xref: /linux/net/wireless/nl80211.c (revision c5dbb6aeefbda74d8b523f291a7ac081c4c00aca) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
319 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
320 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct netlink_range_validation q_range = {
471 	.max = INT_MAX,
472 };
473 
474 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
475 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
476 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
477 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
478 				      .len = 20-1 },
479 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
480 
481 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
482 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_CHANNELS_MIN,
485 						NL80211_EDMG_CHANNELS_MAX),
486 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
487 						NL80211_EDMG_BW_CONFIG_MIN,
488 						NL80211_EDMG_BW_CONFIG_MAX),
489 
490 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
491 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
492 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
493 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
494 
495 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
496 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
497 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
499 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
500 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
501 
502 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
503 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
504 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
505 
506 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
507 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
508 
509 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
510 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
511 				    .len = WLAN_MAX_KEY_LEN },
512 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
513 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
514 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
515 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
516 	[NL80211_ATTR_KEY_TYPE] =
517 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
518 
519 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
520 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
521 	[NL80211_ATTR_BEACON_HEAD] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_BEACON_TAIL] =
525 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
526 				       IEEE80211_MAX_DATA_LEN),
527 	[NL80211_ATTR_STA_AID] =
528 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
529 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
530 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
531 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
532 					       .len = NL80211_MAX_SUPP_RATES },
533 	[NL80211_ATTR_STA_PLINK_ACTION] =
534 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
535 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
536 		NLA_POLICY_RANGE(NLA_U8,
537 				 NL80211_TX_POWER_AUTOMATIC,
538 				 NL80211_TX_POWER_FIXED),
539 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
540 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
541 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
542 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
543 				   .len = IEEE80211_MAX_MESH_ID_LEN },
544 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
545 
546 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
547 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
548 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
549 
550 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
551 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
552 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
553 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
554 					   .len = NL80211_MAX_SUPP_RATES },
555 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
556 
557 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
559 
560 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
561 
562 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
563 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
564 						   validate_ie_attr,
565 						   IEEE80211_MAX_DATA_LEN),
566 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
567 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
568 
569 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
570 				.len = IEEE80211_MAX_SSID_LEN },
571 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
572 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
576 						  NL80211_MFP_NO,
577 						  NL80211_MFP_OPTIONAL),
578 	[NL80211_ATTR_STA_FLAGS2] =
579 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
580 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
583 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
584 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
585 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
586 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
587 	[NL80211_ATTR_WPA_VERSIONS] =
588 		NLA_POLICY_RANGE(NLA_U32, 0,
589 				 NL80211_WPA_VERSION_1 |
590 				 NL80211_WPA_VERSION_2 |
591 				 NL80211_WPA_VERSION_3),
592 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
593 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
594 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
595 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
596 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
597 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
599 				 .len = IEEE80211_MAX_DATA_LEN },
600 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
601 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
602 						   NL80211_PS_DISABLED,
603 						   NL80211_PS_ENABLED),
604 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
605 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
607 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
608 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
609 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
610 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
611 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
612 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
613 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
615 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_STA_PLINK_STATE] =
617 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
618 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
619 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_MESH_PEER_AID] =
621 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
622 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
623 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
624 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_HIDDEN_SSID] =
626 		NLA_POLICY_RANGE(NLA_U32,
627 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
628 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
629 	[NL80211_ATTR_IE_PROBE_RESP] =
630 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
631 				       IEEE80211_MAX_DATA_LEN),
632 	[NL80211_ATTR_IE_ASSOC_RESP] =
633 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
634 				       IEEE80211_MAX_DATA_LEN),
635 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
637 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
638 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
640 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
641 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
645 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
646 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
647 				      .len = IEEE80211_MAX_DATA_LEN },
648 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
649 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
650 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
651 		.len = NL80211_HT_CAPABILITY_LEN
652 	},
653 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
654 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
655 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
656 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
657 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
658 
659 	/* need to include at least Auth Transaction and Status Code */
660 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
661 
662 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
663 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
664 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
665 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
666 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
667 		NLA_POLICY_RANGE(NLA_U32,
668 				 NL80211_MESH_POWER_UNKNOWN + 1,
669 				 NL80211_MESH_POWER_MAX),
670 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
671 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
672 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
673 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
674 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
675 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
677 		.len = NL80211_VHT_CAPABILITY_LEN,
678 	},
679 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
680 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
681 				  .len = IEEE80211_MAX_DATA_LEN },
682 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
683 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
684 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
685 	[NL80211_ATTR_PEER_AID] =
686 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
687 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
688 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
689 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
690 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
692 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
693 	/*
694 	 * The value of the Length field of the Supported Operating
695 	 * Classes element is between 2 and 253.
696 	 */
697 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
698 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
699 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
701 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
702 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
705 						  IEEE80211_QOS_MAP_LEN_MIN,
706 						  IEEE80211_QOS_MAP_LEN_MAX),
707 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
708 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
709 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
712 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
714 	[NL80211_ATTR_USER_PRIO] =
715 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
716 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
717 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
718 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
719 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
720 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
721 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
722 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
723 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
724 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
726 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
727 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
728 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
729 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
730 	},
731 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
733 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
734 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
735 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
736 				    .len = FILS_MAX_KEK_LEN },
737 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
738 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
739 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
740 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
741 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
742 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
743 	},
744 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
745 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
746 					     .len = FILS_ERP_MAX_USERNAME_LEN },
747 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
748 					  .len = FILS_ERP_MAX_REALM_LEN },
749 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
750 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
751 					.len = FILS_ERP_MAX_RRK_LEN },
752 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
753 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
754 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
755 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
756 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
757 
758 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
759 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
760 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
761 	[NL80211_ATTR_HE_CAPABILITY] =
762 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
763 				       NL80211_HE_MAX_CAPABILITY_LEN),
764 	[NL80211_ATTR_FTM_RESPONDER] =
765 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
766 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PEER_MEASUREMENTS] =
768 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
769 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
770 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
771 					.len = SAE_PASSWORD_MAX_LEN },
772 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
773 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
774 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
775 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
776 	[NL80211_ATTR_TID_CONFIG] =
777 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
778 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
779 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
780 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
781 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
782 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
783 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
784 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
785 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
786 	[NL80211_ATTR_FILS_DISCOVERY] =
787 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
788 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
789 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
790 	[NL80211_ATTR_S1G_CAPABILITY] =
791 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
792 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
793 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
794 	[NL80211_ATTR_SAE_PWE] =
795 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
796 				 NL80211_SAE_PWE_BOTH),
797 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
798 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
799 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
801 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
802 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
803 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
804 	[NL80211_ATTR_MBSSID_CONFIG] =
805 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
806 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
807 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
808 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
809 	[NL80211_ATTR_EHT_CAPABILITY] =
810 		NLA_POLICY_RANGE(NLA_BINARY,
811 				 NL80211_EHT_MIN_CAPABILITY_LEN,
812 				 NL80211_EHT_MAX_CAPABILITY_LEN),
813 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
814 	[NL80211_ATTR_MLO_LINKS] =
815 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
816 	[NL80211_ATTR_MLO_LINK_ID] =
817 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
818 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
819 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
821 	[NL80211_ATTR_PUNCT_BITMAP] =
822 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
823 
824 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
825 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
826 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
827 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
828 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
830 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
831 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
832 };
833 
834 /* policy for the key attributes */
835 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
836 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
837 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
838 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
839 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
840 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
841 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
842 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
843 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
844 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
845 };
846 
847 /* policy for the key default flags */
848 static const struct nla_policy
849 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
850 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
851 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
852 };
853 
854 #ifdef CONFIG_PM
855 /* policy for WoWLAN attributes */
856 static const struct nla_policy
857 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
858 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
859 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
860 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
861 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
862 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
863 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
864 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
865 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
866 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
867 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
868 };
869 
870 static const struct nla_policy
871 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
872 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
873 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
875 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
876 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
877 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
878 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
879 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
880 	},
881 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
882 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
883 	},
884 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
885 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
886 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
887 };
888 #endif /* CONFIG_PM */
889 
890 /* policy for coalesce rule attributes */
891 static const struct nla_policy
892 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
893 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
894 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
895 		NLA_POLICY_RANGE(NLA_U32,
896 				 NL80211_COALESCE_CONDITION_MATCH,
897 				 NL80211_COALESCE_CONDITION_NO_MATCH),
898 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
899 };
900 
901 /* policy for GTK rekey offload attributes */
902 static const struct nla_policy
903 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
904 	[NL80211_REKEY_DATA_KEK] = {
905 		.type = NLA_BINARY,
906 		.len = NL80211_KEK_EXT_LEN
907 	},
908 	[NL80211_REKEY_DATA_KCK] = {
909 		.type = NLA_BINARY,
910 		.len = NL80211_KCK_EXT_LEN_32
911 	},
912 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
913 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
914 };
915 
916 static const struct nla_policy
917 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
919 						 .len = IEEE80211_MAX_SSID_LEN },
920 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
921 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
922 };
923 
924 static const struct nla_policy
925 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
926 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
927 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
928 };
929 
930 static const struct nla_policy
931 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
932 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
933 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
934 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
935 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
936 	},
937 };
938 
939 /* policy for NAN function attributes */
940 static const struct nla_policy
941 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
942 	[NL80211_NAN_FUNC_TYPE] =
943 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
944 	[NL80211_NAN_FUNC_SERVICE_ID] = {
945 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
946 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
947 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
952 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
953 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
954 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
955 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
956 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
960 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
961 };
962 
963 /* policy for Service Response Filter attributes */
964 static const struct nla_policy
965 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
966 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
967 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
968 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
969 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
970 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
971 };
972 
973 /* policy for packet pattern attributes */
974 static const struct nla_policy
975 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
976 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
979 };
980 
981 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
982 				     struct cfg80211_registered_device **rdev,
983 				     struct wireless_dev **wdev,
984 				     struct nlattr **attrbuf)
985 {
986 	int err;
987 
988 	if (!cb->args[0]) {
989 		struct nlattr **attrbuf_free = NULL;
990 
991 		if (!attrbuf) {
992 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
993 					  GFP_KERNEL);
994 			if (!attrbuf)
995 				return -ENOMEM;
996 			attrbuf_free = attrbuf;
997 		}
998 
999 		err = nlmsg_parse_deprecated(cb->nlh,
1000 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1001 					     attrbuf, nl80211_fam.maxattr,
1002 					     nl80211_policy, NULL);
1003 		if (err) {
1004 			kfree(attrbuf_free);
1005 			return err;
1006 		}
1007 
1008 		rtnl_lock();
1009 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1010 						   attrbuf);
1011 		kfree(attrbuf_free);
1012 		if (IS_ERR(*wdev)) {
1013 			rtnl_unlock();
1014 			return PTR_ERR(*wdev);
1015 		}
1016 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1017 		mutex_lock(&(*rdev)->wiphy.mtx);
1018 		rtnl_unlock();
1019 		/* 0 is the first index - add 1 to parse only once */
1020 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1021 		cb->args[1] = (*wdev)->identifier;
1022 	} else {
1023 		/* subtract the 1 again here */
1024 		struct wiphy *wiphy;
1025 		struct wireless_dev *tmp;
1026 
1027 		rtnl_lock();
1028 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1029 		if (!wiphy) {
1030 			rtnl_unlock();
1031 			return -ENODEV;
1032 		}
1033 		*rdev = wiphy_to_rdev(wiphy);
1034 		*wdev = NULL;
1035 
1036 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1037 			if (tmp->identifier == cb->args[1]) {
1038 				*wdev = tmp;
1039 				break;
1040 			}
1041 		}
1042 
1043 		if (!*wdev) {
1044 			rtnl_unlock();
1045 			return -ENODEV;
1046 		}
1047 		mutex_lock(&(*rdev)->wiphy.mtx);
1048 		rtnl_unlock();
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* message building helper */
1055 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1056 		     int flags, u8 cmd)
1057 {
1058 	/* since there is no private header just add the generic one */
1059 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1060 }
1061 
1062 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1063 				     const struct ieee80211_reg_rule *rule)
1064 {
1065 	int j;
1066 	struct nlattr *nl_wmm_rules =
1067 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1068 
1069 	if (!nl_wmm_rules)
1070 		goto nla_put_failure;
1071 
1072 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1073 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1074 
1075 		if (!nl_wmm_rule)
1076 			goto nla_put_failure;
1077 
1078 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1079 				rule->wmm_rule.client[j].cw_min) ||
1080 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1081 				rule->wmm_rule.client[j].cw_max) ||
1082 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1083 			       rule->wmm_rule.client[j].aifsn) ||
1084 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1085 			        rule->wmm_rule.client[j].cot))
1086 			goto nla_put_failure;
1087 
1088 		nla_nest_end(msg, nl_wmm_rule);
1089 	}
1090 	nla_nest_end(msg, nl_wmm_rules);
1091 
1092 	return 0;
1093 
1094 nla_put_failure:
1095 	return -ENOBUFS;
1096 }
1097 
1098 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1099 				   struct ieee80211_channel *chan,
1100 				   bool large)
1101 {
1102 	/* Some channels must be completely excluded from the
1103 	 * list to protect old user-space tools from breaking
1104 	 */
1105 	if (!large && chan->flags &
1106 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1107 		return 0;
1108 	if (!large && chan->freq_offset)
1109 		return 0;
1110 
1111 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1112 			chan->center_freq))
1113 		goto nla_put_failure;
1114 
1115 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1116 		goto nla_put_failure;
1117 
1118 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1119 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1120 		goto nla_put_failure;
1121 
1122 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1123 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1124 		goto nla_put_failure;
1125 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1126 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1127 			goto nla_put_failure;
1128 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1129 			goto nla_put_failure;
1130 	}
1131 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1132 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1133 			goto nla_put_failure;
1134 		if (large) {
1135 			u32 time;
1136 
1137 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1138 
1139 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1140 					chan->dfs_state))
1141 				goto nla_put_failure;
1142 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1143 					time))
1144 				goto nla_put_failure;
1145 			if (nla_put_u32(msg,
1146 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1147 					chan->dfs_cac_ms))
1148 				goto nla_put_failure;
1149 		}
1150 	}
1151 
1152 	if (large) {
1153 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1154 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1155 			goto nla_put_failure;
1156 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1157 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1158 			goto nla_put_failure;
1159 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1160 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1161 			goto nla_put_failure;
1162 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1163 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1164 			goto nla_put_failure;
1165 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1166 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1167 			goto nla_put_failure;
1168 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1169 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1170 			goto nla_put_failure;
1171 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1172 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1173 			goto nla_put_failure;
1174 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1215 			goto nla_put_failure;
1216 	}
1217 
1218 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1219 			DBM_TO_MBM(chan->max_power)))
1220 		goto nla_put_failure;
1221 
1222 	if (large) {
1223 		const struct ieee80211_reg_rule *rule =
1224 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1225 
1226 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1227 			if (nl80211_msg_put_wmm_rules(msg, rule))
1228 				goto nla_put_failure;
1229 		}
1230 	}
1231 
1232 	return 0;
1233 
1234  nla_put_failure:
1235 	return -ENOBUFS;
1236 }
1237 
1238 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1239 				  struct cfg80211_txq_stats *txqstats,
1240 				  int attrtype)
1241 {
1242 	struct nlattr *txqattr;
1243 
1244 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1245 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1246 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1247 		return false;						  \
1248 	} while (0)
1249 
1250 	txqattr = nla_nest_start_noflag(msg, attrtype);
1251 	if (!txqattr)
1252 		return false;
1253 
1254 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1255 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1256 	PUT_TXQVAL_U32(FLOWS, flows);
1257 	PUT_TXQVAL_U32(DROPS, drops);
1258 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1259 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1260 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1261 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1262 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1263 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1264 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1265 	nla_nest_end(msg, txqattr);
1266 
1267 #undef PUT_TXQVAL_U32
1268 	return true;
1269 }
1270 
1271 /* netlink command implementations */
1272 
1273 /**
1274  * nl80211_link_id - return link ID
1275  * @attrs: attributes to look at
1276  *
1277  * Returns: the link ID or 0 if not given
1278  *
1279  * Note this function doesn't do any validation of the link
1280  * ID validity wrt. links that were actually added, so it must
1281  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1282  * or if additional validation is done.
1283  */
1284 static unsigned int nl80211_link_id(struct nlattr **attrs)
1285 {
1286 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1287 
1288 	if (!linkid)
1289 		return 0;
1290 
1291 	return nla_get_u8(linkid);
1292 }
1293 
1294 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1295 {
1296 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1297 
1298 	if (!linkid)
1299 		return -1;
1300 
1301 	return nla_get_u8(linkid);
1302 }
1303 
1304 struct key_parse {
1305 	struct key_params p;
1306 	int idx;
1307 	int type;
1308 	bool def, defmgmt, defbeacon;
1309 	bool def_uni, def_multi;
1310 };
1311 
1312 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1313 				 struct key_parse *k)
1314 {
1315 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1316 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1317 					      nl80211_key_policy,
1318 					      info->extack);
1319 	if (err)
1320 		return err;
1321 
1322 	k->def = !!tb[NL80211_KEY_DEFAULT];
1323 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1324 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1325 
1326 	if (k->def) {
1327 		k->def_uni = true;
1328 		k->def_multi = true;
1329 	}
1330 	if (k->defmgmt || k->defbeacon)
1331 		k->def_multi = true;
1332 
1333 	if (tb[NL80211_KEY_IDX])
1334 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1335 
1336 	if (tb[NL80211_KEY_DATA]) {
1337 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1338 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1339 	}
1340 
1341 	if (tb[NL80211_KEY_SEQ]) {
1342 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1343 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1344 	}
1345 
1346 	if (tb[NL80211_KEY_CIPHER])
1347 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1348 
1349 	if (tb[NL80211_KEY_TYPE])
1350 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1351 
1352 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1353 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1354 
1355 		err = nla_parse_nested_deprecated(kdt,
1356 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1357 						  tb[NL80211_KEY_DEFAULT_TYPES],
1358 						  nl80211_key_default_policy,
1359 						  info->extack);
1360 		if (err)
1361 			return err;
1362 
1363 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1364 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1365 	}
1366 
1367 	if (tb[NL80211_KEY_MODE])
1368 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1369 
1370 	return 0;
1371 }
1372 
1373 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1374 {
1375 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1376 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1377 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1378 	}
1379 
1380 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1381 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1382 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1383 	}
1384 
1385 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1386 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1387 
1388 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1389 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1390 
1391 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1392 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1393 
1394 	if (k->def) {
1395 		k->def_uni = true;
1396 		k->def_multi = true;
1397 	}
1398 	if (k->defmgmt)
1399 		k->def_multi = true;
1400 
1401 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1402 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1403 
1404 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1405 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1406 		int err = nla_parse_nested_deprecated(kdt,
1407 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1408 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1409 						      nl80211_key_default_policy,
1410 						      info->extack);
1411 		if (err)
1412 			return err;
1413 
1414 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1415 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1416 	}
1417 
1418 	return 0;
1419 }
1420 
1421 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1422 {
1423 	int err;
1424 
1425 	memset(k, 0, sizeof(*k));
1426 	k->idx = -1;
1427 	k->type = -1;
1428 
1429 	if (info->attrs[NL80211_ATTR_KEY])
1430 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1431 	else
1432 		err = nl80211_parse_key_old(info, k);
1433 
1434 	if (err)
1435 		return err;
1436 
1437 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1438 	    (k->defbeacon ? 1 : 0) > 1) {
1439 		GENL_SET_ERR_MSG(info,
1440 				 "key with multiple default flags is invalid");
1441 		return -EINVAL;
1442 	}
1443 
1444 	if (k->defmgmt || k->defbeacon) {
1445 		if (k->def_uni || !k->def_multi) {
1446 			GENL_SET_ERR_MSG(info,
1447 					 "defmgmt/defbeacon key must be mcast");
1448 			return -EINVAL;
1449 		}
1450 	}
1451 
1452 	if (k->idx != -1) {
1453 		if (k->defmgmt) {
1454 			if (k->idx < 4 || k->idx > 5) {
1455 				GENL_SET_ERR_MSG(info,
1456 						 "defmgmt key idx not 4 or 5");
1457 				return -EINVAL;
1458 			}
1459 		} else if (k->defbeacon) {
1460 			if (k->idx < 6 || k->idx > 7) {
1461 				GENL_SET_ERR_MSG(info,
1462 						 "defbeacon key idx not 6 or 7");
1463 				return -EINVAL;
1464 			}
1465 		} else if (k->def) {
1466 			if (k->idx < 0 || k->idx > 3) {
1467 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1468 				return -EINVAL;
1469 			}
1470 		} else {
1471 			if (k->idx < 0 || k->idx > 7) {
1472 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1473 				return -EINVAL;
1474 			}
1475 		}
1476 	}
1477 
1478 	return 0;
1479 }
1480 
1481 static struct cfg80211_cached_keys *
1482 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1483 		       struct genl_info *info, bool *no_ht)
1484 {
1485 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1486 	struct key_parse parse;
1487 	struct nlattr *key;
1488 	struct cfg80211_cached_keys *result;
1489 	int rem, err, def = 0;
1490 	bool have_key = false;
1491 
1492 	nla_for_each_nested(key, keys, rem) {
1493 		have_key = true;
1494 		break;
1495 	}
1496 
1497 	if (!have_key)
1498 		return NULL;
1499 
1500 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1501 	if (!result)
1502 		return ERR_PTR(-ENOMEM);
1503 
1504 	result->def = -1;
1505 
1506 	nla_for_each_nested(key, keys, rem) {
1507 		memset(&parse, 0, sizeof(parse));
1508 		parse.idx = -1;
1509 
1510 		err = nl80211_parse_key_new(info, key, &parse);
1511 		if (err)
1512 			goto error;
1513 		err = -EINVAL;
1514 		if (!parse.p.key)
1515 			goto error;
1516 		if (parse.idx < 0 || parse.idx > 3) {
1517 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1518 			goto error;
1519 		}
1520 		if (parse.def) {
1521 			if (def) {
1522 				GENL_SET_ERR_MSG(info,
1523 						 "only one key can be default");
1524 				goto error;
1525 			}
1526 			def = 1;
1527 			result->def = parse.idx;
1528 			if (!parse.def_uni || !parse.def_multi)
1529 				goto error;
1530 		} else if (parse.defmgmt)
1531 			goto error;
1532 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1533 						     parse.idx, false, NULL);
1534 		if (err)
1535 			goto error;
1536 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1537 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1538 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1539 			err = -EINVAL;
1540 			goto error;
1541 		}
1542 		result->params[parse.idx].cipher = parse.p.cipher;
1543 		result->params[parse.idx].key_len = parse.p.key_len;
1544 		result->params[parse.idx].key = result->data[parse.idx];
1545 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1546 
1547 		/* must be WEP key if we got here */
1548 		if (no_ht)
1549 			*no_ht = true;
1550 	}
1551 
1552 	if (result->def < 0) {
1553 		err = -EINVAL;
1554 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1555 		goto error;
1556 	}
1557 
1558 	return result;
1559  error:
1560 	kfree(result);
1561 	return ERR_PTR(err);
1562 }
1563 
1564 static int nl80211_key_allowed(struct wireless_dev *wdev)
1565 {
1566 	lockdep_assert_wiphy(wdev->wiphy);
1567 
1568 	switch (wdev->iftype) {
1569 	case NL80211_IFTYPE_AP:
1570 	case NL80211_IFTYPE_AP_VLAN:
1571 	case NL80211_IFTYPE_P2P_GO:
1572 	case NL80211_IFTYPE_MESH_POINT:
1573 		break;
1574 	case NL80211_IFTYPE_ADHOC:
1575 		if (wdev->u.ibss.current_bss)
1576 			return 0;
1577 		return -ENOLINK;
1578 	case NL80211_IFTYPE_STATION:
1579 	case NL80211_IFTYPE_P2P_CLIENT:
1580 		if (wdev->connected)
1581 			return 0;
1582 		return -ENOLINK;
1583 	case NL80211_IFTYPE_NAN:
1584 		if (wiphy_ext_feature_isset(wdev->wiphy,
1585 					    NL80211_EXT_FEATURE_SECURE_NAN))
1586 			return 0;
1587 		return -EINVAL;
1588 	case NL80211_IFTYPE_UNSPECIFIED:
1589 	case NL80211_IFTYPE_OCB:
1590 	case NL80211_IFTYPE_MONITOR:
1591 	case NL80211_IFTYPE_P2P_DEVICE:
1592 	case NL80211_IFTYPE_WDS:
1593 	case NUM_NL80211_IFTYPES:
1594 		return -EINVAL;
1595 	}
1596 
1597 	return 0;
1598 }
1599 
1600 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1601 							u32 freq)
1602 {
1603 	struct ieee80211_channel *chan;
1604 
1605 	chan = ieee80211_get_channel_khz(wiphy, freq);
1606 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1607 		return NULL;
1608 	return chan;
1609 }
1610 
1611 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1612 {
1613 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1614 	int i;
1615 
1616 	if (!nl_modes)
1617 		goto nla_put_failure;
1618 
1619 	i = 0;
1620 	while (ifmodes) {
1621 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1622 			goto nla_put_failure;
1623 		ifmodes >>= 1;
1624 		i++;
1625 	}
1626 
1627 	nla_nest_end(msg, nl_modes);
1628 	return 0;
1629 
1630 nla_put_failure:
1631 	return -ENOBUFS;
1632 }
1633 
1634 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1635 				   const struct ieee80211_iface_combination *c,
1636 				   u16 nested)
1637 {
1638 	struct nlattr *nl_combi, *nl_limits;
1639 	int i;
1640 
1641 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1642 	if (!nl_combi)
1643 		goto nla_put_failure;
1644 
1645 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1646 					       nested);
1647 	if (!nl_limits)
1648 		goto nla_put_failure;
1649 
1650 	for (i = 0; i < c->n_limits; i++) {
1651 		struct nlattr *nl_limit;
1652 
1653 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1654 		if (!nl_limit)
1655 			goto nla_put_failure;
1656 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1657 			goto nla_put_failure;
1658 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1659 					c->limits[i].types))
1660 			goto nla_put_failure;
1661 		nla_nest_end(msg, nl_limit);
1662 	}
1663 
1664 	nla_nest_end(msg, nl_limits);
1665 
1666 	if (c->beacon_int_infra_match &&
1667 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1668 		goto nla_put_failure;
1669 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1670 			c->num_different_channels) ||
1671 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1672 			c->max_interfaces))
1673 		goto nla_put_failure;
1674 	if (large &&
1675 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1676 			c->radar_detect_widths) ||
1677 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1678 			c->radar_detect_regions)))
1679 		goto nla_put_failure;
1680 	if (c->beacon_int_min_gcd &&
1681 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1682 			c->beacon_int_min_gcd))
1683 		goto nla_put_failure;
1684 
1685 	nla_nest_end(msg, nl_combi);
1686 
1687 	return 0;
1688 nla_put_failure:
1689 	return -ENOBUFS;
1690 }
1691 
1692 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1693 					  struct sk_buff *msg,
1694 					  int attr, int radio,
1695 					  bool large, u16 nested)
1696 {
1697 	const struct ieee80211_iface_combination *c;
1698 	struct nlattr *nl_combis;
1699 	int i, n;
1700 
1701 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1702 	if (!nl_combis)
1703 		goto nla_put_failure;
1704 
1705 	if (radio >= 0) {
1706 		c = wiphy->radio[0].iface_combinations;
1707 		n = wiphy->radio[0].n_iface_combinations;
1708 	} else {
1709 		c = wiphy->iface_combinations;
1710 		n = wiphy->n_iface_combinations;
1711 	}
1712 	for (i = 0; i < n; i++)
1713 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1714 			goto nla_put_failure;
1715 
1716 	nla_nest_end(msg, nl_combis);
1717 
1718 	return 0;
1719 nla_put_failure:
1720 	return -ENOBUFS;
1721 }
1722 
1723 #ifdef CONFIG_PM
1724 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1725 					struct sk_buff *msg)
1726 {
1727 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1728 	struct nlattr *nl_tcp;
1729 
1730 	if (!tcp)
1731 		return 0;
1732 
1733 	nl_tcp = nla_nest_start_noflag(msg,
1734 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1735 	if (!nl_tcp)
1736 		return -ENOBUFS;
1737 
1738 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1739 			tcp->data_payload_max))
1740 		return -ENOBUFS;
1741 
1742 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1743 			tcp->data_payload_max))
1744 		return -ENOBUFS;
1745 
1746 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1747 		return -ENOBUFS;
1748 
1749 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1750 				sizeof(*tcp->tok), tcp->tok))
1751 		return -ENOBUFS;
1752 
1753 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1754 			tcp->data_interval_max))
1755 		return -ENOBUFS;
1756 
1757 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1758 			tcp->wake_payload_max))
1759 		return -ENOBUFS;
1760 
1761 	nla_nest_end(msg, nl_tcp);
1762 	return 0;
1763 }
1764 
1765 static int nl80211_send_wowlan(struct sk_buff *msg,
1766 			       struct cfg80211_registered_device *rdev,
1767 			       bool large)
1768 {
1769 	struct nlattr *nl_wowlan;
1770 
1771 	if (!rdev->wiphy.wowlan)
1772 		return 0;
1773 
1774 	nl_wowlan = nla_nest_start_noflag(msg,
1775 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1776 	if (!nl_wowlan)
1777 		return -ENOBUFS;
1778 
1779 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1780 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1781 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1782 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1783 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1784 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1785 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1786 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1787 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1788 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1789 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1790 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1791 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1792 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1793 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1794 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1795 		return -ENOBUFS;
1796 
1797 	if (rdev->wiphy.wowlan->n_patterns) {
1798 		struct nl80211_pattern_support pat = {
1799 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1800 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1801 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1802 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1803 		};
1804 
1805 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1806 			    sizeof(pat), &pat))
1807 			return -ENOBUFS;
1808 	}
1809 
1810 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1811 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1812 			rdev->wiphy.wowlan->max_nd_match_sets))
1813 		return -ENOBUFS;
1814 
1815 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1816 		return -ENOBUFS;
1817 
1818 	nla_nest_end(msg, nl_wowlan);
1819 
1820 	return 0;
1821 }
1822 #endif
1823 
1824 static int nl80211_send_coalesce(struct sk_buff *msg,
1825 				 struct cfg80211_registered_device *rdev)
1826 {
1827 	struct nl80211_coalesce_rule_support rule;
1828 
1829 	if (!rdev->wiphy.coalesce)
1830 		return 0;
1831 
1832 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1833 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1834 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1835 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1836 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1837 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1838 
1839 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1840 		return -ENOBUFS;
1841 
1842 	return 0;
1843 }
1844 
1845 static int
1846 nl80211_send_iftype_data(struct sk_buff *msg,
1847 			 const struct ieee80211_supported_band *sband,
1848 			 const struct ieee80211_sband_iftype_data *iftdata)
1849 {
1850 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1851 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1852 
1853 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1854 				iftdata->types_mask))
1855 		return -ENOBUFS;
1856 
1857 	if (he_cap->has_he) {
1858 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1859 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1860 			    he_cap->he_cap_elem.mac_cap_info) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1862 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1863 			    he_cap->he_cap_elem.phy_cap_info) ||
1864 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1865 			    sizeof(he_cap->he_mcs_nss_supp),
1866 			    &he_cap->he_mcs_nss_supp) ||
1867 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1868 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1869 			return -ENOBUFS;
1870 	}
1871 
1872 	if (eht_cap->has_eht && he_cap->has_he) {
1873 		u8 mcs_nss_size, ppe_thresh_size;
1874 		u16 ppe_thres_hdr;
1875 		bool is_ap;
1876 
1877 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1878 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1879 
1880 		mcs_nss_size =
1881 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1882 						   &eht_cap->eht_cap_elem,
1883 						   is_ap);
1884 
1885 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1886 		ppe_thresh_size =
1887 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1888 					       eht_cap->eht_cap_elem.phy_cap_info);
1889 
1890 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1891 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1892 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1893 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1894 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1895 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1896 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1897 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1898 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1899 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1900 			return -ENOBUFS;
1901 	}
1902 
1903 	if (sband->band == NL80211_BAND_6GHZ &&
1904 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1905 		    sizeof(iftdata->he_6ghz_capa),
1906 		    &iftdata->he_6ghz_capa))
1907 		return -ENOBUFS;
1908 
1909 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1910 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1911 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1912 		return -ENOBUFS;
1913 
1914 	return 0;
1915 }
1916 
1917 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1918 				      struct ieee80211_supported_band *sband,
1919 				      bool large)
1920 {
1921 	struct nlattr *nl_rates, *nl_rate;
1922 	struct ieee80211_rate *rate;
1923 	int i;
1924 
1925 	/* add HT info */
1926 	if (sband->ht_cap.ht_supported &&
1927 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1928 		     sizeof(sband->ht_cap.mcs),
1929 		     &sband->ht_cap.mcs) ||
1930 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1931 			 sband->ht_cap.cap) ||
1932 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1933 			sband->ht_cap.ampdu_factor) ||
1934 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1935 			sband->ht_cap.ampdu_density)))
1936 		return -ENOBUFS;
1937 
1938 	/* add VHT info */
1939 	if (sband->vht_cap.vht_supported &&
1940 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1941 		     sizeof(sband->vht_cap.vht_mcs),
1942 		     &sband->vht_cap.vht_mcs) ||
1943 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1944 			 sband->vht_cap.cap)))
1945 		return -ENOBUFS;
1946 
1947 	if (large && sband->n_iftype_data) {
1948 		struct nlattr *nl_iftype_data =
1949 			nla_nest_start_noflag(msg,
1950 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1951 		const struct ieee80211_sband_iftype_data *iftd;
1952 		int err;
1953 
1954 		if (!nl_iftype_data)
1955 			return -ENOBUFS;
1956 
1957 		for_each_sband_iftype_data(sband, i, iftd) {
1958 			struct nlattr *iftdata;
1959 
1960 			iftdata = nla_nest_start_noflag(msg, i + 1);
1961 			if (!iftdata)
1962 				return -ENOBUFS;
1963 
1964 			err = nl80211_send_iftype_data(msg, sband, iftd);
1965 			if (err)
1966 				return err;
1967 
1968 			nla_nest_end(msg, iftdata);
1969 		}
1970 
1971 		nla_nest_end(msg, nl_iftype_data);
1972 	}
1973 
1974 	/* add EDMG info */
1975 	if (large && sband->edmg_cap.channels &&
1976 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1977 		       sband->edmg_cap.channels) ||
1978 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1979 		       sband->edmg_cap.bw_config)))
1980 
1981 		return -ENOBUFS;
1982 
1983 	/* add bitrates */
1984 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1985 	if (!nl_rates)
1986 		return -ENOBUFS;
1987 
1988 	for (i = 0; i < sband->n_bitrates; i++) {
1989 		nl_rate = nla_nest_start_noflag(msg, i);
1990 		if (!nl_rate)
1991 			return -ENOBUFS;
1992 
1993 		rate = &sband->bitrates[i];
1994 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1995 				rate->bitrate))
1996 			return -ENOBUFS;
1997 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1998 		    nla_put_flag(msg,
1999 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2000 			return -ENOBUFS;
2001 
2002 		nla_nest_end(msg, nl_rate);
2003 	}
2004 
2005 	nla_nest_end(msg, nl_rates);
2006 
2007 	/* S1G capabilities */
2008 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2009 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2010 		     sizeof(sband->s1g_cap.cap),
2011 		     sband->s1g_cap.cap) ||
2012 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2013 		     sizeof(sband->s1g_cap.nss_mcs),
2014 		     sband->s1g_cap.nss_mcs)))
2015 		return -ENOBUFS;
2016 
2017 	return 0;
2018 }
2019 
2020 static int
2021 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2022 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2023 {
2024 	u16 stypes;
2025 	struct nlattr *nl_ftypes, *nl_ifs;
2026 	enum nl80211_iftype ift;
2027 	int i;
2028 
2029 	if (!mgmt_stypes)
2030 		return 0;
2031 
2032 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2033 	if (!nl_ifs)
2034 		return -ENOBUFS;
2035 
2036 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2037 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2038 		if (!nl_ftypes)
2039 			return -ENOBUFS;
2040 		i = 0;
2041 		stypes = mgmt_stypes[ift].tx;
2042 		while (stypes) {
2043 			if ((stypes & 1) &&
2044 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2045 					(i << 4) | IEEE80211_FTYPE_MGMT))
2046 				return -ENOBUFS;
2047 			stypes >>= 1;
2048 			i++;
2049 		}
2050 		nla_nest_end(msg, nl_ftypes);
2051 	}
2052 
2053 	nla_nest_end(msg, nl_ifs);
2054 
2055 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2056 	if (!nl_ifs)
2057 		return -ENOBUFS;
2058 
2059 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2060 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2061 		if (!nl_ftypes)
2062 			return -ENOBUFS;
2063 		i = 0;
2064 		stypes = mgmt_stypes[ift].rx;
2065 		while (stypes) {
2066 			if ((stypes & 1) &&
2067 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2068 					(i << 4) | IEEE80211_FTYPE_MGMT))
2069 				return -ENOBUFS;
2070 			stypes >>= 1;
2071 			i++;
2072 		}
2073 		nla_nest_end(msg, nl_ftypes);
2074 	}
2075 	nla_nest_end(msg, nl_ifs);
2076 
2077 	return 0;
2078 }
2079 
2080 #define CMD(op, n)							\
2081 	 do {								\
2082 		if (rdev->ops->op) {					\
2083 			i++;						\
2084 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2085 				goto nla_put_failure;			\
2086 		}							\
2087 	} while (0)
2088 
2089 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2090 					struct sk_buff *msg)
2091 {
2092 	int i = 0;
2093 
2094 	/*
2095 	 * do *NOT* add anything into this function, new things need to be
2096 	 * advertised only to new versions of userspace that can deal with
2097 	 * the split (and they can't possibly care about new features...
2098 	 */
2099 	CMD(add_virtual_intf, NEW_INTERFACE);
2100 	CMD(change_virtual_intf, SET_INTERFACE);
2101 	CMD(add_key, NEW_KEY);
2102 	CMD(start_ap, START_AP);
2103 	CMD(add_station, NEW_STATION);
2104 	CMD(add_mpath, NEW_MPATH);
2105 	CMD(update_mesh_config, SET_MESH_CONFIG);
2106 	CMD(change_bss, SET_BSS);
2107 	CMD(auth, AUTHENTICATE);
2108 	CMD(assoc, ASSOCIATE);
2109 	CMD(deauth, DEAUTHENTICATE);
2110 	CMD(disassoc, DISASSOCIATE);
2111 	CMD(join_ibss, JOIN_IBSS);
2112 	CMD(join_mesh, JOIN_MESH);
2113 	CMD(set_pmksa, SET_PMKSA);
2114 	CMD(del_pmksa, DEL_PMKSA);
2115 	CMD(flush_pmksa, FLUSH_PMKSA);
2116 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2117 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2118 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2119 	CMD(mgmt_tx, FRAME);
2120 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2121 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2122 		i++;
2123 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2124 			goto nla_put_failure;
2125 	}
2126 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2127 	    rdev->ops->join_mesh) {
2128 		i++;
2129 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2130 			goto nla_put_failure;
2131 	}
2132 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2133 		CMD(tdls_mgmt, TDLS_MGMT);
2134 		CMD(tdls_oper, TDLS_OPER);
2135 	}
2136 	if (rdev->wiphy.max_sched_scan_reqs)
2137 		CMD(sched_scan_start, START_SCHED_SCAN);
2138 	CMD(probe_client, PROBE_CLIENT);
2139 	CMD(set_noack_map, SET_NOACK_MAP);
2140 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2141 		i++;
2142 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2143 			goto nla_put_failure;
2144 	}
2145 	CMD(start_p2p_device, START_P2P_DEVICE);
2146 	CMD(set_mcast_rate, SET_MCAST_RATE);
2147 #ifdef CONFIG_NL80211_TESTMODE
2148 	CMD(testmode_cmd, TESTMODE);
2149 #endif
2150 
2151 	if (rdev->ops->connect || rdev->ops->auth) {
2152 		i++;
2153 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2154 			goto nla_put_failure;
2155 	}
2156 
2157 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2158 		i++;
2159 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2160 			goto nla_put_failure;
2161 	}
2162 
2163 	return i;
2164  nla_put_failure:
2165 	return -ENOBUFS;
2166 }
2167 
2168 static int
2169 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2170 			   struct sk_buff *msg)
2171 {
2172 	struct nlattr *ftm;
2173 
2174 	if (!cap->ftm.supported)
2175 		return 0;
2176 
2177 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2178 	if (!ftm)
2179 		return -ENOBUFS;
2180 
2181 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2182 		return -ENOBUFS;
2183 	if (cap->ftm.non_asap &&
2184 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2185 		return -ENOBUFS;
2186 	if (cap->ftm.request_lci &&
2187 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2188 		return -ENOBUFS;
2189 	if (cap->ftm.request_civicloc &&
2190 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2191 		return -ENOBUFS;
2192 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2193 			cap->ftm.preambles))
2194 		return -ENOBUFS;
2195 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2196 			cap->ftm.bandwidths))
2197 		return -ENOBUFS;
2198 	if (cap->ftm.max_bursts_exponent >= 0 &&
2199 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2200 			cap->ftm.max_bursts_exponent))
2201 		return -ENOBUFS;
2202 	if (cap->ftm.max_ftms_per_burst &&
2203 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2204 			cap->ftm.max_ftms_per_burst))
2205 		return -ENOBUFS;
2206 	if (cap->ftm.trigger_based &&
2207 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2208 		return -ENOBUFS;
2209 	if (cap->ftm.non_trigger_based &&
2210 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2211 		return -ENOBUFS;
2212 
2213 	nla_nest_end(msg, ftm);
2214 	return 0;
2215 }
2216 
2217 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2218 				  struct sk_buff *msg)
2219 {
2220 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2221 	struct nlattr *pmsr, *caps;
2222 
2223 	if (!cap)
2224 		return 0;
2225 
2226 	/*
2227 	 * we don't need to clean up anything here since the caller
2228 	 * will genlmsg_cancel() if we fail
2229 	 */
2230 
2231 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2232 	if (!pmsr)
2233 		return -ENOBUFS;
2234 
2235 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2236 		return -ENOBUFS;
2237 
2238 	if (cap->report_ap_tsf &&
2239 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2240 		return -ENOBUFS;
2241 
2242 	if (cap->randomize_mac_addr &&
2243 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2244 		return -ENOBUFS;
2245 
2246 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2247 	if (!caps)
2248 		return -ENOBUFS;
2249 
2250 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2251 		return -ENOBUFS;
2252 
2253 	nla_nest_end(msg, caps);
2254 	nla_nest_end(msg, pmsr);
2255 
2256 	return 0;
2257 }
2258 
2259 static int
2260 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2261 			      struct sk_buff *msg)
2262 {
2263 	int i;
2264 	struct nlattr *nested, *nested_akms;
2265 	const struct wiphy_iftype_akm_suites *iftype_akms;
2266 
2267 	if (!rdev->wiphy.num_iftype_akm_suites ||
2268 	    !rdev->wiphy.iftype_akm_suites)
2269 		return 0;
2270 
2271 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2272 	if (!nested)
2273 		return -ENOBUFS;
2274 
2275 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2276 		nested_akms = nla_nest_start(msg, i + 1);
2277 		if (!nested_akms)
2278 			return -ENOBUFS;
2279 
2280 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2281 
2282 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2283 					iftype_akms->iftypes_mask))
2284 			return -ENOBUFS;
2285 
2286 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2287 			    sizeof(u32) * iftype_akms->n_akm_suites,
2288 			    iftype_akms->akm_suites)) {
2289 			return -ENOBUFS;
2290 		}
2291 		nla_nest_end(msg, nested_akms);
2292 	}
2293 
2294 	nla_nest_end(msg, nested);
2295 
2296 	return 0;
2297 }
2298 
2299 static int
2300 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2301 			       struct sk_buff *msg)
2302 {
2303 	struct nlattr *supp;
2304 
2305 	if (!rdev->wiphy.tid_config_support.vif &&
2306 	    !rdev->wiphy.tid_config_support.peer)
2307 		return 0;
2308 
2309 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2310 	if (!supp)
2311 		return -ENOSPC;
2312 
2313 	if (rdev->wiphy.tid_config_support.vif &&
2314 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2315 			      rdev->wiphy.tid_config_support.vif,
2316 			      NL80211_TID_CONFIG_ATTR_PAD))
2317 		goto fail;
2318 
2319 	if (rdev->wiphy.tid_config_support.peer &&
2320 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2321 			      rdev->wiphy.tid_config_support.peer,
2322 			      NL80211_TID_CONFIG_ATTR_PAD))
2323 		goto fail;
2324 
2325 	/* for now we just use the same value ... makes more sense */
2326 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2327 		       rdev->wiphy.tid_config_support.max_retry))
2328 		goto fail;
2329 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2330 		       rdev->wiphy.tid_config_support.max_retry))
2331 		goto fail;
2332 
2333 	nla_nest_end(msg, supp);
2334 
2335 	return 0;
2336 fail:
2337 	nla_nest_cancel(msg, supp);
2338 	return -ENOBUFS;
2339 }
2340 
2341 static int
2342 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2343 		      struct sk_buff *msg)
2344 {
2345 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2346 	u8 num_freq_ranges;
2347 	int i;
2348 
2349 	if (!rdev->wiphy.sar_capa)
2350 		return 0;
2351 
2352 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2353 
2354 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2355 	if (!sar_capa)
2356 		return -ENOSPC;
2357 
2358 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2359 		goto fail;
2360 
2361 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2362 	if (!specs)
2363 		goto fail;
2364 
2365 	/* report supported freq_ranges */
2366 	for (i = 0; i < num_freq_ranges; i++) {
2367 		sub_freq_range = nla_nest_start(msg, i + 1);
2368 		if (!sub_freq_range)
2369 			goto fail;
2370 
2371 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2372 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2373 			goto fail;
2374 
2375 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2376 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2377 			goto fail;
2378 
2379 		nla_nest_end(msg, sub_freq_range);
2380 	}
2381 
2382 	nla_nest_end(msg, specs);
2383 	nla_nest_end(msg, sar_capa);
2384 
2385 	return 0;
2386 fail:
2387 	nla_nest_cancel(msg, sar_capa);
2388 	return -ENOBUFS;
2389 }
2390 
2391 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2392 {
2393 	struct nlattr *config;
2394 
2395 	if (!wiphy->mbssid_max_interfaces)
2396 		return 0;
2397 
2398 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2399 	if (!config)
2400 		return -ENOBUFS;
2401 
2402 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2403 		       wiphy->mbssid_max_interfaces))
2404 		goto fail;
2405 
2406 	if (wiphy->ema_max_profile_periodicity &&
2407 	    nla_put_u8(msg,
2408 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2409 		       wiphy->ema_max_profile_periodicity))
2410 		goto fail;
2411 
2412 	nla_nest_end(msg, config);
2413 	return 0;
2414 
2415 fail:
2416 	nla_nest_cancel(msg, config);
2417 	return -ENOBUFS;
2418 }
2419 
2420 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2421 {
2422 	const struct wiphy_radio *r = &wiphy->radio[idx];
2423 	struct nlattr *radio, *freq;
2424 	int i;
2425 
2426 	radio = nla_nest_start(msg, idx);
2427 	if (!radio)
2428 		return -ENOBUFS;
2429 
2430 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2431 		goto nla_put_failure;
2432 
2433 	for (i = 0; i < r->n_freq_range; i++) {
2434 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2435 
2436 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2437 		if (!freq)
2438 			goto nla_put_failure;
2439 
2440 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2441 				range->start_freq) ||
2442 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2443 				range->end_freq))
2444 			goto nla_put_failure;
2445 
2446 		nla_nest_end(msg, freq);
2447 	}
2448 
2449 	for (i = 0; i < r->n_iface_combinations; i++)
2450 		if (nl80211_put_ifcomb_data(msg, true,
2451 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2452 					    &r->iface_combinations[i],
2453 					    NLA_F_NESTED))
2454 			goto nla_put_failure;
2455 
2456 	nla_nest_end(msg, radio);
2457 
2458 	return 0;
2459 
2460 nla_put_failure:
2461 	return -ENOBUFS;
2462 }
2463 
2464 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2465 {
2466 	struct nlattr *radios;
2467 	int i;
2468 
2469 	if (!wiphy->n_radio)
2470 		return 0;
2471 
2472 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2473 	if (!radios)
2474 		return -ENOBUFS;
2475 
2476 	for (i = 0; i < wiphy->n_radio; i++)
2477 		if (nl80211_put_radio(wiphy, msg, i))
2478 			goto fail;
2479 
2480 	nla_nest_end(msg, radios);
2481 
2482 	if (nl80211_put_iface_combinations(wiphy, msg,
2483 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2484 					   -1, true, NLA_F_NESTED))
2485 		return -ENOBUFS;
2486 
2487 	return 0;
2488 
2489 fail:
2490 	nla_nest_cancel(msg, radios);
2491 	return -ENOBUFS;
2492 }
2493 
2494 struct nl80211_dump_wiphy_state {
2495 	s64 filter_wiphy;
2496 	long start;
2497 	long split_start, band_start, chan_start, capa_start;
2498 	bool split;
2499 };
2500 
2501 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2502 			      enum nl80211_commands cmd,
2503 			      struct sk_buff *msg, u32 portid, u32 seq,
2504 			      int flags, struct nl80211_dump_wiphy_state *state)
2505 {
2506 	void *hdr;
2507 	struct nlattr *nl_bands, *nl_band;
2508 	struct nlattr *nl_freqs, *nl_freq;
2509 	struct nlattr *nl_cmds;
2510 	enum nl80211_band band;
2511 	struct ieee80211_channel *chan;
2512 	int i;
2513 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2514 				rdev->wiphy.mgmt_stypes;
2515 	u32 features;
2516 
2517 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2518 	if (!hdr)
2519 		return -ENOBUFS;
2520 
2521 	if (WARN_ON(!state))
2522 		return -EINVAL;
2523 
2524 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2525 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2526 			   wiphy_name(&rdev->wiphy)) ||
2527 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2528 			cfg80211_rdev_list_generation))
2529 		goto nla_put_failure;
2530 
2531 	if (cmd != NL80211_CMD_NEW_WIPHY)
2532 		goto finish;
2533 
2534 	switch (state->split_start) {
2535 	case 0:
2536 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2537 			       rdev->wiphy.retry_short) ||
2538 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2539 			       rdev->wiphy.retry_long) ||
2540 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2541 				rdev->wiphy.frag_threshold) ||
2542 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2543 				rdev->wiphy.rts_threshold) ||
2544 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2545 			       rdev->wiphy.coverage_class) ||
2546 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2547 			       rdev->wiphy.max_scan_ssids) ||
2548 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2549 			       rdev->wiphy.max_sched_scan_ssids) ||
2550 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2551 				rdev->wiphy.max_scan_ie_len) ||
2552 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2553 				rdev->wiphy.max_sched_scan_ie_len) ||
2554 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2555 			       rdev->wiphy.max_match_sets))
2556 			goto nla_put_failure;
2557 
2558 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2559 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2560 			goto nla_put_failure;
2561 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2562 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2563 			goto nla_put_failure;
2564 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2565 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2566 			goto nla_put_failure;
2567 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2568 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2569 			goto nla_put_failure;
2570 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2571 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2572 			goto nla_put_failure;
2573 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2574 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2575 			goto nla_put_failure;
2576 		state->split_start++;
2577 		if (state->split)
2578 			break;
2579 		fallthrough;
2580 	case 1:
2581 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2582 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2583 			    rdev->wiphy.cipher_suites))
2584 			goto nla_put_failure;
2585 
2586 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2587 			       rdev->wiphy.max_num_pmkids))
2588 			goto nla_put_failure;
2589 
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2592 			goto nla_put_failure;
2593 
2594 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2595 				rdev->wiphy.available_antennas_tx) ||
2596 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2597 				rdev->wiphy.available_antennas_rx))
2598 			goto nla_put_failure;
2599 
2600 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2601 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2602 				rdev->wiphy.probe_resp_offload))
2603 			goto nla_put_failure;
2604 
2605 		if ((rdev->wiphy.available_antennas_tx ||
2606 		     rdev->wiphy.available_antennas_rx) &&
2607 		    rdev->ops->get_antenna) {
2608 			u32 tx_ant = 0, rx_ant = 0;
2609 			int res;
2610 
2611 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2612 			if (!res) {
2613 				if (nla_put_u32(msg,
2614 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2615 						tx_ant) ||
2616 				    nla_put_u32(msg,
2617 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2618 						rx_ant))
2619 					goto nla_put_failure;
2620 			}
2621 		}
2622 
2623 		state->split_start++;
2624 		if (state->split)
2625 			break;
2626 		fallthrough;
2627 	case 2:
2628 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2629 					rdev->wiphy.interface_modes))
2630 				goto nla_put_failure;
2631 		state->split_start++;
2632 		if (state->split)
2633 			break;
2634 		fallthrough;
2635 	case 3:
2636 		nl_bands = nla_nest_start_noflag(msg,
2637 						 NL80211_ATTR_WIPHY_BANDS);
2638 		if (!nl_bands)
2639 			goto nla_put_failure;
2640 
2641 		for (band = state->band_start;
2642 		     band < (state->split ?
2643 				NUM_NL80211_BANDS :
2644 				NL80211_BAND_60GHZ + 1);
2645 		     band++) {
2646 			struct ieee80211_supported_band *sband;
2647 
2648 			/* omit higher bands for ancient software */
2649 			if (band > NL80211_BAND_5GHZ && !state->split)
2650 				break;
2651 
2652 			sband = rdev->wiphy.bands[band];
2653 
2654 			if (!sband)
2655 				continue;
2656 
2657 			nl_band = nla_nest_start_noflag(msg, band);
2658 			if (!nl_band)
2659 				goto nla_put_failure;
2660 
2661 			switch (state->chan_start) {
2662 			case 0:
2663 				if (nl80211_send_band_rateinfo(msg, sband,
2664 							       state->split))
2665 					goto nla_put_failure;
2666 				state->chan_start++;
2667 				if (state->split)
2668 					break;
2669 				fallthrough;
2670 			default:
2671 				/* add frequencies */
2672 				nl_freqs = nla_nest_start_noflag(msg,
2673 								 NL80211_BAND_ATTR_FREQS);
2674 				if (!nl_freqs)
2675 					goto nla_put_failure;
2676 
2677 				for (i = state->chan_start - 1;
2678 				     i < sband->n_channels;
2679 				     i++) {
2680 					nl_freq = nla_nest_start_noflag(msg,
2681 									i);
2682 					if (!nl_freq)
2683 						goto nla_put_failure;
2684 
2685 					chan = &sband->channels[i];
2686 
2687 					if (nl80211_msg_put_channel(
2688 							msg, &rdev->wiphy, chan,
2689 							state->split))
2690 						goto nla_put_failure;
2691 
2692 					nla_nest_end(msg, nl_freq);
2693 					if (state->split)
2694 						break;
2695 				}
2696 				if (i < sband->n_channels)
2697 					state->chan_start = i + 2;
2698 				else
2699 					state->chan_start = 0;
2700 				nla_nest_end(msg, nl_freqs);
2701 			}
2702 
2703 			nla_nest_end(msg, nl_band);
2704 
2705 			if (state->split) {
2706 				/* start again here */
2707 				if (state->chan_start)
2708 					band--;
2709 				break;
2710 			}
2711 		}
2712 		nla_nest_end(msg, nl_bands);
2713 
2714 		if (band < NUM_NL80211_BANDS)
2715 			state->band_start = band + 1;
2716 		else
2717 			state->band_start = 0;
2718 
2719 		/* if bands & channels are done, continue outside */
2720 		if (state->band_start == 0 && state->chan_start == 0)
2721 			state->split_start++;
2722 		if (state->split)
2723 			break;
2724 		fallthrough;
2725 	case 4:
2726 		nl_cmds = nla_nest_start_noflag(msg,
2727 						NL80211_ATTR_SUPPORTED_COMMANDS);
2728 		if (!nl_cmds)
2729 			goto nla_put_failure;
2730 
2731 		i = nl80211_add_commands_unsplit(rdev, msg);
2732 		if (i < 0)
2733 			goto nla_put_failure;
2734 		if (state->split) {
2735 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2736 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2737 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2738 				CMD(channel_switch, CHANNEL_SWITCH);
2739 			CMD(set_qos_map, SET_QOS_MAP);
2740 			if (rdev->wiphy.features &
2741 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2742 				CMD(add_tx_ts, ADD_TX_TS);
2743 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2744 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2745 			CMD(update_ft_ies, UPDATE_FT_IES);
2746 			if (rdev->wiphy.sar_capa)
2747 				CMD(set_sar_specs, SET_SAR_SPECS);
2748 		}
2749 #undef CMD
2750 
2751 		nla_nest_end(msg, nl_cmds);
2752 		state->split_start++;
2753 		if (state->split)
2754 			break;
2755 		fallthrough;
2756 	case 5:
2757 		if (rdev->ops->remain_on_channel &&
2758 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2759 		    nla_put_u32(msg,
2760 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2761 				rdev->wiphy.max_remain_on_channel_duration))
2762 			goto nla_put_failure;
2763 
2764 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2765 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2766 			goto nla_put_failure;
2767 
2768 		state->split_start++;
2769 		if (state->split)
2770 			break;
2771 		fallthrough;
2772 	case 6:
2773 #ifdef CONFIG_PM
2774 		if (nl80211_send_wowlan(msg, rdev, state->split))
2775 			goto nla_put_failure;
2776 		state->split_start++;
2777 		if (state->split)
2778 			break;
2779 #else
2780 		state->split_start++;
2781 #endif
2782 		fallthrough;
2783 	case 7:
2784 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2785 					rdev->wiphy.software_iftypes))
2786 			goto nla_put_failure;
2787 
2788 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2789 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2790 						   rdev->wiphy.n_radio ? 0 : -1,
2791 						   state->split, 0))
2792 			goto nla_put_failure;
2793 
2794 		state->split_start++;
2795 		if (state->split)
2796 			break;
2797 		fallthrough;
2798 	case 8:
2799 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2800 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2801 				rdev->wiphy.ap_sme_capa))
2802 			goto nla_put_failure;
2803 
2804 		features = rdev->wiphy.features;
2805 		/*
2806 		 * We can only add the per-channel limit information if the
2807 		 * dump is split, otherwise it makes it too big. Therefore
2808 		 * only advertise it in that case.
2809 		 */
2810 		if (state->split)
2811 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2812 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2813 			goto nla_put_failure;
2814 
2815 		if (rdev->wiphy.ht_capa_mod_mask &&
2816 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2817 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2818 			    rdev->wiphy.ht_capa_mod_mask))
2819 			goto nla_put_failure;
2820 
2821 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2822 		    rdev->wiphy.max_acl_mac_addrs &&
2823 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2824 				rdev->wiphy.max_acl_mac_addrs))
2825 			goto nla_put_failure;
2826 
2827 		/*
2828 		 * Any information below this point is only available to
2829 		 * applications that can deal with it being split. This
2830 		 * helps ensure that newly added capabilities don't break
2831 		 * older tools by overrunning their buffers.
2832 		 *
2833 		 * We still increment split_start so that in the split
2834 		 * case we'll continue with more data in the next round,
2835 		 * but break unconditionally so unsplit data stops here.
2836 		 */
2837 		if (state->split)
2838 			state->split_start++;
2839 		else
2840 			state->split_start = 0;
2841 		break;
2842 	case 9:
2843 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2844 			goto nla_put_failure;
2845 
2846 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2847 				rdev->wiphy.max_sched_scan_plans) ||
2848 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2849 				rdev->wiphy.max_sched_scan_plan_interval) ||
2850 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2851 				rdev->wiphy.max_sched_scan_plan_iterations))
2852 			goto nla_put_failure;
2853 
2854 		if (rdev->wiphy.extended_capabilities &&
2855 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2856 			     rdev->wiphy.extended_capabilities_len,
2857 			     rdev->wiphy.extended_capabilities) ||
2858 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2859 			     rdev->wiphy.extended_capabilities_len,
2860 			     rdev->wiphy.extended_capabilities_mask)))
2861 			goto nla_put_failure;
2862 
2863 		if (rdev->wiphy.vht_capa_mod_mask &&
2864 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2865 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2866 			    rdev->wiphy.vht_capa_mod_mask))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2870 			    rdev->wiphy.perm_addr))
2871 			goto nla_put_failure;
2872 
2873 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2874 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2875 			    rdev->wiphy.addr_mask))
2876 			goto nla_put_failure;
2877 
2878 		if (rdev->wiphy.n_addresses > 1) {
2879 			void *attr;
2880 
2881 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2882 			if (!attr)
2883 				goto nla_put_failure;
2884 
2885 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2886 				if (nla_put(msg, i + 1, ETH_ALEN,
2887 					    rdev->wiphy.addresses[i].addr))
2888 					goto nla_put_failure;
2889 
2890 			nla_nest_end(msg, attr);
2891 		}
2892 
2893 		state->split_start++;
2894 		break;
2895 	case 10:
2896 		if (nl80211_send_coalesce(msg, rdev))
2897 			goto nla_put_failure;
2898 
2899 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2900 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2901 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2902 			goto nla_put_failure;
2903 
2904 		if (rdev->wiphy.max_ap_assoc_sta &&
2905 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2906 				rdev->wiphy.max_ap_assoc_sta))
2907 			goto nla_put_failure;
2908 
2909 		state->split_start++;
2910 		break;
2911 	case 11:
2912 		if (rdev->wiphy.n_vendor_commands) {
2913 			const struct nl80211_vendor_cmd_info *info;
2914 			struct nlattr *nested;
2915 
2916 			nested = nla_nest_start_noflag(msg,
2917 						       NL80211_ATTR_VENDOR_DATA);
2918 			if (!nested)
2919 				goto nla_put_failure;
2920 
2921 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2922 				info = &rdev->wiphy.vendor_commands[i].info;
2923 				if (nla_put(msg, i + 1, sizeof(*info), info))
2924 					goto nla_put_failure;
2925 			}
2926 			nla_nest_end(msg, nested);
2927 		}
2928 
2929 		if (rdev->wiphy.n_vendor_events) {
2930 			const struct nl80211_vendor_cmd_info *info;
2931 			struct nlattr *nested;
2932 
2933 			nested = nla_nest_start_noflag(msg,
2934 						       NL80211_ATTR_VENDOR_EVENTS);
2935 			if (!nested)
2936 				goto nla_put_failure;
2937 
2938 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2939 				info = &rdev->wiphy.vendor_events[i];
2940 				if (nla_put(msg, i + 1, sizeof(*info), info))
2941 					goto nla_put_failure;
2942 			}
2943 			nla_nest_end(msg, nested);
2944 		}
2945 		state->split_start++;
2946 		break;
2947 	case 12:
2948 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2949 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2950 			       rdev->wiphy.max_num_csa_counters))
2951 			goto nla_put_failure;
2952 
2953 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2954 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2955 			goto nla_put_failure;
2956 
2957 		if (rdev->wiphy.max_sched_scan_reqs &&
2958 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2959 				rdev->wiphy.max_sched_scan_reqs))
2960 			goto nla_put_failure;
2961 
2962 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2963 			    sizeof(rdev->wiphy.ext_features),
2964 			    rdev->wiphy.ext_features))
2965 			goto nla_put_failure;
2966 
2967 		if (rdev->wiphy.bss_select_support) {
2968 			struct nlattr *nested;
2969 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2970 
2971 			nested = nla_nest_start_noflag(msg,
2972 						       NL80211_ATTR_BSS_SELECT);
2973 			if (!nested)
2974 				goto nla_put_failure;
2975 
2976 			i = 0;
2977 			while (bss_select_support) {
2978 				if ((bss_select_support & 1) &&
2979 				    nla_put_flag(msg, i))
2980 					goto nla_put_failure;
2981 				i++;
2982 				bss_select_support >>= 1;
2983 			}
2984 			nla_nest_end(msg, nested);
2985 		}
2986 
2987 		state->split_start++;
2988 		break;
2989 	case 13:
2990 		if (rdev->wiphy.num_iftype_ext_capab &&
2991 		    rdev->wiphy.iftype_ext_capab) {
2992 			struct nlattr *nested_ext_capab, *nested;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			for (i = state->capa_start;
3000 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3001 				const struct wiphy_iftype_ext_capab *capab;
3002 
3003 				capab = &rdev->wiphy.iftype_ext_capab[i];
3004 
3005 				nested_ext_capab = nla_nest_start_noflag(msg,
3006 									 i);
3007 				if (!nested_ext_capab ||
3008 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3009 						capab->iftype) ||
3010 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3011 					    capab->extended_capabilities_len,
3012 					    capab->extended_capabilities) ||
3013 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3014 					    capab->extended_capabilities_len,
3015 					    capab->extended_capabilities_mask))
3016 					goto nla_put_failure;
3017 
3018 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3019 				    (nla_put_u16(msg,
3020 						 NL80211_ATTR_EML_CAPABILITY,
3021 						 capab->eml_capabilities) ||
3022 				     nla_put_u16(msg,
3023 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3024 						 capab->mld_capa_and_ops)))
3025 					goto nla_put_failure;
3026 
3027 				nla_nest_end(msg, nested_ext_capab);
3028 				if (state->split)
3029 					break;
3030 			}
3031 			nla_nest_end(msg, nested);
3032 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3033 				state->capa_start = i + 1;
3034 				break;
3035 			}
3036 		}
3037 
3038 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3039 				rdev->wiphy.nan_supported_bands))
3040 			goto nla_put_failure;
3041 
3042 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3043 					    NL80211_EXT_FEATURE_TXQS)) {
3044 			struct cfg80211_txq_stats txqstats = {};
3045 			int res;
3046 
3047 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3048 			if (!res &&
3049 			    !nl80211_put_txq_stats(msg, &txqstats,
3050 						   NL80211_ATTR_TXQ_STATS))
3051 				goto nla_put_failure;
3052 
3053 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3054 					rdev->wiphy.txq_limit))
3055 				goto nla_put_failure;
3056 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3057 					rdev->wiphy.txq_memory_limit))
3058 				goto nla_put_failure;
3059 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3060 					rdev->wiphy.txq_quantum))
3061 				goto nla_put_failure;
3062 		}
3063 
3064 		state->split_start++;
3065 		break;
3066 	case 14:
3067 		if (nl80211_send_pmsr_capa(rdev, msg))
3068 			goto nla_put_failure;
3069 
3070 		state->split_start++;
3071 		break;
3072 	case 15:
3073 		if (rdev->wiphy.akm_suites &&
3074 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3075 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3076 			    rdev->wiphy.akm_suites))
3077 			goto nla_put_failure;
3078 
3079 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3080 			goto nla_put_failure;
3081 
3082 		if (nl80211_put_tid_config_support(rdev, msg))
3083 			goto nla_put_failure;
3084 		state->split_start++;
3085 		break;
3086 	case 16:
3087 		if (nl80211_put_sar_specs(rdev, msg))
3088 			goto nla_put_failure;
3089 
3090 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3091 			goto nla_put_failure;
3092 
3093 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3094 				rdev->wiphy.max_num_akm_suites))
3095 			goto nla_put_failure;
3096 
3097 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3098 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3099 
3100 		if (rdev->wiphy.hw_timestamp_max_peers &&
3101 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3102 				rdev->wiphy.hw_timestamp_max_peers))
3103 			goto nla_put_failure;
3104 
3105 		state->split_start++;
3106 		break;
3107 	case 17:
3108 		if (nl80211_put_radios(&rdev->wiphy, msg))
3109 			goto nla_put_failure;
3110 
3111 		/* done */
3112 		state->split_start = 0;
3113 		break;
3114 	}
3115  finish:
3116 	genlmsg_end(msg, hdr);
3117 	return 0;
3118 
3119  nla_put_failure:
3120 	genlmsg_cancel(msg, hdr);
3121 	return -EMSGSIZE;
3122 }
3123 
3124 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3125 				    struct netlink_callback *cb,
3126 				    struct nl80211_dump_wiphy_state *state)
3127 {
3128 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3129 	int ret;
3130 
3131 	if (!tb)
3132 		return -ENOMEM;
3133 
3134 	ret = nlmsg_parse_deprecated(cb->nlh,
3135 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3136 				     tb, nl80211_fam.maxattr,
3137 				     nl80211_policy, NULL);
3138 	/* ignore parse errors for backward compatibility */
3139 	if (ret) {
3140 		ret = 0;
3141 		goto out;
3142 	}
3143 
3144 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3145 	if (tb[NL80211_ATTR_WIPHY])
3146 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3147 	if (tb[NL80211_ATTR_WDEV])
3148 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3149 	if (tb[NL80211_ATTR_IFINDEX]) {
3150 		struct net_device *netdev;
3151 		struct cfg80211_registered_device *rdev;
3152 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3153 
3154 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3155 		if (!netdev) {
3156 			ret = -ENODEV;
3157 			goto out;
3158 		}
3159 		if (netdev->ieee80211_ptr) {
3160 			rdev = wiphy_to_rdev(
3161 				netdev->ieee80211_ptr->wiphy);
3162 			state->filter_wiphy = rdev->wiphy_idx;
3163 		}
3164 	}
3165 
3166 	ret = 0;
3167 out:
3168 	kfree(tb);
3169 	return ret;
3170 }
3171 
3172 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3173 {
3174 	int idx = 0, ret;
3175 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3176 	struct cfg80211_registered_device *rdev;
3177 
3178 	rtnl_lock();
3179 	if (!state) {
3180 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3181 		if (!state) {
3182 			rtnl_unlock();
3183 			return -ENOMEM;
3184 		}
3185 		state->filter_wiphy = -1;
3186 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3187 		if (ret) {
3188 			kfree(state);
3189 			rtnl_unlock();
3190 			return ret;
3191 		}
3192 		cb->args[0] = (long)state;
3193 	}
3194 
3195 	for_each_rdev(rdev) {
3196 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3197 			continue;
3198 		if (++idx <= state->start)
3199 			continue;
3200 		if (state->filter_wiphy != -1 &&
3201 		    state->filter_wiphy != rdev->wiphy_idx)
3202 			continue;
3203 		wiphy_lock(&rdev->wiphy);
3204 		/* attempt to fit multiple wiphy data chunks into the skb */
3205 		do {
3206 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3207 						 skb,
3208 						 NETLINK_CB(cb->skb).portid,
3209 						 cb->nlh->nlmsg_seq,
3210 						 NLM_F_MULTI, state);
3211 			if (ret < 0) {
3212 				/*
3213 				 * If sending the wiphy data didn't fit (ENOBUFS
3214 				 * or EMSGSIZE returned), this SKB is still
3215 				 * empty (so it's not too big because another
3216 				 * wiphy dataset is already in the skb) and
3217 				 * we've not tried to adjust the dump allocation
3218 				 * yet ... then adjust the alloc size to be
3219 				 * bigger, and return 1 but with the empty skb.
3220 				 * This results in an empty message being RX'ed
3221 				 * in userspace, but that is ignored.
3222 				 *
3223 				 * We can then retry with the larger buffer.
3224 				 */
3225 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3226 				    !skb->len && !state->split &&
3227 				    cb->min_dump_alloc < 4096) {
3228 					cb->min_dump_alloc = 4096;
3229 					state->split_start = 0;
3230 					wiphy_unlock(&rdev->wiphy);
3231 					rtnl_unlock();
3232 					return 1;
3233 				}
3234 				idx--;
3235 				break;
3236 			}
3237 		} while (state->split_start > 0);
3238 		wiphy_unlock(&rdev->wiphy);
3239 		break;
3240 	}
3241 	rtnl_unlock();
3242 
3243 	state->start = idx;
3244 
3245 	return skb->len;
3246 }
3247 
3248 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3249 {
3250 	kfree((void *)cb->args[0]);
3251 	return 0;
3252 }
3253 
3254 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3255 {
3256 	struct sk_buff *msg;
3257 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3258 	struct nl80211_dump_wiphy_state state = {};
3259 
3260 	msg = nlmsg_new(4096, GFP_KERNEL);
3261 	if (!msg)
3262 		return -ENOMEM;
3263 
3264 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3265 			       info->snd_portid, info->snd_seq, 0,
3266 			       &state) < 0) {
3267 		nlmsg_free(msg);
3268 		return -ENOBUFS;
3269 	}
3270 
3271 	return genlmsg_reply(msg, info);
3272 }
3273 
3274 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3275 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3276 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3277 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3278 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3279 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3280 };
3281 
3282 static int parse_txq_params(struct nlattr *tb[],
3283 			    struct ieee80211_txq_params *txq_params)
3284 {
3285 	u8 ac;
3286 
3287 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3288 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3289 	    !tb[NL80211_TXQ_ATTR_AIFS])
3290 		return -EINVAL;
3291 
3292 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3293 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3294 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3295 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3296 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3297 
3298 	if (ac >= NL80211_NUM_ACS)
3299 		return -EINVAL;
3300 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3301 	return 0;
3302 }
3303 
3304 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3305 {
3306 	/*
3307 	 * You can only set the channel explicitly for some interfaces,
3308 	 * most have their channel managed via their respective
3309 	 * "establish a connection" command (connect, join, ...)
3310 	 *
3311 	 * For AP/GO and mesh mode, the channel can be set with the
3312 	 * channel userspace API, but is only stored and passed to the
3313 	 * low-level driver when the AP starts or the mesh is joined.
3314 	 * This is for backward compatibility, userspace can also give
3315 	 * the channel in the start-ap or join-mesh commands instead.
3316 	 *
3317 	 * Monitors are special as they are normally slaved to
3318 	 * whatever else is going on, so they have their own special
3319 	 * operation to set the monitor channel if possible.
3320 	 */
3321 	return !wdev ||
3322 		wdev->iftype == NL80211_IFTYPE_AP ||
3323 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3324 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3325 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3326 }
3327 
3328 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3329 				  struct genl_info *info, bool monitor,
3330 				  struct cfg80211_chan_def *chandef)
3331 {
3332 	struct netlink_ext_ack *extack = info->extack;
3333 	struct nlattr **attrs = info->attrs;
3334 	u32 control_freq;
3335 
3336 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3337 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3338 				    "Frequency is missing");
3339 		return -EINVAL;
3340 	}
3341 
3342 	control_freq = MHZ_TO_KHZ(
3343 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3344 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3345 		control_freq +=
3346 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3347 
3348 	memset(chandef, 0, sizeof(*chandef));
3349 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3350 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3351 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3352 	chandef->freq1_offset = control_freq % 1000;
3353 	chandef->center_freq2 = 0;
3354 
3355 	if (!chandef->chan) {
3356 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3357 				    "Unknown channel");
3358 		return -EINVAL;
3359 	}
3360 
3361 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3362 		enum nl80211_channel_type chantype;
3363 
3364 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3365 
3366 		switch (chantype) {
3367 		case NL80211_CHAN_NO_HT:
3368 		case NL80211_CHAN_HT20:
3369 		case NL80211_CHAN_HT40PLUS:
3370 		case NL80211_CHAN_HT40MINUS:
3371 			cfg80211_chandef_create(chandef, chandef->chan,
3372 						chantype);
3373 			/* user input for center_freq is incorrect */
3374 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3375 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3376 				NL_SET_ERR_MSG_ATTR(extack,
3377 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3378 						    "bad center frequency 1");
3379 				return -EINVAL;
3380 			}
3381 			/* center_freq2 must be zero */
3382 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3383 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3384 				NL_SET_ERR_MSG_ATTR(extack,
3385 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3386 						    "center frequency 2 can't be used");
3387 				return -EINVAL;
3388 			}
3389 			break;
3390 		default:
3391 			NL_SET_ERR_MSG_ATTR(extack,
3392 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3393 					    "invalid channel type");
3394 			return -EINVAL;
3395 		}
3396 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3397 		chandef->width =
3398 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3399 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3400 			/* User input error for channel width doesn't match channel  */
3401 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3402 				NL_SET_ERR_MSG_ATTR(extack,
3403 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3404 						    "bad channel width");
3405 				return -EINVAL;
3406 			}
3407 		}
3408 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3409 			chandef->center_freq1 =
3410 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3411 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3412 				chandef->freq1_offset = nla_get_u32(
3413 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3414 			else
3415 				chandef->freq1_offset = 0;
3416 		}
3417 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3418 			chandef->center_freq2 =
3419 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3420 	}
3421 
3422 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3423 		chandef->edmg.channels =
3424 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3425 
3426 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3427 			chandef->edmg.bw_config =
3428 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3429 	} else {
3430 		chandef->edmg.bw_config = 0;
3431 		chandef->edmg.channels = 0;
3432 	}
3433 
3434 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3435 		chandef->punctured =
3436 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3437 
3438 		if (chandef->punctured &&
3439 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3440 					     NL80211_EXT_FEATURE_PUNCT)) {
3441 			NL_SET_ERR_MSG(extack,
3442 				       "driver doesn't support puncturing");
3443 			return -EINVAL;
3444 		}
3445 	}
3446 
3447 	if (!cfg80211_chandef_valid(chandef)) {
3448 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3449 		return -EINVAL;
3450 	}
3451 
3452 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3453 				      IEEE80211_CHAN_DISABLED,
3454 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3455 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3456 		return -EINVAL;
3457 	}
3458 
3459 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3460 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3461 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3462 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3463 		return -EINVAL;
3464 	}
3465 
3466 	return 0;
3467 }
3468 
3469 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3470 			  struct genl_info *info,
3471 			  struct cfg80211_chan_def *chandef)
3472 {
3473 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3474 }
3475 
3476 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3477 				 struct net_device *dev,
3478 				 struct genl_info *info,
3479 				 int _link_id)
3480 {
3481 	struct cfg80211_chan_def chandef;
3482 	int result;
3483 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3484 	struct wireless_dev *wdev = NULL;
3485 	int link_id = _link_id;
3486 
3487 	if (dev)
3488 		wdev = dev->ieee80211_ptr;
3489 	if (!nl80211_can_set_dev_channel(wdev))
3490 		return -EOPNOTSUPP;
3491 	if (wdev)
3492 		iftype = wdev->iftype;
3493 
3494 	if (link_id < 0) {
3495 		if (wdev && wdev->valid_links)
3496 			return -EINVAL;
3497 		link_id = 0;
3498 	}
3499 
3500 	result = _nl80211_parse_chandef(rdev, info,
3501 					iftype == NL80211_IFTYPE_MONITOR,
3502 					&chandef);
3503 	if (result)
3504 		return result;
3505 
3506 	switch (iftype) {
3507 	case NL80211_IFTYPE_AP:
3508 	case NL80211_IFTYPE_P2P_GO:
3509 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3510 						   iftype))
3511 			return -EINVAL;
3512 		if (wdev->links[link_id].ap.beacon_interval) {
3513 			struct ieee80211_channel *cur_chan;
3514 
3515 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3516 			    !(rdev->wiphy.features &
3517 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3518 				return -EBUSY;
3519 
3520 			/* Only allow dynamic channel width changes */
3521 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3522 			if (chandef.chan != cur_chan)
3523 				return -EBUSY;
3524 
3525 			/* only allow this for regular channel widths */
3526 			switch (wdev->links[link_id].ap.chandef.width) {
3527 			case NL80211_CHAN_WIDTH_20_NOHT:
3528 			case NL80211_CHAN_WIDTH_20:
3529 			case NL80211_CHAN_WIDTH_40:
3530 			case NL80211_CHAN_WIDTH_80:
3531 			case NL80211_CHAN_WIDTH_80P80:
3532 			case NL80211_CHAN_WIDTH_160:
3533 			case NL80211_CHAN_WIDTH_320:
3534 				break;
3535 			default:
3536 				return -EINVAL;
3537 			}
3538 
3539 			switch (chandef.width) {
3540 			case NL80211_CHAN_WIDTH_20_NOHT:
3541 			case NL80211_CHAN_WIDTH_20:
3542 			case NL80211_CHAN_WIDTH_40:
3543 			case NL80211_CHAN_WIDTH_80:
3544 			case NL80211_CHAN_WIDTH_80P80:
3545 			case NL80211_CHAN_WIDTH_160:
3546 			case NL80211_CHAN_WIDTH_320:
3547 				break;
3548 			default:
3549 				return -EINVAL;
3550 			}
3551 
3552 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3553 						       &chandef);
3554 			if (result)
3555 				return result;
3556 			wdev->links[link_id].ap.chandef = chandef;
3557 		} else {
3558 			wdev->u.ap.preset_chandef = chandef;
3559 		}
3560 		return 0;
3561 	case NL80211_IFTYPE_MESH_POINT:
3562 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3563 	case NL80211_IFTYPE_MONITOR:
3564 		return cfg80211_set_monitor_channel(rdev, &chandef);
3565 	default:
3566 		break;
3567 	}
3568 
3569 	return -EINVAL;
3570 }
3571 
3572 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3573 {
3574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3575 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3576 	struct net_device *netdev = info->user_ptr[1];
3577 
3578 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3579 }
3580 
3581 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3582 {
3583 	struct cfg80211_registered_device *rdev = NULL;
3584 	struct net_device *netdev = NULL;
3585 	struct wireless_dev *wdev;
3586 	int result = 0, rem_txq_params = 0;
3587 	struct nlattr *nl_txq_params;
3588 	u32 changed;
3589 	u8 retry_short = 0, retry_long = 0;
3590 	u32 frag_threshold = 0, rts_threshold = 0;
3591 	u8 coverage_class = 0;
3592 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3593 
3594 	rtnl_lock();
3595 	/*
3596 	 * Try to find the wiphy and netdev. Normally this
3597 	 * function shouldn't need the netdev, but this is
3598 	 * done for backward compatibility -- previously
3599 	 * setting the channel was done per wiphy, but now
3600 	 * it is per netdev. Previous userland like hostapd
3601 	 * also passed a netdev to set_wiphy, so that it is
3602 	 * possible to let that go to the right netdev!
3603 	 */
3604 
3605 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3606 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3607 
3608 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3609 		if (netdev && netdev->ieee80211_ptr)
3610 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3611 		else
3612 			netdev = NULL;
3613 	}
3614 
3615 	if (!netdev) {
3616 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3617 						  info->attrs);
3618 		if (IS_ERR(rdev)) {
3619 			rtnl_unlock();
3620 			return PTR_ERR(rdev);
3621 		}
3622 		wdev = NULL;
3623 		netdev = NULL;
3624 		result = 0;
3625 	} else
3626 		wdev = netdev->ieee80211_ptr;
3627 
3628 	wiphy_lock(&rdev->wiphy);
3629 
3630 	/*
3631 	 * end workaround code, by now the rdev is available
3632 	 * and locked, and wdev may or may not be NULL.
3633 	 */
3634 
3635 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3636 		result = cfg80211_dev_rename(
3637 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3638 	rtnl_unlock();
3639 
3640 	if (result)
3641 		goto out;
3642 
3643 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3644 		struct ieee80211_txq_params txq_params;
3645 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3646 
3647 		if (!rdev->ops->set_txq_params) {
3648 			result = -EOPNOTSUPP;
3649 			goto out;
3650 		}
3651 
3652 		if (!netdev) {
3653 			result = -EINVAL;
3654 			goto out;
3655 		}
3656 
3657 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3658 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3659 			result = -EINVAL;
3660 			goto out;
3661 		}
3662 
3663 		if (!netif_running(netdev)) {
3664 			result = -ENETDOWN;
3665 			goto out;
3666 		}
3667 
3668 		nla_for_each_nested(nl_txq_params,
3669 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3670 				    rem_txq_params) {
3671 			result = nla_parse_nested_deprecated(tb,
3672 							     NL80211_TXQ_ATTR_MAX,
3673 							     nl_txq_params,
3674 							     txq_params_policy,
3675 							     info->extack);
3676 			if (result)
3677 				goto out;
3678 			result = parse_txq_params(tb, &txq_params);
3679 			if (result)
3680 				goto out;
3681 
3682 			txq_params.link_id =
3683 				nl80211_link_id_or_invalid(info->attrs);
3684 
3685 			if (txq_params.link_id >= 0 &&
3686 			    !(netdev->ieee80211_ptr->valid_links &
3687 			      BIT(txq_params.link_id)))
3688 				result = -ENOLINK;
3689 			else if (txq_params.link_id >= 0 &&
3690 				 !netdev->ieee80211_ptr->valid_links)
3691 				result = -EINVAL;
3692 			else
3693 				result = rdev_set_txq_params(rdev, netdev,
3694 							     &txq_params);
3695 			if (result)
3696 				goto out;
3697 		}
3698 	}
3699 
3700 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3701 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3702 
3703 		if (wdev) {
3704 			result = __nl80211_set_channel(
3705 				rdev,
3706 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3707 				info, link_id);
3708 		} else {
3709 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3710 		}
3711 
3712 		if (result)
3713 			goto out;
3714 	}
3715 
3716 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3717 		struct wireless_dev *txp_wdev = wdev;
3718 		enum nl80211_tx_power_setting type;
3719 		int idx, mbm = 0;
3720 
3721 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3722 			txp_wdev = NULL;
3723 
3724 		if (!rdev->ops->set_tx_power) {
3725 			result = -EOPNOTSUPP;
3726 			goto out;
3727 		}
3728 
3729 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3730 		type = nla_get_u32(info->attrs[idx]);
3731 
3732 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3733 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3734 			result = -EINVAL;
3735 			goto out;
3736 		}
3737 
3738 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3739 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3740 			mbm = nla_get_u32(info->attrs[idx]);
3741 		}
3742 
3743 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3744 		if (result)
3745 			goto out;
3746 	}
3747 
3748 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3749 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3750 		u32 tx_ant, rx_ant;
3751 
3752 		if ((!rdev->wiphy.available_antennas_tx &&
3753 		     !rdev->wiphy.available_antennas_rx) ||
3754 		    !rdev->ops->set_antenna) {
3755 			result = -EOPNOTSUPP;
3756 			goto out;
3757 		}
3758 
3759 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3760 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3761 
3762 		/* reject antenna configurations which don't match the
3763 		 * available antenna masks, except for the "all" mask */
3764 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3765 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3766 			result = -EINVAL;
3767 			goto out;
3768 		}
3769 
3770 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3771 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3772 
3773 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3774 		if (result)
3775 			goto out;
3776 	}
3777 
3778 	changed = 0;
3779 
3780 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3781 		retry_short = nla_get_u8(
3782 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3783 
3784 		changed |= WIPHY_PARAM_RETRY_SHORT;
3785 	}
3786 
3787 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3788 		retry_long = nla_get_u8(
3789 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3790 
3791 		changed |= WIPHY_PARAM_RETRY_LONG;
3792 	}
3793 
3794 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3795 		frag_threshold = nla_get_u32(
3796 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3797 		if (frag_threshold < 256) {
3798 			result = -EINVAL;
3799 			goto out;
3800 		}
3801 
3802 		if (frag_threshold != (u32) -1) {
3803 			/*
3804 			 * Fragments (apart from the last one) are required to
3805 			 * have even length. Make the fragmentation code
3806 			 * simpler by stripping LSB should someone try to use
3807 			 * odd threshold value.
3808 			 */
3809 			frag_threshold &= ~0x1;
3810 		}
3811 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3812 	}
3813 
3814 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3815 		rts_threshold = nla_get_u32(
3816 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3817 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3818 	}
3819 
3820 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3821 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3822 			result = -EINVAL;
3823 			goto out;
3824 		}
3825 
3826 		coverage_class = nla_get_u8(
3827 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3828 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3829 	}
3830 
3831 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3832 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3833 			result = -EOPNOTSUPP;
3834 			goto out;
3835 		}
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS)) {
3843 			result = -EOPNOTSUPP;
3844 			goto out;
3845 		}
3846 		txq_limit = nla_get_u32(
3847 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3848 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3849 	}
3850 
3851 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3852 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3853 					     NL80211_EXT_FEATURE_TXQS)) {
3854 			result = -EOPNOTSUPP;
3855 			goto out;
3856 		}
3857 		txq_memory_limit = nla_get_u32(
3858 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3859 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3860 	}
3861 
3862 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3863 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3864 					     NL80211_EXT_FEATURE_TXQS)) {
3865 			result = -EOPNOTSUPP;
3866 			goto out;
3867 		}
3868 		txq_quantum = nla_get_u32(
3869 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3870 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3871 	}
3872 
3873 	if (changed) {
3874 		u8 old_retry_short, old_retry_long;
3875 		u32 old_frag_threshold, old_rts_threshold;
3876 		u8 old_coverage_class;
3877 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3878 
3879 		if (!rdev->ops->set_wiphy_params) {
3880 			result = -EOPNOTSUPP;
3881 			goto out;
3882 		}
3883 
3884 		old_retry_short = rdev->wiphy.retry_short;
3885 		old_retry_long = rdev->wiphy.retry_long;
3886 		old_frag_threshold = rdev->wiphy.frag_threshold;
3887 		old_rts_threshold = rdev->wiphy.rts_threshold;
3888 		old_coverage_class = rdev->wiphy.coverage_class;
3889 		old_txq_limit = rdev->wiphy.txq_limit;
3890 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3891 		old_txq_quantum = rdev->wiphy.txq_quantum;
3892 
3893 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3894 			rdev->wiphy.retry_short = retry_short;
3895 		if (changed & WIPHY_PARAM_RETRY_LONG)
3896 			rdev->wiphy.retry_long = retry_long;
3897 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3898 			rdev->wiphy.frag_threshold = frag_threshold;
3899 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3900 			rdev->wiphy.rts_threshold = rts_threshold;
3901 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3902 			rdev->wiphy.coverage_class = coverage_class;
3903 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3904 			rdev->wiphy.txq_limit = txq_limit;
3905 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3906 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3907 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3908 			rdev->wiphy.txq_quantum = txq_quantum;
3909 
3910 		result = rdev_set_wiphy_params(rdev, changed);
3911 		if (result) {
3912 			rdev->wiphy.retry_short = old_retry_short;
3913 			rdev->wiphy.retry_long = old_retry_long;
3914 			rdev->wiphy.frag_threshold = old_frag_threshold;
3915 			rdev->wiphy.rts_threshold = old_rts_threshold;
3916 			rdev->wiphy.coverage_class = old_coverage_class;
3917 			rdev->wiphy.txq_limit = old_txq_limit;
3918 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3919 			rdev->wiphy.txq_quantum = old_txq_quantum;
3920 			goto out;
3921 		}
3922 	}
3923 
3924 	result = 0;
3925 
3926 out:
3927 	wiphy_unlock(&rdev->wiphy);
3928 	return result;
3929 }
3930 
3931 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3932 {
3933 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3934 		return -EINVAL;
3935 
3936 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3937 			chandef->chan->center_freq))
3938 		return -ENOBUFS;
3939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3940 			chandef->chan->freq_offset))
3941 		return -ENOBUFS;
3942 	switch (chandef->width) {
3943 	case NL80211_CHAN_WIDTH_20_NOHT:
3944 	case NL80211_CHAN_WIDTH_20:
3945 	case NL80211_CHAN_WIDTH_40:
3946 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3947 				cfg80211_get_chandef_type(chandef)))
3948 			return -ENOBUFS;
3949 		break;
3950 	default:
3951 		break;
3952 	}
3953 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3954 		return -ENOBUFS;
3955 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3956 		return -ENOBUFS;
3957 	if (chandef->center_freq2 &&
3958 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3959 		return -ENOBUFS;
3960 	if (chandef->punctured &&
3961 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3962 		return -ENOBUFS;
3963 
3964 	return 0;
3965 }
3966 EXPORT_SYMBOL(nl80211_send_chandef);
3967 
3968 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3969 			      struct cfg80211_registered_device *rdev,
3970 			      struct wireless_dev *wdev,
3971 			      enum nl80211_commands cmd)
3972 {
3973 	struct net_device *dev = wdev->netdev;
3974 	void *hdr;
3975 
3976 	lockdep_assert_wiphy(&rdev->wiphy);
3977 
3978 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3979 		cmd != NL80211_CMD_DEL_INTERFACE &&
3980 		cmd != NL80211_CMD_SET_INTERFACE);
3981 
3982 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3983 	if (!hdr)
3984 		return -1;
3985 
3986 	if (dev &&
3987 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3988 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3989 		goto nla_put_failure;
3990 
3991 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3992 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3993 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3994 			      NL80211_ATTR_PAD) ||
3995 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3996 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3997 			rdev->devlist_generation ^
3998 			(cfg80211_rdev_list_generation << 2)) ||
3999 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
4000 		goto nla_put_failure;
4001 
4002 	if (rdev->ops->get_channel && !wdev->valid_links) {
4003 		struct cfg80211_chan_def chandef = {};
4004 		int ret;
4005 
4006 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4007 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4008 			goto nla_put_failure;
4009 	}
4010 
4011 	if (rdev->ops->get_tx_power) {
4012 		int dbm, ret;
4013 
4014 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
4015 		if (ret == 0 &&
4016 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4017 				DBM_TO_MBM(dbm)))
4018 			goto nla_put_failure;
4019 	}
4020 
4021 	switch (wdev->iftype) {
4022 	case NL80211_IFTYPE_AP:
4023 	case NL80211_IFTYPE_P2P_GO:
4024 		if (wdev->u.ap.ssid_len &&
4025 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4026 			    wdev->u.ap.ssid))
4027 			goto nla_put_failure;
4028 		break;
4029 	case NL80211_IFTYPE_STATION:
4030 	case NL80211_IFTYPE_P2P_CLIENT:
4031 		if (wdev->u.client.ssid_len &&
4032 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4033 			    wdev->u.client.ssid))
4034 			goto nla_put_failure;
4035 		break;
4036 	case NL80211_IFTYPE_ADHOC:
4037 		if (wdev->u.ibss.ssid_len &&
4038 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4039 			    wdev->u.ibss.ssid))
4040 			goto nla_put_failure;
4041 		break;
4042 	default:
4043 		/* nothing */
4044 		break;
4045 	}
4046 
4047 	if (rdev->ops->get_txq_stats) {
4048 		struct cfg80211_txq_stats txqstats = {};
4049 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4050 
4051 		if (ret == 0 &&
4052 		    !nl80211_put_txq_stats(msg, &txqstats,
4053 					   NL80211_ATTR_TXQ_STATS))
4054 			goto nla_put_failure;
4055 	}
4056 
4057 	if (wdev->valid_links) {
4058 		unsigned int link_id;
4059 		struct nlattr *links = nla_nest_start(msg,
4060 						      NL80211_ATTR_MLO_LINKS);
4061 
4062 		if (!links)
4063 			goto nla_put_failure;
4064 
4065 		for_each_valid_link(wdev, link_id) {
4066 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4067 			struct cfg80211_chan_def chandef = {};
4068 			int ret;
4069 
4070 			if (!link)
4071 				goto nla_put_failure;
4072 
4073 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4074 				goto nla_put_failure;
4075 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4076 				    wdev->links[link_id].addr))
4077 				goto nla_put_failure;
4078 
4079 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4080 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4081 				goto nla_put_failure;
4082 
4083 			nla_nest_end(msg, link);
4084 		}
4085 
4086 		nla_nest_end(msg, links);
4087 	}
4088 
4089 	genlmsg_end(msg, hdr);
4090 	return 0;
4091 
4092  nla_put_failure:
4093 	genlmsg_cancel(msg, hdr);
4094 	return -EMSGSIZE;
4095 }
4096 
4097 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4098 {
4099 	int wp_idx = 0;
4100 	int if_idx = 0;
4101 	int wp_start = cb->args[0];
4102 	int if_start = cb->args[1];
4103 	int filter_wiphy = -1;
4104 	struct cfg80211_registered_device *rdev;
4105 	struct wireless_dev *wdev;
4106 	int ret;
4107 
4108 	rtnl_lock();
4109 	if (!cb->args[2]) {
4110 		struct nl80211_dump_wiphy_state state = {
4111 			.filter_wiphy = -1,
4112 		};
4113 
4114 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4115 		if (ret)
4116 			goto out_unlock;
4117 
4118 		filter_wiphy = state.filter_wiphy;
4119 
4120 		/*
4121 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4122 		 * value needed to determine that parsing is necessary.
4123 		 */
4124 		if (filter_wiphy >= 0)
4125 			cb->args[2] = filter_wiphy + 1;
4126 		else
4127 			cb->args[2] = -1;
4128 	} else if (cb->args[2] > 0) {
4129 		filter_wiphy = cb->args[2] - 1;
4130 	}
4131 
4132 	for_each_rdev(rdev) {
4133 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4134 			continue;
4135 		if (wp_idx < wp_start) {
4136 			wp_idx++;
4137 			continue;
4138 		}
4139 
4140 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4141 			continue;
4142 
4143 		if_idx = 0;
4144 
4145 		wiphy_lock(&rdev->wiphy);
4146 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4147 			if (if_idx < if_start) {
4148 				if_idx++;
4149 				continue;
4150 			}
4151 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4152 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4153 					       rdev, wdev,
4154 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4155 				wiphy_unlock(&rdev->wiphy);
4156 				goto out;
4157 			}
4158 			if_idx++;
4159 		}
4160 		wiphy_unlock(&rdev->wiphy);
4161 
4162 		if_start = 0;
4163 		wp_idx++;
4164 	}
4165  out:
4166 	cb->args[0] = wp_idx;
4167 	cb->args[1] = if_idx;
4168 
4169 	ret = skb->len;
4170  out_unlock:
4171 	rtnl_unlock();
4172 
4173 	return ret;
4174 }
4175 
4176 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4177 {
4178 	struct sk_buff *msg;
4179 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4180 	struct wireless_dev *wdev = info->user_ptr[1];
4181 
4182 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4183 	if (!msg)
4184 		return -ENOMEM;
4185 
4186 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4187 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4188 		nlmsg_free(msg);
4189 		return -ENOBUFS;
4190 	}
4191 
4192 	return genlmsg_reply(msg, info);
4193 }
4194 
4195 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4196 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4197 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4202 };
4203 
4204 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4205 {
4206 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4207 	int flag;
4208 
4209 	*mntrflags = 0;
4210 
4211 	if (!nla)
4212 		return -EINVAL;
4213 
4214 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4215 		return -EINVAL;
4216 
4217 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4218 		if (flags[flag])
4219 			*mntrflags |= (1<<flag);
4220 
4221 	*mntrflags |= MONITOR_FLAG_CHANGED;
4222 
4223 	return 0;
4224 }
4225 
4226 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4227 				     enum nl80211_iftype type,
4228 				     struct genl_info *info,
4229 				     struct vif_params *params)
4230 {
4231 	bool change = false;
4232 	int err;
4233 
4234 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4235 		if (type != NL80211_IFTYPE_MONITOR)
4236 			return -EINVAL;
4237 
4238 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4239 					  &params->flags);
4240 		if (err)
4241 			return err;
4242 
4243 		change = true;
4244 	}
4245 
4246 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4247 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4248 		return -EOPNOTSUPP;
4249 
4250 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4251 		const u8 *mumimo_groups;
4252 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4253 
4254 		if (type != NL80211_IFTYPE_MONITOR)
4255 			return -EINVAL;
4256 
4257 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4258 			return -EOPNOTSUPP;
4259 
4260 		mumimo_groups =
4261 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4262 
4263 		/* bits 0 and 63 are reserved and must be zero */
4264 		if ((mumimo_groups[0] & BIT(0)) ||
4265 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4266 			return -EINVAL;
4267 
4268 		params->vht_mumimo_groups = mumimo_groups;
4269 		change = true;
4270 	}
4271 
4272 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4273 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4274 
4275 		if (type != NL80211_IFTYPE_MONITOR)
4276 			return -EINVAL;
4277 
4278 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4279 			return -EOPNOTSUPP;
4280 
4281 		params->vht_mumimo_follow_addr =
4282 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4283 		change = true;
4284 	}
4285 
4286 	return change ? 1 : 0;
4287 }
4288 
4289 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4290 			       struct net_device *netdev, u8 use_4addr,
4291 			       enum nl80211_iftype iftype)
4292 {
4293 	if (!use_4addr) {
4294 		if (netdev && netif_is_bridge_port(netdev))
4295 			return -EBUSY;
4296 		return 0;
4297 	}
4298 
4299 	switch (iftype) {
4300 	case NL80211_IFTYPE_AP_VLAN:
4301 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4302 			return 0;
4303 		break;
4304 	case NL80211_IFTYPE_STATION:
4305 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4306 			return 0;
4307 		break;
4308 	default:
4309 		break;
4310 	}
4311 
4312 	return -EOPNOTSUPP;
4313 }
4314 
4315 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4316 {
4317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4318 	struct vif_params params;
4319 	int err;
4320 	enum nl80211_iftype otype, ntype;
4321 	struct net_device *dev = info->user_ptr[1];
4322 	bool change = false;
4323 
4324 	memset(&params, 0, sizeof(params));
4325 
4326 	otype = ntype = dev->ieee80211_ptr->iftype;
4327 
4328 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4329 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4330 		if (otype != ntype)
4331 			change = true;
4332 	}
4333 
4334 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4335 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4336 
4337 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4338 			return -EINVAL;
4339 		if (otype != NL80211_IFTYPE_MESH_POINT)
4340 			return -EINVAL;
4341 		if (netif_running(dev))
4342 			return -EBUSY;
4343 
4344 		wdev->u.mesh.id_up_len =
4345 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4346 		memcpy(wdev->u.mesh.id,
4347 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4348 		       wdev->u.mesh.id_up_len);
4349 	}
4350 
4351 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4352 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4353 		change = true;
4354 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4355 		if (err)
4356 			return err;
4357 	} else {
4358 		params.use_4addr = -1;
4359 	}
4360 
4361 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4362 	if (err < 0)
4363 		return err;
4364 	if (err > 0)
4365 		change = true;
4366 
4367 	if (change)
4368 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4369 	else
4370 		err = 0;
4371 
4372 	if (!err && params.use_4addr != -1)
4373 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4374 
4375 	if (change && !err) {
4376 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4377 
4378 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4379 	}
4380 
4381 	return err;
4382 }
4383 
4384 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4385 {
4386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4387 	struct vif_params params;
4388 	struct wireless_dev *wdev;
4389 	struct sk_buff *msg;
4390 	int err;
4391 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4392 
4393 	memset(&params, 0, sizeof(params));
4394 
4395 	if (!info->attrs[NL80211_ATTR_IFNAME])
4396 		return -EINVAL;
4397 
4398 	if (info->attrs[NL80211_ATTR_IFTYPE])
4399 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4400 
4401 	if (!rdev->ops->add_virtual_intf)
4402 		return -EOPNOTSUPP;
4403 
4404 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4405 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4406 	    info->attrs[NL80211_ATTR_MAC]) {
4407 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4408 			   ETH_ALEN);
4409 		if (!is_valid_ether_addr(params.macaddr))
4410 			return -EADDRNOTAVAIL;
4411 	}
4412 
4413 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4414 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4415 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4416 		if (err)
4417 			return err;
4418 	}
4419 
4420 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4421 		return -EOPNOTSUPP;
4422 
4423 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4424 	if (err < 0)
4425 		return err;
4426 
4427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4428 	if (!msg)
4429 		return -ENOMEM;
4430 
4431 	wdev = rdev_add_virtual_intf(rdev,
4432 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4433 				NET_NAME_USER, type, &params);
4434 	if (WARN_ON(!wdev)) {
4435 		nlmsg_free(msg);
4436 		return -EPROTO;
4437 	} else if (IS_ERR(wdev)) {
4438 		nlmsg_free(msg);
4439 		return PTR_ERR(wdev);
4440 	}
4441 
4442 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4443 		wdev->owner_nlportid = info->snd_portid;
4444 
4445 	switch (type) {
4446 	case NL80211_IFTYPE_MESH_POINT:
4447 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4448 			break;
4449 		wdev->u.mesh.id_up_len =
4450 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4451 		memcpy(wdev->u.mesh.id,
4452 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4453 		       wdev->u.mesh.id_up_len);
4454 		break;
4455 	case NL80211_IFTYPE_NAN:
4456 	case NL80211_IFTYPE_P2P_DEVICE:
4457 		/*
4458 		 * P2P Device and NAN do not have a netdev, so don't go
4459 		 * through the netdev notifier and must be added here
4460 		 */
4461 		cfg80211_init_wdev(wdev);
4462 		cfg80211_register_wdev(rdev, wdev);
4463 		break;
4464 	default:
4465 		break;
4466 	}
4467 
4468 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4469 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4470 		nlmsg_free(msg);
4471 		return -ENOBUFS;
4472 	}
4473 
4474 	return genlmsg_reply(msg, info);
4475 }
4476 
4477 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4478 {
4479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4480 	int ret;
4481 
4482 	/* to avoid failing a new interface creation due to pending removal */
4483 	cfg80211_destroy_ifaces(rdev);
4484 
4485 	wiphy_lock(&rdev->wiphy);
4486 	ret = _nl80211_new_interface(skb, info);
4487 	wiphy_unlock(&rdev->wiphy);
4488 
4489 	return ret;
4490 }
4491 
4492 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4493 {
4494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4495 	struct wireless_dev *wdev = info->user_ptr[1];
4496 
4497 	if (!rdev->ops->del_virtual_intf)
4498 		return -EOPNOTSUPP;
4499 
4500 	/*
4501 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4502 	 * reach 0, and thus the rdev cannot be deleted.
4503 	 *
4504 	 * We need to do it for the dev_close(), since that will call
4505 	 * the netdev notifiers, and we need to acquire the mutex there
4506 	 * but don't know if we get there from here or from some other
4507 	 * place (e.g. "ip link set ... down").
4508 	 */
4509 	mutex_unlock(&rdev->wiphy.mtx);
4510 
4511 	/*
4512 	 * If we remove a wireless device without a netdev then clear
4513 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4514 	 * to check if it needs to do dev_put(). Otherwise it crashes
4515 	 * since the wdev has been freed, unlike with a netdev where
4516 	 * we need the dev_put() for the netdev to really be freed.
4517 	 */
4518 	if (!wdev->netdev)
4519 		info->user_ptr[1] = NULL;
4520 	else
4521 		dev_close(wdev->netdev);
4522 
4523 	mutex_lock(&rdev->wiphy.mtx);
4524 
4525 	return cfg80211_remove_virtual_intf(rdev, wdev);
4526 }
4527 
4528 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4529 {
4530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4531 	struct net_device *dev = info->user_ptr[1];
4532 	u16 noack_map;
4533 
4534 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4535 		return -EINVAL;
4536 
4537 	if (!rdev->ops->set_noack_map)
4538 		return -EOPNOTSUPP;
4539 
4540 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4541 
4542 	return rdev_set_noack_map(rdev, dev, noack_map);
4543 }
4544 
4545 static int nl80211_validate_key_link_id(struct genl_info *info,
4546 					struct wireless_dev *wdev,
4547 					int link_id, bool pairwise)
4548 {
4549 	if (pairwise) {
4550 		if (link_id != -1) {
4551 			GENL_SET_ERR_MSG(info,
4552 					 "link ID not allowed for pairwise key");
4553 			return -EINVAL;
4554 		}
4555 
4556 		return 0;
4557 	}
4558 
4559 	if (wdev->valid_links) {
4560 		if (link_id == -1) {
4561 			GENL_SET_ERR_MSG(info,
4562 					 "link ID must for MLO group key");
4563 			return -EINVAL;
4564 		}
4565 		if (!(wdev->valid_links & BIT(link_id))) {
4566 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4567 			return -EINVAL;
4568 		}
4569 	} else if (link_id != -1) {
4570 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4571 		return -EINVAL;
4572 	}
4573 
4574 	return 0;
4575 }
4576 
4577 struct get_key_cookie {
4578 	struct sk_buff *msg;
4579 	int error;
4580 	int idx;
4581 };
4582 
4583 static void get_key_callback(void *c, struct key_params *params)
4584 {
4585 	struct nlattr *key;
4586 	struct get_key_cookie *cookie = c;
4587 
4588 	if ((params->seq &&
4589 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4590 		     params->seq_len, params->seq)) ||
4591 	    (params->cipher &&
4592 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4593 			 params->cipher)))
4594 		goto nla_put_failure;
4595 
4596 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4597 	if (!key)
4598 		goto nla_put_failure;
4599 
4600 	if ((params->seq &&
4601 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4602 		     params->seq_len, params->seq)) ||
4603 	    (params->cipher &&
4604 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4605 			 params->cipher)))
4606 		goto nla_put_failure;
4607 
4608 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4609 		goto nla_put_failure;
4610 
4611 	nla_nest_end(cookie->msg, key);
4612 
4613 	return;
4614  nla_put_failure:
4615 	cookie->error = 1;
4616 }
4617 
4618 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4619 {
4620 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4621 	int err;
4622 	struct net_device *dev = info->user_ptr[1];
4623 	u8 key_idx = 0;
4624 	const u8 *mac_addr = NULL;
4625 	bool pairwise;
4626 	struct get_key_cookie cookie = {
4627 		.error = 0,
4628 	};
4629 	void *hdr;
4630 	struct sk_buff *msg;
4631 	bool bigtk_support = false;
4632 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4633 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4634 
4635 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4636 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4637 		bigtk_support = true;
4638 
4639 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4640 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4641 	    wiphy_ext_feature_isset(&rdev->wiphy,
4642 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4643 		bigtk_support = true;
4644 
4645 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4646 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4647 
4648 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4649 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4650 			return -EINVAL;
4651 		}
4652 	}
4653 
4654 	if (info->attrs[NL80211_ATTR_MAC])
4655 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4656 
4657 	pairwise = !!mac_addr;
4658 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4659 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4660 
4661 		if (kt != NL80211_KEYTYPE_GROUP &&
4662 		    kt != NL80211_KEYTYPE_PAIRWISE)
4663 			return -EINVAL;
4664 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4665 	}
4666 
4667 	if (!rdev->ops->get_key)
4668 		return -EOPNOTSUPP;
4669 
4670 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4671 		return -ENOENT;
4672 
4673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4674 	if (!msg)
4675 		return -ENOMEM;
4676 
4677 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4678 			     NL80211_CMD_NEW_KEY);
4679 	if (!hdr)
4680 		goto nla_put_failure;
4681 
4682 	cookie.msg = msg;
4683 	cookie.idx = key_idx;
4684 
4685 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4686 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4687 		goto nla_put_failure;
4688 	if (mac_addr &&
4689 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4690 		goto nla_put_failure;
4691 
4692 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4693 	if (err)
4694 		goto free_msg;
4695 
4696 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4697 			   &cookie, get_key_callback);
4698 
4699 	if (err)
4700 		goto free_msg;
4701 
4702 	if (cookie.error)
4703 		goto nla_put_failure;
4704 
4705 	genlmsg_end(msg, hdr);
4706 	return genlmsg_reply(msg, info);
4707 
4708  nla_put_failure:
4709 	err = -ENOBUFS;
4710  free_msg:
4711 	nlmsg_free(msg);
4712 	return err;
4713 }
4714 
4715 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4716 {
4717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4718 	struct key_parse key;
4719 	int err;
4720 	struct net_device *dev = info->user_ptr[1];
4721 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4722 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4723 
4724 	err = nl80211_parse_key(info, &key);
4725 	if (err)
4726 		return err;
4727 
4728 	if (key.idx < 0)
4729 		return -EINVAL;
4730 
4731 	/* Only support setting default key and
4732 	 * Extended Key ID action NL80211_KEY_SET_TX.
4733 	 */
4734 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4735 	    !(key.p.mode == NL80211_KEY_SET_TX))
4736 		return -EINVAL;
4737 
4738 	if (key.def) {
4739 		if (!rdev->ops->set_default_key)
4740 			return -EOPNOTSUPP;
4741 
4742 		err = nl80211_key_allowed(wdev);
4743 		if (err)
4744 			return err;
4745 
4746 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4747 		if (err)
4748 			return err;
4749 
4750 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4751 					   key.def_uni, key.def_multi);
4752 
4753 		if (err)
4754 			return err;
4755 
4756 #ifdef CONFIG_CFG80211_WEXT
4757 		wdev->wext.default_key = key.idx;
4758 #endif
4759 		return 0;
4760 	} else if (key.defmgmt) {
4761 		if (key.def_uni || !key.def_multi)
4762 			return -EINVAL;
4763 
4764 		if (!rdev->ops->set_default_mgmt_key)
4765 			return -EOPNOTSUPP;
4766 
4767 		err = nl80211_key_allowed(wdev);
4768 		if (err)
4769 			return err;
4770 
4771 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4772 		if (err)
4773 			return err;
4774 
4775 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4776 		if (err)
4777 			return err;
4778 
4779 #ifdef CONFIG_CFG80211_WEXT
4780 		wdev->wext.default_mgmt_key = key.idx;
4781 #endif
4782 		return 0;
4783 	} else if (key.defbeacon) {
4784 		if (key.def_uni || !key.def_multi)
4785 			return -EINVAL;
4786 
4787 		if (!rdev->ops->set_default_beacon_key)
4788 			return -EOPNOTSUPP;
4789 
4790 		err = nl80211_key_allowed(wdev);
4791 		if (err)
4792 			return err;
4793 
4794 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4795 		if (err)
4796 			return err;
4797 
4798 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4799 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4800 		   wiphy_ext_feature_isset(&rdev->wiphy,
4801 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4802 		u8 *mac_addr = NULL;
4803 
4804 		if (info->attrs[NL80211_ATTR_MAC])
4805 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4806 
4807 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4808 			return -EINVAL;
4809 
4810 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4811 		if (err)
4812 			return err;
4813 
4814 		return rdev_add_key(rdev, dev, link_id, key.idx,
4815 				    NL80211_KEYTYPE_PAIRWISE,
4816 				    mac_addr, &key.p);
4817 	}
4818 
4819 	return -EINVAL;
4820 }
4821 
4822 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4823 {
4824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4825 	int err;
4826 	struct net_device *dev = info->user_ptr[1];
4827 	struct key_parse key;
4828 	const u8 *mac_addr = NULL;
4829 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4830 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4831 
4832 	err = nl80211_parse_key(info, &key);
4833 	if (err)
4834 		return err;
4835 
4836 	if (!key.p.key) {
4837 		GENL_SET_ERR_MSG(info, "no key");
4838 		return -EINVAL;
4839 	}
4840 
4841 	if (info->attrs[NL80211_ATTR_MAC])
4842 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4843 
4844 	if (key.type == -1) {
4845 		if (mac_addr)
4846 			key.type = NL80211_KEYTYPE_PAIRWISE;
4847 		else
4848 			key.type = NL80211_KEYTYPE_GROUP;
4849 	}
4850 
4851 	/* for now */
4852 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4853 	    key.type != NL80211_KEYTYPE_GROUP) {
4854 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4855 		return -EINVAL;
4856 	}
4857 
4858 	if (key.type == NL80211_KEYTYPE_GROUP &&
4859 	    info->attrs[NL80211_ATTR_VLAN_ID])
4860 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4861 
4862 	if (!rdev->ops->add_key)
4863 		return -EOPNOTSUPP;
4864 
4865 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4866 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4867 					   mac_addr)) {
4868 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4869 		return -EINVAL;
4870 	}
4871 
4872 	err = nl80211_key_allowed(wdev);
4873 	if (err)
4874 		GENL_SET_ERR_MSG(info, "key not allowed");
4875 
4876 	if (!err)
4877 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4878 				key.type == NL80211_KEYTYPE_PAIRWISE);
4879 
4880 	if (!err) {
4881 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4882 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4883 				    mac_addr, &key.p);
4884 		if (err)
4885 			GENL_SET_ERR_MSG(info, "key addition failed");
4886 	}
4887 
4888 	return err;
4889 }
4890 
4891 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4892 {
4893 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4894 	int err;
4895 	struct net_device *dev = info->user_ptr[1];
4896 	u8 *mac_addr = NULL;
4897 	struct key_parse key;
4898 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4899 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4900 
4901 	err = nl80211_parse_key(info, &key);
4902 	if (err)
4903 		return err;
4904 
4905 	if (info->attrs[NL80211_ATTR_MAC])
4906 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4907 
4908 	if (key.type == -1) {
4909 		if (mac_addr)
4910 			key.type = NL80211_KEYTYPE_PAIRWISE;
4911 		else
4912 			key.type = NL80211_KEYTYPE_GROUP;
4913 	}
4914 
4915 	/* for now */
4916 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4917 	    key.type != NL80211_KEYTYPE_GROUP)
4918 		return -EINVAL;
4919 
4920 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4921 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4922 		return -EINVAL;
4923 
4924 	if (!rdev->ops->del_key)
4925 		return -EOPNOTSUPP;
4926 
4927 	err = nl80211_key_allowed(wdev);
4928 
4929 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4930 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4931 		err = -ENOENT;
4932 
4933 	if (!err)
4934 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4935 				key.type == NL80211_KEYTYPE_PAIRWISE);
4936 
4937 	if (!err)
4938 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4939 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4940 				   mac_addr);
4941 
4942 #ifdef CONFIG_CFG80211_WEXT
4943 	if (!err) {
4944 		if (key.idx == wdev->wext.default_key)
4945 			wdev->wext.default_key = -1;
4946 		else if (key.idx == wdev->wext.default_mgmt_key)
4947 			wdev->wext.default_mgmt_key = -1;
4948 	}
4949 #endif
4950 
4951 	return err;
4952 }
4953 
4954 /* This function returns an error or the number of nested attributes */
4955 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4956 {
4957 	struct nlattr *attr;
4958 	int n_entries = 0, tmp;
4959 
4960 	nla_for_each_nested(attr, nl_attr, tmp) {
4961 		if (nla_len(attr) != ETH_ALEN)
4962 			return -EINVAL;
4963 
4964 		n_entries++;
4965 	}
4966 
4967 	return n_entries;
4968 }
4969 
4970 /*
4971  * This function parses ACL information and allocates memory for ACL data.
4972  * On successful return, the calling function is responsible to free the
4973  * ACL buffer returned by this function.
4974  */
4975 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4976 						struct genl_info *info)
4977 {
4978 	enum nl80211_acl_policy acl_policy;
4979 	struct nlattr *attr;
4980 	struct cfg80211_acl_data *acl;
4981 	int i = 0, n_entries, tmp;
4982 
4983 	if (!wiphy->max_acl_mac_addrs)
4984 		return ERR_PTR(-EOPNOTSUPP);
4985 
4986 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4987 		return ERR_PTR(-EINVAL);
4988 
4989 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4990 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4991 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4992 		return ERR_PTR(-EINVAL);
4993 
4994 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4995 		return ERR_PTR(-EINVAL);
4996 
4997 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4998 	if (n_entries < 0)
4999 		return ERR_PTR(n_entries);
5000 
5001 	if (n_entries > wiphy->max_acl_mac_addrs)
5002 		return ERR_PTR(-EOPNOTSUPP);
5003 
5004 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5005 	if (!acl)
5006 		return ERR_PTR(-ENOMEM);
5007 	acl->n_acl_entries = n_entries;
5008 
5009 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5010 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5011 		i++;
5012 	}
5013 	acl->acl_policy = acl_policy;
5014 
5015 	return acl;
5016 }
5017 
5018 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5019 {
5020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5021 	struct net_device *dev = info->user_ptr[1];
5022 	struct cfg80211_acl_data *acl;
5023 	int err;
5024 
5025 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5026 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5027 		return -EOPNOTSUPP;
5028 
5029 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5030 		return -EINVAL;
5031 
5032 	acl = parse_acl_data(&rdev->wiphy, info);
5033 	if (IS_ERR(acl))
5034 		return PTR_ERR(acl);
5035 
5036 	err = rdev_set_mac_acl(rdev, dev, acl);
5037 
5038 	kfree(acl);
5039 
5040 	return err;
5041 }
5042 
5043 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5044 			   u8 *rates, u8 rates_len)
5045 {
5046 	u8 i;
5047 	u32 mask = 0;
5048 
5049 	for (i = 0; i < rates_len; i++) {
5050 		int rate = (rates[i] & 0x7f) * 5;
5051 		int ridx;
5052 
5053 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5054 			struct ieee80211_rate *srate =
5055 				&sband->bitrates[ridx];
5056 			if (rate == srate->bitrate) {
5057 				mask |= 1 << ridx;
5058 				break;
5059 			}
5060 		}
5061 		if (ridx == sband->n_bitrates)
5062 			return 0; /* rate not found */
5063 	}
5064 
5065 	return mask;
5066 }
5067 
5068 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5069 			       u8 *rates, u8 rates_len,
5070 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5071 {
5072 	u8 i;
5073 
5074 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5075 
5076 	for (i = 0; i < rates_len; i++) {
5077 		int ridx, rbit;
5078 
5079 		ridx = rates[i] / 8;
5080 		rbit = BIT(rates[i] % 8);
5081 
5082 		/* check validity */
5083 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5084 			return false;
5085 
5086 		/* check availability */
5087 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5088 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5089 			mcs[ridx] |= rbit;
5090 		else
5091 			return false;
5092 	}
5093 
5094 	return true;
5095 }
5096 
5097 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5098 {
5099 	u16 mcs_mask = 0;
5100 
5101 	switch (vht_mcs_map) {
5102 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5103 		break;
5104 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5105 		mcs_mask = 0x00FF;
5106 		break;
5107 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5108 		mcs_mask = 0x01FF;
5109 		break;
5110 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5111 		mcs_mask = 0x03FF;
5112 		break;
5113 	default:
5114 		break;
5115 	}
5116 
5117 	return mcs_mask;
5118 }
5119 
5120 static void vht_build_mcs_mask(u16 vht_mcs_map,
5121 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5122 {
5123 	u8 nss;
5124 
5125 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5126 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5127 		vht_mcs_map >>= 2;
5128 	}
5129 }
5130 
5131 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5132 			     struct nl80211_txrate_vht *txrate,
5133 			     u16 mcs[NL80211_VHT_NSS_MAX])
5134 {
5135 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5136 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5137 	u8 i;
5138 
5139 	if (!sband->vht_cap.vht_supported)
5140 		return false;
5141 
5142 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5143 
5144 	/* Build vht_mcs_mask from VHT capabilities */
5145 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5146 
5147 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5148 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5149 			mcs[i] = txrate->mcs[i];
5150 		else
5151 			return false;
5152 	}
5153 
5154 	return true;
5155 }
5156 
5157 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5158 {
5159 	switch (he_mcs_map) {
5160 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5161 		return 0;
5162 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5163 		return 0x00FF;
5164 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5165 		return 0x03FF;
5166 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5167 		return 0xFFF;
5168 	default:
5169 		break;
5170 	}
5171 	return 0;
5172 }
5173 
5174 static void he_build_mcs_mask(u16 he_mcs_map,
5175 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5176 {
5177 	u8 nss;
5178 
5179 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5180 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5181 		he_mcs_map >>= 2;
5182 	}
5183 }
5184 
5185 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5186 			   const struct ieee80211_sta_he_cap *he_cap)
5187 {
5188 	struct net_device *dev = info->user_ptr[1];
5189 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5190 	struct cfg80211_chan_def *chandef;
5191 	__le16 tx_mcs;
5192 
5193 	chandef = wdev_chandef(wdev, link_id);
5194 	if (!chandef) {
5195 		/*
5196 		 * This is probably broken, but we never maintained
5197 		 * a chandef in these cases, so it always was.
5198 		 */
5199 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5200 	}
5201 
5202 	switch (chandef->width) {
5203 	case NL80211_CHAN_WIDTH_80P80:
5204 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5205 		break;
5206 	case NL80211_CHAN_WIDTH_160:
5207 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5208 		break;
5209 	default:
5210 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5211 		break;
5212 	}
5213 
5214 	return le16_to_cpu(tx_mcs);
5215 }
5216 
5217 static bool he_set_mcs_mask(struct genl_info *info,
5218 			    struct wireless_dev *wdev,
5219 			    struct ieee80211_supported_band *sband,
5220 			    struct nl80211_txrate_he *txrate,
5221 			    u16 mcs[NL80211_HE_NSS_MAX],
5222 			    unsigned int link_id)
5223 {
5224 	const struct ieee80211_sta_he_cap *he_cap;
5225 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5226 	u16 tx_mcs_map = 0;
5227 	u8 i;
5228 
5229 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5230 	if (!he_cap)
5231 		return false;
5232 
5233 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5234 
5235 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5236 
5237 	/* Build he_mcs_mask from HE capabilities */
5238 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5239 
5240 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5241 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5242 			mcs[i] = txrate->mcs[i];
5243 		else
5244 			return false;
5245 	}
5246 
5247 	return true;
5248 }
5249 
5250 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5251 					 struct nlattr *attrs[],
5252 					 enum nl80211_attrs attr,
5253 					 struct cfg80211_bitrate_mask *mask,
5254 					 struct net_device *dev,
5255 					 bool default_all_enabled,
5256 					 unsigned int link_id)
5257 {
5258 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5260 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5261 	int rem, i;
5262 	struct nlattr *tx_rates;
5263 	struct ieee80211_supported_band *sband;
5264 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5265 
5266 	memset(mask, 0, sizeof(*mask));
5267 	/* Default to all rates enabled */
5268 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5269 		const struct ieee80211_sta_he_cap *he_cap;
5270 
5271 		if (!default_all_enabled)
5272 			break;
5273 
5274 		sband = rdev->wiphy.bands[i];
5275 
5276 		if (!sband)
5277 			continue;
5278 
5279 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5280 		memcpy(mask->control[i].ht_mcs,
5281 		       sband->ht_cap.mcs.rx_mask,
5282 		       sizeof(mask->control[i].ht_mcs));
5283 
5284 		if (sband->vht_cap.vht_supported) {
5285 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5286 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5287 		}
5288 
5289 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5290 		if (!he_cap)
5291 			continue;
5292 
5293 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5294 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5295 
5296 		mask->control[i].he_gi = 0xFF;
5297 		mask->control[i].he_ltf = 0xFF;
5298 	}
5299 
5300 	/* if no rates are given set it back to the defaults */
5301 	if (!attrs[attr])
5302 		goto out;
5303 
5304 	/* The nested attribute uses enum nl80211_band as the index. This maps
5305 	 * directly to the enum nl80211_band values used in cfg80211.
5306 	 */
5307 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5308 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5309 		enum nl80211_band band = nla_type(tx_rates);
5310 		int err;
5311 
5312 		if (band < 0 || band >= NUM_NL80211_BANDS)
5313 			return -EINVAL;
5314 		sband = rdev->wiphy.bands[band];
5315 		if (sband == NULL)
5316 			return -EINVAL;
5317 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5318 						  tx_rates,
5319 						  nl80211_txattr_policy,
5320 						  info->extack);
5321 		if (err)
5322 			return err;
5323 		if (tb[NL80211_TXRATE_LEGACY]) {
5324 			mask->control[band].legacy = rateset_to_mask(
5325 				sband,
5326 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5327 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5328 			if ((mask->control[band].legacy == 0) &&
5329 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5330 				return -EINVAL;
5331 		}
5332 		if (tb[NL80211_TXRATE_HT]) {
5333 			if (!ht_rateset_to_mask(
5334 					sband,
5335 					nla_data(tb[NL80211_TXRATE_HT]),
5336 					nla_len(tb[NL80211_TXRATE_HT]),
5337 					mask->control[band].ht_mcs))
5338 				return -EINVAL;
5339 		}
5340 
5341 		if (tb[NL80211_TXRATE_VHT]) {
5342 			if (!vht_set_mcs_mask(
5343 					sband,
5344 					nla_data(tb[NL80211_TXRATE_VHT]),
5345 					mask->control[band].vht_mcs))
5346 				return -EINVAL;
5347 		}
5348 
5349 		if (tb[NL80211_TXRATE_GI]) {
5350 			mask->control[band].gi =
5351 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5352 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5353 				return -EINVAL;
5354 		}
5355 		if (tb[NL80211_TXRATE_HE] &&
5356 		    !he_set_mcs_mask(info, wdev, sband,
5357 				     nla_data(tb[NL80211_TXRATE_HE]),
5358 				     mask->control[band].he_mcs,
5359 				     link_id))
5360 			return -EINVAL;
5361 
5362 		if (tb[NL80211_TXRATE_HE_GI])
5363 			mask->control[band].he_gi =
5364 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5365 		if (tb[NL80211_TXRATE_HE_LTF])
5366 			mask->control[band].he_ltf =
5367 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5368 
5369 		if (mask->control[band].legacy == 0) {
5370 			/* don't allow empty legacy rates if HT, VHT or HE
5371 			 * are not even supported.
5372 			 */
5373 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5374 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5375 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5376 				return -EINVAL;
5377 
5378 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5379 				if (mask->control[band].ht_mcs[i])
5380 					goto out;
5381 
5382 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5383 				if (mask->control[band].vht_mcs[i])
5384 					goto out;
5385 
5386 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5387 				if (mask->control[band].he_mcs[i])
5388 					goto out;
5389 
5390 			/* legacy and mcs rates may not be both empty */
5391 			return -EINVAL;
5392 		}
5393 	}
5394 
5395 out:
5396 	return 0;
5397 }
5398 
5399 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5400 				   enum nl80211_band band,
5401 				   struct cfg80211_bitrate_mask *beacon_rate)
5402 {
5403 	u32 count_ht, count_vht, count_he, i;
5404 	u32 rate = beacon_rate->control[band].legacy;
5405 
5406 	/* Allow only one rate */
5407 	if (hweight32(rate) > 1)
5408 		return -EINVAL;
5409 
5410 	count_ht = 0;
5411 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5412 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5413 			return -EINVAL;
5414 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5415 			count_ht++;
5416 			if (count_ht > 1)
5417 				return -EINVAL;
5418 		}
5419 		if (count_ht && rate)
5420 			return -EINVAL;
5421 	}
5422 
5423 	count_vht = 0;
5424 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5425 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5426 			return -EINVAL;
5427 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5428 			count_vht++;
5429 			if (count_vht > 1)
5430 				return -EINVAL;
5431 		}
5432 		if (count_vht && rate)
5433 			return -EINVAL;
5434 	}
5435 
5436 	count_he = 0;
5437 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5438 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5439 			return -EINVAL;
5440 		} else if (beacon_rate->control[band].he_mcs[i]) {
5441 			count_he++;
5442 			if (count_he > 1)
5443 				return -EINVAL;
5444 		}
5445 		if (count_he && rate)
5446 			return -EINVAL;
5447 	}
5448 
5449 	if ((count_ht && count_vht && count_he) ||
5450 	    (!rate && !count_ht && !count_vht && !count_he))
5451 		return -EINVAL;
5452 
5453 	if (rate &&
5454 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5455 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5456 		return -EINVAL;
5457 	if (count_ht &&
5458 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5459 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5460 		return -EINVAL;
5461 	if (count_vht &&
5462 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5463 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5464 		return -EINVAL;
5465 	if (count_he &&
5466 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5467 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5468 		return -EINVAL;
5469 
5470 	return 0;
5471 }
5472 
5473 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5474 				       struct net_device *dev,
5475 				       struct nlattr *attrs,
5476 				       struct cfg80211_mbssid_config *config,
5477 				       u8 num_elems)
5478 {
5479 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5480 
5481 	if (!wiphy->mbssid_max_interfaces)
5482 		return -EOPNOTSUPP;
5483 
5484 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5485 			     NULL) ||
5486 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5487 		return -EINVAL;
5488 
5489 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5490 	if (config->ema) {
5491 		if (!wiphy->ema_max_profile_periodicity)
5492 			return -EOPNOTSUPP;
5493 
5494 		if (num_elems > wiphy->ema_max_profile_periodicity)
5495 			return -EINVAL;
5496 	}
5497 
5498 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5499 	if (config->index >= wiphy->mbssid_max_interfaces ||
5500 	    (!config->index && !num_elems))
5501 		return -EINVAL;
5502 
5503 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5504 		u32 tx_ifindex =
5505 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5506 
5507 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5508 		    (config->index && tx_ifindex == dev->ifindex))
5509 			return -EINVAL;
5510 
5511 		if (tx_ifindex != dev->ifindex) {
5512 			struct net_device *tx_netdev =
5513 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5514 
5515 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5516 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5517 			    tx_netdev->ieee80211_ptr->iftype !=
5518 							NL80211_IFTYPE_AP) {
5519 				dev_put(tx_netdev);
5520 				return -EINVAL;
5521 			}
5522 
5523 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5524 		} else {
5525 			config->tx_wdev = dev->ieee80211_ptr;
5526 		}
5527 	} else if (!config->index) {
5528 		config->tx_wdev = dev->ieee80211_ptr;
5529 	} else {
5530 		return -EINVAL;
5531 	}
5532 
5533 	return 0;
5534 }
5535 
5536 static struct cfg80211_mbssid_elems *
5537 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5538 {
5539 	struct nlattr *nl_elems;
5540 	struct cfg80211_mbssid_elems *elems;
5541 	int rem_elems;
5542 	u8 i = 0, num_elems = 0;
5543 
5544 	if (!wiphy->mbssid_max_interfaces)
5545 		return ERR_PTR(-EINVAL);
5546 
5547 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5548 		if (num_elems >= 255)
5549 			return ERR_PTR(-EINVAL);
5550 		num_elems++;
5551 	}
5552 
5553 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5554 	if (!elems)
5555 		return ERR_PTR(-ENOMEM);
5556 	elems->cnt = num_elems;
5557 
5558 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5559 		elems->elem[i].data = nla_data(nl_elems);
5560 		elems->elem[i].len = nla_len(nl_elems);
5561 		i++;
5562 	}
5563 	return elems;
5564 }
5565 
5566 static struct cfg80211_rnr_elems *
5567 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5568 			struct netlink_ext_ack *extack)
5569 {
5570 	struct nlattr *nl_elems;
5571 	struct cfg80211_rnr_elems *elems;
5572 	int rem_elems;
5573 	u8 i = 0, num_elems = 0;
5574 
5575 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5576 		int ret;
5577 
5578 		ret = validate_ie_attr(nl_elems, extack);
5579 		if (ret)
5580 			return ERR_PTR(ret);
5581 
5582 		num_elems++;
5583 	}
5584 
5585 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5586 	if (!elems)
5587 		return ERR_PTR(-ENOMEM);
5588 	elems->cnt = num_elems;
5589 
5590 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5591 		elems->elem[i].data = nla_data(nl_elems);
5592 		elems->elem[i].len = nla_len(nl_elems);
5593 		i++;
5594 	}
5595 	return elems;
5596 }
5597 
5598 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5599 				      struct cfg80211_he_bss_color *he_bss_color)
5600 {
5601 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5602 	int err;
5603 
5604 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5605 			       he_bss_color_policy, NULL);
5606 	if (err)
5607 		return err;
5608 
5609 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5610 		return -EINVAL;
5611 
5612 	he_bss_color->color =
5613 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5614 	he_bss_color->enabled =
5615 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5616 	he_bss_color->partial =
5617 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5618 
5619 	return 0;
5620 }
5621 
5622 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5623 				struct nlattr *attrs[],
5624 				struct cfg80211_beacon_data *bcn,
5625 				struct netlink_ext_ack *extack)
5626 {
5627 	bool haveinfo = false;
5628 	int err;
5629 
5630 	memset(bcn, 0, sizeof(*bcn));
5631 
5632 	bcn->link_id = nl80211_link_id(attrs);
5633 
5634 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5635 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5636 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5637 		if (!bcn->head_len)
5638 			return -EINVAL;
5639 		haveinfo = true;
5640 	}
5641 
5642 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5643 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5644 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5645 		haveinfo = true;
5646 	}
5647 
5648 	if (!haveinfo)
5649 		return -EINVAL;
5650 
5651 	if (attrs[NL80211_ATTR_IE]) {
5652 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5653 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5654 	}
5655 
5656 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5657 		bcn->proberesp_ies =
5658 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5659 		bcn->proberesp_ies_len =
5660 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5661 	}
5662 
5663 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5664 		bcn->assocresp_ies =
5665 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5666 		bcn->assocresp_ies_len =
5667 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5668 	}
5669 
5670 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5671 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5672 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5673 	}
5674 
5675 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5676 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5677 
5678 		err = nla_parse_nested_deprecated(tb,
5679 						  NL80211_FTM_RESP_ATTR_MAX,
5680 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5681 						  NULL, NULL);
5682 		if (err)
5683 			return err;
5684 
5685 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5686 		    wiphy_ext_feature_isset(&rdev->wiphy,
5687 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5688 			bcn->ftm_responder = 1;
5689 		else
5690 			return -EOPNOTSUPP;
5691 
5692 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5693 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5694 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5695 		}
5696 
5697 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5698 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5699 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5700 		}
5701 	} else {
5702 		bcn->ftm_responder = -1;
5703 	}
5704 
5705 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5706 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5707 						 &bcn->he_bss_color);
5708 		if (err)
5709 			return err;
5710 		bcn->he_bss_color_valid = true;
5711 	}
5712 
5713 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5714 		struct cfg80211_mbssid_elems *mbssid =
5715 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5716 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5717 
5718 		if (IS_ERR(mbssid))
5719 			return PTR_ERR(mbssid);
5720 
5721 		bcn->mbssid_ies = mbssid;
5722 
5723 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5724 			struct cfg80211_rnr_elems *rnr =
5725 				nl80211_parse_rnr_elems(&rdev->wiphy,
5726 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5727 							extack);
5728 
5729 			if (IS_ERR(rnr))
5730 				return PTR_ERR(rnr);
5731 
5732 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5733 				return -EINVAL;
5734 
5735 			bcn->rnr_ies = rnr;
5736 		}
5737 	}
5738 
5739 	return 0;
5740 }
5741 
5742 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5743 				    struct ieee80211_he_obss_pd *he_obss_pd)
5744 {
5745 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5746 	int err;
5747 
5748 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5749 			       he_obss_pd_policy, NULL);
5750 	if (err)
5751 		return err;
5752 
5753 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5754 		return -EINVAL;
5755 
5756 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5757 
5758 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5759 		he_obss_pd->min_offset =
5760 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5761 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5762 		he_obss_pd->max_offset =
5763 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5764 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5765 		he_obss_pd->non_srg_max_offset =
5766 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5767 
5768 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5769 		return -EINVAL;
5770 
5771 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5772 		memcpy(he_obss_pd->bss_color_bitmap,
5773 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5774 		       sizeof(he_obss_pd->bss_color_bitmap));
5775 
5776 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5777 		memcpy(he_obss_pd->partial_bssid_bitmap,
5778 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5779 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5780 
5781 	he_obss_pd->enable = true;
5782 
5783 	return 0;
5784 }
5785 
5786 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5787 					struct nlattr *attrs,
5788 					struct cfg80211_fils_discovery *fd)
5789 {
5790 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5791 	int ret;
5792 
5793 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5794 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5795 		return -EINVAL;
5796 
5797 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5798 			       NULL, NULL);
5799 	if (ret)
5800 		return ret;
5801 
5802 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5803 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5804 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5805 		fd->update = true;
5806 		return 0;
5807 	}
5808 
5809 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5810 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5811 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5812 		return -EINVAL;
5813 
5814 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5815 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5816 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5817 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5818 	fd->update = true;
5819 	return 0;
5820 }
5821 
5822 static int
5823 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5824 				     struct nlattr *attrs,
5825 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5826 {
5827 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5828 	int ret;
5829 
5830 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5831 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5832 		return -EINVAL;
5833 
5834 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5835 			       attrs, NULL, NULL);
5836 	if (ret)
5837 		return ret;
5838 
5839 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5840 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5841 		presp->update = true;
5842 		return 0;
5843 	}
5844 
5845 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5846 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5847 		return -EINVAL;
5848 
5849 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5850 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5851 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5852 	presp->update = true;
5853 	return 0;
5854 }
5855 
5856 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5857 					    const struct element *rates)
5858 {
5859 	int i;
5860 
5861 	if (!rates)
5862 		return;
5863 
5864 	for (i = 0; i < rates->datalen; i++) {
5865 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5866 			params->ht_required = true;
5867 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5868 			params->vht_required = true;
5869 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5870 			params->he_required = true;
5871 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5872 			params->sae_h2e_required = true;
5873 	}
5874 }
5875 
5876 /*
5877  * Since the nl80211 API didn't include, from the beginning, attributes about
5878  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5879  * benefit of drivers that rebuild IEs in the firmware.
5880  */
5881 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5882 {
5883 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5884 	size_t ies_len = bcn->tail_len;
5885 	const u8 *ies = bcn->tail;
5886 	const struct element *rates;
5887 	const struct element *cap;
5888 
5889 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5890 	nl80211_check_ap_rate_selectors(params, rates);
5891 
5892 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5893 	nl80211_check_ap_rate_selectors(params, rates);
5894 
5895 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5896 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5897 		params->ht_cap = (void *)cap->data;
5898 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5899 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5900 		params->vht_cap = (void *)cap->data;
5901 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5902 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5903 		params->he_cap = (void *)(cap->data + 1);
5904 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5905 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5906 		params->he_oper = (void *)(cap->data + 1);
5907 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5908 	if (cap) {
5909 		if (!cap->datalen)
5910 			return -EINVAL;
5911 		params->eht_cap = (void *)(cap->data + 1);
5912 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5913 						(const u8 *)params->eht_cap,
5914 						cap->datalen - 1, true))
5915 			return -EINVAL;
5916 	}
5917 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5918 	if (cap) {
5919 		if (!cap->datalen)
5920 			return -EINVAL;
5921 		params->eht_oper = (void *)(cap->data + 1);
5922 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5923 						cap->datalen - 1))
5924 			return -EINVAL;
5925 	}
5926 	return 0;
5927 }
5928 
5929 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5930 				   struct cfg80211_ap_settings *params)
5931 {
5932 	struct wireless_dev *wdev;
5933 
5934 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5935 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5936 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5937 			continue;
5938 
5939 		if (!wdev->u.ap.preset_chandef.chan)
5940 			continue;
5941 
5942 		params->chandef = wdev->u.ap.preset_chandef;
5943 		return true;
5944 	}
5945 
5946 	return false;
5947 }
5948 
5949 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5950 				    enum nl80211_auth_type auth_type,
5951 				    enum nl80211_commands cmd)
5952 {
5953 	if (auth_type > NL80211_AUTHTYPE_MAX)
5954 		return false;
5955 
5956 	switch (cmd) {
5957 	case NL80211_CMD_AUTHENTICATE:
5958 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5959 		    auth_type == NL80211_AUTHTYPE_SAE)
5960 			return false;
5961 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5962 					     NL80211_EXT_FEATURE_FILS_STA) &&
5963 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5964 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5965 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5966 			return false;
5967 		return true;
5968 	case NL80211_CMD_CONNECT:
5969 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5970 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5971 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5972 		    auth_type == NL80211_AUTHTYPE_SAE)
5973 			return false;
5974 
5975 		/* FILS with SK PFS or PK not supported yet */
5976 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5977 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5978 			return false;
5979 		if (!wiphy_ext_feature_isset(
5980 			    &rdev->wiphy,
5981 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5982 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5983 			return false;
5984 		return true;
5985 	case NL80211_CMD_START_AP:
5986 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5987 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5988 		    auth_type == NL80211_AUTHTYPE_SAE)
5989 			return false;
5990 		/* FILS not supported yet */
5991 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5992 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5993 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5994 			return false;
5995 		return true;
5996 	default:
5997 		return false;
5998 	}
5999 }
6000 
6001 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6002 				    unsigned int link_id)
6003 {
6004 	struct wiphy *wiphy = wdev->wiphy;
6005 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6006 	struct sk_buff *msg;
6007 	void *hdr;
6008 
6009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6010 	if (!msg)
6011 		return;
6012 
6013 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6014 	if (!hdr)
6015 		goto out;
6016 
6017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6018 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6019 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6020 			      NL80211_ATTR_PAD) ||
6021 	    (wdev->u.ap.ssid_len &&
6022 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6023 		     wdev->u.ap.ssid)) ||
6024 	    (wdev->valid_links &&
6025 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6026 		goto out;
6027 
6028 	genlmsg_end(msg, hdr);
6029 
6030 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6031 				NL80211_MCGRP_MLME, GFP_KERNEL);
6032 	return;
6033 out:
6034 	nlmsg_free(msg);
6035 }
6036 
6037 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6038 {
6039 	struct ieee80211_channel *channel = params->chandef.chan;
6040 
6041 	if ((params->he_cap ||  params->he_oper) &&
6042 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6043 		return -EOPNOTSUPP;
6044 
6045 	if ((params->eht_cap || params->eht_oper) &&
6046 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6047 		return -EOPNOTSUPP;
6048 
6049 	return 0;
6050 }
6051 
6052 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6053 {
6054 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6055 	struct cfg80211_beaconing_check_config beacon_check = {};
6056 	unsigned int link_id = nl80211_link_id(info->attrs);
6057 	struct net_device *dev = info->user_ptr[1];
6058 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6059 	struct cfg80211_ap_settings *params;
6060 	int err;
6061 
6062 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6063 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6064 		return -EOPNOTSUPP;
6065 
6066 	if (!rdev->ops->start_ap)
6067 		return -EOPNOTSUPP;
6068 
6069 	if (wdev->cac_started)
6070 		return -EBUSY;
6071 
6072 	if (wdev->links[link_id].ap.beacon_interval)
6073 		return -EALREADY;
6074 
6075 	/* these are required for START_AP */
6076 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6077 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6078 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6079 		return -EINVAL;
6080 
6081 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6082 	if (!params)
6083 		return -ENOMEM;
6084 
6085 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6086 				   info->extack);
6087 	if (err)
6088 		goto out;
6089 
6090 	params->beacon_interval =
6091 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6092 	params->dtim_period =
6093 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6094 
6095 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6096 					   params->beacon_interval);
6097 	if (err)
6098 		goto out;
6099 
6100 	/*
6101 	 * In theory, some of these attributes should be required here
6102 	 * but since they were not used when the command was originally
6103 	 * added, keep them optional for old user space programs to let
6104 	 * them continue to work with drivers that do not need the
6105 	 * additional information -- drivers must check!
6106 	 */
6107 	if (info->attrs[NL80211_ATTR_SSID]) {
6108 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6109 		params->ssid_len =
6110 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6111 		if (params->ssid_len == 0) {
6112 			err = -EINVAL;
6113 			goto out;
6114 		}
6115 
6116 		if (wdev->u.ap.ssid_len &&
6117 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6118 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6119 			/* require identical SSID for MLO */
6120 			err = -EINVAL;
6121 			goto out;
6122 		}
6123 	} else if (wdev->valid_links) {
6124 		/* require SSID for MLO */
6125 		err = -EINVAL;
6126 		goto out;
6127 	}
6128 
6129 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6130 		params->hidden_ssid = nla_get_u32(
6131 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6132 
6133 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6134 
6135 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6136 		params->auth_type = nla_get_u32(
6137 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6138 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6139 					     NL80211_CMD_START_AP)) {
6140 			err = -EINVAL;
6141 			goto out;
6142 		}
6143 	} else
6144 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6145 
6146 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6147 				      NL80211_MAX_NR_CIPHER_SUITES);
6148 	if (err)
6149 		goto out;
6150 
6151 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6152 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6153 			err = -EOPNOTSUPP;
6154 			goto out;
6155 		}
6156 		params->inactivity_timeout = nla_get_u16(
6157 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6158 	}
6159 
6160 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6161 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6162 			err = -EINVAL;
6163 			goto out;
6164 		}
6165 		params->p2p_ctwindow =
6166 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6167 		if (params->p2p_ctwindow != 0 &&
6168 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6169 			err = -EINVAL;
6170 			goto out;
6171 		}
6172 	}
6173 
6174 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6175 		u8 tmp;
6176 
6177 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6178 			err = -EINVAL;
6179 			goto out;
6180 		}
6181 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6182 		params->p2p_opp_ps = tmp;
6183 		if (params->p2p_opp_ps != 0 &&
6184 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6185 			err = -EINVAL;
6186 			goto out;
6187 		}
6188 	}
6189 
6190 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6191 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6192 		if (err)
6193 			goto out;
6194 	} else if (wdev->valid_links) {
6195 		/* with MLD need to specify the channel configuration */
6196 		err = -EINVAL;
6197 		goto out;
6198 	} else if (wdev->u.ap.preset_chandef.chan) {
6199 		params->chandef = wdev->u.ap.preset_chandef;
6200 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6201 		err = -EINVAL;
6202 		goto out;
6203 	}
6204 
6205 	beacon_check.iftype = wdev->iftype;
6206 	beacon_check.relax = true;
6207 	beacon_check.reg_power =
6208 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6209 					     params->beacon.tail_len);
6210 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6211 					  &beacon_check)) {
6212 		err = -EINVAL;
6213 		goto out;
6214 	}
6215 
6216 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6217 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6218 						    NL80211_ATTR_TX_RATES,
6219 						    &params->beacon_rate,
6220 						    dev, false, link_id);
6221 		if (err)
6222 			goto out;
6223 
6224 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6225 					      &params->beacon_rate);
6226 		if (err)
6227 			goto out;
6228 	}
6229 
6230 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6231 		params->smps_mode =
6232 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6233 		switch (params->smps_mode) {
6234 		case NL80211_SMPS_OFF:
6235 			break;
6236 		case NL80211_SMPS_STATIC:
6237 			if (!(rdev->wiphy.features &
6238 			      NL80211_FEATURE_STATIC_SMPS)) {
6239 				err = -EINVAL;
6240 				goto out;
6241 			}
6242 			break;
6243 		case NL80211_SMPS_DYNAMIC:
6244 			if (!(rdev->wiphy.features &
6245 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6246 				err = -EINVAL;
6247 				goto out;
6248 			}
6249 			break;
6250 		default:
6251 			err = -EINVAL;
6252 			goto out;
6253 		}
6254 	} else {
6255 		params->smps_mode = NL80211_SMPS_OFF;
6256 	}
6257 
6258 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6259 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6260 		err = -EOPNOTSUPP;
6261 		goto out;
6262 	}
6263 
6264 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6265 		params->acl = parse_acl_data(&rdev->wiphy, info);
6266 		if (IS_ERR(params->acl)) {
6267 			err = PTR_ERR(params->acl);
6268 			params->acl = NULL;
6269 			goto out;
6270 		}
6271 	}
6272 
6273 	params->twt_responder =
6274 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6275 
6276 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6277 		err = nl80211_parse_he_obss_pd(
6278 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6279 					&params->he_obss_pd);
6280 		if (err)
6281 			goto out;
6282 	}
6283 
6284 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6285 		err = nl80211_parse_fils_discovery(rdev,
6286 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6287 						   &params->fils_discovery);
6288 		if (err)
6289 			goto out;
6290 	}
6291 
6292 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6293 		err = nl80211_parse_unsol_bcast_probe_resp(
6294 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6295 			&params->unsol_bcast_probe_resp);
6296 		if (err)
6297 			goto out;
6298 	}
6299 
6300 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6301 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6302 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6303 						  &params->mbssid_config,
6304 						  params->beacon.mbssid_ies ?
6305 							params->beacon.mbssid_ies->cnt :
6306 							0);
6307 		if (err)
6308 			goto out;
6309 	}
6310 
6311 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6312 		err = -EINVAL;
6313 		goto out;
6314 	}
6315 
6316 	err = nl80211_calculate_ap_params(params);
6317 	if (err)
6318 		goto out;
6319 
6320 	err = nl80211_validate_ap_phy_operation(params);
6321 	if (err)
6322 		goto out;
6323 
6324 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6325 		params->flags = nla_get_u32(
6326 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6327 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6328 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6329 
6330 	if (wdev->conn_owner_nlportid &&
6331 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6332 	    wdev->conn_owner_nlportid != info->snd_portid) {
6333 		err = -EINVAL;
6334 		goto out;
6335 	}
6336 
6337 	/* FIXME: validate MLO/link-id against driver capabilities */
6338 
6339 	err = rdev_start_ap(rdev, dev, params);
6340 	if (!err) {
6341 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6342 		wdev->links[link_id].ap.chandef = params->chandef;
6343 		wdev->u.ap.ssid_len = params->ssid_len;
6344 		memcpy(wdev->u.ap.ssid, params->ssid,
6345 		       params->ssid_len);
6346 
6347 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6348 			wdev->conn_owner_nlportid = info->snd_portid;
6349 
6350 		nl80211_send_ap_started(wdev, link_id);
6351 	}
6352 out:
6353 	kfree(params->acl);
6354 	kfree(params->beacon.mbssid_ies);
6355 	if (params->mbssid_config.tx_wdev &&
6356 	    params->mbssid_config.tx_wdev->netdev &&
6357 	    params->mbssid_config.tx_wdev->netdev != dev)
6358 		dev_put(params->mbssid_config.tx_wdev->netdev);
6359 	kfree(params->beacon.rnr_ies);
6360 	kfree(params);
6361 
6362 	return err;
6363 }
6364 
6365 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6366 {
6367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6368 	struct cfg80211_beaconing_check_config beacon_check = {};
6369 	unsigned int link_id = nl80211_link_id(info->attrs);
6370 	struct net_device *dev = info->user_ptr[1];
6371 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6372 	struct cfg80211_ap_update *params;
6373 	struct nlattr *attr;
6374 	int err;
6375 
6376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6377 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6378 		return -EOPNOTSUPP;
6379 
6380 	if (!rdev->ops->change_beacon)
6381 		return -EOPNOTSUPP;
6382 
6383 	if (!wdev->links[link_id].ap.beacon_interval)
6384 		return -EINVAL;
6385 
6386 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6387 	if (!params)
6388 		return -ENOMEM;
6389 
6390 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6391 				   info->extack);
6392 	if (err)
6393 		goto out;
6394 
6395 	/* recheck beaconing is permitted with possibly changed power type */
6396 	beacon_check.iftype = wdev->iftype;
6397 	beacon_check.relax = true;
6398 	beacon_check.reg_power =
6399 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6400 					     params->beacon.tail_len);
6401 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6402 					  &wdev->links[link_id].ap.chandef,
6403 					  &beacon_check)) {
6404 		err = -EINVAL;
6405 		goto out;
6406 	}
6407 
6408 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6409 	if (attr) {
6410 		err = nl80211_parse_fils_discovery(rdev, attr,
6411 						   &params->fils_discovery);
6412 		if (err)
6413 			goto out;
6414 	}
6415 
6416 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6417 	if (attr) {
6418 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6419 							   &params->unsol_bcast_probe_resp);
6420 		if (err)
6421 			goto out;
6422 	}
6423 
6424 	err = rdev_change_beacon(rdev, dev, params);
6425 
6426 out:
6427 	kfree(params->beacon.mbssid_ies);
6428 	kfree(params->beacon.rnr_ies);
6429 	kfree(params);
6430 	return err;
6431 }
6432 
6433 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6434 {
6435 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6436 	unsigned int link_id = nl80211_link_id(info->attrs);
6437 	struct net_device *dev = info->user_ptr[1];
6438 
6439 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6440 }
6441 
6442 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6443 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6444 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6445 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6446 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6447 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6448 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6449 };
6450 
6451 static int parse_station_flags(struct genl_info *info,
6452 			       enum nl80211_iftype iftype,
6453 			       struct station_parameters *params)
6454 {
6455 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6456 	struct nlattr *nla;
6457 	int flag;
6458 
6459 	/*
6460 	 * Try parsing the new attribute first so userspace
6461 	 * can specify both for older kernels.
6462 	 */
6463 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6464 	if (nla) {
6465 		struct nl80211_sta_flag_update *sta_flags;
6466 
6467 		sta_flags = nla_data(nla);
6468 		params->sta_flags_mask = sta_flags->mask;
6469 		params->sta_flags_set = sta_flags->set;
6470 		params->sta_flags_set &= params->sta_flags_mask;
6471 		if ((params->sta_flags_mask |
6472 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6473 			return -EINVAL;
6474 		return 0;
6475 	}
6476 
6477 	/* if present, parse the old attribute */
6478 
6479 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6480 	if (!nla)
6481 		return 0;
6482 
6483 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6484 		return -EINVAL;
6485 
6486 	/*
6487 	 * Only allow certain flags for interface types so that
6488 	 * other attributes are silently ignored. Remember that
6489 	 * this is backward compatibility code with old userspace
6490 	 * and shouldn't be hit in other cases anyway.
6491 	 */
6492 	switch (iftype) {
6493 	case NL80211_IFTYPE_AP:
6494 	case NL80211_IFTYPE_AP_VLAN:
6495 	case NL80211_IFTYPE_P2P_GO:
6496 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6497 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6498 					 BIT(NL80211_STA_FLAG_WME) |
6499 					 BIT(NL80211_STA_FLAG_MFP);
6500 		break;
6501 	case NL80211_IFTYPE_P2P_CLIENT:
6502 	case NL80211_IFTYPE_STATION:
6503 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6504 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6505 		break;
6506 	case NL80211_IFTYPE_MESH_POINT:
6507 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6508 					 BIT(NL80211_STA_FLAG_MFP) |
6509 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6510 		break;
6511 	default:
6512 		return -EINVAL;
6513 	}
6514 
6515 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6516 		if (flags[flag]) {
6517 			params->sta_flags_set |= (1<<flag);
6518 
6519 			/* no longer support new API additions in old API */
6520 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6521 				return -EINVAL;
6522 		}
6523 	}
6524 
6525 	return 0;
6526 }
6527 
6528 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6529 {
6530 	struct nlattr *rate;
6531 	u32 bitrate;
6532 	u16 bitrate_compat;
6533 	enum nl80211_rate_info rate_flg;
6534 
6535 	rate = nla_nest_start_noflag(msg, attr);
6536 	if (!rate)
6537 		return false;
6538 
6539 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6540 	bitrate = cfg80211_calculate_bitrate(info);
6541 	/* report 16-bit bitrate only if we can */
6542 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6543 	if (bitrate > 0 &&
6544 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6545 		return false;
6546 	if (bitrate_compat > 0 &&
6547 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6548 		return false;
6549 
6550 	switch (info->bw) {
6551 	case RATE_INFO_BW_1:
6552 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6553 		break;
6554 	case RATE_INFO_BW_2:
6555 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6556 		break;
6557 	case RATE_INFO_BW_4:
6558 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6559 		break;
6560 	case RATE_INFO_BW_5:
6561 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6562 		break;
6563 	case RATE_INFO_BW_8:
6564 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6565 		break;
6566 	case RATE_INFO_BW_10:
6567 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6568 		break;
6569 	case RATE_INFO_BW_16:
6570 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6571 		break;
6572 	default:
6573 		WARN_ON(1);
6574 		fallthrough;
6575 	case RATE_INFO_BW_20:
6576 		rate_flg = 0;
6577 		break;
6578 	case RATE_INFO_BW_40:
6579 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6580 		break;
6581 	case RATE_INFO_BW_80:
6582 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6583 		break;
6584 	case RATE_INFO_BW_160:
6585 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6586 		break;
6587 	case RATE_INFO_BW_HE_RU:
6588 		rate_flg = 0;
6589 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6590 		break;
6591 	case RATE_INFO_BW_320:
6592 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6593 		break;
6594 	case RATE_INFO_BW_EHT_RU:
6595 		rate_flg = 0;
6596 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6597 		break;
6598 	}
6599 
6600 	if (rate_flg && nla_put_flag(msg, rate_flg))
6601 		return false;
6602 
6603 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6604 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6605 			return false;
6606 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6607 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6608 			return false;
6609 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6610 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6611 			return false;
6612 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6613 			return false;
6614 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6615 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6616 			return false;
6617 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6618 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6619 			return false;
6620 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6621 			return false;
6622 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6623 			return false;
6624 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6625 			return false;
6626 		if (info->bw == RATE_INFO_BW_HE_RU &&
6627 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6628 			       info->he_ru_alloc))
6629 			return false;
6630 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6631 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6632 			return false;
6633 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6634 			return false;
6635 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6636 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6637 			return false;
6638 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6642 			return false;
6643 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6644 			return false;
6645 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6646 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6647 			       info->eht_ru_alloc))
6648 			return false;
6649 	}
6650 
6651 	nla_nest_end(msg, rate);
6652 	return true;
6653 }
6654 
6655 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6656 			       int id)
6657 {
6658 	void *attr;
6659 	int i = 0;
6660 
6661 	if (!mask)
6662 		return true;
6663 
6664 	attr = nla_nest_start_noflag(msg, id);
6665 	if (!attr)
6666 		return false;
6667 
6668 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6669 		if (!(mask & BIT(i)))
6670 			continue;
6671 
6672 		if (nla_put_u8(msg, i, signal[i]))
6673 			return false;
6674 	}
6675 
6676 	nla_nest_end(msg, attr);
6677 
6678 	return true;
6679 }
6680 
6681 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6682 				u32 seq, int flags,
6683 				struct cfg80211_registered_device *rdev,
6684 				struct net_device *dev,
6685 				const u8 *mac_addr, struct station_info *sinfo)
6686 {
6687 	void *hdr;
6688 	struct nlattr *sinfoattr, *bss_param;
6689 
6690 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6691 	if (!hdr) {
6692 		cfg80211_sinfo_release_content(sinfo);
6693 		return -1;
6694 	}
6695 
6696 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6697 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6698 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6699 		goto nla_put_failure;
6700 
6701 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6702 	if (!sinfoattr)
6703 		goto nla_put_failure;
6704 
6705 #define PUT_SINFO(attr, memb, type) do {				\
6706 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6707 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6708 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6709 			     sinfo->memb))				\
6710 		goto nla_put_failure;					\
6711 	} while (0)
6712 #define PUT_SINFO_U64(attr, memb) do {					\
6713 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6714 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6715 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6716 		goto nla_put_failure;					\
6717 	} while (0)
6718 
6719 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6720 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6721 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6722 
6723 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6724 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6725 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6726 			(u32)sinfo->rx_bytes))
6727 		goto nla_put_failure;
6728 
6729 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6730 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6731 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6732 			(u32)sinfo->tx_bytes))
6733 		goto nla_put_failure;
6734 
6735 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6736 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6737 	PUT_SINFO(LLID, llid, u16);
6738 	PUT_SINFO(PLID, plid, u16);
6739 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6740 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6741 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6742 
6743 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6744 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6745 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6746 
6747 	switch (rdev->wiphy.signal_type) {
6748 	case CFG80211_SIGNAL_TYPE_MBM:
6749 		PUT_SINFO(SIGNAL, signal, u8);
6750 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6751 		break;
6752 	default:
6753 		break;
6754 	}
6755 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6756 		if (!nl80211_put_signal(msg, sinfo->chains,
6757 					sinfo->chain_signal,
6758 					NL80211_STA_INFO_CHAIN_SIGNAL))
6759 			goto nla_put_failure;
6760 	}
6761 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6762 		if (!nl80211_put_signal(msg, sinfo->chains,
6763 					sinfo->chain_signal_avg,
6764 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6765 			goto nla_put_failure;
6766 	}
6767 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6768 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6769 					  NL80211_STA_INFO_TX_BITRATE))
6770 			goto nla_put_failure;
6771 	}
6772 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6773 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6774 					  NL80211_STA_INFO_RX_BITRATE))
6775 			goto nla_put_failure;
6776 	}
6777 
6778 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6779 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6780 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6781 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6782 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6783 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6784 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6785 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6786 	PUT_SINFO(PEER_PM, peer_pm, u32);
6787 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6788 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6789 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6790 
6791 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6792 		bss_param = nla_nest_start_noflag(msg,
6793 						  NL80211_STA_INFO_BSS_PARAM);
6794 		if (!bss_param)
6795 			goto nla_put_failure;
6796 
6797 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6798 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6799 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6800 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6801 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6802 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6803 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6804 			       sinfo->bss_param.dtim_period) ||
6805 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6806 				sinfo->bss_param.beacon_interval))
6807 			goto nla_put_failure;
6808 
6809 		nla_nest_end(msg, bss_param);
6810 	}
6811 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6812 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6813 		    sizeof(struct nl80211_sta_flag_update),
6814 		    &sinfo->sta_flags))
6815 		goto nla_put_failure;
6816 
6817 	PUT_SINFO_U64(T_OFFSET, t_offset);
6818 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6819 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6820 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6821 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6822 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6823 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6824 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6825 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6826 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6827 	}
6828 
6829 #undef PUT_SINFO
6830 #undef PUT_SINFO_U64
6831 
6832 	if (sinfo->pertid) {
6833 		struct nlattr *tidsattr;
6834 		int tid;
6835 
6836 		tidsattr = nla_nest_start_noflag(msg,
6837 						 NL80211_STA_INFO_TID_STATS);
6838 		if (!tidsattr)
6839 			goto nla_put_failure;
6840 
6841 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6842 			struct cfg80211_tid_stats *tidstats;
6843 			struct nlattr *tidattr;
6844 
6845 			tidstats = &sinfo->pertid[tid];
6846 
6847 			if (!tidstats->filled)
6848 				continue;
6849 
6850 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6851 			if (!tidattr)
6852 				goto nla_put_failure;
6853 
6854 #define PUT_TIDVAL_U64(attr, memb) do {					\
6855 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6856 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6857 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6858 		goto nla_put_failure;					\
6859 	} while (0)
6860 
6861 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6862 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6863 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6864 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6865 
6866 #undef PUT_TIDVAL_U64
6867 			if ((tidstats->filled &
6868 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6869 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6870 						   NL80211_TID_STATS_TXQ_STATS))
6871 				goto nla_put_failure;
6872 
6873 			nla_nest_end(msg, tidattr);
6874 		}
6875 
6876 		nla_nest_end(msg, tidsattr);
6877 	}
6878 
6879 	nla_nest_end(msg, sinfoattr);
6880 
6881 	if (sinfo->assoc_req_ies_len &&
6882 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6883 		    sinfo->assoc_req_ies))
6884 		goto nla_put_failure;
6885 
6886 	if (sinfo->assoc_resp_ies_len &&
6887 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6888 		    sinfo->assoc_resp_ies))
6889 		goto nla_put_failure;
6890 
6891 	if (sinfo->mlo_params_valid) {
6892 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6893 			       sinfo->assoc_link_id))
6894 			goto nla_put_failure;
6895 
6896 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6897 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6898 			    sinfo->mld_addr))
6899 			goto nla_put_failure;
6900 	}
6901 
6902 	cfg80211_sinfo_release_content(sinfo);
6903 	genlmsg_end(msg, hdr);
6904 	return 0;
6905 
6906  nla_put_failure:
6907 	cfg80211_sinfo_release_content(sinfo);
6908 	genlmsg_cancel(msg, hdr);
6909 	return -EMSGSIZE;
6910 }
6911 
6912 static int nl80211_dump_station(struct sk_buff *skb,
6913 				struct netlink_callback *cb)
6914 {
6915 	struct station_info sinfo;
6916 	struct cfg80211_registered_device *rdev;
6917 	struct wireless_dev *wdev;
6918 	u8 mac_addr[ETH_ALEN];
6919 	int sta_idx = cb->args[2];
6920 	int err;
6921 
6922 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6923 	if (err)
6924 		return err;
6925 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6926 	__acquire(&rdev->wiphy.mtx);
6927 
6928 	if (!wdev->netdev) {
6929 		err = -EINVAL;
6930 		goto out_err;
6931 	}
6932 
6933 	if (!rdev->ops->dump_station) {
6934 		err = -EOPNOTSUPP;
6935 		goto out_err;
6936 	}
6937 
6938 	while (1) {
6939 		memset(&sinfo, 0, sizeof(sinfo));
6940 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6941 					mac_addr, &sinfo);
6942 		if (err == -ENOENT)
6943 			break;
6944 		if (err)
6945 			goto out_err;
6946 
6947 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6948 				NETLINK_CB(cb->skb).portid,
6949 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6950 				rdev, wdev->netdev, mac_addr,
6951 				&sinfo) < 0)
6952 			goto out;
6953 
6954 		sta_idx++;
6955 	}
6956 
6957  out:
6958 	cb->args[2] = sta_idx;
6959 	err = skb->len;
6960  out_err:
6961 	wiphy_unlock(&rdev->wiphy);
6962 
6963 	return err;
6964 }
6965 
6966 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6967 {
6968 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6969 	struct net_device *dev = info->user_ptr[1];
6970 	struct station_info sinfo;
6971 	struct sk_buff *msg;
6972 	u8 *mac_addr = NULL;
6973 	int err;
6974 
6975 	memset(&sinfo, 0, sizeof(sinfo));
6976 
6977 	if (!info->attrs[NL80211_ATTR_MAC])
6978 		return -EINVAL;
6979 
6980 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6981 
6982 	if (!rdev->ops->get_station)
6983 		return -EOPNOTSUPP;
6984 
6985 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6986 	if (err)
6987 		return err;
6988 
6989 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6990 	if (!msg) {
6991 		cfg80211_sinfo_release_content(&sinfo);
6992 		return -ENOMEM;
6993 	}
6994 
6995 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6996 				 info->snd_portid, info->snd_seq, 0,
6997 				 rdev, dev, mac_addr, &sinfo) < 0) {
6998 		nlmsg_free(msg);
6999 		return -ENOBUFS;
7000 	}
7001 
7002 	return genlmsg_reply(msg, info);
7003 }
7004 
7005 int cfg80211_check_station_change(struct wiphy *wiphy,
7006 				  struct station_parameters *params,
7007 				  enum cfg80211_station_type statype)
7008 {
7009 	if (params->listen_interval != -1 &&
7010 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7011 		return -EINVAL;
7012 
7013 	if (params->support_p2p_ps != -1 &&
7014 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7015 		return -EINVAL;
7016 
7017 	if (params->aid &&
7018 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7019 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7020 		return -EINVAL;
7021 
7022 	/* When you run into this, adjust the code below for the new flag */
7023 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7024 
7025 	switch (statype) {
7026 	case CFG80211_STA_MESH_PEER_KERNEL:
7027 	case CFG80211_STA_MESH_PEER_USER:
7028 		/*
7029 		 * No ignoring the TDLS flag here -- the userspace mesh
7030 		 * code doesn't have the bug of including TDLS in the
7031 		 * mask everywhere.
7032 		 */
7033 		if (params->sta_flags_mask &
7034 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7035 				  BIT(NL80211_STA_FLAG_MFP) |
7036 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7037 			return -EINVAL;
7038 		break;
7039 	case CFG80211_STA_TDLS_PEER_SETUP:
7040 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7041 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7042 			return -EINVAL;
7043 		/* ignore since it can't change */
7044 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7045 		break;
7046 	default:
7047 		/* disallow mesh-specific things */
7048 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7049 			return -EINVAL;
7050 		if (params->local_pm)
7051 			return -EINVAL;
7052 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7053 			return -EINVAL;
7054 	}
7055 
7056 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7057 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7058 		/* TDLS can't be set, ... */
7059 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7060 			return -EINVAL;
7061 		/*
7062 		 * ... but don't bother the driver with it. This works around
7063 		 * a hostapd/wpa_supplicant issue -- it always includes the
7064 		 * TLDS_PEER flag in the mask even for AP mode.
7065 		 */
7066 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7067 	}
7068 
7069 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7070 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7071 		/* reject other things that can't change */
7072 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7073 			return -EINVAL;
7074 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7075 			return -EINVAL;
7076 		if (params->link_sta_params.supported_rates)
7077 			return -EINVAL;
7078 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7079 		    params->link_sta_params.vht_capa ||
7080 		    params->link_sta_params.he_capa ||
7081 		    params->link_sta_params.eht_capa)
7082 			return -EINVAL;
7083 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7084 			return -EINVAL;
7085 	}
7086 
7087 	if (statype != CFG80211_STA_AP_CLIENT &&
7088 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7089 		if (params->vlan)
7090 			return -EINVAL;
7091 	}
7092 
7093 	switch (statype) {
7094 	case CFG80211_STA_AP_MLME_CLIENT:
7095 		/* Use this only for authorizing/unauthorizing a station */
7096 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7097 			return -EOPNOTSUPP;
7098 		break;
7099 	case CFG80211_STA_AP_CLIENT:
7100 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7101 		/* accept only the listed bits */
7102 		if (params->sta_flags_mask &
7103 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7104 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7105 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7106 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7107 				  BIT(NL80211_STA_FLAG_WME) |
7108 				  BIT(NL80211_STA_FLAG_MFP) |
7109 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7110 			return -EINVAL;
7111 
7112 		/* but authenticated/associated only if driver handles it */
7113 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7114 		    params->sta_flags_mask &
7115 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7116 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7117 			return -EINVAL;
7118 		break;
7119 	case CFG80211_STA_IBSS:
7120 	case CFG80211_STA_AP_STA:
7121 		/* reject any changes other than AUTHORIZED */
7122 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7123 			return -EINVAL;
7124 		break;
7125 	case CFG80211_STA_TDLS_PEER_SETUP:
7126 		/* reject any changes other than AUTHORIZED or WME */
7127 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7128 					       BIT(NL80211_STA_FLAG_WME)))
7129 			return -EINVAL;
7130 		/* force (at least) rates when authorizing */
7131 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7132 		    !params->link_sta_params.supported_rates)
7133 			return -EINVAL;
7134 		break;
7135 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7136 		/* reject any changes */
7137 		return -EINVAL;
7138 	case CFG80211_STA_MESH_PEER_KERNEL:
7139 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7140 			return -EINVAL;
7141 		break;
7142 	case CFG80211_STA_MESH_PEER_USER:
7143 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7144 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7145 			return -EINVAL;
7146 		break;
7147 	}
7148 
7149 	/*
7150 	 * Older kernel versions ignored this attribute entirely, so don't
7151 	 * reject attempts to update it but mark it as unused instead so the
7152 	 * driver won't look at the data.
7153 	 */
7154 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7155 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7156 		params->link_sta_params.opmode_notif_used = false;
7157 
7158 	return 0;
7159 }
7160 EXPORT_SYMBOL(cfg80211_check_station_change);
7161 
7162 /*
7163  * Get vlan interface making sure it is running and on the right wiphy.
7164  */
7165 static struct net_device *get_vlan(struct genl_info *info,
7166 				   struct cfg80211_registered_device *rdev)
7167 {
7168 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7169 	struct net_device *v;
7170 	int ret;
7171 
7172 	if (!vlanattr)
7173 		return NULL;
7174 
7175 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7176 	if (!v)
7177 		return ERR_PTR(-ENODEV);
7178 
7179 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7180 		ret = -EINVAL;
7181 		goto error;
7182 	}
7183 
7184 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7185 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7186 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7187 		ret = -EINVAL;
7188 		goto error;
7189 	}
7190 
7191 	if (!netif_running(v)) {
7192 		ret = -ENETDOWN;
7193 		goto error;
7194 	}
7195 
7196 	return v;
7197  error:
7198 	dev_put(v);
7199 	return ERR_PTR(ret);
7200 }
7201 
7202 static int nl80211_parse_sta_wme(struct genl_info *info,
7203 				 struct station_parameters *params)
7204 {
7205 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7206 	struct nlattr *nla;
7207 	int err;
7208 
7209 	/* parse WME attributes if present */
7210 	if (!info->attrs[NL80211_ATTR_STA_WME])
7211 		return 0;
7212 
7213 	nla = info->attrs[NL80211_ATTR_STA_WME];
7214 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7215 					  nl80211_sta_wme_policy,
7216 					  info->extack);
7217 	if (err)
7218 		return err;
7219 
7220 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7221 		params->uapsd_queues = nla_get_u8(
7222 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7223 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7224 		return -EINVAL;
7225 
7226 	if (tb[NL80211_STA_WME_MAX_SP])
7227 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7228 
7229 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7230 		return -EINVAL;
7231 
7232 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7233 
7234 	return 0;
7235 }
7236 
7237 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7238 				      struct station_parameters *params)
7239 {
7240 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7241 		params->supported_channels =
7242 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7243 		params->supported_channels_len =
7244 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7245 		/*
7246 		 * Need to include at least one (first channel, number of
7247 		 * channels) tuple for each subband (checked in policy),
7248 		 * and must have proper tuples for the rest of the data as well.
7249 		 */
7250 		if (params->supported_channels_len % 2)
7251 			return -EINVAL;
7252 	}
7253 
7254 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7255 		params->supported_oper_classes =
7256 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7257 		params->supported_oper_classes_len =
7258 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7259 	}
7260 	return 0;
7261 }
7262 
7263 static int nl80211_set_station_tdls(struct genl_info *info,
7264 				    struct station_parameters *params)
7265 {
7266 	int err;
7267 	/* Dummy STA entry gets updated once the peer capabilities are known */
7268 	if (info->attrs[NL80211_ATTR_PEER_AID])
7269 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7270 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7271 		params->link_sta_params.ht_capa =
7272 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7273 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7274 		params->link_sta_params.vht_capa =
7275 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7276 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7277 		params->link_sta_params.he_capa =
7278 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7279 		params->link_sta_params.he_capa_len =
7280 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7281 
7282 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7283 			params->link_sta_params.eht_capa =
7284 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7285 			params->link_sta_params.eht_capa_len =
7286 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7287 
7288 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7289 							(const u8 *)params->link_sta_params.eht_capa,
7290 							params->link_sta_params.eht_capa_len,
7291 							false))
7292 				return -EINVAL;
7293 		}
7294 	}
7295 
7296 	err = nl80211_parse_sta_channel_info(info, params);
7297 	if (err)
7298 		return err;
7299 
7300 	return nl80211_parse_sta_wme(info, params);
7301 }
7302 
7303 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7304 					     struct sta_txpwr *txpwr,
7305 					     bool *txpwr_set)
7306 {
7307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7308 	int idx;
7309 
7310 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7311 		if (!rdev->ops->set_tx_power ||
7312 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7313 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7314 			return -EOPNOTSUPP;
7315 
7316 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7317 		txpwr->type = nla_get_u8(info->attrs[idx]);
7318 
7319 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7320 			idx = NL80211_ATTR_STA_TX_POWER;
7321 
7322 			if (info->attrs[idx])
7323 				txpwr->power = nla_get_s16(info->attrs[idx]);
7324 			else
7325 				return -EINVAL;
7326 		}
7327 
7328 		*txpwr_set = true;
7329 	} else {
7330 		*txpwr_set = false;
7331 	}
7332 
7333 	return 0;
7334 }
7335 
7336 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7337 {
7338 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7339 	struct net_device *dev = info->user_ptr[1];
7340 	struct station_parameters params;
7341 	u8 *mac_addr;
7342 	int err;
7343 
7344 	memset(&params, 0, sizeof(params));
7345 
7346 	if (!rdev->ops->change_station)
7347 		return -EOPNOTSUPP;
7348 
7349 	/*
7350 	 * AID and listen_interval properties can be set only for unassociated
7351 	 * station. Include these parameters here and will check them in
7352 	 * cfg80211_check_station_change().
7353 	 */
7354 	if (info->attrs[NL80211_ATTR_STA_AID])
7355 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7356 
7357 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7358 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7359 
7360 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7361 		params.listen_interval =
7362 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7363 	else
7364 		params.listen_interval = -1;
7365 
7366 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7367 		params.support_p2p_ps =
7368 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7369 	else
7370 		params.support_p2p_ps = -1;
7371 
7372 	if (!info->attrs[NL80211_ATTR_MAC])
7373 		return -EINVAL;
7374 
7375 	params.link_sta_params.link_id =
7376 		nl80211_link_id_or_invalid(info->attrs);
7377 
7378 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7379 		/* If MLD_ADDR attribute is set then this is an MLD station
7380 		 * and the MLD_ADDR attribute holds the MLD address and the
7381 		 * MAC attribute holds for the LINK address.
7382 		 * In that case, the link_id is also expected to be valid.
7383 		 */
7384 		if (params.link_sta_params.link_id < 0)
7385 			return -EINVAL;
7386 
7387 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7388 		params.link_sta_params.mld_mac = mac_addr;
7389 		params.link_sta_params.link_mac =
7390 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7391 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7392 			return -EINVAL;
7393 	} else {
7394 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7395 	}
7396 
7397 
7398 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7399 		params.link_sta_params.supported_rates =
7400 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7401 		params.link_sta_params.supported_rates_len =
7402 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7403 	}
7404 
7405 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7406 		params.capability =
7407 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7408 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7409 	}
7410 
7411 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7412 		params.ext_capab =
7413 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7414 		params.ext_capab_len =
7415 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7416 	}
7417 
7418 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7419 		return -EINVAL;
7420 
7421 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7422 		params.plink_action =
7423 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7424 
7425 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7426 		params.plink_state =
7427 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7428 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7429 			params.peer_aid = nla_get_u16(
7430 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7431 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7432 	}
7433 
7434 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7435 		params.local_pm = nla_get_u32(
7436 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7437 
7438 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7439 		params.link_sta_params.opmode_notif_used = true;
7440 		params.link_sta_params.opmode_notif =
7441 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7442 	}
7443 
7444 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7445 		params.link_sta_params.he_6ghz_capa =
7446 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7447 
7448 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7449 		params.airtime_weight =
7450 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7451 
7452 	if (params.airtime_weight &&
7453 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7454 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7455 		return -EOPNOTSUPP;
7456 
7457 	err = nl80211_parse_sta_txpower_setting(info,
7458 						&params.link_sta_params.txpwr,
7459 						&params.link_sta_params.txpwr_set);
7460 	if (err)
7461 		return err;
7462 
7463 	/* Include parameters for TDLS peer (will check later) */
7464 	err = nl80211_set_station_tdls(info, &params);
7465 	if (err)
7466 		return err;
7467 
7468 	params.vlan = get_vlan(info, rdev);
7469 	if (IS_ERR(params.vlan))
7470 		return PTR_ERR(params.vlan);
7471 
7472 	switch (dev->ieee80211_ptr->iftype) {
7473 	case NL80211_IFTYPE_AP:
7474 	case NL80211_IFTYPE_AP_VLAN:
7475 	case NL80211_IFTYPE_P2P_GO:
7476 	case NL80211_IFTYPE_P2P_CLIENT:
7477 	case NL80211_IFTYPE_STATION:
7478 	case NL80211_IFTYPE_ADHOC:
7479 	case NL80211_IFTYPE_MESH_POINT:
7480 		break;
7481 	default:
7482 		err = -EOPNOTSUPP;
7483 		goto out_put_vlan;
7484 	}
7485 
7486 	/* driver will call cfg80211_check_station_change() */
7487 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7488 
7489  out_put_vlan:
7490 	dev_put(params.vlan);
7491 
7492 	return err;
7493 }
7494 
7495 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7496 {
7497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7498 	int err;
7499 	struct net_device *dev = info->user_ptr[1];
7500 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7501 	struct station_parameters params;
7502 	u8 *mac_addr = NULL;
7503 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7504 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7505 
7506 	memset(&params, 0, sizeof(params));
7507 
7508 	if (!rdev->ops->add_station)
7509 		return -EOPNOTSUPP;
7510 
7511 	if (!info->attrs[NL80211_ATTR_MAC])
7512 		return -EINVAL;
7513 
7514 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7515 		return -EINVAL;
7516 
7517 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7518 		return -EINVAL;
7519 
7520 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7521 	    !info->attrs[NL80211_ATTR_PEER_AID])
7522 		return -EINVAL;
7523 
7524 	params.link_sta_params.link_id =
7525 		nl80211_link_id_or_invalid(info->attrs);
7526 
7527 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7528 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7529 		params.link_sta_params.mld_mac = mac_addr;
7530 		params.link_sta_params.link_mac =
7531 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7532 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7533 			return -EINVAL;
7534 	} else {
7535 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7536 	}
7537 
7538 	params.link_sta_params.supported_rates =
7539 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7540 	params.link_sta_params.supported_rates_len =
7541 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7542 	params.listen_interval =
7543 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7544 
7545 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7546 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7547 
7548 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7549 		params.support_p2p_ps =
7550 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7551 	} else {
7552 		/*
7553 		 * if not specified, assume it's supported for P2P GO interface,
7554 		 * and is NOT supported for AP interface
7555 		 */
7556 		params.support_p2p_ps =
7557 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7558 	}
7559 
7560 	if (info->attrs[NL80211_ATTR_PEER_AID])
7561 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7562 	else
7563 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7564 
7565 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7566 		params.capability =
7567 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7568 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7569 	}
7570 
7571 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7572 		params.ext_capab =
7573 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7574 		params.ext_capab_len =
7575 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7576 	}
7577 
7578 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7579 		params.link_sta_params.ht_capa =
7580 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7581 
7582 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7583 		params.link_sta_params.vht_capa =
7584 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7585 
7586 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7587 		params.link_sta_params.he_capa =
7588 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7589 		params.link_sta_params.he_capa_len =
7590 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7591 
7592 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7593 			params.link_sta_params.eht_capa =
7594 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7595 			params.link_sta_params.eht_capa_len =
7596 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7597 
7598 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7599 							(const u8 *)params.link_sta_params.eht_capa,
7600 							params.link_sta_params.eht_capa_len,
7601 							false))
7602 				return -EINVAL;
7603 		}
7604 	}
7605 
7606 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7607 		params.link_sta_params.he_6ghz_capa =
7608 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7609 
7610 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7611 		params.link_sta_params.opmode_notif_used = true;
7612 		params.link_sta_params.opmode_notif =
7613 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7614 	}
7615 
7616 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7617 		params.plink_action =
7618 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7619 
7620 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7621 		params.airtime_weight =
7622 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7623 
7624 	if (params.airtime_weight &&
7625 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7626 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7627 		return -EOPNOTSUPP;
7628 
7629 	err = nl80211_parse_sta_txpower_setting(info,
7630 						&params.link_sta_params.txpwr,
7631 						&params.link_sta_params.txpwr_set);
7632 	if (err)
7633 		return err;
7634 
7635 	err = nl80211_parse_sta_channel_info(info, &params);
7636 	if (err)
7637 		return err;
7638 
7639 	err = nl80211_parse_sta_wme(info, &params);
7640 	if (err)
7641 		return err;
7642 
7643 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7644 		return -EINVAL;
7645 
7646 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7647 	 * as userspace might just pass through the capabilities from the IEs
7648 	 * directly, rather than enforcing this restriction and returning an
7649 	 * error in this case.
7650 	 */
7651 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7652 		params.link_sta_params.ht_capa = NULL;
7653 		params.link_sta_params.vht_capa = NULL;
7654 
7655 		/* HE and EHT require WME */
7656 		if (params.link_sta_params.he_capa_len ||
7657 		    params.link_sta_params.he_6ghz_capa ||
7658 		    params.link_sta_params.eht_capa_len)
7659 			return -EINVAL;
7660 	}
7661 
7662 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7663 	if (params.link_sta_params.he_6ghz_capa &&
7664 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7665 		return -EINVAL;
7666 
7667 	/* When you run into this, adjust the code below for the new flag */
7668 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7669 
7670 	switch (dev->ieee80211_ptr->iftype) {
7671 	case NL80211_IFTYPE_AP:
7672 	case NL80211_IFTYPE_AP_VLAN:
7673 	case NL80211_IFTYPE_P2P_GO:
7674 		/* ignore WME attributes if iface/sta is not capable */
7675 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7676 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7677 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7678 
7679 		/* TDLS peers cannot be added */
7680 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7681 		    info->attrs[NL80211_ATTR_PEER_AID])
7682 			return -EINVAL;
7683 		/* but don't bother the driver with it */
7684 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7685 
7686 		/* allow authenticated/associated only if driver handles it */
7687 		if (!(rdev->wiphy.features &
7688 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7689 		    params.sta_flags_mask & auth_assoc)
7690 			return -EINVAL;
7691 
7692 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7693 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7694 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7695 			return -EINVAL;
7696 
7697 		/* Older userspace, or userspace wanting to be compatible with
7698 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7699 		 * and assoc flags in the mask, but assumes the station will be
7700 		 * added as associated anyway since this was the required driver
7701 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7702 		 * introduced.
7703 		 * In order to not bother drivers with this quirk in the API
7704 		 * set the flags in both the mask and set for new stations in
7705 		 * this case.
7706 		 */
7707 		if (!(params.sta_flags_mask & auth_assoc)) {
7708 			params.sta_flags_mask |= auth_assoc;
7709 			params.sta_flags_set |= auth_assoc;
7710 		}
7711 
7712 		/* must be last in here for error handling */
7713 		params.vlan = get_vlan(info, rdev);
7714 		if (IS_ERR(params.vlan))
7715 			return PTR_ERR(params.vlan);
7716 		break;
7717 	case NL80211_IFTYPE_MESH_POINT:
7718 		/* ignore uAPSD data */
7719 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7720 
7721 		/* associated is disallowed */
7722 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7723 			return -EINVAL;
7724 		/* TDLS peers cannot be added */
7725 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7726 		    info->attrs[NL80211_ATTR_PEER_AID])
7727 			return -EINVAL;
7728 		break;
7729 	case NL80211_IFTYPE_STATION:
7730 	case NL80211_IFTYPE_P2P_CLIENT:
7731 		/* ignore uAPSD data */
7732 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7733 
7734 		/* these are disallowed */
7735 		if (params.sta_flags_mask &
7736 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7737 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7738 			return -EINVAL;
7739 		/* Only TDLS peers can be added */
7740 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7741 			return -EINVAL;
7742 		/* Can only add if TDLS ... */
7743 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7744 			return -EOPNOTSUPP;
7745 		/* ... with external setup is supported */
7746 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7747 			return -EOPNOTSUPP;
7748 		/*
7749 		 * Older wpa_supplicant versions always mark the TDLS peer
7750 		 * as authorized, but it shouldn't yet be.
7751 		 */
7752 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7753 		break;
7754 	default:
7755 		return -EOPNOTSUPP;
7756 	}
7757 
7758 	/* be aware of params.vlan when changing code here */
7759 
7760 	if (wdev->valid_links) {
7761 		if (params.link_sta_params.link_id < 0) {
7762 			err = -EINVAL;
7763 			goto out;
7764 		}
7765 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7766 			err = -ENOLINK;
7767 			goto out;
7768 		}
7769 	} else {
7770 		if (params.link_sta_params.link_id >= 0) {
7771 			err = -EINVAL;
7772 			goto out;
7773 		}
7774 	}
7775 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7776 out:
7777 	dev_put(params.vlan);
7778 	return err;
7779 }
7780 
7781 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7782 {
7783 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7784 	struct net_device *dev = info->user_ptr[1];
7785 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7786 	struct station_del_parameters params;
7787 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7788 
7789 	memset(&params, 0, sizeof(params));
7790 
7791 	if (info->attrs[NL80211_ATTR_MAC])
7792 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7793 
7794 	switch (wdev->iftype) {
7795 	case NL80211_IFTYPE_AP:
7796 	case NL80211_IFTYPE_AP_VLAN:
7797 	case NL80211_IFTYPE_MESH_POINT:
7798 	case NL80211_IFTYPE_P2P_GO:
7799 		/* always accept these */
7800 		break;
7801 	case NL80211_IFTYPE_ADHOC:
7802 		/* conditionally accept */
7803 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7804 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7805 			break;
7806 		return -EINVAL;
7807 	default:
7808 		return -EINVAL;
7809 	}
7810 
7811 	if (!rdev->ops->del_station)
7812 		return -EOPNOTSUPP;
7813 
7814 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7815 		params.subtype =
7816 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7817 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7818 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7819 			return -EINVAL;
7820 	} else {
7821 		/* Default to Deauthentication frame */
7822 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7823 	}
7824 
7825 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7826 		params.reason_code =
7827 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7828 		if (params.reason_code == 0)
7829 			return -EINVAL; /* 0 is reserved */
7830 	} else {
7831 		/* Default to reason code 2 */
7832 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7833 	}
7834 
7835 	/* Link ID not expected in case of non-ML operation */
7836 	if (!wdev->valid_links && link_id != -1)
7837 		return -EINVAL;
7838 
7839 	/* If given, a valid link ID should be passed during MLO */
7840 	if (wdev->valid_links && link_id >= 0 &&
7841 	    !(wdev->valid_links & BIT(link_id)))
7842 		return -EINVAL;
7843 
7844 	params.link_id = link_id;
7845 
7846 	return rdev_del_station(rdev, dev, &params);
7847 }
7848 
7849 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7850 				int flags, struct net_device *dev,
7851 				u8 *dst, u8 *next_hop,
7852 				struct mpath_info *pinfo)
7853 {
7854 	void *hdr;
7855 	struct nlattr *pinfoattr;
7856 
7857 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7858 	if (!hdr)
7859 		return -1;
7860 
7861 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7862 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7863 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7864 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7865 		goto nla_put_failure;
7866 
7867 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7868 	if (!pinfoattr)
7869 		goto nla_put_failure;
7870 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7871 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7872 			pinfo->frame_qlen))
7873 		goto nla_put_failure;
7874 	if (((pinfo->filled & MPATH_INFO_SN) &&
7875 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7876 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7877 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7878 			 pinfo->metric)) ||
7879 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7880 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7881 			 pinfo->exptime)) ||
7882 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7883 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7884 			pinfo->flags)) ||
7885 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7886 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7887 			 pinfo->discovery_timeout)) ||
7888 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7889 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7890 			pinfo->discovery_retries)) ||
7891 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7892 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7893 			pinfo->hop_count)) ||
7894 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7895 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7896 			 pinfo->path_change_count)))
7897 		goto nla_put_failure;
7898 
7899 	nla_nest_end(msg, pinfoattr);
7900 
7901 	genlmsg_end(msg, hdr);
7902 	return 0;
7903 
7904  nla_put_failure:
7905 	genlmsg_cancel(msg, hdr);
7906 	return -EMSGSIZE;
7907 }
7908 
7909 static int nl80211_dump_mpath(struct sk_buff *skb,
7910 			      struct netlink_callback *cb)
7911 {
7912 	struct mpath_info pinfo;
7913 	struct cfg80211_registered_device *rdev;
7914 	struct wireless_dev *wdev;
7915 	u8 dst[ETH_ALEN];
7916 	u8 next_hop[ETH_ALEN];
7917 	int path_idx = cb->args[2];
7918 	int err;
7919 
7920 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7921 	if (err)
7922 		return err;
7923 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7924 	__acquire(&rdev->wiphy.mtx);
7925 
7926 	if (!rdev->ops->dump_mpath) {
7927 		err = -EOPNOTSUPP;
7928 		goto out_err;
7929 	}
7930 
7931 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7932 		err = -EOPNOTSUPP;
7933 		goto out_err;
7934 	}
7935 
7936 	while (1) {
7937 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7938 				      next_hop, &pinfo);
7939 		if (err == -ENOENT)
7940 			break;
7941 		if (err)
7942 			goto out_err;
7943 
7944 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7945 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7946 				       wdev->netdev, dst, next_hop,
7947 				       &pinfo) < 0)
7948 			goto out;
7949 
7950 		path_idx++;
7951 	}
7952 
7953  out:
7954 	cb->args[2] = path_idx;
7955 	err = skb->len;
7956  out_err:
7957 	wiphy_unlock(&rdev->wiphy);
7958 	return err;
7959 }
7960 
7961 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7962 {
7963 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7964 	int err;
7965 	struct net_device *dev = info->user_ptr[1];
7966 	struct mpath_info pinfo;
7967 	struct sk_buff *msg;
7968 	u8 *dst = NULL;
7969 	u8 next_hop[ETH_ALEN];
7970 
7971 	memset(&pinfo, 0, sizeof(pinfo));
7972 
7973 	if (!info->attrs[NL80211_ATTR_MAC])
7974 		return -EINVAL;
7975 
7976 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7977 
7978 	if (!rdev->ops->get_mpath)
7979 		return -EOPNOTSUPP;
7980 
7981 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7982 		return -EOPNOTSUPP;
7983 
7984 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7985 	if (err)
7986 		return err;
7987 
7988 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7989 	if (!msg)
7990 		return -ENOMEM;
7991 
7992 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7993 				 dev, dst, next_hop, &pinfo) < 0) {
7994 		nlmsg_free(msg);
7995 		return -ENOBUFS;
7996 	}
7997 
7998 	return genlmsg_reply(msg, info);
7999 }
8000 
8001 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8002 {
8003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8004 	struct net_device *dev = info->user_ptr[1];
8005 	u8 *dst = NULL;
8006 	u8 *next_hop = NULL;
8007 
8008 	if (!info->attrs[NL80211_ATTR_MAC])
8009 		return -EINVAL;
8010 
8011 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8012 		return -EINVAL;
8013 
8014 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8015 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8016 
8017 	if (!rdev->ops->change_mpath)
8018 		return -EOPNOTSUPP;
8019 
8020 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8021 		return -EOPNOTSUPP;
8022 
8023 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8024 }
8025 
8026 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8027 {
8028 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8029 	struct net_device *dev = info->user_ptr[1];
8030 	u8 *dst = NULL;
8031 	u8 *next_hop = NULL;
8032 
8033 	if (!info->attrs[NL80211_ATTR_MAC])
8034 		return -EINVAL;
8035 
8036 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8037 		return -EINVAL;
8038 
8039 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8040 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8041 
8042 	if (!rdev->ops->add_mpath)
8043 		return -EOPNOTSUPP;
8044 
8045 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8046 		return -EOPNOTSUPP;
8047 
8048 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8049 }
8050 
8051 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8052 {
8053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8054 	struct net_device *dev = info->user_ptr[1];
8055 	u8 *dst = NULL;
8056 
8057 	if (info->attrs[NL80211_ATTR_MAC])
8058 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8059 
8060 	if (!rdev->ops->del_mpath)
8061 		return -EOPNOTSUPP;
8062 
8063 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8064 		return -EOPNOTSUPP;
8065 
8066 	return rdev_del_mpath(rdev, dev, dst);
8067 }
8068 
8069 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8070 {
8071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8072 	int err;
8073 	struct net_device *dev = info->user_ptr[1];
8074 	struct mpath_info pinfo;
8075 	struct sk_buff *msg;
8076 	u8 *dst = NULL;
8077 	u8 mpp[ETH_ALEN];
8078 
8079 	memset(&pinfo, 0, sizeof(pinfo));
8080 
8081 	if (!info->attrs[NL80211_ATTR_MAC])
8082 		return -EINVAL;
8083 
8084 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8085 
8086 	if (!rdev->ops->get_mpp)
8087 		return -EOPNOTSUPP;
8088 
8089 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8090 		return -EOPNOTSUPP;
8091 
8092 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8093 	if (err)
8094 		return err;
8095 
8096 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8097 	if (!msg)
8098 		return -ENOMEM;
8099 
8100 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8101 			       dev, dst, mpp, &pinfo) < 0) {
8102 		nlmsg_free(msg);
8103 		return -ENOBUFS;
8104 	}
8105 
8106 	return genlmsg_reply(msg, info);
8107 }
8108 
8109 static int nl80211_dump_mpp(struct sk_buff *skb,
8110 			    struct netlink_callback *cb)
8111 {
8112 	struct mpath_info pinfo;
8113 	struct cfg80211_registered_device *rdev;
8114 	struct wireless_dev *wdev;
8115 	u8 dst[ETH_ALEN];
8116 	u8 mpp[ETH_ALEN];
8117 	int path_idx = cb->args[2];
8118 	int err;
8119 
8120 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8121 	if (err)
8122 		return err;
8123 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8124 	__acquire(&rdev->wiphy.mtx);
8125 
8126 	if (!rdev->ops->dump_mpp) {
8127 		err = -EOPNOTSUPP;
8128 		goto out_err;
8129 	}
8130 
8131 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8132 		err = -EOPNOTSUPP;
8133 		goto out_err;
8134 	}
8135 
8136 	while (1) {
8137 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8138 				    mpp, &pinfo);
8139 		if (err == -ENOENT)
8140 			break;
8141 		if (err)
8142 			goto out_err;
8143 
8144 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8145 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8146 				       wdev->netdev, dst, mpp,
8147 				       &pinfo) < 0)
8148 			goto out;
8149 
8150 		path_idx++;
8151 	}
8152 
8153  out:
8154 	cb->args[2] = path_idx;
8155 	err = skb->len;
8156  out_err:
8157 	wiphy_unlock(&rdev->wiphy);
8158 	return err;
8159 }
8160 
8161 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8162 {
8163 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8164 	struct net_device *dev = info->user_ptr[1];
8165 	struct bss_parameters params;
8166 
8167 	memset(&params, 0, sizeof(params));
8168 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8169 	/* default to not changing parameters */
8170 	params.use_cts_prot = -1;
8171 	params.use_short_preamble = -1;
8172 	params.use_short_slot_time = -1;
8173 	params.ap_isolate = -1;
8174 	params.ht_opmode = -1;
8175 	params.p2p_ctwindow = -1;
8176 	params.p2p_opp_ps = -1;
8177 
8178 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8179 		params.use_cts_prot =
8180 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8181 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8182 		params.use_short_preamble =
8183 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8184 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8185 		params.use_short_slot_time =
8186 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8187 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8188 		params.basic_rates =
8189 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8190 		params.basic_rates_len =
8191 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8192 	}
8193 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8194 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8195 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8196 		params.ht_opmode =
8197 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8198 
8199 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8200 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8201 			return -EINVAL;
8202 		params.p2p_ctwindow =
8203 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8204 		if (params.p2p_ctwindow != 0 &&
8205 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8206 			return -EINVAL;
8207 	}
8208 
8209 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8210 		u8 tmp;
8211 
8212 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8213 			return -EINVAL;
8214 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8215 		params.p2p_opp_ps = tmp;
8216 		if (params.p2p_opp_ps &&
8217 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8218 			return -EINVAL;
8219 	}
8220 
8221 	if (!rdev->ops->change_bss)
8222 		return -EOPNOTSUPP;
8223 
8224 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8225 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8226 		return -EOPNOTSUPP;
8227 
8228 	return rdev_change_bss(rdev, dev, &params);
8229 }
8230 
8231 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8232 {
8233 	char *data = NULL;
8234 	bool is_indoor;
8235 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8236 	u32 owner_nlportid;
8237 
8238 	/*
8239 	 * You should only get this when cfg80211 hasn't yet initialized
8240 	 * completely when built-in to the kernel right between the time
8241 	 * window between nl80211_init() and regulatory_init(), if that is
8242 	 * even possible.
8243 	 */
8244 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8245 		return -EINPROGRESS;
8246 
8247 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8248 		user_reg_hint_type =
8249 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8250 	else
8251 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8252 
8253 	switch (user_reg_hint_type) {
8254 	case NL80211_USER_REG_HINT_USER:
8255 	case NL80211_USER_REG_HINT_CELL_BASE:
8256 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8257 			return -EINVAL;
8258 
8259 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8260 		return regulatory_hint_user(data, user_reg_hint_type);
8261 	case NL80211_USER_REG_HINT_INDOOR:
8262 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8263 			owner_nlportid = info->snd_portid;
8264 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8265 		} else {
8266 			owner_nlportid = 0;
8267 			is_indoor = true;
8268 		}
8269 
8270 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8271 		return 0;
8272 	default:
8273 		return -EINVAL;
8274 	}
8275 }
8276 
8277 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8278 {
8279 	return reg_reload_regdb();
8280 }
8281 
8282 static int nl80211_get_mesh_config(struct sk_buff *skb,
8283 				   struct genl_info *info)
8284 {
8285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8286 	struct net_device *dev = info->user_ptr[1];
8287 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8288 	struct mesh_config cur_params;
8289 	int err = 0;
8290 	void *hdr;
8291 	struct nlattr *pinfoattr;
8292 	struct sk_buff *msg;
8293 
8294 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8295 		return -EOPNOTSUPP;
8296 
8297 	if (!rdev->ops->get_mesh_config)
8298 		return -EOPNOTSUPP;
8299 
8300 	/* If not connected, get default parameters */
8301 	if (!wdev->u.mesh.id_len)
8302 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8303 	else
8304 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8305 
8306 	if (err)
8307 		return err;
8308 
8309 	/* Draw up a netlink message to send back */
8310 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8311 	if (!msg)
8312 		return -ENOMEM;
8313 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8314 			     NL80211_CMD_GET_MESH_CONFIG);
8315 	if (!hdr)
8316 		goto out;
8317 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8318 	if (!pinfoattr)
8319 		goto nla_put_failure;
8320 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8321 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8322 			cur_params.dot11MeshRetryTimeout) ||
8323 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8324 			cur_params.dot11MeshConfirmTimeout) ||
8325 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8326 			cur_params.dot11MeshHoldingTimeout) ||
8327 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8328 			cur_params.dot11MeshMaxPeerLinks) ||
8329 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8330 		       cur_params.dot11MeshMaxRetries) ||
8331 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8332 		       cur_params.dot11MeshTTL) ||
8333 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8334 		       cur_params.element_ttl) ||
8335 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8336 		       cur_params.auto_open_plinks) ||
8337 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8338 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8339 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8340 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8341 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8342 			cur_params.path_refresh_time) ||
8343 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8344 			cur_params.min_discovery_timeout) ||
8345 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8346 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8347 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8348 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8349 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8350 			cur_params.dot11MeshHWMPperrMinInterval) ||
8351 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8352 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8353 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8354 		       cur_params.dot11MeshHWMPRootMode) ||
8355 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8356 			cur_params.dot11MeshHWMPRannInterval) ||
8357 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8358 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8359 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8360 		       cur_params.dot11MeshForwarding) ||
8361 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8362 			cur_params.rssi_threshold) ||
8363 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8364 			cur_params.ht_opmode) ||
8365 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8366 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8367 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8368 			cur_params.dot11MeshHWMProotInterval) ||
8369 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8370 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8371 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8372 			cur_params.power_mode) ||
8373 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8374 			cur_params.dot11MeshAwakeWindowDuration) ||
8375 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8376 			cur_params.plink_timeout) ||
8377 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8378 		       cur_params.dot11MeshConnectedToMeshGate) ||
8379 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8380 		       cur_params.dot11MeshNolearn) ||
8381 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8382 		       cur_params.dot11MeshConnectedToAuthServer))
8383 		goto nla_put_failure;
8384 	nla_nest_end(msg, pinfoattr);
8385 	genlmsg_end(msg, hdr);
8386 	return genlmsg_reply(msg, info);
8387 
8388  nla_put_failure:
8389  out:
8390 	nlmsg_free(msg);
8391 	return -ENOBUFS;
8392 }
8393 
8394 static const struct nla_policy
8395 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8396 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8397 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8398 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8399 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8400 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8401 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8402 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8403 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8404 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8405 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8406 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8407 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8408 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8409 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8410 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8411 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8412 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8413 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8414 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8415 		NLA_POLICY_MIN(NLA_U16, 1),
8416 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8417 		NLA_POLICY_MIN(NLA_U16, 1),
8418 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8419 		NLA_POLICY_MIN(NLA_U16, 1),
8420 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8421 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8422 		NLA_POLICY_MIN(NLA_U16, 1),
8423 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8424 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8425 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8426 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8427 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8428 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8429 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8430 		NLA_POLICY_MIN(NLA_U16, 1),
8431 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8432 		NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_POWER_MODE] =
8434 		NLA_POLICY_RANGE(NLA_U32,
8435 				 NL80211_MESH_POWER_ACTIVE,
8436 				 NL80211_MESH_POWER_MAX),
8437 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8438 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8439 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8440 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8441 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8442 };
8443 
8444 static const struct nla_policy
8445 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8446 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8447 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8448 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8449 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8450 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8451 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8452 	[NL80211_MESH_SETUP_IE] =
8453 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8454 				       IEEE80211_MAX_DATA_LEN),
8455 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8456 };
8457 
8458 static int nl80211_parse_mesh_config(struct genl_info *info,
8459 				     struct mesh_config *cfg,
8460 				     u32 *mask_out)
8461 {
8462 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8463 	u32 mask = 0;
8464 	u16 ht_opmode;
8465 
8466 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8467 do {									\
8468 	if (tb[attr]) {							\
8469 		cfg->param = fn(tb[attr]);				\
8470 		mask |= BIT((attr) - 1);				\
8471 	}								\
8472 } while (0)
8473 
8474 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8475 		return -EINVAL;
8476 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8477 		return -EINVAL;
8478 
8479 	/* This makes sure that there aren't more than 32 mesh config
8480 	 * parameters (otherwise our bitfield scheme would not work.) */
8481 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8482 
8483 	/* Fill in the params struct */
8484 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8485 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8486 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8487 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8488 				  nla_get_u16);
8489 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8490 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8491 				  nla_get_u16);
8492 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8493 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8494 				  nla_get_u16);
8495 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8496 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8497 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8498 				  NL80211_MESHCONF_TTL, nla_get_u8);
8499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8500 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8502 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8503 				  nla_get_u8);
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8505 				  mask,
8506 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8507 				  nla_get_u32);
8508 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8509 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8510 				  nla_get_u8);
8511 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8512 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8513 				  nla_get_u32);
8514 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8515 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8516 		return -EINVAL;
8517 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8518 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8519 				  nla_get_u16);
8520 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8521 				  mask,
8522 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8523 				  nla_get_u32);
8524 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8525 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8526 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8527 		return -EINVAL;
8528 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8529 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8530 				  nla_get_u16);
8531 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8532 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8533 				  nla_get_u16);
8534 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8535 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8536 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8537 				  nla_get_u16);
8538 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8539 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8540 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8541 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8542 				  nla_get_u16);
8543 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8544 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8545 				  nla_get_u8);
8546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8547 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8549 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8550 				  nla_get_s32);
8551 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8552 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8553 				  nla_get_u8);
8554 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8555 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8556 				  nla_get_u8);
8557 	/*
8558 	 * Check HT operation mode based on
8559 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8560 	 */
8561 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8562 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8563 
8564 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8565 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8566 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8567 			return -EINVAL;
8568 
8569 		/* NON_HT_STA bit is reserved, but some programs set it */
8570 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8571 
8572 		cfg->ht_opmode = ht_opmode;
8573 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8574 	}
8575 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8576 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8577 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8578 				  nla_get_u32);
8579 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8580 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8581 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8582 		return -EINVAL;
8583 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8584 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8585 				  nla_get_u16);
8586 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8587 				  mask,
8588 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8589 				  nla_get_u16);
8590 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8591 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8592 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8593 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8594 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8595 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8596 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8597 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8598 	if (mask_out)
8599 		*mask_out = mask;
8600 
8601 	return 0;
8602 
8603 #undef FILL_IN_MESH_PARAM_IF_SET
8604 }
8605 
8606 static int nl80211_parse_mesh_setup(struct genl_info *info,
8607 				     struct mesh_setup *setup)
8608 {
8609 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8610 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8611 
8612 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8613 		return -EINVAL;
8614 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8615 		return -EINVAL;
8616 
8617 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8618 		setup->sync_method =
8619 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8620 		 IEEE80211_SYNC_METHOD_VENDOR :
8621 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8622 
8623 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8624 		setup->path_sel_proto =
8625 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8626 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8627 		 IEEE80211_PATH_PROTOCOL_HWMP;
8628 
8629 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8630 		setup->path_metric =
8631 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8632 		 IEEE80211_PATH_METRIC_VENDOR :
8633 		 IEEE80211_PATH_METRIC_AIRTIME;
8634 
8635 	if (tb[NL80211_MESH_SETUP_IE]) {
8636 		struct nlattr *ieattr =
8637 			tb[NL80211_MESH_SETUP_IE];
8638 		setup->ie = nla_data(ieattr);
8639 		setup->ie_len = nla_len(ieattr);
8640 	}
8641 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8642 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8643 		return -EINVAL;
8644 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8645 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8646 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8647 	if (setup->is_secure)
8648 		setup->user_mpm = true;
8649 
8650 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8651 		if (!setup->user_mpm)
8652 			return -EINVAL;
8653 		setup->auth_id =
8654 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8655 	}
8656 
8657 	return 0;
8658 }
8659 
8660 static int nl80211_update_mesh_config(struct sk_buff *skb,
8661 				      struct genl_info *info)
8662 {
8663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8664 	struct net_device *dev = info->user_ptr[1];
8665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8666 	struct mesh_config cfg = {};
8667 	u32 mask;
8668 	int err;
8669 
8670 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8671 		return -EOPNOTSUPP;
8672 
8673 	if (!rdev->ops->update_mesh_config)
8674 		return -EOPNOTSUPP;
8675 
8676 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8677 	if (err)
8678 		return err;
8679 
8680 	if (!wdev->u.mesh.id_len)
8681 		err = -ENOLINK;
8682 
8683 	if (!err)
8684 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8685 
8686 	return err;
8687 }
8688 
8689 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8690 			      struct sk_buff *msg)
8691 {
8692 	struct nlattr *nl_reg_rules;
8693 	unsigned int i;
8694 
8695 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8696 	    (regdom->dfs_region &&
8697 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8698 		goto nla_put_failure;
8699 
8700 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8701 	if (!nl_reg_rules)
8702 		goto nla_put_failure;
8703 
8704 	for (i = 0; i < regdom->n_reg_rules; i++) {
8705 		struct nlattr *nl_reg_rule;
8706 		const struct ieee80211_reg_rule *reg_rule;
8707 		const struct ieee80211_freq_range *freq_range;
8708 		const struct ieee80211_power_rule *power_rule;
8709 		unsigned int max_bandwidth_khz;
8710 
8711 		reg_rule = &regdom->reg_rules[i];
8712 		freq_range = &reg_rule->freq_range;
8713 		power_rule = &reg_rule->power_rule;
8714 
8715 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8716 		if (!nl_reg_rule)
8717 			goto nla_put_failure;
8718 
8719 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8720 		if (!max_bandwidth_khz)
8721 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8722 								  reg_rule);
8723 
8724 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8725 				reg_rule->flags) ||
8726 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8727 				freq_range->start_freq_khz) ||
8728 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8729 				freq_range->end_freq_khz) ||
8730 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8731 				max_bandwidth_khz) ||
8732 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8733 				power_rule->max_antenna_gain) ||
8734 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8735 				power_rule->max_eirp) ||
8736 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8737 				reg_rule->dfs_cac_ms))
8738 			goto nla_put_failure;
8739 
8740 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8741 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8742 			       reg_rule->psd))
8743 			goto nla_put_failure;
8744 
8745 		nla_nest_end(msg, nl_reg_rule);
8746 	}
8747 
8748 	nla_nest_end(msg, nl_reg_rules);
8749 	return 0;
8750 
8751 nla_put_failure:
8752 	return -EMSGSIZE;
8753 }
8754 
8755 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8756 {
8757 	const struct ieee80211_regdomain *regdom = NULL;
8758 	struct cfg80211_registered_device *rdev;
8759 	struct wiphy *wiphy = NULL;
8760 	struct sk_buff *msg;
8761 	int err = -EMSGSIZE;
8762 	void *hdr;
8763 
8764 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8765 	if (!msg)
8766 		return -ENOBUFS;
8767 
8768 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8769 			     NL80211_CMD_GET_REG);
8770 	if (!hdr)
8771 		goto put_failure;
8772 
8773 	rtnl_lock();
8774 
8775 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8776 		bool self_managed;
8777 
8778 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8779 		if (IS_ERR(rdev)) {
8780 			err = PTR_ERR(rdev);
8781 			goto nla_put_failure;
8782 		}
8783 
8784 		wiphy = &rdev->wiphy;
8785 		self_managed = wiphy->regulatory_flags &
8786 			       REGULATORY_WIPHY_SELF_MANAGED;
8787 
8788 		rcu_read_lock();
8789 
8790 		regdom = get_wiphy_regdom(wiphy);
8791 
8792 		/* a self-managed-reg device must have a private regdom */
8793 		if (WARN_ON(!regdom && self_managed)) {
8794 			err = -EINVAL;
8795 			goto nla_put_failure_rcu;
8796 		}
8797 
8798 		if (regdom &&
8799 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8800 			goto nla_put_failure_rcu;
8801 	} else {
8802 		rcu_read_lock();
8803 	}
8804 
8805 	if (!wiphy && reg_last_request_cell_base() &&
8806 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8807 			NL80211_USER_REG_HINT_CELL_BASE))
8808 		goto nla_put_failure_rcu;
8809 
8810 	if (!regdom)
8811 		regdom = rcu_dereference(cfg80211_regdomain);
8812 
8813 	if (nl80211_put_regdom(regdom, msg))
8814 		goto nla_put_failure_rcu;
8815 
8816 	rcu_read_unlock();
8817 
8818 	genlmsg_end(msg, hdr);
8819 	rtnl_unlock();
8820 	return genlmsg_reply(msg, info);
8821 
8822 nla_put_failure_rcu:
8823 	rcu_read_unlock();
8824 nla_put_failure:
8825 	rtnl_unlock();
8826 put_failure:
8827 	nlmsg_free(msg);
8828 	return err;
8829 }
8830 
8831 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8832 			       u32 seq, int flags, struct wiphy *wiphy,
8833 			       const struct ieee80211_regdomain *regdom)
8834 {
8835 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8836 				   NL80211_CMD_GET_REG);
8837 
8838 	if (!hdr)
8839 		return -1;
8840 
8841 	genl_dump_check_consistent(cb, hdr);
8842 
8843 	if (nl80211_put_regdom(regdom, msg))
8844 		goto nla_put_failure;
8845 
8846 	if (!wiphy && reg_last_request_cell_base() &&
8847 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8848 			NL80211_USER_REG_HINT_CELL_BASE))
8849 		goto nla_put_failure;
8850 
8851 	if (wiphy &&
8852 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8853 		goto nla_put_failure;
8854 
8855 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8856 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8857 		goto nla_put_failure;
8858 
8859 	genlmsg_end(msg, hdr);
8860 	return 0;
8861 
8862 nla_put_failure:
8863 	genlmsg_cancel(msg, hdr);
8864 	return -EMSGSIZE;
8865 }
8866 
8867 static int nl80211_get_reg_dump(struct sk_buff *skb,
8868 				struct netlink_callback *cb)
8869 {
8870 	const struct ieee80211_regdomain *regdom = NULL;
8871 	struct cfg80211_registered_device *rdev;
8872 	int err, reg_idx, start = cb->args[2];
8873 
8874 	rcu_read_lock();
8875 
8876 	if (cfg80211_regdomain && start == 0) {
8877 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8878 					  NLM_F_MULTI, NULL,
8879 					  rcu_dereference(cfg80211_regdomain));
8880 		if (err < 0)
8881 			goto out_err;
8882 	}
8883 
8884 	/* the global regdom is idx 0 */
8885 	reg_idx = 1;
8886 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8887 		regdom = get_wiphy_regdom(&rdev->wiphy);
8888 		if (!regdom)
8889 			continue;
8890 
8891 		if (++reg_idx <= start)
8892 			continue;
8893 
8894 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8895 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8896 		if (err < 0) {
8897 			reg_idx--;
8898 			break;
8899 		}
8900 	}
8901 
8902 	cb->args[2] = reg_idx;
8903 	err = skb->len;
8904 out_err:
8905 	rcu_read_unlock();
8906 	return err;
8907 }
8908 
8909 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8910 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8911 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8912 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8913 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8914 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8915 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8916 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8917 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8918 };
8919 
8920 static int parse_reg_rule(struct nlattr *tb[],
8921 	struct ieee80211_reg_rule *reg_rule)
8922 {
8923 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8924 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8925 
8926 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8927 		return -EINVAL;
8928 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8929 		return -EINVAL;
8930 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8931 		return -EINVAL;
8932 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8933 		return -EINVAL;
8934 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8935 		return -EINVAL;
8936 
8937 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8938 
8939 	freq_range->start_freq_khz =
8940 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8941 	freq_range->end_freq_khz =
8942 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8943 	freq_range->max_bandwidth_khz =
8944 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8945 
8946 	power_rule->max_eirp =
8947 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8948 
8949 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8950 		power_rule->max_antenna_gain =
8951 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8952 
8953 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8954 		reg_rule->dfs_cac_ms =
8955 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8956 
8957 	return 0;
8958 }
8959 
8960 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8961 {
8962 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8963 	struct nlattr *nl_reg_rule;
8964 	char *alpha2;
8965 	int rem_reg_rules, r;
8966 	u32 num_rules = 0, rule_idx = 0;
8967 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8968 	struct ieee80211_regdomain *rd;
8969 
8970 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8971 		return -EINVAL;
8972 
8973 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8974 		return -EINVAL;
8975 
8976 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8977 
8978 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8979 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8980 
8981 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8982 			    rem_reg_rules) {
8983 		num_rules++;
8984 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8985 			return -EINVAL;
8986 	}
8987 
8988 	rtnl_lock();
8989 	if (!reg_is_valid_request(alpha2)) {
8990 		r = -EINVAL;
8991 		goto out;
8992 	}
8993 
8994 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8995 	if (!rd) {
8996 		r = -ENOMEM;
8997 		goto out;
8998 	}
8999 
9000 	rd->n_reg_rules = num_rules;
9001 	rd->alpha2[0] = alpha2[0];
9002 	rd->alpha2[1] = alpha2[1];
9003 
9004 	/*
9005 	 * Disable DFS master mode if the DFS region was
9006 	 * not supported or known on this kernel.
9007 	 */
9008 	if (reg_supported_dfs_region(dfs_region))
9009 		rd->dfs_region = dfs_region;
9010 
9011 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9012 			    rem_reg_rules) {
9013 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9014 						nl_reg_rule, reg_rule_policy,
9015 						info->extack);
9016 		if (r)
9017 			goto bad_reg;
9018 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9019 		if (r)
9020 			goto bad_reg;
9021 
9022 		rule_idx++;
9023 
9024 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9025 			r = -EINVAL;
9026 			goto bad_reg;
9027 		}
9028 	}
9029 
9030 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9031 	/* set_regdom takes ownership of rd */
9032 	rd = NULL;
9033  bad_reg:
9034 	kfree(rd);
9035  out:
9036 	rtnl_unlock();
9037 	return r;
9038 }
9039 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9040 
9041 static int validate_scan_freqs(struct nlattr *freqs)
9042 {
9043 	struct nlattr *attr1, *attr2;
9044 	int n_channels = 0, tmp1, tmp2;
9045 
9046 	nla_for_each_nested(attr1, freqs, tmp1)
9047 		if (nla_len(attr1) != sizeof(u32))
9048 			return 0;
9049 
9050 	nla_for_each_nested(attr1, freqs, tmp1) {
9051 		n_channels++;
9052 		/*
9053 		 * Some hardware has a limited channel list for
9054 		 * scanning, and it is pretty much nonsensical
9055 		 * to scan for a channel twice, so disallow that
9056 		 * and don't require drivers to check that the
9057 		 * channel list they get isn't longer than what
9058 		 * they can scan, as long as they can scan all
9059 		 * the channels they registered at once.
9060 		 */
9061 		nla_for_each_nested(attr2, freqs, tmp2)
9062 			if (attr1 != attr2 &&
9063 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9064 				return 0;
9065 	}
9066 
9067 	return n_channels;
9068 }
9069 
9070 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9071 {
9072 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9073 }
9074 
9075 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9076 			    struct cfg80211_bss_selection *bss_select)
9077 {
9078 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9079 	struct nlattr *nest;
9080 	int err;
9081 	bool found = false;
9082 	int i;
9083 
9084 	/* only process one nested attribute */
9085 	nest = nla_data(nla);
9086 	if (!nla_ok(nest, nla_len(nest)))
9087 		return -EINVAL;
9088 
9089 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9090 					  nest, nl80211_bss_select_policy,
9091 					  NULL);
9092 	if (err)
9093 		return err;
9094 
9095 	/* only one attribute may be given */
9096 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9097 		if (attr[i]) {
9098 			if (found)
9099 				return -EINVAL;
9100 			found = true;
9101 		}
9102 	}
9103 
9104 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9105 
9106 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9107 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9108 
9109 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9110 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9111 		bss_select->param.band_pref =
9112 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9113 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9114 			return -EINVAL;
9115 	}
9116 
9117 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9118 		struct nl80211_bss_select_rssi_adjust *adj_param;
9119 
9120 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9121 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9122 		bss_select->param.adjust.band = adj_param->band;
9123 		bss_select->param.adjust.delta = adj_param->delta;
9124 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9125 			return -EINVAL;
9126 	}
9127 
9128 	/* user-space did not provide behaviour attribute */
9129 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9130 		return -EINVAL;
9131 
9132 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9133 		return -EINVAL;
9134 
9135 	return 0;
9136 }
9137 
9138 int nl80211_parse_random_mac(struct nlattr **attrs,
9139 			     u8 *mac_addr, u8 *mac_addr_mask)
9140 {
9141 	int i;
9142 
9143 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9144 		eth_zero_addr(mac_addr);
9145 		eth_zero_addr(mac_addr_mask);
9146 		mac_addr[0] = 0x2;
9147 		mac_addr_mask[0] = 0x3;
9148 
9149 		return 0;
9150 	}
9151 
9152 	/* need both or none */
9153 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9154 		return -EINVAL;
9155 
9156 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9157 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9158 
9159 	/* don't allow or configure an mcast address */
9160 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9161 	    is_multicast_ether_addr(mac_addr))
9162 		return -EINVAL;
9163 
9164 	/*
9165 	 * allow users to pass a MAC address that has bits set outside
9166 	 * of the mask, but don't bother drivers with having to deal
9167 	 * with such bits
9168 	 */
9169 	for (i = 0; i < ETH_ALEN; i++)
9170 		mac_addr[i] &= mac_addr_mask[i];
9171 
9172 	return 0;
9173 }
9174 
9175 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9176 					      struct ieee80211_channel *chan)
9177 {
9178 	unsigned int link_id;
9179 	bool all_ok = true;
9180 
9181 	lockdep_assert_wiphy(wdev->wiphy);
9182 
9183 	if (!cfg80211_beaconing_iface_active(wdev))
9184 		return true;
9185 
9186 	/*
9187 	 * FIXME: check if we have a free HW resource/link for chan
9188 	 *
9189 	 * This, as well as the FIXME below, requires knowing the link
9190 	 * capabilities of the hardware.
9191 	 */
9192 
9193 	/* we cannot leave radar channels */
9194 	for_each_valid_link(wdev, link_id) {
9195 		struct cfg80211_chan_def *chandef;
9196 
9197 		chandef = wdev_chandef(wdev, link_id);
9198 		if (!chandef || !chandef->chan)
9199 			continue;
9200 
9201 		/*
9202 		 * FIXME: don't require all_ok, but rather check only the
9203 		 *	  correct HW resource/link onto which 'chan' falls,
9204 		 *	  as only that link leaves the channel for doing
9205 		 *	  the off-channel operation.
9206 		 */
9207 
9208 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9209 			all_ok = false;
9210 	}
9211 
9212 	if (all_ok)
9213 		return true;
9214 
9215 	return regulatory_pre_cac_allowed(wdev->wiphy);
9216 }
9217 
9218 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9219 				    enum nl80211_ext_feature_index feat)
9220 {
9221 	if (!(flags & flag))
9222 		return true;
9223 	if (wiphy_ext_feature_isset(wiphy, feat))
9224 		return true;
9225 	return false;
9226 }
9227 
9228 static int
9229 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9230 			 void *request, struct nlattr **attrs,
9231 			 bool is_sched_scan)
9232 {
9233 	u8 *mac_addr, *mac_addr_mask;
9234 	u32 *flags;
9235 	enum nl80211_feature_flags randomness_flag;
9236 
9237 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9238 		return 0;
9239 
9240 	if (is_sched_scan) {
9241 		struct cfg80211_sched_scan_request *req = request;
9242 
9243 		randomness_flag = wdev ?
9244 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9245 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9246 		flags = &req->flags;
9247 		mac_addr = req->mac_addr;
9248 		mac_addr_mask = req->mac_addr_mask;
9249 	} else {
9250 		struct cfg80211_scan_request *req = request;
9251 
9252 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9253 		flags = &req->flags;
9254 		mac_addr = req->mac_addr;
9255 		mac_addr_mask = req->mac_addr_mask;
9256 	}
9257 
9258 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9259 
9260 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9261 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9262 	    !nl80211_check_scan_feat(wiphy, *flags,
9263 				     NL80211_SCAN_FLAG_LOW_SPAN,
9264 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9265 	    !nl80211_check_scan_feat(wiphy, *flags,
9266 				     NL80211_SCAN_FLAG_LOW_POWER,
9267 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9268 	    !nl80211_check_scan_feat(wiphy, *flags,
9269 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9270 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9271 	    !nl80211_check_scan_feat(wiphy, *flags,
9272 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9273 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9274 	    !nl80211_check_scan_feat(wiphy, *flags,
9275 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9276 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9277 	    !nl80211_check_scan_feat(wiphy, *flags,
9278 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9279 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9280 	    !nl80211_check_scan_feat(wiphy, *flags,
9281 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9282 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9283 	    !nl80211_check_scan_feat(wiphy, *flags,
9284 				     NL80211_SCAN_FLAG_RANDOM_SN,
9285 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9288 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9289 		return -EOPNOTSUPP;
9290 
9291 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9292 		int err;
9293 
9294 		if (!(wiphy->features & randomness_flag) ||
9295 		    (wdev && wdev->connected))
9296 			return -EOPNOTSUPP;
9297 
9298 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9299 		if (err)
9300 			return err;
9301 	}
9302 
9303 	return 0;
9304 }
9305 
9306 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9307 {
9308 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9309 	struct wireless_dev *wdev = info->user_ptr[1];
9310 	struct cfg80211_scan_request *request;
9311 	struct nlattr *scan_freqs = NULL;
9312 	bool scan_freqs_khz = false;
9313 	struct nlattr *attr;
9314 	struct wiphy *wiphy;
9315 	int err, tmp, n_ssids = 0, n_channels, i;
9316 	size_t ie_len, size;
9317 	size_t ssids_offset, ie_offset;
9318 
9319 	wiphy = &rdev->wiphy;
9320 
9321 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9322 		return -EOPNOTSUPP;
9323 
9324 	if (!rdev->ops->scan)
9325 		return -EOPNOTSUPP;
9326 
9327 	if (rdev->scan_req || rdev->scan_msg)
9328 		return -EBUSY;
9329 
9330 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9331 		if (!wiphy_ext_feature_isset(wiphy,
9332 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9333 			return -EOPNOTSUPP;
9334 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9335 		scan_freqs_khz = true;
9336 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9337 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9338 
9339 	if (scan_freqs) {
9340 		n_channels = validate_scan_freqs(scan_freqs);
9341 		if (!n_channels)
9342 			return -EINVAL;
9343 	} else {
9344 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9345 	}
9346 
9347 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9348 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9349 			n_ssids++;
9350 
9351 	if (n_ssids > wiphy->max_scan_ssids)
9352 		return -EINVAL;
9353 
9354 	if (info->attrs[NL80211_ATTR_IE])
9355 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9356 	else
9357 		ie_len = 0;
9358 
9359 	if (ie_len > wiphy->max_scan_ie_len)
9360 		return -EINVAL;
9361 
9362 	size = struct_size(request, channels, n_channels);
9363 	ssids_offset = size;
9364 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9365 	ie_offset = size;
9366 	size = size_add(size, ie_len);
9367 	request = kzalloc(size, GFP_KERNEL);
9368 	if (!request)
9369 		return -ENOMEM;
9370 	request->n_channels = n_channels;
9371 
9372 	if (n_ssids)
9373 		request->ssids = (void *)request + ssids_offset;
9374 	request->n_ssids = n_ssids;
9375 	if (ie_len)
9376 		request->ie = (void *)request + ie_offset;
9377 
9378 	i = 0;
9379 	if (scan_freqs) {
9380 		/* user specified, bail out if channel not found */
9381 		nla_for_each_nested(attr, scan_freqs, tmp) {
9382 			struct ieee80211_channel *chan;
9383 			int freq = nla_get_u32(attr);
9384 
9385 			if (!scan_freqs_khz)
9386 				freq = MHZ_TO_KHZ(freq);
9387 
9388 			chan = ieee80211_get_channel_khz(wiphy, freq);
9389 			if (!chan) {
9390 				err = -EINVAL;
9391 				goto out_free;
9392 			}
9393 
9394 			/* ignore disabled channels */
9395 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9396 				continue;
9397 
9398 			request->channels[i] = chan;
9399 			i++;
9400 		}
9401 	} else {
9402 		enum nl80211_band band;
9403 
9404 		/* all channels */
9405 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9406 			int j;
9407 
9408 			if (!wiphy->bands[band])
9409 				continue;
9410 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9411 				struct ieee80211_channel *chan;
9412 
9413 				chan = &wiphy->bands[band]->channels[j];
9414 
9415 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9416 					continue;
9417 
9418 				request->channels[i] = chan;
9419 				i++;
9420 			}
9421 		}
9422 	}
9423 
9424 	if (!i) {
9425 		err = -EINVAL;
9426 		goto out_free;
9427 	}
9428 
9429 	request->n_channels = i;
9430 
9431 	for (i = 0; i < request->n_channels; i++) {
9432 		struct ieee80211_channel *chan = request->channels[i];
9433 
9434 		/* if we can go off-channel to the target channel we're good */
9435 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9436 			continue;
9437 
9438 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9439 			err = -EBUSY;
9440 			goto out_free;
9441 		}
9442 	}
9443 
9444 	i = 0;
9445 	if (n_ssids) {
9446 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9447 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9448 				err = -EINVAL;
9449 				goto out_free;
9450 			}
9451 			request->ssids[i].ssid_len = nla_len(attr);
9452 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9453 			i++;
9454 		}
9455 	}
9456 
9457 	if (info->attrs[NL80211_ATTR_IE]) {
9458 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9459 		memcpy((void *)request->ie,
9460 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9461 		       request->ie_len);
9462 	}
9463 
9464 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9465 		if (wiphy->bands[i])
9466 			request->rates[i] =
9467 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9468 
9469 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9470 		nla_for_each_nested(attr,
9471 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9472 				    tmp) {
9473 			enum nl80211_band band = nla_type(attr);
9474 
9475 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9476 				err = -EINVAL;
9477 				goto out_free;
9478 			}
9479 
9480 			if (!wiphy->bands[band])
9481 				continue;
9482 
9483 			err = ieee80211_get_ratemask(wiphy->bands[band],
9484 						     nla_data(attr),
9485 						     nla_len(attr),
9486 						     &request->rates[band]);
9487 			if (err)
9488 				goto out_free;
9489 		}
9490 	}
9491 
9492 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9493 		request->duration =
9494 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9495 		request->duration_mandatory =
9496 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9497 	}
9498 
9499 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9500 				       false);
9501 	if (err)
9502 		goto out_free;
9503 
9504 	request->no_cck =
9505 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9506 
9507 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9508 	 * BSSID to scan for. This was problematic because that same attribute
9509 	 * was already used for another purpose (local random MAC address). The
9510 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9511 	 * compatibility with older userspace components, also use the
9512 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9513 	 * the specific BSSID use case instead of the random MAC address
9514 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9515 	 */
9516 	if (info->attrs[NL80211_ATTR_BSSID])
9517 		memcpy(request->bssid,
9518 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9519 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9520 		 info->attrs[NL80211_ATTR_MAC])
9521 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9522 		       ETH_ALEN);
9523 	else
9524 		eth_broadcast_addr(request->bssid);
9525 
9526 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9527 	request->wdev = wdev;
9528 	request->wiphy = &rdev->wiphy;
9529 	request->scan_start = jiffies;
9530 
9531 	rdev->scan_req = request;
9532 	err = cfg80211_scan(rdev);
9533 
9534 	if (err)
9535 		goto out_free;
9536 
9537 	nl80211_send_scan_start(rdev, wdev);
9538 	dev_hold(wdev->netdev);
9539 
9540 	return 0;
9541 
9542  out_free:
9543 	rdev->scan_req = NULL;
9544 	kfree(request);
9545 
9546 	return err;
9547 }
9548 
9549 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9550 {
9551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9552 	struct wireless_dev *wdev = info->user_ptr[1];
9553 
9554 	if (!rdev->ops->abort_scan)
9555 		return -EOPNOTSUPP;
9556 
9557 	if (rdev->scan_msg)
9558 		return 0;
9559 
9560 	if (!rdev->scan_req)
9561 		return -ENOENT;
9562 
9563 	rdev_abort_scan(rdev, wdev);
9564 	return 0;
9565 }
9566 
9567 static int
9568 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9569 			       struct cfg80211_sched_scan_request *request,
9570 			       struct nlattr **attrs)
9571 {
9572 	int tmp, err, i = 0;
9573 	struct nlattr *attr;
9574 
9575 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9576 		u32 interval;
9577 
9578 		/*
9579 		 * If scan plans are not specified,
9580 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9581 		 * case one scan plan will be set with the specified scan
9582 		 * interval and infinite number of iterations.
9583 		 */
9584 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9585 		if (!interval)
9586 			return -EINVAL;
9587 
9588 		request->scan_plans[0].interval =
9589 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9590 		if (!request->scan_plans[0].interval)
9591 			return -EINVAL;
9592 
9593 		if (request->scan_plans[0].interval >
9594 		    wiphy->max_sched_scan_plan_interval)
9595 			request->scan_plans[0].interval =
9596 				wiphy->max_sched_scan_plan_interval;
9597 
9598 		return 0;
9599 	}
9600 
9601 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9602 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9603 
9604 		if (WARN_ON(i >= n_plans))
9605 			return -EINVAL;
9606 
9607 		err = nla_parse_nested_deprecated(plan,
9608 						  NL80211_SCHED_SCAN_PLAN_MAX,
9609 						  attr, nl80211_plan_policy,
9610 						  NULL);
9611 		if (err)
9612 			return err;
9613 
9614 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9615 			return -EINVAL;
9616 
9617 		request->scan_plans[i].interval =
9618 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9619 		if (!request->scan_plans[i].interval ||
9620 		    request->scan_plans[i].interval >
9621 		    wiphy->max_sched_scan_plan_interval)
9622 			return -EINVAL;
9623 
9624 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9625 			request->scan_plans[i].iterations =
9626 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9627 			if (!request->scan_plans[i].iterations ||
9628 			    (request->scan_plans[i].iterations >
9629 			     wiphy->max_sched_scan_plan_iterations))
9630 				return -EINVAL;
9631 		} else if (i < n_plans - 1) {
9632 			/*
9633 			 * All scan plans but the last one must specify
9634 			 * a finite number of iterations
9635 			 */
9636 			return -EINVAL;
9637 		}
9638 
9639 		i++;
9640 	}
9641 
9642 	/*
9643 	 * The last scan plan must not specify the number of
9644 	 * iterations, it is supposed to run infinitely
9645 	 */
9646 	if (request->scan_plans[n_plans - 1].iterations)
9647 		return  -EINVAL;
9648 
9649 	return 0;
9650 }
9651 
9652 static struct cfg80211_sched_scan_request *
9653 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9654 			 struct nlattr **attrs, int max_match_sets)
9655 {
9656 	struct cfg80211_sched_scan_request *request;
9657 	struct nlattr *attr;
9658 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9659 	enum nl80211_band band;
9660 	size_t ie_len, size;
9661 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9662 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9663 
9664 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9665 		n_channels = validate_scan_freqs(
9666 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9667 		if (!n_channels)
9668 			return ERR_PTR(-EINVAL);
9669 	} else {
9670 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9671 	}
9672 
9673 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9674 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9675 				    tmp)
9676 			n_ssids++;
9677 
9678 	if (n_ssids > wiphy->max_sched_scan_ssids)
9679 		return ERR_PTR(-EINVAL);
9680 
9681 	/*
9682 	 * First, count the number of 'real' matchsets. Due to an issue with
9683 	 * the old implementation, matchsets containing only the RSSI attribute
9684 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9685 	 * RSSI for all matchsets, rather than their own matchset for reporting
9686 	 * all APs with a strong RSSI. This is needed to be compatible with
9687 	 * older userspace that treated a matchset with only the RSSI as the
9688 	 * global RSSI for all other matchsets - if there are other matchsets.
9689 	 */
9690 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9691 		nla_for_each_nested(attr,
9692 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9693 				    tmp) {
9694 			struct nlattr *rssi;
9695 
9696 			err = nla_parse_nested_deprecated(tb,
9697 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9698 							  attr,
9699 							  nl80211_match_policy,
9700 							  NULL);
9701 			if (err)
9702 				return ERR_PTR(err);
9703 
9704 			/* SSID and BSSID are mutually exclusive */
9705 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9706 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9707 				return ERR_PTR(-EINVAL);
9708 
9709 			/* add other standalone attributes here */
9710 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9711 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9712 				n_match_sets++;
9713 				continue;
9714 			}
9715 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9716 			if (rssi)
9717 				default_match_rssi = nla_get_s32(rssi);
9718 		}
9719 	}
9720 
9721 	/* However, if there's no other matchset, add the RSSI one */
9722 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9723 		n_match_sets = 1;
9724 
9725 	if (n_match_sets > max_match_sets)
9726 		return ERR_PTR(-EINVAL);
9727 
9728 	if (attrs[NL80211_ATTR_IE])
9729 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9730 	else
9731 		ie_len = 0;
9732 
9733 	if (ie_len > wiphy->max_sched_scan_ie_len)
9734 		return ERR_PTR(-EINVAL);
9735 
9736 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9737 		/*
9738 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9739 		 * each scan plan already specifies its own interval
9740 		 */
9741 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9742 			return ERR_PTR(-EINVAL);
9743 
9744 		nla_for_each_nested(attr,
9745 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9746 			n_plans++;
9747 	} else {
9748 		/*
9749 		 * The scan interval attribute is kept for backward
9750 		 * compatibility. If no scan plans are specified and sched scan
9751 		 * interval is specified, one scan plan will be set with this
9752 		 * scan interval and infinite number of iterations.
9753 		 */
9754 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9755 			return ERR_PTR(-EINVAL);
9756 
9757 		n_plans = 1;
9758 	}
9759 
9760 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9761 		return ERR_PTR(-EINVAL);
9762 
9763 	if (!wiphy_ext_feature_isset(
9764 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9765 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9766 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9767 		return ERR_PTR(-EINVAL);
9768 
9769 	size = struct_size(request, channels, n_channels);
9770 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9771 	size = size_add(size, array_size(sizeof(*request->match_sets),
9772 					 n_match_sets));
9773 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9774 					 n_plans));
9775 	size = size_add(size, ie_len);
9776 	request = kzalloc(size, GFP_KERNEL);
9777 	if (!request)
9778 		return ERR_PTR(-ENOMEM);
9779 
9780 	if (n_ssids)
9781 		request->ssids = (void *)&request->channels[n_channels];
9782 	request->n_ssids = n_ssids;
9783 	if (ie_len) {
9784 		if (n_ssids)
9785 			request->ie = (void *)(request->ssids + n_ssids);
9786 		else
9787 			request->ie = (void *)(request->channels + n_channels);
9788 	}
9789 
9790 	if (n_match_sets) {
9791 		if (request->ie)
9792 			request->match_sets = (void *)(request->ie + ie_len);
9793 		else if (n_ssids)
9794 			request->match_sets =
9795 				(void *)(request->ssids + n_ssids);
9796 		else
9797 			request->match_sets =
9798 				(void *)(request->channels + n_channels);
9799 	}
9800 	request->n_match_sets = n_match_sets;
9801 
9802 	if (n_match_sets)
9803 		request->scan_plans = (void *)(request->match_sets +
9804 					       n_match_sets);
9805 	else if (request->ie)
9806 		request->scan_plans = (void *)(request->ie + ie_len);
9807 	else if (n_ssids)
9808 		request->scan_plans = (void *)(request->ssids + n_ssids);
9809 	else
9810 		request->scan_plans = (void *)(request->channels + n_channels);
9811 
9812 	request->n_scan_plans = n_plans;
9813 
9814 	i = 0;
9815 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9816 		/* user specified, bail out if channel not found */
9817 		nla_for_each_nested(attr,
9818 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9819 				    tmp) {
9820 			struct ieee80211_channel *chan;
9821 
9822 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9823 
9824 			if (!chan) {
9825 				err = -EINVAL;
9826 				goto out_free;
9827 			}
9828 
9829 			/* ignore disabled channels */
9830 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9831 				continue;
9832 
9833 			request->channels[i] = chan;
9834 			i++;
9835 		}
9836 	} else {
9837 		/* all channels */
9838 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9839 			int j;
9840 
9841 			if (!wiphy->bands[band])
9842 				continue;
9843 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9844 				struct ieee80211_channel *chan;
9845 
9846 				chan = &wiphy->bands[band]->channels[j];
9847 
9848 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9849 					continue;
9850 
9851 				request->channels[i] = chan;
9852 				i++;
9853 			}
9854 		}
9855 	}
9856 
9857 	if (!i) {
9858 		err = -EINVAL;
9859 		goto out_free;
9860 	}
9861 
9862 	request->n_channels = i;
9863 
9864 	i = 0;
9865 	if (n_ssids) {
9866 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9867 				    tmp) {
9868 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9869 				err = -EINVAL;
9870 				goto out_free;
9871 			}
9872 			request->ssids[i].ssid_len = nla_len(attr);
9873 			memcpy(request->ssids[i].ssid, nla_data(attr),
9874 			       nla_len(attr));
9875 			i++;
9876 		}
9877 	}
9878 
9879 	i = 0;
9880 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9881 		nla_for_each_nested(attr,
9882 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9883 				    tmp) {
9884 			struct nlattr *ssid, *bssid, *rssi;
9885 
9886 			err = nla_parse_nested_deprecated(tb,
9887 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9888 							  attr,
9889 							  nl80211_match_policy,
9890 							  NULL);
9891 			if (err)
9892 				goto out_free;
9893 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9894 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9895 
9896 			if (!ssid && !bssid) {
9897 				i++;
9898 				continue;
9899 			}
9900 
9901 			if (WARN_ON(i >= n_match_sets)) {
9902 				/* this indicates a programming error,
9903 				 * the loop above should have verified
9904 				 * things properly
9905 				 */
9906 				err = -EINVAL;
9907 				goto out_free;
9908 			}
9909 
9910 			if (ssid) {
9911 				memcpy(request->match_sets[i].ssid.ssid,
9912 				       nla_data(ssid), nla_len(ssid));
9913 				request->match_sets[i].ssid.ssid_len =
9914 					nla_len(ssid);
9915 			}
9916 			if (bssid)
9917 				memcpy(request->match_sets[i].bssid,
9918 				       nla_data(bssid), ETH_ALEN);
9919 
9920 			/* special attribute - old implementation w/a */
9921 			request->match_sets[i].rssi_thold = default_match_rssi;
9922 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9923 			if (rssi)
9924 				request->match_sets[i].rssi_thold =
9925 					nla_get_s32(rssi);
9926 			i++;
9927 		}
9928 
9929 		/* there was no other matchset, so the RSSI one is alone */
9930 		if (i == 0 && n_match_sets)
9931 			request->match_sets[0].rssi_thold = default_match_rssi;
9932 
9933 		request->min_rssi_thold = INT_MAX;
9934 		for (i = 0; i < n_match_sets; i++)
9935 			request->min_rssi_thold =
9936 				min(request->match_sets[i].rssi_thold,
9937 				    request->min_rssi_thold);
9938 	} else {
9939 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9940 	}
9941 
9942 	if (ie_len) {
9943 		request->ie_len = ie_len;
9944 		memcpy((void *)request->ie,
9945 		       nla_data(attrs[NL80211_ATTR_IE]),
9946 		       request->ie_len);
9947 	}
9948 
9949 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9950 	if (err)
9951 		goto out_free;
9952 
9953 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9954 		request->delay =
9955 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9956 
9957 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9958 		request->relative_rssi = nla_get_s8(
9959 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9960 		request->relative_rssi_set = true;
9961 	}
9962 
9963 	if (request->relative_rssi_set &&
9964 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9965 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9966 
9967 		rssi_adjust = nla_data(
9968 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9969 		request->rssi_adjust.band = rssi_adjust->band;
9970 		request->rssi_adjust.delta = rssi_adjust->delta;
9971 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9972 			err = -EINVAL;
9973 			goto out_free;
9974 		}
9975 	}
9976 
9977 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9978 	if (err)
9979 		goto out_free;
9980 
9981 	request->scan_start = jiffies;
9982 
9983 	return request;
9984 
9985 out_free:
9986 	kfree(request);
9987 	return ERR_PTR(err);
9988 }
9989 
9990 static int nl80211_start_sched_scan(struct sk_buff *skb,
9991 				    struct genl_info *info)
9992 {
9993 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9994 	struct net_device *dev = info->user_ptr[1];
9995 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9996 	struct cfg80211_sched_scan_request *sched_scan_req;
9997 	bool want_multi;
9998 	int err;
9999 
10000 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10001 		return -EOPNOTSUPP;
10002 
10003 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10004 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10005 	if (err)
10006 		return err;
10007 
10008 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10009 						  info->attrs,
10010 						  rdev->wiphy.max_match_sets);
10011 
10012 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10013 	if (err)
10014 		goto out_err;
10015 
10016 	/* leave request id zero for legacy request
10017 	 * or if driver does not support multi-scheduled scan
10018 	 */
10019 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10020 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10021 
10022 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10023 	if (err)
10024 		goto out_free;
10025 
10026 	sched_scan_req->dev = dev;
10027 	sched_scan_req->wiphy = &rdev->wiphy;
10028 
10029 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10030 		sched_scan_req->owner_nlportid = info->snd_portid;
10031 
10032 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10033 
10034 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10035 	return 0;
10036 
10037 out_free:
10038 	kfree(sched_scan_req);
10039 out_err:
10040 	return err;
10041 }
10042 
10043 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10044 				   struct genl_info *info)
10045 {
10046 	struct cfg80211_sched_scan_request *req;
10047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10048 	u64 cookie;
10049 
10050 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10051 		return -EOPNOTSUPP;
10052 
10053 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10054 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10055 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10056 	}
10057 
10058 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10059 				     struct cfg80211_sched_scan_request,
10060 				     list);
10061 	if (!req || req->reqid ||
10062 	    (req->owner_nlportid &&
10063 	     req->owner_nlportid != info->snd_portid))
10064 		return -ENOENT;
10065 
10066 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10067 }
10068 
10069 static int nl80211_start_radar_detection(struct sk_buff *skb,
10070 					 struct genl_info *info)
10071 {
10072 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10073 	struct net_device *dev = info->user_ptr[1];
10074 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10075 	struct wiphy *wiphy = wdev->wiphy;
10076 	struct cfg80211_chan_def chandef;
10077 	enum nl80211_dfs_regions dfs_region;
10078 	unsigned int cac_time_ms;
10079 	int err = -EINVAL;
10080 
10081 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10082 
10083 	switch (wdev->iftype) {
10084 	case NL80211_IFTYPE_AP:
10085 	case NL80211_IFTYPE_P2P_GO:
10086 	case NL80211_IFTYPE_MESH_POINT:
10087 	case NL80211_IFTYPE_ADHOC:
10088 		break;
10089 	default:
10090 		/* caution - see cfg80211_beaconing_iface_active() below */
10091 		return -EINVAL;
10092 	}
10093 
10094 	wiphy_lock(wiphy);
10095 
10096 	dfs_region = reg_get_dfs_region(wiphy);
10097 	if (dfs_region == NL80211_DFS_UNSET)
10098 		goto unlock;
10099 
10100 	err = nl80211_parse_chandef(rdev, info, &chandef);
10101 	if (err)
10102 		goto unlock;
10103 
10104 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10105 	if (err < 0)
10106 		goto unlock;
10107 
10108 	if (err == 0) {
10109 		err = -EINVAL;
10110 		goto unlock;
10111 	}
10112 
10113 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10114 		err = -EINVAL;
10115 		goto unlock;
10116 	}
10117 
10118 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10119 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10120 								&chandef);
10121 		goto unlock;
10122 	}
10123 
10124 	if (cfg80211_beaconing_iface_active(wdev) || wdev->cac_started) {
10125 		err = -EBUSY;
10126 		goto unlock;
10127 	}
10128 
10129 	/* CAC start is offloaded to HW and can't be started manually */
10130 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10131 		err = -EOPNOTSUPP;
10132 		goto unlock;
10133 	}
10134 
10135 	if (!rdev->ops->start_radar_detection) {
10136 		err = -EOPNOTSUPP;
10137 		goto unlock;
10138 	}
10139 
10140 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10141 	if (WARN_ON(!cac_time_ms))
10142 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10143 
10144 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
10145 	if (!err) {
10146 		switch (wdev->iftype) {
10147 		case NL80211_IFTYPE_AP:
10148 		case NL80211_IFTYPE_P2P_GO:
10149 			wdev->links[0].ap.chandef = chandef;
10150 			break;
10151 		case NL80211_IFTYPE_ADHOC:
10152 			wdev->u.ibss.chandef = chandef;
10153 			break;
10154 		case NL80211_IFTYPE_MESH_POINT:
10155 			wdev->u.mesh.chandef = chandef;
10156 			break;
10157 		default:
10158 			break;
10159 		}
10160 		wdev->cac_started = true;
10161 		wdev->cac_start_time = jiffies;
10162 		wdev->cac_time_ms = cac_time_ms;
10163 	}
10164 unlock:
10165 	wiphy_unlock(wiphy);
10166 
10167 	return err;
10168 }
10169 
10170 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10171 					  struct genl_info *info)
10172 {
10173 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10174 	struct net_device *dev = info->user_ptr[1];
10175 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10176 	struct wiphy *wiphy = wdev->wiphy;
10177 	struct cfg80211_chan_def chandef;
10178 	enum nl80211_dfs_regions dfs_region;
10179 	int err;
10180 
10181 	dfs_region = reg_get_dfs_region(wiphy);
10182 	if (dfs_region == NL80211_DFS_UNSET) {
10183 		GENL_SET_ERR_MSG(info,
10184 				 "DFS Region is not set. Unexpected Radar indication");
10185 		return -EINVAL;
10186 	}
10187 
10188 	err = nl80211_parse_chandef(rdev, info, &chandef);
10189 	if (err) {
10190 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10191 		return err;
10192 	}
10193 
10194 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10195 	if (err < 0) {
10196 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10197 		return err;
10198 	}
10199 
10200 	if (err == 0) {
10201 		GENL_SET_ERR_MSG(info,
10202 				 "Unexpected Radar indication for chandef/iftype");
10203 		return -EINVAL;
10204 	}
10205 
10206 	/* Do not process this notification if radar is already detected
10207 	 * by kernel on this channel, and return success.
10208 	 */
10209 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10210 		return 0;
10211 
10212 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10213 
10214 	cfg80211_sched_dfs_chan_update(rdev);
10215 
10216 	rdev->radar_chandef = chandef;
10217 
10218 	/* Propagate this notification to other radios as well */
10219 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10220 
10221 	return 0;
10222 }
10223 
10224 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10225 					 const u8 *data, size_t datalen,
10226 					 int first_count, struct nlattr *attr,
10227 					 const u16 **offsets, unsigned int *n_offsets)
10228 {
10229 	int i;
10230 
10231 	*n_offsets = 0;
10232 
10233 	if (!attr)
10234 		return 0;
10235 
10236 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10237 		return -EINVAL;
10238 
10239 	*n_offsets = nla_len(attr) / sizeof(u16);
10240 	if (rdev->wiphy.max_num_csa_counters &&
10241 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10242 		return -EINVAL;
10243 
10244 	*offsets = nla_data(attr);
10245 
10246 	/* sanity checks - counters should fit and be the same */
10247 	for (i = 0; i < *n_offsets; i++) {
10248 		u16 offset = (*offsets)[i];
10249 
10250 		if (offset >= datalen)
10251 			return -EINVAL;
10252 
10253 		if (first_count != -1 && data[offset] != first_count)
10254 			return -EINVAL;
10255 	}
10256 
10257 	return 0;
10258 }
10259 
10260 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10261 {
10262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10263 	unsigned int link_id = nl80211_link_id(info->attrs);
10264 	struct net_device *dev = info->user_ptr[1];
10265 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10266 	struct cfg80211_csa_settings params;
10267 	struct nlattr **csa_attrs = NULL;
10268 	int err;
10269 	bool need_new_beacon = false;
10270 	bool need_handle_dfs_flag = true;
10271 	u32 cs_count;
10272 
10273 	if (!rdev->ops->channel_switch ||
10274 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10275 		return -EOPNOTSUPP;
10276 
10277 	switch (dev->ieee80211_ptr->iftype) {
10278 	case NL80211_IFTYPE_AP:
10279 	case NL80211_IFTYPE_P2P_GO:
10280 		need_new_beacon = true;
10281 		/* For all modes except AP the handle_dfs flag needs to be
10282 		 * supplied to tell the kernel that userspace will handle radar
10283 		 * events when they happen. Otherwise a switch to a channel
10284 		 * requiring DFS will be rejected.
10285 		 */
10286 		need_handle_dfs_flag = false;
10287 
10288 		/* useless if AP is not running */
10289 		if (!wdev->links[link_id].ap.beacon_interval)
10290 			return -ENOTCONN;
10291 		break;
10292 	case NL80211_IFTYPE_ADHOC:
10293 		if (!wdev->u.ibss.ssid_len)
10294 			return -ENOTCONN;
10295 		break;
10296 	case NL80211_IFTYPE_MESH_POINT:
10297 		if (!wdev->u.mesh.id_len)
10298 			return -ENOTCONN;
10299 		break;
10300 	default:
10301 		return -EOPNOTSUPP;
10302 	}
10303 
10304 	memset(&params, 0, sizeof(params));
10305 	params.beacon_csa.ftm_responder = -1;
10306 
10307 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10308 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10309 		return -EINVAL;
10310 
10311 	/* only important for AP, IBSS and mesh create IEs internally */
10312 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10313 		return -EINVAL;
10314 
10315 	/* Even though the attribute is u32, the specification says
10316 	 * u8, so let's make sure we don't overflow.
10317 	 */
10318 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10319 	if (cs_count > 255)
10320 		return -EINVAL;
10321 
10322 	params.count = cs_count;
10323 
10324 	if (!need_new_beacon)
10325 		goto skip_beacons;
10326 
10327 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10328 				   info->extack);
10329 	if (err)
10330 		goto free;
10331 
10332 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10333 			    GFP_KERNEL);
10334 	if (!csa_attrs) {
10335 		err = -ENOMEM;
10336 		goto free;
10337 	}
10338 
10339 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10340 					  info->attrs[NL80211_ATTR_CSA_IES],
10341 					  nl80211_policy, info->extack);
10342 	if (err)
10343 		goto free;
10344 
10345 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10346 				   info->extack);
10347 	if (err)
10348 		goto free;
10349 
10350 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10351 		err = -EINVAL;
10352 		goto free;
10353 	}
10354 
10355 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10356 					    params.beacon_csa.tail_len,
10357 					    params.count,
10358 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10359 					    &params.counter_offsets_beacon,
10360 					    &params.n_counter_offsets_beacon);
10361 	if (err)
10362 		goto free;
10363 
10364 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10365 					    params.beacon_csa.probe_resp_len,
10366 					    params.count,
10367 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10368 					    &params.counter_offsets_presp,
10369 					    &params.n_counter_offsets_presp);
10370 	if (err)
10371 		goto free;
10372 
10373 skip_beacons:
10374 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10375 	if (err)
10376 		goto free;
10377 
10378 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10379 					   wdev->iftype)) {
10380 		err = -EINVAL;
10381 		goto free;
10382 	}
10383 
10384 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10385 					    &params.chandef,
10386 					    wdev->iftype);
10387 	if (err < 0)
10388 		goto free;
10389 
10390 	if (err > 0) {
10391 		params.radar_required = true;
10392 		if (need_handle_dfs_flag &&
10393 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10394 			err = -EINVAL;
10395 			goto free;
10396 		}
10397 	}
10398 
10399 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10400 		params.block_tx = true;
10401 
10402 	params.link_id = link_id;
10403 	err = rdev_channel_switch(rdev, dev, &params);
10404 
10405 free:
10406 	kfree(params.beacon_after.mbssid_ies);
10407 	kfree(params.beacon_csa.mbssid_ies);
10408 	kfree(params.beacon_after.rnr_ies);
10409 	kfree(params.beacon_csa.rnr_ies);
10410 	kfree(csa_attrs);
10411 	return err;
10412 }
10413 
10414 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10415 			    u32 seq, int flags,
10416 			    struct cfg80211_registered_device *rdev,
10417 			    struct wireless_dev *wdev,
10418 			    struct cfg80211_internal_bss *intbss)
10419 {
10420 	struct cfg80211_bss *res = &intbss->pub;
10421 	const struct cfg80211_bss_ies *ies;
10422 	unsigned int link_id;
10423 	void *hdr;
10424 	struct nlattr *bss;
10425 
10426 	lockdep_assert_wiphy(wdev->wiphy);
10427 
10428 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10429 			     NL80211_CMD_NEW_SCAN_RESULTS);
10430 	if (!hdr)
10431 		return -1;
10432 
10433 	genl_dump_check_consistent(cb, hdr);
10434 
10435 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10436 		goto nla_put_failure;
10437 	if (wdev->netdev &&
10438 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10439 		goto nla_put_failure;
10440 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10441 			      NL80211_ATTR_PAD))
10442 		goto nla_put_failure;
10443 
10444 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10445 	if (!bss)
10446 		goto nla_put_failure;
10447 	if ((!is_zero_ether_addr(res->bssid) &&
10448 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10449 		goto nla_put_failure;
10450 
10451 	rcu_read_lock();
10452 	/* indicate whether we have probe response data or not */
10453 	if (rcu_access_pointer(res->proberesp_ies) &&
10454 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10455 		goto fail_unlock_rcu;
10456 
10457 	/* this pointer prefers to be pointed to probe response data
10458 	 * but is always valid
10459 	 */
10460 	ies = rcu_dereference(res->ies);
10461 	if (ies) {
10462 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10463 				      NL80211_BSS_PAD))
10464 			goto fail_unlock_rcu;
10465 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10466 					ies->len, ies->data))
10467 			goto fail_unlock_rcu;
10468 	}
10469 
10470 	/* and this pointer is always (unless driver didn't know) beacon data */
10471 	ies = rcu_dereference(res->beacon_ies);
10472 	if (ies && ies->from_beacon) {
10473 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10474 				      NL80211_BSS_PAD))
10475 			goto fail_unlock_rcu;
10476 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10477 					ies->len, ies->data))
10478 			goto fail_unlock_rcu;
10479 	}
10480 	rcu_read_unlock();
10481 
10482 	if (res->beacon_interval &&
10483 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10484 		goto nla_put_failure;
10485 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10486 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10487 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10488 			res->channel->freq_offset) ||
10489 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10490 			jiffies_to_msecs(jiffies - intbss->ts)))
10491 		goto nla_put_failure;
10492 
10493 	if (intbss->parent_tsf &&
10494 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10495 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10496 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10497 		     intbss->parent_bssid)))
10498 		goto nla_put_failure;
10499 
10500 	if (intbss->ts_boottime &&
10501 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10502 			      intbss->ts_boottime, NL80211_BSS_PAD))
10503 		goto nla_put_failure;
10504 
10505 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10506 				intbss->pub.chain_signal,
10507 				NL80211_BSS_CHAIN_SIGNAL))
10508 		goto nla_put_failure;
10509 
10510 	switch (rdev->wiphy.signal_type) {
10511 	case CFG80211_SIGNAL_TYPE_MBM:
10512 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10513 			goto nla_put_failure;
10514 		break;
10515 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10516 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10517 			goto nla_put_failure;
10518 		break;
10519 	default:
10520 		break;
10521 	}
10522 
10523 	switch (wdev->iftype) {
10524 	case NL80211_IFTYPE_P2P_CLIENT:
10525 	case NL80211_IFTYPE_STATION:
10526 		for_each_valid_link(wdev, link_id) {
10527 			if (intbss == wdev->links[link_id].client.current_bss &&
10528 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10529 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10530 			     (wdev->valid_links &&
10531 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10532 					  link_id) ||
10533 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10534 				       wdev->u.client.connected_addr)))))
10535 				goto nla_put_failure;
10536 		}
10537 		break;
10538 	case NL80211_IFTYPE_ADHOC:
10539 		if (intbss == wdev->u.ibss.current_bss &&
10540 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10541 				NL80211_BSS_STATUS_IBSS_JOINED))
10542 			goto nla_put_failure;
10543 		break;
10544 	default:
10545 		break;
10546 	}
10547 
10548 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10549 		goto nla_put_failure;
10550 
10551 	if (res->cannot_use_reasons &&
10552 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10553 			      res->cannot_use_reasons,
10554 			      NL80211_BSS_PAD))
10555 		goto nla_put_failure;
10556 
10557 	nla_nest_end(msg, bss);
10558 
10559 	genlmsg_end(msg, hdr);
10560 	return 0;
10561 
10562  fail_unlock_rcu:
10563 	rcu_read_unlock();
10564  nla_put_failure:
10565 	genlmsg_cancel(msg, hdr);
10566 	return -EMSGSIZE;
10567 }
10568 
10569 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10570 {
10571 	struct cfg80211_registered_device *rdev;
10572 	struct cfg80211_internal_bss *scan;
10573 	struct wireless_dev *wdev;
10574 	struct nlattr **attrbuf;
10575 	int start = cb->args[2], idx = 0;
10576 	bool dump_include_use_data;
10577 	int err;
10578 
10579 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10580 	if (!attrbuf)
10581 		return -ENOMEM;
10582 
10583 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10584 	if (err) {
10585 		kfree(attrbuf);
10586 		return err;
10587 	}
10588 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10589 	__acquire(&rdev->wiphy.mtx);
10590 
10591 	dump_include_use_data =
10592 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10593 	kfree(attrbuf);
10594 
10595 	spin_lock_bh(&rdev->bss_lock);
10596 
10597 	/*
10598 	 * dump_scan will be called multiple times to break up the scan results
10599 	 * into multiple messages.  It is unlikely that any more bss-es will be
10600 	 * expired after the first call, so only call only call this on the
10601 	 * first dump_scan invocation.
10602 	 */
10603 	if (start == 0)
10604 		cfg80211_bss_expire(rdev);
10605 
10606 	cb->seq = rdev->bss_generation;
10607 
10608 	list_for_each_entry(scan, &rdev->bss_list, list) {
10609 		if (++idx <= start)
10610 			continue;
10611 		if (!dump_include_use_data &&
10612 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10613 			continue;
10614 		if (nl80211_send_bss(skb, cb,
10615 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10616 				rdev, wdev, scan) < 0) {
10617 			idx--;
10618 			break;
10619 		}
10620 	}
10621 
10622 	spin_unlock_bh(&rdev->bss_lock);
10623 
10624 	cb->args[2] = idx;
10625 	wiphy_unlock(&rdev->wiphy);
10626 
10627 	return skb->len;
10628 }
10629 
10630 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10631 			       int flags, struct net_device *dev,
10632 			       bool allow_radio_stats,
10633 			       struct survey_info *survey)
10634 {
10635 	void *hdr;
10636 	struct nlattr *infoattr;
10637 
10638 	/* skip radio stats if userspace didn't request them */
10639 	if (!survey->channel && !allow_radio_stats)
10640 		return 0;
10641 
10642 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10643 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10644 	if (!hdr)
10645 		return -ENOMEM;
10646 
10647 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10648 		goto nla_put_failure;
10649 
10650 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10651 	if (!infoattr)
10652 		goto nla_put_failure;
10653 
10654 	if (survey->channel &&
10655 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10656 			survey->channel->center_freq))
10657 		goto nla_put_failure;
10658 
10659 	if (survey->channel && survey->channel->freq_offset &&
10660 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10661 			survey->channel->freq_offset))
10662 		goto nla_put_failure;
10663 
10664 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10665 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10666 		goto nla_put_failure;
10667 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10668 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10669 		goto nla_put_failure;
10670 	if ((survey->filled & SURVEY_INFO_TIME) &&
10671 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10672 			survey->time, NL80211_SURVEY_INFO_PAD))
10673 		goto nla_put_failure;
10674 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10675 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10676 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10677 		goto nla_put_failure;
10678 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10679 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10680 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10681 		goto nla_put_failure;
10682 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10683 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10684 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10685 		goto nla_put_failure;
10686 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10687 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10688 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10689 		goto nla_put_failure;
10690 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10691 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10692 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10693 		goto nla_put_failure;
10694 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10695 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10696 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10697 		goto nla_put_failure;
10698 
10699 	nla_nest_end(msg, infoattr);
10700 
10701 	genlmsg_end(msg, hdr);
10702 	return 0;
10703 
10704  nla_put_failure:
10705 	genlmsg_cancel(msg, hdr);
10706 	return -EMSGSIZE;
10707 }
10708 
10709 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10710 {
10711 	struct nlattr **attrbuf;
10712 	struct survey_info survey;
10713 	struct cfg80211_registered_device *rdev;
10714 	struct wireless_dev *wdev;
10715 	int survey_idx = cb->args[2];
10716 	int res;
10717 	bool radio_stats;
10718 
10719 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10720 	if (!attrbuf)
10721 		return -ENOMEM;
10722 
10723 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10724 	if (res) {
10725 		kfree(attrbuf);
10726 		return res;
10727 	}
10728 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10729 	__acquire(&rdev->wiphy.mtx);
10730 
10731 	/* prepare_wdev_dump parsed the attributes */
10732 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10733 
10734 	if (!wdev->netdev) {
10735 		res = -EINVAL;
10736 		goto out_err;
10737 	}
10738 
10739 	if (!rdev->ops->dump_survey) {
10740 		res = -EOPNOTSUPP;
10741 		goto out_err;
10742 	}
10743 
10744 	while (1) {
10745 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10746 		if (res == -ENOENT)
10747 			break;
10748 		if (res)
10749 			goto out_err;
10750 
10751 		/* don't send disabled channels, but do send non-channel data */
10752 		if (survey.channel &&
10753 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10754 			survey_idx++;
10755 			continue;
10756 		}
10757 
10758 		if (nl80211_send_survey(skb,
10759 				NETLINK_CB(cb->skb).portid,
10760 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10761 				wdev->netdev, radio_stats, &survey) < 0)
10762 			goto out;
10763 		survey_idx++;
10764 	}
10765 
10766  out:
10767 	cb->args[2] = survey_idx;
10768 	res = skb->len;
10769  out_err:
10770 	kfree(attrbuf);
10771 	wiphy_unlock(&rdev->wiphy);
10772 	return res;
10773 }
10774 
10775 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10776 {
10777 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10778 	struct net_device *dev = info->user_ptr[1];
10779 	struct ieee80211_channel *chan;
10780 	const u8 *bssid, *ssid;
10781 	int err, ssid_len;
10782 	enum nl80211_auth_type auth_type;
10783 	struct key_parse key;
10784 	bool local_state_change;
10785 	struct cfg80211_auth_request req = {};
10786 	u32 freq;
10787 
10788 	if (!info->attrs[NL80211_ATTR_MAC])
10789 		return -EINVAL;
10790 
10791 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10792 		return -EINVAL;
10793 
10794 	if (!info->attrs[NL80211_ATTR_SSID])
10795 		return -EINVAL;
10796 
10797 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10798 		return -EINVAL;
10799 
10800 	err = nl80211_parse_key(info, &key);
10801 	if (err)
10802 		return err;
10803 
10804 	if (key.idx >= 0) {
10805 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10806 			return -EINVAL;
10807 		if (!key.p.key || !key.p.key_len)
10808 			return -EINVAL;
10809 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10810 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10811 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10812 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10813 			return -EINVAL;
10814 		if (key.idx > 3)
10815 			return -EINVAL;
10816 	} else {
10817 		key.p.key_len = 0;
10818 		key.p.key = NULL;
10819 	}
10820 
10821 	if (key.idx >= 0) {
10822 		int i;
10823 		bool ok = false;
10824 
10825 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10826 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10827 				ok = true;
10828 				break;
10829 			}
10830 		}
10831 		if (!ok)
10832 			return -EINVAL;
10833 	}
10834 
10835 	if (!rdev->ops->auth)
10836 		return -EOPNOTSUPP;
10837 
10838 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10839 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10840 		return -EOPNOTSUPP;
10841 
10842 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10843 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10844 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10845 		freq +=
10846 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10847 
10848 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10849 	if (!chan)
10850 		return -EINVAL;
10851 
10852 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10853 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10854 
10855 	if (info->attrs[NL80211_ATTR_IE]) {
10856 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10857 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10858 	}
10859 
10860 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10861 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10862 		return -EINVAL;
10863 
10864 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10865 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10866 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10867 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10868 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10869 		return -EINVAL;
10870 
10871 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10872 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10873 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10874 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10875 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10876 			return -EINVAL;
10877 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10878 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10879 	}
10880 
10881 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10882 
10883 	/*
10884 	 * Since we no longer track auth state, ignore
10885 	 * requests to only change local state.
10886 	 */
10887 	if (local_state_change)
10888 		return 0;
10889 
10890 	req.auth_type = auth_type;
10891 	req.key = key.p.key;
10892 	req.key_len = key.p.key_len;
10893 	req.key_idx = key.idx;
10894 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10895 	if (req.link_id >= 0) {
10896 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10897 			return -EINVAL;
10898 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10899 			return -EINVAL;
10900 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10901 		if (!is_valid_ether_addr(req.ap_mld_addr))
10902 			return -EINVAL;
10903 	}
10904 
10905 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10906 				   IEEE80211_BSS_TYPE_ESS,
10907 				   IEEE80211_PRIVACY_ANY);
10908 	if (!req.bss)
10909 		return -ENOENT;
10910 
10911 	err = cfg80211_mlme_auth(rdev, dev, &req);
10912 
10913 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10914 
10915 	return err;
10916 }
10917 
10918 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10919 				     struct genl_info *info)
10920 {
10921 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10922 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10923 		return -EINVAL;
10924 	}
10925 
10926 	if (!rdev->ops->tx_control_port ||
10927 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10928 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10929 		return -EOPNOTSUPP;
10930 
10931 	return 0;
10932 }
10933 
10934 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10935 				   struct genl_info *info,
10936 				   struct cfg80211_crypto_settings *settings,
10937 				   int cipher_limit)
10938 {
10939 	memset(settings, 0, sizeof(*settings));
10940 
10941 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10942 
10943 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10944 		u16 proto;
10945 
10946 		proto = nla_get_u16(
10947 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10948 		settings->control_port_ethertype = cpu_to_be16(proto);
10949 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10950 		    proto != ETH_P_PAE)
10951 			return -EINVAL;
10952 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10953 			settings->control_port_no_encrypt = true;
10954 	} else
10955 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10956 
10957 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10958 		int r = validate_pae_over_nl80211(rdev, info);
10959 
10960 		if (r < 0)
10961 			return r;
10962 
10963 		settings->control_port_over_nl80211 = true;
10964 
10965 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10966 			settings->control_port_no_preauth = true;
10967 	}
10968 
10969 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10970 		void *data;
10971 		int len, i;
10972 
10973 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10974 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10975 		settings->n_ciphers_pairwise = len / sizeof(u32);
10976 
10977 		if (len % sizeof(u32))
10978 			return -EINVAL;
10979 
10980 		if (settings->n_ciphers_pairwise > cipher_limit)
10981 			return -EINVAL;
10982 
10983 		memcpy(settings->ciphers_pairwise, data, len);
10984 
10985 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10986 			if (!cfg80211_supported_cipher_suite(
10987 					&rdev->wiphy,
10988 					settings->ciphers_pairwise[i]))
10989 				return -EINVAL;
10990 	}
10991 
10992 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10993 		settings->cipher_group =
10994 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10995 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10996 						     settings->cipher_group))
10997 			return -EINVAL;
10998 	}
10999 
11000 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11001 		settings->wpa_versions =
11002 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11003 
11004 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11005 		void *data;
11006 		int len;
11007 
11008 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11009 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11010 		settings->n_akm_suites = len / sizeof(u32);
11011 
11012 		if (len % sizeof(u32))
11013 			return -EINVAL;
11014 
11015 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11016 			return -EINVAL;
11017 
11018 		memcpy(settings->akm_suites, data, len);
11019 	}
11020 
11021 	if (info->attrs[NL80211_ATTR_PMK]) {
11022 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11023 			return -EINVAL;
11024 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11025 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11026 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11027 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11028 			return -EINVAL;
11029 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11030 	}
11031 
11032 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11033 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11034 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11035 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11036 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11037 			return -EINVAL;
11038 		settings->sae_pwd =
11039 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11040 		settings->sae_pwd_len =
11041 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11042 	}
11043 
11044 	if (info->attrs[NL80211_ATTR_SAE_PWE])
11045 		settings->sae_pwe =
11046 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
11047 	else
11048 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
11049 
11050 	return 0;
11051 }
11052 
11053 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11054 					      const u8 *ssid, int ssid_len,
11055 					      struct nlattr **attrs,
11056 					      int assoc_link_id, int link_id)
11057 {
11058 	struct ieee80211_channel *chan;
11059 	struct cfg80211_bss *bss;
11060 	const u8 *bssid;
11061 	u32 freq, use_for = 0;
11062 
11063 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11064 		return ERR_PTR(-EINVAL);
11065 
11066 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11067 
11068 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11069 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11070 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11071 
11072 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11073 	if (!chan)
11074 		return ERR_PTR(-EINVAL);
11075 
11076 	if (assoc_link_id >= 0)
11077 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11078 	if (assoc_link_id == link_id)
11079 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11080 
11081 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11082 				 ssid, ssid_len,
11083 				 IEEE80211_BSS_TYPE_ESS,
11084 				 IEEE80211_PRIVACY_ANY,
11085 				 use_for);
11086 	if (!bss)
11087 		return ERR_PTR(-ENOENT);
11088 
11089 	return bss;
11090 }
11091 
11092 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11093 {
11094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11095 	struct net_device *dev = info->user_ptr[1];
11096 	struct cfg80211_assoc_request req = {};
11097 	struct nlattr **attrs = NULL;
11098 	const u8 *ap_addr, *ssid;
11099 	unsigned int link_id;
11100 	int err, ssid_len;
11101 
11102 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11103 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11104 		return -EPERM;
11105 
11106 	if (!info->attrs[NL80211_ATTR_SSID])
11107 		return -EINVAL;
11108 
11109 	if (!rdev->ops->assoc)
11110 		return -EOPNOTSUPP;
11111 
11112 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11113 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11114 		return -EOPNOTSUPP;
11115 
11116 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11117 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11118 
11119 	if (info->attrs[NL80211_ATTR_IE]) {
11120 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11121 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11122 
11123 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11124 					   req.ie, req.ie_len)) {
11125 			NL_SET_ERR_MSG_ATTR(info->extack,
11126 					    info->attrs[NL80211_ATTR_IE],
11127 					    "non-inheritance makes no sense");
11128 			return -EINVAL;
11129 		}
11130 	}
11131 
11132 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11133 		enum nl80211_mfp mfp =
11134 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11135 		if (mfp == NL80211_MFP_REQUIRED)
11136 			req.use_mfp = true;
11137 		else if (mfp != NL80211_MFP_NO)
11138 			return -EINVAL;
11139 	}
11140 
11141 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11142 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11143 
11144 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11145 		req.flags |= ASSOC_REQ_DISABLE_HT;
11146 
11147 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11148 		memcpy(&req.ht_capa_mask,
11149 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11150 		       sizeof(req.ht_capa_mask));
11151 
11152 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11153 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11154 			return -EINVAL;
11155 		memcpy(&req.ht_capa,
11156 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11157 		       sizeof(req.ht_capa));
11158 	}
11159 
11160 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11161 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11162 
11163 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11164 		req.flags |= ASSOC_REQ_DISABLE_HE;
11165 
11166 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11167 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11168 
11169 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11170 		memcpy(&req.vht_capa_mask,
11171 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11172 		       sizeof(req.vht_capa_mask));
11173 
11174 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11175 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11176 			return -EINVAL;
11177 		memcpy(&req.vht_capa,
11178 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11179 		       sizeof(req.vht_capa));
11180 	}
11181 
11182 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11183 		if (!((rdev->wiphy.features &
11184 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11185 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11186 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11187 					     NL80211_EXT_FEATURE_RRM))
11188 			return -EINVAL;
11189 		req.flags |= ASSOC_REQ_USE_RRM;
11190 	}
11191 
11192 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11193 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11194 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11195 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11196 			return -EINVAL;
11197 		req.fils_nonces =
11198 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11199 	}
11200 
11201 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11202 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11203 			return -EINVAL;
11204 		memcpy(&req.s1g_capa_mask,
11205 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11206 		       sizeof(req.s1g_capa_mask));
11207 	}
11208 
11209 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11210 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11211 			return -EINVAL;
11212 		memcpy(&req.s1g_capa,
11213 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11214 		       sizeof(req.s1g_capa));
11215 	}
11216 
11217 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11218 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11219 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11220 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11221 			return -EINVAL;
11222 		}
11223 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11224 	}
11225 
11226 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11227 
11228 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11229 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11230 		struct nlattr *link;
11231 		int rem = 0;
11232 
11233 		if (req.link_id < 0)
11234 			return -EINVAL;
11235 
11236 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11237 			return -EINVAL;
11238 
11239 		if (info->attrs[NL80211_ATTR_MAC] ||
11240 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11241 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11242 			return -EINVAL;
11243 
11244 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11245 		ap_addr = req.ap_mld_addr;
11246 
11247 		attrs = kzalloc(attrsize, GFP_KERNEL);
11248 		if (!attrs)
11249 			return -ENOMEM;
11250 
11251 		nla_for_each_nested(link,
11252 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11253 				    rem) {
11254 			memset(attrs, 0, attrsize);
11255 
11256 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11257 					 link, NULL, NULL);
11258 
11259 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11260 				err = -EINVAL;
11261 				NL_SET_BAD_ATTR(info->extack, link);
11262 				goto free;
11263 			}
11264 
11265 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11266 			/* cannot use the same link ID again */
11267 			if (req.links[link_id].bss) {
11268 				err = -EINVAL;
11269 				NL_SET_BAD_ATTR(info->extack, link);
11270 				goto free;
11271 			}
11272 			req.links[link_id].bss =
11273 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11274 						  req.link_id, link_id);
11275 			if (IS_ERR(req.links[link_id].bss)) {
11276 				err = PTR_ERR(req.links[link_id].bss);
11277 				req.links[link_id].bss = NULL;
11278 				NL_SET_ERR_MSG_ATTR(info->extack,
11279 						    link, "Error fetching BSS for link");
11280 				goto free;
11281 			}
11282 
11283 			if (attrs[NL80211_ATTR_IE]) {
11284 				req.links[link_id].elems =
11285 					nla_data(attrs[NL80211_ATTR_IE]);
11286 				req.links[link_id].elems_len =
11287 					nla_len(attrs[NL80211_ATTR_IE]);
11288 
11289 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11290 						       req.links[link_id].elems,
11291 						       req.links[link_id].elems_len)) {
11292 					NL_SET_ERR_MSG_ATTR(info->extack,
11293 							    attrs[NL80211_ATTR_IE],
11294 							    "cannot deal with fragmentation");
11295 					err = -EINVAL;
11296 					goto free;
11297 				}
11298 
11299 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11300 							   req.links[link_id].elems,
11301 							   req.links[link_id].elems_len)) {
11302 					NL_SET_ERR_MSG_ATTR(info->extack,
11303 							    attrs[NL80211_ATTR_IE],
11304 							    "cannot deal with non-inheritance");
11305 					err = -EINVAL;
11306 					goto free;
11307 				}
11308 			}
11309 
11310 			req.links[link_id].disabled =
11311 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11312 		}
11313 
11314 		if (!req.links[req.link_id].bss) {
11315 			err = -EINVAL;
11316 			goto free;
11317 		}
11318 
11319 		if (req.links[req.link_id].elems_len) {
11320 			GENL_SET_ERR_MSG(info,
11321 					 "cannot have per-link elems on assoc link");
11322 			err = -EINVAL;
11323 			goto free;
11324 		}
11325 
11326 		if (req.links[req.link_id].disabled) {
11327 			GENL_SET_ERR_MSG(info,
11328 					 "cannot have assoc link disabled");
11329 			err = -EINVAL;
11330 			goto free;
11331 		}
11332 
11333 		kfree(attrs);
11334 		attrs = NULL;
11335 	} else {
11336 		if (req.link_id >= 0)
11337 			return -EINVAL;
11338 
11339 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11340 					    -1, -1);
11341 		if (IS_ERR(req.bss))
11342 			return PTR_ERR(req.bss);
11343 		ap_addr = req.bss->bssid;
11344 	}
11345 
11346 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11347 	if (!err) {
11348 		struct nlattr *link;
11349 		int rem = 0;
11350 
11351 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11352 					  info->extack);
11353 
11354 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11355 			dev->ieee80211_ptr->conn_owner_nlportid =
11356 				info->snd_portid;
11357 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11358 			       ap_addr, ETH_ALEN);
11359 		}
11360 
11361 		/* Report error from first problematic link */
11362 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11363 			nla_for_each_nested(link,
11364 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11365 					    rem) {
11366 				struct nlattr *link_id_attr =
11367 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11368 
11369 				if (!link_id_attr)
11370 					continue;
11371 
11372 				link_id = nla_get_u8(link_id_attr);
11373 
11374 				if (link_id == req.link_id)
11375 					continue;
11376 
11377 				if (!req.links[link_id].error ||
11378 				    WARN_ON(req.links[link_id].error > 0))
11379 					continue;
11380 
11381 				WARN_ON(err >= 0);
11382 
11383 				NL_SET_BAD_ATTR(info->extack, link);
11384 				err = req.links[link_id].error;
11385 				break;
11386 			}
11387 		}
11388 	}
11389 
11390 free:
11391 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11392 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11393 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11394 	kfree(attrs);
11395 
11396 	return err;
11397 }
11398 
11399 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11400 {
11401 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11402 	struct net_device *dev = info->user_ptr[1];
11403 	const u8 *ie = NULL, *bssid;
11404 	int ie_len = 0;
11405 	u16 reason_code;
11406 	bool local_state_change;
11407 
11408 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11409 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11410 		return -EPERM;
11411 
11412 	if (!info->attrs[NL80211_ATTR_MAC])
11413 		return -EINVAL;
11414 
11415 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11416 		return -EINVAL;
11417 
11418 	if (!rdev->ops->deauth)
11419 		return -EOPNOTSUPP;
11420 
11421 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11422 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11423 		return -EOPNOTSUPP;
11424 
11425 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11426 
11427 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11428 	if (reason_code == 0) {
11429 		/* Reason Code 0 is reserved */
11430 		return -EINVAL;
11431 	}
11432 
11433 	if (info->attrs[NL80211_ATTR_IE]) {
11434 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11435 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11436 	}
11437 
11438 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11439 
11440 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11441 				    local_state_change);
11442 }
11443 
11444 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11445 {
11446 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11447 	struct net_device *dev = info->user_ptr[1];
11448 	const u8 *ie = NULL, *bssid;
11449 	int ie_len = 0;
11450 	u16 reason_code;
11451 	bool local_state_change;
11452 
11453 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11454 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11455 		return -EPERM;
11456 
11457 	if (!info->attrs[NL80211_ATTR_MAC])
11458 		return -EINVAL;
11459 
11460 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11461 		return -EINVAL;
11462 
11463 	if (!rdev->ops->disassoc)
11464 		return -EOPNOTSUPP;
11465 
11466 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11467 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11468 		return -EOPNOTSUPP;
11469 
11470 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11471 
11472 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11473 	if (reason_code == 0) {
11474 		/* Reason Code 0 is reserved */
11475 		return -EINVAL;
11476 	}
11477 
11478 	if (info->attrs[NL80211_ATTR_IE]) {
11479 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11480 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11481 	}
11482 
11483 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11484 
11485 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11486 				      local_state_change);
11487 }
11488 
11489 static bool
11490 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11491 			 int mcast_rate[NUM_NL80211_BANDS],
11492 			 int rateval)
11493 {
11494 	struct wiphy *wiphy = &rdev->wiphy;
11495 	bool found = false;
11496 	int band, i;
11497 
11498 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11499 		struct ieee80211_supported_band *sband;
11500 
11501 		sband = wiphy->bands[band];
11502 		if (!sband)
11503 			continue;
11504 
11505 		for (i = 0; i < sband->n_bitrates; i++) {
11506 			if (sband->bitrates[i].bitrate == rateval) {
11507 				mcast_rate[band] = i + 1;
11508 				found = true;
11509 				break;
11510 			}
11511 		}
11512 	}
11513 
11514 	return found;
11515 }
11516 
11517 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11518 {
11519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11520 	struct net_device *dev = info->user_ptr[1];
11521 	struct cfg80211_ibss_params ibss;
11522 	struct wiphy *wiphy;
11523 	struct cfg80211_cached_keys *connkeys = NULL;
11524 	int err;
11525 
11526 	memset(&ibss, 0, sizeof(ibss));
11527 
11528 	if (!info->attrs[NL80211_ATTR_SSID] ||
11529 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11530 		return -EINVAL;
11531 
11532 	ibss.beacon_interval = 100;
11533 
11534 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11535 		ibss.beacon_interval =
11536 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11537 
11538 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11539 					   ibss.beacon_interval);
11540 	if (err)
11541 		return err;
11542 
11543 	if (!rdev->ops->join_ibss)
11544 		return -EOPNOTSUPP;
11545 
11546 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11547 		return -EOPNOTSUPP;
11548 
11549 	wiphy = &rdev->wiphy;
11550 
11551 	if (info->attrs[NL80211_ATTR_MAC]) {
11552 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11553 
11554 		if (!is_valid_ether_addr(ibss.bssid))
11555 			return -EINVAL;
11556 	}
11557 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11558 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11559 
11560 	if (info->attrs[NL80211_ATTR_IE]) {
11561 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11562 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11563 	}
11564 
11565 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11566 	if (err)
11567 		return err;
11568 
11569 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11570 				     NL80211_IFTYPE_ADHOC))
11571 		return -EINVAL;
11572 
11573 	switch (ibss.chandef.width) {
11574 	case NL80211_CHAN_WIDTH_5:
11575 	case NL80211_CHAN_WIDTH_10:
11576 	case NL80211_CHAN_WIDTH_20_NOHT:
11577 		break;
11578 	case NL80211_CHAN_WIDTH_20:
11579 	case NL80211_CHAN_WIDTH_40:
11580 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11581 			return -EINVAL;
11582 		break;
11583 	case NL80211_CHAN_WIDTH_80:
11584 	case NL80211_CHAN_WIDTH_80P80:
11585 	case NL80211_CHAN_WIDTH_160:
11586 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11587 			return -EINVAL;
11588 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11589 					     NL80211_EXT_FEATURE_VHT_IBSS))
11590 			return -EINVAL;
11591 		break;
11592 	case NL80211_CHAN_WIDTH_320:
11593 		return -EINVAL;
11594 	default:
11595 		return -EINVAL;
11596 	}
11597 
11598 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11599 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11600 
11601 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11602 		u8 *rates =
11603 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11604 		int n_rates =
11605 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11606 		struct ieee80211_supported_band *sband =
11607 			wiphy->bands[ibss.chandef.chan->band];
11608 
11609 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11610 					     &ibss.basic_rates);
11611 		if (err)
11612 			return err;
11613 	}
11614 
11615 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11616 		memcpy(&ibss.ht_capa_mask,
11617 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11618 		       sizeof(ibss.ht_capa_mask));
11619 
11620 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11621 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11622 			return -EINVAL;
11623 		memcpy(&ibss.ht_capa,
11624 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11625 		       sizeof(ibss.ht_capa));
11626 	}
11627 
11628 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11629 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11630 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11631 		return -EINVAL;
11632 
11633 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11634 		bool no_ht = false;
11635 
11636 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11637 		if (IS_ERR(connkeys))
11638 			return PTR_ERR(connkeys);
11639 
11640 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11641 		    no_ht) {
11642 			kfree_sensitive(connkeys);
11643 			return -EINVAL;
11644 		}
11645 	}
11646 
11647 	ibss.control_port =
11648 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11649 
11650 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11651 		int r = validate_pae_over_nl80211(rdev, info);
11652 
11653 		if (r < 0) {
11654 			kfree_sensitive(connkeys);
11655 			return r;
11656 		}
11657 
11658 		ibss.control_port_over_nl80211 = true;
11659 	}
11660 
11661 	ibss.userspace_handles_dfs =
11662 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11663 
11664 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11665 	if (err)
11666 		kfree_sensitive(connkeys);
11667 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11668 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11669 
11670 	return err;
11671 }
11672 
11673 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11674 {
11675 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11676 	struct net_device *dev = info->user_ptr[1];
11677 
11678 	if (!rdev->ops->leave_ibss)
11679 		return -EOPNOTSUPP;
11680 
11681 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11682 		return -EOPNOTSUPP;
11683 
11684 	return cfg80211_leave_ibss(rdev, dev, false);
11685 }
11686 
11687 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11688 {
11689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11690 	struct net_device *dev = info->user_ptr[1];
11691 	int mcast_rate[NUM_NL80211_BANDS];
11692 	u32 nla_rate;
11693 
11694 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11695 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11696 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11697 		return -EOPNOTSUPP;
11698 
11699 	if (!rdev->ops->set_mcast_rate)
11700 		return -EOPNOTSUPP;
11701 
11702 	memset(mcast_rate, 0, sizeof(mcast_rate));
11703 
11704 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11705 		return -EINVAL;
11706 
11707 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11708 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11709 		return -EINVAL;
11710 
11711 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11712 }
11713 
11714 static struct sk_buff *
11715 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11716 			    struct wireless_dev *wdev, int approxlen,
11717 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11718 			    enum nl80211_attrs attr,
11719 			    const struct nl80211_vendor_cmd_info *info,
11720 			    gfp_t gfp)
11721 {
11722 	struct sk_buff *skb;
11723 	void *hdr;
11724 	struct nlattr *data;
11725 
11726 	skb = nlmsg_new(approxlen + 100, gfp);
11727 	if (!skb)
11728 		return NULL;
11729 
11730 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11731 	if (!hdr) {
11732 		kfree_skb(skb);
11733 		return NULL;
11734 	}
11735 
11736 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11737 		goto nla_put_failure;
11738 
11739 	if (info) {
11740 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11741 				info->vendor_id))
11742 			goto nla_put_failure;
11743 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11744 				info->subcmd))
11745 			goto nla_put_failure;
11746 	}
11747 
11748 	if (wdev) {
11749 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11750 				      wdev_id(wdev), NL80211_ATTR_PAD))
11751 			goto nla_put_failure;
11752 		if (wdev->netdev &&
11753 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11754 				wdev->netdev->ifindex))
11755 			goto nla_put_failure;
11756 	}
11757 
11758 	data = nla_nest_start_noflag(skb, attr);
11759 	if (!data)
11760 		goto nla_put_failure;
11761 
11762 	((void **)skb->cb)[0] = rdev;
11763 	((void **)skb->cb)[1] = hdr;
11764 	((void **)skb->cb)[2] = data;
11765 
11766 	return skb;
11767 
11768  nla_put_failure:
11769 	kfree_skb(skb);
11770 	return NULL;
11771 }
11772 
11773 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11774 					   struct wireless_dev *wdev,
11775 					   enum nl80211_commands cmd,
11776 					   enum nl80211_attrs attr,
11777 					   unsigned int portid,
11778 					   int vendor_event_idx,
11779 					   int approxlen, gfp_t gfp)
11780 {
11781 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11782 	const struct nl80211_vendor_cmd_info *info;
11783 
11784 	switch (cmd) {
11785 	case NL80211_CMD_TESTMODE:
11786 		if (WARN_ON(vendor_event_idx != -1))
11787 			return NULL;
11788 		info = NULL;
11789 		break;
11790 	case NL80211_CMD_VENDOR:
11791 		if (WARN_ON(vendor_event_idx < 0 ||
11792 			    vendor_event_idx >= wiphy->n_vendor_events))
11793 			return NULL;
11794 		info = &wiphy->vendor_events[vendor_event_idx];
11795 		break;
11796 	default:
11797 		WARN_ON(1);
11798 		return NULL;
11799 	}
11800 
11801 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11802 					   cmd, attr, info, gfp);
11803 }
11804 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11805 
11806 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11807 {
11808 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11809 	void *hdr = ((void **)skb->cb)[1];
11810 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11811 	struct nlattr *data = ((void **)skb->cb)[2];
11812 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11813 
11814 	/* clear CB data for netlink core to own from now on */
11815 	memset(skb->cb, 0, sizeof(skb->cb));
11816 
11817 	nla_nest_end(skb, data);
11818 	genlmsg_end(skb, hdr);
11819 
11820 	if (nlhdr->nlmsg_pid) {
11821 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11822 				nlhdr->nlmsg_pid);
11823 	} else {
11824 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11825 			mcgrp = NL80211_MCGRP_VENDOR;
11826 
11827 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11828 					skb, 0, mcgrp, gfp);
11829 	}
11830 }
11831 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11832 
11833 #ifdef CONFIG_NL80211_TESTMODE
11834 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11835 {
11836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11837 	struct wireless_dev *wdev;
11838 	int err;
11839 
11840 	lockdep_assert_held(&rdev->wiphy.mtx);
11841 
11842 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11843 					  info->attrs);
11844 
11845 	if (!rdev->ops->testmode_cmd)
11846 		return -EOPNOTSUPP;
11847 
11848 	if (IS_ERR(wdev)) {
11849 		err = PTR_ERR(wdev);
11850 		if (err != -EINVAL)
11851 			return err;
11852 		wdev = NULL;
11853 	} else if (wdev->wiphy != &rdev->wiphy) {
11854 		return -EINVAL;
11855 	}
11856 
11857 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11858 		return -EINVAL;
11859 
11860 	rdev->cur_cmd_info = info;
11861 	err = rdev_testmode_cmd(rdev, wdev,
11862 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11863 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11864 	rdev->cur_cmd_info = NULL;
11865 
11866 	return err;
11867 }
11868 
11869 static int nl80211_testmode_dump(struct sk_buff *skb,
11870 				 struct netlink_callback *cb)
11871 {
11872 	struct cfg80211_registered_device *rdev;
11873 	struct nlattr **attrbuf = NULL;
11874 	int err;
11875 	long phy_idx;
11876 	void *data = NULL;
11877 	int data_len = 0;
11878 
11879 	rtnl_lock();
11880 
11881 	if (cb->args[0]) {
11882 		/*
11883 		 * 0 is a valid index, but not valid for args[0],
11884 		 * so we need to offset by 1.
11885 		 */
11886 		phy_idx = cb->args[0] - 1;
11887 
11888 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11889 		if (!rdev) {
11890 			err = -ENOENT;
11891 			goto out_err;
11892 		}
11893 	} else {
11894 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11895 				  GFP_KERNEL);
11896 		if (!attrbuf) {
11897 			err = -ENOMEM;
11898 			goto out_err;
11899 		}
11900 
11901 		err = nlmsg_parse_deprecated(cb->nlh,
11902 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11903 					     attrbuf, nl80211_fam.maxattr,
11904 					     nl80211_policy, NULL);
11905 		if (err)
11906 			goto out_err;
11907 
11908 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11909 		if (IS_ERR(rdev)) {
11910 			err = PTR_ERR(rdev);
11911 			goto out_err;
11912 		}
11913 		phy_idx = rdev->wiphy_idx;
11914 
11915 		if (attrbuf[NL80211_ATTR_TESTDATA])
11916 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11917 	}
11918 
11919 	if (cb->args[1]) {
11920 		data = nla_data((void *)cb->args[1]);
11921 		data_len = nla_len((void *)cb->args[1]);
11922 	}
11923 
11924 	if (!rdev->ops->testmode_dump) {
11925 		err = -EOPNOTSUPP;
11926 		goto out_err;
11927 	}
11928 
11929 	while (1) {
11930 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11931 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11932 					   NL80211_CMD_TESTMODE);
11933 		struct nlattr *tmdata;
11934 
11935 		if (!hdr)
11936 			break;
11937 
11938 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11939 			genlmsg_cancel(skb, hdr);
11940 			break;
11941 		}
11942 
11943 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11944 		if (!tmdata) {
11945 			genlmsg_cancel(skb, hdr);
11946 			break;
11947 		}
11948 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11949 		nla_nest_end(skb, tmdata);
11950 
11951 		if (err == -ENOBUFS || err == -ENOENT) {
11952 			genlmsg_cancel(skb, hdr);
11953 			break;
11954 		} else if (err) {
11955 			genlmsg_cancel(skb, hdr);
11956 			goto out_err;
11957 		}
11958 
11959 		genlmsg_end(skb, hdr);
11960 	}
11961 
11962 	err = skb->len;
11963 	/* see above */
11964 	cb->args[0] = phy_idx + 1;
11965  out_err:
11966 	kfree(attrbuf);
11967 	rtnl_unlock();
11968 	return err;
11969 }
11970 #endif
11971 
11972 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11973 {
11974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11975 	struct net_device *dev = info->user_ptr[1];
11976 	struct cfg80211_connect_params connect;
11977 	struct wiphy *wiphy;
11978 	struct cfg80211_cached_keys *connkeys = NULL;
11979 	u32 freq = 0;
11980 	int err;
11981 
11982 	memset(&connect, 0, sizeof(connect));
11983 
11984 	if (!info->attrs[NL80211_ATTR_SSID] ||
11985 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11986 		return -EINVAL;
11987 
11988 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11989 		connect.auth_type =
11990 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11991 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11992 					     NL80211_CMD_CONNECT))
11993 			return -EINVAL;
11994 	} else
11995 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11996 
11997 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11998 
11999 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12000 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12001 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12002 		return -EINVAL;
12003 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12004 
12005 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12006 				      NL80211_MAX_NR_CIPHER_SUITES);
12007 	if (err)
12008 		return err;
12009 
12010 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12011 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12012 		return -EOPNOTSUPP;
12013 
12014 	wiphy = &rdev->wiphy;
12015 
12016 	connect.bg_scan_period = -1;
12017 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12018 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12019 		connect.bg_scan_period =
12020 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12021 	}
12022 
12023 	if (info->attrs[NL80211_ATTR_MAC])
12024 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12025 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12026 		connect.bssid_hint =
12027 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12028 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12029 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12030 
12031 	if (info->attrs[NL80211_ATTR_IE]) {
12032 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12033 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12034 	}
12035 
12036 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12037 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12038 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12039 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12040 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12041 			return -EOPNOTSUPP;
12042 	} else {
12043 		connect.mfp = NL80211_MFP_NO;
12044 	}
12045 
12046 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12047 		connect.prev_bssid =
12048 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12049 
12050 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12051 		freq = MHZ_TO_KHZ(nla_get_u32(
12052 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12053 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12054 		freq +=
12055 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12056 
12057 	if (freq) {
12058 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12059 		if (!connect.channel)
12060 			return -EINVAL;
12061 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12062 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12063 		freq = MHZ_TO_KHZ(freq);
12064 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12065 		if (!connect.channel_hint)
12066 			return -EINVAL;
12067 	}
12068 
12069 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12070 		connect.edmg.channels =
12071 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12072 
12073 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12074 			connect.edmg.bw_config =
12075 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12076 	}
12077 
12078 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12079 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12080 		if (IS_ERR(connkeys))
12081 			return PTR_ERR(connkeys);
12082 	}
12083 
12084 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12085 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12086 
12087 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12088 		memcpy(&connect.ht_capa_mask,
12089 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12090 		       sizeof(connect.ht_capa_mask));
12091 
12092 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12093 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12094 			kfree_sensitive(connkeys);
12095 			return -EINVAL;
12096 		}
12097 		memcpy(&connect.ht_capa,
12098 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12099 		       sizeof(connect.ht_capa));
12100 	}
12101 
12102 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12103 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12104 
12105 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12106 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12107 
12108 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12109 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12110 
12111 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12112 		memcpy(&connect.vht_capa_mask,
12113 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12114 		       sizeof(connect.vht_capa_mask));
12115 
12116 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12117 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12118 			kfree_sensitive(connkeys);
12119 			return -EINVAL;
12120 		}
12121 		memcpy(&connect.vht_capa,
12122 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12123 		       sizeof(connect.vht_capa));
12124 	}
12125 
12126 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12127 		if (!((rdev->wiphy.features &
12128 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12129 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12130 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12131 					     NL80211_EXT_FEATURE_RRM)) {
12132 			kfree_sensitive(connkeys);
12133 			return -EINVAL;
12134 		}
12135 		connect.flags |= ASSOC_REQ_USE_RRM;
12136 	}
12137 
12138 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12139 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12140 		kfree_sensitive(connkeys);
12141 		return -EOPNOTSUPP;
12142 	}
12143 
12144 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12145 		/* bss selection makes no sense if bssid is set */
12146 		if (connect.bssid) {
12147 			kfree_sensitive(connkeys);
12148 			return -EINVAL;
12149 		}
12150 
12151 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12152 				       wiphy, &connect.bss_select);
12153 		if (err) {
12154 			kfree_sensitive(connkeys);
12155 			return err;
12156 		}
12157 	}
12158 
12159 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12160 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12161 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12162 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12163 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12164 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12165 		connect.fils_erp_username =
12166 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12167 		connect.fils_erp_username_len =
12168 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12169 		connect.fils_erp_realm =
12170 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12171 		connect.fils_erp_realm_len =
12172 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12173 		connect.fils_erp_next_seq_num =
12174 			nla_get_u16(
12175 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12176 		connect.fils_erp_rrk =
12177 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12178 		connect.fils_erp_rrk_len =
12179 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12180 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12181 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12182 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12183 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12184 		kfree_sensitive(connkeys);
12185 		return -EINVAL;
12186 	}
12187 
12188 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12189 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12190 			kfree_sensitive(connkeys);
12191 			GENL_SET_ERR_MSG(info,
12192 					 "external auth requires connection ownership");
12193 			return -EINVAL;
12194 		}
12195 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12196 	}
12197 
12198 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12199 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12200 
12201 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12202 			       connect.prev_bssid);
12203 	if (err)
12204 		kfree_sensitive(connkeys);
12205 
12206 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12207 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12208 		if (connect.bssid)
12209 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12210 			       connect.bssid, ETH_ALEN);
12211 		else
12212 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12213 	}
12214 
12215 	return err;
12216 }
12217 
12218 static int nl80211_update_connect_params(struct sk_buff *skb,
12219 					 struct genl_info *info)
12220 {
12221 	struct cfg80211_connect_params connect = {};
12222 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12223 	struct net_device *dev = info->user_ptr[1];
12224 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12225 	bool fils_sk_offload;
12226 	u32 auth_type;
12227 	u32 changed = 0;
12228 
12229 	if (!rdev->ops->update_connect_params)
12230 		return -EOPNOTSUPP;
12231 
12232 	if (info->attrs[NL80211_ATTR_IE]) {
12233 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12234 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12235 		changed |= UPDATE_ASSOC_IES;
12236 	}
12237 
12238 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12239 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12240 
12241 	/*
12242 	 * when driver supports fils-sk offload all attributes must be
12243 	 * provided. So the else covers "fils-sk-not-all" and
12244 	 * "no-fils-sk-any".
12245 	 */
12246 	if (fils_sk_offload &&
12247 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12248 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12249 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12250 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12251 		connect.fils_erp_username =
12252 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12253 		connect.fils_erp_username_len =
12254 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12255 		connect.fils_erp_realm =
12256 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12257 		connect.fils_erp_realm_len =
12258 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12259 		connect.fils_erp_next_seq_num =
12260 			nla_get_u16(
12261 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12262 		connect.fils_erp_rrk =
12263 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12264 		connect.fils_erp_rrk_len =
12265 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12266 		changed |= UPDATE_FILS_ERP_INFO;
12267 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12268 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12269 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12270 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12271 		return -EINVAL;
12272 	}
12273 
12274 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12275 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12276 		if (!nl80211_valid_auth_type(rdev, auth_type,
12277 					     NL80211_CMD_CONNECT))
12278 			return -EINVAL;
12279 
12280 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12281 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12282 			return -EINVAL;
12283 
12284 		connect.auth_type = auth_type;
12285 		changed |= UPDATE_AUTH_TYPE;
12286 	}
12287 
12288 	if (!wdev->connected)
12289 		return -ENOLINK;
12290 
12291 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12292 }
12293 
12294 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12295 {
12296 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12297 	struct net_device *dev = info->user_ptr[1];
12298 	u16 reason;
12299 
12300 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12301 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12302 		return -EPERM;
12303 
12304 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12305 		reason = WLAN_REASON_DEAUTH_LEAVING;
12306 	else
12307 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12308 
12309 	if (reason == 0)
12310 		return -EINVAL;
12311 
12312 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12313 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12314 		return -EOPNOTSUPP;
12315 
12316 	return cfg80211_disconnect(rdev, dev, reason, true);
12317 }
12318 
12319 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12320 {
12321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12322 	struct net *net;
12323 	int err;
12324 
12325 	if (info->attrs[NL80211_ATTR_PID]) {
12326 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12327 
12328 		net = get_net_ns_by_pid(pid);
12329 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12330 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12331 
12332 		net = get_net_ns_by_fd(fd);
12333 	} else {
12334 		return -EINVAL;
12335 	}
12336 
12337 	if (IS_ERR(net))
12338 		return PTR_ERR(net);
12339 
12340 	err = 0;
12341 
12342 	/* check if anything to do */
12343 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12344 		err = cfg80211_switch_netns(rdev, net);
12345 
12346 	put_net(net);
12347 	return err;
12348 }
12349 
12350 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12351 {
12352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12353 	struct net_device *dev = info->user_ptr[1];
12354 	struct cfg80211_pmksa pmksa;
12355 	bool ap_pmksa_caching_support = false;
12356 
12357 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12358 
12359 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12360 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12361 
12362 	if (!info->attrs[NL80211_ATTR_PMKID])
12363 		return -EINVAL;
12364 
12365 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12366 
12367 	if (info->attrs[NL80211_ATTR_MAC]) {
12368 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12369 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12370 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12371 	           info->attrs[NL80211_ATTR_PMK]) {
12372 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12373 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12374 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12375 	} else {
12376 		return -EINVAL;
12377 	}
12378 
12379 	if (info->attrs[NL80211_ATTR_PMK]) {
12380 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12381 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12382 	}
12383 
12384 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12385 		pmksa.pmk_lifetime =
12386 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12387 
12388 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12389 		pmksa.pmk_reauth_threshold =
12390 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12391 
12392 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12393 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12394 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12395 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12396 	       ap_pmksa_caching_support))
12397 		return -EOPNOTSUPP;
12398 
12399 	if (!rdev->ops->set_pmksa)
12400 		return -EOPNOTSUPP;
12401 
12402 	return rdev_set_pmksa(rdev, dev, &pmksa);
12403 }
12404 
12405 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12406 {
12407 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12408 	struct net_device *dev = info->user_ptr[1];
12409 	struct cfg80211_pmksa pmksa;
12410 	bool sae_offload_support = false;
12411 	bool owe_offload_support = false;
12412 	bool ap_pmksa_caching_support = false;
12413 
12414 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12415 
12416 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12417 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12418 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12419 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12420 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12421 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12422 
12423 	if (info->attrs[NL80211_ATTR_PMKID])
12424 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12425 
12426 	if (info->attrs[NL80211_ATTR_MAC]) {
12427 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12428 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12429 		/* SSID based pmksa flush suppported only for FILS,
12430 		 * OWE/SAE OFFLOAD cases
12431 		 */
12432 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12433 		    info->attrs[NL80211_ATTR_PMK]) {
12434 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12435 		} else if (!sae_offload_support && !owe_offload_support) {
12436 			return -EINVAL;
12437 		}
12438 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12439 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12440 	} else {
12441 		return -EINVAL;
12442 	}
12443 
12444 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12445 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12446 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12447 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12448 	       ap_pmksa_caching_support))
12449 		return -EOPNOTSUPP;
12450 
12451 	if (!rdev->ops->del_pmksa)
12452 		return -EOPNOTSUPP;
12453 
12454 	return rdev_del_pmksa(rdev, dev, &pmksa);
12455 }
12456 
12457 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12458 {
12459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12460 	struct net_device *dev = info->user_ptr[1];
12461 
12462 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12463 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12464 		return -EOPNOTSUPP;
12465 
12466 	if (!rdev->ops->flush_pmksa)
12467 		return -EOPNOTSUPP;
12468 
12469 	return rdev_flush_pmksa(rdev, dev);
12470 }
12471 
12472 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12473 {
12474 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12475 	struct net_device *dev = info->user_ptr[1];
12476 	u8 action_code, dialog_token;
12477 	u32 peer_capability = 0;
12478 	u16 status_code;
12479 	u8 *peer;
12480 	int link_id;
12481 	bool initiator;
12482 
12483 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12484 	    !rdev->ops->tdls_mgmt)
12485 		return -EOPNOTSUPP;
12486 
12487 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12488 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12489 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12490 	    !info->attrs[NL80211_ATTR_IE] ||
12491 	    !info->attrs[NL80211_ATTR_MAC])
12492 		return -EINVAL;
12493 
12494 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12495 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12496 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12497 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12498 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12499 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12500 		peer_capability =
12501 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12502 	link_id = nl80211_link_id_or_invalid(info->attrs);
12503 
12504 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12505 			      dialog_token, status_code, peer_capability,
12506 			      initiator,
12507 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12508 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12509 }
12510 
12511 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12512 {
12513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12514 	struct net_device *dev = info->user_ptr[1];
12515 	enum nl80211_tdls_operation operation;
12516 	u8 *peer;
12517 
12518 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12519 	    !rdev->ops->tdls_oper)
12520 		return -EOPNOTSUPP;
12521 
12522 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12523 	    !info->attrs[NL80211_ATTR_MAC])
12524 		return -EINVAL;
12525 
12526 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12527 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12528 
12529 	return rdev_tdls_oper(rdev, dev, peer, operation);
12530 }
12531 
12532 static int nl80211_remain_on_channel(struct sk_buff *skb,
12533 				     struct genl_info *info)
12534 {
12535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12536 	unsigned int link_id = nl80211_link_id(info->attrs);
12537 	struct wireless_dev *wdev = info->user_ptr[1];
12538 	struct cfg80211_chan_def chandef;
12539 	struct sk_buff *msg;
12540 	void *hdr;
12541 	u64 cookie;
12542 	u32 duration;
12543 	int err;
12544 
12545 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12546 	    !info->attrs[NL80211_ATTR_DURATION])
12547 		return -EINVAL;
12548 
12549 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12550 
12551 	if (!rdev->ops->remain_on_channel ||
12552 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12553 		return -EOPNOTSUPP;
12554 
12555 	/*
12556 	 * We should be on that channel for at least a minimum amount of
12557 	 * time (10ms) but no longer than the driver supports.
12558 	 */
12559 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12560 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12561 		return -EINVAL;
12562 
12563 	err = nl80211_parse_chandef(rdev, info, &chandef);
12564 	if (err)
12565 		return err;
12566 
12567 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12568 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12569 
12570 		oper_chandef = wdev_chandef(wdev, link_id);
12571 
12572 		if (WARN_ON(!oper_chandef)) {
12573 			/* cannot happen since we must beacon to get here */
12574 			WARN_ON(1);
12575 			return -EBUSY;
12576 		}
12577 
12578 		/* note: returns first one if identical chandefs */
12579 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12580 							     oper_chandef);
12581 
12582 		if (compat_chandef != &chandef)
12583 			return -EBUSY;
12584 	}
12585 
12586 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12587 	if (!msg)
12588 		return -ENOMEM;
12589 
12590 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12591 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12592 	if (!hdr) {
12593 		err = -ENOBUFS;
12594 		goto free_msg;
12595 	}
12596 
12597 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12598 				     duration, &cookie);
12599 
12600 	if (err)
12601 		goto free_msg;
12602 
12603 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12604 			      NL80211_ATTR_PAD))
12605 		goto nla_put_failure;
12606 
12607 	genlmsg_end(msg, hdr);
12608 
12609 	return genlmsg_reply(msg, info);
12610 
12611  nla_put_failure:
12612 	err = -ENOBUFS;
12613  free_msg:
12614 	nlmsg_free(msg);
12615 	return err;
12616 }
12617 
12618 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12619 					    struct genl_info *info)
12620 {
12621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12622 	struct wireless_dev *wdev = info->user_ptr[1];
12623 	u64 cookie;
12624 
12625 	if (!info->attrs[NL80211_ATTR_COOKIE])
12626 		return -EINVAL;
12627 
12628 	if (!rdev->ops->cancel_remain_on_channel)
12629 		return -EOPNOTSUPP;
12630 
12631 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12632 
12633 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12634 }
12635 
12636 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12637 				       struct genl_info *info)
12638 {
12639 	struct cfg80211_bitrate_mask mask;
12640 	unsigned int link_id = nl80211_link_id(info->attrs);
12641 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12642 	struct net_device *dev = info->user_ptr[1];
12643 	int err;
12644 
12645 	if (!rdev->ops->set_bitrate_mask)
12646 		return -EOPNOTSUPP;
12647 
12648 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12649 					    NL80211_ATTR_TX_RATES, &mask,
12650 					    dev, true, link_id);
12651 	if (err)
12652 		return err;
12653 
12654 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12655 }
12656 
12657 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12658 {
12659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12660 	struct wireless_dev *wdev = info->user_ptr[1];
12661 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12662 
12663 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12664 		return -EINVAL;
12665 
12666 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12667 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12668 
12669 	switch (wdev->iftype) {
12670 	case NL80211_IFTYPE_STATION:
12671 	case NL80211_IFTYPE_ADHOC:
12672 	case NL80211_IFTYPE_P2P_CLIENT:
12673 	case NL80211_IFTYPE_AP:
12674 	case NL80211_IFTYPE_AP_VLAN:
12675 	case NL80211_IFTYPE_MESH_POINT:
12676 	case NL80211_IFTYPE_P2P_GO:
12677 	case NL80211_IFTYPE_P2P_DEVICE:
12678 		break;
12679 	case NL80211_IFTYPE_NAN:
12680 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12681 					     NL80211_EXT_FEATURE_SECURE_NAN))
12682 			return -EOPNOTSUPP;
12683 		break;
12684 	default:
12685 		return -EOPNOTSUPP;
12686 	}
12687 
12688 	/* not much point in registering if we can't reply */
12689 	if (!rdev->ops->mgmt_tx)
12690 		return -EOPNOTSUPP;
12691 
12692 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12693 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12694 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12695 		GENL_SET_ERR_MSG(info,
12696 				 "multicast RX registrations are not supported");
12697 		return -EOPNOTSUPP;
12698 	}
12699 
12700 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12701 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12702 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12703 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12704 					   info->extack);
12705 }
12706 
12707 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12708 {
12709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12710 	struct wireless_dev *wdev = info->user_ptr[1];
12711 	struct cfg80211_chan_def chandef;
12712 	int err;
12713 	void *hdr = NULL;
12714 	u64 cookie;
12715 	struct sk_buff *msg = NULL;
12716 	struct cfg80211_mgmt_tx_params params = {
12717 		.dont_wait_for_ack =
12718 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12719 	};
12720 
12721 	if (!info->attrs[NL80211_ATTR_FRAME])
12722 		return -EINVAL;
12723 
12724 	if (!rdev->ops->mgmt_tx)
12725 		return -EOPNOTSUPP;
12726 
12727 	switch (wdev->iftype) {
12728 	case NL80211_IFTYPE_P2P_DEVICE:
12729 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12730 			return -EINVAL;
12731 		break;
12732 	case NL80211_IFTYPE_STATION:
12733 	case NL80211_IFTYPE_ADHOC:
12734 	case NL80211_IFTYPE_P2P_CLIENT:
12735 	case NL80211_IFTYPE_AP:
12736 	case NL80211_IFTYPE_AP_VLAN:
12737 	case NL80211_IFTYPE_MESH_POINT:
12738 	case NL80211_IFTYPE_P2P_GO:
12739 		break;
12740 	case NL80211_IFTYPE_NAN:
12741 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12742 					     NL80211_EXT_FEATURE_SECURE_NAN))
12743 			return -EOPNOTSUPP;
12744 		break;
12745 	default:
12746 		return -EOPNOTSUPP;
12747 	}
12748 
12749 	if (info->attrs[NL80211_ATTR_DURATION]) {
12750 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12751 			return -EINVAL;
12752 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12753 
12754 		/*
12755 		 * We should wait on the channel for at least a minimum amount
12756 		 * of time (10ms) but no longer than the driver supports.
12757 		 */
12758 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12759 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12760 			return -EINVAL;
12761 	}
12762 
12763 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12764 
12765 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12766 		return -EINVAL;
12767 
12768 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12769 
12770 	/* get the channel if any has been specified, otherwise pass NULL to
12771 	 * the driver. The latter will use the current one
12772 	 */
12773 	chandef.chan = NULL;
12774 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12775 		err = nl80211_parse_chandef(rdev, info, &chandef);
12776 		if (err)
12777 			return err;
12778 	}
12779 
12780 	if (!chandef.chan && params.offchan)
12781 		return -EINVAL;
12782 
12783 	if (params.offchan &&
12784 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12785 		return -EBUSY;
12786 
12787 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12788 	/*
12789 	 * This now races due to the unlock, but we cannot check
12790 	 * the valid links for the _station_ anyway, so that's up
12791 	 * to the driver.
12792 	 */
12793 	if (params.link_id >= 0 &&
12794 	    !(wdev->valid_links & BIT(params.link_id)))
12795 		return -EINVAL;
12796 
12797 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12798 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12799 
12800 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12801 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12802 					    &params.csa_offsets,
12803 					    &params.n_csa_offsets);
12804 	if (err)
12805 		return err;
12806 
12807 	if (!params.dont_wait_for_ack) {
12808 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12809 		if (!msg)
12810 			return -ENOMEM;
12811 
12812 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12813 				     NL80211_CMD_FRAME);
12814 		if (!hdr) {
12815 			err = -ENOBUFS;
12816 			goto free_msg;
12817 		}
12818 	}
12819 
12820 	params.chan = chandef.chan;
12821 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12822 	if (err)
12823 		goto free_msg;
12824 
12825 	if (msg) {
12826 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12827 				      NL80211_ATTR_PAD))
12828 			goto nla_put_failure;
12829 
12830 		genlmsg_end(msg, hdr);
12831 		return genlmsg_reply(msg, info);
12832 	}
12833 
12834 	return 0;
12835 
12836  nla_put_failure:
12837 	err = -ENOBUFS;
12838  free_msg:
12839 	nlmsg_free(msg);
12840 	return err;
12841 }
12842 
12843 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12844 {
12845 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12846 	struct wireless_dev *wdev = info->user_ptr[1];
12847 	u64 cookie;
12848 
12849 	if (!info->attrs[NL80211_ATTR_COOKIE])
12850 		return -EINVAL;
12851 
12852 	if (!rdev->ops->mgmt_tx_cancel_wait)
12853 		return -EOPNOTSUPP;
12854 
12855 	switch (wdev->iftype) {
12856 	case NL80211_IFTYPE_STATION:
12857 	case NL80211_IFTYPE_ADHOC:
12858 	case NL80211_IFTYPE_P2P_CLIENT:
12859 	case NL80211_IFTYPE_AP:
12860 	case NL80211_IFTYPE_AP_VLAN:
12861 	case NL80211_IFTYPE_P2P_GO:
12862 	case NL80211_IFTYPE_P2P_DEVICE:
12863 		break;
12864 	case NL80211_IFTYPE_NAN:
12865 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12866 					     NL80211_EXT_FEATURE_SECURE_NAN))
12867 			return -EOPNOTSUPP;
12868 		break;
12869 	default:
12870 		return -EOPNOTSUPP;
12871 	}
12872 
12873 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12874 
12875 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12876 }
12877 
12878 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12879 {
12880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12881 	struct wireless_dev *wdev;
12882 	struct net_device *dev = info->user_ptr[1];
12883 	u8 ps_state;
12884 	bool state;
12885 	int err;
12886 
12887 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12888 		return -EINVAL;
12889 
12890 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12891 
12892 	wdev = dev->ieee80211_ptr;
12893 
12894 	if (!rdev->ops->set_power_mgmt)
12895 		return -EOPNOTSUPP;
12896 
12897 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12898 
12899 	if (state == wdev->ps)
12900 		return 0;
12901 
12902 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12903 	if (!err)
12904 		wdev->ps = state;
12905 	return err;
12906 }
12907 
12908 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12909 {
12910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12911 	enum nl80211_ps_state ps_state;
12912 	struct wireless_dev *wdev;
12913 	struct net_device *dev = info->user_ptr[1];
12914 	struct sk_buff *msg;
12915 	void *hdr;
12916 	int err;
12917 
12918 	wdev = dev->ieee80211_ptr;
12919 
12920 	if (!rdev->ops->set_power_mgmt)
12921 		return -EOPNOTSUPP;
12922 
12923 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12924 	if (!msg)
12925 		return -ENOMEM;
12926 
12927 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12928 			     NL80211_CMD_GET_POWER_SAVE);
12929 	if (!hdr) {
12930 		err = -ENOBUFS;
12931 		goto free_msg;
12932 	}
12933 
12934 	if (wdev->ps)
12935 		ps_state = NL80211_PS_ENABLED;
12936 	else
12937 		ps_state = NL80211_PS_DISABLED;
12938 
12939 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12940 		goto nla_put_failure;
12941 
12942 	genlmsg_end(msg, hdr);
12943 	return genlmsg_reply(msg, info);
12944 
12945  nla_put_failure:
12946 	err = -ENOBUFS;
12947  free_msg:
12948 	nlmsg_free(msg);
12949 	return err;
12950 }
12951 
12952 static const struct nla_policy
12953 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12954 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12955 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12956 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12957 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12958 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12959 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12960 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12961 };
12962 
12963 static int nl80211_set_cqm_txe(struct genl_info *info,
12964 			       u32 rate, u32 pkts, u32 intvl)
12965 {
12966 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12967 	struct net_device *dev = info->user_ptr[1];
12968 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12969 
12970 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12971 		return -EINVAL;
12972 
12973 	if (!rdev->ops->set_cqm_txe_config)
12974 		return -EOPNOTSUPP;
12975 
12976 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12977 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12978 		return -EOPNOTSUPP;
12979 
12980 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12981 }
12982 
12983 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12984 				    struct net_device *dev,
12985 				    struct cfg80211_cqm_config *cqm_config)
12986 {
12987 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12988 	s32 last, low, high;
12989 	u32 hyst;
12990 	int i, n, low_index;
12991 	int err;
12992 
12993 	/*
12994 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12995 	 * event has been received yet, we should receive an event after a
12996 	 * connection is established and enough beacons received to calculate
12997 	 * the average.
12998 	 */
12999 	if (!cqm_config->last_rssi_event_value &&
13000 	    wdev->links[0].client.current_bss &&
13001 	    rdev->ops->get_station) {
13002 		struct station_info sinfo = {};
13003 		u8 *mac_addr;
13004 
13005 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13006 
13007 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13008 		if (err)
13009 			return err;
13010 
13011 		cfg80211_sinfo_release_content(&sinfo);
13012 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13013 			cqm_config->last_rssi_event_value =
13014 				(s8) sinfo.rx_beacon_signal_avg;
13015 	}
13016 
13017 	last = cqm_config->last_rssi_event_value;
13018 	hyst = cqm_config->rssi_hyst;
13019 	n = cqm_config->n_rssi_thresholds;
13020 
13021 	for (i = 0; i < n; i++) {
13022 		i = array_index_nospec(i, n);
13023 		if (last < cqm_config->rssi_thresholds[i])
13024 			break;
13025 	}
13026 
13027 	low_index = i - 1;
13028 	if (low_index >= 0) {
13029 		low_index = array_index_nospec(low_index, n);
13030 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13031 	} else {
13032 		low = S32_MIN;
13033 	}
13034 	if (i < n) {
13035 		i = array_index_nospec(i, n);
13036 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13037 	} else {
13038 		high = S32_MAX;
13039 	}
13040 
13041 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13042 }
13043 
13044 static int nl80211_set_cqm_rssi(struct genl_info *info,
13045 				const s32 *thresholds, int n_thresholds,
13046 				u32 hysteresis)
13047 {
13048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13049 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13050 	struct net_device *dev = info->user_ptr[1];
13051 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13052 	s32 prev = S32_MIN;
13053 	int i, err;
13054 
13055 	/* Check all values negative and sorted */
13056 	for (i = 0; i < n_thresholds; i++) {
13057 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13058 			return -EINVAL;
13059 
13060 		prev = thresholds[i];
13061 	}
13062 
13063 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13064 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13065 		return -EOPNOTSUPP;
13066 
13067 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13068 		n_thresholds = 0;
13069 
13070 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13071 
13072 	/* if already disabled just succeed */
13073 	if (!n_thresholds && !old)
13074 		return 0;
13075 
13076 	if (n_thresholds > 1) {
13077 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13078 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13079 		    !rdev->ops->set_cqm_rssi_range_config)
13080 			return -EOPNOTSUPP;
13081 	} else {
13082 		if (!rdev->ops->set_cqm_rssi_config)
13083 			return -EOPNOTSUPP;
13084 	}
13085 
13086 	if (n_thresholds) {
13087 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13088 						 n_thresholds),
13089 				     GFP_KERNEL);
13090 		if (!cqm_config)
13091 			return -ENOMEM;
13092 
13093 		cqm_config->rssi_hyst = hysteresis;
13094 		cqm_config->n_rssi_thresholds = n_thresholds;
13095 		memcpy(cqm_config->rssi_thresholds, thresholds,
13096 		       flex_array_size(cqm_config, rssi_thresholds,
13097 				       n_thresholds));
13098 		cqm_config->use_range_api = n_thresholds > 1 ||
13099 					    !rdev->ops->set_cqm_rssi_config;
13100 
13101 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13102 
13103 		if (cqm_config->use_range_api)
13104 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13105 		else
13106 			err = rdev_set_cqm_rssi_config(rdev, dev,
13107 						       thresholds[0],
13108 						       hysteresis);
13109 	} else {
13110 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13111 		/* if enabled as range also disable via range */
13112 		if (old->use_range_api)
13113 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13114 		else
13115 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13116 	}
13117 
13118 	if (err) {
13119 		rcu_assign_pointer(wdev->cqm_config, old);
13120 		kfree_rcu(cqm_config, rcu_head);
13121 	} else {
13122 		kfree_rcu(old, rcu_head);
13123 	}
13124 
13125 	return err;
13126 }
13127 
13128 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13129 {
13130 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13131 	struct nlattr *cqm;
13132 	int err;
13133 
13134 	cqm = info->attrs[NL80211_ATTR_CQM];
13135 	if (!cqm)
13136 		return -EINVAL;
13137 
13138 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13139 					  nl80211_attr_cqm_policy,
13140 					  info->extack);
13141 	if (err)
13142 		return err;
13143 
13144 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13145 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13146 		const s32 *thresholds =
13147 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13148 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13149 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13150 
13151 		if (len % 4)
13152 			return -EINVAL;
13153 
13154 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13155 					    hysteresis);
13156 	}
13157 
13158 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13159 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13160 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13161 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13162 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13163 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13164 
13165 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13166 	}
13167 
13168 	return -EINVAL;
13169 }
13170 
13171 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13172 {
13173 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13174 	struct net_device *dev = info->user_ptr[1];
13175 	struct ocb_setup setup = {};
13176 	int err;
13177 
13178 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13179 	if (err)
13180 		return err;
13181 
13182 	return cfg80211_join_ocb(rdev, dev, &setup);
13183 }
13184 
13185 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13186 {
13187 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13188 	struct net_device *dev = info->user_ptr[1];
13189 
13190 	return cfg80211_leave_ocb(rdev, dev);
13191 }
13192 
13193 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13194 {
13195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13196 	struct net_device *dev = info->user_ptr[1];
13197 	struct mesh_config cfg;
13198 	struct mesh_setup setup;
13199 	int err;
13200 
13201 	/* start with default */
13202 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13203 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13204 
13205 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13206 		/* and parse parameters if given */
13207 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13208 		if (err)
13209 			return err;
13210 	}
13211 
13212 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13213 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13214 		return -EINVAL;
13215 
13216 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13217 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13218 
13219 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13220 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13221 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13222 			return -EINVAL;
13223 
13224 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13225 		setup.beacon_interval =
13226 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13227 
13228 		err = cfg80211_validate_beacon_int(rdev,
13229 						   NL80211_IFTYPE_MESH_POINT,
13230 						   setup.beacon_interval);
13231 		if (err)
13232 			return err;
13233 	}
13234 
13235 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13236 		setup.dtim_period =
13237 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13238 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13239 			return -EINVAL;
13240 	}
13241 
13242 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13243 		/* parse additional setup parameters if given */
13244 		err = nl80211_parse_mesh_setup(info, &setup);
13245 		if (err)
13246 			return err;
13247 	}
13248 
13249 	if (setup.user_mpm)
13250 		cfg.auto_open_plinks = false;
13251 
13252 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13253 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13254 		if (err)
13255 			return err;
13256 	} else {
13257 		/* __cfg80211_join_mesh() will sort it out */
13258 		setup.chandef.chan = NULL;
13259 	}
13260 
13261 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13262 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13263 		int n_rates =
13264 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13265 		struct ieee80211_supported_band *sband;
13266 
13267 		if (!setup.chandef.chan)
13268 			return -EINVAL;
13269 
13270 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13271 
13272 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13273 					     &setup.basic_rates);
13274 		if (err)
13275 			return err;
13276 	}
13277 
13278 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13279 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13280 						    NL80211_ATTR_TX_RATES,
13281 						    &setup.beacon_rate,
13282 						    dev, false, 0);
13283 		if (err)
13284 			return err;
13285 
13286 		if (!setup.chandef.chan)
13287 			return -EINVAL;
13288 
13289 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13290 					      &setup.beacon_rate);
13291 		if (err)
13292 			return err;
13293 	}
13294 
13295 	setup.userspace_handles_dfs =
13296 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13297 
13298 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13299 		int r = validate_pae_over_nl80211(rdev, info);
13300 
13301 		if (r < 0)
13302 			return r;
13303 
13304 		setup.control_port_over_nl80211 = true;
13305 	}
13306 
13307 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13308 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13309 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13310 
13311 	return err;
13312 }
13313 
13314 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13315 {
13316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13317 	struct net_device *dev = info->user_ptr[1];
13318 
13319 	return cfg80211_leave_mesh(rdev, dev);
13320 }
13321 
13322 #ifdef CONFIG_PM
13323 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13324 					struct cfg80211_registered_device *rdev)
13325 {
13326 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13327 	struct nlattr *nl_pats, *nl_pat;
13328 	int i, pat_len;
13329 
13330 	if (!wowlan->n_patterns)
13331 		return 0;
13332 
13333 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13334 	if (!nl_pats)
13335 		return -ENOBUFS;
13336 
13337 	for (i = 0; i < wowlan->n_patterns; i++) {
13338 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13339 		if (!nl_pat)
13340 			return -ENOBUFS;
13341 		pat_len = wowlan->patterns[i].pattern_len;
13342 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13343 			    wowlan->patterns[i].mask) ||
13344 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13345 			    wowlan->patterns[i].pattern) ||
13346 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13347 				wowlan->patterns[i].pkt_offset))
13348 			return -ENOBUFS;
13349 		nla_nest_end(msg, nl_pat);
13350 	}
13351 	nla_nest_end(msg, nl_pats);
13352 
13353 	return 0;
13354 }
13355 
13356 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13357 				   struct cfg80211_wowlan_tcp *tcp)
13358 {
13359 	struct nlattr *nl_tcp;
13360 
13361 	if (!tcp)
13362 		return 0;
13363 
13364 	nl_tcp = nla_nest_start_noflag(msg,
13365 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13366 	if (!nl_tcp)
13367 		return -ENOBUFS;
13368 
13369 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13370 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13371 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13372 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13373 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13374 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13375 		    tcp->payload_len, tcp->payload) ||
13376 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13377 			tcp->data_interval) ||
13378 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13379 		    tcp->wake_len, tcp->wake_data) ||
13380 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13381 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13382 		return -ENOBUFS;
13383 
13384 	if (tcp->payload_seq.len &&
13385 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13386 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13387 		return -ENOBUFS;
13388 
13389 	if (tcp->payload_tok.len &&
13390 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13391 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13392 		    &tcp->payload_tok))
13393 		return -ENOBUFS;
13394 
13395 	nla_nest_end(msg, nl_tcp);
13396 
13397 	return 0;
13398 }
13399 
13400 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13401 				  struct cfg80211_sched_scan_request *req)
13402 {
13403 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13404 	int i;
13405 
13406 	if (!req)
13407 		return 0;
13408 
13409 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13410 	if (!nd)
13411 		return -ENOBUFS;
13412 
13413 	if (req->n_scan_plans == 1 &&
13414 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13415 			req->scan_plans[0].interval * 1000))
13416 		return -ENOBUFS;
13417 
13418 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13419 		return -ENOBUFS;
13420 
13421 	if (req->relative_rssi_set) {
13422 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13423 
13424 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13425 			       req->relative_rssi))
13426 			return -ENOBUFS;
13427 
13428 		rssi_adjust.band = req->rssi_adjust.band;
13429 		rssi_adjust.delta = req->rssi_adjust.delta;
13430 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13431 			    sizeof(rssi_adjust), &rssi_adjust))
13432 			return -ENOBUFS;
13433 	}
13434 
13435 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13436 	if (!freqs)
13437 		return -ENOBUFS;
13438 
13439 	for (i = 0; i < req->n_channels; i++) {
13440 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13441 			return -ENOBUFS;
13442 	}
13443 
13444 	nla_nest_end(msg, freqs);
13445 
13446 	if (req->n_match_sets) {
13447 		matches = nla_nest_start_noflag(msg,
13448 						NL80211_ATTR_SCHED_SCAN_MATCH);
13449 		if (!matches)
13450 			return -ENOBUFS;
13451 
13452 		for (i = 0; i < req->n_match_sets; i++) {
13453 			match = nla_nest_start_noflag(msg, i);
13454 			if (!match)
13455 				return -ENOBUFS;
13456 
13457 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13458 				    req->match_sets[i].ssid.ssid_len,
13459 				    req->match_sets[i].ssid.ssid))
13460 				return -ENOBUFS;
13461 			nla_nest_end(msg, match);
13462 		}
13463 		nla_nest_end(msg, matches);
13464 	}
13465 
13466 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13467 	if (!scan_plans)
13468 		return -ENOBUFS;
13469 
13470 	for (i = 0; i < req->n_scan_plans; i++) {
13471 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13472 		if (!scan_plan)
13473 			return -ENOBUFS;
13474 
13475 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13476 				req->scan_plans[i].interval) ||
13477 		    (req->scan_plans[i].iterations &&
13478 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13479 				 req->scan_plans[i].iterations)))
13480 			return -ENOBUFS;
13481 		nla_nest_end(msg, scan_plan);
13482 	}
13483 	nla_nest_end(msg, scan_plans);
13484 
13485 	nla_nest_end(msg, nd);
13486 
13487 	return 0;
13488 }
13489 
13490 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13491 {
13492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13493 	struct sk_buff *msg;
13494 	void *hdr;
13495 	u32 size = NLMSG_DEFAULT_SIZE;
13496 
13497 	if (!rdev->wiphy.wowlan)
13498 		return -EOPNOTSUPP;
13499 
13500 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13501 		/* adjust size to have room for all the data */
13502 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13503 			rdev->wiphy.wowlan_config->tcp->payload_len +
13504 			rdev->wiphy.wowlan_config->tcp->wake_len +
13505 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13506 	}
13507 
13508 	msg = nlmsg_new(size, GFP_KERNEL);
13509 	if (!msg)
13510 		return -ENOMEM;
13511 
13512 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13513 			     NL80211_CMD_GET_WOWLAN);
13514 	if (!hdr)
13515 		goto nla_put_failure;
13516 
13517 	if (rdev->wiphy.wowlan_config) {
13518 		struct nlattr *nl_wowlan;
13519 
13520 		nl_wowlan = nla_nest_start_noflag(msg,
13521 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13522 		if (!nl_wowlan)
13523 			goto nla_put_failure;
13524 
13525 		if ((rdev->wiphy.wowlan_config->any &&
13526 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13527 		    (rdev->wiphy.wowlan_config->disconnect &&
13528 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13529 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13530 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13531 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13532 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13533 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13534 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13535 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13536 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13537 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13538 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13539 			goto nla_put_failure;
13540 
13541 		if (nl80211_send_wowlan_patterns(msg, rdev))
13542 			goto nla_put_failure;
13543 
13544 		if (nl80211_send_wowlan_tcp(msg,
13545 					    rdev->wiphy.wowlan_config->tcp))
13546 			goto nla_put_failure;
13547 
13548 		if (nl80211_send_wowlan_nd(
13549 			    msg,
13550 			    rdev->wiphy.wowlan_config->nd_config))
13551 			goto nla_put_failure;
13552 
13553 		nla_nest_end(msg, nl_wowlan);
13554 	}
13555 
13556 	genlmsg_end(msg, hdr);
13557 	return genlmsg_reply(msg, info);
13558 
13559 nla_put_failure:
13560 	nlmsg_free(msg);
13561 	return -ENOBUFS;
13562 }
13563 
13564 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13565 				    struct nlattr *attr,
13566 				    struct cfg80211_wowlan *trig)
13567 {
13568 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13569 	struct cfg80211_wowlan_tcp *cfg;
13570 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13571 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13572 	u32 size;
13573 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13574 	int err, port;
13575 
13576 	if (!rdev->wiphy.wowlan->tcp)
13577 		return -EINVAL;
13578 
13579 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13580 					  nl80211_wowlan_tcp_policy, NULL);
13581 	if (err)
13582 		return err;
13583 
13584 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13585 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13586 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13587 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13588 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13589 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13590 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13591 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13592 		return -EINVAL;
13593 
13594 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13595 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13596 		return -EINVAL;
13597 
13598 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13599 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13600 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13601 		return -EINVAL;
13602 
13603 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13604 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13605 		return -EINVAL;
13606 
13607 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13608 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13609 		return -EINVAL;
13610 
13611 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13612 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13613 
13614 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13615 		tokens_size = tokln - sizeof(*tok);
13616 
13617 		if (!tok->len || tokens_size % tok->len)
13618 			return -EINVAL;
13619 		if (!rdev->wiphy.wowlan->tcp->tok)
13620 			return -EINVAL;
13621 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13622 			return -EINVAL;
13623 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13624 			return -EINVAL;
13625 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13626 			return -EINVAL;
13627 		if (tok->offset + tok->len > data_size)
13628 			return -EINVAL;
13629 	}
13630 
13631 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13632 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13633 		if (!rdev->wiphy.wowlan->tcp->seq)
13634 			return -EINVAL;
13635 		if (seq->len == 0 || seq->len > 4)
13636 			return -EINVAL;
13637 		if (seq->len + seq->offset > data_size)
13638 			return -EINVAL;
13639 	}
13640 
13641 	size = sizeof(*cfg);
13642 	size += data_size;
13643 	size += wake_size + wake_mask_size;
13644 	size += tokens_size;
13645 
13646 	cfg = kzalloc(size, GFP_KERNEL);
13647 	if (!cfg)
13648 		return -ENOMEM;
13649 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13650 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13651 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13652 	       ETH_ALEN);
13653 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13654 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13655 	else
13656 		port = 0;
13657 #ifdef CONFIG_INET
13658 	/* allocate a socket and port for it and use it */
13659 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13660 			    IPPROTO_TCP, &cfg->sock, 1);
13661 	if (err) {
13662 		kfree(cfg);
13663 		return err;
13664 	}
13665 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13666 		sock_release(cfg->sock);
13667 		kfree(cfg);
13668 		return -EADDRINUSE;
13669 	}
13670 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13671 #else
13672 	if (!port) {
13673 		kfree(cfg);
13674 		return -EINVAL;
13675 	}
13676 	cfg->src_port = port;
13677 #endif
13678 
13679 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13680 	cfg->payload_len = data_size;
13681 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13682 	memcpy((void *)cfg->payload,
13683 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13684 	       data_size);
13685 	if (seq)
13686 		cfg->payload_seq = *seq;
13687 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13688 	cfg->wake_len = wake_size;
13689 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13690 	memcpy((void *)cfg->wake_data,
13691 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13692 	       wake_size);
13693 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13694 			 data_size + wake_size;
13695 	memcpy((void *)cfg->wake_mask,
13696 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13697 	       wake_mask_size);
13698 	if (tok) {
13699 		cfg->tokens_size = tokens_size;
13700 		cfg->payload_tok = *tok;
13701 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13702 		       tokens_size);
13703 	}
13704 
13705 	trig->tcp = cfg;
13706 
13707 	return 0;
13708 }
13709 
13710 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13711 				   const struct wiphy_wowlan_support *wowlan,
13712 				   struct nlattr *attr,
13713 				   struct cfg80211_wowlan *trig)
13714 {
13715 	struct nlattr **tb;
13716 	int err;
13717 
13718 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13719 	if (!tb)
13720 		return -ENOMEM;
13721 
13722 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13723 		err = -EOPNOTSUPP;
13724 		goto out;
13725 	}
13726 
13727 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13728 					  nl80211_policy, NULL);
13729 	if (err)
13730 		goto out;
13731 
13732 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13733 						   wowlan->max_nd_match_sets);
13734 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13735 	if (err)
13736 		trig->nd_config = NULL;
13737 
13738 out:
13739 	kfree(tb);
13740 	return err;
13741 }
13742 
13743 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13744 {
13745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13746 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13747 	struct cfg80211_wowlan new_triggers = {};
13748 	struct cfg80211_wowlan *ntrig;
13749 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13750 	int err, i;
13751 	bool prev_enabled = rdev->wiphy.wowlan_config;
13752 	bool regular = false;
13753 
13754 	if (!wowlan)
13755 		return -EOPNOTSUPP;
13756 
13757 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13758 		cfg80211_rdev_free_wowlan(rdev);
13759 		rdev->wiphy.wowlan_config = NULL;
13760 		goto set_wakeup;
13761 	}
13762 
13763 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13764 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13765 					  nl80211_wowlan_policy, info->extack);
13766 	if (err)
13767 		return err;
13768 
13769 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13770 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13771 			return -EINVAL;
13772 		new_triggers.any = true;
13773 	}
13774 
13775 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13776 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13777 			return -EINVAL;
13778 		new_triggers.disconnect = true;
13779 		regular = true;
13780 	}
13781 
13782 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13783 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13784 			return -EINVAL;
13785 		new_triggers.magic_pkt = true;
13786 		regular = true;
13787 	}
13788 
13789 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13790 		return -EINVAL;
13791 
13792 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13793 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13794 			return -EINVAL;
13795 		new_triggers.gtk_rekey_failure = true;
13796 		regular = true;
13797 	}
13798 
13799 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13800 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13801 			return -EINVAL;
13802 		new_triggers.eap_identity_req = true;
13803 		regular = true;
13804 	}
13805 
13806 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13807 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13808 			return -EINVAL;
13809 		new_triggers.four_way_handshake = true;
13810 		regular = true;
13811 	}
13812 
13813 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13814 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13815 			return -EINVAL;
13816 		new_triggers.rfkill_release = true;
13817 		regular = true;
13818 	}
13819 
13820 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13821 		struct nlattr *pat;
13822 		int n_patterns = 0;
13823 		int rem, pat_len, mask_len, pkt_offset;
13824 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13825 
13826 		regular = true;
13827 
13828 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13829 				    rem)
13830 			n_patterns++;
13831 		if (n_patterns > wowlan->n_patterns)
13832 			return -EINVAL;
13833 
13834 		new_triggers.patterns = kcalloc(n_patterns,
13835 						sizeof(new_triggers.patterns[0]),
13836 						GFP_KERNEL);
13837 		if (!new_triggers.patterns)
13838 			return -ENOMEM;
13839 
13840 		new_triggers.n_patterns = n_patterns;
13841 		i = 0;
13842 
13843 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13844 				    rem) {
13845 			u8 *mask_pat;
13846 
13847 			err = nla_parse_nested_deprecated(pat_tb,
13848 							  MAX_NL80211_PKTPAT,
13849 							  pat,
13850 							  nl80211_packet_pattern_policy,
13851 							  info->extack);
13852 			if (err)
13853 				goto error;
13854 
13855 			err = -EINVAL;
13856 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13857 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13858 				goto error;
13859 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13860 			mask_len = DIV_ROUND_UP(pat_len, 8);
13861 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13862 				goto error;
13863 			if (pat_len > wowlan->pattern_max_len ||
13864 			    pat_len < wowlan->pattern_min_len)
13865 				goto error;
13866 
13867 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13868 				pkt_offset = 0;
13869 			else
13870 				pkt_offset = nla_get_u32(
13871 					pat_tb[NL80211_PKTPAT_OFFSET]);
13872 			if (pkt_offset > wowlan->max_pkt_offset)
13873 				goto error;
13874 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13875 
13876 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13877 			if (!mask_pat) {
13878 				err = -ENOMEM;
13879 				goto error;
13880 			}
13881 			new_triggers.patterns[i].mask = mask_pat;
13882 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13883 			       mask_len);
13884 			mask_pat += mask_len;
13885 			new_triggers.patterns[i].pattern = mask_pat;
13886 			new_triggers.patterns[i].pattern_len = pat_len;
13887 			memcpy(mask_pat,
13888 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13889 			       pat_len);
13890 			i++;
13891 		}
13892 	}
13893 
13894 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13895 		regular = true;
13896 		err = nl80211_parse_wowlan_tcp(
13897 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13898 			&new_triggers);
13899 		if (err)
13900 			goto error;
13901 	}
13902 
13903 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13904 		regular = true;
13905 		err = nl80211_parse_wowlan_nd(
13906 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13907 			&new_triggers);
13908 		if (err)
13909 			goto error;
13910 	}
13911 
13912 	/* The 'any' trigger means the device continues operating more or less
13913 	 * as in its normal operation mode and wakes up the host on most of the
13914 	 * normal interrupts (like packet RX, ...)
13915 	 * It therefore makes little sense to combine with the more constrained
13916 	 * wakeup trigger modes.
13917 	 */
13918 	if (new_triggers.any && regular) {
13919 		err = -EINVAL;
13920 		goto error;
13921 	}
13922 
13923 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13924 	if (!ntrig) {
13925 		err = -ENOMEM;
13926 		goto error;
13927 	}
13928 	cfg80211_rdev_free_wowlan(rdev);
13929 	rdev->wiphy.wowlan_config = ntrig;
13930 
13931  set_wakeup:
13932 	if (rdev->ops->set_wakeup &&
13933 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13934 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13935 
13936 	return 0;
13937  error:
13938 	for (i = 0; i < new_triggers.n_patterns; i++)
13939 		kfree(new_triggers.patterns[i].mask);
13940 	kfree(new_triggers.patterns);
13941 	if (new_triggers.tcp && new_triggers.tcp->sock)
13942 		sock_release(new_triggers.tcp->sock);
13943 	kfree(new_triggers.tcp);
13944 	kfree(new_triggers.nd_config);
13945 	return err;
13946 }
13947 #endif
13948 
13949 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13950 				       struct cfg80211_registered_device *rdev)
13951 {
13952 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13953 	int i, j, pat_len;
13954 	struct cfg80211_coalesce_rules *rule;
13955 
13956 	if (!rdev->coalesce->n_rules)
13957 		return 0;
13958 
13959 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13960 	if (!nl_rules)
13961 		return -ENOBUFS;
13962 
13963 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13964 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13965 		if (!nl_rule)
13966 			return -ENOBUFS;
13967 
13968 		rule = &rdev->coalesce->rules[i];
13969 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13970 				rule->delay))
13971 			return -ENOBUFS;
13972 
13973 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13974 				rule->condition))
13975 			return -ENOBUFS;
13976 
13977 		nl_pats = nla_nest_start_noflag(msg,
13978 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13979 		if (!nl_pats)
13980 			return -ENOBUFS;
13981 
13982 		for (j = 0; j < rule->n_patterns; j++) {
13983 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13984 			if (!nl_pat)
13985 				return -ENOBUFS;
13986 			pat_len = rule->patterns[j].pattern_len;
13987 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13988 				    DIV_ROUND_UP(pat_len, 8),
13989 				    rule->patterns[j].mask) ||
13990 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13991 				    rule->patterns[j].pattern) ||
13992 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13993 					rule->patterns[j].pkt_offset))
13994 				return -ENOBUFS;
13995 			nla_nest_end(msg, nl_pat);
13996 		}
13997 		nla_nest_end(msg, nl_pats);
13998 		nla_nest_end(msg, nl_rule);
13999 	}
14000 	nla_nest_end(msg, nl_rules);
14001 
14002 	return 0;
14003 }
14004 
14005 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14006 {
14007 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14008 	struct sk_buff *msg;
14009 	void *hdr;
14010 
14011 	if (!rdev->wiphy.coalesce)
14012 		return -EOPNOTSUPP;
14013 
14014 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14015 	if (!msg)
14016 		return -ENOMEM;
14017 
14018 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14019 			     NL80211_CMD_GET_COALESCE);
14020 	if (!hdr)
14021 		goto nla_put_failure;
14022 
14023 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14024 		goto nla_put_failure;
14025 
14026 	genlmsg_end(msg, hdr);
14027 	return genlmsg_reply(msg, info);
14028 
14029 nla_put_failure:
14030 	nlmsg_free(msg);
14031 	return -ENOBUFS;
14032 }
14033 
14034 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14035 {
14036 	int i, j;
14037 	struct cfg80211_coalesce_rules *rule;
14038 
14039 	if (!coalesce)
14040 		return;
14041 
14042 	for (i = 0; i < coalesce->n_rules; i++) {
14043 		rule = &coalesce->rules[i];
14044 		if (!rule)
14045 			continue;
14046 		for (j = 0; j < rule->n_patterns; j++)
14047 			kfree(rule->patterns[j].mask);
14048 		kfree(rule->patterns);
14049 	}
14050 	kfree(coalesce);
14051 }
14052 
14053 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14054 				       struct nlattr *rule,
14055 				       struct cfg80211_coalesce_rules *new_rule)
14056 {
14057 	int err, i;
14058 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14059 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14060 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14061 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14062 
14063 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14064 					  rule, nl80211_coalesce_policy, NULL);
14065 	if (err)
14066 		return err;
14067 
14068 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14069 		new_rule->delay =
14070 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14071 	if (new_rule->delay > coalesce->max_delay)
14072 		return -EINVAL;
14073 
14074 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14075 		new_rule->condition =
14076 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14077 
14078 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14079 		return -EINVAL;
14080 
14081 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14082 			    rem)
14083 		n_patterns++;
14084 	if (n_patterns > coalesce->n_patterns)
14085 		return -EINVAL;
14086 
14087 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14088 				     GFP_KERNEL);
14089 	if (!new_rule->patterns)
14090 		return -ENOMEM;
14091 
14092 	new_rule->n_patterns = n_patterns;
14093 	i = 0;
14094 
14095 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14096 			    rem) {
14097 		u8 *mask_pat;
14098 
14099 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14100 						  pat,
14101 						  nl80211_packet_pattern_policy,
14102 						  NULL);
14103 		if (err)
14104 			return err;
14105 
14106 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14107 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14108 			return -EINVAL;
14109 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14110 		mask_len = DIV_ROUND_UP(pat_len, 8);
14111 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14112 			return -EINVAL;
14113 		if (pat_len > coalesce->pattern_max_len ||
14114 		    pat_len < coalesce->pattern_min_len)
14115 			return -EINVAL;
14116 
14117 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
14118 			pkt_offset = 0;
14119 		else
14120 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
14121 		if (pkt_offset > coalesce->max_pkt_offset)
14122 			return -EINVAL;
14123 		new_rule->patterns[i].pkt_offset = pkt_offset;
14124 
14125 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14126 		if (!mask_pat)
14127 			return -ENOMEM;
14128 
14129 		new_rule->patterns[i].mask = mask_pat;
14130 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14131 		       mask_len);
14132 
14133 		mask_pat += mask_len;
14134 		new_rule->patterns[i].pattern = mask_pat;
14135 		new_rule->patterns[i].pattern_len = pat_len;
14136 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14137 		       pat_len);
14138 		i++;
14139 	}
14140 
14141 	return 0;
14142 }
14143 
14144 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14145 {
14146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14147 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14148 	struct cfg80211_coalesce *new_coalesce;
14149 	int err, rem_rule, n_rules = 0, i;
14150 	struct nlattr *rule;
14151 
14152 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14153 		return -EOPNOTSUPP;
14154 
14155 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14156 		cfg80211_free_coalesce(rdev->coalesce);
14157 		rdev->coalesce = NULL;
14158 		rdev_set_coalesce(rdev, NULL);
14159 		return 0;
14160 	}
14161 
14162 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14163 			    rem_rule)
14164 		n_rules++;
14165 	if (n_rules > coalesce->n_rules)
14166 		return -EINVAL;
14167 
14168 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14169 			       GFP_KERNEL);
14170 	if (!new_coalesce)
14171 		return -ENOMEM;
14172 
14173 	new_coalesce->n_rules = n_rules;
14174 	i = 0;
14175 
14176 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14177 			    rem_rule) {
14178 		err = nl80211_parse_coalesce_rule(rdev, rule,
14179 						  &new_coalesce->rules[i]);
14180 		if (err)
14181 			goto error;
14182 
14183 		i++;
14184 	}
14185 
14186 	err = rdev_set_coalesce(rdev, new_coalesce);
14187 	if (err)
14188 		goto error;
14189 
14190 	cfg80211_free_coalesce(rdev->coalesce);
14191 	rdev->coalesce = new_coalesce;
14192 
14193 	return 0;
14194 error:
14195 	cfg80211_free_coalesce(new_coalesce);
14196 
14197 	return err;
14198 }
14199 
14200 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14201 {
14202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14203 	struct net_device *dev = info->user_ptr[1];
14204 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14205 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14206 	struct cfg80211_gtk_rekey_data rekey_data = {};
14207 	int err;
14208 
14209 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14210 		return -EINVAL;
14211 
14212 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14213 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14214 					  nl80211_rekey_policy, info->extack);
14215 	if (err)
14216 		return err;
14217 
14218 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14219 	    !tb[NL80211_REKEY_DATA_KCK])
14220 		return -EINVAL;
14221 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14222 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14223 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14224 		return -ERANGE;
14225 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14226 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14227 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14228 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14229 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14230 		return -ERANGE;
14231 
14232 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14233 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14234 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14235 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14236 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14237 	if (tb[NL80211_REKEY_DATA_AKM])
14238 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14239 
14240 	if (!wdev->connected)
14241 		return -ENOTCONN;
14242 
14243 	if (!rdev->ops->set_rekey_data)
14244 		return -EOPNOTSUPP;
14245 
14246 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14247 }
14248 
14249 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14250 					     struct genl_info *info)
14251 {
14252 	struct net_device *dev = info->user_ptr[1];
14253 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14254 
14255 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14256 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14257 		return -EINVAL;
14258 
14259 	if (wdev->ap_unexpected_nlportid)
14260 		return -EBUSY;
14261 
14262 	wdev->ap_unexpected_nlportid = info->snd_portid;
14263 	return 0;
14264 }
14265 
14266 static int nl80211_probe_client(struct sk_buff *skb,
14267 				struct genl_info *info)
14268 {
14269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14270 	struct net_device *dev = info->user_ptr[1];
14271 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14272 	struct sk_buff *msg;
14273 	void *hdr;
14274 	const u8 *addr;
14275 	u64 cookie;
14276 	int err;
14277 
14278 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14279 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14280 		return -EOPNOTSUPP;
14281 
14282 	if (!info->attrs[NL80211_ATTR_MAC])
14283 		return -EINVAL;
14284 
14285 	if (!rdev->ops->probe_client)
14286 		return -EOPNOTSUPP;
14287 
14288 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14289 	if (!msg)
14290 		return -ENOMEM;
14291 
14292 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14293 			     NL80211_CMD_PROBE_CLIENT);
14294 	if (!hdr) {
14295 		err = -ENOBUFS;
14296 		goto free_msg;
14297 	}
14298 
14299 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14300 
14301 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14302 	if (err)
14303 		goto free_msg;
14304 
14305 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14306 			      NL80211_ATTR_PAD))
14307 		goto nla_put_failure;
14308 
14309 	genlmsg_end(msg, hdr);
14310 
14311 	return genlmsg_reply(msg, info);
14312 
14313  nla_put_failure:
14314 	err = -ENOBUFS;
14315  free_msg:
14316 	nlmsg_free(msg);
14317 	return err;
14318 }
14319 
14320 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14321 {
14322 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14323 	struct cfg80211_beacon_registration *reg, *nreg;
14324 	int rv;
14325 
14326 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14327 		return -EOPNOTSUPP;
14328 
14329 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14330 	if (!nreg)
14331 		return -ENOMEM;
14332 
14333 	/* First, check if already registered. */
14334 	spin_lock_bh(&rdev->beacon_registrations_lock);
14335 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14336 		if (reg->nlportid == info->snd_portid) {
14337 			rv = -EALREADY;
14338 			goto out_err;
14339 		}
14340 	}
14341 	/* Add it to the list */
14342 	nreg->nlportid = info->snd_portid;
14343 	list_add(&nreg->list, &rdev->beacon_registrations);
14344 
14345 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14346 
14347 	return 0;
14348 out_err:
14349 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14350 	kfree(nreg);
14351 	return rv;
14352 }
14353 
14354 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14355 {
14356 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14357 	struct wireless_dev *wdev = info->user_ptr[1];
14358 	int err;
14359 
14360 	if (!rdev->ops->start_p2p_device)
14361 		return -EOPNOTSUPP;
14362 
14363 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14364 		return -EOPNOTSUPP;
14365 
14366 	if (wdev_running(wdev))
14367 		return 0;
14368 
14369 	if (rfkill_blocked(rdev->wiphy.rfkill))
14370 		return -ERFKILL;
14371 
14372 	err = rdev_start_p2p_device(rdev, wdev);
14373 	if (err)
14374 		return err;
14375 
14376 	wdev->is_running = true;
14377 	rdev->opencount++;
14378 
14379 	return 0;
14380 }
14381 
14382 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14383 {
14384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14385 	struct wireless_dev *wdev = info->user_ptr[1];
14386 
14387 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14388 		return -EOPNOTSUPP;
14389 
14390 	if (!rdev->ops->stop_p2p_device)
14391 		return -EOPNOTSUPP;
14392 
14393 	cfg80211_stop_p2p_device(rdev, wdev);
14394 
14395 	return 0;
14396 }
14397 
14398 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14399 {
14400 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14401 	struct wireless_dev *wdev = info->user_ptr[1];
14402 	struct cfg80211_nan_conf conf = {};
14403 	int err;
14404 
14405 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14406 		return -EOPNOTSUPP;
14407 
14408 	if (wdev_running(wdev))
14409 		return -EEXIST;
14410 
14411 	if (rfkill_blocked(rdev->wiphy.rfkill))
14412 		return -ERFKILL;
14413 
14414 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14415 		return -EINVAL;
14416 
14417 	conf.master_pref =
14418 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14419 
14420 	if (info->attrs[NL80211_ATTR_BANDS]) {
14421 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14422 
14423 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14424 			return -EOPNOTSUPP;
14425 
14426 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14427 			return -EINVAL;
14428 
14429 		conf.bands = bands;
14430 	}
14431 
14432 	err = rdev_start_nan(rdev, wdev, &conf);
14433 	if (err)
14434 		return err;
14435 
14436 	wdev->is_running = true;
14437 	rdev->opencount++;
14438 
14439 	return 0;
14440 }
14441 
14442 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14443 {
14444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14445 	struct wireless_dev *wdev = info->user_ptr[1];
14446 
14447 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14448 		return -EOPNOTSUPP;
14449 
14450 	cfg80211_stop_nan(rdev, wdev);
14451 
14452 	return 0;
14453 }
14454 
14455 static int validate_nan_filter(struct nlattr *filter_attr)
14456 {
14457 	struct nlattr *attr;
14458 	int len = 0, n_entries = 0, rem;
14459 
14460 	nla_for_each_nested(attr, filter_attr, rem) {
14461 		len += nla_len(attr);
14462 		n_entries++;
14463 	}
14464 
14465 	if (len >= U8_MAX)
14466 		return -EINVAL;
14467 
14468 	return n_entries;
14469 }
14470 
14471 static int handle_nan_filter(struct nlattr *attr_filter,
14472 			     struct cfg80211_nan_func *func,
14473 			     bool tx)
14474 {
14475 	struct nlattr *attr;
14476 	int n_entries, rem, i;
14477 	struct cfg80211_nan_func_filter *filter;
14478 
14479 	n_entries = validate_nan_filter(attr_filter);
14480 	if (n_entries < 0)
14481 		return n_entries;
14482 
14483 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14484 
14485 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14486 	if (!filter)
14487 		return -ENOMEM;
14488 
14489 	i = 0;
14490 	nla_for_each_nested(attr, attr_filter, rem) {
14491 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14492 		if (!filter[i].filter)
14493 			goto err;
14494 
14495 		filter[i].len = nla_len(attr);
14496 		i++;
14497 	}
14498 	if (tx) {
14499 		func->num_tx_filters = n_entries;
14500 		func->tx_filters = filter;
14501 	} else {
14502 		func->num_rx_filters = n_entries;
14503 		func->rx_filters = filter;
14504 	}
14505 
14506 	return 0;
14507 
14508 err:
14509 	i = 0;
14510 	nla_for_each_nested(attr, attr_filter, rem) {
14511 		kfree(filter[i].filter);
14512 		i++;
14513 	}
14514 	kfree(filter);
14515 	return -ENOMEM;
14516 }
14517 
14518 static int nl80211_nan_add_func(struct sk_buff *skb,
14519 				struct genl_info *info)
14520 {
14521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14522 	struct wireless_dev *wdev = info->user_ptr[1];
14523 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14524 	struct cfg80211_nan_func *func;
14525 	struct sk_buff *msg = NULL;
14526 	void *hdr = NULL;
14527 	int err = 0;
14528 
14529 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14530 		return -EOPNOTSUPP;
14531 
14532 	if (!wdev_running(wdev))
14533 		return -ENOTCONN;
14534 
14535 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14536 		return -EINVAL;
14537 
14538 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14539 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14540 					  nl80211_nan_func_policy,
14541 					  info->extack);
14542 	if (err)
14543 		return err;
14544 
14545 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14546 	if (!func)
14547 		return -ENOMEM;
14548 
14549 	func->cookie = cfg80211_assign_cookie(rdev);
14550 
14551 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14552 		err = -EINVAL;
14553 		goto out;
14554 	}
14555 
14556 
14557 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14558 
14559 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14560 		err = -EINVAL;
14561 		goto out;
14562 	}
14563 
14564 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14565 	       sizeof(func->service_id));
14566 
14567 	func->close_range =
14568 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14569 
14570 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14571 		func->serv_spec_info_len =
14572 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14573 		func->serv_spec_info =
14574 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14575 				func->serv_spec_info_len,
14576 				GFP_KERNEL);
14577 		if (!func->serv_spec_info) {
14578 			err = -ENOMEM;
14579 			goto out;
14580 		}
14581 	}
14582 
14583 	if (tb[NL80211_NAN_FUNC_TTL])
14584 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14585 
14586 	switch (func->type) {
14587 	case NL80211_NAN_FUNC_PUBLISH:
14588 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14589 			err = -EINVAL;
14590 			goto out;
14591 		}
14592 
14593 		func->publish_type =
14594 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14595 		func->publish_bcast =
14596 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14597 
14598 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14599 			func->publish_bcast) {
14600 			err = -EINVAL;
14601 			goto out;
14602 		}
14603 		break;
14604 	case NL80211_NAN_FUNC_SUBSCRIBE:
14605 		func->subscribe_active =
14606 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14607 		break;
14608 	case NL80211_NAN_FUNC_FOLLOW_UP:
14609 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14610 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14611 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14612 			err = -EINVAL;
14613 			goto out;
14614 		}
14615 
14616 		func->followup_id =
14617 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14618 		func->followup_reqid =
14619 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14620 		memcpy(func->followup_dest.addr,
14621 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14622 		       sizeof(func->followup_dest.addr));
14623 		if (func->ttl) {
14624 			err = -EINVAL;
14625 			goto out;
14626 		}
14627 		break;
14628 	default:
14629 		err = -EINVAL;
14630 		goto out;
14631 	}
14632 
14633 	if (tb[NL80211_NAN_FUNC_SRF]) {
14634 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14635 
14636 		err = nla_parse_nested_deprecated(srf_tb,
14637 						  NL80211_NAN_SRF_ATTR_MAX,
14638 						  tb[NL80211_NAN_FUNC_SRF],
14639 						  nl80211_nan_srf_policy,
14640 						  info->extack);
14641 		if (err)
14642 			goto out;
14643 
14644 		func->srf_include =
14645 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14646 
14647 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14648 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14649 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14650 				err = -EINVAL;
14651 				goto out;
14652 			}
14653 
14654 			func->srf_bf_len =
14655 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14656 			func->srf_bf =
14657 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14658 					func->srf_bf_len, GFP_KERNEL);
14659 			if (!func->srf_bf) {
14660 				err = -ENOMEM;
14661 				goto out;
14662 			}
14663 
14664 			func->srf_bf_idx =
14665 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14666 		} else {
14667 			struct nlattr *attr, *mac_attr =
14668 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14669 			int n_entries, rem, i = 0;
14670 
14671 			if (!mac_attr) {
14672 				err = -EINVAL;
14673 				goto out;
14674 			}
14675 
14676 			n_entries = validate_acl_mac_addrs(mac_attr);
14677 			if (n_entries <= 0) {
14678 				err = -EINVAL;
14679 				goto out;
14680 			}
14681 
14682 			func->srf_num_macs = n_entries;
14683 			func->srf_macs =
14684 				kcalloc(n_entries, sizeof(*func->srf_macs),
14685 					GFP_KERNEL);
14686 			if (!func->srf_macs) {
14687 				err = -ENOMEM;
14688 				goto out;
14689 			}
14690 
14691 			nla_for_each_nested(attr, mac_attr, rem)
14692 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14693 				       sizeof(*func->srf_macs));
14694 		}
14695 	}
14696 
14697 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14698 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14699 					func, true);
14700 		if (err)
14701 			goto out;
14702 	}
14703 
14704 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14705 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14706 					func, false);
14707 		if (err)
14708 			goto out;
14709 	}
14710 
14711 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14712 	if (!msg) {
14713 		err = -ENOMEM;
14714 		goto out;
14715 	}
14716 
14717 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14718 			     NL80211_CMD_ADD_NAN_FUNCTION);
14719 	/* This can't really happen - we just allocated 4KB */
14720 	if (WARN_ON(!hdr)) {
14721 		err = -ENOMEM;
14722 		goto out;
14723 	}
14724 
14725 	err = rdev_add_nan_func(rdev, wdev, func);
14726 out:
14727 	if (err < 0) {
14728 		cfg80211_free_nan_func(func);
14729 		nlmsg_free(msg);
14730 		return err;
14731 	}
14732 
14733 	/* propagate the instance id and cookie to userspace  */
14734 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14735 			      NL80211_ATTR_PAD))
14736 		goto nla_put_failure;
14737 
14738 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14739 	if (!func_attr)
14740 		goto nla_put_failure;
14741 
14742 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14743 		       func->instance_id))
14744 		goto nla_put_failure;
14745 
14746 	nla_nest_end(msg, func_attr);
14747 
14748 	genlmsg_end(msg, hdr);
14749 	return genlmsg_reply(msg, info);
14750 
14751 nla_put_failure:
14752 	nlmsg_free(msg);
14753 	return -ENOBUFS;
14754 }
14755 
14756 static int nl80211_nan_del_func(struct sk_buff *skb,
14757 			       struct genl_info *info)
14758 {
14759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14760 	struct wireless_dev *wdev = info->user_ptr[1];
14761 	u64 cookie;
14762 
14763 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14764 		return -EOPNOTSUPP;
14765 
14766 	if (!wdev_running(wdev))
14767 		return -ENOTCONN;
14768 
14769 	if (!info->attrs[NL80211_ATTR_COOKIE])
14770 		return -EINVAL;
14771 
14772 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14773 
14774 	rdev_del_nan_func(rdev, wdev, cookie);
14775 
14776 	return 0;
14777 }
14778 
14779 static int nl80211_nan_change_config(struct sk_buff *skb,
14780 				     struct genl_info *info)
14781 {
14782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14783 	struct wireless_dev *wdev = info->user_ptr[1];
14784 	struct cfg80211_nan_conf conf = {};
14785 	u32 changed = 0;
14786 
14787 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14788 		return -EOPNOTSUPP;
14789 
14790 	if (!wdev_running(wdev))
14791 		return -ENOTCONN;
14792 
14793 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14794 		conf.master_pref =
14795 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14796 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14797 			return -EINVAL;
14798 
14799 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14800 	}
14801 
14802 	if (info->attrs[NL80211_ATTR_BANDS]) {
14803 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14804 
14805 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14806 			return -EOPNOTSUPP;
14807 
14808 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14809 			return -EINVAL;
14810 
14811 		conf.bands = bands;
14812 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14813 	}
14814 
14815 	if (!changed)
14816 		return -EINVAL;
14817 
14818 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14819 }
14820 
14821 void cfg80211_nan_match(struct wireless_dev *wdev,
14822 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14823 {
14824 	struct wiphy *wiphy = wdev->wiphy;
14825 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14826 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14827 	struct sk_buff *msg;
14828 	void *hdr;
14829 
14830 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14831 		return;
14832 
14833 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14834 	if (!msg)
14835 		return;
14836 
14837 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14838 	if (!hdr) {
14839 		nlmsg_free(msg);
14840 		return;
14841 	}
14842 
14843 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14844 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14845 					 wdev->netdev->ifindex)) ||
14846 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14847 			      NL80211_ATTR_PAD))
14848 		goto nla_put_failure;
14849 
14850 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14851 			      NL80211_ATTR_PAD) ||
14852 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14853 		goto nla_put_failure;
14854 
14855 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14856 	if (!match_attr)
14857 		goto nla_put_failure;
14858 
14859 	local_func_attr = nla_nest_start_noflag(msg,
14860 						NL80211_NAN_MATCH_FUNC_LOCAL);
14861 	if (!local_func_attr)
14862 		goto nla_put_failure;
14863 
14864 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14865 		goto nla_put_failure;
14866 
14867 	nla_nest_end(msg, local_func_attr);
14868 
14869 	peer_func_attr = nla_nest_start_noflag(msg,
14870 					       NL80211_NAN_MATCH_FUNC_PEER);
14871 	if (!peer_func_attr)
14872 		goto nla_put_failure;
14873 
14874 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14875 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14876 		goto nla_put_failure;
14877 
14878 	if (match->info && match->info_len &&
14879 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14880 		    match->info))
14881 		goto nla_put_failure;
14882 
14883 	nla_nest_end(msg, peer_func_attr);
14884 	nla_nest_end(msg, match_attr);
14885 	genlmsg_end(msg, hdr);
14886 
14887 	if (!wdev->owner_nlportid)
14888 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14889 					msg, 0, NL80211_MCGRP_NAN, gfp);
14890 	else
14891 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14892 				wdev->owner_nlportid);
14893 
14894 	return;
14895 
14896 nla_put_failure:
14897 	nlmsg_free(msg);
14898 }
14899 EXPORT_SYMBOL(cfg80211_nan_match);
14900 
14901 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14902 				  u8 inst_id,
14903 				  enum nl80211_nan_func_term_reason reason,
14904 				  u64 cookie, gfp_t gfp)
14905 {
14906 	struct wiphy *wiphy = wdev->wiphy;
14907 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14908 	struct sk_buff *msg;
14909 	struct nlattr *func_attr;
14910 	void *hdr;
14911 
14912 	if (WARN_ON(!inst_id))
14913 		return;
14914 
14915 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14916 	if (!msg)
14917 		return;
14918 
14919 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14920 	if (!hdr) {
14921 		nlmsg_free(msg);
14922 		return;
14923 	}
14924 
14925 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14926 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14927 					 wdev->netdev->ifindex)) ||
14928 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14929 			      NL80211_ATTR_PAD))
14930 		goto nla_put_failure;
14931 
14932 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14933 			      NL80211_ATTR_PAD))
14934 		goto nla_put_failure;
14935 
14936 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14937 	if (!func_attr)
14938 		goto nla_put_failure;
14939 
14940 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14941 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14942 		goto nla_put_failure;
14943 
14944 	nla_nest_end(msg, func_attr);
14945 	genlmsg_end(msg, hdr);
14946 
14947 	if (!wdev->owner_nlportid)
14948 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14949 					msg, 0, NL80211_MCGRP_NAN, gfp);
14950 	else
14951 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14952 				wdev->owner_nlportid);
14953 
14954 	return;
14955 
14956 nla_put_failure:
14957 	nlmsg_free(msg);
14958 }
14959 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14960 
14961 static int nl80211_get_protocol_features(struct sk_buff *skb,
14962 					 struct genl_info *info)
14963 {
14964 	void *hdr;
14965 	struct sk_buff *msg;
14966 
14967 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14968 	if (!msg)
14969 		return -ENOMEM;
14970 
14971 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14972 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14973 	if (!hdr)
14974 		goto nla_put_failure;
14975 
14976 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14977 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14978 		goto nla_put_failure;
14979 
14980 	genlmsg_end(msg, hdr);
14981 	return genlmsg_reply(msg, info);
14982 
14983  nla_put_failure:
14984 	kfree_skb(msg);
14985 	return -ENOBUFS;
14986 }
14987 
14988 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14989 {
14990 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14991 	struct cfg80211_update_ft_ies_params ft_params;
14992 	struct net_device *dev = info->user_ptr[1];
14993 
14994 	if (!rdev->ops->update_ft_ies)
14995 		return -EOPNOTSUPP;
14996 
14997 	if (!info->attrs[NL80211_ATTR_MDID] ||
14998 	    !info->attrs[NL80211_ATTR_IE])
14999 		return -EINVAL;
15000 
15001 	memset(&ft_params, 0, sizeof(ft_params));
15002 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15003 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15004 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15005 
15006 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15007 }
15008 
15009 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15010 				       struct genl_info *info)
15011 {
15012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15013 	struct wireless_dev *wdev = info->user_ptr[1];
15014 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15015 	u16 duration;
15016 	int ret;
15017 
15018 	if (!rdev->ops->crit_proto_start)
15019 		return -EOPNOTSUPP;
15020 
15021 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15022 		return -EINVAL;
15023 
15024 	if (rdev->crit_proto_nlportid)
15025 		return -EBUSY;
15026 
15027 	/* determine protocol if provided */
15028 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15029 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15030 
15031 	if (proto >= NUM_NL80211_CRIT_PROTO)
15032 		return -EINVAL;
15033 
15034 	/* timeout must be provided */
15035 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15036 		return -EINVAL;
15037 
15038 	duration =
15039 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15040 
15041 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15042 	if (!ret)
15043 		rdev->crit_proto_nlportid = info->snd_portid;
15044 
15045 	return ret;
15046 }
15047 
15048 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15049 				      struct genl_info *info)
15050 {
15051 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15052 	struct wireless_dev *wdev = info->user_ptr[1];
15053 
15054 	if (!rdev->ops->crit_proto_stop)
15055 		return -EOPNOTSUPP;
15056 
15057 	if (rdev->crit_proto_nlportid) {
15058 		rdev->crit_proto_nlportid = 0;
15059 		rdev_crit_proto_stop(rdev, wdev);
15060 	}
15061 	return 0;
15062 }
15063 
15064 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15065 				       struct nlattr *attr,
15066 				       struct netlink_ext_ack *extack)
15067 {
15068 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15069 		if (attr->nla_type & NLA_F_NESTED) {
15070 			NL_SET_ERR_MSG_ATTR(extack, attr,
15071 					    "unexpected nested data");
15072 			return -EINVAL;
15073 		}
15074 
15075 		return 0;
15076 	}
15077 
15078 	if (!(attr->nla_type & NLA_F_NESTED)) {
15079 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15080 		return -EINVAL;
15081 	}
15082 
15083 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15084 }
15085 
15086 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15087 {
15088 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15089 	struct wireless_dev *wdev =
15090 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15091 					   info->attrs);
15092 	int i, err;
15093 	u32 vid, subcmd;
15094 
15095 	if (!rdev->wiphy.vendor_commands)
15096 		return -EOPNOTSUPP;
15097 
15098 	if (IS_ERR(wdev)) {
15099 		err = PTR_ERR(wdev);
15100 		if (err != -EINVAL)
15101 			return err;
15102 		wdev = NULL;
15103 	} else if (wdev->wiphy != &rdev->wiphy) {
15104 		return -EINVAL;
15105 	}
15106 
15107 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15108 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15109 		return -EINVAL;
15110 
15111 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15112 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15113 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15114 		const struct wiphy_vendor_command *vcmd;
15115 		void *data = NULL;
15116 		int len = 0;
15117 
15118 		vcmd = &rdev->wiphy.vendor_commands[i];
15119 
15120 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15121 			continue;
15122 
15123 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15124 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15125 			if (!wdev)
15126 				return -EINVAL;
15127 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15128 			    !wdev->netdev)
15129 				return -EINVAL;
15130 
15131 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15132 				if (!wdev_running(wdev))
15133 					return -ENETDOWN;
15134 			}
15135 		} else {
15136 			wdev = NULL;
15137 		}
15138 
15139 		if (!vcmd->doit)
15140 			return -EOPNOTSUPP;
15141 
15142 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15143 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15144 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15145 
15146 			err = nl80211_vendor_check_policy(vcmd,
15147 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15148 					info->extack);
15149 			if (err)
15150 				return err;
15151 		}
15152 
15153 		rdev->cur_cmd_info = info;
15154 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15155 		rdev->cur_cmd_info = NULL;
15156 		return err;
15157 	}
15158 
15159 	return -EOPNOTSUPP;
15160 }
15161 
15162 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15163 				       struct netlink_callback *cb,
15164 				       struct cfg80211_registered_device **rdev,
15165 				       struct wireless_dev **wdev)
15166 {
15167 	struct nlattr **attrbuf;
15168 	u32 vid, subcmd;
15169 	unsigned int i;
15170 	int vcmd_idx = -1;
15171 	int err;
15172 	void *data = NULL;
15173 	unsigned int data_len = 0;
15174 
15175 	if (cb->args[0]) {
15176 		/* subtract the 1 again here */
15177 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15178 		struct wireless_dev *tmp;
15179 
15180 		if (!wiphy)
15181 			return -ENODEV;
15182 		*rdev = wiphy_to_rdev(wiphy);
15183 		*wdev = NULL;
15184 
15185 		if (cb->args[1]) {
15186 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15187 				if (tmp->identifier == cb->args[1] - 1) {
15188 					*wdev = tmp;
15189 					break;
15190 				}
15191 			}
15192 		}
15193 
15194 		/* keep rtnl locked in successful case */
15195 		return 0;
15196 	}
15197 
15198 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15199 	if (!attrbuf)
15200 		return -ENOMEM;
15201 
15202 	err = nlmsg_parse_deprecated(cb->nlh,
15203 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15204 				     attrbuf, nl80211_fam.maxattr,
15205 				     nl80211_policy, NULL);
15206 	if (err)
15207 		goto out;
15208 
15209 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15210 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15211 		err = -EINVAL;
15212 		goto out;
15213 	}
15214 
15215 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15216 	if (IS_ERR(*wdev))
15217 		*wdev = NULL;
15218 
15219 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15220 	if (IS_ERR(*rdev)) {
15221 		err = PTR_ERR(*rdev);
15222 		goto out;
15223 	}
15224 
15225 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15226 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15227 
15228 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15229 		const struct wiphy_vendor_command *vcmd;
15230 
15231 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15232 
15233 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15234 			continue;
15235 
15236 		if (!vcmd->dumpit) {
15237 			err = -EOPNOTSUPP;
15238 			goto out;
15239 		}
15240 
15241 		vcmd_idx = i;
15242 		break;
15243 	}
15244 
15245 	if (vcmd_idx < 0) {
15246 		err = -EOPNOTSUPP;
15247 		goto out;
15248 	}
15249 
15250 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15251 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15252 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15253 
15254 		err = nl80211_vendor_check_policy(
15255 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15256 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15257 				cb->extack);
15258 		if (err)
15259 			goto out;
15260 	}
15261 
15262 	/* 0 is the first index - add 1 to parse only once */
15263 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15264 	/* add 1 to know if it was NULL */
15265 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15266 	cb->args[2] = vcmd_idx;
15267 	cb->args[3] = (unsigned long)data;
15268 	cb->args[4] = data_len;
15269 
15270 	/* keep rtnl locked in successful case */
15271 	err = 0;
15272 out:
15273 	kfree(attrbuf);
15274 	return err;
15275 }
15276 
15277 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15278 				   struct netlink_callback *cb)
15279 {
15280 	struct cfg80211_registered_device *rdev;
15281 	struct wireless_dev *wdev;
15282 	unsigned int vcmd_idx;
15283 	const struct wiphy_vendor_command *vcmd;
15284 	void *data;
15285 	int data_len;
15286 	int err;
15287 	struct nlattr *vendor_data;
15288 
15289 	rtnl_lock();
15290 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15291 	if (err)
15292 		goto out;
15293 
15294 	vcmd_idx = cb->args[2];
15295 	data = (void *)cb->args[3];
15296 	data_len = cb->args[4];
15297 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15298 
15299 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15300 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15301 		if (!wdev) {
15302 			err = -EINVAL;
15303 			goto out;
15304 		}
15305 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15306 		    !wdev->netdev) {
15307 			err = -EINVAL;
15308 			goto out;
15309 		}
15310 
15311 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15312 			if (!wdev_running(wdev)) {
15313 				err = -ENETDOWN;
15314 				goto out;
15315 			}
15316 		}
15317 	}
15318 
15319 	while (1) {
15320 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15321 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15322 					   NL80211_CMD_VENDOR);
15323 		if (!hdr)
15324 			break;
15325 
15326 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15327 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15328 					       wdev_id(wdev),
15329 					       NL80211_ATTR_PAD))) {
15330 			genlmsg_cancel(skb, hdr);
15331 			break;
15332 		}
15333 
15334 		vendor_data = nla_nest_start_noflag(skb,
15335 						    NL80211_ATTR_VENDOR_DATA);
15336 		if (!vendor_data) {
15337 			genlmsg_cancel(skb, hdr);
15338 			break;
15339 		}
15340 
15341 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15342 				   (unsigned long *)&cb->args[5]);
15343 		nla_nest_end(skb, vendor_data);
15344 
15345 		if (err == -ENOBUFS || err == -ENOENT) {
15346 			genlmsg_cancel(skb, hdr);
15347 			break;
15348 		} else if (err <= 0) {
15349 			genlmsg_cancel(skb, hdr);
15350 			goto out;
15351 		}
15352 
15353 		genlmsg_end(skb, hdr);
15354 	}
15355 
15356 	err = skb->len;
15357  out:
15358 	rtnl_unlock();
15359 	return err;
15360 }
15361 
15362 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15363 					   enum nl80211_commands cmd,
15364 					   enum nl80211_attrs attr,
15365 					   int approxlen)
15366 {
15367 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15368 
15369 	if (WARN_ON(!rdev->cur_cmd_info))
15370 		return NULL;
15371 
15372 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15373 					   rdev->cur_cmd_info->snd_portid,
15374 					   rdev->cur_cmd_info->snd_seq,
15375 					   cmd, attr, NULL, GFP_KERNEL);
15376 }
15377 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15378 
15379 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15380 {
15381 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15382 	void *hdr = ((void **)skb->cb)[1];
15383 	struct nlattr *data = ((void **)skb->cb)[2];
15384 
15385 	/* clear CB data for netlink core to own from now on */
15386 	memset(skb->cb, 0, sizeof(skb->cb));
15387 
15388 	if (WARN_ON(!rdev->cur_cmd_info)) {
15389 		kfree_skb(skb);
15390 		return -EINVAL;
15391 	}
15392 
15393 	nla_nest_end(skb, data);
15394 	genlmsg_end(skb, hdr);
15395 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15396 }
15397 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15398 
15399 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15400 {
15401 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15402 
15403 	if (WARN_ON(!rdev->cur_cmd_info))
15404 		return 0;
15405 
15406 	return rdev->cur_cmd_info->snd_portid;
15407 }
15408 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15409 
15410 static int nl80211_set_qos_map(struct sk_buff *skb,
15411 			       struct genl_info *info)
15412 {
15413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15414 	struct cfg80211_qos_map *qos_map = NULL;
15415 	struct net_device *dev = info->user_ptr[1];
15416 	u8 *pos, len, num_des, des_len, des;
15417 	int ret;
15418 
15419 	if (!rdev->ops->set_qos_map)
15420 		return -EOPNOTSUPP;
15421 
15422 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15423 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15424 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15425 
15426 		if (len % 2)
15427 			return -EINVAL;
15428 
15429 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15430 		if (!qos_map)
15431 			return -ENOMEM;
15432 
15433 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15434 		if (num_des) {
15435 			des_len = num_des *
15436 				sizeof(struct cfg80211_dscp_exception);
15437 			memcpy(qos_map->dscp_exception, pos, des_len);
15438 			qos_map->num_des = num_des;
15439 			for (des = 0; des < num_des; des++) {
15440 				if (qos_map->dscp_exception[des].up > 7) {
15441 					kfree(qos_map);
15442 					return -EINVAL;
15443 				}
15444 			}
15445 			pos += des_len;
15446 		}
15447 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15448 	}
15449 
15450 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15451 	if (!ret)
15452 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15453 
15454 	kfree(qos_map);
15455 	return ret;
15456 }
15457 
15458 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15459 {
15460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15461 	struct net_device *dev = info->user_ptr[1];
15462 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15463 	const u8 *peer;
15464 	u8 tsid, up;
15465 	u16 admitted_time = 0;
15466 
15467 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15468 		return -EOPNOTSUPP;
15469 
15470 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15471 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15472 		return -EINVAL;
15473 
15474 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15475 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15476 
15477 	/* WMM uses TIDs 0-7 even for TSPEC */
15478 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15479 		/* TODO: handle 802.11 TSPEC/admission control
15480 		 * need more attributes for that (e.g. BA session requirement);
15481 		 * change the WMM adminssion test above to allow both then
15482 		 */
15483 		return -EINVAL;
15484 	}
15485 
15486 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15487 
15488 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15489 		admitted_time =
15490 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15491 		if (!admitted_time)
15492 			return -EINVAL;
15493 	}
15494 
15495 	switch (wdev->iftype) {
15496 	case NL80211_IFTYPE_STATION:
15497 	case NL80211_IFTYPE_P2P_CLIENT:
15498 		if (wdev->connected)
15499 			break;
15500 		return -ENOTCONN;
15501 	default:
15502 		return -EOPNOTSUPP;
15503 	}
15504 
15505 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15506 }
15507 
15508 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15509 {
15510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15511 	struct net_device *dev = info->user_ptr[1];
15512 	const u8 *peer;
15513 	u8 tsid;
15514 
15515 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15516 		return -EINVAL;
15517 
15518 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15519 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15520 
15521 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15522 }
15523 
15524 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15525 				       struct genl_info *info)
15526 {
15527 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15528 	struct net_device *dev = info->user_ptr[1];
15529 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15530 	struct cfg80211_chan_def chandef = {};
15531 	const u8 *addr;
15532 	u8 oper_class;
15533 	int err;
15534 
15535 	if (!rdev->ops->tdls_channel_switch ||
15536 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15537 		return -EOPNOTSUPP;
15538 
15539 	switch (dev->ieee80211_ptr->iftype) {
15540 	case NL80211_IFTYPE_STATION:
15541 	case NL80211_IFTYPE_P2P_CLIENT:
15542 		break;
15543 	default:
15544 		return -EOPNOTSUPP;
15545 	}
15546 
15547 	if (!info->attrs[NL80211_ATTR_MAC] ||
15548 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15549 		return -EINVAL;
15550 
15551 	err = nl80211_parse_chandef(rdev, info, &chandef);
15552 	if (err)
15553 		return err;
15554 
15555 	/*
15556 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15557 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15558 	 * specification is not defined for them.
15559 	 */
15560 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15561 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15562 	    chandef.width != NL80211_CHAN_WIDTH_20)
15563 		return -EINVAL;
15564 
15565 	/* we will be active on the TDLS link */
15566 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15567 					   wdev->iftype))
15568 		return -EINVAL;
15569 
15570 	/* don't allow switching to DFS channels */
15571 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15572 		return -EINVAL;
15573 
15574 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15575 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15576 
15577 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15578 }
15579 
15580 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15581 					      struct genl_info *info)
15582 {
15583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15584 	struct net_device *dev = info->user_ptr[1];
15585 	const u8 *addr;
15586 
15587 	if (!rdev->ops->tdls_channel_switch ||
15588 	    !rdev->ops->tdls_cancel_channel_switch ||
15589 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15590 		return -EOPNOTSUPP;
15591 
15592 	switch (dev->ieee80211_ptr->iftype) {
15593 	case NL80211_IFTYPE_STATION:
15594 	case NL80211_IFTYPE_P2P_CLIENT:
15595 		break;
15596 	default:
15597 		return -EOPNOTSUPP;
15598 	}
15599 
15600 	if (!info->attrs[NL80211_ATTR_MAC])
15601 		return -EINVAL;
15602 
15603 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15604 
15605 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15606 
15607 	return 0;
15608 }
15609 
15610 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15611 					    struct genl_info *info)
15612 {
15613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15614 	struct net_device *dev = info->user_ptr[1];
15615 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15616 	const struct nlattr *nla;
15617 	bool enabled;
15618 
15619 	if (!rdev->ops->set_multicast_to_unicast)
15620 		return -EOPNOTSUPP;
15621 
15622 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15623 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15624 		return -EOPNOTSUPP;
15625 
15626 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15627 	enabled = nla_get_flag(nla);
15628 
15629 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15630 }
15631 
15632 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15633 {
15634 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15635 	struct net_device *dev = info->user_ptr[1];
15636 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15637 	struct cfg80211_pmk_conf pmk_conf = {};
15638 
15639 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15640 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15641 		return -EOPNOTSUPP;
15642 
15643 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15644 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15645 		return -EOPNOTSUPP;
15646 
15647 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15648 		return -EINVAL;
15649 
15650 	if (!wdev->connected)
15651 		return -ENOTCONN;
15652 
15653 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15654 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15655 		return -EINVAL;
15656 
15657 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15658 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15659 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15660 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15661 		return -EINVAL;
15662 
15663 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15664 		pmk_conf.pmk_r0_name =
15665 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15666 
15667 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15668 }
15669 
15670 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15671 {
15672 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15673 	struct net_device *dev = info->user_ptr[1];
15674 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15675 	const u8 *aa;
15676 
15677 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15678 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15679 		return -EOPNOTSUPP;
15680 
15681 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15682 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15683 		return -EOPNOTSUPP;
15684 
15685 	if (!info->attrs[NL80211_ATTR_MAC])
15686 		return -EINVAL;
15687 
15688 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15689 	return rdev_del_pmk(rdev, dev, aa);
15690 }
15691 
15692 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15693 {
15694 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15695 	struct net_device *dev = info->user_ptr[1];
15696 	struct cfg80211_external_auth_params params;
15697 
15698 	if (!rdev->ops->external_auth)
15699 		return -EOPNOTSUPP;
15700 
15701 	if (!info->attrs[NL80211_ATTR_SSID] &&
15702 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15703 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15704 		return -EINVAL;
15705 
15706 	if (!info->attrs[NL80211_ATTR_BSSID])
15707 		return -EINVAL;
15708 
15709 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15710 		return -EINVAL;
15711 
15712 	memset(&params, 0, sizeof(params));
15713 
15714 	if (info->attrs[NL80211_ATTR_SSID]) {
15715 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15716 		if (params.ssid.ssid_len == 0)
15717 			return -EINVAL;
15718 		memcpy(params.ssid.ssid,
15719 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15720 		       params.ssid.ssid_len);
15721 	}
15722 
15723 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15724 	       ETH_ALEN);
15725 
15726 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15727 
15728 	if (info->attrs[NL80211_ATTR_PMKID])
15729 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15730 
15731 	return rdev_external_auth(rdev, dev, &params);
15732 }
15733 
15734 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15735 {
15736 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15737 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15738 	struct net_device *dev = info->user_ptr[1];
15739 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15740 	const u8 *buf;
15741 	size_t len;
15742 	u8 *dest;
15743 	u16 proto;
15744 	bool noencrypt;
15745 	u64 cookie = 0;
15746 	int link_id;
15747 	int err;
15748 
15749 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15750 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15751 		return -EOPNOTSUPP;
15752 
15753 	if (!rdev->ops->tx_control_port)
15754 		return -EOPNOTSUPP;
15755 
15756 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15757 	    !info->attrs[NL80211_ATTR_MAC] ||
15758 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15759 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15760 		return -EINVAL;
15761 	}
15762 
15763 	switch (wdev->iftype) {
15764 	case NL80211_IFTYPE_AP:
15765 	case NL80211_IFTYPE_P2P_GO:
15766 	case NL80211_IFTYPE_MESH_POINT:
15767 		break;
15768 	case NL80211_IFTYPE_ADHOC:
15769 		if (wdev->u.ibss.current_bss)
15770 			break;
15771 		return -ENOTCONN;
15772 	case NL80211_IFTYPE_STATION:
15773 	case NL80211_IFTYPE_P2P_CLIENT:
15774 		if (wdev->connected)
15775 			break;
15776 		return -ENOTCONN;
15777 	default:
15778 		return -EOPNOTSUPP;
15779 	}
15780 
15781 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15782 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15783 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15784 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15785 	noencrypt =
15786 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15787 
15788 	link_id = nl80211_link_id_or_invalid(info->attrs);
15789 
15790 	err = rdev_tx_control_port(rdev, dev, buf, len,
15791 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15792 				   dont_wait_for_ack ? NULL : &cookie);
15793 	if (!err && !dont_wait_for_ack)
15794 		nl_set_extack_cookie_u64(info->extack, cookie);
15795 	return err;
15796 }
15797 
15798 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15799 					   struct genl_info *info)
15800 {
15801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15802 	struct net_device *dev = info->user_ptr[1];
15803 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15804 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15805 	unsigned int link_id = nl80211_link_id(info->attrs);
15806 	struct sk_buff *msg;
15807 	void *hdr;
15808 	struct nlattr *ftm_stats_attr;
15809 	int err;
15810 
15811 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15812 	    !wdev->links[link_id].ap.beacon_interval)
15813 		return -EOPNOTSUPP;
15814 
15815 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15816 	if (err)
15817 		return err;
15818 
15819 	if (!ftm_stats.filled)
15820 		return -ENODATA;
15821 
15822 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15823 	if (!msg)
15824 		return -ENOMEM;
15825 
15826 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15827 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15828 	if (!hdr)
15829 		goto nla_put_failure;
15830 
15831 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15832 		goto nla_put_failure;
15833 
15834 	ftm_stats_attr = nla_nest_start_noflag(msg,
15835 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15836 	if (!ftm_stats_attr)
15837 		goto nla_put_failure;
15838 
15839 #define SET_FTM(field, name, type)					 \
15840 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15841 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15842 			     ftm_stats.field))				 \
15843 		goto nla_put_failure; } while (0)
15844 #define SET_FTM_U64(field, name)					 \
15845 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15846 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15847 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15848 		goto nla_put_failure; } while (0)
15849 
15850 	SET_FTM(success_num, SUCCESS_NUM, u32);
15851 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15852 	SET_FTM(failed_num, FAILED_NUM, u32);
15853 	SET_FTM(asap_num, ASAP_NUM, u32);
15854 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15855 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15856 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15857 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15858 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15859 #undef SET_FTM
15860 
15861 	nla_nest_end(msg, ftm_stats_attr);
15862 
15863 	genlmsg_end(msg, hdr);
15864 	return genlmsg_reply(msg, info);
15865 
15866 nla_put_failure:
15867 	nlmsg_free(msg);
15868 	return -ENOBUFS;
15869 }
15870 
15871 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15872 {
15873 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15874 	struct cfg80211_update_owe_info owe_info;
15875 	struct net_device *dev = info->user_ptr[1];
15876 
15877 	if (!rdev->ops->update_owe_info)
15878 		return -EOPNOTSUPP;
15879 
15880 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15881 	    !info->attrs[NL80211_ATTR_MAC])
15882 		return -EINVAL;
15883 
15884 	memset(&owe_info, 0, sizeof(owe_info));
15885 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15886 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15887 
15888 	if (info->attrs[NL80211_ATTR_IE]) {
15889 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15890 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15891 	}
15892 
15893 	return rdev_update_owe_info(rdev, dev, &owe_info);
15894 }
15895 
15896 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15897 {
15898 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15899 	struct net_device *dev = info->user_ptr[1];
15900 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15901 	struct station_info sinfo = {};
15902 	const u8 *buf;
15903 	size_t len;
15904 	u8 *dest;
15905 	int err;
15906 
15907 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15908 		return -EOPNOTSUPP;
15909 
15910 	if (!info->attrs[NL80211_ATTR_MAC] ||
15911 	    !info->attrs[NL80211_ATTR_FRAME]) {
15912 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15913 		return -EINVAL;
15914 	}
15915 
15916 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15917 		return -EOPNOTSUPP;
15918 
15919 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15920 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15921 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15922 
15923 	if (len < sizeof(struct ethhdr))
15924 		return -EINVAL;
15925 
15926 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15927 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15928 		return -EINVAL;
15929 
15930 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15931 	if (err)
15932 		return err;
15933 
15934 	cfg80211_sinfo_release_content(&sinfo);
15935 
15936 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15937 }
15938 
15939 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15940 			  struct nlattr *attrs[], struct net_device *dev,
15941 			  struct cfg80211_tid_cfg *tid_conf,
15942 			  struct genl_info *info, const u8 *peer,
15943 			  unsigned int link_id)
15944 {
15945 	struct netlink_ext_ack *extack = info->extack;
15946 	u64 mask;
15947 	int err;
15948 
15949 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15950 		return -EINVAL;
15951 
15952 	tid_conf->config_override =
15953 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15954 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15955 
15956 	if (tid_conf->config_override) {
15957 		if (rdev->ops->reset_tid_config) {
15958 			err = rdev_reset_tid_config(rdev, dev, peer,
15959 						    tid_conf->tids);
15960 			if (err)
15961 				return err;
15962 		} else {
15963 			return -EINVAL;
15964 		}
15965 	}
15966 
15967 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15968 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15969 		tid_conf->noack =
15970 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15971 	}
15972 
15973 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15974 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15975 		tid_conf->retry_short =
15976 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15977 
15978 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15979 			return -EINVAL;
15980 	}
15981 
15982 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15983 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15984 		tid_conf->retry_long =
15985 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15986 
15987 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15988 			return -EINVAL;
15989 	}
15990 
15991 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15992 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15993 		tid_conf->ampdu =
15994 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15995 	}
15996 
15997 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15998 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15999 		tid_conf->rtscts =
16000 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16001 	}
16002 
16003 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16004 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16005 		tid_conf->amsdu =
16006 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16007 	}
16008 
16009 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16010 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16011 
16012 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16013 
16014 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16015 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16016 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16017 						    &tid_conf->txrate_mask, dev,
16018 						    true, link_id);
16019 			if (err)
16020 				return err;
16021 
16022 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16023 		}
16024 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16025 	}
16026 
16027 	if (peer)
16028 		mask = rdev->wiphy.tid_config_support.peer;
16029 	else
16030 		mask = rdev->wiphy.tid_config_support.vif;
16031 
16032 	if (tid_conf->mask & ~mask) {
16033 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16034 		return -EOPNOTSUPP;
16035 	}
16036 
16037 	return 0;
16038 }
16039 
16040 static int nl80211_set_tid_config(struct sk_buff *skb,
16041 				  struct genl_info *info)
16042 {
16043 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16044 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16045 	unsigned int link_id = nl80211_link_id(info->attrs);
16046 	struct net_device *dev = info->user_ptr[1];
16047 	struct cfg80211_tid_config *tid_config;
16048 	struct nlattr *tid;
16049 	int conf_idx = 0, rem_conf;
16050 	int ret = -EINVAL;
16051 	u32 num_conf = 0;
16052 
16053 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16054 		return -EINVAL;
16055 
16056 	if (!rdev->ops->set_tid_config)
16057 		return -EOPNOTSUPP;
16058 
16059 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16060 			    rem_conf)
16061 		num_conf++;
16062 
16063 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16064 			     GFP_KERNEL);
16065 	if (!tid_config)
16066 		return -ENOMEM;
16067 
16068 	tid_config->n_tid_conf = num_conf;
16069 
16070 	if (info->attrs[NL80211_ATTR_MAC])
16071 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16072 
16073 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16074 			    rem_conf) {
16075 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16076 				       tid, NULL, NULL);
16077 
16078 		if (ret)
16079 			goto bad_tid_conf;
16080 
16081 		ret = parse_tid_conf(rdev, attrs, dev,
16082 				     &tid_config->tid_conf[conf_idx],
16083 				     info, tid_config->peer, link_id);
16084 		if (ret)
16085 			goto bad_tid_conf;
16086 
16087 		conf_idx++;
16088 	}
16089 
16090 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16091 
16092 bad_tid_conf:
16093 	kfree(tid_config);
16094 	return ret;
16095 }
16096 
16097 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16098 {
16099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16100 	struct cfg80211_color_change_settings params = {};
16101 	struct net_device *dev = info->user_ptr[1];
16102 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16103 	struct nlattr **tb;
16104 	u16 offset;
16105 	int err;
16106 
16107 	if (!rdev->ops->color_change)
16108 		return -EOPNOTSUPP;
16109 
16110 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16111 				     NL80211_EXT_FEATURE_BSS_COLOR))
16112 		return -EOPNOTSUPP;
16113 
16114 	if (wdev->iftype != NL80211_IFTYPE_AP)
16115 		return -EOPNOTSUPP;
16116 
16117 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16118 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16119 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16120 		return -EINVAL;
16121 
16122 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16123 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16124 
16125 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16126 				   info->extack);
16127 	if (err)
16128 		return err;
16129 
16130 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16131 	if (!tb)
16132 		return -ENOMEM;
16133 
16134 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16135 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16136 			       nl80211_policy, info->extack);
16137 	if (err)
16138 		goto out;
16139 
16140 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16141 				   info->extack);
16142 	if (err)
16143 		goto out;
16144 
16145 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16146 		err = -EINVAL;
16147 		goto out;
16148 	}
16149 
16150 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16151 		err = -EINVAL;
16152 		goto out;
16153 	}
16154 
16155 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16156 	if (offset >= params.beacon_color_change.tail_len) {
16157 		err = -EINVAL;
16158 		goto out;
16159 	}
16160 
16161 	if (params.beacon_color_change.tail[offset] != params.count) {
16162 		err = -EINVAL;
16163 		goto out;
16164 	}
16165 
16166 	params.counter_offset_beacon = offset;
16167 
16168 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16169 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16170 		    sizeof(u16)) {
16171 			err = -EINVAL;
16172 			goto out;
16173 		}
16174 
16175 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16176 		if (offset >= params.beacon_color_change.probe_resp_len) {
16177 			err = -EINVAL;
16178 			goto out;
16179 		}
16180 
16181 		if (params.beacon_color_change.probe_resp[offset] !=
16182 		    params.count) {
16183 			err = -EINVAL;
16184 			goto out;
16185 		}
16186 
16187 		params.counter_offset_presp = offset;
16188 	}
16189 
16190 	params.link_id = nl80211_link_id(info->attrs);
16191 	err = rdev_color_change(rdev, dev, &params);
16192 
16193 out:
16194 	kfree(params.beacon_next.mbssid_ies);
16195 	kfree(params.beacon_color_change.mbssid_ies);
16196 	kfree(params.beacon_next.rnr_ies);
16197 	kfree(params.beacon_color_change.rnr_ies);
16198 	kfree(tb);
16199 	return err;
16200 }
16201 
16202 static int nl80211_set_fils_aad(struct sk_buff *skb,
16203 				struct genl_info *info)
16204 {
16205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16206 	struct net_device *dev = info->user_ptr[1];
16207 	struct cfg80211_fils_aad fils_aad = {};
16208 	u8 *nonces;
16209 
16210 	if (!info->attrs[NL80211_ATTR_MAC] ||
16211 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16212 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16213 		return -EINVAL;
16214 
16215 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16216 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16217 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16218 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16219 	fils_aad.snonce = nonces;
16220 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16221 
16222 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16223 }
16224 
16225 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16226 {
16227 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16228 	unsigned int link_id = nl80211_link_id(info->attrs);
16229 	struct net_device *dev = info->user_ptr[1];
16230 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16231 	int ret;
16232 
16233 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16234 		return -EINVAL;
16235 
16236 	switch (wdev->iftype) {
16237 	case NL80211_IFTYPE_AP:
16238 		break;
16239 	default:
16240 		return -EINVAL;
16241 	}
16242 
16243 	if (!info->attrs[NL80211_ATTR_MAC] ||
16244 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16245 		return -EINVAL;
16246 
16247 	wdev->valid_links |= BIT(link_id);
16248 	ether_addr_copy(wdev->links[link_id].addr,
16249 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16250 
16251 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16252 	if (ret) {
16253 		wdev->valid_links &= ~BIT(link_id);
16254 		eth_zero_addr(wdev->links[link_id].addr);
16255 	}
16256 
16257 	return ret;
16258 }
16259 
16260 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16261 {
16262 	unsigned int link_id = nl80211_link_id(info->attrs);
16263 	struct net_device *dev = info->user_ptr[1];
16264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16265 
16266 	/* cannot remove if there's no link */
16267 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16268 		return -EINVAL;
16269 
16270 	switch (wdev->iftype) {
16271 	case NL80211_IFTYPE_AP:
16272 		break;
16273 	default:
16274 		return -EINVAL;
16275 	}
16276 
16277 	cfg80211_remove_link(wdev, link_id);
16278 
16279 	return 0;
16280 }
16281 
16282 static int
16283 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16284 			     bool add)
16285 {
16286 	struct link_station_parameters params = {};
16287 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16288 	struct net_device *dev = info->user_ptr[1];
16289 	int err;
16290 
16291 	if ((add && !rdev->ops->add_link_station) ||
16292 	    (!add && !rdev->ops->mod_link_station))
16293 		return -EOPNOTSUPP;
16294 
16295 	if (add && !info->attrs[NL80211_ATTR_MAC])
16296 		return -EINVAL;
16297 
16298 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16299 		return -EINVAL;
16300 
16301 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16302 		return -EINVAL;
16303 
16304 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16305 
16306 	if (info->attrs[NL80211_ATTR_MAC]) {
16307 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16308 		if (!is_valid_ether_addr(params.link_mac))
16309 			return -EINVAL;
16310 	}
16311 
16312 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16313 		return -EINVAL;
16314 
16315 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16316 
16317 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16318 		params.supported_rates =
16319 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16320 		params.supported_rates_len =
16321 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16322 	}
16323 
16324 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16325 		params.ht_capa =
16326 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16327 
16328 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16329 		params.vht_capa =
16330 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16331 
16332 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16333 		params.he_capa =
16334 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16335 		params.he_capa_len =
16336 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16337 
16338 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16339 			params.eht_capa =
16340 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16341 			params.eht_capa_len =
16342 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16343 
16344 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16345 							(const u8 *)params.eht_capa,
16346 							params.eht_capa_len,
16347 							false))
16348 				return -EINVAL;
16349 		}
16350 	}
16351 
16352 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16353 		params.he_6ghz_capa =
16354 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16355 
16356 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16357 		params.opmode_notif_used = true;
16358 		params.opmode_notif =
16359 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16360 	}
16361 
16362 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16363 						&params.txpwr_set);
16364 	if (err)
16365 		return err;
16366 
16367 	if (add)
16368 		return rdev_add_link_station(rdev, dev, &params);
16369 
16370 	return rdev_mod_link_station(rdev, dev, &params);
16371 }
16372 
16373 static int
16374 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16375 {
16376 	return nl80211_add_mod_link_station(skb, info, true);
16377 }
16378 
16379 static int
16380 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16381 {
16382 	return nl80211_add_mod_link_station(skb, info, false);
16383 }
16384 
16385 static int
16386 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16387 {
16388 	struct link_station_del_parameters params = {};
16389 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16390 	struct net_device *dev = info->user_ptr[1];
16391 
16392 	if (!rdev->ops->del_link_station)
16393 		return -EOPNOTSUPP;
16394 
16395 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16396 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16397 		return -EINVAL;
16398 
16399 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16400 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16401 
16402 	return rdev_del_link_station(rdev, dev, &params);
16403 }
16404 
16405 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16406 				    struct genl_info *info)
16407 {
16408 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16409 	struct net_device *dev = info->user_ptr[1];
16410 	struct cfg80211_set_hw_timestamp hwts = {};
16411 
16412 	if (!rdev->wiphy.hw_timestamp_max_peers)
16413 		return -EOPNOTSUPP;
16414 
16415 	if (!info->attrs[NL80211_ATTR_MAC] &&
16416 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16417 		return -EOPNOTSUPP;
16418 
16419 	if (info->attrs[NL80211_ATTR_MAC])
16420 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16421 
16422 	hwts.enable =
16423 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16424 
16425 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16426 }
16427 
16428 static int
16429 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16430 {
16431 	struct cfg80211_ttlm_params params = {};
16432 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16433 	struct net_device *dev = info->user_ptr[1];
16434 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16435 
16436 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16437 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16438 		return -EOPNOTSUPP;
16439 
16440 	if (!wdev->connected)
16441 		return -ENOLINK;
16442 
16443 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16444 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16445 		return -EINVAL;
16446 
16447 	nla_memcpy(params.dlink,
16448 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16449 		   sizeof(params.dlink));
16450 	nla_memcpy(params.ulink,
16451 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16452 		   sizeof(params.ulink));
16453 
16454 	return rdev_set_ttlm(rdev, dev, &params);
16455 }
16456 
16457 #define NL80211_FLAG_NEED_WIPHY		0x01
16458 #define NL80211_FLAG_NEED_NETDEV	0x02
16459 #define NL80211_FLAG_NEED_RTNL		0x04
16460 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16461 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16462 					 NL80211_FLAG_CHECK_NETDEV_UP)
16463 #define NL80211_FLAG_NEED_WDEV		0x10
16464 /* If a netdev is associated, it must be UP, P2P must be started */
16465 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16466 					 NL80211_FLAG_CHECK_NETDEV_UP)
16467 #define NL80211_FLAG_CLEAR_SKB		0x20
16468 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16469 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16470 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16471 
16472 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16473 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16474 	SELECTOR(__sel, WIPHY,				\
16475 		 NL80211_FLAG_NEED_WIPHY)		\
16476 	SELECTOR(__sel, WDEV,				\
16477 		 NL80211_FLAG_NEED_WDEV)		\
16478 	SELECTOR(__sel, NETDEV,				\
16479 		 NL80211_FLAG_NEED_NETDEV)		\
16480 	SELECTOR(__sel, NETDEV_LINK,			\
16481 		 NL80211_FLAG_NEED_NETDEV |		\
16482 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16483 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16484 		 NL80211_FLAG_NEED_NETDEV |		\
16485 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16486 	SELECTOR(__sel, WIPHY_RTNL,			\
16487 		 NL80211_FLAG_NEED_WIPHY |		\
16488 		 NL80211_FLAG_NEED_RTNL)		\
16489 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16490 		 NL80211_FLAG_NEED_WIPHY |		\
16491 		 NL80211_FLAG_NEED_RTNL |		\
16492 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16493 	SELECTOR(__sel, WDEV_RTNL,			\
16494 		 NL80211_FLAG_NEED_WDEV |		\
16495 		 NL80211_FLAG_NEED_RTNL)		\
16496 	SELECTOR(__sel, NETDEV_RTNL,			\
16497 		 NL80211_FLAG_NEED_NETDEV |		\
16498 		 NL80211_FLAG_NEED_RTNL)		\
16499 	SELECTOR(__sel, NETDEV_UP,			\
16500 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16501 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16502 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16503 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16504 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16505 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16506 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16507 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16508 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16509 		 NL80211_FLAG_CLEAR_SKB |		\
16510 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16511 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16512 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16513 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16514 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16515 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16516 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16517 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16518 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16519 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16520 		 NL80211_FLAG_CLEAR_SKB)		\
16521 	SELECTOR(__sel, WDEV_UP,			\
16522 		 NL80211_FLAG_NEED_WDEV_UP)		\
16523 	SELECTOR(__sel, WDEV_UP_LINK,			\
16524 		 NL80211_FLAG_NEED_WDEV_UP |		\
16525 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16526 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16527 		 NL80211_FLAG_NEED_WDEV_UP |		\
16528 		 NL80211_FLAG_NEED_RTNL)		\
16529 	SELECTOR(__sel, WIPHY_CLEAR,			\
16530 		 NL80211_FLAG_NEED_WIPHY |		\
16531 		 NL80211_FLAG_CLEAR_SKB)
16532 
16533 enum nl80211_internal_flags_selector {
16534 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16535 	INTERNAL_FLAG_SELECTORS(_)
16536 #undef SELECTOR
16537 };
16538 
16539 static u32 nl80211_internal_flags[] = {
16540 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16541 	INTERNAL_FLAG_SELECTORS(_)
16542 #undef SELECTOR
16543 };
16544 
16545 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16546 			    struct sk_buff *skb,
16547 			    struct genl_info *info)
16548 {
16549 	struct cfg80211_registered_device *rdev = NULL;
16550 	struct wireless_dev *wdev = NULL;
16551 	struct net_device *dev = NULL;
16552 	u32 internal_flags;
16553 	int err;
16554 
16555 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16556 		return -EINVAL;
16557 
16558 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16559 
16560 	rtnl_lock();
16561 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16562 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16563 		if (IS_ERR(rdev)) {
16564 			err = PTR_ERR(rdev);
16565 			goto out_unlock;
16566 		}
16567 		info->user_ptr[0] = rdev;
16568 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16569 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16570 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16571 						  info->attrs);
16572 		if (IS_ERR(wdev)) {
16573 			err = PTR_ERR(wdev);
16574 			goto out_unlock;
16575 		}
16576 
16577 		dev = wdev->netdev;
16578 		dev_hold(dev);
16579 		rdev = wiphy_to_rdev(wdev->wiphy);
16580 
16581 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16582 			if (!dev) {
16583 				err = -EINVAL;
16584 				goto out_unlock;
16585 			}
16586 
16587 			info->user_ptr[1] = dev;
16588 		} else {
16589 			info->user_ptr[1] = wdev;
16590 		}
16591 
16592 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16593 		    !wdev_running(wdev)) {
16594 			err = -ENETDOWN;
16595 			goto out_unlock;
16596 		}
16597 
16598 		info->user_ptr[0] = rdev;
16599 	}
16600 
16601 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16602 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16603 
16604 		if (!wdev) {
16605 			err = -EINVAL;
16606 			goto out_unlock;
16607 		}
16608 
16609 		/* MLO -> require valid link ID */
16610 		if (wdev->valid_links &&
16611 		    (!link_id ||
16612 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16613 			err = -EINVAL;
16614 			goto out_unlock;
16615 		}
16616 
16617 		/* non-MLO -> no link ID attribute accepted */
16618 		if (!wdev->valid_links && link_id) {
16619 			err = -EINVAL;
16620 			goto out_unlock;
16621 		}
16622 	}
16623 
16624 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16625 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16626 		    (wdev && wdev->valid_links)) {
16627 			err = -EINVAL;
16628 			goto out_unlock;
16629 		}
16630 	}
16631 
16632 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16633 		wiphy_lock(&rdev->wiphy);
16634 		/* we keep the mutex locked until post_doit */
16635 		__release(&rdev->wiphy.mtx);
16636 	}
16637 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16638 		rtnl_unlock();
16639 
16640 	return 0;
16641 out_unlock:
16642 	rtnl_unlock();
16643 	dev_put(dev);
16644 	return err;
16645 }
16646 
16647 static void nl80211_post_doit(const struct genl_split_ops *ops,
16648 			      struct sk_buff *skb,
16649 			      struct genl_info *info)
16650 {
16651 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16652 
16653 	if (info->user_ptr[1]) {
16654 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16655 			struct wireless_dev *wdev = info->user_ptr[1];
16656 
16657 			dev_put(wdev->netdev);
16658 		} else {
16659 			dev_put(info->user_ptr[1]);
16660 		}
16661 	}
16662 
16663 	if (info->user_ptr[0] &&
16664 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16665 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16666 
16667 		/* we kept the mutex locked since pre_doit */
16668 		__acquire(&rdev->wiphy.mtx);
16669 		wiphy_unlock(&rdev->wiphy);
16670 	}
16671 
16672 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16673 		rtnl_unlock();
16674 
16675 	/* If needed, clear the netlink message payload from the SKB
16676 	 * as it might contain key data that shouldn't stick around on
16677 	 * the heap after the SKB is freed. The netlink message header
16678 	 * is still needed for further processing, so leave it intact.
16679 	 */
16680 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16681 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16682 
16683 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16684 	}
16685 }
16686 
16687 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16688 				     struct cfg80211_sar_specs *sar_specs,
16689 				     struct nlattr *spec[], int index)
16690 {
16691 	u32 range_index, i;
16692 
16693 	if (!sar_specs || !spec)
16694 		return -EINVAL;
16695 
16696 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16697 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16698 		return -EINVAL;
16699 
16700 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16701 
16702 	/* check if range_index exceeds num_freq_ranges */
16703 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16704 		return -EINVAL;
16705 
16706 	/* check if range_index duplicates */
16707 	for (i = 0; i < index; i++) {
16708 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16709 			return -EINVAL;
16710 	}
16711 
16712 	sar_specs->sub_specs[index].power =
16713 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16714 
16715 	sar_specs->sub_specs[index].freq_range_index = range_index;
16716 
16717 	return 0;
16718 }
16719 
16720 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16721 {
16722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16723 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16724 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16725 	struct cfg80211_sar_specs *sar_spec;
16726 	enum nl80211_sar_type type;
16727 	struct nlattr *spec_list;
16728 	u32 specs;
16729 	int rem, err;
16730 
16731 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16732 		return -EOPNOTSUPP;
16733 
16734 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16735 		return -EINVAL;
16736 
16737 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16738 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16739 			 NULL, NULL);
16740 
16741 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16742 		return -EINVAL;
16743 
16744 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16745 	if (type != rdev->wiphy.sar_capa->type)
16746 		return -EINVAL;
16747 
16748 	specs = 0;
16749 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16750 		specs++;
16751 
16752 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16753 		return -EINVAL;
16754 
16755 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16756 	if (!sar_spec)
16757 		return -ENOMEM;
16758 
16759 	sar_spec->type = type;
16760 	specs = 0;
16761 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16762 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16763 				 spec_list, NULL, NULL);
16764 
16765 		switch (type) {
16766 		case NL80211_SAR_TYPE_POWER:
16767 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16768 						      spec, specs)) {
16769 				err = -EINVAL;
16770 				goto error;
16771 			}
16772 			break;
16773 		default:
16774 			err = -EINVAL;
16775 			goto error;
16776 		}
16777 		specs++;
16778 	}
16779 
16780 	sar_spec->num_sub_specs = specs;
16781 
16782 	rdev->cur_cmd_info = info;
16783 	err = rdev_set_sar_specs(rdev, sar_spec);
16784 	rdev->cur_cmd_info = NULL;
16785 error:
16786 	kfree(sar_spec);
16787 	return err;
16788 }
16789 
16790 #define SELECTOR(__sel, name, value) \
16791 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16792 int __missing_selector(void);
16793 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16794 
16795 static const struct genl_ops nl80211_ops[] = {
16796 	{
16797 		.cmd = NL80211_CMD_GET_WIPHY,
16798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16799 		.doit = nl80211_get_wiphy,
16800 		.dumpit = nl80211_dump_wiphy,
16801 		.done = nl80211_dump_wiphy_done,
16802 		/* can be retrieved by unprivileged users */
16803 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16804 	},
16805 };
16806 
16807 static const struct genl_small_ops nl80211_small_ops[] = {
16808 	{
16809 		.cmd = NL80211_CMD_SET_WIPHY,
16810 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16811 		.doit = nl80211_set_wiphy,
16812 		.flags = GENL_UNS_ADMIN_PERM,
16813 	},
16814 	{
16815 		.cmd = NL80211_CMD_GET_INTERFACE,
16816 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16817 		.doit = nl80211_get_interface,
16818 		.dumpit = nl80211_dump_interface,
16819 		/* can be retrieved by unprivileged users */
16820 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16821 	},
16822 	{
16823 		.cmd = NL80211_CMD_SET_INTERFACE,
16824 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16825 		.doit = nl80211_set_interface,
16826 		.flags = GENL_UNS_ADMIN_PERM,
16827 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16828 					 NL80211_FLAG_NEED_RTNL),
16829 	},
16830 	{
16831 		.cmd = NL80211_CMD_NEW_INTERFACE,
16832 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16833 		.doit = nl80211_new_interface,
16834 		.flags = GENL_UNS_ADMIN_PERM,
16835 		.internal_flags =
16836 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16837 			       NL80211_FLAG_NEED_RTNL |
16838 			       /* we take the wiphy mutex later ourselves */
16839 			       NL80211_FLAG_NO_WIPHY_MTX),
16840 	},
16841 	{
16842 		.cmd = NL80211_CMD_DEL_INTERFACE,
16843 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16844 		.doit = nl80211_del_interface,
16845 		.flags = GENL_UNS_ADMIN_PERM,
16846 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16847 					 NL80211_FLAG_NEED_RTNL),
16848 	},
16849 	{
16850 		.cmd = NL80211_CMD_GET_KEY,
16851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16852 		.doit = nl80211_get_key,
16853 		.flags = GENL_UNS_ADMIN_PERM,
16854 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16855 	},
16856 	{
16857 		.cmd = NL80211_CMD_SET_KEY,
16858 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16859 		.doit = nl80211_set_key,
16860 		.flags = GENL_UNS_ADMIN_PERM,
16861 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16862 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16863 					 NL80211_FLAG_CLEAR_SKB),
16864 	},
16865 	{
16866 		.cmd = NL80211_CMD_NEW_KEY,
16867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16868 		.doit = nl80211_new_key,
16869 		.flags = GENL_UNS_ADMIN_PERM,
16870 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16871 					 NL80211_FLAG_CLEAR_SKB),
16872 	},
16873 	{
16874 		.cmd = NL80211_CMD_DEL_KEY,
16875 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16876 		.doit = nl80211_del_key,
16877 		.flags = GENL_UNS_ADMIN_PERM,
16878 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16879 	},
16880 	{
16881 		.cmd = NL80211_CMD_SET_BEACON,
16882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16883 		.flags = GENL_UNS_ADMIN_PERM,
16884 		.doit = nl80211_set_beacon,
16885 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16886 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16887 	},
16888 	{
16889 		.cmd = NL80211_CMD_START_AP,
16890 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16891 		.flags = GENL_UNS_ADMIN_PERM,
16892 		.doit = nl80211_start_ap,
16893 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16894 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16895 	},
16896 	{
16897 		.cmd = NL80211_CMD_STOP_AP,
16898 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16899 		.flags = GENL_UNS_ADMIN_PERM,
16900 		.doit = nl80211_stop_ap,
16901 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16902 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16903 	},
16904 	{
16905 		.cmd = NL80211_CMD_GET_STATION,
16906 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16907 		.doit = nl80211_get_station,
16908 		.dumpit = nl80211_dump_station,
16909 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16910 	},
16911 	{
16912 		.cmd = NL80211_CMD_SET_STATION,
16913 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16914 		.doit = nl80211_set_station,
16915 		.flags = GENL_UNS_ADMIN_PERM,
16916 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16917 	},
16918 	{
16919 		.cmd = NL80211_CMD_NEW_STATION,
16920 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16921 		.doit = nl80211_new_station,
16922 		.flags = GENL_UNS_ADMIN_PERM,
16923 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16924 	},
16925 	{
16926 		.cmd = NL80211_CMD_DEL_STATION,
16927 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16928 		.doit = nl80211_del_station,
16929 		.flags = GENL_UNS_ADMIN_PERM,
16930 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
16931 		 * whether MAC address is passed or not. If MAC address is
16932 		 * passed, then even during MLO, link ID is not required.
16933 		 */
16934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_GET_MPATH,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_get_mpath,
16940 		.dumpit = nl80211_dump_mpath,
16941 		.flags = GENL_UNS_ADMIN_PERM,
16942 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16943 	},
16944 	{
16945 		.cmd = NL80211_CMD_GET_MPP,
16946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16947 		.doit = nl80211_get_mpp,
16948 		.dumpit = nl80211_dump_mpp,
16949 		.flags = GENL_UNS_ADMIN_PERM,
16950 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16951 	},
16952 	{
16953 		.cmd = NL80211_CMD_SET_MPATH,
16954 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16955 		.doit = nl80211_set_mpath,
16956 		.flags = GENL_UNS_ADMIN_PERM,
16957 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16958 	},
16959 	{
16960 		.cmd = NL80211_CMD_NEW_MPATH,
16961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16962 		.doit = nl80211_new_mpath,
16963 		.flags = GENL_UNS_ADMIN_PERM,
16964 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16965 	},
16966 	{
16967 		.cmd = NL80211_CMD_DEL_MPATH,
16968 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16969 		.doit = nl80211_del_mpath,
16970 		.flags = GENL_UNS_ADMIN_PERM,
16971 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16972 	},
16973 	{
16974 		.cmd = NL80211_CMD_SET_BSS,
16975 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16976 		.doit = nl80211_set_bss,
16977 		.flags = GENL_UNS_ADMIN_PERM,
16978 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16979 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16980 	},
16981 	{
16982 		.cmd = NL80211_CMD_GET_REG,
16983 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16984 		.doit = nl80211_get_reg_do,
16985 		.dumpit = nl80211_get_reg_dump,
16986 		/* can be retrieved by unprivileged users */
16987 	},
16988 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16989 	{
16990 		.cmd = NL80211_CMD_SET_REG,
16991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16992 		.doit = nl80211_set_reg,
16993 		.flags = GENL_ADMIN_PERM,
16994 	},
16995 #endif
16996 	{
16997 		.cmd = NL80211_CMD_REQ_SET_REG,
16998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16999 		.doit = nl80211_req_set_reg,
17000 		.flags = GENL_ADMIN_PERM,
17001 	},
17002 	{
17003 		.cmd = NL80211_CMD_RELOAD_REGDB,
17004 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17005 		.doit = nl80211_reload_regdb,
17006 		.flags = GENL_ADMIN_PERM,
17007 	},
17008 	{
17009 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17010 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17011 		.doit = nl80211_get_mesh_config,
17012 		/* can be retrieved by unprivileged users */
17013 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17014 	},
17015 	{
17016 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17018 		.doit = nl80211_update_mesh_config,
17019 		.flags = GENL_UNS_ADMIN_PERM,
17020 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17021 	},
17022 	{
17023 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17025 		.doit = nl80211_trigger_scan,
17026 		.flags = GENL_UNS_ADMIN_PERM,
17027 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17028 	},
17029 	{
17030 		.cmd = NL80211_CMD_ABORT_SCAN,
17031 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17032 		.doit = nl80211_abort_scan,
17033 		.flags = GENL_UNS_ADMIN_PERM,
17034 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17035 	},
17036 	{
17037 		.cmd = NL80211_CMD_GET_SCAN,
17038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17039 		.dumpit = nl80211_dump_scan,
17040 	},
17041 	{
17042 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17043 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17044 		.doit = nl80211_start_sched_scan,
17045 		.flags = GENL_UNS_ADMIN_PERM,
17046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17047 	},
17048 	{
17049 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17051 		.doit = nl80211_stop_sched_scan,
17052 		.flags = GENL_UNS_ADMIN_PERM,
17053 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17054 	},
17055 	{
17056 		.cmd = NL80211_CMD_AUTHENTICATE,
17057 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17058 		.doit = nl80211_authenticate,
17059 		.flags = GENL_UNS_ADMIN_PERM,
17060 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17061 					 NL80211_FLAG_CLEAR_SKB),
17062 	},
17063 	{
17064 		.cmd = NL80211_CMD_ASSOCIATE,
17065 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17066 		.doit = nl80211_associate,
17067 		.flags = GENL_UNS_ADMIN_PERM,
17068 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17069 					 NL80211_FLAG_CLEAR_SKB),
17070 	},
17071 	{
17072 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17073 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17074 		.doit = nl80211_deauthenticate,
17075 		.flags = GENL_UNS_ADMIN_PERM,
17076 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17077 	},
17078 	{
17079 		.cmd = NL80211_CMD_DISASSOCIATE,
17080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17081 		.doit = nl80211_disassociate,
17082 		.flags = GENL_UNS_ADMIN_PERM,
17083 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17084 	},
17085 	{
17086 		.cmd = NL80211_CMD_JOIN_IBSS,
17087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17088 		.doit = nl80211_join_ibss,
17089 		.flags = GENL_UNS_ADMIN_PERM,
17090 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17091 	},
17092 	{
17093 		.cmd = NL80211_CMD_LEAVE_IBSS,
17094 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17095 		.doit = nl80211_leave_ibss,
17096 		.flags = GENL_UNS_ADMIN_PERM,
17097 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17098 	},
17099 #ifdef CONFIG_NL80211_TESTMODE
17100 	{
17101 		.cmd = NL80211_CMD_TESTMODE,
17102 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17103 		.doit = nl80211_testmode_do,
17104 		.dumpit = nl80211_testmode_dump,
17105 		.flags = GENL_UNS_ADMIN_PERM,
17106 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17107 	},
17108 #endif
17109 	{
17110 		.cmd = NL80211_CMD_CONNECT,
17111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17112 		.doit = nl80211_connect,
17113 		.flags = GENL_UNS_ADMIN_PERM,
17114 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17115 					 NL80211_FLAG_CLEAR_SKB),
17116 	},
17117 	{
17118 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17120 		.doit = nl80211_update_connect_params,
17121 		.flags = GENL_ADMIN_PERM,
17122 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17123 					 NL80211_FLAG_CLEAR_SKB),
17124 	},
17125 	{
17126 		.cmd = NL80211_CMD_DISCONNECT,
17127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17128 		.doit = nl80211_disconnect,
17129 		.flags = GENL_UNS_ADMIN_PERM,
17130 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17131 	},
17132 	{
17133 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17134 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17135 		.doit = nl80211_wiphy_netns,
17136 		.flags = GENL_UNS_ADMIN_PERM,
17137 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17138 					 NL80211_FLAG_NEED_RTNL |
17139 					 NL80211_FLAG_NO_WIPHY_MTX),
17140 	},
17141 	{
17142 		.cmd = NL80211_CMD_GET_SURVEY,
17143 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17144 		.dumpit = nl80211_dump_survey,
17145 	},
17146 	{
17147 		.cmd = NL80211_CMD_SET_PMKSA,
17148 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17149 		.doit = nl80211_set_pmksa,
17150 		.flags = GENL_UNS_ADMIN_PERM,
17151 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17152 					 NL80211_FLAG_CLEAR_SKB),
17153 	},
17154 	{
17155 		.cmd = NL80211_CMD_DEL_PMKSA,
17156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17157 		.doit = nl80211_del_pmksa,
17158 		.flags = GENL_UNS_ADMIN_PERM,
17159 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17160 	},
17161 	{
17162 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17164 		.doit = nl80211_flush_pmksa,
17165 		.flags = GENL_UNS_ADMIN_PERM,
17166 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17167 	},
17168 	{
17169 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17170 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17171 		.doit = nl80211_remain_on_channel,
17172 		.flags = GENL_UNS_ADMIN_PERM,
17173 		/* FIXME: requiring a link ID here is probably not good */
17174 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17175 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17176 	},
17177 	{
17178 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17179 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17180 		.doit = nl80211_cancel_remain_on_channel,
17181 		.flags = GENL_UNS_ADMIN_PERM,
17182 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17183 	},
17184 	{
17185 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17186 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17187 		.doit = nl80211_set_tx_bitrate_mask,
17188 		.flags = GENL_UNS_ADMIN_PERM,
17189 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17190 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17191 	},
17192 	{
17193 		.cmd = NL80211_CMD_REGISTER_FRAME,
17194 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17195 		.doit = nl80211_register_mgmt,
17196 		.flags = GENL_UNS_ADMIN_PERM,
17197 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17198 	},
17199 	{
17200 		.cmd = NL80211_CMD_FRAME,
17201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17202 		.doit = nl80211_tx_mgmt,
17203 		.flags = GENL_UNS_ADMIN_PERM,
17204 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17205 	},
17206 	{
17207 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17208 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17209 		.doit = nl80211_tx_mgmt_cancel_wait,
17210 		.flags = GENL_UNS_ADMIN_PERM,
17211 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17212 	},
17213 	{
17214 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17215 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17216 		.doit = nl80211_set_power_save,
17217 		.flags = GENL_UNS_ADMIN_PERM,
17218 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17219 	},
17220 	{
17221 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17222 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17223 		.doit = nl80211_get_power_save,
17224 		/* can be retrieved by unprivileged users */
17225 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17226 	},
17227 	{
17228 		.cmd = NL80211_CMD_SET_CQM,
17229 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17230 		.doit = nl80211_set_cqm,
17231 		.flags = GENL_UNS_ADMIN_PERM,
17232 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17233 	},
17234 	{
17235 		.cmd = NL80211_CMD_SET_CHANNEL,
17236 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17237 		.doit = nl80211_set_channel,
17238 		.flags = GENL_UNS_ADMIN_PERM,
17239 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17240 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17241 	},
17242 	{
17243 		.cmd = NL80211_CMD_JOIN_MESH,
17244 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17245 		.doit = nl80211_join_mesh,
17246 		.flags = GENL_UNS_ADMIN_PERM,
17247 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17248 	},
17249 	{
17250 		.cmd = NL80211_CMD_LEAVE_MESH,
17251 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17252 		.doit = nl80211_leave_mesh,
17253 		.flags = GENL_UNS_ADMIN_PERM,
17254 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17255 	},
17256 	{
17257 		.cmd = NL80211_CMD_JOIN_OCB,
17258 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17259 		.doit = nl80211_join_ocb,
17260 		.flags = GENL_UNS_ADMIN_PERM,
17261 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17262 	},
17263 	{
17264 		.cmd = NL80211_CMD_LEAVE_OCB,
17265 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17266 		.doit = nl80211_leave_ocb,
17267 		.flags = GENL_UNS_ADMIN_PERM,
17268 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17269 	},
17270 #ifdef CONFIG_PM
17271 	{
17272 		.cmd = NL80211_CMD_GET_WOWLAN,
17273 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17274 		.doit = nl80211_get_wowlan,
17275 		/* can be retrieved by unprivileged users */
17276 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17277 	},
17278 	{
17279 		.cmd = NL80211_CMD_SET_WOWLAN,
17280 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17281 		.doit = nl80211_set_wowlan,
17282 		.flags = GENL_UNS_ADMIN_PERM,
17283 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17284 	},
17285 #endif
17286 	{
17287 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17289 		.doit = nl80211_set_rekey_data,
17290 		.flags = GENL_UNS_ADMIN_PERM,
17291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17292 					 NL80211_FLAG_CLEAR_SKB),
17293 	},
17294 	{
17295 		.cmd = NL80211_CMD_TDLS_MGMT,
17296 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17297 		.doit = nl80211_tdls_mgmt,
17298 		.flags = GENL_UNS_ADMIN_PERM,
17299 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17300 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17301 	},
17302 	{
17303 		.cmd = NL80211_CMD_TDLS_OPER,
17304 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17305 		.doit = nl80211_tdls_oper,
17306 		.flags = GENL_UNS_ADMIN_PERM,
17307 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17308 	},
17309 	{
17310 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17311 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17312 		.doit = nl80211_register_unexpected_frame,
17313 		.flags = GENL_UNS_ADMIN_PERM,
17314 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17315 	},
17316 	{
17317 		.cmd = NL80211_CMD_PROBE_CLIENT,
17318 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17319 		.doit = nl80211_probe_client,
17320 		.flags = GENL_UNS_ADMIN_PERM,
17321 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17322 	},
17323 	{
17324 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17325 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17326 		.doit = nl80211_register_beacons,
17327 		.flags = GENL_UNS_ADMIN_PERM,
17328 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17329 	},
17330 	{
17331 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17332 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17333 		.doit = nl80211_set_noack_map,
17334 		.flags = GENL_UNS_ADMIN_PERM,
17335 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17336 	},
17337 	{
17338 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17339 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17340 		.doit = nl80211_start_p2p_device,
17341 		.flags = GENL_UNS_ADMIN_PERM,
17342 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17343 					 NL80211_FLAG_NEED_RTNL),
17344 	},
17345 	{
17346 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17347 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17348 		.doit = nl80211_stop_p2p_device,
17349 		.flags = GENL_UNS_ADMIN_PERM,
17350 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17351 					 NL80211_FLAG_NEED_RTNL),
17352 	},
17353 	{
17354 		.cmd = NL80211_CMD_START_NAN,
17355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17356 		.doit = nl80211_start_nan,
17357 		.flags = GENL_ADMIN_PERM,
17358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17359 					 NL80211_FLAG_NEED_RTNL),
17360 	},
17361 	{
17362 		.cmd = NL80211_CMD_STOP_NAN,
17363 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17364 		.doit = nl80211_stop_nan,
17365 		.flags = GENL_ADMIN_PERM,
17366 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17367 					 NL80211_FLAG_NEED_RTNL),
17368 	},
17369 	{
17370 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17371 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17372 		.doit = nl80211_nan_add_func,
17373 		.flags = GENL_ADMIN_PERM,
17374 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17375 	},
17376 	{
17377 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17379 		.doit = nl80211_nan_del_func,
17380 		.flags = GENL_ADMIN_PERM,
17381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17382 	},
17383 	{
17384 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17386 		.doit = nl80211_nan_change_config,
17387 		.flags = GENL_ADMIN_PERM,
17388 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17389 	},
17390 	{
17391 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393 		.doit = nl80211_set_mcast_rate,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_SET_MAC_ACL,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_set_mac_acl,
17401 		.flags = GENL_UNS_ADMIN_PERM,
17402 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17403 					 NL80211_FLAG_MLO_UNSUPPORTED),
17404 	},
17405 	{
17406 		.cmd = NL80211_CMD_RADAR_DETECT,
17407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17408 		.doit = nl80211_start_radar_detection,
17409 		.flags = GENL_UNS_ADMIN_PERM,
17410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17411 					 NL80211_FLAG_NO_WIPHY_MTX |
17412 					 NL80211_FLAG_MLO_UNSUPPORTED),
17413 	},
17414 	{
17415 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17416 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17417 		.doit = nl80211_get_protocol_features,
17418 	},
17419 	{
17420 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17421 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17422 		.doit = nl80211_update_ft_ies,
17423 		.flags = GENL_UNS_ADMIN_PERM,
17424 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17425 	},
17426 	{
17427 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17428 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17429 		.doit = nl80211_crit_protocol_start,
17430 		.flags = GENL_UNS_ADMIN_PERM,
17431 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17432 	},
17433 	{
17434 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17435 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17436 		.doit = nl80211_crit_protocol_stop,
17437 		.flags = GENL_UNS_ADMIN_PERM,
17438 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17439 	},
17440 	{
17441 		.cmd = NL80211_CMD_GET_COALESCE,
17442 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17443 		.doit = nl80211_get_coalesce,
17444 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17445 	},
17446 	{
17447 		.cmd = NL80211_CMD_SET_COALESCE,
17448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17449 		.doit = nl80211_set_coalesce,
17450 		.flags = GENL_UNS_ADMIN_PERM,
17451 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17452 	},
17453 	{
17454 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17455 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17456 		.doit = nl80211_channel_switch,
17457 		.flags = GENL_UNS_ADMIN_PERM,
17458 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17459 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17460 	},
17461 	{
17462 		.cmd = NL80211_CMD_VENDOR,
17463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17464 		.doit = nl80211_vendor_cmd,
17465 		.dumpit = nl80211_vendor_cmd_dump,
17466 		.flags = GENL_UNS_ADMIN_PERM,
17467 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17468 					 NL80211_FLAG_CLEAR_SKB),
17469 	},
17470 	{
17471 		.cmd = NL80211_CMD_SET_QOS_MAP,
17472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17473 		.doit = nl80211_set_qos_map,
17474 		.flags = GENL_UNS_ADMIN_PERM,
17475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17476 	},
17477 	{
17478 		.cmd = NL80211_CMD_ADD_TX_TS,
17479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17480 		.doit = nl80211_add_tx_ts,
17481 		.flags = GENL_UNS_ADMIN_PERM,
17482 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17483 					 NL80211_FLAG_MLO_UNSUPPORTED),
17484 	},
17485 	{
17486 		.cmd = NL80211_CMD_DEL_TX_TS,
17487 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17488 		.doit = nl80211_del_tx_ts,
17489 		.flags = GENL_UNS_ADMIN_PERM,
17490 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17491 	},
17492 	{
17493 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17495 		.doit = nl80211_tdls_channel_switch,
17496 		.flags = GENL_UNS_ADMIN_PERM,
17497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17498 	},
17499 	{
17500 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17502 		.doit = nl80211_tdls_cancel_channel_switch,
17503 		.flags = GENL_UNS_ADMIN_PERM,
17504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17505 	},
17506 	{
17507 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17508 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17509 		.doit = nl80211_set_multicast_to_unicast,
17510 		.flags = GENL_UNS_ADMIN_PERM,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17512 	},
17513 	{
17514 		.cmd = NL80211_CMD_SET_PMK,
17515 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17516 		.doit = nl80211_set_pmk,
17517 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17518 					 NL80211_FLAG_CLEAR_SKB),
17519 	},
17520 	{
17521 		.cmd = NL80211_CMD_DEL_PMK,
17522 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17523 		.doit = nl80211_del_pmk,
17524 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17525 	},
17526 	{
17527 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17528 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17529 		.doit = nl80211_external_auth,
17530 		.flags = GENL_ADMIN_PERM,
17531 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17532 	},
17533 	{
17534 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17536 		.doit = nl80211_tx_control_port,
17537 		.flags = GENL_UNS_ADMIN_PERM,
17538 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17539 	},
17540 	{
17541 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17543 		.doit = nl80211_get_ftm_responder_stats,
17544 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17545 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17546 	},
17547 	{
17548 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17550 		.doit = nl80211_pmsr_start,
17551 		.flags = GENL_UNS_ADMIN_PERM,
17552 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17553 	},
17554 	{
17555 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17557 		.doit = nl80211_notify_radar_detection,
17558 		.flags = GENL_UNS_ADMIN_PERM,
17559 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17560 	},
17561 	{
17562 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17563 		.doit = nl80211_update_owe_info,
17564 		.flags = GENL_ADMIN_PERM,
17565 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17566 	},
17567 	{
17568 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17569 		.doit = nl80211_probe_mesh_link,
17570 		.flags = GENL_UNS_ADMIN_PERM,
17571 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17572 	},
17573 	{
17574 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17575 		.doit = nl80211_set_tid_config,
17576 		.flags = GENL_UNS_ADMIN_PERM,
17577 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17578 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17579 	},
17580 	{
17581 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17583 		.doit = nl80211_set_sar_specs,
17584 		.flags = GENL_UNS_ADMIN_PERM,
17585 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17586 					 NL80211_FLAG_NEED_RTNL),
17587 	},
17588 	{
17589 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17591 		.doit = nl80211_color_change,
17592 		.flags = GENL_UNS_ADMIN_PERM,
17593 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17594 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17595 	},
17596 	{
17597 		.cmd = NL80211_CMD_SET_FILS_AAD,
17598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17599 		.doit = nl80211_set_fils_aad,
17600 		.flags = GENL_UNS_ADMIN_PERM,
17601 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17602 	},
17603 	{
17604 		.cmd = NL80211_CMD_ADD_LINK,
17605 		.doit = nl80211_add_link,
17606 		.flags = GENL_UNS_ADMIN_PERM,
17607 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17608 	},
17609 	{
17610 		.cmd = NL80211_CMD_REMOVE_LINK,
17611 		.doit = nl80211_remove_link,
17612 		.flags = GENL_UNS_ADMIN_PERM,
17613 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17614 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17615 	},
17616 	{
17617 		.cmd = NL80211_CMD_ADD_LINK_STA,
17618 		.doit = nl80211_add_link_station,
17619 		.flags = GENL_UNS_ADMIN_PERM,
17620 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17621 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17622 	},
17623 	{
17624 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17625 		.doit = nl80211_modify_link_station,
17626 		.flags = GENL_UNS_ADMIN_PERM,
17627 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17628 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17629 	},
17630 	{
17631 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17632 		.doit = nl80211_remove_link_station,
17633 		.flags = GENL_UNS_ADMIN_PERM,
17634 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17635 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17636 	},
17637 	{
17638 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17639 		.doit = nl80211_set_hw_timestamp,
17640 		.flags = GENL_UNS_ADMIN_PERM,
17641 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17642 	},
17643 	{
17644 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17645 		.doit = nl80211_set_ttlm,
17646 		.flags = GENL_UNS_ADMIN_PERM,
17647 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17648 	},
17649 };
17650 
17651 static struct genl_family nl80211_fam __ro_after_init = {
17652 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17653 	.hdrsize = 0,			/* no private header */
17654 	.version = 1,			/* no particular meaning now */
17655 	.maxattr = NL80211_ATTR_MAX,
17656 	.policy = nl80211_policy,
17657 	.netnsok = true,
17658 	.pre_doit = nl80211_pre_doit,
17659 	.post_doit = nl80211_post_doit,
17660 	.module = THIS_MODULE,
17661 	.ops = nl80211_ops,
17662 	.n_ops = ARRAY_SIZE(nl80211_ops),
17663 	.small_ops = nl80211_small_ops,
17664 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17665 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17666 	.mcgrps = nl80211_mcgrps,
17667 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17668 	.parallel_ops = true,
17669 };
17670 
17671 /* notification functions */
17672 
17673 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17674 			  enum nl80211_commands cmd)
17675 {
17676 	struct sk_buff *msg;
17677 	struct nl80211_dump_wiphy_state state = {};
17678 
17679 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17680 		cmd != NL80211_CMD_DEL_WIPHY);
17681 
17682 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17683 	if (!msg)
17684 		return;
17685 
17686 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17687 		nlmsg_free(msg);
17688 		return;
17689 	}
17690 
17691 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17692 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17693 }
17694 
17695 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17696 				struct wireless_dev *wdev,
17697 				enum nl80211_commands cmd)
17698 {
17699 	struct sk_buff *msg;
17700 
17701 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17702 	if (!msg)
17703 		return;
17704 
17705 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17706 		nlmsg_free(msg);
17707 		return;
17708 	}
17709 
17710 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17711 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17712 }
17713 
17714 static int nl80211_add_scan_req(struct sk_buff *msg,
17715 				struct cfg80211_registered_device *rdev)
17716 {
17717 	struct cfg80211_scan_request *req = rdev->scan_req;
17718 	struct nlattr *nest;
17719 	int i;
17720 	struct cfg80211_scan_info *info;
17721 
17722 	if (WARN_ON(!req))
17723 		return 0;
17724 
17725 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17726 	if (!nest)
17727 		goto nla_put_failure;
17728 	for (i = 0; i < req->n_ssids; i++) {
17729 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17730 			goto nla_put_failure;
17731 	}
17732 	nla_nest_end(msg, nest);
17733 
17734 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17735 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17736 		if (!nest)
17737 			goto nla_put_failure;
17738 		for (i = 0; i < req->n_channels; i++) {
17739 			if (nla_put_u32(msg, i,
17740 				   ieee80211_channel_to_khz(req->channels[i])))
17741 				goto nla_put_failure;
17742 		}
17743 		nla_nest_end(msg, nest);
17744 	} else {
17745 		nest = nla_nest_start_noflag(msg,
17746 					     NL80211_ATTR_SCAN_FREQUENCIES);
17747 		if (!nest)
17748 			goto nla_put_failure;
17749 		for (i = 0; i < req->n_channels; i++) {
17750 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17751 				goto nla_put_failure;
17752 		}
17753 		nla_nest_end(msg, nest);
17754 	}
17755 
17756 	if (req->ie &&
17757 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17758 		goto nla_put_failure;
17759 
17760 	if (req->flags &&
17761 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17762 		goto nla_put_failure;
17763 
17764 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17765 		&rdev->scan_req->info;
17766 	if (info->scan_start_tsf &&
17767 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17768 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17769 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17770 		     info->tsf_bssid)))
17771 		goto nla_put_failure;
17772 
17773 	return 0;
17774  nla_put_failure:
17775 	return -ENOBUFS;
17776 }
17777 
17778 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17779 				 struct cfg80211_registered_device *rdev,
17780 				 struct wireless_dev *wdev,
17781 				 u32 portid, u32 seq, int flags,
17782 				 u32 cmd)
17783 {
17784 	void *hdr;
17785 
17786 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17787 	if (!hdr)
17788 		return -1;
17789 
17790 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17791 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17792 					 wdev->netdev->ifindex)) ||
17793 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17794 			      NL80211_ATTR_PAD))
17795 		goto nla_put_failure;
17796 
17797 	/* ignore errors and send incomplete event anyway */
17798 	nl80211_add_scan_req(msg, rdev);
17799 
17800 	genlmsg_end(msg, hdr);
17801 	return 0;
17802 
17803  nla_put_failure:
17804 	genlmsg_cancel(msg, hdr);
17805 	return -EMSGSIZE;
17806 }
17807 
17808 static int
17809 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17810 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17811 {
17812 	void *hdr;
17813 
17814 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17815 	if (!hdr)
17816 		return -1;
17817 
17818 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17819 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17820 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17821 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17822 			      NL80211_ATTR_PAD))
17823 		goto nla_put_failure;
17824 
17825 	genlmsg_end(msg, hdr);
17826 	return 0;
17827 
17828  nla_put_failure:
17829 	genlmsg_cancel(msg, hdr);
17830 	return -EMSGSIZE;
17831 }
17832 
17833 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17834 			     struct wireless_dev *wdev)
17835 {
17836 	struct sk_buff *msg;
17837 
17838 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17839 	if (!msg)
17840 		return;
17841 
17842 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17843 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17844 		nlmsg_free(msg);
17845 		return;
17846 	}
17847 
17848 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17849 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17850 }
17851 
17852 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17853 				       struct wireless_dev *wdev, bool aborted)
17854 {
17855 	struct sk_buff *msg;
17856 
17857 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17858 	if (!msg)
17859 		return NULL;
17860 
17861 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17862 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17863 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17864 		nlmsg_free(msg);
17865 		return NULL;
17866 	}
17867 
17868 	return msg;
17869 }
17870 
17871 /* send message created by nl80211_build_scan_msg() */
17872 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17873 			   struct sk_buff *msg)
17874 {
17875 	if (!msg)
17876 		return;
17877 
17878 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17879 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17880 }
17881 
17882 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17883 {
17884 	struct sk_buff *msg;
17885 
17886 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17887 	if (!msg)
17888 		return;
17889 
17890 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17891 		nlmsg_free(msg);
17892 		return;
17893 	}
17894 
17895 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17896 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17897 }
17898 
17899 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17900 					  struct regulatory_request *request)
17901 {
17902 	/* Userspace can always count this one always being set */
17903 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17904 		goto nla_put_failure;
17905 
17906 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17907 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17908 			       NL80211_REGDOM_TYPE_WORLD))
17909 			goto nla_put_failure;
17910 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17911 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17912 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17913 			goto nla_put_failure;
17914 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17915 		   request->intersect) {
17916 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17917 			       NL80211_REGDOM_TYPE_INTERSECTION))
17918 			goto nla_put_failure;
17919 	} else {
17920 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17921 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17922 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17923 				   request->alpha2))
17924 			goto nla_put_failure;
17925 	}
17926 
17927 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17928 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17929 
17930 		if (wiphy &&
17931 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17932 			goto nla_put_failure;
17933 
17934 		if (wiphy &&
17935 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17936 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17937 			goto nla_put_failure;
17938 	}
17939 
17940 	return true;
17941 
17942 nla_put_failure:
17943 	return false;
17944 }
17945 
17946 /*
17947  * This can happen on global regulatory changes or device specific settings
17948  * based on custom regulatory domains.
17949  */
17950 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17951 				     struct regulatory_request *request)
17952 {
17953 	struct sk_buff *msg;
17954 	void *hdr;
17955 
17956 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17957 	if (!msg)
17958 		return;
17959 
17960 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17961 	if (!hdr)
17962 		goto nla_put_failure;
17963 
17964 	if (!nl80211_reg_change_event_fill(msg, request))
17965 		goto nla_put_failure;
17966 
17967 	genlmsg_end(msg, hdr);
17968 
17969 	rcu_read_lock();
17970 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17971 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17972 	rcu_read_unlock();
17973 
17974 	return;
17975 
17976 nla_put_failure:
17977 	nlmsg_free(msg);
17978 }
17979 
17980 struct nl80211_mlme_event {
17981 	enum nl80211_commands cmd;
17982 	const u8 *buf;
17983 	size_t buf_len;
17984 	int uapsd_queues;
17985 	const u8 *req_ies;
17986 	size_t req_ies_len;
17987 	bool reconnect;
17988 };
17989 
17990 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17991 				    struct net_device *netdev,
17992 				    const struct nl80211_mlme_event *event,
17993 				    gfp_t gfp)
17994 {
17995 	struct sk_buff *msg;
17996 	void *hdr;
17997 
17998 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
17999 	if (!msg)
18000 		return;
18001 
18002 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18003 	if (!hdr) {
18004 		nlmsg_free(msg);
18005 		return;
18006 	}
18007 
18008 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18009 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18010 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18011 	    (event->req_ies &&
18012 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18013 		     event->req_ies)))
18014 		goto nla_put_failure;
18015 
18016 	if (event->reconnect &&
18017 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18018 		goto nla_put_failure;
18019 
18020 	if (event->uapsd_queues >= 0) {
18021 		struct nlattr *nla_wmm =
18022 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18023 		if (!nla_wmm)
18024 			goto nla_put_failure;
18025 
18026 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18027 			       event->uapsd_queues))
18028 			goto nla_put_failure;
18029 
18030 		nla_nest_end(msg, nla_wmm);
18031 	}
18032 
18033 	genlmsg_end(msg, hdr);
18034 
18035 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18036 				NL80211_MCGRP_MLME, gfp);
18037 	return;
18038 
18039  nla_put_failure:
18040 	nlmsg_free(msg);
18041 }
18042 
18043 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18044 			  struct net_device *netdev, const u8 *buf,
18045 			  size_t len, gfp_t gfp)
18046 {
18047 	struct nl80211_mlme_event event = {
18048 		.cmd = NL80211_CMD_AUTHENTICATE,
18049 		.buf = buf,
18050 		.buf_len = len,
18051 		.uapsd_queues = -1,
18052 	};
18053 
18054 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18055 }
18056 
18057 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18058 			   struct net_device *netdev,
18059 			   const struct cfg80211_rx_assoc_resp_data *data)
18060 {
18061 	struct nl80211_mlme_event event = {
18062 		.cmd = NL80211_CMD_ASSOCIATE,
18063 		.buf = data->buf,
18064 		.buf_len = data->len,
18065 		.uapsd_queues = data->uapsd_queues,
18066 		.req_ies = data->req_ies,
18067 		.req_ies_len = data->req_ies_len,
18068 	};
18069 
18070 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18071 }
18072 
18073 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18074 			 struct net_device *netdev, const u8 *buf,
18075 			 size_t len, bool reconnect, gfp_t gfp)
18076 {
18077 	struct nl80211_mlme_event event = {
18078 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18079 		.buf = buf,
18080 		.buf_len = len,
18081 		.reconnect = reconnect,
18082 		.uapsd_queues = -1,
18083 	};
18084 
18085 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18086 }
18087 
18088 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18089 			   struct net_device *netdev, const u8 *buf,
18090 			   size_t len, bool reconnect, gfp_t gfp)
18091 {
18092 	struct nl80211_mlme_event event = {
18093 		.cmd = NL80211_CMD_DISASSOCIATE,
18094 		.buf = buf,
18095 		.buf_len = len,
18096 		.reconnect = reconnect,
18097 		.uapsd_queues = -1,
18098 	};
18099 
18100 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18101 }
18102 
18103 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18104 				  size_t len)
18105 {
18106 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18107 	struct wiphy *wiphy = wdev->wiphy;
18108 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18109 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18110 	struct nl80211_mlme_event event = {
18111 		.buf = buf,
18112 		.buf_len = len,
18113 		.uapsd_queues = -1,
18114 	};
18115 
18116 	if (WARN_ON(len < 2))
18117 		return;
18118 
18119 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18120 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18121 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18122 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18123 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18124 		if (wdev->unprot_beacon_reported &&
18125 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18126 			return;
18127 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18128 		wdev->unprot_beacon_reported = jiffies;
18129 	} else {
18130 		return;
18131 	}
18132 
18133 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18134 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18135 }
18136 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18137 
18138 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18139 				      struct net_device *netdev, int cmd,
18140 				      const u8 *addr, gfp_t gfp)
18141 {
18142 	struct sk_buff *msg;
18143 	void *hdr;
18144 
18145 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18146 	if (!msg)
18147 		return;
18148 
18149 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18150 	if (!hdr) {
18151 		nlmsg_free(msg);
18152 		return;
18153 	}
18154 
18155 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18156 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18157 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18158 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18159 		goto nla_put_failure;
18160 
18161 	genlmsg_end(msg, hdr);
18162 
18163 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18164 				NL80211_MCGRP_MLME, gfp);
18165 	return;
18166 
18167  nla_put_failure:
18168 	nlmsg_free(msg);
18169 }
18170 
18171 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18172 			       struct net_device *netdev, const u8 *addr,
18173 			       gfp_t gfp)
18174 {
18175 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18176 				  addr, gfp);
18177 }
18178 
18179 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18180 				struct net_device *netdev, const u8 *addr,
18181 				gfp_t gfp)
18182 {
18183 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18184 				  addr, gfp);
18185 }
18186 
18187 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18188 				 struct net_device *netdev,
18189 				 struct cfg80211_connect_resp_params *cr,
18190 				 gfp_t gfp)
18191 {
18192 	struct sk_buff *msg;
18193 	void *hdr;
18194 	unsigned int link;
18195 	size_t link_info_size = 0;
18196 	const u8 *connected_addr = cr->valid_links ?
18197 				   cr->ap_mld_addr : cr->links[0].bssid;
18198 
18199 	if (cr->valid_links) {
18200 		for_each_valid_link(cr, link) {
18201 			/* Nested attribute header */
18202 			link_info_size += NLA_HDRLEN;
18203 			/* Link ID */
18204 			link_info_size += nla_total_size(sizeof(u8));
18205 			link_info_size += cr->links[link].addr ?
18206 					  nla_total_size(ETH_ALEN) : 0;
18207 			link_info_size += (cr->links[link].bssid ||
18208 					   cr->links[link].bss) ?
18209 					  nla_total_size(ETH_ALEN) : 0;
18210 			link_info_size += nla_total_size(sizeof(u16));
18211 		}
18212 	}
18213 
18214 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18215 			cr->fils.kek_len + cr->fils.pmk_len +
18216 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18217 			gfp);
18218 	if (!msg)
18219 		return;
18220 
18221 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18222 	if (!hdr) {
18223 		nlmsg_free(msg);
18224 		return;
18225 	}
18226 
18227 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18228 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18229 	    (connected_addr &&
18230 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18231 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18232 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18233 			cr->status) ||
18234 	    (cr->status < 0 &&
18235 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18236 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18237 			  cr->timeout_reason))) ||
18238 	    (cr->req_ie &&
18239 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18240 	    (cr->resp_ie &&
18241 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18242 		     cr->resp_ie)) ||
18243 	    (cr->fils.update_erp_next_seq_num &&
18244 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18245 			 cr->fils.erp_next_seq_num)) ||
18246 	    (cr->status == WLAN_STATUS_SUCCESS &&
18247 	     ((cr->fils.kek &&
18248 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18249 		       cr->fils.kek)) ||
18250 	      (cr->fils.pmk &&
18251 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18252 	      (cr->fils.pmkid &&
18253 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18254 		goto nla_put_failure;
18255 
18256 	if (cr->valid_links) {
18257 		int i = 1;
18258 		struct nlattr *nested;
18259 
18260 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18261 		if (!nested)
18262 			goto nla_put_failure;
18263 
18264 		for_each_valid_link(cr, link) {
18265 			struct nlattr *nested_mlo_links;
18266 			const u8 *bssid = cr->links[link].bss ?
18267 					  cr->links[link].bss->bssid :
18268 					  cr->links[link].bssid;
18269 
18270 			nested_mlo_links = nla_nest_start(msg, i);
18271 			if (!nested_mlo_links)
18272 				goto nla_put_failure;
18273 
18274 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18275 			    (bssid &&
18276 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18277 			    (cr->links[link].addr &&
18278 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18279 				     cr->links[link].addr)) ||
18280 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18281 					cr->links[link].status))
18282 				goto nla_put_failure;
18283 
18284 			nla_nest_end(msg, nested_mlo_links);
18285 			i++;
18286 		}
18287 		nla_nest_end(msg, nested);
18288 	}
18289 
18290 	genlmsg_end(msg, hdr);
18291 
18292 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18293 				NL80211_MCGRP_MLME, gfp);
18294 	return;
18295 
18296  nla_put_failure:
18297 	nlmsg_free(msg);
18298 }
18299 
18300 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18301 			 struct net_device *netdev,
18302 			 struct cfg80211_roam_info *info, gfp_t gfp)
18303 {
18304 	struct sk_buff *msg;
18305 	void *hdr;
18306 	size_t link_info_size = 0;
18307 	unsigned int link;
18308 	const u8 *connected_addr = info->ap_mld_addr ?
18309 				   info->ap_mld_addr :
18310 				   (info->links[0].bss ?
18311 				    info->links[0].bss->bssid :
18312 				    info->links[0].bssid);
18313 
18314 	if (info->valid_links) {
18315 		for_each_valid_link(info, link) {
18316 			/* Nested attribute header */
18317 			link_info_size += NLA_HDRLEN;
18318 			/* Link ID */
18319 			link_info_size += nla_total_size(sizeof(u8));
18320 			link_info_size += info->links[link].addr ?
18321 					  nla_total_size(ETH_ALEN) : 0;
18322 			link_info_size += (info->links[link].bssid ||
18323 					   info->links[link].bss) ?
18324 					  nla_total_size(ETH_ALEN) : 0;
18325 		}
18326 	}
18327 
18328 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18329 			info->fils.kek_len + info->fils.pmk_len +
18330 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18331 			link_info_size, gfp);
18332 	if (!msg)
18333 		return;
18334 
18335 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18336 	if (!hdr) {
18337 		nlmsg_free(msg);
18338 		return;
18339 	}
18340 
18341 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18342 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18343 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18344 	    (info->req_ie &&
18345 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18346 		     info->req_ie)) ||
18347 	    (info->resp_ie &&
18348 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18349 		     info->resp_ie)) ||
18350 	    (info->fils.update_erp_next_seq_num &&
18351 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18352 			 info->fils.erp_next_seq_num)) ||
18353 	    (info->fils.kek &&
18354 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18355 		     info->fils.kek)) ||
18356 	    (info->fils.pmk &&
18357 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18358 	    (info->fils.pmkid &&
18359 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18360 		goto nla_put_failure;
18361 
18362 	if (info->valid_links) {
18363 		int i = 1;
18364 		struct nlattr *nested;
18365 
18366 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18367 		if (!nested)
18368 			goto nla_put_failure;
18369 
18370 		for_each_valid_link(info, link) {
18371 			struct nlattr *nested_mlo_links;
18372 			const u8 *bssid = info->links[link].bss ?
18373 					  info->links[link].bss->bssid :
18374 					  info->links[link].bssid;
18375 
18376 			nested_mlo_links = nla_nest_start(msg, i);
18377 			if (!nested_mlo_links)
18378 				goto nla_put_failure;
18379 
18380 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18381 			    (bssid &&
18382 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18383 			    (info->links[link].addr &&
18384 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18385 				     info->links[link].addr)))
18386 				goto nla_put_failure;
18387 
18388 			nla_nest_end(msg, nested_mlo_links);
18389 			i++;
18390 		}
18391 		nla_nest_end(msg, nested);
18392 	}
18393 
18394 	genlmsg_end(msg, hdr);
18395 
18396 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18397 				NL80211_MCGRP_MLME, gfp);
18398 	return;
18399 
18400  nla_put_failure:
18401 	nlmsg_free(msg);
18402 }
18403 
18404 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18405 				  struct net_device *netdev, const u8 *peer_addr,
18406 				  const u8 *td_bitmap, u8 td_bitmap_len)
18407 {
18408 	struct sk_buff *msg;
18409 	void *hdr;
18410 
18411 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18412 	if (!msg)
18413 		return;
18414 
18415 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18416 	if (!hdr) {
18417 		nlmsg_free(msg);
18418 		return;
18419 	}
18420 
18421 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18422 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18423 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18424 		goto nla_put_failure;
18425 
18426 	if ((td_bitmap_len > 0) && td_bitmap)
18427 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18428 			    td_bitmap_len, td_bitmap))
18429 			goto nla_put_failure;
18430 
18431 	genlmsg_end(msg, hdr);
18432 
18433 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18434 				NL80211_MCGRP_MLME, GFP_KERNEL);
18435 	return;
18436 
18437  nla_put_failure:
18438 	nlmsg_free(msg);
18439 }
18440 
18441 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18442 			       struct net_device *netdev, u16 reason,
18443 			       const u8 *ie, size_t ie_len, bool from_ap)
18444 {
18445 	struct sk_buff *msg;
18446 	void *hdr;
18447 
18448 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18449 	if (!msg)
18450 		return;
18451 
18452 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18453 	if (!hdr) {
18454 		nlmsg_free(msg);
18455 		return;
18456 	}
18457 
18458 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18459 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18460 	    (reason &&
18461 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18462 	    (from_ap &&
18463 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18464 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18465 		goto nla_put_failure;
18466 
18467 	genlmsg_end(msg, hdr);
18468 
18469 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18470 				NL80211_MCGRP_MLME, GFP_KERNEL);
18471 	return;
18472 
18473  nla_put_failure:
18474 	nlmsg_free(msg);
18475 }
18476 
18477 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18478 {
18479 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18480 	struct wiphy *wiphy = wdev->wiphy;
18481 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18482 	struct sk_buff *msg;
18483 	struct nlattr *links;
18484 	void *hdr;
18485 
18486 	lockdep_assert_wiphy(wdev->wiphy);
18487 	trace_cfg80211_links_removed(dev, link_mask);
18488 
18489 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18490 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18491 		return;
18492 
18493 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18494 		    (wdev->valid_links & link_mask) != link_mask ||
18495 		    wdev->valid_links == link_mask))
18496 		return;
18497 
18498 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18499 	wdev->valid_links &= ~link_mask;
18500 
18501 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18502 	if (!msg)
18503 		return;
18504 
18505 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18506 	if (!hdr) {
18507 		nlmsg_free(msg);
18508 		return;
18509 	}
18510 
18511 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18512 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18513 		goto nla_put_failure;
18514 
18515 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18516 	if (!links)
18517 		goto nla_put_failure;
18518 
18519 	while (link_mask) {
18520 		struct nlattr *link;
18521 		int link_id = __ffs(link_mask);
18522 
18523 		link = nla_nest_start(msg, link_id + 1);
18524 		if (!link)
18525 			goto nla_put_failure;
18526 
18527 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18528 			goto nla_put_failure;
18529 
18530 		nla_nest_end(msg, link);
18531 		link_mask &= ~(1 << link_id);
18532 	}
18533 
18534 	nla_nest_end(msg, links);
18535 
18536 	genlmsg_end(msg, hdr);
18537 
18538 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18539 				NL80211_MCGRP_MLME, GFP_KERNEL);
18540 	return;
18541 
18542  nla_put_failure:
18543 	nlmsg_free(msg);
18544 }
18545 EXPORT_SYMBOL(cfg80211_links_removed);
18546 
18547 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18548 			     struct net_device *netdev, const u8 *bssid,
18549 			     gfp_t gfp)
18550 {
18551 	struct sk_buff *msg;
18552 	void *hdr;
18553 
18554 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18555 	if (!msg)
18556 		return;
18557 
18558 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18559 	if (!hdr) {
18560 		nlmsg_free(msg);
18561 		return;
18562 	}
18563 
18564 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18565 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18566 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18567 		goto nla_put_failure;
18568 
18569 	genlmsg_end(msg, hdr);
18570 
18571 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18572 				NL80211_MCGRP_MLME, gfp);
18573 	return;
18574 
18575  nla_put_failure:
18576 	nlmsg_free(msg);
18577 }
18578 
18579 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18580 					const u8 *ie, u8 ie_len,
18581 					int sig_dbm, gfp_t gfp)
18582 {
18583 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18584 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18585 	struct sk_buff *msg;
18586 	void *hdr;
18587 
18588 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18589 		return;
18590 
18591 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18592 
18593 	msg = nlmsg_new(100 + ie_len, gfp);
18594 	if (!msg)
18595 		return;
18596 
18597 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18598 	if (!hdr) {
18599 		nlmsg_free(msg);
18600 		return;
18601 	}
18602 
18603 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18604 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18605 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18606 	    (ie_len && ie &&
18607 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18608 	    (sig_dbm &&
18609 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18610 		goto nla_put_failure;
18611 
18612 	genlmsg_end(msg, hdr);
18613 
18614 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18615 				NL80211_MCGRP_MLME, gfp);
18616 	return;
18617 
18618  nla_put_failure:
18619 	nlmsg_free(msg);
18620 }
18621 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18622 
18623 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18624 				 struct net_device *netdev, const u8 *addr,
18625 				 enum nl80211_key_type key_type, int key_id,
18626 				 const u8 *tsc, gfp_t gfp)
18627 {
18628 	struct sk_buff *msg;
18629 	void *hdr;
18630 
18631 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18632 	if (!msg)
18633 		return;
18634 
18635 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18636 	if (!hdr) {
18637 		nlmsg_free(msg);
18638 		return;
18639 	}
18640 
18641 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18642 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18643 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18644 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18645 	    (key_id != -1 &&
18646 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18647 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18648 		goto nla_put_failure;
18649 
18650 	genlmsg_end(msg, hdr);
18651 
18652 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18653 				NL80211_MCGRP_MLME, gfp);
18654 	return;
18655 
18656  nla_put_failure:
18657 	nlmsg_free(msg);
18658 }
18659 
18660 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18661 				    struct ieee80211_channel *channel_before,
18662 				    struct ieee80211_channel *channel_after)
18663 {
18664 	struct sk_buff *msg;
18665 	void *hdr;
18666 	struct nlattr *nl_freq;
18667 
18668 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18669 	if (!msg)
18670 		return;
18671 
18672 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18673 	if (!hdr) {
18674 		nlmsg_free(msg);
18675 		return;
18676 	}
18677 
18678 	/*
18679 	 * Since we are applying the beacon hint to a wiphy we know its
18680 	 * wiphy_idx is valid
18681 	 */
18682 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18683 		goto nla_put_failure;
18684 
18685 	/* Before */
18686 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18687 	if (!nl_freq)
18688 		goto nla_put_failure;
18689 
18690 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18691 		goto nla_put_failure;
18692 	nla_nest_end(msg, nl_freq);
18693 
18694 	/* After */
18695 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18696 	if (!nl_freq)
18697 		goto nla_put_failure;
18698 
18699 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18700 		goto nla_put_failure;
18701 	nla_nest_end(msg, nl_freq);
18702 
18703 	genlmsg_end(msg, hdr);
18704 
18705 	rcu_read_lock();
18706 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18707 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18708 	rcu_read_unlock();
18709 
18710 	return;
18711 
18712 nla_put_failure:
18713 	nlmsg_free(msg);
18714 }
18715 
18716 static void nl80211_send_remain_on_chan_event(
18717 	int cmd, struct cfg80211_registered_device *rdev,
18718 	struct wireless_dev *wdev, u64 cookie,
18719 	struct ieee80211_channel *chan,
18720 	unsigned int duration, gfp_t gfp)
18721 {
18722 	struct sk_buff *msg;
18723 	void *hdr;
18724 
18725 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18726 	if (!msg)
18727 		return;
18728 
18729 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18730 	if (!hdr) {
18731 		nlmsg_free(msg);
18732 		return;
18733 	}
18734 
18735 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18736 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18737 					 wdev->netdev->ifindex)) ||
18738 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18739 			      NL80211_ATTR_PAD) ||
18740 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18741 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18742 			NL80211_CHAN_NO_HT) ||
18743 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18744 			      NL80211_ATTR_PAD))
18745 		goto nla_put_failure;
18746 
18747 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18748 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18749 		goto nla_put_failure;
18750 
18751 	genlmsg_end(msg, hdr);
18752 
18753 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18754 				NL80211_MCGRP_MLME, gfp);
18755 	return;
18756 
18757  nla_put_failure:
18758 	nlmsg_free(msg);
18759 }
18760 
18761 void cfg80211_assoc_comeback(struct net_device *netdev,
18762 			     const u8 *ap_addr, u32 timeout)
18763 {
18764 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18765 	struct wiphy *wiphy = wdev->wiphy;
18766 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18767 	struct sk_buff *msg;
18768 	void *hdr;
18769 
18770 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18771 
18772 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18773 	if (!msg)
18774 		return;
18775 
18776 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18777 	if (!hdr) {
18778 		nlmsg_free(msg);
18779 		return;
18780 	}
18781 
18782 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18783 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18784 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18785 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18786 		goto nla_put_failure;
18787 
18788 	genlmsg_end(msg, hdr);
18789 
18790 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18791 				NL80211_MCGRP_MLME, GFP_KERNEL);
18792 	return;
18793 
18794  nla_put_failure:
18795 	nlmsg_free(msg);
18796 }
18797 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18798 
18799 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18800 			       struct ieee80211_channel *chan,
18801 			       unsigned int duration, gfp_t gfp)
18802 {
18803 	struct wiphy *wiphy = wdev->wiphy;
18804 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18805 
18806 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18807 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18808 					  rdev, wdev, cookie, chan,
18809 					  duration, gfp);
18810 }
18811 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18812 
18813 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18814 					struct ieee80211_channel *chan,
18815 					gfp_t gfp)
18816 {
18817 	struct wiphy *wiphy = wdev->wiphy;
18818 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18819 
18820 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18821 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18822 					  rdev, wdev, cookie, chan, 0, gfp);
18823 }
18824 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18825 
18826 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18827 					struct ieee80211_channel *chan,
18828 					gfp_t gfp)
18829 {
18830 	struct wiphy *wiphy = wdev->wiphy;
18831 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18832 
18833 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18834 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18835 					  rdev, wdev, cookie, chan, 0, gfp);
18836 }
18837 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18838 
18839 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18840 		      struct station_info *sinfo, gfp_t gfp)
18841 {
18842 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18843 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18844 	struct sk_buff *msg;
18845 
18846 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18847 
18848 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18849 	if (!msg)
18850 		return;
18851 
18852 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18853 				 rdev, dev, mac_addr, sinfo) < 0) {
18854 		nlmsg_free(msg);
18855 		return;
18856 	}
18857 
18858 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18859 				NL80211_MCGRP_MLME, gfp);
18860 }
18861 EXPORT_SYMBOL(cfg80211_new_sta);
18862 
18863 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18864 			    struct station_info *sinfo, gfp_t gfp)
18865 {
18866 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18867 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18868 	struct sk_buff *msg;
18869 	struct station_info empty_sinfo = {};
18870 
18871 	if (!sinfo)
18872 		sinfo = &empty_sinfo;
18873 
18874 	trace_cfg80211_del_sta(dev, mac_addr);
18875 
18876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18877 	if (!msg) {
18878 		cfg80211_sinfo_release_content(sinfo);
18879 		return;
18880 	}
18881 
18882 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18883 				 rdev, dev, mac_addr, sinfo) < 0) {
18884 		nlmsg_free(msg);
18885 		return;
18886 	}
18887 
18888 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18889 				NL80211_MCGRP_MLME, gfp);
18890 }
18891 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18892 
18893 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18894 			  enum nl80211_connect_failed_reason reason,
18895 			  gfp_t gfp)
18896 {
18897 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18898 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18899 	struct sk_buff *msg;
18900 	void *hdr;
18901 
18902 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18903 	if (!msg)
18904 		return;
18905 
18906 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18907 	if (!hdr) {
18908 		nlmsg_free(msg);
18909 		return;
18910 	}
18911 
18912 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18913 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18914 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18915 		goto nla_put_failure;
18916 
18917 	genlmsg_end(msg, hdr);
18918 
18919 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18920 				NL80211_MCGRP_MLME, gfp);
18921 	return;
18922 
18923  nla_put_failure:
18924 	nlmsg_free(msg);
18925 }
18926 EXPORT_SYMBOL(cfg80211_conn_failed);
18927 
18928 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18929 				       const u8 *addr, gfp_t gfp)
18930 {
18931 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18932 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18933 	struct sk_buff *msg;
18934 	void *hdr;
18935 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18936 
18937 	if (!nlportid)
18938 		return false;
18939 
18940 	msg = nlmsg_new(100, gfp);
18941 	if (!msg)
18942 		return true;
18943 
18944 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18945 	if (!hdr) {
18946 		nlmsg_free(msg);
18947 		return true;
18948 	}
18949 
18950 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18951 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18952 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18953 		goto nla_put_failure;
18954 
18955 	genlmsg_end(msg, hdr);
18956 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18957 	return true;
18958 
18959  nla_put_failure:
18960 	nlmsg_free(msg);
18961 	return true;
18962 }
18963 
18964 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18965 				const u8 *addr, gfp_t gfp)
18966 {
18967 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18968 	bool ret;
18969 
18970 	trace_cfg80211_rx_spurious_frame(dev, addr);
18971 
18972 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18973 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18974 		trace_cfg80211_return_bool(false);
18975 		return false;
18976 	}
18977 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18978 					 addr, gfp);
18979 	trace_cfg80211_return_bool(ret);
18980 	return ret;
18981 }
18982 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18983 
18984 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18985 					const u8 *addr, gfp_t gfp)
18986 {
18987 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18988 	bool ret;
18989 
18990 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18991 
18992 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18993 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18994 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18995 		trace_cfg80211_return_bool(false);
18996 		return false;
18997 	}
18998 	ret = __nl80211_unexpected_frame(dev,
18999 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19000 					 addr, gfp);
19001 	trace_cfg80211_return_bool(ret);
19002 	return ret;
19003 }
19004 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19005 
19006 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19007 		      struct wireless_dev *wdev, u32 nlportid,
19008 		      struct cfg80211_rx_info *info, gfp_t gfp)
19009 {
19010 	struct net_device *netdev = wdev->netdev;
19011 	struct sk_buff *msg;
19012 	void *hdr;
19013 
19014 	msg = nlmsg_new(100 + info->len, gfp);
19015 	if (!msg)
19016 		return -ENOMEM;
19017 
19018 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19019 	if (!hdr) {
19020 		nlmsg_free(msg);
19021 		return -ENOMEM;
19022 	}
19023 
19024 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19025 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19026 					netdev->ifindex)) ||
19027 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19028 			      NL80211_ATTR_PAD) ||
19029 	    (info->have_link_id &&
19030 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19031 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19032 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19033 	    (info->sig_dbm &&
19034 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19035 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19036 	    (info->flags &&
19037 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19038 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19039 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19040 						  info->rx_tstamp,
19041 						  NL80211_ATTR_PAD)) ||
19042 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19043 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19044 						   info->ack_tstamp,
19045 						   NL80211_ATTR_PAD)))
19046 		goto nla_put_failure;
19047 
19048 	genlmsg_end(msg, hdr);
19049 
19050 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19051 
19052  nla_put_failure:
19053 	nlmsg_free(msg);
19054 	return -ENOBUFS;
19055 }
19056 
19057 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19058 				    struct cfg80211_tx_status *status,
19059 				    gfp_t gfp, enum nl80211_commands command)
19060 {
19061 	struct wiphy *wiphy = wdev->wiphy;
19062 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19063 	struct net_device *netdev = wdev->netdev;
19064 	struct sk_buff *msg;
19065 	void *hdr;
19066 
19067 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19068 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19069 					      status->ack);
19070 	else
19071 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19072 						      status->ack);
19073 
19074 	msg = nlmsg_new(100 + status->len, gfp);
19075 	if (!msg)
19076 		return;
19077 
19078 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19079 	if (!hdr) {
19080 		nlmsg_free(msg);
19081 		return;
19082 	}
19083 
19084 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19085 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19086 				   netdev->ifindex)) ||
19087 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19088 			      NL80211_ATTR_PAD) ||
19089 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19090 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19091 			      NL80211_ATTR_PAD) ||
19092 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19093 	    (status->tx_tstamp &&
19094 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19095 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19096 	    (status->ack_tstamp &&
19097 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19098 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19099 		goto nla_put_failure;
19100 
19101 	genlmsg_end(msg, hdr);
19102 
19103 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19104 				NL80211_MCGRP_MLME, gfp);
19105 	return;
19106 
19107 nla_put_failure:
19108 	nlmsg_free(msg);
19109 }
19110 
19111 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19112 				     const u8 *buf, size_t len, bool ack,
19113 				     gfp_t gfp)
19114 {
19115 	struct cfg80211_tx_status status = {
19116 		.cookie = cookie,
19117 		.buf = buf,
19118 		.len = len,
19119 		.ack = ack
19120 	};
19121 
19122 	nl80211_frame_tx_status(wdev, &status, gfp,
19123 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19124 }
19125 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19126 
19127 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19128 				 struct cfg80211_tx_status *status, gfp_t gfp)
19129 {
19130 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19131 }
19132 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19133 
19134 static int __nl80211_rx_control_port(struct net_device *dev,
19135 				     struct sk_buff *skb,
19136 				     bool unencrypted,
19137 				     int link_id,
19138 				     gfp_t gfp)
19139 {
19140 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19141 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19142 	struct ethhdr *ehdr = eth_hdr(skb);
19143 	const u8 *addr = ehdr->h_source;
19144 	u16 proto = be16_to_cpu(skb->protocol);
19145 	struct sk_buff *msg;
19146 	void *hdr;
19147 	struct nlattr *frame;
19148 
19149 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19150 
19151 	if (!nlportid)
19152 		return -ENOENT;
19153 
19154 	msg = nlmsg_new(100 + skb->len, gfp);
19155 	if (!msg)
19156 		return -ENOMEM;
19157 
19158 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19159 	if (!hdr) {
19160 		nlmsg_free(msg);
19161 		return -ENOBUFS;
19162 	}
19163 
19164 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19165 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19166 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19167 			      NL80211_ATTR_PAD) ||
19168 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19169 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19170 	    (link_id >= 0 &&
19171 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19172 	    (unencrypted && nla_put_flag(msg,
19173 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19174 		goto nla_put_failure;
19175 
19176 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19177 	if (!frame)
19178 		goto nla_put_failure;
19179 
19180 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19181 	genlmsg_end(msg, hdr);
19182 
19183 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19184 
19185  nla_put_failure:
19186 	nlmsg_free(msg);
19187 	return -ENOBUFS;
19188 }
19189 
19190 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19191 			      bool unencrypted, int link_id)
19192 {
19193 	int ret;
19194 
19195 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19196 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19197 					GFP_ATOMIC);
19198 	trace_cfg80211_return_bool(ret == 0);
19199 	return ret == 0;
19200 }
19201 EXPORT_SYMBOL(cfg80211_rx_control_port);
19202 
19203 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19204 					    const char *mac, gfp_t gfp)
19205 {
19206 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19207 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19208 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19209 	void **cb;
19210 
19211 	if (!msg)
19212 		return NULL;
19213 
19214 	cb = (void **)msg->cb;
19215 
19216 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19217 	if (!cb[0]) {
19218 		nlmsg_free(msg);
19219 		return NULL;
19220 	}
19221 
19222 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19223 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19224 		goto nla_put_failure;
19225 
19226 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19227 		goto nla_put_failure;
19228 
19229 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19230 	if (!cb[1])
19231 		goto nla_put_failure;
19232 
19233 	cb[2] = rdev;
19234 
19235 	return msg;
19236  nla_put_failure:
19237 	nlmsg_free(msg);
19238 	return NULL;
19239 }
19240 
19241 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19242 {
19243 	void **cb = (void **)msg->cb;
19244 	struct cfg80211_registered_device *rdev = cb[2];
19245 
19246 	nla_nest_end(msg, cb[1]);
19247 	genlmsg_end(msg, cb[0]);
19248 
19249 	memset(msg->cb, 0, sizeof(msg->cb));
19250 
19251 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19252 				NL80211_MCGRP_MLME, gfp);
19253 }
19254 
19255 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19256 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19257 			      s32 rssi_level, gfp_t gfp)
19258 {
19259 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19260 	struct cfg80211_cqm_config *cqm_config;
19261 
19262 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19263 
19264 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19265 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19266 		return;
19267 
19268 	rcu_read_lock();
19269 	cqm_config = rcu_dereference(wdev->cqm_config);
19270 	if (cqm_config) {
19271 		cqm_config->last_rssi_event_value = rssi_level;
19272 		cqm_config->last_rssi_event_type = rssi_event;
19273 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19274 	}
19275 	rcu_read_unlock();
19276 }
19277 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19278 
19279 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19280 {
19281 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19282 						 cqm_rssi_work);
19283 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19284 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19285 	struct cfg80211_cqm_config *cqm_config;
19286 	struct sk_buff *msg;
19287 	s32 rssi_level;
19288 
19289 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19290 	if (!cqm_config)
19291 		return;
19292 
19293 	if (cqm_config->use_range_api)
19294 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19295 
19296 	rssi_level = cqm_config->last_rssi_event_value;
19297 	rssi_event = cqm_config->last_rssi_event_type;
19298 
19299 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19300 	if (!msg)
19301 		return;
19302 
19303 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19304 			rssi_event))
19305 		goto nla_put_failure;
19306 
19307 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19308 				      rssi_level))
19309 		goto nla_put_failure;
19310 
19311 	cfg80211_send_cqm(msg, GFP_KERNEL);
19312 
19313 	return;
19314 
19315  nla_put_failure:
19316 	nlmsg_free(msg);
19317 }
19318 
19319 void cfg80211_cqm_txe_notify(struct net_device *dev,
19320 			     const u8 *peer, u32 num_packets,
19321 			     u32 rate, u32 intvl, gfp_t gfp)
19322 {
19323 	struct sk_buff *msg;
19324 
19325 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19326 	if (!msg)
19327 		return;
19328 
19329 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19330 		goto nla_put_failure;
19331 
19332 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19333 		goto nla_put_failure;
19334 
19335 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19336 		goto nla_put_failure;
19337 
19338 	cfg80211_send_cqm(msg, gfp);
19339 	return;
19340 
19341  nla_put_failure:
19342 	nlmsg_free(msg);
19343 }
19344 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19345 
19346 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19347 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19348 {
19349 	struct sk_buff *msg;
19350 
19351 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19352 
19353 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19354 	if (!msg)
19355 		return;
19356 
19357 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19358 		goto nla_put_failure;
19359 
19360 	cfg80211_send_cqm(msg, gfp);
19361 	return;
19362 
19363  nla_put_failure:
19364 	nlmsg_free(msg);
19365 }
19366 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19367 
19368 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19369 {
19370 	struct sk_buff *msg;
19371 
19372 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19373 	if (!msg)
19374 		return;
19375 
19376 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19377 		goto nla_put_failure;
19378 
19379 	cfg80211_send_cqm(msg, gfp);
19380 	return;
19381 
19382  nla_put_failure:
19383 	nlmsg_free(msg);
19384 }
19385 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19386 
19387 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19388 				     struct net_device *netdev, const u8 *bssid,
19389 				     const u8 *replay_ctr, gfp_t gfp)
19390 {
19391 	struct sk_buff *msg;
19392 	struct nlattr *rekey_attr;
19393 	void *hdr;
19394 
19395 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19396 	if (!msg)
19397 		return;
19398 
19399 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19400 	if (!hdr) {
19401 		nlmsg_free(msg);
19402 		return;
19403 	}
19404 
19405 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19406 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19407 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19408 		goto nla_put_failure;
19409 
19410 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19411 	if (!rekey_attr)
19412 		goto nla_put_failure;
19413 
19414 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19415 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19416 		goto nla_put_failure;
19417 
19418 	nla_nest_end(msg, rekey_attr);
19419 
19420 	genlmsg_end(msg, hdr);
19421 
19422 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19423 				NL80211_MCGRP_MLME, gfp);
19424 	return;
19425 
19426  nla_put_failure:
19427 	nlmsg_free(msg);
19428 }
19429 
19430 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19431 			       const u8 *replay_ctr, gfp_t gfp)
19432 {
19433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19434 	struct wiphy *wiphy = wdev->wiphy;
19435 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19436 
19437 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19438 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19439 }
19440 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19441 
19442 static void
19443 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19444 			       struct net_device *netdev, int index,
19445 			       const u8 *bssid, bool preauth, gfp_t gfp)
19446 {
19447 	struct sk_buff *msg;
19448 	struct nlattr *attr;
19449 	void *hdr;
19450 
19451 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19452 	if (!msg)
19453 		return;
19454 
19455 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19456 	if (!hdr) {
19457 		nlmsg_free(msg);
19458 		return;
19459 	}
19460 
19461 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19462 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19463 		goto nla_put_failure;
19464 
19465 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19466 	if (!attr)
19467 		goto nla_put_failure;
19468 
19469 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19470 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19471 	    (preauth &&
19472 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19473 		goto nla_put_failure;
19474 
19475 	nla_nest_end(msg, attr);
19476 
19477 	genlmsg_end(msg, hdr);
19478 
19479 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19480 				NL80211_MCGRP_MLME, gfp);
19481 	return;
19482 
19483  nla_put_failure:
19484 	nlmsg_free(msg);
19485 }
19486 
19487 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19488 				     const u8 *bssid, bool preauth, gfp_t gfp)
19489 {
19490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19491 	struct wiphy *wiphy = wdev->wiphy;
19492 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19493 
19494 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19495 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19496 }
19497 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19498 
19499 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19500 				     struct net_device *netdev,
19501 				     unsigned int link_id,
19502 				     struct cfg80211_chan_def *chandef,
19503 				     gfp_t gfp,
19504 				     enum nl80211_commands notif,
19505 				     u8 count, bool quiet)
19506 {
19507 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19508 	struct sk_buff *msg;
19509 	void *hdr;
19510 
19511 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19512 	if (!msg)
19513 		return;
19514 
19515 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19516 	if (!hdr) {
19517 		nlmsg_free(msg);
19518 		return;
19519 	}
19520 
19521 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19522 		goto nla_put_failure;
19523 
19524 	if (wdev->valid_links &&
19525 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19526 		goto nla_put_failure;
19527 
19528 	if (nl80211_send_chandef(msg, chandef))
19529 		goto nla_put_failure;
19530 
19531 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19532 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19533 			goto nla_put_failure;
19534 		if (quiet &&
19535 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19536 			goto nla_put_failure;
19537 	}
19538 
19539 	genlmsg_end(msg, hdr);
19540 
19541 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19542 				NL80211_MCGRP_MLME, gfp);
19543 	return;
19544 
19545  nla_put_failure:
19546 	nlmsg_free(msg);
19547 }
19548 
19549 void cfg80211_ch_switch_notify(struct net_device *dev,
19550 			       struct cfg80211_chan_def *chandef,
19551 			       unsigned int link_id)
19552 {
19553 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19554 	struct wiphy *wiphy = wdev->wiphy;
19555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19556 
19557 	lockdep_assert_wiphy(wdev->wiphy);
19558 	WARN_INVALID_LINK_ID(wdev, link_id);
19559 
19560 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19561 
19562 	switch (wdev->iftype) {
19563 	case NL80211_IFTYPE_STATION:
19564 	case NL80211_IFTYPE_P2P_CLIENT:
19565 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19566 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19567 							chandef->chan);
19568 		break;
19569 	case NL80211_IFTYPE_MESH_POINT:
19570 		wdev->u.mesh.chandef = *chandef;
19571 		wdev->u.mesh.preset_chandef = *chandef;
19572 		break;
19573 	case NL80211_IFTYPE_AP:
19574 	case NL80211_IFTYPE_P2P_GO:
19575 		wdev->links[link_id].ap.chandef = *chandef;
19576 		break;
19577 	case NL80211_IFTYPE_ADHOC:
19578 		wdev->u.ibss.chandef = *chandef;
19579 		break;
19580 	default:
19581 		WARN_ON(1);
19582 		break;
19583 	}
19584 
19585 	cfg80211_schedule_channels_check(wdev);
19586 	cfg80211_sched_dfs_chan_update(rdev);
19587 
19588 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19589 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19590 }
19591 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19592 
19593 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19594 				       struct cfg80211_chan_def *chandef,
19595 				       unsigned int link_id, u8 count,
19596 				       bool quiet)
19597 {
19598 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19599 	struct wiphy *wiphy = wdev->wiphy;
19600 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19601 
19602 	lockdep_assert_wiphy(wdev->wiphy);
19603 	WARN_INVALID_LINK_ID(wdev, link_id);
19604 
19605 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19606 
19607 
19608 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19609 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19610 				 count, quiet);
19611 }
19612 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19613 
19614 int cfg80211_bss_color_notify(struct net_device *dev,
19615 			      enum nl80211_commands cmd, u8 count,
19616 			      u64 color_bitmap, u8 link_id)
19617 {
19618 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19619 	struct wiphy *wiphy = wdev->wiphy;
19620 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19621 	struct sk_buff *msg;
19622 	void *hdr;
19623 
19624 	lockdep_assert_wiphy(wdev->wiphy);
19625 
19626 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19627 
19628 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19629 	if (!msg)
19630 		return -ENOMEM;
19631 
19632 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19633 	if (!hdr)
19634 		goto nla_put_failure;
19635 
19636 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19637 		goto nla_put_failure;
19638 
19639 	if (wdev->valid_links &&
19640 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19641 		goto nla_put_failure;
19642 
19643 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19644 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19645 		goto nla_put_failure;
19646 
19647 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19648 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19649 			      color_bitmap, NL80211_ATTR_PAD))
19650 		goto nla_put_failure;
19651 
19652 	genlmsg_end(msg, hdr);
19653 
19654 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19655 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19656 
19657 nla_put_failure:
19658 	nlmsg_free(msg);
19659 	return -EINVAL;
19660 }
19661 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19662 
19663 void
19664 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19665 		     const struct cfg80211_chan_def *chandef,
19666 		     enum nl80211_radar_event event,
19667 		     struct net_device *netdev, gfp_t gfp)
19668 {
19669 	struct sk_buff *msg;
19670 	void *hdr;
19671 
19672 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19673 	if (!msg)
19674 		return;
19675 
19676 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19677 	if (!hdr) {
19678 		nlmsg_free(msg);
19679 		return;
19680 	}
19681 
19682 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19683 		goto nla_put_failure;
19684 
19685 	/* NOP and radar events don't need a netdev parameter */
19686 	if (netdev) {
19687 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19688 
19689 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19690 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19691 				      NL80211_ATTR_PAD))
19692 			goto nla_put_failure;
19693 	}
19694 
19695 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19696 		goto nla_put_failure;
19697 
19698 	if (nl80211_send_chandef(msg, chandef))
19699 		goto nla_put_failure;
19700 
19701 	genlmsg_end(msg, hdr);
19702 
19703 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19704 				NL80211_MCGRP_MLME, gfp);
19705 	return;
19706 
19707  nla_put_failure:
19708 	nlmsg_free(msg);
19709 }
19710 
19711 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19712 				       struct sta_opmode_info *sta_opmode,
19713 				       gfp_t gfp)
19714 {
19715 	struct sk_buff *msg;
19716 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19717 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19718 	void *hdr;
19719 
19720 	if (WARN_ON(!mac))
19721 		return;
19722 
19723 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19724 	if (!msg)
19725 		return;
19726 
19727 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19728 	if (!hdr) {
19729 		nlmsg_free(msg);
19730 		return;
19731 	}
19732 
19733 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19734 		goto nla_put_failure;
19735 
19736 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19737 		goto nla_put_failure;
19738 
19739 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19740 		goto nla_put_failure;
19741 
19742 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19743 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19744 		goto nla_put_failure;
19745 
19746 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19747 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19748 		goto nla_put_failure;
19749 
19750 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19751 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19752 		goto nla_put_failure;
19753 
19754 	genlmsg_end(msg, hdr);
19755 
19756 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19757 				NL80211_MCGRP_MLME, gfp);
19758 
19759 	return;
19760 
19761 nla_put_failure:
19762 	nlmsg_free(msg);
19763 }
19764 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19765 
19766 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19767 			   u64 cookie, bool acked, s32 ack_signal,
19768 			   bool is_valid_ack_signal, gfp_t gfp)
19769 {
19770 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19771 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19772 	struct sk_buff *msg;
19773 	void *hdr;
19774 
19775 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19776 
19777 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19778 
19779 	if (!msg)
19780 		return;
19781 
19782 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19783 	if (!hdr) {
19784 		nlmsg_free(msg);
19785 		return;
19786 	}
19787 
19788 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19789 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19790 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19791 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19792 			      NL80211_ATTR_PAD) ||
19793 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19794 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19795 						ack_signal)))
19796 		goto nla_put_failure;
19797 
19798 	genlmsg_end(msg, hdr);
19799 
19800 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19801 				NL80211_MCGRP_MLME, gfp);
19802 	return;
19803 
19804  nla_put_failure:
19805 	nlmsg_free(msg);
19806 }
19807 EXPORT_SYMBOL(cfg80211_probe_status);
19808 
19809 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19810 				     size_t len, int freq, int sig_dbm)
19811 {
19812 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19813 	struct sk_buff *msg;
19814 	void *hdr;
19815 	struct cfg80211_beacon_registration *reg;
19816 
19817 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19818 
19819 	spin_lock_bh(&rdev->beacon_registrations_lock);
19820 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19821 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19822 		if (!msg) {
19823 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19824 			return;
19825 		}
19826 
19827 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19828 		if (!hdr)
19829 			goto nla_put_failure;
19830 
19831 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19832 		    (freq &&
19833 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19834 				  KHZ_TO_MHZ(freq)) ||
19835 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19836 				  freq % 1000))) ||
19837 		    (sig_dbm &&
19838 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19839 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19840 			goto nla_put_failure;
19841 
19842 		genlmsg_end(msg, hdr);
19843 
19844 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19845 	}
19846 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19847 	return;
19848 
19849  nla_put_failure:
19850 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19851 	nlmsg_free(msg);
19852 }
19853 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19854 
19855 #ifdef CONFIG_PM
19856 static int cfg80211_net_detect_results(struct sk_buff *msg,
19857 				       struct cfg80211_wowlan_wakeup *wakeup)
19858 {
19859 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19860 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19861 	int i, j;
19862 
19863 	nl_results = nla_nest_start_noflag(msg,
19864 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19865 	if (!nl_results)
19866 		return -EMSGSIZE;
19867 
19868 	for (i = 0; i < nd->n_matches; i++) {
19869 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19870 
19871 		nl_match = nla_nest_start_noflag(msg, i);
19872 		if (!nl_match)
19873 			break;
19874 
19875 		/* The SSID attribute is optional in nl80211, but for
19876 		 * simplicity reasons it's always present in the
19877 		 * cfg80211 structure.  If a driver can't pass the
19878 		 * SSID, that needs to be changed.  A zero length SSID
19879 		 * is still a valid SSID (wildcard), so it cannot be
19880 		 * used for this purpose.
19881 		 */
19882 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19883 			    match->ssid.ssid)) {
19884 			nla_nest_cancel(msg, nl_match);
19885 			goto out;
19886 		}
19887 
19888 		if (match->n_channels) {
19889 			nl_freqs = nla_nest_start_noflag(msg,
19890 							 NL80211_ATTR_SCAN_FREQUENCIES);
19891 			if (!nl_freqs) {
19892 				nla_nest_cancel(msg, nl_match);
19893 				goto out;
19894 			}
19895 
19896 			for (j = 0; j < match->n_channels; j++) {
19897 				if (nla_put_u32(msg, j, match->channels[j])) {
19898 					nla_nest_cancel(msg, nl_freqs);
19899 					nla_nest_cancel(msg, nl_match);
19900 					goto out;
19901 				}
19902 			}
19903 
19904 			nla_nest_end(msg, nl_freqs);
19905 		}
19906 
19907 		nla_nest_end(msg, nl_match);
19908 	}
19909 
19910 out:
19911 	nla_nest_end(msg, nl_results);
19912 	return 0;
19913 }
19914 
19915 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19916 				   struct cfg80211_wowlan_wakeup *wakeup,
19917 				   gfp_t gfp)
19918 {
19919 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19920 	struct sk_buff *msg;
19921 	void *hdr;
19922 	int size = 200;
19923 
19924 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19925 
19926 	if (wakeup)
19927 		size += wakeup->packet_present_len;
19928 
19929 	msg = nlmsg_new(size, gfp);
19930 	if (!msg)
19931 		return;
19932 
19933 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19934 	if (!hdr)
19935 		goto free_msg;
19936 
19937 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19938 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19939 			      NL80211_ATTR_PAD))
19940 		goto free_msg;
19941 
19942 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19943 					wdev->netdev->ifindex))
19944 		goto free_msg;
19945 
19946 	if (wakeup) {
19947 		struct nlattr *reasons;
19948 
19949 		reasons = nla_nest_start_noflag(msg,
19950 						NL80211_ATTR_WOWLAN_TRIGGERS);
19951 		if (!reasons)
19952 			goto free_msg;
19953 
19954 		if (wakeup->disconnect &&
19955 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19956 			goto free_msg;
19957 		if (wakeup->magic_pkt &&
19958 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19959 			goto free_msg;
19960 		if (wakeup->gtk_rekey_failure &&
19961 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19962 			goto free_msg;
19963 		if (wakeup->eap_identity_req &&
19964 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19965 			goto free_msg;
19966 		if (wakeup->four_way_handshake &&
19967 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19968 			goto free_msg;
19969 		if (wakeup->rfkill_release &&
19970 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19971 			goto free_msg;
19972 
19973 		if (wakeup->pattern_idx >= 0 &&
19974 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19975 				wakeup->pattern_idx))
19976 			goto free_msg;
19977 
19978 		if (wakeup->tcp_match &&
19979 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19980 			goto free_msg;
19981 
19982 		if (wakeup->tcp_connlost &&
19983 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19984 			goto free_msg;
19985 
19986 		if (wakeup->tcp_nomoretokens &&
19987 		    nla_put_flag(msg,
19988 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19989 			goto free_msg;
19990 
19991 		if (wakeup->unprot_deauth_disassoc &&
19992 		    nla_put_flag(msg,
19993 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
19994 			goto free_msg;
19995 
19996 		if (wakeup->packet) {
19997 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19998 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19999 
20000 			if (!wakeup->packet_80211) {
20001 				pkt_attr =
20002 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20003 				len_attr =
20004 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20005 			}
20006 
20007 			if (wakeup->packet_len &&
20008 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20009 				goto free_msg;
20010 
20011 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20012 				    wakeup->packet))
20013 				goto free_msg;
20014 		}
20015 
20016 		if (wakeup->net_detect &&
20017 		    cfg80211_net_detect_results(msg, wakeup))
20018 				goto free_msg;
20019 
20020 		nla_nest_end(msg, reasons);
20021 	}
20022 
20023 	genlmsg_end(msg, hdr);
20024 
20025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20026 				NL80211_MCGRP_MLME, gfp);
20027 	return;
20028 
20029  free_msg:
20030 	nlmsg_free(msg);
20031 }
20032 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20033 #endif
20034 
20035 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20036 				enum nl80211_tdls_operation oper,
20037 				u16 reason_code, gfp_t gfp)
20038 {
20039 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20040 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20041 	struct sk_buff *msg;
20042 	void *hdr;
20043 
20044 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20045 					 reason_code);
20046 
20047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20048 	if (!msg)
20049 		return;
20050 
20051 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20052 	if (!hdr) {
20053 		nlmsg_free(msg);
20054 		return;
20055 	}
20056 
20057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20058 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20059 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20060 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20061 	    (reason_code > 0 &&
20062 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20063 		goto nla_put_failure;
20064 
20065 	genlmsg_end(msg, hdr);
20066 
20067 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20068 				NL80211_MCGRP_MLME, gfp);
20069 	return;
20070 
20071  nla_put_failure:
20072 	nlmsg_free(msg);
20073 }
20074 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20075 
20076 static int nl80211_netlink_notify(struct notifier_block * nb,
20077 				  unsigned long state,
20078 				  void *_notify)
20079 {
20080 	struct netlink_notify *notify = _notify;
20081 	struct cfg80211_registered_device *rdev;
20082 	struct wireless_dev *wdev;
20083 	struct cfg80211_beacon_registration *reg, *tmp;
20084 
20085 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20086 		return NOTIFY_DONE;
20087 
20088 	rcu_read_lock();
20089 
20090 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20091 		struct cfg80211_sched_scan_request *sched_scan_req;
20092 
20093 		list_for_each_entry_rcu(sched_scan_req,
20094 					&rdev->sched_scan_req_list,
20095 					list) {
20096 			if (sched_scan_req->owner_nlportid == notify->portid) {
20097 				sched_scan_req->nl_owner_dead = true;
20098 				wiphy_work_queue(&rdev->wiphy,
20099 						 &rdev->sched_scan_stop_wk);
20100 			}
20101 		}
20102 
20103 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20104 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20105 
20106 			if (wdev->owner_nlportid == notify->portid) {
20107 				wdev->nl_owner_dead = true;
20108 				schedule_work(&rdev->destroy_work);
20109 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20110 				schedule_work(&wdev->disconnect_wk);
20111 			}
20112 
20113 			cfg80211_release_pmsr(wdev, notify->portid);
20114 		}
20115 
20116 		spin_lock_bh(&rdev->beacon_registrations_lock);
20117 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20118 					 list) {
20119 			if (reg->nlportid == notify->portid) {
20120 				list_del(&reg->list);
20121 				kfree(reg);
20122 				break;
20123 			}
20124 		}
20125 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20126 	}
20127 
20128 	rcu_read_unlock();
20129 
20130 	/*
20131 	 * It is possible that the user space process that is controlling the
20132 	 * indoor setting disappeared, so notify the regulatory core.
20133 	 */
20134 	regulatory_netlink_notify(notify->portid);
20135 	return NOTIFY_OK;
20136 }
20137 
20138 static struct notifier_block nl80211_netlink_notifier = {
20139 	.notifier_call = nl80211_netlink_notify,
20140 };
20141 
20142 void cfg80211_ft_event(struct net_device *netdev,
20143 		       struct cfg80211_ft_event_params *ft_event)
20144 {
20145 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20146 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20147 	struct sk_buff *msg;
20148 	void *hdr;
20149 
20150 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20151 
20152 	if (!ft_event->target_ap)
20153 		return;
20154 
20155 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20156 			GFP_KERNEL);
20157 	if (!msg)
20158 		return;
20159 
20160 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20161 	if (!hdr)
20162 		goto out;
20163 
20164 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20165 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20166 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20167 		goto out;
20168 
20169 	if (ft_event->ies &&
20170 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20171 		goto out;
20172 	if (ft_event->ric_ies &&
20173 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20174 		    ft_event->ric_ies))
20175 		goto out;
20176 
20177 	genlmsg_end(msg, hdr);
20178 
20179 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20180 				NL80211_MCGRP_MLME, GFP_KERNEL);
20181 	return;
20182  out:
20183 	nlmsg_free(msg);
20184 }
20185 EXPORT_SYMBOL(cfg80211_ft_event);
20186 
20187 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20188 {
20189 	struct cfg80211_registered_device *rdev;
20190 	struct sk_buff *msg;
20191 	void *hdr;
20192 	u32 nlportid;
20193 
20194 	rdev = wiphy_to_rdev(wdev->wiphy);
20195 	if (!rdev->crit_proto_nlportid)
20196 		return;
20197 
20198 	nlportid = rdev->crit_proto_nlportid;
20199 	rdev->crit_proto_nlportid = 0;
20200 
20201 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20202 	if (!msg)
20203 		return;
20204 
20205 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20206 	if (!hdr)
20207 		goto nla_put_failure;
20208 
20209 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20210 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20211 			      NL80211_ATTR_PAD))
20212 		goto nla_put_failure;
20213 
20214 	genlmsg_end(msg, hdr);
20215 
20216 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20217 	return;
20218 
20219  nla_put_failure:
20220 	nlmsg_free(msg);
20221 }
20222 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20223 
20224 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20225 {
20226 	struct wiphy *wiphy = wdev->wiphy;
20227 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20228 	struct sk_buff *msg;
20229 	void *hdr;
20230 
20231 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20232 	if (!msg)
20233 		return;
20234 
20235 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20236 	if (!hdr)
20237 		goto out;
20238 
20239 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20240 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20241 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20242 			      NL80211_ATTR_PAD) ||
20243 	    (wdev->valid_links &&
20244 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20245 		goto out;
20246 
20247 	genlmsg_end(msg, hdr);
20248 
20249 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20250 				NL80211_MCGRP_MLME, GFP_KERNEL);
20251 	return;
20252  out:
20253 	nlmsg_free(msg);
20254 }
20255 
20256 int cfg80211_external_auth_request(struct net_device *dev,
20257 				   struct cfg80211_external_auth_params *params,
20258 				   gfp_t gfp)
20259 {
20260 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20261 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20262 	struct sk_buff *msg;
20263 	void *hdr;
20264 
20265 	if (!wdev->conn_owner_nlportid)
20266 		return -EINVAL;
20267 
20268 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20269 	if (!msg)
20270 		return -ENOMEM;
20271 
20272 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20273 	if (!hdr)
20274 		goto nla_put_failure;
20275 
20276 	/* Some historical mistakes in drivers <-> userspace interface (notably
20277 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20278 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20279 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20280 	 * benefit of older wpa_supplicant versions, send this particular value
20281 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20282 	 * particular value in big endian still, so it all continues to work.
20283 	 */
20284 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20285 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20286 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20287 			goto nla_put_failure;
20288 	} else {
20289 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20290 				params->key_mgmt_suite))
20291 			goto nla_put_failure;
20292 	}
20293 
20294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20295 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20296 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20297 			params->action) ||
20298 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20299 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20300 		    params->ssid.ssid) ||
20301 	    (!is_zero_ether_addr(params->mld_addr) &&
20302 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20303 		goto nla_put_failure;
20304 
20305 	genlmsg_end(msg, hdr);
20306 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20307 			wdev->conn_owner_nlportid);
20308 	return 0;
20309 
20310  nla_put_failure:
20311 	nlmsg_free(msg);
20312 	return -ENOBUFS;
20313 }
20314 EXPORT_SYMBOL(cfg80211_external_auth_request);
20315 
20316 void cfg80211_update_owe_info_event(struct net_device *netdev,
20317 				    struct cfg80211_update_owe_info *owe_info,
20318 				    gfp_t gfp)
20319 {
20320 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20321 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20322 	struct sk_buff *msg;
20323 	void *hdr;
20324 
20325 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20326 
20327 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20328 	if (!msg)
20329 		return;
20330 
20331 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20332 	if (!hdr)
20333 		goto nla_put_failure;
20334 
20335 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20336 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20337 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20338 		goto nla_put_failure;
20339 
20340 	if (!owe_info->ie_len ||
20341 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20342 		goto nla_put_failure;
20343 
20344 	if (owe_info->assoc_link_id != -1) {
20345 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20346 			       owe_info->assoc_link_id))
20347 			goto nla_put_failure;
20348 
20349 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20350 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20351 			    owe_info->peer_mld_addr))
20352 			goto nla_put_failure;
20353 	}
20354 
20355 	genlmsg_end(msg, hdr);
20356 
20357 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20358 				NL80211_MCGRP_MLME, gfp);
20359 	return;
20360 
20361 nla_put_failure:
20362 	genlmsg_cancel(msg, hdr);
20363 	nlmsg_free(msg);
20364 }
20365 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20366 
20367 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20368 {
20369 	struct wiphy *wiphy = wdev->wiphy;
20370 
20371 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20372 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20373 	    (wiphy_ext_feature_isset(wiphy,
20374 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20375 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20376 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20377 		reg_check_channels();
20378 }
20379 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20380 
20381 /* initialisation/exit functions */
20382 
20383 int __init nl80211_init(void)
20384 {
20385 	int err;
20386 
20387 	err = genl_register_family(&nl80211_fam);
20388 	if (err)
20389 		return err;
20390 
20391 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20392 	if (err)
20393 		goto err_out;
20394 
20395 	return 0;
20396  err_out:
20397 	genl_unregister_family(&nl80211_fam);
20398 	return err;
20399 }
20400 
20401 void nl80211_exit(void)
20402 {
20403 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20404 	genl_unregister_family(&nl80211_fam);
20405 }
20406