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
825 				 struct key_parse *k)
826 {
827 	struct nlattr *tb[NL80211_KEY_MAX + 1];
828 	int err = nla_parse_nested(tb, NL80211_KEY_MAX, key,
829 				   nl80211_key_policy, info->extack);
830 	if (err)
831 		return err;
832 
833 	k->def = !!tb[NL80211_KEY_DEFAULT];
834 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
835 
836 	if (k->def) {
837 		k->def_uni = true;
838 		k->def_multi = true;
839 	}
840 	if (k->defmgmt)
841 		k->def_multi = true;
842 
843 	if (tb[NL80211_KEY_IDX])
844 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
845 
846 	if (tb[NL80211_KEY_DATA]) {
847 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
848 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
849 	}
850 
851 	if (tb[NL80211_KEY_SEQ]) {
852 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
853 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
854 	}
855 
856 	if (tb[NL80211_KEY_CIPHER])
857 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
858 
859 	if (tb[NL80211_KEY_TYPE]) {
860 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
861 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES)
862 			return genl_err_attr(info, -EINVAL,
863 					     tb[NL80211_KEY_TYPE]);
864 	}
865 
866 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
867 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
868 
869 		err = nla_parse_nested(kdt, NUM_NL80211_KEY_DEFAULT_TYPES - 1,
870 				       tb[NL80211_KEY_DEFAULT_TYPES],
871 				       nl80211_key_default_policy,
872 				       info->extack);
873 		if (err)
874 			return err;
875 
876 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
877 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
878 	}
879 
880 	return 0;
881 }
882 
883 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
884 {
885 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
886 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
887 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
888 	}
889 
890 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
891 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
892 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
893 	}
894 
895 	if (info->attrs[NL80211_ATTR_KEY_IDX])
896 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
897 
898 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
899 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
900 
901 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
902 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
903 
904 	if (k->def) {
905 		k->def_uni = true;
906 		k->def_multi = true;
907 	}
908 	if (k->defmgmt)
909 		k->def_multi = true;
910 
911 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
912 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
913 		if (k->type < 0 || k->type >= NUM_NL80211_KEYTYPES) {
914 			GENL_SET_ERR_MSG(info, "key type out of range");
915 			return -EINVAL;
916 		}
917 	}
918 
919 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
920 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
921 		int err = nla_parse_nested(kdt,
922 					   NUM_NL80211_KEY_DEFAULT_TYPES - 1,
923 					   info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
924 					   nl80211_key_default_policy,
925 					   info->extack);
926 		if (err)
927 			return err;
928 
929 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
930 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
931 	}
932 
933 	return 0;
934 }
935 
936 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
937 {
938 	int err;
939 
940 	memset(k, 0, sizeof(*k));
941 	k->idx = -1;
942 	k->type = -1;
943 
944 	if (info->attrs[NL80211_ATTR_KEY])
945 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
946 	else
947 		err = nl80211_parse_key_old(info, k);
948 
949 	if (err)
950 		return err;
951 
952 	if (k->def && k->defmgmt) {
953 		GENL_SET_ERR_MSG(info, "key with def && defmgmt is invalid");
954 		return -EINVAL;
955 	}
956 
957 	if (k->defmgmt) {
958 		if (k->def_uni || !k->def_multi) {
959 			GENL_SET_ERR_MSG(info, "defmgmt key must be mcast");
960 			return -EINVAL;
961 		}
962 	}
963 
964 	if (k->idx != -1) {
965 		if (k->defmgmt) {
966 			if (k->idx < 4 || k->idx > 5) {
967 				GENL_SET_ERR_MSG(info,
968 						 "defmgmt key idx not 4 or 5");
969 				return -EINVAL;
970 			}
971 		} else if (k->def) {
972 			if (k->idx < 0 || k->idx > 3) {
973 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
974 				return -EINVAL;
975 			}
976 		} else {
977 			if (k->idx < 0 || k->idx > 5) {
978 				GENL_SET_ERR_MSG(info, "key idx not 0-5");
979 				return -EINVAL;
980 			}
981 		}
982 	}
983 
984 	return 0;
985 }
986 
987 static struct cfg80211_cached_keys *
988 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
989 		       struct genl_info *info, bool *no_ht)
990 {
991 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
992 	struct key_parse parse;
993 	struct nlattr *key;
994 	struct cfg80211_cached_keys *result;
995 	int rem, err, def = 0;
996 	bool have_key = false;
997 
998 	nla_for_each_nested(key, keys, rem) {
999 		have_key = true;
1000 		break;
1001 	}
1002 
1003 	if (!have_key)
1004 		return NULL;
1005 
1006 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1007 	if (!result)
1008 		return ERR_PTR(-ENOMEM);
1009 
1010 	result->def = -1;
1011 
1012 	nla_for_each_nested(key, keys, rem) {
1013 		memset(&parse, 0, sizeof(parse));
1014 		parse.idx = -1;
1015 
1016 		err = nl80211_parse_key_new(info, key, &parse);
1017 		if (err)
1018 			goto error;
1019 		err = -EINVAL;
1020 		if (!parse.p.key)
1021 			goto error;
1022 		if (parse.idx < 0 || parse.idx > 3) {
1023 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1024 			goto error;
1025 		}
1026 		if (parse.def) {
1027 			if (def) {
1028 				GENL_SET_ERR_MSG(info,
1029 						 "only one key can be default");
1030 				goto error;
1031 			}
1032 			def = 1;
1033 			result->def = parse.idx;
1034 			if (!parse.def_uni || !parse.def_multi)
1035 				goto error;
1036 		} else if (parse.defmgmt)
1037 			goto error;
1038 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1039 						     parse.idx, false, NULL);
1040 		if (err)
1041 			goto error;
1042 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1043 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1044 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1045 			err = -EINVAL;
1046 			goto error;
1047 		}
1048 		result->params[parse.idx].cipher = parse.p.cipher;
1049 		result->params[parse.idx].key_len = parse.p.key_len;
1050 		result->params[parse.idx].key = result->data[parse.idx];
1051 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1052 
1053 		/* must be WEP key if we got here */
1054 		if (no_ht)
1055 			*no_ht = true;
1056 	}
1057 
1058 	if (result->def < 0) {
1059 		err = -EINVAL;
1060 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1061 		goto error;
1062 	}
1063 
1064 	return result;
1065  error:
1066 	kfree(result);
1067 	return ERR_PTR(err);
1068 }
1069 
1070 static int nl80211_key_allowed(struct wireless_dev *wdev)
1071 {
1072 	ASSERT_WDEV_LOCK(wdev);
1073 
1074 	switch (wdev->iftype) {
1075 	case NL80211_IFTYPE_AP:
1076 	case NL80211_IFTYPE_AP_VLAN:
1077 	case NL80211_IFTYPE_P2P_GO:
1078 	case NL80211_IFTYPE_MESH_POINT:
1079 		break;
1080 	case NL80211_IFTYPE_ADHOC:
1081 	case NL80211_IFTYPE_STATION:
1082 	case NL80211_IFTYPE_P2P_CLIENT:
1083 		if (!wdev->current_bss)
1084 			return -ENOLINK;
1085 		break;
1086 	case NL80211_IFTYPE_UNSPECIFIED:
1087 	case NL80211_IFTYPE_OCB:
1088 	case NL80211_IFTYPE_MONITOR:
1089 	case NL80211_IFTYPE_NAN:
1090 	case NL80211_IFTYPE_P2P_DEVICE:
1091 	case NL80211_IFTYPE_WDS:
1092 	case NUM_NL80211_IFTYPES:
1093 		return -EINVAL;
1094 	}
1095 
1096 	return 0;
1097 }
1098 
1099 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1100 							struct nlattr *tb)
1101 {
1102 	struct ieee80211_channel *chan;
1103 
1104 	if (tb == NULL)
1105 		return NULL;
1106 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1107 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1108 		return NULL;
1109 	return chan;
1110 }
1111 
1112 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1113 {
1114 	struct nlattr *nl_modes = nla_nest_start(msg, attr);
1115 	int i;
1116 
1117 	if (!nl_modes)
1118 		goto nla_put_failure;
1119 
1120 	i = 0;
1121 	while (ifmodes) {
1122 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1123 			goto nla_put_failure;
1124 		ifmodes >>= 1;
1125 		i++;
1126 	}
1127 
1128 	nla_nest_end(msg, nl_modes);
1129 	return 0;
1130 
1131 nla_put_failure:
1132 	return -ENOBUFS;
1133 }
1134 
1135 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1136 					  struct sk_buff *msg,
1137 					  bool large)
1138 {
1139 	struct nlattr *nl_combis;
1140 	int i, j;
1141 
1142 	nl_combis = nla_nest_start(msg,
1143 				NL80211_ATTR_INTERFACE_COMBINATIONS);
1144 	if (!nl_combis)
1145 		goto nla_put_failure;
1146 
1147 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1148 		const struct ieee80211_iface_combination *c;
1149 		struct nlattr *nl_combi, *nl_limits;
1150 
1151 		c = &wiphy->iface_combinations[i];
1152 
1153 		nl_combi = nla_nest_start(msg, i + 1);
1154 		if (!nl_combi)
1155 			goto nla_put_failure;
1156 
1157 		nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
1158 		if (!nl_limits)
1159 			goto nla_put_failure;
1160 
1161 		for (j = 0; j < c->n_limits; j++) {
1162 			struct nlattr *nl_limit;
1163 
1164 			nl_limit = nla_nest_start(msg, j + 1);
1165 			if (!nl_limit)
1166 				goto nla_put_failure;
1167 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1168 					c->limits[j].max))
1169 				goto nla_put_failure;
1170 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1171 						c->limits[j].types))
1172 				goto nla_put_failure;
1173 			nla_nest_end(msg, nl_limit);
1174 		}
1175 
1176 		nla_nest_end(msg, nl_limits);
1177 
1178 		if (c->beacon_int_infra_match &&
1179 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1180 			goto nla_put_failure;
1181 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1182 				c->num_different_channels) ||
1183 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1184 				c->max_interfaces))
1185 			goto nla_put_failure;
1186 		if (large &&
1187 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1188 				c->radar_detect_widths) ||
1189 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1190 				c->radar_detect_regions)))
1191 			goto nla_put_failure;
1192 		if (c->beacon_int_min_gcd &&
1193 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1194 				c->beacon_int_min_gcd))
1195 			goto nla_put_failure;
1196 
1197 		nla_nest_end(msg, nl_combi);
1198 	}
1199 
1200 	nla_nest_end(msg, nl_combis);
1201 
1202 	return 0;
1203 nla_put_failure:
1204 	return -ENOBUFS;
1205 }
1206 
1207 #ifdef CONFIG_PM
1208 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1209 					struct sk_buff *msg)
1210 {
1211 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1212 	struct nlattr *nl_tcp;
1213 
1214 	if (!tcp)
1215 		return 0;
1216 
1217 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1218 	if (!nl_tcp)
1219 		return -ENOBUFS;
1220 
1221 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1222 			tcp->data_payload_max))
1223 		return -ENOBUFS;
1224 
1225 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1226 			tcp->data_payload_max))
1227 		return -ENOBUFS;
1228 
1229 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1230 		return -ENOBUFS;
1231 
1232 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1233 				sizeof(*tcp->tok), tcp->tok))
1234 		return -ENOBUFS;
1235 
1236 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1237 			tcp->data_interval_max))
1238 		return -ENOBUFS;
1239 
1240 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1241 			tcp->wake_payload_max))
1242 		return -ENOBUFS;
1243 
1244 	nla_nest_end(msg, nl_tcp);
1245 	return 0;
1246 }
1247 
1248 static int nl80211_send_wowlan(struct sk_buff *msg,
1249 			       struct cfg80211_registered_device *rdev,
1250 			       bool large)
1251 {
1252 	struct nlattr *nl_wowlan;
1253 
1254 	if (!rdev->wiphy.wowlan)
1255 		return 0;
1256 
1257 	nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1258 	if (!nl_wowlan)
1259 		return -ENOBUFS;
1260 
1261 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1262 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1263 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1264 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1265 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1266 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1267 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1268 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1269 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1270 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1271 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1272 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1273 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1274 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1275 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1276 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1277 		return -ENOBUFS;
1278 
1279 	if (rdev->wiphy.wowlan->n_patterns) {
1280 		struct nl80211_pattern_support pat = {
1281 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1282 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1283 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1284 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1285 		};
1286 
1287 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1288 			    sizeof(pat), &pat))
1289 			return -ENOBUFS;
1290 	}
1291 
1292 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1293 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1294 			rdev->wiphy.wowlan->max_nd_match_sets))
1295 		return -ENOBUFS;
1296 
1297 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1298 		return -ENOBUFS;
1299 
1300 	nla_nest_end(msg, nl_wowlan);
1301 
1302 	return 0;
1303 }
1304 #endif
1305 
1306 static int nl80211_send_coalesce(struct sk_buff *msg,
1307 				 struct cfg80211_registered_device *rdev)
1308 {
1309 	struct nl80211_coalesce_rule_support rule;
1310 
1311 	if (!rdev->wiphy.coalesce)
1312 		return 0;
1313 
1314 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1315 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1316 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1317 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1318 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1319 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1320 
1321 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1322 		return -ENOBUFS;
1323 
1324 	return 0;
1325 }
1326 
1327 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1328 				      struct ieee80211_supported_band *sband)
1329 {
1330 	struct nlattr *nl_rates, *nl_rate;
1331 	struct ieee80211_rate *rate;
1332 	int i;
1333 
1334 	/* add HT info */
1335 	if (sband->ht_cap.ht_supported &&
1336 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1337 		     sizeof(sband->ht_cap.mcs),
1338 		     &sband->ht_cap.mcs) ||
1339 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1340 			 sband->ht_cap.cap) ||
1341 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1342 			sband->ht_cap.ampdu_factor) ||
1343 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1344 			sband->ht_cap.ampdu_density)))
1345 		return -ENOBUFS;
1346 
1347 	/* add VHT info */
1348 	if (sband->vht_cap.vht_supported &&
1349 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1350 		     sizeof(sband->vht_cap.vht_mcs),
1351 		     &sband->vht_cap.vht_mcs) ||
1352 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1353 			 sband->vht_cap.cap)))
1354 		return -ENOBUFS;
1355 
1356 	/* add bitrates */
1357 	nl_rates = nla_nest_start(msg, NL80211_BAND_ATTR_RATES);
1358 	if (!nl_rates)
1359 		return -ENOBUFS;
1360 
1361 	for (i = 0; i < sband->n_bitrates; i++) {
1362 		nl_rate = nla_nest_start(msg, i);
1363 		if (!nl_rate)
1364 			return -ENOBUFS;
1365 
1366 		rate = &sband->bitrates[i];
1367 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1368 				rate->bitrate))
1369 			return -ENOBUFS;
1370 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1371 		    nla_put_flag(msg,
1372 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1373 			return -ENOBUFS;
1374 
1375 		nla_nest_end(msg, nl_rate);
1376 	}
1377 
1378 	nla_nest_end(msg, nl_rates);
1379 
1380 	return 0;
1381 }
1382 
1383 static int
1384 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1385 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1386 {
1387 	u16 stypes;
1388 	struct nlattr *nl_ftypes, *nl_ifs;
1389 	enum nl80211_iftype ift;
1390 	int i;
1391 
1392 	if (!mgmt_stypes)
1393 		return 0;
1394 
1395 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_TX_FRAME_TYPES);
1396 	if (!nl_ifs)
1397 		return -ENOBUFS;
1398 
1399 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1400 		nl_ftypes = nla_nest_start(msg, ift);
1401 		if (!nl_ftypes)
1402 			return -ENOBUFS;
1403 		i = 0;
1404 		stypes = mgmt_stypes[ift].tx;
1405 		while (stypes) {
1406 			if ((stypes & 1) &&
1407 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1408 					(i << 4) | IEEE80211_FTYPE_MGMT))
1409 				return -ENOBUFS;
1410 			stypes >>= 1;
1411 			i++;
1412 		}
1413 		nla_nest_end(msg, nl_ftypes);
1414 	}
1415 
1416 	nla_nest_end(msg, nl_ifs);
1417 
1418 	nl_ifs = nla_nest_start(msg, NL80211_ATTR_RX_FRAME_TYPES);
1419 	if (!nl_ifs)
1420 		return -ENOBUFS;
1421 
1422 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1423 		nl_ftypes = nla_nest_start(msg, ift);
1424 		if (!nl_ftypes)
1425 			return -ENOBUFS;
1426 		i = 0;
1427 		stypes = mgmt_stypes[ift].rx;
1428 		while (stypes) {
1429 			if ((stypes & 1) &&
1430 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1431 					(i << 4) | IEEE80211_FTYPE_MGMT))
1432 				return -ENOBUFS;
1433 			stypes >>= 1;
1434 			i++;
1435 		}
1436 		nla_nest_end(msg, nl_ftypes);
1437 	}
1438 	nla_nest_end(msg, nl_ifs);
1439 
1440 	return 0;
1441 }
1442 
1443 #define CMD(op, n)							\
1444 	 do {								\
1445 		if (rdev->ops->op) {					\
1446 			i++;						\
1447 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1448 				goto nla_put_failure;			\
1449 		}							\
1450 	} while (0)
1451 
1452 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1453 					struct sk_buff *msg)
1454 {
1455 	int i = 0;
1456 
1457 	/*
1458 	 * do *NOT* add anything into this function, new things need to be
1459 	 * advertised only to new versions of userspace that can deal with
1460 	 * the split (and they can't possibly care about new features...
1461 	 */
1462 	CMD(add_virtual_intf, NEW_INTERFACE);
1463 	CMD(change_virtual_intf, SET_INTERFACE);
1464 	CMD(add_key, NEW_KEY);
1465 	CMD(start_ap, START_AP);
1466 	CMD(add_station, NEW_STATION);
1467 	CMD(add_mpath, NEW_MPATH);
1468 	CMD(update_mesh_config, SET_MESH_CONFIG);
1469 	CMD(change_bss, SET_BSS);
1470 	CMD(auth, AUTHENTICATE);
1471 	CMD(assoc, ASSOCIATE);
1472 	CMD(deauth, DEAUTHENTICATE);
1473 	CMD(disassoc, DISASSOCIATE);
1474 	CMD(join_ibss, JOIN_IBSS);
1475 	CMD(join_mesh, JOIN_MESH);
1476 	CMD(set_pmksa, SET_PMKSA);
1477 	CMD(del_pmksa, DEL_PMKSA);
1478 	CMD(flush_pmksa, FLUSH_PMKSA);
1479 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1480 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1481 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1482 	CMD(mgmt_tx, FRAME);
1483 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1484 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1485 		i++;
1486 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1487 			goto nla_put_failure;
1488 	}
1489 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1490 	    rdev->ops->join_mesh) {
1491 		i++;
1492 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1493 			goto nla_put_failure;
1494 	}
1495 	CMD(set_wds_peer, SET_WDS_PEER);
1496 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1497 		CMD(tdls_mgmt, TDLS_MGMT);
1498 		CMD(tdls_oper, TDLS_OPER);
1499 	}
1500 	if (rdev->wiphy.max_sched_scan_reqs)
1501 		CMD(sched_scan_start, START_SCHED_SCAN);
1502 	CMD(probe_client, PROBE_CLIENT);
1503 	CMD(set_noack_map, SET_NOACK_MAP);
1504 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1505 		i++;
1506 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1507 			goto nla_put_failure;
1508 	}
1509 	CMD(start_p2p_device, START_P2P_DEVICE);
1510 	CMD(set_mcast_rate, SET_MCAST_RATE);
1511 #ifdef CONFIG_NL80211_TESTMODE
1512 	CMD(testmode_cmd, TESTMODE);
1513 #endif
1514 
1515 	if (rdev->ops->connect || rdev->ops->auth) {
1516 		i++;
1517 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1518 			goto nla_put_failure;
1519 	}
1520 
1521 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1522 		i++;
1523 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1524 			goto nla_put_failure;
1525 	}
1526 
1527 	return i;
1528  nla_put_failure:
1529 	return -ENOBUFS;
1530 }
1531 
1532 struct nl80211_dump_wiphy_state {
1533 	s64 filter_wiphy;
1534 	long start;
1535 	long split_start, band_start, chan_start, capa_start;
1536 	bool split;
1537 };
1538 
1539 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
1540 			      enum nl80211_commands cmd,
1541 			      struct sk_buff *msg, u32 portid, u32 seq,
1542 			      int flags, struct nl80211_dump_wiphy_state *state)
1543 {
1544 	void *hdr;
1545 	struct nlattr *nl_bands, *nl_band;
1546 	struct nlattr *nl_freqs, *nl_freq;
1547 	struct nlattr *nl_cmds;
1548 	enum nl80211_band band;
1549 	struct ieee80211_channel *chan;
1550 	int i;
1551 	const struct ieee80211_txrx_stypes *mgmt_stypes =
1552 				rdev->wiphy.mgmt_stypes;
1553 	u32 features;
1554 
1555 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
1556 	if (!hdr)
1557 		return -ENOBUFS;
1558 
1559 	if (WARN_ON(!state))
1560 		return -EINVAL;
1561 
1562 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1563 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
1564 			   wiphy_name(&rdev->wiphy)) ||
1565 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
1566 			cfg80211_rdev_list_generation))
1567 		goto nla_put_failure;
1568 
1569 	if (cmd != NL80211_CMD_NEW_WIPHY)
1570 		goto finish;
1571 
1572 	switch (state->split_start) {
1573 	case 0:
1574 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
1575 			       rdev->wiphy.retry_short) ||
1576 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
1577 			       rdev->wiphy.retry_long) ||
1578 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
1579 				rdev->wiphy.frag_threshold) ||
1580 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
1581 				rdev->wiphy.rts_threshold) ||
1582 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
1583 			       rdev->wiphy.coverage_class) ||
1584 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
1585 			       rdev->wiphy.max_scan_ssids) ||
1586 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
1587 			       rdev->wiphy.max_sched_scan_ssids) ||
1588 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
1589 				rdev->wiphy.max_scan_ie_len) ||
1590 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
1591 				rdev->wiphy.max_sched_scan_ie_len) ||
1592 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
1593 			       rdev->wiphy.max_match_sets) ||
1594 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
1595 				rdev->wiphy.max_sched_scan_plans) ||
1596 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
1597 				rdev->wiphy.max_sched_scan_plan_interval) ||
1598 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
1599 				rdev->wiphy.max_sched_scan_plan_iterations))
1600 			goto nla_put_failure;
1601 
1602 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
1603 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
1604 			goto nla_put_failure;
1605 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
1606 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
1607 			goto nla_put_failure;
1608 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
1609 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
1610 			goto nla_put_failure;
1611 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
1612 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
1613 			goto nla_put_failure;
1614 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
1615 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
1616 			goto nla_put_failure;
1617 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
1618 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
1619 			goto nla_put_failure;
1620 		state->split_start++;
1621 		if (state->split)
1622 			break;
1623 	case 1:
1624 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
1625 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
1626 			    rdev->wiphy.cipher_suites))
1627 			goto nla_put_failure;
1628 
1629 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
1630 			       rdev->wiphy.max_num_pmkids))
1631 			goto nla_put_failure;
1632 
1633 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
1634 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
1635 			goto nla_put_failure;
1636 
1637 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
1638 				rdev->wiphy.available_antennas_tx) ||
1639 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
1640 				rdev->wiphy.available_antennas_rx))
1641 			goto nla_put_failure;
1642 
1643 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
1644 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
1645 				rdev->wiphy.probe_resp_offload))
1646 			goto nla_put_failure;
1647 
1648 		if ((rdev->wiphy.available_antennas_tx ||
1649 		     rdev->wiphy.available_antennas_rx) &&
1650 		    rdev->ops->get_antenna) {
1651 			u32 tx_ant = 0, rx_ant = 0;
1652 			int res;
1653 
1654 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
1655 			if (!res) {
1656 				if (nla_put_u32(msg,
1657 						NL80211_ATTR_WIPHY_ANTENNA_TX,
1658 						tx_ant) ||
1659 				    nla_put_u32(msg,
1660 						NL80211_ATTR_WIPHY_ANTENNA_RX,
1661 						rx_ant))
1662 					goto nla_put_failure;
1663 			}
1664 		}
1665 
1666 		state->split_start++;
1667 		if (state->split)
1668 			break;
1669 	case 2:
1670 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
1671 					rdev->wiphy.interface_modes))
1672 				goto nla_put_failure;
1673 		state->split_start++;
1674 		if (state->split)
1675 			break;
1676 	case 3:
1677 		nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
1678 		if (!nl_bands)
1679 			goto nla_put_failure;
1680 
1681 		for (band = state->band_start;
1682 		     band < NUM_NL80211_BANDS; band++) {
1683 			struct ieee80211_supported_band *sband;
1684 
1685 			sband = rdev->wiphy.bands[band];
1686 
1687 			if (!sband)
1688 				continue;
1689 
1690 			nl_band = nla_nest_start(msg, band);
1691 			if (!nl_band)
1692 				goto nla_put_failure;
1693 
1694 			switch (state->chan_start) {
1695 			case 0:
1696 				if (nl80211_send_band_rateinfo(msg, sband))
1697 					goto nla_put_failure;
1698 				state->chan_start++;
1699 				if (state->split)
1700 					break;
1701 			default:
1702 				/* add frequencies */
1703 				nl_freqs = nla_nest_start(
1704 					msg, NL80211_BAND_ATTR_FREQS);
1705 				if (!nl_freqs)
1706 					goto nla_put_failure;
1707 
1708 				for (i = state->chan_start - 1;
1709 				     i < sband->n_channels;
1710 				     i++) {
1711 					nl_freq = nla_nest_start(msg, i);
1712 					if (!nl_freq)
1713 						goto nla_put_failure;
1714 
1715 					chan = &sband->channels[i];
1716 
1717 					if (nl80211_msg_put_channel(
1718 							msg, &rdev->wiphy, chan,
1719 							state->split))
1720 						goto nla_put_failure;
1721 
1722 					nla_nest_end(msg, nl_freq);
1723 					if (state->split)
1724 						break;
1725 				}
1726 				if (i < sband->n_channels)
1727 					state->chan_start = i + 2;
1728 				else
1729 					state->chan_start = 0;
1730 				nla_nest_end(msg, nl_freqs);
1731 			}
1732 
1733 			nla_nest_end(msg, nl_band);
1734 
1735 			if (state->split) {
1736 				/* start again here */
1737 				if (state->chan_start)
1738 					band--;
1739 				break;
1740 			}
1741 		}
1742 		nla_nest_end(msg, nl_bands);
1743 
1744 		if (band < NUM_NL80211_BANDS)
1745 			state->band_start = band + 1;
1746 		else
1747 			state->band_start = 0;
1748 
1749 		/* if bands & channels are done, continue outside */
1750 		if (state->band_start == 0 && state->chan_start == 0)
1751 			state->split_start++;
1752 		if (state->split)
1753 			break;
1754 	case 4:
1755 		nl_cmds = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_COMMANDS);
1756 		if (!nl_cmds)
1757 			goto nla_put_failure;
1758 
1759 		i = nl80211_add_commands_unsplit(rdev, msg);
1760 		if (i < 0)
1761 			goto nla_put_failure;
1762 		if (state->split) {
1763 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
1764 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
1765 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
1766 				CMD(channel_switch, CHANNEL_SWITCH);
1767 			CMD(set_qos_map, SET_QOS_MAP);
1768 			if (rdev->wiphy.features &
1769 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
1770 				CMD(add_tx_ts, ADD_TX_TS);
1771 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
1772 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
1773 		}
1774 #undef CMD
1775 
1776 		nla_nest_end(msg, nl_cmds);
1777 		state->split_start++;
1778 		if (state->split)
1779 			break;
1780 	case 5:
1781 		if (rdev->ops->remain_on_channel &&
1782 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
1783 		    nla_put_u32(msg,
1784 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
1785 				rdev->wiphy.max_remain_on_channel_duration))
1786 			goto nla_put_failure;
1787 
1788 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
1789 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
1790 			goto nla_put_failure;
1791 
1792 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
1793 			goto nla_put_failure;
1794 		state->split_start++;
1795 		if (state->split)
1796 			break;
1797 	case 6:
1798 #ifdef CONFIG_PM
1799 		if (nl80211_send_wowlan(msg, rdev, state->split))
1800 			goto nla_put_failure;
1801 		state->split_start++;
1802 		if (state->split)
1803 			break;
1804 #else
1805 		state->split_start++;
1806 #endif
1807 	case 7:
1808 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
1809 					rdev->wiphy.software_iftypes))
1810 			goto nla_put_failure;
1811 
1812 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
1813 						   state->split))
1814 			goto nla_put_failure;
1815 
1816 		state->split_start++;
1817 		if (state->split)
1818 			break;
1819 	case 8:
1820 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
1821 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
1822 				rdev->wiphy.ap_sme_capa))
1823 			goto nla_put_failure;
1824 
1825 		features = rdev->wiphy.features;
1826 		/*
1827 		 * We can only add the per-channel limit information if the
1828 		 * dump is split, otherwise it makes it too big. Therefore
1829 		 * only advertise it in that case.
1830 		 */
1831 		if (state->split)
1832 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
1833 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
1834 			goto nla_put_failure;
1835 
1836 		if (rdev->wiphy.ht_capa_mod_mask &&
1837 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
1838 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
1839 			    rdev->wiphy.ht_capa_mod_mask))
1840 			goto nla_put_failure;
1841 
1842 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
1843 		    rdev->wiphy.max_acl_mac_addrs &&
1844 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
1845 				rdev->wiphy.max_acl_mac_addrs))
1846 			goto nla_put_failure;
1847 
1848 		/*
1849 		 * Any information below this point is only available to
1850 		 * applications that can deal with it being split. This
1851 		 * helps ensure that newly added capabilities don't break
1852 		 * older tools by overrunning their buffers.
1853 		 *
1854 		 * We still increment split_start so that in the split
1855 		 * case we'll continue with more data in the next round,
1856 		 * but break unconditionally so unsplit data stops here.
1857 		 */
1858 		state->split_start++;
1859 		break;
1860 	case 9:
1861 		if (rdev->wiphy.extended_capabilities &&
1862 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
1863 			     rdev->wiphy.extended_capabilities_len,
1864 			     rdev->wiphy.extended_capabilities) ||
1865 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1866 			     rdev->wiphy.extended_capabilities_len,
1867 			     rdev->wiphy.extended_capabilities_mask)))
1868 			goto nla_put_failure;
1869 
1870 		if (rdev->wiphy.vht_capa_mod_mask &&
1871 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
1872 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
1873 			    rdev->wiphy.vht_capa_mod_mask))
1874 			goto nla_put_failure;
1875 
1876 		state->split_start++;
1877 		break;
1878 	case 10:
1879 		if (nl80211_send_coalesce(msg, rdev))
1880 			goto nla_put_failure;
1881 
1882 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
1883 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
1884 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
1885 			goto nla_put_failure;
1886 
1887 		if (rdev->wiphy.max_ap_assoc_sta &&
1888 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
1889 				rdev->wiphy.max_ap_assoc_sta))
1890 			goto nla_put_failure;
1891 
1892 		state->split_start++;
1893 		break;
1894 	case 11:
1895 		if (rdev->wiphy.n_vendor_commands) {
1896 			const struct nl80211_vendor_cmd_info *info;
1897 			struct nlattr *nested;
1898 
1899 			nested = nla_nest_start(msg, NL80211_ATTR_VENDOR_DATA);
1900 			if (!nested)
1901 				goto nla_put_failure;
1902 
1903 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
1904 				info = &rdev->wiphy.vendor_commands[i].info;
1905 				if (nla_put(msg, i + 1, sizeof(*info), info))
1906 					goto nla_put_failure;
1907 			}
1908 			nla_nest_end(msg, nested);
1909 		}
1910 
1911 		if (rdev->wiphy.n_vendor_events) {
1912 			const struct nl80211_vendor_cmd_info *info;
1913 			struct nlattr *nested;
1914 
1915 			nested = nla_nest_start(msg,
1916 						NL80211_ATTR_VENDOR_EVENTS);
1917 			if (!nested)
1918 				goto nla_put_failure;
1919 
1920 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
1921 				info = &rdev->wiphy.vendor_events[i];
1922 				if (nla_put(msg, i + 1, sizeof(*info), info))
1923 					goto nla_put_failure;
1924 			}
1925 			nla_nest_end(msg, nested);
1926 		}
1927 		state->split_start++;
1928 		break;
1929 	case 12:
1930 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
1931 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
1932 			       rdev->wiphy.max_num_csa_counters))
1933 			goto nla_put_failure;
1934 
1935 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
1936 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
1937 			goto nla_put_failure;
1938 
1939 		if (rdev->wiphy.max_sched_scan_reqs &&
1940 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
1941 				rdev->wiphy.max_sched_scan_reqs))
1942 			goto nla_put_failure;
1943 
1944 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
1945 			    sizeof(rdev->wiphy.ext_features),
1946 			    rdev->wiphy.ext_features))
1947 			goto nla_put_failure;
1948 
1949 		if (rdev->wiphy.bss_select_support) {
1950 			struct nlattr *nested;
1951 			u32 bss_select_support = rdev->wiphy.bss_select_support;
1952 
1953 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_SELECT);
1954 			if (!nested)
1955 				goto nla_put_failure;
1956 
1957 			i = 0;
1958 			while (bss_select_support) {
1959 				if ((bss_select_support & 1) &&
1960 				    nla_put_flag(msg, i))
1961 					goto nla_put_failure;
1962 				i++;
1963 				bss_select_support >>= 1;
1964 			}
1965 			nla_nest_end(msg, nested);
1966 		}
1967 
1968 		state->split_start++;
1969 		break;
1970 	case 13:
1971 		if (rdev->wiphy.num_iftype_ext_capab &&
1972 		    rdev->wiphy.iftype_ext_capab) {
1973 			struct nlattr *nested_ext_capab, *nested;
1974 
1975 			nested = nla_nest_start(msg,
1976 						NL80211_ATTR_IFTYPE_EXT_CAPA);
1977 			if (!nested)
1978 				goto nla_put_failure;
1979 
1980 			for (i = state->capa_start;
1981 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
1982 				const struct wiphy_iftype_ext_capab *capab;
1983 
1984 				capab = &rdev->wiphy.iftype_ext_capab[i];
1985 
1986 				nested_ext_capab = nla_nest_start(msg, i);
1987 				if (!nested_ext_capab ||
1988 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
1989 						capab->iftype) ||
1990 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
1991 					    capab->extended_capabilities_len,
1992 					    capab->extended_capabilities) ||
1993 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
1994 					    capab->extended_capabilities_len,
1995 					    capab->extended_capabilities_mask))
1996 					goto nla_put_failure;
1997 
1998 				nla_nest_end(msg, nested_ext_capab);
1999 				if (state->split)
2000 					break;
2001 			}
2002 			nla_nest_end(msg, nested);
2003 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2004 				state->capa_start = i + 1;
2005 				break;
2006 			}
2007 		}
2008 
2009 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2010 				rdev->wiphy.nan_supported_bands))
2011 			goto nla_put_failure;
2012 
2013 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2014 					    NL80211_EXT_FEATURE_TXQS)) {
2015 			struct cfg80211_txq_stats txqstats = {};
2016 			int res;
2017 
2018 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2019 			if (!res &&
2020 			    !nl80211_put_txq_stats(msg, &txqstats,
2021 						   NL80211_ATTR_TXQ_STATS))
2022 				goto nla_put_failure;
2023 
2024 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2025 					rdev->wiphy.txq_limit))
2026 				goto nla_put_failure;
2027 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2028 					rdev->wiphy.txq_memory_limit))
2029 				goto nla_put_failure;
2030 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2031 					rdev->wiphy.txq_quantum))
2032 				goto nla_put_failure;
2033 		}
2034 
2035 		/* done */
2036 		state->split_start = 0;
2037 		break;
2038 	}
2039  finish:
2040 	genlmsg_end(msg, hdr);
2041 	return 0;
2042 
2043  nla_put_failure:
2044 	genlmsg_cancel(msg, hdr);
2045 	return -EMSGSIZE;
2046 }
2047 
2048 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2049 				    struct netlink_callback *cb,
2050 				    struct nl80211_dump_wiphy_state *state)
2051 {
2052 	struct nlattr **tb = genl_family_attrbuf(&nl80211_fam);
2053 	int ret = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, tb,
2054 			      nl80211_fam.maxattr, nl80211_policy, NULL);
2055 	/* ignore parse errors for backward compatibility */
2056 	if (ret)
2057 		return 0;
2058 
2059 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2060 	if (tb[NL80211_ATTR_WIPHY])
2061 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2062 	if (tb[NL80211_ATTR_WDEV])
2063 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2064 	if (tb[NL80211_ATTR_IFINDEX]) {
2065 		struct net_device *netdev;
2066 		struct cfg80211_registered_device *rdev;
2067 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2068 
2069 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2070 		if (!netdev)
2071 			return -ENODEV;
2072 		if (netdev->ieee80211_ptr) {
2073 			rdev = wiphy_to_rdev(
2074 				netdev->ieee80211_ptr->wiphy);
2075 			state->filter_wiphy = rdev->wiphy_idx;
2076 		}
2077 	}
2078 
2079 	return 0;
2080 }
2081 
2082 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2083 {
2084 	int idx = 0, ret;
2085 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2086 	struct cfg80211_registered_device *rdev;
2087 
2088 	rtnl_lock();
2089 	if (!state) {
2090 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2091 		if (!state) {
2092 			rtnl_unlock();
2093 			return -ENOMEM;
2094 		}
2095 		state->filter_wiphy = -1;
2096 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2097 		if (ret) {
2098 			kfree(state);
2099 			rtnl_unlock();
2100 			return ret;
2101 		}
2102 		cb->args[0] = (long)state;
2103 	}
2104 
2105 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2106 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2107 			continue;
2108 		if (++idx <= state->start)
2109 			continue;
2110 		if (state->filter_wiphy != -1 &&
2111 		    state->filter_wiphy != rdev->wiphy_idx)
2112 			continue;
2113 		/* attempt to fit multiple wiphy data chunks into the skb */
2114 		do {
2115 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2116 						 skb,
2117 						 NETLINK_CB(cb->skb).portid,
2118 						 cb->nlh->nlmsg_seq,
2119 						 NLM_F_MULTI, state);
2120 			if (ret < 0) {
2121 				/*
2122 				 * If sending the wiphy data didn't fit (ENOBUFS
2123 				 * or EMSGSIZE returned), this SKB is still
2124 				 * empty (so it's not too big because another
2125 				 * wiphy dataset is already in the skb) and
2126 				 * we've not tried to adjust the dump allocation
2127 				 * yet ... then adjust the alloc size to be
2128 				 * bigger, and return 1 but with the empty skb.
2129 				 * This results in an empty message being RX'ed
2130 				 * in userspace, but that is ignored.
2131 				 *
2132 				 * We can then retry with the larger buffer.
2133 				 */
2134 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2135 				    !skb->len && !state->split &&
2136 				    cb->min_dump_alloc < 4096) {
2137 					cb->min_dump_alloc = 4096;
2138 					state->split_start = 0;
2139 					rtnl_unlock();
2140 					return 1;
2141 				}
2142 				idx--;
2143 				break;
2144 			}
2145 		} while (state->split_start > 0);
2146 		break;
2147 	}
2148 	rtnl_unlock();
2149 
2150 	state->start = idx;
2151 
2152 	return skb->len;
2153 }
2154 
2155 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2156 {
2157 	kfree((void *)cb->args[0]);
2158 	return 0;
2159 }
2160 
2161 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2162 {
2163 	struct sk_buff *msg;
2164 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2165 	struct nl80211_dump_wiphy_state state = {};
2166 
2167 	msg = nlmsg_new(4096, GFP_KERNEL);
2168 	if (!msg)
2169 		return -ENOMEM;
2170 
2171 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2172 			       info->snd_portid, info->snd_seq, 0,
2173 			       &state) < 0) {
2174 		nlmsg_free(msg);
2175 		return -ENOBUFS;
2176 	}
2177 
2178 	return genlmsg_reply(msg, info);
2179 }
2180 
2181 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2182 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2183 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2184 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2185 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2186 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2187 };
2188 
2189 static int parse_txq_params(struct nlattr *tb[],
2190 			    struct ieee80211_txq_params *txq_params)
2191 {
2192 	u8 ac;
2193 
2194 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2195 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2196 	    !tb[NL80211_TXQ_ATTR_AIFS])
2197 		return -EINVAL;
2198 
2199 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2200 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2201 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2202 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2203 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2204 
2205 	if (ac >= NL80211_NUM_ACS)
2206 		return -EINVAL;
2207 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2208 	return 0;
2209 }
2210 
2211 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2212 {
2213 	/*
2214 	 * You can only set the channel explicitly for WDS interfaces,
2215 	 * all others have their channel managed via their respective
2216 	 * "establish a connection" command (connect, join, ...)
2217 	 *
2218 	 * For AP/GO and mesh mode, the channel can be set with the
2219 	 * channel userspace API, but is only stored and passed to the
2220 	 * low-level driver when the AP starts or the mesh is joined.
2221 	 * This is for backward compatibility, userspace can also give
2222 	 * the channel in the start-ap or join-mesh commands instead.
2223 	 *
2224 	 * Monitors are special as they are normally slaved to
2225 	 * whatever else is going on, so they have their own special
2226 	 * operation to set the monitor channel if possible.
2227 	 */
2228 	return !wdev ||
2229 		wdev->iftype == NL80211_IFTYPE_AP ||
2230 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2231 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2232 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2233 }
2234 
2235 static int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2236 				 struct genl_info *info,
2237 				 struct cfg80211_chan_def *chandef)
2238 {
2239 	u32 control_freq;
2240 
2241 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
2242 		return -EINVAL;
2243 
2244 	control_freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
2245 
2246 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2247 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2248 	chandef->center_freq1 = control_freq;
2249 	chandef->center_freq2 = 0;
2250 
2251 	/* Primary channel not allowed */
2252 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED)
2253 		return -EINVAL;
2254 
2255 	if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2256 		enum nl80211_channel_type chantype;
2257 
2258 		chantype = nla_get_u32(
2259 				info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2260 
2261 		switch (chantype) {
2262 		case NL80211_CHAN_NO_HT:
2263 		case NL80211_CHAN_HT20:
2264 		case NL80211_CHAN_HT40PLUS:
2265 		case NL80211_CHAN_HT40MINUS:
2266 			cfg80211_chandef_create(chandef, chandef->chan,
2267 						chantype);
2268 			/* user input for center_freq is incorrect */
2269 			if (info->attrs[NL80211_ATTR_CENTER_FREQ1] &&
2270 			    chandef->center_freq1 != nla_get_u32(
2271 					info->attrs[NL80211_ATTR_CENTER_FREQ1]))
2272 				return -EINVAL;
2273 			/* center_freq2 must be zero */
2274 			if (info->attrs[NL80211_ATTR_CENTER_FREQ2] &&
2275 			    nla_get_u32(info->attrs[NL80211_ATTR_CENTER_FREQ2]))
2276 				return -EINVAL;
2277 			break;
2278 		default:
2279 			return -EINVAL;
2280 		}
2281 	} else if (info->attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2282 		chandef->width =
2283 			nla_get_u32(info->attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2284 		if (info->attrs[NL80211_ATTR_CENTER_FREQ1])
2285 			chandef->center_freq1 =
2286 				nla_get_u32(
2287 					info->attrs[NL80211_ATTR_CENTER_FREQ1]);
2288 		if (info->attrs[NL80211_ATTR_CENTER_FREQ2])
2289 			chandef->center_freq2 =
2290 				nla_get_u32(
2291 					info->attrs[NL80211_ATTR_CENTER_FREQ2]);
2292 	}
2293 
2294 	if (!cfg80211_chandef_valid(chandef))
2295 		return -EINVAL;
2296 
2297 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2298 				     IEEE80211_CHAN_DISABLED))
2299 		return -EINVAL;
2300 
2301 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2302 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2303 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ))
2304 		return -EINVAL;
2305 
2306 	return 0;
2307 }
2308 
2309 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2310 				 struct net_device *dev,
2311 				 struct genl_info *info)
2312 {
2313 	struct cfg80211_chan_def chandef;
2314 	int result;
2315 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2316 	struct wireless_dev *wdev = NULL;
2317 
2318 	if (dev)
2319 		wdev = dev->ieee80211_ptr;
2320 	if (!nl80211_can_set_dev_channel(wdev))
2321 		return -EOPNOTSUPP;
2322 	if (wdev)
2323 		iftype = wdev->iftype;
2324 
2325 	result = nl80211_parse_chandef(rdev, info, &chandef);
2326 	if (result)
2327 		return result;
2328 
2329 	switch (iftype) {
2330 	case NL80211_IFTYPE_AP:
2331 	case NL80211_IFTYPE_P2P_GO:
2332 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2333 						   iftype)) {
2334 			result = -EINVAL;
2335 			break;
2336 		}
2337 		if (wdev->beacon_interval) {
2338 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2339 			    !(rdev->wiphy.features &
2340 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2341 				result = -EBUSY;
2342 				break;
2343 			}
2344 
2345 			/* Only allow dynamic channel width changes */
2346 			if (chandef.chan != wdev->preset_chandef.chan) {
2347 				result = -EBUSY;
2348 				break;
2349 			}
2350 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2351 			if (result)
2352 				break;
2353 		}
2354 		wdev->preset_chandef = chandef;
2355 		result = 0;
2356 		break;
2357 	case NL80211_IFTYPE_MESH_POINT:
2358 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2359 		break;
2360 	case NL80211_IFTYPE_MONITOR:
2361 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2362 		break;
2363 	default:
2364 		result = -EINVAL;
2365 	}
2366 
2367 	return result;
2368 }
2369 
2370 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2371 {
2372 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2373 	struct net_device *netdev = info->user_ptr[1];
2374 
2375 	return __nl80211_set_channel(rdev, netdev, info);
2376 }
2377 
2378 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2379 {
2380 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2381 	struct net_device *dev = info->user_ptr[1];
2382 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2383 	const u8 *bssid;
2384 
2385 	if (!info->attrs[NL80211_ATTR_MAC])
2386 		return -EINVAL;
2387 
2388 	if (netif_running(dev))
2389 		return -EBUSY;
2390 
2391 	if (!rdev->ops->set_wds_peer)
2392 		return -EOPNOTSUPP;
2393 
2394 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2395 		return -EOPNOTSUPP;
2396 
2397 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
2398 	return rdev_set_wds_peer(rdev, dev, bssid);
2399 }
2400 
2401 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
2402 {
2403 	struct cfg80211_registered_device *rdev;
2404 	struct net_device *netdev = NULL;
2405 	struct wireless_dev *wdev;
2406 	int result = 0, rem_txq_params = 0;
2407 	struct nlattr *nl_txq_params;
2408 	u32 changed;
2409 	u8 retry_short = 0, retry_long = 0;
2410 	u32 frag_threshold = 0, rts_threshold = 0;
2411 	u8 coverage_class = 0;
2412 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
2413 
2414 	ASSERT_RTNL();
2415 
2416 	/*
2417 	 * Try to find the wiphy and netdev. Normally this
2418 	 * function shouldn't need the netdev, but this is
2419 	 * done for backward compatibility -- previously
2420 	 * setting the channel was done per wiphy, but now
2421 	 * it is per netdev. Previous userland like hostapd
2422 	 * also passed a netdev to set_wiphy, so that it is
2423 	 * possible to let that go to the right netdev!
2424 	 */
2425 
2426 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
2427 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
2428 
2429 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
2430 		if (netdev && netdev->ieee80211_ptr)
2431 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
2432 		else
2433 			netdev = NULL;
2434 	}
2435 
2436 	if (!netdev) {
2437 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
2438 						  info->attrs);
2439 		if (IS_ERR(rdev))
2440 			return PTR_ERR(rdev);
2441 		wdev = NULL;
2442 		netdev = NULL;
2443 		result = 0;
2444 	} else
2445 		wdev = netdev->ieee80211_ptr;
2446 
2447 	/*
2448 	 * end workaround code, by now the rdev is available
2449 	 * and locked, and wdev may or may not be NULL.
2450 	 */
2451 
2452 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
2453 		result = cfg80211_dev_rename(
2454 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
2455 
2456 	if (result)
2457 		return result;
2458 
2459 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
2460 		struct ieee80211_txq_params txq_params;
2461 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
2462 
2463 		if (!rdev->ops->set_txq_params)
2464 			return -EOPNOTSUPP;
2465 
2466 		if (!netdev)
2467 			return -EINVAL;
2468 
2469 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
2470 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
2471 			return -EINVAL;
2472 
2473 		if (!netif_running(netdev))
2474 			return -ENETDOWN;
2475 
2476 		nla_for_each_nested(nl_txq_params,
2477 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2478 				    rem_txq_params) {
2479 			result = nla_parse_nested(tb, NL80211_TXQ_ATTR_MAX,
2480 						  nl_txq_params,
2481 						  txq_params_policy,
2482 						  info->extack);
2483 			if (result)
2484 				return result;
2485 			result = parse_txq_params(tb, &txq_params);
2486 			if (result)
2487 				return result;
2488 
2489 			result = rdev_set_txq_params(rdev, netdev,
2490 						     &txq_params);
2491 			if (result)
2492 				return result;
2493 		}
2494 	}
2495 
2496 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
2497 		result = __nl80211_set_channel(
2498 			rdev,
2499 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
2500 			info);
2501 		if (result)
2502 			return result;
2503 	}
2504 
2505 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
2506 		struct wireless_dev *txp_wdev = wdev;
2507 		enum nl80211_tx_power_setting type;
2508 		int idx, mbm = 0;
2509 
2510 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
2511 			txp_wdev = NULL;
2512 
2513 		if (!rdev->ops->set_tx_power)
2514 			return -EOPNOTSUPP;
2515 
2516 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
2517 		type = nla_get_u32(info->attrs[idx]);
2518 
2519 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
2520 		    (type != NL80211_TX_POWER_AUTOMATIC))
2521 			return -EINVAL;
2522 
2523 		if (type != NL80211_TX_POWER_AUTOMATIC) {
2524 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
2525 			mbm = nla_get_u32(info->attrs[idx]);
2526 		}
2527 
2528 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
2529 		if (result)
2530 			return result;
2531 	}
2532 
2533 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
2534 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
2535 		u32 tx_ant, rx_ant;
2536 
2537 		if ((!rdev->wiphy.available_antennas_tx &&
2538 		     !rdev->wiphy.available_antennas_rx) ||
2539 		    !rdev->ops->set_antenna)
2540 			return -EOPNOTSUPP;
2541 
2542 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
2543 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
2544 
2545 		/* reject antenna configurations which don't match the
2546 		 * available antenna masks, except for the "all" mask */
2547 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
2548 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
2549 			return -EINVAL;
2550 
2551 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
2552 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
2553 
2554 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
2555 		if (result)
2556 			return result;
2557 	}
2558 
2559 	changed = 0;
2560 
2561 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
2562 		retry_short = nla_get_u8(
2563 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
2564 		if (retry_short == 0)
2565 			return -EINVAL;
2566 
2567 		changed |= WIPHY_PARAM_RETRY_SHORT;
2568 	}
2569 
2570 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
2571 		retry_long = nla_get_u8(
2572 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
2573 		if (retry_long == 0)
2574 			return -EINVAL;
2575 
2576 		changed |= WIPHY_PARAM_RETRY_LONG;
2577 	}
2578 
2579 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
2580 		frag_threshold = nla_get_u32(
2581 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
2582 		if (frag_threshold < 256)
2583 			return -EINVAL;
2584 
2585 		if (frag_threshold != (u32) -1) {
2586 			/*
2587 			 * Fragments (apart from the last one) are required to
2588 			 * have even length. Make the fragmentation code
2589 			 * simpler by stripping LSB should someone try to use
2590 			 * odd threshold value.
2591 			 */
2592 			frag_threshold &= ~0x1;
2593 		}
2594 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
2595 	}
2596 
2597 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
2598 		rts_threshold = nla_get_u32(
2599 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
2600 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
2601 	}
2602 
2603 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
2604 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
2605 			return -EINVAL;
2606 
2607 		coverage_class = nla_get_u8(
2608 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
2609 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
2610 	}
2611 
2612 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
2613 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
2614 			return -EOPNOTSUPP;
2615 
2616 		changed |= WIPHY_PARAM_DYN_ACK;
2617 	}
2618 
2619 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
2620 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2621 					     NL80211_EXT_FEATURE_TXQS))
2622 			return -EOPNOTSUPP;
2623 		txq_limit = nla_get_u32(
2624 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
2625 		changed |= WIPHY_PARAM_TXQ_LIMIT;
2626 	}
2627 
2628 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
2629 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2630 					     NL80211_EXT_FEATURE_TXQS))
2631 			return -EOPNOTSUPP;
2632 		txq_memory_limit = nla_get_u32(
2633 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
2634 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
2635 	}
2636 
2637 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
2638 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
2639 					     NL80211_EXT_FEATURE_TXQS))
2640 			return -EOPNOTSUPP;
2641 		txq_quantum = nla_get_u32(
2642 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
2643 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
2644 	}
2645 
2646 	if (changed) {
2647 		u8 old_retry_short, old_retry_long;
2648 		u32 old_frag_threshold, old_rts_threshold;
2649 		u8 old_coverage_class;
2650 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
2651 
2652 		if (!rdev->ops->set_wiphy_params)
2653 			return -EOPNOTSUPP;
2654 
2655 		old_retry_short = rdev->wiphy.retry_short;
2656 		old_retry_long = rdev->wiphy.retry_long;
2657 		old_frag_threshold = rdev->wiphy.frag_threshold;
2658 		old_rts_threshold = rdev->wiphy.rts_threshold;
2659 		old_coverage_class = rdev->wiphy.coverage_class;
2660 		old_txq_limit = rdev->wiphy.txq_limit;
2661 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
2662 		old_txq_quantum = rdev->wiphy.txq_quantum;
2663 
2664 		if (changed & WIPHY_PARAM_RETRY_SHORT)
2665 			rdev->wiphy.retry_short = retry_short;
2666 		if (changed & WIPHY_PARAM_RETRY_LONG)
2667 			rdev->wiphy.retry_long = retry_long;
2668 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
2669 			rdev->wiphy.frag_threshold = frag_threshold;
2670 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
2671 			rdev->wiphy.rts_threshold = rts_threshold;
2672 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
2673 			rdev->wiphy.coverage_class = coverage_class;
2674 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
2675 			rdev->wiphy.txq_limit = txq_limit;
2676 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
2677 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
2678 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
2679 			rdev->wiphy.txq_quantum = txq_quantum;
2680 
2681 		result = rdev_set_wiphy_params(rdev, changed);
2682 		if (result) {
2683 			rdev->wiphy.retry_short = old_retry_short;
2684 			rdev->wiphy.retry_long = old_retry_long;
2685 			rdev->wiphy.frag_threshold = old_frag_threshold;
2686 			rdev->wiphy.rts_threshold = old_rts_threshold;
2687 			rdev->wiphy.coverage_class = old_coverage_class;
2688 			rdev->wiphy.txq_limit = old_txq_limit;
2689 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
2690 			rdev->wiphy.txq_quantum = old_txq_quantum;
2691 			return result;
2692 		}
2693 	}
2694 	return 0;
2695 }
2696 
2697 static inline u64 wdev_id(struct wireless_dev *wdev)
2698 {
2699 	return (u64)wdev->identifier |
2700 	       ((u64)wiphy_to_rdev(wdev->wiphy)->wiphy_idx << 32);
2701 }
2702 
2703 static int nl80211_send_chandef(struct sk_buff *msg,
2704 				const struct cfg80211_chan_def *chandef)
2705 {
2706 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
2707 		return -EINVAL;
2708 
2709 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
2710 			chandef->chan->center_freq))
2711 		return -ENOBUFS;
2712 	switch (chandef->width) {
2713 	case NL80211_CHAN_WIDTH_20_NOHT:
2714 	case NL80211_CHAN_WIDTH_20:
2715 	case NL80211_CHAN_WIDTH_40:
2716 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
2717 				cfg80211_get_chandef_type(chandef)))
2718 			return -ENOBUFS;
2719 		break;
2720 	default:
2721 		break;
2722 	}
2723 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
2724 		return -ENOBUFS;
2725 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
2726 		return -ENOBUFS;
2727 	if (chandef->center_freq2 &&
2728 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
2729 		return -ENOBUFS;
2730 	return 0;
2731 }
2732 
2733 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
2734 			      struct cfg80211_registered_device *rdev,
2735 			      struct wireless_dev *wdev, bool removal)
2736 {
2737 	struct net_device *dev = wdev->netdev;
2738 	u8 cmd = NL80211_CMD_NEW_INTERFACE;
2739 	void *hdr;
2740 
2741 	if (removal)
2742 		cmd = NL80211_CMD_DEL_INTERFACE;
2743 
2744 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2745 	if (!hdr)
2746 		return -1;
2747 
2748 	if (dev &&
2749 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
2750 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
2751 		goto nla_put_failure;
2752 
2753 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2754 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
2755 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
2756 			      NL80211_ATTR_PAD) ||
2757 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
2758 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2759 			rdev->devlist_generation ^
2760 			(cfg80211_rdev_list_generation << 2)))
2761 		goto nla_put_failure;
2762 
2763 	if (rdev->ops->get_channel) {
2764 		int ret;
2765 		struct cfg80211_chan_def chandef;
2766 
2767 		ret = rdev_get_channel(rdev, wdev, &chandef);
2768 		if (ret == 0) {
2769 			if (nl80211_send_chandef(msg, &chandef))
2770 				goto nla_put_failure;
2771 		}
2772 	}
2773 
2774 	if (rdev->ops->get_tx_power) {
2775 		int dbm, ret;
2776 
2777 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
2778 		if (ret == 0 &&
2779 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
2780 				DBM_TO_MBM(dbm)))
2781 			goto nla_put_failure;
2782 	}
2783 
2784 	wdev_lock(wdev);
2785 	switch (wdev->iftype) {
2786 	case NL80211_IFTYPE_AP:
2787 		if (wdev->ssid_len &&
2788 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
2789 			goto nla_put_failure_locked;
2790 		break;
2791 	case NL80211_IFTYPE_STATION:
2792 	case NL80211_IFTYPE_P2P_CLIENT:
2793 	case NL80211_IFTYPE_ADHOC: {
2794 		const u8 *ssid_ie;
2795 		if (!wdev->current_bss)
2796 			break;
2797 		rcu_read_lock();
2798 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
2799 					       WLAN_EID_SSID);
2800 		if (ssid_ie &&
2801 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
2802 			goto nla_put_failure_rcu_locked;
2803 		rcu_read_unlock();
2804 		break;
2805 		}
2806 	default:
2807 		/* nothing */
2808 		break;
2809 	}
2810 	wdev_unlock(wdev);
2811 
2812 	if (rdev->ops->get_txq_stats) {
2813 		struct cfg80211_txq_stats txqstats = {};
2814 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
2815 
2816 		if (ret == 0 &&
2817 		    !nl80211_put_txq_stats(msg, &txqstats,
2818 					   NL80211_ATTR_TXQ_STATS))
2819 			goto nla_put_failure;
2820 	}
2821 
2822 	genlmsg_end(msg, hdr);
2823 	return 0;
2824 
2825  nla_put_failure_rcu_locked:
2826 	rcu_read_unlock();
2827  nla_put_failure_locked:
2828 	wdev_unlock(wdev);
2829  nla_put_failure:
2830 	genlmsg_cancel(msg, hdr);
2831 	return -EMSGSIZE;
2832 }
2833 
2834 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
2835 {
2836 	int wp_idx = 0;
2837 	int if_idx = 0;
2838 	int wp_start = cb->args[0];
2839 	int if_start = cb->args[1];
2840 	int filter_wiphy = -1;
2841 	struct cfg80211_registered_device *rdev;
2842 	struct wireless_dev *wdev;
2843 	int ret;
2844 
2845 	rtnl_lock();
2846 	if (!cb->args[2]) {
2847 		struct nl80211_dump_wiphy_state state = {
2848 			.filter_wiphy = -1,
2849 		};
2850 
2851 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
2852 		if (ret)
2853 			goto out_unlock;
2854 
2855 		filter_wiphy = state.filter_wiphy;
2856 
2857 		/*
2858 		 * if filtering, set cb->args[2] to +1 since 0 is the default
2859 		 * value needed to determine that parsing is necessary.
2860 		 */
2861 		if (filter_wiphy >= 0)
2862 			cb->args[2] = filter_wiphy + 1;
2863 		else
2864 			cb->args[2] = -1;
2865 	} else if (cb->args[2] > 0) {
2866 		filter_wiphy = cb->args[2] - 1;
2867 	}
2868 
2869 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2870 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2871 			continue;
2872 		if (wp_idx < wp_start) {
2873 			wp_idx++;
2874 			continue;
2875 		}
2876 
2877 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
2878 			continue;
2879 
2880 		if_idx = 0;
2881 
2882 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
2883 			if (if_idx < if_start) {
2884 				if_idx++;
2885 				continue;
2886 			}
2887 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
2888 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
2889 					       rdev, wdev, false) < 0) {
2890 				goto out;
2891 			}
2892 			if_idx++;
2893 		}
2894 
2895 		wp_idx++;
2896 	}
2897  out:
2898 	cb->args[0] = wp_idx;
2899 	cb->args[1] = if_idx;
2900 
2901 	ret = skb->len;
2902  out_unlock:
2903 	rtnl_unlock();
2904 
2905 	return ret;
2906 }
2907 
2908 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
2909 {
2910 	struct sk_buff *msg;
2911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2912 	struct wireless_dev *wdev = info->user_ptr[1];
2913 
2914 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2915 	if (!msg)
2916 		return -ENOMEM;
2917 
2918 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
2919 			       rdev, wdev, false) < 0) {
2920 		nlmsg_free(msg);
2921 		return -ENOBUFS;
2922 	}
2923 
2924 	return genlmsg_reply(msg, info);
2925 }
2926 
2927 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
2928 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
2929 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
2930 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
2931 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
2932 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
2933 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
2934 };
2935 
2936 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
2937 {
2938 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
2939 	int flag;
2940 
2941 	*mntrflags = 0;
2942 
2943 	if (!nla)
2944 		return -EINVAL;
2945 
2946 	if (nla_parse_nested(flags, NL80211_MNTR_FLAG_MAX, nla,
2947 			     mntr_flags_policy, NULL))
2948 		return -EINVAL;
2949 
2950 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
2951 		if (flags[flag])
2952 			*mntrflags |= (1<<flag);
2953 
2954 	*mntrflags |= MONITOR_FLAG_CHANGED;
2955 
2956 	return 0;
2957 }
2958 
2959 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
2960 				     enum nl80211_iftype type,
2961 				     struct genl_info *info,
2962 				     struct vif_params *params)
2963 {
2964 	bool change = false;
2965 	int err;
2966 
2967 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
2968 		if (type != NL80211_IFTYPE_MONITOR)
2969 			return -EINVAL;
2970 
2971 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
2972 					  &params->flags);
2973 		if (err)
2974 			return err;
2975 
2976 		change = true;
2977 	}
2978 
2979 	if (params->flags & MONITOR_FLAG_ACTIVE &&
2980 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
2981 		return -EOPNOTSUPP;
2982 
2983 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
2984 		const u8 *mumimo_groups;
2985 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
2986 
2987 		if (type != NL80211_IFTYPE_MONITOR)
2988 			return -EINVAL;
2989 
2990 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
2991 			return -EOPNOTSUPP;
2992 
2993 		mumimo_groups =
2994 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
2995 
2996 		/* bits 0 and 63 are reserved and must be zero */
2997 		if ((mumimo_groups[0] & BIT(0)) ||
2998 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
2999 			return -EINVAL;
3000 
3001 		params->vht_mumimo_groups = mumimo_groups;
3002 		change = true;
3003 	}
3004 
3005 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3006 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3007 
3008 		if (type != NL80211_IFTYPE_MONITOR)
3009 			return -EINVAL;
3010 
3011 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3012 			return -EOPNOTSUPP;
3013 
3014 		params->vht_mumimo_follow_addr =
3015 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3016 		change = true;
3017 	}
3018 
3019 	return change ? 1 : 0;
3020 }
3021 
3022 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3023 			       struct net_device *netdev, u8 use_4addr,
3024 			       enum nl80211_iftype iftype)
3025 {
3026 	if (!use_4addr) {
3027 		if (netdev && (netdev->priv_flags & IFF_BRIDGE_PORT))
3028 			return -EBUSY;
3029 		return 0;
3030 	}
3031 
3032 	switch (iftype) {
3033 	case NL80211_IFTYPE_AP_VLAN:
3034 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3035 			return 0;
3036 		break;
3037 	case NL80211_IFTYPE_STATION:
3038 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3039 			return 0;
3040 		break;
3041 	default:
3042 		break;
3043 	}
3044 
3045 	return -EOPNOTSUPP;
3046 }
3047 
3048 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3049 {
3050 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3051 	struct vif_params params;
3052 	int err;
3053 	enum nl80211_iftype otype, ntype;
3054 	struct net_device *dev = info->user_ptr[1];
3055 	bool change = false;
3056 
3057 	memset(&params, 0, sizeof(params));
3058 
3059 	otype = ntype = dev->ieee80211_ptr->iftype;
3060 
3061 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3062 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3063 		if (otype != ntype)
3064 			change = true;
3065 		if (ntype > NL80211_IFTYPE_MAX)
3066 			return -EINVAL;
3067 	}
3068 
3069 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3070 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3071 
3072 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3073 			return -EINVAL;
3074 		if (netif_running(dev))
3075 			return -EBUSY;
3076 
3077 		wdev_lock(wdev);
3078 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3079 			     IEEE80211_MAX_MESH_ID_LEN);
3080 		wdev->mesh_id_up_len =
3081 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3082 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3083 		       wdev->mesh_id_up_len);
3084 		wdev_unlock(wdev);
3085 	}
3086 
3087 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3088 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3089 		change = true;
3090 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3091 		if (err)
3092 			return err;
3093 	} else {
3094 		params.use_4addr = -1;
3095 	}
3096 
3097 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3098 	if (err < 0)
3099 		return err;
3100 	if (err > 0)
3101 		change = true;
3102 
3103 	if (change)
3104 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3105 	else
3106 		err = 0;
3107 
3108 	if (!err && params.use_4addr != -1)
3109 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3110 
3111 	return err;
3112 }
3113 
3114 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3115 {
3116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3117 	struct vif_params params;
3118 	struct wireless_dev *wdev;
3119 	struct sk_buff *msg;
3120 	int err;
3121 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3122 
3123 	/* to avoid failing a new interface creation due to pending removal */
3124 	cfg80211_destroy_ifaces(rdev);
3125 
3126 	memset(&params, 0, sizeof(params));
3127 
3128 	if (!info->attrs[NL80211_ATTR_IFNAME])
3129 		return -EINVAL;
3130 
3131 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3132 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3133 		if (type > NL80211_IFTYPE_MAX)
3134 			return -EINVAL;
3135 	}
3136 
3137 	if (!rdev->ops->add_virtual_intf ||
3138 	    !(rdev->wiphy.interface_modes & (1 << type)))
3139 		return -EOPNOTSUPP;
3140 
3141 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3142 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3143 	    info->attrs[NL80211_ATTR_MAC]) {
3144 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3145 			   ETH_ALEN);
3146 		if (!is_valid_ether_addr(params.macaddr))
3147 			return -EADDRNOTAVAIL;
3148 	}
3149 
3150 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3151 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3152 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3153 		if (err)
3154 			return err;
3155 	}
3156 
3157 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3158 	if (err < 0)
3159 		return err;
3160 
3161 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3162 	if (!msg)
3163 		return -ENOMEM;
3164 
3165 	wdev = rdev_add_virtual_intf(rdev,
3166 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3167 				NET_NAME_USER, type, &params);
3168 	if (WARN_ON(!wdev)) {
3169 		nlmsg_free(msg);
3170 		return -EPROTO;
3171 	} else if (IS_ERR(wdev)) {
3172 		nlmsg_free(msg);
3173 		return PTR_ERR(wdev);
3174 	}
3175 
3176 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3177 		wdev->owner_nlportid = info->snd_portid;
3178 
3179 	switch (type) {
3180 	case NL80211_IFTYPE_MESH_POINT:
3181 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3182 			break;
3183 		wdev_lock(wdev);
3184 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3185 			     IEEE80211_MAX_MESH_ID_LEN);
3186 		wdev->mesh_id_up_len =
3187 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3188 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3189 		       wdev->mesh_id_up_len);
3190 		wdev_unlock(wdev);
3191 		break;
3192 	case NL80211_IFTYPE_NAN:
3193 	case NL80211_IFTYPE_P2P_DEVICE:
3194 		/*
3195 		 * P2P Device and NAN do not have a netdev, so don't go
3196 		 * through the netdev notifier and must be added here
3197 		 */
3198 		mutex_init(&wdev->mtx);
3199 		INIT_LIST_HEAD(&wdev->event_list);
3200 		spin_lock_init(&wdev->event_lock);
3201 		INIT_LIST_HEAD(&wdev->mgmt_registrations);
3202 		spin_lock_init(&wdev->mgmt_registrations_lock);
3203 
3204 		wdev->identifier = ++rdev->wdev_id;
3205 		list_add_rcu(&wdev->list, &rdev->wiphy.wdev_list);
3206 		rdev->devlist_generation++;
3207 		break;
3208 	default:
3209 		break;
3210 	}
3211 
3212 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3213 			       rdev, wdev, false) < 0) {
3214 		nlmsg_free(msg);
3215 		return -ENOBUFS;
3216 	}
3217 
3218 	/*
3219 	 * For wdevs which have no associated netdev object (e.g. of type
3220 	 * NL80211_IFTYPE_P2P_DEVICE), emit the NEW_INTERFACE event here.
3221 	 * For all other types, the event will be generated from the
3222 	 * netdev notifier
3223 	 */
3224 	if (!wdev->netdev)
3225 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);
3226 
3227 	return genlmsg_reply(msg, info);
3228 }
3229 
3230 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3231 {
3232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3233 	struct wireless_dev *wdev = info->user_ptr[1];
3234 
3235 	if (!rdev->ops->del_virtual_intf)
3236 		return -EOPNOTSUPP;
3237 
3238 	/*
3239 	 * If we remove a wireless device without a netdev then clear
3240 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3241 	 * to check if it needs to do dev_put(). Otherwise it crashes
3242 	 * since the wdev has been freed, unlike with a netdev where
3243 	 * we need the dev_put() for the netdev to really be freed.
3244 	 */
3245 	if (!wdev->netdev)
3246 		info->user_ptr[1] = NULL;
3247 
3248 	return rdev_del_virtual_intf(rdev, wdev);
3249 }
3250 
3251 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3252 {
3253 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3254 	struct net_device *dev = info->user_ptr[1];
3255 	u16 noack_map;
3256 
3257 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3258 		return -EINVAL;
3259 
3260 	if (!rdev->ops->set_noack_map)
3261 		return -EOPNOTSUPP;
3262 
3263 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3264 
3265 	return rdev_set_noack_map(rdev, dev, noack_map);
3266 }
3267 
3268 struct get_key_cookie {
3269 	struct sk_buff *msg;
3270 	int error;
3271 	int idx;
3272 };
3273 
3274 static void get_key_callback(void *c, struct key_params *params)
3275 {
3276 	struct nlattr *key;
3277 	struct get_key_cookie *cookie = c;
3278 
3279 	if ((params->key &&
3280 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3281 		     params->key_len, params->key)) ||
3282 	    (params->seq &&
3283 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3284 		     params->seq_len, params->seq)) ||
3285 	    (params->cipher &&
3286 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3287 			 params->cipher)))
3288 		goto nla_put_failure;
3289 
3290 	key = nla_nest_start(cookie->msg, NL80211_ATTR_KEY);
3291 	if (!key)
3292 		goto nla_put_failure;
3293 
3294 	if ((params->key &&
3295 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3296 		     params->key_len, params->key)) ||
3297 	    (params->seq &&
3298 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3299 		     params->seq_len, params->seq)) ||
3300 	    (params->cipher &&
3301 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3302 			 params->cipher)))
3303 		goto nla_put_failure;
3304 
3305 	if (nla_put_u8(cookie->msg, NL80211_ATTR_KEY_IDX, cookie->idx))
3306 		goto nla_put_failure;
3307 
3308 	nla_nest_end(cookie->msg, key);
3309 
3310 	return;
3311  nla_put_failure:
3312 	cookie->error = 1;
3313 }
3314 
3315 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3316 {
3317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3318 	int err;
3319 	struct net_device *dev = info->user_ptr[1];
3320 	u8 key_idx = 0;
3321 	const u8 *mac_addr = NULL;
3322 	bool pairwise;
3323 	struct get_key_cookie cookie = {
3324 		.error = 0,
3325 	};
3326 	void *hdr;
3327 	struct sk_buff *msg;
3328 
3329 	if (info->attrs[NL80211_ATTR_KEY_IDX])
3330 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3331 
3332 	if (key_idx > 5)
3333 		return -EINVAL;
3334 
3335 	if (info->attrs[NL80211_ATTR_MAC])
3336 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3337 
3338 	pairwise = !!mac_addr;
3339 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3340 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3341 
3342 		if (kt >= NUM_NL80211_KEYTYPES)
3343 			return -EINVAL;
3344 		if (kt != NL80211_KEYTYPE_GROUP &&
3345 		    kt != NL80211_KEYTYPE_PAIRWISE)
3346 			return -EINVAL;
3347 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3348 	}
3349 
3350 	if (!rdev->ops->get_key)
3351 		return -EOPNOTSUPP;
3352 
3353 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3354 		return -ENOENT;
3355 
3356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3357 	if (!msg)
3358 		return -ENOMEM;
3359 
3360 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3361 			     NL80211_CMD_NEW_KEY);
3362 	if (!hdr)
3363 		goto nla_put_failure;
3364 
3365 	cookie.msg = msg;
3366 	cookie.idx = key_idx;
3367 
3368 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3369 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3370 		goto nla_put_failure;
3371 	if (mac_addr &&
3372 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3373 		goto nla_put_failure;
3374 
3375 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3376 			   get_key_callback);
3377 
3378 	if (err)
3379 		goto free_msg;
3380 
3381 	if (cookie.error)
3382 		goto nla_put_failure;
3383 
3384 	genlmsg_end(msg, hdr);
3385 	return genlmsg_reply(msg, info);
3386 
3387  nla_put_failure:
3388 	err = -ENOBUFS;
3389  free_msg:
3390 	nlmsg_free(msg);
3391 	return err;
3392 }
3393 
3394 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3395 {
3396 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3397 	struct key_parse key;
3398 	int err;
3399 	struct net_device *dev = info->user_ptr[1];
3400 
3401 	err = nl80211_parse_key(info, &key);
3402 	if (err)
3403 		return err;
3404 
3405 	if (key.idx < 0)
3406 		return -EINVAL;
3407 
3408 	/* only support setting default key */
3409 	if (!key.def && !key.defmgmt)
3410 		return -EINVAL;
3411 
3412 	wdev_lock(dev->ieee80211_ptr);
3413 
3414 	if (key.def) {
3415 		if (!rdev->ops->set_default_key) {
3416 			err = -EOPNOTSUPP;
3417 			goto out;
3418 		}
3419 
3420 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3421 		if (err)
3422 			goto out;
3423 
3424 		err = rdev_set_default_key(rdev, dev, key.idx,
3425 						 key.def_uni, key.def_multi);
3426 
3427 		if (err)
3428 			goto out;
3429 
3430 #ifdef CONFIG_CFG80211_WEXT
3431 		dev->ieee80211_ptr->wext.default_key = key.idx;
3432 #endif
3433 	} else {
3434 		if (key.def_uni || !key.def_multi) {
3435 			err = -EINVAL;
3436 			goto out;
3437 		}
3438 
3439 		if (!rdev->ops->set_default_mgmt_key) {
3440 			err = -EOPNOTSUPP;
3441 			goto out;
3442 		}
3443 
3444 		err = nl80211_key_allowed(dev->ieee80211_ptr);
3445 		if (err)
3446 			goto out;
3447 
3448 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
3449 		if (err)
3450 			goto out;
3451 
3452 #ifdef CONFIG_CFG80211_WEXT
3453 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
3454 #endif
3455 	}
3456 
3457  out:
3458 	wdev_unlock(dev->ieee80211_ptr);
3459 
3460 	return err;
3461 }
3462 
3463 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
3464 {
3465 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3466 	int err;
3467 	struct net_device *dev = info->user_ptr[1];
3468 	struct key_parse key;
3469 	const u8 *mac_addr = NULL;
3470 
3471 	err = nl80211_parse_key(info, &key);
3472 	if (err)
3473 		return err;
3474 
3475 	if (!key.p.key)
3476 		return -EINVAL;
3477 
3478 	if (info->attrs[NL80211_ATTR_MAC])
3479 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3480 
3481 	if (key.type == -1) {
3482 		if (mac_addr)
3483 			key.type = NL80211_KEYTYPE_PAIRWISE;
3484 		else
3485 			key.type = NL80211_KEYTYPE_GROUP;
3486 	}
3487 
3488 	/* for now */
3489 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3490 	    key.type != NL80211_KEYTYPE_GROUP)
3491 		return -EINVAL;
3492 
3493 	if (!rdev->ops->add_key)
3494 		return -EOPNOTSUPP;
3495 
3496 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
3497 					   key.type == NL80211_KEYTYPE_PAIRWISE,
3498 					   mac_addr))
3499 		return -EINVAL;
3500 
3501 	wdev_lock(dev->ieee80211_ptr);
3502 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3503 	if (!err)
3504 		err = rdev_add_key(rdev, dev, key.idx,
3505 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3506 				    mac_addr, &key.p);
3507 	wdev_unlock(dev->ieee80211_ptr);
3508 
3509 	return err;
3510 }
3511 
3512 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
3513 {
3514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3515 	int err;
3516 	struct net_device *dev = info->user_ptr[1];
3517 	u8 *mac_addr = NULL;
3518 	struct key_parse key;
3519 
3520 	err = nl80211_parse_key(info, &key);
3521 	if (err)
3522 		return err;
3523 
3524 	if (info->attrs[NL80211_ATTR_MAC])
3525 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3526 
3527 	if (key.type == -1) {
3528 		if (mac_addr)
3529 			key.type = NL80211_KEYTYPE_PAIRWISE;
3530 		else
3531 			key.type = NL80211_KEYTYPE_GROUP;
3532 	}
3533 
3534 	/* for now */
3535 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
3536 	    key.type != NL80211_KEYTYPE_GROUP)
3537 		return -EINVAL;
3538 
3539 	if (!rdev->ops->del_key)
3540 		return -EOPNOTSUPP;
3541 
3542 	wdev_lock(dev->ieee80211_ptr);
3543 	err = nl80211_key_allowed(dev->ieee80211_ptr);
3544 
3545 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
3546 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3547 		err = -ENOENT;
3548 
3549 	if (!err)
3550 		err = rdev_del_key(rdev, dev, key.idx,
3551 				   key.type == NL80211_KEYTYPE_PAIRWISE,
3552 				   mac_addr);
3553 
3554 #ifdef CONFIG_CFG80211_WEXT
3555 	if (!err) {
3556 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
3557 			dev->ieee80211_ptr->wext.default_key = -1;
3558 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
3559 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
3560 	}
3561 #endif
3562 	wdev_unlock(dev->ieee80211_ptr);
3563 
3564 	return err;
3565 }
3566 
3567 /* This function returns an error or the number of nested attributes */
3568 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
3569 {
3570 	struct nlattr *attr;
3571 	int n_entries = 0, tmp;
3572 
3573 	nla_for_each_nested(attr, nl_attr, tmp) {
3574 		if (nla_len(attr) != ETH_ALEN)
3575 			return -EINVAL;
3576 
3577 		n_entries++;
3578 	}
3579 
3580 	return n_entries;
3581 }
3582 
3583 /*
3584  * This function parses ACL information and allocates memory for ACL data.
3585  * On successful return, the calling function is responsible to free the
3586  * ACL buffer returned by this function.
3587  */
3588 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
3589 						struct genl_info *info)
3590 {
3591 	enum nl80211_acl_policy acl_policy;
3592 	struct nlattr *attr;
3593 	struct cfg80211_acl_data *acl;
3594 	int i = 0, n_entries, tmp;
3595 
3596 	if (!wiphy->max_acl_mac_addrs)
3597 		return ERR_PTR(-EOPNOTSUPP);
3598 
3599 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
3600 		return ERR_PTR(-EINVAL);
3601 
3602 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
3603 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
3604 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
3605 		return ERR_PTR(-EINVAL);
3606 
3607 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
3608 		return ERR_PTR(-EINVAL);
3609 
3610 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
3611 	if (n_entries < 0)
3612 		return ERR_PTR(n_entries);
3613 
3614 	if (n_entries > wiphy->max_acl_mac_addrs)
3615 		return ERR_PTR(-ENOTSUPP);
3616 
3617 	acl = kzalloc(sizeof(*acl) + (sizeof(struct mac_address) * n_entries),
3618 		      GFP_KERNEL);
3619 	if (!acl)
3620 		return ERR_PTR(-ENOMEM);
3621 
3622 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
3623 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
3624 		i++;
3625 	}
3626 
3627 	acl->n_acl_entries = n_entries;
3628 	acl->acl_policy = acl_policy;
3629 
3630 	return acl;
3631 }
3632 
3633 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
3634 {
3635 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3636 	struct net_device *dev = info->user_ptr[1];
3637 	struct cfg80211_acl_data *acl;
3638 	int err;
3639 
3640 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3641 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3642 		return -EOPNOTSUPP;
3643 
3644 	if (!dev->ieee80211_ptr->beacon_interval)
3645 		return -EINVAL;
3646 
3647 	acl = parse_acl_data(&rdev->wiphy, info);
3648 	if (IS_ERR(acl))
3649 		return PTR_ERR(acl);
3650 
3651 	err = rdev_set_mac_acl(rdev, dev, acl);
3652 
3653 	kfree(acl);
3654 
3655 	return err;
3656 }
3657 
3658 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
3659 			   u8 *rates, u8 rates_len)
3660 {
3661 	u8 i;
3662 	u32 mask = 0;
3663 
3664 	for (i = 0; i < rates_len; i++) {
3665 		int rate = (rates[i] & 0x7f) * 5;
3666 		int ridx;
3667 
3668 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
3669 			struct ieee80211_rate *srate =
3670 				&sband->bitrates[ridx];
3671 			if (rate == srate->bitrate) {
3672 				mask |= 1 << ridx;
3673 				break;
3674 			}
3675 		}
3676 		if (ridx == sband->n_bitrates)
3677 			return 0; /* rate not found */
3678 	}
3679 
3680 	return mask;
3681 }
3682 
3683 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
3684 			       u8 *rates, u8 rates_len,
3685 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
3686 {
3687 	u8 i;
3688 
3689 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
3690 
3691 	for (i = 0; i < rates_len; i++) {
3692 		int ridx, rbit;
3693 
3694 		ridx = rates[i] / 8;
3695 		rbit = BIT(rates[i] % 8);
3696 
3697 		/* check validity */
3698 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
3699 			return false;
3700 
3701 		/* check availability */
3702 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
3703 			mcs[ridx] |= rbit;
3704 		else
3705 			return false;
3706 	}
3707 
3708 	return true;
3709 }
3710 
3711 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
3712 {
3713 	u16 mcs_mask = 0;
3714 
3715 	switch (vht_mcs_map) {
3716 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
3717 		break;
3718 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
3719 		mcs_mask = 0x00FF;
3720 		break;
3721 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
3722 		mcs_mask = 0x01FF;
3723 		break;
3724 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
3725 		mcs_mask = 0x03FF;
3726 		break;
3727 	default:
3728 		break;
3729 	}
3730 
3731 	return mcs_mask;
3732 }
3733 
3734 static void vht_build_mcs_mask(u16 vht_mcs_map,
3735 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
3736 {
3737 	u8 nss;
3738 
3739 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
3740 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
3741 		vht_mcs_map >>= 2;
3742 	}
3743 }
3744 
3745 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
3746 			     struct nl80211_txrate_vht *txrate,
3747 			     u16 mcs[NL80211_VHT_NSS_MAX])
3748 {
3749 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3750 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
3751 	u8 i;
3752 
3753 	if (!sband->vht_cap.vht_supported)
3754 		return false;
3755 
3756 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
3757 
3758 	/* Build vht_mcs_mask from VHT capabilities */
3759 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
3760 
3761 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3762 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
3763 			mcs[i] = txrate->mcs[i];
3764 		else
3765 			return false;
3766 	}
3767 
3768 	return true;
3769 }
3770 
3771 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
3772 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
3773 				    .len = NL80211_MAX_SUPP_RATES },
3774 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
3775 				.len = NL80211_MAX_SUPP_HT_RATES },
3776 	[NL80211_TXRATE_VHT] = { .len = sizeof(struct nl80211_txrate_vht)},
3777 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
3778 };
3779 
3780 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
3781 					 struct cfg80211_bitrate_mask *mask)
3782 {
3783 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
3784 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3785 	int rem, i;
3786 	struct nlattr *tx_rates;
3787 	struct ieee80211_supported_band *sband;
3788 	u16 vht_tx_mcs_map;
3789 
3790 	memset(mask, 0, sizeof(*mask));
3791 	/* Default to all rates enabled */
3792 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
3793 		sband = rdev->wiphy.bands[i];
3794 
3795 		if (!sband)
3796 			continue;
3797 
3798 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
3799 		memcpy(mask->control[i].ht_mcs,
3800 		       sband->ht_cap.mcs.rx_mask,
3801 		       sizeof(mask->control[i].ht_mcs));
3802 
3803 		if (!sband->vht_cap.vht_supported)
3804 			continue;
3805 
3806 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
3807 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
3808 	}
3809 
3810 	/* if no rates are given set it back to the defaults */
3811 	if (!info->attrs[NL80211_ATTR_TX_RATES])
3812 		goto out;
3813 
3814 	/* The nested attribute uses enum nl80211_band as the index. This maps
3815 	 * directly to the enum nl80211_band values used in cfg80211.
3816 	 */
3817 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
3818 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
3819 		enum nl80211_band band = nla_type(tx_rates);
3820 		int err;
3821 
3822 		if (band < 0 || band >= NUM_NL80211_BANDS)
3823 			return -EINVAL;
3824 		sband = rdev->wiphy.bands[band];
3825 		if (sband == NULL)
3826 			return -EINVAL;
3827 		err = nla_parse_nested(tb, NL80211_TXRATE_MAX, tx_rates,
3828 				       nl80211_txattr_policy, info->extack);
3829 		if (err)
3830 			return err;
3831 		if (tb[NL80211_TXRATE_LEGACY]) {
3832 			mask->control[band].legacy = rateset_to_mask(
3833 				sband,
3834 				nla_data(tb[NL80211_TXRATE_LEGACY]),
3835 				nla_len(tb[NL80211_TXRATE_LEGACY]));
3836 			if ((mask->control[band].legacy == 0) &&
3837 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
3838 				return -EINVAL;
3839 		}
3840 		if (tb[NL80211_TXRATE_HT]) {
3841 			if (!ht_rateset_to_mask(
3842 					sband,
3843 					nla_data(tb[NL80211_TXRATE_HT]),
3844 					nla_len(tb[NL80211_TXRATE_HT]),
3845 					mask->control[band].ht_mcs))
3846 				return -EINVAL;
3847 		}
3848 		if (tb[NL80211_TXRATE_VHT]) {
3849 			if (!vht_set_mcs_mask(
3850 					sband,
3851 					nla_data(tb[NL80211_TXRATE_VHT]),
3852 					mask->control[band].vht_mcs))
3853 				return -EINVAL;
3854 		}
3855 		if (tb[NL80211_TXRATE_GI]) {
3856 			mask->control[band].gi =
3857 				nla_get_u8(tb[NL80211_TXRATE_GI]);
3858 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
3859 				return -EINVAL;
3860 		}
3861 
3862 		if (mask->control[band].legacy == 0) {
3863 			/* don't allow empty legacy rates if HT or VHT
3864 			 * are not even supported.
3865 			 */
3866 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
3867 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
3868 				return -EINVAL;
3869 
3870 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
3871 				if (mask->control[band].ht_mcs[i])
3872 					goto out;
3873 
3874 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
3875 				if (mask->control[band].vht_mcs[i])
3876 					goto out;
3877 
3878 			/* legacy and mcs rates may not be both empty */
3879 			return -EINVAL;
3880 		}
3881 	}
3882 
3883 out:
3884 	return 0;
3885 }
3886 
3887 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
3888 				   enum nl80211_band band,
3889 				   struct cfg80211_bitrate_mask *beacon_rate)
3890 {
3891 	u32 count_ht, count_vht, i;
3892 	u32 rate = beacon_rate->control[band].legacy;
3893 
3894 	/* Allow only one rate */
3895 	if (hweight32(rate) > 1)
3896 		return -EINVAL;
3897 
3898 	count_ht = 0;
3899 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
3900 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
3901 			return -EINVAL;
3902 		} else if (beacon_rate->control[band].ht_mcs[i]) {
3903 			count_ht++;
3904 			if (count_ht > 1)
3905 				return -EINVAL;
3906 		}
3907 		if (count_ht && rate)
3908 			return -EINVAL;
3909 	}
3910 
3911 	count_vht = 0;
3912 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
3913 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
3914 			return -EINVAL;
3915 		} else if (beacon_rate->control[band].vht_mcs[i]) {
3916 			count_vht++;
3917 			if (count_vht > 1)
3918 				return -EINVAL;
3919 		}
3920 		if (count_vht && rate)
3921 			return -EINVAL;
3922 	}
3923 
3924 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
3925 		return -EINVAL;
3926 
3927 	if (rate &&
3928 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3929 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
3930 		return -EINVAL;
3931 	if (count_ht &&
3932 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3933 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
3934 		return -EINVAL;
3935 	if (count_vht &&
3936 	    !wiphy_ext_feature_isset(&rdev->wiphy,
3937 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
3938 		return -EINVAL;
3939 
3940 	return 0;
3941 }
3942 
3943 static int nl80211_parse_beacon(struct nlattr *attrs[],
3944 				struct cfg80211_beacon_data *bcn)
3945 {
3946 	bool haveinfo = false;
3947 
3948 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_BEACON_TAIL]) ||
3949 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE]) ||
3950 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_PROBE_RESP]) ||
3951 	    !is_valid_ie_attr(attrs[NL80211_ATTR_IE_ASSOC_RESP]))
3952 		return -EINVAL;
3953 
3954 	memset(bcn, 0, sizeof(*bcn));
3955 
3956 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
3957 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
3958 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
3959 		if (!bcn->head_len)
3960 			return -EINVAL;
3961 		haveinfo = true;
3962 	}
3963 
3964 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
3965 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
3966 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
3967 		haveinfo = true;
3968 	}
3969 
3970 	if (!haveinfo)
3971 		return -EINVAL;
3972 
3973 	if (attrs[NL80211_ATTR_IE]) {
3974 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
3975 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
3976 	}
3977 
3978 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
3979 		bcn->proberesp_ies =
3980 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3981 		bcn->proberesp_ies_len =
3982 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
3983 	}
3984 
3985 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
3986 		bcn->assocresp_ies =
3987 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3988 		bcn->assocresp_ies_len =
3989 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
3990 	}
3991 
3992 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
3993 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
3994 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
3995 	}
3996 
3997 	return 0;
3998 }
3999 
4000 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4001 					    const u8 *rates)
4002 {
4003 	int i;
4004 
4005 	if (!rates)
4006 		return;
4007 
4008 	for (i = 0; i < rates[1]; i++) {
4009 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4010 			params->ht_required = true;
4011 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4012 			params->vht_required = true;
4013 	}
4014 }
4015 
4016 /*
4017  * Since the nl80211 API didn't include, from the beginning, attributes about
4018  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4019  * benefit of drivers that rebuild IEs in the firmware.
4020  */
4021 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4022 {
4023 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4024 	size_t ies_len = bcn->tail_len;
4025 	const u8 *ies = bcn->tail;
4026 	const u8 *rates;
4027 	const u8 *cap;
4028 
4029 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4030 	nl80211_check_ap_rate_selectors(params, rates);
4031 
4032 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4033 	nl80211_check_ap_rate_selectors(params, rates);
4034 
4035 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4036 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4037 		params->ht_cap = (void *)(cap + 2);
4038 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4039 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4040 		params->vht_cap = (void *)(cap + 2);
4041 }
4042 
4043 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4044 				   struct cfg80211_ap_settings *params)
4045 {
4046 	struct wireless_dev *wdev;
4047 	bool ret = false;
4048 
4049 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4050 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4051 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4052 			continue;
4053 
4054 		if (!wdev->preset_chandef.chan)
4055 			continue;
4056 
4057 		params->chandef = wdev->preset_chandef;
4058 		ret = true;
4059 		break;
4060 	}
4061 
4062 	return ret;
4063 }
4064 
4065 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4066 				    enum nl80211_auth_type auth_type,
4067 				    enum nl80211_commands cmd)
4068 {
4069 	if (auth_type > NL80211_AUTHTYPE_MAX)
4070 		return false;
4071 
4072 	switch (cmd) {
4073 	case NL80211_CMD_AUTHENTICATE:
4074 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4075 		    auth_type == NL80211_AUTHTYPE_SAE)
4076 			return false;
4077 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4078 					     NL80211_EXT_FEATURE_FILS_STA) &&
4079 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4080 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4081 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4082 			return false;
4083 		return true;
4084 	case NL80211_CMD_CONNECT:
4085 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4086 		    auth_type == NL80211_AUTHTYPE_SAE)
4087 			return false;
4088 
4089 		/* FILS with SK PFS or PK not supported yet */
4090 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4091 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4092 			return false;
4093 		if (!wiphy_ext_feature_isset(
4094 			    &rdev->wiphy,
4095 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4096 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4097 			return false;
4098 		return true;
4099 	case NL80211_CMD_START_AP:
4100 		/* SAE not supported yet */
4101 		if (auth_type == NL80211_AUTHTYPE_SAE)
4102 			return false;
4103 		/* FILS not supported yet */
4104 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4105 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4106 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4107 			return false;
4108 		return true;
4109 	default:
4110 		return false;
4111 	}
4112 }
4113 
4114 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4115 {
4116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4117 	struct net_device *dev = info->user_ptr[1];
4118 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4119 	struct cfg80211_ap_settings params;
4120 	int err;
4121 
4122 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4123 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4124 		return -EOPNOTSUPP;
4125 
4126 	if (!rdev->ops->start_ap)
4127 		return -EOPNOTSUPP;
4128 
4129 	if (wdev->beacon_interval)
4130 		return -EALREADY;
4131 
4132 	memset(&params, 0, sizeof(params));
4133 
4134 	/* these are required for START_AP */
4135 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4136 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4137 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4138 		return -EINVAL;
4139 
4140 	err = nl80211_parse_beacon(info->attrs, &params.beacon);
4141 	if (err)
4142 		return err;
4143 
4144 	params.beacon_interval =
4145 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4146 	params.dtim_period =
4147 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4148 
4149 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4150 					   params.beacon_interval);
4151 	if (err)
4152 		return err;
4153 
4154 	/*
4155 	 * In theory, some of these attributes should be required here
4156 	 * but since they were not used when the command was originally
4157 	 * added, keep them optional for old user space programs to let
4158 	 * them continue to work with drivers that do not need the
4159 	 * additional information -- drivers must check!
4160 	 */
4161 	if (info->attrs[NL80211_ATTR_SSID]) {
4162 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4163 		params.ssid_len =
4164 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4165 		if (params.ssid_len == 0 ||
4166 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4167 			return -EINVAL;
4168 	}
4169 
4170 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID]) {
4171 		params.hidden_ssid = nla_get_u32(
4172 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4173 		if (params.hidden_ssid != NL80211_HIDDEN_SSID_NOT_IN_USE &&
4174 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_LEN &&
4175 		    params.hidden_ssid != NL80211_HIDDEN_SSID_ZERO_CONTENTS)
4176 			return -EINVAL;
4177 	}
4178 
4179 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4180 
4181 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4182 		params.auth_type = nla_get_u32(
4183 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4184 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4185 					     NL80211_CMD_START_AP))
4186 			return -EINVAL;
4187 	} else
4188 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4189 
4190 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4191 				      NL80211_MAX_NR_CIPHER_SUITES);
4192 	if (err)
4193 		return err;
4194 
4195 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4196 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4197 			return -EOPNOTSUPP;
4198 		params.inactivity_timeout = nla_get_u16(
4199 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4200 	}
4201 
4202 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4203 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4204 			return -EINVAL;
4205 		params.p2p_ctwindow =
4206 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4207 		if (params.p2p_ctwindow > 127)
4208 			return -EINVAL;
4209 		if (params.p2p_ctwindow != 0 &&
4210 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4211 			return -EINVAL;
4212 	}
4213 
4214 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4215 		u8 tmp;
4216 
4217 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4218 			return -EINVAL;
4219 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4220 		if (tmp > 1)
4221 			return -EINVAL;
4222 		params.p2p_opp_ps = tmp;
4223 		if (params.p2p_opp_ps != 0 &&
4224 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4225 			return -EINVAL;
4226 	}
4227 
4228 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4229 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4230 		if (err)
4231 			return err;
4232 	} else if (wdev->preset_chandef.chan) {
4233 		params.chandef = wdev->preset_chandef;
4234 	} else if (!nl80211_get_ap_channel(rdev, &params))
4235 		return -EINVAL;
4236 
4237 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4238 					   wdev->iftype))
4239 		return -EINVAL;
4240 
4241 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4242 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4243 		if (err)
4244 			return err;
4245 
4246 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4247 					      &params.beacon_rate);
4248 		if (err)
4249 			return err;
4250 	}
4251 
4252 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4253 		params.smps_mode =
4254 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4255 		switch (params.smps_mode) {
4256 		case NL80211_SMPS_OFF:
4257 			break;
4258 		case NL80211_SMPS_STATIC:
4259 			if (!(rdev->wiphy.features &
4260 			      NL80211_FEATURE_STATIC_SMPS))
4261 				return -EINVAL;
4262 			break;
4263 		case NL80211_SMPS_DYNAMIC:
4264 			if (!(rdev->wiphy.features &
4265 			      NL80211_FEATURE_DYNAMIC_SMPS))
4266 				return -EINVAL;
4267 			break;
4268 		default:
4269 			return -EINVAL;
4270 		}
4271 	} else {
4272 		params.smps_mode = NL80211_SMPS_OFF;
4273 	}
4274 
4275 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4276 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4277 		return -EOPNOTSUPP;
4278 
4279 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4280 		params.acl = parse_acl_data(&rdev->wiphy, info);
4281 		if (IS_ERR(params.acl))
4282 			return PTR_ERR(params.acl);
4283 	}
4284 
4285 	nl80211_calculate_ap_params(&params);
4286 
4287 	wdev_lock(wdev);
4288 	err = rdev_start_ap(rdev, dev, &params);
4289 	if (!err) {
4290 		wdev->preset_chandef = params.chandef;
4291 		wdev->beacon_interval = params.beacon_interval;
4292 		wdev->chandef = params.chandef;
4293 		wdev->ssid_len = params.ssid_len;
4294 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
4295 
4296 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4297 			wdev->conn_owner_nlportid = info->snd_portid;
4298 	}
4299 	wdev_unlock(wdev);
4300 
4301 	kfree(params.acl);
4302 
4303 	return err;
4304 }
4305 
4306 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
4307 {
4308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4309 	struct net_device *dev = info->user_ptr[1];
4310 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4311 	struct cfg80211_beacon_data params;
4312 	int err;
4313 
4314 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4315 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4316 		return -EOPNOTSUPP;
4317 
4318 	if (!rdev->ops->change_beacon)
4319 		return -EOPNOTSUPP;
4320 
4321 	if (!wdev->beacon_interval)
4322 		return -EINVAL;
4323 
4324 	err = nl80211_parse_beacon(info->attrs, &params);
4325 	if (err)
4326 		return err;
4327 
4328 	wdev_lock(wdev);
4329 	err = rdev_change_beacon(rdev, dev, &params);
4330 	wdev_unlock(wdev);
4331 
4332 	return err;
4333 }
4334 
4335 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
4336 {
4337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4338 	struct net_device *dev = info->user_ptr[1];
4339 
4340 	return cfg80211_stop_ap(rdev, dev, false);
4341 }
4342 
4343 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
4344 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
4345 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
4346 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
4347 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
4348 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
4349 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
4350 };
4351 
4352 static int parse_station_flags(struct genl_info *info,
4353 			       enum nl80211_iftype iftype,
4354 			       struct station_parameters *params)
4355 {
4356 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
4357 	struct nlattr *nla;
4358 	int flag;
4359 
4360 	/*
4361 	 * Try parsing the new attribute first so userspace
4362 	 * can specify both for older kernels.
4363 	 */
4364 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
4365 	if (nla) {
4366 		struct nl80211_sta_flag_update *sta_flags;
4367 
4368 		sta_flags = nla_data(nla);
4369 		params->sta_flags_mask = sta_flags->mask;
4370 		params->sta_flags_set = sta_flags->set;
4371 		params->sta_flags_set &= params->sta_flags_mask;
4372 		if ((params->sta_flags_mask |
4373 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
4374 			return -EINVAL;
4375 		return 0;
4376 	}
4377 
4378 	/* if present, parse the old attribute */
4379 
4380 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
4381 	if (!nla)
4382 		return 0;
4383 
4384 	if (nla_parse_nested(flags, NL80211_STA_FLAG_MAX, nla,
4385 			     sta_flags_policy, info->extack))
4386 		return -EINVAL;
4387 
4388 	/*
4389 	 * Only allow certain flags for interface types so that
4390 	 * other attributes are silently ignored. Remember that
4391 	 * this is backward compatibility code with old userspace
4392 	 * and shouldn't be hit in other cases anyway.
4393 	 */
4394 	switch (iftype) {
4395 	case NL80211_IFTYPE_AP:
4396 	case NL80211_IFTYPE_AP_VLAN:
4397 	case NL80211_IFTYPE_P2P_GO:
4398 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4399 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4400 					 BIT(NL80211_STA_FLAG_WME) |
4401 					 BIT(NL80211_STA_FLAG_MFP);
4402 		break;
4403 	case NL80211_IFTYPE_P2P_CLIENT:
4404 	case NL80211_IFTYPE_STATION:
4405 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
4406 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
4407 		break;
4408 	case NL80211_IFTYPE_MESH_POINT:
4409 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4410 					 BIT(NL80211_STA_FLAG_MFP) |
4411 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
4412 		break;
4413 	default:
4414 		return -EINVAL;
4415 	}
4416 
4417 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
4418 		if (flags[flag]) {
4419 			params->sta_flags_set |= (1<<flag);
4420 
4421 			/* no longer support new API additions in old API */
4422 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
4423 				return -EINVAL;
4424 		}
4425 	}
4426 
4427 	return 0;
4428 }
4429 
4430 static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
4431 				 int attr)
4432 {
4433 	struct nlattr *rate;
4434 	u32 bitrate;
4435 	u16 bitrate_compat;
4436 	enum nl80211_rate_info rate_flg;
4437 
4438 	rate = nla_nest_start(msg, attr);
4439 	if (!rate)
4440 		return false;
4441 
4442 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
4443 	bitrate = cfg80211_calculate_bitrate(info);
4444 	/* report 16-bit bitrate only if we can */
4445 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
4446 	if (bitrate > 0 &&
4447 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
4448 		return false;
4449 	if (bitrate_compat > 0 &&
4450 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
4451 		return false;
4452 
4453 	switch (info->bw) {
4454 	case RATE_INFO_BW_5:
4455 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
4456 		break;
4457 	case RATE_INFO_BW_10:
4458 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
4459 		break;
4460 	default:
4461 		WARN_ON(1);
4462 		/* fall through */
4463 	case RATE_INFO_BW_20:
4464 		rate_flg = 0;
4465 		break;
4466 	case RATE_INFO_BW_40:
4467 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
4468 		break;
4469 	case RATE_INFO_BW_80:
4470 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
4471 		break;
4472 	case RATE_INFO_BW_160:
4473 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
4474 		break;
4475 	}
4476 
4477 	if (rate_flg && nla_put_flag(msg, rate_flg))
4478 		return false;
4479 
4480 	if (info->flags & RATE_INFO_FLAGS_MCS) {
4481 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
4482 			return false;
4483 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4484 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4485 			return false;
4486 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
4487 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
4488 			return false;
4489 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
4490 			return false;
4491 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
4492 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
4493 			return false;
4494 	}
4495 
4496 	nla_nest_end(msg, rate);
4497 	return true;
4498 }
4499 
4500 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
4501 			       int id)
4502 {
4503 	void *attr;
4504 	int i = 0;
4505 
4506 	if (!mask)
4507 		return true;
4508 
4509 	attr = nla_nest_start(msg, id);
4510 	if (!attr)
4511 		return false;
4512 
4513 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
4514 		if (!(mask & BIT(i)))
4515 			continue;
4516 
4517 		if (nla_put_u8(msg, i, signal[i]))
4518 			return false;
4519 	}
4520 
4521 	nla_nest_end(msg, attr);
4522 
4523 	return true;
4524 }
4525 
4526 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
4527 				u32 seq, int flags,
4528 				struct cfg80211_registered_device *rdev,
4529 				struct net_device *dev,
4530 				const u8 *mac_addr, struct station_info *sinfo)
4531 {
4532 	void *hdr;
4533 	struct nlattr *sinfoattr, *bss_param;
4534 
4535 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4536 	if (!hdr)
4537 		return -1;
4538 
4539 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4540 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
4541 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
4542 		goto nla_put_failure;
4543 
4544 	sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
4545 	if (!sinfoattr)
4546 		goto nla_put_failure;
4547 
4548 #define PUT_SINFO(attr, memb, type) do {				\
4549 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
4550 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
4551 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
4552 			     sinfo->memb))				\
4553 		goto nla_put_failure;					\
4554 	} while (0)
4555 #define PUT_SINFO_U64(attr, memb) do {					\
4556 	if (sinfo->filled & (1ULL << NL80211_STA_INFO_ ## attr) &&	\
4557 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
4558 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
4559 		goto nla_put_failure;					\
4560 	} while (0)
4561 
4562 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
4563 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
4564 
4565 	if (sinfo->filled & (BIT(NL80211_STA_INFO_RX_BYTES) |
4566 			     BIT(NL80211_STA_INFO_RX_BYTES64)) &&
4567 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
4568 			(u32)sinfo->rx_bytes))
4569 		goto nla_put_failure;
4570 
4571 	if (sinfo->filled & (BIT(NL80211_STA_INFO_TX_BYTES) |
4572 			     BIT(NL80211_STA_INFO_TX_BYTES64)) &&
4573 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
4574 			(u32)sinfo->tx_bytes))
4575 		goto nla_put_failure;
4576 
4577 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
4578 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
4579 	PUT_SINFO(LLID, llid, u16);
4580 	PUT_SINFO(PLID, plid, u16);
4581 	PUT_SINFO(PLINK_STATE, plink_state, u8);
4582 	PUT_SINFO_U64(RX_DURATION, rx_duration);
4583 
4584 	switch (rdev->wiphy.signal_type) {
4585 	case CFG80211_SIGNAL_TYPE_MBM:
4586 		PUT_SINFO(SIGNAL, signal, u8);
4587 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
4588 		break;
4589 	default:
4590 		break;
4591 	}
4592 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL)) {
4593 		if (!nl80211_put_signal(msg, sinfo->chains,
4594 					sinfo->chain_signal,
4595 					NL80211_STA_INFO_CHAIN_SIGNAL))
4596 			goto nla_put_failure;
4597 	}
4598 	if (sinfo->filled & BIT(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
4599 		if (!nl80211_put_signal(msg, sinfo->chains,
4600 					sinfo->chain_signal_avg,
4601 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
4602 			goto nla_put_failure;
4603 	}
4604 	if (sinfo->filled & BIT(NL80211_STA_INFO_TX_BITRATE)) {
4605 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
4606 					  NL80211_STA_INFO_TX_BITRATE))
4607 			goto nla_put_failure;
4608 	}
4609 	if (sinfo->filled & BIT(NL80211_STA_INFO_RX_BITRATE)) {
4610 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
4611 					  NL80211_STA_INFO_RX_BITRATE))
4612 			goto nla_put_failure;
4613 	}
4614 
4615 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
4616 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
4617 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
4618 	PUT_SINFO(TX_FAILED, tx_failed, u32);
4619 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
4620 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
4621 	PUT_SINFO(LOCAL_PM, local_pm, u32);
4622 	PUT_SINFO(PEER_PM, peer_pm, u32);
4623 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
4624 
4625 	if (sinfo->filled & BIT(NL80211_STA_INFO_BSS_PARAM)) {
4626 		bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
4627 		if (!bss_param)
4628 			goto nla_put_failure;
4629 
4630 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
4631 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
4632 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
4633 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
4634 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
4635 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
4636 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
4637 			       sinfo->bss_param.dtim_period) ||
4638 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
4639 				sinfo->bss_param.beacon_interval))
4640 			goto nla_put_failure;
4641 
4642 		nla_nest_end(msg, bss_param);
4643 	}
4644 	if ((sinfo->filled & BIT(NL80211_STA_INFO_STA_FLAGS)) &&
4645 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
4646 		    sizeof(struct nl80211_sta_flag_update),
4647 		    &sinfo->sta_flags))
4648 		goto nla_put_failure;
4649 
4650 	PUT_SINFO_U64(T_OFFSET, t_offset);
4651 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
4652 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
4653 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
4654 	PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
4655 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4656 				    NL80211_EXT_FEATURE_DATA_ACK_SIGNAL_SUPPORT))
4657 		PUT_SINFO(DATA_ACK_SIGNAL_AVG, avg_ack_signal, s8);
4658 
4659 #undef PUT_SINFO
4660 #undef PUT_SINFO_U64
4661 
4662 	if (sinfo->pertid) {
4663 		struct nlattr *tidsattr;
4664 		int tid;
4665 
4666 		tidsattr = nla_nest_start(msg, NL80211_STA_INFO_TID_STATS);
4667 		if (!tidsattr)
4668 			goto nla_put_failure;
4669 
4670 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
4671 			struct cfg80211_tid_stats *tidstats;
4672 			struct nlattr *tidattr;
4673 
4674 			tidstats = &sinfo->pertid[tid];
4675 
4676 			if (!tidstats->filled)
4677 				continue;
4678 
4679 			tidattr = nla_nest_start(msg, tid + 1);
4680 			if (!tidattr)
4681 				goto nla_put_failure;
4682 
4683 #define PUT_TIDVAL_U64(attr, memb) do {					\
4684 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
4685 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
4686 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
4687 		goto nla_put_failure;					\
4688 	} while (0)
4689 
4690 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
4691 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
4692 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
4693 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
4694 
4695 #undef PUT_TIDVAL_U64
4696 			if ((tidstats->filled &
4697 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
4698 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
4699 						   NL80211_TID_STATS_TXQ_STATS))
4700 				goto nla_put_failure;
4701 
4702 			nla_nest_end(msg, tidattr);
4703 		}
4704 
4705 		nla_nest_end(msg, tidsattr);
4706 	}
4707 
4708 	nla_nest_end(msg, sinfoattr);
4709 
4710 	if (sinfo->assoc_req_ies_len &&
4711 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
4712 		    sinfo->assoc_req_ies))
4713 		goto nla_put_failure;
4714 
4715 	cfg80211_sinfo_release_content(sinfo);
4716 	genlmsg_end(msg, hdr);
4717 	return 0;
4718 
4719  nla_put_failure:
4720 	cfg80211_sinfo_release_content(sinfo);
4721 	genlmsg_cancel(msg, hdr);
4722 	return -EMSGSIZE;
4723 }
4724 
4725 static int nl80211_dump_station(struct sk_buff *skb,
4726 				struct netlink_callback *cb)
4727 {
4728 	struct station_info sinfo;
4729 	struct cfg80211_registered_device *rdev;
4730 	struct wireless_dev *wdev;
4731 	u8 mac_addr[ETH_ALEN];
4732 	int sta_idx = cb->args[2];
4733 	int err;
4734 
4735 	rtnl_lock();
4736 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
4737 	if (err)
4738 		goto out_err;
4739 
4740 	if (!wdev->netdev) {
4741 		err = -EINVAL;
4742 		goto out_err;
4743 	}
4744 
4745 	if (!rdev->ops->dump_station) {
4746 		err = -EOPNOTSUPP;
4747 		goto out_err;
4748 	}
4749 
4750 	while (1) {
4751 		memset(&sinfo, 0, sizeof(sinfo));
4752 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
4753 					mac_addr, &sinfo);
4754 		if (err == -ENOENT)
4755 			break;
4756 		if (err)
4757 			goto out_err;
4758 
4759 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
4760 				NETLINK_CB(cb->skb).portid,
4761 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
4762 				rdev, wdev->netdev, mac_addr,
4763 				&sinfo) < 0)
4764 			goto out;
4765 
4766 		sta_idx++;
4767 	}
4768 
4769  out:
4770 	cb->args[2] = sta_idx;
4771 	err = skb->len;
4772  out_err:
4773 	rtnl_unlock();
4774 
4775 	return err;
4776 }
4777 
4778 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
4779 {
4780 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4781 	struct net_device *dev = info->user_ptr[1];
4782 	struct station_info sinfo;
4783 	struct sk_buff *msg;
4784 	u8 *mac_addr = NULL;
4785 	int err;
4786 
4787 	memset(&sinfo, 0, sizeof(sinfo));
4788 
4789 	if (!info->attrs[NL80211_ATTR_MAC])
4790 		return -EINVAL;
4791 
4792 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4793 
4794 	if (!rdev->ops->get_station)
4795 		return -EOPNOTSUPP;
4796 
4797 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
4798 	if (err)
4799 		return err;
4800 
4801 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4802 	if (!msg) {
4803 		cfg80211_sinfo_release_content(&sinfo);
4804 		return -ENOMEM;
4805 	}
4806 
4807 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
4808 				 info->snd_portid, info->snd_seq, 0,
4809 				 rdev, dev, mac_addr, &sinfo) < 0) {
4810 		nlmsg_free(msg);
4811 		return -ENOBUFS;
4812 	}
4813 
4814 	return genlmsg_reply(msg, info);
4815 }
4816 
4817 int cfg80211_check_station_change(struct wiphy *wiphy,
4818 				  struct station_parameters *params,
4819 				  enum cfg80211_station_type statype)
4820 {
4821 	if (params->listen_interval != -1 &&
4822 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4823 		return -EINVAL;
4824 
4825 	if (params->support_p2p_ps != -1 &&
4826 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4827 		return -EINVAL;
4828 
4829 	if (params->aid &&
4830 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
4831 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
4832 		return -EINVAL;
4833 
4834 	/* When you run into this, adjust the code below for the new flag */
4835 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
4836 
4837 	switch (statype) {
4838 	case CFG80211_STA_MESH_PEER_KERNEL:
4839 	case CFG80211_STA_MESH_PEER_USER:
4840 		/*
4841 		 * No ignoring the TDLS flag here -- the userspace mesh
4842 		 * code doesn't have the bug of including TDLS in the
4843 		 * mask everywhere.
4844 		 */
4845 		if (params->sta_flags_mask &
4846 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4847 				  BIT(NL80211_STA_FLAG_MFP) |
4848 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
4849 			return -EINVAL;
4850 		break;
4851 	case CFG80211_STA_TDLS_PEER_SETUP:
4852 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4853 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
4854 			return -EINVAL;
4855 		/* ignore since it can't change */
4856 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4857 		break;
4858 	default:
4859 		/* disallow mesh-specific things */
4860 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
4861 			return -EINVAL;
4862 		if (params->local_pm)
4863 			return -EINVAL;
4864 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4865 			return -EINVAL;
4866 	}
4867 
4868 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4869 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
4870 		/* TDLS can't be set, ... */
4871 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
4872 			return -EINVAL;
4873 		/*
4874 		 * ... but don't bother the driver with it. This works around
4875 		 * a hostapd/wpa_supplicant issue -- it always includes the
4876 		 * TLDS_PEER flag in the mask even for AP mode.
4877 		 */
4878 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
4879 	}
4880 
4881 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
4882 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4883 		/* reject other things that can't change */
4884 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
4885 			return -EINVAL;
4886 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
4887 			return -EINVAL;
4888 		if (params->supported_rates)
4889 			return -EINVAL;
4890 		if (params->ext_capab || params->ht_capa || params->vht_capa)
4891 			return -EINVAL;
4892 	}
4893 
4894 	if (statype != CFG80211_STA_AP_CLIENT &&
4895 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
4896 		if (params->vlan)
4897 			return -EINVAL;
4898 	}
4899 
4900 	switch (statype) {
4901 	case CFG80211_STA_AP_MLME_CLIENT:
4902 		/* Use this only for authorizing/unauthorizing a station */
4903 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
4904 			return -EOPNOTSUPP;
4905 		break;
4906 	case CFG80211_STA_AP_CLIENT:
4907 	case CFG80211_STA_AP_CLIENT_UNASSOC:
4908 		/* accept only the listed bits */
4909 		if (params->sta_flags_mask &
4910 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4911 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4912 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
4913 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
4914 				  BIT(NL80211_STA_FLAG_WME) |
4915 				  BIT(NL80211_STA_FLAG_MFP)))
4916 			return -EINVAL;
4917 
4918 		/* but authenticated/associated only if driver handles it */
4919 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
4920 		    params->sta_flags_mask &
4921 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
4922 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
4923 			return -EINVAL;
4924 		break;
4925 	case CFG80211_STA_IBSS:
4926 	case CFG80211_STA_AP_STA:
4927 		/* reject any changes other than AUTHORIZED */
4928 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
4929 			return -EINVAL;
4930 		break;
4931 	case CFG80211_STA_TDLS_PEER_SETUP:
4932 		/* reject any changes other than AUTHORIZED or WME */
4933 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
4934 					       BIT(NL80211_STA_FLAG_WME)))
4935 			return -EINVAL;
4936 		/* force (at least) rates when authorizing */
4937 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
4938 		    !params->supported_rates)
4939 			return -EINVAL;
4940 		break;
4941 	case CFG80211_STA_TDLS_PEER_ACTIVE:
4942 		/* reject any changes */
4943 		return -EINVAL;
4944 	case CFG80211_STA_MESH_PEER_KERNEL:
4945 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
4946 			return -EINVAL;
4947 		break;
4948 	case CFG80211_STA_MESH_PEER_USER:
4949 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
4950 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
4951 			return -EINVAL;
4952 		break;
4953 	}
4954 
4955 	/*
4956 	 * Older kernel versions ignored this attribute entirely, so don't
4957 	 * reject attempts to update it but mark it as unused instead so the
4958 	 * driver won't look at the data.
4959 	 */
4960 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
4961 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
4962 		params->opmode_notif_used = false;
4963 
4964 	return 0;
4965 }
4966 EXPORT_SYMBOL(cfg80211_check_station_change);
4967 
4968 /*
4969  * Get vlan interface making sure it is running and on the right wiphy.
4970  */
4971 static struct net_device *get_vlan(struct genl_info *info,
4972 				   struct cfg80211_registered_device *rdev)
4973 {
4974 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
4975 	struct net_device *v;
4976 	int ret;
4977 
4978 	if (!vlanattr)
4979 		return NULL;
4980 
4981 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
4982 	if (!v)
4983 		return ERR_PTR(-ENODEV);
4984 
4985 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
4986 		ret = -EINVAL;
4987 		goto error;
4988 	}
4989 
4990 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
4991 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4992 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
4993 		ret = -EINVAL;
4994 		goto error;
4995 	}
4996 
4997 	if (!netif_running(v)) {
4998 		ret = -ENETDOWN;
4999 		goto error;
5000 	}
5001 
5002 	return v;
5003  error:
5004 	dev_put(v);
5005 	return ERR_PTR(ret);
5006 }
5007 
5008 static const struct nla_policy
5009 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5010 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5011 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5012 };
5013 
5014 static int nl80211_parse_sta_wme(struct genl_info *info,
5015 				 struct station_parameters *params)
5016 {
5017 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5018 	struct nlattr *nla;
5019 	int err;
5020 
5021 	/* parse WME attributes if present */
5022 	if (!info->attrs[NL80211_ATTR_STA_WME])
5023 		return 0;
5024 
5025 	nla = info->attrs[NL80211_ATTR_STA_WME];
5026 	err = nla_parse_nested(tb, NL80211_STA_WME_MAX, nla,
5027 			       nl80211_sta_wme_policy, info->extack);
5028 	if (err)
5029 		return err;
5030 
5031 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5032 		params->uapsd_queues = nla_get_u8(
5033 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5034 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5035 		return -EINVAL;
5036 
5037 	if (tb[NL80211_STA_WME_MAX_SP])
5038 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5039 
5040 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5041 		return -EINVAL;
5042 
5043 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5044 
5045 	return 0;
5046 }
5047 
5048 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5049 				      struct station_parameters *params)
5050 {
5051 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5052 		params->supported_channels =
5053 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5054 		params->supported_channels_len =
5055 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5056 		/*
5057 		 * Need to include at least one (first channel, number of
5058 		 * channels) tuple for each subband, and must have proper
5059 		 * tuples for the rest of the data as well.
5060 		 */
5061 		if (params->supported_channels_len < 2)
5062 			return -EINVAL;
5063 		if (params->supported_channels_len % 2)
5064 			return -EINVAL;
5065 	}
5066 
5067 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5068 		params->supported_oper_classes =
5069 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5070 		params->supported_oper_classes_len =
5071 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5072 		/*
5073 		 * The value of the Length field of the Supported Operating
5074 		 * Classes element is between 2 and 253.
5075 		 */
5076 		if (params->supported_oper_classes_len < 2 ||
5077 		    params->supported_oper_classes_len > 253)
5078 			return -EINVAL;
5079 	}
5080 	return 0;
5081 }
5082 
5083 static int nl80211_set_station_tdls(struct genl_info *info,
5084 				    struct station_parameters *params)
5085 {
5086 	int err;
5087 	/* Dummy STA entry gets updated once the peer capabilities are known */
5088 	if (info->attrs[NL80211_ATTR_PEER_AID])
5089 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5090 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5091 		params->ht_capa =
5092 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5093 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5094 		params->vht_capa =
5095 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5096 
5097 	err = nl80211_parse_sta_channel_info(info, params);
5098 	if (err)
5099 		return err;
5100 
5101 	return nl80211_parse_sta_wme(info, params);
5102 }
5103 
5104 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5105 {
5106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5107 	struct net_device *dev = info->user_ptr[1];
5108 	struct station_parameters params;
5109 	u8 *mac_addr;
5110 	int err;
5111 
5112 	memset(&params, 0, sizeof(params));
5113 
5114 	if (!rdev->ops->change_station)
5115 		return -EOPNOTSUPP;
5116 
5117 	/*
5118 	 * AID and listen_interval properties can be set only for unassociated
5119 	 * station. Include these parameters here and will check them in
5120 	 * cfg80211_check_station_change().
5121 	 */
5122 	if (info->attrs[NL80211_ATTR_STA_AID])
5123 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5124 
5125 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5126 		params.listen_interval =
5127 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5128 	else
5129 		params.listen_interval = -1;
5130 
5131 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5132 		u8 tmp;
5133 
5134 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5135 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
5136 			return -EINVAL;
5137 
5138 		params.support_p2p_ps = tmp;
5139 	} else {
5140 		params.support_p2p_ps = -1;
5141 	}
5142 
5143 	if (!info->attrs[NL80211_ATTR_MAC])
5144 		return -EINVAL;
5145 
5146 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5147 
5148 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5149 		params.supported_rates =
5150 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5151 		params.supported_rates_len =
5152 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5153 	}
5154 
5155 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5156 		params.capability =
5157 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5158 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5159 	}
5160 
5161 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5162 		params.ext_capab =
5163 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5164 		params.ext_capab_len =
5165 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5166 	}
5167 
5168 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5169 		return -EINVAL;
5170 
5171 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
5172 		params.plink_action =
5173 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5174 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
5175 			return -EINVAL;
5176 	}
5177 
5178 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5179 		params.plink_state =
5180 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5181 		if (params.plink_state >= NUM_NL80211_PLINK_STATES)
5182 			return -EINVAL;
5183 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID]) {
5184 			params.peer_aid = nla_get_u16(
5185 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5186 			if (params.peer_aid > IEEE80211_MAX_AID)
5187 				return -EINVAL;
5188 		}
5189 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5190 	}
5191 
5192 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]) {
5193 		enum nl80211_mesh_power_mode pm = nla_get_u32(
5194 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5195 
5196 		if (pm <= NL80211_MESH_POWER_UNKNOWN ||
5197 		    pm > NL80211_MESH_POWER_MAX)
5198 			return -EINVAL;
5199 
5200 		params.local_pm = pm;
5201 	}
5202 
5203 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5204 		params.opmode_notif_used = true;
5205 		params.opmode_notif =
5206 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5207 	}
5208 
5209 	/* Include parameters for TDLS peer (will check later) */
5210 	err = nl80211_set_station_tdls(info, &params);
5211 	if (err)
5212 		return err;
5213 
5214 	params.vlan = get_vlan(info, rdev);
5215 	if (IS_ERR(params.vlan))
5216 		return PTR_ERR(params.vlan);
5217 
5218 	switch (dev->ieee80211_ptr->iftype) {
5219 	case NL80211_IFTYPE_AP:
5220 	case NL80211_IFTYPE_AP_VLAN:
5221 	case NL80211_IFTYPE_P2P_GO:
5222 	case NL80211_IFTYPE_P2P_CLIENT:
5223 	case NL80211_IFTYPE_STATION:
5224 	case NL80211_IFTYPE_ADHOC:
5225 	case NL80211_IFTYPE_MESH_POINT:
5226 		break;
5227 	default:
5228 		err = -EOPNOTSUPP;
5229 		goto out_put_vlan;
5230 	}
5231 
5232 	/* driver will call cfg80211_check_station_change() */
5233 	err = rdev_change_station(rdev, dev, mac_addr, &params);
5234 
5235  out_put_vlan:
5236 	if (params.vlan)
5237 		dev_put(params.vlan);
5238 
5239 	return err;
5240 }
5241 
5242 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
5243 {
5244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5245 	int err;
5246 	struct net_device *dev = info->user_ptr[1];
5247 	struct station_parameters params;
5248 	u8 *mac_addr = NULL;
5249 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5250 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
5251 
5252 	memset(&params, 0, sizeof(params));
5253 
5254 	if (!rdev->ops->add_station)
5255 		return -EOPNOTSUPP;
5256 
5257 	if (!info->attrs[NL80211_ATTR_MAC])
5258 		return -EINVAL;
5259 
5260 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5261 		return -EINVAL;
5262 
5263 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
5264 		return -EINVAL;
5265 
5266 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
5267 	    !info->attrs[NL80211_ATTR_PEER_AID])
5268 		return -EINVAL;
5269 
5270 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5271 	params.supported_rates =
5272 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5273 	params.supported_rates_len =
5274 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5275 	params.listen_interval =
5276 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5277 
5278 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
5279 		u8 tmp;
5280 
5281 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5282 		if (tmp >= NUM_NL80211_P2P_PS_STATUS)
5283 			return -EINVAL;
5284 
5285 		params.support_p2p_ps = tmp;
5286 	} else {
5287 		/*
5288 		 * if not specified, assume it's supported for P2P GO interface,
5289 		 * and is NOT supported for AP interface
5290 		 */
5291 		params.support_p2p_ps =
5292 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
5293 	}
5294 
5295 	if (info->attrs[NL80211_ATTR_PEER_AID])
5296 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5297 	else
5298 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5299 	if (!params.aid || params.aid > IEEE80211_MAX_AID)
5300 		return -EINVAL;
5301 
5302 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5303 		params.capability =
5304 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5305 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5306 	}
5307 
5308 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5309 		params.ext_capab =
5310 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5311 		params.ext_capab_len =
5312 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5313 	}
5314 
5315 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5316 		params.ht_capa =
5317 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5318 
5319 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5320 		params.vht_capa =
5321 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5322 
5323 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5324 		params.opmode_notif_used = true;
5325 		params.opmode_notif =
5326 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5327 	}
5328 
5329 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION]) {
5330 		params.plink_action =
5331 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5332 		if (params.plink_action >= NUM_NL80211_PLINK_ACTIONS)
5333 			return -EINVAL;
5334 	}
5335 
5336 	err = nl80211_parse_sta_channel_info(info, &params);
5337 	if (err)
5338 		return err;
5339 
5340 	err = nl80211_parse_sta_wme(info, &params);
5341 	if (err)
5342 		return err;
5343 
5344 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5345 		return -EINVAL;
5346 
5347 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
5348 	 * as userspace might just pass through the capabilities from the IEs
5349 	 * directly, rather than enforcing this restriction and returning an
5350 	 * error in this case.
5351 	 */
5352 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
5353 		params.ht_capa = NULL;
5354 		params.vht_capa = NULL;
5355 	}
5356 
5357 	/* When you run into this, adjust the code below for the new flag */
5358 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5359 
5360 	switch (dev->ieee80211_ptr->iftype) {
5361 	case NL80211_IFTYPE_AP:
5362 	case NL80211_IFTYPE_AP_VLAN:
5363 	case NL80211_IFTYPE_P2P_GO:
5364 		/* ignore WME attributes if iface/sta is not capable */
5365 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
5366 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
5367 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5368 
5369 		/* TDLS peers cannot be added */
5370 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5371 		    info->attrs[NL80211_ATTR_PEER_AID])
5372 			return -EINVAL;
5373 		/* but don't bother the driver with it */
5374 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5375 
5376 		/* allow authenticated/associated only if driver handles it */
5377 		if (!(rdev->wiphy.features &
5378 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5379 		    params.sta_flags_mask & auth_assoc)
5380 			return -EINVAL;
5381 
5382 		/* Older userspace, or userspace wanting to be compatible with
5383 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
5384 		 * and assoc flags in the mask, but assumes the station will be
5385 		 * added as associated anyway since this was the required driver
5386 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
5387 		 * introduced.
5388 		 * In order to not bother drivers with this quirk in the API
5389 		 * set the flags in both the mask and set for new stations in
5390 		 * this case.
5391 		 */
5392 		if (!(params.sta_flags_mask & auth_assoc)) {
5393 			params.sta_flags_mask |= auth_assoc;
5394 			params.sta_flags_set |= auth_assoc;
5395 		}
5396 
5397 		/* must be last in here for error handling */
5398 		params.vlan = get_vlan(info, rdev);
5399 		if (IS_ERR(params.vlan))
5400 			return PTR_ERR(params.vlan);
5401 		break;
5402 	case NL80211_IFTYPE_MESH_POINT:
5403 		/* ignore uAPSD data */
5404 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5405 
5406 		/* associated is disallowed */
5407 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
5408 			return -EINVAL;
5409 		/* TDLS peers cannot be added */
5410 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
5411 		    info->attrs[NL80211_ATTR_PEER_AID])
5412 			return -EINVAL;
5413 		break;
5414 	case NL80211_IFTYPE_STATION:
5415 	case NL80211_IFTYPE_P2P_CLIENT:
5416 		/* ignore uAPSD data */
5417 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
5418 
5419 		/* these are disallowed */
5420 		if (params.sta_flags_mask &
5421 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
5422 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
5423 			return -EINVAL;
5424 		/* Only TDLS peers can be added */
5425 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5426 			return -EINVAL;
5427 		/* Can only add if TDLS ... */
5428 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
5429 			return -EOPNOTSUPP;
5430 		/* ... with external setup is supported */
5431 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
5432 			return -EOPNOTSUPP;
5433 		/*
5434 		 * Older wpa_supplicant versions always mark the TDLS peer
5435 		 * as authorized, but it shouldn't yet be.
5436 		 */
5437 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
5438 		break;
5439 	default:
5440 		return -EOPNOTSUPP;
5441 	}
5442 
5443 	/* be aware of params.vlan when changing code here */
5444 
5445 	err = rdev_add_station(rdev, dev, mac_addr, &params);
5446 
5447 	if (params.vlan)
5448 		dev_put(params.vlan);
5449 	return err;
5450 }
5451 
5452 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
5453 {
5454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5455 	struct net_device *dev = info->user_ptr[1];
5456 	struct station_del_parameters params;
5457 
5458 	memset(&params, 0, sizeof(params));
5459 
5460 	if (info->attrs[NL80211_ATTR_MAC])
5461 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
5462 
5463 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5464 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5465 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
5466 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5467 		return -EINVAL;
5468 
5469 	if (!rdev->ops->del_station)
5470 		return -EOPNOTSUPP;
5471 
5472 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
5473 		params.subtype =
5474 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
5475 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
5476 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
5477 			return -EINVAL;
5478 	} else {
5479 		/* Default to Deauthentication frame */
5480 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
5481 	}
5482 
5483 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
5484 		params.reason_code =
5485 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
5486 		if (params.reason_code == 0)
5487 			return -EINVAL; /* 0 is reserved */
5488 	} else {
5489 		/* Default to reason code 2 */
5490 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
5491 	}
5492 
5493 	return rdev_del_station(rdev, dev, &params);
5494 }
5495 
5496 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
5497 				int flags, struct net_device *dev,
5498 				u8 *dst, u8 *next_hop,
5499 				struct mpath_info *pinfo)
5500 {
5501 	void *hdr;
5502 	struct nlattr *pinfoattr;
5503 
5504 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
5505 	if (!hdr)
5506 		return -1;
5507 
5508 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5509 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
5510 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
5511 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
5512 		goto nla_put_failure;
5513 
5514 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MPATH_INFO);
5515 	if (!pinfoattr)
5516 		goto nla_put_failure;
5517 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
5518 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
5519 			pinfo->frame_qlen))
5520 		goto nla_put_failure;
5521 	if (((pinfo->filled & MPATH_INFO_SN) &&
5522 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
5523 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
5524 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
5525 			 pinfo->metric)) ||
5526 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
5527 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
5528 			 pinfo->exptime)) ||
5529 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
5530 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
5531 			pinfo->flags)) ||
5532 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
5533 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
5534 			 pinfo->discovery_timeout)) ||
5535 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
5536 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
5537 			pinfo->discovery_retries)))
5538 		goto nla_put_failure;
5539 
5540 	nla_nest_end(msg, pinfoattr);
5541 
5542 	genlmsg_end(msg, hdr);
5543 	return 0;
5544 
5545  nla_put_failure:
5546 	genlmsg_cancel(msg, hdr);
5547 	return -EMSGSIZE;
5548 }
5549 
5550 static int nl80211_dump_mpath(struct sk_buff *skb,
5551 			      struct netlink_callback *cb)
5552 {
5553 	struct mpath_info pinfo;
5554 	struct cfg80211_registered_device *rdev;
5555 	struct wireless_dev *wdev;
5556 	u8 dst[ETH_ALEN];
5557 	u8 next_hop[ETH_ALEN];
5558 	int path_idx = cb->args[2];
5559 	int err;
5560 
5561 	rtnl_lock();
5562 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5563 	if (err)
5564 		goto out_err;
5565 
5566 	if (!rdev->ops->dump_mpath) {
5567 		err = -EOPNOTSUPP;
5568 		goto out_err;
5569 	}
5570 
5571 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5572 		err = -EOPNOTSUPP;
5573 		goto out_err;
5574 	}
5575 
5576 	while (1) {
5577 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
5578 				      next_hop, &pinfo);
5579 		if (err == -ENOENT)
5580 			break;
5581 		if (err)
5582 			goto out_err;
5583 
5584 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5585 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5586 				       wdev->netdev, dst, next_hop,
5587 				       &pinfo) < 0)
5588 			goto out;
5589 
5590 		path_idx++;
5591 	}
5592 
5593  out:
5594 	cb->args[2] = path_idx;
5595 	err = skb->len;
5596  out_err:
5597 	rtnl_unlock();
5598 	return err;
5599 }
5600 
5601 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
5602 {
5603 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5604 	int err;
5605 	struct net_device *dev = info->user_ptr[1];
5606 	struct mpath_info pinfo;
5607 	struct sk_buff *msg;
5608 	u8 *dst = NULL;
5609 	u8 next_hop[ETH_ALEN];
5610 
5611 	memset(&pinfo, 0, sizeof(pinfo));
5612 
5613 	if (!info->attrs[NL80211_ATTR_MAC])
5614 		return -EINVAL;
5615 
5616 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5617 
5618 	if (!rdev->ops->get_mpath)
5619 		return -EOPNOTSUPP;
5620 
5621 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5622 		return -EOPNOTSUPP;
5623 
5624 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
5625 	if (err)
5626 		return err;
5627 
5628 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5629 	if (!msg)
5630 		return -ENOMEM;
5631 
5632 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5633 				 dev, dst, next_hop, &pinfo) < 0) {
5634 		nlmsg_free(msg);
5635 		return -ENOBUFS;
5636 	}
5637 
5638 	return genlmsg_reply(msg, info);
5639 }
5640 
5641 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
5642 {
5643 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5644 	struct net_device *dev = info->user_ptr[1];
5645 	u8 *dst = NULL;
5646 	u8 *next_hop = NULL;
5647 
5648 	if (!info->attrs[NL80211_ATTR_MAC])
5649 		return -EINVAL;
5650 
5651 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5652 		return -EINVAL;
5653 
5654 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5655 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5656 
5657 	if (!rdev->ops->change_mpath)
5658 		return -EOPNOTSUPP;
5659 
5660 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5661 		return -EOPNOTSUPP;
5662 
5663 	return rdev_change_mpath(rdev, dev, dst, next_hop);
5664 }
5665 
5666 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
5667 {
5668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5669 	struct net_device *dev = info->user_ptr[1];
5670 	u8 *dst = NULL;
5671 	u8 *next_hop = NULL;
5672 
5673 	if (!info->attrs[NL80211_ATTR_MAC])
5674 		return -EINVAL;
5675 
5676 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
5677 		return -EINVAL;
5678 
5679 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5680 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
5681 
5682 	if (!rdev->ops->add_mpath)
5683 		return -EOPNOTSUPP;
5684 
5685 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5686 		return -EOPNOTSUPP;
5687 
5688 	return rdev_add_mpath(rdev, dev, dst, next_hop);
5689 }
5690 
5691 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
5692 {
5693 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5694 	struct net_device *dev = info->user_ptr[1];
5695 	u8 *dst = NULL;
5696 
5697 	if (info->attrs[NL80211_ATTR_MAC])
5698 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5699 
5700 	if (!rdev->ops->del_mpath)
5701 		return -EOPNOTSUPP;
5702 
5703 	return rdev_del_mpath(rdev, dev, dst);
5704 }
5705 
5706 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
5707 {
5708 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5709 	int err;
5710 	struct net_device *dev = info->user_ptr[1];
5711 	struct mpath_info pinfo;
5712 	struct sk_buff *msg;
5713 	u8 *dst = NULL;
5714 	u8 mpp[ETH_ALEN];
5715 
5716 	memset(&pinfo, 0, sizeof(pinfo));
5717 
5718 	if (!info->attrs[NL80211_ATTR_MAC])
5719 		return -EINVAL;
5720 
5721 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
5722 
5723 	if (!rdev->ops->get_mpp)
5724 		return -EOPNOTSUPP;
5725 
5726 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
5727 		return -EOPNOTSUPP;
5728 
5729 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
5730 	if (err)
5731 		return err;
5732 
5733 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5734 	if (!msg)
5735 		return -ENOMEM;
5736 
5737 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
5738 			       dev, dst, mpp, &pinfo) < 0) {
5739 		nlmsg_free(msg);
5740 		return -ENOBUFS;
5741 	}
5742 
5743 	return genlmsg_reply(msg, info);
5744 }
5745 
5746 static int nl80211_dump_mpp(struct sk_buff *skb,
5747 			    struct netlink_callback *cb)
5748 {
5749 	struct mpath_info pinfo;
5750 	struct cfg80211_registered_device *rdev;
5751 	struct wireless_dev *wdev;
5752 	u8 dst[ETH_ALEN];
5753 	u8 mpp[ETH_ALEN];
5754 	int path_idx = cb->args[2];
5755 	int err;
5756 
5757 	rtnl_lock();
5758 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
5759 	if (err)
5760 		goto out_err;
5761 
5762 	if (!rdev->ops->dump_mpp) {
5763 		err = -EOPNOTSUPP;
5764 		goto out_err;
5765 	}
5766 
5767 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
5768 		err = -EOPNOTSUPP;
5769 		goto out_err;
5770 	}
5771 
5772 	while (1) {
5773 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
5774 				    mpp, &pinfo);
5775 		if (err == -ENOENT)
5776 			break;
5777 		if (err)
5778 			goto out_err;
5779 
5780 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
5781 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
5782 				       wdev->netdev, dst, mpp,
5783 				       &pinfo) < 0)
5784 			goto out;
5785 
5786 		path_idx++;
5787 	}
5788 
5789  out:
5790 	cb->args[2] = path_idx;
5791 	err = skb->len;
5792  out_err:
5793 	rtnl_unlock();
5794 	return err;
5795 }
5796 
5797 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
5798 {
5799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5800 	struct net_device *dev = info->user_ptr[1];
5801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5802 	struct bss_parameters params;
5803 	int err;
5804 
5805 	memset(&params, 0, sizeof(params));
5806 	/* default to not changing parameters */
5807 	params.use_cts_prot = -1;
5808 	params.use_short_preamble = -1;
5809 	params.use_short_slot_time = -1;
5810 	params.ap_isolate = -1;
5811 	params.ht_opmode = -1;
5812 	params.p2p_ctwindow = -1;
5813 	params.p2p_opp_ps = -1;
5814 
5815 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
5816 		params.use_cts_prot =
5817 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
5818 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
5819 		params.use_short_preamble =
5820 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
5821 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
5822 		params.use_short_slot_time =
5823 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
5824 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
5825 		params.basic_rates =
5826 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5827 		params.basic_rates_len =
5828 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
5829 	}
5830 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
5831 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
5832 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
5833 		params.ht_opmode =
5834 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
5835 
5836 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5837 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5838 			return -EINVAL;
5839 		params.p2p_ctwindow =
5840 			nla_get_s8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5841 		if (params.p2p_ctwindow < 0)
5842 			return -EINVAL;
5843 		if (params.p2p_ctwindow != 0 &&
5844 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5845 			return -EINVAL;
5846 	}
5847 
5848 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5849 		u8 tmp;
5850 
5851 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5852 			return -EINVAL;
5853 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5854 		if (tmp > 1)
5855 			return -EINVAL;
5856 		params.p2p_opp_ps = tmp;
5857 		if (params.p2p_opp_ps &&
5858 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5859 			return -EINVAL;
5860 	}
5861 
5862 	if (!rdev->ops->change_bss)
5863 		return -EOPNOTSUPP;
5864 
5865 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5866 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5867 		return -EOPNOTSUPP;
5868 
5869 	wdev_lock(wdev);
5870 	err = rdev_change_bss(rdev, dev, &params);
5871 	wdev_unlock(wdev);
5872 
5873 	return err;
5874 }
5875 
5876 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
5877 {
5878 	char *data = NULL;
5879 	bool is_indoor;
5880 	enum nl80211_user_reg_hint_type user_reg_hint_type;
5881 	u32 owner_nlportid;
5882 
5883 	/*
5884 	 * You should only get this when cfg80211 hasn't yet initialized
5885 	 * completely when built-in to the kernel right between the time
5886 	 * window between nl80211_init() and regulatory_init(), if that is
5887 	 * even possible.
5888 	 */
5889 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
5890 		return -EINPROGRESS;
5891 
5892 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
5893 		user_reg_hint_type =
5894 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
5895 	else
5896 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
5897 
5898 	switch (user_reg_hint_type) {
5899 	case NL80211_USER_REG_HINT_USER:
5900 	case NL80211_USER_REG_HINT_CELL_BASE:
5901 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
5902 			return -EINVAL;
5903 
5904 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
5905 		return regulatory_hint_user(data, user_reg_hint_type);
5906 	case NL80211_USER_REG_HINT_INDOOR:
5907 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
5908 			owner_nlportid = info->snd_portid;
5909 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
5910 		} else {
5911 			owner_nlportid = 0;
5912 			is_indoor = true;
5913 		}
5914 
5915 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
5916 	default:
5917 		return -EINVAL;
5918 	}
5919 }
5920 
5921 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
5922 {
5923 	return reg_reload_regdb();
5924 }
5925 
5926 static int nl80211_get_mesh_config(struct sk_buff *skb,
5927 				   struct genl_info *info)
5928 {
5929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5930 	struct net_device *dev = info->user_ptr[1];
5931 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5932 	struct mesh_config cur_params;
5933 	int err = 0;
5934 	void *hdr;
5935 	struct nlattr *pinfoattr;
5936 	struct sk_buff *msg;
5937 
5938 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
5939 		return -EOPNOTSUPP;
5940 
5941 	if (!rdev->ops->get_mesh_config)
5942 		return -EOPNOTSUPP;
5943 
5944 	wdev_lock(wdev);
5945 	/* If not connected, get default parameters */
5946 	if (!wdev->mesh_id_len)
5947 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
5948 	else
5949 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
5950 	wdev_unlock(wdev);
5951 
5952 	if (err)
5953 		return err;
5954 
5955 	/* Draw up a netlink message to send back */
5956 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5957 	if (!msg)
5958 		return -ENOMEM;
5959 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5960 			     NL80211_CMD_GET_MESH_CONFIG);
5961 	if (!hdr)
5962 		goto out;
5963 	pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
5964 	if (!pinfoattr)
5965 		goto nla_put_failure;
5966 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5967 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
5968 			cur_params.dot11MeshRetryTimeout) ||
5969 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
5970 			cur_params.dot11MeshConfirmTimeout) ||
5971 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
5972 			cur_params.dot11MeshHoldingTimeout) ||
5973 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
5974 			cur_params.dot11MeshMaxPeerLinks) ||
5975 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
5976 		       cur_params.dot11MeshMaxRetries) ||
5977 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
5978 		       cur_params.dot11MeshTTL) ||
5979 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
5980 		       cur_params.element_ttl) ||
5981 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
5982 		       cur_params.auto_open_plinks) ||
5983 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
5984 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
5985 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
5986 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
5987 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
5988 			cur_params.path_refresh_time) ||
5989 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
5990 			cur_params.min_discovery_timeout) ||
5991 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
5992 			cur_params.dot11MeshHWMPactivePathTimeout) ||
5993 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
5994 			cur_params.dot11MeshHWMPpreqMinInterval) ||
5995 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
5996 			cur_params.dot11MeshHWMPperrMinInterval) ||
5997 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
5998 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
5999 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6000 		       cur_params.dot11MeshHWMPRootMode) ||
6001 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6002 			cur_params.dot11MeshHWMPRannInterval) ||
6003 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6004 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6005 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6006 		       cur_params.dot11MeshForwarding) ||
6007 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6008 			cur_params.rssi_threshold) ||
6009 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6010 			cur_params.ht_opmode) ||
6011 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6012 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6013 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6014 			cur_params.dot11MeshHWMProotInterval) ||
6015 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6016 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6017 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6018 			cur_params.power_mode) ||
6019 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6020 			cur_params.dot11MeshAwakeWindowDuration) ||
6021 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6022 			cur_params.plink_timeout))
6023 		goto nla_put_failure;
6024 	nla_nest_end(msg, pinfoattr);
6025 	genlmsg_end(msg, hdr);
6026 	return genlmsg_reply(msg, info);
6027 
6028  nla_put_failure:
6029  out:
6030 	nlmsg_free(msg);
6031 	return -ENOBUFS;
6032 }
6033 
6034 static const struct nla_policy nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6035 	[NL80211_MESHCONF_RETRY_TIMEOUT] = { .type = NLA_U16 },
6036 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] = { .type = NLA_U16 },
6037 	[NL80211_MESHCONF_HOLDING_TIMEOUT] = { .type = NLA_U16 },
6038 	[NL80211_MESHCONF_MAX_PEER_LINKS] = { .type = NLA_U16 },
6039 	[NL80211_MESHCONF_MAX_RETRIES] = { .type = NLA_U8 },
6040 	[NL80211_MESHCONF_TTL] = { .type = NLA_U8 },
6041 	[NL80211_MESHCONF_ELEMENT_TTL] = { .type = NLA_U8 },
6042 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = { .type = NLA_U8 },
6043 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] = { .type = NLA_U32 },
6044 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6045 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6046 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = { .type = NLA_U16 },
6047 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6048 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] = { .type = NLA_U16 },
6049 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] = { .type = NLA_U16 },
6050 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] = { .type = NLA_U16 },
6051 	[NL80211_MESHCONF_HWMP_ROOTMODE] = { .type = NLA_U8 },
6052 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] = { .type = NLA_U16 },
6053 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = { .type = NLA_U8 },
6054 	[NL80211_MESHCONF_FORWARDING] = { .type = NLA_U8 },
6055 	[NL80211_MESHCONF_RSSI_THRESHOLD] = { .type = NLA_U32 },
6056 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6057 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6058 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] = { .type = NLA_U16 },
6059 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] = { .type = NLA_U16 },
6060 	[NL80211_MESHCONF_POWER_MODE] = { .type = NLA_U32 },
6061 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6062 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6063 };
6064 
6065 static const struct nla_policy
6066 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6067 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6068 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6069 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6070 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6071 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6072 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6073 	[NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
6074 				    .len = IEEE80211_MAX_DATA_LEN },
6075 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6076 };
6077 
6078 static int nl80211_check_bool(const struct nlattr *nla, u8 min, u8 max, bool *out)
6079 {
6080 	u8 val = nla_get_u8(nla);
6081 	if (val < min || val > max)
6082 		return -EINVAL;
6083 	*out = val;
6084 	return 0;
6085 }
6086 
6087 static int nl80211_check_u8(const struct nlattr *nla, u8 min, u8 max, u8 *out)
6088 {
6089 	u8 val = nla_get_u8(nla);
6090 	if (val < min || val > max)
6091 		return -EINVAL;
6092 	*out = val;
6093 	return 0;
6094 }
6095 
6096 static int nl80211_check_u16(const struct nlattr *nla, u16 min, u16 max, u16 *out)
6097 {
6098 	u16 val = nla_get_u16(nla);
6099 	if (val < min || val > max)
6100 		return -EINVAL;
6101 	*out = val;
6102 	return 0;
6103 }
6104 
6105 static int nl80211_check_u32(const struct nlattr *nla, u32 min, u32 max, u32 *out)
6106 {
6107 	u32 val = nla_get_u32(nla);
6108 	if (val < min || val > max)
6109 		return -EINVAL;
6110 	*out = val;
6111 	return 0;
6112 }
6113 
6114 static int nl80211_check_s32(const struct nlattr *nla, s32 min, s32 max, s32 *out)
6115 {
6116 	s32 val = nla_get_s32(nla);
6117 	if (val < min || val > max)
6118 		return -EINVAL;
6119 	*out = val;
6120 	return 0;
6121 }
6122 
6123 static int nl80211_check_power_mode(const struct nlattr *nla,
6124 				    enum nl80211_mesh_power_mode min,
6125 				    enum nl80211_mesh_power_mode max,
6126 				    enum nl80211_mesh_power_mode *out)
6127 {
6128 	u32 val = nla_get_u32(nla);
6129 	if (val < min || val > max)
6130 		return -EINVAL;
6131 	*out = val;
6132 	return 0;
6133 }
6134 
6135 static int nl80211_parse_mesh_config(struct genl_info *info,
6136 				     struct mesh_config *cfg,
6137 				     u32 *mask_out)
6138 {
6139 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6140 	u32 mask = 0;
6141 	u16 ht_opmode;
6142 
6143 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
6144 do {									    \
6145 	if (tb[attr]) {							    \
6146 		if (fn(tb[attr], min, max, &cfg->param))		    \
6147 			return -EINVAL;					    \
6148 		mask |= (1 << (attr - 1));				    \
6149 	}								    \
6150 } while (0)
6151 
6152 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6153 		return -EINVAL;
6154 	if (nla_parse_nested(tb, NL80211_MESHCONF_ATTR_MAX,
6155 			     info->attrs[NL80211_ATTR_MESH_CONFIG],
6156 			     nl80211_meshconf_params_policy, info->extack))
6157 		return -EINVAL;
6158 
6159 	/* This makes sure that there aren't more than 32 mesh config
6160 	 * parameters (otherwise our bitfield scheme would not work.) */
6161 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6162 
6163 	/* Fill in the params struct */
6164 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, 1, 255,
6165 				  mask, NL80211_MESHCONF_RETRY_TIMEOUT,
6166 				  nl80211_check_u16);
6167 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, 1, 255,
6168 				  mask, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6169 				  nl80211_check_u16);
6170 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, 1, 255,
6171 				  mask, NL80211_MESHCONF_HOLDING_TIMEOUT,
6172 				  nl80211_check_u16);
6173 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, 0, 255,
6174 				  mask, NL80211_MESHCONF_MAX_PEER_LINKS,
6175 				  nl80211_check_u16);
6176 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, 0, 16,
6177 				  mask, NL80211_MESHCONF_MAX_RETRIES,
6178 				  nl80211_check_u8);
6179 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, 1, 255,
6180 				  mask, NL80211_MESHCONF_TTL, nl80211_check_u8);
6181 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, 1, 255,
6182 				  mask, NL80211_MESHCONF_ELEMENT_TTL,
6183 				  nl80211_check_u8);
6184 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, 0, 1,
6185 				  mask, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6186 				  nl80211_check_bool);
6187 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6188 				  1, 255, mask,
6189 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6190 				  nl80211_check_u32);
6191 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, 0, 255,
6192 				  mask, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6193 				  nl80211_check_u8);
6194 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, 1, 65535,
6195 				  mask, NL80211_MESHCONF_PATH_REFRESH_TIME,
6196 				  nl80211_check_u32);
6197 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, 1, 65535,
6198 				  mask, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6199 				  nl80211_check_u16);
6200 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
6201 				  1, 65535, mask,
6202 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6203 				  nl80211_check_u32);
6204 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval,
6205 				  1, 65535, mask,
6206 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6207 				  nl80211_check_u16);
6208 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval,
6209 				  1, 65535, mask,
6210 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6211 				  nl80211_check_u16);
6212 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6213 				  dot11MeshHWMPnetDiameterTraversalTime,
6214 				  1, 65535, mask,
6215 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6216 				  nl80211_check_u16);
6217 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, 0, 4,
6218 				  mask, NL80211_MESHCONF_HWMP_ROOTMODE,
6219 				  nl80211_check_u8);
6220 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, 1, 65535,
6221 				  mask, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6222 				  nl80211_check_u16);
6223 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6224 				  dot11MeshGateAnnouncementProtocol, 0, 1,
6225 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6226 				  nl80211_check_bool);
6227 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, 0, 1,
6228 				  mask, NL80211_MESHCONF_FORWARDING,
6229 				  nl80211_check_bool);
6230 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
6231 				  mask, NL80211_MESHCONF_RSSI_THRESHOLD,
6232 				  nl80211_check_s32);
6233 	/*
6234 	 * Check HT operation mode based on
6235 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
6236 	 */
6237 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
6238 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
6239 
6240 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
6241 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
6242 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
6243 			return -EINVAL;
6244 
6245 		/* NON_HT_STA bit is reserved, but some programs set it */
6246 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
6247 
6248 		cfg->ht_opmode = ht_opmode;
6249 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
6250 	}
6251 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
6252 				  1, 65535, mask,
6253 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6254 				  nl80211_check_u32);
6255 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, 1, 65535,
6256 				  mask, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6257 				  nl80211_check_u16);
6258 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
6259 				  dot11MeshHWMPconfirmationInterval,
6260 				  1, 65535, mask,
6261 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6262 				  nl80211_check_u16);
6263 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode,
6264 				  NL80211_MESH_POWER_ACTIVE,
6265 				  NL80211_MESH_POWER_MAX,
6266 				  mask, NL80211_MESHCONF_POWER_MODE,
6267 				  nl80211_check_power_mode);
6268 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration,
6269 				  0, 65535, mask,
6270 				  NL80211_MESHCONF_AWAKE_WINDOW, nl80211_check_u16);
6271 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, 0, 0xffffffff,
6272 				  mask, NL80211_MESHCONF_PLINK_TIMEOUT,
6273 				  nl80211_check_u32);
6274 	if (mask_out)
6275 		*mask_out = mask;
6276 
6277 	return 0;
6278 
6279 #undef FILL_IN_MESH_PARAM_IF_SET
6280 }
6281 
6282 static int nl80211_parse_mesh_setup(struct genl_info *info,
6283 				     struct mesh_setup *setup)
6284 {
6285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6286 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
6287 
6288 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
6289 		return -EINVAL;
6290 	if (nla_parse_nested(tb, NL80211_MESH_SETUP_ATTR_MAX,
6291 			     info->attrs[NL80211_ATTR_MESH_SETUP],
6292 			     nl80211_mesh_setup_params_policy, info->extack))
6293 		return -EINVAL;
6294 
6295 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
6296 		setup->sync_method =
6297 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
6298 		 IEEE80211_SYNC_METHOD_VENDOR :
6299 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
6300 
6301 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
6302 		setup->path_sel_proto =
6303 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
6304 		 IEEE80211_PATH_PROTOCOL_VENDOR :
6305 		 IEEE80211_PATH_PROTOCOL_HWMP;
6306 
6307 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
6308 		setup->path_metric =
6309 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
6310 		 IEEE80211_PATH_METRIC_VENDOR :
6311 		 IEEE80211_PATH_METRIC_AIRTIME;
6312 
6313 	if (tb[NL80211_MESH_SETUP_IE]) {
6314 		struct nlattr *ieattr =
6315 			tb[NL80211_MESH_SETUP_IE];
6316 		if (!is_valid_ie_attr(ieattr))
6317 			return -EINVAL;
6318 		setup->ie = nla_data(ieattr);
6319 		setup->ie_len = nla_len(ieattr);
6320 	}
6321 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
6322 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
6323 		return -EINVAL;
6324 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
6325 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
6326 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
6327 	if (setup->is_secure)
6328 		setup->user_mpm = true;
6329 
6330 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
6331 		if (!setup->user_mpm)
6332 			return -EINVAL;
6333 		setup->auth_id =
6334 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
6335 	}
6336 
6337 	return 0;
6338 }
6339 
6340 static int nl80211_update_mesh_config(struct sk_buff *skb,
6341 				      struct genl_info *info)
6342 {
6343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6344 	struct net_device *dev = info->user_ptr[1];
6345 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6346 	struct mesh_config cfg;
6347 	u32 mask;
6348 	int err;
6349 
6350 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6351 		return -EOPNOTSUPP;
6352 
6353 	if (!rdev->ops->update_mesh_config)
6354 		return -EOPNOTSUPP;
6355 
6356 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
6357 	if (err)
6358 		return err;
6359 
6360 	wdev_lock(wdev);
6361 	if (!wdev->mesh_id_len)
6362 		err = -ENOLINK;
6363 
6364 	if (!err)
6365 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
6366 
6367 	wdev_unlock(wdev);
6368 
6369 	return err;
6370 }
6371 
6372 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
6373 			      struct sk_buff *msg)
6374 {
6375 	struct nlattr *nl_reg_rules;
6376 	unsigned int i;
6377 
6378 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
6379 	    (regdom->dfs_region &&
6380 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
6381 		goto nla_put_failure;
6382 
6383 	nl_reg_rules = nla_nest_start(msg, NL80211_ATTR_REG_RULES);
6384 	if (!nl_reg_rules)
6385 		goto nla_put_failure;
6386 
6387 	for (i = 0; i < regdom->n_reg_rules; i++) {
6388 		struct nlattr *nl_reg_rule;
6389 		const struct ieee80211_reg_rule *reg_rule;
6390 		const struct ieee80211_freq_range *freq_range;
6391 		const struct ieee80211_power_rule *power_rule;
6392 		unsigned int max_bandwidth_khz;
6393 
6394 		reg_rule = &regdom->reg_rules[i];
6395 		freq_range = &reg_rule->freq_range;
6396 		power_rule = &reg_rule->power_rule;
6397 
6398 		nl_reg_rule = nla_nest_start(msg, i);
6399 		if (!nl_reg_rule)
6400 			goto nla_put_failure;
6401 
6402 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
6403 		if (!max_bandwidth_khz)
6404 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
6405 								  reg_rule);
6406 
6407 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
6408 				reg_rule->flags) ||
6409 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
6410 				freq_range->start_freq_khz) ||
6411 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
6412 				freq_range->end_freq_khz) ||
6413 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
6414 				max_bandwidth_khz) ||
6415 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
6416 				power_rule->max_antenna_gain) ||
6417 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
6418 				power_rule->max_eirp) ||
6419 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
6420 				reg_rule->dfs_cac_ms))
6421 			goto nla_put_failure;
6422 
6423 		nla_nest_end(msg, nl_reg_rule);
6424 	}
6425 
6426 	nla_nest_end(msg, nl_reg_rules);
6427 	return 0;
6428 
6429 nla_put_failure:
6430 	return -EMSGSIZE;
6431 }
6432 
6433 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
6434 {
6435 	const struct ieee80211_regdomain *regdom = NULL;
6436 	struct cfg80211_registered_device *rdev;
6437 	struct wiphy *wiphy = NULL;
6438 	struct sk_buff *msg;
6439 	void *hdr;
6440 
6441 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6442 	if (!msg)
6443 		return -ENOBUFS;
6444 
6445 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6446 			     NL80211_CMD_GET_REG);
6447 	if (!hdr)
6448 		goto put_failure;
6449 
6450 	if (info->attrs[NL80211_ATTR_WIPHY]) {
6451 		bool self_managed;
6452 
6453 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
6454 		if (IS_ERR(rdev)) {
6455 			nlmsg_free(msg);
6456 			return PTR_ERR(rdev);
6457 		}
6458 
6459 		wiphy = &rdev->wiphy;
6460 		self_managed = wiphy->regulatory_flags &
6461 			       REGULATORY_WIPHY_SELF_MANAGED;
6462 		regdom = get_wiphy_regdom(wiphy);
6463 
6464 		/* a self-managed-reg device must have a private regdom */
6465 		if (WARN_ON(!regdom && self_managed)) {
6466 			nlmsg_free(msg);
6467 			return -EINVAL;
6468 		}
6469 
6470 		if (regdom &&
6471 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6472 			goto nla_put_failure;
6473 	}
6474 
6475 	if (!wiphy && reg_last_request_cell_base() &&
6476 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6477 			NL80211_USER_REG_HINT_CELL_BASE))
6478 		goto nla_put_failure;
6479 
6480 	rcu_read_lock();
6481 
6482 	if (!regdom)
6483 		regdom = rcu_dereference(cfg80211_regdomain);
6484 
6485 	if (nl80211_put_regdom(regdom, msg))
6486 		goto nla_put_failure_rcu;
6487 
6488 	rcu_read_unlock();
6489 
6490 	genlmsg_end(msg, hdr);
6491 	return genlmsg_reply(msg, info);
6492 
6493 nla_put_failure_rcu:
6494 	rcu_read_unlock();
6495 nla_put_failure:
6496 put_failure:
6497 	nlmsg_free(msg);
6498 	return -EMSGSIZE;
6499 }
6500 
6501 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
6502 			       u32 seq, int flags, struct wiphy *wiphy,
6503 			       const struct ieee80211_regdomain *regdom)
6504 {
6505 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
6506 				   NL80211_CMD_GET_REG);
6507 
6508 	if (!hdr)
6509 		return -1;
6510 
6511 	genl_dump_check_consistent(cb, hdr);
6512 
6513 	if (nl80211_put_regdom(regdom, msg))
6514 		goto nla_put_failure;
6515 
6516 	if (!wiphy && reg_last_request_cell_base() &&
6517 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
6518 			NL80211_USER_REG_HINT_CELL_BASE))
6519 		goto nla_put_failure;
6520 
6521 	if (wiphy &&
6522 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
6523 		goto nla_put_failure;
6524 
6525 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
6526 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
6527 		goto nla_put_failure;
6528 
6529 	genlmsg_end(msg, hdr);
6530 	return 0;
6531 
6532 nla_put_failure:
6533 	genlmsg_cancel(msg, hdr);
6534 	return -EMSGSIZE;
6535 }
6536 
6537 static int nl80211_get_reg_dump(struct sk_buff *skb,
6538 				struct netlink_callback *cb)
6539 {
6540 	const struct ieee80211_regdomain *regdom = NULL;
6541 	struct cfg80211_registered_device *rdev;
6542 	int err, reg_idx, start = cb->args[2];
6543 
6544 	rtnl_lock();
6545 
6546 	if (cfg80211_regdomain && start == 0) {
6547 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6548 					  NLM_F_MULTI, NULL,
6549 					  rtnl_dereference(cfg80211_regdomain));
6550 		if (err < 0)
6551 			goto out_err;
6552 	}
6553 
6554 	/* the global regdom is idx 0 */
6555 	reg_idx = 1;
6556 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
6557 		regdom = get_wiphy_regdom(&rdev->wiphy);
6558 		if (!regdom)
6559 			continue;
6560 
6561 		if (++reg_idx <= start)
6562 			continue;
6563 
6564 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
6565 					  NLM_F_MULTI, &rdev->wiphy, regdom);
6566 		if (err < 0) {
6567 			reg_idx--;
6568 			break;
6569 		}
6570 	}
6571 
6572 	cb->args[2] = reg_idx;
6573 	err = skb->len;
6574 out_err:
6575 	rtnl_unlock();
6576 	return err;
6577 }
6578 
6579 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
6580 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
6581 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
6582 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
6583 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
6584 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
6585 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
6586 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
6587 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
6588 };
6589 
6590 static int parse_reg_rule(struct nlattr *tb[],
6591 	struct ieee80211_reg_rule *reg_rule)
6592 {
6593 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
6594 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
6595 
6596 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
6597 		return -EINVAL;
6598 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
6599 		return -EINVAL;
6600 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
6601 		return -EINVAL;
6602 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
6603 		return -EINVAL;
6604 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
6605 		return -EINVAL;
6606 
6607 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
6608 
6609 	freq_range->start_freq_khz =
6610 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
6611 	freq_range->end_freq_khz =
6612 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
6613 	freq_range->max_bandwidth_khz =
6614 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
6615 
6616 	power_rule->max_eirp =
6617 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
6618 
6619 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
6620 		power_rule->max_antenna_gain =
6621 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
6622 
6623 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
6624 		reg_rule->dfs_cac_ms =
6625 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
6626 
6627 	return 0;
6628 }
6629 
6630 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
6631 {
6632 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
6633 	struct nlattr *nl_reg_rule;
6634 	char *alpha2;
6635 	int rem_reg_rules, r;
6636 	u32 num_rules = 0, rule_idx = 0, size_of_regd;
6637 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
6638 	struct ieee80211_regdomain *rd;
6639 
6640 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6641 		return -EINVAL;
6642 
6643 	if (!info->attrs[NL80211_ATTR_REG_RULES])
6644 		return -EINVAL;
6645 
6646 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6647 
6648 	if (info->attrs[NL80211_ATTR_DFS_REGION])
6649 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
6650 
6651 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6652 			    rem_reg_rules) {
6653 		num_rules++;
6654 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
6655 			return -EINVAL;
6656 	}
6657 
6658 	if (!reg_is_valid_request(alpha2))
6659 		return -EINVAL;
6660 
6661 	size_of_regd = sizeof(struct ieee80211_regdomain) +
6662 		       num_rules * sizeof(struct ieee80211_reg_rule);
6663 
6664 	rd = kzalloc(size_of_regd, GFP_KERNEL);
6665 	if (!rd)
6666 		return -ENOMEM;
6667 
6668 	rd->n_reg_rules = num_rules;
6669 	rd->alpha2[0] = alpha2[0];
6670 	rd->alpha2[1] = alpha2[1];
6671 
6672 	/*
6673 	 * Disable DFS master mode if the DFS region was
6674 	 * not supported or known on this kernel.
6675 	 */
6676 	if (reg_supported_dfs_region(dfs_region))
6677 		rd->dfs_region = dfs_region;
6678 
6679 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
6680 			    rem_reg_rules) {
6681 		r = nla_parse_nested(tb, NL80211_REG_RULE_ATTR_MAX,
6682 				     nl_reg_rule, reg_rule_policy,
6683 				     info->extack);
6684 		if (r)
6685 			goto bad_reg;
6686 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
6687 		if (r)
6688 			goto bad_reg;
6689 
6690 		rule_idx++;
6691 
6692 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
6693 			r = -EINVAL;
6694 			goto bad_reg;
6695 		}
6696 	}
6697 
6698 	/* set_regdom takes ownership of rd */
6699 	return set_regdom(rd, REGD_SOURCE_CRDA);
6700  bad_reg:
6701 	kfree(rd);
6702 	return r;
6703 }
6704 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
6705 
6706 static int validate_scan_freqs(struct nlattr *freqs)
6707 {
6708 	struct nlattr *attr1, *attr2;
6709 	int n_channels = 0, tmp1, tmp2;
6710 
6711 	nla_for_each_nested(attr1, freqs, tmp1)
6712 		if (nla_len(attr1) != sizeof(u32))
6713 			return 0;
6714 
6715 	nla_for_each_nested(attr1, freqs, tmp1) {
6716 		n_channels++;
6717 		/*
6718 		 * Some hardware has a limited channel list for
6719 		 * scanning, and it is pretty much nonsensical
6720 		 * to scan for a channel twice, so disallow that
6721 		 * and don't require drivers to check that the
6722 		 * channel list they get isn't longer than what
6723 		 * they can scan, as long as they can scan all
6724 		 * the channels they registered at once.
6725 		 */
6726 		nla_for_each_nested(attr2, freqs, tmp2)
6727 			if (attr1 != attr2 &&
6728 			    nla_get_u32(attr1) == nla_get_u32(attr2))
6729 				return 0;
6730 	}
6731 
6732 	return n_channels;
6733 }
6734 
6735 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
6736 {
6737 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
6738 }
6739 
6740 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
6741 			    struct cfg80211_bss_selection *bss_select)
6742 {
6743 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
6744 	struct nlattr *nest;
6745 	int err;
6746 	bool found = false;
6747 	int i;
6748 
6749 	/* only process one nested attribute */
6750 	nest = nla_data(nla);
6751 	if (!nla_ok(nest, nla_len(nest)))
6752 		return -EINVAL;
6753 
6754 	err = nla_parse_nested(attr, NL80211_BSS_SELECT_ATTR_MAX, nest,
6755 			       nl80211_bss_select_policy, NULL);
6756 	if (err)
6757 		return err;
6758 
6759 	/* only one attribute may be given */
6760 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
6761 		if (attr[i]) {
6762 			if (found)
6763 				return -EINVAL;
6764 			found = true;
6765 		}
6766 	}
6767 
6768 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
6769 
6770 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
6771 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
6772 
6773 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
6774 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
6775 		bss_select->param.band_pref =
6776 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
6777 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
6778 			return -EINVAL;
6779 	}
6780 
6781 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
6782 		struct nl80211_bss_select_rssi_adjust *adj_param;
6783 
6784 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
6785 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
6786 		bss_select->param.adjust.band = adj_param->band;
6787 		bss_select->param.adjust.delta = adj_param->delta;
6788 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
6789 			return -EINVAL;
6790 	}
6791 
6792 	/* user-space did not provide behaviour attribute */
6793 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
6794 		return -EINVAL;
6795 
6796 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
6797 		return -EINVAL;
6798 
6799 	return 0;
6800 }
6801 
6802 static int nl80211_parse_random_mac(struct nlattr **attrs,
6803 				    u8 *mac_addr, u8 *mac_addr_mask)
6804 {
6805 	int i;
6806 
6807 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
6808 		eth_zero_addr(mac_addr);
6809 		eth_zero_addr(mac_addr_mask);
6810 		mac_addr[0] = 0x2;
6811 		mac_addr_mask[0] = 0x3;
6812 
6813 		return 0;
6814 	}
6815 
6816 	/* need both or none */
6817 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
6818 		return -EINVAL;
6819 
6820 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
6821 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
6822 
6823 	/* don't allow or configure an mcast address */
6824 	if (!is_multicast_ether_addr(mac_addr_mask) ||
6825 	    is_multicast_ether_addr(mac_addr))
6826 		return -EINVAL;
6827 
6828 	/*
6829 	 * allow users to pass a MAC address that has bits set outside
6830 	 * of the mask, but don't bother drivers with having to deal
6831 	 * with such bits
6832 	 */
6833 	for (i = 0; i < ETH_ALEN; i++)
6834 		mac_addr[i] &= mac_addr_mask[i];
6835 
6836 	return 0;
6837 }
6838 
6839 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
6840 {
6841 	ASSERT_WDEV_LOCK(wdev);
6842 
6843 	if (!cfg80211_beaconing_iface_active(wdev))
6844 		return true;
6845 
6846 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
6847 		return true;
6848 
6849 	return regulatory_pre_cac_allowed(wdev->wiphy);
6850 }
6851 
6852 static int
6853 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
6854 			 void *request, struct nlattr **attrs,
6855 			 bool is_sched_scan)
6856 {
6857 	u8 *mac_addr, *mac_addr_mask;
6858 	u32 *flags;
6859 	enum nl80211_feature_flags randomness_flag;
6860 
6861 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
6862 		return 0;
6863 
6864 	if (is_sched_scan) {
6865 		struct cfg80211_sched_scan_request *req = request;
6866 
6867 		randomness_flag = wdev ?
6868 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
6869 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
6870 		flags = &req->flags;
6871 		mac_addr = req->mac_addr;
6872 		mac_addr_mask = req->mac_addr_mask;
6873 	} else {
6874 		struct cfg80211_scan_request *req = request;
6875 
6876 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
6877 		flags = &req->flags;
6878 		mac_addr = req->mac_addr;
6879 		mac_addr_mask = req->mac_addr_mask;
6880 	}
6881 
6882 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
6883 
6884 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
6885 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
6886 	    ((*flags & NL80211_SCAN_FLAG_LOW_SPAN) &&
6887 	     !wiphy_ext_feature_isset(wiphy,
6888 				      NL80211_EXT_FEATURE_LOW_SPAN_SCAN)) ||
6889 	    ((*flags & NL80211_SCAN_FLAG_LOW_POWER) &&
6890 	     !wiphy_ext_feature_isset(wiphy,
6891 				      NL80211_EXT_FEATURE_LOW_POWER_SCAN)) ||
6892 	    ((*flags & NL80211_SCAN_FLAG_HIGH_ACCURACY) &&
6893 	     !wiphy_ext_feature_isset(wiphy,
6894 				      NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN)))
6895 		return -EOPNOTSUPP;
6896 
6897 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
6898 		int err;
6899 
6900 		if (!(wiphy->features & randomness_flag) ||
6901 		    (wdev && wdev->current_bss))
6902 			return -EOPNOTSUPP;
6903 
6904 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
6905 		if (err)
6906 			return err;
6907 	}
6908 
6909 	if ((*flags & NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME) &&
6910 	    !wiphy_ext_feature_isset(wiphy,
6911 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME))
6912 		return -EOPNOTSUPP;
6913 
6914 	if ((*flags & NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP) &&
6915 	   !wiphy_ext_feature_isset(wiphy,
6916 				    NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP))
6917 		return -EOPNOTSUPP;
6918 
6919 	if ((*flags & NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) &&
6920 	    !wiphy_ext_feature_isset(wiphy,
6921 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION))
6922 		return -EOPNOTSUPP;
6923 
6924 	if ((*flags & NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE) &&
6925 	    !wiphy_ext_feature_isset(wiphy,
6926 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE))
6927 		return -EOPNOTSUPP;
6928 
6929 	return 0;
6930 }
6931 
6932 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
6933 {
6934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6935 	struct wireless_dev *wdev = info->user_ptr[1];
6936 	struct cfg80211_scan_request *request;
6937 	struct nlattr *attr;
6938 	struct wiphy *wiphy;
6939 	int err, tmp, n_ssids = 0, n_channels, i;
6940 	size_t ie_len;
6941 
6942 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
6943 		return -EINVAL;
6944 
6945 	wiphy = &rdev->wiphy;
6946 
6947 	if (wdev->iftype == NL80211_IFTYPE_NAN)
6948 		return -EOPNOTSUPP;
6949 
6950 	if (!rdev->ops->scan)
6951 		return -EOPNOTSUPP;
6952 
6953 	if (rdev->scan_req || rdev->scan_msg) {
6954 		err = -EBUSY;
6955 		goto unlock;
6956 	}
6957 
6958 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
6959 		n_channels = validate_scan_freqs(
6960 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
6961 		if (!n_channels) {
6962 			err = -EINVAL;
6963 			goto unlock;
6964 		}
6965 	} else {
6966 		n_channels = ieee80211_get_num_supported_channels(wiphy);
6967 	}
6968 
6969 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
6970 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
6971 			n_ssids++;
6972 
6973 	if (n_ssids > wiphy->max_scan_ssids) {
6974 		err = -EINVAL;
6975 		goto unlock;
6976 	}
6977 
6978 	if (info->attrs[NL80211_ATTR_IE])
6979 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
6980 	else
6981 		ie_len = 0;
6982 
6983 	if (ie_len > wiphy->max_scan_ie_len) {
6984 		err = -EINVAL;
6985 		goto unlock;
6986 	}
6987 
6988 	request = kzalloc(sizeof(*request)
6989 			+ sizeof(*request->ssids) * n_ssids
6990 			+ sizeof(*request->channels) * n_channels
6991 			+ ie_len, GFP_KERNEL);
6992 	if (!request) {
6993 		err = -ENOMEM;
6994 		goto unlock;
6995 	}
6996 
6997 	if (n_ssids)
6998 		request->ssids = (void *)&request->channels[n_channels];
6999 	request->n_ssids = n_ssids;
7000 	if (ie_len) {
7001 		if (n_ssids)
7002 			request->ie = (void *)(request->ssids + n_ssids);
7003 		else
7004 			request->ie = (void *)(request->channels + n_channels);
7005 	}
7006 
7007 	i = 0;
7008 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7009 		/* user specified, bail out if channel not found */
7010 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7011 			struct ieee80211_channel *chan;
7012 
7013 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7014 
7015 			if (!chan) {
7016 				err = -EINVAL;
7017 				goto out_free;
7018 			}
7019 
7020 			/* ignore disabled channels */
7021 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7022 				continue;
7023 
7024 			request->channels[i] = chan;
7025 			i++;
7026 		}
7027 	} else {
7028 		enum nl80211_band band;
7029 
7030 		/* all channels */
7031 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7032 			int j;
7033 
7034 			if (!wiphy->bands[band])
7035 				continue;
7036 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7037 				struct ieee80211_channel *chan;
7038 
7039 				chan = &wiphy->bands[band]->channels[j];
7040 
7041 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7042 					continue;
7043 
7044 				request->channels[i] = chan;
7045 				i++;
7046 			}
7047 		}
7048 	}
7049 
7050 	if (!i) {
7051 		err = -EINVAL;
7052 		goto out_free;
7053 	}
7054 
7055 	request->n_channels = i;
7056 
7057 	wdev_lock(wdev);
7058 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7059 		struct ieee80211_channel *chan;
7060 
7061 		if (request->n_channels != 1) {
7062 			wdev_unlock(wdev);
7063 			err = -EBUSY;
7064 			goto out_free;
7065 		}
7066 
7067 		chan = request->channels[0];
7068 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7069 			wdev_unlock(wdev);
7070 			err = -EBUSY;
7071 			goto out_free;
7072 		}
7073 	}
7074 	wdev_unlock(wdev);
7075 
7076 	i = 0;
7077 	if (n_ssids) {
7078 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7079 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7080 				err = -EINVAL;
7081 				goto out_free;
7082 			}
7083 			request->ssids[i].ssid_len = nla_len(attr);
7084 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7085 			i++;
7086 		}
7087 	}
7088 
7089 	if (info->attrs[NL80211_ATTR_IE]) {
7090 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7091 		memcpy((void *)request->ie,
7092 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7093 		       request->ie_len);
7094 	}
7095 
7096 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7097 		if (wiphy->bands[i])
7098 			request->rates[i] =
7099 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7100 
7101 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7102 		nla_for_each_nested(attr,
7103 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7104 				    tmp) {
7105 			enum nl80211_band band = nla_type(attr);
7106 
7107 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7108 				err = -EINVAL;
7109 				goto out_free;
7110 			}
7111 
7112 			if (!wiphy->bands[band])
7113 				continue;
7114 
7115 			err = ieee80211_get_ratemask(wiphy->bands[band],
7116 						     nla_data(attr),
7117 						     nla_len(attr),
7118 						     &request->rates[band]);
7119 			if (err)
7120 				goto out_free;
7121 		}
7122 	}
7123 
7124 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7125 		if (!wiphy_ext_feature_isset(wiphy,
7126 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7127 			err = -EOPNOTSUPP;
7128 			goto out_free;
7129 		}
7130 
7131 		request->duration =
7132 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7133 		request->duration_mandatory =
7134 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7135 	}
7136 
7137 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7138 				       false);
7139 	if (err)
7140 		goto out_free;
7141 
7142 	request->no_cck =
7143 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7144 
7145 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7146 	 * BSSID to scan for. This was problematic because that same attribute
7147 	 * was already used for another purpose (local random MAC address). The
7148 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7149 	 * compatibility with older userspace components, also use the
7150 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7151 	 * the specific BSSID use case instead of the random MAC address
7152 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7153 	 */
7154 	if (info->attrs[NL80211_ATTR_BSSID])
7155 		memcpy(request->bssid,
7156 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7157 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7158 		 info->attrs[NL80211_ATTR_MAC])
7159 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7160 		       ETH_ALEN);
7161 	else
7162 		eth_broadcast_addr(request->bssid);
7163 
7164 	request->wdev = wdev;
7165 	request->wiphy = &rdev->wiphy;
7166 	request->scan_start = jiffies;
7167 
7168 	rdev->scan_req = request;
7169 	err = rdev_scan(rdev, request);
7170 
7171 	if (!err) {
7172 		nl80211_send_scan_start(rdev, wdev);
7173 		if (wdev->netdev)
7174 			dev_hold(wdev->netdev);
7175 	} else {
7176  out_free:
7177 		rdev->scan_req = NULL;
7178 		kfree(request);
7179 	}
7180 
7181  unlock:
7182 	return err;
7183 }
7184 
7185 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7186 {
7187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7188 	struct wireless_dev *wdev = info->user_ptr[1];
7189 
7190 	if (!rdev->ops->abort_scan)
7191 		return -EOPNOTSUPP;
7192 
7193 	if (rdev->scan_msg)
7194 		return 0;
7195 
7196 	if (!rdev->scan_req)
7197 		return -ENOENT;
7198 
7199 	rdev_abort_scan(rdev, wdev);
7200 	return 0;
7201 }
7202 
7203 static int
7204 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
7205 			       struct cfg80211_sched_scan_request *request,
7206 			       struct nlattr **attrs)
7207 {
7208 	int tmp, err, i = 0;
7209 	struct nlattr *attr;
7210 
7211 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7212 		u32 interval;
7213 
7214 		/*
7215 		 * If scan plans are not specified,
7216 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
7217 		 * case one scan plan will be set with the specified scan
7218 		 * interval and infinite number of iterations.
7219 		 */
7220 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
7221 		if (!interval)
7222 			return -EINVAL;
7223 
7224 		request->scan_plans[0].interval =
7225 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
7226 		if (!request->scan_plans[0].interval)
7227 			return -EINVAL;
7228 
7229 		if (request->scan_plans[0].interval >
7230 		    wiphy->max_sched_scan_plan_interval)
7231 			request->scan_plans[0].interval =
7232 				wiphy->max_sched_scan_plan_interval;
7233 
7234 		return 0;
7235 	}
7236 
7237 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
7238 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
7239 
7240 		if (WARN_ON(i >= n_plans))
7241 			return -EINVAL;
7242 
7243 		err = nla_parse_nested(plan, NL80211_SCHED_SCAN_PLAN_MAX,
7244 				       attr, nl80211_plan_policy, NULL);
7245 		if (err)
7246 			return err;
7247 
7248 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
7249 			return -EINVAL;
7250 
7251 		request->scan_plans[i].interval =
7252 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
7253 		if (!request->scan_plans[i].interval ||
7254 		    request->scan_plans[i].interval >
7255 		    wiphy->max_sched_scan_plan_interval)
7256 			return -EINVAL;
7257 
7258 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
7259 			request->scan_plans[i].iterations =
7260 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
7261 			if (!request->scan_plans[i].iterations ||
7262 			    (request->scan_plans[i].iterations >
7263 			     wiphy->max_sched_scan_plan_iterations))
7264 				return -EINVAL;
7265 		} else if (i < n_plans - 1) {
7266 			/*
7267 			 * All scan plans but the last one must specify
7268 			 * a finite number of iterations
7269 			 */
7270 			return -EINVAL;
7271 		}
7272 
7273 		i++;
7274 	}
7275 
7276 	/*
7277 	 * The last scan plan must not specify the number of
7278 	 * iterations, it is supposed to run infinitely
7279 	 */
7280 	if (request->scan_plans[n_plans - 1].iterations)
7281 		return  -EINVAL;
7282 
7283 	return 0;
7284 }
7285 
7286 static struct cfg80211_sched_scan_request *
7287 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
7288 			 struct nlattr **attrs, int max_match_sets)
7289 {
7290 	struct cfg80211_sched_scan_request *request;
7291 	struct nlattr *attr;
7292 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
7293 	enum nl80211_band band;
7294 	size_t ie_len;
7295 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
7296 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
7297 
7298 	if (!is_valid_ie_attr(attrs[NL80211_ATTR_IE]))
7299 		return ERR_PTR(-EINVAL);
7300 
7301 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7302 		n_channels = validate_scan_freqs(
7303 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7304 		if (!n_channels)
7305 			return ERR_PTR(-EINVAL);
7306 	} else {
7307 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7308 	}
7309 
7310 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
7311 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7312 				    tmp)
7313 			n_ssids++;
7314 
7315 	if (n_ssids > wiphy->max_sched_scan_ssids)
7316 		return ERR_PTR(-EINVAL);
7317 
7318 	/*
7319 	 * First, count the number of 'real' matchsets. Due to an issue with
7320 	 * the old implementation, matchsets containing only the RSSI attribute
7321 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
7322 	 * RSSI for all matchsets, rather than their own matchset for reporting
7323 	 * all APs with a strong RSSI. This is needed to be compatible with
7324 	 * older userspace that treated a matchset with only the RSSI as the
7325 	 * global RSSI for all other matchsets - if there are other matchsets.
7326 	 */
7327 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7328 		nla_for_each_nested(attr,
7329 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7330 				    tmp) {
7331 			struct nlattr *rssi;
7332 
7333 			err = nla_parse_nested(tb,
7334 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7335 					       attr, nl80211_match_policy,
7336 					       NULL);
7337 			if (err)
7338 				return ERR_PTR(err);
7339 
7340 			/* SSID and BSSID are mutually exclusive */
7341 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
7342 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
7343 				return ERR_PTR(-EINVAL);
7344 
7345 			/* add other standalone attributes here */
7346 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
7347 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
7348 				n_match_sets++;
7349 				continue;
7350 			}
7351 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7352 			if (rssi)
7353 				default_match_rssi = nla_get_s32(rssi);
7354 		}
7355 	}
7356 
7357 	/* However, if there's no other matchset, add the RSSI one */
7358 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
7359 		n_match_sets = 1;
7360 
7361 	if (n_match_sets > max_match_sets)
7362 		return ERR_PTR(-EINVAL);
7363 
7364 	if (attrs[NL80211_ATTR_IE])
7365 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
7366 	else
7367 		ie_len = 0;
7368 
7369 	if (ie_len > wiphy->max_sched_scan_ie_len)
7370 		return ERR_PTR(-EINVAL);
7371 
7372 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
7373 		/*
7374 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
7375 		 * each scan plan already specifies its own interval
7376 		 */
7377 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7378 			return ERR_PTR(-EINVAL);
7379 
7380 		nla_for_each_nested(attr,
7381 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
7382 			n_plans++;
7383 	} else {
7384 		/*
7385 		 * The scan interval attribute is kept for backward
7386 		 * compatibility. If no scan plans are specified and sched scan
7387 		 * interval is specified, one scan plan will be set with this
7388 		 * scan interval and infinite number of iterations.
7389 		 */
7390 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
7391 			return ERR_PTR(-EINVAL);
7392 
7393 		n_plans = 1;
7394 	}
7395 
7396 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
7397 		return ERR_PTR(-EINVAL);
7398 
7399 	if (!wiphy_ext_feature_isset(
7400 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
7401 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
7402 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
7403 		return ERR_PTR(-EINVAL);
7404 
7405 	request = kzalloc(sizeof(*request)
7406 			+ sizeof(*request->ssids) * n_ssids
7407 			+ sizeof(*request->match_sets) * n_match_sets
7408 			+ sizeof(*request->scan_plans) * n_plans
7409 			+ sizeof(*request->channels) * n_channels
7410 			+ ie_len, GFP_KERNEL);
7411 	if (!request)
7412 		return ERR_PTR(-ENOMEM);
7413 
7414 	if (n_ssids)
7415 		request->ssids = (void *)&request->channels[n_channels];
7416 	request->n_ssids = n_ssids;
7417 	if (ie_len) {
7418 		if (n_ssids)
7419 			request->ie = (void *)(request->ssids + n_ssids);
7420 		else
7421 			request->ie = (void *)(request->channels + n_channels);
7422 	}
7423 
7424 	if (n_match_sets) {
7425 		if (request->ie)
7426 			request->match_sets = (void *)(request->ie + ie_len);
7427 		else if (n_ssids)
7428 			request->match_sets =
7429 				(void *)(request->ssids + n_ssids);
7430 		else
7431 			request->match_sets =
7432 				(void *)(request->channels + n_channels);
7433 	}
7434 	request->n_match_sets = n_match_sets;
7435 
7436 	if (n_match_sets)
7437 		request->scan_plans = (void *)(request->match_sets +
7438 					       n_match_sets);
7439 	else if (request->ie)
7440 		request->scan_plans = (void *)(request->ie + ie_len);
7441 	else if (n_ssids)
7442 		request->scan_plans = (void *)(request->ssids + n_ssids);
7443 	else
7444 		request->scan_plans = (void *)(request->channels + n_channels);
7445 
7446 	request->n_scan_plans = n_plans;
7447 
7448 	i = 0;
7449 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7450 		/* user specified, bail out if channel not found */
7451 		nla_for_each_nested(attr,
7452 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
7453 				    tmp) {
7454 			struct ieee80211_channel *chan;
7455 
7456 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7457 
7458 			if (!chan) {
7459 				err = -EINVAL;
7460 				goto out_free;
7461 			}
7462 
7463 			/* ignore disabled channels */
7464 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7465 				continue;
7466 
7467 			request->channels[i] = chan;
7468 			i++;
7469 		}
7470 	} else {
7471 		/* all channels */
7472 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7473 			int j;
7474 
7475 			if (!wiphy->bands[band])
7476 				continue;
7477 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7478 				struct ieee80211_channel *chan;
7479 
7480 				chan = &wiphy->bands[band]->channels[j];
7481 
7482 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7483 					continue;
7484 
7485 				request->channels[i] = chan;
7486 				i++;
7487 			}
7488 		}
7489 	}
7490 
7491 	if (!i) {
7492 		err = -EINVAL;
7493 		goto out_free;
7494 	}
7495 
7496 	request->n_channels = i;
7497 
7498 	i = 0;
7499 	if (n_ssids) {
7500 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
7501 				    tmp) {
7502 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7503 				err = -EINVAL;
7504 				goto out_free;
7505 			}
7506 			request->ssids[i].ssid_len = nla_len(attr);
7507 			memcpy(request->ssids[i].ssid, nla_data(attr),
7508 			       nla_len(attr));
7509 			i++;
7510 		}
7511 	}
7512 
7513 	i = 0;
7514 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
7515 		nla_for_each_nested(attr,
7516 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
7517 				    tmp) {
7518 			struct nlattr *ssid, *bssid, *rssi;
7519 
7520 			err = nla_parse_nested(tb,
7521 					       NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
7522 					       attr, nl80211_match_policy,
7523 					       NULL);
7524 			if (err)
7525 				goto out_free;
7526 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
7527 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
7528 			if (ssid || bssid) {
7529 				if (WARN_ON(i >= n_match_sets)) {
7530 					/* this indicates a programming error,
7531 					 * the loop above should have verified
7532 					 * things properly
7533 					 */
7534 					err = -EINVAL;
7535 					goto out_free;
7536 				}
7537 
7538 				if (ssid) {
7539 					if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
7540 						err = -EINVAL;
7541 						goto out_free;
7542 					}
7543 					memcpy(request->match_sets[i].ssid.ssid,
7544 					       nla_data(ssid), nla_len(ssid));
7545 					request->match_sets[i].ssid.ssid_len =
7546 						nla_len(ssid);
7547 				}
7548 				if (bssid) {
7549 					if (nla_len(bssid) != ETH_ALEN) {
7550 						err = -EINVAL;
7551 						goto out_free;
7552 					}
7553 					memcpy(request->match_sets[i].bssid,
7554 					       nla_data(bssid), ETH_ALEN);
7555 				}
7556 
7557 				/* special attribute - old implementation w/a */
7558 				request->match_sets[i].rssi_thold =
7559 					default_match_rssi;
7560 				rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
7561 				if (rssi)
7562 					request->match_sets[i].rssi_thold =
7563 						nla_get_s32(rssi);
7564 			}
7565 			i++;
7566 		}
7567 
7568 		/* there was no other matchset, so the RSSI one is alone */
7569 		if (i == 0 && n_match_sets)
7570 			request->match_sets[0].rssi_thold = default_match_rssi;
7571 
7572 		request->min_rssi_thold = INT_MAX;
7573 		for (i = 0; i < n_match_sets; i++)
7574 			request->min_rssi_thold =
7575 				min(request->match_sets[i].rssi_thold,
7576 				    request->min_rssi_thold);
7577 	} else {
7578 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
7579 	}
7580 
7581 	if (ie_len) {
7582 		request->ie_len = ie_len;
7583 		memcpy((void *)request->ie,
7584 		       nla_data(attrs[NL80211_ATTR_IE]),
7585 		       request->ie_len);
7586 	}
7587 
7588 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
7589 	if (err)
7590 		goto out_free;
7591 
7592 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
7593 		request->delay =
7594 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
7595 
7596 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
7597 		request->relative_rssi = nla_get_s8(
7598 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
7599 		request->relative_rssi_set = true;
7600 	}
7601 
7602 	if (request->relative_rssi_set &&
7603 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
7604 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
7605 
7606 		rssi_adjust = nla_data(
7607 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
7608 		request->rssi_adjust.band = rssi_adjust->band;
7609 		request->rssi_adjust.delta = rssi_adjust->delta;
7610 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
7611 			err = -EINVAL;
7612 			goto out_free;
7613 		}
7614 	}
7615 
7616 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
7617 	if (err)
7618 		goto out_free;
7619 
7620 	request->scan_start = jiffies;
7621 
7622 	return request;
7623 
7624 out_free:
7625 	kfree(request);
7626 	return ERR_PTR(err);
7627 }
7628 
7629 static int nl80211_start_sched_scan(struct sk_buff *skb,
7630 				    struct genl_info *info)
7631 {
7632 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7633 	struct net_device *dev = info->user_ptr[1];
7634 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7635 	struct cfg80211_sched_scan_request *sched_scan_req;
7636 	bool want_multi;
7637 	int err;
7638 
7639 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
7640 		return -EOPNOTSUPP;
7641 
7642 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
7643 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
7644 	if (err)
7645 		return err;
7646 
7647 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
7648 						  info->attrs,
7649 						  rdev->wiphy.max_match_sets);
7650 
7651 	err = PTR_ERR_OR_ZERO(sched_scan_req);
7652 	if (err)
7653 		goto out_err;
7654 
7655 	/* leave request id zero for legacy request
7656 	 * or if driver does not support multi-scheduled scan
7657 	 */
7658 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1) {
7659 		while (!sched_scan_req->reqid)
7660 			sched_scan_req->reqid = rdev->wiphy.cookie_counter++;
7661 	}
7662 
7663 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
7664 	if (err)
7665 		goto out_free;
7666 
7667 	sched_scan_req->dev = dev;
7668 	sched_scan_req->wiphy = &rdev->wiphy;
7669 
7670 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
7671 		sched_scan_req->owner_nlportid = info->snd_portid;
7672 
7673 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
7674 
7675 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
7676 	return 0;
7677 
7678 out_free:
7679 	kfree(sched_scan_req);
7680 out_err:
7681 	return err;
7682 }
7683 
7684 static int nl80211_stop_sched_scan(struct sk_buff *skb,
7685 				   struct genl_info *info)
7686 {
7687 	struct cfg80211_sched_scan_request *req;
7688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7689 	u64 cookie;
7690 
7691 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
7692 		return -EOPNOTSUPP;
7693 
7694 	if (info->attrs[NL80211_ATTR_COOKIE]) {
7695 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
7696 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
7697 	}
7698 
7699 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
7700 				     struct cfg80211_sched_scan_request,
7701 				     list);
7702 	if (!req || req->reqid ||
7703 	    (req->owner_nlportid &&
7704 	     req->owner_nlportid != info->snd_portid))
7705 		return -ENOENT;
7706 
7707 	return cfg80211_stop_sched_scan_req(rdev, req, false);
7708 }
7709 
7710 static int nl80211_start_radar_detection(struct sk_buff *skb,
7711 					 struct genl_info *info)
7712 {
7713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7714 	struct net_device *dev = info->user_ptr[1];
7715 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7716 	struct wiphy *wiphy = wdev->wiphy;
7717 	struct cfg80211_chan_def chandef;
7718 	enum nl80211_dfs_regions dfs_region;
7719 	unsigned int cac_time_ms;
7720 	int err;
7721 
7722 	dfs_region = reg_get_dfs_region(wiphy);
7723 	if (dfs_region == NL80211_DFS_UNSET)
7724 		return -EINVAL;
7725 
7726 	err = nl80211_parse_chandef(rdev, info, &chandef);
7727 	if (err)
7728 		return err;
7729 
7730 	if (netif_carrier_ok(dev))
7731 		return -EBUSY;
7732 
7733 	if (wdev->cac_started)
7734 		return -EBUSY;
7735 
7736 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
7737 	if (err < 0)
7738 		return err;
7739 
7740 	if (err == 0)
7741 		return -EINVAL;
7742 
7743 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
7744 		return -EINVAL;
7745 
7746 	/* CAC start is offloaded to HW and can't be started manually */
7747 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
7748 		return -EOPNOTSUPP;
7749 
7750 	if (!rdev->ops->start_radar_detection)
7751 		return -EOPNOTSUPP;
7752 
7753 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
7754 	if (WARN_ON(!cac_time_ms))
7755 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
7756 
7757 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
7758 	if (!err) {
7759 		wdev->chandef = chandef;
7760 		wdev->cac_started = true;
7761 		wdev->cac_start_time = jiffies;
7762 		wdev->cac_time_ms = cac_time_ms;
7763 	}
7764 	return err;
7765 }
7766 
7767 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
7768 {
7769 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7770 	struct net_device *dev = info->user_ptr[1];
7771 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7772 	struct cfg80211_csa_settings params;
7773 	/* csa_attrs is defined static to avoid waste of stack size - this
7774 	 * function is called under RTNL lock, so this should not be a problem.
7775 	 */
7776 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
7777 	int err;
7778 	bool need_new_beacon = false;
7779 	bool need_handle_dfs_flag = true;
7780 	int len, i;
7781 	u32 cs_count;
7782 
7783 	if (!rdev->ops->channel_switch ||
7784 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
7785 		return -EOPNOTSUPP;
7786 
7787 	switch (dev->ieee80211_ptr->iftype) {
7788 	case NL80211_IFTYPE_AP:
7789 	case NL80211_IFTYPE_P2P_GO:
7790 		need_new_beacon = true;
7791 		/* For all modes except AP the handle_dfs flag needs to be
7792 		 * supplied to tell the kernel that userspace will handle radar
7793 		 * events when they happen. Otherwise a switch to a channel
7794 		 * requiring DFS will be rejected.
7795 		 */
7796 		need_handle_dfs_flag = false;
7797 
7798 		/* useless if AP is not running */
7799 		if (!wdev->beacon_interval)
7800 			return -ENOTCONN;
7801 		break;
7802 	case NL80211_IFTYPE_ADHOC:
7803 		if (!wdev->ssid_len)
7804 			return -ENOTCONN;
7805 		break;
7806 	case NL80211_IFTYPE_MESH_POINT:
7807 		if (!wdev->mesh_id_len)
7808 			return -ENOTCONN;
7809 		break;
7810 	default:
7811 		return -EOPNOTSUPP;
7812 	}
7813 
7814 	memset(&params, 0, sizeof(params));
7815 
7816 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
7817 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
7818 		return -EINVAL;
7819 
7820 	/* only important for AP, IBSS and mesh create IEs internally */
7821 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
7822 		return -EINVAL;
7823 
7824 	/* Even though the attribute is u32, the specification says
7825 	 * u8, so let's make sure we don't overflow.
7826 	 */
7827 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
7828 	if (cs_count > 255)
7829 		return -EINVAL;
7830 
7831 	params.count = cs_count;
7832 
7833 	if (!need_new_beacon)
7834 		goto skip_beacons;
7835 
7836 	err = nl80211_parse_beacon(info->attrs, &params.beacon_after);
7837 	if (err)
7838 		return err;
7839 
7840 	err = nla_parse_nested(csa_attrs, NL80211_ATTR_MAX,
7841 			       info->attrs[NL80211_ATTR_CSA_IES],
7842 			       nl80211_policy, info->extack);
7843 	if (err)
7844 		return err;
7845 
7846 	err = nl80211_parse_beacon(csa_attrs, &params.beacon_csa);
7847 	if (err)
7848 		return err;
7849 
7850 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
7851 		return -EINVAL;
7852 
7853 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
7854 	if (!len || (len % sizeof(u16)))
7855 		return -EINVAL;
7856 
7857 	params.n_counter_offsets_beacon = len / sizeof(u16);
7858 	if (rdev->wiphy.max_num_csa_counters &&
7859 	    (params.n_counter_offsets_beacon >
7860 	     rdev->wiphy.max_num_csa_counters))
7861 		return -EINVAL;
7862 
7863 	params.counter_offsets_beacon =
7864 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
7865 
7866 	/* sanity checks - counters should fit and be the same */
7867 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
7868 		u16 offset = params.counter_offsets_beacon[i];
7869 
7870 		if (offset >= params.beacon_csa.tail_len)
7871 			return -EINVAL;
7872 
7873 		if (params.beacon_csa.tail[offset] != params.count)
7874 			return -EINVAL;
7875 	}
7876 
7877 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
7878 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
7879 		if (!len || (len % sizeof(u16)))
7880 			return -EINVAL;
7881 
7882 		params.n_counter_offsets_presp = len / sizeof(u16);
7883 		if (rdev->wiphy.max_num_csa_counters &&
7884 		    (params.n_counter_offsets_presp >
7885 		     rdev->wiphy.max_num_csa_counters))
7886 			return -EINVAL;
7887 
7888 		params.counter_offsets_presp =
7889 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
7890 
7891 		/* sanity checks - counters should fit and be the same */
7892 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
7893 			u16 offset = params.counter_offsets_presp[i];
7894 
7895 			if (offset >= params.beacon_csa.probe_resp_len)
7896 				return -EINVAL;
7897 
7898 			if (params.beacon_csa.probe_resp[offset] !=
7899 			    params.count)
7900 				return -EINVAL;
7901 		}
7902 	}
7903 
7904 skip_beacons:
7905 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
7906 	if (err)
7907 		return err;
7908 
7909 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
7910 					   wdev->iftype))
7911 		return -EINVAL;
7912 
7913 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
7914 					    &params.chandef,
7915 					    wdev->iftype);
7916 	if (err < 0)
7917 		return err;
7918 
7919 	if (err > 0) {
7920 		params.radar_required = true;
7921 		if (need_handle_dfs_flag &&
7922 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
7923 			return -EINVAL;
7924 		}
7925 	}
7926 
7927 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
7928 		params.block_tx = true;
7929 
7930 	wdev_lock(wdev);
7931 	err = rdev_channel_switch(rdev, dev, &params);
7932 	wdev_unlock(wdev);
7933 
7934 	return err;
7935 }
7936 
7937 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
7938 			    u32 seq, int flags,
7939 			    struct cfg80211_registered_device *rdev,
7940 			    struct wireless_dev *wdev,
7941 			    struct cfg80211_internal_bss *intbss)
7942 {
7943 	struct cfg80211_bss *res = &intbss->pub;
7944 	const struct cfg80211_bss_ies *ies;
7945 	void *hdr;
7946 	struct nlattr *bss;
7947 
7948 	ASSERT_WDEV_LOCK(wdev);
7949 
7950 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7951 			     NL80211_CMD_NEW_SCAN_RESULTS);
7952 	if (!hdr)
7953 		return -1;
7954 
7955 	genl_dump_check_consistent(cb, hdr);
7956 
7957 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
7958 		goto nla_put_failure;
7959 	if (wdev->netdev &&
7960 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
7961 		goto nla_put_failure;
7962 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
7963 			      NL80211_ATTR_PAD))
7964 		goto nla_put_failure;
7965 
7966 	bss = nla_nest_start(msg, NL80211_ATTR_BSS);
7967 	if (!bss)
7968 		goto nla_put_failure;
7969 	if ((!is_zero_ether_addr(res->bssid) &&
7970 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
7971 		goto nla_put_failure;
7972 
7973 	rcu_read_lock();
7974 	/* indicate whether we have probe response data or not */
7975 	if (rcu_access_pointer(res->proberesp_ies) &&
7976 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
7977 		goto fail_unlock_rcu;
7978 
7979 	/* this pointer prefers to be pointed to probe response data
7980 	 * but is always valid
7981 	 */
7982 	ies = rcu_dereference(res->ies);
7983 	if (ies) {
7984 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
7985 				      NL80211_BSS_PAD))
7986 			goto fail_unlock_rcu;
7987 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
7988 					ies->len, ies->data))
7989 			goto fail_unlock_rcu;
7990 	}
7991 
7992 	/* and this pointer is always (unless driver didn't know) beacon data */
7993 	ies = rcu_dereference(res->beacon_ies);
7994 	if (ies && ies->from_beacon) {
7995 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
7996 				      NL80211_BSS_PAD))
7997 			goto fail_unlock_rcu;
7998 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
7999 					ies->len, ies->data))
8000 			goto fail_unlock_rcu;
8001 	}
8002 	rcu_read_unlock();
8003 
8004 	if (res->beacon_interval &&
8005 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8006 		goto nla_put_failure;
8007 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8008 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8009 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8010 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8011 			jiffies_to_msecs(jiffies - intbss->ts)))
8012 		goto nla_put_failure;
8013 
8014 	if (intbss->parent_tsf &&
8015 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8016 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8017 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8018 		     intbss->parent_bssid)))
8019 		goto nla_put_failure;
8020 
8021 	if (intbss->ts_boottime &&
8022 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8023 			      intbss->ts_boottime, NL80211_BSS_PAD))
8024 		goto nla_put_failure;
8025 
8026 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8027 				intbss->pub.chain_signal,
8028 				NL80211_BSS_CHAIN_SIGNAL))
8029 		goto nla_put_failure;
8030 
8031 	switch (rdev->wiphy.signal_type) {
8032 	case CFG80211_SIGNAL_TYPE_MBM:
8033 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8034 			goto nla_put_failure;
8035 		break;
8036 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8037 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8038 			goto nla_put_failure;
8039 		break;
8040 	default:
8041 		break;
8042 	}
8043 
8044 	switch (wdev->iftype) {
8045 	case NL80211_IFTYPE_P2P_CLIENT:
8046 	case NL80211_IFTYPE_STATION:
8047 		if (intbss == wdev->current_bss &&
8048 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8049 				NL80211_BSS_STATUS_ASSOCIATED))
8050 			goto nla_put_failure;
8051 		break;
8052 	case NL80211_IFTYPE_ADHOC:
8053 		if (intbss == wdev->current_bss &&
8054 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8055 				NL80211_BSS_STATUS_IBSS_JOINED))
8056 			goto nla_put_failure;
8057 		break;
8058 	default:
8059 		break;
8060 	}
8061 
8062 	nla_nest_end(msg, bss);
8063 
8064 	genlmsg_end(msg, hdr);
8065 	return 0;
8066 
8067  fail_unlock_rcu:
8068 	rcu_read_unlock();
8069  nla_put_failure:
8070 	genlmsg_cancel(msg, hdr);
8071 	return -EMSGSIZE;
8072 }
8073 
8074 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8075 {
8076 	struct cfg80211_registered_device *rdev;
8077 	struct cfg80211_internal_bss *scan;
8078 	struct wireless_dev *wdev;
8079 	int start = cb->args[2], idx = 0;
8080 	int err;
8081 
8082 	rtnl_lock();
8083 	err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
8084 	if (err) {
8085 		rtnl_unlock();
8086 		return err;
8087 	}
8088 
8089 	wdev_lock(wdev);
8090 	spin_lock_bh(&rdev->bss_lock);
8091 
8092 	/*
8093 	 * dump_scan will be called multiple times to break up the scan results
8094 	 * into multiple messages.  It is unlikely that any more bss-es will be
8095 	 * expired after the first call, so only call only call this on the
8096 	 * first dump_scan invocation.
8097 	 */
8098 	if (start == 0)
8099 		cfg80211_bss_expire(rdev);
8100 
8101 	cb->seq = rdev->bss_generation;
8102 
8103 	list_for_each_entry(scan, &rdev->bss_list, list) {
8104 		if (++idx <= start)
8105 			continue;
8106 		if (nl80211_send_bss(skb, cb,
8107 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8108 				rdev, wdev, scan) < 0) {
8109 			idx--;
8110 			break;
8111 		}
8112 	}
8113 
8114 	spin_unlock_bh(&rdev->bss_lock);
8115 	wdev_unlock(wdev);
8116 
8117 	cb->args[2] = idx;
8118 	rtnl_unlock();
8119 
8120 	return skb->len;
8121 }
8122 
8123 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
8124 			       int flags, struct net_device *dev,
8125 			       bool allow_radio_stats,
8126 			       struct survey_info *survey)
8127 {
8128 	void *hdr;
8129 	struct nlattr *infoattr;
8130 
8131 	/* skip radio stats if userspace didn't request them */
8132 	if (!survey->channel && !allow_radio_stats)
8133 		return 0;
8134 
8135 	hdr = nl80211hdr_put(msg, portid, seq, flags,
8136 			     NL80211_CMD_NEW_SURVEY_RESULTS);
8137 	if (!hdr)
8138 		return -ENOMEM;
8139 
8140 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
8141 		goto nla_put_failure;
8142 
8143 	infoattr = nla_nest_start(msg, NL80211_ATTR_SURVEY_INFO);
8144 	if (!infoattr)
8145 		goto nla_put_failure;
8146 
8147 	if (survey->channel &&
8148 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
8149 			survey->channel->center_freq))
8150 		goto nla_put_failure;
8151 
8152 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
8153 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
8154 		goto nla_put_failure;
8155 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
8156 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
8157 		goto nla_put_failure;
8158 	if ((survey->filled & SURVEY_INFO_TIME) &&
8159 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
8160 			survey->time, NL80211_SURVEY_INFO_PAD))
8161 		goto nla_put_failure;
8162 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
8163 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
8164 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
8165 		goto nla_put_failure;
8166 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
8167 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
8168 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
8169 		goto nla_put_failure;
8170 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
8171 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
8172 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
8173 		goto nla_put_failure;
8174 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
8175 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
8176 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
8177 		goto nla_put_failure;
8178 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
8179 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
8180 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
8181 		goto nla_put_failure;
8182 
8183 	nla_nest_end(msg, infoattr);
8184 
8185 	genlmsg_end(msg, hdr);
8186 	return 0;
8187 
8188  nla_put_failure:
8189 	genlmsg_cancel(msg, hdr);
8190 	return -EMSGSIZE;
8191 }
8192 
8193 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
8194 {
8195 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
8196 	struct survey_info survey;
8197 	struct cfg80211_registered_device *rdev;
8198 	struct wireless_dev *wdev;
8199 	int survey_idx = cb->args[2];
8200 	int res;
8201 	bool radio_stats;
8202 
8203 	rtnl_lock();
8204 	res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
8205 	if (res)
8206 		goto out_err;
8207 
8208 	/* prepare_wdev_dump parsed the attributes */
8209 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
8210 
8211 	if (!wdev->netdev) {
8212 		res = -EINVAL;
8213 		goto out_err;
8214 	}
8215 
8216 	if (!rdev->ops->dump_survey) {
8217 		res = -EOPNOTSUPP;
8218 		goto out_err;
8219 	}
8220 
8221 	while (1) {
8222 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
8223 		if (res == -ENOENT)
8224 			break;
8225 		if (res)
8226 			goto out_err;
8227 
8228 		/* don't send disabled channels, but do send non-channel data */
8229 		if (survey.channel &&
8230 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
8231 			survey_idx++;
8232 			continue;
8233 		}
8234 
8235 		if (nl80211_send_survey(skb,
8236 				NETLINK_CB(cb->skb).portid,
8237 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8238 				wdev->netdev, radio_stats, &survey) < 0)
8239 			goto out;
8240 		survey_idx++;
8241 	}
8242 
8243  out:
8244 	cb->args[2] = survey_idx;
8245 	res = skb->len;
8246  out_err:
8247 	rtnl_unlock();
8248 	return res;
8249 }
8250 
8251 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
8252 {
8253 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
8254 				  NL80211_WPA_VERSION_2));
8255 }
8256 
8257 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
8258 {
8259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8260 	struct net_device *dev = info->user_ptr[1];
8261 	struct ieee80211_channel *chan;
8262 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
8263 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
8264 	enum nl80211_auth_type auth_type;
8265 	struct key_parse key;
8266 	bool local_state_change;
8267 
8268 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8269 		return -EINVAL;
8270 
8271 	if (!info->attrs[NL80211_ATTR_MAC])
8272 		return -EINVAL;
8273 
8274 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
8275 		return -EINVAL;
8276 
8277 	if (!info->attrs[NL80211_ATTR_SSID])
8278 		return -EINVAL;
8279 
8280 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
8281 		return -EINVAL;
8282 
8283 	err = nl80211_parse_key(info, &key);
8284 	if (err)
8285 		return err;
8286 
8287 	if (key.idx >= 0) {
8288 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
8289 			return -EINVAL;
8290 		if (!key.p.key || !key.p.key_len)
8291 			return -EINVAL;
8292 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
8293 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
8294 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
8295 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
8296 			return -EINVAL;
8297 		if (key.idx > 3)
8298 			return -EINVAL;
8299 	} else {
8300 		key.p.key_len = 0;
8301 		key.p.key = NULL;
8302 	}
8303 
8304 	if (key.idx >= 0) {
8305 		int i;
8306 		bool ok = false;
8307 
8308 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
8309 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
8310 				ok = true;
8311 				break;
8312 			}
8313 		}
8314 		if (!ok)
8315 			return -EINVAL;
8316 	}
8317 
8318 	if (!rdev->ops->auth)
8319 		return -EOPNOTSUPP;
8320 
8321 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8322 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8323 		return -EOPNOTSUPP;
8324 
8325 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8326 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8327 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8328 	if (!chan)
8329 		return -EINVAL;
8330 
8331 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8332 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8333 
8334 	if (info->attrs[NL80211_ATTR_IE]) {
8335 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8336 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8337 	}
8338 
8339 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
8340 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
8341 		return -EINVAL;
8342 
8343 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
8344 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
8345 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
8346 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
8347 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
8348 		return -EINVAL;
8349 
8350 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
8351 		if (auth_type != NL80211_AUTHTYPE_SAE &&
8352 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
8353 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
8354 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
8355 			return -EINVAL;
8356 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
8357 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
8358 		/* need to include at least Auth Transaction and Status Code */
8359 		if (auth_data_len < 4)
8360 			return -EINVAL;
8361 	}
8362 
8363 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8364 
8365 	/*
8366 	 * Since we no longer track auth state, ignore
8367 	 * requests to only change local state.
8368 	 */
8369 	if (local_state_change)
8370 		return 0;
8371 
8372 	wdev_lock(dev->ieee80211_ptr);
8373 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
8374 				 ssid, ssid_len, ie, ie_len,
8375 				 key.p.key, key.p.key_len, key.idx,
8376 				 auth_data, auth_data_len);
8377 	wdev_unlock(dev->ieee80211_ptr);
8378 	return err;
8379 }
8380 
8381 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
8382 				     struct genl_info *info)
8383 {
8384 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8385 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
8386 		return -EINVAL;
8387 	}
8388 
8389 	if (!rdev->ops->tx_control_port ||
8390 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8391 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
8392 		return -EOPNOTSUPP;
8393 
8394 	return 0;
8395 }
8396 
8397 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
8398 				   struct genl_info *info,
8399 				   struct cfg80211_crypto_settings *settings,
8400 				   int cipher_limit)
8401 {
8402 	memset(settings, 0, sizeof(*settings));
8403 
8404 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
8405 
8406 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
8407 		u16 proto;
8408 
8409 		proto = nla_get_u16(
8410 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
8411 		settings->control_port_ethertype = cpu_to_be16(proto);
8412 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
8413 		    proto != ETH_P_PAE)
8414 			return -EINVAL;
8415 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
8416 			settings->control_port_no_encrypt = true;
8417 	} else
8418 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
8419 
8420 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
8421 		int r = validate_pae_over_nl80211(rdev, info);
8422 
8423 		if (r < 0)
8424 			return r;
8425 
8426 		settings->control_port_over_nl80211 = true;
8427 	}
8428 
8429 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
8430 		void *data;
8431 		int len, i;
8432 
8433 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8434 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
8435 		settings->n_ciphers_pairwise = len / sizeof(u32);
8436 
8437 		if (len % sizeof(u32))
8438 			return -EINVAL;
8439 
8440 		if (settings->n_ciphers_pairwise > cipher_limit)
8441 			return -EINVAL;
8442 
8443 		memcpy(settings->ciphers_pairwise, data, len);
8444 
8445 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
8446 			if (!cfg80211_supported_cipher_suite(
8447 					&rdev->wiphy,
8448 					settings->ciphers_pairwise[i]))
8449 				return -EINVAL;
8450 	}
8451 
8452 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
8453 		settings->cipher_group =
8454 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
8455 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
8456 						     settings->cipher_group))
8457 			return -EINVAL;
8458 	}
8459 
8460 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
8461 		settings->wpa_versions =
8462 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
8463 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
8464 			return -EINVAL;
8465 	}
8466 
8467 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
8468 		void *data;
8469 		int len;
8470 
8471 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
8472 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
8473 		settings->n_akm_suites = len / sizeof(u32);
8474 
8475 		if (len % sizeof(u32))
8476 			return -EINVAL;
8477 
8478 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
8479 			return -EINVAL;
8480 
8481 		memcpy(settings->akm_suites, data, len);
8482 	}
8483 
8484 	if (info->attrs[NL80211_ATTR_PMK]) {
8485 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
8486 			return -EINVAL;
8487 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8488 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
8489 			return -EINVAL;
8490 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
8491 	}
8492 
8493 	return 0;
8494 }
8495 
8496 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
8497 {
8498 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8499 	struct net_device *dev = info->user_ptr[1];
8500 	struct ieee80211_channel *chan;
8501 	struct cfg80211_assoc_request req = {};
8502 	const u8 *bssid, *ssid;
8503 	int err, ssid_len = 0;
8504 
8505 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8506 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8507 		return -EPERM;
8508 
8509 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8510 		return -EINVAL;
8511 
8512 	if (!info->attrs[NL80211_ATTR_MAC] ||
8513 	    !info->attrs[NL80211_ATTR_SSID] ||
8514 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
8515 		return -EINVAL;
8516 
8517 	if (!rdev->ops->assoc)
8518 		return -EOPNOTSUPP;
8519 
8520 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8521 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8522 		return -EOPNOTSUPP;
8523 
8524 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8525 
8526 	chan = nl80211_get_valid_chan(&rdev->wiphy,
8527 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
8528 	if (!chan)
8529 		return -EINVAL;
8530 
8531 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8532 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8533 
8534 	if (info->attrs[NL80211_ATTR_IE]) {
8535 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8536 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8537 	}
8538 
8539 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
8540 		enum nl80211_mfp mfp =
8541 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
8542 		if (mfp == NL80211_MFP_REQUIRED)
8543 			req.use_mfp = true;
8544 		else if (mfp != NL80211_MFP_NO)
8545 			return -EINVAL;
8546 	}
8547 
8548 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
8549 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
8550 
8551 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
8552 		req.flags |= ASSOC_REQ_DISABLE_HT;
8553 
8554 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8555 		memcpy(&req.ht_capa_mask,
8556 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8557 		       sizeof(req.ht_capa_mask));
8558 
8559 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8560 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8561 			return -EINVAL;
8562 		memcpy(&req.ht_capa,
8563 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8564 		       sizeof(req.ht_capa));
8565 	}
8566 
8567 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
8568 		req.flags |= ASSOC_REQ_DISABLE_VHT;
8569 
8570 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8571 		memcpy(&req.vht_capa_mask,
8572 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
8573 		       sizeof(req.vht_capa_mask));
8574 
8575 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
8576 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
8577 			return -EINVAL;
8578 		memcpy(&req.vht_capa,
8579 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
8580 		       sizeof(req.vht_capa));
8581 	}
8582 
8583 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
8584 		if (!((rdev->wiphy.features &
8585 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
8586 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
8587 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8588 					     NL80211_EXT_FEATURE_RRM))
8589 			return -EINVAL;
8590 		req.flags |= ASSOC_REQ_USE_RRM;
8591 	}
8592 
8593 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
8594 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
8595 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
8596 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
8597 			return -EINVAL;
8598 		req.fils_nonces =
8599 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
8600 	}
8601 
8602 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
8603 	if (!err) {
8604 		wdev_lock(dev->ieee80211_ptr);
8605 
8606 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
8607 					  ssid, ssid_len, &req);
8608 
8609 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8610 			dev->ieee80211_ptr->conn_owner_nlportid =
8611 				info->snd_portid;
8612 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
8613 			       bssid, ETH_ALEN);
8614 		}
8615 
8616 		wdev_unlock(dev->ieee80211_ptr);
8617 	}
8618 
8619 	return err;
8620 }
8621 
8622 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
8623 {
8624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8625 	struct net_device *dev = info->user_ptr[1];
8626 	const u8 *ie = NULL, *bssid;
8627 	int ie_len = 0, err;
8628 	u16 reason_code;
8629 	bool local_state_change;
8630 
8631 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8632 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8633 		return -EPERM;
8634 
8635 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8636 		return -EINVAL;
8637 
8638 	if (!info->attrs[NL80211_ATTR_MAC])
8639 		return -EINVAL;
8640 
8641 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8642 		return -EINVAL;
8643 
8644 	if (!rdev->ops->deauth)
8645 		return -EOPNOTSUPP;
8646 
8647 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8648 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8649 		return -EOPNOTSUPP;
8650 
8651 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8652 
8653 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8654 	if (reason_code == 0) {
8655 		/* Reason Code 0 is reserved */
8656 		return -EINVAL;
8657 	}
8658 
8659 	if (info->attrs[NL80211_ATTR_IE]) {
8660 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8661 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8662 	}
8663 
8664 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8665 
8666 	wdev_lock(dev->ieee80211_ptr);
8667 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
8668 				   local_state_change);
8669 	wdev_unlock(dev->ieee80211_ptr);
8670 	return err;
8671 }
8672 
8673 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
8674 {
8675 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8676 	struct net_device *dev = info->user_ptr[1];
8677 	const u8 *ie = NULL, *bssid;
8678 	int ie_len = 0, err;
8679 	u16 reason_code;
8680 	bool local_state_change;
8681 
8682 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
8683 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
8684 		return -EPERM;
8685 
8686 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8687 		return -EINVAL;
8688 
8689 	if (!info->attrs[NL80211_ATTR_MAC])
8690 		return -EINVAL;
8691 
8692 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
8693 		return -EINVAL;
8694 
8695 	if (!rdev->ops->disassoc)
8696 		return -EOPNOTSUPP;
8697 
8698 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
8699 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
8700 		return -EOPNOTSUPP;
8701 
8702 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8703 
8704 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8705 	if (reason_code == 0) {
8706 		/* Reason Code 0 is reserved */
8707 		return -EINVAL;
8708 	}
8709 
8710 	if (info->attrs[NL80211_ATTR_IE]) {
8711 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8712 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8713 	}
8714 
8715 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
8716 
8717 	wdev_lock(dev->ieee80211_ptr);
8718 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
8719 				     local_state_change);
8720 	wdev_unlock(dev->ieee80211_ptr);
8721 	return err;
8722 }
8723 
8724 static bool
8725 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
8726 			 int mcast_rate[NUM_NL80211_BANDS],
8727 			 int rateval)
8728 {
8729 	struct wiphy *wiphy = &rdev->wiphy;
8730 	bool found = false;
8731 	int band, i;
8732 
8733 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
8734 		struct ieee80211_supported_band *sband;
8735 
8736 		sband = wiphy->bands[band];
8737 		if (!sband)
8738 			continue;
8739 
8740 		for (i = 0; i < sband->n_bitrates; i++) {
8741 			if (sband->bitrates[i].bitrate == rateval) {
8742 				mcast_rate[band] = i + 1;
8743 				found = true;
8744 				break;
8745 			}
8746 		}
8747 	}
8748 
8749 	return found;
8750 }
8751 
8752 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
8753 {
8754 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8755 	struct net_device *dev = info->user_ptr[1];
8756 	struct cfg80211_ibss_params ibss;
8757 	struct wiphy *wiphy;
8758 	struct cfg80211_cached_keys *connkeys = NULL;
8759 	int err;
8760 
8761 	memset(&ibss, 0, sizeof(ibss));
8762 
8763 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
8764 		return -EINVAL;
8765 
8766 	if (!info->attrs[NL80211_ATTR_SSID] ||
8767 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
8768 		return -EINVAL;
8769 
8770 	ibss.beacon_interval = 100;
8771 
8772 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
8773 		ibss.beacon_interval =
8774 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
8775 
8776 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
8777 					   ibss.beacon_interval);
8778 	if (err)
8779 		return err;
8780 
8781 	if (!rdev->ops->join_ibss)
8782 		return -EOPNOTSUPP;
8783 
8784 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
8785 		return -EOPNOTSUPP;
8786 
8787 	wiphy = &rdev->wiphy;
8788 
8789 	if (info->attrs[NL80211_ATTR_MAC]) {
8790 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
8791 
8792 		if (!is_valid_ether_addr(ibss.bssid))
8793 			return -EINVAL;
8794 	}
8795 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
8796 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
8797 
8798 	if (info->attrs[NL80211_ATTR_IE]) {
8799 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
8800 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8801 	}
8802 
8803 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
8804 	if (err)
8805 		return err;
8806 
8807 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
8808 				     NL80211_IFTYPE_ADHOC))
8809 		return -EINVAL;
8810 
8811 	switch (ibss.chandef.width) {
8812 	case NL80211_CHAN_WIDTH_5:
8813 	case NL80211_CHAN_WIDTH_10:
8814 	case NL80211_CHAN_WIDTH_20_NOHT:
8815 		break;
8816 	case NL80211_CHAN_WIDTH_20:
8817 	case NL80211_CHAN_WIDTH_40:
8818 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8819 			return -EINVAL;
8820 		break;
8821 	case NL80211_CHAN_WIDTH_80:
8822 	case NL80211_CHAN_WIDTH_80P80:
8823 	case NL80211_CHAN_WIDTH_160:
8824 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
8825 			return -EINVAL;
8826 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8827 					     NL80211_EXT_FEATURE_VHT_IBSS))
8828 			return -EINVAL;
8829 		break;
8830 	default:
8831 		return -EINVAL;
8832 	}
8833 
8834 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
8835 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
8836 
8837 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8838 		u8 *rates =
8839 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8840 		int n_rates =
8841 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8842 		struct ieee80211_supported_band *sband =
8843 			wiphy->bands[ibss.chandef.chan->band];
8844 
8845 		err = ieee80211_get_ratemask(sband, rates, n_rates,
8846 					     &ibss.basic_rates);
8847 		if (err)
8848 			return err;
8849 	}
8850 
8851 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8852 		memcpy(&ibss.ht_capa_mask,
8853 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
8854 		       sizeof(ibss.ht_capa_mask));
8855 
8856 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
8857 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
8858 			return -EINVAL;
8859 		memcpy(&ibss.ht_capa,
8860 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
8861 		       sizeof(ibss.ht_capa));
8862 	}
8863 
8864 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
8865 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
8866 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
8867 		return -EINVAL;
8868 
8869 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
8870 		bool no_ht = false;
8871 
8872 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
8873 		if (IS_ERR(connkeys))
8874 			return PTR_ERR(connkeys);
8875 
8876 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
8877 		    no_ht) {
8878 			kzfree(connkeys);
8879 			return -EINVAL;
8880 		}
8881 	}
8882 
8883 	ibss.control_port =
8884 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
8885 
8886 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
8887 		int r = validate_pae_over_nl80211(rdev, info);
8888 
8889 		if (r < 0)
8890 			return r;
8891 
8892 		ibss.control_port_over_nl80211 = true;
8893 	}
8894 
8895 	ibss.userspace_handles_dfs =
8896 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
8897 
8898 	wdev_lock(dev->ieee80211_ptr);
8899 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
8900 	if (err)
8901 		kzfree(connkeys);
8902 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8903 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
8904 	wdev_unlock(dev->ieee80211_ptr);
8905 
8906 	return err;
8907 }
8908 
8909 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
8910 {
8911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8912 	struct net_device *dev = info->user_ptr[1];
8913 
8914 	if (!rdev->ops->leave_ibss)
8915 		return -EOPNOTSUPP;
8916 
8917 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
8918 		return -EOPNOTSUPP;
8919 
8920 	return cfg80211_leave_ibss(rdev, dev, false);
8921 }
8922 
8923 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
8924 {
8925 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8926 	struct net_device *dev = info->user_ptr[1];
8927 	int mcast_rate[NUM_NL80211_BANDS];
8928 	u32 nla_rate;
8929 	int err;
8930 
8931 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
8932 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
8933 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
8934 		return -EOPNOTSUPP;
8935 
8936 	if (!rdev->ops->set_mcast_rate)
8937 		return -EOPNOTSUPP;
8938 
8939 	memset(mcast_rate, 0, sizeof(mcast_rate));
8940 
8941 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
8942 		return -EINVAL;
8943 
8944 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
8945 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
8946 		return -EINVAL;
8947 
8948 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
8949 
8950 	return err;
8951 }
8952 
8953 static struct sk_buff *
8954 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
8955 			    struct wireless_dev *wdev, int approxlen,
8956 			    u32 portid, u32 seq, enum nl80211_commands cmd,
8957 			    enum nl80211_attrs attr,
8958 			    const struct nl80211_vendor_cmd_info *info,
8959 			    gfp_t gfp)
8960 {
8961 	struct sk_buff *skb;
8962 	void *hdr;
8963 	struct nlattr *data;
8964 
8965 	skb = nlmsg_new(approxlen + 100, gfp);
8966 	if (!skb)
8967 		return NULL;
8968 
8969 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
8970 	if (!hdr) {
8971 		kfree_skb(skb);
8972 		return NULL;
8973 	}
8974 
8975 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
8976 		goto nla_put_failure;
8977 
8978 	if (info) {
8979 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
8980 				info->vendor_id))
8981 			goto nla_put_failure;
8982 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
8983 				info->subcmd))
8984 			goto nla_put_failure;
8985 	}
8986 
8987 	if (wdev) {
8988 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
8989 				      wdev_id(wdev), NL80211_ATTR_PAD))
8990 			goto nla_put_failure;
8991 		if (wdev->netdev &&
8992 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
8993 				wdev->netdev->ifindex))
8994 			goto nla_put_failure;
8995 	}
8996 
8997 	data = nla_nest_start(skb, attr);
8998 	if (!data)
8999 		goto nla_put_failure;
9000 
9001 	((void **)skb->cb)[0] = rdev;
9002 	((void **)skb->cb)[1] = hdr;
9003 	((void **)skb->cb)[2] = data;
9004 
9005 	return skb;
9006 
9007  nla_put_failure:
9008 	kfree_skb(skb);
9009 	return NULL;
9010 }
9011 
9012 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9013 					   struct wireless_dev *wdev,
9014 					   enum nl80211_commands cmd,
9015 					   enum nl80211_attrs attr,
9016 					   int vendor_event_idx,
9017 					   int approxlen, gfp_t gfp)
9018 {
9019 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9020 	const struct nl80211_vendor_cmd_info *info;
9021 
9022 	switch (cmd) {
9023 	case NL80211_CMD_TESTMODE:
9024 		if (WARN_ON(vendor_event_idx != -1))
9025 			return NULL;
9026 		info = NULL;
9027 		break;
9028 	case NL80211_CMD_VENDOR:
9029 		if (WARN_ON(vendor_event_idx < 0 ||
9030 			    vendor_event_idx >= wiphy->n_vendor_events))
9031 			return NULL;
9032 		info = &wiphy->vendor_events[vendor_event_idx];
9033 		break;
9034 	default:
9035 		WARN_ON(1);
9036 		return NULL;
9037 	}
9038 
9039 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, 0, 0,
9040 					   cmd, attr, info, gfp);
9041 }
9042 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9043 
9044 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9045 {
9046 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9047 	void *hdr = ((void **)skb->cb)[1];
9048 	struct nlattr *data = ((void **)skb->cb)[2];
9049 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9050 
9051 	/* clear CB data for netlink core to own from now on */
9052 	memset(skb->cb, 0, sizeof(skb->cb));
9053 
9054 	nla_nest_end(skb, data);
9055 	genlmsg_end(skb, hdr);
9056 
9057 	if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9058 		mcgrp = NL80211_MCGRP_VENDOR;
9059 
9060 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), skb, 0,
9061 				mcgrp, gfp);
9062 }
9063 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9064 
9065 #ifdef CONFIG_NL80211_TESTMODE
9066 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9067 {
9068 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9069 	struct wireless_dev *wdev =
9070 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9071 	int err;
9072 
9073 	if (!rdev->ops->testmode_cmd)
9074 		return -EOPNOTSUPP;
9075 
9076 	if (IS_ERR(wdev)) {
9077 		err = PTR_ERR(wdev);
9078 		if (err != -EINVAL)
9079 			return err;
9080 		wdev = NULL;
9081 	} else if (wdev->wiphy != &rdev->wiphy) {
9082 		return -EINVAL;
9083 	}
9084 
9085 	if (!info->attrs[NL80211_ATTR_TESTDATA])
9086 		return -EINVAL;
9087 
9088 	rdev->cur_cmd_info = info;
9089 	err = rdev_testmode_cmd(rdev, wdev,
9090 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
9091 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
9092 	rdev->cur_cmd_info = NULL;
9093 
9094 	return err;
9095 }
9096 
9097 static int nl80211_testmode_dump(struct sk_buff *skb,
9098 				 struct netlink_callback *cb)
9099 {
9100 	struct cfg80211_registered_device *rdev;
9101 	int err;
9102 	long phy_idx;
9103 	void *data = NULL;
9104 	int data_len = 0;
9105 
9106 	rtnl_lock();
9107 
9108 	if (cb->args[0]) {
9109 		/*
9110 		 * 0 is a valid index, but not valid for args[0],
9111 		 * so we need to offset by 1.
9112 		 */
9113 		phy_idx = cb->args[0] - 1;
9114 
9115 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
9116 		if (!rdev) {
9117 			err = -ENOENT;
9118 			goto out_err;
9119 		}
9120 	} else {
9121 		struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
9122 
9123 		err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
9124 				  attrbuf, nl80211_fam.maxattr,
9125 				  nl80211_policy, NULL);
9126 		if (err)
9127 			goto out_err;
9128 
9129 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
9130 		if (IS_ERR(rdev)) {
9131 			err = PTR_ERR(rdev);
9132 			goto out_err;
9133 		}
9134 		phy_idx = rdev->wiphy_idx;
9135 
9136 		if (attrbuf[NL80211_ATTR_TESTDATA])
9137 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
9138 	}
9139 
9140 	if (cb->args[1]) {
9141 		data = nla_data((void *)cb->args[1]);
9142 		data_len = nla_len((void *)cb->args[1]);
9143 	}
9144 
9145 	if (!rdev->ops->testmode_dump) {
9146 		err = -EOPNOTSUPP;
9147 		goto out_err;
9148 	}
9149 
9150 	while (1) {
9151 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
9152 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
9153 					   NL80211_CMD_TESTMODE);
9154 		struct nlattr *tmdata;
9155 
9156 		if (!hdr)
9157 			break;
9158 
9159 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
9160 			genlmsg_cancel(skb, hdr);
9161 			break;
9162 		}
9163 
9164 		tmdata = nla_nest_start(skb, NL80211_ATTR_TESTDATA);
9165 		if (!tmdata) {
9166 			genlmsg_cancel(skb, hdr);
9167 			break;
9168 		}
9169 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
9170 		nla_nest_end(skb, tmdata);
9171 
9172 		if (err == -ENOBUFS || err == -ENOENT) {
9173 			genlmsg_cancel(skb, hdr);
9174 			break;
9175 		} else if (err) {
9176 			genlmsg_cancel(skb, hdr);
9177 			goto out_err;
9178 		}
9179 
9180 		genlmsg_end(skb, hdr);
9181 	}
9182 
9183 	err = skb->len;
9184 	/* see above */
9185 	cb->args[0] = phy_idx + 1;
9186  out_err:
9187 	rtnl_unlock();
9188 	return err;
9189 }
9190 #endif
9191 
9192 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
9193 {
9194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9195 	struct net_device *dev = info->user_ptr[1];
9196 	struct cfg80211_connect_params connect;
9197 	struct wiphy *wiphy;
9198 	struct cfg80211_cached_keys *connkeys = NULL;
9199 	int err;
9200 
9201 	memset(&connect, 0, sizeof(connect));
9202 
9203 	if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9204 		return -EINVAL;
9205 
9206 	if (!info->attrs[NL80211_ATTR_SSID] ||
9207 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9208 		return -EINVAL;
9209 
9210 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9211 		connect.auth_type =
9212 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9213 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
9214 					     NL80211_CMD_CONNECT))
9215 			return -EINVAL;
9216 	} else
9217 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
9218 
9219 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
9220 
9221 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
9222 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9223 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
9224 		return -EINVAL;
9225 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
9226 
9227 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
9228 				      NL80211_MAX_NR_CIPHER_SUITES);
9229 	if (err)
9230 		return err;
9231 
9232 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9233 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9234 		return -EOPNOTSUPP;
9235 
9236 	wiphy = &rdev->wiphy;
9237 
9238 	connect.bg_scan_period = -1;
9239 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
9240 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
9241 		connect.bg_scan_period =
9242 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
9243 	}
9244 
9245 	if (info->attrs[NL80211_ATTR_MAC])
9246 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9247 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
9248 		connect.bssid_hint =
9249 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
9250 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9251 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9252 
9253 	if (info->attrs[NL80211_ATTR_IE]) {
9254 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9255 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9256 	}
9257 
9258 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9259 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9260 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
9261 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9262 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
9263 			return -EOPNOTSUPP;
9264 
9265 		if (connect.mfp != NL80211_MFP_REQUIRED &&
9266 		    connect.mfp != NL80211_MFP_NO &&
9267 		    connect.mfp != NL80211_MFP_OPTIONAL)
9268 			return -EINVAL;
9269 	} else {
9270 		connect.mfp = NL80211_MFP_NO;
9271 	}
9272 
9273 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9274 		connect.prev_bssid =
9275 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9276 
9277 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9278 		connect.channel = nl80211_get_valid_chan(
9279 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9280 		if (!connect.channel)
9281 			return -EINVAL;
9282 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
9283 		connect.channel_hint = nl80211_get_valid_chan(
9284 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
9285 		if (!connect.channel_hint)
9286 			return -EINVAL;
9287 	}
9288 
9289 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9290 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
9291 		if (IS_ERR(connkeys))
9292 			return PTR_ERR(connkeys);
9293 	}
9294 
9295 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9296 		connect.flags |= ASSOC_REQ_DISABLE_HT;
9297 
9298 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9299 		memcpy(&connect.ht_capa_mask,
9300 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9301 		       sizeof(connect.ht_capa_mask));
9302 
9303 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9304 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
9305 			kzfree(connkeys);
9306 			return -EINVAL;
9307 		}
9308 		memcpy(&connect.ht_capa,
9309 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9310 		       sizeof(connect.ht_capa));
9311 	}
9312 
9313 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9314 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
9315 
9316 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9317 		memcpy(&connect.vht_capa_mask,
9318 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9319 		       sizeof(connect.vht_capa_mask));
9320 
9321 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9322 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
9323 			kzfree(connkeys);
9324 			return -EINVAL;
9325 		}
9326 		memcpy(&connect.vht_capa,
9327 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9328 		       sizeof(connect.vht_capa));
9329 	}
9330 
9331 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9332 		if (!((rdev->wiphy.features &
9333 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9334 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9335 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9336 					     NL80211_EXT_FEATURE_RRM)) {
9337 			kzfree(connkeys);
9338 			return -EINVAL;
9339 		}
9340 		connect.flags |= ASSOC_REQ_USE_RRM;
9341 	}
9342 
9343 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
9344 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
9345 		kzfree(connkeys);
9346 		return -EOPNOTSUPP;
9347 	}
9348 
9349 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
9350 		/* bss selection makes no sense if bssid is set */
9351 		if (connect.bssid) {
9352 			kzfree(connkeys);
9353 			return -EINVAL;
9354 		}
9355 
9356 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
9357 				       wiphy, &connect.bss_select);
9358 		if (err) {
9359 			kzfree(connkeys);
9360 			return err;
9361 		}
9362 	}
9363 
9364 	if (wiphy_ext_feature_isset(&rdev->wiphy,
9365 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
9366 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9367 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9368 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9369 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9370 		connect.fils_erp_username =
9371 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9372 		connect.fils_erp_username_len =
9373 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9374 		connect.fils_erp_realm =
9375 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9376 		connect.fils_erp_realm_len =
9377 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9378 		connect.fils_erp_next_seq_num =
9379 			nla_get_u16(
9380 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9381 		connect.fils_erp_rrk =
9382 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9383 		connect.fils_erp_rrk_len =
9384 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9385 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9386 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9387 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9388 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9389 		kzfree(connkeys);
9390 		return -EINVAL;
9391 	}
9392 
9393 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
9394 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9395 			kzfree(connkeys);
9396 			GENL_SET_ERR_MSG(info,
9397 					 "external auth requires connection ownership");
9398 			return -EINVAL;
9399 		}
9400 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
9401 	}
9402 
9403 	wdev_lock(dev->ieee80211_ptr);
9404 
9405 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
9406 			       connect.prev_bssid);
9407 	if (err)
9408 		kzfree(connkeys);
9409 
9410 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9411 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9412 		if (connect.bssid)
9413 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9414 			       connect.bssid, ETH_ALEN);
9415 		else
9416 			memset(dev->ieee80211_ptr->disconnect_bssid,
9417 			       0, ETH_ALEN);
9418 	}
9419 
9420 	wdev_unlock(dev->ieee80211_ptr);
9421 
9422 	return err;
9423 }
9424 
9425 static int nl80211_update_connect_params(struct sk_buff *skb,
9426 					 struct genl_info *info)
9427 {
9428 	struct cfg80211_connect_params connect = {};
9429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9430 	struct net_device *dev = info->user_ptr[1];
9431 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9432 	bool fils_sk_offload;
9433 	u32 auth_type;
9434 	u32 changed = 0;
9435 	int ret;
9436 
9437 	if (!rdev->ops->update_connect_params)
9438 		return -EOPNOTSUPP;
9439 
9440 	if (info->attrs[NL80211_ATTR_IE]) {
9441 		if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
9442 			return -EINVAL;
9443 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9444 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9445 		changed |= UPDATE_ASSOC_IES;
9446 	}
9447 
9448 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
9449 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
9450 
9451 	/*
9452 	 * when driver supports fils-sk offload all attributes must be
9453 	 * provided. So the else covers "fils-sk-not-all" and
9454 	 * "no-fils-sk-any".
9455 	 */
9456 	if (fils_sk_offload &&
9457 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
9458 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
9459 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
9460 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9461 		connect.fils_erp_username =
9462 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9463 		connect.fils_erp_username_len =
9464 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
9465 		connect.fils_erp_realm =
9466 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9467 		connect.fils_erp_realm_len =
9468 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
9469 		connect.fils_erp_next_seq_num =
9470 			nla_get_u16(
9471 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
9472 		connect.fils_erp_rrk =
9473 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9474 		connect.fils_erp_rrk_len =
9475 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
9476 		changed |= UPDATE_FILS_ERP_INFO;
9477 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
9478 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
9479 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
9480 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
9481 		return -EINVAL;
9482 	}
9483 
9484 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
9485 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9486 		if (!nl80211_valid_auth_type(rdev, auth_type,
9487 					     NL80211_CMD_CONNECT))
9488 			return -EINVAL;
9489 
9490 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
9491 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
9492 			return -EINVAL;
9493 
9494 		connect.auth_type = auth_type;
9495 		changed |= UPDATE_AUTH_TYPE;
9496 	}
9497 
9498 	wdev_lock(dev->ieee80211_ptr);
9499 	if (!wdev->current_bss)
9500 		ret = -ENOLINK;
9501 	else
9502 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
9503 	wdev_unlock(dev->ieee80211_ptr);
9504 
9505 	return ret;
9506 }
9507 
9508 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
9509 {
9510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9511 	struct net_device *dev = info->user_ptr[1];
9512 	u16 reason;
9513 	int ret;
9514 
9515 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9516 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9517 		return -EPERM;
9518 
9519 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9520 		reason = WLAN_REASON_DEAUTH_LEAVING;
9521 	else
9522 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9523 
9524 	if (reason == 0)
9525 		return -EINVAL;
9526 
9527 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9528 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9529 		return -EOPNOTSUPP;
9530 
9531 	wdev_lock(dev->ieee80211_ptr);
9532 	ret = cfg80211_disconnect(rdev, dev, reason, true);
9533 	wdev_unlock(dev->ieee80211_ptr);
9534 	return ret;
9535 }
9536 
9537 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
9538 {
9539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9540 	struct net *net;
9541 	int err;
9542 
9543 	if (info->attrs[NL80211_ATTR_PID]) {
9544 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
9545 
9546 		net = get_net_ns_by_pid(pid);
9547 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
9548 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
9549 
9550 		net = get_net_ns_by_fd(fd);
9551 	} else {
9552 		return -EINVAL;
9553 	}
9554 
9555 	if (IS_ERR(net))
9556 		return PTR_ERR(net);
9557 
9558 	err = 0;
9559 
9560 	/* check if anything to do */
9561 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
9562 		err = cfg80211_switch_netns(rdev, net);
9563 
9564 	put_net(net);
9565 	return err;
9566 }
9567 
9568 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
9569 {
9570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9571 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
9572 			struct cfg80211_pmksa *pmksa) = NULL;
9573 	struct net_device *dev = info->user_ptr[1];
9574 	struct cfg80211_pmksa pmksa;
9575 
9576 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
9577 
9578 	if (!info->attrs[NL80211_ATTR_PMKID])
9579 		return -EINVAL;
9580 
9581 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
9582 
9583 	if (info->attrs[NL80211_ATTR_MAC]) {
9584 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9585 	} else if (info->attrs[NL80211_ATTR_SSID] &&
9586 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
9587 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
9588 		    info->attrs[NL80211_ATTR_PMK])) {
9589 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9590 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9591 		pmksa.cache_id =
9592 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
9593 	} else {
9594 		return -EINVAL;
9595 	}
9596 	if (info->attrs[NL80211_ATTR_PMK]) {
9597 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9598 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
9599 	}
9600 
9601 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9602 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9603 		return -EOPNOTSUPP;
9604 
9605 	switch (info->genlhdr->cmd) {
9606 	case NL80211_CMD_SET_PMKSA:
9607 		rdev_ops = rdev->ops->set_pmksa;
9608 		break;
9609 	case NL80211_CMD_DEL_PMKSA:
9610 		rdev_ops = rdev->ops->del_pmksa;
9611 		break;
9612 	default:
9613 		WARN_ON(1);
9614 		break;
9615 	}
9616 
9617 	if (!rdev_ops)
9618 		return -EOPNOTSUPP;
9619 
9620 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
9621 }
9622 
9623 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
9624 {
9625 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9626 	struct net_device *dev = info->user_ptr[1];
9627 
9628 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9629 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9630 		return -EOPNOTSUPP;
9631 
9632 	if (!rdev->ops->flush_pmksa)
9633 		return -EOPNOTSUPP;
9634 
9635 	return rdev_flush_pmksa(rdev, dev);
9636 }
9637 
9638 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
9639 {
9640 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9641 	struct net_device *dev = info->user_ptr[1];
9642 	u8 action_code, dialog_token;
9643 	u32 peer_capability = 0;
9644 	u16 status_code;
9645 	u8 *peer;
9646 	bool initiator;
9647 
9648 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9649 	    !rdev->ops->tdls_mgmt)
9650 		return -EOPNOTSUPP;
9651 
9652 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
9653 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
9654 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
9655 	    !info->attrs[NL80211_ATTR_IE] ||
9656 	    !info->attrs[NL80211_ATTR_MAC])
9657 		return -EINVAL;
9658 
9659 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9660 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
9661 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
9662 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
9663 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
9664 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
9665 		peer_capability =
9666 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
9667 
9668 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
9669 			      dialog_token, status_code, peer_capability,
9670 			      initiator,
9671 			      nla_data(info->attrs[NL80211_ATTR_IE]),
9672 			      nla_len(info->attrs[NL80211_ATTR_IE]));
9673 }
9674 
9675 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
9676 {
9677 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9678 	struct net_device *dev = info->user_ptr[1];
9679 	enum nl80211_tdls_operation operation;
9680 	u8 *peer;
9681 
9682 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
9683 	    !rdev->ops->tdls_oper)
9684 		return -EOPNOTSUPP;
9685 
9686 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
9687 	    !info->attrs[NL80211_ATTR_MAC])
9688 		return -EINVAL;
9689 
9690 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
9691 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
9692 
9693 	return rdev_tdls_oper(rdev, dev, peer, operation);
9694 }
9695 
9696 static int nl80211_remain_on_channel(struct sk_buff *skb,
9697 				     struct genl_info *info)
9698 {
9699 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9700 	struct wireless_dev *wdev = info->user_ptr[1];
9701 	struct cfg80211_chan_def chandef;
9702 	const struct cfg80211_chan_def *compat_chandef;
9703 	struct sk_buff *msg;
9704 	void *hdr;
9705 	u64 cookie;
9706 	u32 duration;
9707 	int err;
9708 
9709 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9710 	    !info->attrs[NL80211_ATTR_DURATION])
9711 		return -EINVAL;
9712 
9713 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
9714 
9715 	if (!rdev->ops->remain_on_channel ||
9716 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
9717 		return -EOPNOTSUPP;
9718 
9719 	/*
9720 	 * We should be on that channel for at least a minimum amount of
9721 	 * time (10ms) but no longer than the driver supports.
9722 	 */
9723 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
9724 	    duration > rdev->wiphy.max_remain_on_channel_duration)
9725 		return -EINVAL;
9726 
9727 	err = nl80211_parse_chandef(rdev, info, &chandef);
9728 	if (err)
9729 		return err;
9730 
9731 	wdev_lock(wdev);
9732 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
9733 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
9734 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
9735 							     &chandef);
9736 		if (compat_chandef != &chandef) {
9737 			wdev_unlock(wdev);
9738 			return -EBUSY;
9739 		}
9740 	}
9741 	wdev_unlock(wdev);
9742 
9743 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9744 	if (!msg)
9745 		return -ENOMEM;
9746 
9747 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9748 			     NL80211_CMD_REMAIN_ON_CHANNEL);
9749 	if (!hdr) {
9750 		err = -ENOBUFS;
9751 		goto free_msg;
9752 	}
9753 
9754 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
9755 				     duration, &cookie);
9756 
9757 	if (err)
9758 		goto free_msg;
9759 
9760 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
9761 			      NL80211_ATTR_PAD))
9762 		goto nla_put_failure;
9763 
9764 	genlmsg_end(msg, hdr);
9765 
9766 	return genlmsg_reply(msg, info);
9767 
9768  nla_put_failure:
9769 	err = -ENOBUFS;
9770  free_msg:
9771 	nlmsg_free(msg);
9772 	return err;
9773 }
9774 
9775 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
9776 					    struct genl_info *info)
9777 {
9778 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9779 	struct wireless_dev *wdev = info->user_ptr[1];
9780 	u64 cookie;
9781 
9782 	if (!info->attrs[NL80211_ATTR_COOKIE])
9783 		return -EINVAL;
9784 
9785 	if (!rdev->ops->cancel_remain_on_channel)
9786 		return -EOPNOTSUPP;
9787 
9788 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9789 
9790 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
9791 }
9792 
9793 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
9794 				       struct genl_info *info)
9795 {
9796 	struct cfg80211_bitrate_mask mask;
9797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9798 	struct net_device *dev = info->user_ptr[1];
9799 	int err;
9800 
9801 	if (!rdev->ops->set_bitrate_mask)
9802 		return -EOPNOTSUPP;
9803 
9804 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
9805 	if (err)
9806 		return err;
9807 
9808 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
9809 }
9810 
9811 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
9812 {
9813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9814 	struct wireless_dev *wdev = info->user_ptr[1];
9815 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
9816 
9817 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
9818 		return -EINVAL;
9819 
9820 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
9821 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
9822 
9823 	switch (wdev->iftype) {
9824 	case NL80211_IFTYPE_STATION:
9825 	case NL80211_IFTYPE_ADHOC:
9826 	case NL80211_IFTYPE_P2P_CLIENT:
9827 	case NL80211_IFTYPE_AP:
9828 	case NL80211_IFTYPE_AP_VLAN:
9829 	case NL80211_IFTYPE_MESH_POINT:
9830 	case NL80211_IFTYPE_P2P_GO:
9831 	case NL80211_IFTYPE_P2P_DEVICE:
9832 		break;
9833 	case NL80211_IFTYPE_NAN:
9834 	default:
9835 		return -EOPNOTSUPP;
9836 	}
9837 
9838 	/* not much point in registering if we can't reply */
9839 	if (!rdev->ops->mgmt_tx)
9840 		return -EOPNOTSUPP;
9841 
9842 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
9843 			nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
9844 			nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]));
9845 }
9846 
9847 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
9848 {
9849 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9850 	struct wireless_dev *wdev = info->user_ptr[1];
9851 	struct cfg80211_chan_def chandef;
9852 	int err;
9853 	void *hdr = NULL;
9854 	u64 cookie;
9855 	struct sk_buff *msg = NULL;
9856 	struct cfg80211_mgmt_tx_params params = {
9857 		.dont_wait_for_ack =
9858 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
9859 	};
9860 
9861 	if (!info->attrs[NL80211_ATTR_FRAME])
9862 		return -EINVAL;
9863 
9864 	if (!rdev->ops->mgmt_tx)
9865 		return -EOPNOTSUPP;
9866 
9867 	switch (wdev->iftype) {
9868 	case NL80211_IFTYPE_P2P_DEVICE:
9869 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9870 			return -EINVAL;
9871 	case NL80211_IFTYPE_STATION:
9872 	case NL80211_IFTYPE_ADHOC:
9873 	case NL80211_IFTYPE_P2P_CLIENT:
9874 	case NL80211_IFTYPE_AP:
9875 	case NL80211_IFTYPE_AP_VLAN:
9876 	case NL80211_IFTYPE_MESH_POINT:
9877 	case NL80211_IFTYPE_P2P_GO:
9878 		break;
9879 	case NL80211_IFTYPE_NAN:
9880 	default:
9881 		return -EOPNOTSUPP;
9882 	}
9883 
9884 	if (info->attrs[NL80211_ATTR_DURATION]) {
9885 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
9886 			return -EINVAL;
9887 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
9888 
9889 		/*
9890 		 * We should wait on the channel for at least a minimum amount
9891 		 * of time (10ms) but no longer than the driver supports.
9892 		 */
9893 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
9894 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
9895 			return -EINVAL;
9896 	}
9897 
9898 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
9899 
9900 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
9901 		return -EINVAL;
9902 
9903 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9904 
9905 	/* get the channel if any has been specified, otherwise pass NULL to
9906 	 * the driver. The latter will use the current one
9907 	 */
9908 	chandef.chan = NULL;
9909 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
9910 		err = nl80211_parse_chandef(rdev, info, &chandef);
9911 		if (err)
9912 			return err;
9913 	}
9914 
9915 	if (!chandef.chan && params.offchan)
9916 		return -EINVAL;
9917 
9918 	wdev_lock(wdev);
9919 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
9920 		wdev_unlock(wdev);
9921 		return -EBUSY;
9922 	}
9923 	wdev_unlock(wdev);
9924 
9925 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
9926 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
9927 
9928 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
9929 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
9930 		int i;
9931 
9932 		if (len % sizeof(u16))
9933 			return -EINVAL;
9934 
9935 		params.n_csa_offsets = len / sizeof(u16);
9936 		params.csa_offsets =
9937 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
9938 
9939 		/* check that all the offsets fit the frame */
9940 		for (i = 0; i < params.n_csa_offsets; i++) {
9941 			if (params.csa_offsets[i] >= params.len)
9942 				return -EINVAL;
9943 		}
9944 	}
9945 
9946 	if (!params.dont_wait_for_ack) {
9947 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9948 		if (!msg)
9949 			return -ENOMEM;
9950 
9951 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9952 				     NL80211_CMD_FRAME);
9953 		if (!hdr) {
9954 			err = -ENOBUFS;
9955 			goto free_msg;
9956 		}
9957 	}
9958 
9959 	params.chan = chandef.chan;
9960 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
9961 	if (err)
9962 		goto free_msg;
9963 
9964 	if (msg) {
9965 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
9966 				      NL80211_ATTR_PAD))
9967 			goto nla_put_failure;
9968 
9969 		genlmsg_end(msg, hdr);
9970 		return genlmsg_reply(msg, info);
9971 	}
9972 
9973 	return 0;
9974 
9975  nla_put_failure:
9976 	err = -ENOBUFS;
9977  free_msg:
9978 	nlmsg_free(msg);
9979 	return err;
9980 }
9981 
9982 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
9983 {
9984 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9985 	struct wireless_dev *wdev = info->user_ptr[1];
9986 	u64 cookie;
9987 
9988 	if (!info->attrs[NL80211_ATTR_COOKIE])
9989 		return -EINVAL;
9990 
9991 	if (!rdev->ops->mgmt_tx_cancel_wait)
9992 		return -EOPNOTSUPP;
9993 
9994 	switch (wdev->iftype) {
9995 	case NL80211_IFTYPE_STATION:
9996 	case NL80211_IFTYPE_ADHOC:
9997 	case NL80211_IFTYPE_P2P_CLIENT:
9998 	case NL80211_IFTYPE_AP:
9999 	case NL80211_IFTYPE_AP_VLAN:
10000 	case NL80211_IFTYPE_P2P_GO:
10001 	case NL80211_IFTYPE_P2P_DEVICE:
10002 		break;
10003 	case NL80211_IFTYPE_NAN:
10004 	default:
10005 		return -EOPNOTSUPP;
10006 	}
10007 
10008 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10009 
10010 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10011 }
10012 
10013 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10014 {
10015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10016 	struct wireless_dev *wdev;
10017 	struct net_device *dev = info->user_ptr[1];
10018 	u8 ps_state;
10019 	bool state;
10020 	int err;
10021 
10022 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10023 		return -EINVAL;
10024 
10025 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10026 
10027 	if (ps_state != NL80211_PS_DISABLED && ps_state != NL80211_PS_ENABLED)
10028 		return -EINVAL;
10029 
10030 	wdev = dev->ieee80211_ptr;
10031 
10032 	if (!rdev->ops->set_power_mgmt)
10033 		return -EOPNOTSUPP;
10034 
10035 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10036 
10037 	if (state == wdev->ps)
10038 		return 0;
10039 
10040 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10041 	if (!err)
10042 		wdev->ps = state;
10043 	return err;
10044 }
10045 
10046 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10047 {
10048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10049 	enum nl80211_ps_state ps_state;
10050 	struct wireless_dev *wdev;
10051 	struct net_device *dev = info->user_ptr[1];
10052 	struct sk_buff *msg;
10053 	void *hdr;
10054 	int err;
10055 
10056 	wdev = dev->ieee80211_ptr;
10057 
10058 	if (!rdev->ops->set_power_mgmt)
10059 		return -EOPNOTSUPP;
10060 
10061 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10062 	if (!msg)
10063 		return -ENOMEM;
10064 
10065 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10066 			     NL80211_CMD_GET_POWER_SAVE);
10067 	if (!hdr) {
10068 		err = -ENOBUFS;
10069 		goto free_msg;
10070 	}
10071 
10072 	if (wdev->ps)
10073 		ps_state = NL80211_PS_ENABLED;
10074 	else
10075 		ps_state = NL80211_PS_DISABLED;
10076 
10077 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
10078 		goto nla_put_failure;
10079 
10080 	genlmsg_end(msg, hdr);
10081 	return genlmsg_reply(msg, info);
10082 
10083  nla_put_failure:
10084 	err = -ENOBUFS;
10085  free_msg:
10086 	nlmsg_free(msg);
10087 	return err;
10088 }
10089 
10090 static const struct nla_policy
10091 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
10092 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
10093 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
10094 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
10095 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
10096 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
10097 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
10098 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
10099 };
10100 
10101 static int nl80211_set_cqm_txe(struct genl_info *info,
10102 			       u32 rate, u32 pkts, u32 intvl)
10103 {
10104 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10105 	struct net_device *dev = info->user_ptr[1];
10106 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10107 
10108 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
10109 		return -EINVAL;
10110 
10111 	if (!rdev->ops->set_cqm_txe_config)
10112 		return -EOPNOTSUPP;
10113 
10114 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10115 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10116 		return -EOPNOTSUPP;
10117 
10118 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
10119 }
10120 
10121 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
10122 				    struct net_device *dev)
10123 {
10124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10125 	s32 last, low, high;
10126 	u32 hyst;
10127 	int i, n;
10128 	int err;
10129 
10130 	/* RSSI reporting disabled? */
10131 	if (!wdev->cqm_config)
10132 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
10133 
10134 	/*
10135 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
10136 	 * event has been received yet, we should receive an event after a
10137 	 * connection is established and enough beacons received to calculate
10138 	 * the average.
10139 	 */
10140 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
10141 	    rdev->ops->get_station) {
10142 		struct station_info sinfo = {};
10143 		u8 *mac_addr;
10144 
10145 		mac_addr = wdev->current_bss->pub.bssid;
10146 
10147 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
10148 		if (err)
10149 			return err;
10150 
10151 		if (sinfo.filled & BIT(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
10152 			wdev->cqm_config->last_rssi_event_value =
10153 				(s8) sinfo.rx_beacon_signal_avg;
10154 	}
10155 
10156 	last = wdev->cqm_config->last_rssi_event_value;
10157 	hyst = wdev->cqm_config->rssi_hyst;
10158 	n = wdev->cqm_config->n_rssi_thresholds;
10159 
10160 	for (i = 0; i < n; i++)
10161 		if (last < wdev->cqm_config->rssi_thresholds[i])
10162 			break;
10163 
10164 	low = i > 0 ?
10165 		(wdev->cqm_config->rssi_thresholds[i - 1] - hyst) : S32_MIN;
10166 	high = i < n ?
10167 		(wdev->cqm_config->rssi_thresholds[i] + hyst - 1) : S32_MAX;
10168 
10169 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
10170 }
10171 
10172 static int nl80211_set_cqm_rssi(struct genl_info *info,
10173 				const s32 *thresholds, int n_thresholds,
10174 				u32 hysteresis)
10175 {
10176 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10177 	struct net_device *dev = info->user_ptr[1];
10178 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10179 	int i, err;
10180 	s32 prev = S32_MIN;
10181 
10182 	/* Check all values negative and sorted */
10183 	for (i = 0; i < n_thresholds; i++) {
10184 		if (thresholds[i] > 0 || thresholds[i] <= prev)
10185 			return -EINVAL;
10186 
10187 		prev = thresholds[i];
10188 	}
10189 
10190 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
10191 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
10192 		return -EOPNOTSUPP;
10193 
10194 	wdev_lock(wdev);
10195 	cfg80211_cqm_config_free(wdev);
10196 	wdev_unlock(wdev);
10197 
10198 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
10199 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
10200 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
10201 
10202 		return rdev_set_cqm_rssi_config(rdev, dev,
10203 						thresholds[0], hysteresis);
10204 	}
10205 
10206 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
10207 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
10208 		return -EOPNOTSUPP;
10209 
10210 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
10211 		n_thresholds = 0;
10212 
10213 	wdev_lock(wdev);
10214 	if (n_thresholds) {
10215 		struct cfg80211_cqm_config *cqm_config;
10216 
10217 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
10218 				     n_thresholds * sizeof(s32), GFP_KERNEL);
10219 		if (!cqm_config) {
10220 			err = -ENOMEM;
10221 			goto unlock;
10222 		}
10223 
10224 		cqm_config->rssi_hyst = hysteresis;
10225 		cqm_config->n_rssi_thresholds = n_thresholds;
10226 		memcpy(cqm_config->rssi_thresholds, thresholds,
10227 		       n_thresholds * sizeof(s32));
10228 
10229 		wdev->cqm_config = cqm_config;
10230 	}
10231 
10232 	err = cfg80211_cqm_rssi_update(rdev, dev);
10233 
10234 unlock:
10235 	wdev_unlock(wdev);
10236 
10237 	return err;
10238 }
10239 
10240 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
10241 {
10242 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
10243 	struct nlattr *cqm;
10244 	int err;
10245 
10246 	cqm = info->attrs[NL80211_ATTR_CQM];
10247 	if (!cqm)
10248 		return -EINVAL;
10249 
10250 	err = nla_parse_nested(attrs, NL80211_ATTR_CQM_MAX, cqm,
10251 			       nl80211_attr_cqm_policy, info->extack);
10252 	if (err)
10253 		return err;
10254 
10255 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
10256 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
10257 		const s32 *thresholds =
10258 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10259 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
10260 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
10261 
10262 		if (len % 4)
10263 			return -EINVAL;
10264 
10265 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
10266 					    hysteresis);
10267 	}
10268 
10269 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
10270 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
10271 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
10272 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
10273 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
10274 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
10275 
10276 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
10277 	}
10278 
10279 	return -EINVAL;
10280 }
10281 
10282 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
10283 {
10284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10285 	struct net_device *dev = info->user_ptr[1];
10286 	struct ocb_setup setup = {};
10287 	int err;
10288 
10289 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10290 	if (err)
10291 		return err;
10292 
10293 	return cfg80211_join_ocb(rdev, dev, &setup);
10294 }
10295 
10296 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
10297 {
10298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10299 	struct net_device *dev = info->user_ptr[1];
10300 
10301 	return cfg80211_leave_ocb(rdev, dev);
10302 }
10303 
10304 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
10305 {
10306 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10307 	struct net_device *dev = info->user_ptr[1];
10308 	struct mesh_config cfg;
10309 	struct mesh_setup setup;
10310 	int err;
10311 
10312 	/* start with default */
10313 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
10314 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
10315 
10316 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
10317 		/* and parse parameters if given */
10318 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
10319 		if (err)
10320 			return err;
10321 	}
10322 
10323 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
10324 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
10325 		return -EINVAL;
10326 
10327 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
10328 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
10329 
10330 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10331 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
10332 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10333 			return -EINVAL;
10334 
10335 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
10336 		setup.beacon_interval =
10337 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10338 
10339 		err = cfg80211_validate_beacon_int(rdev,
10340 						   NL80211_IFTYPE_MESH_POINT,
10341 						   setup.beacon_interval);
10342 		if (err)
10343 			return err;
10344 	}
10345 
10346 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
10347 		setup.dtim_period =
10348 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
10349 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
10350 			return -EINVAL;
10351 	}
10352 
10353 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
10354 		/* parse additional setup parameters if given */
10355 		err = nl80211_parse_mesh_setup(info, &setup);
10356 		if (err)
10357 			return err;
10358 	}
10359 
10360 	if (setup.user_mpm)
10361 		cfg.auto_open_plinks = false;
10362 
10363 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10364 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
10365 		if (err)
10366 			return err;
10367 	} else {
10368 		/* __cfg80211_join_mesh() will sort it out */
10369 		setup.chandef.chan = NULL;
10370 	}
10371 
10372 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10373 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10374 		int n_rates =
10375 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10376 		struct ieee80211_supported_band *sband;
10377 
10378 		if (!setup.chandef.chan)
10379 			return -EINVAL;
10380 
10381 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
10382 
10383 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10384 					     &setup.basic_rates);
10385 		if (err)
10386 			return err;
10387 	}
10388 
10389 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
10390 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
10391 		if (err)
10392 			return err;
10393 
10394 		if (!setup.chandef.chan)
10395 			return -EINVAL;
10396 
10397 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
10398 					      &setup.beacon_rate);
10399 		if (err)
10400 			return err;
10401 	}
10402 
10403 	setup.userspace_handles_dfs =
10404 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10405 
10406 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10407 		int r = validate_pae_over_nl80211(rdev, info);
10408 
10409 		if (r < 0)
10410 			return r;
10411 
10412 		setup.control_port_over_nl80211 = true;
10413 	}
10414 
10415 	wdev_lock(dev->ieee80211_ptr);
10416 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
10417 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
10418 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10419 	wdev_unlock(dev->ieee80211_ptr);
10420 
10421 	return err;
10422 }
10423 
10424 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
10425 {
10426 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10427 	struct net_device *dev = info->user_ptr[1];
10428 
10429 	return cfg80211_leave_mesh(rdev, dev);
10430 }
10431 
10432 #ifdef CONFIG_PM
10433 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
10434 					struct cfg80211_registered_device *rdev)
10435 {
10436 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
10437 	struct nlattr *nl_pats, *nl_pat;
10438 	int i, pat_len;
10439 
10440 	if (!wowlan->n_patterns)
10441 		return 0;
10442 
10443 	nl_pats = nla_nest_start(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
10444 	if (!nl_pats)
10445 		return -ENOBUFS;
10446 
10447 	for (i = 0; i < wowlan->n_patterns; i++) {
10448 		nl_pat = nla_nest_start(msg, i + 1);
10449 		if (!nl_pat)
10450 			return -ENOBUFS;
10451 		pat_len = wowlan->patterns[i].pattern_len;
10452 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
10453 			    wowlan->patterns[i].mask) ||
10454 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
10455 			    wowlan->patterns[i].pattern) ||
10456 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
10457 				wowlan->patterns[i].pkt_offset))
10458 			return -ENOBUFS;
10459 		nla_nest_end(msg, nl_pat);
10460 	}
10461 	nla_nest_end(msg, nl_pats);
10462 
10463 	return 0;
10464 }
10465 
10466 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
10467 				   struct cfg80211_wowlan_tcp *tcp)
10468 {
10469 	struct nlattr *nl_tcp;
10470 
10471 	if (!tcp)
10472 		return 0;
10473 
10474 	nl_tcp = nla_nest_start(msg, NL80211_WOWLAN_TRIG_TCP_CONNECTION);
10475 	if (!nl_tcp)
10476 		return -ENOBUFS;
10477 
10478 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
10479 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
10480 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
10481 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
10482 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
10483 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
10484 		    tcp->payload_len, tcp->payload) ||
10485 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
10486 			tcp->data_interval) ||
10487 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
10488 		    tcp->wake_len, tcp->wake_data) ||
10489 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
10490 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
10491 		return -ENOBUFS;
10492 
10493 	if (tcp->payload_seq.len &&
10494 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
10495 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
10496 		return -ENOBUFS;
10497 
10498 	if (tcp->payload_tok.len &&
10499 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
10500 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
10501 		    &tcp->payload_tok))
10502 		return -ENOBUFS;
10503 
10504 	nla_nest_end(msg, nl_tcp);
10505 
10506 	return 0;
10507 }
10508 
10509 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
10510 				  struct cfg80211_sched_scan_request *req)
10511 {
10512 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
10513 	int i;
10514 
10515 	if (!req)
10516 		return 0;
10517 
10518 	nd = nla_nest_start(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
10519 	if (!nd)
10520 		return -ENOBUFS;
10521 
10522 	if (req->n_scan_plans == 1 &&
10523 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
10524 			req->scan_plans[0].interval * 1000))
10525 		return -ENOBUFS;
10526 
10527 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
10528 		return -ENOBUFS;
10529 
10530 	if (req->relative_rssi_set) {
10531 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
10532 
10533 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
10534 			       req->relative_rssi))
10535 			return -ENOBUFS;
10536 
10537 		rssi_adjust.band = req->rssi_adjust.band;
10538 		rssi_adjust.delta = req->rssi_adjust.delta;
10539 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
10540 			    sizeof(rssi_adjust), &rssi_adjust))
10541 			return -ENOBUFS;
10542 	}
10543 
10544 	freqs = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
10545 	if (!freqs)
10546 		return -ENOBUFS;
10547 
10548 	for (i = 0; i < req->n_channels; i++) {
10549 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
10550 			return -ENOBUFS;
10551 	}
10552 
10553 	nla_nest_end(msg, freqs);
10554 
10555 	if (req->n_match_sets) {
10556 		matches = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_MATCH);
10557 		if (!matches)
10558 			return -ENOBUFS;
10559 
10560 		for (i = 0; i < req->n_match_sets; i++) {
10561 			match = nla_nest_start(msg, i);
10562 			if (!match)
10563 				return -ENOBUFS;
10564 
10565 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
10566 				    req->match_sets[i].ssid.ssid_len,
10567 				    req->match_sets[i].ssid.ssid))
10568 				return -ENOBUFS;
10569 			nla_nest_end(msg, match);
10570 		}
10571 		nla_nest_end(msg, matches);
10572 	}
10573 
10574 	scan_plans = nla_nest_start(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
10575 	if (!scan_plans)
10576 		return -ENOBUFS;
10577 
10578 	for (i = 0; i < req->n_scan_plans; i++) {
10579 		scan_plan = nla_nest_start(msg, i + 1);
10580 		if (!scan_plan)
10581 			return -ENOBUFS;
10582 
10583 		if (!scan_plan ||
10584 		    nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
10585 				req->scan_plans[i].interval) ||
10586 		    (req->scan_plans[i].iterations &&
10587 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
10588 				 req->scan_plans[i].iterations)))
10589 			return -ENOBUFS;
10590 		nla_nest_end(msg, scan_plan);
10591 	}
10592 	nla_nest_end(msg, scan_plans);
10593 
10594 	nla_nest_end(msg, nd);
10595 
10596 	return 0;
10597 }
10598 
10599 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
10600 {
10601 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10602 	struct sk_buff *msg;
10603 	void *hdr;
10604 	u32 size = NLMSG_DEFAULT_SIZE;
10605 
10606 	if (!rdev->wiphy.wowlan)
10607 		return -EOPNOTSUPP;
10608 
10609 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
10610 		/* adjust size to have room for all the data */
10611 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
10612 			rdev->wiphy.wowlan_config->tcp->payload_len +
10613 			rdev->wiphy.wowlan_config->tcp->wake_len +
10614 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
10615 	}
10616 
10617 	msg = nlmsg_new(size, GFP_KERNEL);
10618 	if (!msg)
10619 		return -ENOMEM;
10620 
10621 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10622 			     NL80211_CMD_GET_WOWLAN);
10623 	if (!hdr)
10624 		goto nla_put_failure;
10625 
10626 	if (rdev->wiphy.wowlan_config) {
10627 		struct nlattr *nl_wowlan;
10628 
10629 		nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
10630 		if (!nl_wowlan)
10631 			goto nla_put_failure;
10632 
10633 		if ((rdev->wiphy.wowlan_config->any &&
10634 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
10635 		    (rdev->wiphy.wowlan_config->disconnect &&
10636 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
10637 		    (rdev->wiphy.wowlan_config->magic_pkt &&
10638 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
10639 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
10640 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
10641 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
10642 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
10643 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
10644 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
10645 		    (rdev->wiphy.wowlan_config->rfkill_release &&
10646 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
10647 			goto nla_put_failure;
10648 
10649 		if (nl80211_send_wowlan_patterns(msg, rdev))
10650 			goto nla_put_failure;
10651 
10652 		if (nl80211_send_wowlan_tcp(msg,
10653 					    rdev->wiphy.wowlan_config->tcp))
10654 			goto nla_put_failure;
10655 
10656 		if (nl80211_send_wowlan_nd(
10657 			    msg,
10658 			    rdev->wiphy.wowlan_config->nd_config))
10659 			goto nla_put_failure;
10660 
10661 		nla_nest_end(msg, nl_wowlan);
10662 	}
10663 
10664 	genlmsg_end(msg, hdr);
10665 	return genlmsg_reply(msg, info);
10666 
10667 nla_put_failure:
10668 	nlmsg_free(msg);
10669 	return -ENOBUFS;
10670 }
10671 
10672 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
10673 				    struct nlattr *attr,
10674 				    struct cfg80211_wowlan *trig)
10675 {
10676 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
10677 	struct cfg80211_wowlan_tcp *cfg;
10678 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
10679 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
10680 	u32 size;
10681 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
10682 	int err, port;
10683 
10684 	if (!rdev->wiphy.wowlan->tcp)
10685 		return -EINVAL;
10686 
10687 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TCP, attr,
10688 			       nl80211_wowlan_tcp_policy, NULL);
10689 	if (err)
10690 		return err;
10691 
10692 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
10693 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
10694 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
10695 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
10696 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
10697 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
10698 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
10699 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
10700 		return -EINVAL;
10701 
10702 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
10703 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
10704 		return -EINVAL;
10705 
10706 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
10707 			rdev->wiphy.wowlan->tcp->data_interval_max ||
10708 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
10709 		return -EINVAL;
10710 
10711 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
10712 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
10713 		return -EINVAL;
10714 
10715 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
10716 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
10717 		return -EINVAL;
10718 
10719 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
10720 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10721 
10722 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
10723 		tokens_size = tokln - sizeof(*tok);
10724 
10725 		if (!tok->len || tokens_size % tok->len)
10726 			return -EINVAL;
10727 		if (!rdev->wiphy.wowlan->tcp->tok)
10728 			return -EINVAL;
10729 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
10730 			return -EINVAL;
10731 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
10732 			return -EINVAL;
10733 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
10734 			return -EINVAL;
10735 		if (tok->offset + tok->len > data_size)
10736 			return -EINVAL;
10737 	}
10738 
10739 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
10740 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
10741 		if (!rdev->wiphy.wowlan->tcp->seq)
10742 			return -EINVAL;
10743 		if (seq->len == 0 || seq->len > 4)
10744 			return -EINVAL;
10745 		if (seq->len + seq->offset > data_size)
10746 			return -EINVAL;
10747 	}
10748 
10749 	size = sizeof(*cfg);
10750 	size += data_size;
10751 	size += wake_size + wake_mask_size;
10752 	size += tokens_size;
10753 
10754 	cfg = kzalloc(size, GFP_KERNEL);
10755 	if (!cfg)
10756 		return -ENOMEM;
10757 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
10758 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
10759 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
10760 	       ETH_ALEN);
10761 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
10762 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
10763 	else
10764 		port = 0;
10765 #ifdef CONFIG_INET
10766 	/* allocate a socket and port for it and use it */
10767 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
10768 			    IPPROTO_TCP, &cfg->sock, 1);
10769 	if (err) {
10770 		kfree(cfg);
10771 		return err;
10772 	}
10773 	if (inet_csk_get_port(cfg->sock->sk, port)) {
10774 		sock_release(cfg->sock);
10775 		kfree(cfg);
10776 		return -EADDRINUSE;
10777 	}
10778 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
10779 #else
10780 	if (!port) {
10781 		kfree(cfg);
10782 		return -EINVAL;
10783 	}
10784 	cfg->src_port = port;
10785 #endif
10786 
10787 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
10788 	cfg->payload_len = data_size;
10789 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
10790 	memcpy((void *)cfg->payload,
10791 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
10792 	       data_size);
10793 	if (seq)
10794 		cfg->payload_seq = *seq;
10795 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
10796 	cfg->wake_len = wake_size;
10797 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
10798 	memcpy((void *)cfg->wake_data,
10799 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
10800 	       wake_size);
10801 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
10802 			 data_size + wake_size;
10803 	memcpy((void *)cfg->wake_mask,
10804 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
10805 	       wake_mask_size);
10806 	if (tok) {
10807 		cfg->tokens_size = tokens_size;
10808 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
10809 	}
10810 
10811 	trig->tcp = cfg;
10812 
10813 	return 0;
10814 }
10815 
10816 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
10817 				   const struct wiphy_wowlan_support *wowlan,
10818 				   struct nlattr *attr,
10819 				   struct cfg80211_wowlan *trig)
10820 {
10821 	struct nlattr **tb;
10822 	int err;
10823 
10824 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
10825 	if (!tb)
10826 		return -ENOMEM;
10827 
10828 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
10829 		err = -EOPNOTSUPP;
10830 		goto out;
10831 	}
10832 
10833 	err = nla_parse_nested(tb, NL80211_ATTR_MAX, attr, nl80211_policy,
10834 			       NULL);
10835 	if (err)
10836 		goto out;
10837 
10838 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
10839 						   wowlan->max_nd_match_sets);
10840 	err = PTR_ERR_OR_ZERO(trig->nd_config);
10841 	if (err)
10842 		trig->nd_config = NULL;
10843 
10844 out:
10845 	kfree(tb);
10846 	return err;
10847 }
10848 
10849 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
10850 {
10851 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10852 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
10853 	struct cfg80211_wowlan new_triggers = {};
10854 	struct cfg80211_wowlan *ntrig;
10855 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
10856 	int err, i;
10857 	bool prev_enabled = rdev->wiphy.wowlan_config;
10858 	bool regular = false;
10859 
10860 	if (!wowlan)
10861 		return -EOPNOTSUPP;
10862 
10863 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
10864 		cfg80211_rdev_free_wowlan(rdev);
10865 		rdev->wiphy.wowlan_config = NULL;
10866 		goto set_wakeup;
10867 	}
10868 
10869 	err = nla_parse_nested(tb, MAX_NL80211_WOWLAN_TRIG,
10870 			       info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
10871 			       nl80211_wowlan_policy, info->extack);
10872 	if (err)
10873 		return err;
10874 
10875 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
10876 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
10877 			return -EINVAL;
10878 		new_triggers.any = true;
10879 	}
10880 
10881 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
10882 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
10883 			return -EINVAL;
10884 		new_triggers.disconnect = true;
10885 		regular = true;
10886 	}
10887 
10888 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
10889 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
10890 			return -EINVAL;
10891 		new_triggers.magic_pkt = true;
10892 		regular = true;
10893 	}
10894 
10895 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
10896 		return -EINVAL;
10897 
10898 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
10899 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
10900 			return -EINVAL;
10901 		new_triggers.gtk_rekey_failure = true;
10902 		regular = true;
10903 	}
10904 
10905 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
10906 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
10907 			return -EINVAL;
10908 		new_triggers.eap_identity_req = true;
10909 		regular = true;
10910 	}
10911 
10912 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
10913 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
10914 			return -EINVAL;
10915 		new_triggers.four_way_handshake = true;
10916 		regular = true;
10917 	}
10918 
10919 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
10920 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
10921 			return -EINVAL;
10922 		new_triggers.rfkill_release = true;
10923 		regular = true;
10924 	}
10925 
10926 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
10927 		struct nlattr *pat;
10928 		int n_patterns = 0;
10929 		int rem, pat_len, mask_len, pkt_offset;
10930 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
10931 
10932 		regular = true;
10933 
10934 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
10935 				    rem)
10936 			n_patterns++;
10937 		if (n_patterns > wowlan->n_patterns)
10938 			return -EINVAL;
10939 
10940 		new_triggers.patterns = kcalloc(n_patterns,
10941 						sizeof(new_triggers.patterns[0]),
10942 						GFP_KERNEL);
10943 		if (!new_triggers.patterns)
10944 			return -ENOMEM;
10945 
10946 		new_triggers.n_patterns = n_patterns;
10947 		i = 0;
10948 
10949 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
10950 				    rem) {
10951 			u8 *mask_pat;
10952 
10953 			err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
10954 					       nl80211_packet_pattern_policy,
10955 					       info->extack);
10956 			if (err)
10957 				goto error;
10958 
10959 			err = -EINVAL;
10960 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
10961 			    !pat_tb[NL80211_PKTPAT_PATTERN])
10962 				goto error;
10963 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
10964 			mask_len = DIV_ROUND_UP(pat_len, 8);
10965 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
10966 				goto error;
10967 			if (pat_len > wowlan->pattern_max_len ||
10968 			    pat_len < wowlan->pattern_min_len)
10969 				goto error;
10970 
10971 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
10972 				pkt_offset = 0;
10973 			else
10974 				pkt_offset = nla_get_u32(
10975 					pat_tb[NL80211_PKTPAT_OFFSET]);
10976 			if (pkt_offset > wowlan->max_pkt_offset)
10977 				goto error;
10978 			new_triggers.patterns[i].pkt_offset = pkt_offset;
10979 
10980 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
10981 			if (!mask_pat) {
10982 				err = -ENOMEM;
10983 				goto error;
10984 			}
10985 			new_triggers.patterns[i].mask = mask_pat;
10986 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
10987 			       mask_len);
10988 			mask_pat += mask_len;
10989 			new_triggers.patterns[i].pattern = mask_pat;
10990 			new_triggers.patterns[i].pattern_len = pat_len;
10991 			memcpy(mask_pat,
10992 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
10993 			       pat_len);
10994 			i++;
10995 		}
10996 	}
10997 
10998 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
10999 		regular = true;
11000 		err = nl80211_parse_wowlan_tcp(
11001 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11002 			&new_triggers);
11003 		if (err)
11004 			goto error;
11005 	}
11006 
11007 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11008 		regular = true;
11009 		err = nl80211_parse_wowlan_nd(
11010 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11011 			&new_triggers);
11012 		if (err)
11013 			goto error;
11014 	}
11015 
11016 	/* The 'any' trigger means the device continues operating more or less
11017 	 * as in its normal operation mode and wakes up the host on most of the
11018 	 * normal interrupts (like packet RX, ...)
11019 	 * It therefore makes little sense to combine with the more constrained
11020 	 * wakeup trigger modes.
11021 	 */
11022 	if (new_triggers.any && regular) {
11023 		err = -EINVAL;
11024 		goto error;
11025 	}
11026 
11027 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11028 	if (!ntrig) {
11029 		err = -ENOMEM;
11030 		goto error;
11031 	}
11032 	cfg80211_rdev_free_wowlan(rdev);
11033 	rdev->wiphy.wowlan_config = ntrig;
11034 
11035  set_wakeup:
11036 	if (rdev->ops->set_wakeup &&
11037 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11038 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11039 
11040 	return 0;
11041  error:
11042 	for (i = 0; i < new_triggers.n_patterns; i++)
11043 		kfree(new_triggers.patterns[i].mask);
11044 	kfree(new_triggers.patterns);
11045 	if (new_triggers.tcp && new_triggers.tcp->sock)
11046 		sock_release(new_triggers.tcp->sock);
11047 	kfree(new_triggers.tcp);
11048 	kfree(new_triggers.nd_config);
11049 	return err;
11050 }
11051 #endif
11052 
11053 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
11054 				       struct cfg80211_registered_device *rdev)
11055 {
11056 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
11057 	int i, j, pat_len;
11058 	struct cfg80211_coalesce_rules *rule;
11059 
11060 	if (!rdev->coalesce->n_rules)
11061 		return 0;
11062 
11063 	nl_rules = nla_nest_start(msg, NL80211_ATTR_COALESCE_RULE);
11064 	if (!nl_rules)
11065 		return -ENOBUFS;
11066 
11067 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
11068 		nl_rule = nla_nest_start(msg, i + 1);
11069 		if (!nl_rule)
11070 			return -ENOBUFS;
11071 
11072 		rule = &rdev->coalesce->rules[i];
11073 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
11074 				rule->delay))
11075 			return -ENOBUFS;
11076 
11077 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
11078 				rule->condition))
11079 			return -ENOBUFS;
11080 
11081 		nl_pats = nla_nest_start(msg,
11082 				NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
11083 		if (!nl_pats)
11084 			return -ENOBUFS;
11085 
11086 		for (j = 0; j < rule->n_patterns; j++) {
11087 			nl_pat = nla_nest_start(msg, j + 1);
11088 			if (!nl_pat)
11089 				return -ENOBUFS;
11090 			pat_len = rule->patterns[j].pattern_len;
11091 			if (nla_put(msg, NL80211_PKTPAT_MASK,
11092 				    DIV_ROUND_UP(pat_len, 8),
11093 				    rule->patterns[j].mask) ||
11094 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11095 				    rule->patterns[j].pattern) ||
11096 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11097 					rule->patterns[j].pkt_offset))
11098 				return -ENOBUFS;
11099 			nla_nest_end(msg, nl_pat);
11100 		}
11101 		nla_nest_end(msg, nl_pats);
11102 		nla_nest_end(msg, nl_rule);
11103 	}
11104 	nla_nest_end(msg, nl_rules);
11105 
11106 	return 0;
11107 }
11108 
11109 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
11110 {
11111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11112 	struct sk_buff *msg;
11113 	void *hdr;
11114 
11115 	if (!rdev->wiphy.coalesce)
11116 		return -EOPNOTSUPP;
11117 
11118 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11119 	if (!msg)
11120 		return -ENOMEM;
11121 
11122 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11123 			     NL80211_CMD_GET_COALESCE);
11124 	if (!hdr)
11125 		goto nla_put_failure;
11126 
11127 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
11128 		goto nla_put_failure;
11129 
11130 	genlmsg_end(msg, hdr);
11131 	return genlmsg_reply(msg, info);
11132 
11133 nla_put_failure:
11134 	nlmsg_free(msg);
11135 	return -ENOBUFS;
11136 }
11137 
11138 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
11139 {
11140 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
11141 	int i, j;
11142 	struct cfg80211_coalesce_rules *rule;
11143 
11144 	if (!coalesce)
11145 		return;
11146 
11147 	for (i = 0; i < coalesce->n_rules; i++) {
11148 		rule = &coalesce->rules[i];
11149 		for (j = 0; j < rule->n_patterns; j++)
11150 			kfree(rule->patterns[j].mask);
11151 		kfree(rule->patterns);
11152 	}
11153 	kfree(coalesce->rules);
11154 	kfree(coalesce);
11155 	rdev->coalesce = NULL;
11156 }
11157 
11158 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
11159 				       struct nlattr *rule,
11160 				       struct cfg80211_coalesce_rules *new_rule)
11161 {
11162 	int err, i;
11163 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11164 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
11165 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
11166 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11167 
11168 	err = nla_parse_nested(tb, NL80211_ATTR_COALESCE_RULE_MAX, rule,
11169 			       nl80211_coalesce_policy, NULL);
11170 	if (err)
11171 		return err;
11172 
11173 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
11174 		new_rule->delay =
11175 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
11176 	if (new_rule->delay > coalesce->max_delay)
11177 		return -EINVAL;
11178 
11179 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
11180 		new_rule->condition =
11181 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
11182 	if (new_rule->condition != NL80211_COALESCE_CONDITION_MATCH &&
11183 	    new_rule->condition != NL80211_COALESCE_CONDITION_NO_MATCH)
11184 		return -EINVAL;
11185 
11186 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
11187 		return -EINVAL;
11188 
11189 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11190 			    rem)
11191 		n_patterns++;
11192 	if (n_patterns > coalesce->n_patterns)
11193 		return -EINVAL;
11194 
11195 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
11196 				     GFP_KERNEL);
11197 	if (!new_rule->patterns)
11198 		return -ENOMEM;
11199 
11200 	new_rule->n_patterns = n_patterns;
11201 	i = 0;
11202 
11203 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
11204 			    rem) {
11205 		u8 *mask_pat;
11206 
11207 		err = nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
11208 				       nl80211_packet_pattern_policy, NULL);
11209 		if (err)
11210 			return err;
11211 
11212 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
11213 		    !pat_tb[NL80211_PKTPAT_PATTERN])
11214 			return -EINVAL;
11215 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11216 		mask_len = DIV_ROUND_UP(pat_len, 8);
11217 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11218 			return -EINVAL;
11219 		if (pat_len > coalesce->pattern_max_len ||
11220 		    pat_len < coalesce->pattern_min_len)
11221 			return -EINVAL;
11222 
11223 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
11224 			pkt_offset = 0;
11225 		else
11226 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
11227 		if (pkt_offset > coalesce->max_pkt_offset)
11228 			return -EINVAL;
11229 		new_rule->patterns[i].pkt_offset = pkt_offset;
11230 
11231 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11232 		if (!mask_pat)
11233 			return -ENOMEM;
11234 
11235 		new_rule->patterns[i].mask = mask_pat;
11236 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11237 		       mask_len);
11238 
11239 		mask_pat += mask_len;
11240 		new_rule->patterns[i].pattern = mask_pat;
11241 		new_rule->patterns[i].pattern_len = pat_len;
11242 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11243 		       pat_len);
11244 		i++;
11245 	}
11246 
11247 	return 0;
11248 }
11249 
11250 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
11251 {
11252 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11253 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
11254 	struct cfg80211_coalesce new_coalesce = {};
11255 	struct cfg80211_coalesce *n_coalesce;
11256 	int err, rem_rule, n_rules = 0, i, j;
11257 	struct nlattr *rule;
11258 	struct cfg80211_coalesce_rules *tmp_rule;
11259 
11260 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
11261 		return -EOPNOTSUPP;
11262 
11263 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
11264 		cfg80211_rdev_free_coalesce(rdev);
11265 		rdev_set_coalesce(rdev, NULL);
11266 		return 0;
11267 	}
11268 
11269 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11270 			    rem_rule)
11271 		n_rules++;
11272 	if (n_rules > coalesce->n_rules)
11273 		return -EINVAL;
11274 
11275 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
11276 				     GFP_KERNEL);
11277 	if (!new_coalesce.rules)
11278 		return -ENOMEM;
11279 
11280 	new_coalesce.n_rules = n_rules;
11281 	i = 0;
11282 
11283 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
11284 			    rem_rule) {
11285 		err = nl80211_parse_coalesce_rule(rdev, rule,
11286 						  &new_coalesce.rules[i]);
11287 		if (err)
11288 			goto error;
11289 
11290 		i++;
11291 	}
11292 
11293 	err = rdev_set_coalesce(rdev, &new_coalesce);
11294 	if (err)
11295 		goto error;
11296 
11297 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
11298 	if (!n_coalesce) {
11299 		err = -ENOMEM;
11300 		goto error;
11301 	}
11302 	cfg80211_rdev_free_coalesce(rdev);
11303 	rdev->coalesce = n_coalesce;
11304 
11305 	return 0;
11306 error:
11307 	for (i = 0; i < new_coalesce.n_rules; i++) {
11308 		tmp_rule = &new_coalesce.rules[i];
11309 		for (j = 0; j < tmp_rule->n_patterns; j++)
11310 			kfree(tmp_rule->patterns[j].mask);
11311 		kfree(tmp_rule->patterns);
11312 	}
11313 	kfree(new_coalesce.rules);
11314 
11315 	return err;
11316 }
11317 
11318 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
11319 {
11320 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11321 	struct net_device *dev = info->user_ptr[1];
11322 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11323 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
11324 	struct cfg80211_gtk_rekey_data rekey_data;
11325 	int err;
11326 
11327 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
11328 		return -EINVAL;
11329 
11330 	err = nla_parse_nested(tb, MAX_NL80211_REKEY_DATA,
11331 			       info->attrs[NL80211_ATTR_REKEY_DATA],
11332 			       nl80211_rekey_policy, info->extack);
11333 	if (err)
11334 		return err;
11335 
11336 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
11337 	    !tb[NL80211_REKEY_DATA_KCK])
11338 		return -EINVAL;
11339 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
11340 		return -ERANGE;
11341 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
11342 		return -ERANGE;
11343 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
11344 		return -ERANGE;
11345 
11346 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
11347 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
11348 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
11349 
11350 	wdev_lock(wdev);
11351 	if (!wdev->current_bss) {
11352 		err = -ENOTCONN;
11353 		goto out;
11354 	}
11355 
11356 	if (!rdev->ops->set_rekey_data) {
11357 		err = -EOPNOTSUPP;
11358 		goto out;
11359 	}
11360 
11361 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
11362  out:
11363 	wdev_unlock(wdev);
11364 	return err;
11365 }
11366 
11367 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
11368 					     struct genl_info *info)
11369 {
11370 	struct net_device *dev = info->user_ptr[1];
11371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11372 
11373 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11374 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11375 		return -EINVAL;
11376 
11377 	if (wdev->ap_unexpected_nlportid)
11378 		return -EBUSY;
11379 
11380 	wdev->ap_unexpected_nlportid = info->snd_portid;
11381 	return 0;
11382 }
11383 
11384 static int nl80211_probe_client(struct sk_buff *skb,
11385 				struct genl_info *info)
11386 {
11387 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11388 	struct net_device *dev = info->user_ptr[1];
11389 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11390 	struct sk_buff *msg;
11391 	void *hdr;
11392 	const u8 *addr;
11393 	u64 cookie;
11394 	int err;
11395 
11396 	if (wdev->iftype != NL80211_IFTYPE_AP &&
11397 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
11398 		return -EOPNOTSUPP;
11399 
11400 	if (!info->attrs[NL80211_ATTR_MAC])
11401 		return -EINVAL;
11402 
11403 	if (!rdev->ops->probe_client)
11404 		return -EOPNOTSUPP;
11405 
11406 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11407 	if (!msg)
11408 		return -ENOMEM;
11409 
11410 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11411 			     NL80211_CMD_PROBE_CLIENT);
11412 	if (!hdr) {
11413 		err = -ENOBUFS;
11414 		goto free_msg;
11415 	}
11416 
11417 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
11418 
11419 	err = rdev_probe_client(rdev, dev, addr, &cookie);
11420 	if (err)
11421 		goto free_msg;
11422 
11423 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11424 			      NL80211_ATTR_PAD))
11425 		goto nla_put_failure;
11426 
11427 	genlmsg_end(msg, hdr);
11428 
11429 	return genlmsg_reply(msg, info);
11430 
11431  nla_put_failure:
11432 	err = -ENOBUFS;
11433  free_msg:
11434 	nlmsg_free(msg);
11435 	return err;
11436 }
11437 
11438 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
11439 {
11440 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11441 	struct cfg80211_beacon_registration *reg, *nreg;
11442 	int rv;
11443 
11444 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
11445 		return -EOPNOTSUPP;
11446 
11447 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
11448 	if (!nreg)
11449 		return -ENOMEM;
11450 
11451 	/* First, check if already registered. */
11452 	spin_lock_bh(&rdev->beacon_registrations_lock);
11453 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
11454 		if (reg->nlportid == info->snd_portid) {
11455 			rv = -EALREADY;
11456 			goto out_err;
11457 		}
11458 	}
11459 	/* Add it to the list */
11460 	nreg->nlportid = info->snd_portid;
11461 	list_add(&nreg->list, &rdev->beacon_registrations);
11462 
11463 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11464 
11465 	return 0;
11466 out_err:
11467 	spin_unlock_bh(&rdev->beacon_registrations_lock);
11468 	kfree(nreg);
11469 	return rv;
11470 }
11471 
11472 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
11473 {
11474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11475 	struct wireless_dev *wdev = info->user_ptr[1];
11476 	int err;
11477 
11478 	if (!rdev->ops->start_p2p_device)
11479 		return -EOPNOTSUPP;
11480 
11481 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11482 		return -EOPNOTSUPP;
11483 
11484 	if (wdev_running(wdev))
11485 		return 0;
11486 
11487 	if (rfkill_blocked(rdev->rfkill))
11488 		return -ERFKILL;
11489 
11490 	err = rdev_start_p2p_device(rdev, wdev);
11491 	if (err)
11492 		return err;
11493 
11494 	wdev->is_running = true;
11495 	rdev->opencount++;
11496 
11497 	return 0;
11498 }
11499 
11500 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
11501 {
11502 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11503 	struct wireless_dev *wdev = info->user_ptr[1];
11504 
11505 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
11506 		return -EOPNOTSUPP;
11507 
11508 	if (!rdev->ops->stop_p2p_device)
11509 		return -EOPNOTSUPP;
11510 
11511 	cfg80211_stop_p2p_device(rdev, wdev);
11512 
11513 	return 0;
11514 }
11515 
11516 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
11517 {
11518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11519 	struct wireless_dev *wdev = info->user_ptr[1];
11520 	struct cfg80211_nan_conf conf = {};
11521 	int err;
11522 
11523 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11524 		return -EOPNOTSUPP;
11525 
11526 	if (wdev_running(wdev))
11527 		return -EEXIST;
11528 
11529 	if (rfkill_blocked(rdev->rfkill))
11530 		return -ERFKILL;
11531 
11532 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
11533 		return -EINVAL;
11534 
11535 	conf.master_pref =
11536 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11537 	if (!conf.master_pref)
11538 		return -EINVAL;
11539 
11540 	if (info->attrs[NL80211_ATTR_BANDS]) {
11541 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
11542 
11543 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
11544 			return -EOPNOTSUPP;
11545 
11546 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
11547 			return -EINVAL;
11548 
11549 		conf.bands = bands;
11550 	}
11551 
11552 	err = rdev_start_nan(rdev, wdev, &conf);
11553 	if (err)
11554 		return err;
11555 
11556 	wdev->is_running = true;
11557 	rdev->opencount++;
11558 
11559 	return 0;
11560 }
11561 
11562 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
11563 {
11564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11565 	struct wireless_dev *wdev = info->user_ptr[1];
11566 
11567 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11568 		return -EOPNOTSUPP;
11569 
11570 	cfg80211_stop_nan(rdev, wdev);
11571 
11572 	return 0;
11573 }
11574 
11575 static int validate_nan_filter(struct nlattr *filter_attr)
11576 {
11577 	struct nlattr *attr;
11578 	int len = 0, n_entries = 0, rem;
11579 
11580 	nla_for_each_nested(attr, filter_attr, rem) {
11581 		len += nla_len(attr);
11582 		n_entries++;
11583 	}
11584 
11585 	if (len >= U8_MAX)
11586 		return -EINVAL;
11587 
11588 	return n_entries;
11589 }
11590 
11591 static int handle_nan_filter(struct nlattr *attr_filter,
11592 			     struct cfg80211_nan_func *func,
11593 			     bool tx)
11594 {
11595 	struct nlattr *attr;
11596 	int n_entries, rem, i;
11597 	struct cfg80211_nan_func_filter *filter;
11598 
11599 	n_entries = validate_nan_filter(attr_filter);
11600 	if (n_entries < 0)
11601 		return n_entries;
11602 
11603 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
11604 
11605 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
11606 	if (!filter)
11607 		return -ENOMEM;
11608 
11609 	i = 0;
11610 	nla_for_each_nested(attr, attr_filter, rem) {
11611 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
11612 		filter[i].len = nla_len(attr);
11613 		i++;
11614 	}
11615 	if (tx) {
11616 		func->num_tx_filters = n_entries;
11617 		func->tx_filters = filter;
11618 	} else {
11619 		func->num_rx_filters = n_entries;
11620 		func->rx_filters = filter;
11621 	}
11622 
11623 	return 0;
11624 }
11625 
11626 static int nl80211_nan_add_func(struct sk_buff *skb,
11627 				struct genl_info *info)
11628 {
11629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11630 	struct wireless_dev *wdev = info->user_ptr[1];
11631 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
11632 	struct cfg80211_nan_func *func;
11633 	struct sk_buff *msg = NULL;
11634 	void *hdr = NULL;
11635 	int err = 0;
11636 
11637 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11638 		return -EOPNOTSUPP;
11639 
11640 	if (!wdev_running(wdev))
11641 		return -ENOTCONN;
11642 
11643 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
11644 		return -EINVAL;
11645 
11646 	err = nla_parse_nested(tb, NL80211_NAN_FUNC_ATTR_MAX,
11647 			       info->attrs[NL80211_ATTR_NAN_FUNC],
11648 			       nl80211_nan_func_policy, info->extack);
11649 	if (err)
11650 		return err;
11651 
11652 	func = kzalloc(sizeof(*func), GFP_KERNEL);
11653 	if (!func)
11654 		return -ENOMEM;
11655 
11656 	func->cookie = wdev->wiphy->cookie_counter++;
11657 
11658 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
11659 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
11660 		err = -EINVAL;
11661 		goto out;
11662 	}
11663 
11664 
11665 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
11666 
11667 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
11668 		err = -EINVAL;
11669 		goto out;
11670 	}
11671 
11672 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
11673 	       sizeof(func->service_id));
11674 
11675 	func->close_range =
11676 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
11677 
11678 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
11679 		func->serv_spec_info_len =
11680 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
11681 		func->serv_spec_info =
11682 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
11683 				func->serv_spec_info_len,
11684 				GFP_KERNEL);
11685 		if (!func->serv_spec_info) {
11686 			err = -ENOMEM;
11687 			goto out;
11688 		}
11689 	}
11690 
11691 	if (tb[NL80211_NAN_FUNC_TTL])
11692 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
11693 
11694 	switch (func->type) {
11695 	case NL80211_NAN_FUNC_PUBLISH:
11696 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
11697 			err = -EINVAL;
11698 			goto out;
11699 		}
11700 
11701 		func->publish_type =
11702 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
11703 		func->publish_bcast =
11704 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
11705 
11706 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
11707 			func->publish_bcast) {
11708 			err = -EINVAL;
11709 			goto out;
11710 		}
11711 		break;
11712 	case NL80211_NAN_FUNC_SUBSCRIBE:
11713 		func->subscribe_active =
11714 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
11715 		break;
11716 	case NL80211_NAN_FUNC_FOLLOW_UP:
11717 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
11718 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
11719 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
11720 			err = -EINVAL;
11721 			goto out;
11722 		}
11723 
11724 		func->followup_id =
11725 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
11726 		func->followup_reqid =
11727 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
11728 		memcpy(func->followup_dest.addr,
11729 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
11730 		       sizeof(func->followup_dest.addr));
11731 		if (func->ttl) {
11732 			err = -EINVAL;
11733 			goto out;
11734 		}
11735 		break;
11736 	default:
11737 		err = -EINVAL;
11738 		goto out;
11739 	}
11740 
11741 	if (tb[NL80211_NAN_FUNC_SRF]) {
11742 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
11743 
11744 		err = nla_parse_nested(srf_tb, NL80211_NAN_SRF_ATTR_MAX,
11745 				       tb[NL80211_NAN_FUNC_SRF],
11746 				       nl80211_nan_srf_policy, info->extack);
11747 		if (err)
11748 			goto out;
11749 
11750 		func->srf_include =
11751 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
11752 
11753 		if (srf_tb[NL80211_NAN_SRF_BF]) {
11754 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
11755 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
11756 				err = -EINVAL;
11757 				goto out;
11758 			}
11759 
11760 			func->srf_bf_len =
11761 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
11762 			func->srf_bf =
11763 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
11764 					func->srf_bf_len, GFP_KERNEL);
11765 			if (!func->srf_bf) {
11766 				err = -ENOMEM;
11767 				goto out;
11768 			}
11769 
11770 			func->srf_bf_idx =
11771 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
11772 		} else {
11773 			struct nlattr *attr, *mac_attr =
11774 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
11775 			int n_entries, rem, i = 0;
11776 
11777 			if (!mac_attr) {
11778 				err = -EINVAL;
11779 				goto out;
11780 			}
11781 
11782 			n_entries = validate_acl_mac_addrs(mac_attr);
11783 			if (n_entries <= 0) {
11784 				err = -EINVAL;
11785 				goto out;
11786 			}
11787 
11788 			func->srf_num_macs = n_entries;
11789 			func->srf_macs =
11790 				kcalloc(n_entries, sizeof(*func->srf_macs),
11791 					GFP_KERNEL);
11792 			if (!func->srf_macs) {
11793 				err = -ENOMEM;
11794 				goto out;
11795 			}
11796 
11797 			nla_for_each_nested(attr, mac_attr, rem)
11798 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
11799 				       sizeof(*func->srf_macs));
11800 		}
11801 	}
11802 
11803 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
11804 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
11805 					func, true);
11806 		if (err)
11807 			goto out;
11808 	}
11809 
11810 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
11811 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
11812 					func, false);
11813 		if (err)
11814 			goto out;
11815 	}
11816 
11817 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11818 	if (!msg) {
11819 		err = -ENOMEM;
11820 		goto out;
11821 	}
11822 
11823 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11824 			     NL80211_CMD_ADD_NAN_FUNCTION);
11825 	/* This can't really happen - we just allocated 4KB */
11826 	if (WARN_ON(!hdr)) {
11827 		err = -ENOMEM;
11828 		goto out;
11829 	}
11830 
11831 	err = rdev_add_nan_func(rdev, wdev, func);
11832 out:
11833 	if (err < 0) {
11834 		cfg80211_free_nan_func(func);
11835 		nlmsg_free(msg);
11836 		return err;
11837 	}
11838 
11839 	/* propagate the instance id and cookie to userspace  */
11840 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
11841 			      NL80211_ATTR_PAD))
11842 		goto nla_put_failure;
11843 
11844 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
11845 	if (!func_attr)
11846 		goto nla_put_failure;
11847 
11848 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
11849 		       func->instance_id))
11850 		goto nla_put_failure;
11851 
11852 	nla_nest_end(msg, func_attr);
11853 
11854 	genlmsg_end(msg, hdr);
11855 	return genlmsg_reply(msg, info);
11856 
11857 nla_put_failure:
11858 	nlmsg_free(msg);
11859 	return -ENOBUFS;
11860 }
11861 
11862 static int nl80211_nan_del_func(struct sk_buff *skb,
11863 			       struct genl_info *info)
11864 {
11865 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11866 	struct wireless_dev *wdev = info->user_ptr[1];
11867 	u64 cookie;
11868 
11869 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11870 		return -EOPNOTSUPP;
11871 
11872 	if (!wdev_running(wdev))
11873 		return -ENOTCONN;
11874 
11875 	if (!info->attrs[NL80211_ATTR_COOKIE])
11876 		return -EINVAL;
11877 
11878 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11879 
11880 	rdev_del_nan_func(rdev, wdev, cookie);
11881 
11882 	return 0;
11883 }
11884 
11885 static int nl80211_nan_change_config(struct sk_buff *skb,
11886 				     struct genl_info *info)
11887 {
11888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11889 	struct wireless_dev *wdev = info->user_ptr[1];
11890 	struct cfg80211_nan_conf conf = {};
11891 	u32 changed = 0;
11892 
11893 	if (wdev->iftype != NL80211_IFTYPE_NAN)
11894 		return -EOPNOTSUPP;
11895 
11896 	if (!wdev_running(wdev))
11897 		return -ENOTCONN;
11898 
11899 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
11900 		conf.master_pref =
11901 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
11902 		if (conf.master_pref <= 1 || conf.master_pref == 255)
11903 			return -EINVAL;
11904 
11905 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
11906 	}
11907 
11908 	if (info->attrs[NL80211_ATTR_BANDS]) {
11909 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
11910 
11911 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
11912 			return -EOPNOTSUPP;
11913 
11914 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
11915 			return -EINVAL;
11916 
11917 		conf.bands = bands;
11918 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
11919 	}
11920 
11921 	if (!changed)
11922 		return -EINVAL;
11923 
11924 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
11925 }
11926 
11927 void cfg80211_nan_match(struct wireless_dev *wdev,
11928 			struct cfg80211_nan_match_params *match, gfp_t gfp)
11929 {
11930 	struct wiphy *wiphy = wdev->wiphy;
11931 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11932 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
11933 	struct sk_buff *msg;
11934 	void *hdr;
11935 
11936 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
11937 		return;
11938 
11939 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
11940 	if (!msg)
11941 		return;
11942 
11943 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
11944 	if (!hdr) {
11945 		nlmsg_free(msg);
11946 		return;
11947 	}
11948 
11949 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
11950 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
11951 					 wdev->netdev->ifindex)) ||
11952 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11953 			      NL80211_ATTR_PAD))
11954 		goto nla_put_failure;
11955 
11956 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
11957 			      NL80211_ATTR_PAD) ||
11958 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
11959 		goto nla_put_failure;
11960 
11961 	match_attr = nla_nest_start(msg, NL80211_ATTR_NAN_MATCH);
11962 	if (!match_attr)
11963 		goto nla_put_failure;
11964 
11965 	local_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_LOCAL);
11966 	if (!local_func_attr)
11967 		goto nla_put_failure;
11968 
11969 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
11970 		goto nla_put_failure;
11971 
11972 	nla_nest_end(msg, local_func_attr);
11973 
11974 	peer_func_attr = nla_nest_start(msg, NL80211_NAN_MATCH_FUNC_PEER);
11975 	if (!peer_func_attr)
11976 		goto nla_put_failure;
11977 
11978 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
11979 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
11980 		goto nla_put_failure;
11981 
11982 	if (match->info && match->info_len &&
11983 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
11984 		    match->info))
11985 		goto nla_put_failure;
11986 
11987 	nla_nest_end(msg, peer_func_attr);
11988 	nla_nest_end(msg, match_attr);
11989 	genlmsg_end(msg, hdr);
11990 
11991 	if (!wdev->owner_nlportid)
11992 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11993 					msg, 0, NL80211_MCGRP_NAN, gfp);
11994 	else
11995 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
11996 				wdev->owner_nlportid);
11997 
11998 	return;
11999 
12000 nla_put_failure:
12001 	nlmsg_free(msg);
12002 }
12003 EXPORT_SYMBOL(cfg80211_nan_match);
12004 
12005 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12006 				  u8 inst_id,
12007 				  enum nl80211_nan_func_term_reason reason,
12008 				  u64 cookie, gfp_t gfp)
12009 {
12010 	struct wiphy *wiphy = wdev->wiphy;
12011 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12012 	struct sk_buff *msg;
12013 	struct nlattr *func_attr;
12014 	void *hdr;
12015 
12016 	if (WARN_ON(!inst_id))
12017 		return;
12018 
12019 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12020 	if (!msg)
12021 		return;
12022 
12023 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12024 	if (!hdr) {
12025 		nlmsg_free(msg);
12026 		return;
12027 	}
12028 
12029 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12030 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12031 					 wdev->netdev->ifindex)) ||
12032 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12033 			      NL80211_ATTR_PAD))
12034 		goto nla_put_failure;
12035 
12036 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12037 			      NL80211_ATTR_PAD))
12038 		goto nla_put_failure;
12039 
12040 	func_attr = nla_nest_start(msg, NL80211_ATTR_NAN_FUNC);
12041 	if (!func_attr)
12042 		goto nla_put_failure;
12043 
12044 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12045 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12046 		goto nla_put_failure;
12047 
12048 	nla_nest_end(msg, func_attr);
12049 	genlmsg_end(msg, hdr);
12050 
12051 	if (!wdev->owner_nlportid)
12052 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12053 					msg, 0, NL80211_MCGRP_NAN, gfp);
12054 	else
12055 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12056 				wdev->owner_nlportid);
12057 
12058 	return;
12059 
12060 nla_put_failure:
12061 	nlmsg_free(msg);
12062 }
12063 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
12064 
12065 static int nl80211_get_protocol_features(struct sk_buff *skb,
12066 					 struct genl_info *info)
12067 {
12068 	void *hdr;
12069 	struct sk_buff *msg;
12070 
12071 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12072 	if (!msg)
12073 		return -ENOMEM;
12074 
12075 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12076 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
12077 	if (!hdr)
12078 		goto nla_put_failure;
12079 
12080 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
12081 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
12082 		goto nla_put_failure;
12083 
12084 	genlmsg_end(msg, hdr);
12085 	return genlmsg_reply(msg, info);
12086 
12087  nla_put_failure:
12088 	kfree_skb(msg);
12089 	return -ENOBUFS;
12090 }
12091 
12092 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
12093 {
12094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12095 	struct cfg80211_update_ft_ies_params ft_params;
12096 	struct net_device *dev = info->user_ptr[1];
12097 
12098 	if (!rdev->ops->update_ft_ies)
12099 		return -EOPNOTSUPP;
12100 
12101 	if (!info->attrs[NL80211_ATTR_MDID] ||
12102 	    !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
12103 		return -EINVAL;
12104 
12105 	memset(&ft_params, 0, sizeof(ft_params));
12106 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
12107 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12108 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12109 
12110 	return rdev_update_ft_ies(rdev, dev, &ft_params);
12111 }
12112 
12113 static int nl80211_crit_protocol_start(struct sk_buff *skb,
12114 				       struct genl_info *info)
12115 {
12116 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12117 	struct wireless_dev *wdev = info->user_ptr[1];
12118 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
12119 	u16 duration;
12120 	int ret;
12121 
12122 	if (!rdev->ops->crit_proto_start)
12123 		return -EOPNOTSUPP;
12124 
12125 	if (WARN_ON(!rdev->ops->crit_proto_stop))
12126 		return -EINVAL;
12127 
12128 	if (rdev->crit_proto_nlportid)
12129 		return -EBUSY;
12130 
12131 	/* determine protocol if provided */
12132 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
12133 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
12134 
12135 	if (proto >= NUM_NL80211_CRIT_PROTO)
12136 		return -EINVAL;
12137 
12138 	/* timeout must be provided */
12139 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
12140 		return -EINVAL;
12141 
12142 	duration =
12143 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
12144 
12145 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
12146 		return -ERANGE;
12147 
12148 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
12149 	if (!ret)
12150 		rdev->crit_proto_nlportid = info->snd_portid;
12151 
12152 	return ret;
12153 }
12154 
12155 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
12156 				      struct genl_info *info)
12157 {
12158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12159 	struct wireless_dev *wdev = info->user_ptr[1];
12160 
12161 	if (!rdev->ops->crit_proto_stop)
12162 		return -EOPNOTSUPP;
12163 
12164 	if (rdev->crit_proto_nlportid) {
12165 		rdev->crit_proto_nlportid = 0;
12166 		rdev_crit_proto_stop(rdev, wdev);
12167 	}
12168 	return 0;
12169 }
12170 
12171 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
12172 {
12173 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12174 	struct wireless_dev *wdev =
12175 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
12176 	int i, err;
12177 	u32 vid, subcmd;
12178 
12179 	if (!rdev->wiphy.vendor_commands)
12180 		return -EOPNOTSUPP;
12181 
12182 	if (IS_ERR(wdev)) {
12183 		err = PTR_ERR(wdev);
12184 		if (err != -EINVAL)
12185 			return err;
12186 		wdev = NULL;
12187 	} else if (wdev->wiphy != &rdev->wiphy) {
12188 		return -EINVAL;
12189 	}
12190 
12191 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
12192 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
12193 		return -EINVAL;
12194 
12195 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
12196 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
12197 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
12198 		const struct wiphy_vendor_command *vcmd;
12199 		void *data = NULL;
12200 		int len = 0;
12201 
12202 		vcmd = &rdev->wiphy.vendor_commands[i];
12203 
12204 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12205 			continue;
12206 
12207 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12208 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12209 			if (!wdev)
12210 				return -EINVAL;
12211 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12212 			    !wdev->netdev)
12213 				return -EINVAL;
12214 
12215 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12216 				if (!wdev_running(wdev))
12217 					return -ENETDOWN;
12218 			}
12219 
12220 			if (!vcmd->doit)
12221 				return -EOPNOTSUPP;
12222 		} else {
12223 			wdev = NULL;
12224 		}
12225 
12226 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
12227 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12228 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
12229 		}
12230 
12231 		rdev->cur_cmd_info = info;
12232 		err = rdev->wiphy.vendor_commands[i].doit(&rdev->wiphy, wdev,
12233 							  data, len);
12234 		rdev->cur_cmd_info = NULL;
12235 		return err;
12236 	}
12237 
12238 	return -EOPNOTSUPP;
12239 }
12240 
12241 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
12242 				       struct netlink_callback *cb,
12243 				       struct cfg80211_registered_device **rdev,
12244 				       struct wireless_dev **wdev)
12245 {
12246 	struct nlattr **attrbuf = genl_family_attrbuf(&nl80211_fam);
12247 	u32 vid, subcmd;
12248 	unsigned int i;
12249 	int vcmd_idx = -1;
12250 	int err;
12251 	void *data = NULL;
12252 	unsigned int data_len = 0;
12253 
12254 	if (cb->args[0]) {
12255 		/* subtract the 1 again here */
12256 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
12257 		struct wireless_dev *tmp;
12258 
12259 		if (!wiphy)
12260 			return -ENODEV;
12261 		*rdev = wiphy_to_rdev(wiphy);
12262 		*wdev = NULL;
12263 
12264 		if (cb->args[1]) {
12265 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
12266 				if (tmp->identifier == cb->args[1] - 1) {
12267 					*wdev = tmp;
12268 					break;
12269 				}
12270 			}
12271 		}
12272 
12273 		/* keep rtnl locked in successful case */
12274 		return 0;
12275 	}
12276 
12277 	err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, attrbuf,
12278 			  nl80211_fam.maxattr, nl80211_policy, NULL);
12279 	if (err)
12280 		return err;
12281 
12282 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
12283 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
12284 		return -EINVAL;
12285 
12286 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
12287 	if (IS_ERR(*wdev))
12288 		*wdev = NULL;
12289 
12290 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
12291 	if (IS_ERR(*rdev))
12292 		return PTR_ERR(*rdev);
12293 
12294 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
12295 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
12296 
12297 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
12298 		const struct wiphy_vendor_command *vcmd;
12299 
12300 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
12301 
12302 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
12303 			continue;
12304 
12305 		if (!vcmd->dumpit)
12306 			return -EOPNOTSUPP;
12307 
12308 		vcmd_idx = i;
12309 		break;
12310 	}
12311 
12312 	if (vcmd_idx < 0)
12313 		return -EOPNOTSUPP;
12314 
12315 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
12316 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12317 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
12318 	}
12319 
12320 	/* 0 is the first index - add 1 to parse only once */
12321 	cb->args[0] = (*rdev)->wiphy_idx + 1;
12322 	/* add 1 to know if it was NULL */
12323 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
12324 	cb->args[2] = vcmd_idx;
12325 	cb->args[3] = (unsigned long)data;
12326 	cb->args[4] = data_len;
12327 
12328 	/* keep rtnl locked in successful case */
12329 	return 0;
12330 }
12331 
12332 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
12333 				   struct netlink_callback *cb)
12334 {
12335 	struct cfg80211_registered_device *rdev;
12336 	struct wireless_dev *wdev;
12337 	unsigned int vcmd_idx;
12338 	const struct wiphy_vendor_command *vcmd;
12339 	void *data;
12340 	int data_len;
12341 	int err;
12342 	struct nlattr *vendor_data;
12343 
12344 	rtnl_lock();
12345 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
12346 	if (err)
12347 		goto out;
12348 
12349 	vcmd_idx = cb->args[2];
12350 	data = (void *)cb->args[3];
12351 	data_len = cb->args[4];
12352 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
12353 
12354 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
12355 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
12356 		if (!wdev) {
12357 			err = -EINVAL;
12358 			goto out;
12359 		}
12360 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
12361 		    !wdev->netdev) {
12362 			err = -EINVAL;
12363 			goto out;
12364 		}
12365 
12366 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
12367 			if (!wdev_running(wdev)) {
12368 				err = -ENETDOWN;
12369 				goto out;
12370 			}
12371 		}
12372 	}
12373 
12374 	while (1) {
12375 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
12376 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
12377 					   NL80211_CMD_VENDOR);
12378 		if (!hdr)
12379 			break;
12380 
12381 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12382 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12383 					       wdev_id(wdev),
12384 					       NL80211_ATTR_PAD))) {
12385 			genlmsg_cancel(skb, hdr);
12386 			break;
12387 		}
12388 
12389 		vendor_data = nla_nest_start(skb, NL80211_ATTR_VENDOR_DATA);
12390 		if (!vendor_data) {
12391 			genlmsg_cancel(skb, hdr);
12392 			break;
12393 		}
12394 
12395 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
12396 				   (unsigned long *)&cb->args[5]);
12397 		nla_nest_end(skb, vendor_data);
12398 
12399 		if (err == -ENOBUFS || err == -ENOENT) {
12400 			genlmsg_cancel(skb, hdr);
12401 			break;
12402 		} else if (err) {
12403 			genlmsg_cancel(skb, hdr);
12404 			goto out;
12405 		}
12406 
12407 		genlmsg_end(skb, hdr);
12408 	}
12409 
12410 	err = skb->len;
12411  out:
12412 	rtnl_unlock();
12413 	return err;
12414 }
12415 
12416 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
12417 					   enum nl80211_commands cmd,
12418 					   enum nl80211_attrs attr,
12419 					   int approxlen)
12420 {
12421 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12422 
12423 	if (WARN_ON(!rdev->cur_cmd_info))
12424 		return NULL;
12425 
12426 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
12427 					   rdev->cur_cmd_info->snd_portid,
12428 					   rdev->cur_cmd_info->snd_seq,
12429 					   cmd, attr, NULL, GFP_KERNEL);
12430 }
12431 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
12432 
12433 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
12434 {
12435 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
12436 	void *hdr = ((void **)skb->cb)[1];
12437 	struct nlattr *data = ((void **)skb->cb)[2];
12438 
12439 	/* clear CB data for netlink core to own from now on */
12440 	memset(skb->cb, 0, sizeof(skb->cb));
12441 
12442 	if (WARN_ON(!rdev->cur_cmd_info)) {
12443 		kfree_skb(skb);
12444 		return -EINVAL;
12445 	}
12446 
12447 	nla_nest_end(skb, data);
12448 	genlmsg_end(skb, hdr);
12449 	return genlmsg_reply(skb, rdev->cur_cmd_info);
12450 }
12451 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
12452 
12453 static int nl80211_set_qos_map(struct sk_buff *skb,
12454 			       struct genl_info *info)
12455 {
12456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12457 	struct cfg80211_qos_map *qos_map = NULL;
12458 	struct net_device *dev = info->user_ptr[1];
12459 	u8 *pos, len, num_des, des_len, des;
12460 	int ret;
12461 
12462 	if (!rdev->ops->set_qos_map)
12463 		return -EOPNOTSUPP;
12464 
12465 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
12466 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
12467 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
12468 
12469 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
12470 		    len > IEEE80211_QOS_MAP_LEN_MAX)
12471 			return -EINVAL;
12472 
12473 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
12474 		if (!qos_map)
12475 			return -ENOMEM;
12476 
12477 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
12478 		if (num_des) {
12479 			des_len = num_des *
12480 				sizeof(struct cfg80211_dscp_exception);
12481 			memcpy(qos_map->dscp_exception, pos, des_len);
12482 			qos_map->num_des = num_des;
12483 			for (des = 0; des < num_des; des++) {
12484 				if (qos_map->dscp_exception[des].up > 7) {
12485 					kfree(qos_map);
12486 					return -EINVAL;
12487 				}
12488 			}
12489 			pos += des_len;
12490 		}
12491 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
12492 	}
12493 
12494 	wdev_lock(dev->ieee80211_ptr);
12495 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
12496 	if (!ret)
12497 		ret = rdev_set_qos_map(rdev, dev, qos_map);
12498 	wdev_unlock(dev->ieee80211_ptr);
12499 
12500 	kfree(qos_map);
12501 	return ret;
12502 }
12503 
12504 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
12505 {
12506 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12507 	struct net_device *dev = info->user_ptr[1];
12508 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12509 	const u8 *peer;
12510 	u8 tsid, up;
12511 	u16 admitted_time = 0;
12512 	int err;
12513 
12514 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
12515 		return -EOPNOTSUPP;
12516 
12517 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
12518 	    !info->attrs[NL80211_ATTR_USER_PRIO])
12519 		return -EINVAL;
12520 
12521 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12522 	if (tsid >= IEEE80211_NUM_TIDS)
12523 		return -EINVAL;
12524 
12525 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
12526 	if (up >= IEEE80211_NUM_UPS)
12527 		return -EINVAL;
12528 
12529 	/* WMM uses TIDs 0-7 even for TSPEC */
12530 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
12531 		/* TODO: handle 802.11 TSPEC/admission control
12532 		 * need more attributes for that (e.g. BA session requirement);
12533 		 * change the WMM adminssion test above to allow both then
12534 		 */
12535 		return -EINVAL;
12536 	}
12537 
12538 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12539 
12540 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
12541 		admitted_time =
12542 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
12543 		if (!admitted_time)
12544 			return -EINVAL;
12545 	}
12546 
12547 	wdev_lock(wdev);
12548 	switch (wdev->iftype) {
12549 	case NL80211_IFTYPE_STATION:
12550 	case NL80211_IFTYPE_P2P_CLIENT:
12551 		if (wdev->current_bss)
12552 			break;
12553 		err = -ENOTCONN;
12554 		goto out;
12555 	default:
12556 		err = -EOPNOTSUPP;
12557 		goto out;
12558 	}
12559 
12560 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
12561 
12562  out:
12563 	wdev_unlock(wdev);
12564 	return err;
12565 }
12566 
12567 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
12568 {
12569 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12570 	struct net_device *dev = info->user_ptr[1];
12571 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12572 	const u8 *peer;
12573 	u8 tsid;
12574 	int err;
12575 
12576 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
12577 		return -EINVAL;
12578 
12579 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
12580 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12581 
12582 	wdev_lock(wdev);
12583 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
12584 	wdev_unlock(wdev);
12585 
12586 	return err;
12587 }
12588 
12589 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
12590 				       struct genl_info *info)
12591 {
12592 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12593 	struct net_device *dev = info->user_ptr[1];
12594 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12595 	struct cfg80211_chan_def chandef = {};
12596 	const u8 *addr;
12597 	u8 oper_class;
12598 	int err;
12599 
12600 	if (!rdev->ops->tdls_channel_switch ||
12601 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12602 		return -EOPNOTSUPP;
12603 
12604 	switch (dev->ieee80211_ptr->iftype) {
12605 	case NL80211_IFTYPE_STATION:
12606 	case NL80211_IFTYPE_P2P_CLIENT:
12607 		break;
12608 	default:
12609 		return -EOPNOTSUPP;
12610 	}
12611 
12612 	if (!info->attrs[NL80211_ATTR_MAC] ||
12613 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
12614 		return -EINVAL;
12615 
12616 	err = nl80211_parse_chandef(rdev, info, &chandef);
12617 	if (err)
12618 		return err;
12619 
12620 	/*
12621 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
12622 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
12623 	 * specification is not defined for them.
12624 	 */
12625 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
12626 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
12627 	    chandef.width != NL80211_CHAN_WIDTH_20)
12628 		return -EINVAL;
12629 
12630 	/* we will be active on the TDLS link */
12631 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
12632 					   wdev->iftype))
12633 		return -EINVAL;
12634 
12635 	/* don't allow switching to DFS channels */
12636 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
12637 		return -EINVAL;
12638 
12639 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12640 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
12641 
12642 	wdev_lock(wdev);
12643 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
12644 	wdev_unlock(wdev);
12645 
12646 	return err;
12647 }
12648 
12649 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
12650 					      struct genl_info *info)
12651 {
12652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12653 	struct net_device *dev = info->user_ptr[1];
12654 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12655 	const u8 *addr;
12656 
12657 	if (!rdev->ops->tdls_channel_switch ||
12658 	    !rdev->ops->tdls_cancel_channel_switch ||
12659 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
12660 		return -EOPNOTSUPP;
12661 
12662 	switch (dev->ieee80211_ptr->iftype) {
12663 	case NL80211_IFTYPE_STATION:
12664 	case NL80211_IFTYPE_P2P_CLIENT:
12665 		break;
12666 	default:
12667 		return -EOPNOTSUPP;
12668 	}
12669 
12670 	if (!info->attrs[NL80211_ATTR_MAC])
12671 		return -EINVAL;
12672 
12673 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12674 
12675 	wdev_lock(wdev);
12676 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
12677 	wdev_unlock(wdev);
12678 
12679 	return 0;
12680 }
12681 
12682 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
12683 					    struct genl_info *info)
12684 {
12685 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12686 	struct net_device *dev = info->user_ptr[1];
12687 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12688 	const struct nlattr *nla;
12689 	bool enabled;
12690 
12691 	if (!rdev->ops->set_multicast_to_unicast)
12692 		return -EOPNOTSUPP;
12693 
12694 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12695 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12696 		return -EOPNOTSUPP;
12697 
12698 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
12699 	enabled = nla_get_flag(nla);
12700 
12701 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
12702 }
12703 
12704 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
12705 {
12706 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12707 	struct net_device *dev = info->user_ptr[1];
12708 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12709 	struct cfg80211_pmk_conf pmk_conf = {};
12710 	int ret;
12711 
12712 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12713 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12714 		return -EOPNOTSUPP;
12715 
12716 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12717 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12718 		return -EOPNOTSUPP;
12719 
12720 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
12721 		return -EINVAL;
12722 
12723 	wdev_lock(wdev);
12724 	if (!wdev->current_bss) {
12725 		ret = -ENOTCONN;
12726 		goto out;
12727 	}
12728 
12729 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
12730 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
12731 		ret = -EINVAL;
12732 		goto out;
12733 	}
12734 
12735 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12736 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12737 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
12738 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
12739 		ret = -EINVAL;
12740 		goto out;
12741 	}
12742 
12743 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
12744 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
12745 
12746 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
12747 			ret = -EINVAL;
12748 			goto out;
12749 		}
12750 
12751 		pmk_conf.pmk_r0_name =
12752 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
12753 	}
12754 
12755 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
12756 out:
12757 	wdev_unlock(wdev);
12758 	return ret;
12759 }
12760 
12761 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
12762 {
12763 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12764 	struct net_device *dev = info->user_ptr[1];
12765 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12766 	const u8 *aa;
12767 	int ret;
12768 
12769 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12770 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12771 		return -EOPNOTSUPP;
12772 
12773 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12774 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12775 		return -EOPNOTSUPP;
12776 
12777 	if (!info->attrs[NL80211_ATTR_MAC])
12778 		return -EINVAL;
12779 
12780 	wdev_lock(wdev);
12781 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
12782 	ret = rdev_del_pmk(rdev, dev, aa);
12783 	wdev_unlock(wdev);
12784 
12785 	return ret;
12786 }
12787 
12788 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
12789 {
12790 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12791 	struct net_device *dev = info->user_ptr[1];
12792 	struct cfg80211_external_auth_params params;
12793 
12794 	if (!rdev->ops->external_auth)
12795 		return -EOPNOTSUPP;
12796 
12797 	if (!info->attrs[NL80211_ATTR_SSID])
12798 		return -EINVAL;
12799 
12800 	if (!info->attrs[NL80211_ATTR_BSSID])
12801 		return -EINVAL;
12802 
12803 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
12804 		return -EINVAL;
12805 
12806 	memset(&params, 0, sizeof(params));
12807 
12808 	params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12809 	if (params.ssid.ssid_len == 0 ||
12810 	    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
12811 		return -EINVAL;
12812 	memcpy(params.ssid.ssid, nla_data(info->attrs[NL80211_ATTR_SSID]),
12813 	       params.ssid.ssid_len);
12814 
12815 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
12816 	       ETH_ALEN);
12817 
12818 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12819 
12820 	return rdev_external_auth(rdev, dev, &params);
12821 }
12822 
12823 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
12824 {
12825 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12826 	struct net_device *dev = info->user_ptr[1];
12827 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12828 	const u8 *buf;
12829 	size_t len;
12830 	u8 *dest;
12831 	u16 proto;
12832 	bool noencrypt;
12833 	int err;
12834 
12835 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12836 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12837 		return -EOPNOTSUPP;
12838 
12839 	if (!rdev->ops->tx_control_port)
12840 		return -EOPNOTSUPP;
12841 
12842 	if (!info->attrs[NL80211_ATTR_FRAME] ||
12843 	    !info->attrs[NL80211_ATTR_MAC] ||
12844 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12845 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
12846 		return -EINVAL;
12847 	}
12848 
12849 	wdev_lock(wdev);
12850 
12851 	switch (wdev->iftype) {
12852 	case NL80211_IFTYPE_AP:
12853 	case NL80211_IFTYPE_P2P_GO:
12854 	case NL80211_IFTYPE_MESH_POINT:
12855 		break;
12856 	case NL80211_IFTYPE_ADHOC:
12857 	case NL80211_IFTYPE_STATION:
12858 	case NL80211_IFTYPE_P2P_CLIENT:
12859 		if (wdev->current_bss)
12860 			break;
12861 		err = -ENOTCONN;
12862 		goto out;
12863 	default:
12864 		err = -EOPNOTSUPP;
12865 		goto out;
12866 	}
12867 
12868 	wdev_unlock(wdev);
12869 
12870 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12871 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12872 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
12873 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12874 	noencrypt =
12875 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
12876 
12877 	return rdev_tx_control_port(rdev, dev, buf, len,
12878 				    dest, cpu_to_be16(proto), noencrypt);
12879 
12880  out:
12881 	wdev_unlock(wdev);
12882 	return err;
12883 }
12884 
12885 #define NL80211_FLAG_NEED_WIPHY		0x01
12886 #define NL80211_FLAG_NEED_NETDEV	0x02
12887 #define NL80211_FLAG_NEED_RTNL		0x04
12888 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
12889 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
12890 					 NL80211_FLAG_CHECK_NETDEV_UP)
12891 #define NL80211_FLAG_NEED_WDEV		0x10
12892 /* If a netdev is associated, it must be UP, P2P must be started */
12893 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
12894 					 NL80211_FLAG_CHECK_NETDEV_UP)
12895 #define NL80211_FLAG_CLEAR_SKB		0x20
12896 
12897 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
12898 			    struct genl_info *info)
12899 {
12900 	struct cfg80211_registered_device *rdev;
12901 	struct wireless_dev *wdev;
12902 	struct net_device *dev;
12903 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
12904 
12905 	if (rtnl)
12906 		rtnl_lock();
12907 
12908 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
12909 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
12910 		if (IS_ERR(rdev)) {
12911 			if (rtnl)
12912 				rtnl_unlock();
12913 			return PTR_ERR(rdev);
12914 		}
12915 		info->user_ptr[0] = rdev;
12916 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
12917 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
12918 		ASSERT_RTNL();
12919 
12920 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
12921 						  info->attrs);
12922 		if (IS_ERR(wdev)) {
12923 			if (rtnl)
12924 				rtnl_unlock();
12925 			return PTR_ERR(wdev);
12926 		}
12927 
12928 		dev = wdev->netdev;
12929 		rdev = wiphy_to_rdev(wdev->wiphy);
12930 
12931 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
12932 			if (!dev) {
12933 				if (rtnl)
12934 					rtnl_unlock();
12935 				return -EINVAL;
12936 			}
12937 
12938 			info->user_ptr[1] = dev;
12939 		} else {
12940 			info->user_ptr[1] = wdev;
12941 		}
12942 
12943 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
12944 		    !wdev_running(wdev)) {
12945 			if (rtnl)
12946 				rtnl_unlock();
12947 			return -ENETDOWN;
12948 		}
12949 
12950 		if (dev)
12951 			dev_hold(dev);
12952 
12953 		info->user_ptr[0] = rdev;
12954 	}
12955 
12956 	return 0;
12957 }
12958 
12959 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
12960 			      struct genl_info *info)
12961 {
12962 	if (info->user_ptr[1]) {
12963 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
12964 			struct wireless_dev *wdev = info->user_ptr[1];
12965 
12966 			if (wdev->netdev)
12967 				dev_put(wdev->netdev);
12968 		} else {
12969 			dev_put(info->user_ptr[1]);
12970 		}
12971 	}
12972 
12973 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
12974 		rtnl_unlock();
12975 
12976 	/* If needed, clear the netlink message payload from the SKB
12977 	 * as it might contain key data that shouldn't stick around on
12978 	 * the heap after the SKB is freed. The netlink message header
12979 	 * is still needed for further processing, so leave it intact.
12980 	 */
12981 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
12982 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
12983 
12984 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
12985 	}
12986 }
12987 
12988 static const struct genl_ops nl80211_ops[] = {
12989 	{
12990 		.cmd = NL80211_CMD_GET_WIPHY,
12991 		.doit = nl80211_get_wiphy,
12992 		.dumpit = nl80211_dump_wiphy,
12993 		.done = nl80211_dump_wiphy_done,
12994 		.policy = nl80211_policy,
12995 		/* can be retrieved by unprivileged users */
12996 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
12997 				  NL80211_FLAG_NEED_RTNL,
12998 	},
12999 	{
13000 		.cmd = NL80211_CMD_SET_WIPHY,
13001 		.doit = nl80211_set_wiphy,
13002 		.policy = nl80211_policy,
13003 		.flags = GENL_UNS_ADMIN_PERM,
13004 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13005 	},
13006 	{
13007 		.cmd = NL80211_CMD_GET_INTERFACE,
13008 		.doit = nl80211_get_interface,
13009 		.dumpit = nl80211_dump_interface,
13010 		.policy = nl80211_policy,
13011 		/* can be retrieved by unprivileged users */
13012 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13013 				  NL80211_FLAG_NEED_RTNL,
13014 	},
13015 	{
13016 		.cmd = NL80211_CMD_SET_INTERFACE,
13017 		.doit = nl80211_set_interface,
13018 		.policy = nl80211_policy,
13019 		.flags = GENL_UNS_ADMIN_PERM,
13020 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13021 				  NL80211_FLAG_NEED_RTNL,
13022 	},
13023 	{
13024 		.cmd = NL80211_CMD_NEW_INTERFACE,
13025 		.doit = nl80211_new_interface,
13026 		.policy = nl80211_policy,
13027 		.flags = GENL_UNS_ADMIN_PERM,
13028 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13029 				  NL80211_FLAG_NEED_RTNL,
13030 	},
13031 	{
13032 		.cmd = NL80211_CMD_DEL_INTERFACE,
13033 		.doit = nl80211_del_interface,
13034 		.policy = nl80211_policy,
13035 		.flags = GENL_UNS_ADMIN_PERM,
13036 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13037 				  NL80211_FLAG_NEED_RTNL,
13038 	},
13039 	{
13040 		.cmd = NL80211_CMD_GET_KEY,
13041 		.doit = nl80211_get_key,
13042 		.policy = nl80211_policy,
13043 		.flags = GENL_UNS_ADMIN_PERM,
13044 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13045 				  NL80211_FLAG_NEED_RTNL,
13046 	},
13047 	{
13048 		.cmd = NL80211_CMD_SET_KEY,
13049 		.doit = nl80211_set_key,
13050 		.policy = nl80211_policy,
13051 		.flags = GENL_UNS_ADMIN_PERM,
13052 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13053 				  NL80211_FLAG_NEED_RTNL |
13054 				  NL80211_FLAG_CLEAR_SKB,
13055 	},
13056 	{
13057 		.cmd = NL80211_CMD_NEW_KEY,
13058 		.doit = nl80211_new_key,
13059 		.policy = nl80211_policy,
13060 		.flags = GENL_UNS_ADMIN_PERM,
13061 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13062 				  NL80211_FLAG_NEED_RTNL |
13063 				  NL80211_FLAG_CLEAR_SKB,
13064 	},
13065 	{
13066 		.cmd = NL80211_CMD_DEL_KEY,
13067 		.doit = nl80211_del_key,
13068 		.policy = nl80211_policy,
13069 		.flags = GENL_UNS_ADMIN_PERM,
13070 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13071 				  NL80211_FLAG_NEED_RTNL,
13072 	},
13073 	{
13074 		.cmd = NL80211_CMD_SET_BEACON,
13075 		.policy = nl80211_policy,
13076 		.flags = GENL_UNS_ADMIN_PERM,
13077 		.doit = nl80211_set_beacon,
13078 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13079 				  NL80211_FLAG_NEED_RTNL,
13080 	},
13081 	{
13082 		.cmd = NL80211_CMD_START_AP,
13083 		.policy = nl80211_policy,
13084 		.flags = GENL_UNS_ADMIN_PERM,
13085 		.doit = nl80211_start_ap,
13086 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13087 				  NL80211_FLAG_NEED_RTNL,
13088 	},
13089 	{
13090 		.cmd = NL80211_CMD_STOP_AP,
13091 		.policy = nl80211_policy,
13092 		.flags = GENL_UNS_ADMIN_PERM,
13093 		.doit = nl80211_stop_ap,
13094 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13095 				  NL80211_FLAG_NEED_RTNL,
13096 	},
13097 	{
13098 		.cmd = NL80211_CMD_GET_STATION,
13099 		.doit = nl80211_get_station,
13100 		.dumpit = nl80211_dump_station,
13101 		.policy = nl80211_policy,
13102 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13103 				  NL80211_FLAG_NEED_RTNL,
13104 	},
13105 	{
13106 		.cmd = NL80211_CMD_SET_STATION,
13107 		.doit = nl80211_set_station,
13108 		.policy = nl80211_policy,
13109 		.flags = GENL_UNS_ADMIN_PERM,
13110 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13111 				  NL80211_FLAG_NEED_RTNL,
13112 	},
13113 	{
13114 		.cmd = NL80211_CMD_NEW_STATION,
13115 		.doit = nl80211_new_station,
13116 		.policy = nl80211_policy,
13117 		.flags = GENL_UNS_ADMIN_PERM,
13118 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13119 				  NL80211_FLAG_NEED_RTNL,
13120 	},
13121 	{
13122 		.cmd = NL80211_CMD_DEL_STATION,
13123 		.doit = nl80211_del_station,
13124 		.policy = nl80211_policy,
13125 		.flags = GENL_UNS_ADMIN_PERM,
13126 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13127 				  NL80211_FLAG_NEED_RTNL,
13128 	},
13129 	{
13130 		.cmd = NL80211_CMD_GET_MPATH,
13131 		.doit = nl80211_get_mpath,
13132 		.dumpit = nl80211_dump_mpath,
13133 		.policy = nl80211_policy,
13134 		.flags = GENL_UNS_ADMIN_PERM,
13135 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13136 				  NL80211_FLAG_NEED_RTNL,
13137 	},
13138 	{
13139 		.cmd = NL80211_CMD_GET_MPP,
13140 		.doit = nl80211_get_mpp,
13141 		.dumpit = nl80211_dump_mpp,
13142 		.policy = nl80211_policy,
13143 		.flags = GENL_UNS_ADMIN_PERM,
13144 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13145 				  NL80211_FLAG_NEED_RTNL,
13146 	},
13147 	{
13148 		.cmd = NL80211_CMD_SET_MPATH,
13149 		.doit = nl80211_set_mpath,
13150 		.policy = nl80211_policy,
13151 		.flags = GENL_UNS_ADMIN_PERM,
13152 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13153 				  NL80211_FLAG_NEED_RTNL,
13154 	},
13155 	{
13156 		.cmd = NL80211_CMD_NEW_MPATH,
13157 		.doit = nl80211_new_mpath,
13158 		.policy = nl80211_policy,
13159 		.flags = GENL_UNS_ADMIN_PERM,
13160 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13161 				  NL80211_FLAG_NEED_RTNL,
13162 	},
13163 	{
13164 		.cmd = NL80211_CMD_DEL_MPATH,
13165 		.doit = nl80211_del_mpath,
13166 		.policy = nl80211_policy,
13167 		.flags = GENL_UNS_ADMIN_PERM,
13168 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13169 				  NL80211_FLAG_NEED_RTNL,
13170 	},
13171 	{
13172 		.cmd = NL80211_CMD_SET_BSS,
13173 		.doit = nl80211_set_bss,
13174 		.policy = nl80211_policy,
13175 		.flags = GENL_UNS_ADMIN_PERM,
13176 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13177 				  NL80211_FLAG_NEED_RTNL,
13178 	},
13179 	{
13180 		.cmd = NL80211_CMD_GET_REG,
13181 		.doit = nl80211_get_reg_do,
13182 		.dumpit = nl80211_get_reg_dump,
13183 		.policy = nl80211_policy,
13184 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13185 		/* can be retrieved by unprivileged users */
13186 	},
13187 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
13188 	{
13189 		.cmd = NL80211_CMD_SET_REG,
13190 		.doit = nl80211_set_reg,
13191 		.policy = nl80211_policy,
13192 		.flags = GENL_ADMIN_PERM,
13193 		.internal_flags = NL80211_FLAG_NEED_RTNL,
13194 	},
13195 #endif
13196 	{
13197 		.cmd = NL80211_CMD_REQ_SET_REG,
13198 		.doit = nl80211_req_set_reg,
13199 		.policy = nl80211_policy,
13200 		.flags = GENL_ADMIN_PERM,
13201 	},
13202 	{
13203 		.cmd = NL80211_CMD_RELOAD_REGDB,
13204 		.doit = nl80211_reload_regdb,
13205 		.policy = nl80211_policy,
13206 		.flags = GENL_ADMIN_PERM,
13207 	},
13208 	{
13209 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
13210 		.doit = nl80211_get_mesh_config,
13211 		.policy = nl80211_policy,
13212 		/* can be retrieved by unprivileged users */
13213 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13214 				  NL80211_FLAG_NEED_RTNL,
13215 	},
13216 	{
13217 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
13218 		.doit = nl80211_update_mesh_config,
13219 		.policy = nl80211_policy,
13220 		.flags = GENL_UNS_ADMIN_PERM,
13221 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13222 				  NL80211_FLAG_NEED_RTNL,
13223 	},
13224 	{
13225 		.cmd = NL80211_CMD_TRIGGER_SCAN,
13226 		.doit = nl80211_trigger_scan,
13227 		.policy = nl80211_policy,
13228 		.flags = GENL_UNS_ADMIN_PERM,
13229 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13230 				  NL80211_FLAG_NEED_RTNL,
13231 	},
13232 	{
13233 		.cmd = NL80211_CMD_ABORT_SCAN,
13234 		.doit = nl80211_abort_scan,
13235 		.policy = nl80211_policy,
13236 		.flags = GENL_UNS_ADMIN_PERM,
13237 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13238 				  NL80211_FLAG_NEED_RTNL,
13239 	},
13240 	{
13241 		.cmd = NL80211_CMD_GET_SCAN,
13242 		.policy = nl80211_policy,
13243 		.dumpit = nl80211_dump_scan,
13244 	},
13245 	{
13246 		.cmd = NL80211_CMD_START_SCHED_SCAN,
13247 		.doit = nl80211_start_sched_scan,
13248 		.policy = nl80211_policy,
13249 		.flags = GENL_UNS_ADMIN_PERM,
13250 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13251 				  NL80211_FLAG_NEED_RTNL,
13252 	},
13253 	{
13254 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
13255 		.doit = nl80211_stop_sched_scan,
13256 		.policy = nl80211_policy,
13257 		.flags = GENL_UNS_ADMIN_PERM,
13258 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13259 				  NL80211_FLAG_NEED_RTNL,
13260 	},
13261 	{
13262 		.cmd = NL80211_CMD_AUTHENTICATE,
13263 		.doit = nl80211_authenticate,
13264 		.policy = nl80211_policy,
13265 		.flags = GENL_UNS_ADMIN_PERM,
13266 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13267 				  NL80211_FLAG_NEED_RTNL |
13268 				  NL80211_FLAG_CLEAR_SKB,
13269 	},
13270 	{
13271 		.cmd = NL80211_CMD_ASSOCIATE,
13272 		.doit = nl80211_associate,
13273 		.policy = nl80211_policy,
13274 		.flags = GENL_UNS_ADMIN_PERM,
13275 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13276 				  NL80211_FLAG_NEED_RTNL,
13277 	},
13278 	{
13279 		.cmd = NL80211_CMD_DEAUTHENTICATE,
13280 		.doit = nl80211_deauthenticate,
13281 		.policy = nl80211_policy,
13282 		.flags = GENL_UNS_ADMIN_PERM,
13283 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13284 				  NL80211_FLAG_NEED_RTNL,
13285 	},
13286 	{
13287 		.cmd = NL80211_CMD_DISASSOCIATE,
13288 		.doit = nl80211_disassociate,
13289 		.policy = nl80211_policy,
13290 		.flags = GENL_UNS_ADMIN_PERM,
13291 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13292 				  NL80211_FLAG_NEED_RTNL,
13293 	},
13294 	{
13295 		.cmd = NL80211_CMD_JOIN_IBSS,
13296 		.doit = nl80211_join_ibss,
13297 		.policy = nl80211_policy,
13298 		.flags = GENL_UNS_ADMIN_PERM,
13299 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13300 				  NL80211_FLAG_NEED_RTNL,
13301 	},
13302 	{
13303 		.cmd = NL80211_CMD_LEAVE_IBSS,
13304 		.doit = nl80211_leave_ibss,
13305 		.policy = nl80211_policy,
13306 		.flags = GENL_UNS_ADMIN_PERM,
13307 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13308 				  NL80211_FLAG_NEED_RTNL,
13309 	},
13310 #ifdef CONFIG_NL80211_TESTMODE
13311 	{
13312 		.cmd = NL80211_CMD_TESTMODE,
13313 		.doit = nl80211_testmode_do,
13314 		.dumpit = nl80211_testmode_dump,
13315 		.policy = nl80211_policy,
13316 		.flags = GENL_UNS_ADMIN_PERM,
13317 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13318 				  NL80211_FLAG_NEED_RTNL,
13319 	},
13320 #endif
13321 	{
13322 		.cmd = NL80211_CMD_CONNECT,
13323 		.doit = nl80211_connect,
13324 		.policy = nl80211_policy,
13325 		.flags = GENL_UNS_ADMIN_PERM,
13326 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13327 				  NL80211_FLAG_NEED_RTNL,
13328 	},
13329 	{
13330 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
13331 		.doit = nl80211_update_connect_params,
13332 		.policy = nl80211_policy,
13333 		.flags = GENL_ADMIN_PERM,
13334 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13335 				  NL80211_FLAG_NEED_RTNL,
13336 	},
13337 	{
13338 		.cmd = NL80211_CMD_DISCONNECT,
13339 		.doit = nl80211_disconnect,
13340 		.policy = nl80211_policy,
13341 		.flags = GENL_UNS_ADMIN_PERM,
13342 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13343 				  NL80211_FLAG_NEED_RTNL,
13344 	},
13345 	{
13346 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
13347 		.doit = nl80211_wiphy_netns,
13348 		.policy = nl80211_policy,
13349 		.flags = GENL_UNS_ADMIN_PERM,
13350 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13351 				  NL80211_FLAG_NEED_RTNL,
13352 	},
13353 	{
13354 		.cmd = NL80211_CMD_GET_SURVEY,
13355 		.policy = nl80211_policy,
13356 		.dumpit = nl80211_dump_survey,
13357 	},
13358 	{
13359 		.cmd = NL80211_CMD_SET_PMKSA,
13360 		.doit = nl80211_setdel_pmksa,
13361 		.policy = nl80211_policy,
13362 		.flags = GENL_UNS_ADMIN_PERM,
13363 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13364 				  NL80211_FLAG_NEED_RTNL,
13365 	},
13366 	{
13367 		.cmd = NL80211_CMD_DEL_PMKSA,
13368 		.doit = nl80211_setdel_pmksa,
13369 		.policy = nl80211_policy,
13370 		.flags = GENL_UNS_ADMIN_PERM,
13371 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13372 				  NL80211_FLAG_NEED_RTNL,
13373 	},
13374 	{
13375 		.cmd = NL80211_CMD_FLUSH_PMKSA,
13376 		.doit = nl80211_flush_pmksa,
13377 		.policy = nl80211_policy,
13378 		.flags = GENL_UNS_ADMIN_PERM,
13379 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13380 				  NL80211_FLAG_NEED_RTNL,
13381 	},
13382 	{
13383 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
13384 		.doit = nl80211_remain_on_channel,
13385 		.policy = nl80211_policy,
13386 		.flags = GENL_UNS_ADMIN_PERM,
13387 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13388 				  NL80211_FLAG_NEED_RTNL,
13389 	},
13390 	{
13391 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
13392 		.doit = nl80211_cancel_remain_on_channel,
13393 		.policy = nl80211_policy,
13394 		.flags = GENL_UNS_ADMIN_PERM,
13395 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13396 				  NL80211_FLAG_NEED_RTNL,
13397 	},
13398 	{
13399 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
13400 		.doit = nl80211_set_tx_bitrate_mask,
13401 		.policy = nl80211_policy,
13402 		.flags = GENL_UNS_ADMIN_PERM,
13403 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13404 				  NL80211_FLAG_NEED_RTNL,
13405 	},
13406 	{
13407 		.cmd = NL80211_CMD_REGISTER_FRAME,
13408 		.doit = nl80211_register_mgmt,
13409 		.policy = nl80211_policy,
13410 		.flags = GENL_UNS_ADMIN_PERM,
13411 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13412 				  NL80211_FLAG_NEED_RTNL,
13413 	},
13414 	{
13415 		.cmd = NL80211_CMD_FRAME,
13416 		.doit = nl80211_tx_mgmt,
13417 		.policy = nl80211_policy,
13418 		.flags = GENL_UNS_ADMIN_PERM,
13419 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13420 				  NL80211_FLAG_NEED_RTNL,
13421 	},
13422 	{
13423 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
13424 		.doit = nl80211_tx_mgmt_cancel_wait,
13425 		.policy = nl80211_policy,
13426 		.flags = GENL_UNS_ADMIN_PERM,
13427 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13428 				  NL80211_FLAG_NEED_RTNL,
13429 	},
13430 	{
13431 		.cmd = NL80211_CMD_SET_POWER_SAVE,
13432 		.doit = nl80211_set_power_save,
13433 		.policy = nl80211_policy,
13434 		.flags = GENL_UNS_ADMIN_PERM,
13435 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13436 				  NL80211_FLAG_NEED_RTNL,
13437 	},
13438 	{
13439 		.cmd = NL80211_CMD_GET_POWER_SAVE,
13440 		.doit = nl80211_get_power_save,
13441 		.policy = nl80211_policy,
13442 		/* can be retrieved by unprivileged users */
13443 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13444 				  NL80211_FLAG_NEED_RTNL,
13445 	},
13446 	{
13447 		.cmd = NL80211_CMD_SET_CQM,
13448 		.doit = nl80211_set_cqm,
13449 		.policy = nl80211_policy,
13450 		.flags = GENL_UNS_ADMIN_PERM,
13451 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13452 				  NL80211_FLAG_NEED_RTNL,
13453 	},
13454 	{
13455 		.cmd = NL80211_CMD_SET_CHANNEL,
13456 		.doit = nl80211_set_channel,
13457 		.policy = nl80211_policy,
13458 		.flags = GENL_UNS_ADMIN_PERM,
13459 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13460 				  NL80211_FLAG_NEED_RTNL,
13461 	},
13462 	{
13463 		.cmd = NL80211_CMD_SET_WDS_PEER,
13464 		.doit = nl80211_set_wds_peer,
13465 		.policy = nl80211_policy,
13466 		.flags = GENL_UNS_ADMIN_PERM,
13467 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13468 				  NL80211_FLAG_NEED_RTNL,
13469 	},
13470 	{
13471 		.cmd = NL80211_CMD_JOIN_MESH,
13472 		.doit = nl80211_join_mesh,
13473 		.policy = nl80211_policy,
13474 		.flags = GENL_UNS_ADMIN_PERM,
13475 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13476 				  NL80211_FLAG_NEED_RTNL,
13477 	},
13478 	{
13479 		.cmd = NL80211_CMD_LEAVE_MESH,
13480 		.doit = nl80211_leave_mesh,
13481 		.policy = nl80211_policy,
13482 		.flags = GENL_UNS_ADMIN_PERM,
13483 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13484 				  NL80211_FLAG_NEED_RTNL,
13485 	},
13486 	{
13487 		.cmd = NL80211_CMD_JOIN_OCB,
13488 		.doit = nl80211_join_ocb,
13489 		.policy = nl80211_policy,
13490 		.flags = GENL_UNS_ADMIN_PERM,
13491 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13492 				  NL80211_FLAG_NEED_RTNL,
13493 	},
13494 	{
13495 		.cmd = NL80211_CMD_LEAVE_OCB,
13496 		.doit = nl80211_leave_ocb,
13497 		.policy = nl80211_policy,
13498 		.flags = GENL_UNS_ADMIN_PERM,
13499 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13500 				  NL80211_FLAG_NEED_RTNL,
13501 	},
13502 #ifdef CONFIG_PM
13503 	{
13504 		.cmd = NL80211_CMD_GET_WOWLAN,
13505 		.doit = nl80211_get_wowlan,
13506 		.policy = nl80211_policy,
13507 		/* can be retrieved by unprivileged users */
13508 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13509 				  NL80211_FLAG_NEED_RTNL,
13510 	},
13511 	{
13512 		.cmd = NL80211_CMD_SET_WOWLAN,
13513 		.doit = nl80211_set_wowlan,
13514 		.policy = nl80211_policy,
13515 		.flags = GENL_UNS_ADMIN_PERM,
13516 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13517 				  NL80211_FLAG_NEED_RTNL,
13518 	},
13519 #endif
13520 	{
13521 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
13522 		.doit = nl80211_set_rekey_data,
13523 		.policy = nl80211_policy,
13524 		.flags = GENL_UNS_ADMIN_PERM,
13525 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13526 				  NL80211_FLAG_NEED_RTNL |
13527 				  NL80211_FLAG_CLEAR_SKB,
13528 	},
13529 	{
13530 		.cmd = NL80211_CMD_TDLS_MGMT,
13531 		.doit = nl80211_tdls_mgmt,
13532 		.policy = nl80211_policy,
13533 		.flags = GENL_UNS_ADMIN_PERM,
13534 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13535 				  NL80211_FLAG_NEED_RTNL,
13536 	},
13537 	{
13538 		.cmd = NL80211_CMD_TDLS_OPER,
13539 		.doit = nl80211_tdls_oper,
13540 		.policy = nl80211_policy,
13541 		.flags = GENL_UNS_ADMIN_PERM,
13542 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13543 				  NL80211_FLAG_NEED_RTNL,
13544 	},
13545 	{
13546 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
13547 		.doit = nl80211_register_unexpected_frame,
13548 		.policy = nl80211_policy,
13549 		.flags = GENL_UNS_ADMIN_PERM,
13550 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13551 				  NL80211_FLAG_NEED_RTNL,
13552 	},
13553 	{
13554 		.cmd = NL80211_CMD_PROBE_CLIENT,
13555 		.doit = nl80211_probe_client,
13556 		.policy = nl80211_policy,
13557 		.flags = GENL_UNS_ADMIN_PERM,
13558 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13559 				  NL80211_FLAG_NEED_RTNL,
13560 	},
13561 	{
13562 		.cmd = NL80211_CMD_REGISTER_BEACONS,
13563 		.doit = nl80211_register_beacons,
13564 		.policy = nl80211_policy,
13565 		.flags = GENL_UNS_ADMIN_PERM,
13566 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13567 				  NL80211_FLAG_NEED_RTNL,
13568 	},
13569 	{
13570 		.cmd = NL80211_CMD_SET_NOACK_MAP,
13571 		.doit = nl80211_set_noack_map,
13572 		.policy = nl80211_policy,
13573 		.flags = GENL_UNS_ADMIN_PERM,
13574 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13575 				  NL80211_FLAG_NEED_RTNL,
13576 	},
13577 	{
13578 		.cmd = NL80211_CMD_START_P2P_DEVICE,
13579 		.doit = nl80211_start_p2p_device,
13580 		.policy = nl80211_policy,
13581 		.flags = GENL_UNS_ADMIN_PERM,
13582 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13583 				  NL80211_FLAG_NEED_RTNL,
13584 	},
13585 	{
13586 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
13587 		.doit = nl80211_stop_p2p_device,
13588 		.policy = nl80211_policy,
13589 		.flags = GENL_UNS_ADMIN_PERM,
13590 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13591 				  NL80211_FLAG_NEED_RTNL,
13592 	},
13593 	{
13594 		.cmd = NL80211_CMD_START_NAN,
13595 		.doit = nl80211_start_nan,
13596 		.policy = nl80211_policy,
13597 		.flags = GENL_ADMIN_PERM,
13598 		.internal_flags = NL80211_FLAG_NEED_WDEV |
13599 				  NL80211_FLAG_NEED_RTNL,
13600 	},
13601 	{
13602 		.cmd = NL80211_CMD_STOP_NAN,
13603 		.doit = nl80211_stop_nan,
13604 		.policy = nl80211_policy,
13605 		.flags = GENL_ADMIN_PERM,
13606 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13607 				  NL80211_FLAG_NEED_RTNL,
13608 	},
13609 	{
13610 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
13611 		.doit = nl80211_nan_add_func,
13612 		.policy = nl80211_policy,
13613 		.flags = GENL_ADMIN_PERM,
13614 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13615 				  NL80211_FLAG_NEED_RTNL,
13616 	},
13617 	{
13618 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
13619 		.doit = nl80211_nan_del_func,
13620 		.policy = nl80211_policy,
13621 		.flags = GENL_ADMIN_PERM,
13622 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13623 				  NL80211_FLAG_NEED_RTNL,
13624 	},
13625 	{
13626 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
13627 		.doit = nl80211_nan_change_config,
13628 		.policy = nl80211_policy,
13629 		.flags = GENL_ADMIN_PERM,
13630 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13631 				  NL80211_FLAG_NEED_RTNL,
13632 	},
13633 	{
13634 		.cmd = NL80211_CMD_SET_MCAST_RATE,
13635 		.doit = nl80211_set_mcast_rate,
13636 		.policy = nl80211_policy,
13637 		.flags = GENL_UNS_ADMIN_PERM,
13638 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13639 				  NL80211_FLAG_NEED_RTNL,
13640 	},
13641 	{
13642 		.cmd = NL80211_CMD_SET_MAC_ACL,
13643 		.doit = nl80211_set_mac_acl,
13644 		.policy = nl80211_policy,
13645 		.flags = GENL_UNS_ADMIN_PERM,
13646 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13647 				  NL80211_FLAG_NEED_RTNL,
13648 	},
13649 	{
13650 		.cmd = NL80211_CMD_RADAR_DETECT,
13651 		.doit = nl80211_start_radar_detection,
13652 		.policy = nl80211_policy,
13653 		.flags = GENL_UNS_ADMIN_PERM,
13654 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13655 				  NL80211_FLAG_NEED_RTNL,
13656 	},
13657 	{
13658 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
13659 		.doit = nl80211_get_protocol_features,
13660 		.policy = nl80211_policy,
13661 	},
13662 	{
13663 		.cmd = NL80211_CMD_UPDATE_FT_IES,
13664 		.doit = nl80211_update_ft_ies,
13665 		.policy = nl80211_policy,
13666 		.flags = GENL_UNS_ADMIN_PERM,
13667 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13668 				  NL80211_FLAG_NEED_RTNL,
13669 	},
13670 	{
13671 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
13672 		.doit = nl80211_crit_protocol_start,
13673 		.policy = nl80211_policy,
13674 		.flags = GENL_UNS_ADMIN_PERM,
13675 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13676 				  NL80211_FLAG_NEED_RTNL,
13677 	},
13678 	{
13679 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
13680 		.doit = nl80211_crit_protocol_stop,
13681 		.policy = nl80211_policy,
13682 		.flags = GENL_UNS_ADMIN_PERM,
13683 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
13684 				  NL80211_FLAG_NEED_RTNL,
13685 	},
13686 	{
13687 		.cmd = NL80211_CMD_GET_COALESCE,
13688 		.doit = nl80211_get_coalesce,
13689 		.policy = nl80211_policy,
13690 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13691 				  NL80211_FLAG_NEED_RTNL,
13692 	},
13693 	{
13694 		.cmd = NL80211_CMD_SET_COALESCE,
13695 		.doit = nl80211_set_coalesce,
13696 		.policy = nl80211_policy,
13697 		.flags = GENL_UNS_ADMIN_PERM,
13698 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13699 				  NL80211_FLAG_NEED_RTNL,
13700 	},
13701 	{
13702 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
13703 		.doit = nl80211_channel_switch,
13704 		.policy = nl80211_policy,
13705 		.flags = GENL_UNS_ADMIN_PERM,
13706 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13707 				  NL80211_FLAG_NEED_RTNL,
13708 	},
13709 	{
13710 		.cmd = NL80211_CMD_VENDOR,
13711 		.doit = nl80211_vendor_cmd,
13712 		.dumpit = nl80211_vendor_cmd_dump,
13713 		.policy = nl80211_policy,
13714 		.flags = GENL_UNS_ADMIN_PERM,
13715 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
13716 				  NL80211_FLAG_NEED_RTNL,
13717 	},
13718 	{
13719 		.cmd = NL80211_CMD_SET_QOS_MAP,
13720 		.doit = nl80211_set_qos_map,
13721 		.policy = nl80211_policy,
13722 		.flags = GENL_UNS_ADMIN_PERM,
13723 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13724 				  NL80211_FLAG_NEED_RTNL,
13725 	},
13726 	{
13727 		.cmd = NL80211_CMD_ADD_TX_TS,
13728 		.doit = nl80211_add_tx_ts,
13729 		.policy = nl80211_policy,
13730 		.flags = GENL_UNS_ADMIN_PERM,
13731 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13732 				  NL80211_FLAG_NEED_RTNL,
13733 	},
13734 	{
13735 		.cmd = NL80211_CMD_DEL_TX_TS,
13736 		.doit = nl80211_del_tx_ts,
13737 		.policy = nl80211_policy,
13738 		.flags = GENL_UNS_ADMIN_PERM,
13739 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13740 				  NL80211_FLAG_NEED_RTNL,
13741 	},
13742 	{
13743 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
13744 		.doit = nl80211_tdls_channel_switch,
13745 		.policy = nl80211_policy,
13746 		.flags = GENL_UNS_ADMIN_PERM,
13747 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13748 				  NL80211_FLAG_NEED_RTNL,
13749 	},
13750 	{
13751 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
13752 		.doit = nl80211_tdls_cancel_channel_switch,
13753 		.policy = nl80211_policy,
13754 		.flags = GENL_UNS_ADMIN_PERM,
13755 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13756 				  NL80211_FLAG_NEED_RTNL,
13757 	},
13758 	{
13759 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
13760 		.doit = nl80211_set_multicast_to_unicast,
13761 		.policy = nl80211_policy,
13762 		.flags = GENL_UNS_ADMIN_PERM,
13763 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
13764 				  NL80211_FLAG_NEED_RTNL,
13765 	},
13766 	{
13767 		.cmd = NL80211_CMD_SET_PMK,
13768 		.doit = nl80211_set_pmk,
13769 		.policy = nl80211_policy,
13770 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13771 				  NL80211_FLAG_NEED_RTNL,
13772 	},
13773 	{
13774 		.cmd = NL80211_CMD_DEL_PMK,
13775 		.doit = nl80211_del_pmk,
13776 		.policy = nl80211_policy,
13777 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13778 				  NL80211_FLAG_NEED_RTNL,
13779 	},
13780 	{
13781 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
13782 		.doit = nl80211_external_auth,
13783 		.policy = nl80211_policy,
13784 		.flags = GENL_ADMIN_PERM,
13785 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13786 				  NL80211_FLAG_NEED_RTNL,
13787 	},
13788 	{
13789 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
13790 		.doit = nl80211_tx_control_port,
13791 		.policy = nl80211_policy,
13792 		.flags = GENL_UNS_ADMIN_PERM,
13793 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
13794 				  NL80211_FLAG_NEED_RTNL,
13795 	},
13796 };
13797 
13798 static struct genl_family nl80211_fam __ro_after_init = {
13799 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
13800 	.hdrsize = 0,			/* no private header */
13801 	.version = 1,			/* no particular meaning now */
13802 	.maxattr = NL80211_ATTR_MAX,
13803 	.netnsok = true,
13804 	.pre_doit = nl80211_pre_doit,
13805 	.post_doit = nl80211_post_doit,
13806 	.module = THIS_MODULE,
13807 	.ops = nl80211_ops,
13808 	.n_ops = ARRAY_SIZE(nl80211_ops),
13809 	.mcgrps = nl80211_mcgrps,
13810 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
13811 };
13812 
13813 /* notification functions */
13814 
13815 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
13816 			  enum nl80211_commands cmd)
13817 {
13818 	struct sk_buff *msg;
13819 	struct nl80211_dump_wiphy_state state = {};
13820 
13821 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
13822 		cmd != NL80211_CMD_DEL_WIPHY);
13823 
13824 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13825 	if (!msg)
13826 		return;
13827 
13828 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
13829 		nlmsg_free(msg);
13830 		return;
13831 	}
13832 
13833 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13834 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
13835 }
13836 
13837 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
13838 				struct wireless_dev *wdev,
13839 				enum nl80211_commands cmd)
13840 {
13841 	struct sk_buff *msg;
13842 
13843 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
13844 		cmd != NL80211_CMD_DEL_INTERFACE);
13845 
13846 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13847 	if (!msg)
13848 		return;
13849 
13850 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev,
13851 			       cmd == NL80211_CMD_DEL_INTERFACE) < 0) {
13852 		nlmsg_free(msg);
13853 		return;
13854 	}
13855 
13856 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13857 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
13858 }
13859 
13860 static int nl80211_add_scan_req(struct sk_buff *msg,
13861 				struct cfg80211_registered_device *rdev)
13862 {
13863 	struct cfg80211_scan_request *req = rdev->scan_req;
13864 	struct nlattr *nest;
13865 	int i;
13866 
13867 	if (WARN_ON(!req))
13868 		return 0;
13869 
13870 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_SSIDS);
13871 	if (!nest)
13872 		goto nla_put_failure;
13873 	for (i = 0; i < req->n_ssids; i++) {
13874 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
13875 			goto nla_put_failure;
13876 	}
13877 	nla_nest_end(msg, nest);
13878 
13879 	nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13880 	if (!nest)
13881 		goto nla_put_failure;
13882 	for (i = 0; i < req->n_channels; i++) {
13883 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13884 			goto nla_put_failure;
13885 	}
13886 	nla_nest_end(msg, nest);
13887 
13888 	if (req->ie &&
13889 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
13890 		goto nla_put_failure;
13891 
13892 	if (req->flags &&
13893 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
13894 		goto nla_put_failure;
13895 
13896 	if (req->info.scan_start_tsf &&
13897 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
13898 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
13899 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
13900 		     req->info.tsf_bssid)))
13901 		goto nla_put_failure;
13902 
13903 	return 0;
13904  nla_put_failure:
13905 	return -ENOBUFS;
13906 }
13907 
13908 static int nl80211_prep_scan_msg(struct sk_buff *msg,
13909 				 struct cfg80211_registered_device *rdev,
13910 				 struct wireless_dev *wdev,
13911 				 u32 portid, u32 seq, int flags,
13912 				 u32 cmd)
13913 {
13914 	void *hdr;
13915 
13916 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
13917 	if (!hdr)
13918 		return -1;
13919 
13920 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13921 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13922 					 wdev->netdev->ifindex)) ||
13923 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13924 			      NL80211_ATTR_PAD))
13925 		goto nla_put_failure;
13926 
13927 	/* ignore errors and send incomplete event anyway */
13928 	nl80211_add_scan_req(msg, rdev);
13929 
13930 	genlmsg_end(msg, hdr);
13931 	return 0;
13932 
13933  nla_put_failure:
13934 	genlmsg_cancel(msg, hdr);
13935 	return -EMSGSIZE;
13936 }
13937 
13938 static int
13939 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
13940 			    struct cfg80211_sched_scan_request *req, u32 cmd)
13941 {
13942 	void *hdr;
13943 
13944 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
13945 	if (!hdr)
13946 		return -1;
13947 
13948 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
13949 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
13950 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
13951 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
13952 			      NL80211_ATTR_PAD))
13953 		goto nla_put_failure;
13954 
13955 	genlmsg_end(msg, hdr);
13956 	return 0;
13957 
13958  nla_put_failure:
13959 	genlmsg_cancel(msg, hdr);
13960 	return -EMSGSIZE;
13961 }
13962 
13963 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
13964 			     struct wireless_dev *wdev)
13965 {
13966 	struct sk_buff *msg;
13967 
13968 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13969 	if (!msg)
13970 		return;
13971 
13972 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
13973 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
13974 		nlmsg_free(msg);
13975 		return;
13976 	}
13977 
13978 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
13979 				NL80211_MCGRP_SCAN, GFP_KERNEL);
13980 }
13981 
13982 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
13983 				       struct wireless_dev *wdev, bool aborted)
13984 {
13985 	struct sk_buff *msg;
13986 
13987 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13988 	if (!msg)
13989 		return NULL;
13990 
13991 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
13992 				  aborted ? NL80211_CMD_SCAN_ABORTED :
13993 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
13994 		nlmsg_free(msg);
13995 		return NULL;
13996 	}
13997 
13998 	return msg;
13999 }
14000 
14001 /* send message created by nl80211_build_scan_msg() */
14002 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
14003 			   struct sk_buff *msg)
14004 {
14005 	if (!msg)
14006 		return;
14007 
14008 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14009 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14010 }
14011 
14012 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
14013 {
14014 	struct sk_buff *msg;
14015 
14016 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14017 	if (!msg)
14018 		return;
14019 
14020 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
14021 		nlmsg_free(msg);
14022 		return;
14023 	}
14024 
14025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
14026 				NL80211_MCGRP_SCAN, GFP_KERNEL);
14027 }
14028 
14029 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
14030 					  struct regulatory_request *request)
14031 {
14032 	/* Userspace can always count this one always being set */
14033 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
14034 		goto nla_put_failure;
14035 
14036 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
14037 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14038 			       NL80211_REGDOM_TYPE_WORLD))
14039 			goto nla_put_failure;
14040 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
14041 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14042 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
14043 			goto nla_put_failure;
14044 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
14045 		   request->intersect) {
14046 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14047 			       NL80211_REGDOM_TYPE_INTERSECTION))
14048 			goto nla_put_failure;
14049 	} else {
14050 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
14051 			       NL80211_REGDOM_TYPE_COUNTRY) ||
14052 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
14053 				   request->alpha2))
14054 			goto nla_put_failure;
14055 	}
14056 
14057 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
14058 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
14059 
14060 		if (wiphy &&
14061 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
14062 			goto nla_put_failure;
14063 
14064 		if (wiphy &&
14065 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
14066 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
14067 			goto nla_put_failure;
14068 	}
14069 
14070 	return true;
14071 
14072 nla_put_failure:
14073 	return false;
14074 }
14075 
14076 /*
14077  * This can happen on global regulatory changes or device specific settings
14078  * based on custom regulatory domains.
14079  */
14080 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
14081 				     struct regulatory_request *request)
14082 {
14083 	struct sk_buff *msg;
14084 	void *hdr;
14085 
14086 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14087 	if (!msg)
14088 		return;
14089 
14090 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
14091 	if (!hdr) {
14092 		nlmsg_free(msg);
14093 		return;
14094 	}
14095 
14096 	if (nl80211_reg_change_event_fill(msg, request) == false)
14097 		goto nla_put_failure;
14098 
14099 	genlmsg_end(msg, hdr);
14100 
14101 	rcu_read_lock();
14102 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14103 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14104 	rcu_read_unlock();
14105 
14106 	return;
14107 
14108 nla_put_failure:
14109 	nlmsg_free(msg);
14110 }
14111 
14112 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
14113 				    struct net_device *netdev,
14114 				    const u8 *buf, size_t len,
14115 				    enum nl80211_commands cmd, gfp_t gfp,
14116 				    int uapsd_queues)
14117 {
14118 	struct sk_buff *msg;
14119 	void *hdr;
14120 
14121 	msg = nlmsg_new(100 + len, gfp);
14122 	if (!msg)
14123 		return;
14124 
14125 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14126 	if (!hdr) {
14127 		nlmsg_free(msg);
14128 		return;
14129 	}
14130 
14131 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14132 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14133 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf))
14134 		goto nla_put_failure;
14135 
14136 	if (uapsd_queues >= 0) {
14137 		struct nlattr *nla_wmm =
14138 			nla_nest_start(msg, NL80211_ATTR_STA_WME);
14139 		if (!nla_wmm)
14140 			goto nla_put_failure;
14141 
14142 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
14143 			       uapsd_queues))
14144 			goto nla_put_failure;
14145 
14146 		nla_nest_end(msg, nla_wmm);
14147 	}
14148 
14149 	genlmsg_end(msg, hdr);
14150 
14151 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14152 				NL80211_MCGRP_MLME, gfp);
14153 	return;
14154 
14155  nla_put_failure:
14156 	nlmsg_free(msg);
14157 }
14158 
14159 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
14160 			  struct net_device *netdev, const u8 *buf,
14161 			  size_t len, gfp_t gfp)
14162 {
14163 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14164 				NL80211_CMD_AUTHENTICATE, gfp, -1);
14165 }
14166 
14167 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
14168 			   struct net_device *netdev, const u8 *buf,
14169 			   size_t len, gfp_t gfp, int uapsd_queues)
14170 {
14171 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14172 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues);
14173 }
14174 
14175 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
14176 			 struct net_device *netdev, const u8 *buf,
14177 			 size_t len, gfp_t gfp)
14178 {
14179 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14180 				NL80211_CMD_DEAUTHENTICATE, gfp, -1);
14181 }
14182 
14183 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
14184 			   struct net_device *netdev, const u8 *buf,
14185 			   size_t len, gfp_t gfp)
14186 {
14187 	nl80211_send_mlme_event(rdev, netdev, buf, len,
14188 				NL80211_CMD_DISASSOCIATE, gfp, -1);
14189 }
14190 
14191 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
14192 				  size_t len)
14193 {
14194 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14195 	struct wiphy *wiphy = wdev->wiphy;
14196 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14197 	const struct ieee80211_mgmt *mgmt = (void *)buf;
14198 	u32 cmd;
14199 
14200 	if (WARN_ON(len < 2))
14201 		return;
14202 
14203 	if (ieee80211_is_deauth(mgmt->frame_control))
14204 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
14205 	else
14206 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
14207 
14208 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
14209 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1);
14210 }
14211 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
14212 
14213 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
14214 				      struct net_device *netdev, int cmd,
14215 				      const u8 *addr, gfp_t gfp)
14216 {
14217 	struct sk_buff *msg;
14218 	void *hdr;
14219 
14220 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14221 	if (!msg)
14222 		return;
14223 
14224 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14225 	if (!hdr) {
14226 		nlmsg_free(msg);
14227 		return;
14228 	}
14229 
14230 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14231 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14232 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14233 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14234 		goto nla_put_failure;
14235 
14236 	genlmsg_end(msg, hdr);
14237 
14238 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14239 				NL80211_MCGRP_MLME, gfp);
14240 	return;
14241 
14242  nla_put_failure:
14243 	nlmsg_free(msg);
14244 }
14245 
14246 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
14247 			       struct net_device *netdev, const u8 *addr,
14248 			       gfp_t gfp)
14249 {
14250 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
14251 				  addr, gfp);
14252 }
14253 
14254 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
14255 				struct net_device *netdev, const u8 *addr,
14256 				gfp_t gfp)
14257 {
14258 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
14259 				  addr, gfp);
14260 }
14261 
14262 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
14263 				 struct net_device *netdev,
14264 				 struct cfg80211_connect_resp_params *cr,
14265 				 gfp_t gfp)
14266 {
14267 	struct sk_buff *msg;
14268 	void *hdr;
14269 
14270 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
14271 			cr->fils.kek_len + cr->fils.pmk_len +
14272 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14273 	if (!msg)
14274 		return;
14275 
14276 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
14277 	if (!hdr) {
14278 		nlmsg_free(msg);
14279 		return;
14280 	}
14281 
14282 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14283 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14284 	    (cr->bssid &&
14285 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
14286 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
14287 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
14288 			cr->status) ||
14289 	    (cr->status < 0 &&
14290 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
14291 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
14292 			  cr->timeout_reason))) ||
14293 	    (cr->req_ie &&
14294 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
14295 	    (cr->resp_ie &&
14296 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
14297 		     cr->resp_ie)) ||
14298 	    (cr->fils.update_erp_next_seq_num &&
14299 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14300 			 cr->fils.erp_next_seq_num)) ||
14301 	    (cr->status == WLAN_STATUS_SUCCESS &&
14302 	     ((cr->fils.kek &&
14303 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
14304 		       cr->fils.kek)) ||
14305 	      (cr->fils.pmk &&
14306 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
14307 	      (cr->fils.pmkid &&
14308 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
14309 		goto nla_put_failure;
14310 
14311 	genlmsg_end(msg, hdr);
14312 
14313 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14314 				NL80211_MCGRP_MLME, gfp);
14315 	return;
14316 
14317  nla_put_failure:
14318 	nlmsg_free(msg);
14319 }
14320 
14321 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
14322 			 struct net_device *netdev,
14323 			 struct cfg80211_roam_info *info, gfp_t gfp)
14324 {
14325 	struct sk_buff *msg;
14326 	void *hdr;
14327 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
14328 
14329 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
14330 			info->fils.kek_len + info->fils.pmk_len +
14331 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
14332 	if (!msg)
14333 		return;
14334 
14335 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
14336 	if (!hdr) {
14337 		nlmsg_free(msg);
14338 		return;
14339 	}
14340 
14341 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14342 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14343 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
14344 	    (info->req_ie &&
14345 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
14346 		     info->req_ie)) ||
14347 	    (info->resp_ie &&
14348 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
14349 		     info->resp_ie)) ||
14350 	    (info->fils.update_erp_next_seq_num &&
14351 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
14352 			 info->fils.erp_next_seq_num)) ||
14353 	    (info->fils.kek &&
14354 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
14355 		     info->fils.kek)) ||
14356 	    (info->fils.pmk &&
14357 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
14358 	    (info->fils.pmkid &&
14359 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
14360 		goto nla_put_failure;
14361 
14362 	genlmsg_end(msg, hdr);
14363 
14364 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14365 				NL80211_MCGRP_MLME, gfp);
14366 	return;
14367 
14368  nla_put_failure:
14369 	nlmsg_free(msg);
14370 }
14371 
14372 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
14373 				  struct net_device *netdev, const u8 *bssid)
14374 {
14375 	struct sk_buff *msg;
14376 	void *hdr;
14377 
14378 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14379 	if (!msg)
14380 		return;
14381 
14382 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
14383 	if (!hdr) {
14384 		nlmsg_free(msg);
14385 		return;
14386 	}
14387 
14388 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14389 		goto nla_put_failure;
14390 
14391 	genlmsg_end(msg, hdr);
14392 
14393 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14394 				NL80211_MCGRP_MLME, GFP_KERNEL);
14395 	return;
14396 
14397  nla_put_failure:
14398 	nlmsg_free(msg);
14399 }
14400 
14401 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
14402 			       struct net_device *netdev, u16 reason,
14403 			       const u8 *ie, size_t ie_len, bool from_ap)
14404 {
14405 	struct sk_buff *msg;
14406 	void *hdr;
14407 
14408 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
14409 	if (!msg)
14410 		return;
14411 
14412 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
14413 	if (!hdr) {
14414 		nlmsg_free(msg);
14415 		return;
14416 	}
14417 
14418 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14419 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14420 	    (reason &&
14421 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
14422 	    (from_ap &&
14423 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
14424 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
14425 		goto nla_put_failure;
14426 
14427 	genlmsg_end(msg, hdr);
14428 
14429 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14430 				NL80211_MCGRP_MLME, GFP_KERNEL);
14431 	return;
14432 
14433  nla_put_failure:
14434 	nlmsg_free(msg);
14435 }
14436 
14437 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
14438 			     struct net_device *netdev, const u8 *bssid,
14439 			     gfp_t gfp)
14440 {
14441 	struct sk_buff *msg;
14442 	void *hdr;
14443 
14444 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14445 	if (!msg)
14446 		return;
14447 
14448 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
14449 	if (!hdr) {
14450 		nlmsg_free(msg);
14451 		return;
14452 	}
14453 
14454 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14455 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14456 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
14457 		goto nla_put_failure;
14458 
14459 	genlmsg_end(msg, hdr);
14460 
14461 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14462 				NL80211_MCGRP_MLME, gfp);
14463 	return;
14464 
14465  nla_put_failure:
14466 	nlmsg_free(msg);
14467 }
14468 
14469 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
14470 					const u8* ie, u8 ie_len, gfp_t gfp)
14471 {
14472 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14473 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14474 	struct sk_buff *msg;
14475 	void *hdr;
14476 
14477 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
14478 		return;
14479 
14480 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
14481 
14482 	msg = nlmsg_new(100 + ie_len, gfp);
14483 	if (!msg)
14484 		return;
14485 
14486 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
14487 	if (!hdr) {
14488 		nlmsg_free(msg);
14489 		return;
14490 	}
14491 
14492 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14493 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14494 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
14495 	    (ie_len && ie &&
14496 	     nla_put(msg, NL80211_ATTR_IE, ie_len , ie)))
14497 		goto nla_put_failure;
14498 
14499 	genlmsg_end(msg, hdr);
14500 
14501 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14502 				NL80211_MCGRP_MLME, gfp);
14503 	return;
14504 
14505  nla_put_failure:
14506 	nlmsg_free(msg);
14507 }
14508 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
14509 
14510 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
14511 				 struct net_device *netdev, const u8 *addr,
14512 				 enum nl80211_key_type key_type, int key_id,
14513 				 const u8 *tsc, gfp_t gfp)
14514 {
14515 	struct sk_buff *msg;
14516 	void *hdr;
14517 
14518 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14519 	if (!msg)
14520 		return;
14521 
14522 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
14523 	if (!hdr) {
14524 		nlmsg_free(msg);
14525 		return;
14526 	}
14527 
14528 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14529 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
14530 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
14531 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
14532 	    (key_id != -1 &&
14533 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
14534 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
14535 		goto nla_put_failure;
14536 
14537 	genlmsg_end(msg, hdr);
14538 
14539 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14540 				NL80211_MCGRP_MLME, gfp);
14541 	return;
14542 
14543  nla_put_failure:
14544 	nlmsg_free(msg);
14545 }
14546 
14547 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
14548 				    struct ieee80211_channel *channel_before,
14549 				    struct ieee80211_channel *channel_after)
14550 {
14551 	struct sk_buff *msg;
14552 	void *hdr;
14553 	struct nlattr *nl_freq;
14554 
14555 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
14556 	if (!msg)
14557 		return;
14558 
14559 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
14560 	if (!hdr) {
14561 		nlmsg_free(msg);
14562 		return;
14563 	}
14564 
14565 	/*
14566 	 * Since we are applying the beacon hint to a wiphy we know its
14567 	 * wiphy_idx is valid
14568 	 */
14569 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
14570 		goto nla_put_failure;
14571 
14572 	/* Before */
14573 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_BEFORE);
14574 	if (!nl_freq)
14575 		goto nla_put_failure;
14576 
14577 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
14578 		goto nla_put_failure;
14579 	nla_nest_end(msg, nl_freq);
14580 
14581 	/* After */
14582 	nl_freq = nla_nest_start(msg, NL80211_ATTR_FREQ_AFTER);
14583 	if (!nl_freq)
14584 		goto nla_put_failure;
14585 
14586 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
14587 		goto nla_put_failure;
14588 	nla_nest_end(msg, nl_freq);
14589 
14590 	genlmsg_end(msg, hdr);
14591 
14592 	rcu_read_lock();
14593 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
14594 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
14595 	rcu_read_unlock();
14596 
14597 	return;
14598 
14599 nla_put_failure:
14600 	nlmsg_free(msg);
14601 }
14602 
14603 static void nl80211_send_remain_on_chan_event(
14604 	int cmd, struct cfg80211_registered_device *rdev,
14605 	struct wireless_dev *wdev, u64 cookie,
14606 	struct ieee80211_channel *chan,
14607 	unsigned int duration, gfp_t gfp)
14608 {
14609 	struct sk_buff *msg;
14610 	void *hdr;
14611 
14612 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14613 	if (!msg)
14614 		return;
14615 
14616 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14617 	if (!hdr) {
14618 		nlmsg_free(msg);
14619 		return;
14620 	}
14621 
14622 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14623 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14624 					 wdev->netdev->ifindex)) ||
14625 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14626 			      NL80211_ATTR_PAD) ||
14627 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
14628 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
14629 			NL80211_CHAN_NO_HT) ||
14630 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14631 			      NL80211_ATTR_PAD))
14632 		goto nla_put_failure;
14633 
14634 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
14635 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
14636 		goto nla_put_failure;
14637 
14638 	genlmsg_end(msg, hdr);
14639 
14640 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14641 				NL80211_MCGRP_MLME, gfp);
14642 	return;
14643 
14644  nla_put_failure:
14645 	nlmsg_free(msg);
14646 }
14647 
14648 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
14649 			       struct ieee80211_channel *chan,
14650 			       unsigned int duration, gfp_t gfp)
14651 {
14652 	struct wiphy *wiphy = wdev->wiphy;
14653 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14654 
14655 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
14656 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
14657 					  rdev, wdev, cookie, chan,
14658 					  duration, gfp);
14659 }
14660 EXPORT_SYMBOL(cfg80211_ready_on_channel);
14661 
14662 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
14663 					struct ieee80211_channel *chan,
14664 					gfp_t gfp)
14665 {
14666 	struct wiphy *wiphy = wdev->wiphy;
14667 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14668 
14669 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
14670 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14671 					  rdev, wdev, cookie, chan, 0, gfp);
14672 }
14673 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
14674 
14675 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
14676 		      struct station_info *sinfo, gfp_t gfp)
14677 {
14678 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14679 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14680 	struct sk_buff *msg;
14681 
14682 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
14683 
14684 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14685 	if (!msg)
14686 		return;
14687 
14688 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
14689 				 rdev, dev, mac_addr, sinfo) < 0) {
14690 		nlmsg_free(msg);
14691 		return;
14692 	}
14693 
14694 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14695 				NL80211_MCGRP_MLME, gfp);
14696 }
14697 EXPORT_SYMBOL(cfg80211_new_sta);
14698 
14699 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
14700 			    struct station_info *sinfo, gfp_t gfp)
14701 {
14702 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14703 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14704 	struct sk_buff *msg;
14705 	struct station_info empty_sinfo = {};
14706 
14707 	if (!sinfo)
14708 		sinfo = &empty_sinfo;
14709 
14710 	trace_cfg80211_del_sta(dev, mac_addr);
14711 
14712 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14713 	if (!msg) {
14714 		cfg80211_sinfo_release_content(sinfo);
14715 		return;
14716 	}
14717 
14718 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
14719 				 rdev, dev, mac_addr, sinfo) < 0) {
14720 		nlmsg_free(msg);
14721 		return;
14722 	}
14723 
14724 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14725 				NL80211_MCGRP_MLME, gfp);
14726 }
14727 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
14728 
14729 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
14730 			  enum nl80211_connect_failed_reason reason,
14731 			  gfp_t gfp)
14732 {
14733 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
14734 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14735 	struct sk_buff *msg;
14736 	void *hdr;
14737 
14738 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
14739 	if (!msg)
14740 		return;
14741 
14742 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
14743 	if (!hdr) {
14744 		nlmsg_free(msg);
14745 		return;
14746 	}
14747 
14748 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14749 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
14750 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
14751 		goto nla_put_failure;
14752 
14753 	genlmsg_end(msg, hdr);
14754 
14755 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14756 				NL80211_MCGRP_MLME, gfp);
14757 	return;
14758 
14759  nla_put_failure:
14760 	nlmsg_free(msg);
14761 }
14762 EXPORT_SYMBOL(cfg80211_conn_failed);
14763 
14764 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
14765 				       const u8 *addr, gfp_t gfp)
14766 {
14767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14768 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14769 	struct sk_buff *msg;
14770 	void *hdr;
14771 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
14772 
14773 	if (!nlportid)
14774 		return false;
14775 
14776 	msg = nlmsg_new(100, gfp);
14777 	if (!msg)
14778 		return true;
14779 
14780 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
14781 	if (!hdr) {
14782 		nlmsg_free(msg);
14783 		return true;
14784 	}
14785 
14786 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14787 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14788 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
14789 		goto nla_put_failure;
14790 
14791 	genlmsg_end(msg, hdr);
14792 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
14793 	return true;
14794 
14795  nla_put_failure:
14796 	nlmsg_free(msg);
14797 	return true;
14798 }
14799 
14800 bool cfg80211_rx_spurious_frame(struct net_device *dev,
14801 				const u8 *addr, gfp_t gfp)
14802 {
14803 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14804 	bool ret;
14805 
14806 	trace_cfg80211_rx_spurious_frame(dev, addr);
14807 
14808 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
14809 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
14810 		trace_cfg80211_return_bool(false);
14811 		return false;
14812 	}
14813 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
14814 					 addr, gfp);
14815 	trace_cfg80211_return_bool(ret);
14816 	return ret;
14817 }
14818 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
14819 
14820 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
14821 					const u8 *addr, gfp_t gfp)
14822 {
14823 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14824 	bool ret;
14825 
14826 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
14827 
14828 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
14829 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
14830 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
14831 		trace_cfg80211_return_bool(false);
14832 		return false;
14833 	}
14834 	ret = __nl80211_unexpected_frame(dev,
14835 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
14836 					 addr, gfp);
14837 	trace_cfg80211_return_bool(ret);
14838 	return ret;
14839 }
14840 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
14841 
14842 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
14843 		      struct wireless_dev *wdev, u32 nlportid,
14844 		      int freq, int sig_dbm,
14845 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
14846 {
14847 	struct net_device *netdev = wdev->netdev;
14848 	struct sk_buff *msg;
14849 	void *hdr;
14850 
14851 	msg = nlmsg_new(100 + len, gfp);
14852 	if (!msg)
14853 		return -ENOMEM;
14854 
14855 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
14856 	if (!hdr) {
14857 		nlmsg_free(msg);
14858 		return -ENOMEM;
14859 	}
14860 
14861 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14862 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14863 					netdev->ifindex)) ||
14864 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14865 			      NL80211_ATTR_PAD) ||
14866 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
14867 	    (sig_dbm &&
14868 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
14869 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
14870 	    (flags &&
14871 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
14872 		goto nla_put_failure;
14873 
14874 	genlmsg_end(msg, hdr);
14875 
14876 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
14877 
14878  nla_put_failure:
14879 	nlmsg_free(msg);
14880 	return -ENOBUFS;
14881 }
14882 
14883 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
14884 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
14885 {
14886 	struct wiphy *wiphy = wdev->wiphy;
14887 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14888 	struct net_device *netdev = wdev->netdev;
14889 	struct sk_buff *msg;
14890 	void *hdr;
14891 
14892 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
14893 
14894 	msg = nlmsg_new(100 + len, gfp);
14895 	if (!msg)
14896 		return;
14897 
14898 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
14899 	if (!hdr) {
14900 		nlmsg_free(msg);
14901 		return;
14902 	}
14903 
14904 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14905 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14906 				   netdev->ifindex)) ||
14907 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14908 			      NL80211_ATTR_PAD) ||
14909 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
14910 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14911 			      NL80211_ATTR_PAD) ||
14912 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
14913 		goto nla_put_failure;
14914 
14915 	genlmsg_end(msg, hdr);
14916 
14917 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
14918 				NL80211_MCGRP_MLME, gfp);
14919 	return;
14920 
14921  nla_put_failure:
14922 	nlmsg_free(msg);
14923 }
14924 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
14925 
14926 static int __nl80211_rx_control_port(struct net_device *dev,
14927 				     struct sk_buff *skb,
14928 				     bool unencrypted, gfp_t gfp)
14929 {
14930 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14931 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14932 	struct ethhdr *ehdr = eth_hdr(skb);
14933 	const u8 *addr = ehdr->h_source;
14934 	u16 proto = be16_to_cpu(skb->protocol);
14935 	struct sk_buff *msg;
14936 	void *hdr;
14937 	struct nlattr *frame;
14938 
14939 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
14940 
14941 	if (!nlportid)
14942 		return -ENOENT;
14943 
14944 	msg = nlmsg_new(100 + skb->len, gfp);
14945 	if (!msg)
14946 		return -ENOMEM;
14947 
14948 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
14949 	if (!hdr) {
14950 		nlmsg_free(msg);
14951 		return -ENOBUFS;
14952 	}
14953 
14954 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14955 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
14956 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14957 			      NL80211_ATTR_PAD) ||
14958 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
14959 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
14960 	    (unencrypted && nla_put_flag(msg,
14961 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
14962 		goto nla_put_failure;
14963 
14964 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
14965 	if (!frame)
14966 		goto nla_put_failure;
14967 
14968 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
14969 	genlmsg_end(msg, hdr);
14970 
14971 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
14972 
14973  nla_put_failure:
14974 	nlmsg_free(msg);
14975 	return -ENOBUFS;
14976 }
14977 
14978 bool cfg80211_rx_control_port(struct net_device *dev,
14979 			      struct sk_buff *skb, bool unencrypted)
14980 {
14981 	int ret;
14982 
14983 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
14984 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
14985 	trace_cfg80211_return_bool(ret == 0);
14986 	return ret == 0;
14987 }
14988 EXPORT_SYMBOL(cfg80211_rx_control_port);
14989 
14990 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
14991 					    const char *mac, gfp_t gfp)
14992 {
14993 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14994 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
14995 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14996 	void **cb;
14997 
14998 	if (!msg)
14999 		return NULL;
15000 
15001 	cb = (void **)msg->cb;
15002 
15003 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
15004 	if (!cb[0]) {
15005 		nlmsg_free(msg);
15006 		return NULL;
15007 	}
15008 
15009 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15010 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15011 		goto nla_put_failure;
15012 
15013 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15014 		goto nla_put_failure;
15015 
15016 	cb[1] = nla_nest_start(msg, NL80211_ATTR_CQM);
15017 	if (!cb[1])
15018 		goto nla_put_failure;
15019 
15020 	cb[2] = rdev;
15021 
15022 	return msg;
15023  nla_put_failure:
15024 	nlmsg_free(msg);
15025 	return NULL;
15026 }
15027 
15028 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
15029 {
15030 	void **cb = (void **)msg->cb;
15031 	struct cfg80211_registered_device *rdev = cb[2];
15032 
15033 	nla_nest_end(msg, cb[1]);
15034 	genlmsg_end(msg, cb[0]);
15035 
15036 	memset(msg->cb, 0, sizeof(msg->cb));
15037 
15038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15039 				NL80211_MCGRP_MLME, gfp);
15040 }
15041 
15042 void cfg80211_cqm_rssi_notify(struct net_device *dev,
15043 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
15044 			      s32 rssi_level, gfp_t gfp)
15045 {
15046 	struct sk_buff *msg;
15047 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15048 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15049 
15050 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
15051 
15052 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
15053 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
15054 		return;
15055 
15056 	if (wdev->cqm_config) {
15057 		wdev->cqm_config->last_rssi_event_value = rssi_level;
15058 
15059 		cfg80211_cqm_rssi_update(rdev, dev);
15060 
15061 		if (rssi_level == 0)
15062 			rssi_level = wdev->cqm_config->last_rssi_event_value;
15063 	}
15064 
15065 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15066 	if (!msg)
15067 		return;
15068 
15069 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
15070 			rssi_event))
15071 		goto nla_put_failure;
15072 
15073 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
15074 				      rssi_level))
15075 		goto nla_put_failure;
15076 
15077 	cfg80211_send_cqm(msg, gfp);
15078 
15079 	return;
15080 
15081  nla_put_failure:
15082 	nlmsg_free(msg);
15083 }
15084 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
15085 
15086 void cfg80211_cqm_txe_notify(struct net_device *dev,
15087 			     const u8 *peer, u32 num_packets,
15088 			     u32 rate, u32 intvl, gfp_t gfp)
15089 {
15090 	struct sk_buff *msg;
15091 
15092 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15093 	if (!msg)
15094 		return;
15095 
15096 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
15097 		goto nla_put_failure;
15098 
15099 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
15100 		goto nla_put_failure;
15101 
15102 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
15103 		goto nla_put_failure;
15104 
15105 	cfg80211_send_cqm(msg, gfp);
15106 	return;
15107 
15108  nla_put_failure:
15109 	nlmsg_free(msg);
15110 }
15111 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
15112 
15113 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
15114 				 const u8 *peer, u32 num_packets, gfp_t gfp)
15115 {
15116 	struct sk_buff *msg;
15117 
15118 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
15119 
15120 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
15121 	if (!msg)
15122 		return;
15123 
15124 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
15125 		goto nla_put_failure;
15126 
15127 	cfg80211_send_cqm(msg, gfp);
15128 	return;
15129 
15130  nla_put_failure:
15131 	nlmsg_free(msg);
15132 }
15133 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
15134 
15135 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
15136 {
15137 	struct sk_buff *msg;
15138 
15139 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
15140 	if (!msg)
15141 		return;
15142 
15143 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
15144 		goto nla_put_failure;
15145 
15146 	cfg80211_send_cqm(msg, gfp);
15147 	return;
15148 
15149  nla_put_failure:
15150 	nlmsg_free(msg);
15151 }
15152 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
15153 
15154 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
15155 				     struct net_device *netdev, const u8 *bssid,
15156 				     const u8 *replay_ctr, gfp_t gfp)
15157 {
15158 	struct sk_buff *msg;
15159 	struct nlattr *rekey_attr;
15160 	void *hdr;
15161 
15162 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15163 	if (!msg)
15164 		return;
15165 
15166 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
15167 	if (!hdr) {
15168 		nlmsg_free(msg);
15169 		return;
15170 	}
15171 
15172 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15173 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15174 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15175 		goto nla_put_failure;
15176 
15177 	rekey_attr = nla_nest_start(msg, NL80211_ATTR_REKEY_DATA);
15178 	if (!rekey_attr)
15179 		goto nla_put_failure;
15180 
15181 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
15182 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
15183 		goto nla_put_failure;
15184 
15185 	nla_nest_end(msg, rekey_attr);
15186 
15187 	genlmsg_end(msg, hdr);
15188 
15189 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15190 				NL80211_MCGRP_MLME, gfp);
15191 	return;
15192 
15193  nla_put_failure:
15194 	nlmsg_free(msg);
15195 }
15196 
15197 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
15198 			       const u8 *replay_ctr, gfp_t gfp)
15199 {
15200 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15201 	struct wiphy *wiphy = wdev->wiphy;
15202 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15203 
15204 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
15205 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
15206 }
15207 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
15208 
15209 static void
15210 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
15211 			       struct net_device *netdev, int index,
15212 			       const u8 *bssid, bool preauth, gfp_t gfp)
15213 {
15214 	struct sk_buff *msg;
15215 	struct nlattr *attr;
15216 	void *hdr;
15217 
15218 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15219 	if (!msg)
15220 		return;
15221 
15222 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
15223 	if (!hdr) {
15224 		nlmsg_free(msg);
15225 		return;
15226 	}
15227 
15228 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15229 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15230 		goto nla_put_failure;
15231 
15232 	attr = nla_nest_start(msg, NL80211_ATTR_PMKSA_CANDIDATE);
15233 	if (!attr)
15234 		goto nla_put_failure;
15235 
15236 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
15237 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
15238 	    (preauth &&
15239 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
15240 		goto nla_put_failure;
15241 
15242 	nla_nest_end(msg, attr);
15243 
15244 	genlmsg_end(msg, hdr);
15245 
15246 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15247 				NL80211_MCGRP_MLME, gfp);
15248 	return;
15249 
15250  nla_put_failure:
15251 	nlmsg_free(msg);
15252 }
15253 
15254 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
15255 				     const u8 *bssid, bool preauth, gfp_t gfp)
15256 {
15257 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15258 	struct wiphy *wiphy = wdev->wiphy;
15259 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15260 
15261 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
15262 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
15263 }
15264 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
15265 
15266 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
15267 				     struct net_device *netdev,
15268 				     struct cfg80211_chan_def *chandef,
15269 				     gfp_t gfp,
15270 				     enum nl80211_commands notif,
15271 				     u8 count)
15272 {
15273 	struct sk_buff *msg;
15274 	void *hdr;
15275 
15276 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15277 	if (!msg)
15278 		return;
15279 
15280 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
15281 	if (!hdr) {
15282 		nlmsg_free(msg);
15283 		return;
15284 	}
15285 
15286 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
15287 		goto nla_put_failure;
15288 
15289 	if (nl80211_send_chandef(msg, chandef))
15290 		goto nla_put_failure;
15291 
15292 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
15293 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
15294 			goto nla_put_failure;
15295 
15296 	genlmsg_end(msg, hdr);
15297 
15298 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15299 				NL80211_MCGRP_MLME, gfp);
15300 	return;
15301 
15302  nla_put_failure:
15303 	nlmsg_free(msg);
15304 }
15305 
15306 void cfg80211_ch_switch_notify(struct net_device *dev,
15307 			       struct cfg80211_chan_def *chandef)
15308 {
15309 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15310 	struct wiphy *wiphy = wdev->wiphy;
15311 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15312 
15313 	ASSERT_WDEV_LOCK(wdev);
15314 
15315 	trace_cfg80211_ch_switch_notify(dev, chandef);
15316 
15317 	wdev->chandef = *chandef;
15318 	wdev->preset_chandef = *chandef;
15319 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15320 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
15321 }
15322 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
15323 
15324 void cfg80211_ch_switch_started_notify(struct net_device *dev,
15325 				       struct cfg80211_chan_def *chandef,
15326 				       u8 count)
15327 {
15328 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15329 	struct wiphy *wiphy = wdev->wiphy;
15330 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15331 
15332 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
15333 
15334 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
15335 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
15336 }
15337 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
15338 
15339 void
15340 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
15341 		     const struct cfg80211_chan_def *chandef,
15342 		     enum nl80211_radar_event event,
15343 		     struct net_device *netdev, gfp_t gfp)
15344 {
15345 	struct sk_buff *msg;
15346 	void *hdr;
15347 
15348 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15349 	if (!msg)
15350 		return;
15351 
15352 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
15353 	if (!hdr) {
15354 		nlmsg_free(msg);
15355 		return;
15356 	}
15357 
15358 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15359 		goto nla_put_failure;
15360 
15361 	/* NOP and radar events don't need a netdev parameter */
15362 	if (netdev) {
15363 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
15364 
15365 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15366 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15367 				      NL80211_ATTR_PAD))
15368 			goto nla_put_failure;
15369 	}
15370 
15371 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
15372 		goto nla_put_failure;
15373 
15374 	if (nl80211_send_chandef(msg, chandef))
15375 		goto nla_put_failure;
15376 
15377 	genlmsg_end(msg, hdr);
15378 
15379 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15380 				NL80211_MCGRP_MLME, gfp);
15381 	return;
15382 
15383  nla_put_failure:
15384 	nlmsg_free(msg);
15385 }
15386 
15387 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
15388 				       struct sta_opmode_info *sta_opmode,
15389 				       gfp_t gfp)
15390 {
15391 	struct sk_buff *msg;
15392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15393 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15394 	void *hdr;
15395 
15396 	if (WARN_ON(!mac))
15397 		return;
15398 
15399 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15400 	if (!msg)
15401 		return;
15402 
15403 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
15404 	if (!hdr) {
15405 		nlmsg_free(msg);
15406 		return;
15407 	}
15408 
15409 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
15410 		goto nla_put_failure;
15411 
15412 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15413 		goto nla_put_failure;
15414 
15415 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
15416 		goto nla_put_failure;
15417 
15418 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
15419 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
15420 		goto nla_put_failure;
15421 
15422 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
15423 	    nla_put_u8(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
15424 		goto nla_put_failure;
15425 
15426 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
15427 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
15428 		goto nla_put_failure;
15429 
15430 	genlmsg_end(msg, hdr);
15431 
15432 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15433 				NL80211_MCGRP_MLME, gfp);
15434 
15435 	return;
15436 
15437 nla_put_failure:
15438 	nlmsg_free(msg);
15439 }
15440 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
15441 
15442 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
15443 			   u64 cookie, bool acked, s32 ack_signal,
15444 			   bool is_valid_ack_signal, gfp_t gfp)
15445 {
15446 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15447 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15448 	struct sk_buff *msg;
15449 	void *hdr;
15450 
15451 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
15452 
15453 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15454 
15455 	if (!msg)
15456 		return;
15457 
15458 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
15459 	if (!hdr) {
15460 		nlmsg_free(msg);
15461 		return;
15462 	}
15463 
15464 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15465 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15466 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15467 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15468 			      NL80211_ATTR_PAD) ||
15469 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
15470 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
15471 						ack_signal)))
15472 		goto nla_put_failure;
15473 
15474 	genlmsg_end(msg, hdr);
15475 
15476 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15477 				NL80211_MCGRP_MLME, gfp);
15478 	return;
15479 
15480  nla_put_failure:
15481 	nlmsg_free(msg);
15482 }
15483 EXPORT_SYMBOL(cfg80211_probe_status);
15484 
15485 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
15486 				 const u8 *frame, size_t len,
15487 				 int freq, int sig_dbm)
15488 {
15489 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15490 	struct sk_buff *msg;
15491 	void *hdr;
15492 	struct cfg80211_beacon_registration *reg;
15493 
15494 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
15495 
15496 	spin_lock_bh(&rdev->beacon_registrations_lock);
15497 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15498 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
15499 		if (!msg) {
15500 			spin_unlock_bh(&rdev->beacon_registrations_lock);
15501 			return;
15502 		}
15503 
15504 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
15505 		if (!hdr)
15506 			goto nla_put_failure;
15507 
15508 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15509 		    (freq &&
15510 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
15511 		    (sig_dbm &&
15512 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
15513 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
15514 			goto nla_put_failure;
15515 
15516 		genlmsg_end(msg, hdr);
15517 
15518 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
15519 	}
15520 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15521 	return;
15522 
15523  nla_put_failure:
15524 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15525 	nlmsg_free(msg);
15526 }
15527 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
15528 
15529 #ifdef CONFIG_PM
15530 static int cfg80211_net_detect_results(struct sk_buff *msg,
15531 				       struct cfg80211_wowlan_wakeup *wakeup)
15532 {
15533 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
15534 	struct nlattr *nl_results, *nl_match, *nl_freqs;
15535 	int i, j;
15536 
15537 	nl_results = nla_nest_start(
15538 		msg, NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
15539 	if (!nl_results)
15540 		return -EMSGSIZE;
15541 
15542 	for (i = 0; i < nd->n_matches; i++) {
15543 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
15544 
15545 		nl_match = nla_nest_start(msg, i);
15546 		if (!nl_match)
15547 			break;
15548 
15549 		/* The SSID attribute is optional in nl80211, but for
15550 		 * simplicity reasons it's always present in the
15551 		 * cfg80211 structure.  If a driver can't pass the
15552 		 * SSID, that needs to be changed.  A zero length SSID
15553 		 * is still a valid SSID (wildcard), so it cannot be
15554 		 * used for this purpose.
15555 		 */
15556 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
15557 			    match->ssid.ssid)) {
15558 			nla_nest_cancel(msg, nl_match);
15559 			goto out;
15560 		}
15561 
15562 		if (match->n_channels) {
15563 			nl_freqs = nla_nest_start(
15564 				msg, NL80211_ATTR_SCAN_FREQUENCIES);
15565 			if (!nl_freqs) {
15566 				nla_nest_cancel(msg, nl_match);
15567 				goto out;
15568 			}
15569 
15570 			for (j = 0; j < match->n_channels; j++) {
15571 				if (nla_put_u32(msg, j, match->channels[j])) {
15572 					nla_nest_cancel(msg, nl_freqs);
15573 					nla_nest_cancel(msg, nl_match);
15574 					goto out;
15575 				}
15576 			}
15577 
15578 			nla_nest_end(msg, nl_freqs);
15579 		}
15580 
15581 		nla_nest_end(msg, nl_match);
15582 	}
15583 
15584 out:
15585 	nla_nest_end(msg, nl_results);
15586 	return 0;
15587 }
15588 
15589 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
15590 				   struct cfg80211_wowlan_wakeup *wakeup,
15591 				   gfp_t gfp)
15592 {
15593 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15594 	struct sk_buff *msg;
15595 	void *hdr;
15596 	int size = 200;
15597 
15598 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
15599 
15600 	if (wakeup)
15601 		size += wakeup->packet_present_len;
15602 
15603 	msg = nlmsg_new(size, gfp);
15604 	if (!msg)
15605 		return;
15606 
15607 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
15608 	if (!hdr)
15609 		goto free_msg;
15610 
15611 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15612 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15613 			      NL80211_ATTR_PAD))
15614 		goto free_msg;
15615 
15616 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15617 					wdev->netdev->ifindex))
15618 		goto free_msg;
15619 
15620 	if (wakeup) {
15621 		struct nlattr *reasons;
15622 
15623 		reasons = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
15624 		if (!reasons)
15625 			goto free_msg;
15626 
15627 		if (wakeup->disconnect &&
15628 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
15629 			goto free_msg;
15630 		if (wakeup->magic_pkt &&
15631 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
15632 			goto free_msg;
15633 		if (wakeup->gtk_rekey_failure &&
15634 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
15635 			goto free_msg;
15636 		if (wakeup->eap_identity_req &&
15637 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
15638 			goto free_msg;
15639 		if (wakeup->four_way_handshake &&
15640 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
15641 			goto free_msg;
15642 		if (wakeup->rfkill_release &&
15643 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
15644 			goto free_msg;
15645 
15646 		if (wakeup->pattern_idx >= 0 &&
15647 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
15648 				wakeup->pattern_idx))
15649 			goto free_msg;
15650 
15651 		if (wakeup->tcp_match &&
15652 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
15653 			goto free_msg;
15654 
15655 		if (wakeup->tcp_connlost &&
15656 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
15657 			goto free_msg;
15658 
15659 		if (wakeup->tcp_nomoretokens &&
15660 		    nla_put_flag(msg,
15661 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
15662 			goto free_msg;
15663 
15664 		if (wakeup->packet) {
15665 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
15666 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
15667 
15668 			if (!wakeup->packet_80211) {
15669 				pkt_attr =
15670 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
15671 				len_attr =
15672 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
15673 			}
15674 
15675 			if (wakeup->packet_len &&
15676 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
15677 				goto free_msg;
15678 
15679 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
15680 				    wakeup->packet))
15681 				goto free_msg;
15682 		}
15683 
15684 		if (wakeup->net_detect &&
15685 		    cfg80211_net_detect_results(msg, wakeup))
15686 				goto free_msg;
15687 
15688 		nla_nest_end(msg, reasons);
15689 	}
15690 
15691 	genlmsg_end(msg, hdr);
15692 
15693 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15694 				NL80211_MCGRP_MLME, gfp);
15695 	return;
15696 
15697  free_msg:
15698 	nlmsg_free(msg);
15699 }
15700 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
15701 #endif
15702 
15703 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
15704 				enum nl80211_tdls_operation oper,
15705 				u16 reason_code, gfp_t gfp)
15706 {
15707 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15708 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15709 	struct sk_buff *msg;
15710 	void *hdr;
15711 
15712 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
15713 					 reason_code);
15714 
15715 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15716 	if (!msg)
15717 		return;
15718 
15719 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
15720 	if (!hdr) {
15721 		nlmsg_free(msg);
15722 		return;
15723 	}
15724 
15725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15726 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15727 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
15728 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
15729 	    (reason_code > 0 &&
15730 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
15731 		goto nla_put_failure;
15732 
15733 	genlmsg_end(msg, hdr);
15734 
15735 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15736 				NL80211_MCGRP_MLME, gfp);
15737 	return;
15738 
15739  nla_put_failure:
15740 	nlmsg_free(msg);
15741 }
15742 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
15743 
15744 static int nl80211_netlink_notify(struct notifier_block * nb,
15745 				  unsigned long state,
15746 				  void *_notify)
15747 {
15748 	struct netlink_notify *notify = _notify;
15749 	struct cfg80211_registered_device *rdev;
15750 	struct wireless_dev *wdev;
15751 	struct cfg80211_beacon_registration *reg, *tmp;
15752 
15753 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
15754 		return NOTIFY_DONE;
15755 
15756 	rcu_read_lock();
15757 
15758 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
15759 		struct cfg80211_sched_scan_request *sched_scan_req;
15760 
15761 		list_for_each_entry_rcu(sched_scan_req,
15762 					&rdev->sched_scan_req_list,
15763 					list) {
15764 			if (sched_scan_req->owner_nlportid == notify->portid) {
15765 				sched_scan_req->nl_owner_dead = true;
15766 				schedule_work(&rdev->sched_scan_stop_wk);
15767 			}
15768 		}
15769 
15770 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
15771 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
15772 
15773 			if (wdev->owner_nlportid == notify->portid) {
15774 				wdev->nl_owner_dead = true;
15775 				schedule_work(&rdev->destroy_work);
15776 			} else if (wdev->conn_owner_nlportid == notify->portid) {
15777 				schedule_work(&wdev->disconnect_wk);
15778 			}
15779 		}
15780 
15781 		spin_lock_bh(&rdev->beacon_registrations_lock);
15782 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
15783 					 list) {
15784 			if (reg->nlportid == notify->portid) {
15785 				list_del(&reg->list);
15786 				kfree(reg);
15787 				break;
15788 			}
15789 		}
15790 		spin_unlock_bh(&rdev->beacon_registrations_lock);
15791 	}
15792 
15793 	rcu_read_unlock();
15794 
15795 	/*
15796 	 * It is possible that the user space process that is controlling the
15797 	 * indoor setting disappeared, so notify the regulatory core.
15798 	 */
15799 	regulatory_netlink_notify(notify->portid);
15800 	return NOTIFY_OK;
15801 }
15802 
15803 static struct notifier_block nl80211_netlink_notifier = {
15804 	.notifier_call = nl80211_netlink_notify,
15805 };
15806 
15807 void cfg80211_ft_event(struct net_device *netdev,
15808 		       struct cfg80211_ft_event_params *ft_event)
15809 {
15810 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
15811 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15812 	struct sk_buff *msg;
15813 	void *hdr;
15814 
15815 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
15816 
15817 	if (!ft_event->target_ap)
15818 		return;
15819 
15820 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
15821 			GFP_KERNEL);
15822 	if (!msg)
15823 		return;
15824 
15825 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
15826 	if (!hdr)
15827 		goto out;
15828 
15829 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15830 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15831 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
15832 		goto out;
15833 
15834 	if (ft_event->ies &&
15835 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
15836 		goto out;
15837 	if (ft_event->ric_ies &&
15838 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
15839 		    ft_event->ric_ies))
15840 		goto out;
15841 
15842 	genlmsg_end(msg, hdr);
15843 
15844 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15845 				NL80211_MCGRP_MLME, GFP_KERNEL);
15846 	return;
15847  out:
15848 	nlmsg_free(msg);
15849 }
15850 EXPORT_SYMBOL(cfg80211_ft_event);
15851 
15852 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
15853 {
15854 	struct cfg80211_registered_device *rdev;
15855 	struct sk_buff *msg;
15856 	void *hdr;
15857 	u32 nlportid;
15858 
15859 	rdev = wiphy_to_rdev(wdev->wiphy);
15860 	if (!rdev->crit_proto_nlportid)
15861 		return;
15862 
15863 	nlportid = rdev->crit_proto_nlportid;
15864 	rdev->crit_proto_nlportid = 0;
15865 
15866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15867 	if (!msg)
15868 		return;
15869 
15870 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
15871 	if (!hdr)
15872 		goto nla_put_failure;
15873 
15874 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15875 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15876 			      NL80211_ATTR_PAD))
15877 		goto nla_put_failure;
15878 
15879 	genlmsg_end(msg, hdr);
15880 
15881 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
15882 	return;
15883 
15884  nla_put_failure:
15885 	nlmsg_free(msg);
15886 }
15887 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
15888 
15889 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
15890 {
15891 	struct wiphy *wiphy = wdev->wiphy;
15892 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15893 	struct sk_buff *msg;
15894 	void *hdr;
15895 
15896 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15897 	if (!msg)
15898 		return;
15899 
15900 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
15901 	if (!hdr)
15902 		goto out;
15903 
15904 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15905 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
15906 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15907 			      NL80211_ATTR_PAD))
15908 		goto out;
15909 
15910 	genlmsg_end(msg, hdr);
15911 
15912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
15913 				NL80211_MCGRP_MLME, GFP_KERNEL);
15914 	return;
15915  out:
15916 	nlmsg_free(msg);
15917 }
15918 
15919 int cfg80211_external_auth_request(struct net_device *dev,
15920 				   struct cfg80211_external_auth_params *params,
15921 				   gfp_t gfp)
15922 {
15923 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15924 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15925 	struct sk_buff *msg;
15926 	void *hdr;
15927 
15928 	if (!wdev->conn_owner_nlportid)
15929 		return -EINVAL;
15930 
15931 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15932 	if (!msg)
15933 		return -ENOMEM;
15934 
15935 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
15936 	if (!hdr)
15937 		goto nla_put_failure;
15938 
15939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15940 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15941 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
15942 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
15943 			params->action) ||
15944 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
15945 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
15946 		    params->ssid.ssid))
15947 		goto nla_put_failure;
15948 
15949 	genlmsg_end(msg, hdr);
15950 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
15951 			wdev->conn_owner_nlportid);
15952 	return 0;
15953 
15954  nla_put_failure:
15955 	nlmsg_free(msg);
15956 	return -ENOBUFS;
15957 }
15958 EXPORT_SYMBOL(cfg80211_external_auth_request);
15959 
15960 /* initialisation/exit functions */
15961 
15962 int __init nl80211_init(void)
15963 {
15964 	int err;
15965 
15966 	err = genl_register_family(&nl80211_fam);
15967 	if (err)
15968 		return err;
15969 
15970 	err = netlink_register_notifier(&nl80211_netlink_notifier);
15971 	if (err)
15972 		goto err_out;
15973 
15974 	return 0;
15975  err_out:
15976 	genl_unregister_family(&nl80211_fam);
15977 	return err;
15978 }
15979 
15980 void nl80211_exit(void)
15981 {
15982 	netlink_unregister_notifier(&nl80211_netlink_notifier);
15983 	genl_unregister_family(&nl80211_fam);
15984 }
15985