xref: /linux/net/wireless/nl80211.c (revision bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2026 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	const struct ieee80211_ext *ext;
233 	unsigned int fixedlen, hdrlen;
234 	bool s1g_bcn;
235 
236 	if (len < offsetofend(typeof(*mgmt), frame_control))
237 		goto err;
238 
239 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
240 	if (s1g_bcn) {
241 		ext = (struct ieee80211_ext *)mgmt;
242 		fixedlen =
243 			offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
244 			ieee80211_s1g_optional_len(ext->frame_control);
245 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
246 	} else {
247 		fixedlen = offsetof(struct ieee80211_mgmt,
248 				    u.beacon.variable);
249 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
250 	}
251 
252 	if (len < fixedlen)
253 		goto err;
254 
255 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
256 		goto err;
257 
258 	data += fixedlen;
259 	len -= fixedlen;
260 
261 	for_each_element(elem, data, len) {
262 		/* nothing */
263 	}
264 
265 	if (for_each_element_completed(elem, data, len))
266 		return 0;
267 
268 err:
269 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
270 	return -EINVAL;
271 }
272 
273 static int validate_ie_attr(const struct nlattr *attr,
274 			    struct netlink_ext_ack *extack)
275 {
276 	const u8 *data = nla_data(attr);
277 	unsigned int len = nla_len(attr);
278 	const struct element *elem;
279 
280 	for_each_element(elem, data, len) {
281 		/* nothing */
282 	}
283 
284 	if (for_each_element_completed(elem, data, len))
285 		return 0;
286 
287 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
288 	return -EINVAL;
289 }
290 
291 static int validate_he_capa(const struct nlattr *attr,
292 			    struct netlink_ext_ack *extack)
293 {
294 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
295 		return -EINVAL;
296 
297 	return 0;
298 }
299 
300 static int validate_supported_selectors(const struct nlattr *attr,
301 					struct netlink_ext_ack *extack)
302 {
303 	const u8 *supported_selectors = nla_data(attr);
304 	u8 supported_selectors_len = nla_len(attr);
305 
306 	/* The top bit must not be set as it is not part of the selector */
307 	for (int i = 0; i < supported_selectors_len; i++) {
308 		if (supported_selectors[i] & 0x80)
309 			return -EINVAL;
310 	}
311 
312 	return 0;
313 }
314 
315 static int validate_nan_cluster_id(const struct nlattr *attr,
316 				   struct netlink_ext_ack *extack)
317 {
318 	const u8 *data = nla_data(attr);
319 	unsigned int len = nla_len(attr);
320 	static const u8 cluster_id_prefix[4] = {0x50, 0x6f, 0x9a, 0x1};
321 
322 	if (len != ETH_ALEN) {
323 		NL_SET_ERR_MSG_ATTR(extack, attr, "bad cluster id length");
324 		return -EINVAL;
325 	}
326 
327 	if (memcmp(data, cluster_id_prefix, sizeof(cluster_id_prefix))) {
328 		NL_SET_ERR_MSG_ATTR(extack, attr, "invalid cluster id prefix");
329 		return -EINVAL;
330 	}
331 
332 	return 0;
333 }
334 
335 static int validate_uhr_capa(const struct nlattr *attr,
336 			     struct netlink_ext_ack *extack)
337 {
338 	const u8 *data = nla_data(attr);
339 	unsigned int len = nla_len(attr);
340 
341 	return ieee80211_uhr_capa_size_ok(data, len, false);
342 }
343 
344 /* policy for the attributes */
345 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
346 
347 static const struct nla_policy
348 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
349 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
350 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
351 					.len = U8_MAX },
352 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
353 					     .len = U8_MAX },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
359 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
360 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
361 		NLA_POLICY_MAX(NLA_U8, 15),
362 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
363 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
364 		NLA_POLICY_MAX(NLA_U8, 15),
365 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
366 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
367 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
368 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
369 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
370 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
371 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
372 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
373 	[NL80211_PMSR_FTM_REQ_ATTR_RSTA] = { .type = NLA_FLAG },
374 };
375 
376 static const struct nla_policy
377 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
378 	[NL80211_PMSR_TYPE_FTM] =
379 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
380 };
381 
382 static const struct nla_policy
383 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
384 	[NL80211_PMSR_REQ_ATTR_DATA] =
385 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
386 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
387 };
388 
389 static const struct nla_policy
390 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
391 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
392 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
393 	[NL80211_PMSR_PEER_ATTR_REQ] =
394 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
395 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
396 };
397 
398 static const struct nla_policy
399 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
400 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
401 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
402 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
403 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
404 	[NL80211_PMSR_ATTR_PEERS] =
405 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
406 };
407 
408 static const struct nla_policy
409 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
410 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
411 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
412 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
413 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
414 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
415 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
416 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
417 		NLA_POLICY_EXACT_LEN(8),
418 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
419 		NLA_POLICY_EXACT_LEN(8),
420 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
421 };
422 
423 static const struct nla_policy
424 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
425 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
426 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
427 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
428 };
429 
430 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
431 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
432 				    .len = NL80211_MAX_SUPP_RATES },
433 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
434 				.len = NL80211_MAX_SUPP_HT_RATES },
435 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
436 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
437 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
438 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
439 						   NL80211_RATE_INFO_HE_GI_0_8,
440 						   NL80211_RATE_INFO_HE_GI_3_2),
441 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
442 						   NL80211_RATE_INFO_HE_1XLTF,
443 						   NL80211_RATE_INFO_HE_4XLTF),
444 	[NL80211_TXRATE_EHT] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_eht)),
445 	[NL80211_TXRATE_EHT_GI] =  NLA_POLICY_RANGE(NLA_U8,
446 						   NL80211_RATE_INFO_EHT_GI_0_8,
447 						   NL80211_RATE_INFO_EHT_GI_3_2),
448 	[NL80211_TXRATE_EHT_LTF] = NLA_POLICY_RANGE(NLA_U8,
449 						   NL80211_RATE_INFO_EHT_1XLTF,
450 						   NL80211_RATE_INFO_EHT_8XLTF),
451 
452 };
453 
454 static const struct nla_policy
455 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
456 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
457 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
458 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
459 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
460 	[NL80211_TID_CONFIG_ATTR_NOACK] =
461 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
462 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
463 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
464 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
465 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
466 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
467 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
468 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
469 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
470 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
471 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
472 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
473 			NLA_POLICY_NESTED(nl80211_txattr_policy),
474 };
475 
476 static const struct nla_policy
477 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
478 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
479 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
480 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
481 			NLA_POLICY_RANGE(NLA_BINARY,
482 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
483 					 IEEE80211_MAX_DATA_LEN),
484 };
485 
486 static const struct nla_policy
487 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
488 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
489 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
490 						       .len = IEEE80211_MAX_DATA_LEN }
491 };
492 
493 static const struct nla_policy
494 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
495 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
496 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
497 };
498 
499 static const struct nla_policy
500 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
501 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
502 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
503 };
504 
505 static const struct nla_policy
506 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
507 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
508 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
509 						NLA_POLICY_MIN(NLA_U8, 1),
510 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
511 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
512 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
513 	[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID] =
514 		NLA_POLICY_MAX(NLA_U8, IEEE80211_MLD_MAX_NUM_LINKS),
515 };
516 
517 static const struct nla_policy
518 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
519 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
520 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
521 };
522 
523 static const struct nla_policy
524 nl80211_s1g_short_beacon[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1] = {
525 	[NL80211_S1G_SHORT_BEACON_ATTR_HEAD] =
526 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
527 				       IEEE80211_MAX_DATA_LEN),
528 	[NL80211_S1G_SHORT_BEACON_ATTR_TAIL] =
529 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
530 				       IEEE80211_MAX_DATA_LEN),
531 };
532 
533 static const struct nla_policy
534 nl80211_nan_band_conf_policy[NL80211_NAN_BAND_CONF_ATTR_MAX + 1] = {
535 	[NL80211_NAN_BAND_CONF_BAND] = NLA_POLICY_MAX(NLA_U8,
536 						      NUM_NL80211_BANDS - 1),
537 	[NL80211_NAN_BAND_CONF_FREQ] = { .type = NLA_U16 },
538 	[NL80211_NAN_BAND_CONF_RSSI_CLOSE] = NLA_POLICY_MIN(NLA_S8, -59),
539 	[NL80211_NAN_BAND_CONF_RSSI_MIDDLE] = NLA_POLICY_MIN(NLA_S8, -74),
540 	[NL80211_NAN_BAND_CONF_WAKE_DW] = NLA_POLICY_MAX(NLA_U8, 5),
541 	[NL80211_NAN_BAND_CONF_DISABLE_SCAN] = { .type = NLA_FLAG },
542 };
543 
544 static const struct nla_policy
545 nl80211_nan_conf_policy[NL80211_NAN_CONF_ATTR_MAX + 1] = {
546 	[NL80211_NAN_CONF_CLUSTER_ID] =
547 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_nan_cluster_id,
548 				       ETH_ALEN),
549 	[NL80211_NAN_CONF_EXTRA_ATTRS] = { .type = NLA_BINARY,
550 					   .len = IEEE80211_MAX_DATA_LEN},
551 	[NL80211_NAN_CONF_VENDOR_ELEMS] =
552 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
553 				       IEEE80211_MAX_DATA_LEN),
554 	[NL80211_NAN_CONF_BAND_CONFIGS] =
555 		NLA_POLICY_NESTED_ARRAY(nl80211_nan_band_conf_policy),
556 	[NL80211_NAN_CONF_SCAN_PERIOD] = { .type = NLA_U16 },
557 	[NL80211_NAN_CONF_SCAN_DWELL_TIME] = NLA_POLICY_RANGE(NLA_U16, 50, 512),
558 	[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL] =
559 		NLA_POLICY_RANGE(NLA_U8, 50, 200),
560 	[NL80211_NAN_CONF_NOTIFY_DW] = { .type = NLA_FLAG },
561 };
562 
563 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
564 	.min = 0,
565 	.max = 0xffff,
566 };
567 
568 static const struct netlink_range_validation q_range = {
569 	.max = INT_MAX,
570 };
571 
572 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
573 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
574 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
575 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
576 				      .len = 20-1 },
577 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
578 
579 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
580 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
581 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
582 						NL80211_EDMG_CHANNELS_MIN,
583 						NL80211_EDMG_CHANNELS_MAX),
584 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
585 						NL80211_EDMG_BW_CONFIG_MIN,
586 						NL80211_EDMG_BW_CONFIG_MAX),
587 
588 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
589 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
590 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
591 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
592 
593 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
594 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
595 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
596 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
597 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
598 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
599 
600 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
601 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
602 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
603 
604 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
605 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
606 
607 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
608 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
609 				    .len = WLAN_MAX_KEY_LEN },
610 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
611 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
612 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
613 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
614 	[NL80211_ATTR_KEY_TYPE] =
615 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
616 
617 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
618 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
619 	[NL80211_ATTR_BEACON_HEAD] =
620 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
621 				       IEEE80211_MAX_DATA_LEN),
622 	[NL80211_ATTR_BEACON_TAIL] =
623 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
624 				       IEEE80211_MAX_DATA_LEN),
625 	[NL80211_ATTR_STA_AID] =
626 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
627 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
628 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
629 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
630 					       .len = NL80211_MAX_SUPP_RATES },
631 	[NL80211_ATTR_STA_PLINK_ACTION] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
633 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
634 		NLA_POLICY_RANGE(NLA_U8,
635 				 NL80211_TX_POWER_AUTOMATIC,
636 				 NL80211_TX_POWER_FIXED),
637 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
638 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
639 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
640 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
641 				   .len = IEEE80211_MAX_MESH_ID_LEN },
642 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
643 
644 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
645 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
646 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
647 
648 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
649 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
650 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
651 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
652 					   .len = NL80211_MAX_SUPP_RATES },
653 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
654 
655 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
656 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
657 
658 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
659 
660 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
661 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
662 						   validate_ie_attr,
663 						   IEEE80211_MAX_DATA_LEN),
664 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
665 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
666 
667 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
668 				.len = IEEE80211_MAX_SSID_LEN },
669 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
670 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
671 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
672 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
673 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
674 						  NL80211_MFP_NO,
675 						  NL80211_MFP_OPTIONAL),
676 	[NL80211_ATTR_STA_FLAGS2] =
677 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
678 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
679 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
680 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
682 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
683 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
684 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
685 	[NL80211_ATTR_WPA_VERSIONS] =
686 		NLA_POLICY_RANGE(NLA_U32, 0,
687 				 NL80211_WPA_VERSION_1 |
688 				 NL80211_WPA_VERSION_2 |
689 				 NL80211_WPA_VERSION_3),
690 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
691 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
692 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
693 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
694 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
695 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
696 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
697 				 .len = IEEE80211_MAX_DATA_LEN },
698 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
699 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
700 						   NL80211_PS_DISABLED,
701 						   NL80211_PS_ENABLED),
702 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
703 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
705 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
706 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
707 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
708 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
709 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
710 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
711 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
712 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
713 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
714 	[NL80211_ATTR_STA_PLINK_STATE] =
715 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
716 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
717 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
718 	[NL80211_ATTR_MESH_PEER_AID] =
719 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
720 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
721 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
722 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
723 	[NL80211_ATTR_HIDDEN_SSID] =
724 		NLA_POLICY_RANGE(NLA_U32,
725 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
726 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
727 	[NL80211_ATTR_IE_PROBE_RESP] =
728 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
729 				       IEEE80211_MAX_DATA_LEN),
730 	[NL80211_ATTR_IE_ASSOC_RESP] =
731 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
732 				       IEEE80211_MAX_DATA_LEN),
733 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
734 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
735 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
736 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
737 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
738 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
739 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
740 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
741 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
742 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
743 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
744 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
745 				      .len = IEEE80211_MAX_DATA_LEN },
746 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
747 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
748 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
749 		.len = NL80211_HT_CAPABILITY_LEN
750 	},
751 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
752 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
753 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
754 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
755 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
756 
757 	/* need to include at least Auth Transaction and Status Code */
758 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
759 
760 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
761 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
762 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
763 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
764 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
765 		NLA_POLICY_RANGE(NLA_U32,
766 				 NL80211_MESH_POWER_UNKNOWN + 1,
767 				 NL80211_MESH_POWER_MAX),
768 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
769 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
770 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
771 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
772 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
773 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
774 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
775 		.len = NL80211_VHT_CAPABILITY_LEN,
776 	},
777 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
778 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
779 				  .len = IEEE80211_MAX_DATA_LEN },
780 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
781 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
782 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
783 	[NL80211_ATTR_PEER_AID] =
784 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
785 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
786 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
787 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
788 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
789 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
790 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
791 	/*
792 	 * The value of the Length field of the Supported Operating
793 	 * Classes element is between 2 and 253.
794 	 */
795 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
796 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
797 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
798 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
799 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
800 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
801 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
802 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
803 						  IEEE80211_QOS_MAP_LEN_MIN,
804 						  IEEE80211_QOS_MAP_LEN_MAX),
805 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
806 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
807 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
808 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
809 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
810 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
811 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
812 	[NL80211_ATTR_USER_PRIO] =
813 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
814 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
815 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
816 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
817 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
818 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
819 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
820 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
821 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
822 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
824 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
825 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
826 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
827 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
828 	},
829 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
830 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
831 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
832 	[NL80211_ATTR_NAN_CONFIG] = NLA_POLICY_NESTED(nl80211_nan_conf_policy),
833 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
834 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
835 				    .len = FILS_MAX_KEK_LEN },
836 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
837 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
838 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
839 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
840 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
841 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
842 	},
843 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
844 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
845 					     .len = FILS_ERP_MAX_USERNAME_LEN },
846 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
847 					  .len = FILS_ERP_MAX_REALM_LEN },
848 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
849 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
850 					.len = FILS_ERP_MAX_RRK_LEN },
851 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
852 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
853 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
854 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
855 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
856 
857 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
858 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
859 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
860 	[NL80211_ATTR_HE_CAPABILITY] =
861 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
862 				       NL80211_HE_MAX_CAPABILITY_LEN),
863 	[NL80211_ATTR_FTM_RESPONDER] =
864 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
865 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
866 	[NL80211_ATTR_PEER_MEASUREMENTS] =
867 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
868 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
869 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
870 					.len = SAE_PASSWORD_MAX_LEN },
871 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
872 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
873 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
874 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
875 	[NL80211_ATTR_TID_CONFIG] =
876 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
877 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
878 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
879 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
880 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
881 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
882 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
883 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
884 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
885 	[NL80211_ATTR_FILS_DISCOVERY] =
886 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
887 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
888 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
889 	[NL80211_ATTR_S1G_CAPABILITY] =
890 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
891 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
892 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
893 	[NL80211_ATTR_SAE_PWE] =
894 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
895 				 NL80211_SAE_PWE_BOTH),
896 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
897 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
898 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
899 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
900 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
901 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
902 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
903 	[NL80211_ATTR_MBSSID_CONFIG] =
904 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
905 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
906 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
907 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
908 	[NL80211_ATTR_EHT_CAPABILITY] =
909 		NLA_POLICY_RANGE(NLA_BINARY,
910 				 NL80211_EHT_MIN_CAPABILITY_LEN,
911 				 NL80211_EHT_MAX_CAPABILITY_LEN),
912 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
913 	[NL80211_ATTR_MLO_LINKS] =
914 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
915 	[NL80211_ATTR_MLO_LINK_ID] =
916 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
917 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
918 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
919 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
920 	[NL80211_ATTR_EML_CAPABILITY] = { .type = NLA_U16 },
921 	[NL80211_ATTR_PUNCT_BITMAP] =
922 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
923 
924 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
925 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
926 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
927 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
928 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
929 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
930 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
931 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
932 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
933 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
934 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
935 				       NL80211_MAX_SUPP_SELECTORS),
936 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
937 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
938 	[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS] = { .type = NLA_U16 },
939 	[NL80211_ATTR_WIPHY_RADIO_INDEX] = { .type = NLA_U8 },
940 	[NL80211_ATTR_S1G_LONG_BEACON_PERIOD] = NLA_POLICY_MIN(NLA_U8, 2),
941 	[NL80211_ATTR_S1G_SHORT_BEACON] =
942 		NLA_POLICY_NESTED(nl80211_s1g_short_beacon),
943 	[NL80211_ATTR_BSS_PARAM] = { .type = NLA_FLAG },
944 	[NL80211_ATTR_S1G_PRIMARY_2MHZ] = { .type = NLA_FLAG },
945 	[NL80211_ATTR_EPP_PEER] = { .type = NLA_FLAG },
946 	[NL80211_ATTR_UHR_CAPABILITY] =
947 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_uhr_capa, 255),
948 	[NL80211_ATTR_DISABLE_UHR] = { .type = NLA_FLAG },
949 };
950 
951 /* policy for the key attributes */
952 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
953 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
954 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
955 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
956 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
957 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
958 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
959 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
960 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
961 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
962 };
963 
964 /* policy for the key default flags */
965 static const struct nla_policy
966 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
967 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
968 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
969 };
970 
971 #ifdef CONFIG_PM
972 /* policy for WoWLAN attributes */
973 static const struct nla_policy
974 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
975 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
976 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
977 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
978 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
979 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
980 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
981 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
982 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
983 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
984 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
985 };
986 
987 static const struct nla_policy
988 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
989 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
990 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
991 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
992 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
993 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
994 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
995 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
996 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
997 	},
998 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
999 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
1000 	},
1001 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
1002 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
1003 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
1004 };
1005 #endif /* CONFIG_PM */
1006 
1007 /* policy for coalesce rule attributes */
1008 static const struct nla_policy
1009 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
1010 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
1011 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
1012 		NLA_POLICY_RANGE(NLA_U32,
1013 				 NL80211_COALESCE_CONDITION_MATCH,
1014 				 NL80211_COALESCE_CONDITION_NO_MATCH),
1015 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
1016 };
1017 
1018 /* policy for GTK rekey offload attributes */
1019 static const struct nla_policy
1020 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
1021 	[NL80211_REKEY_DATA_KEK] = {
1022 		.type = NLA_BINARY,
1023 		.len = NL80211_KEK_EXT_LEN
1024 	},
1025 	[NL80211_REKEY_DATA_KCK] = {
1026 		.type = NLA_BINARY,
1027 		.len = NL80211_KCK_EXT_LEN_32
1028 	},
1029 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
1030 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
1031 };
1032 
1033 static const struct nla_policy
1034 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
1035 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
1036 						 .len = IEEE80211_MAX_SSID_LEN },
1037 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1038 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
1039 };
1040 
1041 static const struct nla_policy
1042 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
1043 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
1044 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
1045 };
1046 
1047 static const struct nla_policy
1048 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
1049 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
1050 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
1051 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
1052 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
1053 	},
1054 };
1055 
1056 /* policy for NAN function attributes */
1057 static const struct nla_policy
1058 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
1059 	[NL80211_NAN_FUNC_TYPE] =
1060 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
1061 	[NL80211_NAN_FUNC_SERVICE_ID] = {
1062 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
1063 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
1064 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
1065 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
1066 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
1067 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
1068 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
1069 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
1070 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
1071 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
1072 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
1073 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
1074 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
1075 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
1076 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
1077 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
1078 };
1079 
1080 /* policy for Service Response Filter attributes */
1081 static const struct nla_policy
1082 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
1083 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
1084 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
1085 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
1086 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
1087 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
1088 };
1089 
1090 /* policy for packet pattern attributes */
1091 static const struct nla_policy
1092 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
1093 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
1094 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
1095 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1096 };
1097 
1098 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1099 				     struct cfg80211_registered_device **rdev,
1100 				     struct wireless_dev **wdev,
1101 				     struct nlattr **attrbuf)
1102 {
1103 	int err;
1104 
1105 	if (!cb->args[0]) {
1106 		struct nlattr **attrbuf_free = NULL;
1107 
1108 		if (!attrbuf) {
1109 			attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR,
1110 					       GFP_KERNEL);
1111 			if (!attrbuf)
1112 				return -ENOMEM;
1113 			attrbuf_free = attrbuf;
1114 		}
1115 
1116 		err = nlmsg_parse_deprecated(cb->nlh,
1117 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1118 					     attrbuf, nl80211_fam.maxattr,
1119 					     nl80211_policy, NULL);
1120 		if (err) {
1121 			kfree(attrbuf_free);
1122 			return err;
1123 		}
1124 
1125 		rtnl_lock();
1126 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1127 						   attrbuf);
1128 		kfree(attrbuf_free);
1129 		if (IS_ERR(*wdev)) {
1130 			rtnl_unlock();
1131 			return PTR_ERR(*wdev);
1132 		}
1133 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1134 		mutex_lock(&(*rdev)->wiphy.mtx);
1135 		rtnl_unlock();
1136 		/* 0 is the first index - add 1 to parse only once */
1137 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1138 		cb->args[1] = (*wdev)->identifier;
1139 	} else {
1140 		/* subtract the 1 again here */
1141 		struct wiphy *wiphy;
1142 		struct wireless_dev *tmp;
1143 
1144 		rtnl_lock();
1145 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1146 		if (!wiphy) {
1147 			rtnl_unlock();
1148 			return -ENODEV;
1149 		}
1150 		*rdev = wiphy_to_rdev(wiphy);
1151 		*wdev = NULL;
1152 
1153 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1154 			if (tmp->identifier == cb->args[1]) {
1155 				*wdev = tmp;
1156 				break;
1157 			}
1158 		}
1159 
1160 		if (!*wdev) {
1161 			rtnl_unlock();
1162 			return -ENODEV;
1163 		}
1164 		mutex_lock(&(*rdev)->wiphy.mtx);
1165 		rtnl_unlock();
1166 	}
1167 
1168 	return 0;
1169 }
1170 
1171 /* message building helper */
1172 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1173 		     int flags, u8 cmd)
1174 {
1175 	/* since there is no private header just add the generic one */
1176 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1177 }
1178 
1179 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1180 				     const struct ieee80211_reg_rule *rule)
1181 {
1182 	int j;
1183 	struct nlattr *nl_wmm_rules =
1184 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1185 
1186 	if (!nl_wmm_rules)
1187 		goto nla_put_failure;
1188 
1189 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1190 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1191 
1192 		if (!nl_wmm_rule)
1193 			goto nla_put_failure;
1194 
1195 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1196 				rule->wmm_rule.client[j].cw_min) ||
1197 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1198 				rule->wmm_rule.client[j].cw_max) ||
1199 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1200 			       rule->wmm_rule.client[j].aifsn) ||
1201 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1202 			        rule->wmm_rule.client[j].cot))
1203 			goto nla_put_failure;
1204 
1205 		nla_nest_end(msg, nl_wmm_rule);
1206 	}
1207 	nla_nest_end(msg, nl_wmm_rules);
1208 
1209 	return 0;
1210 
1211 nla_put_failure:
1212 	return -ENOBUFS;
1213 }
1214 
1215 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1216 				   struct ieee80211_channel *chan,
1217 				   bool large)
1218 {
1219 	/* Some channels must be completely excluded from the
1220 	 * list to protect old user-space tools from breaking
1221 	 */
1222 	if (!large && chan->flags &
1223 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1224 		return 0;
1225 	if (!large && chan->freq_offset)
1226 		return 0;
1227 
1228 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1229 			chan->center_freq))
1230 		goto nla_put_failure;
1231 
1232 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1233 		goto nla_put_failure;
1234 
1235 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1236 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1237 		goto nla_put_failure;
1238 
1239 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1240 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1241 		goto nla_put_failure;
1242 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1243 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1244 			goto nla_put_failure;
1245 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1246 			goto nla_put_failure;
1247 	}
1248 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1249 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1250 			goto nla_put_failure;
1251 		if (large) {
1252 			u32 time;
1253 
1254 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1255 
1256 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1257 					chan->dfs_state))
1258 				goto nla_put_failure;
1259 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1260 					time))
1261 				goto nla_put_failure;
1262 			if (nla_put_u32(msg,
1263 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1264 					chan->dfs_cac_ms))
1265 				goto nla_put_failure;
1266 		}
1267 	}
1268 
1269 	if (large) {
1270 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1271 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1272 			goto nla_put_failure;
1273 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1274 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1275 			goto nla_put_failure;
1276 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1277 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1278 			goto nla_put_failure;
1279 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1280 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1281 			goto nla_put_failure;
1282 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1283 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1284 			goto nla_put_failure;
1285 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1286 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1287 			goto nla_put_failure;
1288 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1289 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1290 			goto nla_put_failure;
1291 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1292 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1293 			goto nla_put_failure;
1294 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1295 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1296 			goto nla_put_failure;
1297 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1298 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1299 			goto nla_put_failure;
1300 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1301 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1302 			goto nla_put_failure;
1303 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1304 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1305 			goto nla_put_failure;
1306 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1307 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1308 			goto nla_put_failure;
1309 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1310 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1311 			goto nla_put_failure;
1312 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1313 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1314 			goto nla_put_failure;
1315 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1316 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1317 			goto nla_put_failure;
1318 		if ((chan->flags & IEEE80211_CHAN_ALLOW_20MHZ_ACTIVITY) &&
1319 		    nla_put_flag(msg,
1320 				 NL80211_FREQUENCY_ATTR_ALLOW_20MHZ_ACTIVITY))
1321 			goto nla_put_failure;
1322 		if ((chan->flags & IEEE80211_CHAN_NO_4MHZ) &&
1323 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_4MHZ))
1324 			goto nla_put_failure;
1325 		if ((chan->flags & IEEE80211_CHAN_NO_8MHZ) &&
1326 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_8MHZ))
1327 			goto nla_put_failure;
1328 		if ((chan->flags & IEEE80211_CHAN_NO_16MHZ) &&
1329 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_16MHZ))
1330 			goto nla_put_failure;
1331 		if ((chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY) &&
1332 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_S1G_NO_PRIMARY))
1333 			goto nla_put_failure;
1334 		if ((chan->flags & IEEE80211_CHAN_NO_UHR) &&
1335 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_UHR))
1336 			goto nla_put_failure;
1337 	}
1338 
1339 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1340 			DBM_TO_MBM(chan->max_power)))
1341 		goto nla_put_failure;
1342 
1343 	if (large) {
1344 		const struct ieee80211_reg_rule *rule =
1345 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1346 
1347 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1348 			if (nl80211_msg_put_wmm_rules(msg, rule))
1349 				goto nla_put_failure;
1350 		}
1351 	}
1352 
1353 	return 0;
1354 
1355  nla_put_failure:
1356 	return -ENOBUFS;
1357 }
1358 
1359 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1360 				  struct cfg80211_txq_stats *txqstats,
1361 				  int attrtype)
1362 {
1363 	struct nlattr *txqattr;
1364 
1365 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1366 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1367 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1368 		return false;						  \
1369 	} while (0)
1370 
1371 	txqattr = nla_nest_start_noflag(msg, attrtype);
1372 	if (!txqattr)
1373 		return false;
1374 
1375 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1376 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1377 	PUT_TXQVAL_U32(FLOWS, flows);
1378 	PUT_TXQVAL_U32(DROPS, drops);
1379 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1380 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1381 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1382 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1383 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1384 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1385 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1386 	nla_nest_end(msg, txqattr);
1387 
1388 #undef PUT_TXQVAL_U32
1389 	return true;
1390 }
1391 
1392 /* netlink command implementations */
1393 
1394 /**
1395  * nl80211_link_id - return link ID
1396  * @attrs: attributes to look at
1397  *
1398  * Returns: the link ID or 0 if not given
1399  *
1400  * Note this function doesn't do any validation of the link
1401  * ID validity wrt. links that were actually added, so it must
1402  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1403  * or if additional validation is done.
1404  */
1405 static unsigned int nl80211_link_id(struct nlattr **attrs)
1406 {
1407 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1408 
1409 	return nla_get_u8_default(linkid, 0);
1410 }
1411 
1412 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1413 {
1414 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1415 
1416 	if (!linkid)
1417 		return -1;
1418 
1419 	return nla_get_u8(linkid);
1420 }
1421 
1422 struct key_parse {
1423 	struct key_params p;
1424 	int idx;
1425 	int type;
1426 	bool def, defmgmt, defbeacon;
1427 	bool def_uni, def_multi;
1428 };
1429 
1430 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1431 				 struct key_parse *k)
1432 {
1433 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1434 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1435 					      nl80211_key_policy,
1436 					      info->extack);
1437 	if (err)
1438 		return err;
1439 
1440 	k->def = !!tb[NL80211_KEY_DEFAULT];
1441 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1442 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1443 
1444 	if (k->def) {
1445 		k->def_uni = true;
1446 		k->def_multi = true;
1447 	}
1448 	if (k->defmgmt || k->defbeacon)
1449 		k->def_multi = true;
1450 
1451 	if (tb[NL80211_KEY_IDX])
1452 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1453 
1454 	if (tb[NL80211_KEY_DATA]) {
1455 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1456 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1457 	}
1458 
1459 	if (tb[NL80211_KEY_SEQ]) {
1460 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1461 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1462 	}
1463 
1464 	if (tb[NL80211_KEY_CIPHER])
1465 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1466 
1467 	if (tb[NL80211_KEY_TYPE])
1468 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1469 
1470 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1471 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1472 
1473 		err = nla_parse_nested_deprecated(kdt,
1474 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1475 						  tb[NL80211_KEY_DEFAULT_TYPES],
1476 						  nl80211_key_default_policy,
1477 						  info->extack);
1478 		if (err)
1479 			return err;
1480 
1481 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1482 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1483 	}
1484 
1485 	if (tb[NL80211_KEY_MODE])
1486 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1487 
1488 	return 0;
1489 }
1490 
1491 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1492 {
1493 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1494 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1495 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1496 	}
1497 
1498 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1499 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1500 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1501 	}
1502 
1503 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1504 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1505 
1506 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1507 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1508 
1509 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1510 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1511 
1512 	if (k->def) {
1513 		k->def_uni = true;
1514 		k->def_multi = true;
1515 	}
1516 	if (k->defmgmt)
1517 		k->def_multi = true;
1518 
1519 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1520 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1521 
1522 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1523 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1524 		int err = nla_parse_nested_deprecated(kdt,
1525 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1526 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1527 						      nl80211_key_default_policy,
1528 						      info->extack);
1529 		if (err)
1530 			return err;
1531 
1532 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1533 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1534 	}
1535 
1536 	return 0;
1537 }
1538 
1539 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1540 {
1541 	int err;
1542 
1543 	memset(k, 0, sizeof(*k));
1544 	k->idx = -1;
1545 	k->type = -1;
1546 
1547 	if (info->attrs[NL80211_ATTR_KEY])
1548 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1549 	else
1550 		err = nl80211_parse_key_old(info, k);
1551 
1552 	if (err)
1553 		return err;
1554 
1555 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1556 	    (k->defbeacon ? 1 : 0) > 1) {
1557 		GENL_SET_ERR_MSG(info,
1558 				 "key with multiple default flags is invalid");
1559 		return -EINVAL;
1560 	}
1561 
1562 	if (k->defmgmt || k->defbeacon) {
1563 		if (k->def_uni || !k->def_multi) {
1564 			GENL_SET_ERR_MSG(info,
1565 					 "defmgmt/defbeacon key must be mcast");
1566 			return -EINVAL;
1567 		}
1568 	}
1569 
1570 	if (k->idx != -1) {
1571 		if (k->defmgmt) {
1572 			if (k->idx < 4 || k->idx > 5) {
1573 				GENL_SET_ERR_MSG(info,
1574 						 "defmgmt key idx not 4 or 5");
1575 				return -EINVAL;
1576 			}
1577 		} else if (k->defbeacon) {
1578 			if (k->idx < 6 || k->idx > 7) {
1579 				GENL_SET_ERR_MSG(info,
1580 						 "defbeacon key idx not 6 or 7");
1581 				return -EINVAL;
1582 			}
1583 		} else if (k->def) {
1584 			if (k->idx < 0 || k->idx > 3) {
1585 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1586 				return -EINVAL;
1587 			}
1588 		} else {
1589 			if (k->idx < 0 || k->idx > 7) {
1590 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1591 				return -EINVAL;
1592 			}
1593 		}
1594 	}
1595 
1596 	return 0;
1597 }
1598 
1599 static struct cfg80211_cached_keys *
1600 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1601 		       struct genl_info *info, bool *no_ht)
1602 {
1603 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1604 	struct key_parse parse;
1605 	struct nlattr *key;
1606 	struct cfg80211_cached_keys *result;
1607 	int rem, err, def = 0;
1608 	bool have_key = false;
1609 
1610 	nla_for_each_nested(key, keys, rem) {
1611 		have_key = true;
1612 		break;
1613 	}
1614 
1615 	if (!have_key)
1616 		return NULL;
1617 
1618 	result = kzalloc_obj(*result);
1619 	if (!result)
1620 		return ERR_PTR(-ENOMEM);
1621 
1622 	result->def = -1;
1623 
1624 	nla_for_each_nested(key, keys, rem) {
1625 		memset(&parse, 0, sizeof(parse));
1626 		parse.idx = -1;
1627 
1628 		err = nl80211_parse_key_new(info, key, &parse);
1629 		if (err)
1630 			goto error;
1631 		err = -EINVAL;
1632 		if (!parse.p.key)
1633 			goto error;
1634 		if (parse.idx < 0 || parse.idx > 3) {
1635 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1636 			goto error;
1637 		}
1638 		if (parse.def) {
1639 			if (def) {
1640 				GENL_SET_ERR_MSG(info,
1641 						 "only one key can be default");
1642 				goto error;
1643 			}
1644 			def = 1;
1645 			result->def = parse.idx;
1646 			if (!parse.def_uni || !parse.def_multi)
1647 				goto error;
1648 		} else if (parse.defmgmt)
1649 			goto error;
1650 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1651 						     parse.idx, false, NULL);
1652 		if (err)
1653 			goto error;
1654 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1655 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1656 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1657 			err = -EINVAL;
1658 			goto error;
1659 		}
1660 		result->params[parse.idx].cipher = parse.p.cipher;
1661 		result->params[parse.idx].key_len = parse.p.key_len;
1662 		result->params[parse.idx].key = result->data[parse.idx];
1663 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1664 
1665 		/* must be WEP key if we got here */
1666 		if (no_ht)
1667 			*no_ht = true;
1668 	}
1669 
1670 	if (result->def < 0) {
1671 		err = -EINVAL;
1672 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1673 		goto error;
1674 	}
1675 
1676 	return result;
1677  error:
1678 	kfree_sensitive(result);
1679 	return ERR_PTR(err);
1680 }
1681 
1682 static int nl80211_key_allowed(struct wireless_dev *wdev)
1683 {
1684 	lockdep_assert_wiphy(wdev->wiphy);
1685 
1686 	switch (wdev->iftype) {
1687 	case NL80211_IFTYPE_AP:
1688 	case NL80211_IFTYPE_AP_VLAN:
1689 	case NL80211_IFTYPE_P2P_GO:
1690 	case NL80211_IFTYPE_MESH_POINT:
1691 		break;
1692 	case NL80211_IFTYPE_ADHOC:
1693 		if (wdev->u.ibss.current_bss)
1694 			return 0;
1695 		return -ENOLINK;
1696 	case NL80211_IFTYPE_STATION:
1697 	case NL80211_IFTYPE_P2P_CLIENT:
1698 		if (wdev->connected ||
1699 		    (wiphy_ext_feature_isset(wdev->wiphy,
1700 					     NL80211_EXT_FEATURE_ASSOC_FRAME_ENCRYPTION)))
1701 			return 0;
1702 		return -ENOLINK;
1703 	case NL80211_IFTYPE_NAN:
1704 		if (wiphy_ext_feature_isset(wdev->wiphy,
1705 					    NL80211_EXT_FEATURE_SECURE_NAN))
1706 			return 0;
1707 		return -EINVAL;
1708 	case NL80211_IFTYPE_UNSPECIFIED:
1709 	case NL80211_IFTYPE_OCB:
1710 	case NL80211_IFTYPE_MONITOR:
1711 	case NL80211_IFTYPE_P2P_DEVICE:
1712 	case NL80211_IFTYPE_WDS:
1713 	case NUM_NL80211_IFTYPES:
1714 		return -EINVAL;
1715 	}
1716 
1717 	return 0;
1718 }
1719 
1720 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1721 							u32 freq)
1722 {
1723 	struct ieee80211_channel *chan;
1724 
1725 	chan = ieee80211_get_channel_khz(wiphy, freq);
1726 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1727 		return NULL;
1728 	return chan;
1729 }
1730 
1731 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1732 {
1733 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1734 	int i;
1735 
1736 	if (!nl_modes)
1737 		goto nla_put_failure;
1738 
1739 	i = 0;
1740 	while (ifmodes) {
1741 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1742 			goto nla_put_failure;
1743 		ifmodes >>= 1;
1744 		i++;
1745 	}
1746 
1747 	nla_nest_end(msg, nl_modes);
1748 	return 0;
1749 
1750 nla_put_failure:
1751 	return -ENOBUFS;
1752 }
1753 
1754 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1755 				   const struct ieee80211_iface_combination *c,
1756 				   u16 nested)
1757 {
1758 	struct nlattr *nl_combi, *nl_limits;
1759 	int i;
1760 
1761 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1762 	if (!nl_combi)
1763 		goto nla_put_failure;
1764 
1765 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1766 					       nested);
1767 	if (!nl_limits)
1768 		goto nla_put_failure;
1769 
1770 	for (i = 0; i < c->n_limits; i++) {
1771 		struct nlattr *nl_limit;
1772 
1773 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1774 		if (!nl_limit)
1775 			goto nla_put_failure;
1776 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1777 			goto nla_put_failure;
1778 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1779 					c->limits[i].types))
1780 			goto nla_put_failure;
1781 		nla_nest_end(msg, nl_limit);
1782 	}
1783 
1784 	nla_nest_end(msg, nl_limits);
1785 
1786 	if (c->beacon_int_infra_match &&
1787 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1788 		goto nla_put_failure;
1789 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1790 			c->num_different_channels) ||
1791 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1792 			c->max_interfaces))
1793 		goto nla_put_failure;
1794 	if (large &&
1795 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1796 			c->radar_detect_widths) ||
1797 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1798 			c->radar_detect_regions)))
1799 		goto nla_put_failure;
1800 	if (c->beacon_int_min_gcd &&
1801 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1802 			c->beacon_int_min_gcd))
1803 		goto nla_put_failure;
1804 
1805 	nla_nest_end(msg, nl_combi);
1806 
1807 	return 0;
1808 nla_put_failure:
1809 	return -ENOBUFS;
1810 }
1811 
1812 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1813 					  struct sk_buff *msg,
1814 					  int attr, int radio,
1815 					  bool large, u16 nested)
1816 {
1817 	const struct ieee80211_iface_combination *c;
1818 	struct nlattr *nl_combis;
1819 	int i, n;
1820 
1821 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1822 	if (!nl_combis)
1823 		goto nla_put_failure;
1824 
1825 	if (radio >= 0) {
1826 		c = wiphy->radio[0].iface_combinations;
1827 		n = wiphy->radio[0].n_iface_combinations;
1828 	} else {
1829 		c = wiphy->iface_combinations;
1830 		n = wiphy->n_iface_combinations;
1831 	}
1832 	for (i = 0; i < n; i++)
1833 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1834 			goto nla_put_failure;
1835 
1836 	nla_nest_end(msg, nl_combis);
1837 
1838 	return 0;
1839 nla_put_failure:
1840 	return -ENOBUFS;
1841 }
1842 
1843 #ifdef CONFIG_PM
1844 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1845 					struct sk_buff *msg)
1846 {
1847 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1848 	struct nlattr *nl_tcp;
1849 
1850 	if (!tcp)
1851 		return 0;
1852 
1853 	nl_tcp = nla_nest_start_noflag(msg,
1854 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1855 	if (!nl_tcp)
1856 		return -ENOBUFS;
1857 
1858 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1859 			tcp->data_payload_max))
1860 		return -ENOBUFS;
1861 
1862 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1863 			tcp->data_payload_max))
1864 		return -ENOBUFS;
1865 
1866 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1867 		return -ENOBUFS;
1868 
1869 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1870 				sizeof(*tcp->tok), tcp->tok))
1871 		return -ENOBUFS;
1872 
1873 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1874 			tcp->data_interval_max))
1875 		return -ENOBUFS;
1876 
1877 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1878 			tcp->wake_payload_max))
1879 		return -ENOBUFS;
1880 
1881 	nla_nest_end(msg, nl_tcp);
1882 	return 0;
1883 }
1884 
1885 static int nl80211_send_wowlan(struct sk_buff *msg,
1886 			       struct cfg80211_registered_device *rdev,
1887 			       bool large)
1888 {
1889 	struct nlattr *nl_wowlan;
1890 
1891 	if (!rdev->wiphy.wowlan)
1892 		return 0;
1893 
1894 	nl_wowlan = nla_nest_start_noflag(msg,
1895 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1896 	if (!nl_wowlan)
1897 		return -ENOBUFS;
1898 
1899 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1900 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1901 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1902 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1903 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1904 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1905 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1906 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1907 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1908 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1909 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1910 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1911 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1912 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1913 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1914 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1915 		return -ENOBUFS;
1916 
1917 	if (rdev->wiphy.wowlan->n_patterns) {
1918 		struct nl80211_pattern_support pat = {
1919 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1920 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1921 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1922 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1923 		};
1924 
1925 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1926 			    sizeof(pat), &pat))
1927 			return -ENOBUFS;
1928 	}
1929 
1930 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1931 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1932 			rdev->wiphy.wowlan->max_nd_match_sets))
1933 		return -ENOBUFS;
1934 
1935 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1936 		return -ENOBUFS;
1937 
1938 	nla_nest_end(msg, nl_wowlan);
1939 
1940 	return 0;
1941 }
1942 #endif
1943 
1944 static int nl80211_send_coalesce(struct sk_buff *msg,
1945 				 struct cfg80211_registered_device *rdev)
1946 {
1947 	struct nl80211_coalesce_rule_support rule;
1948 
1949 	if (!rdev->wiphy.coalesce)
1950 		return 0;
1951 
1952 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1953 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1954 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1955 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1956 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1957 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1958 
1959 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1960 		return -ENOBUFS;
1961 
1962 	return 0;
1963 }
1964 
1965 static int
1966 nl80211_send_iftype_data(struct sk_buff *msg,
1967 			 const struct ieee80211_supported_band *sband,
1968 			 const struct ieee80211_sband_iftype_data *iftdata)
1969 {
1970 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1971 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1972 	const struct ieee80211_sta_uhr_cap *uhr_cap = &iftdata->uhr_cap;
1973 
1974 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1975 				iftdata->types_mask))
1976 		return -ENOBUFS;
1977 
1978 	if (he_cap->has_he) {
1979 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1980 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1981 			    he_cap->he_cap_elem.mac_cap_info) ||
1982 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1983 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1984 			    he_cap->he_cap_elem.phy_cap_info) ||
1985 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1986 			    sizeof(he_cap->he_mcs_nss_supp),
1987 			    &he_cap->he_mcs_nss_supp) ||
1988 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1989 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1990 			return -ENOBUFS;
1991 	}
1992 
1993 	if (eht_cap->has_eht && he_cap->has_he) {
1994 		u8 mcs_nss_size, ppe_thresh_size;
1995 		u16 ppe_thres_hdr;
1996 		bool is_ap;
1997 
1998 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1999 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
2000 
2001 		mcs_nss_size =
2002 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
2003 						   &eht_cap->eht_cap_elem,
2004 						   is_ap);
2005 
2006 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
2007 		ppe_thresh_size =
2008 			ieee80211_eht_ppe_size(ppe_thres_hdr,
2009 					       eht_cap->eht_cap_elem.phy_cap_info);
2010 
2011 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
2012 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
2013 			    eht_cap->eht_cap_elem.mac_cap_info) ||
2014 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
2015 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
2016 			    eht_cap->eht_cap_elem.phy_cap_info) ||
2017 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
2018 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
2019 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
2020 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
2021 			return -ENOBUFS;
2022 	}
2023 
2024 	if (uhr_cap->has_uhr) {
2025 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_MAC,
2026 			    sizeof(uhr_cap->mac), &uhr_cap->mac) ||
2027 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_UHR_CAP_PHY,
2028 			    sizeof(uhr_cap->phy), &uhr_cap->phy))
2029 			return -ENOBUFS;
2030 	}
2031 
2032 	if (sband->band == NL80211_BAND_6GHZ &&
2033 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
2034 		    sizeof(iftdata->he_6ghz_capa),
2035 		    &iftdata->he_6ghz_capa))
2036 		return -ENOBUFS;
2037 
2038 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
2039 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
2040 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
2041 		return -ENOBUFS;
2042 
2043 	return 0;
2044 }
2045 
2046 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
2047 				      struct ieee80211_supported_band *sband,
2048 				      bool large)
2049 {
2050 	struct nlattr *nl_rates, *nl_rate;
2051 	struct ieee80211_rate *rate;
2052 	int i;
2053 
2054 	/* add HT info */
2055 	if (sband->ht_cap.ht_supported &&
2056 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
2057 		     sizeof(sband->ht_cap.mcs),
2058 		     &sband->ht_cap.mcs) ||
2059 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
2060 			 sband->ht_cap.cap) ||
2061 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
2062 			sband->ht_cap.ampdu_factor) ||
2063 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
2064 			sband->ht_cap.ampdu_density)))
2065 		return -ENOBUFS;
2066 
2067 	/* add VHT info */
2068 	if (sband->vht_cap.vht_supported &&
2069 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
2070 		     sizeof(sband->vht_cap.vht_mcs),
2071 		     &sband->vht_cap.vht_mcs) ||
2072 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
2073 			 sband->vht_cap.cap)))
2074 		return -ENOBUFS;
2075 
2076 	if (large && sband->n_iftype_data) {
2077 		struct nlattr *nl_iftype_data =
2078 			nla_nest_start_noflag(msg,
2079 					      NL80211_BAND_ATTR_IFTYPE_DATA);
2080 		const struct ieee80211_sband_iftype_data *iftd;
2081 		int err;
2082 
2083 		if (!nl_iftype_data)
2084 			return -ENOBUFS;
2085 
2086 		for_each_sband_iftype_data(sband, i, iftd) {
2087 			struct nlattr *iftdata;
2088 
2089 			iftdata = nla_nest_start_noflag(msg, i + 1);
2090 			if (!iftdata)
2091 				return -ENOBUFS;
2092 
2093 			err = nl80211_send_iftype_data(msg, sband, iftd);
2094 			if (err)
2095 				return err;
2096 
2097 			nla_nest_end(msg, iftdata);
2098 		}
2099 
2100 		nla_nest_end(msg, nl_iftype_data);
2101 	}
2102 
2103 	/* add EDMG info */
2104 	if (large && sband->edmg_cap.channels &&
2105 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
2106 		       sband->edmg_cap.channels) ||
2107 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
2108 		       sband->edmg_cap.bw_config)))
2109 
2110 		return -ENOBUFS;
2111 
2112 	/* add bitrates */
2113 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2114 	if (!nl_rates)
2115 		return -ENOBUFS;
2116 
2117 	for (i = 0; i < sband->n_bitrates; i++) {
2118 		nl_rate = nla_nest_start_noflag(msg, i);
2119 		if (!nl_rate)
2120 			return -ENOBUFS;
2121 
2122 		rate = &sband->bitrates[i];
2123 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2124 				rate->bitrate))
2125 			return -ENOBUFS;
2126 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2127 		    nla_put_flag(msg,
2128 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2129 			return -ENOBUFS;
2130 
2131 		nla_nest_end(msg, nl_rate);
2132 	}
2133 
2134 	nla_nest_end(msg, nl_rates);
2135 
2136 	/* S1G capabilities */
2137 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2138 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2139 		     sizeof(sband->s1g_cap.cap),
2140 		     sband->s1g_cap.cap) ||
2141 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2142 		     sizeof(sband->s1g_cap.nss_mcs),
2143 		     sband->s1g_cap.nss_mcs)))
2144 		return -ENOBUFS;
2145 
2146 	return 0;
2147 }
2148 
2149 static int
2150 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2151 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2152 {
2153 	u16 stypes;
2154 	struct nlattr *nl_ftypes, *nl_ifs;
2155 	enum nl80211_iftype ift;
2156 	int i;
2157 
2158 	if (!mgmt_stypes)
2159 		return 0;
2160 
2161 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2162 	if (!nl_ifs)
2163 		return -ENOBUFS;
2164 
2165 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2166 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2167 		if (!nl_ftypes)
2168 			return -ENOBUFS;
2169 		i = 0;
2170 		stypes = mgmt_stypes[ift].tx;
2171 		while (stypes) {
2172 			if ((stypes & 1) &&
2173 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2174 					(i << 4) | IEEE80211_FTYPE_MGMT))
2175 				return -ENOBUFS;
2176 			stypes >>= 1;
2177 			i++;
2178 		}
2179 		nla_nest_end(msg, nl_ftypes);
2180 	}
2181 
2182 	nla_nest_end(msg, nl_ifs);
2183 
2184 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2185 	if (!nl_ifs)
2186 		return -ENOBUFS;
2187 
2188 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2189 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2190 		if (!nl_ftypes)
2191 			return -ENOBUFS;
2192 		i = 0;
2193 		stypes = mgmt_stypes[ift].rx;
2194 		while (stypes) {
2195 			if ((stypes & 1) &&
2196 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2197 					(i << 4) | IEEE80211_FTYPE_MGMT))
2198 				return -ENOBUFS;
2199 			stypes >>= 1;
2200 			i++;
2201 		}
2202 		nla_nest_end(msg, nl_ftypes);
2203 	}
2204 	nla_nest_end(msg, nl_ifs);
2205 
2206 	return 0;
2207 }
2208 
2209 #define CMD(op, n)							\
2210 	 do {								\
2211 		if (rdev->ops->op) {					\
2212 			i++;						\
2213 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2214 				goto nla_put_failure;			\
2215 		}							\
2216 	} while (0)
2217 
2218 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2219 					struct sk_buff *msg)
2220 {
2221 	int i = 0;
2222 
2223 	/*
2224 	 * do *NOT* add anything into this function, new things need to be
2225 	 * advertised only to new versions of userspace that can deal with
2226 	 * the split (and they can't possibly care about new features...
2227 	 */
2228 	CMD(add_virtual_intf, NEW_INTERFACE);
2229 	CMD(change_virtual_intf, SET_INTERFACE);
2230 	CMD(add_key, NEW_KEY);
2231 	CMD(start_ap, START_AP);
2232 	CMD(add_station, NEW_STATION);
2233 	CMD(add_mpath, NEW_MPATH);
2234 	CMD(update_mesh_config, SET_MESH_CONFIG);
2235 	CMD(change_bss, SET_BSS);
2236 	CMD(auth, AUTHENTICATE);
2237 	CMD(assoc, ASSOCIATE);
2238 	CMD(deauth, DEAUTHENTICATE);
2239 	CMD(disassoc, DISASSOCIATE);
2240 	CMD(join_ibss, JOIN_IBSS);
2241 	CMD(join_mesh, JOIN_MESH);
2242 	CMD(set_pmksa, SET_PMKSA);
2243 	CMD(del_pmksa, DEL_PMKSA);
2244 	CMD(flush_pmksa, FLUSH_PMKSA);
2245 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2246 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2247 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2248 	CMD(mgmt_tx, FRAME);
2249 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2250 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2251 		i++;
2252 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2253 			goto nla_put_failure;
2254 	}
2255 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2256 	    rdev->ops->join_mesh) {
2257 		i++;
2258 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2259 			goto nla_put_failure;
2260 	}
2261 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2262 		CMD(tdls_mgmt, TDLS_MGMT);
2263 		CMD(tdls_oper, TDLS_OPER);
2264 	}
2265 	if (rdev->wiphy.max_sched_scan_reqs)
2266 		CMD(sched_scan_start, START_SCHED_SCAN);
2267 	CMD(probe_client, PROBE_CLIENT);
2268 	CMD(set_noack_map, SET_NOACK_MAP);
2269 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2270 		i++;
2271 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2272 			goto nla_put_failure;
2273 	}
2274 	CMD(start_p2p_device, START_P2P_DEVICE);
2275 	CMD(set_mcast_rate, SET_MCAST_RATE);
2276 #ifdef CONFIG_NL80211_TESTMODE
2277 	CMD(testmode_cmd, TESTMODE);
2278 #endif
2279 
2280 	if (rdev->ops->connect || rdev->ops->auth) {
2281 		i++;
2282 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2283 			goto nla_put_failure;
2284 	}
2285 
2286 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2287 		i++;
2288 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2289 			goto nla_put_failure;
2290 	}
2291 
2292 	return i;
2293  nla_put_failure:
2294 	return -ENOBUFS;
2295 }
2296 
2297 static int
2298 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2299 			   struct sk_buff *msg)
2300 {
2301 	struct nlattr *ftm;
2302 
2303 	if (!cap->ftm.supported)
2304 		return 0;
2305 
2306 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2307 	if (!ftm)
2308 		return -ENOBUFS;
2309 
2310 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2311 		return -ENOBUFS;
2312 	if (cap->ftm.non_asap &&
2313 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2314 		return -ENOBUFS;
2315 	if (cap->ftm.request_lci &&
2316 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2317 		return -ENOBUFS;
2318 	if (cap->ftm.request_civicloc &&
2319 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2320 		return -ENOBUFS;
2321 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2322 			cap->ftm.preambles))
2323 		return -ENOBUFS;
2324 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2325 			cap->ftm.bandwidths))
2326 		return -ENOBUFS;
2327 	if (cap->ftm.max_bursts_exponent >= 0 &&
2328 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2329 			cap->ftm.max_bursts_exponent))
2330 		return -ENOBUFS;
2331 	if (cap->ftm.max_ftms_per_burst &&
2332 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2333 			cap->ftm.max_ftms_per_burst))
2334 		return -ENOBUFS;
2335 	if (cap->ftm.trigger_based &&
2336 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2337 		return -ENOBUFS;
2338 	if (cap->ftm.non_trigger_based &&
2339 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2340 		return -ENOBUFS;
2341 	if (cap->ftm.support_6ghz &&
2342 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_6GHZ_SUPPORT))
2343 		return -ENOBUFS;
2344 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_LTF_REP,
2345 			cap->ftm.max_tx_ltf_rep))
2346 		return -ENOBUFS;
2347 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_LTF_REP,
2348 			cap->ftm.max_rx_ltf_rep))
2349 		return -ENOBUFS;
2350 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TX_STS,
2351 			cap->ftm.max_tx_sts))
2352 		return -ENOBUFS;
2353 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_RX_STS,
2354 			cap->ftm.max_rx_sts))
2355 		return -ENOBUFS;
2356 	if (cap->ftm.max_total_ltf_tx > 0 &&
2357 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_TX,
2358 			cap->ftm.max_total_ltf_tx))
2359 		return -ENOBUFS;
2360 	if (cap->ftm.max_total_ltf_rx > 0 &&
2361 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_TOTAL_LTF_RX,
2362 			cap->ftm.max_total_ltf_rx))
2363 		return -ENOBUFS;
2364 	if (cap->ftm.support_rsta &&
2365 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_RSTA_SUPPORT))
2366 		return -ENOBUFS;
2367 
2368 	nla_nest_end(msg, ftm);
2369 	return 0;
2370 }
2371 
2372 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2373 				  struct sk_buff *msg)
2374 {
2375 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2376 	struct nlattr *pmsr, *caps;
2377 
2378 	if (!cap)
2379 		return 0;
2380 
2381 	/*
2382 	 * we don't need to clean up anything here since the caller
2383 	 * will genlmsg_cancel() if we fail
2384 	 */
2385 
2386 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2387 	if (!pmsr)
2388 		return -ENOBUFS;
2389 
2390 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2391 		return -ENOBUFS;
2392 
2393 	if (cap->report_ap_tsf &&
2394 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2395 		return -ENOBUFS;
2396 
2397 	if (cap->randomize_mac_addr &&
2398 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2399 		return -ENOBUFS;
2400 
2401 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2402 	if (!caps)
2403 		return -ENOBUFS;
2404 
2405 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2406 		return -ENOBUFS;
2407 
2408 	nla_nest_end(msg, caps);
2409 	nla_nest_end(msg, pmsr);
2410 
2411 	return 0;
2412 }
2413 
2414 static int
2415 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2416 			      struct sk_buff *msg)
2417 {
2418 	int i;
2419 	struct nlattr *nested, *nested_akms;
2420 	const struct wiphy_iftype_akm_suites *iftype_akms;
2421 
2422 	if (!rdev->wiphy.num_iftype_akm_suites ||
2423 	    !rdev->wiphy.iftype_akm_suites)
2424 		return 0;
2425 
2426 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2427 	if (!nested)
2428 		return -ENOBUFS;
2429 
2430 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2431 		nested_akms = nla_nest_start(msg, i + 1);
2432 		if (!nested_akms)
2433 			return -ENOBUFS;
2434 
2435 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2436 
2437 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2438 					iftype_akms->iftypes_mask))
2439 			return -ENOBUFS;
2440 
2441 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2442 			    sizeof(u32) * iftype_akms->n_akm_suites,
2443 			    iftype_akms->akm_suites)) {
2444 			return -ENOBUFS;
2445 		}
2446 		nla_nest_end(msg, nested_akms);
2447 	}
2448 
2449 	nla_nest_end(msg, nested);
2450 
2451 	return 0;
2452 }
2453 
2454 static int
2455 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2456 			       struct sk_buff *msg)
2457 {
2458 	struct nlattr *supp;
2459 
2460 	if (!rdev->wiphy.tid_config_support.vif &&
2461 	    !rdev->wiphy.tid_config_support.peer)
2462 		return 0;
2463 
2464 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2465 	if (!supp)
2466 		return -ENOSPC;
2467 
2468 	if (rdev->wiphy.tid_config_support.vif &&
2469 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2470 			      rdev->wiphy.tid_config_support.vif,
2471 			      NL80211_TID_CONFIG_ATTR_PAD))
2472 		goto fail;
2473 
2474 	if (rdev->wiphy.tid_config_support.peer &&
2475 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2476 			      rdev->wiphy.tid_config_support.peer,
2477 			      NL80211_TID_CONFIG_ATTR_PAD))
2478 		goto fail;
2479 
2480 	/* for now we just use the same value ... makes more sense */
2481 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2482 		       rdev->wiphy.tid_config_support.max_retry))
2483 		goto fail;
2484 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2485 		       rdev->wiphy.tid_config_support.max_retry))
2486 		goto fail;
2487 
2488 	nla_nest_end(msg, supp);
2489 
2490 	return 0;
2491 fail:
2492 	nla_nest_cancel(msg, supp);
2493 	return -ENOBUFS;
2494 }
2495 
2496 static int
2497 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2498 		      struct sk_buff *msg)
2499 {
2500 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2501 	u8 num_freq_ranges;
2502 	int i;
2503 
2504 	if (!rdev->wiphy.sar_capa)
2505 		return 0;
2506 
2507 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2508 
2509 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2510 	if (!sar_capa)
2511 		return -ENOSPC;
2512 
2513 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2514 		goto fail;
2515 
2516 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2517 	if (!specs)
2518 		goto fail;
2519 
2520 	/* report supported freq_ranges */
2521 	for (i = 0; i < num_freq_ranges; i++) {
2522 		sub_freq_range = nla_nest_start(msg, i + 1);
2523 		if (!sub_freq_range)
2524 			goto fail;
2525 
2526 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2527 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2528 			goto fail;
2529 
2530 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2531 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2532 			goto fail;
2533 
2534 		nla_nest_end(msg, sub_freq_range);
2535 	}
2536 
2537 	nla_nest_end(msg, specs);
2538 	nla_nest_end(msg, sar_capa);
2539 
2540 	return 0;
2541 fail:
2542 	nla_nest_cancel(msg, sar_capa);
2543 	return -ENOBUFS;
2544 }
2545 
2546 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2547 {
2548 	struct nlattr *config;
2549 
2550 	if (!wiphy->mbssid_max_interfaces)
2551 		return 0;
2552 
2553 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2554 	if (!config)
2555 		return -ENOBUFS;
2556 
2557 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2558 		       wiphy->mbssid_max_interfaces))
2559 		goto fail;
2560 
2561 	if (wiphy->ema_max_profile_periodicity &&
2562 	    nla_put_u8(msg,
2563 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2564 		       wiphy->ema_max_profile_periodicity))
2565 		goto fail;
2566 
2567 	nla_nest_end(msg, config);
2568 	return 0;
2569 
2570 fail:
2571 	nla_nest_cancel(msg, config);
2572 	return -ENOBUFS;
2573 }
2574 
2575 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2576 {
2577 	const struct wiphy_radio *r = &wiphy->radio[idx];
2578 	const struct wiphy_radio_cfg *rcfg = &wiphy->radio_cfg[idx];
2579 	struct nlattr *radio, *freq;
2580 	int i;
2581 
2582 	radio = nla_nest_start(msg, idx);
2583 	if (!radio)
2584 		return -ENOBUFS;
2585 
2586 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2587 		goto nla_put_failure;
2588 
2589 	if (rcfg->rts_threshold &&
2590 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_RTS_THRESHOLD,
2591 			rcfg->rts_threshold))
2592 		goto nla_put_failure;
2593 
2594 	if (r->antenna_mask &&
2595 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2596 			r->antenna_mask))
2597 		goto nla_put_failure;
2598 
2599 	for (i = 0; i < r->n_freq_range; i++) {
2600 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2601 
2602 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2603 		if (!freq)
2604 			goto nla_put_failure;
2605 
2606 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2607 				range->start_freq) ||
2608 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2609 				range->end_freq))
2610 			goto nla_put_failure;
2611 
2612 		nla_nest_end(msg, freq);
2613 	}
2614 
2615 	for (i = 0; i < r->n_iface_combinations; i++)
2616 		if (nl80211_put_ifcomb_data(msg, true,
2617 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2618 					    &r->iface_combinations[i],
2619 					    NLA_F_NESTED))
2620 			goto nla_put_failure;
2621 
2622 	nla_nest_end(msg, radio);
2623 
2624 	return 0;
2625 
2626 nla_put_failure:
2627 	return -ENOBUFS;
2628 }
2629 
2630 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2631 {
2632 	struct nlattr *radios;
2633 	int i;
2634 
2635 	if (!wiphy->n_radio)
2636 		return 0;
2637 
2638 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2639 	if (!radios)
2640 		return -ENOBUFS;
2641 
2642 	for (i = 0; i < wiphy->n_radio; i++)
2643 		if (nl80211_put_radio(wiphy, msg, i))
2644 			goto fail;
2645 
2646 	nla_nest_end(msg, radios);
2647 
2648 	if (nl80211_put_iface_combinations(wiphy, msg,
2649 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2650 					   -1, true, NLA_F_NESTED))
2651 		return -ENOBUFS;
2652 
2653 	return 0;
2654 
2655 fail:
2656 	nla_nest_cancel(msg, radios);
2657 	return -ENOBUFS;
2658 }
2659 
2660 static int nl80211_put_nan_capa(struct wiphy *wiphy, struct sk_buff *msg)
2661 {
2662 	struct nlattr *nan_caps;
2663 
2664 	nan_caps = nla_nest_start(msg, NL80211_ATTR_NAN_CAPABILITIES);
2665 	if (!nan_caps)
2666 		return -ENOBUFS;
2667 
2668 	if (wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_CONFIGURABLE_SYNC &&
2669 	    nla_put_flag(msg, NL80211_NAN_CAPA_CONFIGURABLE_SYNC))
2670 		goto fail;
2671 
2672 	if ((wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE) &&
2673 	    nla_put_flag(msg, NL80211_NAN_CAPA_USERSPACE_DE))
2674 		goto fail;
2675 
2676 	if (nla_put_u8(msg, NL80211_NAN_CAPA_OP_MODE,
2677 		       wiphy->nan_capa.op_mode) ||
2678 	    nla_put_u8(msg, NL80211_NAN_CAPA_NUM_ANTENNAS,
2679 		       wiphy->nan_capa.n_antennas) ||
2680 	    nla_put_u16(msg, NL80211_NAN_CAPA_MAX_CHANNEL_SWITCH_TIME,
2681 			wiphy->nan_capa.max_channel_switch_time) ||
2682 	    nla_put_u8(msg, NL80211_NAN_CAPA_CAPABILITIES,
2683 		       wiphy->nan_capa.dev_capabilities))
2684 		goto fail;
2685 
2686 	nla_nest_end(msg, nan_caps);
2687 
2688 	return 0;
2689 
2690 fail:
2691 	nla_nest_cancel(msg, nan_caps);
2692 	return -ENOBUFS;
2693 }
2694 
2695 struct nl80211_dump_wiphy_state {
2696 	s64 filter_wiphy;
2697 	long start;
2698 	long split_start, band_start, chan_start, capa_start;
2699 	bool split;
2700 };
2701 
2702 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2703 			      enum nl80211_commands cmd,
2704 			      struct sk_buff *msg, u32 portid, u32 seq,
2705 			      int flags, struct nl80211_dump_wiphy_state *state)
2706 {
2707 	void *hdr;
2708 	struct nlattr *nl_bands, *nl_band;
2709 	struct nlattr *nl_freqs, *nl_freq;
2710 	struct nlattr *nl_cmds;
2711 	enum nl80211_band band;
2712 	struct ieee80211_channel *chan;
2713 	int i;
2714 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2715 				rdev->wiphy.mgmt_stypes;
2716 	u32 features;
2717 
2718 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2719 	if (!hdr)
2720 		return -ENOBUFS;
2721 
2722 	if (WARN_ON(!state))
2723 		return -EINVAL;
2724 
2725 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2726 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2727 			   wiphy_name(&rdev->wiphy)) ||
2728 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2729 			cfg80211_rdev_list_generation))
2730 		goto nla_put_failure;
2731 
2732 	if (cmd != NL80211_CMD_NEW_WIPHY)
2733 		goto finish;
2734 
2735 	switch (state->split_start) {
2736 	case 0:
2737 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2738 			       rdev->wiphy.retry_short) ||
2739 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2740 			       rdev->wiphy.retry_long) ||
2741 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2742 				rdev->wiphy.frag_threshold) ||
2743 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2744 				rdev->wiphy.rts_threshold) ||
2745 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2746 			       rdev->wiphy.coverage_class) ||
2747 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2748 			       rdev->wiphy.max_scan_ssids) ||
2749 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2750 			       rdev->wiphy.max_sched_scan_ssids) ||
2751 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2752 				rdev->wiphy.max_scan_ie_len) ||
2753 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2754 				rdev->wiphy.max_sched_scan_ie_len) ||
2755 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2756 			       rdev->wiphy.max_match_sets))
2757 			goto nla_put_failure;
2758 
2759 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2760 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2761 			goto nla_put_failure;
2762 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2763 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2764 			goto nla_put_failure;
2765 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2766 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2767 			goto nla_put_failure;
2768 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2769 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2770 			goto nla_put_failure;
2771 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2772 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2773 			goto nla_put_failure;
2774 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2775 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2776 			goto nla_put_failure;
2777 		state->split_start++;
2778 		if (state->split)
2779 			break;
2780 		fallthrough;
2781 	case 1:
2782 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2783 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2784 			    rdev->wiphy.cipher_suites))
2785 			goto nla_put_failure;
2786 
2787 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2788 			       rdev->wiphy.max_num_pmkids))
2789 			goto nla_put_failure;
2790 
2791 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2792 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2793 			goto nla_put_failure;
2794 
2795 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2796 				rdev->wiphy.available_antennas_tx) ||
2797 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2798 				rdev->wiphy.available_antennas_rx))
2799 			goto nla_put_failure;
2800 
2801 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2802 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2803 				rdev->wiphy.probe_resp_offload))
2804 			goto nla_put_failure;
2805 
2806 		if ((rdev->wiphy.available_antennas_tx ||
2807 		     rdev->wiphy.available_antennas_rx) &&
2808 		    rdev->ops->get_antenna) {
2809 			u32 tx_ant = 0, rx_ant = 0;
2810 			int res;
2811 
2812 			res = rdev_get_antenna(rdev, -1, &tx_ant, &rx_ant);
2813 			if (!res) {
2814 				if (nla_put_u32(msg,
2815 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2816 						tx_ant) ||
2817 				    nla_put_u32(msg,
2818 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2819 						rx_ant))
2820 					goto nla_put_failure;
2821 			}
2822 		}
2823 
2824 		state->split_start++;
2825 		if (state->split)
2826 			break;
2827 		fallthrough;
2828 	case 2:
2829 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2830 					rdev->wiphy.interface_modes))
2831 				goto nla_put_failure;
2832 		state->split_start++;
2833 		if (state->split)
2834 			break;
2835 		fallthrough;
2836 	case 3:
2837 		nl_bands = nla_nest_start_noflag(msg,
2838 						 NL80211_ATTR_WIPHY_BANDS);
2839 		if (!nl_bands)
2840 			goto nla_put_failure;
2841 
2842 		for (band = state->band_start;
2843 		     band < (state->split ?
2844 				NUM_NL80211_BANDS :
2845 				NL80211_BAND_60GHZ + 1);
2846 		     band++) {
2847 			struct ieee80211_supported_band *sband;
2848 
2849 			/* omit higher bands for ancient software */
2850 			if (band > NL80211_BAND_5GHZ && !state->split)
2851 				break;
2852 
2853 			sband = rdev->wiphy.bands[band];
2854 
2855 			if (!sband)
2856 				continue;
2857 
2858 			nl_band = nla_nest_start_noflag(msg, band);
2859 			if (!nl_band)
2860 				goto nla_put_failure;
2861 
2862 			switch (state->chan_start) {
2863 			case 0:
2864 				if (nl80211_send_band_rateinfo(msg, sband,
2865 							       state->split))
2866 					goto nla_put_failure;
2867 				state->chan_start++;
2868 				if (state->split)
2869 					break;
2870 				fallthrough;
2871 			default:
2872 				/* add frequencies */
2873 				nl_freqs = nla_nest_start_noflag(msg,
2874 								 NL80211_BAND_ATTR_FREQS);
2875 				if (!nl_freqs)
2876 					goto nla_put_failure;
2877 
2878 				for (i = state->chan_start - 1;
2879 				     i < sband->n_channels;
2880 				     i++) {
2881 					nl_freq = nla_nest_start_noflag(msg,
2882 									i);
2883 					if (!nl_freq)
2884 						goto nla_put_failure;
2885 
2886 					chan = &sband->channels[i];
2887 
2888 					if (nl80211_msg_put_channel(
2889 							msg, &rdev->wiphy, chan,
2890 							state->split))
2891 						goto nla_put_failure;
2892 
2893 					nla_nest_end(msg, nl_freq);
2894 					if (state->split)
2895 						break;
2896 				}
2897 				if (i < sband->n_channels)
2898 					state->chan_start = i + 2;
2899 				else
2900 					state->chan_start = 0;
2901 				nla_nest_end(msg, nl_freqs);
2902 			}
2903 
2904 			nla_nest_end(msg, nl_band);
2905 
2906 			if (state->split) {
2907 				/* start again here */
2908 				if (state->chan_start)
2909 					band--;
2910 				break;
2911 			}
2912 		}
2913 		nla_nest_end(msg, nl_bands);
2914 
2915 		if (band < NUM_NL80211_BANDS)
2916 			state->band_start = band + 1;
2917 		else
2918 			state->band_start = 0;
2919 
2920 		/* if bands & channels are done, continue outside */
2921 		if (state->band_start == 0 && state->chan_start == 0)
2922 			state->split_start++;
2923 		if (state->split)
2924 			break;
2925 		fallthrough;
2926 	case 4:
2927 		nl_cmds = nla_nest_start_noflag(msg,
2928 						NL80211_ATTR_SUPPORTED_COMMANDS);
2929 		if (!nl_cmds)
2930 			goto nla_put_failure;
2931 
2932 		i = nl80211_add_commands_unsplit(rdev, msg);
2933 		if (i < 0)
2934 			goto nla_put_failure;
2935 		if (state->split) {
2936 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2937 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2938 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2939 				CMD(channel_switch, CHANNEL_SWITCH);
2940 			CMD(set_qos_map, SET_QOS_MAP);
2941 			if (rdev->wiphy.features &
2942 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2943 				CMD(add_tx_ts, ADD_TX_TS);
2944 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2945 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2946 			CMD(update_ft_ies, UPDATE_FT_IES);
2947 			if (rdev->wiphy.sar_capa)
2948 				CMD(set_sar_specs, SET_SAR_SPECS);
2949 			CMD(assoc_ml_reconf, ASSOC_MLO_RECONF);
2950 		}
2951 #undef CMD
2952 
2953 		nla_nest_end(msg, nl_cmds);
2954 		state->split_start++;
2955 		if (state->split)
2956 			break;
2957 		fallthrough;
2958 	case 5:
2959 		if (rdev->ops->remain_on_channel &&
2960 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2961 		    nla_put_u32(msg,
2962 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2963 				rdev->wiphy.max_remain_on_channel_duration))
2964 			goto nla_put_failure;
2965 
2966 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2967 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2968 			goto nla_put_failure;
2969 
2970 		state->split_start++;
2971 		if (state->split)
2972 			break;
2973 		fallthrough;
2974 	case 6:
2975 #ifdef CONFIG_PM
2976 		if (nl80211_send_wowlan(msg, rdev, state->split))
2977 			goto nla_put_failure;
2978 		state->split_start++;
2979 		if (state->split)
2980 			break;
2981 #else
2982 		state->split_start++;
2983 #endif
2984 		fallthrough;
2985 	case 7:
2986 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2987 					rdev->wiphy.software_iftypes))
2988 			goto nla_put_failure;
2989 
2990 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2991 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2992 						   rdev->wiphy.n_radio ? 0 : -1,
2993 						   state->split, 0))
2994 			goto nla_put_failure;
2995 
2996 		state->split_start++;
2997 		if (state->split)
2998 			break;
2999 		fallthrough;
3000 	case 8:
3001 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
3002 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
3003 				rdev->wiphy.ap_sme_capa))
3004 			goto nla_put_failure;
3005 
3006 		features = rdev->wiphy.features;
3007 		/*
3008 		 * We can only add the per-channel limit information if the
3009 		 * dump is split, otherwise it makes it too big. Therefore
3010 		 * only advertise it in that case.
3011 		 */
3012 		if (state->split)
3013 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
3014 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
3015 			goto nla_put_failure;
3016 
3017 		if (rdev->wiphy.ht_capa_mod_mask &&
3018 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
3019 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
3020 			    rdev->wiphy.ht_capa_mod_mask))
3021 			goto nla_put_failure;
3022 
3023 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
3024 		    rdev->wiphy.max_acl_mac_addrs &&
3025 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
3026 				rdev->wiphy.max_acl_mac_addrs))
3027 			goto nla_put_failure;
3028 
3029 		/*
3030 		 * Any information below this point is only available to
3031 		 * applications that can deal with it being split. This
3032 		 * helps ensure that newly added capabilities don't break
3033 		 * older tools by overrunning their buffers.
3034 		 *
3035 		 * We still increment split_start so that in the split
3036 		 * case we'll continue with more data in the next round,
3037 		 * but break unconditionally so unsplit data stops here.
3038 		 */
3039 		if (state->split)
3040 			state->split_start++;
3041 		else
3042 			state->split_start = 0;
3043 		break;
3044 	case 9:
3045 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
3046 			goto nla_put_failure;
3047 
3048 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
3049 				rdev->wiphy.max_sched_scan_plans) ||
3050 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
3051 				rdev->wiphy.max_sched_scan_plan_interval) ||
3052 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
3053 				rdev->wiphy.max_sched_scan_plan_iterations))
3054 			goto nla_put_failure;
3055 
3056 		if (rdev->wiphy.extended_capabilities &&
3057 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
3058 			     rdev->wiphy.extended_capabilities_len,
3059 			     rdev->wiphy.extended_capabilities) ||
3060 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3061 			     rdev->wiphy.extended_capabilities_len,
3062 			     rdev->wiphy.extended_capabilities_mask)))
3063 			goto nla_put_failure;
3064 
3065 		if (rdev->wiphy.vht_capa_mod_mask &&
3066 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
3067 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
3068 			    rdev->wiphy.vht_capa_mod_mask))
3069 			goto nla_put_failure;
3070 
3071 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3072 			    rdev->wiphy.perm_addr))
3073 			goto nla_put_failure;
3074 
3075 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
3076 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
3077 			    rdev->wiphy.addr_mask))
3078 			goto nla_put_failure;
3079 
3080 		if (rdev->wiphy.n_addresses > 1) {
3081 			void *attr;
3082 
3083 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
3084 			if (!attr)
3085 				goto nla_put_failure;
3086 
3087 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
3088 				if (nla_put(msg, i + 1, ETH_ALEN,
3089 					    rdev->wiphy.addresses[i].addr))
3090 					goto nla_put_failure;
3091 
3092 			nla_nest_end(msg, attr);
3093 		}
3094 
3095 		state->split_start++;
3096 		break;
3097 	case 10:
3098 		if (nl80211_send_coalesce(msg, rdev))
3099 			goto nla_put_failure;
3100 
3101 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
3102 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
3103 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
3104 			goto nla_put_failure;
3105 
3106 		if (rdev->wiphy.max_ap_assoc_sta &&
3107 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
3108 				rdev->wiphy.max_ap_assoc_sta))
3109 			goto nla_put_failure;
3110 
3111 		state->split_start++;
3112 		break;
3113 	case 11:
3114 		if (rdev->wiphy.n_vendor_commands) {
3115 			const struct nl80211_vendor_cmd_info *info;
3116 			struct nlattr *nested;
3117 
3118 			nested = nla_nest_start_noflag(msg,
3119 						       NL80211_ATTR_VENDOR_DATA);
3120 			if (!nested)
3121 				goto nla_put_failure;
3122 
3123 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
3124 				info = &rdev->wiphy.vendor_commands[i].info;
3125 				if (nla_put(msg, i + 1, sizeof(*info), info))
3126 					goto nla_put_failure;
3127 			}
3128 			nla_nest_end(msg, nested);
3129 		}
3130 
3131 		if (rdev->wiphy.n_vendor_events) {
3132 			const struct nl80211_vendor_cmd_info *info;
3133 			struct nlattr *nested;
3134 
3135 			nested = nla_nest_start_noflag(msg,
3136 						       NL80211_ATTR_VENDOR_EVENTS);
3137 			if (!nested)
3138 				goto nla_put_failure;
3139 
3140 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
3141 				info = &rdev->wiphy.vendor_events[i];
3142 				if (nla_put(msg, i + 1, sizeof(*info), info))
3143 					goto nla_put_failure;
3144 			}
3145 			nla_nest_end(msg, nested);
3146 		}
3147 		state->split_start++;
3148 		break;
3149 	case 12:
3150 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
3151 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
3152 			       rdev->wiphy.max_num_csa_counters))
3153 			goto nla_put_failure;
3154 
3155 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
3156 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
3157 			goto nla_put_failure;
3158 
3159 		if (rdev->wiphy.max_sched_scan_reqs &&
3160 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
3161 				rdev->wiphy.max_sched_scan_reqs))
3162 			goto nla_put_failure;
3163 
3164 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
3165 			    sizeof(rdev->wiphy.ext_features),
3166 			    rdev->wiphy.ext_features))
3167 			goto nla_put_failure;
3168 
3169 		if (rdev->wiphy.bss_param_support) {
3170 			struct nlattr *nested;
3171 			u32 parsup = rdev->wiphy.bss_param_support;
3172 
3173 			nested = nla_nest_start(msg, NL80211_ATTR_BSS_PARAM);
3174 			if (!nested)
3175 				goto nla_put_failure;
3176 
3177 			if ((parsup & WIPHY_BSS_PARAM_CTS_PROT) &&
3178 			    nla_put_flag(msg, NL80211_ATTR_BSS_CTS_PROT))
3179 				goto nla_put_failure;
3180 			if ((parsup & WIPHY_BSS_PARAM_SHORT_PREAMBLE) &&
3181 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_PREAMBLE))
3182 				goto nla_put_failure;
3183 			if ((parsup & WIPHY_BSS_PARAM_SHORT_SLOT_TIME) &&
3184 			    nla_put_flag(msg, NL80211_ATTR_BSS_SHORT_SLOT_TIME))
3185 				goto nla_put_failure;
3186 			if ((parsup & WIPHY_BSS_PARAM_BASIC_RATES) &&
3187 			    nla_put_flag(msg, NL80211_ATTR_BSS_BASIC_RATES))
3188 				goto nla_put_failure;
3189 			if ((parsup & WIPHY_BSS_PARAM_AP_ISOLATE) &&
3190 			    nla_put_flag(msg, NL80211_ATTR_AP_ISOLATE))
3191 				goto nla_put_failure;
3192 			if ((parsup & WIPHY_BSS_PARAM_HT_OPMODE) &&
3193 			    nla_put_flag(msg, NL80211_ATTR_BSS_HT_OPMODE))
3194 				goto nla_put_failure;
3195 			if ((parsup & WIPHY_BSS_PARAM_P2P_CTWINDOW) &&
3196 			    nla_put_flag(msg, NL80211_ATTR_P2P_CTWINDOW))
3197 				goto nla_put_failure;
3198 			if ((parsup & WIPHY_BSS_PARAM_P2P_OPPPS) &&
3199 			    nla_put_flag(msg, NL80211_ATTR_P2P_OPPPS))
3200 				goto nla_put_failure;
3201 			nla_nest_end(msg, nested);
3202 		}
3203 		if (rdev->wiphy.bss_select_support) {
3204 			struct nlattr *nested;
3205 			u32 bss_select_support = rdev->wiphy.bss_select_support;
3206 
3207 			nested = nla_nest_start_noflag(msg,
3208 						       NL80211_ATTR_BSS_SELECT);
3209 			if (!nested)
3210 				goto nla_put_failure;
3211 
3212 			i = 0;
3213 			while (bss_select_support) {
3214 				if ((bss_select_support & 1) &&
3215 				    nla_put_flag(msg, i))
3216 					goto nla_put_failure;
3217 				i++;
3218 				bss_select_support >>= 1;
3219 			}
3220 			nla_nest_end(msg, nested);
3221 		}
3222 
3223 		state->split_start++;
3224 		break;
3225 	case 13:
3226 		if (rdev->wiphy.num_iftype_ext_capab &&
3227 		    rdev->wiphy.iftype_ext_capab) {
3228 			struct nlattr *nested_ext_capab, *nested;
3229 
3230 			nested = nla_nest_start_noflag(msg,
3231 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3232 			if (!nested)
3233 				goto nla_put_failure;
3234 
3235 			for (i = state->capa_start;
3236 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3237 				const struct wiphy_iftype_ext_capab *capab;
3238 
3239 				capab = &rdev->wiphy.iftype_ext_capab[i];
3240 
3241 				nested_ext_capab = nla_nest_start_noflag(msg,
3242 									 i);
3243 				if (!nested_ext_capab ||
3244 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3245 						capab->iftype) ||
3246 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3247 					    capab->extended_capabilities_len,
3248 					    capab->extended_capabilities) ||
3249 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3250 					    capab->extended_capabilities_len,
3251 					    capab->extended_capabilities_mask))
3252 					goto nla_put_failure;
3253 
3254 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3255 				    (nla_put_u16(msg,
3256 						 NL80211_ATTR_EML_CAPABILITY,
3257 						 capab->eml_capabilities) ||
3258 				     nla_put_u16(msg,
3259 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3260 						 capab->mld_capa_and_ops)))
3261 					goto nla_put_failure;
3262 
3263 				nla_nest_end(msg, nested_ext_capab);
3264 				if (state->split)
3265 					break;
3266 			}
3267 			nla_nest_end(msg, nested);
3268 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3269 				state->capa_start = i + 1;
3270 				break;
3271 			}
3272 		}
3273 
3274 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3275 				rdev->wiphy.nan_supported_bands))
3276 			goto nla_put_failure;
3277 
3278 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3279 					    NL80211_EXT_FEATURE_TXQS)) {
3280 			struct cfg80211_txq_stats txqstats = {};
3281 			int res;
3282 
3283 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3284 			if (!res &&
3285 			    !nl80211_put_txq_stats(msg, &txqstats,
3286 						   NL80211_ATTR_TXQ_STATS))
3287 				goto nla_put_failure;
3288 
3289 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3290 					rdev->wiphy.txq_limit))
3291 				goto nla_put_failure;
3292 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3293 					rdev->wiphy.txq_memory_limit))
3294 				goto nla_put_failure;
3295 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3296 					rdev->wiphy.txq_quantum))
3297 				goto nla_put_failure;
3298 		}
3299 
3300 		state->split_start++;
3301 		break;
3302 	case 14:
3303 		if (nl80211_send_pmsr_capa(rdev, msg))
3304 			goto nla_put_failure;
3305 
3306 		state->split_start++;
3307 		break;
3308 	case 15:
3309 		if (rdev->wiphy.akm_suites &&
3310 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3311 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3312 			    rdev->wiphy.akm_suites))
3313 			goto nla_put_failure;
3314 
3315 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3316 			goto nla_put_failure;
3317 
3318 		if (nl80211_put_tid_config_support(rdev, msg))
3319 			goto nla_put_failure;
3320 		state->split_start++;
3321 		break;
3322 	case 16:
3323 		if (nl80211_put_sar_specs(rdev, msg))
3324 			goto nla_put_failure;
3325 
3326 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3327 			goto nla_put_failure;
3328 
3329 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3330 				rdev->wiphy.max_num_akm_suites))
3331 			goto nla_put_failure;
3332 
3333 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3334 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3335 
3336 		if (rdev->wiphy.hw_timestamp_max_peers &&
3337 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3338 				rdev->wiphy.hw_timestamp_max_peers))
3339 			goto nla_put_failure;
3340 
3341 		state->split_start++;
3342 		break;
3343 	case 17:
3344 		if (nl80211_put_radios(&rdev->wiphy, msg))
3345 			goto nla_put_failure;
3346 
3347 		state->split_start++;
3348 		break;
3349 	case 18:
3350 		if (nl80211_put_nan_capa(&rdev->wiphy, msg))
3351 			goto nla_put_failure;
3352 
3353 		/* done */
3354 		state->split_start = 0;
3355 		break;
3356 	}
3357  finish:
3358 	genlmsg_end(msg, hdr);
3359 	return 0;
3360 
3361  nla_put_failure:
3362 	genlmsg_cancel(msg, hdr);
3363 	return -EMSGSIZE;
3364 }
3365 
3366 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3367 				    struct netlink_callback *cb,
3368 				    struct nl80211_dump_wiphy_state *state)
3369 {
3370 	struct nlattr **tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
3371 	int ret;
3372 
3373 	if (!tb)
3374 		return -ENOMEM;
3375 
3376 	ret = nlmsg_parse_deprecated(cb->nlh,
3377 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3378 				     tb, nl80211_fam.maxattr,
3379 				     nl80211_policy, NULL);
3380 	/* ignore parse errors for backward compatibility */
3381 	if (ret) {
3382 		ret = 0;
3383 		goto out;
3384 	}
3385 
3386 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3387 	if (tb[NL80211_ATTR_WIPHY])
3388 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3389 	if (tb[NL80211_ATTR_WDEV])
3390 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3391 	if (tb[NL80211_ATTR_IFINDEX]) {
3392 		struct net_device *netdev;
3393 		struct cfg80211_registered_device *rdev;
3394 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3395 
3396 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3397 		if (!netdev) {
3398 			ret = -ENODEV;
3399 			goto out;
3400 		}
3401 		if (netdev->ieee80211_ptr) {
3402 			rdev = wiphy_to_rdev(
3403 				netdev->ieee80211_ptr->wiphy);
3404 			state->filter_wiphy = rdev->wiphy_idx;
3405 		}
3406 	}
3407 
3408 	ret = 0;
3409 out:
3410 	kfree(tb);
3411 	return ret;
3412 }
3413 
3414 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3415 {
3416 	int idx = 0, ret;
3417 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3418 	struct cfg80211_registered_device *rdev;
3419 
3420 	rtnl_lock();
3421 	if (!state) {
3422 		state = kzalloc_obj(*state);
3423 		if (!state) {
3424 			rtnl_unlock();
3425 			return -ENOMEM;
3426 		}
3427 		state->filter_wiphy = -1;
3428 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3429 		if (ret) {
3430 			kfree(state);
3431 			rtnl_unlock();
3432 			return ret;
3433 		}
3434 		cb->args[0] = (long)state;
3435 	}
3436 
3437 	for_each_rdev(rdev) {
3438 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3439 			continue;
3440 		if (++idx <= state->start)
3441 			continue;
3442 		if (state->filter_wiphy != -1 &&
3443 		    state->filter_wiphy != rdev->wiphy_idx)
3444 			continue;
3445 		wiphy_lock(&rdev->wiphy);
3446 		/* attempt to fit multiple wiphy data chunks into the skb */
3447 		do {
3448 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3449 						 skb,
3450 						 NETLINK_CB(cb->skb).portid,
3451 						 cb->nlh->nlmsg_seq,
3452 						 NLM_F_MULTI, state);
3453 			if (ret < 0) {
3454 				/*
3455 				 * If sending the wiphy data didn't fit (ENOBUFS
3456 				 * or EMSGSIZE returned), this SKB is still
3457 				 * empty (so it's not too big because another
3458 				 * wiphy dataset is already in the skb) and
3459 				 * we've not tried to adjust the dump allocation
3460 				 * yet ... then adjust the alloc size to be
3461 				 * bigger, and return 1 but with the empty skb.
3462 				 * This results in an empty message being RX'ed
3463 				 * in userspace, but that is ignored.
3464 				 *
3465 				 * We can then retry with the larger buffer.
3466 				 */
3467 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3468 				    !skb->len && !state->split &&
3469 				    cb->min_dump_alloc < 4096) {
3470 					cb->min_dump_alloc = 4096;
3471 					state->split_start = 0;
3472 					wiphy_unlock(&rdev->wiphy);
3473 					rtnl_unlock();
3474 					return 1;
3475 				}
3476 				idx--;
3477 				break;
3478 			}
3479 		} while (state->split_start > 0);
3480 		wiphy_unlock(&rdev->wiphy);
3481 		break;
3482 	}
3483 	rtnl_unlock();
3484 
3485 	state->start = idx;
3486 
3487 	return skb->len;
3488 }
3489 
3490 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3491 {
3492 	kfree((void *)cb->args[0]);
3493 	return 0;
3494 }
3495 
3496 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3497 {
3498 	struct sk_buff *msg;
3499 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3500 	struct nl80211_dump_wiphy_state state = {};
3501 
3502 	msg = nlmsg_new(4096, GFP_KERNEL);
3503 	if (!msg)
3504 		return -ENOMEM;
3505 
3506 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3507 			       info->snd_portid, info->snd_seq, 0,
3508 			       &state) < 0) {
3509 		nlmsg_free(msg);
3510 		return -ENOBUFS;
3511 	}
3512 
3513 	return genlmsg_reply(msg, info);
3514 }
3515 
3516 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3517 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3518 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3519 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3520 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3521 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3522 };
3523 
3524 static int parse_txq_params(struct nlattr *tb[],
3525 			    struct ieee80211_txq_params *txq_params)
3526 {
3527 	u8 ac;
3528 
3529 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3530 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3531 	    !tb[NL80211_TXQ_ATTR_AIFS])
3532 		return -EINVAL;
3533 
3534 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3535 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3536 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3537 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3538 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3539 
3540 	if (ac >= NL80211_NUM_ACS)
3541 		return -EINVAL;
3542 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3543 	return 0;
3544 }
3545 
3546 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3547 {
3548 	/*
3549 	 * You can only set the channel explicitly for some interfaces,
3550 	 * most have their channel managed via their respective
3551 	 * "establish a connection" command (connect, join, ...)
3552 	 *
3553 	 * For AP/GO and mesh mode, the channel can be set with the
3554 	 * channel userspace API, but is only stored and passed to the
3555 	 * low-level driver when the AP starts or the mesh is joined.
3556 	 * This is for backward compatibility, userspace can also give
3557 	 * the channel in the start-ap or join-mesh commands instead.
3558 	 *
3559 	 * Monitors are special as they are normally slaved to
3560 	 * whatever else is going on, so they have their own special
3561 	 * operation to set the monitor channel if possible.
3562 	 */
3563 	return !wdev ||
3564 		wdev->iftype == NL80211_IFTYPE_AP ||
3565 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3566 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3567 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3568 }
3569 
3570 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3571 				  struct genl_info *info, bool monitor,
3572 				  struct cfg80211_chan_def *chandef)
3573 {
3574 	struct netlink_ext_ack *extack = info->extack;
3575 	struct nlattr **attrs = info->attrs;
3576 	u32 control_freq;
3577 
3578 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3579 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3580 				    "Frequency is missing");
3581 		return -EINVAL;
3582 	}
3583 
3584 	control_freq = MHZ_TO_KHZ(
3585 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3586 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3587 		control_freq +=
3588 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3589 
3590 	memset(chandef, 0, sizeof(*chandef));
3591 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3592 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3593 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3594 	chandef->freq1_offset = control_freq % 1000;
3595 	chandef->center_freq2 = 0;
3596 	chandef->s1g_primary_2mhz = false;
3597 
3598 	if (!chandef->chan) {
3599 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3600 				    "Unknown channel");
3601 		return -EINVAL;
3602 	}
3603 
3604 	if (cfg80211_chandef_is_s1g(chandef))
3605 		chandef->width = NL80211_CHAN_WIDTH_1;
3606 
3607 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3608 		enum nl80211_channel_type chantype;
3609 
3610 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3611 
3612 		switch (chantype) {
3613 		case NL80211_CHAN_NO_HT:
3614 		case NL80211_CHAN_HT20:
3615 		case NL80211_CHAN_HT40PLUS:
3616 		case NL80211_CHAN_HT40MINUS:
3617 			cfg80211_chandef_create(chandef, chandef->chan,
3618 						chantype);
3619 			/* user input for center_freq is incorrect */
3620 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3621 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3622 				NL_SET_ERR_MSG_ATTR(extack,
3623 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3624 						    "bad center frequency 1");
3625 				return -EINVAL;
3626 			}
3627 			/* center_freq2 must be zero */
3628 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3629 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3630 				NL_SET_ERR_MSG_ATTR(extack,
3631 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3632 						    "center frequency 2 can't be used");
3633 				return -EINVAL;
3634 			}
3635 			break;
3636 		default:
3637 			NL_SET_ERR_MSG_ATTR(extack,
3638 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3639 					    "invalid channel type");
3640 			return -EINVAL;
3641 		}
3642 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3643 		chandef->width = nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3644 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3645 			chandef->center_freq1 =
3646 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3647 			chandef->freq1_offset = nla_get_u32_default(
3648 				attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET], 0);
3649 		}
3650 
3651 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3652 			chandef->center_freq2 =
3653 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3654 
3655 		chandef->s1g_primary_2mhz = nla_get_flag(
3656 			attrs[NL80211_ATTR_S1G_PRIMARY_2MHZ]);
3657 	}
3658 
3659 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3660 		chandef->edmg.channels =
3661 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3662 
3663 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3664 			chandef->edmg.bw_config =
3665 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3666 	} else {
3667 		chandef->edmg.bw_config = 0;
3668 		chandef->edmg.channels = 0;
3669 	}
3670 
3671 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3672 		chandef->punctured =
3673 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3674 
3675 		if (chandef->punctured &&
3676 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3677 					     NL80211_EXT_FEATURE_PUNCT)) {
3678 			NL_SET_ERR_MSG(extack,
3679 				       "driver doesn't support puncturing");
3680 			return -EINVAL;
3681 		}
3682 	}
3683 
3684 	if (!cfg80211_chandef_valid(chandef)) {
3685 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3686 		return -EINVAL;
3687 	}
3688 
3689 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3690 				      IEEE80211_CHAN_DISABLED,
3691 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3692 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3693 		return -EINVAL;
3694 	}
3695 
3696 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3697 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3698 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3699 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3700 		return -EINVAL;
3701 	}
3702 
3703 	return 0;
3704 }
3705 
3706 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3707 			  struct genl_info *info,
3708 			  struct cfg80211_chan_def *chandef)
3709 {
3710 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3711 }
3712 
3713 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3714 				 struct net_device *dev,
3715 				 struct genl_info *info,
3716 				 int _link_id)
3717 {
3718 	struct cfg80211_chan_def chandef;
3719 	int result;
3720 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3721 	struct wireless_dev *wdev = NULL;
3722 	int link_id = _link_id;
3723 
3724 	if (dev)
3725 		wdev = dev->ieee80211_ptr;
3726 	if (!nl80211_can_set_dev_channel(wdev))
3727 		return -EOPNOTSUPP;
3728 	if (wdev)
3729 		iftype = wdev->iftype;
3730 
3731 	if (link_id < 0) {
3732 		if (wdev && wdev->valid_links)
3733 			return -EINVAL;
3734 		link_id = 0;
3735 	}
3736 
3737 	result = _nl80211_parse_chandef(rdev, info,
3738 					iftype == NL80211_IFTYPE_MONITOR,
3739 					&chandef);
3740 	if (result)
3741 		return result;
3742 
3743 	switch (iftype) {
3744 	case NL80211_IFTYPE_AP:
3745 	case NL80211_IFTYPE_P2P_GO:
3746 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3747 						   iftype))
3748 			return -EINVAL;
3749 		if (wdev->links[link_id].ap.beacon_interval) {
3750 			struct ieee80211_channel *cur_chan;
3751 
3752 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3753 			    !(rdev->wiphy.features &
3754 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3755 				return -EBUSY;
3756 
3757 			/* Only allow dynamic channel width changes */
3758 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3759 			if (chandef.chan != cur_chan)
3760 				return -EBUSY;
3761 
3762 			/* only allow this for regular channel widths */
3763 			switch (wdev->links[link_id].ap.chandef.width) {
3764 			case NL80211_CHAN_WIDTH_20_NOHT:
3765 			case NL80211_CHAN_WIDTH_20:
3766 			case NL80211_CHAN_WIDTH_40:
3767 			case NL80211_CHAN_WIDTH_80:
3768 			case NL80211_CHAN_WIDTH_80P80:
3769 			case NL80211_CHAN_WIDTH_160:
3770 			case NL80211_CHAN_WIDTH_320:
3771 				break;
3772 			default:
3773 				return -EINVAL;
3774 			}
3775 
3776 			switch (chandef.width) {
3777 			case NL80211_CHAN_WIDTH_20_NOHT:
3778 			case NL80211_CHAN_WIDTH_20:
3779 			case NL80211_CHAN_WIDTH_40:
3780 			case NL80211_CHAN_WIDTH_80:
3781 			case NL80211_CHAN_WIDTH_80P80:
3782 			case NL80211_CHAN_WIDTH_160:
3783 			case NL80211_CHAN_WIDTH_320:
3784 				break;
3785 			default:
3786 				return -EINVAL;
3787 			}
3788 
3789 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3790 						       &chandef);
3791 			if (result)
3792 				return result;
3793 			wdev->links[link_id].ap.chandef = chandef;
3794 		} else {
3795 			wdev->u.ap.preset_chandef = chandef;
3796 		}
3797 		return 0;
3798 	case NL80211_IFTYPE_MESH_POINT:
3799 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3800 	case NL80211_IFTYPE_MONITOR:
3801 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3802 	default:
3803 		break;
3804 	}
3805 
3806 	return -EINVAL;
3807 }
3808 
3809 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3810 {
3811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3812 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3813 	struct net_device *netdev = info->user_ptr[1];
3814 
3815 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3816 }
3817 
3818 static int nl80211_set_wiphy_radio(struct genl_info *info,
3819 				   struct cfg80211_registered_device *rdev,
3820 				   int radio_idx)
3821 {
3822 	u32 rts_threshold = 0, old_rts, changed = 0;
3823 	int result;
3824 
3825 	if (!rdev->ops->set_wiphy_params)
3826 		return -EOPNOTSUPP;
3827 
3828 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3829 		rts_threshold = nla_get_u32(
3830 				info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3831 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3832 	}
3833 
3834 	old_rts = rdev->wiphy.radio_cfg[radio_idx].rts_threshold;
3835 
3836 	rdev->wiphy.radio_cfg[radio_idx].rts_threshold = rts_threshold;
3837 
3838 	result = rdev_set_wiphy_params(rdev, radio_idx, changed);
3839 	if (result)
3840 		rdev->wiphy.radio_cfg[radio_idx].rts_threshold = old_rts;
3841 
3842 	return 0;
3843 }
3844 
3845 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3846 {
3847 	struct cfg80211_registered_device *rdev = NULL;
3848 	struct net_device *netdev = NULL;
3849 	struct wireless_dev *wdev;
3850 	int result = 0, rem_txq_params = 0;
3851 	struct nlattr *nl_txq_params;
3852 	u32 changed;
3853 	u8 retry_short = 0, retry_long = 0;
3854 	u32 frag_threshold = 0, rts_threshold = 0;
3855 	u8 coverage_class = 0;
3856 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3857 	int radio_idx = -1;
3858 
3859 	rtnl_lock();
3860 	/*
3861 	 * Try to find the wiphy and netdev. Normally this
3862 	 * function shouldn't need the netdev, but this is
3863 	 * done for backward compatibility -- previously
3864 	 * setting the channel was done per wiphy, but now
3865 	 * it is per netdev. Previous userland like hostapd
3866 	 * also passed a netdev to set_wiphy, so that it is
3867 	 * possible to let that go to the right netdev!
3868 	 */
3869 
3870 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3871 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3872 
3873 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3874 		if (netdev && netdev->ieee80211_ptr)
3875 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3876 		else
3877 			netdev = NULL;
3878 	}
3879 
3880 	if (!netdev) {
3881 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3882 						  info->attrs);
3883 		if (IS_ERR(rdev)) {
3884 			rtnl_unlock();
3885 			return PTR_ERR(rdev);
3886 		}
3887 		wdev = NULL;
3888 		netdev = NULL;
3889 		result = 0;
3890 	} else
3891 		wdev = netdev->ieee80211_ptr;
3892 
3893 	guard(wiphy)(&rdev->wiphy);
3894 
3895 	/*
3896 	 * end workaround code, by now the rdev is available
3897 	 * and locked, and wdev may or may not be NULL.
3898 	 */
3899 
3900 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3901 		result = cfg80211_dev_rename(
3902 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3903 	rtnl_unlock();
3904 
3905 	if (result)
3906 		return result;
3907 
3908 	if (info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]) {
3909 		/* Radio idx is not expected for non-multi radio wiphy */
3910 		if (rdev->wiphy.n_radio <= 0)
3911 			return -EINVAL;
3912 
3913 		radio_idx = nla_get_u8(
3914 				info->attrs[NL80211_ATTR_WIPHY_RADIO_INDEX]);
3915 		if (radio_idx >= rdev->wiphy.n_radio)
3916 			return -EINVAL;
3917 
3918 		return nl80211_set_wiphy_radio(info, rdev, radio_idx);
3919 	}
3920 
3921 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3922 		struct ieee80211_txq_params txq_params;
3923 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3924 
3925 		if (!rdev->ops->set_txq_params)
3926 			return -EOPNOTSUPP;
3927 
3928 		if (!netdev)
3929 			return -EINVAL;
3930 
3931 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3932 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3933 			return -EINVAL;
3934 
3935 		if (!netif_running(netdev))
3936 			return -ENETDOWN;
3937 
3938 		nla_for_each_nested(nl_txq_params,
3939 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3940 				    rem_txq_params) {
3941 			result = nla_parse_nested_deprecated(tb,
3942 							     NL80211_TXQ_ATTR_MAX,
3943 							     nl_txq_params,
3944 							     txq_params_policy,
3945 							     info->extack);
3946 			if (result)
3947 				return result;
3948 
3949 			result = parse_txq_params(tb, &txq_params);
3950 			if (result)
3951 				return result;
3952 
3953 			txq_params.link_id =
3954 				nl80211_link_id_or_invalid(info->attrs);
3955 
3956 			if (txq_params.link_id >= 0 &&
3957 			    !(netdev->ieee80211_ptr->valid_links &
3958 			      BIT(txq_params.link_id)))
3959 				result = -ENOLINK;
3960 			else if (txq_params.link_id >= 0 &&
3961 				 !netdev->ieee80211_ptr->valid_links)
3962 				result = -EINVAL;
3963 			else
3964 				result = rdev_set_txq_params(rdev, netdev,
3965 							     &txq_params);
3966 			if (result)
3967 				return result;
3968 		}
3969 	}
3970 
3971 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3972 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3973 
3974 		if (wdev) {
3975 			result = __nl80211_set_channel(
3976 				rdev,
3977 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3978 				info, link_id);
3979 		} else {
3980 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3981 		}
3982 
3983 		if (result)
3984 			return result;
3985 	}
3986 
3987 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3988 		struct wireless_dev *txp_wdev = wdev;
3989 		enum nl80211_tx_power_setting type;
3990 		int idx, mbm = 0;
3991 
3992 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3993 			txp_wdev = NULL;
3994 
3995 		if (!rdev->ops->set_tx_power)
3996 			return -EOPNOTSUPP;
3997 
3998 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3999 		type = nla_get_u32(info->attrs[idx]);
4000 
4001 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
4002 		    (type != NL80211_TX_POWER_AUTOMATIC))
4003 			return -EINVAL;
4004 
4005 		if (type != NL80211_TX_POWER_AUTOMATIC) {
4006 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
4007 			mbm = nla_get_u32(info->attrs[idx]);
4008 		}
4009 
4010 		result = rdev_set_tx_power(rdev, txp_wdev, radio_idx, type,
4011 					   mbm);
4012 		if (result)
4013 			return result;
4014 	}
4015 
4016 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
4017 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
4018 		u32 tx_ant, rx_ant;
4019 
4020 		if ((!rdev->wiphy.available_antennas_tx &&
4021 		     !rdev->wiphy.available_antennas_rx) ||
4022 		    !rdev->ops->set_antenna)
4023 			return -EOPNOTSUPP;
4024 
4025 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
4026 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
4027 
4028 		/* reject antenna configurations which don't match the
4029 		 * available antenna masks, except for the "all" mask */
4030 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
4031 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
4032 			return -EINVAL;
4033 
4034 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
4035 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
4036 
4037 		result = rdev_set_antenna(rdev, radio_idx, tx_ant, rx_ant);
4038 		if (result)
4039 			return result;
4040 	}
4041 
4042 	changed = 0;
4043 
4044 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
4045 		retry_short = nla_get_u8(
4046 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
4047 
4048 		changed |= WIPHY_PARAM_RETRY_SHORT;
4049 	}
4050 
4051 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
4052 		retry_long = nla_get_u8(
4053 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
4054 
4055 		changed |= WIPHY_PARAM_RETRY_LONG;
4056 	}
4057 
4058 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
4059 		frag_threshold = nla_get_u32(
4060 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
4061 		if (frag_threshold < 256)
4062 			return -EINVAL;
4063 
4064 		if (frag_threshold != (u32) -1) {
4065 			/*
4066 			 * Fragments (apart from the last one) are required to
4067 			 * have even length. Make the fragmentation code
4068 			 * simpler by stripping LSB should someone try to use
4069 			 * odd threshold value.
4070 			 */
4071 			frag_threshold &= ~0x1;
4072 		}
4073 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
4074 	}
4075 
4076 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
4077 		rts_threshold = nla_get_u32(
4078 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
4079 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
4080 	}
4081 
4082 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
4083 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
4084 			return -EINVAL;
4085 
4086 		coverage_class = nla_get_u8(
4087 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
4088 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
4089 	}
4090 
4091 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
4092 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
4093 			return -EOPNOTSUPP;
4094 
4095 		changed |= WIPHY_PARAM_DYN_ACK;
4096 	}
4097 
4098 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
4099 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4100 					     NL80211_EXT_FEATURE_TXQS))
4101 			return -EOPNOTSUPP;
4102 
4103 		txq_limit = nla_get_u32(
4104 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
4105 		changed |= WIPHY_PARAM_TXQ_LIMIT;
4106 	}
4107 
4108 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
4109 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4110 					     NL80211_EXT_FEATURE_TXQS))
4111 			return -EOPNOTSUPP;
4112 
4113 		txq_memory_limit = nla_get_u32(
4114 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
4115 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
4116 	}
4117 
4118 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
4119 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4120 					     NL80211_EXT_FEATURE_TXQS))
4121 			return -EOPNOTSUPP;
4122 
4123 		txq_quantum = nla_get_u32(
4124 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
4125 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
4126 	}
4127 
4128 	if (changed) {
4129 		u8 old_retry_short, old_retry_long;
4130 		u32 old_frag_threshold, old_rts_threshold;
4131 		u8 old_coverage_class, i;
4132 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
4133 		u32 *old_radio_rts_threshold = NULL;
4134 
4135 		if (!rdev->ops->set_wiphy_params)
4136 			return -EOPNOTSUPP;
4137 
4138 		if (rdev->wiphy.n_radio) {
4139 			old_radio_rts_threshold = kcalloc(rdev->wiphy.n_radio,
4140 							  sizeof(u32),
4141 							  GFP_KERNEL);
4142 			if (!old_radio_rts_threshold)
4143 				return -ENOMEM;
4144 		}
4145 
4146 		old_retry_short = rdev->wiphy.retry_short;
4147 		old_retry_long = rdev->wiphy.retry_long;
4148 		old_frag_threshold = rdev->wiphy.frag_threshold;
4149 		old_rts_threshold = rdev->wiphy.rts_threshold;
4150 		if (old_radio_rts_threshold) {
4151 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4152 				old_radio_rts_threshold[i] =
4153 					rdev->wiphy.radio_cfg[i].rts_threshold;
4154 		}
4155 		old_coverage_class = rdev->wiphy.coverage_class;
4156 		old_txq_limit = rdev->wiphy.txq_limit;
4157 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
4158 		old_txq_quantum = rdev->wiphy.txq_quantum;
4159 
4160 		if (changed & WIPHY_PARAM_RETRY_SHORT)
4161 			rdev->wiphy.retry_short = retry_short;
4162 		if (changed & WIPHY_PARAM_RETRY_LONG)
4163 			rdev->wiphy.retry_long = retry_long;
4164 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
4165 			rdev->wiphy.frag_threshold = frag_threshold;
4166 		if ((changed & WIPHY_PARAM_RTS_THRESHOLD) &&
4167 		    old_radio_rts_threshold) {
4168 			rdev->wiphy.rts_threshold = rts_threshold;
4169 			for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4170 				rdev->wiphy.radio_cfg[i].rts_threshold =
4171 					rdev->wiphy.rts_threshold;
4172 		}
4173 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
4174 			rdev->wiphy.coverage_class = coverage_class;
4175 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
4176 			rdev->wiphy.txq_limit = txq_limit;
4177 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
4178 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
4179 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
4180 			rdev->wiphy.txq_quantum = txq_quantum;
4181 
4182 		result = rdev_set_wiphy_params(rdev, radio_idx, changed);
4183 		if (result) {
4184 			rdev->wiphy.retry_short = old_retry_short;
4185 			rdev->wiphy.retry_long = old_retry_long;
4186 			rdev->wiphy.frag_threshold = old_frag_threshold;
4187 			rdev->wiphy.rts_threshold = old_rts_threshold;
4188 			if (old_radio_rts_threshold) {
4189 				for (i = 0 ; i < rdev->wiphy.n_radio; i++)
4190 					rdev->wiphy.radio_cfg[i].rts_threshold =
4191 						old_radio_rts_threshold[i];
4192 			}
4193 			rdev->wiphy.coverage_class = old_coverage_class;
4194 			rdev->wiphy.txq_limit = old_txq_limit;
4195 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
4196 			rdev->wiphy.txq_quantum = old_txq_quantum;
4197 		}
4198 
4199 		kfree(old_radio_rts_threshold);
4200 		return result;
4201 	}
4202 
4203 	return 0;
4204 }
4205 
4206 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
4207 {
4208 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
4209 		return -EINVAL;
4210 
4211 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
4212 			chandef->chan->center_freq))
4213 		return -ENOBUFS;
4214 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
4215 			chandef->chan->freq_offset))
4216 		return -ENOBUFS;
4217 	switch (chandef->width) {
4218 	case NL80211_CHAN_WIDTH_20_NOHT:
4219 	case NL80211_CHAN_WIDTH_20:
4220 	case NL80211_CHAN_WIDTH_40:
4221 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
4222 				cfg80211_get_chandef_type(chandef)))
4223 			return -ENOBUFS;
4224 		break;
4225 	default:
4226 		break;
4227 	}
4228 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
4229 		return -ENOBUFS;
4230 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
4231 		return -ENOBUFS;
4232 	if (chandef->center_freq2 &&
4233 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
4234 		return -ENOBUFS;
4235 	if (chandef->punctured &&
4236 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
4237 		return -ENOBUFS;
4238 	if (chandef->s1g_primary_2mhz &&
4239 	    nla_put_flag(msg, NL80211_ATTR_S1G_PRIMARY_2MHZ))
4240 		return -ENOBUFS;
4241 
4242 	return 0;
4243 }
4244 EXPORT_SYMBOL(nl80211_send_chandef);
4245 
4246 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
4247 			      struct cfg80211_registered_device *rdev,
4248 			      struct wireless_dev *wdev,
4249 			      enum nl80211_commands cmd)
4250 {
4251 	struct net_device *dev = wdev->netdev;
4252 	void *hdr;
4253 
4254 	lockdep_assert_wiphy(&rdev->wiphy);
4255 
4256 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
4257 		cmd != NL80211_CMD_DEL_INTERFACE &&
4258 		cmd != NL80211_CMD_SET_INTERFACE);
4259 
4260 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
4261 	if (!hdr)
4262 		return -1;
4263 
4264 	if (dev &&
4265 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4266 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
4267 		goto nla_put_failure;
4268 
4269 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
4270 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
4271 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4272 			      NL80211_ATTR_PAD) ||
4273 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4274 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4275 			rdev->devlist_generation ^
4276 			(cfg80211_rdev_list_generation << 2)) ||
4277 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4278 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4279 		goto nla_put_failure;
4280 
4281 	if (rdev->ops->get_channel && !wdev->valid_links) {
4282 		struct cfg80211_chan_def chandef = {};
4283 		int ret;
4284 
4285 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4286 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4287 			goto nla_put_failure;
4288 	}
4289 
4290 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4291 		int dbm, ret;
4292 
4293 		ret = rdev_get_tx_power(rdev, wdev, -1, 0, &dbm);
4294 		if (ret == 0 &&
4295 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4296 				DBM_TO_MBM(dbm)))
4297 			goto nla_put_failure;
4298 	}
4299 
4300 	switch (wdev->iftype) {
4301 	case NL80211_IFTYPE_AP:
4302 	case NL80211_IFTYPE_P2P_GO:
4303 		if (wdev->u.ap.ssid_len &&
4304 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4305 			    wdev->u.ap.ssid))
4306 			goto nla_put_failure;
4307 		break;
4308 	case NL80211_IFTYPE_STATION:
4309 	case NL80211_IFTYPE_P2P_CLIENT:
4310 		if (wdev->u.client.ssid_len &&
4311 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4312 			    wdev->u.client.ssid))
4313 			goto nla_put_failure;
4314 		break;
4315 	case NL80211_IFTYPE_ADHOC:
4316 		if (wdev->u.ibss.ssid_len &&
4317 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4318 			    wdev->u.ibss.ssid))
4319 			goto nla_put_failure;
4320 		break;
4321 	default:
4322 		/* nothing */
4323 		break;
4324 	}
4325 
4326 	if (rdev->ops->get_txq_stats) {
4327 		struct cfg80211_txq_stats txqstats = {};
4328 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4329 
4330 		if (ret == 0 &&
4331 		    !nl80211_put_txq_stats(msg, &txqstats,
4332 					   NL80211_ATTR_TXQ_STATS))
4333 			goto nla_put_failure;
4334 	}
4335 
4336 	if (wdev->valid_links) {
4337 		unsigned int link_id;
4338 		struct nlattr *links = nla_nest_start(msg,
4339 						      NL80211_ATTR_MLO_LINKS);
4340 
4341 		if (!links)
4342 			goto nla_put_failure;
4343 
4344 		for_each_valid_link(wdev, link_id) {
4345 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4346 			struct cfg80211_chan_def chandef = {};
4347 			int ret;
4348 
4349 			if (!link)
4350 				goto nla_put_failure;
4351 
4352 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4353 				goto nla_put_failure;
4354 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4355 				    wdev->links[link_id].addr))
4356 				goto nla_put_failure;
4357 
4358 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4359 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4360 				goto nla_put_failure;
4361 
4362 			if (rdev->ops->get_tx_power) {
4363 				int dbm, ret;
4364 
4365 				ret = rdev_get_tx_power(rdev, wdev, -1, link_id, &dbm);
4366 				if (ret == 0 &&
4367 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4368 						DBM_TO_MBM(dbm)))
4369 					goto nla_put_failure;
4370 			}
4371 			nla_nest_end(msg, link);
4372 		}
4373 
4374 		nla_nest_end(msg, links);
4375 	}
4376 
4377 	genlmsg_end(msg, hdr);
4378 	return 0;
4379 
4380  nla_put_failure:
4381 	genlmsg_cancel(msg, hdr);
4382 	return -EMSGSIZE;
4383 }
4384 
4385 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4386 {
4387 	int wp_idx = 0;
4388 	int if_idx = 0;
4389 	int wp_start = cb->args[0];
4390 	int if_start = cb->args[1];
4391 	int filter_wiphy = -1;
4392 	struct cfg80211_registered_device *rdev;
4393 	struct wireless_dev *wdev;
4394 	int ret;
4395 
4396 	rtnl_lock();
4397 	if (!cb->args[2]) {
4398 		struct nl80211_dump_wiphy_state state = {
4399 			.filter_wiphy = -1,
4400 		};
4401 
4402 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4403 		if (ret)
4404 			goto out_unlock;
4405 
4406 		filter_wiphy = state.filter_wiphy;
4407 
4408 		/*
4409 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4410 		 * value needed to determine that parsing is necessary.
4411 		 */
4412 		if (filter_wiphy >= 0)
4413 			cb->args[2] = filter_wiphy + 1;
4414 		else
4415 			cb->args[2] = -1;
4416 	} else if (cb->args[2] > 0) {
4417 		filter_wiphy = cb->args[2] - 1;
4418 	}
4419 
4420 	for_each_rdev(rdev) {
4421 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4422 			continue;
4423 		if (wp_idx < wp_start) {
4424 			wp_idx++;
4425 			continue;
4426 		}
4427 
4428 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4429 			continue;
4430 
4431 		if_idx = 0;
4432 
4433 		guard(wiphy)(&rdev->wiphy);
4434 
4435 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4436 			if (if_idx < if_start) {
4437 				if_idx++;
4438 				continue;
4439 			}
4440 
4441 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4442 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4443 					       rdev, wdev,
4444 					       NL80211_CMD_NEW_INTERFACE) < 0)
4445 				goto out;
4446 
4447 			if_idx++;
4448 		}
4449 
4450 		if_start = 0;
4451 		wp_idx++;
4452 	}
4453  out:
4454 	cb->args[0] = wp_idx;
4455 	cb->args[1] = if_idx;
4456 
4457 	ret = skb->len;
4458  out_unlock:
4459 	rtnl_unlock();
4460 
4461 	return ret;
4462 }
4463 
4464 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4465 {
4466 	struct sk_buff *msg;
4467 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4468 	struct wireless_dev *wdev = info->user_ptr[1];
4469 
4470 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4471 	if (!msg)
4472 		return -ENOMEM;
4473 
4474 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4475 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4476 		nlmsg_free(msg);
4477 		return -ENOBUFS;
4478 	}
4479 
4480 	return genlmsg_reply(msg, info);
4481 }
4482 
4483 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4484 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4485 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4486 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4487 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4488 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4489 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4490 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4491 };
4492 
4493 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4494 {
4495 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4496 	int flag;
4497 
4498 	*mntrflags = 0;
4499 
4500 	if (!nla)
4501 		return -EINVAL;
4502 
4503 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4504 		return -EINVAL;
4505 
4506 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4507 		if (flags[flag])
4508 			*mntrflags |= (1<<flag);
4509 
4510 	/* cooked monitor mode is incompatible with other modes */
4511 	if (*mntrflags & MONITOR_FLAG_COOK_FRAMES &&
4512 	    *mntrflags != MONITOR_FLAG_COOK_FRAMES)
4513 		return -EOPNOTSUPP;
4514 
4515 	*mntrflags |= MONITOR_FLAG_CHANGED;
4516 
4517 	return 0;
4518 }
4519 
4520 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4521 				     enum nl80211_iftype type,
4522 				     struct genl_info *info,
4523 				     struct vif_params *params)
4524 {
4525 	bool change = false;
4526 	int err;
4527 
4528 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4529 		if (type != NL80211_IFTYPE_MONITOR)
4530 			return -EINVAL;
4531 
4532 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4533 					  &params->flags);
4534 		if (err)
4535 			return err;
4536 
4537 		change = true;
4538 	}
4539 
4540 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4541 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4542 		return -EOPNOTSUPP;
4543 
4544 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4545 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4546 		return -EOPNOTSUPP;
4547 
4548 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4549 		const u8 *mumimo_groups;
4550 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4551 
4552 		if (type != NL80211_IFTYPE_MONITOR)
4553 			return -EINVAL;
4554 
4555 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4556 			return -EOPNOTSUPP;
4557 
4558 		mumimo_groups =
4559 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4560 
4561 		/* bits 0 and 63 are reserved and must be zero */
4562 		if ((mumimo_groups[0] & BIT(0)) ||
4563 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4564 			return -EINVAL;
4565 
4566 		params->vht_mumimo_groups = mumimo_groups;
4567 		change = true;
4568 	}
4569 
4570 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4571 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4572 
4573 		if (type != NL80211_IFTYPE_MONITOR)
4574 			return -EINVAL;
4575 
4576 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4577 			return -EOPNOTSUPP;
4578 
4579 		params->vht_mumimo_follow_addr =
4580 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4581 		change = true;
4582 	}
4583 
4584 	return change ? 1 : 0;
4585 }
4586 
4587 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4588 			       struct net_device *netdev, u8 use_4addr,
4589 			       enum nl80211_iftype iftype)
4590 {
4591 	if (!use_4addr) {
4592 		if (netdev && netif_is_bridge_port(netdev))
4593 			return -EBUSY;
4594 		return 0;
4595 	}
4596 
4597 	switch (iftype) {
4598 	case NL80211_IFTYPE_AP_VLAN:
4599 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4600 			return 0;
4601 		break;
4602 	case NL80211_IFTYPE_STATION:
4603 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4604 			return 0;
4605 		break;
4606 	default:
4607 		break;
4608 	}
4609 
4610 	return -EOPNOTSUPP;
4611 }
4612 
4613 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4614 					u32 *radio_mask)
4615 {
4616 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4617 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4618 	u32 mask, allowed;
4619 
4620 	if (!attr) {
4621 		*radio_mask = 0;
4622 		return 0;
4623 	}
4624 
4625 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4626 	mask = nla_get_u32(attr);
4627 	if (mask & ~allowed)
4628 		return -EINVAL;
4629 	if (!mask)
4630 		mask = allowed;
4631 	*radio_mask = mask;
4632 
4633 	return 1;
4634 }
4635 
4636 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4637 {
4638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4639 	struct vif_params params;
4640 	int err;
4641 	enum nl80211_iftype otype, ntype;
4642 	struct net_device *dev = info->user_ptr[1];
4643 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4644 	u32 radio_mask = 0;
4645 	bool change = false;
4646 
4647 	memset(&params, 0, sizeof(params));
4648 
4649 	otype = ntype = dev->ieee80211_ptr->iftype;
4650 
4651 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4652 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4653 		if (otype != ntype)
4654 			change = true;
4655 	}
4656 
4657 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4658 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4659 			return -EINVAL;
4660 		if (otype != NL80211_IFTYPE_MESH_POINT)
4661 			return -EINVAL;
4662 		if (netif_running(dev))
4663 			return -EBUSY;
4664 
4665 		wdev->u.mesh.id_up_len =
4666 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4667 		memcpy(wdev->u.mesh.id,
4668 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4669 		       wdev->u.mesh.id_up_len);
4670 	}
4671 
4672 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4673 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4674 		change = true;
4675 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4676 		if (err)
4677 			return err;
4678 	} else {
4679 		params.use_4addr = -1;
4680 	}
4681 
4682 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4683 	if (err < 0)
4684 		return err;
4685 	if (err > 0)
4686 		change = true;
4687 
4688 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4689 	if (err < 0)
4690 		return err;
4691 	if (err && netif_running(dev))
4692 		return -EBUSY;
4693 
4694 	if (change)
4695 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4696 	else
4697 		err = 0;
4698 
4699 	if (!err && params.use_4addr != -1)
4700 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4701 
4702 	if (radio_mask)
4703 		wdev->radio_mask = radio_mask;
4704 
4705 	if (change && !err)
4706 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4707 
4708 	return err;
4709 }
4710 
4711 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4712 {
4713 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4714 	struct vif_params params;
4715 	struct wireless_dev *wdev;
4716 	struct sk_buff *msg;
4717 	u32 radio_mask;
4718 	int err;
4719 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4720 
4721 	memset(&params, 0, sizeof(params));
4722 
4723 	if (!info->attrs[NL80211_ATTR_IFNAME])
4724 		return -EINVAL;
4725 
4726 	if (info->attrs[NL80211_ATTR_IFTYPE])
4727 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4728 
4729 	if (!rdev->ops->add_virtual_intf)
4730 		return -EOPNOTSUPP;
4731 
4732 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4733 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4734 	    info->attrs[NL80211_ATTR_MAC]) {
4735 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4736 			   ETH_ALEN);
4737 		if (!is_valid_ether_addr(params.macaddr))
4738 			return -EADDRNOTAVAIL;
4739 	}
4740 
4741 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4742 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4743 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4744 		if (err)
4745 			return err;
4746 	}
4747 
4748 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4749 		return -EOPNOTSUPP;
4750 
4751 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4752 	if (err < 0)
4753 		return err;
4754 
4755 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4756 	if (err < 0)
4757 		return err;
4758 
4759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4760 	if (!msg)
4761 		return -ENOMEM;
4762 
4763 	wdev = rdev_add_virtual_intf(rdev,
4764 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4765 				NET_NAME_USER, type, &params);
4766 	if (WARN_ON(!wdev)) {
4767 		nlmsg_free(msg);
4768 		return -EPROTO;
4769 	} else if (IS_ERR(wdev)) {
4770 		nlmsg_free(msg);
4771 		return PTR_ERR(wdev);
4772 	}
4773 
4774 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4775 		wdev->owner_nlportid = info->snd_portid;
4776 
4777 	switch (type) {
4778 	case NL80211_IFTYPE_MESH_POINT:
4779 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4780 			break;
4781 		wdev->u.mesh.id_up_len =
4782 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4783 		memcpy(wdev->u.mesh.id,
4784 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4785 		       wdev->u.mesh.id_up_len);
4786 		break;
4787 	case NL80211_IFTYPE_NAN:
4788 	case NL80211_IFTYPE_P2P_DEVICE:
4789 		/*
4790 		 * P2P Device and NAN do not have a netdev, so don't go
4791 		 * through the netdev notifier and must be added here
4792 		 */
4793 		cfg80211_init_wdev(wdev);
4794 		cfg80211_register_wdev(rdev, wdev);
4795 		break;
4796 	default:
4797 		break;
4798 	}
4799 
4800 	if (radio_mask)
4801 		wdev->radio_mask = radio_mask;
4802 
4803 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4804 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4805 		nlmsg_free(msg);
4806 		return -ENOBUFS;
4807 	}
4808 
4809 	return genlmsg_reply(msg, info);
4810 }
4811 
4812 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4813 {
4814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4815 
4816 	/* to avoid failing a new interface creation due to pending removal */
4817 	cfg80211_destroy_ifaces(rdev);
4818 
4819 	guard(wiphy)(&rdev->wiphy);
4820 
4821 	return _nl80211_new_interface(skb, info);
4822 }
4823 
4824 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4825 {
4826 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4827 	struct wireless_dev *wdev = info->user_ptr[1];
4828 
4829 	if (!rdev->ops->del_virtual_intf)
4830 		return -EOPNOTSUPP;
4831 
4832 	/*
4833 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4834 	 * reach 0, and thus the rdev cannot be deleted.
4835 	 *
4836 	 * We need to do it for the dev_close(), since that will call
4837 	 * the netdev notifiers, and we need to acquire the mutex there
4838 	 * but don't know if we get there from here or from some other
4839 	 * place (e.g. "ip link set ... down").
4840 	 */
4841 	mutex_unlock(&rdev->wiphy.mtx);
4842 
4843 	/*
4844 	 * If we remove a wireless device without a netdev then clear
4845 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4846 	 * to check if it needs to do dev_put(). Otherwise it crashes
4847 	 * since the wdev has been freed, unlike with a netdev where
4848 	 * we need the dev_put() for the netdev to really be freed.
4849 	 */
4850 	if (!wdev->netdev)
4851 		info->user_ptr[1] = NULL;
4852 	else
4853 		dev_close(wdev->netdev);
4854 
4855 	mutex_lock(&rdev->wiphy.mtx);
4856 
4857 	return cfg80211_remove_virtual_intf(rdev, wdev);
4858 }
4859 
4860 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4861 {
4862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4863 	struct net_device *dev = info->user_ptr[1];
4864 	u16 noack_map;
4865 
4866 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4867 		return -EINVAL;
4868 
4869 	if (!rdev->ops->set_noack_map)
4870 		return -EOPNOTSUPP;
4871 
4872 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4873 
4874 	return rdev_set_noack_map(rdev, dev, noack_map);
4875 }
4876 
4877 static int nl80211_validate_key_link_id(struct genl_info *info,
4878 					struct wireless_dev *wdev,
4879 					int link_id, bool pairwise)
4880 {
4881 	if (pairwise) {
4882 		if (link_id != -1) {
4883 			GENL_SET_ERR_MSG(info,
4884 					 "link ID not allowed for pairwise key");
4885 			return -EINVAL;
4886 		}
4887 
4888 		return 0;
4889 	}
4890 
4891 	if (wdev->valid_links) {
4892 		if (link_id == -1) {
4893 			GENL_SET_ERR_MSG(info,
4894 					 "link ID must for MLO group key");
4895 			return -EINVAL;
4896 		}
4897 		if (!(wdev->valid_links & BIT(link_id))) {
4898 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4899 			return -EINVAL;
4900 		}
4901 	} else if (link_id != -1) {
4902 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4903 		return -EINVAL;
4904 	}
4905 
4906 	return 0;
4907 }
4908 
4909 struct get_key_cookie {
4910 	struct sk_buff *msg;
4911 	int error;
4912 	int idx;
4913 };
4914 
4915 static void get_key_callback(void *c, struct key_params *params)
4916 {
4917 	struct nlattr *key;
4918 	struct get_key_cookie *cookie = c;
4919 
4920 	if ((params->seq &&
4921 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4922 		     params->seq_len, params->seq)) ||
4923 	    (params->cipher &&
4924 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4925 			 params->cipher)))
4926 		goto nla_put_failure;
4927 
4928 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4929 	if (!key)
4930 		goto nla_put_failure;
4931 
4932 	if ((params->seq &&
4933 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4934 		     params->seq_len, params->seq)) ||
4935 	    (params->cipher &&
4936 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4937 			 params->cipher)))
4938 		goto nla_put_failure;
4939 
4940 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4941 		goto nla_put_failure;
4942 
4943 	nla_nest_end(cookie->msg, key);
4944 
4945 	return;
4946  nla_put_failure:
4947 	cookie->error = 1;
4948 }
4949 
4950 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4951 {
4952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4953 	int err;
4954 	struct net_device *dev = info->user_ptr[1];
4955 	u8 key_idx = 0;
4956 	const u8 *mac_addr = NULL;
4957 	bool pairwise;
4958 	struct get_key_cookie cookie = {
4959 		.error = 0,
4960 	};
4961 	void *hdr;
4962 	struct sk_buff *msg;
4963 	bool bigtk_support = false;
4964 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4965 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4966 
4967 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4968 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4969 		bigtk_support = true;
4970 
4971 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4972 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4973 	    wiphy_ext_feature_isset(&rdev->wiphy,
4974 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4975 		bigtk_support = true;
4976 
4977 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4978 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4979 
4980 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4981 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4982 			return -EINVAL;
4983 		}
4984 	}
4985 
4986 	if (info->attrs[NL80211_ATTR_MAC])
4987 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4988 
4989 	pairwise = !!mac_addr;
4990 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4991 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4992 
4993 		if (kt != NL80211_KEYTYPE_GROUP &&
4994 		    kt != NL80211_KEYTYPE_PAIRWISE)
4995 			return -EINVAL;
4996 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4997 	}
4998 
4999 	if (!rdev->ops->get_key)
5000 		return -EOPNOTSUPP;
5001 
5002 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5003 		return -ENOENT;
5004 
5005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5006 	if (!msg)
5007 		return -ENOMEM;
5008 
5009 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
5010 			     NL80211_CMD_NEW_KEY);
5011 	if (!hdr)
5012 		goto nla_put_failure;
5013 
5014 	cookie.msg = msg;
5015 	cookie.idx = key_idx;
5016 
5017 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5018 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
5019 		goto nla_put_failure;
5020 	if (mac_addr &&
5021 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
5022 		goto nla_put_failure;
5023 
5024 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
5025 	if (err)
5026 		goto free_msg;
5027 
5028 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
5029 			   &cookie, get_key_callback);
5030 
5031 	if (err)
5032 		goto free_msg;
5033 
5034 	if (cookie.error)
5035 		goto nla_put_failure;
5036 
5037 	genlmsg_end(msg, hdr);
5038 	return genlmsg_reply(msg, info);
5039 
5040  nla_put_failure:
5041 	err = -ENOBUFS;
5042  free_msg:
5043 	nlmsg_free(msg);
5044 	return err;
5045 }
5046 
5047 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
5048 {
5049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5050 	struct key_parse key;
5051 	int err;
5052 	struct net_device *dev = info->user_ptr[1];
5053 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5054 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5055 
5056 	err = nl80211_parse_key(info, &key);
5057 	if (err)
5058 		return err;
5059 
5060 	if (key.idx < 0)
5061 		return -EINVAL;
5062 
5063 	/* Only support setting default key and
5064 	 * Extended Key ID action NL80211_KEY_SET_TX.
5065 	 */
5066 	if (!key.def && !key.defmgmt && !key.defbeacon &&
5067 	    !(key.p.mode == NL80211_KEY_SET_TX))
5068 		return -EINVAL;
5069 
5070 	if (key.def) {
5071 		if (!rdev->ops->set_default_key)
5072 			return -EOPNOTSUPP;
5073 
5074 		err = nl80211_key_allowed(wdev);
5075 		if (err)
5076 			return err;
5077 
5078 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5079 		if (err)
5080 			return err;
5081 
5082 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
5083 					   key.def_uni, key.def_multi);
5084 
5085 		if (err)
5086 			return err;
5087 
5088 #ifdef CONFIG_CFG80211_WEXT
5089 		wdev->wext.default_key = key.idx;
5090 #endif
5091 		return 0;
5092 	} else if (key.defmgmt) {
5093 		if (key.def_uni || !key.def_multi)
5094 			return -EINVAL;
5095 
5096 		if (!rdev->ops->set_default_mgmt_key)
5097 			return -EOPNOTSUPP;
5098 
5099 		err = nl80211_key_allowed(wdev);
5100 		if (err)
5101 			return err;
5102 
5103 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5104 		if (err)
5105 			return err;
5106 
5107 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
5108 		if (err)
5109 			return err;
5110 
5111 #ifdef CONFIG_CFG80211_WEXT
5112 		wdev->wext.default_mgmt_key = key.idx;
5113 #endif
5114 		return 0;
5115 	} else if (key.defbeacon) {
5116 		if (key.def_uni || !key.def_multi)
5117 			return -EINVAL;
5118 
5119 		if (!rdev->ops->set_default_beacon_key)
5120 			return -EOPNOTSUPP;
5121 
5122 		err = nl80211_key_allowed(wdev);
5123 		if (err)
5124 			return err;
5125 
5126 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
5127 		if (err)
5128 			return err;
5129 
5130 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
5131 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
5132 		   wiphy_ext_feature_isset(&rdev->wiphy,
5133 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
5134 		u8 *mac_addr = NULL;
5135 
5136 		if (info->attrs[NL80211_ATTR_MAC])
5137 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5138 
5139 		if (!mac_addr || key.idx < 0 || key.idx > 1)
5140 			return -EINVAL;
5141 
5142 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
5143 		if (err)
5144 			return err;
5145 
5146 		return rdev_add_key(rdev, dev, link_id, key.idx,
5147 				    NL80211_KEYTYPE_PAIRWISE,
5148 				    mac_addr, &key.p);
5149 	}
5150 
5151 	return -EINVAL;
5152 }
5153 
5154 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
5155 {
5156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5157 	int err;
5158 	struct net_device *dev = info->user_ptr[1];
5159 	struct key_parse key;
5160 	const u8 *mac_addr = NULL;
5161 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5162 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5163 
5164 	err = nl80211_parse_key(info, &key);
5165 	if (err)
5166 		return err;
5167 
5168 	if (!key.p.key) {
5169 		GENL_SET_ERR_MSG(info, "no key");
5170 		return -EINVAL;
5171 	}
5172 
5173 	if (info->attrs[NL80211_ATTR_MAC])
5174 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5175 
5176 	if (key.type == -1) {
5177 		if (mac_addr)
5178 			key.type = NL80211_KEYTYPE_PAIRWISE;
5179 		else
5180 			key.type = NL80211_KEYTYPE_GROUP;
5181 	}
5182 
5183 	/* for now */
5184 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5185 	    key.type != NL80211_KEYTYPE_GROUP) {
5186 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
5187 		return -EINVAL;
5188 	}
5189 
5190 	if (key.type == NL80211_KEYTYPE_GROUP &&
5191 	    info->attrs[NL80211_ATTR_VLAN_ID])
5192 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5193 
5194 	if (!rdev->ops->add_key)
5195 		return -EOPNOTSUPP;
5196 
5197 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
5198 					   key.type == NL80211_KEYTYPE_PAIRWISE,
5199 					   mac_addr)) {
5200 		GENL_SET_ERR_MSG(info, "key setting validation failed");
5201 		return -EINVAL;
5202 	}
5203 
5204 	err = nl80211_key_allowed(wdev);
5205 	if (err)
5206 		GENL_SET_ERR_MSG(info, "key not allowed");
5207 
5208 	if (!err)
5209 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5210 				key.type == NL80211_KEYTYPE_PAIRWISE);
5211 
5212 	if (!err) {
5213 		err = rdev_add_key(rdev, dev, link_id, key.idx,
5214 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5215 				    mac_addr, &key.p);
5216 		if (err)
5217 			GENL_SET_ERR_MSG(info, "key addition failed");
5218 	}
5219 
5220 	return err;
5221 }
5222 
5223 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
5224 {
5225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5226 	int err;
5227 	struct net_device *dev = info->user_ptr[1];
5228 	u8 *mac_addr = NULL;
5229 	struct key_parse key;
5230 	int link_id = nl80211_link_id_or_invalid(info->attrs);
5231 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5232 
5233 	err = nl80211_parse_key(info, &key);
5234 	if (err)
5235 		return err;
5236 
5237 	if (info->attrs[NL80211_ATTR_MAC])
5238 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5239 
5240 	if (key.type == -1) {
5241 		if (mac_addr)
5242 			key.type = NL80211_KEYTYPE_PAIRWISE;
5243 		else
5244 			key.type = NL80211_KEYTYPE_GROUP;
5245 	}
5246 
5247 	/* for now */
5248 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
5249 	    key.type != NL80211_KEYTYPE_GROUP)
5250 		return -EINVAL;
5251 
5252 	if (!cfg80211_valid_key_idx(rdev, key.idx,
5253 				    key.type == NL80211_KEYTYPE_PAIRWISE))
5254 		return -EINVAL;
5255 
5256 	if (!rdev->ops->del_key)
5257 		return -EOPNOTSUPP;
5258 
5259 	err = nl80211_key_allowed(wdev);
5260 
5261 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
5262 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
5263 		err = -ENOENT;
5264 
5265 	if (!err)
5266 		err = nl80211_validate_key_link_id(info, wdev, link_id,
5267 				key.type == NL80211_KEYTYPE_PAIRWISE);
5268 
5269 	if (!err)
5270 		err = rdev_del_key(rdev, dev, link_id, key.idx,
5271 				   key.type == NL80211_KEYTYPE_PAIRWISE,
5272 				   mac_addr);
5273 
5274 #ifdef CONFIG_CFG80211_WEXT
5275 	if (!err) {
5276 		if (key.idx == wdev->wext.default_key)
5277 			wdev->wext.default_key = -1;
5278 		else if (key.idx == wdev->wext.default_mgmt_key)
5279 			wdev->wext.default_mgmt_key = -1;
5280 	}
5281 #endif
5282 
5283 	return err;
5284 }
5285 
5286 /* This function returns an error or the number of nested attributes */
5287 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5288 {
5289 	struct nlattr *attr;
5290 	int n_entries = 0, tmp;
5291 
5292 	nla_for_each_nested(attr, nl_attr, tmp) {
5293 		if (nla_len(attr) != ETH_ALEN)
5294 			return -EINVAL;
5295 
5296 		n_entries++;
5297 	}
5298 
5299 	return n_entries;
5300 }
5301 
5302 /*
5303  * This function parses ACL information and allocates memory for ACL data.
5304  * On successful return, the calling function is responsible to free the
5305  * ACL buffer returned by this function.
5306  */
5307 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5308 						struct genl_info *info)
5309 {
5310 	enum nl80211_acl_policy acl_policy;
5311 	struct nlattr *attr;
5312 	struct cfg80211_acl_data *acl;
5313 	int i = 0, n_entries, tmp;
5314 
5315 	if (!wiphy->max_acl_mac_addrs)
5316 		return ERR_PTR(-EOPNOTSUPP);
5317 
5318 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5319 		return ERR_PTR(-EINVAL);
5320 
5321 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5322 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5323 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5324 		return ERR_PTR(-EINVAL);
5325 
5326 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5327 		return ERR_PTR(-EINVAL);
5328 
5329 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5330 	if (n_entries < 0)
5331 		return ERR_PTR(n_entries);
5332 
5333 	if (n_entries > wiphy->max_acl_mac_addrs)
5334 		return ERR_PTR(-EOPNOTSUPP);
5335 
5336 	acl = kzalloc_flex(*acl, mac_addrs, n_entries, GFP_KERNEL);
5337 	if (!acl)
5338 		return ERR_PTR(-ENOMEM);
5339 	acl->n_acl_entries = n_entries;
5340 
5341 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5342 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5343 		i++;
5344 	}
5345 	acl->acl_policy = acl_policy;
5346 
5347 	return acl;
5348 }
5349 
5350 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5351 {
5352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5353 	struct net_device *dev = info->user_ptr[1];
5354 	struct cfg80211_acl_data *acl;
5355 	int err;
5356 
5357 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5358 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5359 		return -EOPNOTSUPP;
5360 
5361 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5362 		return -EINVAL;
5363 
5364 	acl = parse_acl_data(&rdev->wiphy, info);
5365 	if (IS_ERR(acl))
5366 		return PTR_ERR(acl);
5367 
5368 	err = rdev_set_mac_acl(rdev, dev, acl);
5369 
5370 	kfree(acl);
5371 
5372 	return err;
5373 }
5374 
5375 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5376 			   u8 *rates, u8 rates_len)
5377 {
5378 	u8 i;
5379 	u32 mask = 0;
5380 
5381 	for (i = 0; i < rates_len; i++) {
5382 		int rate = (rates[i] & 0x7f) * 5;
5383 		int ridx;
5384 
5385 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5386 			struct ieee80211_rate *srate =
5387 				&sband->bitrates[ridx];
5388 			if (rate == srate->bitrate) {
5389 				mask |= 1 << ridx;
5390 				break;
5391 			}
5392 		}
5393 		if (ridx == sband->n_bitrates)
5394 			return 0; /* rate not found */
5395 	}
5396 
5397 	return mask;
5398 }
5399 
5400 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5401 			       u8 *rates, u8 rates_len,
5402 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5403 {
5404 	u8 i;
5405 
5406 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5407 
5408 	for (i = 0; i < rates_len; i++) {
5409 		int ridx, rbit;
5410 
5411 		ridx = rates[i] / 8;
5412 		rbit = BIT(rates[i] % 8);
5413 
5414 		/* check validity */
5415 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5416 			return false;
5417 
5418 		/* check availability */
5419 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5420 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5421 			mcs[ridx] |= rbit;
5422 		else
5423 			return false;
5424 	}
5425 
5426 	return true;
5427 }
5428 
5429 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5430 {
5431 	u16 mcs_mask = 0;
5432 
5433 	switch (vht_mcs_map) {
5434 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5435 		break;
5436 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5437 		mcs_mask = 0x00FF;
5438 		break;
5439 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5440 		mcs_mask = 0x01FF;
5441 		break;
5442 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5443 		mcs_mask = 0x03FF;
5444 		break;
5445 	default:
5446 		break;
5447 	}
5448 
5449 	return mcs_mask;
5450 }
5451 
5452 static void vht_build_mcs_mask(u16 vht_mcs_map,
5453 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5454 {
5455 	u8 nss;
5456 
5457 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5458 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5459 		vht_mcs_map >>= 2;
5460 	}
5461 }
5462 
5463 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5464 			     struct nl80211_txrate_vht *txrate,
5465 			     u16 mcs[NL80211_VHT_NSS_MAX])
5466 {
5467 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5468 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5469 	u8 i;
5470 
5471 	if (!sband->vht_cap.vht_supported)
5472 		return false;
5473 
5474 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5475 
5476 	/* Build vht_mcs_mask from VHT capabilities */
5477 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5478 
5479 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5480 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5481 			mcs[i] = txrate->mcs[i];
5482 		else
5483 			return false;
5484 	}
5485 
5486 	return true;
5487 }
5488 
5489 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5490 {
5491 	switch (he_mcs_map) {
5492 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5493 		return 0;
5494 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5495 		return 0x00FF;
5496 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5497 		return 0x03FF;
5498 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5499 		return 0xFFF;
5500 	default:
5501 		break;
5502 	}
5503 	return 0;
5504 }
5505 
5506 static void he_build_mcs_mask(u16 he_mcs_map,
5507 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5508 {
5509 	u8 nss;
5510 
5511 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5512 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5513 		he_mcs_map >>= 2;
5514 	}
5515 }
5516 
5517 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5518 			   const struct ieee80211_sta_he_cap *he_cap)
5519 {
5520 	struct net_device *dev = info->user_ptr[1];
5521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5522 	struct cfg80211_chan_def *chandef;
5523 	__le16 tx_mcs;
5524 
5525 	chandef = wdev_chandef(wdev, link_id);
5526 	if (!chandef) {
5527 		/*
5528 		 * This is probably broken, but we never maintained
5529 		 * a chandef in these cases, so it always was.
5530 		 */
5531 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5532 	}
5533 
5534 	switch (chandef->width) {
5535 	case NL80211_CHAN_WIDTH_80P80:
5536 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5537 		break;
5538 	case NL80211_CHAN_WIDTH_160:
5539 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5540 		break;
5541 	default:
5542 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5543 		break;
5544 	}
5545 
5546 	return le16_to_cpu(tx_mcs);
5547 }
5548 
5549 static bool he_set_mcs_mask(struct genl_info *info,
5550 			    struct wireless_dev *wdev,
5551 			    struct ieee80211_supported_band *sband,
5552 			    struct nl80211_txrate_he *txrate,
5553 			    u16 mcs[NL80211_HE_NSS_MAX],
5554 			    unsigned int link_id)
5555 {
5556 	const struct ieee80211_sta_he_cap *he_cap;
5557 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5558 	u16 tx_mcs_map = 0;
5559 	u8 i;
5560 
5561 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5562 	if (!he_cap)
5563 		return false;
5564 
5565 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5566 
5567 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5568 
5569 	/* Build he_mcs_mask from HE capabilities */
5570 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5571 
5572 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5573 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5574 			mcs[i] = txrate->mcs[i];
5575 		else
5576 			return false;
5577 	}
5578 
5579 	return true;
5580 }
5581 
5582 static void eht_build_mcs_mask(struct genl_info *info,
5583 			       const struct ieee80211_sta_eht_cap *eht_cap,
5584 			       u8 mcs_nss_len, u16 *mcs_mask)
5585 {
5586 	struct net_device *dev = info->user_ptr[1];
5587 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5588 	u8 nss, mcs_7 = 0, mcs_9 = 0, mcs_11 = 0, mcs_13 = 0;
5589 	unsigned int link_id = nl80211_link_id(info->attrs);
5590 
5591 	if (mcs_nss_len == 4) {
5592 		const struct ieee80211_eht_mcs_nss_supp_20mhz_only *mcs =
5593 					&eht_cap->eht_mcs_nss_supp.only_20mhz;
5594 
5595 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs7_max_nss,
5596 				    IEEE80211_EHT_MCS_NSS_TX);
5597 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5598 				    IEEE80211_EHT_MCS_NSS_TX);
5599 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5600 				     IEEE80211_EHT_MCS_NSS_TX);
5601 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5602 				     IEEE80211_EHT_MCS_NSS_TX);
5603 
5604 	} else {
5605 		const struct ieee80211_eht_mcs_nss_supp_bw *mcs;
5606 		enum nl80211_chan_width width;
5607 
5608 		switch (wdev->iftype) {
5609 		case NL80211_IFTYPE_ADHOC:
5610 			width = wdev->u.ibss.chandef.width;
5611 			break;
5612 		case NL80211_IFTYPE_MESH_POINT:
5613 			width = wdev->u.mesh.chandef.width;
5614 			break;
5615 		case NL80211_IFTYPE_OCB:
5616 			width = wdev->u.ocb.chandef.width;
5617 			break;
5618 		default:
5619 			if (wdev->valid_links)
5620 				width = wdev->links[link_id].ap.chandef.width;
5621 			else
5622 				width = wdev->u.ap.preset_chandef.width;
5623 			break;
5624 		}
5625 
5626 		switch (width) {
5627 		case NL80211_CHAN_WIDTH_320:
5628 			mcs = &eht_cap->eht_mcs_nss_supp.bw._320;
5629 			break;
5630 		case NL80211_CHAN_WIDTH_160:
5631 			mcs = &eht_cap->eht_mcs_nss_supp.bw._160;
5632 			break;
5633 		default:
5634 			mcs = &eht_cap->eht_mcs_nss_supp.bw._80;
5635 			break;
5636 		}
5637 
5638 		mcs_7 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5639 				    IEEE80211_EHT_MCS_NSS_TX);
5640 		mcs_9 = u8_get_bits(mcs->rx_tx_mcs9_max_nss,
5641 				    IEEE80211_EHT_MCS_NSS_TX);
5642 		mcs_11 = u8_get_bits(mcs->rx_tx_mcs11_max_nss,
5643 				     IEEE80211_EHT_MCS_NSS_TX);
5644 		mcs_13 = u8_get_bits(mcs->rx_tx_mcs13_max_nss,
5645 				     IEEE80211_EHT_MCS_NSS_TX);
5646 	}
5647 
5648 	/* Enable MCS 14 for NSS 0 */
5649 	if (eht_cap->eht_cap_elem.phy_cap_info[6] &
5650 	    IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP)
5651 		mcs_mask[0] |= 0x4000;
5652 
5653 	/* Enable MCS 15 for NSS 0 */
5654 	mcs_mask[0] |= 0x8000;
5655 
5656 	for (nss = 0; nss < NL80211_EHT_NSS_MAX; nss++) {
5657 		if (!mcs_7)
5658 			continue;
5659 		mcs_mask[nss] |= 0x00FF;
5660 		mcs_7--;
5661 
5662 		if (!mcs_9)
5663 			continue;
5664 		mcs_mask[nss] |= 0x0300;
5665 		mcs_9--;
5666 
5667 		if (!mcs_11)
5668 			continue;
5669 		mcs_mask[nss] |= 0x0C00;
5670 		mcs_11--;
5671 
5672 		if (!mcs_13)
5673 			continue;
5674 		mcs_mask[nss] |= 0x3000;
5675 		mcs_13--;
5676 	}
5677 }
5678 
5679 static bool eht_set_mcs_mask(struct genl_info *info, struct wireless_dev *wdev,
5680 			     struct ieee80211_supported_band *sband,
5681 			     struct nl80211_txrate_eht *txrate,
5682 			     u16 mcs[NL80211_EHT_NSS_MAX])
5683 {
5684 	const struct ieee80211_sta_he_cap *he_cap;
5685 	const struct ieee80211_sta_eht_cap *eht_cap;
5686 	u16 tx_mcs_mask[NL80211_EHT_NSS_MAX] = { 0 };
5687 	u8 i, mcs_nss_len;
5688 
5689 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5690 	if (!he_cap)
5691 		return false;
5692 
5693 	eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5694 	if (!eht_cap)
5695 		return false;
5696 
5697 	/* Checks for MCS 14 */
5698 	if (txrate->mcs[0] & 0x4000) {
5699 		if (sband->band != NL80211_BAND_6GHZ)
5700 			return false;
5701 
5702 		if (!(eht_cap->eht_cap_elem.phy_cap_info[6] &
5703 		      IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP))
5704 			return false;
5705 	}
5706 
5707 	mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5708 						 &eht_cap->eht_cap_elem,
5709 						 wdev->iftype ==
5710 							NL80211_IFTYPE_STATION);
5711 
5712 	if (mcs_nss_len == 3) {
5713 		/* Supported iftypes for setting non-20 MHZ only EHT MCS */
5714 		switch (wdev->iftype) {
5715 		case NL80211_IFTYPE_ADHOC:
5716 		case NL80211_IFTYPE_AP:
5717 		case NL80211_IFTYPE_P2P_GO:
5718 		case NL80211_IFTYPE_MESH_POINT:
5719 		case NL80211_IFTYPE_OCB:
5720 			break;
5721 		default:
5722 			return false;
5723 		}
5724 	}
5725 
5726 	/* Build eht_mcs_mask from EHT and HE capabilities */
5727 	eht_build_mcs_mask(info, eht_cap, mcs_nss_len, tx_mcs_mask);
5728 
5729 	memset(mcs, 0, sizeof(u16) * NL80211_EHT_NSS_MAX);
5730 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5731 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5732 			mcs[i] = txrate->mcs[i];
5733 		else
5734 			return false;
5735 	}
5736 
5737 	return true;
5738 }
5739 
5740 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5741 					 struct nlattr *attrs[],
5742 					 enum nl80211_attrs attr,
5743 					 struct cfg80211_bitrate_mask *mask,
5744 					 struct net_device *dev,
5745 					 bool default_all_enabled,
5746 					 unsigned int link_id)
5747 {
5748 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5750 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5751 	int rem, i;
5752 	struct nlattr *tx_rates;
5753 	struct ieee80211_supported_band *sband;
5754 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5755 
5756 	memset(mask, 0, sizeof(*mask));
5757 	/* Default to all rates enabled */
5758 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5759 		const struct ieee80211_sta_he_cap *he_cap;
5760 		const struct ieee80211_sta_eht_cap *eht_cap;
5761 		u8 mcs_nss_len;
5762 
5763 		if (!default_all_enabled)
5764 			break;
5765 
5766 		sband = rdev->wiphy.bands[i];
5767 
5768 		if (!sband)
5769 			continue;
5770 
5771 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5772 		memcpy(mask->control[i].ht_mcs,
5773 		       sband->ht_cap.mcs.rx_mask,
5774 		       sizeof(mask->control[i].ht_mcs));
5775 
5776 		if (sband->vht_cap.vht_supported) {
5777 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5778 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5779 		}
5780 
5781 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5782 		if (!he_cap)
5783 			continue;
5784 
5785 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5786 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5787 
5788 		mask->control[i].he_gi = 0xFF;
5789 		mask->control[i].he_ltf = 0xFF;
5790 
5791 		eht_cap = ieee80211_get_eht_iftype_cap(sband, wdev->iftype);
5792 		if (!eht_cap)
5793 			continue;
5794 
5795 		mcs_nss_len = ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
5796 							 &eht_cap->eht_cap_elem,
5797 							 wdev->iftype ==
5798 							 NL80211_IFTYPE_STATION);
5799 
5800 		eht_build_mcs_mask(info, eht_cap, mcs_nss_len,
5801 				   mask->control[i].eht_mcs);
5802 
5803 		mask->control[i].eht_gi = 0xFF;
5804 		mask->control[i].eht_ltf = 0xFF;
5805 	}
5806 
5807 	/* if no rates are given set it back to the defaults */
5808 	if (!attrs[attr])
5809 		goto out;
5810 
5811 	/* The nested attribute uses enum nl80211_band as the index. This maps
5812 	 * directly to the enum nl80211_band values used in cfg80211.
5813 	 */
5814 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5815 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5816 		enum nl80211_band band = nla_type(tx_rates);
5817 		int err;
5818 
5819 		if (band < 0 || band >= NUM_NL80211_BANDS)
5820 			return -EINVAL;
5821 		sband = rdev->wiphy.bands[band];
5822 		if (sband == NULL)
5823 			return -EINVAL;
5824 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5825 						  tx_rates,
5826 						  nl80211_txattr_policy,
5827 						  info->extack);
5828 		if (err)
5829 			return err;
5830 		if (tb[NL80211_TXRATE_LEGACY]) {
5831 			mask->control[band].legacy = rateset_to_mask(
5832 				sband,
5833 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5834 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5835 			if ((mask->control[band].legacy == 0) &&
5836 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5837 				return -EINVAL;
5838 		}
5839 		if (tb[NL80211_TXRATE_HT]) {
5840 			if (!ht_rateset_to_mask(
5841 					sband,
5842 					nla_data(tb[NL80211_TXRATE_HT]),
5843 					nla_len(tb[NL80211_TXRATE_HT]),
5844 					mask->control[band].ht_mcs))
5845 				return -EINVAL;
5846 		}
5847 
5848 		if (tb[NL80211_TXRATE_VHT]) {
5849 			if (!vht_set_mcs_mask(
5850 					sband,
5851 					nla_data(tb[NL80211_TXRATE_VHT]),
5852 					mask->control[band].vht_mcs))
5853 				return -EINVAL;
5854 		}
5855 
5856 		if (tb[NL80211_TXRATE_GI]) {
5857 			mask->control[band].gi =
5858 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5859 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5860 				return -EINVAL;
5861 		}
5862 		if (tb[NL80211_TXRATE_HE] &&
5863 		    !he_set_mcs_mask(info, wdev, sband,
5864 				     nla_data(tb[NL80211_TXRATE_HE]),
5865 				     mask->control[band].he_mcs,
5866 				     link_id))
5867 			return -EINVAL;
5868 
5869 		if (tb[NL80211_TXRATE_HE_GI])
5870 			mask->control[band].he_gi =
5871 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5872 		if (tb[NL80211_TXRATE_HE_LTF])
5873 			mask->control[band].he_ltf =
5874 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5875 
5876 		if (tb[NL80211_TXRATE_EHT] &&
5877 		    !eht_set_mcs_mask(info, wdev, sband,
5878 				      nla_data(tb[NL80211_TXRATE_EHT]),
5879 				      mask->control[band].eht_mcs))
5880 			return -EINVAL;
5881 
5882 		if (tb[NL80211_TXRATE_EHT_GI])
5883 			mask->control[band].eht_gi =
5884 				nla_get_u8(tb[NL80211_TXRATE_EHT_GI]);
5885 		if (tb[NL80211_TXRATE_EHT_LTF])
5886 			mask->control[band].eht_ltf =
5887 				nla_get_u8(tb[NL80211_TXRATE_EHT_LTF]);
5888 
5889 		if (mask->control[band].legacy == 0) {
5890 			/* don't allow empty legacy rates if HT, VHT, HE or EHT
5891 			 * are not even supported.
5892 			 */
5893 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5894 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5895 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype) ||
5896 			      ieee80211_get_eht_iftype_cap(sband, wdev->iftype)))
5897 				return -EINVAL;
5898 
5899 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5900 				if (mask->control[band].ht_mcs[i])
5901 					goto out;
5902 
5903 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5904 				if (mask->control[band].vht_mcs[i])
5905 					goto out;
5906 
5907 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5908 				if (mask->control[band].he_mcs[i])
5909 					goto out;
5910 
5911 			for (i = 0; i < NL80211_EHT_NSS_MAX; i++)
5912 				if (mask->control[band].eht_mcs[i])
5913 					goto out;
5914 
5915 			/* legacy and mcs rates may not be both empty */
5916 			return -EINVAL;
5917 		}
5918 	}
5919 
5920 out:
5921 	return 0;
5922 }
5923 
5924 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5925 				   enum nl80211_band band,
5926 				   struct cfg80211_bitrate_mask *beacon_rate)
5927 {
5928 	u32 count_ht, count_vht, count_he, count_eht, i;
5929 	u32 rate = beacon_rate->control[band].legacy;
5930 
5931 	/* Allow only one rate */
5932 	if (hweight32(rate) > 1)
5933 		return -EINVAL;
5934 
5935 	count_ht = 0;
5936 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5937 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5938 			return -EINVAL;
5939 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5940 			count_ht++;
5941 			if (count_ht > 1)
5942 				return -EINVAL;
5943 		}
5944 		if (count_ht && rate)
5945 			return -EINVAL;
5946 	}
5947 
5948 	count_vht = 0;
5949 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5950 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5951 			return -EINVAL;
5952 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5953 			count_vht++;
5954 			if (count_vht > 1)
5955 				return -EINVAL;
5956 		}
5957 		if (count_vht && rate)
5958 			return -EINVAL;
5959 	}
5960 
5961 	count_he = 0;
5962 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5963 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5964 			return -EINVAL;
5965 		} else if (beacon_rate->control[band].he_mcs[i]) {
5966 			count_he++;
5967 			if (count_he > 1)
5968 				return -EINVAL;
5969 		}
5970 		if (count_he && rate)
5971 			return -EINVAL;
5972 	}
5973 
5974 	count_eht = 0;
5975 	for (i = 0; i < NL80211_EHT_NSS_MAX; i++) {
5976 		if (hweight16(beacon_rate->control[band].eht_mcs[i]) > 1) {
5977 			return -EINVAL;
5978 		} else if (beacon_rate->control[band].eht_mcs[i]) {
5979 			count_eht++;
5980 			if (count_eht > 1)
5981 				return -EINVAL;
5982 		}
5983 		if (count_eht && rate)
5984 			return -EINVAL;
5985 	}
5986 
5987 	if ((count_ht && count_vht && count_he && count_eht) ||
5988 	    (!rate && !count_ht && !count_vht && !count_he && !count_eht))
5989 		return -EINVAL;
5990 
5991 	if (rate &&
5992 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5993 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5994 		return -EINVAL;
5995 	if (count_ht &&
5996 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5997 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5998 		return -EINVAL;
5999 	if (count_vht &&
6000 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6001 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
6002 		return -EINVAL;
6003 	if (count_he &&
6004 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6005 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
6006 		return -EINVAL;
6007 
6008 	if (count_eht &&
6009 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6010 				     NL80211_EXT_FEATURE_BEACON_RATE_EHT))
6011 		return -EINVAL;
6012 
6013 	return 0;
6014 }
6015 
6016 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
6017 				       struct net_device *dev,
6018 				       unsigned int link_id,
6019 				       struct nlattr *attrs,
6020 				       struct cfg80211_mbssid_config *config,
6021 				       u8 num_elems)
6022 {
6023 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
6024 	int tx_link_id = -1;
6025 
6026 	if (!wiphy->mbssid_max_interfaces)
6027 		return -EOPNOTSUPP;
6028 
6029 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
6030 			     NULL) ||
6031 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
6032 		return -EINVAL;
6033 
6034 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
6035 	if (config->ema) {
6036 		if (!wiphy->ema_max_profile_periodicity)
6037 			return -EOPNOTSUPP;
6038 
6039 		if (num_elems > wiphy->ema_max_profile_periodicity)
6040 			return -EINVAL;
6041 	}
6042 
6043 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
6044 	if (config->index >= wiphy->mbssid_max_interfaces ||
6045 	    (!config->index && !num_elems))
6046 		return -EINVAL;
6047 
6048 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID])
6049 		tx_link_id = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_TX_LINK_ID]);
6050 
6051 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
6052 		u32 tx_ifindex =
6053 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
6054 
6055 		if ((!config->index && tx_ifindex != dev->ifindex) ||
6056 		    (config->index && tx_ifindex == dev->ifindex))
6057 			return -EINVAL;
6058 
6059 		if (tx_ifindex != dev->ifindex) {
6060 			struct net_device *tx_netdev =
6061 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
6062 
6063 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
6064 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
6065 			    tx_netdev->ieee80211_ptr->iftype !=
6066 							NL80211_IFTYPE_AP) {
6067 				dev_put(tx_netdev);
6068 				return -EINVAL;
6069 			}
6070 
6071 			config->tx_wdev = tx_netdev->ieee80211_ptr;
6072 			/* Caller should call dev_put(config->tx_wdev) from this point */
6073 
6074 			if (config->tx_wdev->valid_links) {
6075 				if (tx_link_id == -1 ||
6076 				    !(config->tx_wdev->valid_links & BIT(tx_link_id)))
6077 					return -ENOLINK;
6078 
6079 				config->tx_link_id = tx_link_id;
6080 			}
6081 		} else {
6082 			if (tx_link_id >= 0 && tx_link_id != link_id)
6083 				return -EINVAL;
6084 
6085 			config->tx_wdev = dev->ieee80211_ptr;
6086 		}
6087 	} else if (!config->index) {
6088 		if (tx_link_id >= 0 && tx_link_id != link_id)
6089 			return -EINVAL;
6090 
6091 		config->tx_wdev = dev->ieee80211_ptr;
6092 	} else {
6093 		return -EINVAL;
6094 	}
6095 
6096 	return 0;
6097 }
6098 
6099 static struct cfg80211_mbssid_elems *
6100 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
6101 {
6102 	struct nlattr *nl_elems;
6103 	struct cfg80211_mbssid_elems *elems;
6104 	int rem_elems;
6105 	u8 i = 0, num_elems = 0;
6106 
6107 	if (!wiphy->mbssid_max_interfaces)
6108 		return ERR_PTR(-EINVAL);
6109 
6110 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6111 		if (num_elems >= 255)
6112 			return ERR_PTR(-EINVAL);
6113 		num_elems++;
6114 	}
6115 
6116 	elems = kzalloc_flex(*elems, elem, num_elems, GFP_KERNEL);
6117 	if (!elems)
6118 		return ERR_PTR(-ENOMEM);
6119 	elems->cnt = num_elems;
6120 
6121 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6122 		elems->elem[i].data = nla_data(nl_elems);
6123 		elems->elem[i].len = nla_len(nl_elems);
6124 		i++;
6125 	}
6126 	return elems;
6127 }
6128 
6129 static struct cfg80211_rnr_elems *
6130 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
6131 			struct netlink_ext_ack *extack)
6132 {
6133 	struct nlattr *nl_elems;
6134 	struct cfg80211_rnr_elems *elems;
6135 	int rem_elems;
6136 	u8 i = 0, num_elems = 0;
6137 
6138 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6139 		int ret;
6140 
6141 		ret = validate_ie_attr(nl_elems, extack);
6142 		if (ret)
6143 			return ERR_PTR(ret);
6144 
6145 		num_elems++;
6146 	}
6147 
6148 	elems = kzalloc_flex(*elems, elem, num_elems, GFP_KERNEL);
6149 	if (!elems)
6150 		return ERR_PTR(-ENOMEM);
6151 	elems->cnt = num_elems;
6152 
6153 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
6154 		elems->elem[i].data = nla_data(nl_elems);
6155 		elems->elem[i].len = nla_len(nl_elems);
6156 		i++;
6157 	}
6158 	return elems;
6159 }
6160 
6161 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
6162 				      struct cfg80211_he_bss_color *he_bss_color)
6163 {
6164 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
6165 	int err;
6166 
6167 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
6168 			       he_bss_color_policy, NULL);
6169 	if (err)
6170 		return err;
6171 
6172 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
6173 		return -EINVAL;
6174 
6175 	he_bss_color->color =
6176 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
6177 	he_bss_color->enabled =
6178 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
6179 	he_bss_color->partial =
6180 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
6181 
6182 	return 0;
6183 }
6184 
6185 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
6186 				struct nlattr *attrs[],
6187 				struct cfg80211_beacon_data *bcn,
6188 				struct netlink_ext_ack *extack)
6189 {
6190 	bool haveinfo = false;
6191 	int err;
6192 
6193 	memset(bcn, 0, sizeof(*bcn));
6194 
6195 	bcn->link_id = nl80211_link_id(attrs);
6196 
6197 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
6198 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
6199 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
6200 		if (!bcn->head_len)
6201 			return -EINVAL;
6202 		haveinfo = true;
6203 	}
6204 
6205 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
6206 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
6207 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
6208 		haveinfo = true;
6209 	}
6210 
6211 	if (!haveinfo)
6212 		return -EINVAL;
6213 
6214 	if (attrs[NL80211_ATTR_IE]) {
6215 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
6216 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
6217 	}
6218 
6219 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
6220 		bcn->proberesp_ies =
6221 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6222 		bcn->proberesp_ies_len =
6223 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
6224 	}
6225 
6226 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
6227 		bcn->assocresp_ies =
6228 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6229 		bcn->assocresp_ies_len =
6230 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
6231 	}
6232 
6233 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
6234 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
6235 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
6236 	}
6237 
6238 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
6239 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
6240 
6241 		err = nla_parse_nested_deprecated(tb,
6242 						  NL80211_FTM_RESP_ATTR_MAX,
6243 						  attrs[NL80211_ATTR_FTM_RESPONDER],
6244 						  NULL, NULL);
6245 		if (err)
6246 			return err;
6247 
6248 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
6249 		    wiphy_ext_feature_isset(&rdev->wiphy,
6250 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
6251 			bcn->ftm_responder = 1;
6252 		else
6253 			return -EOPNOTSUPP;
6254 
6255 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
6256 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
6257 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
6258 		}
6259 
6260 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
6261 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6262 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
6263 		}
6264 	} else {
6265 		bcn->ftm_responder = -1;
6266 	}
6267 
6268 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
6269 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
6270 						 &bcn->he_bss_color);
6271 		if (err)
6272 			return err;
6273 		bcn->he_bss_color_valid = true;
6274 	}
6275 
6276 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
6277 		struct cfg80211_mbssid_elems *mbssid =
6278 			nl80211_parse_mbssid_elems(&rdev->wiphy,
6279 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
6280 
6281 		if (IS_ERR(mbssid))
6282 			return PTR_ERR(mbssid);
6283 
6284 		bcn->mbssid_ies = mbssid;
6285 
6286 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
6287 			struct cfg80211_rnr_elems *rnr =
6288 				nl80211_parse_rnr_elems(&rdev->wiphy,
6289 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
6290 							extack);
6291 
6292 			if (IS_ERR(rnr))
6293 				return PTR_ERR(rnr);
6294 
6295 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
6296 				return -EINVAL;
6297 
6298 			bcn->rnr_ies = rnr;
6299 		}
6300 	}
6301 
6302 	return 0;
6303 }
6304 
6305 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
6306 				    struct ieee80211_he_obss_pd *he_obss_pd)
6307 {
6308 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
6309 	int err;
6310 
6311 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
6312 			       he_obss_pd_policy, NULL);
6313 	if (err)
6314 		return err;
6315 
6316 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
6317 		return -EINVAL;
6318 
6319 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
6320 
6321 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
6322 		he_obss_pd->min_offset =
6323 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
6324 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
6325 		he_obss_pd->max_offset =
6326 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
6327 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
6328 		he_obss_pd->non_srg_max_offset =
6329 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
6330 
6331 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
6332 		return -EINVAL;
6333 
6334 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
6335 		memcpy(he_obss_pd->bss_color_bitmap,
6336 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
6337 		       sizeof(he_obss_pd->bss_color_bitmap));
6338 
6339 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
6340 		memcpy(he_obss_pd->partial_bssid_bitmap,
6341 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
6342 		       sizeof(he_obss_pd->partial_bssid_bitmap));
6343 
6344 	he_obss_pd->enable = true;
6345 
6346 	return 0;
6347 }
6348 
6349 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
6350 					struct nlattr *attrs,
6351 					struct cfg80211_fils_discovery *fd)
6352 {
6353 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
6354 	int ret;
6355 
6356 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6357 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
6358 		return -EINVAL;
6359 
6360 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
6361 			       NULL, NULL);
6362 	if (ret)
6363 		return ret;
6364 
6365 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
6366 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
6367 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
6368 		fd->update = true;
6369 		return 0;
6370 	}
6371 
6372 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
6373 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
6374 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
6375 		return -EINVAL;
6376 
6377 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6378 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
6379 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
6380 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
6381 	fd->update = true;
6382 	return 0;
6383 }
6384 
6385 static int
6386 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
6387 				     struct nlattr *attrs,
6388 				     struct cfg80211_unsol_bcast_probe_resp *presp)
6389 {
6390 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
6391 	int ret;
6392 
6393 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
6394 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
6395 		return -EINVAL;
6396 
6397 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
6398 			       attrs, NULL, NULL);
6399 	if (ret)
6400 		return ret;
6401 
6402 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
6403 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
6404 		presp->update = true;
6405 		return 0;
6406 	}
6407 
6408 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
6409 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
6410 		return -EINVAL;
6411 
6412 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6413 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
6414 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
6415 	presp->update = true;
6416 	return 0;
6417 }
6418 
6419 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
6420 					    const struct element *rates)
6421 {
6422 	int i;
6423 
6424 	if (!rates)
6425 		return;
6426 
6427 	for (i = 0; i < rates->datalen; i++) {
6428 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
6429 			params->ht_required = true;
6430 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
6431 			params->vht_required = true;
6432 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
6433 			params->he_required = true;
6434 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
6435 			params->sae_h2e_required = true;
6436 	}
6437 }
6438 
6439 /*
6440  * Since the nl80211 API didn't include, from the beginning, attributes about
6441  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
6442  * benefit of drivers that rebuild IEs in the firmware.
6443  */
6444 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
6445 {
6446 	const struct cfg80211_beacon_data *bcn = &params->beacon;
6447 	size_t ies_len = bcn->tail_len;
6448 	const u8 *ies = bcn->tail;
6449 	const struct element *rates;
6450 	const struct element *cap;
6451 
6452 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
6453 	nl80211_check_ap_rate_selectors(params, rates);
6454 
6455 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
6456 	nl80211_check_ap_rate_selectors(params, rates);
6457 
6458 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
6459 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
6460 		params->ht_cap = (void *)cap->data;
6461 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
6462 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
6463 		params->vht_cap = (void *)cap->data;
6464 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
6465 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
6466 		params->he_cap = (void *)(cap->data + 1);
6467 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
6468 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
6469 		params->he_oper = (void *)(cap->data + 1);
6470 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
6471 	if (cap) {
6472 		if (!cap->datalen)
6473 			return -EINVAL;
6474 		params->eht_cap = (void *)(cap->data + 1);
6475 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
6476 						(const u8 *)params->eht_cap,
6477 						cap->datalen - 1, true))
6478 			return -EINVAL;
6479 	}
6480 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
6481 	if (cap) {
6482 		if (!cap->datalen)
6483 			return -EINVAL;
6484 		params->eht_oper = (void *)(cap->data + 1);
6485 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
6486 						cap->datalen - 1))
6487 			return -EINVAL;
6488 	}
6489 
6490 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_UHR_OPER, ies, ies_len);
6491 	if (cap) {
6492 		if (!cap->datalen)
6493 			return -EINVAL;
6494 		params->uhr_oper = (void *)(cap->data + 1);
6495 		if (!ieee80211_uhr_oper_size_ok((const u8 *)params->uhr_oper,
6496 						cap->datalen - 1, true))
6497 			return -EINVAL;
6498 	}
6499 
6500 	return 0;
6501 }
6502 
6503 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
6504 				   struct cfg80211_ap_settings *params)
6505 {
6506 	struct wireless_dev *wdev;
6507 
6508 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
6509 		if (wdev->iftype != NL80211_IFTYPE_AP &&
6510 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
6511 			continue;
6512 
6513 		if (!wdev->u.ap.preset_chandef.chan)
6514 			continue;
6515 
6516 		params->chandef = wdev->u.ap.preset_chandef;
6517 		return true;
6518 	}
6519 
6520 	return false;
6521 }
6522 
6523 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
6524 				    enum nl80211_auth_type auth_type,
6525 				    enum nl80211_commands cmd)
6526 {
6527 	if (auth_type > NL80211_AUTHTYPE_MAX)
6528 		return false;
6529 
6530 	switch (cmd) {
6531 	case NL80211_CMD_AUTHENTICATE:
6532 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6533 		    auth_type == NL80211_AUTHTYPE_SAE)
6534 			return false;
6535 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6536 					     NL80211_EXT_FEATURE_FILS_STA) &&
6537 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6538 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6539 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6540 			return false;
6541 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6542 					     NL80211_EXT_FEATURE_EPPKE) &&
6543 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6544 			return false;
6545 		return true;
6546 	case NL80211_CMD_CONNECT:
6547 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6548 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6549 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6550 		    auth_type == NL80211_AUTHTYPE_SAE)
6551 			return false;
6552 
6553 		/* FILS with SK PFS or PK not supported yet */
6554 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6555 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6556 			return false;
6557 		if (!wiphy_ext_feature_isset(
6558 			    &rdev->wiphy,
6559 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6560 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6561 			return false;
6562 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6563 					     NL80211_EXT_FEATURE_EPPKE) &&
6564 		    auth_type == NL80211_AUTHTYPE_EPPKE)
6565 			return false;
6566 		return true;
6567 	case NL80211_CMD_START_AP:
6568 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6569 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6570 		    auth_type == NL80211_AUTHTYPE_SAE)
6571 			return false;
6572 		/* FILS not supported yet */
6573 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6574 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6575 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6576 			return false;
6577 		return true;
6578 	default:
6579 		return false;
6580 	}
6581 }
6582 
6583 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6584 				    unsigned int link_id)
6585 {
6586 	struct wiphy *wiphy = wdev->wiphy;
6587 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6588 	struct sk_buff *msg;
6589 	void *hdr;
6590 
6591 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6592 	if (!msg)
6593 		return;
6594 
6595 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6596 	if (!hdr)
6597 		goto out;
6598 
6599 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6600 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6601 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6602 			      NL80211_ATTR_PAD) ||
6603 	    (wdev->u.ap.ssid_len &&
6604 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6605 		     wdev->u.ap.ssid)) ||
6606 	    (wdev->valid_links &&
6607 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6608 		goto out;
6609 
6610 	genlmsg_end(msg, hdr);
6611 
6612 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6613 				NL80211_MCGRP_MLME, GFP_KERNEL);
6614 	return;
6615 out:
6616 	nlmsg_free(msg);
6617 }
6618 
6619 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6620 {
6621 	struct ieee80211_channel *channel = params->chandef.chan;
6622 
6623 	if ((params->he_cap ||  params->he_oper) &&
6624 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6625 		return -EOPNOTSUPP;
6626 
6627 	if ((params->eht_cap || params->eht_oper) &&
6628 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6629 		return -EOPNOTSUPP;
6630 
6631 	if (params->uhr_oper && (channel->flags & IEEE80211_CHAN_NO_UHR))
6632 		return -EOPNOTSUPP;
6633 
6634 	return 0;
6635 }
6636 
6637 static int
6638 nl80211_parse_s1g_short_beacon(struct cfg80211_registered_device *rdev,
6639 			       struct nlattr *attrs,
6640 			       struct cfg80211_s1g_short_beacon *sb)
6641 {
6642 	struct nlattr *tb[NL80211_S1G_SHORT_BEACON_ATTR_MAX + 1];
6643 	int ret;
6644 
6645 	if (!rdev->wiphy.bands[NL80211_BAND_S1GHZ])
6646 		return -EINVAL;
6647 
6648 	ret = nla_parse_nested(tb, NL80211_S1G_SHORT_BEACON_ATTR_MAX, attrs,
6649 			       NULL, NULL);
6650 	if (ret)
6651 		return ret;
6652 
6653 	/* Short beacon tail is optional (i.e might only include the TIM) */
6654 	if (!tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD])
6655 		return -EINVAL;
6656 
6657 	sb->short_head = nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6658 	sb->short_head_len = nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_HEAD]);
6659 	sb->short_tail_len = 0;
6660 
6661 	if (tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]) {
6662 		sb->short_tail =
6663 			nla_data(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6664 		sb->short_tail_len =
6665 			nla_len(tb[NL80211_S1G_SHORT_BEACON_ATTR_TAIL]);
6666 	}
6667 
6668 	sb->update = true;
6669 	return 0;
6670 }
6671 
6672 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6673 {
6674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6675 	struct cfg80211_beaconing_check_config beacon_check = {};
6676 	unsigned int link_id = nl80211_link_id(info->attrs);
6677 	struct net_device *dev = info->user_ptr[1];
6678 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6679 	struct cfg80211_ap_settings *params;
6680 	int err;
6681 
6682 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6684 		return -EOPNOTSUPP;
6685 
6686 	if (!rdev->ops->start_ap)
6687 		return -EOPNOTSUPP;
6688 
6689 	if (wdev->links[link_id].cac_started)
6690 		return -EBUSY;
6691 
6692 	if (wdev->links[link_id].ap.beacon_interval)
6693 		return -EALREADY;
6694 
6695 	/* these are required for START_AP */
6696 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6697 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6698 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6699 		return -EINVAL;
6700 
6701 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6702 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6703 		return -EOPNOTSUPP;
6704 
6705 	params = kzalloc_obj(*params);
6706 	if (!params)
6707 		return -ENOMEM;
6708 
6709 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6710 				   info->extack);
6711 	if (err)
6712 		goto out;
6713 
6714 	params->beacon_interval =
6715 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6716 	params->dtim_period =
6717 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6718 
6719 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6720 					   params->beacon_interval);
6721 	if (err)
6722 		goto out;
6723 
6724 	/*
6725 	 * In theory, some of these attributes should be required here
6726 	 * but since they were not used when the command was originally
6727 	 * added, keep them optional for old user space programs to let
6728 	 * them continue to work with drivers that do not need the
6729 	 * additional information -- drivers must check!
6730 	 */
6731 	if (info->attrs[NL80211_ATTR_SSID]) {
6732 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6733 		params->ssid_len =
6734 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6735 		if (params->ssid_len == 0) {
6736 			err = -EINVAL;
6737 			goto out;
6738 		}
6739 
6740 		if (wdev->u.ap.ssid_len &&
6741 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6742 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6743 			/* require identical SSID for MLO */
6744 			err = -EINVAL;
6745 			goto out;
6746 		}
6747 	} else if (wdev->valid_links) {
6748 		/* require SSID for MLO */
6749 		err = -EINVAL;
6750 		goto out;
6751 	}
6752 
6753 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6754 		params->hidden_ssid = nla_get_u32(
6755 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6756 
6757 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6758 
6759 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6760 		params->auth_type = nla_get_u32(
6761 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6762 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6763 					     NL80211_CMD_START_AP)) {
6764 			err = -EINVAL;
6765 			goto out;
6766 		}
6767 	} else
6768 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6769 
6770 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6771 				      NL80211_MAX_NR_CIPHER_SUITES);
6772 	if (err)
6773 		goto out;
6774 
6775 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6776 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6777 			err = -EOPNOTSUPP;
6778 			goto out;
6779 		}
6780 		params->inactivity_timeout = nla_get_u16(
6781 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6782 	}
6783 
6784 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6785 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6786 			err = -EINVAL;
6787 			goto out;
6788 		}
6789 		params->p2p_ctwindow =
6790 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6791 		if (params->p2p_ctwindow != 0 &&
6792 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6793 			err = -EINVAL;
6794 			goto out;
6795 		}
6796 	}
6797 
6798 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6799 		u8 tmp;
6800 
6801 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6802 			err = -EINVAL;
6803 			goto out;
6804 		}
6805 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6806 		params->p2p_opp_ps = tmp;
6807 		if (params->p2p_opp_ps != 0 &&
6808 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6809 			err = -EINVAL;
6810 			goto out;
6811 		}
6812 	}
6813 
6814 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6815 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6816 		if (err)
6817 			goto out;
6818 	} else if (wdev->valid_links) {
6819 		/* with MLD need to specify the channel configuration */
6820 		err = -EINVAL;
6821 		goto out;
6822 	} else if (wdev->u.ap.preset_chandef.chan) {
6823 		params->chandef = wdev->u.ap.preset_chandef;
6824 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6825 		err = -EINVAL;
6826 		goto out;
6827 	}
6828 
6829 	beacon_check.iftype = wdev->iftype;
6830 	beacon_check.relax = true;
6831 	beacon_check.reg_power =
6832 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6833 					     params->beacon.tail_len, 0);
6834 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6835 					  &beacon_check)) {
6836 		err = -EINVAL;
6837 		goto out;
6838 	}
6839 
6840 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6841 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6842 						    NL80211_ATTR_TX_RATES,
6843 						    &params->beacon_rate,
6844 						    dev, false, link_id);
6845 		if (err)
6846 			goto out;
6847 
6848 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6849 					      &params->beacon_rate);
6850 		if (err)
6851 			goto out;
6852 	}
6853 
6854 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6855 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6856 		err = -EOPNOTSUPP;
6857 		goto out;
6858 	}
6859 
6860 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6861 		params->acl = parse_acl_data(&rdev->wiphy, info);
6862 		if (IS_ERR(params->acl)) {
6863 			err = PTR_ERR(params->acl);
6864 			params->acl = NULL;
6865 			goto out;
6866 		}
6867 	}
6868 
6869 	params->twt_responder =
6870 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6871 
6872 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6873 		err = nl80211_parse_he_obss_pd(
6874 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6875 					&params->he_obss_pd);
6876 		if (err)
6877 			goto out;
6878 	}
6879 
6880 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6881 		err = nl80211_parse_fils_discovery(rdev,
6882 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6883 						   &params->fils_discovery);
6884 		if (err)
6885 			goto out;
6886 	}
6887 
6888 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6889 		err = nl80211_parse_unsol_bcast_probe_resp(
6890 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6891 			&params->unsol_bcast_probe_resp);
6892 		if (err)
6893 			goto out;
6894 	}
6895 
6896 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6897 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev, link_id,
6898 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6899 						  &params->mbssid_config,
6900 						  params->beacon.mbssid_ies ?
6901 							params->beacon.mbssid_ies->cnt :
6902 							0);
6903 		if (err)
6904 			goto out;
6905 	}
6906 
6907 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6908 		err = -EINVAL;
6909 		goto out;
6910 	}
6911 
6912 	if (info->attrs[NL80211_ATTR_S1G_SHORT_BEACON]) {
6913 		if (!info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]) {
6914 			err = -EINVAL;
6915 			goto out;
6916 		}
6917 
6918 		params->s1g_long_beacon_period = nla_get_u8(
6919 			info->attrs[NL80211_ATTR_S1G_LONG_BEACON_PERIOD]);
6920 
6921 		err = nl80211_parse_s1g_short_beacon(
6922 			rdev, info->attrs[NL80211_ATTR_S1G_SHORT_BEACON],
6923 			&params->s1g_short_beacon);
6924 		if (err)
6925 			goto out;
6926 	}
6927 
6928 	err = nl80211_calculate_ap_params(params);
6929 	if (err)
6930 		goto out;
6931 
6932 	err = nl80211_validate_ap_phy_operation(params);
6933 	if (err)
6934 		goto out;
6935 
6936 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6937 		params->flags = nla_get_u32(
6938 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6939 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6940 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6941 
6942 	if (wdev->conn_owner_nlportid &&
6943 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6944 	    wdev->conn_owner_nlportid != info->snd_portid) {
6945 		err = -EINVAL;
6946 		goto out;
6947 	}
6948 
6949 	/* FIXME: validate MLO/link-id against driver capabilities */
6950 
6951 	err = rdev_start_ap(rdev, dev, params);
6952 	if (!err) {
6953 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6954 		wdev->links[link_id].ap.chandef = params->chandef;
6955 		wdev->u.ap.ssid_len = params->ssid_len;
6956 		memcpy(wdev->u.ap.ssid, params->ssid,
6957 		       params->ssid_len);
6958 
6959 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6960 			wdev->conn_owner_nlportid = info->snd_portid;
6961 
6962 		nl80211_send_ap_started(wdev, link_id);
6963 	}
6964 out:
6965 	kfree(params->acl);
6966 	kfree(params->beacon.mbssid_ies);
6967 	if (params->mbssid_config.tx_wdev &&
6968 	    params->mbssid_config.tx_wdev->netdev &&
6969 	    params->mbssid_config.tx_wdev->netdev != dev)
6970 		dev_put(params->mbssid_config.tx_wdev->netdev);
6971 	kfree(params->beacon.rnr_ies);
6972 	kfree(params);
6973 
6974 	return err;
6975 }
6976 
6977 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6978 {
6979 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6980 	struct cfg80211_beaconing_check_config beacon_check = {};
6981 	unsigned int link_id = nl80211_link_id(info->attrs);
6982 	struct net_device *dev = info->user_ptr[1];
6983 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6984 	struct cfg80211_ap_update *params;
6985 	struct nlattr *attr;
6986 	int err;
6987 
6988 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6989 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6990 		return -EOPNOTSUPP;
6991 
6992 	if (!rdev->ops->change_beacon)
6993 		return -EOPNOTSUPP;
6994 
6995 	if (!wdev->links[link_id].ap.beacon_interval)
6996 		return -EINVAL;
6997 
6998 	params = kzalloc_obj(*params);
6999 	if (!params)
7000 		return -ENOMEM;
7001 
7002 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
7003 				   info->extack);
7004 	if (err)
7005 		goto out;
7006 
7007 	/* recheck beaconing is permitted with possibly changed power type */
7008 	beacon_check.iftype = wdev->iftype;
7009 	beacon_check.relax = true;
7010 	beacon_check.reg_power =
7011 		cfg80211_get_6ghz_power_type(params->beacon.tail,
7012 					     params->beacon.tail_len, 0);
7013 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
7014 					  &wdev->links[link_id].ap.chandef,
7015 					  &beacon_check)) {
7016 		err = -EINVAL;
7017 		goto out;
7018 	}
7019 
7020 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
7021 	if (attr) {
7022 		err = nl80211_parse_fils_discovery(rdev, attr,
7023 						   &params->fils_discovery);
7024 		if (err)
7025 			goto out;
7026 	}
7027 
7028 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
7029 	if (attr) {
7030 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
7031 							   &params->unsol_bcast_probe_resp);
7032 		if (err)
7033 			goto out;
7034 	}
7035 
7036 	attr = info->attrs[NL80211_ATTR_S1G_SHORT_BEACON];
7037 	if (attr) {
7038 		err = nl80211_parse_s1g_short_beacon(rdev, attr,
7039 						     &params->s1g_short_beacon);
7040 		if (err)
7041 			goto out;
7042 	}
7043 
7044 	err = rdev_change_beacon(rdev, dev, params);
7045 
7046 out:
7047 	kfree(params->beacon.mbssid_ies);
7048 	kfree(params->beacon.rnr_ies);
7049 	kfree(params);
7050 	return err;
7051 }
7052 
7053 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
7054 {
7055 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7056 	unsigned int link_id = nl80211_link_id(info->attrs);
7057 	struct net_device *dev = info->user_ptr[1];
7058 
7059 	return cfg80211_stop_ap(rdev, dev, link_id, false);
7060 }
7061 
7062 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
7063 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
7064 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
7065 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
7066 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
7067 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
7068 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
7069 };
7070 
7071 static int parse_station_flags(struct genl_info *info,
7072 			       enum nl80211_iftype iftype,
7073 			       struct station_parameters *params)
7074 {
7075 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
7076 	struct nlattr *nla;
7077 	int flag;
7078 
7079 	/*
7080 	 * Try parsing the new attribute first so userspace
7081 	 * can specify both for older kernels.
7082 	 */
7083 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
7084 	if (nla) {
7085 		struct nl80211_sta_flag_update *sta_flags;
7086 
7087 		sta_flags = nla_data(nla);
7088 		params->sta_flags_mask = sta_flags->mask;
7089 		params->sta_flags_set = sta_flags->set;
7090 		params->sta_flags_set &= params->sta_flags_mask;
7091 		if ((params->sta_flags_mask |
7092 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
7093 			return -EINVAL;
7094 		return 0;
7095 	}
7096 
7097 	/* if present, parse the old attribute */
7098 
7099 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
7100 	if (!nla)
7101 		return 0;
7102 
7103 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
7104 		return -EINVAL;
7105 
7106 	/*
7107 	 * Only allow certain flags for interface types so that
7108 	 * other attributes are silently ignored. Remember that
7109 	 * this is backward compatibility code with old userspace
7110 	 * and shouldn't be hit in other cases anyway.
7111 	 */
7112 	switch (iftype) {
7113 	case NL80211_IFTYPE_AP:
7114 	case NL80211_IFTYPE_AP_VLAN:
7115 	case NL80211_IFTYPE_P2P_GO:
7116 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7117 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7118 					 BIT(NL80211_STA_FLAG_WME) |
7119 					 BIT(NL80211_STA_FLAG_MFP);
7120 		break;
7121 	case NL80211_IFTYPE_P2P_CLIENT:
7122 	case NL80211_IFTYPE_STATION:
7123 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
7124 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
7125 		break;
7126 	case NL80211_IFTYPE_MESH_POINT:
7127 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7128 					 BIT(NL80211_STA_FLAG_MFP) |
7129 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
7130 		break;
7131 	default:
7132 		return -EINVAL;
7133 	}
7134 
7135 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
7136 		if (flags[flag]) {
7137 			params->sta_flags_set |= (1<<flag);
7138 
7139 			/* no longer support new API additions in old API */
7140 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
7141 				return -EINVAL;
7142 		}
7143 	}
7144 
7145 	return 0;
7146 }
7147 
7148 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
7149 {
7150 	struct nlattr *rate;
7151 	u32 bitrate;
7152 	u16 bitrate_compat;
7153 	enum nl80211_rate_info rate_flg;
7154 
7155 	rate = nla_nest_start_noflag(msg, attr);
7156 	if (!rate)
7157 		return false;
7158 
7159 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
7160 	bitrate = cfg80211_calculate_bitrate(info);
7161 	/* report 16-bit bitrate only if we can */
7162 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
7163 	if (bitrate > 0 &&
7164 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
7165 		return false;
7166 	if (bitrate_compat > 0 &&
7167 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
7168 		return false;
7169 
7170 	switch (info->bw) {
7171 	case RATE_INFO_BW_1:
7172 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
7173 		break;
7174 	case RATE_INFO_BW_2:
7175 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
7176 		break;
7177 	case RATE_INFO_BW_4:
7178 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
7179 		break;
7180 	case RATE_INFO_BW_5:
7181 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
7182 		break;
7183 	case RATE_INFO_BW_8:
7184 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
7185 		break;
7186 	case RATE_INFO_BW_10:
7187 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
7188 		break;
7189 	case RATE_INFO_BW_16:
7190 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
7191 		break;
7192 	default:
7193 		WARN_ON(1);
7194 		fallthrough;
7195 	case RATE_INFO_BW_20:
7196 		rate_flg = 0;
7197 		break;
7198 	case RATE_INFO_BW_40:
7199 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
7200 		break;
7201 	case RATE_INFO_BW_80:
7202 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
7203 		break;
7204 	case RATE_INFO_BW_160:
7205 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
7206 		break;
7207 	case RATE_INFO_BW_HE_RU:
7208 		rate_flg = 0;
7209 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
7210 		break;
7211 	case RATE_INFO_BW_320:
7212 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
7213 		break;
7214 	case RATE_INFO_BW_EHT_RU:
7215 		rate_flg = 0;
7216 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS) &&
7217 			!(info->flags & RATE_INFO_FLAGS_UHR_MCS));
7218 		break;
7219 	}
7220 
7221 	if (rate_flg && nla_put_flag(msg, rate_flg))
7222 		return false;
7223 
7224 	if (info->flags & RATE_INFO_FLAGS_MCS) {
7225 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
7226 			return false;
7227 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7228 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7229 			return false;
7230 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
7231 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
7232 			return false;
7233 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
7234 			return false;
7235 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7236 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7237 			return false;
7238 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
7239 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
7240 			return false;
7241 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
7242 			return false;
7243 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
7244 			return false;
7245 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
7246 			return false;
7247 		if (info->bw == RATE_INFO_BW_HE_RU &&
7248 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
7249 			       info->he_ru_alloc))
7250 			return false;
7251 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
7252 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
7253 			return false;
7254 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
7255 			return false;
7256 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
7257 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
7258 			return false;
7259 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
7260 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
7261 			return false;
7262 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7263 			return false;
7264 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7265 			return false;
7266 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7267 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7268 			       info->eht_ru_alloc))
7269 			return false;
7270 	} else if (info->flags & RATE_INFO_FLAGS_UHR_MCS) {
7271 		if (nla_put_u8(msg, NL80211_RATE_INFO_UHR_MCS, info->mcs))
7272 			return false;
7273 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
7274 			return false;
7275 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
7276 			return false;
7277 		if (info->bw == RATE_INFO_BW_EHT_RU &&
7278 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
7279 			       info->eht_ru_alloc))
7280 			return false;
7281 		if (info->flags & RATE_INFO_FLAGS_UHR_ELR_MCS &&
7282 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_ELR))
7283 			return false;
7284 		if (info->flags & RATE_INFO_FLAGS_UHR_IM &&
7285 		    nla_put_flag(msg, NL80211_RATE_INFO_UHR_IM))
7286 			return false;
7287 	}
7288 
7289 	nla_nest_end(msg, rate);
7290 	return true;
7291 }
7292 
7293 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
7294 			       int id)
7295 {
7296 	void *attr;
7297 	int i = 0;
7298 
7299 	if (!mask)
7300 		return true;
7301 
7302 	attr = nla_nest_start_noflag(msg, id);
7303 	if (!attr)
7304 		return false;
7305 
7306 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
7307 		if (!(mask & BIT(i)))
7308 			continue;
7309 
7310 		if (nla_put_u8(msg, i, signal[i]))
7311 			return false;
7312 	}
7313 
7314 	nla_nest_end(msg, attr);
7315 
7316 	return true;
7317 }
7318 
7319 static int nl80211_fill_link_station(struct sk_buff *msg,
7320 				     struct cfg80211_registered_device *rdev,
7321 				     struct link_station_info *link_sinfo)
7322 {
7323 	struct nlattr *bss_param, *link_sinfoattr;
7324 
7325 #define PUT_LINK_SINFO(attr, memb, type) do {				\
7326 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7327 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7328 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7329 			     link_sinfo->memb))				\
7330 		goto nla_put_failure;					\
7331 	} while (0)
7332 #define PUT_LINK_SINFO_U64(attr, memb) do {				\
7333 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7334 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7335 			      link_sinfo->memb, NL80211_STA_INFO_PAD))	\
7336 		goto nla_put_failure;					\
7337 	} while (0)
7338 
7339 	link_sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7340 	if (!link_sinfoattr)
7341 		goto nla_put_failure;
7342 
7343 	PUT_LINK_SINFO(INACTIVE_TIME, inactive_time, u32);
7344 
7345 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7346 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7347 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7348 			(u32)link_sinfo->rx_bytes))
7349 		goto nla_put_failure;
7350 
7351 	if (link_sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7352 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7353 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7354 			(u32)link_sinfo->tx_bytes))
7355 		goto nla_put_failure;
7356 
7357 	PUT_LINK_SINFO_U64(RX_BYTES64, rx_bytes);
7358 	PUT_LINK_SINFO_U64(TX_BYTES64, tx_bytes);
7359 	PUT_LINK_SINFO_U64(RX_DURATION, rx_duration);
7360 	PUT_LINK_SINFO_U64(TX_DURATION, tx_duration);
7361 
7362 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7363 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7364 		PUT_LINK_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7365 
7366 	switch (rdev->wiphy.signal_type) {
7367 	case CFG80211_SIGNAL_TYPE_MBM:
7368 		PUT_LINK_SINFO(SIGNAL, signal, u8);
7369 		PUT_LINK_SINFO(SIGNAL_AVG, signal_avg, u8);
7370 		break;
7371 	default:
7372 		break;
7373 	}
7374 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7375 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7376 					link_sinfo->chain_signal,
7377 					NL80211_STA_INFO_CHAIN_SIGNAL))
7378 			goto nla_put_failure;
7379 	}
7380 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7381 		if (!nl80211_put_signal(msg, link_sinfo->chains,
7382 					link_sinfo->chain_signal_avg,
7383 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7384 			goto nla_put_failure;
7385 	}
7386 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7387 		if (!nl80211_put_sta_rate(msg, &link_sinfo->txrate,
7388 					  NL80211_STA_INFO_TX_BITRATE))
7389 			goto nla_put_failure;
7390 	}
7391 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7392 		if (!nl80211_put_sta_rate(msg, &link_sinfo->rxrate,
7393 					  NL80211_STA_INFO_RX_BITRATE))
7394 			goto nla_put_failure;
7395 	}
7396 
7397 	PUT_LINK_SINFO(RX_PACKETS, rx_packets, u32);
7398 	PUT_LINK_SINFO(TX_PACKETS, tx_packets, u32);
7399 	PUT_LINK_SINFO(TX_RETRIES, tx_retries, u32);
7400 	PUT_LINK_SINFO(TX_FAILED, tx_failed, u32);
7401 	PUT_LINK_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7402 	PUT_LINK_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7403 
7404 	if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7405 		bss_param = nla_nest_start_noflag(msg,
7406 						  NL80211_STA_INFO_BSS_PARAM);
7407 		if (!bss_param)
7408 			goto nla_put_failure;
7409 
7410 		if (((link_sinfo->bss_param.flags &
7411 		      BSS_PARAM_FLAGS_CTS_PROT) &&
7412 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7413 		    ((link_sinfo->bss_param.flags &
7414 		      BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7415 		     nla_put_flag(msg,
7416 				  NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7417 		    ((link_sinfo->bss_param.flags &
7418 		      BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7419 		     nla_put_flag(msg,
7420 				  NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7421 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7422 			       link_sinfo->bss_param.dtim_period) ||
7423 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7424 				link_sinfo->bss_param.beacon_interval))
7425 			goto nla_put_failure;
7426 
7427 		nla_nest_end(msg, bss_param);
7428 	}
7429 
7430 	PUT_LINK_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7431 	PUT_LINK_SINFO_U64(BEACON_RX, rx_beacon);
7432 	PUT_LINK_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7433 	PUT_LINK_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7434 	PUT_LINK_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7435 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7436 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7437 		PUT_LINK_SINFO(ACK_SIGNAL, ack_signal, u8);
7438 		PUT_LINK_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7439 	}
7440 
7441 #undef PUT_LINK_SINFO
7442 #undef PUT_LINK_SINFO_U64
7443 
7444 	if (link_sinfo->pertid) {
7445 		struct nlattr *tidsattr;
7446 		int tid;
7447 
7448 		tidsattr = nla_nest_start_noflag(msg,
7449 						 NL80211_STA_INFO_TID_STATS);
7450 		if (!tidsattr)
7451 			goto nla_put_failure;
7452 
7453 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7454 			struct cfg80211_tid_stats *tidstats;
7455 			struct nlattr *tidattr;
7456 
7457 			tidstats = &link_sinfo->pertid[tid];
7458 
7459 			if (!tidstats->filled)
7460 				continue;
7461 
7462 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7463 			if (!tidattr)
7464 				goto nla_put_failure;
7465 
7466 #define PUT_TIDVAL_U64(attr, memb) do {					\
7467 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7468 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7469 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7470 		goto nla_put_failure;					\
7471 	} while (0)
7472 
7473 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7474 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7475 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7476 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7477 
7478 #undef PUT_TIDVAL_U64
7479 			if ((tidstats->filled &
7480 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7481 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7482 						   NL80211_TID_STATS_TXQ_STATS))
7483 				goto nla_put_failure;
7484 
7485 			nla_nest_end(msg, tidattr);
7486 		}
7487 
7488 		nla_nest_end(msg, tidsattr);
7489 	}
7490 
7491 	nla_nest_end(msg, link_sinfoattr);
7492 	return 0;
7493 
7494 nla_put_failure:
7495 	return -EMSGSIZE;
7496 }
7497 
7498 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
7499 				u32 seq, int flags,
7500 				struct cfg80211_registered_device *rdev,
7501 				struct net_device *dev,
7502 				const u8 *mac_addr, struct station_info *sinfo,
7503 				bool link_stats)
7504 {
7505 	void *hdr;
7506 	struct nlattr *sinfoattr, *bss_param;
7507 	struct link_station_info *link_sinfo;
7508 	struct nlattr *links, *link;
7509 	int link_id;
7510 
7511 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
7512 	if (!hdr) {
7513 		cfg80211_sinfo_release_content(sinfo);
7514 		return -1;
7515 	}
7516 
7517 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7518 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
7519 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
7520 		goto nla_put_failure;
7521 
7522 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
7523 	if (!sinfoattr)
7524 		goto nla_put_failure;
7525 
7526 #define PUT_SINFO(attr, memb, type) do {				\
7527 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
7528 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7529 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
7530 			     sinfo->memb))				\
7531 		goto nla_put_failure;					\
7532 	} while (0)
7533 #define PUT_SINFO_U64(attr, memb) do {					\
7534 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
7535 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
7536 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
7537 		goto nla_put_failure;					\
7538 	} while (0)
7539 
7540 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
7541 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
7542 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
7543 
7544 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7545 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
7546 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
7547 			(u32)sinfo->rx_bytes))
7548 		goto nla_put_failure;
7549 
7550 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7551 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
7552 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
7553 			(u32)sinfo->tx_bytes))
7554 		goto nla_put_failure;
7555 
7556 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
7557 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
7558 	PUT_SINFO_U64(RX_DURATION, rx_duration);
7559 	PUT_SINFO_U64(TX_DURATION, tx_duration);
7560 
7561 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7562 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7563 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
7564 
7565 	switch (rdev->wiphy.signal_type) {
7566 	case CFG80211_SIGNAL_TYPE_MBM:
7567 		PUT_SINFO(SIGNAL, signal, u8);
7568 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
7569 		break;
7570 	default:
7571 		break;
7572 	}
7573 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
7574 		if (!nl80211_put_signal(msg, sinfo->chains,
7575 					sinfo->chain_signal,
7576 					NL80211_STA_INFO_CHAIN_SIGNAL))
7577 			goto nla_put_failure;
7578 	}
7579 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
7580 		if (!nl80211_put_signal(msg, sinfo->chains,
7581 					sinfo->chain_signal_avg,
7582 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
7583 			goto nla_put_failure;
7584 	}
7585 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
7586 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
7587 					  NL80211_STA_INFO_TX_BITRATE))
7588 			goto nla_put_failure;
7589 	}
7590 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
7591 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
7592 					  NL80211_STA_INFO_RX_BITRATE))
7593 			goto nla_put_failure;
7594 	}
7595 
7596 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
7597 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
7598 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
7599 	PUT_SINFO(TX_FAILED, tx_failed, u32);
7600 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
7601 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
7602 
7603 	PUT_SINFO(LLID, llid, u16);
7604 	PUT_SINFO(PLID, plid, u16);
7605 	PUT_SINFO(PLINK_STATE, plink_state, u8);
7606 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
7607 	PUT_SINFO(LOCAL_PM, local_pm, u32);
7608 	PUT_SINFO(PEER_PM, peer_pm, u32);
7609 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
7610 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
7611 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
7612 	PUT_SINFO_U64(T_OFFSET, t_offset);
7613 
7614 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
7615 		bss_param = nla_nest_start_noflag(msg,
7616 						  NL80211_STA_INFO_BSS_PARAM);
7617 		if (!bss_param)
7618 			goto nla_put_failure;
7619 
7620 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
7621 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
7622 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
7623 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
7624 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
7625 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
7626 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
7627 			       sinfo->bss_param.dtim_period) ||
7628 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
7629 				sinfo->bss_param.beacon_interval))
7630 			goto nla_put_failure;
7631 
7632 		nla_nest_end(msg, bss_param);
7633 	}
7634 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
7635 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
7636 		    sizeof(struct nl80211_sta_flag_update),
7637 		    &sinfo->sta_flags))
7638 		goto nla_put_failure;
7639 
7640 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
7641 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
7642 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
7643 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
7644 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
7645 	if (wiphy_ext_feature_isset(&rdev->wiphy,
7646 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
7647 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
7648 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
7649 	}
7650 
7651 #undef PUT_SINFO
7652 #undef PUT_SINFO_U64
7653 
7654 	if (sinfo->pertid) {
7655 		struct nlattr *tidsattr;
7656 		int tid;
7657 
7658 		tidsattr = nla_nest_start_noflag(msg,
7659 						 NL80211_STA_INFO_TID_STATS);
7660 		if (!tidsattr)
7661 			goto nla_put_failure;
7662 
7663 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
7664 			struct cfg80211_tid_stats *tidstats;
7665 			struct nlattr *tidattr;
7666 
7667 			tidstats = &sinfo->pertid[tid];
7668 
7669 			if (!tidstats->filled)
7670 				continue;
7671 
7672 			tidattr = nla_nest_start_noflag(msg, tid + 1);
7673 			if (!tidattr)
7674 				goto nla_put_failure;
7675 
7676 #define PUT_TIDVAL_U64(attr, memb) do {					\
7677 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
7678 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
7679 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
7680 		goto nla_put_failure;					\
7681 	} while (0)
7682 
7683 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
7684 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
7685 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
7686 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
7687 
7688 #undef PUT_TIDVAL_U64
7689 			if ((tidstats->filled &
7690 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
7691 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
7692 						   NL80211_TID_STATS_TXQ_STATS))
7693 				goto nla_put_failure;
7694 
7695 			nla_nest_end(msg, tidattr);
7696 		}
7697 
7698 		nla_nest_end(msg, tidsattr);
7699 	}
7700 
7701 	nla_nest_end(msg, sinfoattr);
7702 
7703 	if (sinfo->assoc_req_ies_len &&
7704 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
7705 		    sinfo->assoc_req_ies))
7706 		goto nla_put_failure;
7707 
7708 	if (sinfo->assoc_resp_ies_len &&
7709 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
7710 		    sinfo->assoc_resp_ies))
7711 		goto nla_put_failure;
7712 
7713 	if (sinfo->mlo_params_valid) {
7714 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7715 			       sinfo->assoc_link_id))
7716 			goto nla_put_failure;
7717 
7718 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
7719 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
7720 			    sinfo->mld_addr))
7721 			goto nla_put_failure;
7722 	}
7723 
7724 	if (link_stats && sinfo->valid_links) {
7725 		links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
7726 		if (!links)
7727 			goto nla_put_failure;
7728 
7729 		for_each_valid_link(sinfo, link_id) {
7730 			link_sinfo = sinfo->links[link_id];
7731 
7732 			if (WARN_ON_ONCE(!link_sinfo))
7733 				continue;
7734 
7735 			if (!is_valid_ether_addr(link_sinfo->addr))
7736 				continue;
7737 
7738 			link = nla_nest_start(msg, link_id + 1);
7739 			if (!link)
7740 				goto nla_put_failure;
7741 
7742 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
7743 				       link_id))
7744 				goto nla_put_failure;
7745 
7746 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
7747 				    link_sinfo->addr))
7748 				goto nla_put_failure;
7749 
7750 			if (nl80211_fill_link_station(msg, rdev, link_sinfo))
7751 				goto nla_put_failure;
7752 
7753 			nla_nest_end(msg, link);
7754 		}
7755 		nla_nest_end(msg, links);
7756 	}
7757 
7758 	cfg80211_sinfo_release_content(sinfo);
7759 	genlmsg_end(msg, hdr);
7760 	return 0;
7761 
7762  nla_put_failure:
7763 	cfg80211_sinfo_release_content(sinfo);
7764 	genlmsg_cancel(msg, hdr);
7765 	return -EMSGSIZE;
7766 }
7767 
7768 static void cfg80211_sta_set_mld_sinfo(struct station_info *sinfo)
7769 {
7770 	struct link_station_info *link_sinfo;
7771 	int link_id, init = 0;
7772 	u32 link_inactive_time;
7773 
7774 	sinfo->signal = -99;
7775 
7776 	for_each_valid_link(sinfo, link_id) {
7777 		link_sinfo = sinfo->links[link_id];
7778 		if (!link_sinfo)
7779 			continue;
7780 
7781 		if ((link_sinfo->filled &
7782 		     BIT_ULL(NL80211_STA_INFO_TX_PACKETS))) {
7783 			sinfo->tx_packets += link_sinfo->tx_packets;
7784 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_PACKETS);
7785 		}
7786 
7787 		if ((link_sinfo->filled &
7788 		     BIT_ULL(NL80211_STA_INFO_RX_PACKETS))) {
7789 			sinfo->rx_packets += link_sinfo->rx_packets;
7790 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_PACKETS);
7791 		}
7792 
7793 		if (link_sinfo->filled &
7794 		    (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
7795 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7796 			sinfo->tx_bytes += link_sinfo->tx_bytes;
7797 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BYTES);
7798 		}
7799 
7800 		if (link_sinfo->filled &
7801 		    (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
7802 		     BIT_ULL(NL80211_STA_INFO_TX_BYTES64))) {
7803 			sinfo->rx_bytes += link_sinfo->rx_bytes;
7804 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BYTES);
7805 		}
7806 
7807 		if (link_sinfo->filled &
7808 		    BIT_ULL(NL80211_STA_INFO_TX_RETRIES)) {
7809 			sinfo->tx_retries += link_sinfo->tx_retries;
7810 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_RETRIES);
7811 		}
7812 
7813 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_FAILED)) {
7814 			sinfo->tx_failed += link_sinfo->tx_failed;
7815 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_FAILED);
7816 		}
7817 
7818 		if (link_sinfo->filled &
7819 		    BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC)) {
7820 			sinfo->rx_dropped_misc += link_sinfo->rx_dropped_misc;
7821 			sinfo->filled |=
7822 				BIT_ULL(NL80211_STA_INFO_RX_DROP_MISC);
7823 		}
7824 
7825 		if (link_sinfo->filled &
7826 		    BIT_ULL(NL80211_STA_INFO_BEACON_LOSS)) {
7827 			sinfo->beacon_loss_count +=
7828 				link_sinfo->beacon_loss_count;
7829 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_LOSS);
7830 		}
7831 
7832 		if (link_sinfo->filled &
7833 		    BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT)) {
7834 			sinfo->expected_throughput +=
7835 				link_sinfo->expected_throughput;
7836 			sinfo->filled |=
7837 				BIT_ULL(NL80211_STA_INFO_EXPECTED_THROUGHPUT);
7838 		}
7839 
7840 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_MPDUS)) {
7841 			sinfo->rx_mpdu_count += link_sinfo->rx_mpdu_count;
7842 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_MPDUS);
7843 		}
7844 
7845 		if (link_sinfo->filled &
7846 		    BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT)) {
7847 			sinfo->fcs_err_count += link_sinfo->fcs_err_count;
7848 			sinfo->filled |=
7849 				BIT_ULL(NL80211_STA_INFO_FCS_ERROR_COUNT);
7850 		}
7851 
7852 		if (link_sinfo->filled &
7853 		    BIT_ULL(NL80211_STA_INFO_BEACON_RX)) {
7854 			sinfo->rx_beacon += link_sinfo->rx_beacon;
7855 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_BEACON_RX);
7856 		}
7857 
7858 		/* Update MLO signal, signal_avg as best among links */
7859 		if ((link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_SIGNAL)) &&
7860 		    link_sinfo->signal > sinfo->signal) {
7861 			sinfo->signal = link_sinfo->signal;
7862 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL);
7863 		}
7864 
7865 		if ((link_sinfo->filled &
7866 			BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG)) &&
7867 		    link_sinfo->signal_avg > sinfo->signal_avg) {
7868 			sinfo->signal_avg = link_sinfo->signal_avg;
7869 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_SIGNAL_AVG);
7870 		}
7871 
7872 		/* Update MLO inactive_time, bss_param based on least
7873 		 * value for corresponding field of link.
7874 		 */
7875 		if ((link_sinfo->filled &
7876 		     BIT_ULL(NL80211_STA_INFO_INACTIVE_TIME)) &&
7877 		    (!init ||
7878 		     link_inactive_time > link_sinfo->inactive_time)) {
7879 			link_inactive_time = link_sinfo->inactive_time;
7880 			sinfo->inactive_time = link_sinfo->inactive_time;
7881 			sinfo->filled |= NL80211_STA_INFO_INACTIVE_TIME;
7882 		}
7883 
7884 		if (link_sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM) &&
7885 		    (!init ||
7886 		     sinfo->bss_param.dtim_period >
7887 		      link_sinfo->bss_param.dtim_period)) {
7888 			sinfo->bss_param.dtim_period =
7889 				link_sinfo->bss_param.dtim_period;
7890 			sinfo->filled |= NL80211_STA_BSS_PARAM_DTIM_PERIOD;
7891 			sinfo->bss_param.beacon_interval =
7892 				link_sinfo->bss_param.beacon_interval;
7893 			sinfo->filled |= NL80211_STA_BSS_PARAM_BEACON_INTERVAL;
7894 		}
7895 
7896 		/* Update MLO rates as per last updated link rate */
7897 		if ((link_sinfo->filled &
7898 		     BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) &&
7899 		    (!init ||
7900 		     link_inactive_time > link_sinfo->inactive_time)) {
7901 			sinfo->txrate = link_sinfo->txrate;
7902 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_TX_BITRATE);
7903 		}
7904 		if ((link_sinfo->filled &
7905 		     BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) &&
7906 		    (!init ||
7907 		     link_inactive_time > link_sinfo->inactive_time)) {
7908 			sinfo->rxrate = link_sinfo->rxrate;
7909 			sinfo->filled |= BIT_ULL(NL80211_STA_INFO_RX_BITRATE);
7910 		}
7911 
7912 		if (link_sinfo->filled &
7913 		    BIT_ULL(NL80211_STA_INFO_TX_DURATION) &&
7914 		    (!init ||
7915 		     link_inactive_time > link_sinfo->inactive_time)) {
7916 			sinfo->tx_duration += link_sinfo->tx_duration;
7917 			sinfo->filled |=
7918 				BIT_ULL(NL80211_STA_INFO_TX_DURATION);
7919 		}
7920 		if (link_sinfo->filled &
7921 		    BIT_ULL(NL80211_STA_INFO_RX_DURATION) &&
7922 		    (!init ||
7923 		     link_inactive_time > link_sinfo->inactive_time)) {
7924 			sinfo->rx_duration += link_sinfo->rx_duration;
7925 			sinfo->filled |=
7926 				BIT_ULL(NL80211_STA_INFO_RX_DURATION);
7927 		}
7928 		init++;
7929 
7930 		/* pertid stats accumulate for rx/tx fields */
7931 		if (sinfo->pertid) {
7932 			sinfo->pertid->rx_msdu +=
7933 				link_sinfo->pertid->rx_msdu;
7934 			sinfo->pertid->tx_msdu +=
7935 				link_sinfo->pertid->tx_msdu;
7936 			sinfo->pertid->tx_msdu_retries +=
7937 				link_sinfo->pertid->tx_msdu_retries;
7938 			sinfo->pertid->tx_msdu_failed +=
7939 				link_sinfo->pertid->tx_msdu_failed;
7940 
7941 			sinfo->pertid->filled |=
7942 				BIT(NL80211_TID_STATS_RX_MSDU) |
7943 				BIT(NL80211_TID_STATS_TX_MSDU) |
7944 				BIT(NL80211_TID_STATS_TX_MSDU_RETRIES) |
7945 				BIT(NL80211_TID_STATS_TX_MSDU_FAILED);
7946 		}
7947 	}
7948 
7949 	/* Reset sinfo->filled bits to exclude fields which don't make
7950 	 * much sense at the MLO level.
7951 	 */
7952 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL);
7953 	sinfo->filled &= ~BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG);
7954 }
7955 
7956 static int nl80211_dump_station(struct sk_buff *skb,
7957 				struct netlink_callback *cb)
7958 {
7959 	struct station_info sinfo;
7960 	struct cfg80211_registered_device *rdev;
7961 	struct wireless_dev *wdev;
7962 	u8 mac_addr[ETH_ALEN];
7963 	int sta_idx = cb->args[2];
7964 	bool sinfo_alloc = false;
7965 	int err, i;
7966 
7967 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7968 	if (err)
7969 		return err;
7970 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7971 	__acquire(&rdev->wiphy.mtx);
7972 
7973 	if (!wdev->netdev) {
7974 		err = -EINVAL;
7975 		goto out_err;
7976 	}
7977 
7978 	if (!rdev->ops->dump_station) {
7979 		err = -EOPNOTSUPP;
7980 		goto out_err;
7981 	}
7982 
7983 	while (1) {
7984 		memset(&sinfo, 0, sizeof(sinfo));
7985 
7986 		for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
7987 			sinfo.links[i] =
7988 				kzalloc_obj(*sinfo.links[0]);
7989 			if (!sinfo.links[i]) {
7990 				err = -ENOMEM;
7991 				goto out_err;
7992 			}
7993 			sinfo_alloc = true;
7994 		}
7995 
7996 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
7997 					mac_addr, &sinfo);
7998 		if (err == -ENOENT)
7999 			break;
8000 		if (err)
8001 			goto out_err;
8002 
8003 		if (sinfo.valid_links)
8004 			cfg80211_sta_set_mld_sinfo(&sinfo);
8005 
8006 		/* reset the sinfo_alloc flag as nl80211_send_station()
8007 		 * always releases sinfo
8008 		 */
8009 		sinfo_alloc = false;
8010 
8011 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
8012 				NETLINK_CB(cb->skb).portid,
8013 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
8014 				rdev, wdev->netdev, mac_addr,
8015 				&sinfo, false) < 0)
8016 			goto out;
8017 
8018 		sta_idx++;
8019 	}
8020 
8021  out:
8022 	cb->args[2] = sta_idx;
8023 	err = skb->len;
8024  out_err:
8025 	if (sinfo_alloc)
8026 		cfg80211_sinfo_release_content(&sinfo);
8027 	wiphy_unlock(&rdev->wiphy);
8028 
8029 	return err;
8030 }
8031 
8032 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
8033 {
8034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8035 	struct net_device *dev = info->user_ptr[1];
8036 	struct station_info sinfo;
8037 	struct sk_buff *msg;
8038 	u8 *mac_addr = NULL;
8039 	int err, i;
8040 
8041 	memset(&sinfo, 0, sizeof(sinfo));
8042 
8043 	if (!info->attrs[NL80211_ATTR_MAC])
8044 		return -EINVAL;
8045 
8046 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8047 
8048 	if (!rdev->ops->get_station)
8049 		return -EOPNOTSUPP;
8050 
8051 	for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
8052 		sinfo.links[i] = kzalloc_obj(*sinfo.links[0]);
8053 		if (!sinfo.links[i]) {
8054 			cfg80211_sinfo_release_content(&sinfo);
8055 			return -ENOMEM;
8056 		}
8057 	}
8058 
8059 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
8060 	if (err) {
8061 		cfg80211_sinfo_release_content(&sinfo);
8062 		return err;
8063 	}
8064 
8065 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8066 	if (!msg) {
8067 		cfg80211_sinfo_release_content(&sinfo);
8068 		return -ENOMEM;
8069 	}
8070 
8071 	if (sinfo.valid_links)
8072 		cfg80211_sta_set_mld_sinfo(&sinfo);
8073 
8074 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
8075 				 info->snd_portid, info->snd_seq, 0,
8076 				 rdev, dev, mac_addr, &sinfo, false) < 0) {
8077 		nlmsg_free(msg);
8078 		return -ENOBUFS;
8079 	}
8080 
8081 	return genlmsg_reply(msg, info);
8082 }
8083 
8084 int cfg80211_check_station_change(struct wiphy *wiphy,
8085 				  struct station_parameters *params,
8086 				  enum cfg80211_station_type statype)
8087 {
8088 	if (params->listen_interval != -1 &&
8089 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8090 		return -EINVAL;
8091 
8092 	if (params->support_p2p_ps != -1 &&
8093 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8094 		return -EINVAL;
8095 
8096 	if (params->aid &&
8097 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
8098 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
8099 		return -EINVAL;
8100 
8101 	/* When you run into this, adjust the code below for the new flag */
8102 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8103 
8104 	switch (statype) {
8105 	case CFG80211_STA_MESH_PEER_KERNEL:
8106 	case CFG80211_STA_MESH_PEER_USER:
8107 		/*
8108 		 * No ignoring the TDLS flag here -- the userspace mesh
8109 		 * code doesn't have the bug of including TDLS in the
8110 		 * mask everywhere.
8111 		 */
8112 		if (params->sta_flags_mask &
8113 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8114 				  BIT(NL80211_STA_FLAG_MFP) |
8115 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
8116 			return -EINVAL;
8117 		break;
8118 	case CFG80211_STA_TDLS_PEER_SETUP:
8119 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8120 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8121 			return -EINVAL;
8122 		/* ignore since it can't change */
8123 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8124 		break;
8125 	default:
8126 		/* disallow mesh-specific things */
8127 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
8128 			return -EINVAL;
8129 		if (params->local_pm)
8130 			return -EINVAL;
8131 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8132 			return -EINVAL;
8133 	}
8134 
8135 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8136 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
8137 		/* TDLS can't be set, ... */
8138 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
8139 			return -EINVAL;
8140 		/*
8141 		 * ... but don't bother the driver with it. This works around
8142 		 * a hostapd/wpa_supplicant issue -- it always includes the
8143 		 * TLDS_PEER flag in the mask even for AP mode.
8144 		 */
8145 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8146 	}
8147 
8148 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
8149 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8150 		/* reject other things that can't change */
8151 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
8152 			return -EINVAL;
8153 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
8154 			return -EINVAL;
8155 		if (params->link_sta_params.supported_rates)
8156 			return -EINVAL;
8157 		if (params->ext_capab || params->link_sta_params.ht_capa ||
8158 		    params->link_sta_params.vht_capa ||
8159 		    params->link_sta_params.he_capa ||
8160 		    params->link_sta_params.eht_capa ||
8161 		    params->link_sta_params.uhr_capa)
8162 			return -EINVAL;
8163 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8164 			return -EINVAL;
8165 	}
8166 
8167 	if (statype != CFG80211_STA_AP_CLIENT &&
8168 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
8169 		if (params->vlan)
8170 			return -EINVAL;
8171 	}
8172 
8173 	/* Accept EMLSR capabilities only for AP client before association */
8174 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8175 	    params->eml_cap_present)
8176 		return -EINVAL;
8177 
8178 	switch (statype) {
8179 	case CFG80211_STA_AP_MLME_CLIENT:
8180 		/* Use this only for authorizing/unauthorizing a station */
8181 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
8182 			return -EOPNOTSUPP;
8183 		break;
8184 	case CFG80211_STA_AP_CLIENT:
8185 	case CFG80211_STA_AP_CLIENT_UNASSOC:
8186 		/* accept only the listed bits */
8187 		if (params->sta_flags_mask &
8188 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8189 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8190 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
8191 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
8192 				  BIT(NL80211_STA_FLAG_WME) |
8193 				  BIT(NL80211_STA_FLAG_MFP) |
8194 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
8195 			return -EINVAL;
8196 
8197 		/* but authenticated/associated only if driver handles it */
8198 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8199 		    params->sta_flags_mask &
8200 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8201 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
8202 			return -EINVAL;
8203 		break;
8204 	case CFG80211_STA_IBSS:
8205 	case CFG80211_STA_AP_STA:
8206 		/* reject any changes other than AUTHORIZED */
8207 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
8208 			return -EINVAL;
8209 		break;
8210 	case CFG80211_STA_TDLS_PEER_SETUP:
8211 		/* reject any changes other than AUTHORIZED or WME */
8212 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
8213 					       BIT(NL80211_STA_FLAG_WME)))
8214 			return -EINVAL;
8215 		/* force (at least) rates when authorizing */
8216 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
8217 		    !params->link_sta_params.supported_rates)
8218 			return -EINVAL;
8219 		break;
8220 	case CFG80211_STA_TDLS_PEER_ACTIVE:
8221 		/* reject any changes */
8222 		return -EINVAL;
8223 	case CFG80211_STA_MESH_PEER_KERNEL:
8224 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
8225 			return -EINVAL;
8226 		break;
8227 	case CFG80211_STA_MESH_PEER_USER:
8228 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
8229 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
8230 			return -EINVAL;
8231 		break;
8232 	}
8233 
8234 	/*
8235 	 * Older kernel versions ignored this attribute entirely, so don't
8236 	 * reject attempts to update it but mark it as unused instead so the
8237 	 * driver won't look at the data.
8238 	 */
8239 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
8240 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
8241 		params->link_sta_params.opmode_notif_used = false;
8242 
8243 	return 0;
8244 }
8245 EXPORT_SYMBOL(cfg80211_check_station_change);
8246 
8247 /*
8248  * Get vlan interface making sure it is running and on the right wiphy.
8249  */
8250 static struct net_device *get_vlan(struct genl_info *info,
8251 				   struct cfg80211_registered_device *rdev)
8252 {
8253 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
8254 	struct net_device *v;
8255 	int ret;
8256 
8257 	if (!vlanattr)
8258 		return NULL;
8259 
8260 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
8261 	if (!v)
8262 		return ERR_PTR(-ENODEV);
8263 
8264 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
8265 		ret = -EINVAL;
8266 		goto error;
8267 	}
8268 
8269 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
8270 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8271 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
8272 		ret = -EINVAL;
8273 		goto error;
8274 	}
8275 
8276 	if (!netif_running(v)) {
8277 		ret = -ENETDOWN;
8278 		goto error;
8279 	}
8280 
8281 	return v;
8282  error:
8283 	dev_put(v);
8284 	return ERR_PTR(ret);
8285 }
8286 
8287 static int nl80211_parse_sta_wme(struct genl_info *info,
8288 				 struct station_parameters *params)
8289 {
8290 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
8291 	struct nlattr *nla;
8292 	int err;
8293 
8294 	/* parse WME attributes if present */
8295 	if (!info->attrs[NL80211_ATTR_STA_WME])
8296 		return 0;
8297 
8298 	nla = info->attrs[NL80211_ATTR_STA_WME];
8299 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
8300 					  nl80211_sta_wme_policy,
8301 					  info->extack);
8302 	if (err)
8303 		return err;
8304 
8305 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
8306 		params->uapsd_queues = nla_get_u8(
8307 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
8308 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
8309 		return -EINVAL;
8310 
8311 	if (tb[NL80211_STA_WME_MAX_SP])
8312 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
8313 
8314 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
8315 		return -EINVAL;
8316 
8317 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
8318 
8319 	return 0;
8320 }
8321 
8322 static int nl80211_parse_sta_channel_info(struct genl_info *info,
8323 				      struct station_parameters *params)
8324 {
8325 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
8326 		params->supported_channels =
8327 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8328 		params->supported_channels_len =
8329 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
8330 		/*
8331 		 * Need to include at least one (first channel, number of
8332 		 * channels) tuple for each subband (checked in policy),
8333 		 * and must have proper tuples for the rest of the data as well.
8334 		 */
8335 		if (params->supported_channels_len % 2)
8336 			return -EINVAL;
8337 	}
8338 
8339 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
8340 		params->supported_oper_classes =
8341 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8342 		params->supported_oper_classes_len =
8343 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
8344 	}
8345 	return 0;
8346 }
8347 
8348 static int nl80211_set_station_tdls(struct genl_info *info,
8349 				    struct station_parameters *params)
8350 {
8351 	int err;
8352 	/* Dummy STA entry gets updated once the peer capabilities are known */
8353 	if (info->attrs[NL80211_ATTR_PEER_AID])
8354 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8355 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8356 		params->link_sta_params.ht_capa =
8357 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8358 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8359 		params->link_sta_params.vht_capa =
8360 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8361 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8362 		params->link_sta_params.he_capa =
8363 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8364 		params->link_sta_params.he_capa_len =
8365 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8366 
8367 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8368 			params->link_sta_params.eht_capa =
8369 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8370 			params->link_sta_params.eht_capa_len =
8371 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8372 
8373 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
8374 							(const u8 *)params->link_sta_params.eht_capa,
8375 							params->link_sta_params.eht_capa_len,
8376 							false))
8377 				return -EINVAL;
8378 		}
8379 	}
8380 
8381 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8382 		if (!params->link_sta_params.eht_capa)
8383 			return -EINVAL;
8384 
8385 		params->link_sta_params.uhr_capa =
8386 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8387 		params->link_sta_params.uhr_capa_len =
8388 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8389 	}
8390 
8391 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8392 		params->link_sta_params.s1g_capa =
8393 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8394 
8395 	err = nl80211_parse_sta_channel_info(info, params);
8396 	if (err)
8397 		return err;
8398 
8399 	return nl80211_parse_sta_wme(info, params);
8400 }
8401 
8402 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
8403 					     struct sta_txpwr *txpwr,
8404 					     bool *txpwr_set)
8405 {
8406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8407 	int idx;
8408 
8409 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
8410 		if (!rdev->ops->set_tx_power ||
8411 		    !wiphy_ext_feature_isset(&rdev->wiphy,
8412 					 NL80211_EXT_FEATURE_STA_TX_PWR))
8413 			return -EOPNOTSUPP;
8414 
8415 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
8416 		txpwr->type = nla_get_u8(info->attrs[idx]);
8417 
8418 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
8419 			idx = NL80211_ATTR_STA_TX_POWER;
8420 
8421 			if (info->attrs[idx])
8422 				txpwr->power = nla_get_s16(info->attrs[idx]);
8423 			else
8424 				return -EINVAL;
8425 		}
8426 
8427 		*txpwr_set = true;
8428 	} else {
8429 		*txpwr_set = false;
8430 	}
8431 
8432 	return 0;
8433 }
8434 
8435 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
8436 {
8437 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8438 	struct net_device *dev = info->user_ptr[1];
8439 	struct station_parameters params;
8440 	u8 *mac_addr;
8441 	int err;
8442 
8443 	memset(&params, 0, sizeof(params));
8444 
8445 	if (!rdev->ops->change_station)
8446 		return -EOPNOTSUPP;
8447 
8448 	/*
8449 	 * AID and listen_interval properties can be set only for unassociated
8450 	 * station. Include these parameters here and will check them in
8451 	 * cfg80211_check_station_change().
8452 	 */
8453 	if (info->attrs[NL80211_ATTR_STA_AID])
8454 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8455 
8456 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8457 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8458 
8459 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8460 		params.listen_interval =
8461 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8462 	else
8463 		params.listen_interval = -1;
8464 
8465 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
8466 		params.support_p2p_ps =
8467 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8468 	else
8469 		params.support_p2p_ps = -1;
8470 
8471 	if (!info->attrs[NL80211_ATTR_MAC])
8472 		return -EINVAL;
8473 
8474 	params.link_sta_params.link_id =
8475 		nl80211_link_id_or_invalid(info->attrs);
8476 
8477 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8478 		/* If MLD_ADDR attribute is set then this is an MLD station
8479 		 * and the MLD_ADDR attribute holds the MLD address and the
8480 		 * MAC attribute holds for the LINK address.
8481 		 * In that case, the link_id is also expected to be valid.
8482 		 */
8483 		if (params.link_sta_params.link_id < 0)
8484 			return -EINVAL;
8485 
8486 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8487 		params.link_sta_params.mld_mac = mac_addr;
8488 		params.link_sta_params.link_mac =
8489 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8490 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8491 			return -EINVAL;
8492 	} else {
8493 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8494 	}
8495 
8496 
8497 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
8498 		params.link_sta_params.supported_rates =
8499 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8500 		params.link_sta_params.supported_rates_len =
8501 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8502 	}
8503 
8504 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8505 		params.capability =
8506 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8507 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8508 	}
8509 
8510 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8511 		params.ext_capab =
8512 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8513 		params.ext_capab_len =
8514 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8515 	}
8516 
8517 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8518 		return -EINVAL;
8519 
8520 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8521 		params.plink_action =
8522 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8523 
8524 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
8525 		params.plink_state =
8526 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
8527 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
8528 			params.peer_aid = nla_get_u16(
8529 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
8530 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
8531 	}
8532 
8533 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
8534 		params.local_pm = nla_get_u32(
8535 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
8536 
8537 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8538 		params.link_sta_params.opmode_notif_used = true;
8539 		params.link_sta_params.opmode_notif =
8540 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8541 	}
8542 
8543 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8544 		params.link_sta_params.he_6ghz_capa =
8545 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8546 
8547 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8548 		params.eml_cap_present = true;
8549 		params.eml_cap =
8550 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8551 	}
8552 
8553 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8554 		params.airtime_weight =
8555 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8556 
8557 	if (params.airtime_weight &&
8558 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8559 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8560 		return -EOPNOTSUPP;
8561 
8562 	err = nl80211_parse_sta_txpower_setting(info,
8563 						&params.link_sta_params.txpwr,
8564 						&params.link_sta_params.txpwr_set);
8565 	if (err)
8566 		return err;
8567 
8568 	/* Include parameters for TDLS peer (will check later) */
8569 	err = nl80211_set_station_tdls(info, &params);
8570 	if (err)
8571 		return err;
8572 
8573 	params.vlan = get_vlan(info, rdev);
8574 	if (IS_ERR(params.vlan))
8575 		return PTR_ERR(params.vlan);
8576 
8577 	switch (dev->ieee80211_ptr->iftype) {
8578 	case NL80211_IFTYPE_AP:
8579 	case NL80211_IFTYPE_AP_VLAN:
8580 	case NL80211_IFTYPE_P2P_GO:
8581 	case NL80211_IFTYPE_P2P_CLIENT:
8582 	case NL80211_IFTYPE_STATION:
8583 	case NL80211_IFTYPE_ADHOC:
8584 	case NL80211_IFTYPE_MESH_POINT:
8585 		break;
8586 	default:
8587 		err = -EOPNOTSUPP;
8588 		goto out_put_vlan;
8589 	}
8590 
8591 	/* driver will call cfg80211_check_station_change() */
8592 	err = rdev_change_station(rdev, dev, mac_addr, &params);
8593 
8594  out_put_vlan:
8595 	dev_put(params.vlan);
8596 
8597 	return err;
8598 }
8599 
8600 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
8601 {
8602 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8603 	int err;
8604 	struct net_device *dev = info->user_ptr[1];
8605 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8606 	struct station_parameters params;
8607 	u8 *mac_addr = NULL;
8608 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
8609 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
8610 
8611 	memset(&params, 0, sizeof(params));
8612 
8613 	if (!rdev->ops->add_station)
8614 		return -EOPNOTSUPP;
8615 
8616 	if (!info->attrs[NL80211_ATTR_MAC])
8617 		return -EINVAL;
8618 
8619 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
8620 		return -EINVAL;
8621 
8622 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
8623 		return -EINVAL;
8624 
8625 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
8626 	    !info->attrs[NL80211_ATTR_PEER_AID])
8627 		return -EINVAL;
8628 
8629 	params.link_sta_params.link_id =
8630 		nl80211_link_id_or_invalid(info->attrs);
8631 
8632 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
8633 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
8634 		params.link_sta_params.mld_mac = mac_addr;
8635 		params.link_sta_params.link_mac =
8636 			nla_data(info->attrs[NL80211_ATTR_MAC]);
8637 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
8638 			return -EINVAL;
8639 	} else {
8640 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
8641 	}
8642 
8643 	params.link_sta_params.supported_rates =
8644 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8645 	params.link_sta_params.supported_rates_len =
8646 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
8647 	params.listen_interval =
8648 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
8649 
8650 	if (info->attrs[NL80211_ATTR_VLAN_ID])
8651 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
8652 
8653 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
8654 		params.support_p2p_ps =
8655 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
8656 	} else {
8657 		/*
8658 		 * if not specified, assume it's supported for P2P GO interface,
8659 		 * and is NOT supported for AP interface
8660 		 */
8661 		params.support_p2p_ps =
8662 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
8663 	}
8664 
8665 	if (info->attrs[NL80211_ATTR_PEER_AID])
8666 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
8667 	else
8668 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
8669 
8670 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
8671 		params.capability =
8672 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
8673 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
8674 	}
8675 
8676 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
8677 		params.ext_capab =
8678 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8679 		params.ext_capab_len =
8680 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
8681 	}
8682 
8683 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
8684 		params.link_sta_params.ht_capa =
8685 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
8686 
8687 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
8688 		params.link_sta_params.vht_capa =
8689 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
8690 
8691 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
8692 		params.link_sta_params.he_capa =
8693 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8694 		params.link_sta_params.he_capa_len =
8695 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
8696 
8697 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
8698 			params.link_sta_params.eht_capa =
8699 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8700 			params.link_sta_params.eht_capa_len =
8701 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
8702 
8703 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
8704 							(const u8 *)params.link_sta_params.eht_capa,
8705 							params.link_sta_params.eht_capa_len,
8706 							false))
8707 				return -EINVAL;
8708 		}
8709 	}
8710 
8711 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
8712 		if (!params.link_sta_params.eht_capa)
8713 			return -EINVAL;
8714 
8715 		params.link_sta_params.uhr_capa =
8716 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8717 		params.link_sta_params.uhr_capa_len =
8718 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
8719 	}
8720 
8721 	if (info->attrs[NL80211_ATTR_EML_CAPABILITY]) {
8722 		params.eml_cap_present = true;
8723 		params.eml_cap =
8724 			nla_get_u16(info->attrs[NL80211_ATTR_EML_CAPABILITY]);
8725 	}
8726 
8727 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
8728 		params.link_sta_params.he_6ghz_capa =
8729 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
8730 
8731 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY])
8732 		params.link_sta_params.s1g_capa =
8733 			nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]);
8734 
8735 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
8736 		params.link_sta_params.opmode_notif_used = true;
8737 		params.link_sta_params.opmode_notif =
8738 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
8739 	}
8740 
8741 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
8742 		params.plink_action =
8743 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
8744 
8745 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
8746 		params.airtime_weight =
8747 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
8748 
8749 	if (params.airtime_weight &&
8750 	    !wiphy_ext_feature_isset(&rdev->wiphy,
8751 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
8752 		return -EOPNOTSUPP;
8753 
8754 	err = nl80211_parse_sta_txpower_setting(info,
8755 						&params.link_sta_params.txpwr,
8756 						&params.link_sta_params.txpwr_set);
8757 	if (err)
8758 		return err;
8759 
8760 	err = nl80211_parse_sta_channel_info(info, &params);
8761 	if (err)
8762 		return err;
8763 
8764 	err = nl80211_parse_sta_wme(info, &params);
8765 	if (err)
8766 		return err;
8767 
8768 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
8769 		return -EINVAL;
8770 
8771 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
8772 	 * as userspace might just pass through the capabilities from the IEs
8773 	 * directly, rather than enforcing this restriction and returning an
8774 	 * error in this case.
8775 	 */
8776 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
8777 		params.link_sta_params.ht_capa = NULL;
8778 		params.link_sta_params.vht_capa = NULL;
8779 
8780 		/* HE, EHT and UHR require WME */
8781 		if (params.link_sta_params.he_capa_len ||
8782 		    params.link_sta_params.he_6ghz_capa ||
8783 		    params.link_sta_params.eht_capa_len ||
8784 		    params.link_sta_params.uhr_capa_len)
8785 			return -EINVAL;
8786 	}
8787 
8788 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
8789 	if (params.link_sta_params.he_6ghz_capa &&
8790 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
8791 		return -EINVAL;
8792 
8793 	/* When you run into this, adjust the code below for the new flag */
8794 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
8795 
8796 	switch (dev->ieee80211_ptr->iftype) {
8797 	case NL80211_IFTYPE_AP:
8798 	case NL80211_IFTYPE_AP_VLAN:
8799 	case NL80211_IFTYPE_P2P_GO:
8800 		/* ignore WME attributes if iface/sta is not capable */
8801 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
8802 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
8803 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8804 
8805 		/* TDLS peers cannot be added */
8806 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8807 		    info->attrs[NL80211_ATTR_PEER_AID])
8808 			return -EINVAL;
8809 		/* but don't bother the driver with it */
8810 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
8811 
8812 		/* allow authenticated/associated only if driver handles it */
8813 		if (!(rdev->wiphy.features &
8814 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
8815 		    params.sta_flags_mask & auth_assoc)
8816 			return -EINVAL;
8817 
8818 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
8819 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
8820 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
8821 			return -EINVAL;
8822 
8823 		/* Older userspace, or userspace wanting to be compatible with
8824 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
8825 		 * and assoc flags in the mask, but assumes the station will be
8826 		 * added as associated anyway since this was the required driver
8827 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
8828 		 * introduced.
8829 		 * In order to not bother drivers with this quirk in the API
8830 		 * set the flags in both the mask and set for new stations in
8831 		 * this case.
8832 		 */
8833 		if (!(params.sta_flags_mask & auth_assoc)) {
8834 			params.sta_flags_mask |= auth_assoc;
8835 			params.sta_flags_set |= auth_assoc;
8836 		}
8837 
8838 		/* must be last in here for error handling */
8839 		params.vlan = get_vlan(info, rdev);
8840 		if (IS_ERR(params.vlan))
8841 			return PTR_ERR(params.vlan);
8842 		break;
8843 	case NL80211_IFTYPE_MESH_POINT:
8844 		/* ignore uAPSD data */
8845 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8846 
8847 		/* associated is disallowed */
8848 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
8849 			return -EINVAL;
8850 		/* TDLS peers cannot be added */
8851 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
8852 		    info->attrs[NL80211_ATTR_PEER_AID])
8853 			return -EINVAL;
8854 		break;
8855 	case NL80211_IFTYPE_STATION:
8856 	case NL80211_IFTYPE_P2P_CLIENT:
8857 		/* ignore uAPSD data */
8858 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
8859 
8860 		/* these are disallowed */
8861 		if (params.sta_flags_mask &
8862 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
8863 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
8864 			return -EINVAL;
8865 		/* Only TDLS peers can be added */
8866 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
8867 			return -EINVAL;
8868 		/* Can only add if TDLS ... */
8869 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
8870 			return -EOPNOTSUPP;
8871 		/* ... with external setup is supported */
8872 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
8873 			return -EOPNOTSUPP;
8874 		/*
8875 		 * Older wpa_supplicant versions always mark the TDLS peer
8876 		 * as authorized, but it shouldn't yet be.
8877 		 */
8878 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
8879 		break;
8880 	default:
8881 		return -EOPNOTSUPP;
8882 	}
8883 
8884 	/* be aware of params.vlan when changing code here */
8885 
8886 	if (wdev->valid_links) {
8887 		if (params.link_sta_params.link_id < 0) {
8888 			err = -EINVAL;
8889 			goto out;
8890 		}
8891 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
8892 			err = -ENOLINK;
8893 			goto out;
8894 		}
8895 	} else {
8896 		if (params.link_sta_params.link_id >= 0) {
8897 			err = -EINVAL;
8898 			goto out;
8899 		}
8900 	}
8901 
8902 	params.epp_peer =
8903 		nla_get_flag(info->attrs[NL80211_ATTR_EPP_PEER]);
8904 
8905 	err = rdev_add_station(rdev, dev, mac_addr, &params);
8906 out:
8907 	dev_put(params.vlan);
8908 	return err;
8909 }
8910 
8911 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
8912 {
8913 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8914 	struct net_device *dev = info->user_ptr[1];
8915 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8916 	struct station_del_parameters params;
8917 	int link_id = nl80211_link_id_or_invalid(info->attrs);
8918 
8919 	memset(&params, 0, sizeof(params));
8920 
8921 	if (info->attrs[NL80211_ATTR_MAC])
8922 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
8923 
8924 	switch (wdev->iftype) {
8925 	case NL80211_IFTYPE_AP:
8926 	case NL80211_IFTYPE_AP_VLAN:
8927 	case NL80211_IFTYPE_MESH_POINT:
8928 	case NL80211_IFTYPE_P2P_GO:
8929 		/* always accept these */
8930 		break;
8931 	case NL80211_IFTYPE_ADHOC:
8932 		/* conditionally accept */
8933 		if (wiphy_ext_feature_isset(&rdev->wiphy,
8934 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
8935 			break;
8936 		return -EINVAL;
8937 	default:
8938 		return -EINVAL;
8939 	}
8940 
8941 	if (!rdev->ops->del_station)
8942 		return -EOPNOTSUPP;
8943 
8944 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
8945 		params.subtype =
8946 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
8947 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
8948 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
8949 			return -EINVAL;
8950 	} else {
8951 		/* Default to Deauthentication frame */
8952 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
8953 	}
8954 
8955 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
8956 		params.reason_code =
8957 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
8958 		if (params.reason_code == 0)
8959 			return -EINVAL; /* 0 is reserved */
8960 	} else {
8961 		/* Default to reason code 2 */
8962 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
8963 	}
8964 
8965 	/* Link ID not expected in case of non-ML operation */
8966 	if (!wdev->valid_links && link_id != -1)
8967 		return -EINVAL;
8968 
8969 	/* If given, a valid link ID should be passed during MLO */
8970 	if (wdev->valid_links && link_id >= 0 &&
8971 	    !(wdev->valid_links & BIT(link_id)))
8972 		return -EINVAL;
8973 
8974 	params.link_id = link_id;
8975 
8976 	return rdev_del_station(rdev, dev, &params);
8977 }
8978 
8979 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
8980 				int flags, struct net_device *dev,
8981 				u8 *dst, u8 *next_hop,
8982 				struct mpath_info *pinfo)
8983 {
8984 	void *hdr;
8985 	struct nlattr *pinfoattr;
8986 
8987 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
8988 	if (!hdr)
8989 		return -1;
8990 
8991 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8992 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
8993 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
8994 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
8995 		goto nla_put_failure;
8996 
8997 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
8998 	if (!pinfoattr)
8999 		goto nla_put_failure;
9000 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
9001 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
9002 			pinfo->frame_qlen))
9003 		goto nla_put_failure;
9004 	if (((pinfo->filled & MPATH_INFO_SN) &&
9005 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
9006 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
9007 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
9008 			 pinfo->metric)) ||
9009 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
9010 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
9011 			 pinfo->exptime)) ||
9012 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
9013 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
9014 			pinfo->flags)) ||
9015 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
9016 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
9017 			 pinfo->discovery_timeout)) ||
9018 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
9019 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
9020 			pinfo->discovery_retries)) ||
9021 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
9022 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
9023 			pinfo->hop_count)) ||
9024 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
9025 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
9026 			 pinfo->path_change_count)))
9027 		goto nla_put_failure;
9028 
9029 	nla_nest_end(msg, pinfoattr);
9030 
9031 	genlmsg_end(msg, hdr);
9032 	return 0;
9033 
9034  nla_put_failure:
9035 	genlmsg_cancel(msg, hdr);
9036 	return -EMSGSIZE;
9037 }
9038 
9039 static int nl80211_dump_mpath(struct sk_buff *skb,
9040 			      struct netlink_callback *cb)
9041 {
9042 	struct mpath_info pinfo;
9043 	struct cfg80211_registered_device *rdev;
9044 	struct wireless_dev *wdev;
9045 	u8 dst[ETH_ALEN];
9046 	u8 next_hop[ETH_ALEN];
9047 	int path_idx = cb->args[2];
9048 	int err;
9049 
9050 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9051 	if (err)
9052 		return err;
9053 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9054 	__acquire(&rdev->wiphy.mtx);
9055 
9056 	if (!rdev->ops->dump_mpath) {
9057 		err = -EOPNOTSUPP;
9058 		goto out_err;
9059 	}
9060 
9061 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9062 		err = -EOPNOTSUPP;
9063 		goto out_err;
9064 	}
9065 
9066 	while (1) {
9067 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
9068 				      next_hop, &pinfo);
9069 		if (err == -ENOENT)
9070 			break;
9071 		if (err)
9072 			goto out_err;
9073 
9074 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9075 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9076 				       wdev->netdev, dst, next_hop,
9077 				       &pinfo) < 0)
9078 			goto out;
9079 
9080 		path_idx++;
9081 	}
9082 
9083  out:
9084 	cb->args[2] = path_idx;
9085 	err = skb->len;
9086  out_err:
9087 	wiphy_unlock(&rdev->wiphy);
9088 	return err;
9089 }
9090 
9091 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
9092 {
9093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9094 	int err;
9095 	struct net_device *dev = info->user_ptr[1];
9096 	struct mpath_info pinfo;
9097 	struct sk_buff *msg;
9098 	u8 *dst = NULL;
9099 	u8 next_hop[ETH_ALEN];
9100 
9101 	memset(&pinfo, 0, sizeof(pinfo));
9102 
9103 	if (!info->attrs[NL80211_ATTR_MAC])
9104 		return -EINVAL;
9105 
9106 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9107 
9108 	if (!rdev->ops->get_mpath)
9109 		return -EOPNOTSUPP;
9110 
9111 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9112 		return -EOPNOTSUPP;
9113 
9114 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
9115 	if (err)
9116 		return err;
9117 
9118 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9119 	if (!msg)
9120 		return -ENOMEM;
9121 
9122 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9123 				 dev, dst, next_hop, &pinfo) < 0) {
9124 		nlmsg_free(msg);
9125 		return -ENOBUFS;
9126 	}
9127 
9128 	return genlmsg_reply(msg, info);
9129 }
9130 
9131 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
9132 {
9133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9134 	struct net_device *dev = info->user_ptr[1];
9135 	u8 *dst = NULL;
9136 	u8 *next_hop = NULL;
9137 
9138 	if (!info->attrs[NL80211_ATTR_MAC])
9139 		return -EINVAL;
9140 
9141 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9142 		return -EINVAL;
9143 
9144 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9145 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9146 
9147 	if (!rdev->ops->change_mpath)
9148 		return -EOPNOTSUPP;
9149 
9150 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9151 		return -EOPNOTSUPP;
9152 
9153 	return rdev_change_mpath(rdev, dev, dst, next_hop);
9154 }
9155 
9156 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
9157 {
9158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9159 	struct net_device *dev = info->user_ptr[1];
9160 	u8 *dst = NULL;
9161 	u8 *next_hop = NULL;
9162 
9163 	if (!info->attrs[NL80211_ATTR_MAC])
9164 		return -EINVAL;
9165 
9166 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
9167 		return -EINVAL;
9168 
9169 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9170 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
9171 
9172 	if (!rdev->ops->add_mpath)
9173 		return -EOPNOTSUPP;
9174 
9175 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9176 		return -EOPNOTSUPP;
9177 
9178 	return rdev_add_mpath(rdev, dev, dst, next_hop);
9179 }
9180 
9181 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
9182 {
9183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9184 	struct net_device *dev = info->user_ptr[1];
9185 	u8 *dst = NULL;
9186 
9187 	if (info->attrs[NL80211_ATTR_MAC])
9188 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9189 
9190 	if (!rdev->ops->del_mpath)
9191 		return -EOPNOTSUPP;
9192 
9193 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9194 		return -EOPNOTSUPP;
9195 
9196 	return rdev_del_mpath(rdev, dev, dst);
9197 }
9198 
9199 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
9200 {
9201 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9202 	int err;
9203 	struct net_device *dev = info->user_ptr[1];
9204 	struct mpath_info pinfo;
9205 	struct sk_buff *msg;
9206 	u8 *dst = NULL;
9207 	u8 mpp[ETH_ALEN];
9208 
9209 	memset(&pinfo, 0, sizeof(pinfo));
9210 
9211 	if (!info->attrs[NL80211_ATTR_MAC])
9212 		return -EINVAL;
9213 
9214 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
9215 
9216 	if (!rdev->ops->get_mpp)
9217 		return -EOPNOTSUPP;
9218 
9219 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
9220 		return -EOPNOTSUPP;
9221 
9222 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
9223 	if (err)
9224 		return err;
9225 
9226 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9227 	if (!msg)
9228 		return -ENOMEM;
9229 
9230 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
9231 			       dev, dst, mpp, &pinfo) < 0) {
9232 		nlmsg_free(msg);
9233 		return -ENOBUFS;
9234 	}
9235 
9236 	return genlmsg_reply(msg, info);
9237 }
9238 
9239 static int nl80211_dump_mpp(struct sk_buff *skb,
9240 			    struct netlink_callback *cb)
9241 {
9242 	struct mpath_info pinfo;
9243 	struct cfg80211_registered_device *rdev;
9244 	struct wireless_dev *wdev;
9245 	u8 dst[ETH_ALEN];
9246 	u8 mpp[ETH_ALEN];
9247 	int path_idx = cb->args[2];
9248 	int err;
9249 
9250 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9251 	if (err)
9252 		return err;
9253 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9254 	__acquire(&rdev->wiphy.mtx);
9255 
9256 	if (!rdev->ops->dump_mpp) {
9257 		err = -EOPNOTSUPP;
9258 		goto out_err;
9259 	}
9260 
9261 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
9262 		err = -EOPNOTSUPP;
9263 		goto out_err;
9264 	}
9265 
9266 	while (1) {
9267 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
9268 				    mpp, &pinfo);
9269 		if (err == -ENOENT)
9270 			break;
9271 		if (err)
9272 			goto out_err;
9273 
9274 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
9275 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
9276 				       wdev->netdev, dst, mpp,
9277 				       &pinfo) < 0)
9278 			goto out;
9279 
9280 		path_idx++;
9281 	}
9282 
9283  out:
9284 	cb->args[2] = path_idx;
9285 	err = skb->len;
9286  out_err:
9287 	wiphy_unlock(&rdev->wiphy);
9288 	return err;
9289 }
9290 
9291 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
9292 {
9293 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9294 	struct net_device *dev = info->user_ptr[1];
9295 	struct bss_parameters params;
9296 	u32 bss_param_support = rdev->wiphy.bss_param_support;
9297 	u32 changed = 0;
9298 	bool strict;
9299 
9300 	memset(&params, 0, sizeof(params));
9301 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
9302 	/* default to not changing parameters */
9303 	params.use_cts_prot = -1;
9304 	params.use_short_preamble = -1;
9305 	params.use_short_slot_time = -1;
9306 	params.ap_isolate = -1;
9307 	params.ht_opmode = -1;
9308 	params.p2p_ctwindow = -1;
9309 	params.p2p_opp_ps = -1;
9310 
9311 	strict = nla_get_flag(info->attrs[NL80211_ATTR_BSS_PARAM]);
9312 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT]) {
9313 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_CTS_PROT))
9314 			return -EINVAL;
9315 		params.use_cts_prot =
9316 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
9317 		changed |= WIPHY_BSS_PARAM_CTS_PROT;
9318 	}
9319 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]) {
9320 		if (strict &&
9321 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_PREAMBLE))
9322 			return -EINVAL;
9323 		params.use_short_preamble =
9324 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
9325 		changed |= WIPHY_BSS_PARAM_SHORT_PREAMBLE;
9326 	}
9327 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]) {
9328 		if (strict &&
9329 		    !(bss_param_support & WIPHY_BSS_PARAM_SHORT_SLOT_TIME))
9330 			return -EINVAL;
9331 		params.use_short_slot_time =
9332 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
9333 		changed |= WIPHY_BSS_PARAM_SHORT_SLOT_TIME;
9334 	}
9335 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9336 		if (strict &&
9337 		    !(bss_param_support & WIPHY_BSS_PARAM_BASIC_RATES))
9338 			return -EINVAL;
9339 		params.basic_rates =
9340 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9341 		params.basic_rates_len =
9342 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9343 		changed |= WIPHY_BSS_PARAM_BASIC_RATES;
9344 	}
9345 	if (info->attrs[NL80211_ATTR_AP_ISOLATE]) {
9346 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_AP_ISOLATE))
9347 			return -EINVAL;
9348 		params.ap_isolate =
9349 			!!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
9350 		changed |= WIPHY_BSS_PARAM_AP_ISOLATE;
9351 	}
9352 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE]) {
9353 		if (strict && !(bss_param_support & WIPHY_BSS_PARAM_HT_OPMODE))
9354 			return -EINVAL;
9355 		params.ht_opmode =
9356 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
9357 		changed |= WIPHY_BSS_PARAM_HT_OPMODE;
9358 	}
9359 
9360 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
9361 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9362 			return -EINVAL;
9363 		params.p2p_ctwindow =
9364 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
9365 		if (params.p2p_ctwindow != 0 &&
9366 		    !(bss_param_support & WIPHY_BSS_PARAM_P2P_CTWINDOW))
9367 			return -EINVAL;
9368 		changed |= WIPHY_BSS_PARAM_P2P_CTWINDOW;
9369 	}
9370 
9371 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
9372 		u8 tmp;
9373 
9374 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9375 			return -EINVAL;
9376 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
9377 		if (tmp && !(bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9378 			return -EINVAL;
9379 		params.p2p_opp_ps = tmp;
9380 		if (params.p2p_opp_ps &&
9381 		    !(rdev->wiphy.bss_param_support & WIPHY_BSS_PARAM_P2P_OPPPS))
9382 			return -EINVAL;
9383 	}
9384 
9385 	if (!rdev->ops->change_bss)
9386 		return -EOPNOTSUPP;
9387 
9388 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
9389 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
9390 		return -EOPNOTSUPP;
9391 
9392 	changed &= rdev->wiphy.bss_param_support;
9393 	if (!changed)
9394 		return 0;
9395 
9396 	return rdev_change_bss(rdev, dev, &params);
9397 }
9398 
9399 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
9400 {
9401 	char *data = NULL;
9402 	bool is_indoor;
9403 	enum nl80211_user_reg_hint_type user_reg_hint_type;
9404 	u32 owner_nlportid;
9405 
9406 	/*
9407 	 * You should only get this when cfg80211 hasn't yet initialized
9408 	 * completely when built-in to the kernel right between the time
9409 	 * window between nl80211_init() and regulatory_init(), if that is
9410 	 * even possible.
9411 	 */
9412 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
9413 		return -EINPROGRESS;
9414 
9415 	user_reg_hint_type =
9416 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
9417 				    NL80211_USER_REG_HINT_USER);
9418 
9419 	switch (user_reg_hint_type) {
9420 	case NL80211_USER_REG_HINT_USER:
9421 	case NL80211_USER_REG_HINT_CELL_BASE:
9422 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
9423 			return -EINVAL;
9424 
9425 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
9426 		return regulatory_hint_user(data, user_reg_hint_type);
9427 	case NL80211_USER_REG_HINT_INDOOR:
9428 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9429 			owner_nlportid = info->snd_portid;
9430 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
9431 		} else {
9432 			owner_nlportid = 0;
9433 			is_indoor = true;
9434 		}
9435 
9436 		regulatory_hint_indoor(is_indoor, owner_nlportid);
9437 		return 0;
9438 	default:
9439 		return -EINVAL;
9440 	}
9441 }
9442 
9443 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
9444 {
9445 	return reg_reload_regdb();
9446 }
9447 
9448 static int nl80211_get_mesh_config(struct sk_buff *skb,
9449 				   struct genl_info *info)
9450 {
9451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9452 	struct net_device *dev = info->user_ptr[1];
9453 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9454 	struct mesh_config cur_params;
9455 	int err = 0;
9456 	void *hdr;
9457 	struct nlattr *pinfoattr;
9458 	struct sk_buff *msg;
9459 
9460 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9461 		return -EOPNOTSUPP;
9462 
9463 	if (!rdev->ops->get_mesh_config)
9464 		return -EOPNOTSUPP;
9465 
9466 	/* If not connected, get default parameters */
9467 	if (!wdev->u.mesh.id_len)
9468 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
9469 	else
9470 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
9471 
9472 	if (err)
9473 		return err;
9474 
9475 	/* Draw up a netlink message to send back */
9476 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9477 	if (!msg)
9478 		return -ENOMEM;
9479 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9480 			     NL80211_CMD_GET_MESH_CONFIG);
9481 	if (!hdr)
9482 		goto out;
9483 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
9484 	if (!pinfoattr)
9485 		goto nla_put_failure;
9486 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
9487 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
9488 			cur_params.dot11MeshRetryTimeout) ||
9489 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
9490 			cur_params.dot11MeshConfirmTimeout) ||
9491 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
9492 			cur_params.dot11MeshHoldingTimeout) ||
9493 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
9494 			cur_params.dot11MeshMaxPeerLinks) ||
9495 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
9496 		       cur_params.dot11MeshMaxRetries) ||
9497 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
9498 		       cur_params.dot11MeshTTL) ||
9499 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
9500 		       cur_params.element_ttl) ||
9501 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9502 		       cur_params.auto_open_plinks) ||
9503 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9504 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
9505 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9506 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
9507 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
9508 			cur_params.path_refresh_time) ||
9509 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9510 			cur_params.min_discovery_timeout) ||
9511 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9512 			cur_params.dot11MeshHWMPactivePathTimeout) ||
9513 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9514 			cur_params.dot11MeshHWMPpreqMinInterval) ||
9515 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9516 			cur_params.dot11MeshHWMPperrMinInterval) ||
9517 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9518 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
9519 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
9520 		       cur_params.dot11MeshHWMPRootMode) ||
9521 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9522 			cur_params.dot11MeshHWMPRannInterval) ||
9523 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9524 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
9525 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
9526 		       cur_params.dot11MeshForwarding) ||
9527 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
9528 			cur_params.rssi_threshold) ||
9529 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
9530 			cur_params.ht_opmode) ||
9531 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9532 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
9533 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9534 			cur_params.dot11MeshHWMProotInterval) ||
9535 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9536 			cur_params.dot11MeshHWMPconfirmationInterval) ||
9537 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
9538 			cur_params.power_mode) ||
9539 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
9540 			cur_params.dot11MeshAwakeWindowDuration) ||
9541 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
9542 			cur_params.plink_timeout) ||
9543 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
9544 		       cur_params.dot11MeshConnectedToMeshGate) ||
9545 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
9546 		       cur_params.dot11MeshNolearn) ||
9547 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
9548 		       cur_params.dot11MeshConnectedToAuthServer))
9549 		goto nla_put_failure;
9550 	nla_nest_end(msg, pinfoattr);
9551 	genlmsg_end(msg, hdr);
9552 	return genlmsg_reply(msg, info);
9553 
9554  nla_put_failure:
9555  out:
9556 	nlmsg_free(msg);
9557 	return -ENOBUFS;
9558 }
9559 
9560 static const struct nla_policy
9561 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
9562 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
9563 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9564 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
9565 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9566 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
9567 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
9568 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
9569 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
9570 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
9571 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9572 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
9573 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
9574 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
9575 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
9576 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
9577 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
9578 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
9579 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
9580 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
9581 		NLA_POLICY_MIN(NLA_U16, 1),
9582 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
9583 		NLA_POLICY_MIN(NLA_U16, 1),
9584 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
9585 		NLA_POLICY_MIN(NLA_U16, 1),
9586 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
9587 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
9588 		NLA_POLICY_MIN(NLA_U16, 1),
9589 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
9590 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
9591 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
9592 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
9593 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
9594 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
9595 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
9596 		NLA_POLICY_MIN(NLA_U16, 1),
9597 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
9598 		NLA_POLICY_MIN(NLA_U16, 1),
9599 	[NL80211_MESHCONF_POWER_MODE] =
9600 		NLA_POLICY_RANGE(NLA_U32,
9601 				 NL80211_MESH_POWER_ACTIVE,
9602 				 NL80211_MESH_POWER_MAX),
9603 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
9604 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
9605 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9606 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9607 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
9608 };
9609 
9610 static const struct nla_policy
9611 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
9612 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
9613 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
9614 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
9615 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
9616 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
9617 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
9618 	[NL80211_MESH_SETUP_IE] =
9619 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
9620 				       IEEE80211_MAX_DATA_LEN),
9621 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
9622 };
9623 
9624 static int nl80211_parse_mesh_config(struct genl_info *info,
9625 				     struct mesh_config *cfg,
9626 				     u32 *mask_out)
9627 {
9628 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
9629 	u32 mask = 0;
9630 	u16 ht_opmode;
9631 
9632 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
9633 do {									\
9634 	if (tb[attr]) {							\
9635 		cfg->param = fn(tb[attr]);				\
9636 		mask |= BIT((attr) - 1);				\
9637 	}								\
9638 } while (0)
9639 
9640 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
9641 		return -EINVAL;
9642 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
9643 		return -EINVAL;
9644 
9645 	/* This makes sure that there aren't more than 32 mesh config
9646 	 * parameters (otherwise our bitfield scheme would not work.) */
9647 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
9648 
9649 	/* Fill in the params struct */
9650 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
9651 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
9652 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
9653 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
9654 				  nla_get_u16);
9655 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
9656 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
9657 				  nla_get_u16);
9658 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
9659 				  NL80211_MESHCONF_MAX_PEER_LINKS,
9660 				  nla_get_u16);
9661 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
9662 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
9663 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
9664 				  NL80211_MESHCONF_TTL, nla_get_u8);
9665 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
9666 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
9667 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
9668 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
9669 				  nla_get_u8);
9670 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
9671 				  mask,
9672 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
9673 				  nla_get_u32);
9674 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
9675 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
9676 				  nla_get_u8);
9677 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
9678 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
9679 				  nla_get_u32);
9680 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
9681 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
9682 		return -EINVAL;
9683 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
9684 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
9685 				  nla_get_u16);
9686 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
9687 				  mask,
9688 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
9689 				  nla_get_u32);
9690 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
9691 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
9692 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
9693 		return -EINVAL;
9694 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
9695 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
9696 				  nla_get_u16);
9697 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
9698 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
9699 				  nla_get_u16);
9700 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9701 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
9702 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
9703 				  nla_get_u16);
9704 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
9705 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
9706 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
9707 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
9708 				  nla_get_u16);
9709 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
9710 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
9711 				  nla_get_u8);
9712 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
9713 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
9714 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
9715 				  NL80211_MESHCONF_RSSI_THRESHOLD,
9716 				  nla_get_s32);
9717 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
9718 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
9719 				  nla_get_u8);
9720 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
9721 				  NL80211_MESHCONF_CONNECTED_TO_AS,
9722 				  nla_get_u8);
9723 	/*
9724 	 * Check HT operation mode based on
9725 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
9726 	 */
9727 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
9728 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
9729 
9730 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
9731 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
9732 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
9733 			return -EINVAL;
9734 
9735 		/* NON_HT_STA bit is reserved, but some programs set it */
9736 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
9737 
9738 		cfg->ht_opmode = ht_opmode;
9739 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
9740 	}
9741 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
9742 				  dot11MeshHWMPactivePathToRootTimeout, mask,
9743 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
9744 				  nla_get_u32);
9745 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
9746 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
9747 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
9748 		return -EINVAL;
9749 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
9750 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
9751 				  nla_get_u16);
9752 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
9753 				  mask,
9754 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
9755 				  nla_get_u16);
9756 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
9757 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
9758 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
9759 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
9760 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
9761 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
9762 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
9763 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
9764 	if (mask_out)
9765 		*mask_out = mask;
9766 
9767 	return 0;
9768 
9769 #undef FILL_IN_MESH_PARAM_IF_SET
9770 }
9771 
9772 static int nl80211_parse_mesh_setup(struct genl_info *info,
9773 				     struct mesh_setup *setup)
9774 {
9775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9776 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
9777 
9778 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
9779 		return -EINVAL;
9780 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
9781 		return -EINVAL;
9782 
9783 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
9784 		setup->sync_method =
9785 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
9786 		 IEEE80211_SYNC_METHOD_VENDOR :
9787 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
9788 
9789 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
9790 		setup->path_sel_proto =
9791 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
9792 		 IEEE80211_PATH_PROTOCOL_VENDOR :
9793 		 IEEE80211_PATH_PROTOCOL_HWMP;
9794 
9795 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
9796 		setup->path_metric =
9797 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
9798 		 IEEE80211_PATH_METRIC_VENDOR :
9799 		 IEEE80211_PATH_METRIC_AIRTIME;
9800 
9801 	if (tb[NL80211_MESH_SETUP_IE]) {
9802 		struct nlattr *ieattr =
9803 			tb[NL80211_MESH_SETUP_IE];
9804 		setup->ie = nla_data(ieattr);
9805 		setup->ie_len = nla_len(ieattr);
9806 	}
9807 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
9808 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
9809 		return -EINVAL;
9810 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
9811 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
9812 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
9813 	if (setup->is_secure)
9814 		setup->user_mpm = true;
9815 
9816 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
9817 		if (!setup->user_mpm)
9818 			return -EINVAL;
9819 		setup->auth_id =
9820 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
9821 	}
9822 
9823 	return 0;
9824 }
9825 
9826 static int nl80211_update_mesh_config(struct sk_buff *skb,
9827 				      struct genl_info *info)
9828 {
9829 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9830 	struct net_device *dev = info->user_ptr[1];
9831 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9832 	struct mesh_config cfg = {};
9833 	u32 mask;
9834 	int err;
9835 
9836 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
9837 		return -EOPNOTSUPP;
9838 
9839 	if (!rdev->ops->update_mesh_config)
9840 		return -EOPNOTSUPP;
9841 
9842 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
9843 	if (err)
9844 		return err;
9845 
9846 	if (!wdev->u.mesh.id_len)
9847 		err = -ENOLINK;
9848 
9849 	if (!err)
9850 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
9851 
9852 	return err;
9853 }
9854 
9855 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
9856 			      struct sk_buff *msg)
9857 {
9858 	struct nlattr *nl_reg_rules;
9859 	unsigned int i;
9860 
9861 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
9862 	    (regdom->dfs_region &&
9863 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
9864 		goto nla_put_failure;
9865 
9866 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
9867 	if (!nl_reg_rules)
9868 		goto nla_put_failure;
9869 
9870 	for (i = 0; i < regdom->n_reg_rules; i++) {
9871 		struct nlattr *nl_reg_rule;
9872 		const struct ieee80211_reg_rule *reg_rule;
9873 		const struct ieee80211_freq_range *freq_range;
9874 		const struct ieee80211_power_rule *power_rule;
9875 		unsigned int max_bandwidth_khz;
9876 
9877 		reg_rule = &regdom->reg_rules[i];
9878 		freq_range = &reg_rule->freq_range;
9879 		power_rule = &reg_rule->power_rule;
9880 
9881 		nl_reg_rule = nla_nest_start_noflag(msg, i);
9882 		if (!nl_reg_rule)
9883 			goto nla_put_failure;
9884 
9885 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
9886 		if (!max_bandwidth_khz)
9887 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
9888 								  reg_rule);
9889 
9890 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
9891 				reg_rule->flags) ||
9892 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
9893 				freq_range->start_freq_khz) ||
9894 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
9895 				freq_range->end_freq_khz) ||
9896 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
9897 				max_bandwidth_khz) ||
9898 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
9899 				power_rule->max_antenna_gain) ||
9900 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
9901 				power_rule->max_eirp) ||
9902 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
9903 				reg_rule->dfs_cac_ms))
9904 			goto nla_put_failure;
9905 
9906 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
9907 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
9908 			       reg_rule->psd))
9909 			goto nla_put_failure;
9910 
9911 		nla_nest_end(msg, nl_reg_rule);
9912 	}
9913 
9914 	nla_nest_end(msg, nl_reg_rules);
9915 	return 0;
9916 
9917 nla_put_failure:
9918 	return -EMSGSIZE;
9919 }
9920 
9921 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
9922 {
9923 	const struct ieee80211_regdomain *regdom = NULL;
9924 	struct cfg80211_registered_device *rdev;
9925 	struct wiphy *wiphy = NULL;
9926 	struct sk_buff *msg;
9927 	int err = -EMSGSIZE;
9928 	void *hdr;
9929 
9930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
9931 	if (!msg)
9932 		return -ENOBUFS;
9933 
9934 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
9935 			     NL80211_CMD_GET_REG);
9936 	if (!hdr)
9937 		goto put_failure;
9938 
9939 	rtnl_lock();
9940 
9941 	if (info->attrs[NL80211_ATTR_WIPHY]) {
9942 		bool self_managed;
9943 
9944 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
9945 		if (IS_ERR(rdev)) {
9946 			err = PTR_ERR(rdev);
9947 			goto nla_put_failure;
9948 		}
9949 
9950 		wiphy = &rdev->wiphy;
9951 		self_managed = wiphy->regulatory_flags &
9952 			       REGULATORY_WIPHY_SELF_MANAGED;
9953 
9954 		rcu_read_lock();
9955 
9956 		regdom = get_wiphy_regdom(wiphy);
9957 
9958 		/* a self-managed-reg device must have a private regdom */
9959 		if (WARN_ON(!regdom && self_managed)) {
9960 			err = -EINVAL;
9961 			goto nla_put_failure_rcu;
9962 		}
9963 
9964 		if (regdom &&
9965 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
9966 			goto nla_put_failure_rcu;
9967 	} else {
9968 		rcu_read_lock();
9969 	}
9970 
9971 	if (!wiphy && reg_last_request_cell_base() &&
9972 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
9973 			NL80211_USER_REG_HINT_CELL_BASE))
9974 		goto nla_put_failure_rcu;
9975 
9976 	if (!regdom)
9977 		regdom = rcu_dereference(cfg80211_regdomain);
9978 
9979 	if (nl80211_put_regdom(regdom, msg))
9980 		goto nla_put_failure_rcu;
9981 
9982 	rcu_read_unlock();
9983 
9984 	genlmsg_end(msg, hdr);
9985 	rtnl_unlock();
9986 	return genlmsg_reply(msg, info);
9987 
9988 nla_put_failure_rcu:
9989 	rcu_read_unlock();
9990 nla_put_failure:
9991 	rtnl_unlock();
9992 put_failure:
9993 	nlmsg_free(msg);
9994 	return err;
9995 }
9996 
9997 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
9998 			       u32 seq, int flags, struct wiphy *wiphy,
9999 			       const struct ieee80211_regdomain *regdom)
10000 {
10001 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10002 				   NL80211_CMD_GET_REG);
10003 
10004 	if (!hdr)
10005 		return -1;
10006 
10007 	genl_dump_check_consistent(cb, hdr);
10008 
10009 	if (nl80211_put_regdom(regdom, msg))
10010 		goto nla_put_failure;
10011 
10012 	if (!wiphy && reg_last_request_cell_base() &&
10013 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
10014 			NL80211_USER_REG_HINT_CELL_BASE))
10015 		goto nla_put_failure;
10016 
10017 	if (wiphy &&
10018 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
10019 		goto nla_put_failure;
10020 
10021 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
10022 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
10023 		goto nla_put_failure;
10024 
10025 	genlmsg_end(msg, hdr);
10026 	return 0;
10027 
10028 nla_put_failure:
10029 	genlmsg_cancel(msg, hdr);
10030 	return -EMSGSIZE;
10031 }
10032 
10033 static int nl80211_get_reg_dump(struct sk_buff *skb,
10034 				struct netlink_callback *cb)
10035 {
10036 	const struct ieee80211_regdomain *regdom = NULL;
10037 	struct cfg80211_registered_device *rdev;
10038 	int err, reg_idx, start = cb->args[2];
10039 
10040 	rcu_read_lock();
10041 
10042 	if (cfg80211_regdomain && start == 0) {
10043 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10044 					  NLM_F_MULTI, NULL,
10045 					  rcu_dereference(cfg80211_regdomain));
10046 		if (err < 0)
10047 			goto out_err;
10048 	}
10049 
10050 	/* the global regdom is idx 0 */
10051 	reg_idx = 1;
10052 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
10053 		regdom = get_wiphy_regdom(&rdev->wiphy);
10054 		if (!regdom)
10055 			continue;
10056 
10057 		if (++reg_idx <= start)
10058 			continue;
10059 
10060 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
10061 					  NLM_F_MULTI, &rdev->wiphy, regdom);
10062 		if (err < 0) {
10063 			reg_idx--;
10064 			break;
10065 		}
10066 	}
10067 
10068 	cb->args[2] = reg_idx;
10069 	err = skb->len;
10070 out_err:
10071 	rcu_read_unlock();
10072 	return err;
10073 }
10074 
10075 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
10076 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
10077 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
10078 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
10079 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
10080 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
10081 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
10082 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
10083 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
10084 };
10085 
10086 static int parse_reg_rule(struct nlattr *tb[],
10087 	struct ieee80211_reg_rule *reg_rule)
10088 {
10089 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
10090 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
10091 
10092 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
10093 		return -EINVAL;
10094 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
10095 		return -EINVAL;
10096 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
10097 		return -EINVAL;
10098 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
10099 		return -EINVAL;
10100 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
10101 		return -EINVAL;
10102 
10103 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
10104 
10105 	freq_range->start_freq_khz =
10106 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
10107 	freq_range->end_freq_khz =
10108 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
10109 	freq_range->max_bandwidth_khz =
10110 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
10111 
10112 	power_rule->max_eirp =
10113 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
10114 
10115 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
10116 		power_rule->max_antenna_gain =
10117 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
10118 
10119 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
10120 		reg_rule->dfs_cac_ms =
10121 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
10122 
10123 	return 0;
10124 }
10125 
10126 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
10127 {
10128 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
10129 	struct nlattr *nl_reg_rule;
10130 	char *alpha2;
10131 	int rem_reg_rules, r;
10132 	u32 num_rules = 0, rule_idx = 0;
10133 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
10134 	struct ieee80211_regdomain *rd;
10135 
10136 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
10137 		return -EINVAL;
10138 
10139 	if (!info->attrs[NL80211_ATTR_REG_RULES])
10140 		return -EINVAL;
10141 
10142 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
10143 
10144 	if (info->attrs[NL80211_ATTR_DFS_REGION])
10145 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
10146 
10147 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10148 			    rem_reg_rules) {
10149 		num_rules++;
10150 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
10151 			return -EINVAL;
10152 	}
10153 
10154 	rtnl_lock();
10155 	if (!reg_is_valid_request(alpha2)) {
10156 		r = -EINVAL;
10157 		goto out;
10158 	}
10159 
10160 	rd = kzalloc_flex(*rd, reg_rules, num_rules, GFP_KERNEL);
10161 	if (!rd) {
10162 		r = -ENOMEM;
10163 		goto out;
10164 	}
10165 
10166 	rd->n_reg_rules = num_rules;
10167 	rd->alpha2[0] = alpha2[0];
10168 	rd->alpha2[1] = alpha2[1];
10169 
10170 	/*
10171 	 * Disable DFS master mode if the DFS region was
10172 	 * not supported or known on this kernel.
10173 	 */
10174 	if (reg_supported_dfs_region(dfs_region))
10175 		rd->dfs_region = dfs_region;
10176 
10177 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
10178 			    rem_reg_rules) {
10179 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
10180 						nl_reg_rule, reg_rule_policy,
10181 						info->extack);
10182 		if (r)
10183 			goto bad_reg;
10184 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
10185 		if (r)
10186 			goto bad_reg;
10187 
10188 		rule_idx++;
10189 
10190 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
10191 			r = -EINVAL;
10192 			goto bad_reg;
10193 		}
10194 	}
10195 
10196 	r = set_regdom(rd, REGD_SOURCE_CRDA);
10197 	/* set_regdom takes ownership of rd */
10198 	rd = NULL;
10199  bad_reg:
10200 	kfree(rd);
10201  out:
10202 	rtnl_unlock();
10203 	return r;
10204 }
10205 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
10206 
10207 static int validate_scan_freqs(struct nlattr *freqs)
10208 {
10209 	struct nlattr *attr1, *attr2;
10210 	int n_channels = 0, tmp1, tmp2;
10211 
10212 	nla_for_each_nested(attr1, freqs, tmp1)
10213 		if (nla_len(attr1) != sizeof(u32))
10214 			return 0;
10215 
10216 	nla_for_each_nested(attr1, freqs, tmp1) {
10217 		n_channels++;
10218 		/*
10219 		 * Some hardware has a limited channel list for
10220 		 * scanning, and it is pretty much nonsensical
10221 		 * to scan for a channel twice, so disallow that
10222 		 * and don't require drivers to check that the
10223 		 * channel list they get isn't longer than what
10224 		 * they can scan, as long as they can scan all
10225 		 * the channels they registered at once.
10226 		 */
10227 		nla_for_each_nested(attr2, freqs, tmp2)
10228 			if (attr1 != attr2 &&
10229 			    nla_get_u32(attr1) == nla_get_u32(attr2))
10230 				return 0;
10231 	}
10232 
10233 	return n_channels;
10234 }
10235 
10236 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
10237 {
10238 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
10239 }
10240 
10241 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
10242 			    struct cfg80211_bss_selection *bss_select)
10243 {
10244 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
10245 	struct nlattr *nest;
10246 	int err;
10247 	bool found = false;
10248 	int i;
10249 
10250 	/* only process one nested attribute */
10251 	nest = nla_data(nla);
10252 	if (!nla_ok(nest, nla_len(nest)))
10253 		return -EINVAL;
10254 
10255 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
10256 					  nest, nl80211_bss_select_policy,
10257 					  NULL);
10258 	if (err)
10259 		return err;
10260 
10261 	/* only one attribute may be given */
10262 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
10263 		if (attr[i]) {
10264 			if (found)
10265 				return -EINVAL;
10266 			found = true;
10267 		}
10268 	}
10269 
10270 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
10271 
10272 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
10273 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
10274 
10275 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
10276 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
10277 		bss_select->param.band_pref =
10278 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
10279 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
10280 			return -EINVAL;
10281 	}
10282 
10283 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
10284 		struct nl80211_bss_select_rssi_adjust *adj_param;
10285 
10286 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
10287 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
10288 		bss_select->param.adjust.band = adj_param->band;
10289 		bss_select->param.adjust.delta = adj_param->delta;
10290 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
10291 			return -EINVAL;
10292 	}
10293 
10294 	/* user-space did not provide behaviour attribute */
10295 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
10296 		return -EINVAL;
10297 
10298 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
10299 		return -EINVAL;
10300 
10301 	return 0;
10302 }
10303 
10304 int nl80211_parse_random_mac(struct nlattr **attrs,
10305 			     u8 *mac_addr, u8 *mac_addr_mask)
10306 {
10307 	int i;
10308 
10309 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
10310 		eth_zero_addr(mac_addr);
10311 		eth_zero_addr(mac_addr_mask);
10312 		mac_addr[0] = 0x2;
10313 		mac_addr_mask[0] = 0x3;
10314 
10315 		return 0;
10316 	}
10317 
10318 	/* need both or none */
10319 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
10320 		return -EINVAL;
10321 
10322 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
10323 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
10324 
10325 	/* don't allow or configure an mcast address */
10326 	if (!is_multicast_ether_addr(mac_addr_mask) ||
10327 	    is_multicast_ether_addr(mac_addr))
10328 		return -EINVAL;
10329 
10330 	/*
10331 	 * allow users to pass a MAC address that has bits set outside
10332 	 * of the mask, but don't bother drivers with having to deal
10333 	 * with such bits
10334 	 */
10335 	for (i = 0; i < ETH_ALEN; i++)
10336 		mac_addr[i] &= mac_addr_mask[i];
10337 
10338 	return 0;
10339 }
10340 
10341 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
10342 					      struct ieee80211_channel *chan)
10343 {
10344 	unsigned int link_id;
10345 	bool all_ok = true;
10346 	int radio_idx;
10347 
10348 	lockdep_assert_wiphy(wdev->wiphy);
10349 
10350 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
10351 		return false;
10352 
10353 	if (!cfg80211_beaconing_iface_active(wdev))
10354 		return true;
10355 
10356 	radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy, chan);
10357 
10358 	/*
10359 	 * FIXME: check if we have a free radio/link for chan
10360 	 *
10361 	 * This, as well as the FIXME below, requires knowing the link
10362 	 * capabilities of the hardware.
10363 	 */
10364 
10365 	/* we cannot leave radar channels */
10366 	for_each_valid_link(wdev, link_id) {
10367 		struct cfg80211_chan_def *chandef;
10368 		int link_radio_idx;
10369 
10370 		chandef = wdev_chandef(wdev, link_id);
10371 		if (!chandef || !chandef->chan)
10372 			continue;
10373 
10374 		if (!(chandef->chan->flags & IEEE80211_CHAN_RADAR))
10375 			continue;
10376 
10377 		/*
10378 		 * chandef->chan is a radar channel. If the radio/link onto
10379 		 * which this radar channel falls is the same radio/link onto
10380 		 * which the input 'chan' falls, off-channel operation should
10381 		 * not be allowed. Hence, set 'all_ok' to false.
10382 		 */
10383 
10384 		link_radio_idx = cfg80211_get_radio_idx_by_chan(wdev->wiphy,
10385 								chandef->chan);
10386 		if (link_radio_idx == radio_idx) {
10387 			all_ok = false;
10388 			break;
10389 		}
10390 	}
10391 
10392 	if (all_ok)
10393 		return true;
10394 
10395 	return regulatory_pre_cac_allowed(wdev->wiphy);
10396 }
10397 
10398 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
10399 				    enum nl80211_ext_feature_index feat)
10400 {
10401 	if (!(flags & flag))
10402 		return true;
10403 	if (wiphy_ext_feature_isset(wiphy, feat))
10404 		return true;
10405 	return false;
10406 }
10407 
10408 static int
10409 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
10410 			 struct nlattr **attrs, u8 *mac_addr, u8 *mac_addr_mask,
10411 			 u32 *flags, enum nl80211_feature_flags randomness_flag)
10412 {
10413 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
10414 		return 0;
10415 
10416 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
10417 
10418 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
10419 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
10420 	    !nl80211_check_scan_feat(wiphy, *flags,
10421 				     NL80211_SCAN_FLAG_LOW_SPAN,
10422 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
10423 	    !nl80211_check_scan_feat(wiphy, *flags,
10424 				     NL80211_SCAN_FLAG_LOW_POWER,
10425 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
10426 	    !nl80211_check_scan_feat(wiphy, *flags,
10427 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
10428 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
10429 	    !nl80211_check_scan_feat(wiphy, *flags,
10430 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
10431 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
10432 	    !nl80211_check_scan_feat(wiphy, *flags,
10433 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
10434 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
10435 	    !nl80211_check_scan_feat(wiphy, *flags,
10436 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
10437 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
10438 	    !nl80211_check_scan_feat(wiphy, *flags,
10439 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
10440 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
10441 	    !nl80211_check_scan_feat(wiphy, *flags,
10442 				     NL80211_SCAN_FLAG_RANDOM_SN,
10443 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
10444 	    !nl80211_check_scan_feat(wiphy, *flags,
10445 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
10446 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
10447 		return -EOPNOTSUPP;
10448 
10449 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
10450 		int err;
10451 
10452 		if (!(wiphy->features & randomness_flag) ||
10453 		    (wdev && wdev->connected))
10454 			return -EOPNOTSUPP;
10455 
10456 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
10457 		if (err)
10458 			return err;
10459 	}
10460 
10461 	return 0;
10462 }
10463 
10464 static int
10465 nl80211_check_scan_flags_sched(struct wiphy *wiphy, struct wireless_dev *wdev,
10466 			       struct nlattr **attrs,
10467 			       struct cfg80211_sched_scan_request *req)
10468 {
10469 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10470 					req->mac_addr, req->mac_addr_mask,
10471 					&req->flags,
10472 					wdev ? NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
10473 					       NL80211_FEATURE_ND_RANDOM_MAC_ADDR);
10474 }
10475 
10476 static int
10477 nl80211_check_scan_flags_reg(struct wiphy *wiphy, struct wireless_dev *wdev,
10478 			     struct nlattr **attrs,
10479 			     struct cfg80211_scan_request_int *req)
10480 {
10481 	return nl80211_check_scan_flags(wiphy, wdev, attrs,
10482 					req->req.mac_addr,
10483 					req->req.mac_addr_mask,
10484 					&req->req.flags,
10485 					NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR);
10486 }
10487 
10488 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
10489 {
10490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10491 	struct wireless_dev *wdev = info->user_ptr[1];
10492 	struct cfg80211_scan_request_int *request;
10493 	struct nlattr *scan_freqs = NULL;
10494 	bool scan_freqs_khz = false;
10495 	struct nlattr *attr;
10496 	struct wiphy *wiphy;
10497 	int err, tmp, n_ssids = 0, n_channels, i;
10498 	size_t ie_len, size;
10499 	size_t ssids_offset, ie_offset;
10500 
10501 	wiphy = &rdev->wiphy;
10502 
10503 	if (wdev->iftype == NL80211_IFTYPE_NAN)
10504 		return -EOPNOTSUPP;
10505 
10506 	if (!rdev->ops->scan)
10507 		return -EOPNOTSUPP;
10508 
10509 	if (rdev->scan_req || rdev->scan_msg)
10510 		return -EBUSY;
10511 
10512 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
10513 		if (!wiphy_ext_feature_isset(wiphy,
10514 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
10515 			return -EOPNOTSUPP;
10516 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
10517 		scan_freqs_khz = true;
10518 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
10519 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
10520 
10521 	if (scan_freqs) {
10522 		n_channels = validate_scan_freqs(scan_freqs);
10523 		if (!n_channels)
10524 			return -EINVAL;
10525 	} else {
10526 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10527 	}
10528 
10529 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
10530 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
10531 			n_ssids++;
10532 
10533 	if (n_ssids > wiphy->max_scan_ssids)
10534 		return -EINVAL;
10535 
10536 	if (info->attrs[NL80211_ATTR_IE])
10537 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10538 	else
10539 		ie_len = 0;
10540 
10541 	if (ie_len > wiphy->max_scan_ie_len)
10542 		return -EINVAL;
10543 
10544 	size = struct_size(request, req.channels, n_channels);
10545 	ssids_offset = size;
10546 	size = size_add(size, array_size(sizeof(*request->req.ssids), n_ssids));
10547 	ie_offset = size;
10548 	size = size_add(size, ie_len);
10549 	request = kzalloc(size, GFP_KERNEL);
10550 	if (!request)
10551 		return -ENOMEM;
10552 
10553 	if (n_ssids)
10554 		request->req.ssids = (void *)request + ssids_offset;
10555 	request->req.n_ssids = n_ssids;
10556 	if (ie_len)
10557 		request->req.ie = (void *)request + ie_offset;
10558 
10559 	i = 0;
10560 	if (scan_freqs) {
10561 		/* user specified, bail out if channel not found */
10562 		nla_for_each_nested(attr, scan_freqs, tmp) {
10563 			struct ieee80211_channel *chan;
10564 			int freq = nla_get_u32(attr);
10565 
10566 			if (!scan_freqs_khz)
10567 				freq = MHZ_TO_KHZ(freq);
10568 
10569 			chan = ieee80211_get_channel_khz(wiphy, freq);
10570 			if (!chan) {
10571 				err = -EINVAL;
10572 				goto out_free;
10573 			}
10574 
10575 			/* Ignore disabled / no primary channels */
10576 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
10577 			    chan->flags & IEEE80211_CHAN_S1G_NO_PRIMARY ||
10578 			    !cfg80211_wdev_channel_allowed(wdev, chan))
10579 				continue;
10580 
10581 			request->req.channels[i] = chan;
10582 			i++;
10583 		}
10584 	} else {
10585 		enum nl80211_band band;
10586 
10587 		/* all channels */
10588 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
10589 			int j;
10590 
10591 			if (!wiphy->bands[band])
10592 				continue;
10593 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
10594 				struct ieee80211_channel *chan;
10595 
10596 				chan = &wiphy->bands[band]->channels[j];
10597 
10598 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
10599 				    chan->flags &
10600 					    IEEE80211_CHAN_S1G_NO_PRIMARY ||
10601 				    !cfg80211_wdev_channel_allowed(wdev, chan))
10602 					continue;
10603 
10604 				request->req.channels[i] = chan;
10605 				i++;
10606 			}
10607 		}
10608 	}
10609 
10610 	if (!i) {
10611 		err = -EINVAL;
10612 		goto out_free;
10613 	}
10614 
10615 	request->req.n_channels = i;
10616 
10617 	for (i = 0; i < request->req.n_channels; i++) {
10618 		struct ieee80211_channel *chan = request->req.channels[i];
10619 
10620 		/* if we can go off-channel to the target channel we're good */
10621 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
10622 			continue;
10623 
10624 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
10625 			err = -EBUSY;
10626 			goto out_free;
10627 		}
10628 	}
10629 
10630 	i = 0;
10631 	if (n_ssids) {
10632 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
10633 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
10634 				err = -EINVAL;
10635 				goto out_free;
10636 			}
10637 			request->req.ssids[i].ssid_len = nla_len(attr);
10638 			memcpy(request->req.ssids[i].ssid,
10639 			       nla_data(attr), nla_len(attr));
10640 			i++;
10641 		}
10642 	}
10643 
10644 	if (info->attrs[NL80211_ATTR_IE]) {
10645 		request->req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10646 		memcpy((void *)request->req.ie,
10647 		       nla_data(info->attrs[NL80211_ATTR_IE]),
10648 		       request->req.ie_len);
10649 	}
10650 
10651 	for (i = 0; i < NUM_NL80211_BANDS; i++)
10652 		if (wiphy->bands[i])
10653 			request->req.rates[i] =
10654 				(1 << wiphy->bands[i]->n_bitrates) - 1;
10655 
10656 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
10657 		nla_for_each_nested(attr,
10658 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
10659 				    tmp) {
10660 			enum nl80211_band band = nla_type(attr);
10661 
10662 			if (band < 0 || band >= NUM_NL80211_BANDS) {
10663 				err = -EINVAL;
10664 				goto out_free;
10665 			}
10666 
10667 			if (!wiphy->bands[band])
10668 				continue;
10669 
10670 			err = ieee80211_get_ratemask(wiphy->bands[band],
10671 						     nla_data(attr),
10672 						     nla_len(attr),
10673 						     &request->req.rates[band]);
10674 			if (err)
10675 				goto out_free;
10676 		}
10677 	}
10678 
10679 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
10680 		request->req.duration =
10681 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
10682 		request->req.duration_mandatory =
10683 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
10684 	}
10685 
10686 	err = nl80211_check_scan_flags_reg(wiphy, wdev, info->attrs, request);
10687 	if (err)
10688 		goto out_free;
10689 
10690 	request->req.no_cck =
10691 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10692 
10693 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
10694 	 * BSSID to scan for. This was problematic because that same attribute
10695 	 * was already used for another purpose (local random MAC address). The
10696 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
10697 	 * compatibility with older userspace components, also use the
10698 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
10699 	 * the specific BSSID use case instead of the random MAC address
10700 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
10701 	 */
10702 	if (info->attrs[NL80211_ATTR_BSSID])
10703 		memcpy(request->req.bssid,
10704 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
10705 	else if (!(request->req.flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
10706 		 info->attrs[NL80211_ATTR_MAC])
10707 		memcpy(request->req.bssid,
10708 		       nla_data(info->attrs[NL80211_ATTR_MAC]),
10709 		       ETH_ALEN);
10710 	else
10711 		eth_broadcast_addr(request->req.bssid);
10712 
10713 	request->req.tsf_report_link_id =
10714 		nl80211_link_id_or_invalid(info->attrs);
10715 	request->req.wdev = wdev;
10716 	request->req.wiphy = &rdev->wiphy;
10717 	request->req.scan_start = jiffies;
10718 
10719 	rdev->scan_req = request;
10720 	err = cfg80211_scan(rdev);
10721 
10722 	if (err)
10723 		goto out_free;
10724 
10725 	nl80211_send_scan_start(rdev, wdev);
10726 	dev_hold(wdev->netdev);
10727 
10728 	return 0;
10729 
10730  out_free:
10731 	rdev->scan_req = NULL;
10732 	kfree(request);
10733 
10734 	return err;
10735 }
10736 
10737 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
10738 {
10739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10740 	struct wireless_dev *wdev = info->user_ptr[1];
10741 
10742 	if (!rdev->ops->abort_scan)
10743 		return -EOPNOTSUPP;
10744 
10745 	if (rdev->scan_msg)
10746 		return 0;
10747 
10748 	if (!rdev->scan_req)
10749 		return -ENOENT;
10750 
10751 	rdev_abort_scan(rdev, wdev);
10752 	return 0;
10753 }
10754 
10755 static int
10756 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
10757 			       struct cfg80211_sched_scan_request *request,
10758 			       struct nlattr **attrs)
10759 {
10760 	int tmp, err, i = 0;
10761 	struct nlattr *attr;
10762 
10763 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10764 		u32 interval;
10765 
10766 		/*
10767 		 * If scan plans are not specified,
10768 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
10769 		 * case one scan plan will be set with the specified scan
10770 		 * interval and infinite number of iterations.
10771 		 */
10772 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
10773 		if (!interval)
10774 			return -EINVAL;
10775 
10776 		request->scan_plans[0].interval =
10777 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
10778 		if (!request->scan_plans[0].interval)
10779 			return -EINVAL;
10780 
10781 		if (request->scan_plans[0].interval >
10782 		    wiphy->max_sched_scan_plan_interval)
10783 			request->scan_plans[0].interval =
10784 				wiphy->max_sched_scan_plan_interval;
10785 
10786 		return 0;
10787 	}
10788 
10789 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
10790 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
10791 
10792 		if (WARN_ON(i >= n_plans))
10793 			return -EINVAL;
10794 
10795 		err = nla_parse_nested_deprecated(plan,
10796 						  NL80211_SCHED_SCAN_PLAN_MAX,
10797 						  attr, nl80211_plan_policy,
10798 						  NULL);
10799 		if (err)
10800 			return err;
10801 
10802 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
10803 			return -EINVAL;
10804 
10805 		request->scan_plans[i].interval =
10806 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
10807 		if (!request->scan_plans[i].interval ||
10808 		    request->scan_plans[i].interval >
10809 		    wiphy->max_sched_scan_plan_interval)
10810 			return -EINVAL;
10811 
10812 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
10813 			request->scan_plans[i].iterations =
10814 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
10815 			if (!request->scan_plans[i].iterations ||
10816 			    (request->scan_plans[i].iterations >
10817 			     wiphy->max_sched_scan_plan_iterations))
10818 				return -EINVAL;
10819 		} else if (i < n_plans - 1) {
10820 			/*
10821 			 * All scan plans but the last one must specify
10822 			 * a finite number of iterations
10823 			 */
10824 			return -EINVAL;
10825 		}
10826 
10827 		i++;
10828 	}
10829 
10830 	/*
10831 	 * The last scan plan must not specify the number of
10832 	 * iterations, it is supposed to run infinitely
10833 	 */
10834 	if (request->scan_plans[n_plans - 1].iterations)
10835 		return  -EINVAL;
10836 
10837 	return 0;
10838 }
10839 
10840 static struct cfg80211_sched_scan_request *
10841 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
10842 			 struct nlattr **attrs, int max_match_sets)
10843 {
10844 	struct cfg80211_sched_scan_request *request;
10845 	struct nlattr *attr;
10846 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
10847 	enum nl80211_band band;
10848 	size_t ie_len, size;
10849 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
10850 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
10851 
10852 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
10853 		n_channels = validate_scan_freqs(
10854 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
10855 		if (!n_channels)
10856 			return ERR_PTR(-EINVAL);
10857 	} else {
10858 		n_channels = ieee80211_get_num_supported_channels(wiphy);
10859 	}
10860 
10861 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
10862 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
10863 				    tmp)
10864 			n_ssids++;
10865 
10866 	if (n_ssids > wiphy->max_sched_scan_ssids)
10867 		return ERR_PTR(-EINVAL);
10868 
10869 	/*
10870 	 * First, count the number of 'real' matchsets. Due to an issue with
10871 	 * the old implementation, matchsets containing only the RSSI attribute
10872 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
10873 	 * RSSI for all matchsets, rather than their own matchset for reporting
10874 	 * all APs with a strong RSSI. This is needed to be compatible with
10875 	 * older userspace that treated a matchset with only the RSSI as the
10876 	 * global RSSI for all other matchsets - if there are other matchsets.
10877 	 */
10878 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
10879 		nla_for_each_nested(attr,
10880 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
10881 				    tmp) {
10882 			struct nlattr *rssi;
10883 
10884 			err = nla_parse_nested_deprecated(tb,
10885 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
10886 							  attr,
10887 							  nl80211_match_policy,
10888 							  NULL);
10889 			if (err)
10890 				return ERR_PTR(err);
10891 
10892 			/* SSID and BSSID are mutually exclusive */
10893 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
10894 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
10895 				return ERR_PTR(-EINVAL);
10896 
10897 			/* add other standalone attributes here */
10898 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
10899 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
10900 				n_match_sets++;
10901 				continue;
10902 			}
10903 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
10904 			if (rssi)
10905 				default_match_rssi = nla_get_s32(rssi);
10906 		}
10907 	}
10908 
10909 	/* However, if there's no other matchset, add the RSSI one */
10910 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
10911 		n_match_sets = 1;
10912 
10913 	if (n_match_sets > max_match_sets)
10914 		return ERR_PTR(-EINVAL);
10915 
10916 	if (attrs[NL80211_ATTR_IE])
10917 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
10918 	else
10919 		ie_len = 0;
10920 
10921 	if (ie_len > wiphy->max_sched_scan_ie_len)
10922 		return ERR_PTR(-EINVAL);
10923 
10924 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
10925 		/*
10926 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
10927 		 * each scan plan already specifies its own interval
10928 		 */
10929 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10930 			return ERR_PTR(-EINVAL);
10931 
10932 		nla_for_each_nested(attr,
10933 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
10934 			n_plans++;
10935 	} else {
10936 		/*
10937 		 * The scan interval attribute is kept for backward
10938 		 * compatibility. If no scan plans are specified and sched scan
10939 		 * interval is specified, one scan plan will be set with this
10940 		 * scan interval and infinite number of iterations.
10941 		 */
10942 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
10943 			return ERR_PTR(-EINVAL);
10944 
10945 		n_plans = 1;
10946 	}
10947 
10948 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
10949 		return ERR_PTR(-EINVAL);
10950 
10951 	if (!wiphy_ext_feature_isset(
10952 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
10953 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
10954 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
10955 		return ERR_PTR(-EINVAL);
10956 
10957 	size = struct_size(request, channels, n_channels);
10958 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
10959 	size = size_add(size, array_size(sizeof(*request->match_sets),
10960 					 n_match_sets));
10961 	size = size_add(size, array_size(sizeof(*request->scan_plans),
10962 					 n_plans));
10963 	size = size_add(size, ie_len);
10964 	request = kzalloc(size, GFP_KERNEL);
10965 	if (!request)
10966 		return ERR_PTR(-ENOMEM);
10967 	request->n_channels = n_channels;
10968 
10969 	if (n_ssids)
10970 		request->ssids = (void *)request +
10971 			struct_size(request, channels, n_channels);
10972 	request->n_ssids = n_ssids;
10973 	if (ie_len) {
10974 		if (n_ssids)
10975 			request->ie = (void *)(request->ssids + n_ssids);
10976 		else
10977 			request->ie = (void *)(request->channels + n_channels);
10978 	}
10979 
10980 	if (n_match_sets) {
10981 		if (request->ie)
10982 			request->match_sets = (void *)(request->ie + ie_len);
10983 		else if (n_ssids)
10984 			request->match_sets =
10985 				(void *)(request->ssids + n_ssids);
10986 		else
10987 			request->match_sets =
10988 				(void *)(request->channels + n_channels);
10989 	}
10990 	request->n_match_sets = n_match_sets;
10991 
10992 	if (n_match_sets)
10993 		request->scan_plans = (void *)(request->match_sets +
10994 					       n_match_sets);
10995 	else if (request->ie)
10996 		request->scan_plans = (void *)(request->ie + ie_len);
10997 	else if (n_ssids)
10998 		request->scan_plans = (void *)(request->ssids + n_ssids);
10999 	else
11000 		request->scan_plans = (void *)(request->channels + n_channels);
11001 
11002 	request->n_scan_plans = n_plans;
11003 
11004 	i = 0;
11005 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
11006 		/* user specified, bail out if channel not found */
11007 		nla_for_each_nested(attr,
11008 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
11009 				    tmp) {
11010 			struct ieee80211_channel *chan;
11011 
11012 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
11013 
11014 			if (!chan) {
11015 				err = -EINVAL;
11016 				goto out_free;
11017 			}
11018 
11019 			/* ignore disabled channels */
11020 			if (chan->flags & IEEE80211_CHAN_DISABLED)
11021 				continue;
11022 
11023 			request->channels[i] = chan;
11024 			i++;
11025 		}
11026 	} else {
11027 		/* all channels */
11028 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
11029 			int j;
11030 
11031 			if (!wiphy->bands[band])
11032 				continue;
11033 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
11034 				struct ieee80211_channel *chan;
11035 
11036 				chan = &wiphy->bands[band]->channels[j];
11037 
11038 				if (chan->flags & IEEE80211_CHAN_DISABLED)
11039 					continue;
11040 
11041 				request->channels[i] = chan;
11042 				i++;
11043 			}
11044 		}
11045 	}
11046 
11047 	if (!i) {
11048 		err = -EINVAL;
11049 		goto out_free;
11050 	}
11051 
11052 	request->n_channels = i;
11053 
11054 	i = 0;
11055 	if (n_ssids) {
11056 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
11057 				    tmp) {
11058 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
11059 				err = -EINVAL;
11060 				goto out_free;
11061 			}
11062 			request->ssids[i].ssid_len = nla_len(attr);
11063 			memcpy(request->ssids[i].ssid, nla_data(attr),
11064 			       nla_len(attr));
11065 			i++;
11066 		}
11067 	}
11068 
11069 	i = 0;
11070 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
11071 		nla_for_each_nested(attr,
11072 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
11073 				    tmp) {
11074 			struct nlattr *ssid, *bssid, *rssi;
11075 
11076 			err = nla_parse_nested_deprecated(tb,
11077 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
11078 							  attr,
11079 							  nl80211_match_policy,
11080 							  NULL);
11081 			if (err)
11082 				goto out_free;
11083 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
11084 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
11085 
11086 			if (!ssid && !bssid) {
11087 				i++;
11088 				continue;
11089 			}
11090 
11091 			if (WARN_ON(i >= n_match_sets)) {
11092 				/* this indicates a programming error,
11093 				 * the loop above should have verified
11094 				 * things properly
11095 				 */
11096 				err = -EINVAL;
11097 				goto out_free;
11098 			}
11099 
11100 			if (ssid) {
11101 				memcpy(request->match_sets[i].ssid.ssid,
11102 				       nla_data(ssid), nla_len(ssid));
11103 				request->match_sets[i].ssid.ssid_len =
11104 					nla_len(ssid);
11105 			}
11106 			if (bssid)
11107 				memcpy(request->match_sets[i].bssid,
11108 				       nla_data(bssid), ETH_ALEN);
11109 
11110 			/* special attribute - old implementation w/a */
11111 			request->match_sets[i].rssi_thold = default_match_rssi;
11112 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
11113 			if (rssi)
11114 				request->match_sets[i].rssi_thold =
11115 					nla_get_s32(rssi);
11116 			i++;
11117 		}
11118 
11119 		/* there was no other matchset, so the RSSI one is alone */
11120 		if (i == 0 && n_match_sets)
11121 			request->match_sets[0].rssi_thold = default_match_rssi;
11122 
11123 		request->min_rssi_thold = INT_MAX;
11124 		for (i = 0; i < n_match_sets; i++)
11125 			request->min_rssi_thold =
11126 				min(request->match_sets[i].rssi_thold,
11127 				    request->min_rssi_thold);
11128 	} else {
11129 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
11130 	}
11131 
11132 	if (ie_len) {
11133 		request->ie_len = ie_len;
11134 		memcpy((void *)request->ie,
11135 		       nla_data(attrs[NL80211_ATTR_IE]),
11136 		       request->ie_len);
11137 	}
11138 
11139 	err = nl80211_check_scan_flags_sched(wiphy, wdev, attrs, request);
11140 	if (err)
11141 		goto out_free;
11142 
11143 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
11144 		request->delay =
11145 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
11146 
11147 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
11148 		request->relative_rssi = nla_get_s8(
11149 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
11150 		request->relative_rssi_set = true;
11151 	}
11152 
11153 	if (request->relative_rssi_set &&
11154 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
11155 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
11156 
11157 		rssi_adjust = nla_data(
11158 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
11159 		request->rssi_adjust.band = rssi_adjust->band;
11160 		request->rssi_adjust.delta = rssi_adjust->delta;
11161 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
11162 			err = -EINVAL;
11163 			goto out_free;
11164 		}
11165 	}
11166 
11167 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
11168 	if (err)
11169 		goto out_free;
11170 
11171 	request->scan_start = jiffies;
11172 
11173 	return request;
11174 
11175 out_free:
11176 	kfree(request);
11177 	return ERR_PTR(err);
11178 }
11179 
11180 static int nl80211_start_sched_scan(struct sk_buff *skb,
11181 				    struct genl_info *info)
11182 {
11183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11184 	struct net_device *dev = info->user_ptr[1];
11185 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11186 	struct cfg80211_sched_scan_request *sched_scan_req;
11187 	bool want_multi;
11188 	int err;
11189 
11190 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
11191 		return -EOPNOTSUPP;
11192 
11193 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
11194 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
11195 	if (err)
11196 		return err;
11197 
11198 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
11199 						  info->attrs,
11200 						  rdev->wiphy.max_match_sets);
11201 
11202 	err = PTR_ERR_OR_ZERO(sched_scan_req);
11203 	if (err)
11204 		goto out_err;
11205 
11206 	/* leave request id zero for legacy request
11207 	 * or if driver does not support multi-scheduled scan
11208 	 */
11209 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
11210 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
11211 
11212 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
11213 	if (err)
11214 		goto out_free;
11215 
11216 	sched_scan_req->dev = dev;
11217 	sched_scan_req->wiphy = &rdev->wiphy;
11218 
11219 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11220 		sched_scan_req->owner_nlportid = info->snd_portid;
11221 
11222 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
11223 
11224 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
11225 	return 0;
11226 
11227 out_free:
11228 	kfree(sched_scan_req);
11229 out_err:
11230 	return err;
11231 }
11232 
11233 static int nl80211_stop_sched_scan(struct sk_buff *skb,
11234 				   struct genl_info *info)
11235 {
11236 	struct cfg80211_sched_scan_request *req;
11237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11238 	u64 cookie;
11239 
11240 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
11241 		return -EOPNOTSUPP;
11242 
11243 	if (info->attrs[NL80211_ATTR_COOKIE]) {
11244 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11245 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
11246 	}
11247 
11248 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
11249 				     struct cfg80211_sched_scan_request,
11250 				     list);
11251 	if (!req || req->reqid ||
11252 	    (req->owner_nlportid &&
11253 	     req->owner_nlportid != info->snd_portid))
11254 		return -ENOENT;
11255 
11256 	return cfg80211_stop_sched_scan_req(rdev, req, false);
11257 }
11258 
11259 static int nl80211_start_radar_detection(struct sk_buff *skb,
11260 					 struct genl_info *info)
11261 {
11262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11263 	struct net_device *dev = info->user_ptr[1];
11264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11265 	int link_id = nl80211_link_id(info->attrs);
11266 	struct wiphy *wiphy = wdev->wiphy;
11267 	struct cfg80211_chan_def chandef;
11268 	enum nl80211_dfs_regions dfs_region;
11269 	unsigned int cac_time_ms;
11270 	int err;
11271 
11272 	flush_delayed_work(&rdev->dfs_update_channels_wk);
11273 
11274 	switch (wdev->iftype) {
11275 	case NL80211_IFTYPE_AP:
11276 	case NL80211_IFTYPE_P2P_GO:
11277 	case NL80211_IFTYPE_MESH_POINT:
11278 	case NL80211_IFTYPE_ADHOC:
11279 		break;
11280 	default:
11281 		/* caution - see cfg80211_beaconing_iface_active() below */
11282 		return -EINVAL;
11283 	}
11284 
11285 	guard(wiphy)(wiphy);
11286 
11287 	dfs_region = reg_get_dfs_region(wiphy);
11288 	if (dfs_region == NL80211_DFS_UNSET)
11289 		return -EINVAL;
11290 
11291 	err = nl80211_parse_chandef(rdev, info, &chandef);
11292 	if (err)
11293 		return err;
11294 
11295 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11296 	if (err < 0)
11297 		return err;
11298 
11299 	if (err == 0)
11300 		return -EINVAL;
11301 
11302 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
11303 		return -EINVAL;
11304 
11305 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
11306 		return cfg80211_start_background_radar_detection(rdev, wdev,
11307 								 &chandef);
11308 
11309 	if (cfg80211_beaconing_iface_active(wdev)) {
11310 		/* During MLO other link(s) can beacon, only the current link
11311 		 * can not already beacon
11312 		 */
11313 		if (wdev->valid_links &&
11314 		    !wdev->links[link_id].ap.beacon_interval) {
11315 			/* nothing */
11316 		} else {
11317 			return -EBUSY;
11318 		}
11319 	}
11320 
11321 	if (wdev->links[link_id].cac_started)
11322 		return -EBUSY;
11323 
11324 	/* CAC start is offloaded to HW and can't be started manually */
11325 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
11326 		return -EOPNOTSUPP;
11327 
11328 	if (!rdev->ops->start_radar_detection)
11329 		return -EOPNOTSUPP;
11330 
11331 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
11332 	if (WARN_ON(!cac_time_ms))
11333 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
11334 
11335 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
11336 					 link_id);
11337 	if (err)
11338 		return err;
11339 
11340 	switch (wdev->iftype) {
11341 	case NL80211_IFTYPE_AP:
11342 	case NL80211_IFTYPE_P2P_GO:
11343 		wdev->links[link_id].ap.chandef = chandef;
11344 		break;
11345 	case NL80211_IFTYPE_ADHOC:
11346 		wdev->u.ibss.chandef = chandef;
11347 		break;
11348 	case NL80211_IFTYPE_MESH_POINT:
11349 		wdev->u.mesh.chandef = chandef;
11350 		break;
11351 	default:
11352 		break;
11353 	}
11354 	wdev->links[link_id].cac_started = true;
11355 	wdev->links[link_id].cac_start_time = jiffies;
11356 	wdev->links[link_id].cac_time_ms = cac_time_ms;
11357 
11358 	return 0;
11359 }
11360 
11361 static int nl80211_notify_radar_detection(struct sk_buff *skb,
11362 					  struct genl_info *info)
11363 {
11364 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11365 	struct net_device *dev = info->user_ptr[1];
11366 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11367 	struct wiphy *wiphy = wdev->wiphy;
11368 	struct cfg80211_chan_def chandef;
11369 	enum nl80211_dfs_regions dfs_region;
11370 	int err;
11371 
11372 	dfs_region = reg_get_dfs_region(wiphy);
11373 	if (dfs_region == NL80211_DFS_UNSET) {
11374 		GENL_SET_ERR_MSG(info,
11375 				 "DFS Region is not set. Unexpected Radar indication");
11376 		return -EINVAL;
11377 	}
11378 
11379 	err = nl80211_parse_chandef(rdev, info, &chandef);
11380 	if (err) {
11381 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
11382 		return err;
11383 	}
11384 
11385 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
11386 	if (err < 0) {
11387 		GENL_SET_ERR_MSG(info, "chandef is invalid");
11388 		return err;
11389 	}
11390 
11391 	if (err == 0) {
11392 		GENL_SET_ERR_MSG(info,
11393 				 "Unexpected Radar indication for chandef/iftype");
11394 		return -EINVAL;
11395 	}
11396 
11397 	/* Do not process this notification if radar is already detected
11398 	 * by kernel on this channel, and return success.
11399 	 */
11400 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
11401 		return 0;
11402 
11403 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
11404 
11405 	cfg80211_sched_dfs_chan_update(rdev);
11406 
11407 	rdev->radar_chandef = chandef;
11408 
11409 	/* Propagate this notification to other radios as well */
11410 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
11411 
11412 	return 0;
11413 }
11414 
11415 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
11416 					 const u8 *data, size_t datalen,
11417 					 int first_count, struct nlattr *attr,
11418 					 const u16 **offsets, unsigned int *n_offsets)
11419 {
11420 	int i;
11421 
11422 	*n_offsets = 0;
11423 
11424 	if (!attr)
11425 		return 0;
11426 
11427 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
11428 		return -EINVAL;
11429 
11430 	*n_offsets = nla_len(attr) / sizeof(u16);
11431 	if (rdev->wiphy.max_num_csa_counters &&
11432 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
11433 		return -EINVAL;
11434 
11435 	*offsets = nla_data(attr);
11436 
11437 	/* sanity checks - counters should fit and be the same */
11438 	for (i = 0; i < *n_offsets; i++) {
11439 		u16 offset = (*offsets)[i];
11440 
11441 		if (offset >= datalen)
11442 			return -EINVAL;
11443 
11444 		if (first_count != -1 && data[offset] != first_count)
11445 			return -EINVAL;
11446 	}
11447 
11448 	return 0;
11449 }
11450 
11451 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
11452 {
11453 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11454 	unsigned int link_id = nl80211_link_id(info->attrs);
11455 	struct net_device *dev = info->user_ptr[1];
11456 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11457 	struct cfg80211_csa_settings params;
11458 	struct nlattr **csa_attrs = NULL;
11459 	int err;
11460 	bool need_new_beacon = false;
11461 	bool need_handle_dfs_flag = true;
11462 	u32 cs_count;
11463 
11464 	if (!rdev->ops->channel_switch ||
11465 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
11466 		return -EOPNOTSUPP;
11467 
11468 	switch (dev->ieee80211_ptr->iftype) {
11469 	case NL80211_IFTYPE_AP:
11470 	case NL80211_IFTYPE_P2P_GO:
11471 		need_new_beacon = true;
11472 		/* For all modes except AP the handle_dfs flag needs to be
11473 		 * supplied to tell the kernel that userspace will handle radar
11474 		 * events when they happen. Otherwise a switch to a channel
11475 		 * requiring DFS will be rejected.
11476 		 */
11477 		need_handle_dfs_flag = false;
11478 
11479 		/* useless if AP is not running */
11480 		if (!wdev->links[link_id].ap.beacon_interval)
11481 			return -ENOTCONN;
11482 		break;
11483 	case NL80211_IFTYPE_ADHOC:
11484 		if (!wdev->u.ibss.ssid_len)
11485 			return -ENOTCONN;
11486 		break;
11487 	case NL80211_IFTYPE_MESH_POINT:
11488 		if (!wdev->u.mesh.id_len)
11489 			return -ENOTCONN;
11490 		break;
11491 	default:
11492 		return -EOPNOTSUPP;
11493 	}
11494 
11495 	memset(&params, 0, sizeof(params));
11496 	params.beacon_csa.ftm_responder = -1;
11497 
11498 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11499 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
11500 		return -EINVAL;
11501 
11502 	/* only important for AP, IBSS and mesh create IEs internally */
11503 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
11504 		return -EINVAL;
11505 
11506 	/* Even though the attribute is u32, the specification says
11507 	 * u8, so let's make sure we don't overflow.
11508 	 */
11509 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
11510 	if (cs_count > 255)
11511 		return -EINVAL;
11512 
11513 	params.count = cs_count;
11514 
11515 	if (!need_new_beacon)
11516 		goto skip_beacons;
11517 
11518 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
11519 				   info->extack);
11520 	if (err)
11521 		goto free;
11522 
11523 	csa_attrs = kzalloc_objs(*csa_attrs, NL80211_ATTR_MAX + 1);
11524 	if (!csa_attrs) {
11525 		err = -ENOMEM;
11526 		goto free;
11527 	}
11528 
11529 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
11530 					  info->attrs[NL80211_ATTR_CSA_IES],
11531 					  nl80211_policy, info->extack);
11532 	if (err)
11533 		goto free;
11534 
11535 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
11536 				   info->extack);
11537 	if (err)
11538 		goto free;
11539 
11540 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
11541 		err = -EINVAL;
11542 		goto free;
11543 	}
11544 
11545 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
11546 					    params.beacon_csa.tail_len,
11547 					    params.count,
11548 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
11549 					    &params.counter_offsets_beacon,
11550 					    &params.n_counter_offsets_beacon);
11551 	if (err)
11552 		goto free;
11553 
11554 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
11555 					    params.beacon_csa.probe_resp_len,
11556 					    params.count,
11557 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
11558 					    &params.counter_offsets_presp,
11559 					    &params.n_counter_offsets_presp);
11560 	if (err)
11561 		goto free;
11562 
11563 skip_beacons:
11564 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
11565 	if (err)
11566 		goto free;
11567 
11568 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
11569 					   wdev->iftype)) {
11570 		err = -EINVAL;
11571 		goto free;
11572 	}
11573 
11574 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
11575 					    &params.chandef,
11576 					    wdev->iftype);
11577 	if (err < 0)
11578 		goto free;
11579 
11580 	if (err > 0) {
11581 		params.radar_required = true;
11582 		if (need_handle_dfs_flag &&
11583 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
11584 			err = -EINVAL;
11585 			goto free;
11586 		}
11587 	}
11588 
11589 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
11590 		params.block_tx = true;
11591 
11592 	if ((wdev->iftype == NL80211_IFTYPE_AP ||
11593 	     wdev->iftype == NL80211_IFTYPE_P2P_GO) &&
11594 	    info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
11595 		err = nl80211_parse_unsol_bcast_probe_resp(
11596 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
11597 			&params.unsol_bcast_probe_resp);
11598 		if (err)
11599 			goto free;
11600 	}
11601 
11602 	params.link_id = link_id;
11603 	err = rdev_channel_switch(rdev, dev, &params);
11604 
11605 free:
11606 	kfree(params.beacon_after.mbssid_ies);
11607 	kfree(params.beacon_csa.mbssid_ies);
11608 	kfree(params.beacon_after.rnr_ies);
11609 	kfree(params.beacon_csa.rnr_ies);
11610 	kfree(csa_attrs);
11611 	return err;
11612 }
11613 
11614 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
11615 			    u32 seq, int flags,
11616 			    struct cfg80211_registered_device *rdev,
11617 			    struct wireless_dev *wdev,
11618 			    struct cfg80211_internal_bss *intbss)
11619 {
11620 	struct cfg80211_bss *res = &intbss->pub;
11621 	const struct cfg80211_bss_ies *ies;
11622 	unsigned int link_id;
11623 	void *hdr;
11624 	struct nlattr *bss;
11625 
11626 	lockdep_assert_wiphy(wdev->wiphy);
11627 
11628 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
11629 			     NL80211_CMD_NEW_SCAN_RESULTS);
11630 	if (!hdr)
11631 		return -1;
11632 
11633 	genl_dump_check_consistent(cb, hdr);
11634 
11635 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
11636 		goto nla_put_failure;
11637 	if (wdev->netdev &&
11638 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
11639 		goto nla_put_failure;
11640 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
11641 			      NL80211_ATTR_PAD))
11642 		goto nla_put_failure;
11643 
11644 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
11645 	if (!bss)
11646 		goto nla_put_failure;
11647 	if ((!is_zero_ether_addr(res->bssid) &&
11648 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
11649 		goto nla_put_failure;
11650 
11651 	rcu_read_lock();
11652 	/* indicate whether we have probe response data or not */
11653 	if (rcu_access_pointer(res->proberesp_ies) &&
11654 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
11655 		goto fail_unlock_rcu;
11656 
11657 	/* this pointer prefers to be pointed to probe response data
11658 	 * but is always valid
11659 	 */
11660 	ies = rcu_dereference(res->ies);
11661 	if (ies) {
11662 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
11663 				      NL80211_BSS_PAD))
11664 			goto fail_unlock_rcu;
11665 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
11666 					ies->len, ies->data))
11667 			goto fail_unlock_rcu;
11668 	}
11669 
11670 	/* and this pointer is always (unless driver didn't know) beacon data */
11671 	ies = rcu_dereference(res->beacon_ies);
11672 	if (ies && ies->from_beacon) {
11673 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
11674 				      NL80211_BSS_PAD))
11675 			goto fail_unlock_rcu;
11676 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
11677 					ies->len, ies->data))
11678 			goto fail_unlock_rcu;
11679 	}
11680 	rcu_read_unlock();
11681 
11682 	if (res->beacon_interval &&
11683 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
11684 		goto nla_put_failure;
11685 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
11686 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
11687 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
11688 			res->channel->freq_offset) ||
11689 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
11690 			jiffies_to_msecs(jiffies - intbss->ts)))
11691 		goto nla_put_failure;
11692 
11693 	if (intbss->parent_tsf &&
11694 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
11695 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
11696 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
11697 		     intbss->parent_bssid)))
11698 		goto nla_put_failure;
11699 
11700 	if (res->ts_boottime &&
11701 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
11702 			      res->ts_boottime, NL80211_BSS_PAD))
11703 		goto nla_put_failure;
11704 
11705 	if (!nl80211_put_signal(msg, intbss->pub.chains,
11706 				intbss->pub.chain_signal,
11707 				NL80211_BSS_CHAIN_SIGNAL))
11708 		goto nla_put_failure;
11709 
11710 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
11711 		switch (rdev->wiphy.signal_type) {
11712 		case CFG80211_SIGNAL_TYPE_MBM:
11713 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
11714 					res->signal))
11715 				goto nla_put_failure;
11716 			break;
11717 		case CFG80211_SIGNAL_TYPE_UNSPEC:
11718 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
11719 				       res->signal))
11720 				goto nla_put_failure;
11721 			break;
11722 		default:
11723 			break;
11724 		}
11725 	}
11726 
11727 	switch (wdev->iftype) {
11728 	case NL80211_IFTYPE_P2P_CLIENT:
11729 	case NL80211_IFTYPE_STATION:
11730 		for_each_valid_link(wdev, link_id) {
11731 			if (intbss == wdev->links[link_id].client.current_bss &&
11732 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
11733 					 NL80211_BSS_STATUS_ASSOCIATED) ||
11734 			     (wdev->valid_links &&
11735 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
11736 					  link_id) ||
11737 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
11738 				       wdev->u.client.connected_addr)))))
11739 				goto nla_put_failure;
11740 		}
11741 		break;
11742 	case NL80211_IFTYPE_ADHOC:
11743 		if (intbss == wdev->u.ibss.current_bss &&
11744 		    nla_put_u32(msg, NL80211_BSS_STATUS,
11745 				NL80211_BSS_STATUS_IBSS_JOINED))
11746 			goto nla_put_failure;
11747 		break;
11748 	default:
11749 		break;
11750 	}
11751 
11752 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
11753 		goto nla_put_failure;
11754 
11755 	if (res->cannot_use_reasons &&
11756 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
11757 			      res->cannot_use_reasons,
11758 			      NL80211_BSS_PAD))
11759 		goto nla_put_failure;
11760 
11761 	nla_nest_end(msg, bss);
11762 
11763 	genlmsg_end(msg, hdr);
11764 	return 0;
11765 
11766  fail_unlock_rcu:
11767 	rcu_read_unlock();
11768  nla_put_failure:
11769 	genlmsg_cancel(msg, hdr);
11770 	return -EMSGSIZE;
11771 }
11772 
11773 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
11774 {
11775 	struct cfg80211_registered_device *rdev;
11776 	struct cfg80211_internal_bss *scan;
11777 	struct wireless_dev *wdev;
11778 	struct nlattr **attrbuf;
11779 	int start = cb->args[2], idx = 0;
11780 	bool dump_include_use_data;
11781 	int err;
11782 
11783 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11784 	if (!attrbuf)
11785 		return -ENOMEM;
11786 
11787 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11788 	if (err) {
11789 		kfree(attrbuf);
11790 		return err;
11791 	}
11792 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11793 	__acquire(&rdev->wiphy.mtx);
11794 
11795 	dump_include_use_data =
11796 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
11797 	kfree(attrbuf);
11798 
11799 	spin_lock_bh(&rdev->bss_lock);
11800 
11801 	/*
11802 	 * dump_scan will be called multiple times to break up the scan results
11803 	 * into multiple messages.  It is unlikely that any more bss-es will be
11804 	 * expired after the first call, so only call only call this on the
11805 	 * first dump_scan invocation.
11806 	 */
11807 	if (start == 0)
11808 		cfg80211_bss_expire(rdev);
11809 
11810 	cb->seq = rdev->bss_generation;
11811 
11812 	list_for_each_entry(scan, &rdev->bss_list, list) {
11813 		if (++idx <= start)
11814 			continue;
11815 		if (!dump_include_use_data &&
11816 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
11817 			continue;
11818 		if (nl80211_send_bss(skb, cb,
11819 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11820 				rdev, wdev, scan) < 0) {
11821 			idx--;
11822 			break;
11823 		}
11824 	}
11825 
11826 	spin_unlock_bh(&rdev->bss_lock);
11827 
11828 	cb->args[2] = idx;
11829 	wiphy_unlock(&rdev->wiphy);
11830 
11831 	return skb->len;
11832 }
11833 
11834 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
11835 			       int flags, struct net_device *dev,
11836 			       bool allow_radio_stats,
11837 			       struct survey_info *survey)
11838 {
11839 	void *hdr;
11840 	struct nlattr *infoattr;
11841 
11842 	/* skip radio stats if userspace didn't request them */
11843 	if (!survey->channel && !allow_radio_stats)
11844 		return 0;
11845 
11846 	hdr = nl80211hdr_put(msg, portid, seq, flags,
11847 			     NL80211_CMD_NEW_SURVEY_RESULTS);
11848 	if (!hdr)
11849 		return -ENOMEM;
11850 
11851 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
11852 		goto nla_put_failure;
11853 
11854 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
11855 	if (!infoattr)
11856 		goto nla_put_failure;
11857 
11858 	if (survey->channel &&
11859 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
11860 			survey->channel->center_freq))
11861 		goto nla_put_failure;
11862 
11863 	if (survey->channel && survey->channel->freq_offset &&
11864 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
11865 			survey->channel->freq_offset))
11866 		goto nla_put_failure;
11867 
11868 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
11869 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
11870 		goto nla_put_failure;
11871 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
11872 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
11873 		goto nla_put_failure;
11874 	if ((survey->filled & SURVEY_INFO_TIME) &&
11875 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
11876 			survey->time, NL80211_SURVEY_INFO_PAD))
11877 		goto nla_put_failure;
11878 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
11879 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
11880 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
11881 		goto nla_put_failure;
11882 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
11883 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
11884 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
11885 		goto nla_put_failure;
11886 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
11887 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
11888 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
11889 		goto nla_put_failure;
11890 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
11891 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
11892 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
11893 		goto nla_put_failure;
11894 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
11895 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
11896 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
11897 		goto nla_put_failure;
11898 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
11899 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
11900 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
11901 		goto nla_put_failure;
11902 
11903 	nla_nest_end(msg, infoattr);
11904 
11905 	genlmsg_end(msg, hdr);
11906 	return 0;
11907 
11908  nla_put_failure:
11909 	genlmsg_cancel(msg, hdr);
11910 	return -EMSGSIZE;
11911 }
11912 
11913 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
11914 {
11915 	struct nlattr **attrbuf;
11916 	struct survey_info survey;
11917 	struct cfg80211_registered_device *rdev;
11918 	struct wireless_dev *wdev;
11919 	int survey_idx = cb->args[2];
11920 	int res;
11921 	bool radio_stats;
11922 
11923 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
11924 	if (!attrbuf)
11925 		return -ENOMEM;
11926 
11927 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
11928 	if (res) {
11929 		kfree(attrbuf);
11930 		return res;
11931 	}
11932 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
11933 	__acquire(&rdev->wiphy.mtx);
11934 
11935 	/* prepare_wdev_dump parsed the attributes */
11936 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
11937 
11938 	if (!wdev->netdev) {
11939 		res = -EINVAL;
11940 		goto out_err;
11941 	}
11942 
11943 	if (!rdev->ops->dump_survey) {
11944 		res = -EOPNOTSUPP;
11945 		goto out_err;
11946 	}
11947 
11948 	while (1) {
11949 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
11950 		if (res == -ENOENT)
11951 			break;
11952 		if (res)
11953 			goto out_err;
11954 
11955 		/* don't send disabled channels, but do send non-channel data */
11956 		if (survey.channel &&
11957 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
11958 			survey_idx++;
11959 			continue;
11960 		}
11961 
11962 		if (nl80211_send_survey(skb,
11963 				NETLINK_CB(cb->skb).portid,
11964 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
11965 				wdev->netdev, radio_stats, &survey) < 0)
11966 			goto out;
11967 		survey_idx++;
11968 	}
11969 
11970  out:
11971 	cb->args[2] = survey_idx;
11972 	res = skb->len;
11973  out_err:
11974 	kfree(attrbuf);
11975 	wiphy_unlock(&rdev->wiphy);
11976 	return res;
11977 }
11978 
11979 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
11980 {
11981 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11982 	struct net_device *dev = info->user_ptr[1];
11983 	struct ieee80211_channel *chan;
11984 	const u8 *bssid, *ssid;
11985 	int err, ssid_len;
11986 	enum nl80211_auth_type auth_type;
11987 	struct key_parse key;
11988 	bool local_state_change;
11989 	struct cfg80211_auth_request req = {};
11990 	u32 freq;
11991 
11992 	if (!info->attrs[NL80211_ATTR_MAC])
11993 		return -EINVAL;
11994 
11995 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
11996 		return -EINVAL;
11997 
11998 	if (!info->attrs[NL80211_ATTR_SSID])
11999 		return -EINVAL;
12000 
12001 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12002 		return -EINVAL;
12003 
12004 	err = nl80211_parse_key(info, &key);
12005 	if (err)
12006 		return err;
12007 
12008 	if (key.idx >= 0) {
12009 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
12010 			return -EINVAL;
12011 		if (!key.p.key || !key.p.key_len)
12012 			return -EINVAL;
12013 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
12014 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
12015 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
12016 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
12017 			return -EINVAL;
12018 		if (key.idx > 3)
12019 			return -EINVAL;
12020 	} else {
12021 		key.p.key_len = 0;
12022 		key.p.key = NULL;
12023 	}
12024 
12025 	if (key.idx >= 0) {
12026 		int i;
12027 		bool ok = false;
12028 
12029 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
12030 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
12031 				ok = true;
12032 				break;
12033 			}
12034 		}
12035 		if (!ok)
12036 			return -EINVAL;
12037 	}
12038 
12039 	if (!rdev->ops->auth)
12040 		return -EOPNOTSUPP;
12041 
12042 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12043 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12044 		return -EOPNOTSUPP;
12045 
12046 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12047 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12048 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12049 		freq +=
12050 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12051 
12052 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12053 	if (!chan)
12054 		return -EINVAL;
12055 
12056 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12057 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12058 
12059 	if (info->attrs[NL80211_ATTR_IE]) {
12060 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12061 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12062 	}
12063 
12064 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12065 		req.supported_selectors =
12066 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12067 		req.supported_selectors_len =
12068 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12069 	}
12070 
12071 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12072 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
12073 		return -EINVAL;
12074 
12075 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
12076 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
12077 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
12078 	     auth_type == NL80211_AUTHTYPE_FILS_PK ||
12079 	     auth_type == NL80211_AUTHTYPE_EPPKE) &&
12080 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
12081 		return -EINVAL;
12082 
12083 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
12084 		if (auth_type != NL80211_AUTHTYPE_SAE &&
12085 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
12086 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
12087 		    auth_type != NL80211_AUTHTYPE_FILS_PK &&
12088 		    auth_type != NL80211_AUTHTYPE_EPPKE)
12089 			return -EINVAL;
12090 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
12091 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
12092 	}
12093 
12094 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12095 
12096 	/*
12097 	 * Since we no longer track auth state, ignore
12098 	 * requests to only change local state.
12099 	 */
12100 	if (local_state_change)
12101 		return 0;
12102 
12103 	req.auth_type = auth_type;
12104 	req.key = key.p.key;
12105 	req.key_len = key.p.key_len;
12106 	req.key_idx = key.idx;
12107 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12108 	if (req.link_id >= 0) {
12109 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12110 			return -EINVAL;
12111 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
12112 			return -EINVAL;
12113 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12114 		if (!is_valid_ether_addr(req.ap_mld_addr))
12115 			return -EINVAL;
12116 	}
12117 
12118 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
12119 				   IEEE80211_BSS_TYPE_ESS,
12120 				   IEEE80211_PRIVACY_ANY);
12121 	if (!req.bss)
12122 		return -ENOENT;
12123 
12124 	err = cfg80211_mlme_auth(rdev, dev, &req);
12125 
12126 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12127 
12128 	return err;
12129 }
12130 
12131 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
12132 				     struct genl_info *info)
12133 {
12134 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12135 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
12136 		return -EINVAL;
12137 	}
12138 
12139 	if (!rdev->ops->tx_control_port ||
12140 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12141 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
12142 		return -EOPNOTSUPP;
12143 
12144 	return 0;
12145 }
12146 
12147 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
12148 				   struct genl_info *info,
12149 				   struct cfg80211_crypto_settings *settings,
12150 				   int cipher_limit)
12151 {
12152 	memset(settings, 0, sizeof(*settings));
12153 
12154 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
12155 
12156 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
12157 		u16 proto;
12158 
12159 		proto = nla_get_u16(
12160 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
12161 		settings->control_port_ethertype = cpu_to_be16(proto);
12162 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
12163 		    proto != ETH_P_PAE)
12164 			return -EINVAL;
12165 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
12166 			settings->control_port_no_encrypt = true;
12167 	} else
12168 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
12169 
12170 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12171 		int r = validate_pae_over_nl80211(rdev, info);
12172 
12173 		if (r < 0)
12174 			return r;
12175 
12176 		settings->control_port_over_nl80211 = true;
12177 
12178 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
12179 			settings->control_port_no_preauth = true;
12180 	}
12181 
12182 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
12183 		void *data;
12184 		int len, i;
12185 
12186 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12187 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
12188 		settings->n_ciphers_pairwise = len / sizeof(u32);
12189 
12190 		if (len % sizeof(u32))
12191 			return -EINVAL;
12192 
12193 		if (settings->n_ciphers_pairwise > cipher_limit)
12194 			return -EINVAL;
12195 
12196 		memcpy(settings->ciphers_pairwise, data, len);
12197 
12198 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
12199 			if (!cfg80211_supported_cipher_suite(
12200 					&rdev->wiphy,
12201 					settings->ciphers_pairwise[i]))
12202 				return -EINVAL;
12203 	}
12204 
12205 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
12206 		settings->cipher_group =
12207 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
12208 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
12209 						     settings->cipher_group))
12210 			return -EINVAL;
12211 	}
12212 
12213 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
12214 		settings->wpa_versions =
12215 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
12216 
12217 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
12218 		void *data;
12219 		int len;
12220 
12221 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
12222 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
12223 		settings->n_akm_suites = len / sizeof(u32);
12224 
12225 		if (len % sizeof(u32))
12226 			return -EINVAL;
12227 
12228 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
12229 			return -EINVAL;
12230 
12231 		memcpy(settings->akm_suites, data, len);
12232 	}
12233 
12234 	if (info->attrs[NL80211_ATTR_PMK]) {
12235 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
12236 			return -EINVAL;
12237 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12238 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
12239 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12240 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
12241 			return -EINVAL;
12242 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12243 	}
12244 
12245 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
12246 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12247 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
12248 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12249 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
12250 			return -EINVAL;
12251 		settings->sae_pwd =
12252 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12253 		settings->sae_pwd_len =
12254 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
12255 	}
12256 
12257 	settings->sae_pwe =
12258 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
12259 				   NL80211_SAE_PWE_UNSPECIFIED);
12260 
12261 	return 0;
12262 }
12263 
12264 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
12265 					      const u8 *ssid, int ssid_len,
12266 					      struct nlattr **attrs,
12267 					      int assoc_link_id, int link_id)
12268 {
12269 	struct ieee80211_channel *chan;
12270 	struct cfg80211_bss *bss;
12271 	const u8 *bssid;
12272 	u32 freq, use_for = 0;
12273 
12274 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
12275 		return ERR_PTR(-EINVAL);
12276 
12277 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
12278 
12279 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
12280 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12281 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12282 
12283 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
12284 	if (!chan)
12285 		return ERR_PTR(-EINVAL);
12286 
12287 	if (assoc_link_id >= 0)
12288 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
12289 	if (assoc_link_id == link_id)
12290 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
12291 
12292 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
12293 				 ssid, ssid_len,
12294 				 IEEE80211_BSS_TYPE_ESS,
12295 				 IEEE80211_PRIVACY_ANY,
12296 				 use_for);
12297 	if (!bss)
12298 		return ERR_PTR(-ENOENT);
12299 
12300 	return bss;
12301 }
12302 
12303 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
12304 				 struct cfg80211_assoc_link *links,
12305 				 int assoc_link_id,
12306 				 const u8 *ssid, int ssid_len,
12307 				 struct genl_info *info)
12308 {
12309 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
12310 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
12311 	struct nlattr *link;
12312 	unsigned int link_id;
12313 	int rem, err;
12314 
12315 	if (!attrs)
12316 		return -ENOMEM;
12317 
12318 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
12319 		memset(attrs, 0, attrsize);
12320 
12321 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
12322 
12323 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
12324 			NL_SET_BAD_ATTR(info->extack, link);
12325 			return -EINVAL;
12326 		}
12327 
12328 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
12329 		/* cannot use the same link ID again */
12330 		if (links[link_id].bss) {
12331 			NL_SET_BAD_ATTR(info->extack, link);
12332 			return -EINVAL;
12333 		}
12334 		links[link_id].bss =
12335 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
12336 					  assoc_link_id, link_id);
12337 		if (IS_ERR(links[link_id].bss)) {
12338 			err = PTR_ERR(links[link_id].bss);
12339 			links[link_id].bss = NULL;
12340 			NL_SET_ERR_MSG_ATTR(info->extack, link,
12341 					    "Error fetching BSS for link");
12342 			return err;
12343 		}
12344 
12345 		if (attrs[NL80211_ATTR_IE]) {
12346 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
12347 			links[link_id].elems_len =
12348 				nla_len(attrs[NL80211_ATTR_IE]);
12349 
12350 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
12351 					       links[link_id].elems,
12352 					       links[link_id].elems_len)) {
12353 				NL_SET_ERR_MSG_ATTR(info->extack,
12354 						    attrs[NL80211_ATTR_IE],
12355 						    "cannot deal with fragmentation");
12356 				return -EINVAL;
12357 			}
12358 
12359 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12360 						   links[link_id].elems,
12361 						   links[link_id].elems_len)) {
12362 				NL_SET_ERR_MSG_ATTR(info->extack,
12363 						    attrs[NL80211_ATTR_IE],
12364 						    "cannot deal with non-inheritance");
12365 				return -EINVAL;
12366 			}
12367 		}
12368 	}
12369 
12370 	return 0;
12371 }
12372 
12373 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
12374 {
12375 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12376 	struct net_device *dev = info->user_ptr[1];
12377 	struct cfg80211_assoc_request req = {};
12378 	const u8 *ap_addr, *ssid;
12379 	unsigned int link_id;
12380 	int err, ssid_len;
12381 
12382 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12383 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12384 		return -EPERM;
12385 
12386 	if (!info->attrs[NL80211_ATTR_SSID])
12387 		return -EINVAL;
12388 
12389 	if (!rdev->ops->assoc)
12390 		return -EOPNOTSUPP;
12391 
12392 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12393 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12394 		return -EOPNOTSUPP;
12395 
12396 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12397 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12398 
12399 	if (info->attrs[NL80211_ATTR_IE]) {
12400 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12401 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12402 
12403 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
12404 					   req.ie, req.ie_len)) {
12405 			NL_SET_ERR_MSG_ATTR(info->extack,
12406 					    info->attrs[NL80211_ATTR_IE],
12407 					    "non-inheritance makes no sense");
12408 			return -EINVAL;
12409 		}
12410 	}
12411 
12412 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12413 		enum nl80211_mfp mfp =
12414 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12415 		if (mfp == NL80211_MFP_REQUIRED)
12416 			req.use_mfp = true;
12417 		else if (mfp != NL80211_MFP_NO)
12418 			return -EINVAL;
12419 	}
12420 
12421 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12422 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12423 
12424 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
12425 		req.supported_selectors =
12426 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12427 		req.supported_selectors_len =
12428 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
12429 	}
12430 
12431 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12432 		req.flags |= ASSOC_REQ_DISABLE_HT;
12433 
12434 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12435 		memcpy(&req.ht_capa_mask,
12436 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12437 		       sizeof(req.ht_capa_mask));
12438 
12439 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12440 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12441 			return -EINVAL;
12442 		memcpy(&req.ht_capa,
12443 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12444 		       sizeof(req.ht_capa));
12445 	}
12446 
12447 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12448 		req.flags |= ASSOC_REQ_DISABLE_VHT;
12449 
12450 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12451 		req.flags |= ASSOC_REQ_DISABLE_HE;
12452 
12453 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12454 		req.flags |= ASSOC_REQ_DISABLE_EHT;
12455 
12456 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
12457 		req.flags |= ASSOC_REQ_DISABLE_UHR;
12458 
12459 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12460 		memcpy(&req.vht_capa_mask,
12461 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12462 		       sizeof(req.vht_capa_mask));
12463 
12464 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12465 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12466 			return -EINVAL;
12467 		memcpy(&req.vht_capa,
12468 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12469 		       sizeof(req.vht_capa));
12470 	}
12471 
12472 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12473 		if (!((rdev->wiphy.features &
12474 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12475 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12476 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12477 					     NL80211_EXT_FEATURE_RRM))
12478 			return -EINVAL;
12479 		req.flags |= ASSOC_REQ_USE_RRM;
12480 	}
12481 
12482 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
12483 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
12484 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
12485 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
12486 			return -EINVAL;
12487 		req.fils_nonces =
12488 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
12489 	}
12490 
12491 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
12492 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
12493 			return -EINVAL;
12494 		memcpy(&req.s1g_capa_mask,
12495 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
12496 		       sizeof(req.s1g_capa_mask));
12497 	}
12498 
12499 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
12500 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
12501 			return -EINVAL;
12502 		memcpy(&req.s1g_capa,
12503 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
12504 		       sizeof(req.s1g_capa));
12505 	}
12506 
12507 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
12508 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12509 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
12510 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
12511 			return -EINVAL;
12512 		}
12513 		req.flags |= ASSOC_REQ_SPP_AMSDU;
12514 	}
12515 
12516 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
12517 
12518 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12519 		if (req.link_id < 0)
12520 			return -EINVAL;
12521 
12522 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
12523 			return -EINVAL;
12524 
12525 		if (info->attrs[NL80211_ATTR_MAC] ||
12526 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12527 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
12528 			return -EINVAL;
12529 
12530 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
12531 		ap_addr = req.ap_mld_addr;
12532 
12533 		err = nl80211_process_links(rdev, req.links, req.link_id,
12534 					    ssid, ssid_len, info);
12535 		if (err)
12536 			goto free;
12537 
12538 		if (!req.links[req.link_id].bss) {
12539 			err = -EINVAL;
12540 			goto free;
12541 		}
12542 
12543 		if (req.links[req.link_id].elems_len) {
12544 			GENL_SET_ERR_MSG(info,
12545 					 "cannot have per-link elems on assoc link");
12546 			err = -EINVAL;
12547 			goto free;
12548 		}
12549 
12550 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12551 			req.ext_mld_capa_ops =
12552 				nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
12553 	} else {
12554 		if (req.link_id >= 0)
12555 			return -EINVAL;
12556 
12557 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
12558 					    -1, -1);
12559 		if (IS_ERR(req.bss))
12560 			return PTR_ERR(req.bss);
12561 		ap_addr = req.bss->bssid;
12562 
12563 		if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
12564 			return -EINVAL;
12565 	}
12566 
12567 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
12568 	if (!err) {
12569 		struct nlattr *link;
12570 		int rem = 0;
12571 
12572 		err = cfg80211_mlme_assoc(rdev, dev, &req,
12573 					  info->extack);
12574 
12575 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12576 			dev->ieee80211_ptr->conn_owner_nlportid =
12577 				info->snd_portid;
12578 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12579 			       ap_addr, ETH_ALEN);
12580 		}
12581 
12582 		/* Report error from first problematic link */
12583 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
12584 			nla_for_each_nested(link,
12585 					    info->attrs[NL80211_ATTR_MLO_LINKS],
12586 					    rem) {
12587 				struct nlattr *link_id_attr =
12588 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
12589 
12590 				if (!link_id_attr)
12591 					continue;
12592 
12593 				link_id = nla_get_u8(link_id_attr);
12594 
12595 				if (link_id == req.link_id)
12596 					continue;
12597 
12598 				if (!req.links[link_id].error ||
12599 				    WARN_ON(req.links[link_id].error > 0))
12600 					continue;
12601 
12602 				WARN_ON(err >= 0);
12603 
12604 				NL_SET_BAD_ATTR(info->extack, link);
12605 				err = req.links[link_id].error;
12606 				break;
12607 			}
12608 		}
12609 	}
12610 
12611 free:
12612 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
12613 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
12614 	cfg80211_put_bss(&rdev->wiphy, req.bss);
12615 
12616 	return err;
12617 }
12618 
12619 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
12620 {
12621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12622 	struct net_device *dev = info->user_ptr[1];
12623 	const u8 *ie = NULL, *bssid;
12624 	int ie_len = 0;
12625 	u16 reason_code;
12626 	bool local_state_change;
12627 
12628 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12629 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12630 		return -EPERM;
12631 
12632 	if (!info->attrs[NL80211_ATTR_MAC])
12633 		return -EINVAL;
12634 
12635 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12636 		return -EINVAL;
12637 
12638 	if (!rdev->ops->deauth)
12639 		return -EOPNOTSUPP;
12640 
12641 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12642 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12643 		return -EOPNOTSUPP;
12644 
12645 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12646 
12647 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12648 	if (reason_code == 0) {
12649 		/* Reason Code 0 is reserved */
12650 		return -EINVAL;
12651 	}
12652 
12653 	if (info->attrs[NL80211_ATTR_IE]) {
12654 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12655 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12656 	}
12657 
12658 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12659 
12660 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
12661 				    local_state_change);
12662 }
12663 
12664 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
12665 {
12666 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12667 	struct net_device *dev = info->user_ptr[1];
12668 	const u8 *ie = NULL, *bssid;
12669 	int ie_len = 0;
12670 	u16 reason_code;
12671 	bool local_state_change;
12672 
12673 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12674 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12675 		return -EPERM;
12676 
12677 	if (!info->attrs[NL80211_ATTR_MAC])
12678 		return -EINVAL;
12679 
12680 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12681 		return -EINVAL;
12682 
12683 	if (!rdev->ops->disassoc)
12684 		return -EOPNOTSUPP;
12685 
12686 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12687 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12688 		return -EOPNOTSUPP;
12689 
12690 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12691 
12692 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12693 	if (reason_code == 0) {
12694 		/* Reason Code 0 is reserved */
12695 		return -EINVAL;
12696 	}
12697 
12698 	if (info->attrs[NL80211_ATTR_IE]) {
12699 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12700 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12701 	}
12702 
12703 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
12704 
12705 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
12706 				      local_state_change);
12707 }
12708 
12709 static bool
12710 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
12711 			 int mcast_rate[NUM_NL80211_BANDS],
12712 			 int rateval)
12713 {
12714 	struct wiphy *wiphy = &rdev->wiphy;
12715 	bool found = false;
12716 	int band, i;
12717 
12718 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
12719 		struct ieee80211_supported_band *sband;
12720 
12721 		sband = wiphy->bands[band];
12722 		if (!sband)
12723 			continue;
12724 
12725 		for (i = 0; i < sband->n_bitrates; i++) {
12726 			if (sband->bitrates[i].bitrate == rateval) {
12727 				mcast_rate[band] = i + 1;
12728 				found = true;
12729 				break;
12730 			}
12731 		}
12732 	}
12733 
12734 	return found;
12735 }
12736 
12737 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
12738 {
12739 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12740 	struct net_device *dev = info->user_ptr[1];
12741 	struct cfg80211_ibss_params ibss;
12742 	struct wiphy *wiphy;
12743 	struct cfg80211_cached_keys *connkeys = NULL;
12744 	int err;
12745 
12746 	memset(&ibss, 0, sizeof(ibss));
12747 
12748 	if (!info->attrs[NL80211_ATTR_SSID] ||
12749 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12750 		return -EINVAL;
12751 
12752 	ibss.beacon_interval = 100;
12753 
12754 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
12755 		ibss.beacon_interval =
12756 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12757 
12758 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
12759 					   ibss.beacon_interval);
12760 	if (err)
12761 		return err;
12762 
12763 	if (!rdev->ops->join_ibss)
12764 		return -EOPNOTSUPP;
12765 
12766 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12767 		return -EOPNOTSUPP;
12768 
12769 	wiphy = &rdev->wiphy;
12770 
12771 	if (info->attrs[NL80211_ATTR_MAC]) {
12772 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12773 
12774 		if (!is_valid_ether_addr(ibss.bssid))
12775 			return -EINVAL;
12776 	}
12777 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12778 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12779 
12780 	if (info->attrs[NL80211_ATTR_IE]) {
12781 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12782 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12783 	}
12784 
12785 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
12786 	if (err)
12787 		return err;
12788 
12789 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
12790 				     NL80211_IFTYPE_ADHOC))
12791 		return -EINVAL;
12792 
12793 	switch (ibss.chandef.width) {
12794 	case NL80211_CHAN_WIDTH_5:
12795 	case NL80211_CHAN_WIDTH_10:
12796 	case NL80211_CHAN_WIDTH_20_NOHT:
12797 		break;
12798 	case NL80211_CHAN_WIDTH_20:
12799 	case NL80211_CHAN_WIDTH_40:
12800 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12801 			return -EINVAL;
12802 		break;
12803 	case NL80211_CHAN_WIDTH_80:
12804 	case NL80211_CHAN_WIDTH_80P80:
12805 	case NL80211_CHAN_WIDTH_160:
12806 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
12807 			return -EINVAL;
12808 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
12809 					     NL80211_EXT_FEATURE_VHT_IBSS))
12810 			return -EINVAL;
12811 		break;
12812 	case NL80211_CHAN_WIDTH_320:
12813 		return -EINVAL;
12814 	default:
12815 		return -EINVAL;
12816 	}
12817 
12818 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
12819 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
12820 
12821 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12822 		u8 *rates =
12823 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12824 		int n_rates =
12825 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12826 		struct ieee80211_supported_band *sband =
12827 			wiphy->bands[ibss.chandef.chan->band];
12828 
12829 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12830 					     &ibss.basic_rates);
12831 		if (err)
12832 			return err;
12833 	}
12834 
12835 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12836 		memcpy(&ibss.ht_capa_mask,
12837 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12838 		       sizeof(ibss.ht_capa_mask));
12839 
12840 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12841 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12842 			return -EINVAL;
12843 		memcpy(&ibss.ht_capa,
12844 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12845 		       sizeof(ibss.ht_capa));
12846 	}
12847 
12848 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12849 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
12850 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12851 		return -EINVAL;
12852 
12853 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12854 		bool no_ht = false;
12855 
12856 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
12857 		if (IS_ERR(connkeys))
12858 			return PTR_ERR(connkeys);
12859 
12860 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
12861 		    no_ht) {
12862 			kfree_sensitive(connkeys);
12863 			return -EINVAL;
12864 		}
12865 	}
12866 
12867 	ibss.control_port =
12868 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
12869 
12870 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12871 		int r = validate_pae_over_nl80211(rdev, info);
12872 
12873 		if (r < 0) {
12874 			kfree_sensitive(connkeys);
12875 			return r;
12876 		}
12877 
12878 		ibss.control_port_over_nl80211 = true;
12879 	}
12880 
12881 	ibss.userspace_handles_dfs =
12882 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12883 
12884 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
12885 	if (err)
12886 		kfree_sensitive(connkeys);
12887 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
12888 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12889 
12890 	return err;
12891 }
12892 
12893 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
12894 {
12895 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12896 	struct net_device *dev = info->user_ptr[1];
12897 
12898 	if (!rdev->ops->leave_ibss)
12899 		return -EOPNOTSUPP;
12900 
12901 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
12902 		return -EOPNOTSUPP;
12903 
12904 	return cfg80211_leave_ibss(rdev, dev, false);
12905 }
12906 
12907 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
12908 {
12909 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12910 	struct net_device *dev = info->user_ptr[1];
12911 	int mcast_rate[NUM_NL80211_BANDS];
12912 	u32 nla_rate;
12913 
12914 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
12915 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
12916 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
12917 		return -EOPNOTSUPP;
12918 
12919 	if (!rdev->ops->set_mcast_rate)
12920 		return -EOPNOTSUPP;
12921 
12922 	memset(mcast_rate, 0, sizeof(mcast_rate));
12923 
12924 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
12925 		return -EINVAL;
12926 
12927 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
12928 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
12929 		return -EINVAL;
12930 
12931 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
12932 }
12933 
12934 static struct sk_buff *
12935 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
12936 			    struct wireless_dev *wdev, int approxlen,
12937 			    u32 portid, u32 seq, enum nl80211_commands cmd,
12938 			    enum nl80211_attrs attr,
12939 			    const struct nl80211_vendor_cmd_info *info,
12940 			    gfp_t gfp)
12941 {
12942 	struct sk_buff *skb;
12943 	void *hdr;
12944 	struct nlattr *data;
12945 
12946 	skb = nlmsg_new(approxlen + 100, gfp);
12947 	if (!skb)
12948 		return NULL;
12949 
12950 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
12951 	if (!hdr) {
12952 		kfree_skb(skb);
12953 		return NULL;
12954 	}
12955 
12956 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
12957 		goto nla_put_failure;
12958 
12959 	if (info) {
12960 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
12961 				info->vendor_id))
12962 			goto nla_put_failure;
12963 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
12964 				info->subcmd))
12965 			goto nla_put_failure;
12966 	}
12967 
12968 	if (wdev) {
12969 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
12970 				      wdev_id(wdev), NL80211_ATTR_PAD))
12971 			goto nla_put_failure;
12972 		if (wdev->netdev &&
12973 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
12974 				wdev->netdev->ifindex))
12975 			goto nla_put_failure;
12976 	}
12977 
12978 	data = nla_nest_start_noflag(skb, attr);
12979 	if (!data)
12980 		goto nla_put_failure;
12981 
12982 	((void **)skb->cb)[0] = rdev;
12983 	((void **)skb->cb)[1] = hdr;
12984 	((void **)skb->cb)[2] = data;
12985 
12986 	return skb;
12987 
12988  nla_put_failure:
12989 	kfree_skb(skb);
12990 	return NULL;
12991 }
12992 
12993 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
12994 					   struct wireless_dev *wdev,
12995 					   enum nl80211_commands cmd,
12996 					   enum nl80211_attrs attr,
12997 					   unsigned int portid,
12998 					   int vendor_event_idx,
12999 					   int approxlen, gfp_t gfp)
13000 {
13001 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13002 	const struct nl80211_vendor_cmd_info *info;
13003 
13004 	switch (cmd) {
13005 	case NL80211_CMD_TESTMODE:
13006 		if (WARN_ON(vendor_event_idx != -1))
13007 			return NULL;
13008 		info = NULL;
13009 		break;
13010 	case NL80211_CMD_VENDOR:
13011 		if (WARN_ON(vendor_event_idx < 0 ||
13012 			    vendor_event_idx >= wiphy->n_vendor_events))
13013 			return NULL;
13014 		info = &wiphy->vendor_events[vendor_event_idx];
13015 		break;
13016 	default:
13017 		WARN_ON(1);
13018 		return NULL;
13019 	}
13020 
13021 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
13022 					   cmd, attr, info, gfp);
13023 }
13024 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
13025 
13026 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
13027 {
13028 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13029 	void *hdr = ((void **)skb->cb)[1];
13030 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
13031 	struct nlattr *data = ((void **)skb->cb)[2];
13032 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
13033 
13034 	/* clear CB data for netlink core to own from now on */
13035 	memset(skb->cb, 0, sizeof(skb->cb));
13036 
13037 	nla_nest_end(skb, data);
13038 	genlmsg_end(skb, hdr);
13039 
13040 	if (nlhdr->nlmsg_pid) {
13041 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
13042 				nlhdr->nlmsg_pid);
13043 	} else {
13044 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
13045 			mcgrp = NL80211_MCGRP_VENDOR;
13046 
13047 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13048 					skb, 0, mcgrp, gfp);
13049 	}
13050 }
13051 EXPORT_SYMBOL(__cfg80211_send_event_skb);
13052 
13053 #ifdef CONFIG_NL80211_TESTMODE
13054 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
13055 {
13056 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13057 	struct wireless_dev *wdev;
13058 	int err;
13059 
13060 	lockdep_assert_held(&rdev->wiphy.mtx);
13061 
13062 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13063 					  info->attrs);
13064 
13065 	if (!rdev->ops->testmode_cmd)
13066 		return -EOPNOTSUPP;
13067 
13068 	if (IS_ERR(wdev)) {
13069 		err = PTR_ERR(wdev);
13070 		if (err != -EINVAL)
13071 			return err;
13072 		wdev = NULL;
13073 	} else if (wdev->wiphy != &rdev->wiphy) {
13074 		return -EINVAL;
13075 	}
13076 
13077 	if (!info->attrs[NL80211_ATTR_TESTDATA])
13078 		return -EINVAL;
13079 
13080 	rdev->cur_cmd_info = info;
13081 	err = rdev_testmode_cmd(rdev, wdev,
13082 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
13083 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
13084 	rdev->cur_cmd_info = NULL;
13085 
13086 	return err;
13087 }
13088 
13089 static int nl80211_testmode_dump(struct sk_buff *skb,
13090 				 struct netlink_callback *cb)
13091 {
13092 	struct cfg80211_registered_device *rdev;
13093 	struct nlattr **attrbuf = NULL;
13094 	int err;
13095 	long phy_idx;
13096 	void *data = NULL;
13097 	int data_len = 0;
13098 
13099 	rtnl_lock();
13100 
13101 	if (cb->args[0]) {
13102 		/*
13103 		 * 0 is a valid index, but not valid for args[0],
13104 		 * so we need to offset by 1.
13105 		 */
13106 		phy_idx = cb->args[0] - 1;
13107 
13108 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
13109 		if (!rdev) {
13110 			err = -ENOENT;
13111 			goto out_err;
13112 		}
13113 	} else {
13114 		attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
13115 		if (!attrbuf) {
13116 			err = -ENOMEM;
13117 			goto out_err;
13118 		}
13119 
13120 		err = nlmsg_parse_deprecated(cb->nlh,
13121 					     GENL_HDRLEN + nl80211_fam.hdrsize,
13122 					     attrbuf, nl80211_fam.maxattr,
13123 					     nl80211_policy, NULL);
13124 		if (err)
13125 			goto out_err;
13126 
13127 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13128 		if (IS_ERR(rdev)) {
13129 			err = PTR_ERR(rdev);
13130 			goto out_err;
13131 		}
13132 		phy_idx = rdev->wiphy_idx;
13133 
13134 		if (attrbuf[NL80211_ATTR_TESTDATA])
13135 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
13136 	}
13137 
13138 	if (cb->args[1]) {
13139 		data = nla_data((void *)cb->args[1]);
13140 		data_len = nla_len((void *)cb->args[1]);
13141 	}
13142 
13143 	if (!rdev->ops->testmode_dump) {
13144 		err = -EOPNOTSUPP;
13145 		goto out_err;
13146 	}
13147 
13148 	while (1) {
13149 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13150 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13151 					   NL80211_CMD_TESTMODE);
13152 		struct nlattr *tmdata;
13153 
13154 		if (!hdr)
13155 			break;
13156 
13157 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
13158 			genlmsg_cancel(skb, hdr);
13159 			break;
13160 		}
13161 
13162 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
13163 		if (!tmdata) {
13164 			genlmsg_cancel(skb, hdr);
13165 			break;
13166 		}
13167 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
13168 		nla_nest_end(skb, tmdata);
13169 
13170 		if (err == -ENOBUFS || err == -ENOENT) {
13171 			genlmsg_cancel(skb, hdr);
13172 			break;
13173 		} else if (err) {
13174 			genlmsg_cancel(skb, hdr);
13175 			goto out_err;
13176 		}
13177 
13178 		genlmsg_end(skb, hdr);
13179 	}
13180 
13181 	err = skb->len;
13182 	/* see above */
13183 	cb->args[0] = phy_idx + 1;
13184  out_err:
13185 	kfree(attrbuf);
13186 	rtnl_unlock();
13187 	return err;
13188 }
13189 #endif
13190 
13191 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
13192 {
13193 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13194 	struct net_device *dev = info->user_ptr[1];
13195 	struct cfg80211_connect_params connect;
13196 	struct wiphy *wiphy;
13197 	struct cfg80211_cached_keys *connkeys = NULL;
13198 	u32 freq = 0;
13199 	int err;
13200 
13201 	memset(&connect, 0, sizeof(connect));
13202 
13203 	if (!info->attrs[NL80211_ATTR_SSID] ||
13204 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
13205 		return -EINVAL;
13206 
13207 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13208 		connect.auth_type =
13209 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13210 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
13211 					     NL80211_CMD_CONNECT))
13212 			return -EINVAL;
13213 	} else
13214 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
13215 
13216 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
13217 
13218 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
13219 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13220 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13221 		return -EINVAL;
13222 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
13223 
13224 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
13225 				      NL80211_MAX_NR_CIPHER_SUITES);
13226 	if (err)
13227 		return err;
13228 
13229 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13230 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13231 		return -EOPNOTSUPP;
13232 
13233 	wiphy = &rdev->wiphy;
13234 
13235 	connect.bg_scan_period = -1;
13236 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
13237 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
13238 		connect.bg_scan_period =
13239 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
13240 	}
13241 
13242 	if (info->attrs[NL80211_ATTR_MAC])
13243 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13244 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
13245 		connect.bssid_hint =
13246 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
13247 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13248 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13249 
13250 	if (info->attrs[NL80211_ATTR_IE]) {
13251 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13252 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13253 	}
13254 
13255 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
13256 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
13257 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
13258 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13259 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
13260 			return -EOPNOTSUPP;
13261 	} else {
13262 		connect.mfp = NL80211_MFP_NO;
13263 	}
13264 
13265 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
13266 		connect.prev_bssid =
13267 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
13268 
13269 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
13270 		freq = MHZ_TO_KHZ(nla_get_u32(
13271 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
13272 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
13273 		freq +=
13274 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
13275 
13276 	if (freq) {
13277 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
13278 		if (!connect.channel)
13279 			return -EINVAL;
13280 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
13281 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
13282 		freq = MHZ_TO_KHZ(freq);
13283 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
13284 		if (!connect.channel_hint)
13285 			return -EINVAL;
13286 	}
13287 
13288 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
13289 		connect.edmg.channels =
13290 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
13291 
13292 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
13293 			connect.edmg.bw_config =
13294 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
13295 	}
13296 
13297 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
13298 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
13299 		if (IS_ERR(connkeys))
13300 			return PTR_ERR(connkeys);
13301 	}
13302 
13303 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
13304 		connect.flags |= ASSOC_REQ_DISABLE_HT;
13305 
13306 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
13307 		memcpy(&connect.ht_capa_mask,
13308 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
13309 		       sizeof(connect.ht_capa_mask));
13310 
13311 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
13312 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
13313 			kfree_sensitive(connkeys);
13314 			return -EINVAL;
13315 		}
13316 		memcpy(&connect.ht_capa,
13317 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
13318 		       sizeof(connect.ht_capa));
13319 	}
13320 
13321 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
13322 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
13323 
13324 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
13325 		connect.flags |= ASSOC_REQ_DISABLE_HE;
13326 
13327 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
13328 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
13329 
13330 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_UHR]))
13331 		connect.flags |= ASSOC_REQ_DISABLE_UHR;
13332 
13333 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
13334 		memcpy(&connect.vht_capa_mask,
13335 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
13336 		       sizeof(connect.vht_capa_mask));
13337 
13338 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
13339 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
13340 			kfree_sensitive(connkeys);
13341 			return -EINVAL;
13342 		}
13343 		memcpy(&connect.vht_capa,
13344 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
13345 		       sizeof(connect.vht_capa));
13346 	}
13347 
13348 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
13349 		if (!((rdev->wiphy.features &
13350 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
13351 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
13352 		    !wiphy_ext_feature_isset(&rdev->wiphy,
13353 					     NL80211_EXT_FEATURE_RRM)) {
13354 			kfree_sensitive(connkeys);
13355 			return -EINVAL;
13356 		}
13357 		connect.flags |= ASSOC_REQ_USE_RRM;
13358 	}
13359 
13360 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
13361 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
13362 		kfree_sensitive(connkeys);
13363 		return -EOPNOTSUPP;
13364 	}
13365 
13366 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
13367 		/* bss selection makes no sense if bssid is set */
13368 		if (connect.bssid) {
13369 			kfree_sensitive(connkeys);
13370 			return -EINVAL;
13371 		}
13372 
13373 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
13374 				       wiphy, &connect.bss_select);
13375 		if (err) {
13376 			kfree_sensitive(connkeys);
13377 			return err;
13378 		}
13379 	}
13380 
13381 	if (wiphy_ext_feature_isset(&rdev->wiphy,
13382 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
13383 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13384 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13385 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13386 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13387 		connect.fils_erp_username =
13388 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13389 		connect.fils_erp_username_len =
13390 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13391 		connect.fils_erp_realm =
13392 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13393 		connect.fils_erp_realm_len =
13394 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13395 		connect.fils_erp_next_seq_num =
13396 			nla_get_u16(
13397 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13398 		connect.fils_erp_rrk =
13399 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13400 		connect.fils_erp_rrk_len =
13401 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13402 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13403 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13404 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13405 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13406 		kfree_sensitive(connkeys);
13407 		return -EINVAL;
13408 	}
13409 
13410 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
13411 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13412 			kfree_sensitive(connkeys);
13413 			GENL_SET_ERR_MSG(info,
13414 					 "external auth requires connection ownership");
13415 			return -EINVAL;
13416 		}
13417 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
13418 	}
13419 
13420 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
13421 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
13422 
13423 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
13424 			       connect.prev_bssid);
13425 	if (err)
13426 		kfree_sensitive(connkeys);
13427 
13428 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
13429 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13430 		if (connect.bssid)
13431 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
13432 			       connect.bssid, ETH_ALEN);
13433 		else
13434 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
13435 	}
13436 
13437 	return err;
13438 }
13439 
13440 static int nl80211_update_connect_params(struct sk_buff *skb,
13441 					 struct genl_info *info)
13442 {
13443 	struct cfg80211_connect_params connect = {};
13444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13445 	struct net_device *dev = info->user_ptr[1];
13446 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13447 	bool fils_sk_offload;
13448 	u32 auth_type;
13449 	u32 changed = 0;
13450 
13451 	if (!rdev->ops->update_connect_params)
13452 		return -EOPNOTSUPP;
13453 
13454 	if (info->attrs[NL80211_ATTR_IE]) {
13455 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13456 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13457 		changed |= UPDATE_ASSOC_IES;
13458 	}
13459 
13460 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
13461 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
13462 
13463 	/*
13464 	 * when driver supports fils-sk offload all attributes must be
13465 	 * provided. So the else covers "fils-sk-not-all" and
13466 	 * "no-fils-sk-any".
13467 	 */
13468 	if (fils_sk_offload &&
13469 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
13470 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
13471 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
13472 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13473 		connect.fils_erp_username =
13474 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13475 		connect.fils_erp_username_len =
13476 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
13477 		connect.fils_erp_realm =
13478 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13479 		connect.fils_erp_realm_len =
13480 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
13481 		connect.fils_erp_next_seq_num =
13482 			nla_get_u16(
13483 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
13484 		connect.fils_erp_rrk =
13485 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13486 		connect.fils_erp_rrk_len =
13487 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
13488 		changed |= UPDATE_FILS_ERP_INFO;
13489 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
13490 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
13491 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
13492 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
13493 		return -EINVAL;
13494 	}
13495 
13496 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
13497 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
13498 		if (!nl80211_valid_auth_type(rdev, auth_type,
13499 					     NL80211_CMD_CONNECT))
13500 			return -EINVAL;
13501 
13502 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
13503 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
13504 			return -EINVAL;
13505 
13506 		connect.auth_type = auth_type;
13507 		changed |= UPDATE_AUTH_TYPE;
13508 	}
13509 
13510 	if (!wdev->connected)
13511 		return -ENOLINK;
13512 
13513 	return rdev_update_connect_params(rdev, dev, &connect, changed);
13514 }
13515 
13516 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
13517 {
13518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13519 	struct net_device *dev = info->user_ptr[1];
13520 	u16 reason;
13521 
13522 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
13523 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
13524 		return -EPERM;
13525 
13526 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
13527 				     WLAN_REASON_DEAUTH_LEAVING);
13528 
13529 	if (reason == 0)
13530 		return -EINVAL;
13531 
13532 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13533 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13534 		return -EOPNOTSUPP;
13535 
13536 	return cfg80211_disconnect(rdev, dev, reason, true);
13537 }
13538 
13539 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
13540 {
13541 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13542 	struct net *net;
13543 	int err;
13544 
13545 	if (info->attrs[NL80211_ATTR_PID]) {
13546 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
13547 
13548 		net = get_net_ns_by_pid(pid);
13549 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
13550 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
13551 
13552 		net = get_net_ns_by_fd(fd);
13553 	} else {
13554 		return -EINVAL;
13555 	}
13556 
13557 	if (IS_ERR(net))
13558 		return PTR_ERR(net);
13559 
13560 	err = 0;
13561 
13562 	/* check if anything to do */
13563 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
13564 		err = cfg80211_switch_netns(rdev, net);
13565 
13566 	put_net(net);
13567 	return err;
13568 }
13569 
13570 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
13571 {
13572 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13573 	struct net_device *dev = info->user_ptr[1];
13574 	struct cfg80211_pmksa pmksa;
13575 	bool ap_pmksa_caching_support = false;
13576 
13577 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13578 
13579 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13580 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13581 
13582 	if (!info->attrs[NL80211_ATTR_PMKID])
13583 		return -EINVAL;
13584 
13585 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13586 
13587 	if (info->attrs[NL80211_ATTR_MAC]) {
13588 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13589 	} else if (info->attrs[NL80211_ATTR_SSID] &&
13590 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13591 	           info->attrs[NL80211_ATTR_PMK]) {
13592 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13593 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13594 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13595 	} else {
13596 		return -EINVAL;
13597 	}
13598 
13599 	if (info->attrs[NL80211_ATTR_PMK]) {
13600 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13601 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13602 	}
13603 
13604 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
13605 		pmksa.pmk_lifetime =
13606 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
13607 
13608 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
13609 		pmksa.pmk_reauth_threshold =
13610 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
13611 
13612 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13613 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13614 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13615 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13616 	       ap_pmksa_caching_support))
13617 		return -EOPNOTSUPP;
13618 
13619 	if (!rdev->ops->set_pmksa)
13620 		return -EOPNOTSUPP;
13621 
13622 	return rdev_set_pmksa(rdev, dev, &pmksa);
13623 }
13624 
13625 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
13626 {
13627 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13628 	struct net_device *dev = info->user_ptr[1];
13629 	struct cfg80211_pmksa pmksa;
13630 	bool sae_offload_support = false;
13631 	bool owe_offload_support = false;
13632 	bool ap_pmksa_caching_support = false;
13633 
13634 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
13635 
13636 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13637 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
13638 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
13639 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
13640 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
13641 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
13642 
13643 	if (info->attrs[NL80211_ATTR_PMKID])
13644 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13645 
13646 	if (info->attrs[NL80211_ATTR_MAC]) {
13647 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
13648 	} else if (info->attrs[NL80211_ATTR_SSID]) {
13649 		/* SSID based pmksa flush supported only for FILS,
13650 		 * OWE/SAE OFFLOAD cases
13651 		 */
13652 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
13653 		    info->attrs[NL80211_ATTR_PMK]) {
13654 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
13655 		} else if (!sae_offload_support && !owe_offload_support) {
13656 			return -EINVAL;
13657 		}
13658 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
13659 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13660 	} else {
13661 		return -EINVAL;
13662 	}
13663 
13664 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13665 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
13666 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
13667 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
13668 	       ap_pmksa_caching_support))
13669 		return -EOPNOTSUPP;
13670 
13671 	if (!rdev->ops->del_pmksa)
13672 		return -EOPNOTSUPP;
13673 
13674 	return rdev_del_pmksa(rdev, dev, &pmksa);
13675 }
13676 
13677 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
13678 {
13679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13680 	struct net_device *dev = info->user_ptr[1];
13681 
13682 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
13683 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
13684 		return -EOPNOTSUPP;
13685 
13686 	if (!rdev->ops->flush_pmksa)
13687 		return -EOPNOTSUPP;
13688 
13689 	return rdev_flush_pmksa(rdev, dev);
13690 }
13691 
13692 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
13693 {
13694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13695 	struct net_device *dev = info->user_ptr[1];
13696 	u8 action_code, dialog_token;
13697 	u32 peer_capability = 0;
13698 	u16 status_code;
13699 	u8 *peer;
13700 	int link_id;
13701 	bool initiator;
13702 
13703 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13704 	    !rdev->ops->tdls_mgmt)
13705 		return -EOPNOTSUPP;
13706 
13707 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
13708 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
13709 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
13710 	    !info->attrs[NL80211_ATTR_IE] ||
13711 	    !info->attrs[NL80211_ATTR_MAC])
13712 		return -EINVAL;
13713 
13714 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13715 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
13716 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13717 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
13718 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
13719 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
13720 		peer_capability =
13721 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
13722 	link_id = nl80211_link_id_or_invalid(info->attrs);
13723 
13724 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
13725 			      dialog_token, status_code, peer_capability,
13726 			      initiator,
13727 			      nla_data(info->attrs[NL80211_ATTR_IE]),
13728 			      nla_len(info->attrs[NL80211_ATTR_IE]));
13729 }
13730 
13731 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
13732 {
13733 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13734 	struct net_device *dev = info->user_ptr[1];
13735 	enum nl80211_tdls_operation operation;
13736 	u8 *peer;
13737 
13738 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
13739 	    !rdev->ops->tdls_oper)
13740 		return -EOPNOTSUPP;
13741 
13742 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
13743 	    !info->attrs[NL80211_ATTR_MAC])
13744 		return -EINVAL;
13745 
13746 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
13747 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13748 
13749 	return rdev_tdls_oper(rdev, dev, peer, operation);
13750 }
13751 
13752 static int nl80211_remain_on_channel(struct sk_buff *skb,
13753 				     struct genl_info *info)
13754 {
13755 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13756 	unsigned int link_id = nl80211_link_id(info->attrs);
13757 	struct wireless_dev *wdev = info->user_ptr[1];
13758 	struct cfg80211_chan_def chandef;
13759 	struct sk_buff *msg;
13760 	void *hdr;
13761 	u64 cookie;
13762 	u32 duration;
13763 	int err;
13764 
13765 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
13766 	    !info->attrs[NL80211_ATTR_DURATION])
13767 		return -EINVAL;
13768 
13769 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13770 
13771 	if (!rdev->ops->remain_on_channel ||
13772 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
13773 		return -EOPNOTSUPP;
13774 
13775 	/*
13776 	 * We should be on that channel for at least a minimum amount of
13777 	 * time (10ms) but no longer than the driver supports.
13778 	 */
13779 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13780 	    duration > rdev->wiphy.max_remain_on_channel_duration)
13781 		return -EINVAL;
13782 
13783 	err = nl80211_parse_chandef(rdev, info, &chandef);
13784 	if (err)
13785 		return err;
13786 
13787 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
13788 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
13789 
13790 		oper_chandef = wdev_chandef(wdev, link_id);
13791 
13792 		if (WARN_ON(!oper_chandef)) {
13793 			/* cannot happen since we must beacon to get here */
13794 			WARN_ON(1);
13795 			return -EBUSY;
13796 		}
13797 
13798 		/* note: returns first one if identical chandefs */
13799 		compat_chandef = cfg80211_chandef_compatible(&chandef,
13800 							     oper_chandef);
13801 
13802 		if (compat_chandef != &chandef)
13803 			return -EBUSY;
13804 	}
13805 
13806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13807 	if (!msg)
13808 		return -ENOMEM;
13809 
13810 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13811 			     NL80211_CMD_REMAIN_ON_CHANNEL);
13812 	if (!hdr) {
13813 		err = -ENOBUFS;
13814 		goto free_msg;
13815 	}
13816 
13817 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
13818 				     duration, &cookie);
13819 
13820 	if (err)
13821 		goto free_msg;
13822 
13823 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13824 			      NL80211_ATTR_PAD))
13825 		goto nla_put_failure;
13826 
13827 	genlmsg_end(msg, hdr);
13828 
13829 	return genlmsg_reply(msg, info);
13830 
13831  nla_put_failure:
13832 	err = -ENOBUFS;
13833  free_msg:
13834 	nlmsg_free(msg);
13835 	return err;
13836 }
13837 
13838 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
13839 					    struct genl_info *info)
13840 {
13841 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13842 	struct wireless_dev *wdev = info->user_ptr[1];
13843 	u64 cookie;
13844 
13845 	if (!info->attrs[NL80211_ATTR_COOKIE])
13846 		return -EINVAL;
13847 
13848 	if (!rdev->ops->cancel_remain_on_channel)
13849 		return -EOPNOTSUPP;
13850 
13851 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13852 
13853 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
13854 }
13855 
13856 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
13857 				       struct genl_info *info)
13858 {
13859 	struct cfg80211_bitrate_mask mask;
13860 	unsigned int link_id = nl80211_link_id(info->attrs);
13861 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13862 	struct net_device *dev = info->user_ptr[1];
13863 	int err;
13864 
13865 	if (!rdev->ops->set_bitrate_mask)
13866 		return -EOPNOTSUPP;
13867 
13868 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13869 					    NL80211_ATTR_TX_RATES, &mask,
13870 					    dev, true, link_id);
13871 	if (err)
13872 		return err;
13873 
13874 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
13875 }
13876 
13877 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
13878 {
13879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13880 	struct wireless_dev *wdev = info->user_ptr[1];
13881 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
13882 
13883 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
13884 		return -EINVAL;
13885 
13886 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
13887 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
13888 
13889 	switch (wdev->iftype) {
13890 	case NL80211_IFTYPE_STATION:
13891 	case NL80211_IFTYPE_ADHOC:
13892 	case NL80211_IFTYPE_P2P_CLIENT:
13893 	case NL80211_IFTYPE_AP:
13894 	case NL80211_IFTYPE_AP_VLAN:
13895 	case NL80211_IFTYPE_MESH_POINT:
13896 	case NL80211_IFTYPE_P2P_GO:
13897 	case NL80211_IFTYPE_P2P_DEVICE:
13898 		break;
13899 	case NL80211_IFTYPE_NAN:
13900 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13901 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13902 		    !(wdev->wiphy->nan_capa.flags &
13903 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13904 			return -EOPNOTSUPP;
13905 		break;
13906 	default:
13907 		return -EOPNOTSUPP;
13908 	}
13909 
13910 	/* not much point in registering if we can't reply */
13911 	if (!rdev->ops->mgmt_tx)
13912 		return -EOPNOTSUPP;
13913 
13914 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
13915 	    !wiphy_ext_feature_isset(&rdev->wiphy,
13916 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
13917 		GENL_SET_ERR_MSG(info,
13918 				 "multicast RX registrations are not supported");
13919 		return -EOPNOTSUPP;
13920 	}
13921 
13922 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
13923 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13924 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
13925 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
13926 					   info->extack);
13927 }
13928 
13929 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
13930 {
13931 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13932 	struct wireless_dev *wdev = info->user_ptr[1];
13933 	struct cfg80211_chan_def chandef;
13934 	int err;
13935 	void *hdr = NULL;
13936 	u64 cookie;
13937 	struct sk_buff *msg = NULL;
13938 	struct cfg80211_mgmt_tx_params params = {
13939 		.dont_wait_for_ack =
13940 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
13941 	};
13942 
13943 	if (!info->attrs[NL80211_ATTR_FRAME])
13944 		return -EINVAL;
13945 
13946 	if (!rdev->ops->mgmt_tx)
13947 		return -EOPNOTSUPP;
13948 
13949 	switch (wdev->iftype) {
13950 	case NL80211_IFTYPE_P2P_DEVICE:
13951 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
13952 			return -EINVAL;
13953 		break;
13954 	case NL80211_IFTYPE_STATION:
13955 	case NL80211_IFTYPE_ADHOC:
13956 	case NL80211_IFTYPE_P2P_CLIENT:
13957 	case NL80211_IFTYPE_AP:
13958 	case NL80211_IFTYPE_AP_VLAN:
13959 	case NL80211_IFTYPE_MESH_POINT:
13960 	case NL80211_IFTYPE_P2P_GO:
13961 		break;
13962 	case NL80211_IFTYPE_NAN:
13963 		if (!wiphy_ext_feature_isset(wdev->wiphy,
13964 					     NL80211_EXT_FEATURE_SECURE_NAN) &&
13965 		    !(wdev->wiphy->nan_capa.flags &
13966 		      WIPHY_NAN_FLAGS_USERSPACE_DE))
13967 			return -EOPNOTSUPP;
13968 		break;
13969 	default:
13970 		return -EOPNOTSUPP;
13971 	}
13972 
13973 	if (info->attrs[NL80211_ATTR_DURATION]) {
13974 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13975 			return -EINVAL;
13976 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
13977 
13978 		/*
13979 		 * We should wait on the channel for at least a minimum amount
13980 		 * of time (10ms) but no longer than the driver supports.
13981 		 */
13982 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
13983 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
13984 			return -EINVAL;
13985 	}
13986 
13987 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
13988 
13989 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
13990 		return -EINVAL;
13991 
13992 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
13993 
13994 	/* get the channel if any has been specified, otherwise pass NULL to
13995 	 * the driver. The latter will use the current one
13996 	 */
13997 	chandef.chan = NULL;
13998 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13999 		err = nl80211_parse_chandef(rdev, info, &chandef);
14000 		if (err)
14001 			return err;
14002 	}
14003 
14004 	if (!chandef.chan && params.offchan)
14005 		return -EINVAL;
14006 
14007 	if (params.offchan &&
14008 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
14009 		return -EBUSY;
14010 
14011 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
14012 	/*
14013 	 * This now races due to the unlock, but we cannot check
14014 	 * the valid links for the _station_ anyway, so that's up
14015 	 * to the driver.
14016 	 */
14017 	if (params.link_id >= 0 &&
14018 	    !(wdev->valid_links & BIT(params.link_id)))
14019 		return -EINVAL;
14020 
14021 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14022 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14023 
14024 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
14025 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
14026 					    &params.csa_offsets,
14027 					    &params.n_csa_offsets);
14028 	if (err)
14029 		return err;
14030 
14031 	if (!params.dont_wait_for_ack) {
14032 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14033 		if (!msg)
14034 			return -ENOMEM;
14035 
14036 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14037 				     NL80211_CMD_FRAME);
14038 		if (!hdr) {
14039 			err = -ENOBUFS;
14040 			goto free_msg;
14041 		}
14042 	}
14043 
14044 	params.chan = chandef.chan;
14045 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
14046 	if (err)
14047 		goto free_msg;
14048 
14049 	if (msg) {
14050 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14051 				      NL80211_ATTR_PAD))
14052 			goto nla_put_failure;
14053 
14054 		genlmsg_end(msg, hdr);
14055 		return genlmsg_reply(msg, info);
14056 	}
14057 
14058 	return 0;
14059 
14060  nla_put_failure:
14061 	err = -ENOBUFS;
14062  free_msg:
14063 	nlmsg_free(msg);
14064 	return err;
14065 }
14066 
14067 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
14068 {
14069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14070 	struct wireless_dev *wdev = info->user_ptr[1];
14071 	u64 cookie;
14072 
14073 	if (!info->attrs[NL80211_ATTR_COOKIE])
14074 		return -EINVAL;
14075 
14076 	if (!rdev->ops->mgmt_tx_cancel_wait)
14077 		return -EOPNOTSUPP;
14078 
14079 	switch (wdev->iftype) {
14080 	case NL80211_IFTYPE_STATION:
14081 	case NL80211_IFTYPE_ADHOC:
14082 	case NL80211_IFTYPE_P2P_CLIENT:
14083 	case NL80211_IFTYPE_AP:
14084 	case NL80211_IFTYPE_AP_VLAN:
14085 	case NL80211_IFTYPE_P2P_GO:
14086 	case NL80211_IFTYPE_P2P_DEVICE:
14087 		break;
14088 	case NL80211_IFTYPE_NAN:
14089 		if (!wiphy_ext_feature_isset(wdev->wiphy,
14090 					     NL80211_EXT_FEATURE_SECURE_NAN))
14091 			return -EOPNOTSUPP;
14092 		break;
14093 	default:
14094 		return -EOPNOTSUPP;
14095 	}
14096 
14097 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14098 
14099 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
14100 }
14101 
14102 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
14103 {
14104 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14105 	struct wireless_dev *wdev;
14106 	struct net_device *dev = info->user_ptr[1];
14107 	u8 ps_state;
14108 	bool state;
14109 	int err;
14110 
14111 	if (!info->attrs[NL80211_ATTR_PS_STATE])
14112 		return -EINVAL;
14113 
14114 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
14115 
14116 	wdev = dev->ieee80211_ptr;
14117 
14118 	if (!rdev->ops->set_power_mgmt)
14119 		return -EOPNOTSUPP;
14120 
14121 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
14122 
14123 	if (state == wdev->ps)
14124 		return 0;
14125 
14126 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
14127 	if (!err)
14128 		wdev->ps = state;
14129 	return err;
14130 }
14131 
14132 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
14133 {
14134 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14135 	enum nl80211_ps_state ps_state;
14136 	struct wireless_dev *wdev;
14137 	struct net_device *dev = info->user_ptr[1];
14138 	struct sk_buff *msg;
14139 	void *hdr;
14140 	int err;
14141 
14142 	wdev = dev->ieee80211_ptr;
14143 
14144 	if (!rdev->ops->set_power_mgmt)
14145 		return -EOPNOTSUPP;
14146 
14147 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14148 	if (!msg)
14149 		return -ENOMEM;
14150 
14151 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14152 			     NL80211_CMD_GET_POWER_SAVE);
14153 	if (!hdr) {
14154 		err = -ENOBUFS;
14155 		goto free_msg;
14156 	}
14157 
14158 	if (wdev->ps)
14159 		ps_state = NL80211_PS_ENABLED;
14160 	else
14161 		ps_state = NL80211_PS_DISABLED;
14162 
14163 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
14164 		goto nla_put_failure;
14165 
14166 	genlmsg_end(msg, hdr);
14167 	return genlmsg_reply(msg, info);
14168 
14169  nla_put_failure:
14170 	err = -ENOBUFS;
14171  free_msg:
14172 	nlmsg_free(msg);
14173 	return err;
14174 }
14175 
14176 static const struct nla_policy
14177 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
14178 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
14179 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
14180 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
14181 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
14182 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
14183 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
14184 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
14185 };
14186 
14187 static int nl80211_set_cqm_txe(struct genl_info *info,
14188 			       u32 rate, u32 pkts, u32 intvl)
14189 {
14190 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14191 	struct net_device *dev = info->user_ptr[1];
14192 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14193 
14194 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
14195 		return -EINVAL;
14196 
14197 	if (!rdev->ops->set_cqm_txe_config)
14198 		return -EOPNOTSUPP;
14199 
14200 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14201 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14202 		return -EOPNOTSUPP;
14203 
14204 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
14205 }
14206 
14207 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
14208 				    struct net_device *dev,
14209 				    struct cfg80211_cqm_config *cqm_config)
14210 {
14211 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14212 	s32 last, low, high;
14213 	u32 hyst;
14214 	int i, n, low_index;
14215 	int err;
14216 
14217 	/*
14218 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
14219 	 * event has been received yet, we should receive an event after a
14220 	 * connection is established and enough beacons received to calculate
14221 	 * the average.
14222 	 */
14223 	if (!cqm_config->last_rssi_event_value &&
14224 	    wdev->links[0].client.current_bss &&
14225 	    rdev->ops->get_station) {
14226 		struct station_info sinfo = {};
14227 		u8 *mac_addr;
14228 
14229 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
14230 
14231 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
14232 		if (err)
14233 			return err;
14234 
14235 		cfg80211_sinfo_release_content(&sinfo);
14236 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
14237 			cqm_config->last_rssi_event_value =
14238 				(s8) sinfo.rx_beacon_signal_avg;
14239 	}
14240 
14241 	last = cqm_config->last_rssi_event_value;
14242 	hyst = cqm_config->rssi_hyst;
14243 	n = cqm_config->n_rssi_thresholds;
14244 
14245 	for (i = 0; i < n; i++) {
14246 		i = array_index_nospec(i, n);
14247 		if (last < cqm_config->rssi_thresholds[i])
14248 			break;
14249 	}
14250 
14251 	low_index = i - 1;
14252 	if (low_index >= 0) {
14253 		low_index = array_index_nospec(low_index, n);
14254 		low = cqm_config->rssi_thresholds[low_index] - hyst;
14255 	} else {
14256 		low = S32_MIN;
14257 	}
14258 	if (i < n) {
14259 		i = array_index_nospec(i, n);
14260 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
14261 	} else {
14262 		high = S32_MAX;
14263 	}
14264 
14265 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
14266 }
14267 
14268 static int nl80211_set_cqm_rssi(struct genl_info *info,
14269 				const s32 *thresholds, int n_thresholds,
14270 				u32 hysteresis)
14271 {
14272 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14273 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
14274 	struct net_device *dev = info->user_ptr[1];
14275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14276 	s32 prev = S32_MIN;
14277 	int i, err;
14278 
14279 	/* Check all values negative and sorted */
14280 	for (i = 0; i < n_thresholds; i++) {
14281 		if (thresholds[i] > 0 || thresholds[i] <= prev)
14282 			return -EINVAL;
14283 
14284 		prev = thresholds[i];
14285 	}
14286 
14287 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14288 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14289 		return -EOPNOTSUPP;
14290 
14291 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
14292 		n_thresholds = 0;
14293 
14294 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
14295 
14296 	/* if already disabled just succeed */
14297 	if (!n_thresholds && !old)
14298 		return 0;
14299 
14300 	if (n_thresholds > 1) {
14301 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
14302 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
14303 		    !rdev->ops->set_cqm_rssi_range_config)
14304 			return -EOPNOTSUPP;
14305 	} else {
14306 		if (!rdev->ops->set_cqm_rssi_config)
14307 			return -EOPNOTSUPP;
14308 	}
14309 
14310 	if (n_thresholds) {
14311 		cqm_config = kzalloc_flex(*cqm_config, rssi_thresholds,
14312 					  n_thresholds, GFP_KERNEL);
14313 		if (!cqm_config)
14314 			return -ENOMEM;
14315 
14316 		cqm_config->rssi_hyst = hysteresis;
14317 		cqm_config->n_rssi_thresholds = n_thresholds;
14318 		memcpy(cqm_config->rssi_thresholds, thresholds,
14319 		       flex_array_size(cqm_config, rssi_thresholds,
14320 				       n_thresholds));
14321 		cqm_config->use_range_api = n_thresholds > 1 ||
14322 					    !rdev->ops->set_cqm_rssi_config;
14323 
14324 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
14325 
14326 		if (cqm_config->use_range_api)
14327 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
14328 		else
14329 			err = rdev_set_cqm_rssi_config(rdev, dev,
14330 						       thresholds[0],
14331 						       hysteresis);
14332 	} else {
14333 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
14334 		/* if enabled as range also disable via range */
14335 		if (old->use_range_api)
14336 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
14337 		else
14338 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
14339 	}
14340 
14341 	if (err) {
14342 		rcu_assign_pointer(wdev->cqm_config, old);
14343 		kfree_rcu(cqm_config, rcu_head);
14344 	} else {
14345 		kfree_rcu(old, rcu_head);
14346 	}
14347 
14348 	return err;
14349 }
14350 
14351 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
14352 {
14353 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
14354 	struct nlattr *cqm;
14355 	int err;
14356 
14357 	cqm = info->attrs[NL80211_ATTR_CQM];
14358 	if (!cqm)
14359 		return -EINVAL;
14360 
14361 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
14362 					  nl80211_attr_cqm_policy,
14363 					  info->extack);
14364 	if (err)
14365 		return err;
14366 
14367 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
14368 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
14369 		const s32 *thresholds =
14370 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14371 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
14372 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
14373 
14374 		if (len % 4)
14375 			return -EINVAL;
14376 
14377 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
14378 					    hysteresis);
14379 	}
14380 
14381 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
14382 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
14383 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
14384 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
14385 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
14386 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
14387 
14388 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
14389 	}
14390 
14391 	return -EINVAL;
14392 }
14393 
14394 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
14395 {
14396 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14397 	struct net_device *dev = info->user_ptr[1];
14398 	struct ocb_setup setup = {};
14399 	int err;
14400 
14401 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14402 	if (err)
14403 		return err;
14404 
14405 	return cfg80211_join_ocb(rdev, dev, &setup);
14406 }
14407 
14408 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
14409 {
14410 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14411 	struct net_device *dev = info->user_ptr[1];
14412 
14413 	return cfg80211_leave_ocb(rdev, dev);
14414 }
14415 
14416 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
14417 {
14418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14419 	struct net_device *dev = info->user_ptr[1];
14420 	struct mesh_config cfg;
14421 	struct mesh_setup setup;
14422 	int err;
14423 
14424 	/* start with default */
14425 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
14426 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
14427 
14428 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
14429 		/* and parse parameters if given */
14430 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
14431 		if (err)
14432 			return err;
14433 	}
14434 
14435 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
14436 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
14437 		return -EINVAL;
14438 
14439 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
14440 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
14441 
14442 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
14443 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
14444 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
14445 			return -EINVAL;
14446 
14447 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
14448 		setup.beacon_interval =
14449 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
14450 
14451 		err = cfg80211_validate_beacon_int(rdev,
14452 						   NL80211_IFTYPE_MESH_POINT,
14453 						   setup.beacon_interval);
14454 		if (err)
14455 			return err;
14456 	}
14457 
14458 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
14459 		setup.dtim_period =
14460 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
14461 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
14462 			return -EINVAL;
14463 	}
14464 
14465 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
14466 		/* parse additional setup parameters if given */
14467 		err = nl80211_parse_mesh_setup(info, &setup);
14468 		if (err)
14469 			return err;
14470 	}
14471 
14472 	if (setup.user_mpm)
14473 		cfg.auto_open_plinks = false;
14474 
14475 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
14476 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
14477 		if (err)
14478 			return err;
14479 	} else {
14480 		/* __cfg80211_join_mesh() will sort it out */
14481 		setup.chandef.chan = NULL;
14482 	}
14483 
14484 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
14485 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14486 		int n_rates =
14487 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
14488 		struct ieee80211_supported_band *sband;
14489 
14490 		if (!setup.chandef.chan)
14491 			return -EINVAL;
14492 
14493 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
14494 
14495 		err = ieee80211_get_ratemask(sband, rates, n_rates,
14496 					     &setup.basic_rates);
14497 		if (err)
14498 			return err;
14499 	}
14500 
14501 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
14502 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
14503 						    NL80211_ATTR_TX_RATES,
14504 						    &setup.beacon_rate,
14505 						    dev, false, 0);
14506 		if (err)
14507 			return err;
14508 
14509 		if (!setup.chandef.chan)
14510 			return -EINVAL;
14511 
14512 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
14513 					      &setup.beacon_rate);
14514 		if (err)
14515 			return err;
14516 	}
14517 
14518 	setup.userspace_handles_dfs =
14519 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
14520 
14521 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
14522 		int r = validate_pae_over_nl80211(rdev, info);
14523 
14524 		if (r < 0)
14525 			return r;
14526 
14527 		setup.control_port_over_nl80211 = true;
14528 	}
14529 
14530 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
14531 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
14532 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
14533 
14534 	return err;
14535 }
14536 
14537 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
14538 {
14539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14540 	struct net_device *dev = info->user_ptr[1];
14541 
14542 	return cfg80211_leave_mesh(rdev, dev);
14543 }
14544 
14545 #ifdef CONFIG_PM
14546 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
14547 					struct cfg80211_registered_device *rdev)
14548 {
14549 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
14550 	struct nlattr *nl_pats, *nl_pat;
14551 	int i, pat_len;
14552 
14553 	if (!wowlan->n_patterns)
14554 		return 0;
14555 
14556 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
14557 	if (!nl_pats)
14558 		return -ENOBUFS;
14559 
14560 	for (i = 0; i < wowlan->n_patterns; i++) {
14561 		nl_pat = nla_nest_start_noflag(msg, i + 1);
14562 		if (!nl_pat)
14563 			return -ENOBUFS;
14564 		pat_len = wowlan->patterns[i].pattern_len;
14565 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
14566 			    wowlan->patterns[i].mask) ||
14567 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14568 			    wowlan->patterns[i].pattern) ||
14569 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14570 				wowlan->patterns[i].pkt_offset))
14571 			return -ENOBUFS;
14572 		nla_nest_end(msg, nl_pat);
14573 	}
14574 	nla_nest_end(msg, nl_pats);
14575 
14576 	return 0;
14577 }
14578 
14579 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
14580 				   struct cfg80211_wowlan_tcp *tcp)
14581 {
14582 	struct nlattr *nl_tcp;
14583 
14584 	if (!tcp)
14585 		return 0;
14586 
14587 	nl_tcp = nla_nest_start_noflag(msg,
14588 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
14589 	if (!nl_tcp)
14590 		return -ENOBUFS;
14591 
14592 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
14593 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
14594 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
14595 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
14596 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
14597 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
14598 		    tcp->payload_len, tcp->payload) ||
14599 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
14600 			tcp->data_interval) ||
14601 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
14602 		    tcp->wake_len, tcp->wake_data) ||
14603 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
14604 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
14605 		return -ENOBUFS;
14606 
14607 	if (tcp->payload_seq.len &&
14608 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
14609 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
14610 		return -ENOBUFS;
14611 
14612 	if (tcp->payload_tok.len &&
14613 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
14614 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
14615 		    &tcp->payload_tok))
14616 		return -ENOBUFS;
14617 
14618 	nla_nest_end(msg, nl_tcp);
14619 
14620 	return 0;
14621 }
14622 
14623 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
14624 				  struct cfg80211_sched_scan_request *req)
14625 {
14626 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
14627 	int i;
14628 
14629 	if (!req)
14630 		return 0;
14631 
14632 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
14633 	if (!nd)
14634 		return -ENOBUFS;
14635 
14636 	if (req->n_scan_plans == 1 &&
14637 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
14638 			req->scan_plans[0].interval * 1000))
14639 		return -ENOBUFS;
14640 
14641 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
14642 		return -ENOBUFS;
14643 
14644 	if (req->relative_rssi_set) {
14645 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
14646 
14647 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
14648 			       req->relative_rssi))
14649 			return -ENOBUFS;
14650 
14651 		rssi_adjust.band = req->rssi_adjust.band;
14652 		rssi_adjust.delta = req->rssi_adjust.delta;
14653 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
14654 			    sizeof(rssi_adjust), &rssi_adjust))
14655 			return -ENOBUFS;
14656 	}
14657 
14658 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
14659 	if (!freqs)
14660 		return -ENOBUFS;
14661 
14662 	for (i = 0; i < req->n_channels; i++) {
14663 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
14664 			return -ENOBUFS;
14665 	}
14666 
14667 	nla_nest_end(msg, freqs);
14668 
14669 	if (req->n_match_sets) {
14670 		matches = nla_nest_start_noflag(msg,
14671 						NL80211_ATTR_SCHED_SCAN_MATCH);
14672 		if (!matches)
14673 			return -ENOBUFS;
14674 
14675 		for (i = 0; i < req->n_match_sets; i++) {
14676 			match = nla_nest_start_noflag(msg, i);
14677 			if (!match)
14678 				return -ENOBUFS;
14679 
14680 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
14681 				    req->match_sets[i].ssid.ssid_len,
14682 				    req->match_sets[i].ssid.ssid))
14683 				return -ENOBUFS;
14684 			nla_nest_end(msg, match);
14685 		}
14686 		nla_nest_end(msg, matches);
14687 	}
14688 
14689 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
14690 	if (!scan_plans)
14691 		return -ENOBUFS;
14692 
14693 	for (i = 0; i < req->n_scan_plans; i++) {
14694 		scan_plan = nla_nest_start_noflag(msg, i + 1);
14695 		if (!scan_plan)
14696 			return -ENOBUFS;
14697 
14698 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
14699 				req->scan_plans[i].interval) ||
14700 		    (req->scan_plans[i].iterations &&
14701 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
14702 				 req->scan_plans[i].iterations)))
14703 			return -ENOBUFS;
14704 		nla_nest_end(msg, scan_plan);
14705 	}
14706 	nla_nest_end(msg, scan_plans);
14707 
14708 	nla_nest_end(msg, nd);
14709 
14710 	return 0;
14711 }
14712 
14713 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
14714 {
14715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14716 	struct sk_buff *msg;
14717 	void *hdr;
14718 	u32 size = NLMSG_DEFAULT_SIZE;
14719 
14720 	if (!rdev->wiphy.wowlan)
14721 		return -EOPNOTSUPP;
14722 
14723 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
14724 		/* adjust size to have room for all the data */
14725 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
14726 			rdev->wiphy.wowlan_config->tcp->payload_len +
14727 			rdev->wiphy.wowlan_config->tcp->wake_len +
14728 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
14729 	}
14730 
14731 	msg = nlmsg_new(size, GFP_KERNEL);
14732 	if (!msg)
14733 		return -ENOMEM;
14734 
14735 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14736 			     NL80211_CMD_GET_WOWLAN);
14737 	if (!hdr)
14738 		goto nla_put_failure;
14739 
14740 	if (rdev->wiphy.wowlan_config) {
14741 		struct nlattr *nl_wowlan;
14742 
14743 		nl_wowlan = nla_nest_start_noflag(msg,
14744 						  NL80211_ATTR_WOWLAN_TRIGGERS);
14745 		if (!nl_wowlan)
14746 			goto nla_put_failure;
14747 
14748 		if ((rdev->wiphy.wowlan_config->any &&
14749 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
14750 		    (rdev->wiphy.wowlan_config->disconnect &&
14751 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
14752 		    (rdev->wiphy.wowlan_config->magic_pkt &&
14753 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
14754 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
14755 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
14756 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
14757 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
14758 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
14759 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
14760 		    (rdev->wiphy.wowlan_config->rfkill_release &&
14761 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
14762 			goto nla_put_failure;
14763 
14764 		if (nl80211_send_wowlan_patterns(msg, rdev))
14765 			goto nla_put_failure;
14766 
14767 		if (nl80211_send_wowlan_tcp(msg,
14768 					    rdev->wiphy.wowlan_config->tcp))
14769 			goto nla_put_failure;
14770 
14771 		if (nl80211_send_wowlan_nd(
14772 			    msg,
14773 			    rdev->wiphy.wowlan_config->nd_config))
14774 			goto nla_put_failure;
14775 
14776 		nla_nest_end(msg, nl_wowlan);
14777 	}
14778 
14779 	genlmsg_end(msg, hdr);
14780 	return genlmsg_reply(msg, info);
14781 
14782 nla_put_failure:
14783 	nlmsg_free(msg);
14784 	return -ENOBUFS;
14785 }
14786 
14787 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
14788 				    struct nlattr *attr,
14789 				    struct cfg80211_wowlan *trig)
14790 {
14791 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
14792 	struct cfg80211_wowlan_tcp *cfg;
14793 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
14794 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
14795 	u32 size;
14796 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
14797 	int err, port;
14798 
14799 	if (!rdev->wiphy.wowlan->tcp)
14800 		return -EINVAL;
14801 
14802 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
14803 					  nl80211_wowlan_tcp_policy, NULL);
14804 	if (err)
14805 		return err;
14806 
14807 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
14808 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
14809 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
14810 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
14811 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
14812 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
14813 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
14814 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
14815 		return -EINVAL;
14816 
14817 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
14818 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
14819 		return -EINVAL;
14820 
14821 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
14822 			rdev->wiphy.wowlan->tcp->data_interval_max ||
14823 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
14824 		return -EINVAL;
14825 
14826 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
14827 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
14828 		return -EINVAL;
14829 
14830 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
14831 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
14832 		return -EINVAL;
14833 
14834 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
14835 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14836 
14837 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
14838 		tokens_size = tokln - sizeof(*tok);
14839 
14840 		if (!tok->len || tokens_size % tok->len)
14841 			return -EINVAL;
14842 		if (!rdev->wiphy.wowlan->tcp->tok)
14843 			return -EINVAL;
14844 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
14845 			return -EINVAL;
14846 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
14847 			return -EINVAL;
14848 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
14849 			return -EINVAL;
14850 		if (tok->offset + tok->len > data_size)
14851 			return -EINVAL;
14852 	}
14853 
14854 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
14855 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
14856 		if (!rdev->wiphy.wowlan->tcp->seq)
14857 			return -EINVAL;
14858 		if (seq->len == 0 || seq->len > 4)
14859 			return -EINVAL;
14860 		if (seq->len + seq->offset > data_size)
14861 			return -EINVAL;
14862 	}
14863 
14864 	size = sizeof(*cfg);
14865 	size += data_size;
14866 	size += wake_size + wake_mask_size;
14867 	size += tokens_size;
14868 
14869 	cfg = kzalloc(size, GFP_KERNEL);
14870 	if (!cfg)
14871 		return -ENOMEM;
14872 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
14873 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
14874 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
14875 	       ETH_ALEN);
14876 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
14877 #ifdef CONFIG_INET
14878 	/* allocate a socket and port for it and use it */
14879 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
14880 			    IPPROTO_TCP, &cfg->sock, 1);
14881 	if (err) {
14882 		kfree(cfg);
14883 		return err;
14884 	}
14885 	if (inet_csk_get_port(cfg->sock->sk, port)) {
14886 		sock_release(cfg->sock);
14887 		kfree(cfg);
14888 		return -EADDRINUSE;
14889 	}
14890 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
14891 #else
14892 	if (!port) {
14893 		kfree(cfg);
14894 		return -EINVAL;
14895 	}
14896 	cfg->src_port = port;
14897 #endif
14898 
14899 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
14900 	cfg->payload_len = data_size;
14901 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
14902 	memcpy((void *)cfg->payload,
14903 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
14904 	       data_size);
14905 	if (seq)
14906 		cfg->payload_seq = *seq;
14907 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
14908 	cfg->wake_len = wake_size;
14909 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
14910 	memcpy((void *)cfg->wake_data,
14911 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
14912 	       wake_size);
14913 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
14914 			 data_size + wake_size;
14915 	memcpy((void *)cfg->wake_mask,
14916 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
14917 	       wake_mask_size);
14918 	if (tok) {
14919 		cfg->tokens_size = tokens_size;
14920 		cfg->payload_tok = *tok;
14921 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
14922 		       tokens_size);
14923 	}
14924 
14925 	trig->tcp = cfg;
14926 
14927 	return 0;
14928 }
14929 
14930 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
14931 				   const struct wiphy_wowlan_support *wowlan,
14932 				   struct nlattr *attr,
14933 				   struct cfg80211_wowlan *trig)
14934 {
14935 	struct nlattr **tb;
14936 	int err;
14937 
14938 	tb = kzalloc_objs(*tb, NUM_NL80211_ATTR);
14939 	if (!tb)
14940 		return -ENOMEM;
14941 
14942 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
14943 		err = -EOPNOTSUPP;
14944 		goto out;
14945 	}
14946 
14947 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
14948 					  nl80211_policy, NULL);
14949 	if (err)
14950 		goto out;
14951 
14952 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
14953 						   wowlan->max_nd_match_sets);
14954 	err = PTR_ERR_OR_ZERO(trig->nd_config);
14955 	if (err)
14956 		trig->nd_config = NULL;
14957 
14958 out:
14959 	kfree(tb);
14960 	return err;
14961 }
14962 
14963 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
14964 {
14965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14966 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
14967 	struct cfg80211_wowlan new_triggers = {};
14968 	struct cfg80211_wowlan *ntrig;
14969 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
14970 	int err, i;
14971 	bool prev_enabled = rdev->wiphy.wowlan_config;
14972 	bool regular = false;
14973 
14974 	if (!wowlan)
14975 		return -EOPNOTSUPP;
14976 
14977 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
14978 		cfg80211_rdev_free_wowlan(rdev);
14979 		rdev->wiphy.wowlan_config = NULL;
14980 		goto set_wakeup;
14981 	}
14982 
14983 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
14984 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
14985 					  nl80211_wowlan_policy, info->extack);
14986 	if (err)
14987 		return err;
14988 
14989 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
14990 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
14991 			return -EINVAL;
14992 		new_triggers.any = true;
14993 	}
14994 
14995 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
14996 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
14997 			return -EINVAL;
14998 		new_triggers.disconnect = true;
14999 		regular = true;
15000 	}
15001 
15002 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
15003 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
15004 			return -EINVAL;
15005 		new_triggers.magic_pkt = true;
15006 		regular = true;
15007 	}
15008 
15009 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
15010 		return -EINVAL;
15011 
15012 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
15013 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
15014 			return -EINVAL;
15015 		new_triggers.gtk_rekey_failure = true;
15016 		regular = true;
15017 	}
15018 
15019 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
15020 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
15021 			return -EINVAL;
15022 		new_triggers.eap_identity_req = true;
15023 		regular = true;
15024 	}
15025 
15026 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
15027 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
15028 			return -EINVAL;
15029 		new_triggers.four_way_handshake = true;
15030 		regular = true;
15031 	}
15032 
15033 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
15034 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
15035 			return -EINVAL;
15036 		new_triggers.rfkill_release = true;
15037 		regular = true;
15038 	}
15039 
15040 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
15041 		struct nlattr *pat;
15042 		int n_patterns = 0;
15043 		int rem, pat_len, mask_len, pkt_offset;
15044 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15045 
15046 		regular = true;
15047 
15048 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15049 				    rem)
15050 			n_patterns++;
15051 		if (n_patterns > wowlan->n_patterns)
15052 			return -EINVAL;
15053 
15054 		new_triggers.patterns = kzalloc_objs(new_triggers.patterns[0],
15055 						     n_patterns, GFP_KERNEL);
15056 		if (!new_triggers.patterns)
15057 			return -ENOMEM;
15058 
15059 		new_triggers.n_patterns = n_patterns;
15060 		i = 0;
15061 
15062 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
15063 				    rem) {
15064 			u8 *mask_pat;
15065 
15066 			err = nla_parse_nested_deprecated(pat_tb,
15067 							  MAX_NL80211_PKTPAT,
15068 							  pat,
15069 							  nl80211_packet_pattern_policy,
15070 							  info->extack);
15071 			if (err)
15072 				goto error;
15073 
15074 			err = -EINVAL;
15075 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
15076 			    !pat_tb[NL80211_PKTPAT_PATTERN])
15077 				goto error;
15078 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15079 			mask_len = DIV_ROUND_UP(pat_len, 8);
15080 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15081 				goto error;
15082 			if (pat_len > wowlan->pattern_max_len ||
15083 			    pat_len < wowlan->pattern_min_len)
15084 				goto error;
15085 
15086 			pkt_offset =
15087 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15088 						    0);
15089 			if (pkt_offset > wowlan->max_pkt_offset)
15090 				goto error;
15091 			new_triggers.patterns[i].pkt_offset = pkt_offset;
15092 
15093 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15094 			if (!mask_pat) {
15095 				err = -ENOMEM;
15096 				goto error;
15097 			}
15098 			new_triggers.patterns[i].mask = mask_pat;
15099 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15100 			       mask_len);
15101 			mask_pat += mask_len;
15102 			new_triggers.patterns[i].pattern = mask_pat;
15103 			new_triggers.patterns[i].pattern_len = pat_len;
15104 			memcpy(mask_pat,
15105 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15106 			       pat_len);
15107 			i++;
15108 		}
15109 	}
15110 
15111 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
15112 		regular = true;
15113 		err = nl80211_parse_wowlan_tcp(
15114 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
15115 			&new_triggers);
15116 		if (err)
15117 			goto error;
15118 	}
15119 
15120 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
15121 		regular = true;
15122 		err = nl80211_parse_wowlan_nd(
15123 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
15124 			&new_triggers);
15125 		if (err)
15126 			goto error;
15127 	}
15128 
15129 	/* The 'any' trigger means the device continues operating more or less
15130 	 * as in its normal operation mode and wakes up the host on most of the
15131 	 * normal interrupts (like packet RX, ...)
15132 	 * It therefore makes little sense to combine with the more constrained
15133 	 * wakeup trigger modes.
15134 	 */
15135 	if (new_triggers.any && regular) {
15136 		err = -EINVAL;
15137 		goto error;
15138 	}
15139 
15140 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
15141 	if (!ntrig) {
15142 		err = -ENOMEM;
15143 		goto error;
15144 	}
15145 	cfg80211_rdev_free_wowlan(rdev);
15146 	rdev->wiphy.wowlan_config = ntrig;
15147 
15148  set_wakeup:
15149 	if (rdev->ops->set_wakeup &&
15150 	    prev_enabled != !!rdev->wiphy.wowlan_config)
15151 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
15152 
15153 	return 0;
15154  error:
15155 	for (i = 0; i < new_triggers.n_patterns; i++)
15156 		kfree(new_triggers.patterns[i].mask);
15157 	kfree(new_triggers.patterns);
15158 	if (new_triggers.tcp && new_triggers.tcp->sock)
15159 		sock_release(new_triggers.tcp->sock);
15160 	kfree(new_triggers.tcp);
15161 	kfree(new_triggers.nd_config);
15162 	return err;
15163 }
15164 #endif
15165 
15166 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
15167 				       struct cfg80211_registered_device *rdev)
15168 {
15169 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
15170 	int i, j, pat_len;
15171 	struct cfg80211_coalesce_rules *rule;
15172 
15173 	if (!rdev->coalesce->n_rules)
15174 		return 0;
15175 
15176 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
15177 	if (!nl_rules)
15178 		return -ENOBUFS;
15179 
15180 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
15181 		nl_rule = nla_nest_start_noflag(msg, i + 1);
15182 		if (!nl_rule)
15183 			return -ENOBUFS;
15184 
15185 		rule = &rdev->coalesce->rules[i];
15186 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
15187 				rule->delay))
15188 			return -ENOBUFS;
15189 
15190 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
15191 				rule->condition))
15192 			return -ENOBUFS;
15193 
15194 		nl_pats = nla_nest_start_noflag(msg,
15195 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
15196 		if (!nl_pats)
15197 			return -ENOBUFS;
15198 
15199 		for (j = 0; j < rule->n_patterns; j++) {
15200 			nl_pat = nla_nest_start_noflag(msg, j + 1);
15201 			if (!nl_pat)
15202 				return -ENOBUFS;
15203 			pat_len = rule->patterns[j].pattern_len;
15204 			if (nla_put(msg, NL80211_PKTPAT_MASK,
15205 				    DIV_ROUND_UP(pat_len, 8),
15206 				    rule->patterns[j].mask) ||
15207 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
15208 				    rule->patterns[j].pattern) ||
15209 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
15210 					rule->patterns[j].pkt_offset))
15211 				return -ENOBUFS;
15212 			nla_nest_end(msg, nl_pat);
15213 		}
15214 		nla_nest_end(msg, nl_pats);
15215 		nla_nest_end(msg, nl_rule);
15216 	}
15217 	nla_nest_end(msg, nl_rules);
15218 
15219 	return 0;
15220 }
15221 
15222 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
15223 {
15224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15225 	struct sk_buff *msg;
15226 	void *hdr;
15227 
15228 	if (!rdev->wiphy.coalesce)
15229 		return -EOPNOTSUPP;
15230 
15231 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15232 	if (!msg)
15233 		return -ENOMEM;
15234 
15235 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15236 			     NL80211_CMD_GET_COALESCE);
15237 	if (!hdr)
15238 		goto nla_put_failure;
15239 
15240 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
15241 		goto nla_put_failure;
15242 
15243 	genlmsg_end(msg, hdr);
15244 	return genlmsg_reply(msg, info);
15245 
15246 nla_put_failure:
15247 	nlmsg_free(msg);
15248 	return -ENOBUFS;
15249 }
15250 
15251 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
15252 {
15253 	int i, j;
15254 	struct cfg80211_coalesce_rules *rule;
15255 
15256 	if (!coalesce)
15257 		return;
15258 
15259 	for (i = 0; i < coalesce->n_rules; i++) {
15260 		rule = &coalesce->rules[i];
15261 		for (j = 0; j < rule->n_patterns; j++)
15262 			kfree(rule->patterns[j].mask);
15263 		kfree(rule->patterns);
15264 	}
15265 	kfree(coalesce);
15266 }
15267 
15268 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
15269 				       struct nlattr *rule,
15270 				       struct cfg80211_coalesce_rules *new_rule)
15271 {
15272 	int err, i;
15273 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15274 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
15275 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
15276 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
15277 
15278 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
15279 					  rule, nl80211_coalesce_policy, NULL);
15280 	if (err)
15281 		return err;
15282 
15283 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
15284 		new_rule->delay =
15285 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
15286 	if (new_rule->delay > coalesce->max_delay)
15287 		return -EINVAL;
15288 
15289 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
15290 		new_rule->condition =
15291 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
15292 
15293 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
15294 		return -EINVAL;
15295 
15296 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15297 			    rem)
15298 		n_patterns++;
15299 	if (n_patterns > coalesce->n_patterns)
15300 		return -EINVAL;
15301 
15302 	new_rule->patterns = kzalloc_objs(new_rule->patterns[0], n_patterns,
15303 					  GFP_KERNEL);
15304 	if (!new_rule->patterns)
15305 		return -ENOMEM;
15306 
15307 	new_rule->n_patterns = n_patterns;
15308 	i = 0;
15309 
15310 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
15311 			    rem) {
15312 		u8 *mask_pat;
15313 
15314 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
15315 						  pat,
15316 						  nl80211_packet_pattern_policy,
15317 						  NULL);
15318 		if (err)
15319 			return err;
15320 
15321 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
15322 		    !pat_tb[NL80211_PKTPAT_PATTERN])
15323 			return -EINVAL;
15324 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
15325 		mask_len = DIV_ROUND_UP(pat_len, 8);
15326 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
15327 			return -EINVAL;
15328 		if (pat_len > coalesce->pattern_max_len ||
15329 		    pat_len < coalesce->pattern_min_len)
15330 			return -EINVAL;
15331 
15332 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
15333 						 0);
15334 		if (pkt_offset > coalesce->max_pkt_offset)
15335 			return -EINVAL;
15336 		new_rule->patterns[i].pkt_offset = pkt_offset;
15337 
15338 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
15339 		if (!mask_pat)
15340 			return -ENOMEM;
15341 
15342 		new_rule->patterns[i].mask = mask_pat;
15343 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
15344 		       mask_len);
15345 
15346 		mask_pat += mask_len;
15347 		new_rule->patterns[i].pattern = mask_pat;
15348 		new_rule->patterns[i].pattern_len = pat_len;
15349 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
15350 		       pat_len);
15351 		i++;
15352 	}
15353 
15354 	return 0;
15355 }
15356 
15357 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
15358 {
15359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15360 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
15361 	struct cfg80211_coalesce *new_coalesce;
15362 	int err, rem_rule, n_rules = 0, i;
15363 	struct nlattr *rule;
15364 
15365 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
15366 		return -EOPNOTSUPP;
15367 
15368 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
15369 		cfg80211_free_coalesce(rdev->coalesce);
15370 		rdev->coalesce = NULL;
15371 		rdev_set_coalesce(rdev, NULL);
15372 		return 0;
15373 	}
15374 
15375 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15376 			    rem_rule)
15377 		n_rules++;
15378 	if (n_rules > coalesce->n_rules)
15379 		return -EINVAL;
15380 
15381 	new_coalesce = kzalloc_flex(*new_coalesce, rules, n_rules, GFP_KERNEL);
15382 	if (!new_coalesce)
15383 		return -ENOMEM;
15384 
15385 	new_coalesce->n_rules = n_rules;
15386 	i = 0;
15387 
15388 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
15389 			    rem_rule) {
15390 		err = nl80211_parse_coalesce_rule(rdev, rule,
15391 						  &new_coalesce->rules[i]);
15392 		if (err)
15393 			goto error;
15394 
15395 		i++;
15396 	}
15397 
15398 	err = rdev_set_coalesce(rdev, new_coalesce);
15399 	if (err)
15400 		goto error;
15401 
15402 	cfg80211_free_coalesce(rdev->coalesce);
15403 	rdev->coalesce = new_coalesce;
15404 
15405 	return 0;
15406 error:
15407 	cfg80211_free_coalesce(new_coalesce);
15408 
15409 	return err;
15410 }
15411 
15412 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
15413 {
15414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15415 	struct net_device *dev = info->user_ptr[1];
15416 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15417 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
15418 	struct cfg80211_gtk_rekey_data rekey_data = {};
15419 	int err;
15420 
15421 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
15422 		return -EINVAL;
15423 
15424 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
15425 					  info->attrs[NL80211_ATTR_REKEY_DATA],
15426 					  nl80211_rekey_policy, info->extack);
15427 	if (err)
15428 		return err;
15429 
15430 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
15431 	    !tb[NL80211_REKEY_DATA_KCK])
15432 		return -EINVAL;
15433 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
15434 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15435 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
15436 		return -ERANGE;
15437 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
15438 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
15439 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
15440 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
15441 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
15442 		return -ERANGE;
15443 
15444 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
15445 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
15446 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
15447 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
15448 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
15449 	if (tb[NL80211_REKEY_DATA_AKM])
15450 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
15451 
15452 	if (!wdev->connected)
15453 		return -ENOTCONN;
15454 
15455 	if (!rdev->ops->set_rekey_data)
15456 		return -EOPNOTSUPP;
15457 
15458 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
15459 }
15460 
15461 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
15462 					     struct genl_info *info)
15463 {
15464 	struct net_device *dev = info->user_ptr[1];
15465 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15466 
15467 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15468 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15469 		return -EINVAL;
15470 
15471 	if (wdev->ap_unexpected_nlportid)
15472 		return -EBUSY;
15473 
15474 	wdev->ap_unexpected_nlportid = info->snd_portid;
15475 	return 0;
15476 }
15477 
15478 static int nl80211_probe_client(struct sk_buff *skb,
15479 				struct genl_info *info)
15480 {
15481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15482 	struct net_device *dev = info->user_ptr[1];
15483 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15484 	struct sk_buff *msg;
15485 	void *hdr;
15486 	const u8 *addr;
15487 	u64 cookie;
15488 	int err;
15489 
15490 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15491 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15492 		return -EOPNOTSUPP;
15493 
15494 	if (!info->attrs[NL80211_ATTR_MAC])
15495 		return -EINVAL;
15496 
15497 	if (!rdev->ops->probe_client)
15498 		return -EOPNOTSUPP;
15499 
15500 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15501 	if (!msg)
15502 		return -ENOMEM;
15503 
15504 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15505 			     NL80211_CMD_PROBE_CLIENT);
15506 	if (!hdr) {
15507 		err = -ENOBUFS;
15508 		goto free_msg;
15509 	}
15510 
15511 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15512 
15513 	err = rdev_probe_client(rdev, dev, addr, &cookie);
15514 	if (err)
15515 		goto free_msg;
15516 
15517 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15518 			      NL80211_ATTR_PAD))
15519 		goto nla_put_failure;
15520 
15521 	genlmsg_end(msg, hdr);
15522 
15523 	return genlmsg_reply(msg, info);
15524 
15525  nla_put_failure:
15526 	err = -ENOBUFS;
15527  free_msg:
15528 	nlmsg_free(msg);
15529 	return err;
15530 }
15531 
15532 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
15533 {
15534 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15535 	struct cfg80211_beacon_registration *reg, *nreg;
15536 	int rv;
15537 
15538 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
15539 		return -EOPNOTSUPP;
15540 
15541 	nreg = kzalloc_obj(*nreg);
15542 	if (!nreg)
15543 		return -ENOMEM;
15544 
15545 	/* First, check if already registered. */
15546 	spin_lock_bh(&rdev->beacon_registrations_lock);
15547 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
15548 		if (reg->nlportid == info->snd_portid) {
15549 			rv = -EALREADY;
15550 			goto out_err;
15551 		}
15552 	}
15553 	/* Add it to the list */
15554 	nreg->nlportid = info->snd_portid;
15555 	list_add(&nreg->list, &rdev->beacon_registrations);
15556 
15557 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15558 
15559 	return 0;
15560 out_err:
15561 	spin_unlock_bh(&rdev->beacon_registrations_lock);
15562 	kfree(nreg);
15563 	return rv;
15564 }
15565 
15566 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
15567 {
15568 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15569 	struct wireless_dev *wdev = info->user_ptr[1];
15570 	int err;
15571 
15572 	if (!rdev->ops->start_p2p_device)
15573 		return -EOPNOTSUPP;
15574 
15575 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15576 		return -EOPNOTSUPP;
15577 
15578 	if (wdev_running(wdev))
15579 		return 0;
15580 
15581 	if (rfkill_blocked(rdev->wiphy.rfkill))
15582 		return -ERFKILL;
15583 
15584 	err = rdev_start_p2p_device(rdev, wdev);
15585 	if (err)
15586 		return err;
15587 
15588 	wdev->is_running = true;
15589 	rdev->opencount++;
15590 
15591 	return 0;
15592 }
15593 
15594 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
15595 {
15596 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15597 	struct wireless_dev *wdev = info->user_ptr[1];
15598 
15599 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
15600 		return -EOPNOTSUPP;
15601 
15602 	if (!rdev->ops->stop_p2p_device)
15603 		return -EOPNOTSUPP;
15604 
15605 	cfg80211_stop_p2p_device(rdev, wdev);
15606 
15607 	return 0;
15608 }
15609 
15610 static struct ieee80211_channel *nl80211_get_nan_channel(struct wiphy *wiphy,
15611 							 int freq)
15612 {
15613 	struct ieee80211_channel *chan;
15614 	struct cfg80211_chan_def def;
15615 
15616 	/* Check if the frequency is valid for NAN */
15617 	if (freq != 5220 && freq != 5745 && freq != 2437)
15618 		return NULL;
15619 
15620 	chan = ieee80211_get_channel(wiphy, freq);
15621 	if (!chan)
15622 		return NULL;
15623 
15624 	cfg80211_chandef_create(&def, chan, NL80211_CHAN_NO_HT);
15625 
15626 	/* Check if the channel is allowed */
15627 	if (cfg80211_reg_can_beacon(wiphy, &def, NL80211_IFTYPE_NAN))
15628 		return chan;
15629 
15630 	return NULL;
15631 }
15632 
15633 static int nl80211_parse_nan_band_config(struct wiphy *wiphy,
15634 					 struct nlattr **tb,
15635 					 struct cfg80211_nan_band_config *cfg,
15636 					 enum nl80211_band band)
15637 {
15638 	if (BIT(band) & ~(u32)wiphy->nan_supported_bands)
15639 		return -EINVAL;
15640 
15641 	if (tb[NL80211_NAN_BAND_CONF_FREQ]) {
15642 		u16 freq = nla_get_u16(tb[NL80211_NAN_BAND_CONF_FREQ]);
15643 
15644 		if (band != NL80211_BAND_5GHZ)
15645 			return -EINVAL;
15646 
15647 		cfg->chan = nl80211_get_nan_channel(wiphy, freq);
15648 		if (!cfg->chan)
15649 			return -EINVAL;
15650 	}
15651 
15652 	if (tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]) {
15653 		cfg->rssi_close =
15654 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_CLOSE]);
15655 		if (!tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE])
15656 			return -EINVAL;
15657 	}
15658 
15659 	if (tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]) {
15660 		cfg->rssi_middle =
15661 			nla_get_s8(tb[NL80211_NAN_BAND_CONF_RSSI_MIDDLE]);
15662 		if (!cfg->rssi_close || cfg->rssi_middle >= cfg->rssi_close)
15663 			return -EINVAL;
15664 	}
15665 
15666 	if (tb[NL80211_NAN_BAND_CONF_WAKE_DW]) {
15667 		cfg->awake_dw_interval =
15668 			nla_get_u8(tb[NL80211_NAN_BAND_CONF_WAKE_DW]);
15669 
15670 		if (band == NL80211_BAND_2GHZ && cfg->awake_dw_interval == 0)
15671 			return -EINVAL;
15672 	}
15673 
15674 	cfg->disable_scan =
15675 		nla_get_flag(tb[NL80211_NAN_BAND_CONF_DISABLE_SCAN]);
15676 	return 0;
15677 }
15678 
15679 static int nl80211_parse_nan_conf(struct wiphy *wiphy,
15680 				  struct genl_info *info,
15681 				  struct cfg80211_nan_conf *conf,
15682 				  u32 *changed_flags,
15683 				  bool start)
15684 {
15685 	struct nlattr *attrs[NL80211_NAN_CONF_ATTR_MAX + 1];
15686 	int err, rem;
15687 	u32 changed = 0;
15688 	struct nlattr *band_config;
15689 
15690 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
15691 		conf->master_pref =
15692 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
15693 
15694 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
15695 	}
15696 
15697 	if (info->attrs[NL80211_ATTR_BANDS]) {
15698 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
15699 
15700 		if (bands & ~(u32)wiphy->nan_supported_bands)
15701 			return -EOPNOTSUPP;
15702 
15703 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
15704 			return -EINVAL;
15705 
15706 		conf->bands = bands;
15707 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
15708 	}
15709 
15710 	conf->band_cfgs[NL80211_BAND_2GHZ].awake_dw_interval = 1;
15711 	if (conf->bands & BIT(NL80211_BAND_5GHZ) || !conf->bands)
15712 		conf->band_cfgs[NL80211_BAND_5GHZ].awake_dw_interval = 1;
15713 
15714 	/* On 2.4 GHz band use channel 6 */
15715 	conf->band_cfgs[NL80211_BAND_2GHZ].chan =
15716 		nl80211_get_nan_channel(wiphy, 2437);
15717 	if (!conf->band_cfgs[NL80211_BAND_2GHZ].chan)
15718 		return -EINVAL;
15719 
15720 	if (!info->attrs[NL80211_ATTR_NAN_CONFIG])
15721 		goto out;
15722 
15723 	err = nla_parse_nested(attrs, NL80211_NAN_CONF_ATTR_MAX,
15724 			       info->attrs[NL80211_ATTR_NAN_CONFIG], NULL,
15725 			       info->extack);
15726 	if (err)
15727 		return err;
15728 
15729 	changed |= CFG80211_NAN_CONF_CHANGED_CONFIG;
15730 	if (attrs[NL80211_NAN_CONF_CLUSTER_ID] && start)
15731 		conf->cluster_id =
15732 			nla_data(attrs[NL80211_NAN_CONF_CLUSTER_ID]);
15733 
15734 	if (attrs[NL80211_NAN_CONF_EXTRA_ATTRS]) {
15735 		conf->extra_nan_attrs =
15736 			nla_data(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15737 		conf->extra_nan_attrs_len =
15738 			nla_len(attrs[NL80211_NAN_CONF_EXTRA_ATTRS]);
15739 	}
15740 
15741 	if (attrs[NL80211_NAN_CONF_VENDOR_ELEMS]) {
15742 		conf->vendor_elems =
15743 			nla_data(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15744 		conf->vendor_elems_len =
15745 			nla_len(attrs[NL80211_NAN_CONF_VENDOR_ELEMS]);
15746 	}
15747 
15748 	if (attrs[NL80211_NAN_CONF_BAND_CONFIGS]) {
15749 		nla_for_each_nested(band_config,
15750 				    attrs[NL80211_NAN_CONF_BAND_CONFIGS],
15751 				    rem) {
15752 			enum nl80211_band band;
15753 			struct cfg80211_nan_band_config *cfg;
15754 			struct nlattr *tb[NL80211_NAN_BAND_CONF_ATTR_MAX + 1];
15755 
15756 			err = nla_parse_nested(tb,
15757 					       NL80211_NAN_BAND_CONF_ATTR_MAX,
15758 					       band_config, NULL,
15759 					       info->extack);
15760 			if (err)
15761 				return err;
15762 
15763 			if (!tb[NL80211_NAN_BAND_CONF_BAND])
15764 				return -EINVAL;
15765 
15766 			band = nla_get_u8(tb[NL80211_NAN_BAND_CONF_BAND]);
15767 			if (conf->bands && !(conf->bands & BIT(band)))
15768 				return -EINVAL;
15769 
15770 			cfg = &conf->band_cfgs[band];
15771 
15772 			err = nl80211_parse_nan_band_config(wiphy, tb, cfg,
15773 							    band);
15774 			if (err)
15775 				return err;
15776 		}
15777 	}
15778 
15779 	if (attrs[NL80211_NAN_CONF_SCAN_PERIOD])
15780 		conf->scan_period =
15781 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_PERIOD]);
15782 
15783 	if (attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME])
15784 		conf->scan_dwell_time =
15785 			nla_get_u16(attrs[NL80211_NAN_CONF_SCAN_DWELL_TIME]);
15786 
15787 	if (attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL])
15788 		conf->discovery_beacon_interval =
15789 			nla_get_u8(attrs[NL80211_NAN_CONF_DISCOVERY_BEACON_INTERVAL]);
15790 
15791 	if (attrs[NL80211_NAN_CONF_NOTIFY_DW])
15792 		conf->enable_dw_notification =
15793 			nla_get_flag(attrs[NL80211_NAN_CONF_NOTIFY_DW]);
15794 
15795 out:
15796 	if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15797 	    (!conf->bands || conf->bands & BIT(NL80211_BAND_5GHZ))) {
15798 		/* If no 5GHz channel is specified use default, if possible */
15799 		conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15800 				nl80211_get_nan_channel(wiphy, 5745);
15801 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan)
15802 			conf->band_cfgs[NL80211_BAND_5GHZ].chan =
15803 					nl80211_get_nan_channel(wiphy, 5220);
15804 
15805 		/* Return error if user space asked explicitly for 5 GHz */
15806 		if (!conf->band_cfgs[NL80211_BAND_5GHZ].chan &&
15807 		    conf->bands & BIT(NL80211_BAND_5GHZ)) {
15808 			NL_SET_ERR_MSG_ATTR(info->extack,
15809 					    info->attrs[NL80211_ATTR_BANDS],
15810 					    "5 GHz band operation is not allowed");
15811 			return -EINVAL;
15812 		}
15813 	}
15814 
15815 	if (changed_flags)
15816 		*changed_flags = changed;
15817 
15818 	return 0;
15819 }
15820 
15821 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
15822 {
15823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15824 	struct wireless_dev *wdev = info->user_ptr[1];
15825 	struct cfg80211_nan_conf conf = {};
15826 	int err;
15827 
15828 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15829 		return -EOPNOTSUPP;
15830 
15831 	if (wdev_running(wdev))
15832 		return -EEXIST;
15833 
15834 	if (rfkill_blocked(rdev->wiphy.rfkill))
15835 		return -ERFKILL;
15836 
15837 	/* Master preference is mandatory for START_NAN */
15838 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
15839 		return -EINVAL;
15840 
15841 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, NULL, true);
15842 	if (err)
15843 		return err;
15844 
15845 	err = rdev_start_nan(rdev, wdev, &conf);
15846 	if (err)
15847 		return err;
15848 
15849 	wdev->is_running = true;
15850 	rdev->opencount++;
15851 
15852 	return 0;
15853 }
15854 
15855 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
15856 {
15857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15858 	struct wireless_dev *wdev = info->user_ptr[1];
15859 
15860 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15861 		return -EOPNOTSUPP;
15862 
15863 	cfg80211_stop_nan(rdev, wdev);
15864 
15865 	return 0;
15866 }
15867 
15868 static int validate_nan_filter(struct nlattr *filter_attr)
15869 {
15870 	struct nlattr *attr;
15871 	int len = 0, n_entries = 0, rem;
15872 
15873 	nla_for_each_nested(attr, filter_attr, rem) {
15874 		len += nla_len(attr);
15875 		n_entries++;
15876 	}
15877 
15878 	if (len >= U8_MAX)
15879 		return -EINVAL;
15880 
15881 	return n_entries;
15882 }
15883 
15884 static int handle_nan_filter(struct nlattr *attr_filter,
15885 			     struct cfg80211_nan_func *func,
15886 			     bool tx)
15887 {
15888 	struct nlattr *attr;
15889 	int n_entries, rem, i;
15890 	struct cfg80211_nan_func_filter *filter;
15891 
15892 	n_entries = validate_nan_filter(attr_filter);
15893 	if (n_entries < 0)
15894 		return n_entries;
15895 
15896 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
15897 
15898 	filter = kzalloc_objs(*func->rx_filters, n_entries);
15899 	if (!filter)
15900 		return -ENOMEM;
15901 
15902 	i = 0;
15903 	nla_for_each_nested(attr, attr_filter, rem) {
15904 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
15905 		if (!filter[i].filter)
15906 			goto err;
15907 
15908 		filter[i].len = nla_len(attr);
15909 		i++;
15910 	}
15911 	if (tx) {
15912 		func->num_tx_filters = n_entries;
15913 		func->tx_filters = filter;
15914 	} else {
15915 		func->num_rx_filters = n_entries;
15916 		func->rx_filters = filter;
15917 	}
15918 
15919 	return 0;
15920 
15921 err:
15922 	i = 0;
15923 	nla_for_each_nested(attr, attr_filter, rem) {
15924 		kfree(filter[i].filter);
15925 		i++;
15926 	}
15927 	kfree(filter);
15928 	return -ENOMEM;
15929 }
15930 
15931 static int nl80211_nan_add_func(struct sk_buff *skb,
15932 				struct genl_info *info)
15933 {
15934 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15935 	struct wireless_dev *wdev = info->user_ptr[1];
15936 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
15937 	struct cfg80211_nan_func *func;
15938 	struct sk_buff *msg = NULL;
15939 	void *hdr = NULL;
15940 	int err = 0;
15941 
15942 	if (wdev->iftype != NL80211_IFTYPE_NAN)
15943 		return -EOPNOTSUPP;
15944 
15945 	if (!wdev_running(wdev))
15946 		return -ENOTCONN;
15947 
15948 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
15949 		return -EINVAL;
15950 
15951 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
15952 					  info->attrs[NL80211_ATTR_NAN_FUNC],
15953 					  nl80211_nan_func_policy,
15954 					  info->extack);
15955 	if (err)
15956 		return err;
15957 
15958 	func = kzalloc_obj(*func);
15959 	if (!func)
15960 		return -ENOMEM;
15961 
15962 	func->cookie = cfg80211_assign_cookie(rdev);
15963 
15964 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
15965 		err = -EINVAL;
15966 		goto out;
15967 	}
15968 
15969 
15970 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
15971 
15972 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
15973 		err = -EINVAL;
15974 		goto out;
15975 	}
15976 
15977 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
15978 	       sizeof(func->service_id));
15979 
15980 	func->close_range =
15981 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
15982 
15983 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
15984 		func->serv_spec_info_len =
15985 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
15986 		func->serv_spec_info =
15987 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
15988 				func->serv_spec_info_len,
15989 				GFP_KERNEL);
15990 		if (!func->serv_spec_info) {
15991 			err = -ENOMEM;
15992 			goto out;
15993 		}
15994 	}
15995 
15996 	if (tb[NL80211_NAN_FUNC_TTL])
15997 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
15998 
15999 	switch (func->type) {
16000 	case NL80211_NAN_FUNC_PUBLISH:
16001 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
16002 			err = -EINVAL;
16003 			goto out;
16004 		}
16005 
16006 		func->publish_type =
16007 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
16008 		func->publish_bcast =
16009 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
16010 
16011 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
16012 			func->publish_bcast) {
16013 			err = -EINVAL;
16014 			goto out;
16015 		}
16016 		break;
16017 	case NL80211_NAN_FUNC_SUBSCRIBE:
16018 		func->subscribe_active =
16019 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
16020 		break;
16021 	case NL80211_NAN_FUNC_FOLLOW_UP:
16022 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
16023 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
16024 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
16025 			err = -EINVAL;
16026 			goto out;
16027 		}
16028 
16029 		func->followup_id =
16030 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
16031 		func->followup_reqid =
16032 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
16033 		memcpy(func->followup_dest.addr,
16034 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
16035 		       sizeof(func->followup_dest.addr));
16036 		if (func->ttl) {
16037 			err = -EINVAL;
16038 			goto out;
16039 		}
16040 		break;
16041 	default:
16042 		err = -EINVAL;
16043 		goto out;
16044 	}
16045 
16046 	if (tb[NL80211_NAN_FUNC_SRF]) {
16047 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
16048 
16049 		err = nla_parse_nested_deprecated(srf_tb,
16050 						  NL80211_NAN_SRF_ATTR_MAX,
16051 						  tb[NL80211_NAN_FUNC_SRF],
16052 						  nl80211_nan_srf_policy,
16053 						  info->extack);
16054 		if (err)
16055 			goto out;
16056 
16057 		func->srf_include =
16058 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
16059 
16060 		if (srf_tb[NL80211_NAN_SRF_BF]) {
16061 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
16062 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
16063 				err = -EINVAL;
16064 				goto out;
16065 			}
16066 
16067 			func->srf_bf_len =
16068 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
16069 			func->srf_bf =
16070 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
16071 					func->srf_bf_len, GFP_KERNEL);
16072 			if (!func->srf_bf) {
16073 				err = -ENOMEM;
16074 				goto out;
16075 			}
16076 
16077 			func->srf_bf_idx =
16078 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
16079 		} else {
16080 			struct nlattr *attr, *mac_attr =
16081 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
16082 			int n_entries, rem, i = 0;
16083 
16084 			if (!mac_attr) {
16085 				err = -EINVAL;
16086 				goto out;
16087 			}
16088 
16089 			n_entries = validate_acl_mac_addrs(mac_attr);
16090 			if (n_entries <= 0) {
16091 				err = -EINVAL;
16092 				goto out;
16093 			}
16094 
16095 			func->srf_num_macs = n_entries;
16096 			func->srf_macs =
16097 				kzalloc_objs(*func->srf_macs, n_entries,
16098 					     GFP_KERNEL);
16099 			if (!func->srf_macs) {
16100 				err = -ENOMEM;
16101 				goto out;
16102 			}
16103 
16104 			nla_for_each_nested(attr, mac_attr, rem)
16105 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
16106 				       sizeof(*func->srf_macs));
16107 		}
16108 	}
16109 
16110 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
16111 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
16112 					func, true);
16113 		if (err)
16114 			goto out;
16115 	}
16116 
16117 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
16118 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
16119 					func, false);
16120 		if (err)
16121 			goto out;
16122 	}
16123 
16124 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16125 	if (!msg) {
16126 		err = -ENOMEM;
16127 		goto out;
16128 	}
16129 
16130 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16131 			     NL80211_CMD_ADD_NAN_FUNCTION);
16132 	/* This can't really happen - we just allocated 4KB */
16133 	if (WARN_ON(!hdr)) {
16134 		err = -ENOMEM;
16135 		goto out;
16136 	}
16137 
16138 	err = rdev_add_nan_func(rdev, wdev, func);
16139 out:
16140 	if (err < 0) {
16141 		cfg80211_free_nan_func(func);
16142 		nlmsg_free(msg);
16143 		return err;
16144 	}
16145 
16146 	/* propagate the instance id and cookie to userspace  */
16147 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
16148 			      NL80211_ATTR_PAD))
16149 		goto nla_put_failure;
16150 
16151 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16152 	if (!func_attr)
16153 		goto nla_put_failure;
16154 
16155 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
16156 		       func->instance_id))
16157 		goto nla_put_failure;
16158 
16159 	nla_nest_end(msg, func_attr);
16160 
16161 	genlmsg_end(msg, hdr);
16162 	return genlmsg_reply(msg, info);
16163 
16164 nla_put_failure:
16165 	nlmsg_free(msg);
16166 	return -ENOBUFS;
16167 }
16168 
16169 static int nl80211_nan_del_func(struct sk_buff *skb,
16170 			       struct genl_info *info)
16171 {
16172 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16173 	struct wireless_dev *wdev = info->user_ptr[1];
16174 	u64 cookie;
16175 
16176 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16177 		return -EOPNOTSUPP;
16178 
16179 	if (!wdev_running(wdev))
16180 		return -ENOTCONN;
16181 
16182 	if (!info->attrs[NL80211_ATTR_COOKIE])
16183 		return -EINVAL;
16184 
16185 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
16186 
16187 	rdev_del_nan_func(rdev, wdev, cookie);
16188 
16189 	return 0;
16190 }
16191 
16192 static int nl80211_nan_change_config(struct sk_buff *skb,
16193 				     struct genl_info *info)
16194 {
16195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16196 	struct wireless_dev *wdev = info->user_ptr[1];
16197 	struct cfg80211_nan_conf conf = {};
16198 	u32 changed = 0;
16199 	int err;
16200 
16201 	if (wdev->iftype != NL80211_IFTYPE_NAN)
16202 		return -EOPNOTSUPP;
16203 
16204 	if (!wdev_running(wdev))
16205 		return -ENOTCONN;
16206 
16207 	err = nl80211_parse_nan_conf(&rdev->wiphy, info, &conf, &changed, false);
16208 	if (err)
16209 		return err;
16210 
16211 	if (!changed)
16212 		return -EINVAL;
16213 
16214 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
16215 }
16216 
16217 void cfg80211_nan_match(struct wireless_dev *wdev,
16218 			struct cfg80211_nan_match_params *match, gfp_t gfp)
16219 {
16220 	struct wiphy *wiphy = wdev->wiphy;
16221 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16222 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
16223 	struct sk_buff *msg;
16224 	void *hdr;
16225 
16226 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16227 		return;
16228 
16229 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
16230 		return;
16231 
16232 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16233 	if (!msg)
16234 		return;
16235 
16236 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
16237 	if (!hdr) {
16238 		nlmsg_free(msg);
16239 		return;
16240 	}
16241 
16242 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16243 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16244 					 wdev->netdev->ifindex)) ||
16245 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16246 			      NL80211_ATTR_PAD))
16247 		goto nla_put_failure;
16248 
16249 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
16250 			      NL80211_ATTR_PAD) ||
16251 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
16252 		goto nla_put_failure;
16253 
16254 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
16255 	if (!match_attr)
16256 		goto nla_put_failure;
16257 
16258 	local_func_attr = nla_nest_start_noflag(msg,
16259 						NL80211_NAN_MATCH_FUNC_LOCAL);
16260 	if (!local_func_attr)
16261 		goto nla_put_failure;
16262 
16263 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
16264 		goto nla_put_failure;
16265 
16266 	nla_nest_end(msg, local_func_attr);
16267 
16268 	peer_func_attr = nla_nest_start_noflag(msg,
16269 					       NL80211_NAN_MATCH_FUNC_PEER);
16270 	if (!peer_func_attr)
16271 		goto nla_put_failure;
16272 
16273 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
16274 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
16275 		goto nla_put_failure;
16276 
16277 	if (match->info && match->info_len &&
16278 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
16279 		    match->info))
16280 		goto nla_put_failure;
16281 
16282 	nla_nest_end(msg, peer_func_attr);
16283 	nla_nest_end(msg, match_attr);
16284 	genlmsg_end(msg, hdr);
16285 
16286 	if (!wdev->owner_nlportid)
16287 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16288 					msg, 0, NL80211_MCGRP_NAN, gfp);
16289 	else
16290 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16291 				wdev->owner_nlportid);
16292 
16293 	return;
16294 
16295 nla_put_failure:
16296 	nlmsg_free(msg);
16297 }
16298 EXPORT_SYMBOL(cfg80211_nan_match);
16299 
16300 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
16301 				  u8 inst_id,
16302 				  enum nl80211_nan_func_term_reason reason,
16303 				  u64 cookie, gfp_t gfp)
16304 {
16305 	struct wiphy *wiphy = wdev->wiphy;
16306 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16307 	struct sk_buff *msg;
16308 	struct nlattr *func_attr;
16309 	void *hdr;
16310 
16311 	if (WARN_ON(wiphy->nan_capa.flags & WIPHY_NAN_FLAGS_USERSPACE_DE))
16312 		return;
16313 
16314 	if (WARN_ON(!inst_id))
16315 		return;
16316 
16317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16318 	if (!msg)
16319 		return;
16320 
16321 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
16322 	if (!hdr) {
16323 		nlmsg_free(msg);
16324 		return;
16325 	}
16326 
16327 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16328 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16329 					 wdev->netdev->ifindex)) ||
16330 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16331 			      NL80211_ATTR_PAD))
16332 		goto nla_put_failure;
16333 
16334 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16335 			      NL80211_ATTR_PAD))
16336 		goto nla_put_failure;
16337 
16338 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
16339 	if (!func_attr)
16340 		goto nla_put_failure;
16341 
16342 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
16343 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
16344 		goto nla_put_failure;
16345 
16346 	nla_nest_end(msg, func_attr);
16347 	genlmsg_end(msg, hdr);
16348 
16349 	if (!wdev->owner_nlportid)
16350 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
16351 					msg, 0, NL80211_MCGRP_NAN, gfp);
16352 	else
16353 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
16354 				wdev->owner_nlportid);
16355 
16356 	return;
16357 
16358 nla_put_failure:
16359 	nlmsg_free(msg);
16360 }
16361 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
16362 
16363 static int nl80211_get_protocol_features(struct sk_buff *skb,
16364 					 struct genl_info *info)
16365 {
16366 	void *hdr;
16367 	struct sk_buff *msg;
16368 
16369 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16370 	if (!msg)
16371 		return -ENOMEM;
16372 
16373 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
16374 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
16375 	if (!hdr)
16376 		goto nla_put_failure;
16377 
16378 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
16379 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
16380 		goto nla_put_failure;
16381 
16382 	genlmsg_end(msg, hdr);
16383 	return genlmsg_reply(msg, info);
16384 
16385  nla_put_failure:
16386 	kfree_skb(msg);
16387 	return -ENOBUFS;
16388 }
16389 
16390 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
16391 {
16392 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16393 	struct cfg80211_update_ft_ies_params ft_params;
16394 	struct net_device *dev = info->user_ptr[1];
16395 
16396 	if (!rdev->ops->update_ft_ies)
16397 		return -EOPNOTSUPP;
16398 
16399 	if (!info->attrs[NL80211_ATTR_MDID] ||
16400 	    !info->attrs[NL80211_ATTR_IE])
16401 		return -EINVAL;
16402 
16403 	memset(&ft_params, 0, sizeof(ft_params));
16404 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
16405 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
16406 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
16407 
16408 	return rdev_update_ft_ies(rdev, dev, &ft_params);
16409 }
16410 
16411 static int nl80211_crit_protocol_start(struct sk_buff *skb,
16412 				       struct genl_info *info)
16413 {
16414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16415 	struct wireless_dev *wdev = info->user_ptr[1];
16416 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
16417 	u16 duration;
16418 	int ret;
16419 
16420 	if (!rdev->ops->crit_proto_start)
16421 		return -EOPNOTSUPP;
16422 
16423 	if (WARN_ON(!rdev->ops->crit_proto_stop))
16424 		return -EINVAL;
16425 
16426 	if (rdev->crit_proto_nlportid)
16427 		return -EBUSY;
16428 
16429 	/* determine protocol if provided */
16430 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
16431 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
16432 
16433 	if (proto >= NUM_NL80211_CRIT_PROTO)
16434 		return -EINVAL;
16435 
16436 	/* timeout must be provided */
16437 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
16438 		return -EINVAL;
16439 
16440 	duration =
16441 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
16442 
16443 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
16444 	if (!ret)
16445 		rdev->crit_proto_nlportid = info->snd_portid;
16446 
16447 	return ret;
16448 }
16449 
16450 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
16451 				      struct genl_info *info)
16452 {
16453 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16454 	struct wireless_dev *wdev = info->user_ptr[1];
16455 
16456 	if (!rdev->ops->crit_proto_stop)
16457 		return -EOPNOTSUPP;
16458 
16459 	if (rdev->crit_proto_nlportid) {
16460 		rdev->crit_proto_nlportid = 0;
16461 		rdev_crit_proto_stop(rdev, wdev);
16462 	}
16463 	return 0;
16464 }
16465 
16466 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
16467 				       struct nlattr *attr,
16468 				       struct netlink_ext_ack *extack)
16469 {
16470 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
16471 		if (attr->nla_type & NLA_F_NESTED) {
16472 			NL_SET_ERR_MSG_ATTR(extack, attr,
16473 					    "unexpected nested data");
16474 			return -EINVAL;
16475 		}
16476 
16477 		return 0;
16478 	}
16479 
16480 	if (!(attr->nla_type & NLA_F_NESTED)) {
16481 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
16482 		return -EINVAL;
16483 	}
16484 
16485 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
16486 }
16487 
16488 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
16489 {
16490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16491 	struct wireless_dev *wdev =
16492 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
16493 					   info->attrs);
16494 	int i, err;
16495 	u32 vid, subcmd;
16496 
16497 	if (!rdev->wiphy.vendor_commands)
16498 		return -EOPNOTSUPP;
16499 
16500 	if (IS_ERR(wdev)) {
16501 		err = PTR_ERR(wdev);
16502 		if (err != -EINVAL)
16503 			return err;
16504 		wdev = NULL;
16505 	} else if (wdev->wiphy != &rdev->wiphy) {
16506 		return -EINVAL;
16507 	}
16508 
16509 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
16510 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
16511 		return -EINVAL;
16512 
16513 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
16514 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
16515 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
16516 		const struct wiphy_vendor_command *vcmd;
16517 		void *data = NULL;
16518 		int len = 0;
16519 
16520 		vcmd = &rdev->wiphy.vendor_commands[i];
16521 
16522 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16523 			continue;
16524 
16525 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16526 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16527 			if (!wdev)
16528 				return -EINVAL;
16529 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16530 			    !wdev->netdev)
16531 				return -EINVAL;
16532 
16533 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16534 				if (!wdev_running(wdev))
16535 					return -ENETDOWN;
16536 			}
16537 		} else {
16538 			wdev = NULL;
16539 		}
16540 
16541 		if (!vcmd->doit)
16542 			return -EOPNOTSUPP;
16543 
16544 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
16545 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16546 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
16547 
16548 			err = nl80211_vendor_check_policy(vcmd,
16549 					info->attrs[NL80211_ATTR_VENDOR_DATA],
16550 					info->extack);
16551 			if (err)
16552 				return err;
16553 		}
16554 
16555 		rdev->cur_cmd_info = info;
16556 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
16557 		rdev->cur_cmd_info = NULL;
16558 		return err;
16559 	}
16560 
16561 	return -EOPNOTSUPP;
16562 }
16563 
16564 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
16565 				       struct netlink_callback *cb,
16566 				       struct cfg80211_registered_device **rdev,
16567 				       struct wireless_dev **wdev)
16568 {
16569 	struct nlattr **attrbuf;
16570 	u32 vid, subcmd;
16571 	unsigned int i;
16572 	int vcmd_idx = -1;
16573 	int err;
16574 	void *data = NULL;
16575 	unsigned int data_len = 0;
16576 
16577 	if (cb->args[0]) {
16578 		/* subtract the 1 again here */
16579 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
16580 		struct wireless_dev *tmp;
16581 
16582 		if (!wiphy)
16583 			return -ENODEV;
16584 		*rdev = wiphy_to_rdev(wiphy);
16585 		*wdev = NULL;
16586 
16587 		if (cb->args[1]) {
16588 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
16589 				if (tmp->identifier == cb->args[1] - 1) {
16590 					*wdev = tmp;
16591 					break;
16592 				}
16593 			}
16594 		}
16595 
16596 		/* keep rtnl locked in successful case */
16597 		return 0;
16598 	}
16599 
16600 	attrbuf = kzalloc_objs(*attrbuf, NUM_NL80211_ATTR);
16601 	if (!attrbuf)
16602 		return -ENOMEM;
16603 
16604 	err = nlmsg_parse_deprecated(cb->nlh,
16605 				     GENL_HDRLEN + nl80211_fam.hdrsize,
16606 				     attrbuf, nl80211_fam.maxattr,
16607 				     nl80211_policy, NULL);
16608 	if (err)
16609 		goto out;
16610 
16611 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
16612 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
16613 		err = -EINVAL;
16614 		goto out;
16615 	}
16616 
16617 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
16618 	if (IS_ERR(*wdev))
16619 		*wdev = NULL;
16620 
16621 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
16622 	if (IS_ERR(*rdev)) {
16623 		err = PTR_ERR(*rdev);
16624 		goto out;
16625 	}
16626 
16627 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
16628 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
16629 
16630 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
16631 		const struct wiphy_vendor_command *vcmd;
16632 
16633 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
16634 
16635 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
16636 			continue;
16637 
16638 		if (!vcmd->dumpit) {
16639 			err = -EOPNOTSUPP;
16640 			goto out;
16641 		}
16642 
16643 		vcmd_idx = i;
16644 		break;
16645 	}
16646 
16647 	if (vcmd_idx < 0) {
16648 		err = -EOPNOTSUPP;
16649 		goto out;
16650 	}
16651 
16652 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
16653 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16654 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
16655 
16656 		err = nl80211_vendor_check_policy(
16657 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
16658 				attrbuf[NL80211_ATTR_VENDOR_DATA],
16659 				cb->extack);
16660 		if (err)
16661 			goto out;
16662 	}
16663 
16664 	/* 0 is the first index - add 1 to parse only once */
16665 	cb->args[0] = (*rdev)->wiphy_idx + 1;
16666 	/* add 1 to know if it was NULL */
16667 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
16668 	cb->args[2] = vcmd_idx;
16669 	cb->args[3] = (unsigned long)data;
16670 	cb->args[4] = data_len;
16671 
16672 	/* keep rtnl locked in successful case */
16673 	err = 0;
16674 out:
16675 	kfree(attrbuf);
16676 	return err;
16677 }
16678 
16679 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
16680 				   struct netlink_callback *cb)
16681 {
16682 	struct cfg80211_registered_device *rdev;
16683 	struct wireless_dev *wdev;
16684 	unsigned int vcmd_idx;
16685 	const struct wiphy_vendor_command *vcmd;
16686 	void *data;
16687 	int data_len;
16688 	int err;
16689 	struct nlattr *vendor_data;
16690 
16691 	rtnl_lock();
16692 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
16693 	if (err)
16694 		goto out;
16695 
16696 	vcmd_idx = cb->args[2];
16697 	data = (void *)cb->args[3];
16698 	data_len = cb->args[4];
16699 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
16700 
16701 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
16702 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
16703 		if (!wdev) {
16704 			err = -EINVAL;
16705 			goto out;
16706 		}
16707 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
16708 		    !wdev->netdev) {
16709 			err = -EINVAL;
16710 			goto out;
16711 		}
16712 
16713 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
16714 			if (!wdev_running(wdev)) {
16715 				err = -ENETDOWN;
16716 				goto out;
16717 			}
16718 		}
16719 	}
16720 
16721 	while (1) {
16722 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
16723 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
16724 					   NL80211_CMD_VENDOR);
16725 		if (!hdr)
16726 			break;
16727 
16728 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16729 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
16730 					       wdev_id(wdev),
16731 					       NL80211_ATTR_PAD))) {
16732 			genlmsg_cancel(skb, hdr);
16733 			break;
16734 		}
16735 
16736 		vendor_data = nla_nest_start_noflag(skb,
16737 						    NL80211_ATTR_VENDOR_DATA);
16738 		if (!vendor_data) {
16739 			genlmsg_cancel(skb, hdr);
16740 			break;
16741 		}
16742 
16743 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
16744 				   (unsigned long *)&cb->args[5]);
16745 		nla_nest_end(skb, vendor_data);
16746 
16747 		if (err == -ENOBUFS || err == -ENOENT) {
16748 			genlmsg_cancel(skb, hdr);
16749 			break;
16750 		} else if (err <= 0) {
16751 			genlmsg_cancel(skb, hdr);
16752 			goto out;
16753 		}
16754 
16755 		genlmsg_end(skb, hdr);
16756 	}
16757 
16758 	err = skb->len;
16759  out:
16760 	rtnl_unlock();
16761 	return err;
16762 }
16763 
16764 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
16765 					   enum nl80211_commands cmd,
16766 					   enum nl80211_attrs attr,
16767 					   int approxlen)
16768 {
16769 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16770 
16771 	if (WARN_ON(!rdev->cur_cmd_info))
16772 		return NULL;
16773 
16774 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
16775 					   rdev->cur_cmd_info->snd_portid,
16776 					   rdev->cur_cmd_info->snd_seq,
16777 					   cmd, attr, NULL, GFP_KERNEL);
16778 }
16779 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
16780 
16781 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
16782 {
16783 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
16784 	void *hdr = ((void **)skb->cb)[1];
16785 	struct nlattr *data = ((void **)skb->cb)[2];
16786 
16787 	/* clear CB data for netlink core to own from now on */
16788 	memset(skb->cb, 0, sizeof(skb->cb));
16789 
16790 	if (WARN_ON(!rdev->cur_cmd_info)) {
16791 		kfree_skb(skb);
16792 		return -EINVAL;
16793 	}
16794 
16795 	nla_nest_end(skb, data);
16796 	genlmsg_end(skb, hdr);
16797 	return genlmsg_reply(skb, rdev->cur_cmd_info);
16798 }
16799 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
16800 
16801 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
16802 {
16803 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16804 
16805 	if (WARN_ON(!rdev->cur_cmd_info))
16806 		return 0;
16807 
16808 	return rdev->cur_cmd_info->snd_portid;
16809 }
16810 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
16811 
16812 static int nl80211_set_qos_map(struct sk_buff *skb,
16813 			       struct genl_info *info)
16814 {
16815 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16816 	struct cfg80211_qos_map *qos_map = NULL;
16817 	struct net_device *dev = info->user_ptr[1];
16818 	u8 *pos, len, num_des, des_len, des;
16819 	int ret;
16820 
16821 	if (!rdev->ops->set_qos_map)
16822 		return -EOPNOTSUPP;
16823 
16824 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
16825 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
16826 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
16827 
16828 		if (len % 2)
16829 			return -EINVAL;
16830 
16831 		qos_map = kzalloc_obj(struct cfg80211_qos_map);
16832 		if (!qos_map)
16833 			return -ENOMEM;
16834 
16835 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
16836 		if (num_des) {
16837 			des_len = num_des *
16838 				sizeof(struct cfg80211_dscp_exception);
16839 			memcpy(qos_map->dscp_exception, pos, des_len);
16840 			qos_map->num_des = num_des;
16841 			for (des = 0; des < num_des; des++) {
16842 				if (qos_map->dscp_exception[des].up > 7) {
16843 					kfree(qos_map);
16844 					return -EINVAL;
16845 				}
16846 			}
16847 			pos += des_len;
16848 		}
16849 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
16850 	}
16851 
16852 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
16853 	if (!ret)
16854 		ret = rdev_set_qos_map(rdev, dev, qos_map);
16855 
16856 	kfree(qos_map);
16857 	return ret;
16858 }
16859 
16860 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
16861 {
16862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16863 	struct net_device *dev = info->user_ptr[1];
16864 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16865 	const u8 *peer;
16866 	u8 tsid, up;
16867 	u16 admitted_time = 0;
16868 
16869 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
16870 		return -EOPNOTSUPP;
16871 
16872 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
16873 	    !info->attrs[NL80211_ATTR_USER_PRIO])
16874 		return -EINVAL;
16875 
16876 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16877 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
16878 
16879 	/* WMM uses TIDs 0-7 even for TSPEC */
16880 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
16881 		/* TODO: handle 802.11 TSPEC/admission control
16882 		 * need more attributes for that (e.g. BA session requirement);
16883 		 * change the WMM admission test above to allow both then
16884 		 */
16885 		return -EINVAL;
16886 	}
16887 
16888 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16889 
16890 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
16891 		admitted_time =
16892 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
16893 		if (!admitted_time)
16894 			return -EINVAL;
16895 	}
16896 
16897 	switch (wdev->iftype) {
16898 	case NL80211_IFTYPE_STATION:
16899 	case NL80211_IFTYPE_P2P_CLIENT:
16900 		if (wdev->connected)
16901 			break;
16902 		return -ENOTCONN;
16903 	default:
16904 		return -EOPNOTSUPP;
16905 	}
16906 
16907 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
16908 }
16909 
16910 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
16911 {
16912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16913 	struct net_device *dev = info->user_ptr[1];
16914 	const u8 *peer;
16915 	u8 tsid;
16916 
16917 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
16918 		return -EINVAL;
16919 
16920 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
16921 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16922 
16923 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
16924 }
16925 
16926 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
16927 				       struct genl_info *info)
16928 {
16929 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16930 	struct net_device *dev = info->user_ptr[1];
16931 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16932 	struct cfg80211_chan_def chandef = {};
16933 	const u8 *addr;
16934 	u8 oper_class;
16935 	int err;
16936 
16937 	if (!rdev->ops->tdls_channel_switch ||
16938 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16939 		return -EOPNOTSUPP;
16940 
16941 	switch (dev->ieee80211_ptr->iftype) {
16942 	case NL80211_IFTYPE_STATION:
16943 	case NL80211_IFTYPE_P2P_CLIENT:
16944 		break;
16945 	default:
16946 		return -EOPNOTSUPP;
16947 	}
16948 
16949 	if (!info->attrs[NL80211_ATTR_MAC] ||
16950 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
16951 		return -EINVAL;
16952 
16953 	err = nl80211_parse_chandef(rdev, info, &chandef);
16954 	if (err)
16955 		return err;
16956 
16957 	/*
16958 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
16959 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
16960 	 * specification is not defined for them.
16961 	 */
16962 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
16963 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
16964 	    chandef.width != NL80211_CHAN_WIDTH_20)
16965 		return -EINVAL;
16966 
16967 	/* we will be active on the TDLS link */
16968 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
16969 					   wdev->iftype))
16970 		return -EINVAL;
16971 
16972 	/* don't allow switching to DFS channels */
16973 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
16974 		return -EINVAL;
16975 
16976 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16977 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
16978 
16979 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
16980 }
16981 
16982 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
16983 					      struct genl_info *info)
16984 {
16985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16986 	struct net_device *dev = info->user_ptr[1];
16987 	const u8 *addr;
16988 
16989 	if (!rdev->ops->tdls_channel_switch ||
16990 	    !rdev->ops->tdls_cancel_channel_switch ||
16991 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
16992 		return -EOPNOTSUPP;
16993 
16994 	switch (dev->ieee80211_ptr->iftype) {
16995 	case NL80211_IFTYPE_STATION:
16996 	case NL80211_IFTYPE_P2P_CLIENT:
16997 		break;
16998 	default:
16999 		return -EOPNOTSUPP;
17000 	}
17001 
17002 	if (!info->attrs[NL80211_ATTR_MAC])
17003 		return -EINVAL;
17004 
17005 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17006 
17007 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
17008 
17009 	return 0;
17010 }
17011 
17012 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
17013 					    struct genl_info *info)
17014 {
17015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17016 	struct net_device *dev = info->user_ptr[1];
17017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17018 	const struct nlattr *nla;
17019 	bool enabled;
17020 
17021 	if (!rdev->ops->set_multicast_to_unicast)
17022 		return -EOPNOTSUPP;
17023 
17024 	if (wdev->iftype != NL80211_IFTYPE_AP &&
17025 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
17026 		return -EOPNOTSUPP;
17027 
17028 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
17029 	enabled = nla_get_flag(nla);
17030 
17031 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
17032 }
17033 
17034 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
17035 {
17036 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17037 	struct net_device *dev = info->user_ptr[1];
17038 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17039 	struct cfg80211_pmk_conf pmk_conf = {};
17040 
17041 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17042 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17043 		return -EOPNOTSUPP;
17044 
17045 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17046 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17047 		return -EOPNOTSUPP;
17048 
17049 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
17050 		return -EINVAL;
17051 
17052 	if (!wdev->connected)
17053 		return -ENOTCONN;
17054 
17055 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17056 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
17057 		return -EINVAL;
17058 
17059 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
17060 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
17061 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
17062 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
17063 		return -EINVAL;
17064 
17065 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
17066 		pmk_conf.pmk_r0_name =
17067 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
17068 
17069 	return rdev_set_pmk(rdev, dev, &pmk_conf);
17070 }
17071 
17072 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
17073 {
17074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17075 	struct net_device *dev = info->user_ptr[1];
17076 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17077 	const u8 *aa;
17078 
17079 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17080 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17081 		return -EOPNOTSUPP;
17082 
17083 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17084 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
17085 		return -EOPNOTSUPP;
17086 
17087 	if (!info->attrs[NL80211_ATTR_MAC])
17088 		return -EINVAL;
17089 
17090 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
17091 	return rdev_del_pmk(rdev, dev, aa);
17092 }
17093 
17094 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
17095 {
17096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17097 	struct net_device *dev = info->user_ptr[1];
17098 	struct cfg80211_external_auth_params params;
17099 
17100 	if (!rdev->ops->external_auth)
17101 		return -EOPNOTSUPP;
17102 
17103 	if (!info->attrs[NL80211_ATTR_SSID] &&
17104 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
17105 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
17106 		return -EINVAL;
17107 
17108 	if (!info->attrs[NL80211_ATTR_BSSID])
17109 		return -EINVAL;
17110 
17111 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
17112 		return -EINVAL;
17113 
17114 	memset(&params, 0, sizeof(params));
17115 
17116 	if (info->attrs[NL80211_ATTR_SSID]) {
17117 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
17118 		if (params.ssid.ssid_len == 0)
17119 			return -EINVAL;
17120 		memcpy(params.ssid.ssid,
17121 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
17122 		       params.ssid.ssid_len);
17123 	}
17124 
17125 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
17126 	       ETH_ALEN);
17127 
17128 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17129 
17130 	if (info->attrs[NL80211_ATTR_PMKID])
17131 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
17132 
17133 	return rdev_external_auth(rdev, dev, &params);
17134 }
17135 
17136 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
17137 {
17138 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
17139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17140 	struct net_device *dev = info->user_ptr[1];
17141 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17142 	const u8 *buf;
17143 	size_t len;
17144 	u8 *dest;
17145 	u16 proto;
17146 	bool noencrypt;
17147 	u64 cookie = 0;
17148 	int link_id;
17149 	int err;
17150 
17151 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17152 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
17153 		return -EOPNOTSUPP;
17154 
17155 	if (!rdev->ops->tx_control_port)
17156 		return -EOPNOTSUPP;
17157 
17158 	if (!info->attrs[NL80211_ATTR_FRAME] ||
17159 	    !info->attrs[NL80211_ATTR_MAC] ||
17160 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
17161 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
17162 		return -EINVAL;
17163 	}
17164 
17165 	switch (wdev->iftype) {
17166 	case NL80211_IFTYPE_AP:
17167 	case NL80211_IFTYPE_P2P_GO:
17168 	case NL80211_IFTYPE_MESH_POINT:
17169 		break;
17170 	case NL80211_IFTYPE_ADHOC:
17171 		if (wdev->u.ibss.current_bss)
17172 			break;
17173 		return -ENOTCONN;
17174 	case NL80211_IFTYPE_STATION:
17175 	case NL80211_IFTYPE_P2P_CLIENT:
17176 		if (wdev->connected)
17177 			break;
17178 		return -ENOTCONN;
17179 	default:
17180 		return -EOPNOTSUPP;
17181 	}
17182 
17183 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17184 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17185 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17186 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
17187 	noencrypt =
17188 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
17189 
17190 	link_id = nl80211_link_id_or_invalid(info->attrs);
17191 
17192 	err = rdev_tx_control_port(rdev, dev, buf, len,
17193 				   dest, cpu_to_be16(proto), noencrypt, link_id,
17194 				   dont_wait_for_ack ? NULL : &cookie);
17195 	if (!err && !dont_wait_for_ack)
17196 		nl_set_extack_cookie_u64(info->extack, cookie);
17197 	return err;
17198 }
17199 
17200 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
17201 					   struct genl_info *info)
17202 {
17203 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17204 	struct net_device *dev = info->user_ptr[1];
17205 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17206 	struct cfg80211_ftm_responder_stats ftm_stats = {};
17207 	unsigned int link_id = nl80211_link_id(info->attrs);
17208 	struct sk_buff *msg;
17209 	void *hdr;
17210 	struct nlattr *ftm_stats_attr;
17211 	int err;
17212 
17213 	if (wdev->iftype != NL80211_IFTYPE_AP ||
17214 	    !wdev->links[link_id].ap.beacon_interval)
17215 		return -EOPNOTSUPP;
17216 
17217 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
17218 	if (err)
17219 		return err;
17220 
17221 	if (!ftm_stats.filled)
17222 		return -ENODATA;
17223 
17224 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17225 	if (!msg)
17226 		return -ENOMEM;
17227 
17228 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
17229 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
17230 	if (!hdr)
17231 		goto nla_put_failure;
17232 
17233 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17234 		goto nla_put_failure;
17235 
17236 	ftm_stats_attr = nla_nest_start_noflag(msg,
17237 					       NL80211_ATTR_FTM_RESPONDER_STATS);
17238 	if (!ftm_stats_attr)
17239 		goto nla_put_failure;
17240 
17241 #define SET_FTM(field, name, type)					 \
17242 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17243 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
17244 			     ftm_stats.field))				 \
17245 		goto nla_put_failure; } while (0)
17246 #define SET_FTM_U64(field, name)					 \
17247 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
17248 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
17249 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
17250 		goto nla_put_failure; } while (0)
17251 
17252 	SET_FTM(success_num, SUCCESS_NUM, u32);
17253 	SET_FTM(partial_num, PARTIAL_NUM, u32);
17254 	SET_FTM(failed_num, FAILED_NUM, u32);
17255 	SET_FTM(asap_num, ASAP_NUM, u32);
17256 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
17257 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
17258 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
17259 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
17260 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
17261 #undef SET_FTM
17262 
17263 	nla_nest_end(msg, ftm_stats_attr);
17264 
17265 	genlmsg_end(msg, hdr);
17266 	return genlmsg_reply(msg, info);
17267 
17268 nla_put_failure:
17269 	nlmsg_free(msg);
17270 	return -ENOBUFS;
17271 }
17272 
17273 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
17274 {
17275 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17276 	struct cfg80211_update_owe_info owe_info;
17277 	struct net_device *dev = info->user_ptr[1];
17278 
17279 	if (!rdev->ops->update_owe_info)
17280 		return -EOPNOTSUPP;
17281 
17282 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
17283 	    !info->attrs[NL80211_ATTR_MAC])
17284 		return -EINVAL;
17285 
17286 	memset(&owe_info, 0, sizeof(owe_info));
17287 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
17288 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
17289 
17290 	if (info->attrs[NL80211_ATTR_IE]) {
17291 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
17292 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
17293 	}
17294 
17295 	return rdev_update_owe_info(rdev, dev, &owe_info);
17296 }
17297 
17298 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
17299 {
17300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17301 	struct net_device *dev = info->user_ptr[1];
17302 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17303 	struct station_info sinfo = {};
17304 	const u8 *buf;
17305 	size_t len;
17306 	u8 *dest;
17307 	int err;
17308 
17309 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
17310 		return -EOPNOTSUPP;
17311 
17312 	if (!info->attrs[NL80211_ATTR_MAC] ||
17313 	    !info->attrs[NL80211_ATTR_FRAME]) {
17314 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
17315 		return -EINVAL;
17316 	}
17317 
17318 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
17319 		return -EOPNOTSUPP;
17320 
17321 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
17322 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
17323 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
17324 
17325 	if (len < sizeof(struct ethhdr))
17326 		return -EINVAL;
17327 
17328 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
17329 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
17330 		return -EINVAL;
17331 
17332 	err = rdev_get_station(rdev, dev, dest, &sinfo);
17333 	if (err)
17334 		return err;
17335 
17336 	cfg80211_sinfo_release_content(&sinfo);
17337 
17338 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
17339 }
17340 
17341 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
17342 			  struct nlattr *attrs[], struct net_device *dev,
17343 			  struct cfg80211_tid_cfg *tid_conf,
17344 			  struct genl_info *info, const u8 *peer,
17345 			  unsigned int link_id)
17346 {
17347 	struct netlink_ext_ack *extack = info->extack;
17348 	u64 mask;
17349 	int err;
17350 
17351 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
17352 		return -EINVAL;
17353 
17354 	tid_conf->config_override =
17355 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
17356 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
17357 
17358 	if (tid_conf->config_override) {
17359 		if (rdev->ops->reset_tid_config) {
17360 			err = rdev_reset_tid_config(rdev, dev, peer,
17361 						    tid_conf->tids);
17362 			if (err)
17363 				return err;
17364 		} else {
17365 			return -EINVAL;
17366 		}
17367 	}
17368 
17369 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
17370 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
17371 		tid_conf->noack =
17372 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
17373 	}
17374 
17375 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
17376 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
17377 		tid_conf->retry_short =
17378 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
17379 
17380 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
17381 			return -EINVAL;
17382 	}
17383 
17384 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
17385 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
17386 		tid_conf->retry_long =
17387 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
17388 
17389 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
17390 			return -EINVAL;
17391 	}
17392 
17393 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
17394 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
17395 		tid_conf->ampdu =
17396 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
17397 	}
17398 
17399 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
17400 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
17401 		tid_conf->rtscts =
17402 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
17403 	}
17404 
17405 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
17406 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
17407 		tid_conf->amsdu =
17408 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
17409 	}
17410 
17411 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
17412 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
17413 
17414 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
17415 
17416 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
17417 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
17418 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
17419 						    &tid_conf->txrate_mask, dev,
17420 						    true, link_id);
17421 			if (err)
17422 				return err;
17423 
17424 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
17425 		}
17426 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
17427 	}
17428 
17429 	if (peer)
17430 		mask = rdev->wiphy.tid_config_support.peer;
17431 	else
17432 		mask = rdev->wiphy.tid_config_support.vif;
17433 
17434 	if (tid_conf->mask & ~mask) {
17435 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
17436 		return -EOPNOTSUPP;
17437 	}
17438 
17439 	return 0;
17440 }
17441 
17442 static int nl80211_set_tid_config(struct sk_buff *skb,
17443 				  struct genl_info *info)
17444 {
17445 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17446 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
17447 	unsigned int link_id = nl80211_link_id(info->attrs);
17448 	struct net_device *dev = info->user_ptr[1];
17449 	struct cfg80211_tid_config *tid_config;
17450 	struct nlattr *tid;
17451 	int conf_idx = 0, rem_conf;
17452 	int ret = -EINVAL;
17453 	u32 num_conf = 0;
17454 
17455 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
17456 		return -EINVAL;
17457 
17458 	if (!rdev->ops->set_tid_config)
17459 		return -EOPNOTSUPP;
17460 
17461 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17462 			    rem_conf)
17463 		num_conf++;
17464 
17465 	tid_config = kzalloc_flex(*tid_config, tid_conf, num_conf, GFP_KERNEL);
17466 	if (!tid_config)
17467 		return -ENOMEM;
17468 
17469 	tid_config->n_tid_conf = num_conf;
17470 
17471 	if (info->attrs[NL80211_ATTR_MAC])
17472 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
17473 
17474 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
17475 			    rem_conf) {
17476 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
17477 				       tid, NULL, NULL);
17478 
17479 		if (ret)
17480 			goto bad_tid_conf;
17481 
17482 		ret = parse_tid_conf(rdev, attrs, dev,
17483 				     &tid_config->tid_conf[conf_idx],
17484 				     info, tid_config->peer, link_id);
17485 		if (ret)
17486 			goto bad_tid_conf;
17487 
17488 		conf_idx++;
17489 	}
17490 
17491 	ret = rdev_set_tid_config(rdev, dev, tid_config);
17492 
17493 bad_tid_conf:
17494 	kfree(tid_config);
17495 	return ret;
17496 }
17497 
17498 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
17499 {
17500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17501 	struct cfg80211_color_change_settings params = {};
17502 	struct net_device *dev = info->user_ptr[1];
17503 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17504 	struct nlattr **tb;
17505 	u16 offset;
17506 	int err;
17507 
17508 	if (!rdev->ops->color_change)
17509 		return -EOPNOTSUPP;
17510 
17511 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
17512 				     NL80211_EXT_FEATURE_BSS_COLOR))
17513 		return -EOPNOTSUPP;
17514 
17515 	if (wdev->iftype != NL80211_IFTYPE_AP)
17516 		return -EOPNOTSUPP;
17517 
17518 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
17519 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
17520 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
17521 		return -EINVAL;
17522 
17523 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
17524 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
17525 
17526 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
17527 				   info->extack);
17528 	if (err)
17529 		return err;
17530 
17531 	tb = kzalloc_objs(*tb, NL80211_ATTR_MAX + 1);
17532 	if (!tb)
17533 		return -ENOMEM;
17534 
17535 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
17536 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
17537 			       nl80211_policy, info->extack);
17538 	if (err)
17539 		goto out;
17540 
17541 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
17542 				   info->extack);
17543 	if (err)
17544 		goto out;
17545 
17546 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
17547 		err = -EINVAL;
17548 		goto out;
17549 	}
17550 
17551 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
17552 		err = -EINVAL;
17553 		goto out;
17554 	}
17555 
17556 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
17557 	if (offset >= params.beacon_color_change.tail_len) {
17558 		err = -EINVAL;
17559 		goto out;
17560 	}
17561 
17562 	if (params.beacon_color_change.tail[offset] != params.count) {
17563 		err = -EINVAL;
17564 		goto out;
17565 	}
17566 
17567 	params.counter_offset_beacon = offset;
17568 
17569 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
17570 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
17571 		    sizeof(u16)) {
17572 			err = -EINVAL;
17573 			goto out;
17574 		}
17575 
17576 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
17577 		if (offset >= params.beacon_color_change.probe_resp_len) {
17578 			err = -EINVAL;
17579 			goto out;
17580 		}
17581 
17582 		if (params.beacon_color_change.probe_resp[offset] !=
17583 		    params.count) {
17584 			err = -EINVAL;
17585 			goto out;
17586 		}
17587 
17588 		params.counter_offset_presp = offset;
17589 	}
17590 
17591 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
17592 		err = nl80211_parse_unsol_bcast_probe_resp(
17593 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
17594 			&params.unsol_bcast_probe_resp);
17595 		if (err)
17596 			goto out;
17597 	}
17598 
17599 	params.link_id = nl80211_link_id(info->attrs);
17600 	err = rdev_color_change(rdev, dev, &params);
17601 
17602 out:
17603 	kfree(params.beacon_next.mbssid_ies);
17604 	kfree(params.beacon_color_change.mbssid_ies);
17605 	kfree(params.beacon_next.rnr_ies);
17606 	kfree(params.beacon_color_change.rnr_ies);
17607 	kfree(tb);
17608 	return err;
17609 }
17610 
17611 static int nl80211_set_fils_aad(struct sk_buff *skb,
17612 				struct genl_info *info)
17613 {
17614 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17615 	struct net_device *dev = info->user_ptr[1];
17616 	struct cfg80211_fils_aad fils_aad = {};
17617 	u8 *nonces;
17618 
17619 	if (!info->attrs[NL80211_ATTR_MAC] ||
17620 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
17621 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
17622 		return -EINVAL;
17623 
17624 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17625 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
17626 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
17627 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
17628 	fils_aad.snonce = nonces;
17629 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
17630 
17631 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
17632 }
17633 
17634 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
17635 {
17636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17637 	unsigned int link_id = nl80211_link_id(info->attrs);
17638 	struct net_device *dev = info->user_ptr[1];
17639 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17640 	int ret;
17641 
17642 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
17643 		return -EINVAL;
17644 
17645 	switch (wdev->iftype) {
17646 	case NL80211_IFTYPE_AP:
17647 		break;
17648 	default:
17649 		return -EINVAL;
17650 	}
17651 
17652 	if (!info->attrs[NL80211_ATTR_MAC] ||
17653 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
17654 		return -EINVAL;
17655 
17656 	wdev->valid_links |= BIT(link_id);
17657 	ether_addr_copy(wdev->links[link_id].addr,
17658 			nla_data(info->attrs[NL80211_ATTR_MAC]));
17659 
17660 	ret = rdev_add_intf_link(rdev, wdev, link_id);
17661 	if (ret) {
17662 		wdev->valid_links &= ~BIT(link_id);
17663 		eth_zero_addr(wdev->links[link_id].addr);
17664 	}
17665 
17666 	return ret;
17667 }
17668 
17669 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
17670 {
17671 	unsigned int link_id = nl80211_link_id(info->attrs);
17672 	struct net_device *dev = info->user_ptr[1];
17673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17674 
17675 	/* cannot remove if there's no link */
17676 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17677 		return -EINVAL;
17678 
17679 	switch (wdev->iftype) {
17680 	case NL80211_IFTYPE_AP:
17681 		break;
17682 	default:
17683 		return -EINVAL;
17684 	}
17685 
17686 	cfg80211_remove_link(wdev, link_id);
17687 
17688 	return 0;
17689 }
17690 
17691 static int
17692 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
17693 			     bool add)
17694 {
17695 	struct link_station_parameters params = {};
17696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17697 	struct net_device *dev = info->user_ptr[1];
17698 	int err;
17699 
17700 	if ((add && !rdev->ops->add_link_station) ||
17701 	    (!add && !rdev->ops->mod_link_station))
17702 		return -EOPNOTSUPP;
17703 
17704 	if (add && !info->attrs[NL80211_ATTR_MAC])
17705 		return -EINVAL;
17706 
17707 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
17708 		return -EINVAL;
17709 
17710 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
17711 		return -EINVAL;
17712 
17713 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17714 
17715 	if (info->attrs[NL80211_ATTR_MAC]) {
17716 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
17717 		if (!is_valid_ether_addr(params.link_mac))
17718 			return -EINVAL;
17719 	}
17720 
17721 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
17722 		return -EINVAL;
17723 
17724 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17725 
17726 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
17727 		params.supported_rates =
17728 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17729 		params.supported_rates_len =
17730 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
17731 	}
17732 
17733 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
17734 		params.ht_capa =
17735 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
17736 
17737 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
17738 		params.vht_capa =
17739 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
17740 
17741 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
17742 		params.he_capa =
17743 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17744 		params.he_capa_len =
17745 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
17746 
17747 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
17748 			params.eht_capa =
17749 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17750 			params.eht_capa_len =
17751 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
17752 
17753 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
17754 							(const u8 *)params.eht_capa,
17755 							params.eht_capa_len,
17756 							false))
17757 				return -EINVAL;
17758 		}
17759 	}
17760 
17761 	if (info->attrs[NL80211_ATTR_UHR_CAPABILITY]) {
17762 		if (!params.eht_capa)
17763 			return -EINVAL;
17764 
17765 		params.uhr_capa =
17766 			nla_data(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17767 		params.uhr_capa_len =
17768 			nla_len(info->attrs[NL80211_ATTR_UHR_CAPABILITY]);
17769 	}
17770 
17771 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
17772 		params.he_6ghz_capa =
17773 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
17774 
17775 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
17776 		params.opmode_notif_used = true;
17777 		params.opmode_notif =
17778 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
17779 	}
17780 
17781 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
17782 						&params.txpwr_set);
17783 	if (err)
17784 		return err;
17785 
17786 	if (add)
17787 		return rdev_add_link_station(rdev, dev, &params);
17788 
17789 	return rdev_mod_link_station(rdev, dev, &params);
17790 }
17791 
17792 static int
17793 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
17794 {
17795 	return nl80211_add_mod_link_station(skb, info, true);
17796 }
17797 
17798 static int
17799 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
17800 {
17801 	return nl80211_add_mod_link_station(skb, info, false);
17802 }
17803 
17804 static int
17805 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
17806 {
17807 	struct link_station_del_parameters params = {};
17808 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17809 	struct net_device *dev = info->user_ptr[1];
17810 
17811 	if (!rdev->ops->del_link_station)
17812 		return -EOPNOTSUPP;
17813 
17814 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
17815 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
17816 		return -EINVAL;
17817 
17818 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
17819 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
17820 
17821 	return rdev_del_link_station(rdev, dev, &params);
17822 }
17823 
17824 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
17825 				    struct genl_info *info)
17826 {
17827 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17828 	struct net_device *dev = info->user_ptr[1];
17829 	struct cfg80211_set_hw_timestamp hwts = {};
17830 
17831 	if (!rdev->wiphy.hw_timestamp_max_peers)
17832 		return -EOPNOTSUPP;
17833 
17834 	if (!info->attrs[NL80211_ATTR_MAC] &&
17835 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
17836 		return -EOPNOTSUPP;
17837 
17838 	if (info->attrs[NL80211_ATTR_MAC])
17839 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
17840 
17841 	hwts.enable =
17842 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
17843 
17844 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
17845 }
17846 
17847 static int
17848 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
17849 {
17850 	struct cfg80211_ttlm_params params = {};
17851 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17852 	struct net_device *dev = info->user_ptr[1];
17853 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17854 
17855 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17856 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17857 		return -EOPNOTSUPP;
17858 
17859 	if (!wdev->connected)
17860 		return -ENOLINK;
17861 
17862 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
17863 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
17864 		return -EINVAL;
17865 
17866 	nla_memcpy(params.dlink,
17867 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
17868 		   sizeof(params.dlink));
17869 	nla_memcpy(params.ulink,
17870 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
17871 		   sizeof(params.ulink));
17872 
17873 	return rdev_set_ttlm(rdev, dev, &params);
17874 }
17875 
17876 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
17877 {
17878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17879 	struct net_device *dev = info->user_ptr[1];
17880 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17881 	struct cfg80211_ml_reconf_req req = {};
17882 	unsigned int link_id;
17883 	u16 add_links;
17884 	int err;
17885 
17886 	if (!wdev->valid_links)
17887 		return -EINVAL;
17888 
17889 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
17890 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
17891 		return -EPERM;
17892 
17893 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
17894 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
17895 		return -EOPNOTSUPP;
17896 
17897 	add_links = 0;
17898 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
17899 		err = nl80211_process_links(rdev, req.add_links,
17900 					    /* mark as MLO, but not assoc */
17901 					    IEEE80211_MLD_MAX_NUM_LINKS,
17902 					    NULL, 0, info);
17903 		if (err)
17904 			return err;
17905 
17906 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
17907 		     link_id++) {
17908 			if (!req.add_links[link_id].bss)
17909 				continue;
17910 			add_links |= BIT(link_id);
17911 		}
17912 	}
17913 
17914 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
17915 		req.rem_links =
17916 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
17917 
17918 	/* Validate that existing links are not added, removed links are valid
17919 	 * and don't allow adding and removing the same links
17920 	 */
17921 	if ((add_links & req.rem_links) || !(add_links | req.rem_links) ||
17922 	    (wdev->valid_links & add_links) ||
17923 	    ((wdev->valid_links & req.rem_links) != req.rem_links)) {
17924 		err = -EINVAL;
17925 		goto out;
17926 	}
17927 
17928 	if (info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS])
17929 		req.ext_mld_capa_ops =
17930 			nla_get_u16(info->attrs[NL80211_ATTR_ASSOC_MLD_EXT_CAPA_OPS]);
17931 
17932 	err = cfg80211_assoc_ml_reconf(rdev, dev, &req);
17933 
17934 out:
17935 	for (link_id = 0; link_id < ARRAY_SIZE(req.add_links); link_id++)
17936 		cfg80211_put_bss(&rdev->wiphy, req.add_links[link_id].bss);
17937 
17938 	return err;
17939 }
17940 
17941 static int
17942 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
17943 {
17944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
17945 	struct net_device *dev = info->user_ptr[1];
17946 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17947 	bool val;
17948 
17949 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
17950 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
17951 		return -EOPNOTSUPP;
17952 
17953 	if (!wdev->connected)
17954 		return -ENOLINK;
17955 
17956 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
17957 
17958 	return rdev_set_epcs(rdev, dev, val);
17959 }
17960 
17961 #define NL80211_FLAG_NEED_WIPHY		0x01
17962 #define NL80211_FLAG_NEED_NETDEV	0x02
17963 #define NL80211_FLAG_NEED_RTNL		0x04
17964 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
17965 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
17966 					 NL80211_FLAG_CHECK_NETDEV_UP)
17967 #define NL80211_FLAG_NEED_WDEV		0x10
17968 /* If a netdev is associated, it must be UP, P2P must be started */
17969 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
17970 					 NL80211_FLAG_CHECK_NETDEV_UP)
17971 #define NL80211_FLAG_CLEAR_SKB		0x20
17972 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
17973 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
17974 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
17975 
17976 #define INTERNAL_FLAG_SELECTORS(__sel)			\
17977 	SELECTOR(__sel, NONE, 0) /* must be first */	\
17978 	SELECTOR(__sel, WIPHY,				\
17979 		 NL80211_FLAG_NEED_WIPHY)		\
17980 	SELECTOR(__sel, WDEV,				\
17981 		 NL80211_FLAG_NEED_WDEV)		\
17982 	SELECTOR(__sel, NETDEV,				\
17983 		 NL80211_FLAG_NEED_NETDEV)		\
17984 	SELECTOR(__sel, NETDEV_LINK,			\
17985 		 NL80211_FLAG_NEED_NETDEV |		\
17986 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
17987 	SELECTOR(__sel, NETDEV_NO_MLO,			\
17988 		 NL80211_FLAG_NEED_NETDEV |		\
17989 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
17990 	SELECTOR(__sel, WIPHY_RTNL,			\
17991 		 NL80211_FLAG_NEED_WIPHY |		\
17992 		 NL80211_FLAG_NEED_RTNL)		\
17993 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
17994 		 NL80211_FLAG_NEED_WIPHY |		\
17995 		 NL80211_FLAG_NEED_RTNL |		\
17996 		 NL80211_FLAG_NO_WIPHY_MTX)		\
17997 	SELECTOR(__sel, WDEV_RTNL,			\
17998 		 NL80211_FLAG_NEED_WDEV |		\
17999 		 NL80211_FLAG_NEED_RTNL)		\
18000 	SELECTOR(__sel, NETDEV_RTNL,			\
18001 		 NL80211_FLAG_NEED_NETDEV |		\
18002 		 NL80211_FLAG_NEED_RTNL)		\
18003 	SELECTOR(__sel, NETDEV_UP,			\
18004 		 NL80211_FLAG_NEED_NETDEV_UP)		\
18005 	SELECTOR(__sel, NETDEV_UP_LINK,			\
18006 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18007 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18008 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
18009 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18010 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18011 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
18012 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18013 		 NL80211_FLAG_CLEAR_SKB |		\
18014 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
18015 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
18016 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18017 		 NL80211_FLAG_NO_WIPHY_MTX)		\
18018 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
18019 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18020 		 NL80211_FLAG_NO_WIPHY_MTX |		\
18021 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18022 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
18023 		 NL80211_FLAG_NEED_NETDEV_UP |		\
18024 		 NL80211_FLAG_CLEAR_SKB)		\
18025 	SELECTOR(__sel, WDEV_UP,			\
18026 		 NL80211_FLAG_NEED_WDEV_UP)		\
18027 	SELECTOR(__sel, WDEV_UP_LINK,			\
18028 		 NL80211_FLAG_NEED_WDEV_UP |		\
18029 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
18030 	SELECTOR(__sel, WDEV_UP_RTNL,			\
18031 		 NL80211_FLAG_NEED_WDEV_UP |		\
18032 		 NL80211_FLAG_NEED_RTNL)		\
18033 	SELECTOR(__sel, WIPHY_CLEAR,			\
18034 		 NL80211_FLAG_NEED_WIPHY |		\
18035 		 NL80211_FLAG_CLEAR_SKB)
18036 
18037 enum nl80211_internal_flags_selector {
18038 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
18039 	INTERNAL_FLAG_SELECTORS(_)
18040 #undef SELECTOR
18041 };
18042 
18043 static u32 nl80211_internal_flags[] = {
18044 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
18045 	INTERNAL_FLAG_SELECTORS(_)
18046 #undef SELECTOR
18047 };
18048 
18049 static int nl80211_pre_doit(const struct genl_split_ops *ops,
18050 			    struct sk_buff *skb,
18051 			    struct genl_info *info)
18052 {
18053 	struct cfg80211_registered_device *rdev = NULL;
18054 	struct wireless_dev *wdev = NULL;
18055 	struct net_device *dev = NULL;
18056 	u32 internal_flags;
18057 	int err;
18058 
18059 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
18060 		return -EINVAL;
18061 
18062 	internal_flags = nl80211_internal_flags[ops->internal_flags];
18063 
18064 	rtnl_lock();
18065 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
18066 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
18067 		if (IS_ERR(rdev)) {
18068 			err = PTR_ERR(rdev);
18069 			goto out_unlock;
18070 		}
18071 		info->user_ptr[0] = rdev;
18072 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
18073 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
18074 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
18075 						  info->attrs);
18076 		if (IS_ERR(wdev)) {
18077 			err = PTR_ERR(wdev);
18078 			goto out_unlock;
18079 		}
18080 
18081 		dev = wdev->netdev;
18082 		dev_hold(dev);
18083 		rdev = wiphy_to_rdev(wdev->wiphy);
18084 
18085 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
18086 			if (!dev) {
18087 				err = -EINVAL;
18088 				goto out_unlock;
18089 			}
18090 
18091 			info->user_ptr[1] = dev;
18092 		} else {
18093 			info->user_ptr[1] = wdev;
18094 		}
18095 
18096 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
18097 		    !wdev_running(wdev)) {
18098 			err = -ENETDOWN;
18099 			goto out_unlock;
18100 		}
18101 
18102 		info->user_ptr[0] = rdev;
18103 	}
18104 
18105 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
18106 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
18107 
18108 		if (!wdev) {
18109 			err = -EINVAL;
18110 			goto out_unlock;
18111 		}
18112 
18113 		/* MLO -> require valid link ID */
18114 		if (wdev->valid_links &&
18115 		    (!link_id ||
18116 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
18117 			err = -EINVAL;
18118 			goto out_unlock;
18119 		}
18120 
18121 		/* non-MLO -> no link ID attribute accepted */
18122 		if (!wdev->valid_links && link_id) {
18123 			err = -EINVAL;
18124 			goto out_unlock;
18125 		}
18126 	}
18127 
18128 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
18129 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
18130 		    (wdev && wdev->valid_links)) {
18131 			err = -EINVAL;
18132 			goto out_unlock;
18133 		}
18134 	}
18135 
18136 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18137 		wiphy_lock(&rdev->wiphy);
18138 		/* we keep the mutex locked until post_doit */
18139 		__release(&rdev->wiphy.mtx);
18140 	}
18141 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
18142 		rtnl_unlock();
18143 
18144 	return 0;
18145 out_unlock:
18146 	rtnl_unlock();
18147 	dev_put(dev);
18148 	return err;
18149 }
18150 
18151 static void nl80211_post_doit(const struct genl_split_ops *ops,
18152 			      struct sk_buff *skb,
18153 			      struct genl_info *info)
18154 {
18155 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
18156 
18157 	if (info->user_ptr[1]) {
18158 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
18159 			struct wireless_dev *wdev = info->user_ptr[1];
18160 
18161 			dev_put(wdev->netdev);
18162 		} else {
18163 			dev_put(info->user_ptr[1]);
18164 		}
18165 	}
18166 
18167 	if (info->user_ptr[0] &&
18168 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
18169 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
18170 
18171 		/* we kept the mutex locked since pre_doit */
18172 		__acquire(&rdev->wiphy.mtx);
18173 		wiphy_unlock(&rdev->wiphy);
18174 	}
18175 
18176 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
18177 		rtnl_unlock();
18178 
18179 	/* If needed, clear the netlink message payload from the SKB
18180 	 * as it might contain key data that shouldn't stick around on
18181 	 * the heap after the SKB is freed. The netlink message header
18182 	 * is still needed for further processing, so leave it intact.
18183 	 */
18184 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
18185 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
18186 
18187 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
18188 	}
18189 }
18190 
18191 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
18192 				     struct cfg80211_sar_specs *sar_specs,
18193 				     struct nlattr *spec[], int index)
18194 {
18195 	u32 range_index, i;
18196 
18197 	if (!sar_specs || !spec)
18198 		return -EINVAL;
18199 
18200 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
18201 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
18202 		return -EINVAL;
18203 
18204 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
18205 
18206 	/* check if range_index exceeds num_freq_ranges */
18207 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
18208 		return -EINVAL;
18209 
18210 	/* check if range_index duplicates */
18211 	for (i = 0; i < index; i++) {
18212 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
18213 			return -EINVAL;
18214 	}
18215 
18216 	sar_specs->sub_specs[index].power =
18217 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
18218 
18219 	sar_specs->sub_specs[index].freq_range_index = range_index;
18220 
18221 	return 0;
18222 }
18223 
18224 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
18225 {
18226 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
18227 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
18228 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
18229 	struct cfg80211_sar_specs *sar_spec;
18230 	enum nl80211_sar_type type;
18231 	struct nlattr *spec_list;
18232 	u32 specs;
18233 	int rem, err;
18234 
18235 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
18236 		return -EOPNOTSUPP;
18237 
18238 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
18239 		return -EINVAL;
18240 
18241 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
18242 			 info->attrs[NL80211_ATTR_SAR_SPEC],
18243 			 NULL, NULL);
18244 
18245 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
18246 		return -EINVAL;
18247 
18248 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
18249 	if (type != rdev->wiphy.sar_capa->type)
18250 		return -EINVAL;
18251 
18252 	specs = 0;
18253 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
18254 		specs++;
18255 
18256 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
18257 		return -EINVAL;
18258 
18259 	sar_spec = kzalloc_flex(*sar_spec, sub_specs, specs, GFP_KERNEL);
18260 	if (!sar_spec)
18261 		return -ENOMEM;
18262 
18263 	sar_spec->num_sub_specs = specs;
18264 	sar_spec->type = type;
18265 	specs = 0;
18266 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
18267 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
18268 				 spec_list, NULL, NULL);
18269 
18270 		switch (type) {
18271 		case NL80211_SAR_TYPE_POWER:
18272 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
18273 						      spec, specs)) {
18274 				err = -EINVAL;
18275 				goto error;
18276 			}
18277 			break;
18278 		default:
18279 			err = -EINVAL;
18280 			goto error;
18281 		}
18282 		specs++;
18283 	}
18284 
18285 	sar_spec->num_sub_specs = specs;
18286 
18287 	rdev->cur_cmd_info = info;
18288 	err = rdev_set_sar_specs(rdev, sar_spec);
18289 	rdev->cur_cmd_info = NULL;
18290 error:
18291 	kfree(sar_spec);
18292 	return err;
18293 }
18294 
18295 #define SELECTOR(__sel, name, value) \
18296 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
18297 int __missing_selector(void);
18298 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
18299 
18300 static const struct genl_ops nl80211_ops[] = {
18301 	{
18302 		.cmd = NL80211_CMD_GET_WIPHY,
18303 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18304 		.doit = nl80211_get_wiphy,
18305 		.dumpit = nl80211_dump_wiphy,
18306 		.done = nl80211_dump_wiphy_done,
18307 		/* can be retrieved by unprivileged users */
18308 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18309 	},
18310 };
18311 
18312 static const struct genl_small_ops nl80211_small_ops[] = {
18313 	{
18314 		.cmd = NL80211_CMD_SET_WIPHY,
18315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18316 		.doit = nl80211_set_wiphy,
18317 		.flags = GENL_UNS_ADMIN_PERM,
18318 	},
18319 	{
18320 		.cmd = NL80211_CMD_GET_INTERFACE,
18321 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18322 		.doit = nl80211_get_interface,
18323 		.dumpit = nl80211_dump_interface,
18324 		/* can be retrieved by unprivileged users */
18325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18326 	},
18327 	{
18328 		.cmd = NL80211_CMD_SET_INTERFACE,
18329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18330 		.doit = nl80211_set_interface,
18331 		.flags = GENL_UNS_ADMIN_PERM,
18332 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18333 					 NL80211_FLAG_NEED_RTNL),
18334 	},
18335 	{
18336 		.cmd = NL80211_CMD_NEW_INTERFACE,
18337 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18338 		.doit = nl80211_new_interface,
18339 		.flags = GENL_UNS_ADMIN_PERM,
18340 		.internal_flags =
18341 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
18342 			       NL80211_FLAG_NEED_RTNL |
18343 			       /* we take the wiphy mutex later ourselves */
18344 			       NL80211_FLAG_NO_WIPHY_MTX),
18345 	},
18346 	{
18347 		.cmd = NL80211_CMD_DEL_INTERFACE,
18348 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18349 		.doit = nl80211_del_interface,
18350 		.flags = GENL_UNS_ADMIN_PERM,
18351 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18352 					 NL80211_FLAG_NEED_RTNL),
18353 	},
18354 	{
18355 		.cmd = NL80211_CMD_GET_KEY,
18356 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18357 		.doit = nl80211_get_key,
18358 		.flags = GENL_UNS_ADMIN_PERM,
18359 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18360 	},
18361 	{
18362 		.cmd = NL80211_CMD_SET_KEY,
18363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18364 		.doit = nl80211_set_key,
18365 		.flags = GENL_UNS_ADMIN_PERM,
18366 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
18367 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18368 					 NL80211_FLAG_CLEAR_SKB),
18369 	},
18370 	{
18371 		.cmd = NL80211_CMD_NEW_KEY,
18372 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18373 		.doit = nl80211_new_key,
18374 		.flags = GENL_UNS_ADMIN_PERM,
18375 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18376 					 NL80211_FLAG_CLEAR_SKB),
18377 	},
18378 	{
18379 		.cmd = NL80211_CMD_DEL_KEY,
18380 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18381 		.doit = nl80211_del_key,
18382 		.flags = GENL_UNS_ADMIN_PERM,
18383 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18384 	},
18385 	{
18386 		.cmd = NL80211_CMD_SET_BEACON,
18387 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18388 		.flags = GENL_UNS_ADMIN_PERM,
18389 		.doit = nl80211_set_beacon,
18390 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18391 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18392 	},
18393 	{
18394 		.cmd = NL80211_CMD_START_AP,
18395 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18396 		.flags = GENL_UNS_ADMIN_PERM,
18397 		.doit = nl80211_start_ap,
18398 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18399 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18400 	},
18401 	{
18402 		.cmd = NL80211_CMD_STOP_AP,
18403 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18404 		.flags = GENL_UNS_ADMIN_PERM,
18405 		.doit = nl80211_stop_ap,
18406 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18407 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18408 	},
18409 	{
18410 		.cmd = NL80211_CMD_GET_STATION,
18411 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18412 		.doit = nl80211_get_station,
18413 		.dumpit = nl80211_dump_station,
18414 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18415 	},
18416 	{
18417 		.cmd = NL80211_CMD_SET_STATION,
18418 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18419 		.doit = nl80211_set_station,
18420 		.flags = GENL_UNS_ADMIN_PERM,
18421 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18422 	},
18423 	{
18424 		.cmd = NL80211_CMD_NEW_STATION,
18425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18426 		.doit = nl80211_new_station,
18427 		.flags = GENL_UNS_ADMIN_PERM,
18428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18429 	},
18430 	{
18431 		.cmd = NL80211_CMD_DEL_STATION,
18432 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18433 		.doit = nl80211_del_station,
18434 		.flags = GENL_UNS_ADMIN_PERM,
18435 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
18436 		 * whether MAC address is passed or not. If MAC address is
18437 		 * passed, then even during MLO, link ID is not required.
18438 		 */
18439 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18440 	},
18441 	{
18442 		.cmd = NL80211_CMD_GET_MPATH,
18443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18444 		.doit = nl80211_get_mpath,
18445 		.dumpit = nl80211_dump_mpath,
18446 		.flags = GENL_UNS_ADMIN_PERM,
18447 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18448 	},
18449 	{
18450 		.cmd = NL80211_CMD_GET_MPP,
18451 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18452 		.doit = nl80211_get_mpp,
18453 		.dumpit = nl80211_dump_mpp,
18454 		.flags = GENL_UNS_ADMIN_PERM,
18455 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18456 	},
18457 	{
18458 		.cmd = NL80211_CMD_SET_MPATH,
18459 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18460 		.doit = nl80211_set_mpath,
18461 		.flags = GENL_UNS_ADMIN_PERM,
18462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18463 	},
18464 	{
18465 		.cmd = NL80211_CMD_NEW_MPATH,
18466 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18467 		.doit = nl80211_new_mpath,
18468 		.flags = GENL_UNS_ADMIN_PERM,
18469 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18470 	},
18471 	{
18472 		.cmd = NL80211_CMD_DEL_MPATH,
18473 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18474 		.doit = nl80211_del_mpath,
18475 		.flags = GENL_UNS_ADMIN_PERM,
18476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18477 	},
18478 	{
18479 		.cmd = NL80211_CMD_SET_BSS,
18480 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18481 		.doit = nl80211_set_bss,
18482 		.flags = GENL_UNS_ADMIN_PERM,
18483 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18484 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18485 	},
18486 	{
18487 		.cmd = NL80211_CMD_GET_REG,
18488 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18489 		.doit = nl80211_get_reg_do,
18490 		.dumpit = nl80211_get_reg_dump,
18491 		/* can be retrieved by unprivileged users */
18492 	},
18493 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
18494 	{
18495 		.cmd = NL80211_CMD_SET_REG,
18496 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18497 		.doit = nl80211_set_reg,
18498 		.flags = GENL_ADMIN_PERM,
18499 	},
18500 #endif
18501 	{
18502 		.cmd = NL80211_CMD_REQ_SET_REG,
18503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18504 		.doit = nl80211_req_set_reg,
18505 		.flags = GENL_ADMIN_PERM,
18506 	},
18507 	{
18508 		.cmd = NL80211_CMD_RELOAD_REGDB,
18509 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18510 		.doit = nl80211_reload_regdb,
18511 		.flags = GENL_ADMIN_PERM,
18512 	},
18513 	{
18514 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
18515 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18516 		.doit = nl80211_get_mesh_config,
18517 		/* can be retrieved by unprivileged users */
18518 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18519 	},
18520 	{
18521 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
18522 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18523 		.doit = nl80211_update_mesh_config,
18524 		.flags = GENL_UNS_ADMIN_PERM,
18525 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18526 	},
18527 	{
18528 		.cmd = NL80211_CMD_TRIGGER_SCAN,
18529 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18530 		.doit = nl80211_trigger_scan,
18531 		.flags = GENL_UNS_ADMIN_PERM,
18532 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18533 	},
18534 	{
18535 		.cmd = NL80211_CMD_ABORT_SCAN,
18536 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18537 		.doit = nl80211_abort_scan,
18538 		.flags = GENL_UNS_ADMIN_PERM,
18539 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18540 	},
18541 	{
18542 		.cmd = NL80211_CMD_GET_SCAN,
18543 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18544 		.dumpit = nl80211_dump_scan,
18545 	},
18546 	{
18547 		.cmd = NL80211_CMD_START_SCHED_SCAN,
18548 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18549 		.doit = nl80211_start_sched_scan,
18550 		.flags = GENL_UNS_ADMIN_PERM,
18551 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18552 	},
18553 	{
18554 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
18555 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18556 		.doit = nl80211_stop_sched_scan,
18557 		.flags = GENL_UNS_ADMIN_PERM,
18558 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18559 	},
18560 	{
18561 		.cmd = NL80211_CMD_AUTHENTICATE,
18562 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18563 		.doit = nl80211_authenticate,
18564 		.flags = GENL_UNS_ADMIN_PERM,
18565 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18566 					 NL80211_FLAG_CLEAR_SKB),
18567 	},
18568 	{
18569 		.cmd = NL80211_CMD_ASSOCIATE,
18570 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18571 		.doit = nl80211_associate,
18572 		.flags = GENL_UNS_ADMIN_PERM,
18573 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18574 					 NL80211_FLAG_CLEAR_SKB),
18575 	},
18576 	{
18577 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18578 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18579 		.doit = nl80211_deauthenticate,
18580 		.flags = GENL_UNS_ADMIN_PERM,
18581 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18582 	},
18583 	{
18584 		.cmd = NL80211_CMD_DISASSOCIATE,
18585 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18586 		.doit = nl80211_disassociate,
18587 		.flags = GENL_UNS_ADMIN_PERM,
18588 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18589 	},
18590 	{
18591 		.cmd = NL80211_CMD_JOIN_IBSS,
18592 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18593 		.doit = nl80211_join_ibss,
18594 		.flags = GENL_UNS_ADMIN_PERM,
18595 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18596 	},
18597 	{
18598 		.cmd = NL80211_CMD_LEAVE_IBSS,
18599 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18600 		.doit = nl80211_leave_ibss,
18601 		.flags = GENL_UNS_ADMIN_PERM,
18602 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18603 	},
18604 #ifdef CONFIG_NL80211_TESTMODE
18605 	{
18606 		.cmd = NL80211_CMD_TESTMODE,
18607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18608 		.doit = nl80211_testmode_do,
18609 		.dumpit = nl80211_testmode_dump,
18610 		.flags = GENL_UNS_ADMIN_PERM,
18611 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18612 	},
18613 #endif
18614 	{
18615 		.cmd = NL80211_CMD_CONNECT,
18616 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18617 		.doit = nl80211_connect,
18618 		.flags = GENL_UNS_ADMIN_PERM,
18619 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18620 					 NL80211_FLAG_CLEAR_SKB),
18621 	},
18622 	{
18623 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
18624 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18625 		.doit = nl80211_update_connect_params,
18626 		.flags = GENL_ADMIN_PERM,
18627 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18628 					 NL80211_FLAG_CLEAR_SKB),
18629 	},
18630 	{
18631 		.cmd = NL80211_CMD_DISCONNECT,
18632 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18633 		.doit = nl80211_disconnect,
18634 		.flags = GENL_UNS_ADMIN_PERM,
18635 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18636 	},
18637 	{
18638 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
18639 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18640 		.doit = nl80211_wiphy_netns,
18641 		.flags = GENL_UNS_ADMIN_PERM,
18642 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18643 					 NL80211_FLAG_NEED_RTNL |
18644 					 NL80211_FLAG_NO_WIPHY_MTX),
18645 	},
18646 	{
18647 		.cmd = NL80211_CMD_GET_SURVEY,
18648 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18649 		.dumpit = nl80211_dump_survey,
18650 	},
18651 	{
18652 		.cmd = NL80211_CMD_SET_PMKSA,
18653 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18654 		.doit = nl80211_set_pmksa,
18655 		.flags = GENL_UNS_ADMIN_PERM,
18656 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18657 					 NL80211_FLAG_CLEAR_SKB),
18658 	},
18659 	{
18660 		.cmd = NL80211_CMD_DEL_PMKSA,
18661 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18662 		.doit = nl80211_del_pmksa,
18663 		.flags = GENL_UNS_ADMIN_PERM,
18664 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18665 	},
18666 	{
18667 		.cmd = NL80211_CMD_FLUSH_PMKSA,
18668 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18669 		.doit = nl80211_flush_pmksa,
18670 		.flags = GENL_UNS_ADMIN_PERM,
18671 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18672 	},
18673 	{
18674 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
18675 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18676 		.doit = nl80211_remain_on_channel,
18677 		.flags = GENL_UNS_ADMIN_PERM,
18678 		/* FIXME: requiring a link ID here is probably not good */
18679 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18680 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18681 	},
18682 	{
18683 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18684 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18685 		.doit = nl80211_cancel_remain_on_channel,
18686 		.flags = GENL_UNS_ADMIN_PERM,
18687 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18688 	},
18689 	{
18690 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
18691 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18692 		.doit = nl80211_set_tx_bitrate_mask,
18693 		.flags = GENL_UNS_ADMIN_PERM,
18694 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18695 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18696 	},
18697 	{
18698 		.cmd = NL80211_CMD_REGISTER_FRAME,
18699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18700 		.doit = nl80211_register_mgmt,
18701 		.flags = GENL_UNS_ADMIN_PERM,
18702 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
18703 	},
18704 	{
18705 		.cmd = NL80211_CMD_FRAME,
18706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18707 		.doit = nl80211_tx_mgmt,
18708 		.flags = GENL_UNS_ADMIN_PERM,
18709 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18710 	},
18711 	{
18712 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
18713 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18714 		.doit = nl80211_tx_mgmt_cancel_wait,
18715 		.flags = GENL_UNS_ADMIN_PERM,
18716 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18717 	},
18718 	{
18719 		.cmd = NL80211_CMD_SET_POWER_SAVE,
18720 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18721 		.doit = nl80211_set_power_save,
18722 		.flags = GENL_UNS_ADMIN_PERM,
18723 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18724 	},
18725 	{
18726 		.cmd = NL80211_CMD_GET_POWER_SAVE,
18727 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18728 		.doit = nl80211_get_power_save,
18729 		/* can be retrieved by unprivileged users */
18730 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18731 	},
18732 	{
18733 		.cmd = NL80211_CMD_SET_CQM,
18734 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18735 		.doit = nl80211_set_cqm,
18736 		.flags = GENL_UNS_ADMIN_PERM,
18737 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18738 	},
18739 	{
18740 		.cmd = NL80211_CMD_SET_CHANNEL,
18741 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18742 		.doit = nl80211_set_channel,
18743 		.flags = GENL_UNS_ADMIN_PERM,
18744 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18745 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18746 	},
18747 	{
18748 		.cmd = NL80211_CMD_JOIN_MESH,
18749 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18750 		.doit = nl80211_join_mesh,
18751 		.flags = GENL_UNS_ADMIN_PERM,
18752 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18753 	},
18754 	{
18755 		.cmd = NL80211_CMD_LEAVE_MESH,
18756 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18757 		.doit = nl80211_leave_mesh,
18758 		.flags = GENL_UNS_ADMIN_PERM,
18759 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18760 	},
18761 	{
18762 		.cmd = NL80211_CMD_JOIN_OCB,
18763 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18764 		.doit = nl80211_join_ocb,
18765 		.flags = GENL_UNS_ADMIN_PERM,
18766 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18767 	},
18768 	{
18769 		.cmd = NL80211_CMD_LEAVE_OCB,
18770 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18771 		.doit = nl80211_leave_ocb,
18772 		.flags = GENL_UNS_ADMIN_PERM,
18773 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18774 	},
18775 #ifdef CONFIG_PM
18776 	{
18777 		.cmd = NL80211_CMD_GET_WOWLAN,
18778 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18779 		.doit = nl80211_get_wowlan,
18780 		/* can be retrieved by unprivileged users */
18781 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18782 	},
18783 	{
18784 		.cmd = NL80211_CMD_SET_WOWLAN,
18785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18786 		.doit = nl80211_set_wowlan,
18787 		.flags = GENL_UNS_ADMIN_PERM,
18788 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18789 	},
18790 #endif
18791 	{
18792 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
18793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18794 		.doit = nl80211_set_rekey_data,
18795 		.flags = GENL_UNS_ADMIN_PERM,
18796 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18797 					 NL80211_FLAG_CLEAR_SKB),
18798 	},
18799 	{
18800 		.cmd = NL80211_CMD_TDLS_MGMT,
18801 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18802 		.doit = nl80211_tdls_mgmt,
18803 		.flags = GENL_UNS_ADMIN_PERM,
18804 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18805 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18806 	},
18807 	{
18808 		.cmd = NL80211_CMD_TDLS_OPER,
18809 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18810 		.doit = nl80211_tdls_oper,
18811 		.flags = GENL_UNS_ADMIN_PERM,
18812 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18813 	},
18814 	{
18815 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
18816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18817 		.doit = nl80211_register_unexpected_frame,
18818 		.flags = GENL_UNS_ADMIN_PERM,
18819 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18820 	},
18821 	{
18822 		.cmd = NL80211_CMD_PROBE_CLIENT,
18823 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18824 		.doit = nl80211_probe_client,
18825 		.flags = GENL_UNS_ADMIN_PERM,
18826 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18827 	},
18828 	{
18829 		.cmd = NL80211_CMD_REGISTER_BEACONS,
18830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18831 		.doit = nl80211_register_beacons,
18832 		.flags = GENL_UNS_ADMIN_PERM,
18833 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18834 	},
18835 	{
18836 		.cmd = NL80211_CMD_SET_NOACK_MAP,
18837 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18838 		.doit = nl80211_set_noack_map,
18839 		.flags = GENL_UNS_ADMIN_PERM,
18840 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18841 	},
18842 	{
18843 		.cmd = NL80211_CMD_START_P2P_DEVICE,
18844 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18845 		.doit = nl80211_start_p2p_device,
18846 		.flags = GENL_UNS_ADMIN_PERM,
18847 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18848 					 NL80211_FLAG_NEED_RTNL),
18849 	},
18850 	{
18851 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
18852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18853 		.doit = nl80211_stop_p2p_device,
18854 		.flags = GENL_UNS_ADMIN_PERM,
18855 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18856 					 NL80211_FLAG_NEED_RTNL),
18857 	},
18858 	{
18859 		.cmd = NL80211_CMD_START_NAN,
18860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18861 		.doit = nl80211_start_nan,
18862 		.flags = GENL_ADMIN_PERM,
18863 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
18864 					 NL80211_FLAG_NEED_RTNL),
18865 	},
18866 	{
18867 		.cmd = NL80211_CMD_STOP_NAN,
18868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18869 		.doit = nl80211_stop_nan,
18870 		.flags = GENL_ADMIN_PERM,
18871 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
18872 					 NL80211_FLAG_NEED_RTNL),
18873 	},
18874 	{
18875 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
18876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18877 		.doit = nl80211_nan_add_func,
18878 		.flags = GENL_ADMIN_PERM,
18879 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18880 	},
18881 	{
18882 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
18883 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18884 		.doit = nl80211_nan_del_func,
18885 		.flags = GENL_ADMIN_PERM,
18886 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18887 	},
18888 	{
18889 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
18890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18891 		.doit = nl80211_nan_change_config,
18892 		.flags = GENL_ADMIN_PERM,
18893 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18894 	},
18895 	{
18896 		.cmd = NL80211_CMD_SET_MCAST_RATE,
18897 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18898 		.doit = nl80211_set_mcast_rate,
18899 		.flags = GENL_UNS_ADMIN_PERM,
18900 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
18901 	},
18902 	{
18903 		.cmd = NL80211_CMD_SET_MAC_ACL,
18904 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18905 		.doit = nl80211_set_mac_acl,
18906 		.flags = GENL_UNS_ADMIN_PERM,
18907 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
18908 					 NL80211_FLAG_MLO_UNSUPPORTED),
18909 	},
18910 	{
18911 		.cmd = NL80211_CMD_RADAR_DETECT,
18912 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18913 		.doit = nl80211_start_radar_detection,
18914 		.flags = GENL_UNS_ADMIN_PERM,
18915 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18916 					 NL80211_FLAG_NO_WIPHY_MTX |
18917 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18918 	},
18919 	{
18920 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
18921 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18922 		.doit = nl80211_get_protocol_features,
18923 	},
18924 	{
18925 		.cmd = NL80211_CMD_UPDATE_FT_IES,
18926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18927 		.doit = nl80211_update_ft_ies,
18928 		.flags = GENL_UNS_ADMIN_PERM,
18929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18930 	},
18931 	{
18932 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
18933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18934 		.doit = nl80211_crit_protocol_start,
18935 		.flags = GENL_UNS_ADMIN_PERM,
18936 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18937 	},
18938 	{
18939 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
18940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18941 		.doit = nl80211_crit_protocol_stop,
18942 		.flags = GENL_UNS_ADMIN_PERM,
18943 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
18944 	},
18945 	{
18946 		.cmd = NL80211_CMD_GET_COALESCE,
18947 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18948 		.doit = nl80211_get_coalesce,
18949 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18950 	},
18951 	{
18952 		.cmd = NL80211_CMD_SET_COALESCE,
18953 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18954 		.doit = nl80211_set_coalesce,
18955 		.flags = GENL_UNS_ADMIN_PERM,
18956 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
18957 	},
18958 	{
18959 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
18960 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18961 		.doit = nl80211_channel_switch,
18962 		.flags = GENL_UNS_ADMIN_PERM,
18963 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18964 					 NL80211_FLAG_MLO_VALID_LINK_ID),
18965 	},
18966 	{
18967 		.cmd = NL80211_CMD_VENDOR,
18968 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18969 		.doit = nl80211_vendor_cmd,
18970 		.dumpit = nl80211_vendor_cmd_dump,
18971 		.flags = GENL_UNS_ADMIN_PERM,
18972 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
18973 					 NL80211_FLAG_CLEAR_SKB),
18974 	},
18975 	{
18976 		.cmd = NL80211_CMD_SET_QOS_MAP,
18977 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18978 		.doit = nl80211_set_qos_map,
18979 		.flags = GENL_UNS_ADMIN_PERM,
18980 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18981 	},
18982 	{
18983 		.cmd = NL80211_CMD_ADD_TX_TS,
18984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18985 		.doit = nl80211_add_tx_ts,
18986 		.flags = GENL_UNS_ADMIN_PERM,
18987 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
18988 					 NL80211_FLAG_MLO_UNSUPPORTED),
18989 	},
18990 	{
18991 		.cmd = NL80211_CMD_DEL_TX_TS,
18992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
18993 		.doit = nl80211_del_tx_ts,
18994 		.flags = GENL_UNS_ADMIN_PERM,
18995 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
18996 	},
18997 	{
18998 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
18999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19000 		.doit = nl80211_tdls_channel_switch,
19001 		.flags = GENL_UNS_ADMIN_PERM,
19002 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19003 	},
19004 	{
19005 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
19006 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19007 		.doit = nl80211_tdls_cancel_channel_switch,
19008 		.flags = GENL_UNS_ADMIN_PERM,
19009 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19010 	},
19011 	{
19012 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
19013 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19014 		.doit = nl80211_set_multicast_to_unicast,
19015 		.flags = GENL_UNS_ADMIN_PERM,
19016 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
19017 	},
19018 	{
19019 		.cmd = NL80211_CMD_SET_PMK,
19020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19021 		.doit = nl80211_set_pmk,
19022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19023 					 NL80211_FLAG_CLEAR_SKB),
19024 	},
19025 	{
19026 		.cmd = NL80211_CMD_DEL_PMK,
19027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19028 		.doit = nl80211_del_pmk,
19029 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19030 	},
19031 	{
19032 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
19033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19034 		.doit = nl80211_external_auth,
19035 		.flags = GENL_ADMIN_PERM,
19036 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19037 	},
19038 	{
19039 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
19040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19041 		.doit = nl80211_tx_control_port,
19042 		.flags = GENL_UNS_ADMIN_PERM,
19043 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19044 	},
19045 	{
19046 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
19047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19048 		.doit = nl80211_get_ftm_responder_stats,
19049 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19050 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19051 	},
19052 	{
19053 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
19054 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19055 		.doit = nl80211_pmsr_start,
19056 		.flags = GENL_UNS_ADMIN_PERM,
19057 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
19058 	},
19059 	{
19060 		.cmd = NL80211_CMD_NOTIFY_RADAR,
19061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19062 		.doit = nl80211_notify_radar_detection,
19063 		.flags = GENL_UNS_ADMIN_PERM,
19064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19065 	},
19066 	{
19067 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
19068 		.doit = nl80211_update_owe_info,
19069 		.flags = GENL_ADMIN_PERM,
19070 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19071 	},
19072 	{
19073 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
19074 		.doit = nl80211_probe_mesh_link,
19075 		.flags = GENL_UNS_ADMIN_PERM,
19076 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19077 	},
19078 	{
19079 		.cmd = NL80211_CMD_SET_TID_CONFIG,
19080 		.doit = nl80211_set_tid_config,
19081 		.flags = GENL_UNS_ADMIN_PERM,
19082 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
19083 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19084 	},
19085 	{
19086 		.cmd = NL80211_CMD_SET_SAR_SPECS,
19087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19088 		.doit = nl80211_set_sar_specs,
19089 		.flags = GENL_UNS_ADMIN_PERM,
19090 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
19091 					 NL80211_FLAG_NEED_RTNL),
19092 	},
19093 	{
19094 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
19095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19096 		.doit = nl80211_color_change,
19097 		.flags = GENL_UNS_ADMIN_PERM,
19098 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19099 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19100 	},
19101 	{
19102 		.cmd = NL80211_CMD_SET_FILS_AAD,
19103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
19104 		.doit = nl80211_set_fils_aad,
19105 		.flags = GENL_UNS_ADMIN_PERM,
19106 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19107 	},
19108 	{
19109 		.cmd = NL80211_CMD_ADD_LINK,
19110 		.doit = nl80211_add_link,
19111 		.flags = GENL_UNS_ADMIN_PERM,
19112 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19113 	},
19114 	{
19115 		.cmd = NL80211_CMD_REMOVE_LINK,
19116 		.doit = nl80211_remove_link,
19117 		.flags = GENL_UNS_ADMIN_PERM,
19118 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19119 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19120 	},
19121 	{
19122 		.cmd = NL80211_CMD_ADD_LINK_STA,
19123 		.doit = nl80211_add_link_station,
19124 		.flags = GENL_UNS_ADMIN_PERM,
19125 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19126 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19127 	},
19128 	{
19129 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
19130 		.doit = nl80211_modify_link_station,
19131 		.flags = GENL_UNS_ADMIN_PERM,
19132 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19133 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19134 	},
19135 	{
19136 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
19137 		.doit = nl80211_remove_link_station,
19138 		.flags = GENL_UNS_ADMIN_PERM,
19139 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
19140 					 NL80211_FLAG_MLO_VALID_LINK_ID),
19141 	},
19142 	{
19143 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
19144 		.doit = nl80211_set_hw_timestamp,
19145 		.flags = GENL_UNS_ADMIN_PERM,
19146 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19147 	},
19148 	{
19149 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
19150 		.doit = nl80211_set_ttlm,
19151 		.flags = GENL_UNS_ADMIN_PERM,
19152 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19153 	},
19154 	{
19155 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
19156 		.doit = nl80211_assoc_ml_reconf,
19157 		.flags = GENL_UNS_ADMIN_PERM,
19158 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19159 	},
19160 	{
19161 		.cmd = NL80211_CMD_EPCS_CFG,
19162 		.doit = nl80211_epcs_cfg,
19163 		.flags = GENL_UNS_ADMIN_PERM,
19164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
19165 	},
19166 };
19167 
19168 static struct genl_family nl80211_fam __ro_after_init = {
19169 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
19170 	.hdrsize = 0,			/* no private header */
19171 	.version = 1,			/* no particular meaning now */
19172 	.maxattr = NL80211_ATTR_MAX,
19173 	.policy = nl80211_policy,
19174 	.netnsok = true,
19175 	.pre_doit = nl80211_pre_doit,
19176 	.post_doit = nl80211_post_doit,
19177 	.module = THIS_MODULE,
19178 	.ops = nl80211_ops,
19179 	.n_ops = ARRAY_SIZE(nl80211_ops),
19180 	.small_ops = nl80211_small_ops,
19181 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
19182 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
19183 	.mcgrps = nl80211_mcgrps,
19184 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
19185 	.parallel_ops = true,
19186 };
19187 
19188 /* notification functions */
19189 
19190 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
19191 			  enum nl80211_commands cmd)
19192 {
19193 	struct sk_buff *msg;
19194 	struct nl80211_dump_wiphy_state state = {};
19195 
19196 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
19197 		cmd != NL80211_CMD_DEL_WIPHY);
19198 
19199 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19200 	if (!msg)
19201 		return;
19202 
19203 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
19204 		nlmsg_free(msg);
19205 		return;
19206 	}
19207 
19208 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19209 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19210 }
19211 
19212 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
19213 				struct wireless_dev *wdev,
19214 				enum nl80211_commands cmd)
19215 {
19216 	struct sk_buff *msg;
19217 
19218 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19219 	if (!msg)
19220 		return;
19221 
19222 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
19223 		nlmsg_free(msg);
19224 		return;
19225 	}
19226 
19227 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19228 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
19229 }
19230 
19231 static int nl80211_add_scan_req(struct sk_buff *msg,
19232 				struct cfg80211_registered_device *rdev)
19233 {
19234 	struct cfg80211_scan_request_int *req = rdev->scan_req;
19235 	struct nlattr *nest;
19236 	int i;
19237 	struct cfg80211_scan_info *info;
19238 
19239 	if (WARN_ON(!req))
19240 		return 0;
19241 
19242 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
19243 	if (!nest)
19244 		goto nla_put_failure;
19245 	for (i = 0; i < req->req.n_ssids; i++) {
19246 		if (nla_put(msg, i, req->req.ssids[i].ssid_len,
19247 			    req->req.ssids[i].ssid))
19248 			goto nla_put_failure;
19249 	}
19250 	nla_nest_end(msg, nest);
19251 
19252 	if (req->req.flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
19253 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
19254 		if (!nest)
19255 			goto nla_put_failure;
19256 		for (i = 0; i < req->req.n_channels; i++) {
19257 			if (nla_put_u32(msg, i,
19258 					ieee80211_channel_to_khz(req->req.channels[i])))
19259 				goto nla_put_failure;
19260 		}
19261 		nla_nest_end(msg, nest);
19262 	} else {
19263 		nest = nla_nest_start_noflag(msg,
19264 					     NL80211_ATTR_SCAN_FREQUENCIES);
19265 		if (!nest)
19266 			goto nla_put_failure;
19267 		for (i = 0; i < req->req.n_channels; i++) {
19268 			if (nla_put_u32(msg, i,
19269 					req->req.channels[i]->center_freq))
19270 				goto nla_put_failure;
19271 		}
19272 		nla_nest_end(msg, nest);
19273 	}
19274 
19275 	if (req->req.ie &&
19276 	    nla_put(msg, NL80211_ATTR_IE, req->req.ie_len, req->req.ie))
19277 		goto nla_put_failure;
19278 
19279 	if (req->req.flags &&
19280 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->req.flags))
19281 		goto nla_put_failure;
19282 
19283 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
19284 		&rdev->scan_req->info;
19285 	if (info->scan_start_tsf &&
19286 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
19287 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
19288 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
19289 		     info->tsf_bssid)))
19290 		goto nla_put_failure;
19291 
19292 	return 0;
19293  nla_put_failure:
19294 	return -ENOBUFS;
19295 }
19296 
19297 static int nl80211_prep_scan_msg(struct sk_buff *msg,
19298 				 struct cfg80211_registered_device *rdev,
19299 				 struct wireless_dev *wdev,
19300 				 u32 portid, u32 seq, int flags,
19301 				 u32 cmd)
19302 {
19303 	void *hdr;
19304 
19305 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
19306 	if (!hdr)
19307 		return -1;
19308 
19309 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19310 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19311 					 wdev->netdev->ifindex)) ||
19312 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19313 			      NL80211_ATTR_PAD))
19314 		goto nla_put_failure;
19315 
19316 	/* ignore errors and send incomplete event anyway */
19317 	nl80211_add_scan_req(msg, rdev);
19318 
19319 	genlmsg_end(msg, hdr);
19320 	return 0;
19321 
19322  nla_put_failure:
19323 	genlmsg_cancel(msg, hdr);
19324 	return -EMSGSIZE;
19325 }
19326 
19327 static int
19328 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
19329 			    struct cfg80211_sched_scan_request *req, u32 cmd)
19330 {
19331 	void *hdr;
19332 
19333 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19334 	if (!hdr)
19335 		return -1;
19336 
19337 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
19338 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
19339 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
19340 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
19341 			      NL80211_ATTR_PAD))
19342 		goto nla_put_failure;
19343 
19344 	genlmsg_end(msg, hdr);
19345 	return 0;
19346 
19347  nla_put_failure:
19348 	genlmsg_cancel(msg, hdr);
19349 	return -EMSGSIZE;
19350 }
19351 
19352 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
19353 			     struct wireless_dev *wdev)
19354 {
19355 	struct sk_buff *msg;
19356 
19357 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19358 	if (!msg)
19359 		return;
19360 
19361 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19362 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
19363 		nlmsg_free(msg);
19364 		return;
19365 	}
19366 
19367 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19368 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19369 }
19370 
19371 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
19372 				       struct wireless_dev *wdev, bool aborted)
19373 {
19374 	struct sk_buff *msg;
19375 
19376 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19377 	if (!msg)
19378 		return NULL;
19379 
19380 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
19381 				  aborted ? NL80211_CMD_SCAN_ABORTED :
19382 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
19383 		nlmsg_free(msg);
19384 		return NULL;
19385 	}
19386 
19387 	return msg;
19388 }
19389 
19390 /* send message created by nl80211_build_scan_msg() */
19391 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
19392 			   struct sk_buff *msg)
19393 {
19394 	if (!msg)
19395 		return;
19396 
19397 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19398 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19399 }
19400 
19401 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
19402 {
19403 	struct sk_buff *msg;
19404 
19405 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19406 	if (!msg)
19407 		return;
19408 
19409 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
19410 		nlmsg_free(msg);
19411 		return;
19412 	}
19413 
19414 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
19415 				NL80211_MCGRP_SCAN, GFP_KERNEL);
19416 }
19417 
19418 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
19419 					  struct regulatory_request *request)
19420 {
19421 	/* Userspace can always count this one always being set */
19422 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
19423 		goto nla_put_failure;
19424 
19425 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
19426 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19427 			       NL80211_REGDOM_TYPE_WORLD))
19428 			goto nla_put_failure;
19429 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
19430 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19431 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
19432 			goto nla_put_failure;
19433 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
19434 		   request->intersect) {
19435 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19436 			       NL80211_REGDOM_TYPE_INTERSECTION))
19437 			goto nla_put_failure;
19438 	} else {
19439 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
19440 			       NL80211_REGDOM_TYPE_COUNTRY) ||
19441 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
19442 				   request->alpha2))
19443 			goto nla_put_failure;
19444 	}
19445 
19446 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
19447 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
19448 
19449 		if (wiphy &&
19450 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
19451 			goto nla_put_failure;
19452 
19453 		if (wiphy &&
19454 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
19455 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
19456 			goto nla_put_failure;
19457 	}
19458 
19459 	return true;
19460 
19461 nla_put_failure:
19462 	return false;
19463 }
19464 
19465 /*
19466  * This can happen on global regulatory changes or device specific settings
19467  * based on custom regulatory domains.
19468  */
19469 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
19470 				     struct regulatory_request *request)
19471 {
19472 	struct sk_buff *msg;
19473 	void *hdr;
19474 
19475 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19476 	if (!msg)
19477 		return;
19478 
19479 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
19480 	if (!hdr)
19481 		goto nla_put_failure;
19482 
19483 	if (!nl80211_reg_change_event_fill(msg, request))
19484 		goto nla_put_failure;
19485 
19486 	genlmsg_end(msg, hdr);
19487 
19488 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
19489 				NL80211_MCGRP_REGULATORY);
19490 
19491 	return;
19492 
19493 nla_put_failure:
19494 	nlmsg_free(msg);
19495 }
19496 
19497 struct nl80211_mlme_event {
19498 	enum nl80211_commands cmd;
19499 	const u8 *buf;
19500 	size_t buf_len;
19501 	int uapsd_queues;
19502 	const u8 *req_ies;
19503 	size_t req_ies_len;
19504 	bool reconnect;
19505 };
19506 
19507 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
19508 				    struct net_device *netdev,
19509 				    const struct nl80211_mlme_event *event,
19510 				    gfp_t gfp)
19511 {
19512 	struct sk_buff *msg;
19513 	void *hdr;
19514 
19515 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
19516 	if (!msg)
19517 		return;
19518 
19519 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
19520 	if (!hdr) {
19521 		nlmsg_free(msg);
19522 		return;
19523 	}
19524 
19525 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19526 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19527 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
19528 	    (event->req_ies &&
19529 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
19530 		     event->req_ies)))
19531 		goto nla_put_failure;
19532 
19533 	if (event->reconnect &&
19534 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
19535 		goto nla_put_failure;
19536 
19537 	if (event->uapsd_queues >= 0) {
19538 		struct nlattr *nla_wmm =
19539 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
19540 		if (!nla_wmm)
19541 			goto nla_put_failure;
19542 
19543 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
19544 			       event->uapsd_queues))
19545 			goto nla_put_failure;
19546 
19547 		nla_nest_end(msg, nla_wmm);
19548 	}
19549 
19550 	genlmsg_end(msg, hdr);
19551 
19552 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19553 				NL80211_MCGRP_MLME, gfp);
19554 	return;
19555 
19556  nla_put_failure:
19557 	nlmsg_free(msg);
19558 }
19559 
19560 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
19561 			  struct net_device *netdev, const u8 *buf,
19562 			  size_t len, gfp_t gfp)
19563 {
19564 	struct nl80211_mlme_event event = {
19565 		.cmd = NL80211_CMD_AUTHENTICATE,
19566 		.buf = buf,
19567 		.buf_len = len,
19568 		.uapsd_queues = -1,
19569 	};
19570 
19571 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19572 }
19573 
19574 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
19575 			   struct net_device *netdev,
19576 			   const struct cfg80211_rx_assoc_resp_data *data)
19577 {
19578 	struct nl80211_mlme_event event = {
19579 		.cmd = NL80211_CMD_ASSOCIATE,
19580 		.buf = data->buf,
19581 		.buf_len = data->len,
19582 		.uapsd_queues = data->uapsd_queues,
19583 		.req_ies = data->req_ies,
19584 		.req_ies_len = data->req_ies_len,
19585 	};
19586 
19587 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
19588 }
19589 
19590 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
19591 			 struct net_device *netdev, const u8 *buf,
19592 			 size_t len, bool reconnect, gfp_t gfp)
19593 {
19594 	struct nl80211_mlme_event event = {
19595 		.cmd = NL80211_CMD_DEAUTHENTICATE,
19596 		.buf = buf,
19597 		.buf_len = len,
19598 		.reconnect = reconnect,
19599 		.uapsd_queues = -1,
19600 	};
19601 
19602 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19603 }
19604 
19605 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
19606 			   struct net_device *netdev, const u8 *buf,
19607 			   size_t len, bool reconnect, gfp_t gfp)
19608 {
19609 	struct nl80211_mlme_event event = {
19610 		.cmd = NL80211_CMD_DISASSOCIATE,
19611 		.buf = buf,
19612 		.buf_len = len,
19613 		.reconnect = reconnect,
19614 		.uapsd_queues = -1,
19615 	};
19616 
19617 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
19618 }
19619 
19620 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
19621 				  size_t len)
19622 {
19623 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19624 	struct wiphy *wiphy = wdev->wiphy;
19625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19626 	const struct ieee80211_mgmt *mgmt = (void *)buf;
19627 	struct nl80211_mlme_event event = {
19628 		.buf = buf,
19629 		.buf_len = len,
19630 		.uapsd_queues = -1,
19631 	};
19632 
19633 	if (WARN_ON(len < 2))
19634 		return;
19635 
19636 	if (ieee80211_is_deauth(mgmt->frame_control)) {
19637 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
19638 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
19639 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
19640 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
19641 		if (wdev->unprot_beacon_reported &&
19642 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
19643 			return;
19644 		event.cmd = NL80211_CMD_UNPROT_BEACON;
19645 		wdev->unprot_beacon_reported = jiffies;
19646 	} else {
19647 		return;
19648 	}
19649 
19650 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
19651 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
19652 }
19653 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
19654 
19655 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
19656 				      struct net_device *netdev, int cmd,
19657 				      const u8 *addr, gfp_t gfp)
19658 {
19659 	struct sk_buff *msg;
19660 	void *hdr;
19661 
19662 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19663 	if (!msg)
19664 		return;
19665 
19666 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19667 	if (!hdr) {
19668 		nlmsg_free(msg);
19669 		return;
19670 	}
19671 
19672 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19673 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19674 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19675 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19676 		goto nla_put_failure;
19677 
19678 	genlmsg_end(msg, hdr);
19679 
19680 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19681 				NL80211_MCGRP_MLME, gfp);
19682 	return;
19683 
19684  nla_put_failure:
19685 	nlmsg_free(msg);
19686 }
19687 
19688 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
19689 			       struct net_device *netdev, const u8 *addr,
19690 			       gfp_t gfp)
19691 {
19692 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
19693 				  addr, gfp);
19694 }
19695 
19696 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
19697 				struct net_device *netdev, const u8 *addr,
19698 				gfp_t gfp)
19699 {
19700 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
19701 				  addr, gfp);
19702 }
19703 
19704 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
19705 				 struct net_device *netdev,
19706 				 struct cfg80211_connect_resp_params *cr,
19707 				 gfp_t gfp)
19708 {
19709 	struct sk_buff *msg;
19710 	void *hdr;
19711 	unsigned int link;
19712 	size_t link_info_size = 0;
19713 	const u8 *connected_addr = cr->valid_links ?
19714 				   cr->ap_mld_addr : cr->links[0].bssid;
19715 
19716 	if (cr->valid_links) {
19717 		for_each_valid_link(cr, link) {
19718 			/* Nested attribute header */
19719 			link_info_size += NLA_HDRLEN;
19720 			/* Link ID */
19721 			link_info_size += nla_total_size(sizeof(u8));
19722 			link_info_size += cr->links[link].addr ?
19723 					  nla_total_size(ETH_ALEN) : 0;
19724 			link_info_size += (cr->links[link].bssid ||
19725 					   cr->links[link].bss) ?
19726 					  nla_total_size(ETH_ALEN) : 0;
19727 			link_info_size += nla_total_size(sizeof(u16));
19728 		}
19729 	}
19730 
19731 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
19732 			cr->fils.kek_len + cr->fils.pmk_len +
19733 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
19734 			gfp);
19735 	if (!msg)
19736 		return;
19737 
19738 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
19739 	if (!hdr) {
19740 		nlmsg_free(msg);
19741 		return;
19742 	}
19743 
19744 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19745 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19746 	    (connected_addr &&
19747 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
19748 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19749 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
19750 			cr->status) ||
19751 	    (cr->status < 0 &&
19752 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
19753 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
19754 			  cr->timeout_reason))) ||
19755 	    (cr->req_ie &&
19756 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
19757 	    (cr->resp_ie &&
19758 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
19759 		     cr->resp_ie)) ||
19760 	    (cr->fils.update_erp_next_seq_num &&
19761 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19762 			 cr->fils.erp_next_seq_num)) ||
19763 	    (cr->status == WLAN_STATUS_SUCCESS &&
19764 	     ((cr->fils.kek &&
19765 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
19766 		       cr->fils.kek)) ||
19767 	      (cr->fils.pmk &&
19768 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
19769 	      (cr->fils.pmkid &&
19770 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
19771 		goto nla_put_failure;
19772 
19773 	if (cr->valid_links) {
19774 		int i = 1;
19775 		struct nlattr *nested;
19776 
19777 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19778 		if (!nested)
19779 			goto nla_put_failure;
19780 
19781 		for_each_valid_link(cr, link) {
19782 			struct nlattr *nested_mlo_links;
19783 			const u8 *bssid = cr->links[link].bss ?
19784 					  cr->links[link].bss->bssid :
19785 					  cr->links[link].bssid;
19786 
19787 			nested_mlo_links = nla_nest_start(msg, i);
19788 			if (!nested_mlo_links)
19789 				goto nla_put_failure;
19790 
19791 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19792 			    (bssid &&
19793 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19794 			    (cr->links[link].addr &&
19795 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19796 				     cr->links[link].addr)) ||
19797 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
19798 					cr->links[link].status))
19799 				goto nla_put_failure;
19800 
19801 			nla_nest_end(msg, nested_mlo_links);
19802 			i++;
19803 		}
19804 		nla_nest_end(msg, nested);
19805 	}
19806 
19807 	genlmsg_end(msg, hdr);
19808 
19809 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19810 				NL80211_MCGRP_MLME, gfp);
19811 	return;
19812 
19813  nla_put_failure:
19814 	nlmsg_free(msg);
19815 }
19816 
19817 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
19818 			 struct net_device *netdev,
19819 			 struct cfg80211_roam_info *info, gfp_t gfp)
19820 {
19821 	struct sk_buff *msg;
19822 	void *hdr;
19823 	size_t link_info_size = 0;
19824 	unsigned int link;
19825 	const u8 *connected_addr = info->ap_mld_addr ?
19826 				   info->ap_mld_addr :
19827 				   (info->links[0].bss ?
19828 				    info->links[0].bss->bssid :
19829 				    info->links[0].bssid);
19830 
19831 	if (info->valid_links) {
19832 		for_each_valid_link(info, link) {
19833 			/* Nested attribute header */
19834 			link_info_size += NLA_HDRLEN;
19835 			/* Link ID */
19836 			link_info_size += nla_total_size(sizeof(u8));
19837 			link_info_size += info->links[link].addr ?
19838 					  nla_total_size(ETH_ALEN) : 0;
19839 			link_info_size += (info->links[link].bssid ||
19840 					   info->links[link].bss) ?
19841 					  nla_total_size(ETH_ALEN) : 0;
19842 		}
19843 	}
19844 
19845 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
19846 			info->fils.kek_len + info->fils.pmk_len +
19847 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
19848 			link_info_size, gfp);
19849 	if (!msg)
19850 		return;
19851 
19852 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
19853 	if (!hdr) {
19854 		nlmsg_free(msg);
19855 		return;
19856 	}
19857 
19858 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19859 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19860 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
19861 	    (info->req_ie &&
19862 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
19863 		     info->req_ie)) ||
19864 	    (info->resp_ie &&
19865 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
19866 		     info->resp_ie)) ||
19867 	    (info->fils.update_erp_next_seq_num &&
19868 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
19869 			 info->fils.erp_next_seq_num)) ||
19870 	    (info->fils.kek &&
19871 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
19872 		     info->fils.kek)) ||
19873 	    (info->fils.pmk &&
19874 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
19875 	    (info->fils.pmkid &&
19876 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
19877 		goto nla_put_failure;
19878 
19879 	if (info->valid_links) {
19880 		int i = 1;
19881 		struct nlattr *nested;
19882 
19883 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
19884 		if (!nested)
19885 			goto nla_put_failure;
19886 
19887 		for_each_valid_link(info, link) {
19888 			struct nlattr *nested_mlo_links;
19889 			const u8 *bssid = info->links[link].bss ?
19890 					  info->links[link].bss->bssid :
19891 					  info->links[link].bssid;
19892 
19893 			nested_mlo_links = nla_nest_start(msg, i);
19894 			if (!nested_mlo_links)
19895 				goto nla_put_failure;
19896 
19897 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
19898 			    (bssid &&
19899 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
19900 			    (info->links[link].addr &&
19901 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
19902 				     info->links[link].addr)))
19903 				goto nla_put_failure;
19904 
19905 			nla_nest_end(msg, nested_mlo_links);
19906 			i++;
19907 		}
19908 		nla_nest_end(msg, nested);
19909 	}
19910 
19911 	genlmsg_end(msg, hdr);
19912 
19913 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19914 				NL80211_MCGRP_MLME, gfp);
19915 	return;
19916 
19917  nla_put_failure:
19918 	nlmsg_free(msg);
19919 }
19920 
19921 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
19922 				  struct net_device *netdev, const u8 *peer_addr,
19923 				  const u8 *td_bitmap, u8 td_bitmap_len)
19924 {
19925 	struct sk_buff *msg;
19926 	void *hdr;
19927 
19928 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19929 	if (!msg)
19930 		return;
19931 
19932 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
19933 	if (!hdr) {
19934 		nlmsg_free(msg);
19935 		return;
19936 	}
19937 
19938 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19939 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19940 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
19941 		goto nla_put_failure;
19942 
19943 	if (td_bitmap_len > 0 && td_bitmap &&
19944 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
19945 		goto nla_put_failure;
19946 
19947 	genlmsg_end(msg, hdr);
19948 
19949 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19950 				NL80211_MCGRP_MLME, GFP_KERNEL);
19951 	return;
19952 
19953  nla_put_failure:
19954 	nlmsg_free(msg);
19955 }
19956 
19957 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
19958 			       struct net_device *netdev, u16 reason,
19959 			       const u8 *ie, size_t ie_len, bool from_ap)
19960 {
19961 	struct sk_buff *msg;
19962 	void *hdr;
19963 
19964 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
19965 	if (!msg)
19966 		return;
19967 
19968 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
19969 	if (!hdr) {
19970 		nlmsg_free(msg);
19971 		return;
19972 	}
19973 
19974 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19975 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19976 	    (reason &&
19977 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
19978 	    (from_ap &&
19979 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
19980 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
19981 		goto nla_put_failure;
19982 
19983 	genlmsg_end(msg, hdr);
19984 
19985 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19986 				NL80211_MCGRP_MLME, GFP_KERNEL);
19987 	return;
19988 
19989  nla_put_failure:
19990 	nlmsg_free(msg);
19991 }
19992 
19993 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
19994 {
19995 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19996 	struct wiphy *wiphy = wdev->wiphy;
19997 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19998 	struct sk_buff *msg;
19999 	struct nlattr *links;
20000 	void *hdr;
20001 
20002 	lockdep_assert_wiphy(wdev->wiphy);
20003 	trace_cfg80211_links_removed(dev, link_mask);
20004 
20005 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
20006 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
20007 		return;
20008 
20009 	if (WARN_ON(!wdev->valid_links || !link_mask ||
20010 		    (wdev->valid_links & link_mask) != link_mask ||
20011 		    wdev->valid_links == link_mask))
20012 		return;
20013 
20014 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
20015 	wdev->valid_links &= ~link_mask;
20016 
20017 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20018 	if (!msg)
20019 		return;
20020 
20021 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
20022 	if (!hdr) {
20023 		nlmsg_free(msg);
20024 		return;
20025 	}
20026 
20027 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20028 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20029 		goto nla_put_failure;
20030 
20031 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
20032 	if (!links)
20033 		goto nla_put_failure;
20034 
20035 	while (link_mask) {
20036 		struct nlattr *link;
20037 		int link_id = __ffs(link_mask);
20038 
20039 		link = nla_nest_start(msg, link_id + 1);
20040 		if (!link)
20041 			goto nla_put_failure;
20042 
20043 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
20044 			goto nla_put_failure;
20045 
20046 		nla_nest_end(msg, link);
20047 		link_mask &= ~(1 << link_id);
20048 	}
20049 
20050 	nla_nest_end(msg, links);
20051 
20052 	genlmsg_end(msg, hdr);
20053 
20054 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20055 				NL80211_MCGRP_MLME, GFP_KERNEL);
20056 	return;
20057 
20058  nla_put_failure:
20059 	nlmsg_free(msg);
20060 }
20061 EXPORT_SYMBOL(cfg80211_links_removed);
20062 
20063 void nl80211_mlo_reconf_add_done(struct net_device *dev,
20064 				 struct cfg80211_mlo_reconf_done_data *data)
20065 {
20066 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20067 	struct wiphy *wiphy = wdev->wiphy;
20068 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20069 	struct nl80211_mlme_event event = {
20070 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
20071 		.buf = data->buf,
20072 		.buf_len = data->len,
20073 		.uapsd_queues = -1,
20074 	};
20075 
20076 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
20077 }
20078 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
20079 
20080 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
20081 			     struct net_device *netdev, const u8 *bssid,
20082 			     gfp_t gfp)
20083 {
20084 	struct sk_buff *msg;
20085 	void *hdr;
20086 
20087 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20088 	if (!msg)
20089 		return;
20090 
20091 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
20092 	if (!hdr) {
20093 		nlmsg_free(msg);
20094 		return;
20095 	}
20096 
20097 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20098 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20099 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20100 		goto nla_put_failure;
20101 
20102 	genlmsg_end(msg, hdr);
20103 
20104 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20105 				NL80211_MCGRP_MLME, gfp);
20106 	return;
20107 
20108  nla_put_failure:
20109 	nlmsg_free(msg);
20110 }
20111 
20112 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
20113 					const u8 *ie, u8 ie_len,
20114 					int sig_dbm, gfp_t gfp)
20115 {
20116 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20117 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20118 	struct sk_buff *msg;
20119 	void *hdr;
20120 
20121 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
20122 		return;
20123 
20124 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
20125 
20126 	msg = nlmsg_new(100 + ie_len, gfp);
20127 	if (!msg)
20128 		return;
20129 
20130 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
20131 	if (!hdr) {
20132 		nlmsg_free(msg);
20133 		return;
20134 	}
20135 
20136 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20137 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20138 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20139 	    (ie_len && ie &&
20140 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
20141 	    (sig_dbm &&
20142 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
20143 		goto nla_put_failure;
20144 
20145 	genlmsg_end(msg, hdr);
20146 
20147 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20148 				NL80211_MCGRP_MLME, gfp);
20149 	return;
20150 
20151  nla_put_failure:
20152 	nlmsg_free(msg);
20153 }
20154 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
20155 
20156 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
20157 				 struct net_device *netdev, const u8 *addr,
20158 				 enum nl80211_key_type key_type, int key_id,
20159 				 const u8 *tsc, gfp_t gfp)
20160 {
20161 	struct sk_buff *msg;
20162 	void *hdr;
20163 
20164 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20165 	if (!msg)
20166 		return;
20167 
20168 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
20169 	if (!hdr) {
20170 		nlmsg_free(msg);
20171 		return;
20172 	}
20173 
20174 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20175 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20176 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
20177 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
20178 	    (key_id != -1 &&
20179 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
20180 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
20181 		goto nla_put_failure;
20182 
20183 	genlmsg_end(msg, hdr);
20184 
20185 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20186 				NL80211_MCGRP_MLME, gfp);
20187 	return;
20188 
20189  nla_put_failure:
20190 	nlmsg_free(msg);
20191 }
20192 
20193 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
20194 				    struct ieee80211_channel *channel_before,
20195 				    struct ieee80211_channel *channel_after)
20196 {
20197 	struct sk_buff *msg;
20198 	void *hdr;
20199 	struct nlattr *nl_freq;
20200 
20201 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
20202 	if (!msg)
20203 		return;
20204 
20205 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
20206 	if (!hdr) {
20207 		nlmsg_free(msg);
20208 		return;
20209 	}
20210 
20211 	/*
20212 	 * Since we are applying the beacon hint to a wiphy we know its
20213 	 * wiphy_idx is valid
20214 	 */
20215 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
20216 		goto nla_put_failure;
20217 
20218 	/* Before */
20219 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
20220 	if (!nl_freq)
20221 		goto nla_put_failure;
20222 
20223 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
20224 		goto nla_put_failure;
20225 	nla_nest_end(msg, nl_freq);
20226 
20227 	/* After */
20228 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
20229 	if (!nl_freq)
20230 		goto nla_put_failure;
20231 
20232 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
20233 		goto nla_put_failure;
20234 	nla_nest_end(msg, nl_freq);
20235 
20236 	genlmsg_end(msg, hdr);
20237 
20238 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
20239 				NL80211_MCGRP_REGULATORY);
20240 
20241 	return;
20242 
20243 nla_put_failure:
20244 	nlmsg_free(msg);
20245 }
20246 
20247 static void nl80211_send_remain_on_chan_event(
20248 	int cmd, struct cfg80211_registered_device *rdev,
20249 	struct wireless_dev *wdev, u64 cookie,
20250 	struct ieee80211_channel *chan,
20251 	unsigned int duration, gfp_t gfp)
20252 {
20253 	struct sk_buff *msg;
20254 	void *hdr;
20255 
20256 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20257 	if (!msg)
20258 		return;
20259 
20260 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20261 	if (!hdr) {
20262 		nlmsg_free(msg);
20263 		return;
20264 	}
20265 
20266 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20267 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20268 					 wdev->netdev->ifindex)) ||
20269 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20270 			      NL80211_ATTR_PAD) ||
20271 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
20272 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
20273 			NL80211_CHAN_NO_HT) ||
20274 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
20275 			      NL80211_ATTR_PAD))
20276 		goto nla_put_failure;
20277 
20278 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
20279 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
20280 		goto nla_put_failure;
20281 
20282 	genlmsg_end(msg, hdr);
20283 
20284 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20285 				NL80211_MCGRP_MLME, gfp);
20286 	return;
20287 
20288  nla_put_failure:
20289 	nlmsg_free(msg);
20290 }
20291 
20292 void cfg80211_assoc_comeback(struct net_device *netdev,
20293 			     const u8 *ap_addr, u32 timeout)
20294 {
20295 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20296 	struct wiphy *wiphy = wdev->wiphy;
20297 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20298 	struct sk_buff *msg;
20299 	void *hdr;
20300 
20301 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
20302 
20303 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20304 	if (!msg)
20305 		return;
20306 
20307 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
20308 	if (!hdr) {
20309 		nlmsg_free(msg);
20310 		return;
20311 	}
20312 
20313 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20314 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20315 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
20316 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
20317 		goto nla_put_failure;
20318 
20319 	genlmsg_end(msg, hdr);
20320 
20321 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20322 				NL80211_MCGRP_MLME, GFP_KERNEL);
20323 	return;
20324 
20325  nla_put_failure:
20326 	nlmsg_free(msg);
20327 }
20328 EXPORT_SYMBOL(cfg80211_assoc_comeback);
20329 
20330 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
20331 			       struct ieee80211_channel *chan,
20332 			       unsigned int duration, gfp_t gfp)
20333 {
20334 	struct wiphy *wiphy = wdev->wiphy;
20335 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20336 
20337 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
20338 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
20339 					  rdev, wdev, cookie, chan,
20340 					  duration, gfp);
20341 }
20342 EXPORT_SYMBOL(cfg80211_ready_on_channel);
20343 
20344 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
20345 					struct ieee80211_channel *chan,
20346 					gfp_t gfp)
20347 {
20348 	struct wiphy *wiphy = wdev->wiphy;
20349 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20350 
20351 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
20352 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
20353 					  rdev, wdev, cookie, chan, 0, gfp);
20354 }
20355 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
20356 
20357 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
20358 					struct ieee80211_channel *chan,
20359 					gfp_t gfp)
20360 {
20361 	struct wiphy *wiphy = wdev->wiphy;
20362 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20363 
20364 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
20365 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
20366 					  rdev, wdev, cookie, chan, 0, gfp);
20367 }
20368 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
20369 
20370 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
20371 		      struct station_info *sinfo, gfp_t gfp)
20372 {
20373 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20374 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20375 	struct sk_buff *msg;
20376 
20377 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
20378 
20379 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20380 	if (!msg)
20381 		return;
20382 
20383 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
20384 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20385 		nlmsg_free(msg);
20386 		return;
20387 	}
20388 
20389 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20390 				NL80211_MCGRP_MLME, gfp);
20391 }
20392 EXPORT_SYMBOL(cfg80211_new_sta);
20393 
20394 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
20395 			    struct station_info *sinfo, gfp_t gfp)
20396 {
20397 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20398 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20399 	struct sk_buff *msg;
20400 	struct station_info empty_sinfo = {};
20401 
20402 	if (!sinfo)
20403 		sinfo = &empty_sinfo;
20404 
20405 	trace_cfg80211_del_sta(dev, mac_addr);
20406 
20407 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20408 	if (!msg) {
20409 		cfg80211_sinfo_release_content(sinfo);
20410 		return;
20411 	}
20412 
20413 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
20414 				 rdev, dev, mac_addr, sinfo, false) < 0) {
20415 		nlmsg_free(msg);
20416 		return;
20417 	}
20418 
20419 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20420 				NL80211_MCGRP_MLME, gfp);
20421 }
20422 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
20423 
20424 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
20425 			  enum nl80211_connect_failed_reason reason,
20426 			  gfp_t gfp)
20427 {
20428 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
20429 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20430 	struct sk_buff *msg;
20431 	void *hdr;
20432 
20433 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
20434 	if (!msg)
20435 		return;
20436 
20437 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
20438 	if (!hdr) {
20439 		nlmsg_free(msg);
20440 		return;
20441 	}
20442 
20443 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20444 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
20445 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
20446 		goto nla_put_failure;
20447 
20448 	genlmsg_end(msg, hdr);
20449 
20450 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20451 				NL80211_MCGRP_MLME, gfp);
20452 	return;
20453 
20454  nla_put_failure:
20455 	nlmsg_free(msg);
20456 }
20457 EXPORT_SYMBOL(cfg80211_conn_failed);
20458 
20459 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
20460 				       const u8 *addr, int link_id, gfp_t gfp)
20461 {
20462 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20463 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20464 	struct sk_buff *msg;
20465 	void *hdr;
20466 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
20467 
20468 	if (!nlportid)
20469 		return false;
20470 
20471 	msg = nlmsg_new(100, gfp);
20472 	if (!msg)
20473 		return true;
20474 
20475 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
20476 	if (!hdr) {
20477 		nlmsg_free(msg);
20478 		return true;
20479 	}
20480 
20481 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20482 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20483 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20484 	    (link_id >= 0 &&
20485 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20486 		goto nla_put_failure;
20487 
20488 	genlmsg_end(msg, hdr);
20489 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20490 	return true;
20491 
20492  nla_put_failure:
20493 	nlmsg_free(msg);
20494 	return true;
20495 }
20496 
20497 bool cfg80211_rx_spurious_frame(struct net_device *dev, const u8 *addr,
20498 				int link_id, gfp_t gfp)
20499 {
20500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20501 	bool ret;
20502 
20503 	trace_cfg80211_rx_spurious_frame(dev, addr, link_id);
20504 
20505 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20506 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
20507 		trace_cfg80211_return_bool(false);
20508 		return false;
20509 	}
20510 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
20511 					 addr, link_id, gfp);
20512 	trace_cfg80211_return_bool(ret);
20513 	return ret;
20514 }
20515 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
20516 
20517 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
20518 					int link_id, gfp_t gfp)
20519 {
20520 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20521 	bool ret;
20522 
20523 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr, link_id);
20524 
20525 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
20526 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
20527 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
20528 		trace_cfg80211_return_bool(false);
20529 		return false;
20530 	}
20531 	ret = __nl80211_unexpected_frame(dev,
20532 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
20533 					 addr, link_id, gfp);
20534 	trace_cfg80211_return_bool(ret);
20535 	return ret;
20536 }
20537 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
20538 
20539 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
20540 		      struct wireless_dev *wdev, u32 nlportid,
20541 		      struct cfg80211_rx_info *info, gfp_t gfp)
20542 {
20543 	struct net_device *netdev = wdev->netdev;
20544 	struct sk_buff *msg;
20545 	void *hdr;
20546 
20547 	msg = nlmsg_new(100 + info->len, gfp);
20548 	if (!msg)
20549 		return -ENOMEM;
20550 
20551 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
20552 	if (!hdr) {
20553 		nlmsg_free(msg);
20554 		return -ENOMEM;
20555 	}
20556 
20557 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20558 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20559 					netdev->ifindex)) ||
20560 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20561 			      NL80211_ATTR_PAD) ||
20562 	    (info->have_link_id &&
20563 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
20564 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
20565 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
20566 	    (info->sig_dbm &&
20567 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
20568 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
20569 	    (info->flags &&
20570 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
20571 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
20572 						  NL80211_ATTR_RX_HW_TIMESTAMP,
20573 						  info->rx_tstamp,
20574 						  NL80211_ATTR_PAD)) ||
20575 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
20576 						   NL80211_ATTR_TX_HW_TIMESTAMP,
20577 						   info->ack_tstamp,
20578 						   NL80211_ATTR_PAD)))
20579 		goto nla_put_failure;
20580 
20581 	genlmsg_end(msg, hdr);
20582 
20583 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20584 
20585  nla_put_failure:
20586 	nlmsg_free(msg);
20587 	return -ENOBUFS;
20588 }
20589 
20590 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
20591 				    struct cfg80211_tx_status *status,
20592 				    gfp_t gfp, enum nl80211_commands command)
20593 {
20594 	struct wiphy *wiphy = wdev->wiphy;
20595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20596 	struct net_device *netdev = wdev->netdev;
20597 	struct sk_buff *msg;
20598 	void *hdr;
20599 
20600 	if (command == NL80211_CMD_FRAME_TX_STATUS)
20601 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
20602 					      status->ack);
20603 	else
20604 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
20605 						      status->ack);
20606 
20607 	msg = nlmsg_new(100 + status->len, gfp);
20608 	if (!msg)
20609 		return;
20610 
20611 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
20612 	if (!hdr) {
20613 		nlmsg_free(msg);
20614 		return;
20615 	}
20616 
20617 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20618 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20619 				   netdev->ifindex)) ||
20620 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20621 			      NL80211_ATTR_PAD) ||
20622 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
20623 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
20624 			      NL80211_ATTR_PAD) ||
20625 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
20626 	    (status->tx_tstamp &&
20627 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
20628 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
20629 	    (status->ack_tstamp &&
20630 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
20631 			       status->ack_tstamp, NL80211_ATTR_PAD)))
20632 		goto nla_put_failure;
20633 
20634 	genlmsg_end(msg, hdr);
20635 
20636 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20637 				NL80211_MCGRP_MLME, gfp);
20638 	return;
20639 
20640 nla_put_failure:
20641 	nlmsg_free(msg);
20642 }
20643 
20644 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
20645 				     const u8 *buf, size_t len, bool ack,
20646 				     gfp_t gfp)
20647 {
20648 	struct cfg80211_tx_status status = {
20649 		.cookie = cookie,
20650 		.buf = buf,
20651 		.len = len,
20652 		.ack = ack
20653 	};
20654 
20655 	nl80211_frame_tx_status(wdev, &status, gfp,
20656 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
20657 }
20658 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
20659 
20660 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
20661 				 struct cfg80211_tx_status *status, gfp_t gfp)
20662 {
20663 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
20664 }
20665 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
20666 
20667 static int __nl80211_rx_control_port(struct net_device *dev,
20668 				     struct sk_buff *skb,
20669 				     bool unencrypted,
20670 				     int link_id,
20671 				     gfp_t gfp)
20672 {
20673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20674 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20675 	struct ethhdr *ehdr = eth_hdr(skb);
20676 	const u8 *addr = ehdr->h_source;
20677 	u16 proto = be16_to_cpu(skb->protocol);
20678 	struct sk_buff *msg;
20679 	void *hdr;
20680 	struct nlattr *frame;
20681 
20682 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
20683 
20684 	if (!nlportid)
20685 		return -ENOENT;
20686 
20687 	msg = nlmsg_new(100 + skb->len, gfp);
20688 	if (!msg)
20689 		return -ENOMEM;
20690 
20691 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
20692 	if (!hdr) {
20693 		nlmsg_free(msg);
20694 		return -ENOBUFS;
20695 	}
20696 
20697 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20698 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20699 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20700 			      NL80211_ATTR_PAD) ||
20701 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
20702 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
20703 	    (link_id >= 0 &&
20704 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
20705 	    (unencrypted && nla_put_flag(msg,
20706 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
20707 		goto nla_put_failure;
20708 
20709 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
20710 	if (!frame)
20711 		goto nla_put_failure;
20712 
20713 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
20714 	genlmsg_end(msg, hdr);
20715 
20716 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20717 
20718  nla_put_failure:
20719 	nlmsg_free(msg);
20720 	return -ENOBUFS;
20721 }
20722 
20723 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
20724 			      bool unencrypted, int link_id)
20725 {
20726 	int ret;
20727 
20728 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
20729 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
20730 					GFP_ATOMIC);
20731 	trace_cfg80211_return_bool(ret == 0);
20732 	return ret == 0;
20733 }
20734 EXPORT_SYMBOL(cfg80211_rx_control_port);
20735 
20736 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
20737 					    const char *mac, gfp_t gfp)
20738 {
20739 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20740 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20741 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20742 	void **cb;
20743 
20744 	if (!msg)
20745 		return NULL;
20746 
20747 	cb = (void **)msg->cb;
20748 
20749 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
20750 	if (!cb[0]) {
20751 		nlmsg_free(msg);
20752 		return NULL;
20753 	}
20754 
20755 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20756 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
20757 		goto nla_put_failure;
20758 
20759 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
20760 		goto nla_put_failure;
20761 
20762 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
20763 	if (!cb[1])
20764 		goto nla_put_failure;
20765 
20766 	cb[2] = rdev;
20767 
20768 	return msg;
20769  nla_put_failure:
20770 	nlmsg_free(msg);
20771 	return NULL;
20772 }
20773 
20774 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
20775 {
20776 	void **cb = (void **)msg->cb;
20777 	struct cfg80211_registered_device *rdev = cb[2];
20778 
20779 	nla_nest_end(msg, cb[1]);
20780 	genlmsg_end(msg, cb[0]);
20781 
20782 	memset(msg->cb, 0, sizeof(msg->cb));
20783 
20784 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20785 				NL80211_MCGRP_MLME, gfp);
20786 }
20787 
20788 void cfg80211_cqm_rssi_notify(struct net_device *dev,
20789 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
20790 			      s32 rssi_level, gfp_t gfp)
20791 {
20792 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20793 	struct cfg80211_cqm_config *cqm_config;
20794 
20795 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
20796 
20797 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
20798 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
20799 		return;
20800 
20801 	rcu_read_lock();
20802 	cqm_config = rcu_dereference(wdev->cqm_config);
20803 	if (cqm_config) {
20804 		cqm_config->last_rssi_event_value = rssi_level;
20805 		cqm_config->last_rssi_event_type = rssi_event;
20806 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
20807 	}
20808 	rcu_read_unlock();
20809 }
20810 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
20811 
20812 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
20813 {
20814 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
20815 						 cqm_rssi_work);
20816 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20817 	enum nl80211_cqm_rssi_threshold_event rssi_event;
20818 	struct cfg80211_cqm_config *cqm_config;
20819 	struct sk_buff *msg;
20820 	s32 rssi_level;
20821 
20822 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
20823 	if (!cqm_config)
20824 		return;
20825 
20826 	if (cqm_config->use_range_api)
20827 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
20828 
20829 	rssi_level = cqm_config->last_rssi_event_value;
20830 	rssi_event = cqm_config->last_rssi_event_type;
20831 
20832 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
20833 	if (!msg)
20834 		return;
20835 
20836 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
20837 			rssi_event))
20838 		goto nla_put_failure;
20839 
20840 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
20841 				      rssi_level))
20842 		goto nla_put_failure;
20843 
20844 	cfg80211_send_cqm(msg, GFP_KERNEL);
20845 
20846 	return;
20847 
20848  nla_put_failure:
20849 	nlmsg_free(msg);
20850 }
20851 
20852 void cfg80211_cqm_txe_notify(struct net_device *dev,
20853 			     const u8 *peer, u32 num_packets,
20854 			     u32 rate, u32 intvl, gfp_t gfp)
20855 {
20856 	struct sk_buff *msg;
20857 
20858 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20859 	if (!msg)
20860 		return;
20861 
20862 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
20863 		goto nla_put_failure;
20864 
20865 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
20866 		goto nla_put_failure;
20867 
20868 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
20869 		goto nla_put_failure;
20870 
20871 	cfg80211_send_cqm(msg, gfp);
20872 	return;
20873 
20874  nla_put_failure:
20875 	nlmsg_free(msg);
20876 }
20877 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
20878 
20879 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
20880 				 const u8 *peer, u32 num_packets, gfp_t gfp)
20881 {
20882 	struct sk_buff *msg;
20883 
20884 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
20885 
20886 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
20887 	if (!msg)
20888 		return;
20889 
20890 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
20891 		goto nla_put_failure;
20892 
20893 	cfg80211_send_cqm(msg, gfp);
20894 	return;
20895 
20896  nla_put_failure:
20897 	nlmsg_free(msg);
20898 }
20899 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
20900 
20901 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
20902 {
20903 	struct sk_buff *msg;
20904 
20905 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
20906 	if (!msg)
20907 		return;
20908 
20909 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
20910 		goto nla_put_failure;
20911 
20912 	cfg80211_send_cqm(msg, gfp);
20913 	return;
20914 
20915  nla_put_failure:
20916 	nlmsg_free(msg);
20917 }
20918 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
20919 
20920 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
20921 				     struct net_device *netdev, const u8 *bssid,
20922 				     const u8 *replay_ctr, gfp_t gfp)
20923 {
20924 	struct sk_buff *msg;
20925 	struct nlattr *rekey_attr;
20926 	void *hdr;
20927 
20928 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20929 	if (!msg)
20930 		return;
20931 
20932 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
20933 	if (!hdr) {
20934 		nlmsg_free(msg);
20935 		return;
20936 	}
20937 
20938 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20939 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20940 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
20941 		goto nla_put_failure;
20942 
20943 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
20944 	if (!rekey_attr)
20945 		goto nla_put_failure;
20946 
20947 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
20948 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
20949 		goto nla_put_failure;
20950 
20951 	nla_nest_end(msg, rekey_attr);
20952 
20953 	genlmsg_end(msg, hdr);
20954 
20955 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20956 				NL80211_MCGRP_MLME, gfp);
20957 	return;
20958 
20959  nla_put_failure:
20960 	nlmsg_free(msg);
20961 }
20962 
20963 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
20964 			       const u8 *replay_ctr, gfp_t gfp)
20965 {
20966 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20967 	struct wiphy *wiphy = wdev->wiphy;
20968 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20969 
20970 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
20971 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
20972 }
20973 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
20974 
20975 static void
20976 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
20977 			       struct net_device *netdev, int index,
20978 			       const u8 *bssid, bool preauth, gfp_t gfp)
20979 {
20980 	struct sk_buff *msg;
20981 	struct nlattr *attr;
20982 	void *hdr;
20983 
20984 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20985 	if (!msg)
20986 		return;
20987 
20988 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
20989 	if (!hdr) {
20990 		nlmsg_free(msg);
20991 		return;
20992 	}
20993 
20994 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20995 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
20996 		goto nla_put_failure;
20997 
20998 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
20999 	if (!attr)
21000 		goto nla_put_failure;
21001 
21002 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
21003 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
21004 	    (preauth &&
21005 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
21006 		goto nla_put_failure;
21007 
21008 	nla_nest_end(msg, attr);
21009 
21010 	genlmsg_end(msg, hdr);
21011 
21012 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21013 				NL80211_MCGRP_MLME, gfp);
21014 	return;
21015 
21016  nla_put_failure:
21017 	nlmsg_free(msg);
21018 }
21019 
21020 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
21021 				     const u8 *bssid, bool preauth, gfp_t gfp)
21022 {
21023 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21024 	struct wiphy *wiphy = wdev->wiphy;
21025 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21026 
21027 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
21028 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
21029 }
21030 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
21031 
21032 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
21033 				     struct net_device *netdev,
21034 				     unsigned int link_id,
21035 				     struct cfg80211_chan_def *chandef,
21036 				     gfp_t gfp,
21037 				     enum nl80211_commands notif,
21038 				     u8 count, bool quiet)
21039 {
21040 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21041 	struct sk_buff *msg;
21042 	void *hdr;
21043 
21044 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21045 	if (!msg)
21046 		return;
21047 
21048 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
21049 	if (!hdr) {
21050 		nlmsg_free(msg);
21051 		return;
21052 	}
21053 
21054 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
21055 		goto nla_put_failure;
21056 
21057 	if (wdev->valid_links &&
21058 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21059 		goto nla_put_failure;
21060 
21061 	if (nl80211_send_chandef(msg, chandef))
21062 		goto nla_put_failure;
21063 
21064 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
21065 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
21066 			goto nla_put_failure;
21067 		if (quiet &&
21068 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
21069 			goto nla_put_failure;
21070 	}
21071 
21072 	genlmsg_end(msg, hdr);
21073 
21074 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21075 				NL80211_MCGRP_MLME, gfp);
21076 	return;
21077 
21078  nla_put_failure:
21079 	nlmsg_free(msg);
21080 }
21081 
21082 void cfg80211_ch_switch_notify(struct net_device *dev,
21083 			       struct cfg80211_chan_def *chandef,
21084 			       unsigned int link_id)
21085 {
21086 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21087 	struct wiphy *wiphy = wdev->wiphy;
21088 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21089 
21090 	lockdep_assert_wiphy(wdev->wiphy);
21091 	WARN_INVALID_LINK_ID(wdev, link_id);
21092 
21093 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
21094 
21095 	switch (wdev->iftype) {
21096 	case NL80211_IFTYPE_STATION:
21097 	case NL80211_IFTYPE_P2P_CLIENT:
21098 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
21099 			cfg80211_update_assoc_bss_entry(wdev, link_id,
21100 							chandef->chan);
21101 		break;
21102 	case NL80211_IFTYPE_MESH_POINT:
21103 		wdev->u.mesh.chandef = *chandef;
21104 		wdev->u.mesh.preset_chandef = *chandef;
21105 		break;
21106 	case NL80211_IFTYPE_AP:
21107 	case NL80211_IFTYPE_P2P_GO:
21108 		wdev->links[link_id].ap.chandef = *chandef;
21109 		break;
21110 	case NL80211_IFTYPE_ADHOC:
21111 		wdev->u.ibss.chandef = *chandef;
21112 		break;
21113 	default:
21114 		WARN_ON(1);
21115 		break;
21116 	}
21117 
21118 	cfg80211_schedule_channels_check(wdev);
21119 	cfg80211_sched_dfs_chan_update(rdev);
21120 
21121 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21122 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
21123 }
21124 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
21125 
21126 void cfg80211_ch_switch_started_notify(struct net_device *dev,
21127 				       struct cfg80211_chan_def *chandef,
21128 				       unsigned int link_id, u8 count,
21129 				       bool quiet)
21130 {
21131 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21132 	struct wiphy *wiphy = wdev->wiphy;
21133 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21134 
21135 	lockdep_assert_wiphy(wdev->wiphy);
21136 	WARN_INVALID_LINK_ID(wdev, link_id);
21137 
21138 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
21139 
21140 
21141 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
21142 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
21143 				 count, quiet);
21144 }
21145 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
21146 
21147 int cfg80211_bss_color_notify(struct net_device *dev,
21148 			      enum nl80211_commands cmd, u8 count,
21149 			      u64 color_bitmap, u8 link_id)
21150 {
21151 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21152 	struct wiphy *wiphy = wdev->wiphy;
21153 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21154 	struct sk_buff *msg;
21155 	void *hdr;
21156 
21157 	lockdep_assert_wiphy(wdev->wiphy);
21158 
21159 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
21160 
21161 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21162 	if (!msg)
21163 		return -ENOMEM;
21164 
21165 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
21166 	if (!hdr)
21167 		goto nla_put_failure;
21168 
21169 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21170 		goto nla_put_failure;
21171 
21172 	if (wdev->valid_links &&
21173 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
21174 		goto nla_put_failure;
21175 
21176 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
21177 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
21178 		goto nla_put_failure;
21179 
21180 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
21181 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
21182 			      color_bitmap, NL80211_ATTR_PAD))
21183 		goto nla_put_failure;
21184 
21185 	genlmsg_end(msg, hdr);
21186 
21187 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
21188 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
21189 
21190 nla_put_failure:
21191 	nlmsg_free(msg);
21192 	return -EINVAL;
21193 }
21194 EXPORT_SYMBOL(cfg80211_bss_color_notify);
21195 
21196 void
21197 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
21198 		     const struct cfg80211_chan_def *chandef,
21199 		     enum nl80211_radar_event event,
21200 		     struct net_device *netdev, gfp_t gfp)
21201 {
21202 	struct sk_buff *msg;
21203 	void *hdr;
21204 
21205 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21206 	if (!msg)
21207 		return;
21208 
21209 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
21210 	if (!hdr) {
21211 		nlmsg_free(msg);
21212 		return;
21213 	}
21214 
21215 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21216 		goto nla_put_failure;
21217 
21218 	/* NOP and radar events don't need a netdev parameter */
21219 	if (netdev) {
21220 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
21221 
21222 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21223 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21224 				      NL80211_ATTR_PAD))
21225 			goto nla_put_failure;
21226 	}
21227 
21228 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
21229 		goto nla_put_failure;
21230 
21231 	if (nl80211_send_chandef(msg, chandef))
21232 		goto nla_put_failure;
21233 
21234 	genlmsg_end(msg, hdr);
21235 
21236 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21237 				NL80211_MCGRP_MLME, gfp);
21238 	return;
21239 
21240  nla_put_failure:
21241 	nlmsg_free(msg);
21242 }
21243 
21244 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
21245 				       struct sta_opmode_info *sta_opmode,
21246 				       gfp_t gfp)
21247 {
21248 	struct sk_buff *msg;
21249 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21250 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21251 	void *hdr;
21252 
21253 	if (WARN_ON(!mac))
21254 		return;
21255 
21256 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21257 	if (!msg)
21258 		return;
21259 
21260 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
21261 	if (!hdr) {
21262 		nlmsg_free(msg);
21263 		return;
21264 	}
21265 
21266 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
21267 		goto nla_put_failure;
21268 
21269 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
21270 		goto nla_put_failure;
21271 
21272 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
21273 		goto nla_put_failure;
21274 
21275 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
21276 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
21277 		goto nla_put_failure;
21278 
21279 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
21280 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
21281 		goto nla_put_failure;
21282 
21283 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
21284 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
21285 		goto nla_put_failure;
21286 
21287 	genlmsg_end(msg, hdr);
21288 
21289 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21290 				NL80211_MCGRP_MLME, gfp);
21291 
21292 	return;
21293 
21294 nla_put_failure:
21295 	nlmsg_free(msg);
21296 }
21297 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
21298 
21299 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
21300 			   u64 cookie, bool acked, s32 ack_signal,
21301 			   bool is_valid_ack_signal, gfp_t gfp)
21302 {
21303 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21304 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21305 	struct sk_buff *msg;
21306 	void *hdr;
21307 
21308 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
21309 
21310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21311 
21312 	if (!msg)
21313 		return;
21314 
21315 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
21316 	if (!hdr) {
21317 		nlmsg_free(msg);
21318 		return;
21319 	}
21320 
21321 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21322 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21323 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
21324 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
21325 			      NL80211_ATTR_PAD) ||
21326 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
21327 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
21328 						ack_signal)))
21329 		goto nla_put_failure;
21330 
21331 	genlmsg_end(msg, hdr);
21332 
21333 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21334 				NL80211_MCGRP_MLME, gfp);
21335 	return;
21336 
21337  nla_put_failure:
21338 	nlmsg_free(msg);
21339 }
21340 EXPORT_SYMBOL(cfg80211_probe_status);
21341 
21342 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
21343 				     size_t len, int freq, int sig_dbm)
21344 {
21345 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21346 	struct sk_buff *msg;
21347 	void *hdr;
21348 	struct cfg80211_beacon_registration *reg;
21349 
21350 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
21351 
21352 	spin_lock_bh(&rdev->beacon_registrations_lock);
21353 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
21354 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
21355 		if (!msg) {
21356 			spin_unlock_bh(&rdev->beacon_registrations_lock);
21357 			return;
21358 		}
21359 
21360 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
21361 		if (!hdr)
21362 			goto nla_put_failure;
21363 
21364 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21365 		    (freq &&
21366 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
21367 				  KHZ_TO_MHZ(freq)) ||
21368 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
21369 				  freq % 1000))) ||
21370 		    (sig_dbm &&
21371 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
21372 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
21373 			goto nla_put_failure;
21374 
21375 		genlmsg_end(msg, hdr);
21376 
21377 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
21378 	}
21379 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21380 	return;
21381 
21382  nla_put_failure:
21383 	spin_unlock_bh(&rdev->beacon_registrations_lock);
21384 	nlmsg_free(msg);
21385 }
21386 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
21387 
21388 #ifdef CONFIG_PM
21389 static int cfg80211_net_detect_results(struct sk_buff *msg,
21390 				       struct cfg80211_wowlan_wakeup *wakeup)
21391 {
21392 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
21393 	struct nlattr *nl_results, *nl_match, *nl_freqs;
21394 	int i, j;
21395 
21396 	nl_results = nla_nest_start_noflag(msg,
21397 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
21398 	if (!nl_results)
21399 		return -EMSGSIZE;
21400 
21401 	for (i = 0; i < nd->n_matches; i++) {
21402 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
21403 
21404 		nl_match = nla_nest_start_noflag(msg, i);
21405 		if (!nl_match)
21406 			break;
21407 
21408 		/* The SSID attribute is optional in nl80211, but for
21409 		 * simplicity reasons it's always present in the
21410 		 * cfg80211 structure.  If a driver can't pass the
21411 		 * SSID, that needs to be changed.  A zero length SSID
21412 		 * is still a valid SSID (wildcard), so it cannot be
21413 		 * used for this purpose.
21414 		 */
21415 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
21416 			    match->ssid.ssid)) {
21417 			nla_nest_cancel(msg, nl_match);
21418 			goto out;
21419 		}
21420 
21421 		if (match->n_channels) {
21422 			nl_freqs = nla_nest_start_noflag(msg,
21423 							 NL80211_ATTR_SCAN_FREQUENCIES);
21424 			if (!nl_freqs) {
21425 				nla_nest_cancel(msg, nl_match);
21426 				goto out;
21427 			}
21428 
21429 			for (j = 0; j < match->n_channels; j++) {
21430 				if (nla_put_u32(msg, j, match->channels[j])) {
21431 					nla_nest_cancel(msg, nl_freqs);
21432 					nla_nest_cancel(msg, nl_match);
21433 					goto out;
21434 				}
21435 			}
21436 
21437 			nla_nest_end(msg, nl_freqs);
21438 		}
21439 
21440 		nla_nest_end(msg, nl_match);
21441 	}
21442 
21443 out:
21444 	nla_nest_end(msg, nl_results);
21445 	return 0;
21446 }
21447 
21448 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
21449 				   struct cfg80211_wowlan_wakeup *wakeup,
21450 				   gfp_t gfp)
21451 {
21452 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21453 	struct sk_buff *msg;
21454 	void *hdr;
21455 	int size = 200;
21456 
21457 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
21458 
21459 	if (wakeup)
21460 		size += wakeup->packet_present_len;
21461 
21462 	msg = nlmsg_new(size, gfp);
21463 	if (!msg)
21464 		return;
21465 
21466 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
21467 	if (!hdr)
21468 		goto free_msg;
21469 
21470 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21471 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21472 			      NL80211_ATTR_PAD))
21473 		goto free_msg;
21474 
21475 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
21476 					wdev->netdev->ifindex))
21477 		goto free_msg;
21478 
21479 	if (wakeup) {
21480 		struct nlattr *reasons;
21481 
21482 		reasons = nla_nest_start_noflag(msg,
21483 						NL80211_ATTR_WOWLAN_TRIGGERS);
21484 		if (!reasons)
21485 			goto free_msg;
21486 
21487 		if (wakeup->disconnect &&
21488 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
21489 			goto free_msg;
21490 		if (wakeup->magic_pkt &&
21491 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
21492 			goto free_msg;
21493 		if (wakeup->gtk_rekey_failure &&
21494 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
21495 			goto free_msg;
21496 		if (wakeup->eap_identity_req &&
21497 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
21498 			goto free_msg;
21499 		if (wakeup->four_way_handshake &&
21500 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
21501 			goto free_msg;
21502 		if (wakeup->rfkill_release &&
21503 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
21504 			goto free_msg;
21505 
21506 		if (wakeup->pattern_idx >= 0 &&
21507 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
21508 				wakeup->pattern_idx))
21509 			goto free_msg;
21510 
21511 		if (wakeup->tcp_match &&
21512 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
21513 			goto free_msg;
21514 
21515 		if (wakeup->tcp_connlost &&
21516 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
21517 			goto free_msg;
21518 
21519 		if (wakeup->tcp_nomoretokens &&
21520 		    nla_put_flag(msg,
21521 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
21522 			goto free_msg;
21523 
21524 		if (wakeup->unprot_deauth_disassoc &&
21525 		    nla_put_flag(msg,
21526 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
21527 			goto free_msg;
21528 
21529 		if (wakeup->packet) {
21530 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
21531 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
21532 
21533 			if (!wakeup->packet_80211) {
21534 				pkt_attr =
21535 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
21536 				len_attr =
21537 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
21538 			}
21539 
21540 			if (wakeup->packet_len &&
21541 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
21542 				goto free_msg;
21543 
21544 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
21545 				    wakeup->packet))
21546 				goto free_msg;
21547 		}
21548 
21549 		if (wakeup->net_detect &&
21550 		    cfg80211_net_detect_results(msg, wakeup))
21551 				goto free_msg;
21552 
21553 		nla_nest_end(msg, reasons);
21554 	}
21555 
21556 	genlmsg_end(msg, hdr);
21557 
21558 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21559 				NL80211_MCGRP_MLME, gfp);
21560 	return;
21561 
21562  free_msg:
21563 	nlmsg_free(msg);
21564 }
21565 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
21566 #endif
21567 
21568 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
21569 				enum nl80211_tdls_operation oper,
21570 				u16 reason_code, gfp_t gfp)
21571 {
21572 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21573 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21574 	struct sk_buff *msg;
21575 	void *hdr;
21576 
21577 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
21578 					 reason_code);
21579 
21580 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21581 	if (!msg)
21582 		return;
21583 
21584 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
21585 	if (!hdr) {
21586 		nlmsg_free(msg);
21587 		return;
21588 	}
21589 
21590 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21591 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21592 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
21593 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
21594 	    (reason_code > 0 &&
21595 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
21596 		goto nla_put_failure;
21597 
21598 	genlmsg_end(msg, hdr);
21599 
21600 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21601 				NL80211_MCGRP_MLME, gfp);
21602 	return;
21603 
21604  nla_put_failure:
21605 	nlmsg_free(msg);
21606 }
21607 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
21608 
21609 static int nl80211_netlink_notify(struct notifier_block * nb,
21610 				  unsigned long state,
21611 				  void *_notify)
21612 {
21613 	struct netlink_notify *notify = _notify;
21614 	struct cfg80211_registered_device *rdev;
21615 	struct wireless_dev *wdev;
21616 	struct cfg80211_beacon_registration *reg, *tmp;
21617 
21618 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
21619 		return NOTIFY_DONE;
21620 
21621 	rcu_read_lock();
21622 
21623 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
21624 		struct cfg80211_sched_scan_request *sched_scan_req;
21625 
21626 		list_for_each_entry_rcu(sched_scan_req,
21627 					&rdev->sched_scan_req_list,
21628 					list) {
21629 			if (sched_scan_req->owner_nlportid == notify->portid) {
21630 				sched_scan_req->nl_owner_dead = true;
21631 				wiphy_work_queue(&rdev->wiphy,
21632 						 &rdev->sched_scan_stop_wk);
21633 			}
21634 		}
21635 
21636 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
21637 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
21638 
21639 			if (wdev->owner_nlportid == notify->portid) {
21640 				wdev->nl_owner_dead = true;
21641 				schedule_work(&rdev->destroy_work);
21642 			} else if (wdev->conn_owner_nlportid == notify->portid) {
21643 				schedule_work(&wdev->disconnect_wk);
21644 			}
21645 
21646 			cfg80211_release_pmsr(wdev, notify->portid);
21647 		}
21648 
21649 		spin_lock_bh(&rdev->beacon_registrations_lock);
21650 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
21651 					 list) {
21652 			if (reg->nlportid == notify->portid) {
21653 				list_del(&reg->list);
21654 				kfree(reg);
21655 				break;
21656 			}
21657 		}
21658 		spin_unlock_bh(&rdev->beacon_registrations_lock);
21659 	}
21660 
21661 	rcu_read_unlock();
21662 
21663 	/*
21664 	 * It is possible that the user space process that is controlling the
21665 	 * indoor setting disappeared, so notify the regulatory core.
21666 	 */
21667 	regulatory_netlink_notify(notify->portid);
21668 	return NOTIFY_OK;
21669 }
21670 
21671 static struct notifier_block nl80211_netlink_notifier = {
21672 	.notifier_call = nl80211_netlink_notify,
21673 };
21674 
21675 void cfg80211_ft_event(struct net_device *netdev,
21676 		       struct cfg80211_ft_event_params *ft_event)
21677 {
21678 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21679 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21680 	struct sk_buff *msg;
21681 	void *hdr;
21682 
21683 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
21684 
21685 	if (!ft_event->target_ap)
21686 		return;
21687 
21688 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
21689 			GFP_KERNEL);
21690 	if (!msg)
21691 		return;
21692 
21693 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
21694 	if (!hdr)
21695 		goto out;
21696 
21697 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21698 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21699 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
21700 		goto out;
21701 
21702 	if (ft_event->ies &&
21703 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
21704 		goto out;
21705 	if (ft_event->ric_ies &&
21706 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
21707 		    ft_event->ric_ies))
21708 		goto out;
21709 
21710 	genlmsg_end(msg, hdr);
21711 
21712 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21713 				NL80211_MCGRP_MLME, GFP_KERNEL);
21714 	return;
21715  out:
21716 	nlmsg_free(msg);
21717 }
21718 EXPORT_SYMBOL(cfg80211_ft_event);
21719 
21720 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
21721 {
21722 	struct cfg80211_registered_device *rdev;
21723 	struct sk_buff *msg;
21724 	void *hdr;
21725 	u32 nlportid;
21726 
21727 	rdev = wiphy_to_rdev(wdev->wiphy);
21728 	if (!rdev->crit_proto_nlportid)
21729 		return;
21730 
21731 	nlportid = rdev->crit_proto_nlportid;
21732 	rdev->crit_proto_nlportid = 0;
21733 
21734 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21735 	if (!msg)
21736 		return;
21737 
21738 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
21739 	if (!hdr)
21740 		goto nla_put_failure;
21741 
21742 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21743 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21744 			      NL80211_ATTR_PAD))
21745 		goto nla_put_failure;
21746 
21747 	genlmsg_end(msg, hdr);
21748 
21749 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
21750 	return;
21751 
21752  nla_put_failure:
21753 	nlmsg_free(msg);
21754 }
21755 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
21756 
21757 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
21758 {
21759 	struct wiphy *wiphy = wdev->wiphy;
21760 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21761 	struct sk_buff *msg;
21762 	void *hdr;
21763 
21764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21765 	if (!msg)
21766 		return;
21767 
21768 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
21769 	if (!hdr)
21770 		goto out;
21771 
21772 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21773 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
21774 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21775 			      NL80211_ATTR_PAD) ||
21776 	    (wdev->valid_links &&
21777 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
21778 		goto out;
21779 
21780 	genlmsg_end(msg, hdr);
21781 
21782 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
21783 				NL80211_MCGRP_MLME, GFP_KERNEL);
21784 	return;
21785  out:
21786 	nlmsg_free(msg);
21787 }
21788 
21789 int cfg80211_external_auth_request(struct net_device *dev,
21790 				   struct cfg80211_external_auth_params *params,
21791 				   gfp_t gfp)
21792 {
21793 	struct wireless_dev *wdev = dev->ieee80211_ptr;
21794 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
21795 	struct sk_buff *msg;
21796 	void *hdr;
21797 
21798 	if (!wdev->conn_owner_nlportid)
21799 		return -EINVAL;
21800 
21801 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21802 	if (!msg)
21803 		return -ENOMEM;
21804 
21805 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
21806 	if (!hdr)
21807 		goto nla_put_failure;
21808 
21809 	/* Some historical mistakes in drivers <-> userspace interface (notably
21810 	 * between drivers and wpa_supplicant) led to a big-endian conversion
21811 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
21812 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
21813 	 * benefit of older wpa_supplicant versions, send this particular value
21814 	 * in big-endian. Note that newer wpa_supplicant will also detect this
21815 	 * particular value in big endian still, so it all continues to work.
21816 	 */
21817 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
21818 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
21819 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
21820 			goto nla_put_failure;
21821 	} else {
21822 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
21823 				params->key_mgmt_suite))
21824 			goto nla_put_failure;
21825 	}
21826 
21827 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21828 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
21829 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
21830 			params->action) ||
21831 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
21832 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
21833 		    params->ssid.ssid) ||
21834 	    (!is_zero_ether_addr(params->mld_addr) &&
21835 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
21836 		goto nla_put_failure;
21837 
21838 	genlmsg_end(msg, hdr);
21839 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
21840 			wdev->conn_owner_nlportid);
21841 	return 0;
21842 
21843  nla_put_failure:
21844 	nlmsg_free(msg);
21845 	return -ENOBUFS;
21846 }
21847 EXPORT_SYMBOL(cfg80211_external_auth_request);
21848 
21849 void cfg80211_update_owe_info_event(struct net_device *netdev,
21850 				    struct cfg80211_update_owe_info *owe_info,
21851 				    gfp_t gfp)
21852 {
21853 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
21854 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21855 	struct sk_buff *msg;
21856 	void *hdr;
21857 
21858 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
21859 
21860 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21861 	if (!msg)
21862 		return;
21863 
21864 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
21865 	if (!hdr)
21866 		goto nla_put_failure;
21867 
21868 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21869 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
21870 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
21871 		goto nla_put_failure;
21872 
21873 	if (!owe_info->ie_len ||
21874 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
21875 		goto nla_put_failure;
21876 
21877 	if (owe_info->assoc_link_id != -1) {
21878 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
21879 			       owe_info->assoc_link_id))
21880 			goto nla_put_failure;
21881 
21882 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
21883 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
21884 			    owe_info->peer_mld_addr))
21885 			goto nla_put_failure;
21886 	}
21887 
21888 	genlmsg_end(msg, hdr);
21889 
21890 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21891 				NL80211_MCGRP_MLME, gfp);
21892 	return;
21893 
21894 nla_put_failure:
21895 	genlmsg_cancel(msg, hdr);
21896 	nlmsg_free(msg);
21897 }
21898 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
21899 
21900 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
21901 {
21902 	struct wiphy *wiphy = wdev->wiphy;
21903 
21904 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
21905 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
21906 	    (wiphy_ext_feature_isset(wiphy,
21907 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
21908 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
21909 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
21910 		reg_check_channels();
21911 }
21912 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
21913 
21914 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
21915 {
21916 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
21917 	struct wiphy *wiphy = wdev->wiphy;
21918 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21919 	struct sk_buff *msg;
21920 	void *hdr;
21921 
21922 	trace_cfg80211_epcs_changed(wdev, enabled);
21923 
21924 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
21925 	if (!msg)
21926 		return;
21927 
21928 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
21929 	if (!hdr) {
21930 		nlmsg_free(msg);
21931 		return;
21932 	}
21933 
21934 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
21935 		goto nla_put_failure;
21936 
21937 	genlmsg_end(msg, hdr);
21938 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
21939 				NL80211_MCGRP_MLME, GFP_KERNEL);
21940 	return;
21941 
21942  nla_put_failure:
21943 	nlmsg_free(msg);
21944 }
21945 EXPORT_SYMBOL(cfg80211_epcs_changed);
21946 
21947 void cfg80211_next_nan_dw_notif(struct wireless_dev *wdev,
21948 				struct ieee80211_channel *chan, gfp_t gfp)
21949 {
21950 	struct wiphy *wiphy = wdev->wiphy;
21951 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21952 	struct sk_buff *msg;
21953 	void *hdr;
21954 
21955 	trace_cfg80211_next_nan_dw_notif(wdev, chan);
21956 
21957 	if (!wdev->owner_nlportid)
21958 		return;
21959 
21960 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
21961 	if (!msg)
21962 		return;
21963 
21964 	hdr = nl80211hdr_put(msg, 0, 0, 0,
21965 			     NL80211_CMD_NAN_NEXT_DW_NOTIFICATION);
21966 	if (!hdr)
21967 		goto nla_put_failure;
21968 
21969 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
21970 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
21971 			      NL80211_ATTR_PAD) ||
21972 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq))
21973 		goto nla_put_failure;
21974 
21975 	genlmsg_end(msg, hdr);
21976 
21977 	genlmsg_unicast(wiphy_net(wiphy), msg, wdev->owner_nlportid);
21978 
21979 	return;
21980 
21981  nla_put_failure:
21982 	nlmsg_free(msg);
21983 }
21984 EXPORT_SYMBOL(cfg80211_next_nan_dw_notif);
21985 
21986 void cfg80211_nan_cluster_joined(struct wireless_dev *wdev,
21987 				 const u8 *cluster_id, bool new_cluster,
21988 				 gfp_t gfp)
21989 {
21990 	struct wiphy *wiphy = wdev->wiphy;
21991 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
21992 	struct sk_buff *msg;
21993 	void *hdr;
21994 
21995 	trace_cfg80211_nan_cluster_joined(wdev, cluster_id, new_cluster);
21996 
21997 	memcpy(wdev->u.nan.cluster_id, cluster_id, ETH_ALEN);
21998 
21999 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
22000 	if (!msg)
22001 		return;
22002 
22003 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_CLUSTER_JOINED);
22004 	if (!hdr)
22005 		goto nla_put_failure;
22006 
22007 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
22008 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
22009 			      NL80211_ATTR_PAD) ||
22010 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cluster_id) ||
22011 	    (new_cluster && nla_put_flag(msg, NL80211_ATTR_NAN_NEW_CLUSTER)))
22012 		goto nla_put_failure;
22013 
22014 	genlmsg_end(msg, hdr);
22015 
22016 	if (!wdev->owner_nlportid)
22017 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy),
22018 					msg, 0, NL80211_MCGRP_NAN, gfp);
22019 	else
22020 		genlmsg_unicast(wiphy_net(wiphy), msg,
22021 				wdev->owner_nlportid);
22022 	return;
22023 
22024  nla_put_failure:
22025 	nlmsg_free(msg);
22026 }
22027 EXPORT_SYMBOL(cfg80211_nan_cluster_joined);
22028 
22029 /* initialisation/exit functions */
22030 
22031 int __init nl80211_init(void)
22032 {
22033 	int err;
22034 
22035 	err = genl_register_family(&nl80211_fam);
22036 	if (err)
22037 		return err;
22038 
22039 	err = netlink_register_notifier(&nl80211_netlink_notifier);
22040 	if (err)
22041 		goto err_out;
22042 
22043 	return 0;
22044  err_out:
22045 	genl_unregister_family(&nl80211_fam);
22046 	return err;
22047 }
22048 
22049 void nl80211_exit(void)
22050 {
22051 	netlink_unregister_notifier(&nl80211_netlink_notifier);
22052 	genl_unregister_family(&nl80211_fam);
22053 }
22054