xref: /linux/net/wireless/nl80211.c (revision cbac924200b838cfb8d8b1415113d788089dc50b) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
460 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
461 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
462 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
463 				      .len = 20-1 },
464 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
465 
466 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
467 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
469 						NL80211_EDMG_CHANNELS_MIN,
470 						NL80211_EDMG_CHANNELS_MAX),
471 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
472 						NL80211_EDMG_BW_CONFIG_MIN,
473 						NL80211_EDMG_BW_CONFIG_MAX),
474 
475 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
476 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
477 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
478 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
479 
480 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
481 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
482 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
484 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
485 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
486 
487 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
488 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
489 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
490 
491 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
492 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
493 
494 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
495 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
496 				    .len = WLAN_MAX_KEY_LEN },
497 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
498 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
499 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
501 	[NL80211_ATTR_KEY_TYPE] =
502 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
503 
504 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
505 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
506 	[NL80211_ATTR_BEACON_HEAD] =
507 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
508 				       IEEE80211_MAX_DATA_LEN),
509 	[NL80211_ATTR_BEACON_TAIL] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_STA_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
515 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
516 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
517 					       .len = NL80211_MAX_SUPP_RATES },
518 	[NL80211_ATTR_STA_PLINK_ACTION] =
519 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
520 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
521 		NLA_POLICY_RANGE(NLA_U8,
522 				 NL80211_TX_POWER_AUTOMATIC,
523 				 NL80211_TX_POWER_FIXED),
524 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
525 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
526 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
527 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
528 				   .len = IEEE80211_MAX_MESH_ID_LEN },
529 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
530 
531 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
532 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
533 
534 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
535 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
536 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
537 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
538 					   .len = NL80211_MAX_SUPP_RATES },
539 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
540 
541 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
542 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
543 
544 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
545 
546 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
547 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
548 						   validate_ie_attr,
549 						   IEEE80211_MAX_DATA_LEN),
550 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
551 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
552 
553 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
554 				.len = IEEE80211_MAX_SSID_LEN },
555 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
556 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
557 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
558 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
559 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
560 						  NL80211_MFP_NO,
561 						  NL80211_MFP_OPTIONAL),
562 	[NL80211_ATTR_STA_FLAGS2] = {
563 		.len = sizeof(struct nl80211_sta_flag_update),
564 	},
565 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
566 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
567 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
568 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
569 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
571 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
572 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
573 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
574 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
575 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
576 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
577 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
578 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
579 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
580 				 .len = IEEE80211_MAX_DATA_LEN },
581 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
582 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
583 						   NL80211_PS_DISABLED,
584 						   NL80211_PS_ENABLED),
585 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
586 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
587 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
588 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
589 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
590 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
591 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
592 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
593 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
594 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
595 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
596 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
597 	[NL80211_ATTR_STA_PLINK_STATE] =
598 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
599 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
600 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_MESH_PEER_AID] =
602 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
603 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
604 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
605 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
606 	[NL80211_ATTR_HIDDEN_SSID] =
607 		NLA_POLICY_RANGE(NLA_U32,
608 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
609 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
610 	[NL80211_ATTR_IE_PROBE_RESP] =
611 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
612 				       IEEE80211_MAX_DATA_LEN),
613 	[NL80211_ATTR_IE_ASSOC_RESP] =
614 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
615 				       IEEE80211_MAX_DATA_LEN),
616 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
617 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
618 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
619 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
620 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
621 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
622 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
623 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
624 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
625 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
626 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
627 				      .len = IEEE80211_MAX_DATA_LEN },
628 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
629 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
630 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
631 		.len = NL80211_HT_CAPABILITY_LEN
632 	},
633 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
634 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
635 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
636 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
637 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
638 
639 	/* need to include at least Auth Transaction and Status Code */
640 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
641 
642 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
643 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
644 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
645 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
646 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
647 		NLA_POLICY_RANGE(NLA_U32,
648 				 NL80211_MESH_POWER_UNKNOWN + 1,
649 				 NL80211_MESH_POWER_MAX),
650 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
651 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
652 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
653 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
654 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
655 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
656 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
657 		.len = NL80211_VHT_CAPABILITY_LEN,
658 	},
659 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
660 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
661 				  .len = IEEE80211_MAX_DATA_LEN },
662 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
663 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
664 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
665 	[NL80211_ATTR_PEER_AID] =
666 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
667 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
668 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
669 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
670 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
671 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
672 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
673 	/*
674 	 * The value of the Length field of the Supported Operating
675 	 * Classes element is between 2 and 253.
676 	 */
677 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
678 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
679 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
680 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
681 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
682 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
683 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
684 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
685 						  IEEE80211_QOS_MAP_LEN_MIN,
686 						  IEEE80211_QOS_MAP_LEN_MAX),
687 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
688 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
689 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
690 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
691 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
692 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
693 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
694 	[NL80211_ATTR_USER_PRIO] =
695 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
696 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
697 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
698 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
699 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
700 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
701 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
702 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
703 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
706 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
707 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
708 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
709 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
710 	},
711 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
712 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
713 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
714 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
715 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
716 				    .len = FILS_MAX_KEK_LEN },
717 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
718 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
719 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
720 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
721 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
722 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
723 	},
724 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
725 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
726 					     .len = FILS_ERP_MAX_USERNAME_LEN },
727 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
728 					  .len = FILS_ERP_MAX_REALM_LEN },
729 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
730 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
731 					.len = FILS_ERP_MAX_RRK_LEN },
732 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
733 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
734 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
735 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
736 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
737 
738 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
739 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
740 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
741 	[NL80211_ATTR_HE_CAPABILITY] =
742 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
743 				       NL80211_HE_MAX_CAPABILITY_LEN),
744 	[NL80211_ATTR_FTM_RESPONDER] =
745 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
746 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
747 	[NL80211_ATTR_PEER_MEASUREMENTS] =
748 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
749 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
750 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
751 					.len = SAE_PASSWORD_MAX_LEN },
752 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
753 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
754 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
755 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
756 	[NL80211_ATTR_TID_CONFIG] =
757 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
758 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
759 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
760 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
761 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
762 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
763 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
764 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
765 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
766 	[NL80211_ATTR_FILS_DISCOVERY] =
767 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
768 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
769 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
770 	[NL80211_ATTR_S1G_CAPABILITY] =
771 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
772 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
773 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
774 	[NL80211_ATTR_SAE_PWE] =
775 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
776 				 NL80211_SAE_PWE_BOTH),
777 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
778 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
779 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
780 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
781 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
782 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
783 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
784 	[NL80211_ATTR_MBSSID_CONFIG] =
785 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
786 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
787 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
789 	[NL80211_ATTR_EHT_CAPABILITY] =
790 		NLA_POLICY_RANGE(NLA_BINARY,
791 				 NL80211_EHT_MIN_CAPABILITY_LEN,
792 				 NL80211_EHT_MAX_CAPABILITY_LEN),
793 };
794 
795 /* policy for the key attributes */
796 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
797 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
798 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
799 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
800 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
801 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
802 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
803 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
804 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
805 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
806 };
807 
808 /* policy for the key default flags */
809 static const struct nla_policy
810 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
811 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
812 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
813 };
814 
815 #ifdef CONFIG_PM
816 /* policy for WoWLAN attributes */
817 static const struct nla_policy
818 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
819 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
820 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
821 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
822 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
823 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
824 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
825 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
826 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
827 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
828 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
829 };
830 
831 static const struct nla_policy
832 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
833 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
834 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
835 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
836 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
837 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
838 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
839 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
840 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
841 	},
842 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
843 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
844 	},
845 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
846 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
847 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
848 };
849 #endif /* CONFIG_PM */
850 
851 /* policy for coalesce rule attributes */
852 static const struct nla_policy
853 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
854 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
855 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
856 		NLA_POLICY_RANGE(NLA_U32,
857 				 NL80211_COALESCE_CONDITION_MATCH,
858 				 NL80211_COALESCE_CONDITION_NO_MATCH),
859 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
860 };
861 
862 /* policy for GTK rekey offload attributes */
863 static const struct nla_policy
864 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
865 	[NL80211_REKEY_DATA_KEK] = {
866 		.type = NLA_BINARY,
867 		.len = NL80211_KEK_EXT_LEN
868 	},
869 	[NL80211_REKEY_DATA_KCK] = {
870 		.type = NLA_BINARY,
871 		.len = NL80211_KCK_EXT_LEN
872 	},
873 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
874 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
875 };
876 
877 static const struct nla_policy
878 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
879 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
880 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
881 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
882 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
883 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
884 };
885 
886 static const struct nla_policy
887 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
888 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
889 						 .len = IEEE80211_MAX_SSID_LEN },
890 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
891 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
892 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
893 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
894 };
895 
896 static const struct nla_policy
897 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
898 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
899 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
900 };
901 
902 static const struct nla_policy
903 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
904 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
905 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
906 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
907 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
908 	},
909 };
910 
911 /* policy for NAN function attributes */
912 static const struct nla_policy
913 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
914 	[NL80211_NAN_FUNC_TYPE] =
915 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
916 	[NL80211_NAN_FUNC_SERVICE_ID] = {
917 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
918 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
919 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
920 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
921 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
922 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
923 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
924 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
925 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
926 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
927 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
928 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
929 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
930 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
931 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
932 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
933 };
934 
935 /* policy for Service Response Filter attributes */
936 static const struct nla_policy
937 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
938 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
939 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
940 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
941 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
942 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
943 };
944 
945 /* policy for packet pattern attributes */
946 static const struct nla_policy
947 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
948 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
949 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
950 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
951 };
952 
953 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
954 				     struct cfg80211_registered_device **rdev,
955 				     struct wireless_dev **wdev,
956 				     struct nlattr **attrbuf)
957 {
958 	int err;
959 
960 	if (!cb->args[0]) {
961 		struct nlattr **attrbuf_free = NULL;
962 
963 		if (!attrbuf) {
964 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
965 					  GFP_KERNEL);
966 			if (!attrbuf)
967 				return -ENOMEM;
968 			attrbuf_free = attrbuf;
969 		}
970 
971 		err = nlmsg_parse_deprecated(cb->nlh,
972 					     GENL_HDRLEN + nl80211_fam.hdrsize,
973 					     attrbuf, nl80211_fam.maxattr,
974 					     nl80211_policy, NULL);
975 		if (err) {
976 			kfree(attrbuf_free);
977 			return err;
978 		}
979 
980 		rtnl_lock();
981 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
982 						   attrbuf);
983 		kfree(attrbuf_free);
984 		if (IS_ERR(*wdev)) {
985 			rtnl_unlock();
986 			return PTR_ERR(*wdev);
987 		}
988 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
989 		mutex_lock(&(*rdev)->wiphy.mtx);
990 		rtnl_unlock();
991 		/* 0 is the first index - add 1 to parse only once */
992 		cb->args[0] = (*rdev)->wiphy_idx + 1;
993 		cb->args[1] = (*wdev)->identifier;
994 	} else {
995 		/* subtract the 1 again here */
996 		struct wiphy *wiphy;
997 		struct wireless_dev *tmp;
998 
999 		rtnl_lock();
1000 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1001 		if (!wiphy) {
1002 			rtnl_unlock();
1003 			return -ENODEV;
1004 		}
1005 		*rdev = wiphy_to_rdev(wiphy);
1006 		*wdev = NULL;
1007 
1008 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1009 			if (tmp->identifier == cb->args[1]) {
1010 				*wdev = tmp;
1011 				break;
1012 			}
1013 		}
1014 
1015 		if (!*wdev) {
1016 			rtnl_unlock();
1017 			return -ENODEV;
1018 		}
1019 		mutex_lock(&(*rdev)->wiphy.mtx);
1020 		rtnl_unlock();
1021 	}
1022 
1023 	return 0;
1024 }
1025 
1026 /* message building helper */
1027 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1028 		     int flags, u8 cmd)
1029 {
1030 	/* since there is no private header just add the generic one */
1031 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1032 }
1033 
1034 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1035 				     const struct ieee80211_reg_rule *rule)
1036 {
1037 	int j;
1038 	struct nlattr *nl_wmm_rules =
1039 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1040 
1041 	if (!nl_wmm_rules)
1042 		goto nla_put_failure;
1043 
1044 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1045 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1046 
1047 		if (!nl_wmm_rule)
1048 			goto nla_put_failure;
1049 
1050 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1051 				rule->wmm_rule.client[j].cw_min) ||
1052 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1053 				rule->wmm_rule.client[j].cw_max) ||
1054 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1055 			       rule->wmm_rule.client[j].aifsn) ||
1056 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1057 			        rule->wmm_rule.client[j].cot))
1058 			goto nla_put_failure;
1059 
1060 		nla_nest_end(msg, nl_wmm_rule);
1061 	}
1062 	nla_nest_end(msg, nl_wmm_rules);
1063 
1064 	return 0;
1065 
1066 nla_put_failure:
1067 	return -ENOBUFS;
1068 }
1069 
1070 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1071 				   struct ieee80211_channel *chan,
1072 				   bool large)
1073 {
1074 	/* Some channels must be completely excluded from the
1075 	 * list to protect old user-space tools from breaking
1076 	 */
1077 	if (!large && chan->flags &
1078 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1079 		return 0;
1080 	if (!large && chan->freq_offset)
1081 		return 0;
1082 
1083 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1084 			chan->center_freq))
1085 		goto nla_put_failure;
1086 
1087 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1088 		goto nla_put_failure;
1089 
1090 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1091 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1092 		goto nla_put_failure;
1093 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1094 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1095 			goto nla_put_failure;
1096 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1097 			goto nla_put_failure;
1098 	}
1099 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1100 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1101 			goto nla_put_failure;
1102 		if (large) {
1103 			u32 time;
1104 
1105 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1106 
1107 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1108 					chan->dfs_state))
1109 				goto nla_put_failure;
1110 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1111 					time))
1112 				goto nla_put_failure;
1113 			if (nla_put_u32(msg,
1114 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1115 					chan->dfs_cac_ms))
1116 				goto nla_put_failure;
1117 		}
1118 	}
1119 
1120 	if (large) {
1121 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1122 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1123 			goto nla_put_failure;
1124 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1125 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1126 			goto nla_put_failure;
1127 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1128 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1129 			goto nla_put_failure;
1130 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1131 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1132 			goto nla_put_failure;
1133 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1134 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1135 			goto nla_put_failure;
1136 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1137 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1138 			goto nla_put_failure;
1139 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1140 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1141 			goto nla_put_failure;
1142 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1143 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1144 			goto nla_put_failure;
1145 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1146 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1147 			goto nla_put_failure;
1148 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1150 			goto nla_put_failure;
1151 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1152 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1153 			goto nla_put_failure;
1154 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1168 			goto nla_put_failure;
1169 	}
1170 
1171 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1172 			DBM_TO_MBM(chan->max_power)))
1173 		goto nla_put_failure;
1174 
1175 	if (large) {
1176 		const struct ieee80211_reg_rule *rule =
1177 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1178 
1179 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1180 			if (nl80211_msg_put_wmm_rules(msg, rule))
1181 				goto nla_put_failure;
1182 		}
1183 	}
1184 
1185 	return 0;
1186 
1187  nla_put_failure:
1188 	return -ENOBUFS;
1189 }
1190 
1191 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1192 				  struct cfg80211_txq_stats *txqstats,
1193 				  int attrtype)
1194 {
1195 	struct nlattr *txqattr;
1196 
1197 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1198 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1199 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1200 		return false;						  \
1201 	} while (0)
1202 
1203 	txqattr = nla_nest_start_noflag(msg, attrtype);
1204 	if (!txqattr)
1205 		return false;
1206 
1207 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1208 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1209 	PUT_TXQVAL_U32(FLOWS, flows);
1210 	PUT_TXQVAL_U32(DROPS, drops);
1211 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1212 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1213 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1214 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1215 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1216 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1217 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1218 	nla_nest_end(msg, txqattr);
1219 
1220 #undef PUT_TXQVAL_U32
1221 	return true;
1222 }
1223 
1224 /* netlink command implementations */
1225 
1226 struct key_parse {
1227 	struct key_params p;
1228 	int idx;
1229 	int type;
1230 	bool def, defmgmt, defbeacon;
1231 	bool def_uni, def_multi;
1232 };
1233 
1234 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1235 				 struct key_parse *k)
1236 {
1237 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1238 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1239 					      nl80211_key_policy,
1240 					      info->extack);
1241 	if (err)
1242 		return err;
1243 
1244 	k->def = !!tb[NL80211_KEY_DEFAULT];
1245 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1246 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1247 
1248 	if (k->def) {
1249 		k->def_uni = true;
1250 		k->def_multi = true;
1251 	}
1252 	if (k->defmgmt || k->defbeacon)
1253 		k->def_multi = true;
1254 
1255 	if (tb[NL80211_KEY_IDX])
1256 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1257 
1258 	if (tb[NL80211_KEY_DATA]) {
1259 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1260 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1261 	}
1262 
1263 	if (tb[NL80211_KEY_SEQ]) {
1264 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1265 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1266 	}
1267 
1268 	if (tb[NL80211_KEY_CIPHER])
1269 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1270 
1271 	if (tb[NL80211_KEY_TYPE])
1272 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1273 
1274 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1275 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1276 
1277 		err = nla_parse_nested_deprecated(kdt,
1278 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1279 						  tb[NL80211_KEY_DEFAULT_TYPES],
1280 						  nl80211_key_default_policy,
1281 						  info->extack);
1282 		if (err)
1283 			return err;
1284 
1285 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1286 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1287 	}
1288 
1289 	if (tb[NL80211_KEY_MODE])
1290 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1291 
1292 	return 0;
1293 }
1294 
1295 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1296 {
1297 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1298 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1299 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1300 	}
1301 
1302 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1303 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1304 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1305 	}
1306 
1307 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1308 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1309 
1310 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1311 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1312 
1313 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1314 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1315 
1316 	if (k->def) {
1317 		k->def_uni = true;
1318 		k->def_multi = true;
1319 	}
1320 	if (k->defmgmt)
1321 		k->def_multi = true;
1322 
1323 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1324 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1325 
1326 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1327 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1328 		int err = nla_parse_nested_deprecated(kdt,
1329 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1330 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1331 						      nl80211_key_default_policy,
1332 						      info->extack);
1333 		if (err)
1334 			return err;
1335 
1336 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1337 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1338 	}
1339 
1340 	return 0;
1341 }
1342 
1343 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1344 {
1345 	int err;
1346 
1347 	memset(k, 0, sizeof(*k));
1348 	k->idx = -1;
1349 	k->type = -1;
1350 
1351 	if (info->attrs[NL80211_ATTR_KEY])
1352 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1353 	else
1354 		err = nl80211_parse_key_old(info, k);
1355 
1356 	if (err)
1357 		return err;
1358 
1359 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1360 	    (k->defbeacon ? 1 : 0) > 1) {
1361 		GENL_SET_ERR_MSG(info,
1362 				 "key with multiple default flags is invalid");
1363 		return -EINVAL;
1364 	}
1365 
1366 	if (k->defmgmt || k->defbeacon) {
1367 		if (k->def_uni || !k->def_multi) {
1368 			GENL_SET_ERR_MSG(info,
1369 					 "defmgmt/defbeacon key must be mcast");
1370 			return -EINVAL;
1371 		}
1372 	}
1373 
1374 	if (k->idx != -1) {
1375 		if (k->defmgmt) {
1376 			if (k->idx < 4 || k->idx > 5) {
1377 				GENL_SET_ERR_MSG(info,
1378 						 "defmgmt key idx not 4 or 5");
1379 				return -EINVAL;
1380 			}
1381 		} else if (k->defbeacon) {
1382 			if (k->idx < 6 || k->idx > 7) {
1383 				GENL_SET_ERR_MSG(info,
1384 						 "defbeacon key idx not 6 or 7");
1385 				return -EINVAL;
1386 			}
1387 		} else if (k->def) {
1388 			if (k->idx < 0 || k->idx > 3) {
1389 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1390 				return -EINVAL;
1391 			}
1392 		} else {
1393 			if (k->idx < 0 || k->idx > 7) {
1394 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1395 				return -EINVAL;
1396 			}
1397 		}
1398 	}
1399 
1400 	return 0;
1401 }
1402 
1403 static struct cfg80211_cached_keys *
1404 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1405 		       struct genl_info *info, bool *no_ht)
1406 {
1407 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1408 	struct key_parse parse;
1409 	struct nlattr *key;
1410 	struct cfg80211_cached_keys *result;
1411 	int rem, err, def = 0;
1412 	bool have_key = false;
1413 
1414 	nla_for_each_nested(key, keys, rem) {
1415 		have_key = true;
1416 		break;
1417 	}
1418 
1419 	if (!have_key)
1420 		return NULL;
1421 
1422 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1423 	if (!result)
1424 		return ERR_PTR(-ENOMEM);
1425 
1426 	result->def = -1;
1427 
1428 	nla_for_each_nested(key, keys, rem) {
1429 		memset(&parse, 0, sizeof(parse));
1430 		parse.idx = -1;
1431 
1432 		err = nl80211_parse_key_new(info, key, &parse);
1433 		if (err)
1434 			goto error;
1435 		err = -EINVAL;
1436 		if (!parse.p.key)
1437 			goto error;
1438 		if (parse.idx < 0 || parse.idx > 3) {
1439 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1440 			goto error;
1441 		}
1442 		if (parse.def) {
1443 			if (def) {
1444 				GENL_SET_ERR_MSG(info,
1445 						 "only one key can be default");
1446 				goto error;
1447 			}
1448 			def = 1;
1449 			result->def = parse.idx;
1450 			if (!parse.def_uni || !parse.def_multi)
1451 				goto error;
1452 		} else if (parse.defmgmt)
1453 			goto error;
1454 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1455 						     parse.idx, false, NULL);
1456 		if (err)
1457 			goto error;
1458 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1459 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1460 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1461 			err = -EINVAL;
1462 			goto error;
1463 		}
1464 		result->params[parse.idx].cipher = parse.p.cipher;
1465 		result->params[parse.idx].key_len = parse.p.key_len;
1466 		result->params[parse.idx].key = result->data[parse.idx];
1467 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1468 
1469 		/* must be WEP key if we got here */
1470 		if (no_ht)
1471 			*no_ht = true;
1472 	}
1473 
1474 	if (result->def < 0) {
1475 		err = -EINVAL;
1476 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1477 		goto error;
1478 	}
1479 
1480 	return result;
1481  error:
1482 	kfree(result);
1483 	return ERR_PTR(err);
1484 }
1485 
1486 static int nl80211_key_allowed(struct wireless_dev *wdev)
1487 {
1488 	ASSERT_WDEV_LOCK(wdev);
1489 
1490 	switch (wdev->iftype) {
1491 	case NL80211_IFTYPE_AP:
1492 	case NL80211_IFTYPE_AP_VLAN:
1493 	case NL80211_IFTYPE_P2P_GO:
1494 	case NL80211_IFTYPE_MESH_POINT:
1495 		break;
1496 	case NL80211_IFTYPE_ADHOC:
1497 	case NL80211_IFTYPE_STATION:
1498 	case NL80211_IFTYPE_P2P_CLIENT:
1499 		if (!wdev->current_bss)
1500 			return -ENOLINK;
1501 		break;
1502 	case NL80211_IFTYPE_UNSPECIFIED:
1503 	case NL80211_IFTYPE_OCB:
1504 	case NL80211_IFTYPE_MONITOR:
1505 	case NL80211_IFTYPE_NAN:
1506 	case NL80211_IFTYPE_P2P_DEVICE:
1507 	case NL80211_IFTYPE_WDS:
1508 	case NUM_NL80211_IFTYPES:
1509 		return -EINVAL;
1510 	}
1511 
1512 	return 0;
1513 }
1514 
1515 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1516 							u32 freq)
1517 {
1518 	struct ieee80211_channel *chan;
1519 
1520 	chan = ieee80211_get_channel_khz(wiphy, freq);
1521 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1522 		return NULL;
1523 	return chan;
1524 }
1525 
1526 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1527 {
1528 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1529 	int i;
1530 
1531 	if (!nl_modes)
1532 		goto nla_put_failure;
1533 
1534 	i = 0;
1535 	while (ifmodes) {
1536 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1537 			goto nla_put_failure;
1538 		ifmodes >>= 1;
1539 		i++;
1540 	}
1541 
1542 	nla_nest_end(msg, nl_modes);
1543 	return 0;
1544 
1545 nla_put_failure:
1546 	return -ENOBUFS;
1547 }
1548 
1549 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1550 					  struct sk_buff *msg,
1551 					  bool large)
1552 {
1553 	struct nlattr *nl_combis;
1554 	int i, j;
1555 
1556 	nl_combis = nla_nest_start_noflag(msg,
1557 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1558 	if (!nl_combis)
1559 		goto nla_put_failure;
1560 
1561 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1562 		const struct ieee80211_iface_combination *c;
1563 		struct nlattr *nl_combi, *nl_limits;
1564 
1565 		c = &wiphy->iface_combinations[i];
1566 
1567 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1568 		if (!nl_combi)
1569 			goto nla_put_failure;
1570 
1571 		nl_limits = nla_nest_start_noflag(msg,
1572 						  NL80211_IFACE_COMB_LIMITS);
1573 		if (!nl_limits)
1574 			goto nla_put_failure;
1575 
1576 		for (j = 0; j < c->n_limits; j++) {
1577 			struct nlattr *nl_limit;
1578 
1579 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1580 			if (!nl_limit)
1581 				goto nla_put_failure;
1582 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1583 					c->limits[j].max))
1584 				goto nla_put_failure;
1585 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1586 						c->limits[j].types))
1587 				goto nla_put_failure;
1588 			nla_nest_end(msg, nl_limit);
1589 		}
1590 
1591 		nla_nest_end(msg, nl_limits);
1592 
1593 		if (c->beacon_int_infra_match &&
1594 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1595 			goto nla_put_failure;
1596 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1597 				c->num_different_channels) ||
1598 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1599 				c->max_interfaces))
1600 			goto nla_put_failure;
1601 		if (large &&
1602 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1603 				c->radar_detect_widths) ||
1604 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1605 				c->radar_detect_regions)))
1606 			goto nla_put_failure;
1607 		if (c->beacon_int_min_gcd &&
1608 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1609 				c->beacon_int_min_gcd))
1610 			goto nla_put_failure;
1611 
1612 		nla_nest_end(msg, nl_combi);
1613 	}
1614 
1615 	nla_nest_end(msg, nl_combis);
1616 
1617 	return 0;
1618 nla_put_failure:
1619 	return -ENOBUFS;
1620 }
1621 
1622 #ifdef CONFIG_PM
1623 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1624 					struct sk_buff *msg)
1625 {
1626 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1627 	struct nlattr *nl_tcp;
1628 
1629 	if (!tcp)
1630 		return 0;
1631 
1632 	nl_tcp = nla_nest_start_noflag(msg,
1633 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1634 	if (!nl_tcp)
1635 		return -ENOBUFS;
1636 
1637 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1638 			tcp->data_payload_max))
1639 		return -ENOBUFS;
1640 
1641 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1642 			tcp->data_payload_max))
1643 		return -ENOBUFS;
1644 
1645 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1646 		return -ENOBUFS;
1647 
1648 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1649 				sizeof(*tcp->tok), tcp->tok))
1650 		return -ENOBUFS;
1651 
1652 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1653 			tcp->data_interval_max))
1654 		return -ENOBUFS;
1655 
1656 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1657 			tcp->wake_payload_max))
1658 		return -ENOBUFS;
1659 
1660 	nla_nest_end(msg, nl_tcp);
1661 	return 0;
1662 }
1663 
1664 static int nl80211_send_wowlan(struct sk_buff *msg,
1665 			       struct cfg80211_registered_device *rdev,
1666 			       bool large)
1667 {
1668 	struct nlattr *nl_wowlan;
1669 
1670 	if (!rdev->wiphy.wowlan)
1671 		return 0;
1672 
1673 	nl_wowlan = nla_nest_start_noflag(msg,
1674 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1675 	if (!nl_wowlan)
1676 		return -ENOBUFS;
1677 
1678 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1679 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1680 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1681 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1682 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1683 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1684 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1685 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1686 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1687 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1688 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1689 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1690 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1691 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1692 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1693 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1694 		return -ENOBUFS;
1695 
1696 	if (rdev->wiphy.wowlan->n_patterns) {
1697 		struct nl80211_pattern_support pat = {
1698 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1699 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1700 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1701 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1702 		};
1703 
1704 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1705 			    sizeof(pat), &pat))
1706 			return -ENOBUFS;
1707 	}
1708 
1709 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1710 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1711 			rdev->wiphy.wowlan->max_nd_match_sets))
1712 		return -ENOBUFS;
1713 
1714 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1715 		return -ENOBUFS;
1716 
1717 	nla_nest_end(msg, nl_wowlan);
1718 
1719 	return 0;
1720 }
1721 #endif
1722 
1723 static int nl80211_send_coalesce(struct sk_buff *msg,
1724 				 struct cfg80211_registered_device *rdev)
1725 {
1726 	struct nl80211_coalesce_rule_support rule;
1727 
1728 	if (!rdev->wiphy.coalesce)
1729 		return 0;
1730 
1731 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1732 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1733 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1734 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1735 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1736 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1737 
1738 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1739 		return -ENOBUFS;
1740 
1741 	return 0;
1742 }
1743 
1744 static int
1745 nl80211_send_iftype_data(struct sk_buff *msg,
1746 			 const struct ieee80211_supported_band *sband,
1747 			 const struct ieee80211_sband_iftype_data *iftdata)
1748 {
1749 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1750 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1751 
1752 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1753 				iftdata->types_mask))
1754 		return -ENOBUFS;
1755 
1756 	if (he_cap->has_he) {
1757 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1758 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1759 			    he_cap->he_cap_elem.mac_cap_info) ||
1760 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1761 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1762 			    he_cap->he_cap_elem.phy_cap_info) ||
1763 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1764 			    sizeof(he_cap->he_mcs_nss_supp),
1765 			    &he_cap->he_mcs_nss_supp) ||
1766 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1767 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1768 			return -ENOBUFS;
1769 	}
1770 
1771 	if (eht_cap->has_eht && he_cap->has_he) {
1772 		u8 mcs_nss_size, ppe_thresh_size;
1773 		u16 ppe_thres_hdr;
1774 
1775 		mcs_nss_size =
1776 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1777 						   &eht_cap->eht_cap_elem);
1778 
1779 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1780 		ppe_thresh_size =
1781 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1782 					       eht_cap->eht_cap_elem.phy_cap_info);
1783 
1784 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1785 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1786 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1787 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1788 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1789 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1790 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1791 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1792 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1793 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1794 			return -ENOBUFS;
1795 	}
1796 
1797 	if (sband->band == NL80211_BAND_6GHZ &&
1798 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1799 		    sizeof(iftdata->he_6ghz_capa),
1800 		    &iftdata->he_6ghz_capa))
1801 		return -ENOBUFS;
1802 
1803 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1804 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1805 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1806 		return -ENOBUFS;
1807 
1808 	return 0;
1809 }
1810 
1811 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1812 				      struct ieee80211_supported_band *sband,
1813 				      bool large)
1814 {
1815 	struct nlattr *nl_rates, *nl_rate;
1816 	struct ieee80211_rate *rate;
1817 	int i;
1818 
1819 	/* add HT info */
1820 	if (sband->ht_cap.ht_supported &&
1821 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1822 		     sizeof(sband->ht_cap.mcs),
1823 		     &sband->ht_cap.mcs) ||
1824 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1825 			 sband->ht_cap.cap) ||
1826 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1827 			sband->ht_cap.ampdu_factor) ||
1828 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1829 			sband->ht_cap.ampdu_density)))
1830 		return -ENOBUFS;
1831 
1832 	/* add VHT info */
1833 	if (sband->vht_cap.vht_supported &&
1834 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1835 		     sizeof(sband->vht_cap.vht_mcs),
1836 		     &sband->vht_cap.vht_mcs) ||
1837 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1838 			 sband->vht_cap.cap)))
1839 		return -ENOBUFS;
1840 
1841 	if (large && sband->n_iftype_data) {
1842 		struct nlattr *nl_iftype_data =
1843 			nla_nest_start_noflag(msg,
1844 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1845 		int err;
1846 
1847 		if (!nl_iftype_data)
1848 			return -ENOBUFS;
1849 
1850 		for (i = 0; i < sband->n_iftype_data; i++) {
1851 			struct nlattr *iftdata;
1852 
1853 			iftdata = nla_nest_start_noflag(msg, i + 1);
1854 			if (!iftdata)
1855 				return -ENOBUFS;
1856 
1857 			err = nl80211_send_iftype_data(msg, sband,
1858 						       &sband->iftype_data[i]);
1859 			if (err)
1860 				return err;
1861 
1862 			nla_nest_end(msg, iftdata);
1863 		}
1864 
1865 		nla_nest_end(msg, nl_iftype_data);
1866 	}
1867 
1868 	/* add EDMG info */
1869 	if (large && sband->edmg_cap.channels &&
1870 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1871 		       sband->edmg_cap.channels) ||
1872 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1873 		       sband->edmg_cap.bw_config)))
1874 
1875 		return -ENOBUFS;
1876 
1877 	/* add bitrates */
1878 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1879 	if (!nl_rates)
1880 		return -ENOBUFS;
1881 
1882 	for (i = 0; i < sband->n_bitrates; i++) {
1883 		nl_rate = nla_nest_start_noflag(msg, i);
1884 		if (!nl_rate)
1885 			return -ENOBUFS;
1886 
1887 		rate = &sband->bitrates[i];
1888 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1889 				rate->bitrate))
1890 			return -ENOBUFS;
1891 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1892 		    nla_put_flag(msg,
1893 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1894 			return -ENOBUFS;
1895 
1896 		nla_nest_end(msg, nl_rate);
1897 	}
1898 
1899 	nla_nest_end(msg, nl_rates);
1900 
1901 	return 0;
1902 }
1903 
1904 static int
1905 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1906 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1907 {
1908 	u16 stypes;
1909 	struct nlattr *nl_ftypes, *nl_ifs;
1910 	enum nl80211_iftype ift;
1911 	int i;
1912 
1913 	if (!mgmt_stypes)
1914 		return 0;
1915 
1916 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1917 	if (!nl_ifs)
1918 		return -ENOBUFS;
1919 
1920 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1921 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1922 		if (!nl_ftypes)
1923 			return -ENOBUFS;
1924 		i = 0;
1925 		stypes = mgmt_stypes[ift].tx;
1926 		while (stypes) {
1927 			if ((stypes & 1) &&
1928 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1929 					(i << 4) | IEEE80211_FTYPE_MGMT))
1930 				return -ENOBUFS;
1931 			stypes >>= 1;
1932 			i++;
1933 		}
1934 		nla_nest_end(msg, nl_ftypes);
1935 	}
1936 
1937 	nla_nest_end(msg, nl_ifs);
1938 
1939 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1940 	if (!nl_ifs)
1941 		return -ENOBUFS;
1942 
1943 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1944 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1945 		if (!nl_ftypes)
1946 			return -ENOBUFS;
1947 		i = 0;
1948 		stypes = mgmt_stypes[ift].rx;
1949 		while (stypes) {
1950 			if ((stypes & 1) &&
1951 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1952 					(i << 4) | IEEE80211_FTYPE_MGMT))
1953 				return -ENOBUFS;
1954 			stypes >>= 1;
1955 			i++;
1956 		}
1957 		nla_nest_end(msg, nl_ftypes);
1958 	}
1959 	nla_nest_end(msg, nl_ifs);
1960 
1961 	return 0;
1962 }
1963 
1964 #define CMD(op, n)							\
1965 	 do {								\
1966 		if (rdev->ops->op) {					\
1967 			i++;						\
1968 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1969 				goto nla_put_failure;			\
1970 		}							\
1971 	} while (0)
1972 
1973 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1974 					struct sk_buff *msg)
1975 {
1976 	int i = 0;
1977 
1978 	/*
1979 	 * do *NOT* add anything into this function, new things need to be
1980 	 * advertised only to new versions of userspace that can deal with
1981 	 * the split (and they can't possibly care about new features...
1982 	 */
1983 	CMD(add_virtual_intf, NEW_INTERFACE);
1984 	CMD(change_virtual_intf, SET_INTERFACE);
1985 	CMD(add_key, NEW_KEY);
1986 	CMD(start_ap, START_AP);
1987 	CMD(add_station, NEW_STATION);
1988 	CMD(add_mpath, NEW_MPATH);
1989 	CMD(update_mesh_config, SET_MESH_CONFIG);
1990 	CMD(change_bss, SET_BSS);
1991 	CMD(auth, AUTHENTICATE);
1992 	CMD(assoc, ASSOCIATE);
1993 	CMD(deauth, DEAUTHENTICATE);
1994 	CMD(disassoc, DISASSOCIATE);
1995 	CMD(join_ibss, JOIN_IBSS);
1996 	CMD(join_mesh, JOIN_MESH);
1997 	CMD(set_pmksa, SET_PMKSA);
1998 	CMD(del_pmksa, DEL_PMKSA);
1999 	CMD(flush_pmksa, FLUSH_PMKSA);
2000 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2001 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2002 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2003 	CMD(mgmt_tx, FRAME);
2004 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2005 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2006 		i++;
2007 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2008 			goto nla_put_failure;
2009 	}
2010 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2011 	    rdev->ops->join_mesh) {
2012 		i++;
2013 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2014 			goto nla_put_failure;
2015 	}
2016 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2017 		CMD(tdls_mgmt, TDLS_MGMT);
2018 		CMD(tdls_oper, TDLS_OPER);
2019 	}
2020 	if (rdev->wiphy.max_sched_scan_reqs)
2021 		CMD(sched_scan_start, START_SCHED_SCAN);
2022 	CMD(probe_client, PROBE_CLIENT);
2023 	CMD(set_noack_map, SET_NOACK_MAP);
2024 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2025 		i++;
2026 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2027 			goto nla_put_failure;
2028 	}
2029 	CMD(start_p2p_device, START_P2P_DEVICE);
2030 	CMD(set_mcast_rate, SET_MCAST_RATE);
2031 #ifdef CONFIG_NL80211_TESTMODE
2032 	CMD(testmode_cmd, TESTMODE);
2033 #endif
2034 
2035 	if (rdev->ops->connect || rdev->ops->auth) {
2036 		i++;
2037 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2038 			goto nla_put_failure;
2039 	}
2040 
2041 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2042 		i++;
2043 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2044 			goto nla_put_failure;
2045 	}
2046 
2047 	return i;
2048  nla_put_failure:
2049 	return -ENOBUFS;
2050 }
2051 
2052 static int
2053 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2054 			   struct sk_buff *msg)
2055 {
2056 	struct nlattr *ftm;
2057 
2058 	if (!cap->ftm.supported)
2059 		return 0;
2060 
2061 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2062 	if (!ftm)
2063 		return -ENOBUFS;
2064 
2065 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2066 		return -ENOBUFS;
2067 	if (cap->ftm.non_asap &&
2068 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2069 		return -ENOBUFS;
2070 	if (cap->ftm.request_lci &&
2071 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2072 		return -ENOBUFS;
2073 	if (cap->ftm.request_civicloc &&
2074 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2075 		return -ENOBUFS;
2076 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2077 			cap->ftm.preambles))
2078 		return -ENOBUFS;
2079 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2080 			cap->ftm.bandwidths))
2081 		return -ENOBUFS;
2082 	if (cap->ftm.max_bursts_exponent >= 0 &&
2083 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2084 			cap->ftm.max_bursts_exponent))
2085 		return -ENOBUFS;
2086 	if (cap->ftm.max_ftms_per_burst &&
2087 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2088 			cap->ftm.max_ftms_per_burst))
2089 		return -ENOBUFS;
2090 	if (cap->ftm.trigger_based &&
2091 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2092 		return -ENOBUFS;
2093 	if (cap->ftm.non_trigger_based &&
2094 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2095 		return -ENOBUFS;
2096 
2097 	nla_nest_end(msg, ftm);
2098 	return 0;
2099 }
2100 
2101 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2102 				  struct sk_buff *msg)
2103 {
2104 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2105 	struct nlattr *pmsr, *caps;
2106 
2107 	if (!cap)
2108 		return 0;
2109 
2110 	/*
2111 	 * we don't need to clean up anything here since the caller
2112 	 * will genlmsg_cancel() if we fail
2113 	 */
2114 
2115 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2116 	if (!pmsr)
2117 		return -ENOBUFS;
2118 
2119 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2120 		return -ENOBUFS;
2121 
2122 	if (cap->report_ap_tsf &&
2123 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2124 		return -ENOBUFS;
2125 
2126 	if (cap->randomize_mac_addr &&
2127 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2128 		return -ENOBUFS;
2129 
2130 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2131 	if (!caps)
2132 		return -ENOBUFS;
2133 
2134 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2135 		return -ENOBUFS;
2136 
2137 	nla_nest_end(msg, caps);
2138 	nla_nest_end(msg, pmsr);
2139 
2140 	return 0;
2141 }
2142 
2143 static int
2144 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2145 			      struct sk_buff *msg)
2146 {
2147 	int i;
2148 	struct nlattr *nested, *nested_akms;
2149 	const struct wiphy_iftype_akm_suites *iftype_akms;
2150 
2151 	if (!rdev->wiphy.num_iftype_akm_suites ||
2152 	    !rdev->wiphy.iftype_akm_suites)
2153 		return 0;
2154 
2155 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2156 	if (!nested)
2157 		return -ENOBUFS;
2158 
2159 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2160 		nested_akms = nla_nest_start(msg, i + 1);
2161 		if (!nested_akms)
2162 			return -ENOBUFS;
2163 
2164 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2165 
2166 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2167 					iftype_akms->iftypes_mask))
2168 			return -ENOBUFS;
2169 
2170 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2171 			    sizeof(u32) * iftype_akms->n_akm_suites,
2172 			    iftype_akms->akm_suites)) {
2173 			return -ENOBUFS;
2174 		}
2175 		nla_nest_end(msg, nested_akms);
2176 	}
2177 
2178 	nla_nest_end(msg, nested);
2179 
2180 	return 0;
2181 }
2182 
2183 static int
2184 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2185 			       struct sk_buff *msg)
2186 {
2187 	struct nlattr *supp;
2188 
2189 	if (!rdev->wiphy.tid_config_support.vif &&
2190 	    !rdev->wiphy.tid_config_support.peer)
2191 		return 0;
2192 
2193 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2194 	if (!supp)
2195 		return -ENOSPC;
2196 
2197 	if (rdev->wiphy.tid_config_support.vif &&
2198 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2199 			      rdev->wiphy.tid_config_support.vif,
2200 			      NL80211_TID_CONFIG_ATTR_PAD))
2201 		goto fail;
2202 
2203 	if (rdev->wiphy.tid_config_support.peer &&
2204 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2205 			      rdev->wiphy.tid_config_support.peer,
2206 			      NL80211_TID_CONFIG_ATTR_PAD))
2207 		goto fail;
2208 
2209 	/* for now we just use the same value ... makes more sense */
2210 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2211 		       rdev->wiphy.tid_config_support.max_retry))
2212 		goto fail;
2213 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2214 		       rdev->wiphy.tid_config_support.max_retry))
2215 		goto fail;
2216 
2217 	nla_nest_end(msg, supp);
2218 
2219 	return 0;
2220 fail:
2221 	nla_nest_cancel(msg, supp);
2222 	return -ENOBUFS;
2223 }
2224 
2225 static int
2226 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2227 		      struct sk_buff *msg)
2228 {
2229 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2230 	u8 num_freq_ranges;
2231 	int i;
2232 
2233 	if (!rdev->wiphy.sar_capa)
2234 		return 0;
2235 
2236 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2237 
2238 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2239 	if (!sar_capa)
2240 		return -ENOSPC;
2241 
2242 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2243 		goto fail;
2244 
2245 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2246 	if (!specs)
2247 		goto fail;
2248 
2249 	/* report supported freq_ranges */
2250 	for (i = 0; i < num_freq_ranges; i++) {
2251 		sub_freq_range = nla_nest_start(msg, i + 1);
2252 		if (!sub_freq_range)
2253 			goto fail;
2254 
2255 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2256 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2257 			goto fail;
2258 
2259 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2260 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2261 			goto fail;
2262 
2263 		nla_nest_end(msg, sub_freq_range);
2264 	}
2265 
2266 	nla_nest_end(msg, specs);
2267 	nla_nest_end(msg, sar_capa);
2268 
2269 	return 0;
2270 fail:
2271 	nla_nest_cancel(msg, sar_capa);
2272 	return -ENOBUFS;
2273 }
2274 
2275 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2276 {
2277 	struct nlattr *config;
2278 
2279 	if (!wiphy->mbssid_max_interfaces)
2280 		return 0;
2281 
2282 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2283 	if (!config)
2284 		return -ENOBUFS;
2285 
2286 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2287 		       wiphy->mbssid_max_interfaces))
2288 		goto fail;
2289 
2290 	if (wiphy->ema_max_profile_periodicity &&
2291 	    nla_put_u8(msg,
2292 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2293 		       wiphy->ema_max_profile_periodicity))
2294 		goto fail;
2295 
2296 	nla_nest_end(msg, config);
2297 	return 0;
2298 
2299 fail:
2300 	nla_nest_cancel(msg, config);
2301 	return -ENOBUFS;
2302 }
2303 
2304 struct nl80211_dump_wiphy_state {
2305 	s64 filter_wiphy;
2306 	long start;
2307 	long split_start, band_start, chan_start, capa_start;
2308 	bool split;
2309 };
2310 
2311 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2312 			      enum nl80211_commands cmd,
2313 			      struct sk_buff *msg, u32 portid, u32 seq,
2314 			      int flags, struct nl80211_dump_wiphy_state *state)
2315 {
2316 	void *hdr;
2317 	struct nlattr *nl_bands, *nl_band;
2318 	struct nlattr *nl_freqs, *nl_freq;
2319 	struct nlattr *nl_cmds;
2320 	enum nl80211_band band;
2321 	struct ieee80211_channel *chan;
2322 	int i;
2323 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2324 				rdev->wiphy.mgmt_stypes;
2325 	u32 features;
2326 
2327 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2328 	if (!hdr)
2329 		return -ENOBUFS;
2330 
2331 	if (WARN_ON(!state))
2332 		return -EINVAL;
2333 
2334 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2335 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2336 			   wiphy_name(&rdev->wiphy)) ||
2337 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2338 			cfg80211_rdev_list_generation))
2339 		goto nla_put_failure;
2340 
2341 	if (cmd != NL80211_CMD_NEW_WIPHY)
2342 		goto finish;
2343 
2344 	switch (state->split_start) {
2345 	case 0:
2346 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2347 			       rdev->wiphy.retry_short) ||
2348 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2349 			       rdev->wiphy.retry_long) ||
2350 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2351 				rdev->wiphy.frag_threshold) ||
2352 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2353 				rdev->wiphy.rts_threshold) ||
2354 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2355 			       rdev->wiphy.coverage_class) ||
2356 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2357 			       rdev->wiphy.max_scan_ssids) ||
2358 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2359 			       rdev->wiphy.max_sched_scan_ssids) ||
2360 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2361 				rdev->wiphy.max_scan_ie_len) ||
2362 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2363 				rdev->wiphy.max_sched_scan_ie_len) ||
2364 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2365 			       rdev->wiphy.max_match_sets))
2366 			goto nla_put_failure;
2367 
2368 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2369 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2370 			goto nla_put_failure;
2371 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2372 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2373 			goto nla_put_failure;
2374 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2375 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2376 			goto nla_put_failure;
2377 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2378 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2379 			goto nla_put_failure;
2380 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2381 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2382 			goto nla_put_failure;
2383 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2384 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2385 			goto nla_put_failure;
2386 		state->split_start++;
2387 		if (state->split)
2388 			break;
2389 		fallthrough;
2390 	case 1:
2391 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2392 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2393 			    rdev->wiphy.cipher_suites))
2394 			goto nla_put_failure;
2395 
2396 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2397 			       rdev->wiphy.max_num_pmkids))
2398 			goto nla_put_failure;
2399 
2400 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2401 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2402 			goto nla_put_failure;
2403 
2404 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2405 				rdev->wiphy.available_antennas_tx) ||
2406 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2407 				rdev->wiphy.available_antennas_rx))
2408 			goto nla_put_failure;
2409 
2410 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2411 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2412 				rdev->wiphy.probe_resp_offload))
2413 			goto nla_put_failure;
2414 
2415 		if ((rdev->wiphy.available_antennas_tx ||
2416 		     rdev->wiphy.available_antennas_rx) &&
2417 		    rdev->ops->get_antenna) {
2418 			u32 tx_ant = 0, rx_ant = 0;
2419 			int res;
2420 
2421 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2422 			if (!res) {
2423 				if (nla_put_u32(msg,
2424 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2425 						tx_ant) ||
2426 				    nla_put_u32(msg,
2427 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2428 						rx_ant))
2429 					goto nla_put_failure;
2430 			}
2431 		}
2432 
2433 		state->split_start++;
2434 		if (state->split)
2435 			break;
2436 		fallthrough;
2437 	case 2:
2438 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2439 					rdev->wiphy.interface_modes))
2440 				goto nla_put_failure;
2441 		state->split_start++;
2442 		if (state->split)
2443 			break;
2444 		fallthrough;
2445 	case 3:
2446 		nl_bands = nla_nest_start_noflag(msg,
2447 						 NL80211_ATTR_WIPHY_BANDS);
2448 		if (!nl_bands)
2449 			goto nla_put_failure;
2450 
2451 		for (band = state->band_start;
2452 		     band < (state->split ?
2453 				NUM_NL80211_BANDS :
2454 				NL80211_BAND_60GHZ + 1);
2455 		     band++) {
2456 			struct ieee80211_supported_band *sband;
2457 
2458 			/* omit higher bands for ancient software */
2459 			if (band > NL80211_BAND_5GHZ && !state->split)
2460 				break;
2461 
2462 			sband = rdev->wiphy.bands[band];
2463 
2464 			if (!sband)
2465 				continue;
2466 
2467 			nl_band = nla_nest_start_noflag(msg, band);
2468 			if (!nl_band)
2469 				goto nla_put_failure;
2470 
2471 			switch (state->chan_start) {
2472 			case 0:
2473 				if (nl80211_send_band_rateinfo(msg, sband,
2474 							       state->split))
2475 					goto nla_put_failure;
2476 				state->chan_start++;
2477 				if (state->split)
2478 					break;
2479 				fallthrough;
2480 			default:
2481 				/* add frequencies */
2482 				nl_freqs = nla_nest_start_noflag(msg,
2483 								 NL80211_BAND_ATTR_FREQS);
2484 				if (!nl_freqs)
2485 					goto nla_put_failure;
2486 
2487 				for (i = state->chan_start - 1;
2488 				     i < sband->n_channels;
2489 				     i++) {
2490 					nl_freq = nla_nest_start_noflag(msg,
2491 									i);
2492 					if (!nl_freq)
2493 						goto nla_put_failure;
2494 
2495 					chan = &sband->channels[i];
2496 
2497 					if (nl80211_msg_put_channel(
2498 							msg, &rdev->wiphy, chan,
2499 							state->split))
2500 						goto nla_put_failure;
2501 
2502 					nla_nest_end(msg, nl_freq);
2503 					if (state->split)
2504 						break;
2505 				}
2506 				if (i < sband->n_channels)
2507 					state->chan_start = i + 2;
2508 				else
2509 					state->chan_start = 0;
2510 				nla_nest_end(msg, nl_freqs);
2511 			}
2512 
2513 			nla_nest_end(msg, nl_band);
2514 
2515 			if (state->split) {
2516 				/* start again here */
2517 				if (state->chan_start)
2518 					band--;
2519 				break;
2520 			}
2521 		}
2522 		nla_nest_end(msg, nl_bands);
2523 
2524 		if (band < NUM_NL80211_BANDS)
2525 			state->band_start = band + 1;
2526 		else
2527 			state->band_start = 0;
2528 
2529 		/* if bands & channels are done, continue outside */
2530 		if (state->band_start == 0 && state->chan_start == 0)
2531 			state->split_start++;
2532 		if (state->split)
2533 			break;
2534 		fallthrough;
2535 	case 4:
2536 		nl_cmds = nla_nest_start_noflag(msg,
2537 						NL80211_ATTR_SUPPORTED_COMMANDS);
2538 		if (!nl_cmds)
2539 			goto nla_put_failure;
2540 
2541 		i = nl80211_add_commands_unsplit(rdev, msg);
2542 		if (i < 0)
2543 			goto nla_put_failure;
2544 		if (state->split) {
2545 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2546 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2547 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2548 				CMD(channel_switch, CHANNEL_SWITCH);
2549 			CMD(set_qos_map, SET_QOS_MAP);
2550 			if (rdev->wiphy.features &
2551 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2552 				CMD(add_tx_ts, ADD_TX_TS);
2553 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2554 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2555 			CMD(update_ft_ies, UPDATE_FT_IES);
2556 			if (rdev->wiphy.sar_capa)
2557 				CMD(set_sar_specs, SET_SAR_SPECS);
2558 		}
2559 #undef CMD
2560 
2561 		nla_nest_end(msg, nl_cmds);
2562 		state->split_start++;
2563 		if (state->split)
2564 			break;
2565 		fallthrough;
2566 	case 5:
2567 		if (rdev->ops->remain_on_channel &&
2568 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2569 		    nla_put_u32(msg,
2570 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2571 				rdev->wiphy.max_remain_on_channel_duration))
2572 			goto nla_put_failure;
2573 
2574 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2575 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2576 			goto nla_put_failure;
2577 
2578 		state->split_start++;
2579 		if (state->split)
2580 			break;
2581 		fallthrough;
2582 	case 6:
2583 #ifdef CONFIG_PM
2584 		if (nl80211_send_wowlan(msg, rdev, state->split))
2585 			goto nla_put_failure;
2586 		state->split_start++;
2587 		if (state->split)
2588 			break;
2589 #else
2590 		state->split_start++;
2591 #endif
2592 		fallthrough;
2593 	case 7:
2594 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2595 					rdev->wiphy.software_iftypes))
2596 			goto nla_put_failure;
2597 
2598 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2599 						   state->split))
2600 			goto nla_put_failure;
2601 
2602 		state->split_start++;
2603 		if (state->split)
2604 			break;
2605 		fallthrough;
2606 	case 8:
2607 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2608 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2609 				rdev->wiphy.ap_sme_capa))
2610 			goto nla_put_failure;
2611 
2612 		features = rdev->wiphy.features;
2613 		/*
2614 		 * We can only add the per-channel limit information if the
2615 		 * dump is split, otherwise it makes it too big. Therefore
2616 		 * only advertise it in that case.
2617 		 */
2618 		if (state->split)
2619 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2620 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2621 			goto nla_put_failure;
2622 
2623 		if (rdev->wiphy.ht_capa_mod_mask &&
2624 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2625 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2626 			    rdev->wiphy.ht_capa_mod_mask))
2627 			goto nla_put_failure;
2628 
2629 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2630 		    rdev->wiphy.max_acl_mac_addrs &&
2631 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2632 				rdev->wiphy.max_acl_mac_addrs))
2633 			goto nla_put_failure;
2634 
2635 		/*
2636 		 * Any information below this point is only available to
2637 		 * applications that can deal with it being split. This
2638 		 * helps ensure that newly added capabilities don't break
2639 		 * older tools by overrunning their buffers.
2640 		 *
2641 		 * We still increment split_start so that in the split
2642 		 * case we'll continue with more data in the next round,
2643 		 * but break unconditionally so unsplit data stops here.
2644 		 */
2645 		if (state->split)
2646 			state->split_start++;
2647 		else
2648 			state->split_start = 0;
2649 		break;
2650 	case 9:
2651 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2652 			goto nla_put_failure;
2653 
2654 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2655 				rdev->wiphy.max_sched_scan_plans) ||
2656 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2657 				rdev->wiphy.max_sched_scan_plan_interval) ||
2658 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2659 				rdev->wiphy.max_sched_scan_plan_iterations))
2660 			goto nla_put_failure;
2661 
2662 		if (rdev->wiphy.extended_capabilities &&
2663 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2664 			     rdev->wiphy.extended_capabilities_len,
2665 			     rdev->wiphy.extended_capabilities) ||
2666 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2667 			     rdev->wiphy.extended_capabilities_len,
2668 			     rdev->wiphy.extended_capabilities_mask)))
2669 			goto nla_put_failure;
2670 
2671 		if (rdev->wiphy.vht_capa_mod_mask &&
2672 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2673 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2674 			    rdev->wiphy.vht_capa_mod_mask))
2675 			goto nla_put_failure;
2676 
2677 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2678 			    rdev->wiphy.perm_addr))
2679 			goto nla_put_failure;
2680 
2681 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2682 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2683 			    rdev->wiphy.addr_mask))
2684 			goto nla_put_failure;
2685 
2686 		if (rdev->wiphy.n_addresses > 1) {
2687 			void *attr;
2688 
2689 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2690 			if (!attr)
2691 				goto nla_put_failure;
2692 
2693 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2694 				if (nla_put(msg, i + 1, ETH_ALEN,
2695 					    rdev->wiphy.addresses[i].addr))
2696 					goto nla_put_failure;
2697 
2698 			nla_nest_end(msg, attr);
2699 		}
2700 
2701 		state->split_start++;
2702 		break;
2703 	case 10:
2704 		if (nl80211_send_coalesce(msg, rdev))
2705 			goto nla_put_failure;
2706 
2707 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2708 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2709 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2710 			goto nla_put_failure;
2711 
2712 		if (rdev->wiphy.max_ap_assoc_sta &&
2713 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2714 				rdev->wiphy.max_ap_assoc_sta))
2715 			goto nla_put_failure;
2716 
2717 		state->split_start++;
2718 		break;
2719 	case 11:
2720 		if (rdev->wiphy.n_vendor_commands) {
2721 			const struct nl80211_vendor_cmd_info *info;
2722 			struct nlattr *nested;
2723 
2724 			nested = nla_nest_start_noflag(msg,
2725 						       NL80211_ATTR_VENDOR_DATA);
2726 			if (!nested)
2727 				goto nla_put_failure;
2728 
2729 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2730 				info = &rdev->wiphy.vendor_commands[i].info;
2731 				if (nla_put(msg, i + 1, sizeof(*info), info))
2732 					goto nla_put_failure;
2733 			}
2734 			nla_nest_end(msg, nested);
2735 		}
2736 
2737 		if (rdev->wiphy.n_vendor_events) {
2738 			const struct nl80211_vendor_cmd_info *info;
2739 			struct nlattr *nested;
2740 
2741 			nested = nla_nest_start_noflag(msg,
2742 						       NL80211_ATTR_VENDOR_EVENTS);
2743 			if (!nested)
2744 				goto nla_put_failure;
2745 
2746 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2747 				info = &rdev->wiphy.vendor_events[i];
2748 				if (nla_put(msg, i + 1, sizeof(*info), info))
2749 					goto nla_put_failure;
2750 			}
2751 			nla_nest_end(msg, nested);
2752 		}
2753 		state->split_start++;
2754 		break;
2755 	case 12:
2756 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2757 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2758 			       rdev->wiphy.max_num_csa_counters))
2759 			goto nla_put_failure;
2760 
2761 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2762 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2763 			goto nla_put_failure;
2764 
2765 		if (rdev->wiphy.max_sched_scan_reqs &&
2766 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2767 				rdev->wiphy.max_sched_scan_reqs))
2768 			goto nla_put_failure;
2769 
2770 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2771 			    sizeof(rdev->wiphy.ext_features),
2772 			    rdev->wiphy.ext_features))
2773 			goto nla_put_failure;
2774 
2775 		if (rdev->wiphy.bss_select_support) {
2776 			struct nlattr *nested;
2777 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2778 
2779 			nested = nla_nest_start_noflag(msg,
2780 						       NL80211_ATTR_BSS_SELECT);
2781 			if (!nested)
2782 				goto nla_put_failure;
2783 
2784 			i = 0;
2785 			while (bss_select_support) {
2786 				if ((bss_select_support & 1) &&
2787 				    nla_put_flag(msg, i))
2788 					goto nla_put_failure;
2789 				i++;
2790 				bss_select_support >>= 1;
2791 			}
2792 			nla_nest_end(msg, nested);
2793 		}
2794 
2795 		state->split_start++;
2796 		break;
2797 	case 13:
2798 		if (rdev->wiphy.num_iftype_ext_capab &&
2799 		    rdev->wiphy.iftype_ext_capab) {
2800 			struct nlattr *nested_ext_capab, *nested;
2801 
2802 			nested = nla_nest_start_noflag(msg,
2803 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2804 			if (!nested)
2805 				goto nla_put_failure;
2806 
2807 			for (i = state->capa_start;
2808 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2809 				const struct wiphy_iftype_ext_capab *capab;
2810 
2811 				capab = &rdev->wiphy.iftype_ext_capab[i];
2812 
2813 				nested_ext_capab = nla_nest_start_noflag(msg,
2814 									 i);
2815 				if (!nested_ext_capab ||
2816 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2817 						capab->iftype) ||
2818 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2819 					    capab->extended_capabilities_len,
2820 					    capab->extended_capabilities) ||
2821 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2822 					    capab->extended_capabilities_len,
2823 					    capab->extended_capabilities_mask))
2824 					goto nla_put_failure;
2825 
2826 				nla_nest_end(msg, nested_ext_capab);
2827 				if (state->split)
2828 					break;
2829 			}
2830 			nla_nest_end(msg, nested);
2831 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2832 				state->capa_start = i + 1;
2833 				break;
2834 			}
2835 		}
2836 
2837 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2838 				rdev->wiphy.nan_supported_bands))
2839 			goto nla_put_failure;
2840 
2841 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2842 					    NL80211_EXT_FEATURE_TXQS)) {
2843 			struct cfg80211_txq_stats txqstats = {};
2844 			int res;
2845 
2846 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2847 			if (!res &&
2848 			    !nl80211_put_txq_stats(msg, &txqstats,
2849 						   NL80211_ATTR_TXQ_STATS))
2850 				goto nla_put_failure;
2851 
2852 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2853 					rdev->wiphy.txq_limit))
2854 				goto nla_put_failure;
2855 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2856 					rdev->wiphy.txq_memory_limit))
2857 				goto nla_put_failure;
2858 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2859 					rdev->wiphy.txq_quantum))
2860 				goto nla_put_failure;
2861 		}
2862 
2863 		state->split_start++;
2864 		break;
2865 	case 14:
2866 		if (nl80211_send_pmsr_capa(rdev, msg))
2867 			goto nla_put_failure;
2868 
2869 		state->split_start++;
2870 		break;
2871 	case 15:
2872 		if (rdev->wiphy.akm_suites &&
2873 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2874 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2875 			    rdev->wiphy.akm_suites))
2876 			goto nla_put_failure;
2877 
2878 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2879 			goto nla_put_failure;
2880 
2881 		if (nl80211_put_tid_config_support(rdev, msg))
2882 			goto nla_put_failure;
2883 		state->split_start++;
2884 		break;
2885 	case 16:
2886 		if (nl80211_put_sar_specs(rdev, msg))
2887 			goto nla_put_failure;
2888 
2889 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2890 			goto nla_put_failure;
2891 
2892 		/* done */
2893 		state->split_start = 0;
2894 		break;
2895 	}
2896  finish:
2897 	genlmsg_end(msg, hdr);
2898 	return 0;
2899 
2900  nla_put_failure:
2901 	genlmsg_cancel(msg, hdr);
2902 	return -EMSGSIZE;
2903 }
2904 
2905 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2906 				    struct netlink_callback *cb,
2907 				    struct nl80211_dump_wiphy_state *state)
2908 {
2909 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2910 	int ret;
2911 
2912 	if (!tb)
2913 		return -ENOMEM;
2914 
2915 	ret = nlmsg_parse_deprecated(cb->nlh,
2916 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2917 				     tb, nl80211_fam.maxattr,
2918 				     nl80211_policy, NULL);
2919 	/* ignore parse errors for backward compatibility */
2920 	if (ret) {
2921 		ret = 0;
2922 		goto out;
2923 	}
2924 
2925 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2926 	if (tb[NL80211_ATTR_WIPHY])
2927 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2928 	if (tb[NL80211_ATTR_WDEV])
2929 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2930 	if (tb[NL80211_ATTR_IFINDEX]) {
2931 		struct net_device *netdev;
2932 		struct cfg80211_registered_device *rdev;
2933 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2934 
2935 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2936 		if (!netdev) {
2937 			ret = -ENODEV;
2938 			goto out;
2939 		}
2940 		if (netdev->ieee80211_ptr) {
2941 			rdev = wiphy_to_rdev(
2942 				netdev->ieee80211_ptr->wiphy);
2943 			state->filter_wiphy = rdev->wiphy_idx;
2944 		}
2945 	}
2946 
2947 	ret = 0;
2948 out:
2949 	kfree(tb);
2950 	return ret;
2951 }
2952 
2953 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2954 {
2955 	int idx = 0, ret;
2956 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2957 	struct cfg80211_registered_device *rdev;
2958 
2959 	rtnl_lock();
2960 	if (!state) {
2961 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2962 		if (!state) {
2963 			rtnl_unlock();
2964 			return -ENOMEM;
2965 		}
2966 		state->filter_wiphy = -1;
2967 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2968 		if (ret) {
2969 			kfree(state);
2970 			rtnl_unlock();
2971 			return ret;
2972 		}
2973 		cb->args[0] = (long)state;
2974 	}
2975 
2976 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2977 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2978 			continue;
2979 		if (++idx <= state->start)
2980 			continue;
2981 		if (state->filter_wiphy != -1 &&
2982 		    state->filter_wiphy != rdev->wiphy_idx)
2983 			continue;
2984 		/* attempt to fit multiple wiphy data chunks into the skb */
2985 		do {
2986 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2987 						 skb,
2988 						 NETLINK_CB(cb->skb).portid,
2989 						 cb->nlh->nlmsg_seq,
2990 						 NLM_F_MULTI, state);
2991 			if (ret < 0) {
2992 				/*
2993 				 * If sending the wiphy data didn't fit (ENOBUFS
2994 				 * or EMSGSIZE returned), this SKB is still
2995 				 * empty (so it's not too big because another
2996 				 * wiphy dataset is already in the skb) and
2997 				 * we've not tried to adjust the dump allocation
2998 				 * yet ... then adjust the alloc size to be
2999 				 * bigger, and return 1 but with the empty skb.
3000 				 * This results in an empty message being RX'ed
3001 				 * in userspace, but that is ignored.
3002 				 *
3003 				 * We can then retry with the larger buffer.
3004 				 */
3005 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3006 				    !skb->len && !state->split &&
3007 				    cb->min_dump_alloc < 4096) {
3008 					cb->min_dump_alloc = 4096;
3009 					state->split_start = 0;
3010 					rtnl_unlock();
3011 					return 1;
3012 				}
3013 				idx--;
3014 				break;
3015 			}
3016 		} while (state->split_start > 0);
3017 		break;
3018 	}
3019 	rtnl_unlock();
3020 
3021 	state->start = idx;
3022 
3023 	return skb->len;
3024 }
3025 
3026 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3027 {
3028 	kfree((void *)cb->args[0]);
3029 	return 0;
3030 }
3031 
3032 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3033 {
3034 	struct sk_buff *msg;
3035 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3036 	struct nl80211_dump_wiphy_state state = {};
3037 
3038 	msg = nlmsg_new(4096, GFP_KERNEL);
3039 	if (!msg)
3040 		return -ENOMEM;
3041 
3042 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3043 			       info->snd_portid, info->snd_seq, 0,
3044 			       &state) < 0) {
3045 		nlmsg_free(msg);
3046 		return -ENOBUFS;
3047 	}
3048 
3049 	return genlmsg_reply(msg, info);
3050 }
3051 
3052 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3053 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3054 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3055 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3056 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3057 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3058 };
3059 
3060 static int parse_txq_params(struct nlattr *tb[],
3061 			    struct ieee80211_txq_params *txq_params)
3062 {
3063 	u8 ac;
3064 
3065 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3066 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3067 	    !tb[NL80211_TXQ_ATTR_AIFS])
3068 		return -EINVAL;
3069 
3070 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3071 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3072 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3073 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3074 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3075 
3076 	if (ac >= NL80211_NUM_ACS)
3077 		return -EINVAL;
3078 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3079 	return 0;
3080 }
3081 
3082 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3083 {
3084 	/*
3085 	 * You can only set the channel explicitly for some interfaces,
3086 	 * most have their channel managed via their respective
3087 	 * "establish a connection" command (connect, join, ...)
3088 	 *
3089 	 * For AP/GO and mesh mode, the channel can be set with the
3090 	 * channel userspace API, but is only stored and passed to the
3091 	 * low-level driver when the AP starts or the mesh is joined.
3092 	 * This is for backward compatibility, userspace can also give
3093 	 * the channel in the start-ap or join-mesh commands instead.
3094 	 *
3095 	 * Monitors are special as they are normally slaved to
3096 	 * whatever else is going on, so they have their own special
3097 	 * operation to set the monitor channel if possible.
3098 	 */
3099 	return !wdev ||
3100 		wdev->iftype == NL80211_IFTYPE_AP ||
3101 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3102 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3103 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3104 }
3105 
3106 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3107 			  struct genl_info *info,
3108 			  struct cfg80211_chan_def *chandef)
3109 {
3110 	struct netlink_ext_ack *extack = info->extack;
3111 	struct nlattr **attrs = info->attrs;
3112 	u32 control_freq;
3113 
3114 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3115 		return -EINVAL;
3116 
3117 	control_freq = MHZ_TO_KHZ(
3118 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3119 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3120 		control_freq +=
3121 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3122 
3123 	memset(chandef, 0, sizeof(*chandef));
3124 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3125 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3126 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3127 	chandef->freq1_offset = control_freq % 1000;
3128 	chandef->center_freq2 = 0;
3129 
3130 	/* Primary channel not allowed */
3131 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3132 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3133 				    "Channel is disabled");
3134 		return -EINVAL;
3135 	}
3136 
3137 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3138 		enum nl80211_channel_type chantype;
3139 
3140 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3141 
3142 		switch (chantype) {
3143 		case NL80211_CHAN_NO_HT:
3144 		case NL80211_CHAN_HT20:
3145 		case NL80211_CHAN_HT40PLUS:
3146 		case NL80211_CHAN_HT40MINUS:
3147 			cfg80211_chandef_create(chandef, chandef->chan,
3148 						chantype);
3149 			/* user input for center_freq is incorrect */
3150 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3151 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3152 				NL_SET_ERR_MSG_ATTR(extack,
3153 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3154 						    "bad center frequency 1");
3155 				return -EINVAL;
3156 			}
3157 			/* center_freq2 must be zero */
3158 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3159 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3160 				NL_SET_ERR_MSG_ATTR(extack,
3161 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3162 						    "center frequency 2 can't be used");
3163 				return -EINVAL;
3164 			}
3165 			break;
3166 		default:
3167 			NL_SET_ERR_MSG_ATTR(extack,
3168 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3169 					    "invalid channel type");
3170 			return -EINVAL;
3171 		}
3172 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3173 		chandef->width =
3174 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3175 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3176 			chandef->center_freq1 =
3177 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3178 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3179 				chandef->freq1_offset = nla_get_u32(
3180 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3181 			else
3182 				chandef->freq1_offset = 0;
3183 		}
3184 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3185 			chandef->center_freq2 =
3186 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3187 	}
3188 
3189 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3190 		chandef->edmg.channels =
3191 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3192 
3193 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3194 			chandef->edmg.bw_config =
3195 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3196 	} else {
3197 		chandef->edmg.bw_config = 0;
3198 		chandef->edmg.channels = 0;
3199 	}
3200 
3201 	if (!cfg80211_chandef_valid(chandef)) {
3202 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3203 		return -EINVAL;
3204 	}
3205 
3206 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3207 				     IEEE80211_CHAN_DISABLED)) {
3208 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3209 		return -EINVAL;
3210 	}
3211 
3212 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3213 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3214 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3215 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3216 		return -EINVAL;
3217 	}
3218 
3219 	return 0;
3220 }
3221 
3222 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3223 				 struct net_device *dev,
3224 				 struct genl_info *info)
3225 {
3226 	struct cfg80211_chan_def chandef;
3227 	int result;
3228 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3229 	struct wireless_dev *wdev = NULL;
3230 
3231 	if (dev)
3232 		wdev = dev->ieee80211_ptr;
3233 	if (!nl80211_can_set_dev_channel(wdev))
3234 		return -EOPNOTSUPP;
3235 	if (wdev)
3236 		iftype = wdev->iftype;
3237 
3238 	result = nl80211_parse_chandef(rdev, info, &chandef);
3239 	if (result)
3240 		return result;
3241 
3242 	switch (iftype) {
3243 	case NL80211_IFTYPE_AP:
3244 	case NL80211_IFTYPE_P2P_GO:
3245 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3246 						   iftype)) {
3247 			result = -EINVAL;
3248 			break;
3249 		}
3250 		if (wdev->beacon_interval) {
3251 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3252 			    !(rdev->wiphy.features &
3253 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3254 				result = -EBUSY;
3255 				break;
3256 			}
3257 
3258 			/* Only allow dynamic channel width changes */
3259 			if (chandef.chan != wdev->preset_chandef.chan) {
3260 				result = -EBUSY;
3261 				break;
3262 			}
3263 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3264 			if (result)
3265 				break;
3266 		}
3267 		wdev->preset_chandef = chandef;
3268 		result = 0;
3269 		break;
3270 	case NL80211_IFTYPE_MESH_POINT:
3271 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3272 		break;
3273 	case NL80211_IFTYPE_MONITOR:
3274 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3275 		break;
3276 	default:
3277 		result = -EINVAL;
3278 	}
3279 
3280 	return result;
3281 }
3282 
3283 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3284 {
3285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3286 	struct net_device *netdev = info->user_ptr[1];
3287 
3288 	return __nl80211_set_channel(rdev, netdev, info);
3289 }
3290 
3291 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3292 {
3293 	struct cfg80211_registered_device *rdev = NULL;
3294 	struct net_device *netdev = NULL;
3295 	struct wireless_dev *wdev;
3296 	int result = 0, rem_txq_params = 0;
3297 	struct nlattr *nl_txq_params;
3298 	u32 changed;
3299 	u8 retry_short = 0, retry_long = 0;
3300 	u32 frag_threshold = 0, rts_threshold = 0;
3301 	u8 coverage_class = 0;
3302 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3303 
3304 	rtnl_lock();
3305 	/*
3306 	 * Try to find the wiphy and netdev. Normally this
3307 	 * function shouldn't need the netdev, but this is
3308 	 * done for backward compatibility -- previously
3309 	 * setting the channel was done per wiphy, but now
3310 	 * it is per netdev. Previous userland like hostapd
3311 	 * also passed a netdev to set_wiphy, so that it is
3312 	 * possible to let that go to the right netdev!
3313 	 */
3314 
3315 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3316 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3317 
3318 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3319 		if (netdev && netdev->ieee80211_ptr)
3320 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3321 		else
3322 			netdev = NULL;
3323 	}
3324 
3325 	if (!netdev) {
3326 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3327 						  info->attrs);
3328 		if (IS_ERR(rdev)) {
3329 			rtnl_unlock();
3330 			return PTR_ERR(rdev);
3331 		}
3332 		wdev = NULL;
3333 		netdev = NULL;
3334 		result = 0;
3335 	} else
3336 		wdev = netdev->ieee80211_ptr;
3337 
3338 	wiphy_lock(&rdev->wiphy);
3339 
3340 	/*
3341 	 * end workaround code, by now the rdev is available
3342 	 * and locked, and wdev may or may not be NULL.
3343 	 */
3344 
3345 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3346 		result = cfg80211_dev_rename(
3347 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3348 	rtnl_unlock();
3349 
3350 	if (result)
3351 		goto out;
3352 
3353 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3354 		struct ieee80211_txq_params txq_params;
3355 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3356 
3357 		if (!rdev->ops->set_txq_params) {
3358 			result = -EOPNOTSUPP;
3359 			goto out;
3360 		}
3361 
3362 		if (!netdev) {
3363 			result = -EINVAL;
3364 			goto out;
3365 		}
3366 
3367 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3368 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3369 			result = -EINVAL;
3370 			goto out;
3371 		}
3372 
3373 		if (!netif_running(netdev)) {
3374 			result = -ENETDOWN;
3375 			goto out;
3376 		}
3377 
3378 		nla_for_each_nested(nl_txq_params,
3379 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3380 				    rem_txq_params) {
3381 			result = nla_parse_nested_deprecated(tb,
3382 							     NL80211_TXQ_ATTR_MAX,
3383 							     nl_txq_params,
3384 							     txq_params_policy,
3385 							     info->extack);
3386 			if (result)
3387 				goto out;
3388 			result = parse_txq_params(tb, &txq_params);
3389 			if (result)
3390 				goto out;
3391 
3392 			result = rdev_set_txq_params(rdev, netdev,
3393 						     &txq_params);
3394 			if (result)
3395 				goto out;
3396 		}
3397 	}
3398 
3399 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3400 		result = __nl80211_set_channel(
3401 			rdev,
3402 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3403 			info);
3404 		if (result)
3405 			goto out;
3406 	}
3407 
3408 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3409 		struct wireless_dev *txp_wdev = wdev;
3410 		enum nl80211_tx_power_setting type;
3411 		int idx, mbm = 0;
3412 
3413 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3414 			txp_wdev = NULL;
3415 
3416 		if (!rdev->ops->set_tx_power) {
3417 			result = -EOPNOTSUPP;
3418 			goto out;
3419 		}
3420 
3421 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3422 		type = nla_get_u32(info->attrs[idx]);
3423 
3424 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3425 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3426 			result = -EINVAL;
3427 			goto out;
3428 		}
3429 
3430 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3431 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3432 			mbm = nla_get_u32(info->attrs[idx]);
3433 		}
3434 
3435 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3436 		if (result)
3437 			goto out;
3438 	}
3439 
3440 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3441 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3442 		u32 tx_ant, rx_ant;
3443 
3444 		if ((!rdev->wiphy.available_antennas_tx &&
3445 		     !rdev->wiphy.available_antennas_rx) ||
3446 		    !rdev->ops->set_antenna) {
3447 			result = -EOPNOTSUPP;
3448 			goto out;
3449 		}
3450 
3451 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3452 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3453 
3454 		/* reject antenna configurations which don't match the
3455 		 * available antenna masks, except for the "all" mask */
3456 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3457 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3458 			result = -EINVAL;
3459 			goto out;
3460 		}
3461 
3462 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3463 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3464 
3465 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3466 		if (result)
3467 			goto out;
3468 	}
3469 
3470 	changed = 0;
3471 
3472 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3473 		retry_short = nla_get_u8(
3474 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3475 
3476 		changed |= WIPHY_PARAM_RETRY_SHORT;
3477 	}
3478 
3479 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3480 		retry_long = nla_get_u8(
3481 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3482 
3483 		changed |= WIPHY_PARAM_RETRY_LONG;
3484 	}
3485 
3486 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3487 		frag_threshold = nla_get_u32(
3488 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3489 		if (frag_threshold < 256) {
3490 			result = -EINVAL;
3491 			goto out;
3492 		}
3493 
3494 		if (frag_threshold != (u32) -1) {
3495 			/*
3496 			 * Fragments (apart from the last one) are required to
3497 			 * have even length. Make the fragmentation code
3498 			 * simpler by stripping LSB should someone try to use
3499 			 * odd threshold value.
3500 			 */
3501 			frag_threshold &= ~0x1;
3502 		}
3503 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3504 	}
3505 
3506 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3507 		rts_threshold = nla_get_u32(
3508 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3509 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3510 	}
3511 
3512 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3513 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3514 			result = -EINVAL;
3515 			goto out;
3516 		}
3517 
3518 		coverage_class = nla_get_u8(
3519 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3520 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3521 	}
3522 
3523 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3524 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3525 			result = -EOPNOTSUPP;
3526 			goto out;
3527 		}
3528 
3529 		changed |= WIPHY_PARAM_DYN_ACK;
3530 	}
3531 
3532 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3533 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3534 					     NL80211_EXT_FEATURE_TXQS)) {
3535 			result = -EOPNOTSUPP;
3536 			goto out;
3537 		}
3538 		txq_limit = nla_get_u32(
3539 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3540 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3541 	}
3542 
3543 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3544 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3545 					     NL80211_EXT_FEATURE_TXQS)) {
3546 			result = -EOPNOTSUPP;
3547 			goto out;
3548 		}
3549 		txq_memory_limit = nla_get_u32(
3550 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3551 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3552 	}
3553 
3554 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3555 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3556 					     NL80211_EXT_FEATURE_TXQS)) {
3557 			result = -EOPNOTSUPP;
3558 			goto out;
3559 		}
3560 		txq_quantum = nla_get_u32(
3561 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3562 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3563 	}
3564 
3565 	if (changed) {
3566 		u8 old_retry_short, old_retry_long;
3567 		u32 old_frag_threshold, old_rts_threshold;
3568 		u8 old_coverage_class;
3569 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3570 
3571 		if (!rdev->ops->set_wiphy_params) {
3572 			result = -EOPNOTSUPP;
3573 			goto out;
3574 		}
3575 
3576 		old_retry_short = rdev->wiphy.retry_short;
3577 		old_retry_long = rdev->wiphy.retry_long;
3578 		old_frag_threshold = rdev->wiphy.frag_threshold;
3579 		old_rts_threshold = rdev->wiphy.rts_threshold;
3580 		old_coverage_class = rdev->wiphy.coverage_class;
3581 		old_txq_limit = rdev->wiphy.txq_limit;
3582 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3583 		old_txq_quantum = rdev->wiphy.txq_quantum;
3584 
3585 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3586 			rdev->wiphy.retry_short = retry_short;
3587 		if (changed & WIPHY_PARAM_RETRY_LONG)
3588 			rdev->wiphy.retry_long = retry_long;
3589 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3590 			rdev->wiphy.frag_threshold = frag_threshold;
3591 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3592 			rdev->wiphy.rts_threshold = rts_threshold;
3593 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3594 			rdev->wiphy.coverage_class = coverage_class;
3595 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3596 			rdev->wiphy.txq_limit = txq_limit;
3597 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3598 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3599 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3600 			rdev->wiphy.txq_quantum = txq_quantum;
3601 
3602 		result = rdev_set_wiphy_params(rdev, changed);
3603 		if (result) {
3604 			rdev->wiphy.retry_short = old_retry_short;
3605 			rdev->wiphy.retry_long = old_retry_long;
3606 			rdev->wiphy.frag_threshold = old_frag_threshold;
3607 			rdev->wiphy.rts_threshold = old_rts_threshold;
3608 			rdev->wiphy.coverage_class = old_coverage_class;
3609 			rdev->wiphy.txq_limit = old_txq_limit;
3610 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3611 			rdev->wiphy.txq_quantum = old_txq_quantum;
3612 			goto out;
3613 		}
3614 	}
3615 
3616 	result = 0;
3617 
3618 out:
3619 	wiphy_unlock(&rdev->wiphy);
3620 	return result;
3621 }
3622 
3623 static int nl80211_send_chandef(struct sk_buff *msg,
3624 				const struct cfg80211_chan_def *chandef)
3625 {
3626 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3627 		return -EINVAL;
3628 
3629 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3630 			chandef->chan->center_freq))
3631 		return -ENOBUFS;
3632 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3633 			chandef->chan->freq_offset))
3634 		return -ENOBUFS;
3635 	switch (chandef->width) {
3636 	case NL80211_CHAN_WIDTH_20_NOHT:
3637 	case NL80211_CHAN_WIDTH_20:
3638 	case NL80211_CHAN_WIDTH_40:
3639 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3640 				cfg80211_get_chandef_type(chandef)))
3641 			return -ENOBUFS;
3642 		break;
3643 	default:
3644 		break;
3645 	}
3646 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3647 		return -ENOBUFS;
3648 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3649 		return -ENOBUFS;
3650 	if (chandef->center_freq2 &&
3651 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3652 		return -ENOBUFS;
3653 	return 0;
3654 }
3655 
3656 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3657 			      struct cfg80211_registered_device *rdev,
3658 			      struct wireless_dev *wdev,
3659 			      enum nl80211_commands cmd)
3660 {
3661 	struct net_device *dev = wdev->netdev;
3662 	void *hdr;
3663 
3664 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3665 		cmd != NL80211_CMD_DEL_INTERFACE &&
3666 		cmd != NL80211_CMD_SET_INTERFACE);
3667 
3668 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3669 	if (!hdr)
3670 		return -1;
3671 
3672 	if (dev &&
3673 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3674 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3675 		goto nla_put_failure;
3676 
3677 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3678 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3679 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3680 			      NL80211_ATTR_PAD) ||
3681 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3682 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3683 			rdev->devlist_generation ^
3684 			(cfg80211_rdev_list_generation << 2)) ||
3685 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3686 		goto nla_put_failure;
3687 
3688 	if (rdev->ops->get_channel) {
3689 		int ret;
3690 		struct cfg80211_chan_def chandef = {};
3691 
3692 		ret = rdev_get_channel(rdev, wdev, &chandef);
3693 		if (ret == 0) {
3694 			if (nl80211_send_chandef(msg, &chandef))
3695 				goto nla_put_failure;
3696 		}
3697 	}
3698 
3699 	if (rdev->ops->get_tx_power) {
3700 		int dbm, ret;
3701 
3702 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3703 		if (ret == 0 &&
3704 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3705 				DBM_TO_MBM(dbm)))
3706 			goto nla_put_failure;
3707 	}
3708 
3709 	wdev_lock(wdev);
3710 	switch (wdev->iftype) {
3711 	case NL80211_IFTYPE_AP:
3712 		if (wdev->ssid_len &&
3713 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3714 			goto nla_put_failure_locked;
3715 		break;
3716 	case NL80211_IFTYPE_STATION:
3717 	case NL80211_IFTYPE_P2P_CLIENT:
3718 	case NL80211_IFTYPE_ADHOC: {
3719 		const struct element *ssid_elem;
3720 
3721 		if (!wdev->current_bss)
3722 			break;
3723 		rcu_read_lock();
3724 		ssid_elem = ieee80211_bss_get_elem(&wdev->current_bss->pub,
3725 						   WLAN_EID_SSID);
3726 		if (ssid_elem &&
3727 		    nla_put(msg, NL80211_ATTR_SSID, ssid_elem->datalen,
3728 			    ssid_elem->data))
3729 			goto nla_put_failure_rcu_locked;
3730 		rcu_read_unlock();
3731 		break;
3732 		}
3733 	default:
3734 		/* nothing */
3735 		break;
3736 	}
3737 	wdev_unlock(wdev);
3738 
3739 	if (rdev->ops->get_txq_stats) {
3740 		struct cfg80211_txq_stats txqstats = {};
3741 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3742 
3743 		if (ret == 0 &&
3744 		    !nl80211_put_txq_stats(msg, &txqstats,
3745 					   NL80211_ATTR_TXQ_STATS))
3746 			goto nla_put_failure;
3747 	}
3748 
3749 	genlmsg_end(msg, hdr);
3750 	return 0;
3751 
3752  nla_put_failure_rcu_locked:
3753 	rcu_read_unlock();
3754  nla_put_failure_locked:
3755 	wdev_unlock(wdev);
3756  nla_put_failure:
3757 	genlmsg_cancel(msg, hdr);
3758 	return -EMSGSIZE;
3759 }
3760 
3761 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3762 {
3763 	int wp_idx = 0;
3764 	int if_idx = 0;
3765 	int wp_start = cb->args[0];
3766 	int if_start = cb->args[1];
3767 	int filter_wiphy = -1;
3768 	struct cfg80211_registered_device *rdev;
3769 	struct wireless_dev *wdev;
3770 	int ret;
3771 
3772 	rtnl_lock();
3773 	if (!cb->args[2]) {
3774 		struct nl80211_dump_wiphy_state state = {
3775 			.filter_wiphy = -1,
3776 		};
3777 
3778 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3779 		if (ret)
3780 			goto out_unlock;
3781 
3782 		filter_wiphy = state.filter_wiphy;
3783 
3784 		/*
3785 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3786 		 * value needed to determine that parsing is necessary.
3787 		 */
3788 		if (filter_wiphy >= 0)
3789 			cb->args[2] = filter_wiphy + 1;
3790 		else
3791 			cb->args[2] = -1;
3792 	} else if (cb->args[2] > 0) {
3793 		filter_wiphy = cb->args[2] - 1;
3794 	}
3795 
3796 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3797 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3798 			continue;
3799 		if (wp_idx < wp_start) {
3800 			wp_idx++;
3801 			continue;
3802 		}
3803 
3804 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3805 			continue;
3806 
3807 		if_idx = 0;
3808 
3809 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3810 			if (if_idx < if_start) {
3811 				if_idx++;
3812 				continue;
3813 			}
3814 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3815 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3816 					       rdev, wdev,
3817 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3818 				goto out;
3819 			}
3820 			if_idx++;
3821 		}
3822 
3823 		wp_idx++;
3824 	}
3825  out:
3826 	cb->args[0] = wp_idx;
3827 	cb->args[1] = if_idx;
3828 
3829 	ret = skb->len;
3830  out_unlock:
3831 	rtnl_unlock();
3832 
3833 	return ret;
3834 }
3835 
3836 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3837 {
3838 	struct sk_buff *msg;
3839 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3840 	struct wireless_dev *wdev = info->user_ptr[1];
3841 
3842 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3843 	if (!msg)
3844 		return -ENOMEM;
3845 
3846 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3847 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3848 		nlmsg_free(msg);
3849 		return -ENOBUFS;
3850 	}
3851 
3852 	return genlmsg_reply(msg, info);
3853 }
3854 
3855 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3856 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3857 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3858 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3859 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3860 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3861 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3862 };
3863 
3864 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3865 {
3866 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3867 	int flag;
3868 
3869 	*mntrflags = 0;
3870 
3871 	if (!nla)
3872 		return -EINVAL;
3873 
3874 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3875 		return -EINVAL;
3876 
3877 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3878 		if (flags[flag])
3879 			*mntrflags |= (1<<flag);
3880 
3881 	*mntrflags |= MONITOR_FLAG_CHANGED;
3882 
3883 	return 0;
3884 }
3885 
3886 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3887 				     enum nl80211_iftype type,
3888 				     struct genl_info *info,
3889 				     struct vif_params *params)
3890 {
3891 	bool change = false;
3892 	int err;
3893 
3894 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3895 		if (type != NL80211_IFTYPE_MONITOR)
3896 			return -EINVAL;
3897 
3898 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3899 					  &params->flags);
3900 		if (err)
3901 			return err;
3902 
3903 		change = true;
3904 	}
3905 
3906 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3907 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3908 		return -EOPNOTSUPP;
3909 
3910 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3911 		const u8 *mumimo_groups;
3912 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3913 
3914 		if (type != NL80211_IFTYPE_MONITOR)
3915 			return -EINVAL;
3916 
3917 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3918 			return -EOPNOTSUPP;
3919 
3920 		mumimo_groups =
3921 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3922 
3923 		/* bits 0 and 63 are reserved and must be zero */
3924 		if ((mumimo_groups[0] & BIT(0)) ||
3925 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3926 			return -EINVAL;
3927 
3928 		params->vht_mumimo_groups = mumimo_groups;
3929 		change = true;
3930 	}
3931 
3932 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3933 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3934 
3935 		if (type != NL80211_IFTYPE_MONITOR)
3936 			return -EINVAL;
3937 
3938 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3939 			return -EOPNOTSUPP;
3940 
3941 		params->vht_mumimo_follow_addr =
3942 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3943 		change = true;
3944 	}
3945 
3946 	return change ? 1 : 0;
3947 }
3948 
3949 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3950 			       struct net_device *netdev, u8 use_4addr,
3951 			       enum nl80211_iftype iftype)
3952 {
3953 	if (!use_4addr) {
3954 		if (netdev && netif_is_bridge_port(netdev))
3955 			return -EBUSY;
3956 		return 0;
3957 	}
3958 
3959 	switch (iftype) {
3960 	case NL80211_IFTYPE_AP_VLAN:
3961 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3962 			return 0;
3963 		break;
3964 	case NL80211_IFTYPE_STATION:
3965 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3966 			return 0;
3967 		break;
3968 	default:
3969 		break;
3970 	}
3971 
3972 	return -EOPNOTSUPP;
3973 }
3974 
3975 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3976 {
3977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3978 	struct vif_params params;
3979 	int err;
3980 	enum nl80211_iftype otype, ntype;
3981 	struct net_device *dev = info->user_ptr[1];
3982 	bool change = false;
3983 
3984 	memset(&params, 0, sizeof(params));
3985 
3986 	otype = ntype = dev->ieee80211_ptr->iftype;
3987 
3988 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3989 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3990 		if (otype != ntype)
3991 			change = true;
3992 	}
3993 
3994 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3995 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3996 
3997 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3998 			return -EINVAL;
3999 		if (netif_running(dev))
4000 			return -EBUSY;
4001 
4002 		wdev_lock(wdev);
4003 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4004 			     IEEE80211_MAX_MESH_ID_LEN);
4005 		wdev->mesh_id_up_len =
4006 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4007 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4008 		       wdev->mesh_id_up_len);
4009 		wdev_unlock(wdev);
4010 	}
4011 
4012 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4013 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4014 		change = true;
4015 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4016 		if (err)
4017 			return err;
4018 	} else {
4019 		params.use_4addr = -1;
4020 	}
4021 
4022 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4023 	if (err < 0)
4024 		return err;
4025 	if (err > 0)
4026 		change = true;
4027 
4028 	if (change)
4029 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4030 	else
4031 		err = 0;
4032 
4033 	if (!err && params.use_4addr != -1)
4034 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4035 
4036 	if (change && !err) {
4037 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4038 
4039 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4040 	}
4041 
4042 	return err;
4043 }
4044 
4045 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4046 {
4047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4048 	struct vif_params params;
4049 	struct wireless_dev *wdev;
4050 	struct sk_buff *msg;
4051 	int err;
4052 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4053 
4054 	memset(&params, 0, sizeof(params));
4055 
4056 	if (!info->attrs[NL80211_ATTR_IFNAME])
4057 		return -EINVAL;
4058 
4059 	if (info->attrs[NL80211_ATTR_IFTYPE])
4060 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4061 
4062 	if (!rdev->ops->add_virtual_intf)
4063 		return -EOPNOTSUPP;
4064 
4065 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4066 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4067 	    info->attrs[NL80211_ATTR_MAC]) {
4068 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4069 			   ETH_ALEN);
4070 		if (!is_valid_ether_addr(params.macaddr))
4071 			return -EADDRNOTAVAIL;
4072 	}
4073 
4074 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4075 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4076 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4077 		if (err)
4078 			return err;
4079 	}
4080 
4081 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4082 		return -EOPNOTSUPP;
4083 
4084 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4085 	if (err < 0)
4086 		return err;
4087 
4088 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4089 	if (!msg)
4090 		return -ENOMEM;
4091 
4092 	wdev = rdev_add_virtual_intf(rdev,
4093 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4094 				NET_NAME_USER, type, &params);
4095 	if (WARN_ON(!wdev)) {
4096 		nlmsg_free(msg);
4097 		return -EPROTO;
4098 	} else if (IS_ERR(wdev)) {
4099 		nlmsg_free(msg);
4100 		return PTR_ERR(wdev);
4101 	}
4102 
4103 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4104 		wdev->owner_nlportid = info->snd_portid;
4105 
4106 	switch (type) {
4107 	case NL80211_IFTYPE_MESH_POINT:
4108 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4109 			break;
4110 		wdev_lock(wdev);
4111 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4112 			     IEEE80211_MAX_MESH_ID_LEN);
4113 		wdev->mesh_id_up_len =
4114 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4115 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4116 		       wdev->mesh_id_up_len);
4117 		wdev_unlock(wdev);
4118 		break;
4119 	case NL80211_IFTYPE_NAN:
4120 	case NL80211_IFTYPE_P2P_DEVICE:
4121 		/*
4122 		 * P2P Device and NAN do not have a netdev, so don't go
4123 		 * through the netdev notifier and must be added here
4124 		 */
4125 		cfg80211_init_wdev(wdev);
4126 		cfg80211_register_wdev(rdev, wdev);
4127 		break;
4128 	default:
4129 		break;
4130 	}
4131 
4132 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4133 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4134 		nlmsg_free(msg);
4135 		return -ENOBUFS;
4136 	}
4137 
4138 	return genlmsg_reply(msg, info);
4139 }
4140 
4141 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4142 {
4143 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4144 	int ret;
4145 
4146 	/* to avoid failing a new interface creation due to pending removal */
4147 	cfg80211_destroy_ifaces(rdev);
4148 
4149 	wiphy_lock(&rdev->wiphy);
4150 	ret = _nl80211_new_interface(skb, info);
4151 	wiphy_unlock(&rdev->wiphy);
4152 
4153 	return ret;
4154 }
4155 
4156 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4157 {
4158 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4159 	struct wireless_dev *wdev = info->user_ptr[1];
4160 
4161 	if (!rdev->ops->del_virtual_intf)
4162 		return -EOPNOTSUPP;
4163 
4164 	/*
4165 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4166 	 * reach 0, and thus the rdev cannot be deleted.
4167 	 *
4168 	 * We need to do it for the dev_close(), since that will call
4169 	 * the netdev notifiers, and we need to acquire the mutex there
4170 	 * but don't know if we get there from here or from some other
4171 	 * place (e.g. "ip link set ... down").
4172 	 */
4173 	mutex_unlock(&rdev->wiphy.mtx);
4174 
4175 	/*
4176 	 * If we remove a wireless device without a netdev then clear
4177 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4178 	 * to check if it needs to do dev_put(). Otherwise it crashes
4179 	 * since the wdev has been freed, unlike with a netdev where
4180 	 * we need the dev_put() for the netdev to really be freed.
4181 	 */
4182 	if (!wdev->netdev)
4183 		info->user_ptr[1] = NULL;
4184 	else
4185 		dev_close(wdev->netdev);
4186 
4187 	mutex_lock(&rdev->wiphy.mtx);
4188 
4189 	return rdev_del_virtual_intf(rdev, wdev);
4190 }
4191 
4192 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4193 {
4194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4195 	struct net_device *dev = info->user_ptr[1];
4196 	u16 noack_map;
4197 
4198 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4199 		return -EINVAL;
4200 
4201 	if (!rdev->ops->set_noack_map)
4202 		return -EOPNOTSUPP;
4203 
4204 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4205 
4206 	return rdev_set_noack_map(rdev, dev, noack_map);
4207 }
4208 
4209 struct get_key_cookie {
4210 	struct sk_buff *msg;
4211 	int error;
4212 	int idx;
4213 };
4214 
4215 static void get_key_callback(void *c, struct key_params *params)
4216 {
4217 	struct nlattr *key;
4218 	struct get_key_cookie *cookie = c;
4219 
4220 	if ((params->key &&
4221 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4222 		     params->key_len, params->key)) ||
4223 	    (params->seq &&
4224 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4225 		     params->seq_len, params->seq)) ||
4226 	    (params->cipher &&
4227 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4228 			 params->cipher)))
4229 		goto nla_put_failure;
4230 
4231 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4232 	if (!key)
4233 		goto nla_put_failure;
4234 
4235 	if ((params->key &&
4236 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4237 		     params->key_len, params->key)) ||
4238 	    (params->seq &&
4239 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4240 		     params->seq_len, params->seq)) ||
4241 	    (params->cipher &&
4242 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4243 			 params->cipher)))
4244 		goto nla_put_failure;
4245 
4246 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4247 		goto nla_put_failure;
4248 
4249 	nla_nest_end(cookie->msg, key);
4250 
4251 	return;
4252  nla_put_failure:
4253 	cookie->error = 1;
4254 }
4255 
4256 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4257 {
4258 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4259 	int err;
4260 	struct net_device *dev = info->user_ptr[1];
4261 	u8 key_idx = 0;
4262 	const u8 *mac_addr = NULL;
4263 	bool pairwise;
4264 	struct get_key_cookie cookie = {
4265 		.error = 0,
4266 	};
4267 	void *hdr;
4268 	struct sk_buff *msg;
4269 	bool bigtk_support = false;
4270 
4271 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4272 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4273 		bigtk_support = true;
4274 
4275 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4276 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4277 	    wiphy_ext_feature_isset(&rdev->wiphy,
4278 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4279 		bigtk_support = true;
4280 
4281 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4282 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4283 
4284 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4285 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4286 			return -EINVAL;
4287 		}
4288 	}
4289 
4290 	if (info->attrs[NL80211_ATTR_MAC])
4291 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4292 
4293 	pairwise = !!mac_addr;
4294 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4295 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4296 
4297 		if (kt != NL80211_KEYTYPE_GROUP &&
4298 		    kt != NL80211_KEYTYPE_PAIRWISE)
4299 			return -EINVAL;
4300 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4301 	}
4302 
4303 	if (!rdev->ops->get_key)
4304 		return -EOPNOTSUPP;
4305 
4306 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4307 		return -ENOENT;
4308 
4309 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4310 	if (!msg)
4311 		return -ENOMEM;
4312 
4313 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4314 			     NL80211_CMD_NEW_KEY);
4315 	if (!hdr)
4316 		goto nla_put_failure;
4317 
4318 	cookie.msg = msg;
4319 	cookie.idx = key_idx;
4320 
4321 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4322 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4323 		goto nla_put_failure;
4324 	if (mac_addr &&
4325 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4326 		goto nla_put_failure;
4327 
4328 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4329 			   get_key_callback);
4330 
4331 	if (err)
4332 		goto free_msg;
4333 
4334 	if (cookie.error)
4335 		goto nla_put_failure;
4336 
4337 	genlmsg_end(msg, hdr);
4338 	return genlmsg_reply(msg, info);
4339 
4340  nla_put_failure:
4341 	err = -ENOBUFS;
4342  free_msg:
4343 	nlmsg_free(msg);
4344 	return err;
4345 }
4346 
4347 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4348 {
4349 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4350 	struct key_parse key;
4351 	int err;
4352 	struct net_device *dev = info->user_ptr[1];
4353 
4354 	err = nl80211_parse_key(info, &key);
4355 	if (err)
4356 		return err;
4357 
4358 	if (key.idx < 0)
4359 		return -EINVAL;
4360 
4361 	/* Only support setting default key and
4362 	 * Extended Key ID action NL80211_KEY_SET_TX.
4363 	 */
4364 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4365 	    !(key.p.mode == NL80211_KEY_SET_TX))
4366 		return -EINVAL;
4367 
4368 	wdev_lock(dev->ieee80211_ptr);
4369 
4370 	if (key.def) {
4371 		if (!rdev->ops->set_default_key) {
4372 			err = -EOPNOTSUPP;
4373 			goto out;
4374 		}
4375 
4376 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4377 		if (err)
4378 			goto out;
4379 
4380 		err = rdev_set_default_key(rdev, dev, key.idx,
4381 						 key.def_uni, key.def_multi);
4382 
4383 		if (err)
4384 			goto out;
4385 
4386 #ifdef CONFIG_CFG80211_WEXT
4387 		dev->ieee80211_ptr->wext.default_key = key.idx;
4388 #endif
4389 	} else if (key.defmgmt) {
4390 		if (key.def_uni || !key.def_multi) {
4391 			err = -EINVAL;
4392 			goto out;
4393 		}
4394 
4395 		if (!rdev->ops->set_default_mgmt_key) {
4396 			err = -EOPNOTSUPP;
4397 			goto out;
4398 		}
4399 
4400 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4401 		if (err)
4402 			goto out;
4403 
4404 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4405 		if (err)
4406 			goto out;
4407 
4408 #ifdef CONFIG_CFG80211_WEXT
4409 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4410 #endif
4411 	} else if (key.defbeacon) {
4412 		if (key.def_uni || !key.def_multi) {
4413 			err = -EINVAL;
4414 			goto out;
4415 		}
4416 
4417 		if (!rdev->ops->set_default_beacon_key) {
4418 			err = -EOPNOTSUPP;
4419 			goto out;
4420 		}
4421 
4422 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4423 		if (err)
4424 			goto out;
4425 
4426 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4427 		if (err)
4428 			goto out;
4429 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4430 		   wiphy_ext_feature_isset(&rdev->wiphy,
4431 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4432 		u8 *mac_addr = NULL;
4433 
4434 		if (info->attrs[NL80211_ATTR_MAC])
4435 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4436 
4437 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4438 			err = -EINVAL;
4439 			goto out;
4440 		}
4441 
4442 		err = rdev_add_key(rdev, dev, key.idx,
4443 				   NL80211_KEYTYPE_PAIRWISE,
4444 				   mac_addr, &key.p);
4445 	} else {
4446 		err = -EINVAL;
4447 	}
4448  out:
4449 	wdev_unlock(dev->ieee80211_ptr);
4450 
4451 	return err;
4452 }
4453 
4454 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4455 {
4456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4457 	int err;
4458 	struct net_device *dev = info->user_ptr[1];
4459 	struct key_parse key;
4460 	const u8 *mac_addr = NULL;
4461 
4462 	err = nl80211_parse_key(info, &key);
4463 	if (err)
4464 		return err;
4465 
4466 	if (!key.p.key) {
4467 		GENL_SET_ERR_MSG(info, "no key");
4468 		return -EINVAL;
4469 	}
4470 
4471 	if (info->attrs[NL80211_ATTR_MAC])
4472 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4473 
4474 	if (key.type == -1) {
4475 		if (mac_addr)
4476 			key.type = NL80211_KEYTYPE_PAIRWISE;
4477 		else
4478 			key.type = NL80211_KEYTYPE_GROUP;
4479 	}
4480 
4481 	/* for now */
4482 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4483 	    key.type != NL80211_KEYTYPE_GROUP) {
4484 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4485 		return -EINVAL;
4486 	}
4487 
4488 	if (key.type == NL80211_KEYTYPE_GROUP &&
4489 	    info->attrs[NL80211_ATTR_VLAN_ID])
4490 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4491 
4492 	if (!rdev->ops->add_key)
4493 		return -EOPNOTSUPP;
4494 
4495 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4496 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4497 					   mac_addr)) {
4498 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4499 		return -EINVAL;
4500 	}
4501 
4502 	wdev_lock(dev->ieee80211_ptr);
4503 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4504 	if (err)
4505 		GENL_SET_ERR_MSG(info, "key not allowed");
4506 	if (!err) {
4507 		err = rdev_add_key(rdev, dev, key.idx,
4508 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4509 				    mac_addr, &key.p);
4510 		if (err)
4511 			GENL_SET_ERR_MSG(info, "key addition failed");
4512 	}
4513 	wdev_unlock(dev->ieee80211_ptr);
4514 
4515 	return err;
4516 }
4517 
4518 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4519 {
4520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4521 	int err;
4522 	struct net_device *dev = info->user_ptr[1];
4523 	u8 *mac_addr = NULL;
4524 	struct key_parse key;
4525 
4526 	err = nl80211_parse_key(info, &key);
4527 	if (err)
4528 		return err;
4529 
4530 	if (info->attrs[NL80211_ATTR_MAC])
4531 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4532 
4533 	if (key.type == -1) {
4534 		if (mac_addr)
4535 			key.type = NL80211_KEYTYPE_PAIRWISE;
4536 		else
4537 			key.type = NL80211_KEYTYPE_GROUP;
4538 	}
4539 
4540 	/* for now */
4541 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4542 	    key.type != NL80211_KEYTYPE_GROUP)
4543 		return -EINVAL;
4544 
4545 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4546 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4547 		return -EINVAL;
4548 
4549 	if (!rdev->ops->del_key)
4550 		return -EOPNOTSUPP;
4551 
4552 	wdev_lock(dev->ieee80211_ptr);
4553 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4554 
4555 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4556 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4557 		err = -ENOENT;
4558 
4559 	if (!err)
4560 		err = rdev_del_key(rdev, dev, key.idx,
4561 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4562 				   mac_addr);
4563 
4564 #ifdef CONFIG_CFG80211_WEXT
4565 	if (!err) {
4566 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4567 			dev->ieee80211_ptr->wext.default_key = -1;
4568 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4569 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4570 	}
4571 #endif
4572 	wdev_unlock(dev->ieee80211_ptr);
4573 
4574 	return err;
4575 }
4576 
4577 /* This function returns an error or the number of nested attributes */
4578 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4579 {
4580 	struct nlattr *attr;
4581 	int n_entries = 0, tmp;
4582 
4583 	nla_for_each_nested(attr, nl_attr, tmp) {
4584 		if (nla_len(attr) != ETH_ALEN)
4585 			return -EINVAL;
4586 
4587 		n_entries++;
4588 	}
4589 
4590 	return n_entries;
4591 }
4592 
4593 /*
4594  * This function parses ACL information and allocates memory for ACL data.
4595  * On successful return, the calling function is responsible to free the
4596  * ACL buffer returned by this function.
4597  */
4598 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4599 						struct genl_info *info)
4600 {
4601 	enum nl80211_acl_policy acl_policy;
4602 	struct nlattr *attr;
4603 	struct cfg80211_acl_data *acl;
4604 	int i = 0, n_entries, tmp;
4605 
4606 	if (!wiphy->max_acl_mac_addrs)
4607 		return ERR_PTR(-EOPNOTSUPP);
4608 
4609 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4610 		return ERR_PTR(-EINVAL);
4611 
4612 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4613 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4614 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4615 		return ERR_PTR(-EINVAL);
4616 
4617 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4618 		return ERR_PTR(-EINVAL);
4619 
4620 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4621 	if (n_entries < 0)
4622 		return ERR_PTR(n_entries);
4623 
4624 	if (n_entries > wiphy->max_acl_mac_addrs)
4625 		return ERR_PTR(-ENOTSUPP);
4626 
4627 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4628 	if (!acl)
4629 		return ERR_PTR(-ENOMEM);
4630 
4631 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4632 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4633 		i++;
4634 	}
4635 
4636 	acl->n_acl_entries = n_entries;
4637 	acl->acl_policy = acl_policy;
4638 
4639 	return acl;
4640 }
4641 
4642 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4643 {
4644 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4645 	struct net_device *dev = info->user_ptr[1];
4646 	struct cfg80211_acl_data *acl;
4647 	int err;
4648 
4649 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4650 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4651 		return -EOPNOTSUPP;
4652 
4653 	if (!dev->ieee80211_ptr->beacon_interval)
4654 		return -EINVAL;
4655 
4656 	acl = parse_acl_data(&rdev->wiphy, info);
4657 	if (IS_ERR(acl))
4658 		return PTR_ERR(acl);
4659 
4660 	err = rdev_set_mac_acl(rdev, dev, acl);
4661 
4662 	kfree(acl);
4663 
4664 	return err;
4665 }
4666 
4667 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4668 			   u8 *rates, u8 rates_len)
4669 {
4670 	u8 i;
4671 	u32 mask = 0;
4672 
4673 	for (i = 0; i < rates_len; i++) {
4674 		int rate = (rates[i] & 0x7f) * 5;
4675 		int ridx;
4676 
4677 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4678 			struct ieee80211_rate *srate =
4679 				&sband->bitrates[ridx];
4680 			if (rate == srate->bitrate) {
4681 				mask |= 1 << ridx;
4682 				break;
4683 			}
4684 		}
4685 		if (ridx == sband->n_bitrates)
4686 			return 0; /* rate not found */
4687 	}
4688 
4689 	return mask;
4690 }
4691 
4692 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4693 			       u8 *rates, u8 rates_len,
4694 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4695 {
4696 	u8 i;
4697 
4698 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4699 
4700 	for (i = 0; i < rates_len; i++) {
4701 		int ridx, rbit;
4702 
4703 		ridx = rates[i] / 8;
4704 		rbit = BIT(rates[i] % 8);
4705 
4706 		/* check validity */
4707 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4708 			return false;
4709 
4710 		/* check availability */
4711 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4712 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4713 			mcs[ridx] |= rbit;
4714 		else
4715 			return false;
4716 	}
4717 
4718 	return true;
4719 }
4720 
4721 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4722 {
4723 	u16 mcs_mask = 0;
4724 
4725 	switch (vht_mcs_map) {
4726 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4727 		break;
4728 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4729 		mcs_mask = 0x00FF;
4730 		break;
4731 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4732 		mcs_mask = 0x01FF;
4733 		break;
4734 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4735 		mcs_mask = 0x03FF;
4736 		break;
4737 	default:
4738 		break;
4739 	}
4740 
4741 	return mcs_mask;
4742 }
4743 
4744 static void vht_build_mcs_mask(u16 vht_mcs_map,
4745 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4746 {
4747 	u8 nss;
4748 
4749 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4750 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4751 		vht_mcs_map >>= 2;
4752 	}
4753 }
4754 
4755 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4756 			     struct nl80211_txrate_vht *txrate,
4757 			     u16 mcs[NL80211_VHT_NSS_MAX])
4758 {
4759 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4760 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4761 	u8 i;
4762 
4763 	if (!sband->vht_cap.vht_supported)
4764 		return false;
4765 
4766 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4767 
4768 	/* Build vht_mcs_mask from VHT capabilities */
4769 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4770 
4771 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4772 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4773 			mcs[i] = txrate->mcs[i];
4774 		else
4775 			return false;
4776 	}
4777 
4778 	return true;
4779 }
4780 
4781 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4782 {
4783 	switch (he_mcs_map) {
4784 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4785 		return 0;
4786 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4787 		return 0x00FF;
4788 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4789 		return 0x03FF;
4790 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4791 		return 0xFFF;
4792 	default:
4793 		break;
4794 	}
4795 	return 0;
4796 }
4797 
4798 static void he_build_mcs_mask(u16 he_mcs_map,
4799 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4800 {
4801 	u8 nss;
4802 
4803 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4804 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4805 		he_mcs_map >>= 2;
4806 	}
4807 }
4808 
4809 static u16 he_get_txmcsmap(struct genl_info *info,
4810 			   const struct ieee80211_sta_he_cap *he_cap)
4811 {
4812 	struct net_device *dev = info->user_ptr[1];
4813 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4814 	__le16	tx_mcs;
4815 
4816 	switch (wdev->chandef.width) {
4817 	case NL80211_CHAN_WIDTH_80P80:
4818 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4819 		break;
4820 	case NL80211_CHAN_WIDTH_160:
4821 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4822 		break;
4823 	default:
4824 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4825 		break;
4826 	}
4827 	return le16_to_cpu(tx_mcs);
4828 }
4829 
4830 static bool he_set_mcs_mask(struct genl_info *info,
4831 			    struct wireless_dev *wdev,
4832 			    struct ieee80211_supported_band *sband,
4833 			    struct nl80211_txrate_he *txrate,
4834 			    u16 mcs[NL80211_HE_NSS_MAX])
4835 {
4836 	const struct ieee80211_sta_he_cap *he_cap;
4837 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4838 	u16 tx_mcs_map = 0;
4839 	u8 i;
4840 
4841 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4842 	if (!he_cap)
4843 		return false;
4844 
4845 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4846 
4847 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4848 
4849 	/* Build he_mcs_mask from HE capabilities */
4850 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4851 
4852 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4853 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4854 			mcs[i] = txrate->mcs[i];
4855 		else
4856 			return false;
4857 	}
4858 
4859 	return true;
4860 }
4861 
4862 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4863 					 struct nlattr *attrs[],
4864 					 enum nl80211_attrs attr,
4865 					 struct cfg80211_bitrate_mask *mask,
4866 					 struct net_device *dev,
4867 					 bool default_all_enabled)
4868 {
4869 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4870 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4871 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4872 	int rem, i;
4873 	struct nlattr *tx_rates;
4874 	struct ieee80211_supported_band *sband;
4875 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4876 
4877 	memset(mask, 0, sizeof(*mask));
4878 	/* Default to all rates enabled */
4879 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4880 		const struct ieee80211_sta_he_cap *he_cap;
4881 
4882 		if (!default_all_enabled)
4883 			break;
4884 
4885 		sband = rdev->wiphy.bands[i];
4886 
4887 		if (!sband)
4888 			continue;
4889 
4890 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4891 		memcpy(mask->control[i].ht_mcs,
4892 		       sband->ht_cap.mcs.rx_mask,
4893 		       sizeof(mask->control[i].ht_mcs));
4894 
4895 		if (sband->vht_cap.vht_supported) {
4896 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4897 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4898 		}
4899 
4900 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4901 		if (!he_cap)
4902 			continue;
4903 
4904 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4905 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4906 
4907 		mask->control[i].he_gi = 0xFF;
4908 		mask->control[i].he_ltf = 0xFF;
4909 	}
4910 
4911 	/* if no rates are given set it back to the defaults */
4912 	if (!attrs[attr])
4913 		goto out;
4914 
4915 	/* The nested attribute uses enum nl80211_band as the index. This maps
4916 	 * directly to the enum nl80211_band values used in cfg80211.
4917 	 */
4918 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4919 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4920 		enum nl80211_band band = nla_type(tx_rates);
4921 		int err;
4922 
4923 		if (band < 0 || band >= NUM_NL80211_BANDS)
4924 			return -EINVAL;
4925 		sband = rdev->wiphy.bands[band];
4926 		if (sband == NULL)
4927 			return -EINVAL;
4928 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4929 						  tx_rates,
4930 						  nl80211_txattr_policy,
4931 						  info->extack);
4932 		if (err)
4933 			return err;
4934 		if (tb[NL80211_TXRATE_LEGACY]) {
4935 			mask->control[band].legacy = rateset_to_mask(
4936 				sband,
4937 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4938 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4939 			if ((mask->control[band].legacy == 0) &&
4940 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4941 				return -EINVAL;
4942 		}
4943 		if (tb[NL80211_TXRATE_HT]) {
4944 			if (!ht_rateset_to_mask(
4945 					sband,
4946 					nla_data(tb[NL80211_TXRATE_HT]),
4947 					nla_len(tb[NL80211_TXRATE_HT]),
4948 					mask->control[band].ht_mcs))
4949 				return -EINVAL;
4950 		}
4951 
4952 		if (tb[NL80211_TXRATE_VHT]) {
4953 			if (!vht_set_mcs_mask(
4954 					sband,
4955 					nla_data(tb[NL80211_TXRATE_VHT]),
4956 					mask->control[band].vht_mcs))
4957 				return -EINVAL;
4958 		}
4959 
4960 		if (tb[NL80211_TXRATE_GI]) {
4961 			mask->control[band].gi =
4962 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4963 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4964 				return -EINVAL;
4965 		}
4966 		if (tb[NL80211_TXRATE_HE] &&
4967 		    !he_set_mcs_mask(info, wdev, sband,
4968 				     nla_data(tb[NL80211_TXRATE_HE]),
4969 				     mask->control[band].he_mcs))
4970 			return -EINVAL;
4971 
4972 		if (tb[NL80211_TXRATE_HE_GI])
4973 			mask->control[band].he_gi =
4974 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4975 		if (tb[NL80211_TXRATE_HE_LTF])
4976 			mask->control[band].he_ltf =
4977 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4978 
4979 		if (mask->control[band].legacy == 0) {
4980 			/* don't allow empty legacy rates if HT, VHT or HE
4981 			 * are not even supported.
4982 			 */
4983 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4984 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4985 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4986 				return -EINVAL;
4987 
4988 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4989 				if (mask->control[band].ht_mcs[i])
4990 					goto out;
4991 
4992 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4993 				if (mask->control[band].vht_mcs[i])
4994 					goto out;
4995 
4996 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4997 				if (mask->control[band].he_mcs[i])
4998 					goto out;
4999 
5000 			/* legacy and mcs rates may not be both empty */
5001 			return -EINVAL;
5002 		}
5003 	}
5004 
5005 out:
5006 	return 0;
5007 }
5008 
5009 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5010 				   enum nl80211_band band,
5011 				   struct cfg80211_bitrate_mask *beacon_rate)
5012 {
5013 	u32 count_ht, count_vht, count_he, i;
5014 	u32 rate = beacon_rate->control[band].legacy;
5015 
5016 	/* Allow only one rate */
5017 	if (hweight32(rate) > 1)
5018 		return -EINVAL;
5019 
5020 	count_ht = 0;
5021 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5022 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5023 			return -EINVAL;
5024 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5025 			count_ht++;
5026 			if (count_ht > 1)
5027 				return -EINVAL;
5028 		}
5029 		if (count_ht && rate)
5030 			return -EINVAL;
5031 	}
5032 
5033 	count_vht = 0;
5034 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5035 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5036 			return -EINVAL;
5037 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5038 			count_vht++;
5039 			if (count_vht > 1)
5040 				return -EINVAL;
5041 		}
5042 		if (count_vht && rate)
5043 			return -EINVAL;
5044 	}
5045 
5046 	count_he = 0;
5047 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5048 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5049 			return -EINVAL;
5050 		} else if (beacon_rate->control[band].he_mcs[i]) {
5051 			count_he++;
5052 			if (count_he > 1)
5053 				return -EINVAL;
5054 		}
5055 		if (count_he && rate)
5056 			return -EINVAL;
5057 	}
5058 
5059 	if ((count_ht && count_vht && count_he) ||
5060 	    (!rate && !count_ht && !count_vht && !count_he))
5061 		return -EINVAL;
5062 
5063 	if (rate &&
5064 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5065 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5066 		return -EINVAL;
5067 	if (count_ht &&
5068 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5069 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5070 		return -EINVAL;
5071 	if (count_vht &&
5072 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5073 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5074 		return -EINVAL;
5075 	if (count_he &&
5076 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5077 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5078 		return -EINVAL;
5079 
5080 	return 0;
5081 }
5082 
5083 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5084 				       struct net_device *dev,
5085 				       struct nlattr *attrs,
5086 				       struct cfg80211_mbssid_config *config,
5087 				       u8 num_elems)
5088 {
5089 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5090 
5091 	if (!wiphy->mbssid_max_interfaces)
5092 		return -EOPNOTSUPP;
5093 
5094 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5095 			     NULL) ||
5096 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5097 		return -EINVAL;
5098 
5099 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5100 	if (config->ema) {
5101 		if (!wiphy->ema_max_profile_periodicity)
5102 			return -EOPNOTSUPP;
5103 
5104 		if (num_elems > wiphy->ema_max_profile_periodicity)
5105 			return -EINVAL;
5106 	}
5107 
5108 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5109 	if (config->index >= wiphy->mbssid_max_interfaces ||
5110 	    (!config->index && !num_elems))
5111 		return -EINVAL;
5112 
5113 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5114 		u32 tx_ifindex =
5115 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5116 
5117 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5118 		    (config->index && tx_ifindex == dev->ifindex))
5119 			return -EINVAL;
5120 
5121 		if (tx_ifindex != dev->ifindex) {
5122 			struct net_device *tx_netdev =
5123 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5124 
5125 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5126 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5127 			    tx_netdev->ieee80211_ptr->iftype !=
5128 							NL80211_IFTYPE_AP) {
5129 				dev_put(tx_netdev);
5130 				return -EINVAL;
5131 			}
5132 
5133 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5134 		} else {
5135 			config->tx_wdev = dev->ieee80211_ptr;
5136 		}
5137 	} else if (!config->index) {
5138 		config->tx_wdev = dev->ieee80211_ptr;
5139 	} else {
5140 		return -EINVAL;
5141 	}
5142 
5143 	return 0;
5144 }
5145 
5146 static struct cfg80211_mbssid_elems *
5147 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5148 {
5149 	struct nlattr *nl_elems;
5150 	struct cfg80211_mbssid_elems *elems;
5151 	int rem_elems;
5152 	u8 i = 0, num_elems = 0;
5153 
5154 	if (!wiphy->mbssid_max_interfaces)
5155 		return ERR_PTR(-EINVAL);
5156 
5157 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5158 		num_elems++;
5159 
5160 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5161 	if (!elems)
5162 		return ERR_PTR(-ENOMEM);
5163 
5164 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5165 		elems->elem[i].data = nla_data(nl_elems);
5166 		elems->elem[i].len = nla_len(nl_elems);
5167 		i++;
5168 	}
5169 	elems->cnt = num_elems;
5170 	return elems;
5171 }
5172 
5173 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5174 				struct nlattr *attrs[],
5175 				struct cfg80211_beacon_data *bcn)
5176 {
5177 	bool haveinfo = false;
5178 	int err;
5179 
5180 	memset(bcn, 0, sizeof(*bcn));
5181 
5182 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5183 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5184 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5185 		if (!bcn->head_len)
5186 			return -EINVAL;
5187 		haveinfo = true;
5188 	}
5189 
5190 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5191 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5192 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5193 		haveinfo = true;
5194 	}
5195 
5196 	if (!haveinfo)
5197 		return -EINVAL;
5198 
5199 	if (attrs[NL80211_ATTR_IE]) {
5200 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5201 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5202 	}
5203 
5204 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5205 		bcn->proberesp_ies =
5206 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5207 		bcn->proberesp_ies_len =
5208 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5209 	}
5210 
5211 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5212 		bcn->assocresp_ies =
5213 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5214 		bcn->assocresp_ies_len =
5215 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5216 	}
5217 
5218 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5219 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5220 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5221 	}
5222 
5223 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5224 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5225 
5226 		err = nla_parse_nested_deprecated(tb,
5227 						  NL80211_FTM_RESP_ATTR_MAX,
5228 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5229 						  NULL, NULL);
5230 		if (err)
5231 			return err;
5232 
5233 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5234 		    wiphy_ext_feature_isset(&rdev->wiphy,
5235 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5236 			bcn->ftm_responder = 1;
5237 		else
5238 			return -EOPNOTSUPP;
5239 
5240 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5241 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5242 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5243 		}
5244 
5245 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5246 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5247 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5248 		}
5249 	} else {
5250 		bcn->ftm_responder = -1;
5251 	}
5252 
5253 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5254 		struct cfg80211_mbssid_elems *mbssid =
5255 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5256 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5257 
5258 		if (IS_ERR(mbssid))
5259 			return PTR_ERR(mbssid);
5260 
5261 		bcn->mbssid_ies = mbssid;
5262 	}
5263 
5264 	return 0;
5265 }
5266 
5267 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5268 				    struct ieee80211_he_obss_pd *he_obss_pd)
5269 {
5270 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5271 	int err;
5272 
5273 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5274 			       he_obss_pd_policy, NULL);
5275 	if (err)
5276 		return err;
5277 
5278 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5279 		return -EINVAL;
5280 
5281 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5282 
5283 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5284 		he_obss_pd->min_offset =
5285 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5286 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5287 		he_obss_pd->max_offset =
5288 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5289 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5290 		he_obss_pd->non_srg_max_offset =
5291 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5292 
5293 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5294 		return -EINVAL;
5295 
5296 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5297 		memcpy(he_obss_pd->bss_color_bitmap,
5298 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5299 		       sizeof(he_obss_pd->bss_color_bitmap));
5300 
5301 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5302 		memcpy(he_obss_pd->partial_bssid_bitmap,
5303 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5304 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5305 
5306 	he_obss_pd->enable = true;
5307 
5308 	return 0;
5309 }
5310 
5311 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5312 				      struct cfg80211_he_bss_color *he_bss_color)
5313 {
5314 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5315 	int err;
5316 
5317 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5318 			       he_bss_color_policy, NULL);
5319 	if (err)
5320 		return err;
5321 
5322 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5323 		return -EINVAL;
5324 
5325 	he_bss_color->color =
5326 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5327 	he_bss_color->enabled =
5328 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5329 	he_bss_color->partial =
5330 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5331 
5332 	return 0;
5333 }
5334 
5335 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5336 					struct nlattr *attrs,
5337 					struct cfg80211_ap_settings *params)
5338 {
5339 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5340 	int ret;
5341 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5342 
5343 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5344 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5345 		return -EINVAL;
5346 
5347 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5348 			       NULL, NULL);
5349 	if (ret)
5350 		return ret;
5351 
5352 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5353 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5354 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5355 		return -EINVAL;
5356 
5357 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5358 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5359 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5360 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5361 
5362 	return 0;
5363 }
5364 
5365 static int
5366 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5367 				     struct nlattr *attrs,
5368 				     struct cfg80211_ap_settings *params)
5369 {
5370 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5371 	int ret;
5372 	struct cfg80211_unsol_bcast_probe_resp *presp =
5373 					&params->unsol_bcast_probe_resp;
5374 
5375 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5376 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5377 		return -EINVAL;
5378 
5379 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5380 			       attrs, NULL, NULL);
5381 	if (ret)
5382 		return ret;
5383 
5384 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5385 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5386 		return -EINVAL;
5387 
5388 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5389 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5390 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5391 	return 0;
5392 }
5393 
5394 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5395 					    const struct element *rates)
5396 {
5397 	int i;
5398 
5399 	if (!rates)
5400 		return;
5401 
5402 	for (i = 0; i < rates->datalen; i++) {
5403 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5404 			params->ht_required = true;
5405 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5406 			params->vht_required = true;
5407 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5408 			params->he_required = true;
5409 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5410 			params->sae_h2e_required = true;
5411 	}
5412 }
5413 
5414 /*
5415  * Since the nl80211 API didn't include, from the beginning, attributes about
5416  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5417  * benefit of drivers that rebuild IEs in the firmware.
5418  */
5419 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5420 {
5421 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5422 	size_t ies_len = bcn->tail_len;
5423 	const u8 *ies = bcn->tail;
5424 	const struct element *rates;
5425 	const struct element *cap;
5426 
5427 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5428 	nl80211_check_ap_rate_selectors(params, rates);
5429 
5430 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5431 	nl80211_check_ap_rate_selectors(params, rates);
5432 
5433 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5434 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5435 		params->ht_cap = (void *)cap->data;
5436 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5437 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5438 		params->vht_cap = (void *)cap->data;
5439 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5440 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5441 		params->he_cap = (void *)(cap->data + 1);
5442 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5443 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5444 		params->he_oper = (void *)(cap->data + 1);
5445 }
5446 
5447 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5448 				   struct cfg80211_ap_settings *params)
5449 {
5450 	struct wireless_dev *wdev;
5451 	bool ret = false;
5452 
5453 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5454 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5455 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5456 			continue;
5457 
5458 		if (!wdev->preset_chandef.chan)
5459 			continue;
5460 
5461 		params->chandef = wdev->preset_chandef;
5462 		ret = true;
5463 		break;
5464 	}
5465 
5466 	return ret;
5467 }
5468 
5469 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5470 				    enum nl80211_auth_type auth_type,
5471 				    enum nl80211_commands cmd)
5472 {
5473 	if (auth_type > NL80211_AUTHTYPE_MAX)
5474 		return false;
5475 
5476 	switch (cmd) {
5477 	case NL80211_CMD_AUTHENTICATE:
5478 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5479 		    auth_type == NL80211_AUTHTYPE_SAE)
5480 			return false;
5481 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5482 					     NL80211_EXT_FEATURE_FILS_STA) &&
5483 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5484 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5485 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5486 			return false;
5487 		return true;
5488 	case NL80211_CMD_CONNECT:
5489 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5490 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5491 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5492 		    auth_type == NL80211_AUTHTYPE_SAE)
5493 			return false;
5494 
5495 		/* FILS with SK PFS or PK not supported yet */
5496 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5497 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5498 			return false;
5499 		if (!wiphy_ext_feature_isset(
5500 			    &rdev->wiphy,
5501 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5502 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5503 			return false;
5504 		return true;
5505 	case NL80211_CMD_START_AP:
5506 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5507 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5508 		    auth_type == NL80211_AUTHTYPE_SAE)
5509 			return false;
5510 		/* FILS not supported yet */
5511 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5512 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5513 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5514 			return false;
5515 		return true;
5516 	default:
5517 		return false;
5518 	}
5519 }
5520 
5521 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5522 {
5523 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5524 	struct net_device *dev = info->user_ptr[1];
5525 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5526 	struct cfg80211_ap_settings *params;
5527 	int err;
5528 
5529 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5530 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5531 		return -EOPNOTSUPP;
5532 
5533 	if (!rdev->ops->start_ap)
5534 		return -EOPNOTSUPP;
5535 
5536 	if (wdev->beacon_interval)
5537 		return -EALREADY;
5538 
5539 	/* these are required for START_AP */
5540 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5541 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5542 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5543 		return -EINVAL;
5544 
5545 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5546 	if (!params)
5547 		return -ENOMEM;
5548 
5549 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon);
5550 	if (err)
5551 		goto out;
5552 
5553 	params->beacon_interval =
5554 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5555 	params->dtim_period =
5556 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5557 
5558 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5559 					   params->beacon_interval);
5560 	if (err)
5561 		goto out;
5562 
5563 	/*
5564 	 * In theory, some of these attributes should be required here
5565 	 * but since they were not used when the command was originally
5566 	 * added, keep them optional for old user space programs to let
5567 	 * them continue to work with drivers that do not need the
5568 	 * additional information -- drivers must check!
5569 	 */
5570 	if (info->attrs[NL80211_ATTR_SSID]) {
5571 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5572 		params->ssid_len =
5573 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5574 		if (params->ssid_len == 0) {
5575 			err = -EINVAL;
5576 			goto out;
5577 		}
5578 	}
5579 
5580 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5581 		params->hidden_ssid = nla_get_u32(
5582 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5583 
5584 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5585 
5586 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5587 		params->auth_type = nla_get_u32(
5588 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5589 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5590 					     NL80211_CMD_START_AP)) {
5591 			err = -EINVAL;
5592 			goto out;
5593 		}
5594 	} else
5595 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5596 
5597 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5598 				      NL80211_MAX_NR_CIPHER_SUITES);
5599 	if (err)
5600 		goto out;
5601 
5602 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5603 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
5604 			err = -EOPNOTSUPP;
5605 			goto out;
5606 		}
5607 		params->inactivity_timeout = nla_get_u16(
5608 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5609 	}
5610 
5611 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5612 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5613 			err = -EINVAL;
5614 			goto out;
5615 		}
5616 		params->p2p_ctwindow =
5617 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5618 		if (params->p2p_ctwindow != 0 &&
5619 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
5620 			err = -EINVAL;
5621 			goto out;
5622 		}
5623 	}
5624 
5625 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5626 		u8 tmp;
5627 
5628 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5629 			err = -EINVAL;
5630 			goto out;
5631 		}
5632 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5633 		params->p2p_opp_ps = tmp;
5634 		if (params->p2p_opp_ps != 0 &&
5635 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
5636 			err = -EINVAL;
5637 			goto out;
5638 		}
5639 	}
5640 
5641 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5642 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
5643 		if (err)
5644 			goto out;
5645 	} else if (wdev->preset_chandef.chan) {
5646 		params->chandef = wdev->preset_chandef;
5647 	} else if (!nl80211_get_ap_channel(rdev, params)) {
5648 		err = -EINVAL;
5649 		goto out;
5650 	}
5651 
5652 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
5653 					   wdev->iftype)) {
5654 		err = -EINVAL;
5655 		goto out;
5656 	}
5657 
5658 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5659 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5660 						    NL80211_ATTR_TX_RATES,
5661 						    &params->beacon_rate,
5662 						    dev, false);
5663 		if (err)
5664 			goto out;
5665 
5666 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
5667 					      &params->beacon_rate);
5668 		if (err)
5669 			goto out;
5670 	}
5671 
5672 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5673 		params->smps_mode =
5674 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5675 		switch (params->smps_mode) {
5676 		case NL80211_SMPS_OFF:
5677 			break;
5678 		case NL80211_SMPS_STATIC:
5679 			if (!(rdev->wiphy.features &
5680 			      NL80211_FEATURE_STATIC_SMPS)) {
5681 				err = -EINVAL;
5682 				goto out;
5683 			}
5684 			break;
5685 		case NL80211_SMPS_DYNAMIC:
5686 			if (!(rdev->wiphy.features &
5687 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
5688 				err = -EINVAL;
5689 				goto out;
5690 			}
5691 			break;
5692 		default:
5693 			err = -EINVAL;
5694 			goto out;
5695 		}
5696 	} else {
5697 		params->smps_mode = NL80211_SMPS_OFF;
5698 	}
5699 
5700 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5701 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
5702 		err = -EOPNOTSUPP;
5703 		goto out;
5704 	}
5705 
5706 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5707 		params->acl = parse_acl_data(&rdev->wiphy, info);
5708 		if (IS_ERR(params->acl)) {
5709 			err = PTR_ERR(params->acl);
5710 			params->acl = NULL;
5711 			goto out;
5712 		}
5713 	}
5714 
5715 	params->twt_responder =
5716 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5717 
5718 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5719 		err = nl80211_parse_he_obss_pd(
5720 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5721 					&params->he_obss_pd);
5722 		if (err)
5723 			goto out;
5724 	}
5725 
5726 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5727 		err = nl80211_parse_he_bss_color(
5728 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5729 					&params->he_bss_color);
5730 		if (err)
5731 			goto out;
5732 	}
5733 
5734 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5735 		err = nl80211_parse_fils_discovery(rdev,
5736 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5737 						   params);
5738 		if (err)
5739 			goto out;
5740 	}
5741 
5742 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5743 		err = nl80211_parse_unsol_bcast_probe_resp(
5744 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5745 			params);
5746 		if (err)
5747 			goto out;
5748 	}
5749 
5750 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
5751 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
5752 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
5753 						  &params->mbssid_config,
5754 						  params->beacon.mbssid_ies ?
5755 							params->beacon.mbssid_ies->cnt :
5756 							0);
5757 		if (err)
5758 			goto out;
5759 	}
5760 
5761 	nl80211_calculate_ap_params(params);
5762 
5763 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
5764 		params->flags = nla_get_u32(
5765 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
5766 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5767 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5768 
5769 	wdev_lock(wdev);
5770 	err = rdev_start_ap(rdev, dev, params);
5771 	if (!err) {
5772 		wdev->preset_chandef = params->chandef;
5773 		wdev->beacon_interval = params->beacon_interval;
5774 		wdev->chandef = params->chandef;
5775 		wdev->ssid_len = params->ssid_len;
5776 		memcpy(wdev->ssid, params->ssid, wdev->ssid_len);
5777 
5778 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5779 			wdev->conn_owner_nlportid = info->snd_portid;
5780 	}
5781 	wdev_unlock(wdev);
5782 
5783 out:
5784 	kfree(params->acl);
5785 	kfree(params->beacon.mbssid_ies);
5786 	if (params->mbssid_config.tx_wdev &&
5787 	    params->mbssid_config.tx_wdev->netdev &&
5788 	    params->mbssid_config.tx_wdev->netdev != dev)
5789 		dev_put(params->mbssid_config.tx_wdev->netdev);
5790 	kfree(params);
5791 
5792 	return err;
5793 }
5794 
5795 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5796 {
5797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5798 	struct net_device *dev = info->user_ptr[1];
5799 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5800 	struct cfg80211_beacon_data params;
5801 	int err;
5802 
5803 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5804 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5805 		return -EOPNOTSUPP;
5806 
5807 	if (!rdev->ops->change_beacon)
5808 		return -EOPNOTSUPP;
5809 
5810 	if (!wdev->beacon_interval)
5811 		return -EINVAL;
5812 
5813 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5814 	if (err)
5815 		goto out;
5816 
5817 	wdev_lock(wdev);
5818 	err = rdev_change_beacon(rdev, dev, &params);
5819 	wdev_unlock(wdev);
5820 
5821 out:
5822 	kfree(params.mbssid_ies);
5823 	return err;
5824 }
5825 
5826 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5827 {
5828 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5829 	struct net_device *dev = info->user_ptr[1];
5830 
5831 	return cfg80211_stop_ap(rdev, dev, false);
5832 }
5833 
5834 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5835 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5836 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5837 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5838 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5839 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5840 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5841 };
5842 
5843 static int parse_station_flags(struct genl_info *info,
5844 			       enum nl80211_iftype iftype,
5845 			       struct station_parameters *params)
5846 {
5847 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5848 	struct nlattr *nla;
5849 	int flag;
5850 
5851 	/*
5852 	 * Try parsing the new attribute first so userspace
5853 	 * can specify both for older kernels.
5854 	 */
5855 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5856 	if (nla) {
5857 		struct nl80211_sta_flag_update *sta_flags;
5858 
5859 		sta_flags = nla_data(nla);
5860 		params->sta_flags_mask = sta_flags->mask;
5861 		params->sta_flags_set = sta_flags->set;
5862 		params->sta_flags_set &= params->sta_flags_mask;
5863 		if ((params->sta_flags_mask |
5864 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5865 			return -EINVAL;
5866 		return 0;
5867 	}
5868 
5869 	/* if present, parse the old attribute */
5870 
5871 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5872 	if (!nla)
5873 		return 0;
5874 
5875 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5876 		return -EINVAL;
5877 
5878 	/*
5879 	 * Only allow certain flags for interface types so that
5880 	 * other attributes are silently ignored. Remember that
5881 	 * this is backward compatibility code with old userspace
5882 	 * and shouldn't be hit in other cases anyway.
5883 	 */
5884 	switch (iftype) {
5885 	case NL80211_IFTYPE_AP:
5886 	case NL80211_IFTYPE_AP_VLAN:
5887 	case NL80211_IFTYPE_P2P_GO:
5888 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5889 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5890 					 BIT(NL80211_STA_FLAG_WME) |
5891 					 BIT(NL80211_STA_FLAG_MFP);
5892 		break;
5893 	case NL80211_IFTYPE_P2P_CLIENT:
5894 	case NL80211_IFTYPE_STATION:
5895 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5896 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5897 		break;
5898 	case NL80211_IFTYPE_MESH_POINT:
5899 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5900 					 BIT(NL80211_STA_FLAG_MFP) |
5901 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5902 		break;
5903 	default:
5904 		return -EINVAL;
5905 	}
5906 
5907 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5908 		if (flags[flag]) {
5909 			params->sta_flags_set |= (1<<flag);
5910 
5911 			/* no longer support new API additions in old API */
5912 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5913 				return -EINVAL;
5914 		}
5915 	}
5916 
5917 	return 0;
5918 }
5919 
5920 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5921 {
5922 	struct nlattr *rate;
5923 	u32 bitrate;
5924 	u16 bitrate_compat;
5925 	enum nl80211_rate_info rate_flg;
5926 
5927 	rate = nla_nest_start_noflag(msg, attr);
5928 	if (!rate)
5929 		return false;
5930 
5931 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5932 	bitrate = cfg80211_calculate_bitrate(info);
5933 	/* report 16-bit bitrate only if we can */
5934 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5935 	if (bitrate > 0 &&
5936 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5937 		return false;
5938 	if (bitrate_compat > 0 &&
5939 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5940 		return false;
5941 
5942 	switch (info->bw) {
5943 	case RATE_INFO_BW_5:
5944 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5945 		break;
5946 	case RATE_INFO_BW_10:
5947 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5948 		break;
5949 	default:
5950 		WARN_ON(1);
5951 		fallthrough;
5952 	case RATE_INFO_BW_20:
5953 		rate_flg = 0;
5954 		break;
5955 	case RATE_INFO_BW_40:
5956 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5957 		break;
5958 	case RATE_INFO_BW_80:
5959 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5960 		break;
5961 	case RATE_INFO_BW_160:
5962 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5963 		break;
5964 	case RATE_INFO_BW_HE_RU:
5965 		rate_flg = 0;
5966 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5967 		break;
5968 	case RATE_INFO_BW_320:
5969 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
5970 		break;
5971 	case RATE_INFO_BW_EHT_RU:
5972 		rate_flg = 0;
5973 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
5974 		break;
5975 	}
5976 
5977 	if (rate_flg && nla_put_flag(msg, rate_flg))
5978 		return false;
5979 
5980 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5981 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5982 			return false;
5983 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5984 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5985 			return false;
5986 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5987 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5988 			return false;
5989 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5990 			return false;
5991 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5992 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5993 			return false;
5994 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5995 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5996 			return false;
5997 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5998 			return false;
5999 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6000 			return false;
6001 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6002 			return false;
6003 		if (info->bw == RATE_INFO_BW_HE_RU &&
6004 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6005 			       info->he_ru_alloc))
6006 			return false;
6007 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6008 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6009 			return false;
6010 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6011 			return false;
6012 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6013 			return false;
6014 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6015 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6016 			       info->eht_ru_alloc))
6017 			return false;
6018 	}
6019 
6020 	nla_nest_end(msg, rate);
6021 	return true;
6022 }
6023 
6024 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6025 			       int id)
6026 {
6027 	void *attr;
6028 	int i = 0;
6029 
6030 	if (!mask)
6031 		return true;
6032 
6033 	attr = nla_nest_start_noflag(msg, id);
6034 	if (!attr)
6035 		return false;
6036 
6037 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6038 		if (!(mask & BIT(i)))
6039 			continue;
6040 
6041 		if (nla_put_u8(msg, i, signal[i]))
6042 			return false;
6043 	}
6044 
6045 	nla_nest_end(msg, attr);
6046 
6047 	return true;
6048 }
6049 
6050 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6051 				u32 seq, int flags,
6052 				struct cfg80211_registered_device *rdev,
6053 				struct net_device *dev,
6054 				const u8 *mac_addr, struct station_info *sinfo)
6055 {
6056 	void *hdr;
6057 	struct nlattr *sinfoattr, *bss_param;
6058 
6059 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6060 	if (!hdr) {
6061 		cfg80211_sinfo_release_content(sinfo);
6062 		return -1;
6063 	}
6064 
6065 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6066 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6067 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6068 		goto nla_put_failure;
6069 
6070 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6071 	if (!sinfoattr)
6072 		goto nla_put_failure;
6073 
6074 #define PUT_SINFO(attr, memb, type) do {				\
6075 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6076 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6077 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6078 			     sinfo->memb))				\
6079 		goto nla_put_failure;					\
6080 	} while (0)
6081 #define PUT_SINFO_U64(attr, memb) do {					\
6082 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6083 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6084 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6085 		goto nla_put_failure;					\
6086 	} while (0)
6087 
6088 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6089 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6090 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6091 
6092 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6093 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6094 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6095 			(u32)sinfo->rx_bytes))
6096 		goto nla_put_failure;
6097 
6098 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6099 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6100 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6101 			(u32)sinfo->tx_bytes))
6102 		goto nla_put_failure;
6103 
6104 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6105 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6106 	PUT_SINFO(LLID, llid, u16);
6107 	PUT_SINFO(PLID, plid, u16);
6108 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6109 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6110 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6111 
6112 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6113 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6114 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6115 
6116 	switch (rdev->wiphy.signal_type) {
6117 	case CFG80211_SIGNAL_TYPE_MBM:
6118 		PUT_SINFO(SIGNAL, signal, u8);
6119 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6120 		break;
6121 	default:
6122 		break;
6123 	}
6124 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6125 		if (!nl80211_put_signal(msg, sinfo->chains,
6126 					sinfo->chain_signal,
6127 					NL80211_STA_INFO_CHAIN_SIGNAL))
6128 			goto nla_put_failure;
6129 	}
6130 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6131 		if (!nl80211_put_signal(msg, sinfo->chains,
6132 					sinfo->chain_signal_avg,
6133 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6134 			goto nla_put_failure;
6135 	}
6136 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6137 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6138 					  NL80211_STA_INFO_TX_BITRATE))
6139 			goto nla_put_failure;
6140 	}
6141 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6142 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6143 					  NL80211_STA_INFO_RX_BITRATE))
6144 			goto nla_put_failure;
6145 	}
6146 
6147 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6148 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6149 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6150 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6151 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6152 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6153 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6154 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6155 	PUT_SINFO(PEER_PM, peer_pm, u32);
6156 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6157 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6158 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6159 
6160 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6161 		bss_param = nla_nest_start_noflag(msg,
6162 						  NL80211_STA_INFO_BSS_PARAM);
6163 		if (!bss_param)
6164 			goto nla_put_failure;
6165 
6166 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6167 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6168 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6169 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6170 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6171 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6172 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6173 			       sinfo->bss_param.dtim_period) ||
6174 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6175 				sinfo->bss_param.beacon_interval))
6176 			goto nla_put_failure;
6177 
6178 		nla_nest_end(msg, bss_param);
6179 	}
6180 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6181 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6182 		    sizeof(struct nl80211_sta_flag_update),
6183 		    &sinfo->sta_flags))
6184 		goto nla_put_failure;
6185 
6186 	PUT_SINFO_U64(T_OFFSET, t_offset);
6187 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6188 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6189 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6190 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6191 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6192 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6193 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6194 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6195 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6196 	}
6197 
6198 #undef PUT_SINFO
6199 #undef PUT_SINFO_U64
6200 
6201 	if (sinfo->pertid) {
6202 		struct nlattr *tidsattr;
6203 		int tid;
6204 
6205 		tidsattr = nla_nest_start_noflag(msg,
6206 						 NL80211_STA_INFO_TID_STATS);
6207 		if (!tidsattr)
6208 			goto nla_put_failure;
6209 
6210 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6211 			struct cfg80211_tid_stats *tidstats;
6212 			struct nlattr *tidattr;
6213 
6214 			tidstats = &sinfo->pertid[tid];
6215 
6216 			if (!tidstats->filled)
6217 				continue;
6218 
6219 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6220 			if (!tidattr)
6221 				goto nla_put_failure;
6222 
6223 #define PUT_TIDVAL_U64(attr, memb) do {					\
6224 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6225 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6226 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6227 		goto nla_put_failure;					\
6228 	} while (0)
6229 
6230 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6231 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6232 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6233 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6234 
6235 #undef PUT_TIDVAL_U64
6236 			if ((tidstats->filled &
6237 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6238 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6239 						   NL80211_TID_STATS_TXQ_STATS))
6240 				goto nla_put_failure;
6241 
6242 			nla_nest_end(msg, tidattr);
6243 		}
6244 
6245 		nla_nest_end(msg, tidsattr);
6246 	}
6247 
6248 	nla_nest_end(msg, sinfoattr);
6249 
6250 	if (sinfo->assoc_req_ies_len &&
6251 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6252 		    sinfo->assoc_req_ies))
6253 		goto nla_put_failure;
6254 
6255 	cfg80211_sinfo_release_content(sinfo);
6256 	genlmsg_end(msg, hdr);
6257 	return 0;
6258 
6259  nla_put_failure:
6260 	cfg80211_sinfo_release_content(sinfo);
6261 	genlmsg_cancel(msg, hdr);
6262 	return -EMSGSIZE;
6263 }
6264 
6265 static int nl80211_dump_station(struct sk_buff *skb,
6266 				struct netlink_callback *cb)
6267 {
6268 	struct station_info sinfo;
6269 	struct cfg80211_registered_device *rdev;
6270 	struct wireless_dev *wdev;
6271 	u8 mac_addr[ETH_ALEN];
6272 	int sta_idx = cb->args[2];
6273 	int err;
6274 
6275 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6276 	if (err)
6277 		return err;
6278 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6279 	__acquire(&rdev->wiphy.mtx);
6280 
6281 	if (!wdev->netdev) {
6282 		err = -EINVAL;
6283 		goto out_err;
6284 	}
6285 
6286 	if (!rdev->ops->dump_station) {
6287 		err = -EOPNOTSUPP;
6288 		goto out_err;
6289 	}
6290 
6291 	while (1) {
6292 		memset(&sinfo, 0, sizeof(sinfo));
6293 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6294 					mac_addr, &sinfo);
6295 		if (err == -ENOENT)
6296 			break;
6297 		if (err)
6298 			goto out_err;
6299 
6300 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6301 				NETLINK_CB(cb->skb).portid,
6302 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6303 				rdev, wdev->netdev, mac_addr,
6304 				&sinfo) < 0)
6305 			goto out;
6306 
6307 		sta_idx++;
6308 	}
6309 
6310  out:
6311 	cb->args[2] = sta_idx;
6312 	err = skb->len;
6313  out_err:
6314 	wiphy_unlock(&rdev->wiphy);
6315 
6316 	return err;
6317 }
6318 
6319 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6320 {
6321 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6322 	struct net_device *dev = info->user_ptr[1];
6323 	struct station_info sinfo;
6324 	struct sk_buff *msg;
6325 	u8 *mac_addr = NULL;
6326 	int err;
6327 
6328 	memset(&sinfo, 0, sizeof(sinfo));
6329 
6330 	if (!info->attrs[NL80211_ATTR_MAC])
6331 		return -EINVAL;
6332 
6333 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6334 
6335 	if (!rdev->ops->get_station)
6336 		return -EOPNOTSUPP;
6337 
6338 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6339 	if (err)
6340 		return err;
6341 
6342 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6343 	if (!msg) {
6344 		cfg80211_sinfo_release_content(&sinfo);
6345 		return -ENOMEM;
6346 	}
6347 
6348 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6349 				 info->snd_portid, info->snd_seq, 0,
6350 				 rdev, dev, mac_addr, &sinfo) < 0) {
6351 		nlmsg_free(msg);
6352 		return -ENOBUFS;
6353 	}
6354 
6355 	return genlmsg_reply(msg, info);
6356 }
6357 
6358 int cfg80211_check_station_change(struct wiphy *wiphy,
6359 				  struct station_parameters *params,
6360 				  enum cfg80211_station_type statype)
6361 {
6362 	if (params->listen_interval != -1 &&
6363 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6364 		return -EINVAL;
6365 
6366 	if (params->support_p2p_ps != -1 &&
6367 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6368 		return -EINVAL;
6369 
6370 	if (params->aid &&
6371 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6372 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6373 		return -EINVAL;
6374 
6375 	/* When you run into this, adjust the code below for the new flag */
6376 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6377 
6378 	switch (statype) {
6379 	case CFG80211_STA_MESH_PEER_KERNEL:
6380 	case CFG80211_STA_MESH_PEER_USER:
6381 		/*
6382 		 * No ignoring the TDLS flag here -- the userspace mesh
6383 		 * code doesn't have the bug of including TDLS in the
6384 		 * mask everywhere.
6385 		 */
6386 		if (params->sta_flags_mask &
6387 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6388 				  BIT(NL80211_STA_FLAG_MFP) |
6389 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6390 			return -EINVAL;
6391 		break;
6392 	case CFG80211_STA_TDLS_PEER_SETUP:
6393 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6394 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6395 			return -EINVAL;
6396 		/* ignore since it can't change */
6397 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6398 		break;
6399 	default:
6400 		/* disallow mesh-specific things */
6401 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6402 			return -EINVAL;
6403 		if (params->local_pm)
6404 			return -EINVAL;
6405 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6406 			return -EINVAL;
6407 	}
6408 
6409 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6410 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6411 		/* TDLS can't be set, ... */
6412 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6413 			return -EINVAL;
6414 		/*
6415 		 * ... but don't bother the driver with it. This works around
6416 		 * a hostapd/wpa_supplicant issue -- it always includes the
6417 		 * TLDS_PEER flag in the mask even for AP mode.
6418 		 */
6419 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6420 	}
6421 
6422 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6423 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6424 		/* reject other things that can't change */
6425 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6426 			return -EINVAL;
6427 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6428 			return -EINVAL;
6429 		if (params->supported_rates)
6430 			return -EINVAL;
6431 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6432 		    params->he_capa || params->eht_capa)
6433 			return -EINVAL;
6434 	}
6435 
6436 	if (statype != CFG80211_STA_AP_CLIENT &&
6437 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6438 		if (params->vlan)
6439 			return -EINVAL;
6440 	}
6441 
6442 	switch (statype) {
6443 	case CFG80211_STA_AP_MLME_CLIENT:
6444 		/* Use this only for authorizing/unauthorizing a station */
6445 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6446 			return -EOPNOTSUPP;
6447 		break;
6448 	case CFG80211_STA_AP_CLIENT:
6449 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6450 		/* accept only the listed bits */
6451 		if (params->sta_flags_mask &
6452 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6453 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6454 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6455 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6456 				  BIT(NL80211_STA_FLAG_WME) |
6457 				  BIT(NL80211_STA_FLAG_MFP)))
6458 			return -EINVAL;
6459 
6460 		/* but authenticated/associated only if driver handles it */
6461 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6462 		    params->sta_flags_mask &
6463 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6464 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6465 			return -EINVAL;
6466 		break;
6467 	case CFG80211_STA_IBSS:
6468 	case CFG80211_STA_AP_STA:
6469 		/* reject any changes other than AUTHORIZED */
6470 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6471 			return -EINVAL;
6472 		break;
6473 	case CFG80211_STA_TDLS_PEER_SETUP:
6474 		/* reject any changes other than AUTHORIZED or WME */
6475 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6476 					       BIT(NL80211_STA_FLAG_WME)))
6477 			return -EINVAL;
6478 		/* force (at least) rates when authorizing */
6479 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6480 		    !params->supported_rates)
6481 			return -EINVAL;
6482 		break;
6483 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6484 		/* reject any changes */
6485 		return -EINVAL;
6486 	case CFG80211_STA_MESH_PEER_KERNEL:
6487 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6488 			return -EINVAL;
6489 		break;
6490 	case CFG80211_STA_MESH_PEER_USER:
6491 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6492 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6493 			return -EINVAL;
6494 		break;
6495 	}
6496 
6497 	/*
6498 	 * Older kernel versions ignored this attribute entirely, so don't
6499 	 * reject attempts to update it but mark it as unused instead so the
6500 	 * driver won't look at the data.
6501 	 */
6502 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6503 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6504 		params->opmode_notif_used = false;
6505 
6506 	return 0;
6507 }
6508 EXPORT_SYMBOL(cfg80211_check_station_change);
6509 
6510 /*
6511  * Get vlan interface making sure it is running and on the right wiphy.
6512  */
6513 static struct net_device *get_vlan(struct genl_info *info,
6514 				   struct cfg80211_registered_device *rdev)
6515 {
6516 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6517 	struct net_device *v;
6518 	int ret;
6519 
6520 	if (!vlanattr)
6521 		return NULL;
6522 
6523 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6524 	if (!v)
6525 		return ERR_PTR(-ENODEV);
6526 
6527 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6528 		ret = -EINVAL;
6529 		goto error;
6530 	}
6531 
6532 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6533 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6534 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6535 		ret = -EINVAL;
6536 		goto error;
6537 	}
6538 
6539 	if (!netif_running(v)) {
6540 		ret = -ENETDOWN;
6541 		goto error;
6542 	}
6543 
6544 	return v;
6545  error:
6546 	dev_put(v);
6547 	return ERR_PTR(ret);
6548 }
6549 
6550 static const struct nla_policy
6551 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6552 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6553 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6554 };
6555 
6556 static int nl80211_parse_sta_wme(struct genl_info *info,
6557 				 struct station_parameters *params)
6558 {
6559 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6560 	struct nlattr *nla;
6561 	int err;
6562 
6563 	/* parse WME attributes if present */
6564 	if (!info->attrs[NL80211_ATTR_STA_WME])
6565 		return 0;
6566 
6567 	nla = info->attrs[NL80211_ATTR_STA_WME];
6568 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6569 					  nl80211_sta_wme_policy,
6570 					  info->extack);
6571 	if (err)
6572 		return err;
6573 
6574 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6575 		params->uapsd_queues = nla_get_u8(
6576 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6577 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6578 		return -EINVAL;
6579 
6580 	if (tb[NL80211_STA_WME_MAX_SP])
6581 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6582 
6583 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6584 		return -EINVAL;
6585 
6586 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6587 
6588 	return 0;
6589 }
6590 
6591 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6592 				      struct station_parameters *params)
6593 {
6594 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6595 		params->supported_channels =
6596 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6597 		params->supported_channels_len =
6598 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6599 		/*
6600 		 * Need to include at least one (first channel, number of
6601 		 * channels) tuple for each subband (checked in policy),
6602 		 * and must have proper tuples for the rest of the data as well.
6603 		 */
6604 		if (params->supported_channels_len % 2)
6605 			return -EINVAL;
6606 	}
6607 
6608 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6609 		params->supported_oper_classes =
6610 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6611 		params->supported_oper_classes_len =
6612 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6613 	}
6614 	return 0;
6615 }
6616 
6617 static int nl80211_set_station_tdls(struct genl_info *info,
6618 				    struct station_parameters *params)
6619 {
6620 	int err;
6621 	/* Dummy STA entry gets updated once the peer capabilities are known */
6622 	if (info->attrs[NL80211_ATTR_PEER_AID])
6623 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6624 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6625 		params->ht_capa =
6626 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6627 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6628 		params->vht_capa =
6629 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6630 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6631 		params->he_capa =
6632 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6633 		params->he_capa_len =
6634 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6635 
6636 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6637 			params->eht_capa =
6638 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6639 			params->eht_capa_len =
6640 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6641 
6642 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_capa,
6643 							(const u8 *)params->eht_capa,
6644 							params->eht_capa_len))
6645 				return -EINVAL;
6646 		}
6647 	}
6648 
6649 	err = nl80211_parse_sta_channel_info(info, params);
6650 	if (err)
6651 		return err;
6652 
6653 	return nl80211_parse_sta_wme(info, params);
6654 }
6655 
6656 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6657 					     struct station_parameters *params)
6658 {
6659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6660 	int idx;
6661 
6662 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6663 		if (!rdev->ops->set_tx_power ||
6664 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6665 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6666 			return -EOPNOTSUPP;
6667 
6668 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6669 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6670 
6671 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6672 			idx = NL80211_ATTR_STA_TX_POWER;
6673 
6674 			if (info->attrs[idx])
6675 				params->txpwr.power =
6676 					nla_get_s16(info->attrs[idx]);
6677 			else
6678 				return -EINVAL;
6679 		}
6680 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6681 	}
6682 
6683 	return 0;
6684 }
6685 
6686 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6687 {
6688 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6689 	struct net_device *dev = info->user_ptr[1];
6690 	struct station_parameters params;
6691 	u8 *mac_addr;
6692 	int err;
6693 
6694 	memset(&params, 0, sizeof(params));
6695 
6696 	if (!rdev->ops->change_station)
6697 		return -EOPNOTSUPP;
6698 
6699 	/*
6700 	 * AID and listen_interval properties can be set only for unassociated
6701 	 * station. Include these parameters here and will check them in
6702 	 * cfg80211_check_station_change().
6703 	 */
6704 	if (info->attrs[NL80211_ATTR_STA_AID])
6705 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6706 
6707 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6708 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6709 
6710 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6711 		params.listen_interval =
6712 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6713 	else
6714 		params.listen_interval = -1;
6715 
6716 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6717 		params.support_p2p_ps =
6718 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6719 	else
6720 		params.support_p2p_ps = -1;
6721 
6722 	if (!info->attrs[NL80211_ATTR_MAC])
6723 		return -EINVAL;
6724 
6725 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6726 
6727 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6728 		params.supported_rates =
6729 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6730 		params.supported_rates_len =
6731 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6732 	}
6733 
6734 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6735 		params.capability =
6736 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6737 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6738 	}
6739 
6740 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6741 		params.ext_capab =
6742 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6743 		params.ext_capab_len =
6744 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6745 	}
6746 
6747 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6748 		return -EINVAL;
6749 
6750 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6751 		params.plink_action =
6752 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6753 
6754 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6755 		params.plink_state =
6756 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6757 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6758 			params.peer_aid = nla_get_u16(
6759 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6760 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6761 	}
6762 
6763 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6764 		params.local_pm = nla_get_u32(
6765 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6766 
6767 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6768 		params.opmode_notif_used = true;
6769 		params.opmode_notif =
6770 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6771 	}
6772 
6773 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6774 		params.he_6ghz_capa =
6775 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6776 
6777 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6778 		params.airtime_weight =
6779 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6780 
6781 	if (params.airtime_weight &&
6782 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6783 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6784 		return -EOPNOTSUPP;
6785 
6786 	err = nl80211_parse_sta_txpower_setting(info, &params);
6787 	if (err)
6788 		return err;
6789 
6790 	/* Include parameters for TDLS peer (will check later) */
6791 	err = nl80211_set_station_tdls(info, &params);
6792 	if (err)
6793 		return err;
6794 
6795 	params.vlan = get_vlan(info, rdev);
6796 	if (IS_ERR(params.vlan))
6797 		return PTR_ERR(params.vlan);
6798 
6799 	switch (dev->ieee80211_ptr->iftype) {
6800 	case NL80211_IFTYPE_AP:
6801 	case NL80211_IFTYPE_AP_VLAN:
6802 	case NL80211_IFTYPE_P2P_GO:
6803 	case NL80211_IFTYPE_P2P_CLIENT:
6804 	case NL80211_IFTYPE_STATION:
6805 	case NL80211_IFTYPE_ADHOC:
6806 	case NL80211_IFTYPE_MESH_POINT:
6807 		break;
6808 	default:
6809 		err = -EOPNOTSUPP;
6810 		goto out_put_vlan;
6811 	}
6812 
6813 	/* driver will call cfg80211_check_station_change() */
6814 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6815 
6816  out_put_vlan:
6817 	dev_put(params.vlan);
6818 
6819 	return err;
6820 }
6821 
6822 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6823 {
6824 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6825 	int err;
6826 	struct net_device *dev = info->user_ptr[1];
6827 	struct station_parameters params;
6828 	u8 *mac_addr = NULL;
6829 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6830 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6831 
6832 	memset(&params, 0, sizeof(params));
6833 
6834 	if (!rdev->ops->add_station)
6835 		return -EOPNOTSUPP;
6836 
6837 	if (!info->attrs[NL80211_ATTR_MAC])
6838 		return -EINVAL;
6839 
6840 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6841 		return -EINVAL;
6842 
6843 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6844 		return -EINVAL;
6845 
6846 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6847 	    !info->attrs[NL80211_ATTR_PEER_AID])
6848 		return -EINVAL;
6849 
6850 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6851 	params.supported_rates =
6852 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6853 	params.supported_rates_len =
6854 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6855 	params.listen_interval =
6856 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6857 
6858 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6859 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6860 
6861 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6862 		params.support_p2p_ps =
6863 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6864 	} else {
6865 		/*
6866 		 * if not specified, assume it's supported for P2P GO interface,
6867 		 * and is NOT supported for AP interface
6868 		 */
6869 		params.support_p2p_ps =
6870 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6871 	}
6872 
6873 	if (info->attrs[NL80211_ATTR_PEER_AID])
6874 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6875 	else
6876 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6877 
6878 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6879 		params.capability =
6880 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6881 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6882 	}
6883 
6884 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6885 		params.ext_capab =
6886 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6887 		params.ext_capab_len =
6888 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6889 	}
6890 
6891 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6892 		params.ht_capa =
6893 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6894 
6895 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6896 		params.vht_capa =
6897 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6898 
6899 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6900 		params.he_capa =
6901 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6902 		params.he_capa_len =
6903 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6904 
6905 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
6906 			params.eht_capa =
6907 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6908 			params.eht_capa_len =
6909 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
6910 
6911 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
6912 							(const u8 *)params.eht_capa,
6913 							params.eht_capa_len))
6914 				return -EINVAL;
6915 		}
6916 	}
6917 
6918 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6919 		params.he_6ghz_capa =
6920 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6921 
6922 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6923 		params.opmode_notif_used = true;
6924 		params.opmode_notif =
6925 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6926 	}
6927 
6928 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6929 		params.plink_action =
6930 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6931 
6932 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6933 		params.airtime_weight =
6934 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6935 
6936 	if (params.airtime_weight &&
6937 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6938 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6939 		return -EOPNOTSUPP;
6940 
6941 	err = nl80211_parse_sta_txpower_setting(info, &params);
6942 	if (err)
6943 		return err;
6944 
6945 	err = nl80211_parse_sta_channel_info(info, &params);
6946 	if (err)
6947 		return err;
6948 
6949 	err = nl80211_parse_sta_wme(info, &params);
6950 	if (err)
6951 		return err;
6952 
6953 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6954 		return -EINVAL;
6955 
6956 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6957 	 * as userspace might just pass through the capabilities from the IEs
6958 	 * directly, rather than enforcing this restriction and returning an
6959 	 * error in this case.
6960 	 */
6961 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6962 		params.ht_capa = NULL;
6963 		params.vht_capa = NULL;
6964 
6965 		/* HE and EHT require WME */
6966 		if (params.he_capa_len || params.he_6ghz_capa ||
6967 		    params.eht_capa_len)
6968 			return -EINVAL;
6969 	}
6970 
6971 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6972 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6973 		return -EINVAL;
6974 
6975 	/* When you run into this, adjust the code below for the new flag */
6976 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6977 
6978 	switch (dev->ieee80211_ptr->iftype) {
6979 	case NL80211_IFTYPE_AP:
6980 	case NL80211_IFTYPE_AP_VLAN:
6981 	case NL80211_IFTYPE_P2P_GO:
6982 		/* ignore WME attributes if iface/sta is not capable */
6983 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6984 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6985 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6986 
6987 		/* TDLS peers cannot be added */
6988 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6989 		    info->attrs[NL80211_ATTR_PEER_AID])
6990 			return -EINVAL;
6991 		/* but don't bother the driver with it */
6992 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6993 
6994 		/* allow authenticated/associated only if driver handles it */
6995 		if (!(rdev->wiphy.features &
6996 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6997 		    params.sta_flags_mask & auth_assoc)
6998 			return -EINVAL;
6999 
7000 		/* Older userspace, or userspace wanting to be compatible with
7001 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7002 		 * and assoc flags in the mask, but assumes the station will be
7003 		 * added as associated anyway since this was the required driver
7004 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7005 		 * introduced.
7006 		 * In order to not bother drivers with this quirk in the API
7007 		 * set the flags in both the mask and set for new stations in
7008 		 * this case.
7009 		 */
7010 		if (!(params.sta_flags_mask & auth_assoc)) {
7011 			params.sta_flags_mask |= auth_assoc;
7012 			params.sta_flags_set |= auth_assoc;
7013 		}
7014 
7015 		/* must be last in here for error handling */
7016 		params.vlan = get_vlan(info, rdev);
7017 		if (IS_ERR(params.vlan))
7018 			return PTR_ERR(params.vlan);
7019 		break;
7020 	case NL80211_IFTYPE_MESH_POINT:
7021 		/* ignore uAPSD data */
7022 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7023 
7024 		/* associated is disallowed */
7025 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7026 			return -EINVAL;
7027 		/* TDLS peers cannot be added */
7028 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7029 		    info->attrs[NL80211_ATTR_PEER_AID])
7030 			return -EINVAL;
7031 		break;
7032 	case NL80211_IFTYPE_STATION:
7033 	case NL80211_IFTYPE_P2P_CLIENT:
7034 		/* ignore uAPSD data */
7035 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7036 
7037 		/* these are disallowed */
7038 		if (params.sta_flags_mask &
7039 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7040 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7041 			return -EINVAL;
7042 		/* Only TDLS peers can be added */
7043 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7044 			return -EINVAL;
7045 		/* Can only add if TDLS ... */
7046 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7047 			return -EOPNOTSUPP;
7048 		/* ... with external setup is supported */
7049 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7050 			return -EOPNOTSUPP;
7051 		/*
7052 		 * Older wpa_supplicant versions always mark the TDLS peer
7053 		 * as authorized, but it shouldn't yet be.
7054 		 */
7055 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7056 		break;
7057 	default:
7058 		return -EOPNOTSUPP;
7059 	}
7060 
7061 	/* be aware of params.vlan when changing code here */
7062 
7063 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7064 
7065 	dev_put(params.vlan);
7066 	return err;
7067 }
7068 
7069 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7070 {
7071 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7072 	struct net_device *dev = info->user_ptr[1];
7073 	struct station_del_parameters params;
7074 
7075 	memset(&params, 0, sizeof(params));
7076 
7077 	if (info->attrs[NL80211_ATTR_MAC])
7078 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7079 
7080 	switch (dev->ieee80211_ptr->iftype) {
7081 	case NL80211_IFTYPE_AP:
7082 	case NL80211_IFTYPE_AP_VLAN:
7083 	case NL80211_IFTYPE_MESH_POINT:
7084 	case NL80211_IFTYPE_P2P_GO:
7085 		/* always accept these */
7086 		break;
7087 	case NL80211_IFTYPE_ADHOC:
7088 		/* conditionally accept */
7089 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7090 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7091 			break;
7092 		return -EINVAL;
7093 	default:
7094 		return -EINVAL;
7095 	}
7096 
7097 	if (!rdev->ops->del_station)
7098 		return -EOPNOTSUPP;
7099 
7100 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7101 		params.subtype =
7102 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7103 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7104 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7105 			return -EINVAL;
7106 	} else {
7107 		/* Default to Deauthentication frame */
7108 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7109 	}
7110 
7111 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7112 		params.reason_code =
7113 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7114 		if (params.reason_code == 0)
7115 			return -EINVAL; /* 0 is reserved */
7116 	} else {
7117 		/* Default to reason code 2 */
7118 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7119 	}
7120 
7121 	return rdev_del_station(rdev, dev, &params);
7122 }
7123 
7124 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7125 				int flags, struct net_device *dev,
7126 				u8 *dst, u8 *next_hop,
7127 				struct mpath_info *pinfo)
7128 {
7129 	void *hdr;
7130 	struct nlattr *pinfoattr;
7131 
7132 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7133 	if (!hdr)
7134 		return -1;
7135 
7136 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7137 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7138 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7139 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7140 		goto nla_put_failure;
7141 
7142 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7143 	if (!pinfoattr)
7144 		goto nla_put_failure;
7145 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7146 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7147 			pinfo->frame_qlen))
7148 		goto nla_put_failure;
7149 	if (((pinfo->filled & MPATH_INFO_SN) &&
7150 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7151 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7152 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7153 			 pinfo->metric)) ||
7154 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7155 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7156 			 pinfo->exptime)) ||
7157 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7158 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7159 			pinfo->flags)) ||
7160 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7161 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7162 			 pinfo->discovery_timeout)) ||
7163 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7164 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7165 			pinfo->discovery_retries)) ||
7166 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7167 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7168 			pinfo->hop_count)) ||
7169 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7170 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7171 			 pinfo->path_change_count)))
7172 		goto nla_put_failure;
7173 
7174 	nla_nest_end(msg, pinfoattr);
7175 
7176 	genlmsg_end(msg, hdr);
7177 	return 0;
7178 
7179  nla_put_failure:
7180 	genlmsg_cancel(msg, hdr);
7181 	return -EMSGSIZE;
7182 }
7183 
7184 static int nl80211_dump_mpath(struct sk_buff *skb,
7185 			      struct netlink_callback *cb)
7186 {
7187 	struct mpath_info pinfo;
7188 	struct cfg80211_registered_device *rdev;
7189 	struct wireless_dev *wdev;
7190 	u8 dst[ETH_ALEN];
7191 	u8 next_hop[ETH_ALEN];
7192 	int path_idx = cb->args[2];
7193 	int err;
7194 
7195 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7196 	if (err)
7197 		return err;
7198 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7199 	__acquire(&rdev->wiphy.mtx);
7200 
7201 	if (!rdev->ops->dump_mpath) {
7202 		err = -EOPNOTSUPP;
7203 		goto out_err;
7204 	}
7205 
7206 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7207 		err = -EOPNOTSUPP;
7208 		goto out_err;
7209 	}
7210 
7211 	while (1) {
7212 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7213 				      next_hop, &pinfo);
7214 		if (err == -ENOENT)
7215 			break;
7216 		if (err)
7217 			goto out_err;
7218 
7219 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7220 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7221 				       wdev->netdev, dst, next_hop,
7222 				       &pinfo) < 0)
7223 			goto out;
7224 
7225 		path_idx++;
7226 	}
7227 
7228  out:
7229 	cb->args[2] = path_idx;
7230 	err = skb->len;
7231  out_err:
7232 	wiphy_unlock(&rdev->wiphy);
7233 	return err;
7234 }
7235 
7236 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7237 {
7238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7239 	int err;
7240 	struct net_device *dev = info->user_ptr[1];
7241 	struct mpath_info pinfo;
7242 	struct sk_buff *msg;
7243 	u8 *dst = NULL;
7244 	u8 next_hop[ETH_ALEN];
7245 
7246 	memset(&pinfo, 0, sizeof(pinfo));
7247 
7248 	if (!info->attrs[NL80211_ATTR_MAC])
7249 		return -EINVAL;
7250 
7251 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7252 
7253 	if (!rdev->ops->get_mpath)
7254 		return -EOPNOTSUPP;
7255 
7256 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7257 		return -EOPNOTSUPP;
7258 
7259 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7260 	if (err)
7261 		return err;
7262 
7263 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7264 	if (!msg)
7265 		return -ENOMEM;
7266 
7267 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7268 				 dev, dst, next_hop, &pinfo) < 0) {
7269 		nlmsg_free(msg);
7270 		return -ENOBUFS;
7271 	}
7272 
7273 	return genlmsg_reply(msg, info);
7274 }
7275 
7276 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7277 {
7278 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7279 	struct net_device *dev = info->user_ptr[1];
7280 	u8 *dst = NULL;
7281 	u8 *next_hop = NULL;
7282 
7283 	if (!info->attrs[NL80211_ATTR_MAC])
7284 		return -EINVAL;
7285 
7286 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7287 		return -EINVAL;
7288 
7289 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7290 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7291 
7292 	if (!rdev->ops->change_mpath)
7293 		return -EOPNOTSUPP;
7294 
7295 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7296 		return -EOPNOTSUPP;
7297 
7298 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7299 }
7300 
7301 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7302 {
7303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7304 	struct net_device *dev = info->user_ptr[1];
7305 	u8 *dst = NULL;
7306 	u8 *next_hop = NULL;
7307 
7308 	if (!info->attrs[NL80211_ATTR_MAC])
7309 		return -EINVAL;
7310 
7311 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7312 		return -EINVAL;
7313 
7314 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7315 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7316 
7317 	if (!rdev->ops->add_mpath)
7318 		return -EOPNOTSUPP;
7319 
7320 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7321 		return -EOPNOTSUPP;
7322 
7323 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7324 }
7325 
7326 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7327 {
7328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7329 	struct net_device *dev = info->user_ptr[1];
7330 	u8 *dst = NULL;
7331 
7332 	if (info->attrs[NL80211_ATTR_MAC])
7333 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7334 
7335 	if (!rdev->ops->del_mpath)
7336 		return -EOPNOTSUPP;
7337 
7338 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7339 		return -EOPNOTSUPP;
7340 
7341 	return rdev_del_mpath(rdev, dev, dst);
7342 }
7343 
7344 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7345 {
7346 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7347 	int err;
7348 	struct net_device *dev = info->user_ptr[1];
7349 	struct mpath_info pinfo;
7350 	struct sk_buff *msg;
7351 	u8 *dst = NULL;
7352 	u8 mpp[ETH_ALEN];
7353 
7354 	memset(&pinfo, 0, sizeof(pinfo));
7355 
7356 	if (!info->attrs[NL80211_ATTR_MAC])
7357 		return -EINVAL;
7358 
7359 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7360 
7361 	if (!rdev->ops->get_mpp)
7362 		return -EOPNOTSUPP;
7363 
7364 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7365 		return -EOPNOTSUPP;
7366 
7367 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7368 	if (err)
7369 		return err;
7370 
7371 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7372 	if (!msg)
7373 		return -ENOMEM;
7374 
7375 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7376 			       dev, dst, mpp, &pinfo) < 0) {
7377 		nlmsg_free(msg);
7378 		return -ENOBUFS;
7379 	}
7380 
7381 	return genlmsg_reply(msg, info);
7382 }
7383 
7384 static int nl80211_dump_mpp(struct sk_buff *skb,
7385 			    struct netlink_callback *cb)
7386 {
7387 	struct mpath_info pinfo;
7388 	struct cfg80211_registered_device *rdev;
7389 	struct wireless_dev *wdev;
7390 	u8 dst[ETH_ALEN];
7391 	u8 mpp[ETH_ALEN];
7392 	int path_idx = cb->args[2];
7393 	int err;
7394 
7395 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7396 	if (err)
7397 		return err;
7398 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7399 	__acquire(&rdev->wiphy.mtx);
7400 
7401 	if (!rdev->ops->dump_mpp) {
7402 		err = -EOPNOTSUPP;
7403 		goto out_err;
7404 	}
7405 
7406 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7407 		err = -EOPNOTSUPP;
7408 		goto out_err;
7409 	}
7410 
7411 	while (1) {
7412 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7413 				    mpp, &pinfo);
7414 		if (err == -ENOENT)
7415 			break;
7416 		if (err)
7417 			goto out_err;
7418 
7419 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7420 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7421 				       wdev->netdev, dst, mpp,
7422 				       &pinfo) < 0)
7423 			goto out;
7424 
7425 		path_idx++;
7426 	}
7427 
7428  out:
7429 	cb->args[2] = path_idx;
7430 	err = skb->len;
7431  out_err:
7432 	wiphy_unlock(&rdev->wiphy);
7433 	return err;
7434 }
7435 
7436 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7437 {
7438 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7439 	struct net_device *dev = info->user_ptr[1];
7440 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7441 	struct bss_parameters params;
7442 	int err;
7443 
7444 	memset(&params, 0, sizeof(params));
7445 	/* default to not changing parameters */
7446 	params.use_cts_prot = -1;
7447 	params.use_short_preamble = -1;
7448 	params.use_short_slot_time = -1;
7449 	params.ap_isolate = -1;
7450 	params.ht_opmode = -1;
7451 	params.p2p_ctwindow = -1;
7452 	params.p2p_opp_ps = -1;
7453 
7454 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7455 		params.use_cts_prot =
7456 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7457 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7458 		params.use_short_preamble =
7459 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7460 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7461 		params.use_short_slot_time =
7462 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7463 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7464 		params.basic_rates =
7465 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7466 		params.basic_rates_len =
7467 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7468 	}
7469 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7470 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7471 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7472 		params.ht_opmode =
7473 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7474 
7475 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7476 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7477 			return -EINVAL;
7478 		params.p2p_ctwindow =
7479 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7480 		if (params.p2p_ctwindow != 0 &&
7481 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7482 			return -EINVAL;
7483 	}
7484 
7485 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7486 		u8 tmp;
7487 
7488 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7489 			return -EINVAL;
7490 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7491 		params.p2p_opp_ps = tmp;
7492 		if (params.p2p_opp_ps &&
7493 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7494 			return -EINVAL;
7495 	}
7496 
7497 	if (!rdev->ops->change_bss)
7498 		return -EOPNOTSUPP;
7499 
7500 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7501 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7502 		return -EOPNOTSUPP;
7503 
7504 	wdev_lock(wdev);
7505 	err = rdev_change_bss(rdev, dev, &params);
7506 	wdev_unlock(wdev);
7507 
7508 	return err;
7509 }
7510 
7511 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7512 {
7513 	char *data = NULL;
7514 	bool is_indoor;
7515 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7516 	u32 owner_nlportid;
7517 
7518 	/*
7519 	 * You should only get this when cfg80211 hasn't yet initialized
7520 	 * completely when built-in to the kernel right between the time
7521 	 * window between nl80211_init() and regulatory_init(), if that is
7522 	 * even possible.
7523 	 */
7524 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7525 		return -EINPROGRESS;
7526 
7527 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7528 		user_reg_hint_type =
7529 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7530 	else
7531 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7532 
7533 	switch (user_reg_hint_type) {
7534 	case NL80211_USER_REG_HINT_USER:
7535 	case NL80211_USER_REG_HINT_CELL_BASE:
7536 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7537 			return -EINVAL;
7538 
7539 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7540 		return regulatory_hint_user(data, user_reg_hint_type);
7541 	case NL80211_USER_REG_HINT_INDOOR:
7542 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7543 			owner_nlportid = info->snd_portid;
7544 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7545 		} else {
7546 			owner_nlportid = 0;
7547 			is_indoor = true;
7548 		}
7549 
7550 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7551 	default:
7552 		return -EINVAL;
7553 	}
7554 }
7555 
7556 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7557 {
7558 	return reg_reload_regdb();
7559 }
7560 
7561 static int nl80211_get_mesh_config(struct sk_buff *skb,
7562 				   struct genl_info *info)
7563 {
7564 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7565 	struct net_device *dev = info->user_ptr[1];
7566 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7567 	struct mesh_config cur_params;
7568 	int err = 0;
7569 	void *hdr;
7570 	struct nlattr *pinfoattr;
7571 	struct sk_buff *msg;
7572 
7573 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7574 		return -EOPNOTSUPP;
7575 
7576 	if (!rdev->ops->get_mesh_config)
7577 		return -EOPNOTSUPP;
7578 
7579 	wdev_lock(wdev);
7580 	/* If not connected, get default parameters */
7581 	if (!wdev->mesh_id_len)
7582 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7583 	else
7584 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7585 	wdev_unlock(wdev);
7586 
7587 	if (err)
7588 		return err;
7589 
7590 	/* Draw up a netlink message to send back */
7591 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7592 	if (!msg)
7593 		return -ENOMEM;
7594 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7595 			     NL80211_CMD_GET_MESH_CONFIG);
7596 	if (!hdr)
7597 		goto out;
7598 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7599 	if (!pinfoattr)
7600 		goto nla_put_failure;
7601 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7602 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7603 			cur_params.dot11MeshRetryTimeout) ||
7604 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7605 			cur_params.dot11MeshConfirmTimeout) ||
7606 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7607 			cur_params.dot11MeshHoldingTimeout) ||
7608 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7609 			cur_params.dot11MeshMaxPeerLinks) ||
7610 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7611 		       cur_params.dot11MeshMaxRetries) ||
7612 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7613 		       cur_params.dot11MeshTTL) ||
7614 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7615 		       cur_params.element_ttl) ||
7616 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7617 		       cur_params.auto_open_plinks) ||
7618 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7619 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7620 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7621 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7622 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7623 			cur_params.path_refresh_time) ||
7624 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7625 			cur_params.min_discovery_timeout) ||
7626 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7627 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7628 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7629 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7630 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7631 			cur_params.dot11MeshHWMPperrMinInterval) ||
7632 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7633 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7634 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7635 		       cur_params.dot11MeshHWMPRootMode) ||
7636 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7637 			cur_params.dot11MeshHWMPRannInterval) ||
7638 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7639 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7640 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7641 		       cur_params.dot11MeshForwarding) ||
7642 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7643 			cur_params.rssi_threshold) ||
7644 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7645 			cur_params.ht_opmode) ||
7646 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7647 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7648 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7649 			cur_params.dot11MeshHWMProotInterval) ||
7650 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7651 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7652 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7653 			cur_params.power_mode) ||
7654 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7655 			cur_params.dot11MeshAwakeWindowDuration) ||
7656 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7657 			cur_params.plink_timeout) ||
7658 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7659 		       cur_params.dot11MeshConnectedToMeshGate) ||
7660 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7661 		       cur_params.dot11MeshNolearn) ||
7662 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7663 		       cur_params.dot11MeshConnectedToAuthServer))
7664 		goto nla_put_failure;
7665 	nla_nest_end(msg, pinfoattr);
7666 	genlmsg_end(msg, hdr);
7667 	return genlmsg_reply(msg, info);
7668 
7669  nla_put_failure:
7670  out:
7671 	nlmsg_free(msg);
7672 	return -ENOBUFS;
7673 }
7674 
7675 static const struct nla_policy
7676 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7677 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7678 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7679 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7680 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7681 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7682 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7683 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7684 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7685 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7686 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7687 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7688 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7689 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7690 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7691 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7692 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7693 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7694 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7695 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7696 		NLA_POLICY_MIN(NLA_U16, 1),
7697 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7698 		NLA_POLICY_MIN(NLA_U16, 1),
7699 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7700 		NLA_POLICY_MIN(NLA_U16, 1),
7701 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7702 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7703 		NLA_POLICY_MIN(NLA_U16, 1),
7704 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7705 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7706 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7707 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7708 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7709 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7710 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7711 		NLA_POLICY_MIN(NLA_U16, 1),
7712 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7713 		NLA_POLICY_MIN(NLA_U16, 1),
7714 	[NL80211_MESHCONF_POWER_MODE] =
7715 		NLA_POLICY_RANGE(NLA_U32,
7716 				 NL80211_MESH_POWER_ACTIVE,
7717 				 NL80211_MESH_POWER_MAX),
7718 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7719 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7720 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7721 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7722 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7723 };
7724 
7725 static const struct nla_policy
7726 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7727 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7728 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7729 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7730 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7731 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7732 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7733 	[NL80211_MESH_SETUP_IE] =
7734 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7735 				       IEEE80211_MAX_DATA_LEN),
7736 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7737 };
7738 
7739 static int nl80211_parse_mesh_config(struct genl_info *info,
7740 				     struct mesh_config *cfg,
7741 				     u32 *mask_out)
7742 {
7743 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7744 	u32 mask = 0;
7745 	u16 ht_opmode;
7746 
7747 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7748 do {									\
7749 	if (tb[attr]) {							\
7750 		cfg->param = fn(tb[attr]);				\
7751 		mask |= BIT((attr) - 1);				\
7752 	}								\
7753 } while (0)
7754 
7755 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7756 		return -EINVAL;
7757 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7758 		return -EINVAL;
7759 
7760 	/* This makes sure that there aren't more than 32 mesh config
7761 	 * parameters (otherwise our bitfield scheme would not work.) */
7762 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7763 
7764 	/* Fill in the params struct */
7765 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7766 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7767 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7768 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7769 				  nla_get_u16);
7770 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7771 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7772 				  nla_get_u16);
7773 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7774 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7775 				  nla_get_u16);
7776 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7777 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7778 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7779 				  NL80211_MESHCONF_TTL, nla_get_u8);
7780 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7781 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7782 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7783 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7784 				  nla_get_u8);
7785 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7786 				  mask,
7787 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7788 				  nla_get_u32);
7789 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7790 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7791 				  nla_get_u8);
7792 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7793 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7794 				  nla_get_u32);
7795 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7796 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7797 		return -EINVAL;
7798 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7799 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7800 				  nla_get_u16);
7801 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7802 				  mask,
7803 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7804 				  nla_get_u32);
7805 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7806 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7807 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7808 		return -EINVAL;
7809 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7810 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7811 				  nla_get_u16);
7812 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7813 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7814 				  nla_get_u16);
7815 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7816 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7817 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7818 				  nla_get_u16);
7819 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7820 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7821 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7822 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7823 				  nla_get_u16);
7824 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7825 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7826 				  nla_get_u8);
7827 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7828 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7829 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7830 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7831 				  nla_get_s32);
7832 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7833 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7834 				  nla_get_u8);
7835 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7836 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7837 				  nla_get_u8);
7838 	/*
7839 	 * Check HT operation mode based on
7840 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7841 	 */
7842 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7843 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7844 
7845 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7846 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7847 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7848 			return -EINVAL;
7849 
7850 		/* NON_HT_STA bit is reserved, but some programs set it */
7851 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7852 
7853 		cfg->ht_opmode = ht_opmode;
7854 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7855 	}
7856 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7857 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7858 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7859 				  nla_get_u32);
7860 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7861 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7862 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7863 		return -EINVAL;
7864 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7865 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7866 				  nla_get_u16);
7867 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7868 				  mask,
7869 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7870 				  nla_get_u16);
7871 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7872 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7873 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7874 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7875 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7876 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7877 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7878 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7879 	if (mask_out)
7880 		*mask_out = mask;
7881 
7882 	return 0;
7883 
7884 #undef FILL_IN_MESH_PARAM_IF_SET
7885 }
7886 
7887 static int nl80211_parse_mesh_setup(struct genl_info *info,
7888 				     struct mesh_setup *setup)
7889 {
7890 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7891 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7892 
7893 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7894 		return -EINVAL;
7895 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7896 		return -EINVAL;
7897 
7898 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7899 		setup->sync_method =
7900 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7901 		 IEEE80211_SYNC_METHOD_VENDOR :
7902 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7903 
7904 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7905 		setup->path_sel_proto =
7906 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7907 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7908 		 IEEE80211_PATH_PROTOCOL_HWMP;
7909 
7910 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7911 		setup->path_metric =
7912 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7913 		 IEEE80211_PATH_METRIC_VENDOR :
7914 		 IEEE80211_PATH_METRIC_AIRTIME;
7915 
7916 	if (tb[NL80211_MESH_SETUP_IE]) {
7917 		struct nlattr *ieattr =
7918 			tb[NL80211_MESH_SETUP_IE];
7919 		setup->ie = nla_data(ieattr);
7920 		setup->ie_len = nla_len(ieattr);
7921 	}
7922 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7923 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7924 		return -EINVAL;
7925 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7926 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7927 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7928 	if (setup->is_secure)
7929 		setup->user_mpm = true;
7930 
7931 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7932 		if (!setup->user_mpm)
7933 			return -EINVAL;
7934 		setup->auth_id =
7935 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7936 	}
7937 
7938 	return 0;
7939 }
7940 
7941 static int nl80211_update_mesh_config(struct sk_buff *skb,
7942 				      struct genl_info *info)
7943 {
7944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7945 	struct net_device *dev = info->user_ptr[1];
7946 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7947 	struct mesh_config cfg;
7948 	u32 mask;
7949 	int err;
7950 
7951 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7952 		return -EOPNOTSUPP;
7953 
7954 	if (!rdev->ops->update_mesh_config)
7955 		return -EOPNOTSUPP;
7956 
7957 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7958 	if (err)
7959 		return err;
7960 
7961 	wdev_lock(wdev);
7962 	if (!wdev->mesh_id_len)
7963 		err = -ENOLINK;
7964 
7965 	if (!err)
7966 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7967 
7968 	wdev_unlock(wdev);
7969 
7970 	return err;
7971 }
7972 
7973 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7974 			      struct sk_buff *msg)
7975 {
7976 	struct nlattr *nl_reg_rules;
7977 	unsigned int i;
7978 
7979 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7980 	    (regdom->dfs_region &&
7981 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7982 		goto nla_put_failure;
7983 
7984 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7985 	if (!nl_reg_rules)
7986 		goto nla_put_failure;
7987 
7988 	for (i = 0; i < regdom->n_reg_rules; i++) {
7989 		struct nlattr *nl_reg_rule;
7990 		const struct ieee80211_reg_rule *reg_rule;
7991 		const struct ieee80211_freq_range *freq_range;
7992 		const struct ieee80211_power_rule *power_rule;
7993 		unsigned int max_bandwidth_khz;
7994 
7995 		reg_rule = &regdom->reg_rules[i];
7996 		freq_range = &reg_rule->freq_range;
7997 		power_rule = &reg_rule->power_rule;
7998 
7999 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8000 		if (!nl_reg_rule)
8001 			goto nla_put_failure;
8002 
8003 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8004 		if (!max_bandwidth_khz)
8005 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8006 								  reg_rule);
8007 
8008 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8009 				reg_rule->flags) ||
8010 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8011 				freq_range->start_freq_khz) ||
8012 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8013 				freq_range->end_freq_khz) ||
8014 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8015 				max_bandwidth_khz) ||
8016 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8017 				power_rule->max_antenna_gain) ||
8018 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8019 				power_rule->max_eirp) ||
8020 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8021 				reg_rule->dfs_cac_ms))
8022 			goto nla_put_failure;
8023 
8024 		nla_nest_end(msg, nl_reg_rule);
8025 	}
8026 
8027 	nla_nest_end(msg, nl_reg_rules);
8028 	return 0;
8029 
8030 nla_put_failure:
8031 	return -EMSGSIZE;
8032 }
8033 
8034 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8035 {
8036 	const struct ieee80211_regdomain *regdom = NULL;
8037 	struct cfg80211_registered_device *rdev;
8038 	struct wiphy *wiphy = NULL;
8039 	struct sk_buff *msg;
8040 	int err = -EMSGSIZE;
8041 	void *hdr;
8042 
8043 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8044 	if (!msg)
8045 		return -ENOBUFS;
8046 
8047 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8048 			     NL80211_CMD_GET_REG);
8049 	if (!hdr)
8050 		goto put_failure;
8051 
8052 	rtnl_lock();
8053 
8054 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8055 		bool self_managed;
8056 
8057 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8058 		if (IS_ERR(rdev)) {
8059 			err = PTR_ERR(rdev);
8060 			goto nla_put_failure;
8061 		}
8062 
8063 		wiphy = &rdev->wiphy;
8064 		self_managed = wiphy->regulatory_flags &
8065 			       REGULATORY_WIPHY_SELF_MANAGED;
8066 
8067 		rcu_read_lock();
8068 
8069 		regdom = get_wiphy_regdom(wiphy);
8070 
8071 		/* a self-managed-reg device must have a private regdom */
8072 		if (WARN_ON(!regdom && self_managed)) {
8073 			err = -EINVAL;
8074 			goto nla_put_failure_rcu;
8075 		}
8076 
8077 		if (regdom &&
8078 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8079 			goto nla_put_failure_rcu;
8080 	} else {
8081 		rcu_read_lock();
8082 	}
8083 
8084 	if (!wiphy && reg_last_request_cell_base() &&
8085 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8086 			NL80211_USER_REG_HINT_CELL_BASE))
8087 		goto nla_put_failure_rcu;
8088 
8089 	if (!regdom)
8090 		regdom = rcu_dereference(cfg80211_regdomain);
8091 
8092 	if (nl80211_put_regdom(regdom, msg))
8093 		goto nla_put_failure_rcu;
8094 
8095 	rcu_read_unlock();
8096 
8097 	genlmsg_end(msg, hdr);
8098 	rtnl_unlock();
8099 	return genlmsg_reply(msg, info);
8100 
8101 nla_put_failure_rcu:
8102 	rcu_read_unlock();
8103 nla_put_failure:
8104 	rtnl_unlock();
8105 put_failure:
8106 	nlmsg_free(msg);
8107 	return err;
8108 }
8109 
8110 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8111 			       u32 seq, int flags, struct wiphy *wiphy,
8112 			       const struct ieee80211_regdomain *regdom)
8113 {
8114 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8115 				   NL80211_CMD_GET_REG);
8116 
8117 	if (!hdr)
8118 		return -1;
8119 
8120 	genl_dump_check_consistent(cb, hdr);
8121 
8122 	if (nl80211_put_regdom(regdom, msg))
8123 		goto nla_put_failure;
8124 
8125 	if (!wiphy && reg_last_request_cell_base() &&
8126 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8127 			NL80211_USER_REG_HINT_CELL_BASE))
8128 		goto nla_put_failure;
8129 
8130 	if (wiphy &&
8131 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8132 		goto nla_put_failure;
8133 
8134 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8135 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8136 		goto nla_put_failure;
8137 
8138 	genlmsg_end(msg, hdr);
8139 	return 0;
8140 
8141 nla_put_failure:
8142 	genlmsg_cancel(msg, hdr);
8143 	return -EMSGSIZE;
8144 }
8145 
8146 static int nl80211_get_reg_dump(struct sk_buff *skb,
8147 				struct netlink_callback *cb)
8148 {
8149 	const struct ieee80211_regdomain *regdom = NULL;
8150 	struct cfg80211_registered_device *rdev;
8151 	int err, reg_idx, start = cb->args[2];
8152 
8153 	rcu_read_lock();
8154 
8155 	if (cfg80211_regdomain && start == 0) {
8156 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8157 					  NLM_F_MULTI, NULL,
8158 					  rcu_dereference(cfg80211_regdomain));
8159 		if (err < 0)
8160 			goto out_err;
8161 	}
8162 
8163 	/* the global regdom is idx 0 */
8164 	reg_idx = 1;
8165 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8166 		regdom = get_wiphy_regdom(&rdev->wiphy);
8167 		if (!regdom)
8168 			continue;
8169 
8170 		if (++reg_idx <= start)
8171 			continue;
8172 
8173 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8174 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8175 		if (err < 0) {
8176 			reg_idx--;
8177 			break;
8178 		}
8179 	}
8180 
8181 	cb->args[2] = reg_idx;
8182 	err = skb->len;
8183 out_err:
8184 	rcu_read_unlock();
8185 	return err;
8186 }
8187 
8188 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8189 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8190 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8191 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8192 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8193 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8194 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8195 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8196 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8197 };
8198 
8199 static int parse_reg_rule(struct nlattr *tb[],
8200 	struct ieee80211_reg_rule *reg_rule)
8201 {
8202 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8203 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8204 
8205 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8206 		return -EINVAL;
8207 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8208 		return -EINVAL;
8209 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8210 		return -EINVAL;
8211 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8212 		return -EINVAL;
8213 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8214 		return -EINVAL;
8215 
8216 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8217 
8218 	freq_range->start_freq_khz =
8219 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8220 	freq_range->end_freq_khz =
8221 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8222 	freq_range->max_bandwidth_khz =
8223 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8224 
8225 	power_rule->max_eirp =
8226 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8227 
8228 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8229 		power_rule->max_antenna_gain =
8230 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8231 
8232 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8233 		reg_rule->dfs_cac_ms =
8234 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8235 
8236 	return 0;
8237 }
8238 
8239 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8240 {
8241 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8242 	struct nlattr *nl_reg_rule;
8243 	char *alpha2;
8244 	int rem_reg_rules, r;
8245 	u32 num_rules = 0, rule_idx = 0;
8246 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8247 	struct ieee80211_regdomain *rd;
8248 
8249 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8250 		return -EINVAL;
8251 
8252 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8253 		return -EINVAL;
8254 
8255 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8256 
8257 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8258 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8259 
8260 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8261 			    rem_reg_rules) {
8262 		num_rules++;
8263 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8264 			return -EINVAL;
8265 	}
8266 
8267 	rtnl_lock();
8268 	if (!reg_is_valid_request(alpha2)) {
8269 		r = -EINVAL;
8270 		goto out;
8271 	}
8272 
8273 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8274 	if (!rd) {
8275 		r = -ENOMEM;
8276 		goto out;
8277 	}
8278 
8279 	rd->n_reg_rules = num_rules;
8280 	rd->alpha2[0] = alpha2[0];
8281 	rd->alpha2[1] = alpha2[1];
8282 
8283 	/*
8284 	 * Disable DFS master mode if the DFS region was
8285 	 * not supported or known on this kernel.
8286 	 */
8287 	if (reg_supported_dfs_region(dfs_region))
8288 		rd->dfs_region = dfs_region;
8289 
8290 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8291 			    rem_reg_rules) {
8292 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8293 						nl_reg_rule, reg_rule_policy,
8294 						info->extack);
8295 		if (r)
8296 			goto bad_reg;
8297 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8298 		if (r)
8299 			goto bad_reg;
8300 
8301 		rule_idx++;
8302 
8303 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8304 			r = -EINVAL;
8305 			goto bad_reg;
8306 		}
8307 	}
8308 
8309 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8310 	/* set_regdom takes ownership of rd */
8311 	rd = NULL;
8312  bad_reg:
8313 	kfree(rd);
8314  out:
8315 	rtnl_unlock();
8316 	return r;
8317 }
8318 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8319 
8320 static int validate_scan_freqs(struct nlattr *freqs)
8321 {
8322 	struct nlattr *attr1, *attr2;
8323 	int n_channels = 0, tmp1, tmp2;
8324 
8325 	nla_for_each_nested(attr1, freqs, tmp1)
8326 		if (nla_len(attr1) != sizeof(u32))
8327 			return 0;
8328 
8329 	nla_for_each_nested(attr1, freqs, tmp1) {
8330 		n_channels++;
8331 		/*
8332 		 * Some hardware has a limited channel list for
8333 		 * scanning, and it is pretty much nonsensical
8334 		 * to scan for a channel twice, so disallow that
8335 		 * and don't require drivers to check that the
8336 		 * channel list they get isn't longer than what
8337 		 * they can scan, as long as they can scan all
8338 		 * the channels they registered at once.
8339 		 */
8340 		nla_for_each_nested(attr2, freqs, tmp2)
8341 			if (attr1 != attr2 &&
8342 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8343 				return 0;
8344 	}
8345 
8346 	return n_channels;
8347 }
8348 
8349 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8350 {
8351 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8352 }
8353 
8354 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8355 			    struct cfg80211_bss_selection *bss_select)
8356 {
8357 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8358 	struct nlattr *nest;
8359 	int err;
8360 	bool found = false;
8361 	int i;
8362 
8363 	/* only process one nested attribute */
8364 	nest = nla_data(nla);
8365 	if (!nla_ok(nest, nla_len(nest)))
8366 		return -EINVAL;
8367 
8368 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8369 					  nest, nl80211_bss_select_policy,
8370 					  NULL);
8371 	if (err)
8372 		return err;
8373 
8374 	/* only one attribute may be given */
8375 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8376 		if (attr[i]) {
8377 			if (found)
8378 				return -EINVAL;
8379 			found = true;
8380 		}
8381 	}
8382 
8383 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8384 
8385 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8386 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8387 
8388 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8389 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8390 		bss_select->param.band_pref =
8391 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8392 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8393 			return -EINVAL;
8394 	}
8395 
8396 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8397 		struct nl80211_bss_select_rssi_adjust *adj_param;
8398 
8399 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8400 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8401 		bss_select->param.adjust.band = adj_param->band;
8402 		bss_select->param.adjust.delta = adj_param->delta;
8403 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8404 			return -EINVAL;
8405 	}
8406 
8407 	/* user-space did not provide behaviour attribute */
8408 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8409 		return -EINVAL;
8410 
8411 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8412 		return -EINVAL;
8413 
8414 	return 0;
8415 }
8416 
8417 int nl80211_parse_random_mac(struct nlattr **attrs,
8418 			     u8 *mac_addr, u8 *mac_addr_mask)
8419 {
8420 	int i;
8421 
8422 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8423 		eth_zero_addr(mac_addr);
8424 		eth_zero_addr(mac_addr_mask);
8425 		mac_addr[0] = 0x2;
8426 		mac_addr_mask[0] = 0x3;
8427 
8428 		return 0;
8429 	}
8430 
8431 	/* need both or none */
8432 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8433 		return -EINVAL;
8434 
8435 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8436 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8437 
8438 	/* don't allow or configure an mcast address */
8439 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8440 	    is_multicast_ether_addr(mac_addr))
8441 		return -EINVAL;
8442 
8443 	/*
8444 	 * allow users to pass a MAC address that has bits set outside
8445 	 * of the mask, but don't bother drivers with having to deal
8446 	 * with such bits
8447 	 */
8448 	for (i = 0; i < ETH_ALEN; i++)
8449 		mac_addr[i] &= mac_addr_mask[i];
8450 
8451 	return 0;
8452 }
8453 
8454 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8455 {
8456 	ASSERT_WDEV_LOCK(wdev);
8457 
8458 	if (!cfg80211_beaconing_iface_active(wdev))
8459 		return true;
8460 
8461 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8462 		return true;
8463 
8464 	return regulatory_pre_cac_allowed(wdev->wiphy);
8465 }
8466 
8467 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8468 				    enum nl80211_ext_feature_index feat)
8469 {
8470 	if (!(flags & flag))
8471 		return true;
8472 	if (wiphy_ext_feature_isset(wiphy, feat))
8473 		return true;
8474 	return false;
8475 }
8476 
8477 static int
8478 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8479 			 void *request, struct nlattr **attrs,
8480 			 bool is_sched_scan)
8481 {
8482 	u8 *mac_addr, *mac_addr_mask;
8483 	u32 *flags;
8484 	enum nl80211_feature_flags randomness_flag;
8485 
8486 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8487 		return 0;
8488 
8489 	if (is_sched_scan) {
8490 		struct cfg80211_sched_scan_request *req = request;
8491 
8492 		randomness_flag = wdev ?
8493 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8494 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8495 		flags = &req->flags;
8496 		mac_addr = req->mac_addr;
8497 		mac_addr_mask = req->mac_addr_mask;
8498 	} else {
8499 		struct cfg80211_scan_request *req = request;
8500 
8501 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8502 		flags = &req->flags;
8503 		mac_addr = req->mac_addr;
8504 		mac_addr_mask = req->mac_addr_mask;
8505 	}
8506 
8507 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8508 
8509 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8510 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8511 	    !nl80211_check_scan_feat(wiphy, *flags,
8512 				     NL80211_SCAN_FLAG_LOW_SPAN,
8513 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8514 	    !nl80211_check_scan_feat(wiphy, *flags,
8515 				     NL80211_SCAN_FLAG_LOW_POWER,
8516 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8517 	    !nl80211_check_scan_feat(wiphy, *flags,
8518 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8519 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8520 	    !nl80211_check_scan_feat(wiphy, *flags,
8521 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8522 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8523 	    !nl80211_check_scan_feat(wiphy, *flags,
8524 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8525 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8526 	    !nl80211_check_scan_feat(wiphy, *flags,
8527 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8528 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8529 	    !nl80211_check_scan_feat(wiphy, *flags,
8530 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8531 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8532 	    !nl80211_check_scan_feat(wiphy, *flags,
8533 				     NL80211_SCAN_FLAG_RANDOM_SN,
8534 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8535 	    !nl80211_check_scan_feat(wiphy, *flags,
8536 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8537 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8538 		return -EOPNOTSUPP;
8539 
8540 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8541 		int err;
8542 
8543 		if (!(wiphy->features & randomness_flag) ||
8544 		    (wdev && wdev->current_bss))
8545 			return -EOPNOTSUPP;
8546 
8547 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8548 		if (err)
8549 			return err;
8550 	}
8551 
8552 	return 0;
8553 }
8554 
8555 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8556 {
8557 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8558 	struct wireless_dev *wdev = info->user_ptr[1];
8559 	struct cfg80211_scan_request *request;
8560 	struct nlattr *scan_freqs = NULL;
8561 	bool scan_freqs_khz = false;
8562 	struct nlattr *attr;
8563 	struct wiphy *wiphy;
8564 	int err, tmp, n_ssids = 0, n_channels, i;
8565 	size_t ie_len;
8566 
8567 	wiphy = &rdev->wiphy;
8568 
8569 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8570 		return -EOPNOTSUPP;
8571 
8572 	if (!rdev->ops->scan)
8573 		return -EOPNOTSUPP;
8574 
8575 	if (rdev->scan_req || rdev->scan_msg)
8576 		return -EBUSY;
8577 
8578 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8579 		if (!wiphy_ext_feature_isset(wiphy,
8580 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8581 			return -EOPNOTSUPP;
8582 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8583 		scan_freqs_khz = true;
8584 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8585 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8586 
8587 	if (scan_freqs) {
8588 		n_channels = validate_scan_freqs(scan_freqs);
8589 		if (!n_channels)
8590 			return -EINVAL;
8591 	} else {
8592 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8593 	}
8594 
8595 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8596 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8597 			n_ssids++;
8598 
8599 	if (n_ssids > wiphy->max_scan_ssids)
8600 		return -EINVAL;
8601 
8602 	if (info->attrs[NL80211_ATTR_IE])
8603 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8604 	else
8605 		ie_len = 0;
8606 
8607 	if (ie_len > wiphy->max_scan_ie_len)
8608 		return -EINVAL;
8609 
8610 	request = kzalloc(sizeof(*request)
8611 			+ sizeof(*request->ssids) * n_ssids
8612 			+ sizeof(*request->channels) * n_channels
8613 			+ ie_len, GFP_KERNEL);
8614 	if (!request)
8615 		return -ENOMEM;
8616 
8617 	if (n_ssids)
8618 		request->ssids = (void *)&request->channels[n_channels];
8619 	request->n_ssids = n_ssids;
8620 	if (ie_len) {
8621 		if (n_ssids)
8622 			request->ie = (void *)(request->ssids + n_ssids);
8623 		else
8624 			request->ie = (void *)(request->channels + n_channels);
8625 	}
8626 
8627 	i = 0;
8628 	if (scan_freqs) {
8629 		/* user specified, bail out if channel not found */
8630 		nla_for_each_nested(attr, scan_freqs, tmp) {
8631 			struct ieee80211_channel *chan;
8632 			int freq = nla_get_u32(attr);
8633 
8634 			if (!scan_freqs_khz)
8635 				freq = MHZ_TO_KHZ(freq);
8636 
8637 			chan = ieee80211_get_channel_khz(wiphy, freq);
8638 			if (!chan) {
8639 				err = -EINVAL;
8640 				goto out_free;
8641 			}
8642 
8643 			/* ignore disabled channels */
8644 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8645 				continue;
8646 
8647 			request->channels[i] = chan;
8648 			i++;
8649 		}
8650 	} else {
8651 		enum nl80211_band band;
8652 
8653 		/* all channels */
8654 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8655 			int j;
8656 
8657 			if (!wiphy->bands[band])
8658 				continue;
8659 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8660 				struct ieee80211_channel *chan;
8661 
8662 				chan = &wiphy->bands[band]->channels[j];
8663 
8664 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8665 					continue;
8666 
8667 				request->channels[i] = chan;
8668 				i++;
8669 			}
8670 		}
8671 	}
8672 
8673 	if (!i) {
8674 		err = -EINVAL;
8675 		goto out_free;
8676 	}
8677 
8678 	request->n_channels = i;
8679 
8680 	wdev_lock(wdev);
8681 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8682 		struct ieee80211_channel *chan;
8683 
8684 		if (request->n_channels != 1) {
8685 			wdev_unlock(wdev);
8686 			err = -EBUSY;
8687 			goto out_free;
8688 		}
8689 
8690 		chan = request->channels[0];
8691 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8692 			wdev_unlock(wdev);
8693 			err = -EBUSY;
8694 			goto out_free;
8695 		}
8696 	}
8697 	wdev_unlock(wdev);
8698 
8699 	i = 0;
8700 	if (n_ssids) {
8701 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8702 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8703 				err = -EINVAL;
8704 				goto out_free;
8705 			}
8706 			request->ssids[i].ssid_len = nla_len(attr);
8707 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8708 			i++;
8709 		}
8710 	}
8711 
8712 	if (info->attrs[NL80211_ATTR_IE]) {
8713 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8714 		memcpy((void *)request->ie,
8715 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8716 		       request->ie_len);
8717 	}
8718 
8719 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8720 		if (wiphy->bands[i])
8721 			request->rates[i] =
8722 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8723 
8724 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8725 		nla_for_each_nested(attr,
8726 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8727 				    tmp) {
8728 			enum nl80211_band band = nla_type(attr);
8729 
8730 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8731 				err = -EINVAL;
8732 				goto out_free;
8733 			}
8734 
8735 			if (!wiphy->bands[band])
8736 				continue;
8737 
8738 			err = ieee80211_get_ratemask(wiphy->bands[band],
8739 						     nla_data(attr),
8740 						     nla_len(attr),
8741 						     &request->rates[band]);
8742 			if (err)
8743 				goto out_free;
8744 		}
8745 	}
8746 
8747 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8748 		request->duration =
8749 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8750 		request->duration_mandatory =
8751 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8752 	}
8753 
8754 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8755 				       false);
8756 	if (err)
8757 		goto out_free;
8758 
8759 	request->no_cck =
8760 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8761 
8762 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8763 	 * BSSID to scan for. This was problematic because that same attribute
8764 	 * was already used for another purpose (local random MAC address). The
8765 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8766 	 * compatibility with older userspace components, also use the
8767 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8768 	 * the specific BSSID use case instead of the random MAC address
8769 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8770 	 */
8771 	if (info->attrs[NL80211_ATTR_BSSID])
8772 		memcpy(request->bssid,
8773 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8774 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8775 		 info->attrs[NL80211_ATTR_MAC])
8776 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8777 		       ETH_ALEN);
8778 	else
8779 		eth_broadcast_addr(request->bssid);
8780 
8781 	request->wdev = wdev;
8782 	request->wiphy = &rdev->wiphy;
8783 	request->scan_start = jiffies;
8784 
8785 	rdev->scan_req = request;
8786 	err = cfg80211_scan(rdev);
8787 
8788 	if (err)
8789 		goto out_free;
8790 
8791 	nl80211_send_scan_start(rdev, wdev);
8792 	dev_hold(wdev->netdev);
8793 
8794 	return 0;
8795 
8796  out_free:
8797 	rdev->scan_req = NULL;
8798 	kfree(request);
8799 
8800 	return err;
8801 }
8802 
8803 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8804 {
8805 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8806 	struct wireless_dev *wdev = info->user_ptr[1];
8807 
8808 	if (!rdev->ops->abort_scan)
8809 		return -EOPNOTSUPP;
8810 
8811 	if (rdev->scan_msg)
8812 		return 0;
8813 
8814 	if (!rdev->scan_req)
8815 		return -ENOENT;
8816 
8817 	rdev_abort_scan(rdev, wdev);
8818 	return 0;
8819 }
8820 
8821 static int
8822 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8823 			       struct cfg80211_sched_scan_request *request,
8824 			       struct nlattr **attrs)
8825 {
8826 	int tmp, err, i = 0;
8827 	struct nlattr *attr;
8828 
8829 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8830 		u32 interval;
8831 
8832 		/*
8833 		 * If scan plans are not specified,
8834 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8835 		 * case one scan plan will be set with the specified scan
8836 		 * interval and infinite number of iterations.
8837 		 */
8838 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8839 		if (!interval)
8840 			return -EINVAL;
8841 
8842 		request->scan_plans[0].interval =
8843 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8844 		if (!request->scan_plans[0].interval)
8845 			return -EINVAL;
8846 
8847 		if (request->scan_plans[0].interval >
8848 		    wiphy->max_sched_scan_plan_interval)
8849 			request->scan_plans[0].interval =
8850 				wiphy->max_sched_scan_plan_interval;
8851 
8852 		return 0;
8853 	}
8854 
8855 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8856 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8857 
8858 		if (WARN_ON(i >= n_plans))
8859 			return -EINVAL;
8860 
8861 		err = nla_parse_nested_deprecated(plan,
8862 						  NL80211_SCHED_SCAN_PLAN_MAX,
8863 						  attr, nl80211_plan_policy,
8864 						  NULL);
8865 		if (err)
8866 			return err;
8867 
8868 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8869 			return -EINVAL;
8870 
8871 		request->scan_plans[i].interval =
8872 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8873 		if (!request->scan_plans[i].interval ||
8874 		    request->scan_plans[i].interval >
8875 		    wiphy->max_sched_scan_plan_interval)
8876 			return -EINVAL;
8877 
8878 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8879 			request->scan_plans[i].iterations =
8880 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8881 			if (!request->scan_plans[i].iterations ||
8882 			    (request->scan_plans[i].iterations >
8883 			     wiphy->max_sched_scan_plan_iterations))
8884 				return -EINVAL;
8885 		} else if (i < n_plans - 1) {
8886 			/*
8887 			 * All scan plans but the last one must specify
8888 			 * a finite number of iterations
8889 			 */
8890 			return -EINVAL;
8891 		}
8892 
8893 		i++;
8894 	}
8895 
8896 	/*
8897 	 * The last scan plan must not specify the number of
8898 	 * iterations, it is supposed to run infinitely
8899 	 */
8900 	if (request->scan_plans[n_plans - 1].iterations)
8901 		return  -EINVAL;
8902 
8903 	return 0;
8904 }
8905 
8906 static int
8907 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8908 				       struct cfg80211_match_set *match_sets,
8909 				       struct nlattr *tb_band_rssi,
8910 				       s32 rssi_thold)
8911 {
8912 	struct nlattr *attr;
8913 	int i, tmp, ret = 0;
8914 
8915 	if (!wiphy_ext_feature_isset(wiphy,
8916 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8917 		if (tb_band_rssi)
8918 			ret = -EOPNOTSUPP;
8919 		else
8920 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8921 				match_sets->per_band_rssi_thold[i] =
8922 					NL80211_SCAN_RSSI_THOLD_OFF;
8923 		return ret;
8924 	}
8925 
8926 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8927 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8928 
8929 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8930 		enum nl80211_band band = nla_type(attr);
8931 
8932 		if (band < 0 || band >= NUM_NL80211_BANDS)
8933 			return -EINVAL;
8934 
8935 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8936 	}
8937 
8938 	return 0;
8939 }
8940 
8941 static struct cfg80211_sched_scan_request *
8942 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8943 			 struct nlattr **attrs, int max_match_sets)
8944 {
8945 	struct cfg80211_sched_scan_request *request;
8946 	struct nlattr *attr;
8947 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8948 	enum nl80211_band band;
8949 	size_t ie_len;
8950 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8951 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8952 
8953 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8954 		n_channels = validate_scan_freqs(
8955 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8956 		if (!n_channels)
8957 			return ERR_PTR(-EINVAL);
8958 	} else {
8959 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8960 	}
8961 
8962 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8963 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8964 				    tmp)
8965 			n_ssids++;
8966 
8967 	if (n_ssids > wiphy->max_sched_scan_ssids)
8968 		return ERR_PTR(-EINVAL);
8969 
8970 	/*
8971 	 * First, count the number of 'real' matchsets. Due to an issue with
8972 	 * the old implementation, matchsets containing only the RSSI attribute
8973 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8974 	 * RSSI for all matchsets, rather than their own matchset for reporting
8975 	 * all APs with a strong RSSI. This is needed to be compatible with
8976 	 * older userspace that treated a matchset with only the RSSI as the
8977 	 * global RSSI for all other matchsets - if there are other matchsets.
8978 	 */
8979 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8980 		nla_for_each_nested(attr,
8981 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8982 				    tmp) {
8983 			struct nlattr *rssi;
8984 
8985 			err = nla_parse_nested_deprecated(tb,
8986 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8987 							  attr,
8988 							  nl80211_match_policy,
8989 							  NULL);
8990 			if (err)
8991 				return ERR_PTR(err);
8992 
8993 			/* SSID and BSSID are mutually exclusive */
8994 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8995 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8996 				return ERR_PTR(-EINVAL);
8997 
8998 			/* add other standalone attributes here */
8999 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9000 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9001 				n_match_sets++;
9002 				continue;
9003 			}
9004 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9005 			if (rssi)
9006 				default_match_rssi = nla_get_s32(rssi);
9007 		}
9008 	}
9009 
9010 	/* However, if there's no other matchset, add the RSSI one */
9011 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9012 		n_match_sets = 1;
9013 
9014 	if (n_match_sets > max_match_sets)
9015 		return ERR_PTR(-EINVAL);
9016 
9017 	if (attrs[NL80211_ATTR_IE])
9018 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9019 	else
9020 		ie_len = 0;
9021 
9022 	if (ie_len > wiphy->max_sched_scan_ie_len)
9023 		return ERR_PTR(-EINVAL);
9024 
9025 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9026 		/*
9027 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9028 		 * each scan plan already specifies its own interval
9029 		 */
9030 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9031 			return ERR_PTR(-EINVAL);
9032 
9033 		nla_for_each_nested(attr,
9034 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9035 			n_plans++;
9036 	} else {
9037 		/*
9038 		 * The scan interval attribute is kept for backward
9039 		 * compatibility. If no scan plans are specified and sched scan
9040 		 * interval is specified, one scan plan will be set with this
9041 		 * scan interval and infinite number of iterations.
9042 		 */
9043 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9044 			return ERR_PTR(-EINVAL);
9045 
9046 		n_plans = 1;
9047 	}
9048 
9049 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9050 		return ERR_PTR(-EINVAL);
9051 
9052 	if (!wiphy_ext_feature_isset(
9053 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9054 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9055 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9056 		return ERR_PTR(-EINVAL);
9057 
9058 	request = kzalloc(sizeof(*request)
9059 			+ sizeof(*request->ssids) * n_ssids
9060 			+ sizeof(*request->match_sets) * n_match_sets
9061 			+ sizeof(*request->scan_plans) * n_plans
9062 			+ sizeof(*request->channels) * n_channels
9063 			+ ie_len, GFP_KERNEL);
9064 	if (!request)
9065 		return ERR_PTR(-ENOMEM);
9066 
9067 	if (n_ssids)
9068 		request->ssids = (void *)&request->channels[n_channels];
9069 	request->n_ssids = n_ssids;
9070 	if (ie_len) {
9071 		if (n_ssids)
9072 			request->ie = (void *)(request->ssids + n_ssids);
9073 		else
9074 			request->ie = (void *)(request->channels + n_channels);
9075 	}
9076 
9077 	if (n_match_sets) {
9078 		if (request->ie)
9079 			request->match_sets = (void *)(request->ie + ie_len);
9080 		else if (n_ssids)
9081 			request->match_sets =
9082 				(void *)(request->ssids + n_ssids);
9083 		else
9084 			request->match_sets =
9085 				(void *)(request->channels + n_channels);
9086 	}
9087 	request->n_match_sets = n_match_sets;
9088 
9089 	if (n_match_sets)
9090 		request->scan_plans = (void *)(request->match_sets +
9091 					       n_match_sets);
9092 	else if (request->ie)
9093 		request->scan_plans = (void *)(request->ie + ie_len);
9094 	else if (n_ssids)
9095 		request->scan_plans = (void *)(request->ssids + n_ssids);
9096 	else
9097 		request->scan_plans = (void *)(request->channels + n_channels);
9098 
9099 	request->n_scan_plans = n_plans;
9100 
9101 	i = 0;
9102 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9103 		/* user specified, bail out if channel not found */
9104 		nla_for_each_nested(attr,
9105 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9106 				    tmp) {
9107 			struct ieee80211_channel *chan;
9108 
9109 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9110 
9111 			if (!chan) {
9112 				err = -EINVAL;
9113 				goto out_free;
9114 			}
9115 
9116 			/* ignore disabled channels */
9117 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9118 				continue;
9119 
9120 			request->channels[i] = chan;
9121 			i++;
9122 		}
9123 	} else {
9124 		/* all channels */
9125 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9126 			int j;
9127 
9128 			if (!wiphy->bands[band])
9129 				continue;
9130 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9131 				struct ieee80211_channel *chan;
9132 
9133 				chan = &wiphy->bands[band]->channels[j];
9134 
9135 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9136 					continue;
9137 
9138 				request->channels[i] = chan;
9139 				i++;
9140 			}
9141 		}
9142 	}
9143 
9144 	if (!i) {
9145 		err = -EINVAL;
9146 		goto out_free;
9147 	}
9148 
9149 	request->n_channels = i;
9150 
9151 	i = 0;
9152 	if (n_ssids) {
9153 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9154 				    tmp) {
9155 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9156 				err = -EINVAL;
9157 				goto out_free;
9158 			}
9159 			request->ssids[i].ssid_len = nla_len(attr);
9160 			memcpy(request->ssids[i].ssid, nla_data(attr),
9161 			       nla_len(attr));
9162 			i++;
9163 		}
9164 	}
9165 
9166 	i = 0;
9167 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9168 		nla_for_each_nested(attr,
9169 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9170 				    tmp) {
9171 			struct nlattr *ssid, *bssid, *rssi;
9172 
9173 			err = nla_parse_nested_deprecated(tb,
9174 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9175 							  attr,
9176 							  nl80211_match_policy,
9177 							  NULL);
9178 			if (err)
9179 				goto out_free;
9180 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9181 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9182 
9183 			if (!ssid && !bssid) {
9184 				i++;
9185 				continue;
9186 			}
9187 
9188 			if (WARN_ON(i >= n_match_sets)) {
9189 				/* this indicates a programming error,
9190 				 * the loop above should have verified
9191 				 * things properly
9192 				 */
9193 				err = -EINVAL;
9194 				goto out_free;
9195 			}
9196 
9197 			if (ssid) {
9198 				memcpy(request->match_sets[i].ssid.ssid,
9199 				       nla_data(ssid), nla_len(ssid));
9200 				request->match_sets[i].ssid.ssid_len =
9201 					nla_len(ssid);
9202 			}
9203 			if (bssid)
9204 				memcpy(request->match_sets[i].bssid,
9205 				       nla_data(bssid), ETH_ALEN);
9206 
9207 			/* special attribute - old implementation w/a */
9208 			request->match_sets[i].rssi_thold = default_match_rssi;
9209 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9210 			if (rssi)
9211 				request->match_sets[i].rssi_thold =
9212 					nla_get_s32(rssi);
9213 
9214 			/* Parse per band RSSI attribute */
9215 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9216 				&request->match_sets[i],
9217 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9218 				request->match_sets[i].rssi_thold);
9219 			if (err)
9220 				goto out_free;
9221 
9222 			i++;
9223 		}
9224 
9225 		/* there was no other matchset, so the RSSI one is alone */
9226 		if (i == 0 && n_match_sets)
9227 			request->match_sets[0].rssi_thold = default_match_rssi;
9228 
9229 		request->min_rssi_thold = INT_MAX;
9230 		for (i = 0; i < n_match_sets; i++)
9231 			request->min_rssi_thold =
9232 				min(request->match_sets[i].rssi_thold,
9233 				    request->min_rssi_thold);
9234 	} else {
9235 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9236 	}
9237 
9238 	if (ie_len) {
9239 		request->ie_len = ie_len;
9240 		memcpy((void *)request->ie,
9241 		       nla_data(attrs[NL80211_ATTR_IE]),
9242 		       request->ie_len);
9243 	}
9244 
9245 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9246 	if (err)
9247 		goto out_free;
9248 
9249 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9250 		request->delay =
9251 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9252 
9253 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9254 		request->relative_rssi = nla_get_s8(
9255 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9256 		request->relative_rssi_set = true;
9257 	}
9258 
9259 	if (request->relative_rssi_set &&
9260 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9261 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9262 
9263 		rssi_adjust = nla_data(
9264 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9265 		request->rssi_adjust.band = rssi_adjust->band;
9266 		request->rssi_adjust.delta = rssi_adjust->delta;
9267 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9268 			err = -EINVAL;
9269 			goto out_free;
9270 		}
9271 	}
9272 
9273 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9274 	if (err)
9275 		goto out_free;
9276 
9277 	request->scan_start = jiffies;
9278 
9279 	return request;
9280 
9281 out_free:
9282 	kfree(request);
9283 	return ERR_PTR(err);
9284 }
9285 
9286 static int nl80211_start_sched_scan(struct sk_buff *skb,
9287 				    struct genl_info *info)
9288 {
9289 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9290 	struct net_device *dev = info->user_ptr[1];
9291 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9292 	struct cfg80211_sched_scan_request *sched_scan_req;
9293 	bool want_multi;
9294 	int err;
9295 
9296 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9297 		return -EOPNOTSUPP;
9298 
9299 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9300 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9301 	if (err)
9302 		return err;
9303 
9304 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9305 						  info->attrs,
9306 						  rdev->wiphy.max_match_sets);
9307 
9308 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9309 	if (err)
9310 		goto out_err;
9311 
9312 	/* leave request id zero for legacy request
9313 	 * or if driver does not support multi-scheduled scan
9314 	 */
9315 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9316 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9317 
9318 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9319 	if (err)
9320 		goto out_free;
9321 
9322 	sched_scan_req->dev = dev;
9323 	sched_scan_req->wiphy = &rdev->wiphy;
9324 
9325 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9326 		sched_scan_req->owner_nlportid = info->snd_portid;
9327 
9328 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9329 
9330 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9331 	return 0;
9332 
9333 out_free:
9334 	kfree(sched_scan_req);
9335 out_err:
9336 	return err;
9337 }
9338 
9339 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9340 				   struct genl_info *info)
9341 {
9342 	struct cfg80211_sched_scan_request *req;
9343 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9344 	u64 cookie;
9345 
9346 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9347 		return -EOPNOTSUPP;
9348 
9349 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9350 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9351 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9352 	}
9353 
9354 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9355 				     struct cfg80211_sched_scan_request,
9356 				     list);
9357 	if (!req || req->reqid ||
9358 	    (req->owner_nlportid &&
9359 	     req->owner_nlportid != info->snd_portid))
9360 		return -ENOENT;
9361 
9362 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9363 }
9364 
9365 static int nl80211_start_radar_detection(struct sk_buff *skb,
9366 					 struct genl_info *info)
9367 {
9368 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9369 	struct net_device *dev = info->user_ptr[1];
9370 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9371 	struct wiphy *wiphy = wdev->wiphy;
9372 	struct cfg80211_chan_def chandef;
9373 	enum nl80211_dfs_regions dfs_region;
9374 	unsigned int cac_time_ms;
9375 	int err = -EINVAL;
9376 
9377 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9378 
9379 	wiphy_lock(wiphy);
9380 
9381 	dfs_region = reg_get_dfs_region(wiphy);
9382 	if (dfs_region == NL80211_DFS_UNSET)
9383 		goto unlock;
9384 
9385 	err = nl80211_parse_chandef(rdev, info, &chandef);
9386 	if (err)
9387 		goto unlock;
9388 
9389 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9390 	if (err < 0)
9391 		goto unlock;
9392 
9393 	if (err == 0) {
9394 		err = -EINVAL;
9395 		goto unlock;
9396 	}
9397 
9398 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9399 		err = -EINVAL;
9400 		goto unlock;
9401 	}
9402 
9403 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9404 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9405 								&chandef);
9406 		goto unlock;
9407 	}
9408 
9409 	if (netif_carrier_ok(dev)) {
9410 		err = -EBUSY;
9411 		goto unlock;
9412 	}
9413 
9414 	if (wdev->cac_started) {
9415 		err = -EBUSY;
9416 		goto unlock;
9417 	}
9418 
9419 	/* CAC start is offloaded to HW and can't be started manually */
9420 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9421 		err = -EOPNOTSUPP;
9422 		goto unlock;
9423 	}
9424 
9425 	if (!rdev->ops->start_radar_detection) {
9426 		err = -EOPNOTSUPP;
9427 		goto unlock;
9428 	}
9429 
9430 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9431 	if (WARN_ON(!cac_time_ms))
9432 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9433 
9434 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9435 	if (!err) {
9436 		wdev->chandef = chandef;
9437 		wdev->cac_started = true;
9438 		wdev->cac_start_time = jiffies;
9439 		wdev->cac_time_ms = cac_time_ms;
9440 	}
9441 unlock:
9442 	wiphy_unlock(wiphy);
9443 
9444 	return err;
9445 }
9446 
9447 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9448 					  struct genl_info *info)
9449 {
9450 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9451 	struct net_device *dev = info->user_ptr[1];
9452 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9453 	struct wiphy *wiphy = wdev->wiphy;
9454 	struct cfg80211_chan_def chandef;
9455 	enum nl80211_dfs_regions dfs_region;
9456 	int err;
9457 
9458 	dfs_region = reg_get_dfs_region(wiphy);
9459 	if (dfs_region == NL80211_DFS_UNSET) {
9460 		GENL_SET_ERR_MSG(info,
9461 				 "DFS Region is not set. Unexpected Radar indication");
9462 		return -EINVAL;
9463 	}
9464 
9465 	err = nl80211_parse_chandef(rdev, info, &chandef);
9466 	if (err) {
9467 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9468 		return err;
9469 	}
9470 
9471 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9472 	if (err < 0) {
9473 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9474 		return err;
9475 	}
9476 
9477 	if (err == 0) {
9478 		GENL_SET_ERR_MSG(info,
9479 				 "Unexpected Radar indication for chandef/iftype");
9480 		return -EINVAL;
9481 	}
9482 
9483 	/* Do not process this notification if radar is already detected
9484 	 * by kernel on this channel, and return success.
9485 	 */
9486 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9487 		return 0;
9488 
9489 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9490 
9491 	cfg80211_sched_dfs_chan_update(rdev);
9492 
9493 	rdev->radar_chandef = chandef;
9494 
9495 	/* Propagate this notification to other radios as well */
9496 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9497 
9498 	return 0;
9499 }
9500 
9501 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9502 {
9503 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9504 	struct net_device *dev = info->user_ptr[1];
9505 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9506 	struct cfg80211_csa_settings params;
9507 	struct nlattr **csa_attrs = NULL;
9508 	int err;
9509 	bool need_new_beacon = false;
9510 	bool need_handle_dfs_flag = true;
9511 	int len, i;
9512 	u32 cs_count;
9513 
9514 	if (!rdev->ops->channel_switch ||
9515 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9516 		return -EOPNOTSUPP;
9517 
9518 	switch (dev->ieee80211_ptr->iftype) {
9519 	case NL80211_IFTYPE_AP:
9520 	case NL80211_IFTYPE_P2P_GO:
9521 		need_new_beacon = true;
9522 		/* For all modes except AP the handle_dfs flag needs to be
9523 		 * supplied to tell the kernel that userspace will handle radar
9524 		 * events when they happen. Otherwise a switch to a channel
9525 		 * requiring DFS will be rejected.
9526 		 */
9527 		need_handle_dfs_flag = false;
9528 
9529 		/* useless if AP is not running */
9530 		if (!wdev->beacon_interval)
9531 			return -ENOTCONN;
9532 		break;
9533 	case NL80211_IFTYPE_ADHOC:
9534 		if (!wdev->ssid_len)
9535 			return -ENOTCONN;
9536 		break;
9537 	case NL80211_IFTYPE_MESH_POINT:
9538 		if (!wdev->mesh_id_len)
9539 			return -ENOTCONN;
9540 		break;
9541 	default:
9542 		return -EOPNOTSUPP;
9543 	}
9544 
9545 	memset(&params, 0, sizeof(params));
9546 	params.beacon_csa.ftm_responder = -1;
9547 
9548 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9549 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9550 		return -EINVAL;
9551 
9552 	/* only important for AP, IBSS and mesh create IEs internally */
9553 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9554 		return -EINVAL;
9555 
9556 	/* Even though the attribute is u32, the specification says
9557 	 * u8, so let's make sure we don't overflow.
9558 	 */
9559 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9560 	if (cs_count > 255)
9561 		return -EINVAL;
9562 
9563 	params.count = cs_count;
9564 
9565 	if (!need_new_beacon)
9566 		goto skip_beacons;
9567 
9568 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9569 	if (err)
9570 		goto free;
9571 
9572 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9573 			    GFP_KERNEL);
9574 	if (!csa_attrs) {
9575 		err = -ENOMEM;
9576 		goto free;
9577 	}
9578 
9579 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9580 					  info->attrs[NL80211_ATTR_CSA_IES],
9581 					  nl80211_policy, info->extack);
9582 	if (err)
9583 		goto free;
9584 
9585 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9586 	if (err)
9587 		goto free;
9588 
9589 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9590 		err = -EINVAL;
9591 		goto free;
9592 	}
9593 
9594 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9595 	if (!len || (len % sizeof(u16))) {
9596 		err = -EINVAL;
9597 		goto free;
9598 	}
9599 
9600 	params.n_counter_offsets_beacon = len / sizeof(u16);
9601 	if (rdev->wiphy.max_num_csa_counters &&
9602 	    (params.n_counter_offsets_beacon >
9603 	     rdev->wiphy.max_num_csa_counters)) {
9604 		err = -EINVAL;
9605 		goto free;
9606 	}
9607 
9608 	params.counter_offsets_beacon =
9609 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9610 
9611 	/* sanity checks - counters should fit and be the same */
9612 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9613 		u16 offset = params.counter_offsets_beacon[i];
9614 
9615 		if (offset >= params.beacon_csa.tail_len) {
9616 			err = -EINVAL;
9617 			goto free;
9618 		}
9619 
9620 		if (params.beacon_csa.tail[offset] != params.count) {
9621 			err = -EINVAL;
9622 			goto free;
9623 		}
9624 	}
9625 
9626 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9627 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9628 		if (!len || (len % sizeof(u16))) {
9629 			err = -EINVAL;
9630 			goto free;
9631 		}
9632 
9633 		params.n_counter_offsets_presp = len / sizeof(u16);
9634 		if (rdev->wiphy.max_num_csa_counters &&
9635 		    (params.n_counter_offsets_presp >
9636 		     rdev->wiphy.max_num_csa_counters)) {
9637 			err = -EINVAL;
9638 			goto free;
9639 		}
9640 
9641 		params.counter_offsets_presp =
9642 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9643 
9644 		/* sanity checks - counters should fit and be the same */
9645 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9646 			u16 offset = params.counter_offsets_presp[i];
9647 
9648 			if (offset >= params.beacon_csa.probe_resp_len) {
9649 				err = -EINVAL;
9650 				goto free;
9651 			}
9652 
9653 			if (params.beacon_csa.probe_resp[offset] !=
9654 			    params.count) {
9655 				err = -EINVAL;
9656 				goto free;
9657 			}
9658 		}
9659 	}
9660 
9661 skip_beacons:
9662 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9663 	if (err)
9664 		goto free;
9665 
9666 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9667 					   wdev->iftype)) {
9668 		err = -EINVAL;
9669 		goto free;
9670 	}
9671 
9672 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9673 					    &params.chandef,
9674 					    wdev->iftype);
9675 	if (err < 0)
9676 		goto free;
9677 
9678 	if (err > 0) {
9679 		params.radar_required = true;
9680 		if (need_handle_dfs_flag &&
9681 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9682 			err = -EINVAL;
9683 			goto free;
9684 		}
9685 	}
9686 
9687 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9688 		params.block_tx = true;
9689 
9690 	wdev_lock(wdev);
9691 	err = rdev_channel_switch(rdev, dev, &params);
9692 	wdev_unlock(wdev);
9693 
9694 free:
9695 	kfree(params.beacon_after.mbssid_ies);
9696 	kfree(params.beacon_csa.mbssid_ies);
9697 	kfree(csa_attrs);
9698 	return err;
9699 }
9700 
9701 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9702 			    u32 seq, int flags,
9703 			    struct cfg80211_registered_device *rdev,
9704 			    struct wireless_dev *wdev,
9705 			    struct cfg80211_internal_bss *intbss)
9706 {
9707 	struct cfg80211_bss *res = &intbss->pub;
9708 	const struct cfg80211_bss_ies *ies;
9709 	void *hdr;
9710 	struct nlattr *bss;
9711 
9712 	ASSERT_WDEV_LOCK(wdev);
9713 
9714 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9715 			     NL80211_CMD_NEW_SCAN_RESULTS);
9716 	if (!hdr)
9717 		return -1;
9718 
9719 	genl_dump_check_consistent(cb, hdr);
9720 
9721 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9722 		goto nla_put_failure;
9723 	if (wdev->netdev &&
9724 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9725 		goto nla_put_failure;
9726 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9727 			      NL80211_ATTR_PAD))
9728 		goto nla_put_failure;
9729 
9730 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9731 	if (!bss)
9732 		goto nla_put_failure;
9733 	if ((!is_zero_ether_addr(res->bssid) &&
9734 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9735 		goto nla_put_failure;
9736 
9737 	rcu_read_lock();
9738 	/* indicate whether we have probe response data or not */
9739 	if (rcu_access_pointer(res->proberesp_ies) &&
9740 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9741 		goto fail_unlock_rcu;
9742 
9743 	/* this pointer prefers to be pointed to probe response data
9744 	 * but is always valid
9745 	 */
9746 	ies = rcu_dereference(res->ies);
9747 	if (ies) {
9748 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9749 				      NL80211_BSS_PAD))
9750 			goto fail_unlock_rcu;
9751 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9752 					ies->len, ies->data))
9753 			goto fail_unlock_rcu;
9754 	}
9755 
9756 	/* and this pointer is always (unless driver didn't know) beacon data */
9757 	ies = rcu_dereference(res->beacon_ies);
9758 	if (ies && ies->from_beacon) {
9759 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9760 				      NL80211_BSS_PAD))
9761 			goto fail_unlock_rcu;
9762 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9763 					ies->len, ies->data))
9764 			goto fail_unlock_rcu;
9765 	}
9766 	rcu_read_unlock();
9767 
9768 	if (res->beacon_interval &&
9769 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9770 		goto nla_put_failure;
9771 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9772 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9773 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9774 			res->channel->freq_offset) ||
9775 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9776 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9777 			jiffies_to_msecs(jiffies - intbss->ts)))
9778 		goto nla_put_failure;
9779 
9780 	if (intbss->parent_tsf &&
9781 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9782 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9783 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9784 		     intbss->parent_bssid)))
9785 		goto nla_put_failure;
9786 
9787 	if (intbss->ts_boottime &&
9788 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9789 			      intbss->ts_boottime, NL80211_BSS_PAD))
9790 		goto nla_put_failure;
9791 
9792 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9793 				intbss->pub.chain_signal,
9794 				NL80211_BSS_CHAIN_SIGNAL))
9795 		goto nla_put_failure;
9796 
9797 	switch (rdev->wiphy.signal_type) {
9798 	case CFG80211_SIGNAL_TYPE_MBM:
9799 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9800 			goto nla_put_failure;
9801 		break;
9802 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9803 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9804 			goto nla_put_failure;
9805 		break;
9806 	default:
9807 		break;
9808 	}
9809 
9810 	switch (wdev->iftype) {
9811 	case NL80211_IFTYPE_P2P_CLIENT:
9812 	case NL80211_IFTYPE_STATION:
9813 		if (intbss == wdev->current_bss &&
9814 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9815 				NL80211_BSS_STATUS_ASSOCIATED))
9816 			goto nla_put_failure;
9817 		break;
9818 	case NL80211_IFTYPE_ADHOC:
9819 		if (intbss == wdev->current_bss &&
9820 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9821 				NL80211_BSS_STATUS_IBSS_JOINED))
9822 			goto nla_put_failure;
9823 		break;
9824 	default:
9825 		break;
9826 	}
9827 
9828 	nla_nest_end(msg, bss);
9829 
9830 	genlmsg_end(msg, hdr);
9831 	return 0;
9832 
9833  fail_unlock_rcu:
9834 	rcu_read_unlock();
9835  nla_put_failure:
9836 	genlmsg_cancel(msg, hdr);
9837 	return -EMSGSIZE;
9838 }
9839 
9840 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9841 {
9842 	struct cfg80211_registered_device *rdev;
9843 	struct cfg80211_internal_bss *scan;
9844 	struct wireless_dev *wdev;
9845 	int start = cb->args[2], idx = 0;
9846 	int err;
9847 
9848 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
9849 	if (err)
9850 		return err;
9851 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9852 	__acquire(&rdev->wiphy.mtx);
9853 
9854 	wdev_lock(wdev);
9855 	spin_lock_bh(&rdev->bss_lock);
9856 
9857 	/*
9858 	 * dump_scan will be called multiple times to break up the scan results
9859 	 * into multiple messages.  It is unlikely that any more bss-es will be
9860 	 * expired after the first call, so only call only call this on the
9861 	 * first dump_scan invocation.
9862 	 */
9863 	if (start == 0)
9864 		cfg80211_bss_expire(rdev);
9865 
9866 	cb->seq = rdev->bss_generation;
9867 
9868 	list_for_each_entry(scan, &rdev->bss_list, list) {
9869 		if (++idx <= start)
9870 			continue;
9871 		if (nl80211_send_bss(skb, cb,
9872 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9873 				rdev, wdev, scan) < 0) {
9874 			idx--;
9875 			break;
9876 		}
9877 	}
9878 
9879 	spin_unlock_bh(&rdev->bss_lock);
9880 	wdev_unlock(wdev);
9881 
9882 	cb->args[2] = idx;
9883 	wiphy_unlock(&rdev->wiphy);
9884 
9885 	return skb->len;
9886 }
9887 
9888 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9889 			       int flags, struct net_device *dev,
9890 			       bool allow_radio_stats,
9891 			       struct survey_info *survey)
9892 {
9893 	void *hdr;
9894 	struct nlattr *infoattr;
9895 
9896 	/* skip radio stats if userspace didn't request them */
9897 	if (!survey->channel && !allow_radio_stats)
9898 		return 0;
9899 
9900 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9901 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9902 	if (!hdr)
9903 		return -ENOMEM;
9904 
9905 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9906 		goto nla_put_failure;
9907 
9908 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9909 	if (!infoattr)
9910 		goto nla_put_failure;
9911 
9912 	if (survey->channel &&
9913 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9914 			survey->channel->center_freq))
9915 		goto nla_put_failure;
9916 
9917 	if (survey->channel && survey->channel->freq_offset &&
9918 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9919 			survey->channel->freq_offset))
9920 		goto nla_put_failure;
9921 
9922 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9923 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9924 		goto nla_put_failure;
9925 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9926 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9927 		goto nla_put_failure;
9928 	if ((survey->filled & SURVEY_INFO_TIME) &&
9929 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9930 			survey->time, NL80211_SURVEY_INFO_PAD))
9931 		goto nla_put_failure;
9932 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9933 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9934 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9935 		goto nla_put_failure;
9936 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9937 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9938 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9939 		goto nla_put_failure;
9940 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9941 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9942 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9943 		goto nla_put_failure;
9944 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9945 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9946 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9947 		goto nla_put_failure;
9948 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9949 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9950 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9951 		goto nla_put_failure;
9952 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9953 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9954 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9955 		goto nla_put_failure;
9956 
9957 	nla_nest_end(msg, infoattr);
9958 
9959 	genlmsg_end(msg, hdr);
9960 	return 0;
9961 
9962  nla_put_failure:
9963 	genlmsg_cancel(msg, hdr);
9964 	return -EMSGSIZE;
9965 }
9966 
9967 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9968 {
9969 	struct nlattr **attrbuf;
9970 	struct survey_info survey;
9971 	struct cfg80211_registered_device *rdev;
9972 	struct wireless_dev *wdev;
9973 	int survey_idx = cb->args[2];
9974 	int res;
9975 	bool radio_stats;
9976 
9977 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9978 	if (!attrbuf)
9979 		return -ENOMEM;
9980 
9981 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
9982 	if (res) {
9983 		kfree(attrbuf);
9984 		return res;
9985 	}
9986 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9987 	__acquire(&rdev->wiphy.mtx);
9988 
9989 	/* prepare_wdev_dump parsed the attributes */
9990 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9991 
9992 	if (!wdev->netdev) {
9993 		res = -EINVAL;
9994 		goto out_err;
9995 	}
9996 
9997 	if (!rdev->ops->dump_survey) {
9998 		res = -EOPNOTSUPP;
9999 		goto out_err;
10000 	}
10001 
10002 	while (1) {
10003 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10004 		if (res == -ENOENT)
10005 			break;
10006 		if (res)
10007 			goto out_err;
10008 
10009 		/* don't send disabled channels, but do send non-channel data */
10010 		if (survey.channel &&
10011 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10012 			survey_idx++;
10013 			continue;
10014 		}
10015 
10016 		if (nl80211_send_survey(skb,
10017 				NETLINK_CB(cb->skb).portid,
10018 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10019 				wdev->netdev, radio_stats, &survey) < 0)
10020 			goto out;
10021 		survey_idx++;
10022 	}
10023 
10024  out:
10025 	cb->args[2] = survey_idx;
10026 	res = skb->len;
10027  out_err:
10028 	kfree(attrbuf);
10029 	wiphy_unlock(&rdev->wiphy);
10030 	return res;
10031 }
10032 
10033 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10034 {
10035 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10036 				  NL80211_WPA_VERSION_2 |
10037 				  NL80211_WPA_VERSION_3));
10038 }
10039 
10040 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10041 {
10042 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10043 	struct net_device *dev = info->user_ptr[1];
10044 	struct ieee80211_channel *chan;
10045 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
10046 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
10047 	enum nl80211_auth_type auth_type;
10048 	struct key_parse key;
10049 	bool local_state_change;
10050 	u32 freq;
10051 
10052 	if (!info->attrs[NL80211_ATTR_MAC])
10053 		return -EINVAL;
10054 
10055 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10056 		return -EINVAL;
10057 
10058 	if (!info->attrs[NL80211_ATTR_SSID])
10059 		return -EINVAL;
10060 
10061 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10062 		return -EINVAL;
10063 
10064 	err = nl80211_parse_key(info, &key);
10065 	if (err)
10066 		return err;
10067 
10068 	if (key.idx >= 0) {
10069 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10070 			return -EINVAL;
10071 		if (!key.p.key || !key.p.key_len)
10072 			return -EINVAL;
10073 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10074 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10075 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10076 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10077 			return -EINVAL;
10078 		if (key.idx > 3)
10079 			return -EINVAL;
10080 	} else {
10081 		key.p.key_len = 0;
10082 		key.p.key = NULL;
10083 	}
10084 
10085 	if (key.idx >= 0) {
10086 		int i;
10087 		bool ok = false;
10088 
10089 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10090 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10091 				ok = true;
10092 				break;
10093 			}
10094 		}
10095 		if (!ok)
10096 			return -EINVAL;
10097 	}
10098 
10099 	if (!rdev->ops->auth)
10100 		return -EOPNOTSUPP;
10101 
10102 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10103 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10104 		return -EOPNOTSUPP;
10105 
10106 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10107 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10108 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10109 		freq +=
10110 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10111 
10112 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10113 	if (!chan)
10114 		return -EINVAL;
10115 
10116 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10117 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10118 
10119 	if (info->attrs[NL80211_ATTR_IE]) {
10120 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10121 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10122 	}
10123 
10124 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10125 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10126 		return -EINVAL;
10127 
10128 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10129 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10130 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10131 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10132 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10133 		return -EINVAL;
10134 
10135 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10136 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10137 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10138 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10139 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10140 			return -EINVAL;
10141 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10142 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10143 	}
10144 
10145 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10146 
10147 	/*
10148 	 * Since we no longer track auth state, ignore
10149 	 * requests to only change local state.
10150 	 */
10151 	if (local_state_change)
10152 		return 0;
10153 
10154 	wdev_lock(dev->ieee80211_ptr);
10155 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
10156 				 ssid, ssid_len, ie, ie_len,
10157 				 key.p.key, key.p.key_len, key.idx,
10158 				 auth_data, auth_data_len);
10159 	wdev_unlock(dev->ieee80211_ptr);
10160 	return err;
10161 }
10162 
10163 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10164 				     struct genl_info *info)
10165 {
10166 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10167 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10168 		return -EINVAL;
10169 	}
10170 
10171 	if (!rdev->ops->tx_control_port ||
10172 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10173 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10174 		return -EOPNOTSUPP;
10175 
10176 	return 0;
10177 }
10178 
10179 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10180 				   struct genl_info *info,
10181 				   struct cfg80211_crypto_settings *settings,
10182 				   int cipher_limit)
10183 {
10184 	memset(settings, 0, sizeof(*settings));
10185 
10186 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10187 
10188 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10189 		u16 proto;
10190 
10191 		proto = nla_get_u16(
10192 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10193 		settings->control_port_ethertype = cpu_to_be16(proto);
10194 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10195 		    proto != ETH_P_PAE)
10196 			return -EINVAL;
10197 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10198 			settings->control_port_no_encrypt = true;
10199 	} else
10200 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10201 
10202 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10203 		int r = validate_pae_over_nl80211(rdev, info);
10204 
10205 		if (r < 0)
10206 			return r;
10207 
10208 		settings->control_port_over_nl80211 = true;
10209 
10210 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10211 			settings->control_port_no_preauth = true;
10212 	}
10213 
10214 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10215 		void *data;
10216 		int len, i;
10217 
10218 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10219 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10220 		settings->n_ciphers_pairwise = len / sizeof(u32);
10221 
10222 		if (len % sizeof(u32))
10223 			return -EINVAL;
10224 
10225 		if (settings->n_ciphers_pairwise > cipher_limit)
10226 			return -EINVAL;
10227 
10228 		memcpy(settings->ciphers_pairwise, data, len);
10229 
10230 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10231 			if (!cfg80211_supported_cipher_suite(
10232 					&rdev->wiphy,
10233 					settings->ciphers_pairwise[i]))
10234 				return -EINVAL;
10235 	}
10236 
10237 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10238 		settings->cipher_group =
10239 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10240 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10241 						     settings->cipher_group))
10242 			return -EINVAL;
10243 	}
10244 
10245 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10246 		settings->wpa_versions =
10247 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10248 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10249 			return -EINVAL;
10250 	}
10251 
10252 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10253 		void *data;
10254 		int len;
10255 
10256 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10257 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10258 		settings->n_akm_suites = len / sizeof(u32);
10259 
10260 		if (len % sizeof(u32))
10261 			return -EINVAL;
10262 
10263 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
10264 			return -EINVAL;
10265 
10266 		memcpy(settings->akm_suites, data, len);
10267 	}
10268 
10269 	if (info->attrs[NL80211_ATTR_PMK]) {
10270 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10271 			return -EINVAL;
10272 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10273 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10274 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10275 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10276 			return -EINVAL;
10277 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10278 	}
10279 
10280 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10281 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10282 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10283 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10284 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10285 			return -EINVAL;
10286 		settings->sae_pwd =
10287 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10288 		settings->sae_pwd_len =
10289 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10290 	}
10291 
10292 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10293 		settings->sae_pwe =
10294 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10295 	else
10296 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10297 
10298 	return 0;
10299 }
10300 
10301 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10302 {
10303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10304 	struct net_device *dev = info->user_ptr[1];
10305 	struct ieee80211_channel *chan;
10306 	struct cfg80211_assoc_request req = {};
10307 	const u8 *bssid, *ssid;
10308 	int err, ssid_len = 0;
10309 	u32 freq;
10310 
10311 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10312 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10313 		return -EPERM;
10314 
10315 	if (!info->attrs[NL80211_ATTR_MAC] ||
10316 	    !info->attrs[NL80211_ATTR_SSID] ||
10317 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
10318 		return -EINVAL;
10319 
10320 	if (!rdev->ops->assoc)
10321 		return -EOPNOTSUPP;
10322 
10323 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10324 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10325 		return -EOPNOTSUPP;
10326 
10327 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10328 
10329 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10330 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10331 		freq +=
10332 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10333 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10334 	if (!chan)
10335 		return -EINVAL;
10336 
10337 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10338 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10339 
10340 	if (info->attrs[NL80211_ATTR_IE]) {
10341 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10342 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10343 	}
10344 
10345 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10346 		enum nl80211_mfp mfp =
10347 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10348 		if (mfp == NL80211_MFP_REQUIRED)
10349 			req.use_mfp = true;
10350 		else if (mfp != NL80211_MFP_NO)
10351 			return -EINVAL;
10352 	}
10353 
10354 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10355 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10356 
10357 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10358 		req.flags |= ASSOC_REQ_DISABLE_HT;
10359 
10360 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10361 		memcpy(&req.ht_capa_mask,
10362 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10363 		       sizeof(req.ht_capa_mask));
10364 
10365 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10366 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10367 			return -EINVAL;
10368 		memcpy(&req.ht_capa,
10369 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10370 		       sizeof(req.ht_capa));
10371 	}
10372 
10373 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10374 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10375 
10376 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10377 		req.flags |= ASSOC_REQ_DISABLE_HE;
10378 
10379 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10380 		memcpy(&req.vht_capa_mask,
10381 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10382 		       sizeof(req.vht_capa_mask));
10383 
10384 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10385 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10386 			return -EINVAL;
10387 		memcpy(&req.vht_capa,
10388 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10389 		       sizeof(req.vht_capa));
10390 	}
10391 
10392 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10393 		if (!((rdev->wiphy.features &
10394 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10395 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10396 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10397 					     NL80211_EXT_FEATURE_RRM))
10398 			return -EINVAL;
10399 		req.flags |= ASSOC_REQ_USE_RRM;
10400 	}
10401 
10402 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10403 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10404 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10405 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10406 			return -EINVAL;
10407 		req.fils_nonces =
10408 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10409 	}
10410 
10411 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10412 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10413 			return -EINVAL;
10414 		memcpy(&req.s1g_capa_mask,
10415 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10416 		       sizeof(req.s1g_capa_mask));
10417 	}
10418 
10419 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10420 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10421 			return -EINVAL;
10422 		memcpy(&req.s1g_capa,
10423 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10424 		       sizeof(req.s1g_capa));
10425 	}
10426 
10427 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10428 	if (!err) {
10429 		wdev_lock(dev->ieee80211_ptr);
10430 
10431 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10432 					  ssid, ssid_len, &req);
10433 
10434 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10435 			dev->ieee80211_ptr->conn_owner_nlportid =
10436 				info->snd_portid;
10437 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10438 			       bssid, ETH_ALEN);
10439 		}
10440 
10441 		wdev_unlock(dev->ieee80211_ptr);
10442 	}
10443 
10444 	return err;
10445 }
10446 
10447 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10448 {
10449 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10450 	struct net_device *dev = info->user_ptr[1];
10451 	const u8 *ie = NULL, *bssid;
10452 	int ie_len = 0, err;
10453 	u16 reason_code;
10454 	bool local_state_change;
10455 
10456 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10457 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10458 		return -EPERM;
10459 
10460 	if (!info->attrs[NL80211_ATTR_MAC])
10461 		return -EINVAL;
10462 
10463 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10464 		return -EINVAL;
10465 
10466 	if (!rdev->ops->deauth)
10467 		return -EOPNOTSUPP;
10468 
10469 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10470 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10471 		return -EOPNOTSUPP;
10472 
10473 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10474 
10475 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10476 	if (reason_code == 0) {
10477 		/* Reason Code 0 is reserved */
10478 		return -EINVAL;
10479 	}
10480 
10481 	if (info->attrs[NL80211_ATTR_IE]) {
10482 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10483 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10484 	}
10485 
10486 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10487 
10488 	wdev_lock(dev->ieee80211_ptr);
10489 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10490 				   local_state_change);
10491 	wdev_unlock(dev->ieee80211_ptr);
10492 	return err;
10493 }
10494 
10495 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10496 {
10497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10498 	struct net_device *dev = info->user_ptr[1];
10499 	const u8 *ie = NULL, *bssid;
10500 	int ie_len = 0, err;
10501 	u16 reason_code;
10502 	bool local_state_change;
10503 
10504 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10505 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10506 		return -EPERM;
10507 
10508 	if (!info->attrs[NL80211_ATTR_MAC])
10509 		return -EINVAL;
10510 
10511 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10512 		return -EINVAL;
10513 
10514 	if (!rdev->ops->disassoc)
10515 		return -EOPNOTSUPP;
10516 
10517 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10518 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10519 		return -EOPNOTSUPP;
10520 
10521 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10522 
10523 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10524 	if (reason_code == 0) {
10525 		/* Reason Code 0 is reserved */
10526 		return -EINVAL;
10527 	}
10528 
10529 	if (info->attrs[NL80211_ATTR_IE]) {
10530 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10531 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10532 	}
10533 
10534 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10535 
10536 	wdev_lock(dev->ieee80211_ptr);
10537 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10538 				     local_state_change);
10539 	wdev_unlock(dev->ieee80211_ptr);
10540 	return err;
10541 }
10542 
10543 static bool
10544 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10545 			 int mcast_rate[NUM_NL80211_BANDS],
10546 			 int rateval)
10547 {
10548 	struct wiphy *wiphy = &rdev->wiphy;
10549 	bool found = false;
10550 	int band, i;
10551 
10552 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10553 		struct ieee80211_supported_band *sband;
10554 
10555 		sband = wiphy->bands[band];
10556 		if (!sband)
10557 			continue;
10558 
10559 		for (i = 0; i < sband->n_bitrates; i++) {
10560 			if (sband->bitrates[i].bitrate == rateval) {
10561 				mcast_rate[band] = i + 1;
10562 				found = true;
10563 				break;
10564 			}
10565 		}
10566 	}
10567 
10568 	return found;
10569 }
10570 
10571 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10572 {
10573 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10574 	struct net_device *dev = info->user_ptr[1];
10575 	struct cfg80211_ibss_params ibss;
10576 	struct wiphy *wiphy;
10577 	struct cfg80211_cached_keys *connkeys = NULL;
10578 	int err;
10579 
10580 	memset(&ibss, 0, sizeof(ibss));
10581 
10582 	if (!info->attrs[NL80211_ATTR_SSID] ||
10583 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10584 		return -EINVAL;
10585 
10586 	ibss.beacon_interval = 100;
10587 
10588 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10589 		ibss.beacon_interval =
10590 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10591 
10592 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10593 					   ibss.beacon_interval);
10594 	if (err)
10595 		return err;
10596 
10597 	if (!rdev->ops->join_ibss)
10598 		return -EOPNOTSUPP;
10599 
10600 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10601 		return -EOPNOTSUPP;
10602 
10603 	wiphy = &rdev->wiphy;
10604 
10605 	if (info->attrs[NL80211_ATTR_MAC]) {
10606 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10607 
10608 		if (!is_valid_ether_addr(ibss.bssid))
10609 			return -EINVAL;
10610 	}
10611 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10612 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10613 
10614 	if (info->attrs[NL80211_ATTR_IE]) {
10615 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10616 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10617 	}
10618 
10619 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10620 	if (err)
10621 		return err;
10622 
10623 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10624 				     NL80211_IFTYPE_ADHOC))
10625 		return -EINVAL;
10626 
10627 	switch (ibss.chandef.width) {
10628 	case NL80211_CHAN_WIDTH_5:
10629 	case NL80211_CHAN_WIDTH_10:
10630 	case NL80211_CHAN_WIDTH_20_NOHT:
10631 		break;
10632 	case NL80211_CHAN_WIDTH_20:
10633 	case NL80211_CHAN_WIDTH_40:
10634 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10635 			return -EINVAL;
10636 		break;
10637 	case NL80211_CHAN_WIDTH_80:
10638 	case NL80211_CHAN_WIDTH_80P80:
10639 	case NL80211_CHAN_WIDTH_160:
10640 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10641 			return -EINVAL;
10642 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10643 					     NL80211_EXT_FEATURE_VHT_IBSS))
10644 			return -EINVAL;
10645 		break;
10646 	case NL80211_CHAN_WIDTH_320:
10647 		return -EINVAL;
10648 	default:
10649 		return -EINVAL;
10650 	}
10651 
10652 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10653 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10654 
10655 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10656 		u8 *rates =
10657 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10658 		int n_rates =
10659 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10660 		struct ieee80211_supported_band *sband =
10661 			wiphy->bands[ibss.chandef.chan->band];
10662 
10663 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10664 					     &ibss.basic_rates);
10665 		if (err)
10666 			return err;
10667 	}
10668 
10669 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10670 		memcpy(&ibss.ht_capa_mask,
10671 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10672 		       sizeof(ibss.ht_capa_mask));
10673 
10674 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10675 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10676 			return -EINVAL;
10677 		memcpy(&ibss.ht_capa,
10678 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10679 		       sizeof(ibss.ht_capa));
10680 	}
10681 
10682 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10683 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10684 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10685 		return -EINVAL;
10686 
10687 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10688 		bool no_ht = false;
10689 
10690 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10691 		if (IS_ERR(connkeys))
10692 			return PTR_ERR(connkeys);
10693 
10694 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10695 		    no_ht) {
10696 			kfree_sensitive(connkeys);
10697 			return -EINVAL;
10698 		}
10699 	}
10700 
10701 	ibss.control_port =
10702 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10703 
10704 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10705 		int r = validate_pae_over_nl80211(rdev, info);
10706 
10707 		if (r < 0) {
10708 			kfree_sensitive(connkeys);
10709 			return r;
10710 		}
10711 
10712 		ibss.control_port_over_nl80211 = true;
10713 	}
10714 
10715 	ibss.userspace_handles_dfs =
10716 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10717 
10718 	wdev_lock(dev->ieee80211_ptr);
10719 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10720 	if (err)
10721 		kfree_sensitive(connkeys);
10722 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10723 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10724 	wdev_unlock(dev->ieee80211_ptr);
10725 
10726 	return err;
10727 }
10728 
10729 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10730 {
10731 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10732 	struct net_device *dev = info->user_ptr[1];
10733 
10734 	if (!rdev->ops->leave_ibss)
10735 		return -EOPNOTSUPP;
10736 
10737 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10738 		return -EOPNOTSUPP;
10739 
10740 	return cfg80211_leave_ibss(rdev, dev, false);
10741 }
10742 
10743 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10744 {
10745 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10746 	struct net_device *dev = info->user_ptr[1];
10747 	int mcast_rate[NUM_NL80211_BANDS];
10748 	u32 nla_rate;
10749 	int err;
10750 
10751 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10752 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10753 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10754 		return -EOPNOTSUPP;
10755 
10756 	if (!rdev->ops->set_mcast_rate)
10757 		return -EOPNOTSUPP;
10758 
10759 	memset(mcast_rate, 0, sizeof(mcast_rate));
10760 
10761 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10762 		return -EINVAL;
10763 
10764 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10765 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10766 		return -EINVAL;
10767 
10768 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10769 
10770 	return err;
10771 }
10772 
10773 static struct sk_buff *
10774 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10775 			    struct wireless_dev *wdev, int approxlen,
10776 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10777 			    enum nl80211_attrs attr,
10778 			    const struct nl80211_vendor_cmd_info *info,
10779 			    gfp_t gfp)
10780 {
10781 	struct sk_buff *skb;
10782 	void *hdr;
10783 	struct nlattr *data;
10784 
10785 	skb = nlmsg_new(approxlen + 100, gfp);
10786 	if (!skb)
10787 		return NULL;
10788 
10789 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10790 	if (!hdr) {
10791 		kfree_skb(skb);
10792 		return NULL;
10793 	}
10794 
10795 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10796 		goto nla_put_failure;
10797 
10798 	if (info) {
10799 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10800 				info->vendor_id))
10801 			goto nla_put_failure;
10802 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10803 				info->subcmd))
10804 			goto nla_put_failure;
10805 	}
10806 
10807 	if (wdev) {
10808 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10809 				      wdev_id(wdev), NL80211_ATTR_PAD))
10810 			goto nla_put_failure;
10811 		if (wdev->netdev &&
10812 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10813 				wdev->netdev->ifindex))
10814 			goto nla_put_failure;
10815 	}
10816 
10817 	data = nla_nest_start_noflag(skb, attr);
10818 	if (!data)
10819 		goto nla_put_failure;
10820 
10821 	((void **)skb->cb)[0] = rdev;
10822 	((void **)skb->cb)[1] = hdr;
10823 	((void **)skb->cb)[2] = data;
10824 
10825 	return skb;
10826 
10827  nla_put_failure:
10828 	kfree_skb(skb);
10829 	return NULL;
10830 }
10831 
10832 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10833 					   struct wireless_dev *wdev,
10834 					   enum nl80211_commands cmd,
10835 					   enum nl80211_attrs attr,
10836 					   unsigned int portid,
10837 					   int vendor_event_idx,
10838 					   int approxlen, gfp_t gfp)
10839 {
10840 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10841 	const struct nl80211_vendor_cmd_info *info;
10842 
10843 	switch (cmd) {
10844 	case NL80211_CMD_TESTMODE:
10845 		if (WARN_ON(vendor_event_idx != -1))
10846 			return NULL;
10847 		info = NULL;
10848 		break;
10849 	case NL80211_CMD_VENDOR:
10850 		if (WARN_ON(vendor_event_idx < 0 ||
10851 			    vendor_event_idx >= wiphy->n_vendor_events))
10852 			return NULL;
10853 		info = &wiphy->vendor_events[vendor_event_idx];
10854 		break;
10855 	default:
10856 		WARN_ON(1);
10857 		return NULL;
10858 	}
10859 
10860 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10861 					   cmd, attr, info, gfp);
10862 }
10863 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10864 
10865 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10866 {
10867 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10868 	void *hdr = ((void **)skb->cb)[1];
10869 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10870 	struct nlattr *data = ((void **)skb->cb)[2];
10871 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10872 
10873 	/* clear CB data for netlink core to own from now on */
10874 	memset(skb->cb, 0, sizeof(skb->cb));
10875 
10876 	nla_nest_end(skb, data);
10877 	genlmsg_end(skb, hdr);
10878 
10879 	if (nlhdr->nlmsg_pid) {
10880 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10881 				nlhdr->nlmsg_pid);
10882 	} else {
10883 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10884 			mcgrp = NL80211_MCGRP_VENDOR;
10885 
10886 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10887 					skb, 0, mcgrp, gfp);
10888 	}
10889 }
10890 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10891 
10892 #ifdef CONFIG_NL80211_TESTMODE
10893 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10894 {
10895 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10896 	struct wireless_dev *wdev;
10897 	int err;
10898 
10899 	lockdep_assert_held(&rdev->wiphy.mtx);
10900 
10901 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10902 					  info->attrs);
10903 
10904 	if (!rdev->ops->testmode_cmd)
10905 		return -EOPNOTSUPP;
10906 
10907 	if (IS_ERR(wdev)) {
10908 		err = PTR_ERR(wdev);
10909 		if (err != -EINVAL)
10910 			return err;
10911 		wdev = NULL;
10912 	} else if (wdev->wiphy != &rdev->wiphy) {
10913 		return -EINVAL;
10914 	}
10915 
10916 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10917 		return -EINVAL;
10918 
10919 	rdev->cur_cmd_info = info;
10920 	err = rdev_testmode_cmd(rdev, wdev,
10921 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10922 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10923 	rdev->cur_cmd_info = NULL;
10924 
10925 	return err;
10926 }
10927 
10928 static int nl80211_testmode_dump(struct sk_buff *skb,
10929 				 struct netlink_callback *cb)
10930 {
10931 	struct cfg80211_registered_device *rdev;
10932 	struct nlattr **attrbuf = NULL;
10933 	int err;
10934 	long phy_idx;
10935 	void *data = NULL;
10936 	int data_len = 0;
10937 
10938 	rtnl_lock();
10939 
10940 	if (cb->args[0]) {
10941 		/*
10942 		 * 0 is a valid index, but not valid for args[0],
10943 		 * so we need to offset by 1.
10944 		 */
10945 		phy_idx = cb->args[0] - 1;
10946 
10947 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10948 		if (!rdev) {
10949 			err = -ENOENT;
10950 			goto out_err;
10951 		}
10952 	} else {
10953 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10954 				  GFP_KERNEL);
10955 		if (!attrbuf) {
10956 			err = -ENOMEM;
10957 			goto out_err;
10958 		}
10959 
10960 		err = nlmsg_parse_deprecated(cb->nlh,
10961 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10962 					     attrbuf, nl80211_fam.maxattr,
10963 					     nl80211_policy, NULL);
10964 		if (err)
10965 			goto out_err;
10966 
10967 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10968 		if (IS_ERR(rdev)) {
10969 			err = PTR_ERR(rdev);
10970 			goto out_err;
10971 		}
10972 		phy_idx = rdev->wiphy_idx;
10973 
10974 		if (attrbuf[NL80211_ATTR_TESTDATA])
10975 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10976 	}
10977 
10978 	if (cb->args[1]) {
10979 		data = nla_data((void *)cb->args[1]);
10980 		data_len = nla_len((void *)cb->args[1]);
10981 	}
10982 
10983 	if (!rdev->ops->testmode_dump) {
10984 		err = -EOPNOTSUPP;
10985 		goto out_err;
10986 	}
10987 
10988 	while (1) {
10989 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10990 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10991 					   NL80211_CMD_TESTMODE);
10992 		struct nlattr *tmdata;
10993 
10994 		if (!hdr)
10995 			break;
10996 
10997 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10998 			genlmsg_cancel(skb, hdr);
10999 			break;
11000 		}
11001 
11002 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11003 		if (!tmdata) {
11004 			genlmsg_cancel(skb, hdr);
11005 			break;
11006 		}
11007 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11008 		nla_nest_end(skb, tmdata);
11009 
11010 		if (err == -ENOBUFS || err == -ENOENT) {
11011 			genlmsg_cancel(skb, hdr);
11012 			break;
11013 		} else if (err) {
11014 			genlmsg_cancel(skb, hdr);
11015 			goto out_err;
11016 		}
11017 
11018 		genlmsg_end(skb, hdr);
11019 	}
11020 
11021 	err = skb->len;
11022 	/* see above */
11023 	cb->args[0] = phy_idx + 1;
11024  out_err:
11025 	kfree(attrbuf);
11026 	rtnl_unlock();
11027 	return err;
11028 }
11029 #endif
11030 
11031 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11032 {
11033 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11034 	struct net_device *dev = info->user_ptr[1];
11035 	struct cfg80211_connect_params connect;
11036 	struct wiphy *wiphy;
11037 	struct cfg80211_cached_keys *connkeys = NULL;
11038 	u32 freq = 0;
11039 	int err;
11040 
11041 	memset(&connect, 0, sizeof(connect));
11042 
11043 	if (!info->attrs[NL80211_ATTR_SSID] ||
11044 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11045 		return -EINVAL;
11046 
11047 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11048 		connect.auth_type =
11049 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11050 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11051 					     NL80211_CMD_CONNECT))
11052 			return -EINVAL;
11053 	} else
11054 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11055 
11056 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11057 
11058 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11059 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11060 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11061 		return -EINVAL;
11062 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11063 
11064 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11065 				      NL80211_MAX_NR_CIPHER_SUITES);
11066 	if (err)
11067 		return err;
11068 
11069 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11070 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11071 		return -EOPNOTSUPP;
11072 
11073 	wiphy = &rdev->wiphy;
11074 
11075 	connect.bg_scan_period = -1;
11076 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11077 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11078 		connect.bg_scan_period =
11079 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11080 	}
11081 
11082 	if (info->attrs[NL80211_ATTR_MAC])
11083 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11084 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11085 		connect.bssid_hint =
11086 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11087 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11088 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11089 
11090 	if (info->attrs[NL80211_ATTR_IE]) {
11091 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11092 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11093 	}
11094 
11095 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11096 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11097 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11098 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11099 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11100 			return -EOPNOTSUPP;
11101 	} else {
11102 		connect.mfp = NL80211_MFP_NO;
11103 	}
11104 
11105 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11106 		connect.prev_bssid =
11107 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11108 
11109 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11110 		freq = MHZ_TO_KHZ(nla_get_u32(
11111 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11112 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11113 		freq +=
11114 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11115 
11116 	if (freq) {
11117 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11118 		if (!connect.channel)
11119 			return -EINVAL;
11120 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11121 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11122 		freq = MHZ_TO_KHZ(freq);
11123 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11124 		if (!connect.channel_hint)
11125 			return -EINVAL;
11126 	}
11127 
11128 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11129 		connect.edmg.channels =
11130 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11131 
11132 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11133 			connect.edmg.bw_config =
11134 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11135 	}
11136 
11137 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11138 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11139 		if (IS_ERR(connkeys))
11140 			return PTR_ERR(connkeys);
11141 	}
11142 
11143 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11144 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11145 
11146 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11147 		memcpy(&connect.ht_capa_mask,
11148 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11149 		       sizeof(connect.ht_capa_mask));
11150 
11151 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11152 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11153 			kfree_sensitive(connkeys);
11154 			return -EINVAL;
11155 		}
11156 		memcpy(&connect.ht_capa,
11157 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11158 		       sizeof(connect.ht_capa));
11159 	}
11160 
11161 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11162 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11163 
11164 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11165 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11166 
11167 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11168 		memcpy(&connect.vht_capa_mask,
11169 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11170 		       sizeof(connect.vht_capa_mask));
11171 
11172 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11173 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11174 			kfree_sensitive(connkeys);
11175 			return -EINVAL;
11176 		}
11177 		memcpy(&connect.vht_capa,
11178 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11179 		       sizeof(connect.vht_capa));
11180 	}
11181 
11182 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11183 		if (!((rdev->wiphy.features &
11184 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11185 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11186 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11187 					     NL80211_EXT_FEATURE_RRM)) {
11188 			kfree_sensitive(connkeys);
11189 			return -EINVAL;
11190 		}
11191 		connect.flags |= ASSOC_REQ_USE_RRM;
11192 	}
11193 
11194 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11195 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11196 		kfree_sensitive(connkeys);
11197 		return -EOPNOTSUPP;
11198 	}
11199 
11200 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11201 		/* bss selection makes no sense if bssid is set */
11202 		if (connect.bssid) {
11203 			kfree_sensitive(connkeys);
11204 			return -EINVAL;
11205 		}
11206 
11207 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11208 				       wiphy, &connect.bss_select);
11209 		if (err) {
11210 			kfree_sensitive(connkeys);
11211 			return err;
11212 		}
11213 	}
11214 
11215 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11216 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11217 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11218 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11219 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11220 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11221 		connect.fils_erp_username =
11222 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11223 		connect.fils_erp_username_len =
11224 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11225 		connect.fils_erp_realm =
11226 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11227 		connect.fils_erp_realm_len =
11228 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11229 		connect.fils_erp_next_seq_num =
11230 			nla_get_u16(
11231 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11232 		connect.fils_erp_rrk =
11233 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11234 		connect.fils_erp_rrk_len =
11235 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11236 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11237 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11238 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11239 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11240 		kfree_sensitive(connkeys);
11241 		return -EINVAL;
11242 	}
11243 
11244 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11245 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11246 			kfree_sensitive(connkeys);
11247 			GENL_SET_ERR_MSG(info,
11248 					 "external auth requires connection ownership");
11249 			return -EINVAL;
11250 		}
11251 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11252 	}
11253 
11254 	wdev_lock(dev->ieee80211_ptr);
11255 
11256 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
11257 			       connect.prev_bssid);
11258 	if (err)
11259 		kfree_sensitive(connkeys);
11260 
11261 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11262 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11263 		if (connect.bssid)
11264 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11265 			       connect.bssid, ETH_ALEN);
11266 		else
11267 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
11268 	}
11269 
11270 	wdev_unlock(dev->ieee80211_ptr);
11271 
11272 	return err;
11273 }
11274 
11275 static int nl80211_update_connect_params(struct sk_buff *skb,
11276 					 struct genl_info *info)
11277 {
11278 	struct cfg80211_connect_params connect = {};
11279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11280 	struct net_device *dev = info->user_ptr[1];
11281 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11282 	bool fils_sk_offload;
11283 	u32 auth_type;
11284 	u32 changed = 0;
11285 	int ret;
11286 
11287 	if (!rdev->ops->update_connect_params)
11288 		return -EOPNOTSUPP;
11289 
11290 	if (info->attrs[NL80211_ATTR_IE]) {
11291 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11292 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11293 		changed |= UPDATE_ASSOC_IES;
11294 	}
11295 
11296 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
11297 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
11298 
11299 	/*
11300 	 * when driver supports fils-sk offload all attributes must be
11301 	 * provided. So the else covers "fils-sk-not-all" and
11302 	 * "no-fils-sk-any".
11303 	 */
11304 	if (fils_sk_offload &&
11305 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11306 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11307 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11308 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11309 		connect.fils_erp_username =
11310 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11311 		connect.fils_erp_username_len =
11312 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11313 		connect.fils_erp_realm =
11314 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11315 		connect.fils_erp_realm_len =
11316 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11317 		connect.fils_erp_next_seq_num =
11318 			nla_get_u16(
11319 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11320 		connect.fils_erp_rrk =
11321 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11322 		connect.fils_erp_rrk_len =
11323 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11324 		changed |= UPDATE_FILS_ERP_INFO;
11325 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11326 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11327 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11328 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11329 		return -EINVAL;
11330 	}
11331 
11332 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11333 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11334 		if (!nl80211_valid_auth_type(rdev, auth_type,
11335 					     NL80211_CMD_CONNECT))
11336 			return -EINVAL;
11337 
11338 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
11339 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
11340 			return -EINVAL;
11341 
11342 		connect.auth_type = auth_type;
11343 		changed |= UPDATE_AUTH_TYPE;
11344 	}
11345 
11346 	wdev_lock(dev->ieee80211_ptr);
11347 	if (!wdev->current_bss)
11348 		ret = -ENOLINK;
11349 	else
11350 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
11351 	wdev_unlock(dev->ieee80211_ptr);
11352 
11353 	return ret;
11354 }
11355 
11356 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11357 {
11358 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11359 	struct net_device *dev = info->user_ptr[1];
11360 	u16 reason;
11361 	int ret;
11362 
11363 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11364 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11365 		return -EPERM;
11366 
11367 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11368 		reason = WLAN_REASON_DEAUTH_LEAVING;
11369 	else
11370 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11371 
11372 	if (reason == 0)
11373 		return -EINVAL;
11374 
11375 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11376 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11377 		return -EOPNOTSUPP;
11378 
11379 	wdev_lock(dev->ieee80211_ptr);
11380 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11381 	wdev_unlock(dev->ieee80211_ptr);
11382 	return ret;
11383 }
11384 
11385 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11386 {
11387 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11388 	struct net *net;
11389 	int err;
11390 
11391 	if (info->attrs[NL80211_ATTR_PID]) {
11392 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11393 
11394 		net = get_net_ns_by_pid(pid);
11395 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11396 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11397 
11398 		net = get_net_ns_by_fd(fd);
11399 	} else {
11400 		return -EINVAL;
11401 	}
11402 
11403 	if (IS_ERR(net))
11404 		return PTR_ERR(net);
11405 
11406 	err = 0;
11407 
11408 	/* check if anything to do */
11409 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11410 		err = cfg80211_switch_netns(rdev, net);
11411 
11412 	put_net(net);
11413 	return err;
11414 }
11415 
11416 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11417 {
11418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11419 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11420 			struct cfg80211_pmksa *pmksa) = NULL;
11421 	struct net_device *dev = info->user_ptr[1];
11422 	struct cfg80211_pmksa pmksa;
11423 
11424 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11425 
11426 	if (!info->attrs[NL80211_ATTR_PMKID])
11427 		return -EINVAL;
11428 
11429 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11430 
11431 	if (info->attrs[NL80211_ATTR_MAC]) {
11432 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11433 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11434 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11435 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11436 		    info->attrs[NL80211_ATTR_PMK])) {
11437 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11438 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11439 		pmksa.cache_id =
11440 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11441 	} else {
11442 		return -EINVAL;
11443 	}
11444 	if (info->attrs[NL80211_ATTR_PMK]) {
11445 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11446 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11447 	}
11448 
11449 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11450 		pmksa.pmk_lifetime =
11451 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11452 
11453 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11454 		pmksa.pmk_reauth_threshold =
11455 			nla_get_u8(
11456 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11457 
11458 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11459 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11460 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11461 	      wiphy_ext_feature_isset(&rdev->wiphy,
11462 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11463 		return -EOPNOTSUPP;
11464 
11465 	switch (info->genlhdr->cmd) {
11466 	case NL80211_CMD_SET_PMKSA:
11467 		rdev_ops = rdev->ops->set_pmksa;
11468 		break;
11469 	case NL80211_CMD_DEL_PMKSA:
11470 		rdev_ops = rdev->ops->del_pmksa;
11471 		break;
11472 	default:
11473 		WARN_ON(1);
11474 		break;
11475 	}
11476 
11477 	if (!rdev_ops)
11478 		return -EOPNOTSUPP;
11479 
11480 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11481 }
11482 
11483 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11484 {
11485 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11486 	struct net_device *dev = info->user_ptr[1];
11487 
11488 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11489 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11490 		return -EOPNOTSUPP;
11491 
11492 	if (!rdev->ops->flush_pmksa)
11493 		return -EOPNOTSUPP;
11494 
11495 	return rdev_flush_pmksa(rdev, dev);
11496 }
11497 
11498 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11499 {
11500 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11501 	struct net_device *dev = info->user_ptr[1];
11502 	u8 action_code, dialog_token;
11503 	u32 peer_capability = 0;
11504 	u16 status_code;
11505 	u8 *peer;
11506 	bool initiator;
11507 
11508 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11509 	    !rdev->ops->tdls_mgmt)
11510 		return -EOPNOTSUPP;
11511 
11512 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11513 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11514 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11515 	    !info->attrs[NL80211_ATTR_IE] ||
11516 	    !info->attrs[NL80211_ATTR_MAC])
11517 		return -EINVAL;
11518 
11519 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11520 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11521 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11522 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11523 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11524 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11525 		peer_capability =
11526 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11527 
11528 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11529 			      dialog_token, status_code, peer_capability,
11530 			      initiator,
11531 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11532 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11533 }
11534 
11535 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11536 {
11537 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11538 	struct net_device *dev = info->user_ptr[1];
11539 	enum nl80211_tdls_operation operation;
11540 	u8 *peer;
11541 
11542 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11543 	    !rdev->ops->tdls_oper)
11544 		return -EOPNOTSUPP;
11545 
11546 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11547 	    !info->attrs[NL80211_ATTR_MAC])
11548 		return -EINVAL;
11549 
11550 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11551 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11552 
11553 	return rdev_tdls_oper(rdev, dev, peer, operation);
11554 }
11555 
11556 static int nl80211_remain_on_channel(struct sk_buff *skb,
11557 				     struct genl_info *info)
11558 {
11559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11560 	struct wireless_dev *wdev = info->user_ptr[1];
11561 	struct cfg80211_chan_def chandef;
11562 	const struct cfg80211_chan_def *compat_chandef;
11563 	struct sk_buff *msg;
11564 	void *hdr;
11565 	u64 cookie;
11566 	u32 duration;
11567 	int err;
11568 
11569 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11570 	    !info->attrs[NL80211_ATTR_DURATION])
11571 		return -EINVAL;
11572 
11573 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11574 
11575 	if (!rdev->ops->remain_on_channel ||
11576 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11577 		return -EOPNOTSUPP;
11578 
11579 	/*
11580 	 * We should be on that channel for at least a minimum amount of
11581 	 * time (10ms) but no longer than the driver supports.
11582 	 */
11583 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11584 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11585 		return -EINVAL;
11586 
11587 	err = nl80211_parse_chandef(rdev, info, &chandef);
11588 	if (err)
11589 		return err;
11590 
11591 	wdev_lock(wdev);
11592 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11593 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11594 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11595 							     &chandef);
11596 		if (compat_chandef != &chandef) {
11597 			wdev_unlock(wdev);
11598 			return -EBUSY;
11599 		}
11600 	}
11601 	wdev_unlock(wdev);
11602 
11603 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11604 	if (!msg)
11605 		return -ENOMEM;
11606 
11607 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11608 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11609 	if (!hdr) {
11610 		err = -ENOBUFS;
11611 		goto free_msg;
11612 	}
11613 
11614 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11615 				     duration, &cookie);
11616 
11617 	if (err)
11618 		goto free_msg;
11619 
11620 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11621 			      NL80211_ATTR_PAD))
11622 		goto nla_put_failure;
11623 
11624 	genlmsg_end(msg, hdr);
11625 
11626 	return genlmsg_reply(msg, info);
11627 
11628  nla_put_failure:
11629 	err = -ENOBUFS;
11630  free_msg:
11631 	nlmsg_free(msg);
11632 	return err;
11633 }
11634 
11635 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11636 					    struct genl_info *info)
11637 {
11638 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11639 	struct wireless_dev *wdev = info->user_ptr[1];
11640 	u64 cookie;
11641 
11642 	if (!info->attrs[NL80211_ATTR_COOKIE])
11643 		return -EINVAL;
11644 
11645 	if (!rdev->ops->cancel_remain_on_channel)
11646 		return -EOPNOTSUPP;
11647 
11648 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11649 
11650 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11651 }
11652 
11653 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11654 				       struct genl_info *info)
11655 {
11656 	struct cfg80211_bitrate_mask mask;
11657 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11658 	struct net_device *dev = info->user_ptr[1];
11659 	int err;
11660 
11661 	if (!rdev->ops->set_bitrate_mask)
11662 		return -EOPNOTSUPP;
11663 
11664 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11665 					    NL80211_ATTR_TX_RATES, &mask,
11666 					    dev, true);
11667 	if (err)
11668 		return err;
11669 
11670 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11671 }
11672 
11673 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11674 {
11675 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11676 	struct wireless_dev *wdev = info->user_ptr[1];
11677 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11678 
11679 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11680 		return -EINVAL;
11681 
11682 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11683 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11684 
11685 	switch (wdev->iftype) {
11686 	case NL80211_IFTYPE_STATION:
11687 	case NL80211_IFTYPE_ADHOC:
11688 	case NL80211_IFTYPE_P2P_CLIENT:
11689 	case NL80211_IFTYPE_AP:
11690 	case NL80211_IFTYPE_AP_VLAN:
11691 	case NL80211_IFTYPE_MESH_POINT:
11692 	case NL80211_IFTYPE_P2P_GO:
11693 	case NL80211_IFTYPE_P2P_DEVICE:
11694 		break;
11695 	case NL80211_IFTYPE_NAN:
11696 	default:
11697 		return -EOPNOTSUPP;
11698 	}
11699 
11700 	/* not much point in registering if we can't reply */
11701 	if (!rdev->ops->mgmt_tx)
11702 		return -EOPNOTSUPP;
11703 
11704 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11705 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11706 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11707 		GENL_SET_ERR_MSG(info,
11708 				 "multicast RX registrations are not supported");
11709 		return -EOPNOTSUPP;
11710 	}
11711 
11712 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11713 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11714 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11715 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11716 					   info->extack);
11717 }
11718 
11719 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11720 {
11721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11722 	struct wireless_dev *wdev = info->user_ptr[1];
11723 	struct cfg80211_chan_def chandef;
11724 	int err;
11725 	void *hdr = NULL;
11726 	u64 cookie;
11727 	struct sk_buff *msg = NULL;
11728 	struct cfg80211_mgmt_tx_params params = {
11729 		.dont_wait_for_ack =
11730 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11731 	};
11732 
11733 	if (!info->attrs[NL80211_ATTR_FRAME])
11734 		return -EINVAL;
11735 
11736 	if (!rdev->ops->mgmt_tx)
11737 		return -EOPNOTSUPP;
11738 
11739 	switch (wdev->iftype) {
11740 	case NL80211_IFTYPE_P2P_DEVICE:
11741 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11742 			return -EINVAL;
11743 		break;
11744 	case NL80211_IFTYPE_STATION:
11745 	case NL80211_IFTYPE_ADHOC:
11746 	case NL80211_IFTYPE_P2P_CLIENT:
11747 	case NL80211_IFTYPE_AP:
11748 	case NL80211_IFTYPE_AP_VLAN:
11749 	case NL80211_IFTYPE_MESH_POINT:
11750 	case NL80211_IFTYPE_P2P_GO:
11751 		break;
11752 	case NL80211_IFTYPE_NAN:
11753 	default:
11754 		return -EOPNOTSUPP;
11755 	}
11756 
11757 	if (info->attrs[NL80211_ATTR_DURATION]) {
11758 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11759 			return -EINVAL;
11760 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11761 
11762 		/*
11763 		 * We should wait on the channel for at least a minimum amount
11764 		 * of time (10ms) but no longer than the driver supports.
11765 		 */
11766 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11767 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11768 			return -EINVAL;
11769 	}
11770 
11771 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11772 
11773 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11774 		return -EINVAL;
11775 
11776 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11777 
11778 	/* get the channel if any has been specified, otherwise pass NULL to
11779 	 * the driver. The latter will use the current one
11780 	 */
11781 	chandef.chan = NULL;
11782 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11783 		err = nl80211_parse_chandef(rdev, info, &chandef);
11784 		if (err)
11785 			return err;
11786 	}
11787 
11788 	if (!chandef.chan && params.offchan)
11789 		return -EINVAL;
11790 
11791 	wdev_lock(wdev);
11792 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11793 		wdev_unlock(wdev);
11794 		return -EBUSY;
11795 	}
11796 	wdev_unlock(wdev);
11797 
11798 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11799 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11800 
11801 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11802 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11803 		int i;
11804 
11805 		if (len % sizeof(u16))
11806 			return -EINVAL;
11807 
11808 		params.n_csa_offsets = len / sizeof(u16);
11809 		params.csa_offsets =
11810 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11811 
11812 		/* check that all the offsets fit the frame */
11813 		for (i = 0; i < params.n_csa_offsets; i++) {
11814 			if (params.csa_offsets[i] >= params.len)
11815 				return -EINVAL;
11816 		}
11817 	}
11818 
11819 	if (!params.dont_wait_for_ack) {
11820 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11821 		if (!msg)
11822 			return -ENOMEM;
11823 
11824 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11825 				     NL80211_CMD_FRAME);
11826 		if (!hdr) {
11827 			err = -ENOBUFS;
11828 			goto free_msg;
11829 		}
11830 	}
11831 
11832 	params.chan = chandef.chan;
11833 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11834 	if (err)
11835 		goto free_msg;
11836 
11837 	if (msg) {
11838 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11839 				      NL80211_ATTR_PAD))
11840 			goto nla_put_failure;
11841 
11842 		genlmsg_end(msg, hdr);
11843 		return genlmsg_reply(msg, info);
11844 	}
11845 
11846 	return 0;
11847 
11848  nla_put_failure:
11849 	err = -ENOBUFS;
11850  free_msg:
11851 	nlmsg_free(msg);
11852 	return err;
11853 }
11854 
11855 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11856 {
11857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11858 	struct wireless_dev *wdev = info->user_ptr[1];
11859 	u64 cookie;
11860 
11861 	if (!info->attrs[NL80211_ATTR_COOKIE])
11862 		return -EINVAL;
11863 
11864 	if (!rdev->ops->mgmt_tx_cancel_wait)
11865 		return -EOPNOTSUPP;
11866 
11867 	switch (wdev->iftype) {
11868 	case NL80211_IFTYPE_STATION:
11869 	case NL80211_IFTYPE_ADHOC:
11870 	case NL80211_IFTYPE_P2P_CLIENT:
11871 	case NL80211_IFTYPE_AP:
11872 	case NL80211_IFTYPE_AP_VLAN:
11873 	case NL80211_IFTYPE_P2P_GO:
11874 	case NL80211_IFTYPE_P2P_DEVICE:
11875 		break;
11876 	case NL80211_IFTYPE_NAN:
11877 	default:
11878 		return -EOPNOTSUPP;
11879 	}
11880 
11881 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11882 
11883 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11884 }
11885 
11886 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11887 {
11888 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11889 	struct wireless_dev *wdev;
11890 	struct net_device *dev = info->user_ptr[1];
11891 	u8 ps_state;
11892 	bool state;
11893 	int err;
11894 
11895 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11896 		return -EINVAL;
11897 
11898 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11899 
11900 	wdev = dev->ieee80211_ptr;
11901 
11902 	if (!rdev->ops->set_power_mgmt)
11903 		return -EOPNOTSUPP;
11904 
11905 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11906 
11907 	if (state == wdev->ps)
11908 		return 0;
11909 
11910 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11911 	if (!err)
11912 		wdev->ps = state;
11913 	return err;
11914 }
11915 
11916 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11917 {
11918 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11919 	enum nl80211_ps_state ps_state;
11920 	struct wireless_dev *wdev;
11921 	struct net_device *dev = info->user_ptr[1];
11922 	struct sk_buff *msg;
11923 	void *hdr;
11924 	int err;
11925 
11926 	wdev = dev->ieee80211_ptr;
11927 
11928 	if (!rdev->ops->set_power_mgmt)
11929 		return -EOPNOTSUPP;
11930 
11931 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11932 	if (!msg)
11933 		return -ENOMEM;
11934 
11935 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11936 			     NL80211_CMD_GET_POWER_SAVE);
11937 	if (!hdr) {
11938 		err = -ENOBUFS;
11939 		goto free_msg;
11940 	}
11941 
11942 	if (wdev->ps)
11943 		ps_state = NL80211_PS_ENABLED;
11944 	else
11945 		ps_state = NL80211_PS_DISABLED;
11946 
11947 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11948 		goto nla_put_failure;
11949 
11950 	genlmsg_end(msg, hdr);
11951 	return genlmsg_reply(msg, info);
11952 
11953  nla_put_failure:
11954 	err = -ENOBUFS;
11955  free_msg:
11956 	nlmsg_free(msg);
11957 	return err;
11958 }
11959 
11960 static const struct nla_policy
11961 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11962 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11963 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11964 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11965 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11966 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11967 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11968 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11969 };
11970 
11971 static int nl80211_set_cqm_txe(struct genl_info *info,
11972 			       u32 rate, u32 pkts, u32 intvl)
11973 {
11974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11975 	struct net_device *dev = info->user_ptr[1];
11976 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11977 
11978 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11979 		return -EINVAL;
11980 
11981 	if (!rdev->ops->set_cqm_txe_config)
11982 		return -EOPNOTSUPP;
11983 
11984 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11985 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11986 		return -EOPNOTSUPP;
11987 
11988 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11989 }
11990 
11991 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11992 				    struct net_device *dev)
11993 {
11994 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11995 	s32 last, low, high;
11996 	u32 hyst;
11997 	int i, n, low_index;
11998 	int err;
11999 
12000 	/* RSSI reporting disabled? */
12001 	if (!wdev->cqm_config)
12002 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12003 
12004 	/*
12005 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12006 	 * event has been received yet, we should receive an event after a
12007 	 * connection is established and enough beacons received to calculate
12008 	 * the average.
12009 	 */
12010 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
12011 	    rdev->ops->get_station) {
12012 		struct station_info sinfo = {};
12013 		u8 *mac_addr;
12014 
12015 		mac_addr = wdev->current_bss->pub.bssid;
12016 
12017 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12018 		if (err)
12019 			return err;
12020 
12021 		cfg80211_sinfo_release_content(&sinfo);
12022 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12023 			wdev->cqm_config->last_rssi_event_value =
12024 				(s8) sinfo.rx_beacon_signal_avg;
12025 	}
12026 
12027 	last = wdev->cqm_config->last_rssi_event_value;
12028 	hyst = wdev->cqm_config->rssi_hyst;
12029 	n = wdev->cqm_config->n_rssi_thresholds;
12030 
12031 	for (i = 0; i < n; i++) {
12032 		i = array_index_nospec(i, n);
12033 		if (last < wdev->cqm_config->rssi_thresholds[i])
12034 			break;
12035 	}
12036 
12037 	low_index = i - 1;
12038 	if (low_index >= 0) {
12039 		low_index = array_index_nospec(low_index, n);
12040 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12041 	} else {
12042 		low = S32_MIN;
12043 	}
12044 	if (i < n) {
12045 		i = array_index_nospec(i, n);
12046 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12047 	} else {
12048 		high = S32_MAX;
12049 	}
12050 
12051 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12052 }
12053 
12054 static int nl80211_set_cqm_rssi(struct genl_info *info,
12055 				const s32 *thresholds, int n_thresholds,
12056 				u32 hysteresis)
12057 {
12058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12059 	struct net_device *dev = info->user_ptr[1];
12060 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12061 	int i, err;
12062 	s32 prev = S32_MIN;
12063 
12064 	/* Check all values negative and sorted */
12065 	for (i = 0; i < n_thresholds; i++) {
12066 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12067 			return -EINVAL;
12068 
12069 		prev = thresholds[i];
12070 	}
12071 
12072 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12073 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12074 		return -EOPNOTSUPP;
12075 
12076 	wdev_lock(wdev);
12077 	cfg80211_cqm_config_free(wdev);
12078 	wdev_unlock(wdev);
12079 
12080 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12081 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12082 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12083 
12084 		return rdev_set_cqm_rssi_config(rdev, dev,
12085 						thresholds[0], hysteresis);
12086 	}
12087 
12088 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12089 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12090 		return -EOPNOTSUPP;
12091 
12092 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12093 		n_thresholds = 0;
12094 
12095 	wdev_lock(wdev);
12096 	if (n_thresholds) {
12097 		struct cfg80211_cqm_config *cqm_config;
12098 
12099 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12100 						 n_thresholds),
12101 				     GFP_KERNEL);
12102 		if (!cqm_config) {
12103 			err = -ENOMEM;
12104 			goto unlock;
12105 		}
12106 
12107 		cqm_config->rssi_hyst = hysteresis;
12108 		cqm_config->n_rssi_thresholds = n_thresholds;
12109 		memcpy(cqm_config->rssi_thresholds, thresholds,
12110 		       flex_array_size(cqm_config, rssi_thresholds,
12111 				       n_thresholds));
12112 
12113 		wdev->cqm_config = cqm_config;
12114 	}
12115 
12116 	err = cfg80211_cqm_rssi_update(rdev, dev);
12117 
12118 unlock:
12119 	wdev_unlock(wdev);
12120 
12121 	return err;
12122 }
12123 
12124 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12125 {
12126 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12127 	struct nlattr *cqm;
12128 	int err;
12129 
12130 	cqm = info->attrs[NL80211_ATTR_CQM];
12131 	if (!cqm)
12132 		return -EINVAL;
12133 
12134 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12135 					  nl80211_attr_cqm_policy,
12136 					  info->extack);
12137 	if (err)
12138 		return err;
12139 
12140 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12141 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12142 		const s32 *thresholds =
12143 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12144 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12145 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12146 
12147 		if (len % 4)
12148 			return -EINVAL;
12149 
12150 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12151 					    hysteresis);
12152 	}
12153 
12154 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12155 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12156 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12157 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12158 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12159 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12160 
12161 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12162 	}
12163 
12164 	return -EINVAL;
12165 }
12166 
12167 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12168 {
12169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12170 	struct net_device *dev = info->user_ptr[1];
12171 	struct ocb_setup setup = {};
12172 	int err;
12173 
12174 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12175 	if (err)
12176 		return err;
12177 
12178 	return cfg80211_join_ocb(rdev, dev, &setup);
12179 }
12180 
12181 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12182 {
12183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12184 	struct net_device *dev = info->user_ptr[1];
12185 
12186 	return cfg80211_leave_ocb(rdev, dev);
12187 }
12188 
12189 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12190 {
12191 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12192 	struct net_device *dev = info->user_ptr[1];
12193 	struct mesh_config cfg;
12194 	struct mesh_setup setup;
12195 	int err;
12196 
12197 	/* start with default */
12198 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12199 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12200 
12201 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12202 		/* and parse parameters if given */
12203 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12204 		if (err)
12205 			return err;
12206 	}
12207 
12208 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
12209 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
12210 		return -EINVAL;
12211 
12212 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
12213 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
12214 
12215 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
12216 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
12217 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
12218 			return -EINVAL;
12219 
12220 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
12221 		setup.beacon_interval =
12222 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
12223 
12224 		err = cfg80211_validate_beacon_int(rdev,
12225 						   NL80211_IFTYPE_MESH_POINT,
12226 						   setup.beacon_interval);
12227 		if (err)
12228 			return err;
12229 	}
12230 
12231 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
12232 		setup.dtim_period =
12233 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
12234 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
12235 			return -EINVAL;
12236 	}
12237 
12238 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
12239 		/* parse additional setup parameters if given */
12240 		err = nl80211_parse_mesh_setup(info, &setup);
12241 		if (err)
12242 			return err;
12243 	}
12244 
12245 	if (setup.user_mpm)
12246 		cfg.auto_open_plinks = false;
12247 
12248 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12249 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12250 		if (err)
12251 			return err;
12252 	} else {
12253 		/* __cfg80211_join_mesh() will sort it out */
12254 		setup.chandef.chan = NULL;
12255 	}
12256 
12257 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
12258 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12259 		int n_rates =
12260 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
12261 		struct ieee80211_supported_band *sband;
12262 
12263 		if (!setup.chandef.chan)
12264 			return -EINVAL;
12265 
12266 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
12267 
12268 		err = ieee80211_get_ratemask(sband, rates, n_rates,
12269 					     &setup.basic_rates);
12270 		if (err)
12271 			return err;
12272 	}
12273 
12274 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
12275 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12276 						    NL80211_ATTR_TX_RATES,
12277 						    &setup.beacon_rate,
12278 						    dev, false);
12279 		if (err)
12280 			return err;
12281 
12282 		if (!setup.chandef.chan)
12283 			return -EINVAL;
12284 
12285 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
12286 					      &setup.beacon_rate);
12287 		if (err)
12288 			return err;
12289 	}
12290 
12291 	setup.userspace_handles_dfs =
12292 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
12293 
12294 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
12295 		int r = validate_pae_over_nl80211(rdev, info);
12296 
12297 		if (r < 0)
12298 			return r;
12299 
12300 		setup.control_port_over_nl80211 = true;
12301 	}
12302 
12303 	wdev_lock(dev->ieee80211_ptr);
12304 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
12305 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
12306 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12307 	wdev_unlock(dev->ieee80211_ptr);
12308 
12309 	return err;
12310 }
12311 
12312 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
12313 {
12314 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12315 	struct net_device *dev = info->user_ptr[1];
12316 
12317 	return cfg80211_leave_mesh(rdev, dev);
12318 }
12319 
12320 #ifdef CONFIG_PM
12321 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
12322 					struct cfg80211_registered_device *rdev)
12323 {
12324 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
12325 	struct nlattr *nl_pats, *nl_pat;
12326 	int i, pat_len;
12327 
12328 	if (!wowlan->n_patterns)
12329 		return 0;
12330 
12331 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
12332 	if (!nl_pats)
12333 		return -ENOBUFS;
12334 
12335 	for (i = 0; i < wowlan->n_patterns; i++) {
12336 		nl_pat = nla_nest_start_noflag(msg, i + 1);
12337 		if (!nl_pat)
12338 			return -ENOBUFS;
12339 		pat_len = wowlan->patterns[i].pattern_len;
12340 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
12341 			    wowlan->patterns[i].mask) ||
12342 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12343 			    wowlan->patterns[i].pattern) ||
12344 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12345 				wowlan->patterns[i].pkt_offset))
12346 			return -ENOBUFS;
12347 		nla_nest_end(msg, nl_pat);
12348 	}
12349 	nla_nest_end(msg, nl_pats);
12350 
12351 	return 0;
12352 }
12353 
12354 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
12355 				   struct cfg80211_wowlan_tcp *tcp)
12356 {
12357 	struct nlattr *nl_tcp;
12358 
12359 	if (!tcp)
12360 		return 0;
12361 
12362 	nl_tcp = nla_nest_start_noflag(msg,
12363 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12364 	if (!nl_tcp)
12365 		return -ENOBUFS;
12366 
12367 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12368 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12369 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12370 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12371 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12372 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12373 		    tcp->payload_len, tcp->payload) ||
12374 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12375 			tcp->data_interval) ||
12376 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12377 		    tcp->wake_len, tcp->wake_data) ||
12378 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12379 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12380 		return -ENOBUFS;
12381 
12382 	if (tcp->payload_seq.len &&
12383 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12384 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12385 		return -ENOBUFS;
12386 
12387 	if (tcp->payload_tok.len &&
12388 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12389 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12390 		    &tcp->payload_tok))
12391 		return -ENOBUFS;
12392 
12393 	nla_nest_end(msg, nl_tcp);
12394 
12395 	return 0;
12396 }
12397 
12398 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12399 				  struct cfg80211_sched_scan_request *req)
12400 {
12401 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12402 	int i;
12403 
12404 	if (!req)
12405 		return 0;
12406 
12407 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12408 	if (!nd)
12409 		return -ENOBUFS;
12410 
12411 	if (req->n_scan_plans == 1 &&
12412 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12413 			req->scan_plans[0].interval * 1000))
12414 		return -ENOBUFS;
12415 
12416 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12417 		return -ENOBUFS;
12418 
12419 	if (req->relative_rssi_set) {
12420 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12421 
12422 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12423 			       req->relative_rssi))
12424 			return -ENOBUFS;
12425 
12426 		rssi_adjust.band = req->rssi_adjust.band;
12427 		rssi_adjust.delta = req->rssi_adjust.delta;
12428 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12429 			    sizeof(rssi_adjust), &rssi_adjust))
12430 			return -ENOBUFS;
12431 	}
12432 
12433 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12434 	if (!freqs)
12435 		return -ENOBUFS;
12436 
12437 	for (i = 0; i < req->n_channels; i++) {
12438 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12439 			return -ENOBUFS;
12440 	}
12441 
12442 	nla_nest_end(msg, freqs);
12443 
12444 	if (req->n_match_sets) {
12445 		matches = nla_nest_start_noflag(msg,
12446 						NL80211_ATTR_SCHED_SCAN_MATCH);
12447 		if (!matches)
12448 			return -ENOBUFS;
12449 
12450 		for (i = 0; i < req->n_match_sets; i++) {
12451 			match = nla_nest_start_noflag(msg, i);
12452 			if (!match)
12453 				return -ENOBUFS;
12454 
12455 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12456 				    req->match_sets[i].ssid.ssid_len,
12457 				    req->match_sets[i].ssid.ssid))
12458 				return -ENOBUFS;
12459 			nla_nest_end(msg, match);
12460 		}
12461 		nla_nest_end(msg, matches);
12462 	}
12463 
12464 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12465 	if (!scan_plans)
12466 		return -ENOBUFS;
12467 
12468 	for (i = 0; i < req->n_scan_plans; i++) {
12469 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12470 		if (!scan_plan)
12471 			return -ENOBUFS;
12472 
12473 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12474 				req->scan_plans[i].interval) ||
12475 		    (req->scan_plans[i].iterations &&
12476 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12477 				 req->scan_plans[i].iterations)))
12478 			return -ENOBUFS;
12479 		nla_nest_end(msg, scan_plan);
12480 	}
12481 	nla_nest_end(msg, scan_plans);
12482 
12483 	nla_nest_end(msg, nd);
12484 
12485 	return 0;
12486 }
12487 
12488 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12489 {
12490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12491 	struct sk_buff *msg;
12492 	void *hdr;
12493 	u32 size = NLMSG_DEFAULT_SIZE;
12494 
12495 	if (!rdev->wiphy.wowlan)
12496 		return -EOPNOTSUPP;
12497 
12498 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12499 		/* adjust size to have room for all the data */
12500 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12501 			rdev->wiphy.wowlan_config->tcp->payload_len +
12502 			rdev->wiphy.wowlan_config->tcp->wake_len +
12503 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12504 	}
12505 
12506 	msg = nlmsg_new(size, GFP_KERNEL);
12507 	if (!msg)
12508 		return -ENOMEM;
12509 
12510 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12511 			     NL80211_CMD_GET_WOWLAN);
12512 	if (!hdr)
12513 		goto nla_put_failure;
12514 
12515 	if (rdev->wiphy.wowlan_config) {
12516 		struct nlattr *nl_wowlan;
12517 
12518 		nl_wowlan = nla_nest_start_noflag(msg,
12519 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12520 		if (!nl_wowlan)
12521 			goto nla_put_failure;
12522 
12523 		if ((rdev->wiphy.wowlan_config->any &&
12524 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12525 		    (rdev->wiphy.wowlan_config->disconnect &&
12526 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12527 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12528 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12529 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12530 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12531 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12532 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12533 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12534 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12535 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12536 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12537 			goto nla_put_failure;
12538 
12539 		if (nl80211_send_wowlan_patterns(msg, rdev))
12540 			goto nla_put_failure;
12541 
12542 		if (nl80211_send_wowlan_tcp(msg,
12543 					    rdev->wiphy.wowlan_config->tcp))
12544 			goto nla_put_failure;
12545 
12546 		if (nl80211_send_wowlan_nd(
12547 			    msg,
12548 			    rdev->wiphy.wowlan_config->nd_config))
12549 			goto nla_put_failure;
12550 
12551 		nla_nest_end(msg, nl_wowlan);
12552 	}
12553 
12554 	genlmsg_end(msg, hdr);
12555 	return genlmsg_reply(msg, info);
12556 
12557 nla_put_failure:
12558 	nlmsg_free(msg);
12559 	return -ENOBUFS;
12560 }
12561 
12562 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12563 				    struct nlattr *attr,
12564 				    struct cfg80211_wowlan *trig)
12565 {
12566 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12567 	struct cfg80211_wowlan_tcp *cfg;
12568 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12569 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12570 	u32 size;
12571 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12572 	int err, port;
12573 
12574 	if (!rdev->wiphy.wowlan->tcp)
12575 		return -EINVAL;
12576 
12577 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12578 					  nl80211_wowlan_tcp_policy, NULL);
12579 	if (err)
12580 		return err;
12581 
12582 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12583 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12584 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12585 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12586 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12587 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12588 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12589 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12590 		return -EINVAL;
12591 
12592 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12593 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12594 		return -EINVAL;
12595 
12596 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12597 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12598 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12599 		return -EINVAL;
12600 
12601 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12602 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12603 		return -EINVAL;
12604 
12605 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12606 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12607 		return -EINVAL;
12608 
12609 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12610 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12611 
12612 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12613 		tokens_size = tokln - sizeof(*tok);
12614 
12615 		if (!tok->len || tokens_size % tok->len)
12616 			return -EINVAL;
12617 		if (!rdev->wiphy.wowlan->tcp->tok)
12618 			return -EINVAL;
12619 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12620 			return -EINVAL;
12621 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12622 			return -EINVAL;
12623 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12624 			return -EINVAL;
12625 		if (tok->offset + tok->len > data_size)
12626 			return -EINVAL;
12627 	}
12628 
12629 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12630 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12631 		if (!rdev->wiphy.wowlan->tcp->seq)
12632 			return -EINVAL;
12633 		if (seq->len == 0 || seq->len > 4)
12634 			return -EINVAL;
12635 		if (seq->len + seq->offset > data_size)
12636 			return -EINVAL;
12637 	}
12638 
12639 	size = sizeof(*cfg);
12640 	size += data_size;
12641 	size += wake_size + wake_mask_size;
12642 	size += tokens_size;
12643 
12644 	cfg = kzalloc(size, GFP_KERNEL);
12645 	if (!cfg)
12646 		return -ENOMEM;
12647 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12648 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12649 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12650 	       ETH_ALEN);
12651 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12652 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12653 	else
12654 		port = 0;
12655 #ifdef CONFIG_INET
12656 	/* allocate a socket and port for it and use it */
12657 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12658 			    IPPROTO_TCP, &cfg->sock, 1);
12659 	if (err) {
12660 		kfree(cfg);
12661 		return err;
12662 	}
12663 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12664 		sock_release(cfg->sock);
12665 		kfree(cfg);
12666 		return -EADDRINUSE;
12667 	}
12668 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12669 #else
12670 	if (!port) {
12671 		kfree(cfg);
12672 		return -EINVAL;
12673 	}
12674 	cfg->src_port = port;
12675 #endif
12676 
12677 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12678 	cfg->payload_len = data_size;
12679 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12680 	memcpy((void *)cfg->payload,
12681 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12682 	       data_size);
12683 	if (seq)
12684 		cfg->payload_seq = *seq;
12685 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12686 	cfg->wake_len = wake_size;
12687 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12688 	memcpy((void *)cfg->wake_data,
12689 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12690 	       wake_size);
12691 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12692 			 data_size + wake_size;
12693 	memcpy((void *)cfg->wake_mask,
12694 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12695 	       wake_mask_size);
12696 	if (tok) {
12697 		cfg->tokens_size = tokens_size;
12698 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12699 	}
12700 
12701 	trig->tcp = cfg;
12702 
12703 	return 0;
12704 }
12705 
12706 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12707 				   const struct wiphy_wowlan_support *wowlan,
12708 				   struct nlattr *attr,
12709 				   struct cfg80211_wowlan *trig)
12710 {
12711 	struct nlattr **tb;
12712 	int err;
12713 
12714 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12715 	if (!tb)
12716 		return -ENOMEM;
12717 
12718 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12719 		err = -EOPNOTSUPP;
12720 		goto out;
12721 	}
12722 
12723 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12724 					  nl80211_policy, NULL);
12725 	if (err)
12726 		goto out;
12727 
12728 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12729 						   wowlan->max_nd_match_sets);
12730 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12731 	if (err)
12732 		trig->nd_config = NULL;
12733 
12734 out:
12735 	kfree(tb);
12736 	return err;
12737 }
12738 
12739 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12740 {
12741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12742 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12743 	struct cfg80211_wowlan new_triggers = {};
12744 	struct cfg80211_wowlan *ntrig;
12745 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12746 	int err, i;
12747 	bool prev_enabled = rdev->wiphy.wowlan_config;
12748 	bool regular = false;
12749 
12750 	if (!wowlan)
12751 		return -EOPNOTSUPP;
12752 
12753 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12754 		cfg80211_rdev_free_wowlan(rdev);
12755 		rdev->wiphy.wowlan_config = NULL;
12756 		goto set_wakeup;
12757 	}
12758 
12759 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12760 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12761 					  nl80211_wowlan_policy, info->extack);
12762 	if (err)
12763 		return err;
12764 
12765 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12766 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12767 			return -EINVAL;
12768 		new_triggers.any = true;
12769 	}
12770 
12771 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12772 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12773 			return -EINVAL;
12774 		new_triggers.disconnect = true;
12775 		regular = true;
12776 	}
12777 
12778 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12779 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12780 			return -EINVAL;
12781 		new_triggers.magic_pkt = true;
12782 		regular = true;
12783 	}
12784 
12785 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12786 		return -EINVAL;
12787 
12788 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12789 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12790 			return -EINVAL;
12791 		new_triggers.gtk_rekey_failure = true;
12792 		regular = true;
12793 	}
12794 
12795 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12796 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12797 			return -EINVAL;
12798 		new_triggers.eap_identity_req = true;
12799 		regular = true;
12800 	}
12801 
12802 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12803 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12804 			return -EINVAL;
12805 		new_triggers.four_way_handshake = true;
12806 		regular = true;
12807 	}
12808 
12809 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12810 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12811 			return -EINVAL;
12812 		new_triggers.rfkill_release = true;
12813 		regular = true;
12814 	}
12815 
12816 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12817 		struct nlattr *pat;
12818 		int n_patterns = 0;
12819 		int rem, pat_len, mask_len, pkt_offset;
12820 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12821 
12822 		regular = true;
12823 
12824 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12825 				    rem)
12826 			n_patterns++;
12827 		if (n_patterns > wowlan->n_patterns)
12828 			return -EINVAL;
12829 
12830 		new_triggers.patterns = kcalloc(n_patterns,
12831 						sizeof(new_triggers.patterns[0]),
12832 						GFP_KERNEL);
12833 		if (!new_triggers.patterns)
12834 			return -ENOMEM;
12835 
12836 		new_triggers.n_patterns = n_patterns;
12837 		i = 0;
12838 
12839 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12840 				    rem) {
12841 			u8 *mask_pat;
12842 
12843 			err = nla_parse_nested_deprecated(pat_tb,
12844 							  MAX_NL80211_PKTPAT,
12845 							  pat,
12846 							  nl80211_packet_pattern_policy,
12847 							  info->extack);
12848 			if (err)
12849 				goto error;
12850 
12851 			err = -EINVAL;
12852 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12853 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12854 				goto error;
12855 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12856 			mask_len = DIV_ROUND_UP(pat_len, 8);
12857 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12858 				goto error;
12859 			if (pat_len > wowlan->pattern_max_len ||
12860 			    pat_len < wowlan->pattern_min_len)
12861 				goto error;
12862 
12863 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12864 				pkt_offset = 0;
12865 			else
12866 				pkt_offset = nla_get_u32(
12867 					pat_tb[NL80211_PKTPAT_OFFSET]);
12868 			if (pkt_offset > wowlan->max_pkt_offset)
12869 				goto error;
12870 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12871 
12872 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12873 			if (!mask_pat) {
12874 				err = -ENOMEM;
12875 				goto error;
12876 			}
12877 			new_triggers.patterns[i].mask = mask_pat;
12878 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12879 			       mask_len);
12880 			mask_pat += mask_len;
12881 			new_triggers.patterns[i].pattern = mask_pat;
12882 			new_triggers.patterns[i].pattern_len = pat_len;
12883 			memcpy(mask_pat,
12884 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12885 			       pat_len);
12886 			i++;
12887 		}
12888 	}
12889 
12890 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12891 		regular = true;
12892 		err = nl80211_parse_wowlan_tcp(
12893 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12894 			&new_triggers);
12895 		if (err)
12896 			goto error;
12897 	}
12898 
12899 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12900 		regular = true;
12901 		err = nl80211_parse_wowlan_nd(
12902 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12903 			&new_triggers);
12904 		if (err)
12905 			goto error;
12906 	}
12907 
12908 	/* The 'any' trigger means the device continues operating more or less
12909 	 * as in its normal operation mode and wakes up the host on most of the
12910 	 * normal interrupts (like packet RX, ...)
12911 	 * It therefore makes little sense to combine with the more constrained
12912 	 * wakeup trigger modes.
12913 	 */
12914 	if (new_triggers.any && regular) {
12915 		err = -EINVAL;
12916 		goto error;
12917 	}
12918 
12919 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12920 	if (!ntrig) {
12921 		err = -ENOMEM;
12922 		goto error;
12923 	}
12924 	cfg80211_rdev_free_wowlan(rdev);
12925 	rdev->wiphy.wowlan_config = ntrig;
12926 
12927  set_wakeup:
12928 	if (rdev->ops->set_wakeup &&
12929 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12930 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12931 
12932 	return 0;
12933  error:
12934 	for (i = 0; i < new_triggers.n_patterns; i++)
12935 		kfree(new_triggers.patterns[i].mask);
12936 	kfree(new_triggers.patterns);
12937 	if (new_triggers.tcp && new_triggers.tcp->sock)
12938 		sock_release(new_triggers.tcp->sock);
12939 	kfree(new_triggers.tcp);
12940 	kfree(new_triggers.nd_config);
12941 	return err;
12942 }
12943 #endif
12944 
12945 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12946 				       struct cfg80211_registered_device *rdev)
12947 {
12948 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12949 	int i, j, pat_len;
12950 	struct cfg80211_coalesce_rules *rule;
12951 
12952 	if (!rdev->coalesce->n_rules)
12953 		return 0;
12954 
12955 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12956 	if (!nl_rules)
12957 		return -ENOBUFS;
12958 
12959 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12960 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12961 		if (!nl_rule)
12962 			return -ENOBUFS;
12963 
12964 		rule = &rdev->coalesce->rules[i];
12965 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12966 				rule->delay))
12967 			return -ENOBUFS;
12968 
12969 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12970 				rule->condition))
12971 			return -ENOBUFS;
12972 
12973 		nl_pats = nla_nest_start_noflag(msg,
12974 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12975 		if (!nl_pats)
12976 			return -ENOBUFS;
12977 
12978 		for (j = 0; j < rule->n_patterns; j++) {
12979 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12980 			if (!nl_pat)
12981 				return -ENOBUFS;
12982 			pat_len = rule->patterns[j].pattern_len;
12983 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12984 				    DIV_ROUND_UP(pat_len, 8),
12985 				    rule->patterns[j].mask) ||
12986 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12987 				    rule->patterns[j].pattern) ||
12988 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12989 					rule->patterns[j].pkt_offset))
12990 				return -ENOBUFS;
12991 			nla_nest_end(msg, nl_pat);
12992 		}
12993 		nla_nest_end(msg, nl_pats);
12994 		nla_nest_end(msg, nl_rule);
12995 	}
12996 	nla_nest_end(msg, nl_rules);
12997 
12998 	return 0;
12999 }
13000 
13001 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13002 {
13003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13004 	struct sk_buff *msg;
13005 	void *hdr;
13006 
13007 	if (!rdev->wiphy.coalesce)
13008 		return -EOPNOTSUPP;
13009 
13010 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13011 	if (!msg)
13012 		return -ENOMEM;
13013 
13014 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13015 			     NL80211_CMD_GET_COALESCE);
13016 	if (!hdr)
13017 		goto nla_put_failure;
13018 
13019 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13020 		goto nla_put_failure;
13021 
13022 	genlmsg_end(msg, hdr);
13023 	return genlmsg_reply(msg, info);
13024 
13025 nla_put_failure:
13026 	nlmsg_free(msg);
13027 	return -ENOBUFS;
13028 }
13029 
13030 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13031 {
13032 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13033 	int i, j;
13034 	struct cfg80211_coalesce_rules *rule;
13035 
13036 	if (!coalesce)
13037 		return;
13038 
13039 	for (i = 0; i < coalesce->n_rules; i++) {
13040 		rule = &coalesce->rules[i];
13041 		for (j = 0; j < rule->n_patterns; j++)
13042 			kfree(rule->patterns[j].mask);
13043 		kfree(rule->patterns);
13044 	}
13045 	kfree(coalesce->rules);
13046 	kfree(coalesce);
13047 	rdev->coalesce = NULL;
13048 }
13049 
13050 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13051 				       struct nlattr *rule,
13052 				       struct cfg80211_coalesce_rules *new_rule)
13053 {
13054 	int err, i;
13055 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13056 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13057 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13058 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13059 
13060 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13061 					  rule, nl80211_coalesce_policy, NULL);
13062 	if (err)
13063 		return err;
13064 
13065 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13066 		new_rule->delay =
13067 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13068 	if (new_rule->delay > coalesce->max_delay)
13069 		return -EINVAL;
13070 
13071 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13072 		new_rule->condition =
13073 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13074 
13075 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13076 		return -EINVAL;
13077 
13078 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13079 			    rem)
13080 		n_patterns++;
13081 	if (n_patterns > coalesce->n_patterns)
13082 		return -EINVAL;
13083 
13084 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13085 				     GFP_KERNEL);
13086 	if (!new_rule->patterns)
13087 		return -ENOMEM;
13088 
13089 	new_rule->n_patterns = n_patterns;
13090 	i = 0;
13091 
13092 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13093 			    rem) {
13094 		u8 *mask_pat;
13095 
13096 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13097 						  pat,
13098 						  nl80211_packet_pattern_policy,
13099 						  NULL);
13100 		if (err)
13101 			return err;
13102 
13103 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13104 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13105 			return -EINVAL;
13106 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13107 		mask_len = DIV_ROUND_UP(pat_len, 8);
13108 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13109 			return -EINVAL;
13110 		if (pat_len > coalesce->pattern_max_len ||
13111 		    pat_len < coalesce->pattern_min_len)
13112 			return -EINVAL;
13113 
13114 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13115 			pkt_offset = 0;
13116 		else
13117 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13118 		if (pkt_offset > coalesce->max_pkt_offset)
13119 			return -EINVAL;
13120 		new_rule->patterns[i].pkt_offset = pkt_offset;
13121 
13122 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13123 		if (!mask_pat)
13124 			return -ENOMEM;
13125 
13126 		new_rule->patterns[i].mask = mask_pat;
13127 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13128 		       mask_len);
13129 
13130 		mask_pat += mask_len;
13131 		new_rule->patterns[i].pattern = mask_pat;
13132 		new_rule->patterns[i].pattern_len = pat_len;
13133 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13134 		       pat_len);
13135 		i++;
13136 	}
13137 
13138 	return 0;
13139 }
13140 
13141 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13142 {
13143 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13144 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13145 	struct cfg80211_coalesce new_coalesce = {};
13146 	struct cfg80211_coalesce *n_coalesce;
13147 	int err, rem_rule, n_rules = 0, i, j;
13148 	struct nlattr *rule;
13149 	struct cfg80211_coalesce_rules *tmp_rule;
13150 
13151 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13152 		return -EOPNOTSUPP;
13153 
13154 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13155 		cfg80211_rdev_free_coalesce(rdev);
13156 		rdev_set_coalesce(rdev, NULL);
13157 		return 0;
13158 	}
13159 
13160 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13161 			    rem_rule)
13162 		n_rules++;
13163 	if (n_rules > coalesce->n_rules)
13164 		return -EINVAL;
13165 
13166 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13167 				     GFP_KERNEL);
13168 	if (!new_coalesce.rules)
13169 		return -ENOMEM;
13170 
13171 	new_coalesce.n_rules = n_rules;
13172 	i = 0;
13173 
13174 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13175 			    rem_rule) {
13176 		err = nl80211_parse_coalesce_rule(rdev, rule,
13177 						  &new_coalesce.rules[i]);
13178 		if (err)
13179 			goto error;
13180 
13181 		i++;
13182 	}
13183 
13184 	err = rdev_set_coalesce(rdev, &new_coalesce);
13185 	if (err)
13186 		goto error;
13187 
13188 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13189 	if (!n_coalesce) {
13190 		err = -ENOMEM;
13191 		goto error;
13192 	}
13193 	cfg80211_rdev_free_coalesce(rdev);
13194 	rdev->coalesce = n_coalesce;
13195 
13196 	return 0;
13197 error:
13198 	for (i = 0; i < new_coalesce.n_rules; i++) {
13199 		tmp_rule = &new_coalesce.rules[i];
13200 		for (j = 0; j < tmp_rule->n_patterns; j++)
13201 			kfree(tmp_rule->patterns[j].mask);
13202 		kfree(tmp_rule->patterns);
13203 	}
13204 	kfree(new_coalesce.rules);
13205 
13206 	return err;
13207 }
13208 
13209 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
13210 {
13211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13212 	struct net_device *dev = info->user_ptr[1];
13213 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13214 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
13215 	struct cfg80211_gtk_rekey_data rekey_data = {};
13216 	int err;
13217 
13218 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
13219 		return -EINVAL;
13220 
13221 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
13222 					  info->attrs[NL80211_ATTR_REKEY_DATA],
13223 					  nl80211_rekey_policy, info->extack);
13224 	if (err)
13225 		return err;
13226 
13227 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
13228 	    !tb[NL80211_REKEY_DATA_KCK])
13229 		return -EINVAL;
13230 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
13231 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13232 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
13233 		return -ERANGE;
13234 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
13235 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
13236 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
13237 		return -ERANGE;
13238 
13239 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
13240 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
13241 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
13242 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
13243 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
13244 	if (tb[NL80211_REKEY_DATA_AKM])
13245 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
13246 
13247 	wdev_lock(wdev);
13248 	if (!wdev->current_bss) {
13249 		err = -ENOTCONN;
13250 		goto out;
13251 	}
13252 
13253 	if (!rdev->ops->set_rekey_data) {
13254 		err = -EOPNOTSUPP;
13255 		goto out;
13256 	}
13257 
13258 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
13259  out:
13260 	wdev_unlock(wdev);
13261 	return err;
13262 }
13263 
13264 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
13265 					     struct genl_info *info)
13266 {
13267 	struct net_device *dev = info->user_ptr[1];
13268 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13269 
13270 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13271 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13272 		return -EINVAL;
13273 
13274 	if (wdev->ap_unexpected_nlportid)
13275 		return -EBUSY;
13276 
13277 	wdev->ap_unexpected_nlportid = info->snd_portid;
13278 	return 0;
13279 }
13280 
13281 static int nl80211_probe_client(struct sk_buff *skb,
13282 				struct genl_info *info)
13283 {
13284 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13285 	struct net_device *dev = info->user_ptr[1];
13286 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13287 	struct sk_buff *msg;
13288 	void *hdr;
13289 	const u8 *addr;
13290 	u64 cookie;
13291 	int err;
13292 
13293 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13294 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13295 		return -EOPNOTSUPP;
13296 
13297 	if (!info->attrs[NL80211_ATTR_MAC])
13298 		return -EINVAL;
13299 
13300 	if (!rdev->ops->probe_client)
13301 		return -EOPNOTSUPP;
13302 
13303 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13304 	if (!msg)
13305 		return -ENOMEM;
13306 
13307 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13308 			     NL80211_CMD_PROBE_CLIENT);
13309 	if (!hdr) {
13310 		err = -ENOBUFS;
13311 		goto free_msg;
13312 	}
13313 
13314 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13315 
13316 	err = rdev_probe_client(rdev, dev, addr, &cookie);
13317 	if (err)
13318 		goto free_msg;
13319 
13320 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13321 			      NL80211_ATTR_PAD))
13322 		goto nla_put_failure;
13323 
13324 	genlmsg_end(msg, hdr);
13325 
13326 	return genlmsg_reply(msg, info);
13327 
13328  nla_put_failure:
13329 	err = -ENOBUFS;
13330  free_msg:
13331 	nlmsg_free(msg);
13332 	return err;
13333 }
13334 
13335 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
13336 {
13337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13338 	struct cfg80211_beacon_registration *reg, *nreg;
13339 	int rv;
13340 
13341 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
13342 		return -EOPNOTSUPP;
13343 
13344 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
13345 	if (!nreg)
13346 		return -ENOMEM;
13347 
13348 	/* First, check if already registered. */
13349 	spin_lock_bh(&rdev->beacon_registrations_lock);
13350 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
13351 		if (reg->nlportid == info->snd_portid) {
13352 			rv = -EALREADY;
13353 			goto out_err;
13354 		}
13355 	}
13356 	/* Add it to the list */
13357 	nreg->nlportid = info->snd_portid;
13358 	list_add(&nreg->list, &rdev->beacon_registrations);
13359 
13360 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13361 
13362 	return 0;
13363 out_err:
13364 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13365 	kfree(nreg);
13366 	return rv;
13367 }
13368 
13369 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13370 {
13371 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13372 	struct wireless_dev *wdev = info->user_ptr[1];
13373 	int err;
13374 
13375 	if (!rdev->ops->start_p2p_device)
13376 		return -EOPNOTSUPP;
13377 
13378 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13379 		return -EOPNOTSUPP;
13380 
13381 	if (wdev_running(wdev))
13382 		return 0;
13383 
13384 	if (rfkill_blocked(rdev->wiphy.rfkill))
13385 		return -ERFKILL;
13386 
13387 	err = rdev_start_p2p_device(rdev, wdev);
13388 	if (err)
13389 		return err;
13390 
13391 	wdev->is_running = true;
13392 	rdev->opencount++;
13393 
13394 	return 0;
13395 }
13396 
13397 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13398 {
13399 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13400 	struct wireless_dev *wdev = info->user_ptr[1];
13401 
13402 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13403 		return -EOPNOTSUPP;
13404 
13405 	if (!rdev->ops->stop_p2p_device)
13406 		return -EOPNOTSUPP;
13407 
13408 	cfg80211_stop_p2p_device(rdev, wdev);
13409 
13410 	return 0;
13411 }
13412 
13413 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13414 {
13415 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13416 	struct wireless_dev *wdev = info->user_ptr[1];
13417 	struct cfg80211_nan_conf conf = {};
13418 	int err;
13419 
13420 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13421 		return -EOPNOTSUPP;
13422 
13423 	if (wdev_running(wdev))
13424 		return -EEXIST;
13425 
13426 	if (rfkill_blocked(rdev->wiphy.rfkill))
13427 		return -ERFKILL;
13428 
13429 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13430 		return -EINVAL;
13431 
13432 	conf.master_pref =
13433 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13434 
13435 	if (info->attrs[NL80211_ATTR_BANDS]) {
13436 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13437 
13438 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13439 			return -EOPNOTSUPP;
13440 
13441 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13442 			return -EINVAL;
13443 
13444 		conf.bands = bands;
13445 	}
13446 
13447 	err = rdev_start_nan(rdev, wdev, &conf);
13448 	if (err)
13449 		return err;
13450 
13451 	wdev->is_running = true;
13452 	rdev->opencount++;
13453 
13454 	return 0;
13455 }
13456 
13457 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13458 {
13459 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13460 	struct wireless_dev *wdev = info->user_ptr[1];
13461 
13462 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13463 		return -EOPNOTSUPP;
13464 
13465 	cfg80211_stop_nan(rdev, wdev);
13466 
13467 	return 0;
13468 }
13469 
13470 static int validate_nan_filter(struct nlattr *filter_attr)
13471 {
13472 	struct nlattr *attr;
13473 	int len = 0, n_entries = 0, rem;
13474 
13475 	nla_for_each_nested(attr, filter_attr, rem) {
13476 		len += nla_len(attr);
13477 		n_entries++;
13478 	}
13479 
13480 	if (len >= U8_MAX)
13481 		return -EINVAL;
13482 
13483 	return n_entries;
13484 }
13485 
13486 static int handle_nan_filter(struct nlattr *attr_filter,
13487 			     struct cfg80211_nan_func *func,
13488 			     bool tx)
13489 {
13490 	struct nlattr *attr;
13491 	int n_entries, rem, i;
13492 	struct cfg80211_nan_func_filter *filter;
13493 
13494 	n_entries = validate_nan_filter(attr_filter);
13495 	if (n_entries < 0)
13496 		return n_entries;
13497 
13498 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13499 
13500 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13501 	if (!filter)
13502 		return -ENOMEM;
13503 
13504 	i = 0;
13505 	nla_for_each_nested(attr, attr_filter, rem) {
13506 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13507 		if (!filter[i].filter)
13508 			goto err;
13509 
13510 		filter[i].len = nla_len(attr);
13511 		i++;
13512 	}
13513 	if (tx) {
13514 		func->num_tx_filters = n_entries;
13515 		func->tx_filters = filter;
13516 	} else {
13517 		func->num_rx_filters = n_entries;
13518 		func->rx_filters = filter;
13519 	}
13520 
13521 	return 0;
13522 
13523 err:
13524 	i = 0;
13525 	nla_for_each_nested(attr, attr_filter, rem) {
13526 		kfree(filter[i].filter);
13527 		i++;
13528 	}
13529 	kfree(filter);
13530 	return -ENOMEM;
13531 }
13532 
13533 static int nl80211_nan_add_func(struct sk_buff *skb,
13534 				struct genl_info *info)
13535 {
13536 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13537 	struct wireless_dev *wdev = info->user_ptr[1];
13538 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13539 	struct cfg80211_nan_func *func;
13540 	struct sk_buff *msg = NULL;
13541 	void *hdr = NULL;
13542 	int err = 0;
13543 
13544 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13545 		return -EOPNOTSUPP;
13546 
13547 	if (!wdev_running(wdev))
13548 		return -ENOTCONN;
13549 
13550 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13551 		return -EINVAL;
13552 
13553 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13554 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13555 					  nl80211_nan_func_policy,
13556 					  info->extack);
13557 	if (err)
13558 		return err;
13559 
13560 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13561 	if (!func)
13562 		return -ENOMEM;
13563 
13564 	func->cookie = cfg80211_assign_cookie(rdev);
13565 
13566 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13567 		err = -EINVAL;
13568 		goto out;
13569 	}
13570 
13571 
13572 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13573 
13574 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13575 		err = -EINVAL;
13576 		goto out;
13577 	}
13578 
13579 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13580 	       sizeof(func->service_id));
13581 
13582 	func->close_range =
13583 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13584 
13585 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13586 		func->serv_spec_info_len =
13587 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13588 		func->serv_spec_info =
13589 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13590 				func->serv_spec_info_len,
13591 				GFP_KERNEL);
13592 		if (!func->serv_spec_info) {
13593 			err = -ENOMEM;
13594 			goto out;
13595 		}
13596 	}
13597 
13598 	if (tb[NL80211_NAN_FUNC_TTL])
13599 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13600 
13601 	switch (func->type) {
13602 	case NL80211_NAN_FUNC_PUBLISH:
13603 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13604 			err = -EINVAL;
13605 			goto out;
13606 		}
13607 
13608 		func->publish_type =
13609 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13610 		func->publish_bcast =
13611 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13612 
13613 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13614 			func->publish_bcast) {
13615 			err = -EINVAL;
13616 			goto out;
13617 		}
13618 		break;
13619 	case NL80211_NAN_FUNC_SUBSCRIBE:
13620 		func->subscribe_active =
13621 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13622 		break;
13623 	case NL80211_NAN_FUNC_FOLLOW_UP:
13624 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13625 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13626 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13627 			err = -EINVAL;
13628 			goto out;
13629 		}
13630 
13631 		func->followup_id =
13632 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13633 		func->followup_reqid =
13634 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13635 		memcpy(func->followup_dest.addr,
13636 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13637 		       sizeof(func->followup_dest.addr));
13638 		if (func->ttl) {
13639 			err = -EINVAL;
13640 			goto out;
13641 		}
13642 		break;
13643 	default:
13644 		err = -EINVAL;
13645 		goto out;
13646 	}
13647 
13648 	if (tb[NL80211_NAN_FUNC_SRF]) {
13649 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13650 
13651 		err = nla_parse_nested_deprecated(srf_tb,
13652 						  NL80211_NAN_SRF_ATTR_MAX,
13653 						  tb[NL80211_NAN_FUNC_SRF],
13654 						  nl80211_nan_srf_policy,
13655 						  info->extack);
13656 		if (err)
13657 			goto out;
13658 
13659 		func->srf_include =
13660 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13661 
13662 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13663 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13664 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13665 				err = -EINVAL;
13666 				goto out;
13667 			}
13668 
13669 			func->srf_bf_len =
13670 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13671 			func->srf_bf =
13672 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13673 					func->srf_bf_len, GFP_KERNEL);
13674 			if (!func->srf_bf) {
13675 				err = -ENOMEM;
13676 				goto out;
13677 			}
13678 
13679 			func->srf_bf_idx =
13680 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13681 		} else {
13682 			struct nlattr *attr, *mac_attr =
13683 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13684 			int n_entries, rem, i = 0;
13685 
13686 			if (!mac_attr) {
13687 				err = -EINVAL;
13688 				goto out;
13689 			}
13690 
13691 			n_entries = validate_acl_mac_addrs(mac_attr);
13692 			if (n_entries <= 0) {
13693 				err = -EINVAL;
13694 				goto out;
13695 			}
13696 
13697 			func->srf_num_macs = n_entries;
13698 			func->srf_macs =
13699 				kcalloc(n_entries, sizeof(*func->srf_macs),
13700 					GFP_KERNEL);
13701 			if (!func->srf_macs) {
13702 				err = -ENOMEM;
13703 				goto out;
13704 			}
13705 
13706 			nla_for_each_nested(attr, mac_attr, rem)
13707 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13708 				       sizeof(*func->srf_macs));
13709 		}
13710 	}
13711 
13712 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13713 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13714 					func, true);
13715 		if (err)
13716 			goto out;
13717 	}
13718 
13719 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13720 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13721 					func, false);
13722 		if (err)
13723 			goto out;
13724 	}
13725 
13726 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13727 	if (!msg) {
13728 		err = -ENOMEM;
13729 		goto out;
13730 	}
13731 
13732 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13733 			     NL80211_CMD_ADD_NAN_FUNCTION);
13734 	/* This can't really happen - we just allocated 4KB */
13735 	if (WARN_ON(!hdr)) {
13736 		err = -ENOMEM;
13737 		goto out;
13738 	}
13739 
13740 	err = rdev_add_nan_func(rdev, wdev, func);
13741 out:
13742 	if (err < 0) {
13743 		cfg80211_free_nan_func(func);
13744 		nlmsg_free(msg);
13745 		return err;
13746 	}
13747 
13748 	/* propagate the instance id and cookie to userspace  */
13749 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13750 			      NL80211_ATTR_PAD))
13751 		goto nla_put_failure;
13752 
13753 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13754 	if (!func_attr)
13755 		goto nla_put_failure;
13756 
13757 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13758 		       func->instance_id))
13759 		goto nla_put_failure;
13760 
13761 	nla_nest_end(msg, func_attr);
13762 
13763 	genlmsg_end(msg, hdr);
13764 	return genlmsg_reply(msg, info);
13765 
13766 nla_put_failure:
13767 	nlmsg_free(msg);
13768 	return -ENOBUFS;
13769 }
13770 
13771 static int nl80211_nan_del_func(struct sk_buff *skb,
13772 			       struct genl_info *info)
13773 {
13774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13775 	struct wireless_dev *wdev = info->user_ptr[1];
13776 	u64 cookie;
13777 
13778 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13779 		return -EOPNOTSUPP;
13780 
13781 	if (!wdev_running(wdev))
13782 		return -ENOTCONN;
13783 
13784 	if (!info->attrs[NL80211_ATTR_COOKIE])
13785 		return -EINVAL;
13786 
13787 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13788 
13789 	rdev_del_nan_func(rdev, wdev, cookie);
13790 
13791 	return 0;
13792 }
13793 
13794 static int nl80211_nan_change_config(struct sk_buff *skb,
13795 				     struct genl_info *info)
13796 {
13797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13798 	struct wireless_dev *wdev = info->user_ptr[1];
13799 	struct cfg80211_nan_conf conf = {};
13800 	u32 changed = 0;
13801 
13802 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13803 		return -EOPNOTSUPP;
13804 
13805 	if (!wdev_running(wdev))
13806 		return -ENOTCONN;
13807 
13808 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13809 		conf.master_pref =
13810 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13811 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13812 			return -EINVAL;
13813 
13814 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13815 	}
13816 
13817 	if (info->attrs[NL80211_ATTR_BANDS]) {
13818 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13819 
13820 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13821 			return -EOPNOTSUPP;
13822 
13823 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13824 			return -EINVAL;
13825 
13826 		conf.bands = bands;
13827 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13828 	}
13829 
13830 	if (!changed)
13831 		return -EINVAL;
13832 
13833 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13834 }
13835 
13836 void cfg80211_nan_match(struct wireless_dev *wdev,
13837 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13838 {
13839 	struct wiphy *wiphy = wdev->wiphy;
13840 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13841 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13842 	struct sk_buff *msg;
13843 	void *hdr;
13844 
13845 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13846 		return;
13847 
13848 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13849 	if (!msg)
13850 		return;
13851 
13852 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13853 	if (!hdr) {
13854 		nlmsg_free(msg);
13855 		return;
13856 	}
13857 
13858 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13859 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13860 					 wdev->netdev->ifindex)) ||
13861 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13862 			      NL80211_ATTR_PAD))
13863 		goto nla_put_failure;
13864 
13865 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13866 			      NL80211_ATTR_PAD) ||
13867 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13868 		goto nla_put_failure;
13869 
13870 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13871 	if (!match_attr)
13872 		goto nla_put_failure;
13873 
13874 	local_func_attr = nla_nest_start_noflag(msg,
13875 						NL80211_NAN_MATCH_FUNC_LOCAL);
13876 	if (!local_func_attr)
13877 		goto nla_put_failure;
13878 
13879 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13880 		goto nla_put_failure;
13881 
13882 	nla_nest_end(msg, local_func_attr);
13883 
13884 	peer_func_attr = nla_nest_start_noflag(msg,
13885 					       NL80211_NAN_MATCH_FUNC_PEER);
13886 	if (!peer_func_attr)
13887 		goto nla_put_failure;
13888 
13889 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13890 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13891 		goto nla_put_failure;
13892 
13893 	if (match->info && match->info_len &&
13894 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13895 		    match->info))
13896 		goto nla_put_failure;
13897 
13898 	nla_nest_end(msg, peer_func_attr);
13899 	nla_nest_end(msg, match_attr);
13900 	genlmsg_end(msg, hdr);
13901 
13902 	if (!wdev->owner_nlportid)
13903 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13904 					msg, 0, NL80211_MCGRP_NAN, gfp);
13905 	else
13906 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13907 				wdev->owner_nlportid);
13908 
13909 	return;
13910 
13911 nla_put_failure:
13912 	nlmsg_free(msg);
13913 }
13914 EXPORT_SYMBOL(cfg80211_nan_match);
13915 
13916 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13917 				  u8 inst_id,
13918 				  enum nl80211_nan_func_term_reason reason,
13919 				  u64 cookie, gfp_t gfp)
13920 {
13921 	struct wiphy *wiphy = wdev->wiphy;
13922 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13923 	struct sk_buff *msg;
13924 	struct nlattr *func_attr;
13925 	void *hdr;
13926 
13927 	if (WARN_ON(!inst_id))
13928 		return;
13929 
13930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13931 	if (!msg)
13932 		return;
13933 
13934 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13935 	if (!hdr) {
13936 		nlmsg_free(msg);
13937 		return;
13938 	}
13939 
13940 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13941 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13942 					 wdev->netdev->ifindex)) ||
13943 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13944 			      NL80211_ATTR_PAD))
13945 		goto nla_put_failure;
13946 
13947 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13948 			      NL80211_ATTR_PAD))
13949 		goto nla_put_failure;
13950 
13951 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13952 	if (!func_attr)
13953 		goto nla_put_failure;
13954 
13955 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13956 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13957 		goto nla_put_failure;
13958 
13959 	nla_nest_end(msg, func_attr);
13960 	genlmsg_end(msg, hdr);
13961 
13962 	if (!wdev->owner_nlportid)
13963 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13964 					msg, 0, NL80211_MCGRP_NAN, gfp);
13965 	else
13966 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13967 				wdev->owner_nlportid);
13968 
13969 	return;
13970 
13971 nla_put_failure:
13972 	nlmsg_free(msg);
13973 }
13974 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13975 
13976 static int nl80211_get_protocol_features(struct sk_buff *skb,
13977 					 struct genl_info *info)
13978 {
13979 	void *hdr;
13980 	struct sk_buff *msg;
13981 
13982 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13983 	if (!msg)
13984 		return -ENOMEM;
13985 
13986 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13987 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13988 	if (!hdr)
13989 		goto nla_put_failure;
13990 
13991 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13992 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13993 		goto nla_put_failure;
13994 
13995 	genlmsg_end(msg, hdr);
13996 	return genlmsg_reply(msg, info);
13997 
13998  nla_put_failure:
13999 	kfree_skb(msg);
14000 	return -ENOBUFS;
14001 }
14002 
14003 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14004 {
14005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14006 	struct cfg80211_update_ft_ies_params ft_params;
14007 	struct net_device *dev = info->user_ptr[1];
14008 
14009 	if (!rdev->ops->update_ft_ies)
14010 		return -EOPNOTSUPP;
14011 
14012 	if (!info->attrs[NL80211_ATTR_MDID] ||
14013 	    !info->attrs[NL80211_ATTR_IE])
14014 		return -EINVAL;
14015 
14016 	memset(&ft_params, 0, sizeof(ft_params));
14017 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14018 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14019 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14020 
14021 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14022 }
14023 
14024 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14025 				       struct genl_info *info)
14026 {
14027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14028 	struct wireless_dev *wdev = info->user_ptr[1];
14029 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14030 	u16 duration;
14031 	int ret;
14032 
14033 	if (!rdev->ops->crit_proto_start)
14034 		return -EOPNOTSUPP;
14035 
14036 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14037 		return -EINVAL;
14038 
14039 	if (rdev->crit_proto_nlportid)
14040 		return -EBUSY;
14041 
14042 	/* determine protocol if provided */
14043 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14044 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14045 
14046 	if (proto >= NUM_NL80211_CRIT_PROTO)
14047 		return -EINVAL;
14048 
14049 	/* timeout must be provided */
14050 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14051 		return -EINVAL;
14052 
14053 	duration =
14054 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14055 
14056 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14057 	if (!ret)
14058 		rdev->crit_proto_nlportid = info->snd_portid;
14059 
14060 	return ret;
14061 }
14062 
14063 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14064 				      struct genl_info *info)
14065 {
14066 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14067 	struct wireless_dev *wdev = info->user_ptr[1];
14068 
14069 	if (!rdev->ops->crit_proto_stop)
14070 		return -EOPNOTSUPP;
14071 
14072 	if (rdev->crit_proto_nlportid) {
14073 		rdev->crit_proto_nlportid = 0;
14074 		rdev_crit_proto_stop(rdev, wdev);
14075 	}
14076 	return 0;
14077 }
14078 
14079 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14080 				       struct nlattr *attr,
14081 				       struct netlink_ext_ack *extack)
14082 {
14083 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14084 		if (attr->nla_type & NLA_F_NESTED) {
14085 			NL_SET_ERR_MSG_ATTR(extack, attr,
14086 					    "unexpected nested data");
14087 			return -EINVAL;
14088 		}
14089 
14090 		return 0;
14091 	}
14092 
14093 	if (!(attr->nla_type & NLA_F_NESTED)) {
14094 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14095 		return -EINVAL;
14096 	}
14097 
14098 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14099 }
14100 
14101 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14102 {
14103 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14104 	struct wireless_dev *wdev =
14105 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14106 					   info->attrs);
14107 	int i, err;
14108 	u32 vid, subcmd;
14109 
14110 	if (!rdev->wiphy.vendor_commands)
14111 		return -EOPNOTSUPP;
14112 
14113 	if (IS_ERR(wdev)) {
14114 		err = PTR_ERR(wdev);
14115 		if (err != -EINVAL)
14116 			return err;
14117 		wdev = NULL;
14118 	} else if (wdev->wiphy != &rdev->wiphy) {
14119 		return -EINVAL;
14120 	}
14121 
14122 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14123 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14124 		return -EINVAL;
14125 
14126 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14127 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14128 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14129 		const struct wiphy_vendor_command *vcmd;
14130 		void *data = NULL;
14131 		int len = 0;
14132 
14133 		vcmd = &rdev->wiphy.vendor_commands[i];
14134 
14135 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14136 			continue;
14137 
14138 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14139 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14140 			if (!wdev)
14141 				return -EINVAL;
14142 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14143 			    !wdev->netdev)
14144 				return -EINVAL;
14145 
14146 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14147 				if (!wdev_running(wdev))
14148 					return -ENETDOWN;
14149 			}
14150 		} else {
14151 			wdev = NULL;
14152 		}
14153 
14154 		if (!vcmd->doit)
14155 			return -EOPNOTSUPP;
14156 
14157 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14158 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14159 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14160 
14161 			err = nl80211_vendor_check_policy(vcmd,
14162 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14163 					info->extack);
14164 			if (err)
14165 				return err;
14166 		}
14167 
14168 		rdev->cur_cmd_info = info;
14169 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14170 		rdev->cur_cmd_info = NULL;
14171 		return err;
14172 	}
14173 
14174 	return -EOPNOTSUPP;
14175 }
14176 
14177 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14178 				       struct netlink_callback *cb,
14179 				       struct cfg80211_registered_device **rdev,
14180 				       struct wireless_dev **wdev)
14181 {
14182 	struct nlattr **attrbuf;
14183 	u32 vid, subcmd;
14184 	unsigned int i;
14185 	int vcmd_idx = -1;
14186 	int err;
14187 	void *data = NULL;
14188 	unsigned int data_len = 0;
14189 
14190 	if (cb->args[0]) {
14191 		/* subtract the 1 again here */
14192 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14193 		struct wireless_dev *tmp;
14194 
14195 		if (!wiphy)
14196 			return -ENODEV;
14197 		*rdev = wiphy_to_rdev(wiphy);
14198 		*wdev = NULL;
14199 
14200 		if (cb->args[1]) {
14201 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14202 				if (tmp->identifier == cb->args[1] - 1) {
14203 					*wdev = tmp;
14204 					break;
14205 				}
14206 			}
14207 		}
14208 
14209 		/* keep rtnl locked in successful case */
14210 		return 0;
14211 	}
14212 
14213 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
14214 	if (!attrbuf)
14215 		return -ENOMEM;
14216 
14217 	err = nlmsg_parse_deprecated(cb->nlh,
14218 				     GENL_HDRLEN + nl80211_fam.hdrsize,
14219 				     attrbuf, nl80211_fam.maxattr,
14220 				     nl80211_policy, NULL);
14221 	if (err)
14222 		goto out;
14223 
14224 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
14225 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
14226 		err = -EINVAL;
14227 		goto out;
14228 	}
14229 
14230 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
14231 	if (IS_ERR(*wdev))
14232 		*wdev = NULL;
14233 
14234 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
14235 	if (IS_ERR(*rdev)) {
14236 		err = PTR_ERR(*rdev);
14237 		goto out;
14238 	}
14239 
14240 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
14241 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
14242 
14243 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
14244 		const struct wiphy_vendor_command *vcmd;
14245 
14246 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
14247 
14248 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14249 			continue;
14250 
14251 		if (!vcmd->dumpit) {
14252 			err = -EOPNOTSUPP;
14253 			goto out;
14254 		}
14255 
14256 		vcmd_idx = i;
14257 		break;
14258 	}
14259 
14260 	if (vcmd_idx < 0) {
14261 		err = -EOPNOTSUPP;
14262 		goto out;
14263 	}
14264 
14265 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
14266 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14267 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
14268 
14269 		err = nl80211_vendor_check_policy(
14270 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
14271 				attrbuf[NL80211_ATTR_VENDOR_DATA],
14272 				cb->extack);
14273 		if (err)
14274 			goto out;
14275 	}
14276 
14277 	/* 0 is the first index - add 1 to parse only once */
14278 	cb->args[0] = (*rdev)->wiphy_idx + 1;
14279 	/* add 1 to know if it was NULL */
14280 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
14281 	cb->args[2] = vcmd_idx;
14282 	cb->args[3] = (unsigned long)data;
14283 	cb->args[4] = data_len;
14284 
14285 	/* keep rtnl locked in successful case */
14286 	err = 0;
14287 out:
14288 	kfree(attrbuf);
14289 	return err;
14290 }
14291 
14292 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
14293 				   struct netlink_callback *cb)
14294 {
14295 	struct cfg80211_registered_device *rdev;
14296 	struct wireless_dev *wdev;
14297 	unsigned int vcmd_idx;
14298 	const struct wiphy_vendor_command *vcmd;
14299 	void *data;
14300 	int data_len;
14301 	int err;
14302 	struct nlattr *vendor_data;
14303 
14304 	rtnl_lock();
14305 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
14306 	if (err)
14307 		goto out;
14308 
14309 	vcmd_idx = cb->args[2];
14310 	data = (void *)cb->args[3];
14311 	data_len = cb->args[4];
14312 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
14313 
14314 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14315 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14316 		if (!wdev) {
14317 			err = -EINVAL;
14318 			goto out;
14319 		}
14320 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14321 		    !wdev->netdev) {
14322 			err = -EINVAL;
14323 			goto out;
14324 		}
14325 
14326 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14327 			if (!wdev_running(wdev)) {
14328 				err = -ENETDOWN;
14329 				goto out;
14330 			}
14331 		}
14332 	}
14333 
14334 	while (1) {
14335 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
14336 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
14337 					   NL80211_CMD_VENDOR);
14338 		if (!hdr)
14339 			break;
14340 
14341 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14342 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
14343 					       wdev_id(wdev),
14344 					       NL80211_ATTR_PAD))) {
14345 			genlmsg_cancel(skb, hdr);
14346 			break;
14347 		}
14348 
14349 		vendor_data = nla_nest_start_noflag(skb,
14350 						    NL80211_ATTR_VENDOR_DATA);
14351 		if (!vendor_data) {
14352 			genlmsg_cancel(skb, hdr);
14353 			break;
14354 		}
14355 
14356 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
14357 				   (unsigned long *)&cb->args[5]);
14358 		nla_nest_end(skb, vendor_data);
14359 
14360 		if (err == -ENOBUFS || err == -ENOENT) {
14361 			genlmsg_cancel(skb, hdr);
14362 			break;
14363 		} else if (err <= 0) {
14364 			genlmsg_cancel(skb, hdr);
14365 			goto out;
14366 		}
14367 
14368 		genlmsg_end(skb, hdr);
14369 	}
14370 
14371 	err = skb->len;
14372  out:
14373 	rtnl_unlock();
14374 	return err;
14375 }
14376 
14377 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14378 					   enum nl80211_commands cmd,
14379 					   enum nl80211_attrs attr,
14380 					   int approxlen)
14381 {
14382 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14383 
14384 	if (WARN_ON(!rdev->cur_cmd_info))
14385 		return NULL;
14386 
14387 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14388 					   rdev->cur_cmd_info->snd_portid,
14389 					   rdev->cur_cmd_info->snd_seq,
14390 					   cmd, attr, NULL, GFP_KERNEL);
14391 }
14392 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14393 
14394 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14395 {
14396 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14397 	void *hdr = ((void **)skb->cb)[1];
14398 	struct nlattr *data = ((void **)skb->cb)[2];
14399 
14400 	/* clear CB data for netlink core to own from now on */
14401 	memset(skb->cb, 0, sizeof(skb->cb));
14402 
14403 	if (WARN_ON(!rdev->cur_cmd_info)) {
14404 		kfree_skb(skb);
14405 		return -EINVAL;
14406 	}
14407 
14408 	nla_nest_end(skb, data);
14409 	genlmsg_end(skb, hdr);
14410 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14411 }
14412 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14413 
14414 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14415 {
14416 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14417 
14418 	if (WARN_ON(!rdev->cur_cmd_info))
14419 		return 0;
14420 
14421 	return rdev->cur_cmd_info->snd_portid;
14422 }
14423 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14424 
14425 static int nl80211_set_qos_map(struct sk_buff *skb,
14426 			       struct genl_info *info)
14427 {
14428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14429 	struct cfg80211_qos_map *qos_map = NULL;
14430 	struct net_device *dev = info->user_ptr[1];
14431 	u8 *pos, len, num_des, des_len, des;
14432 	int ret;
14433 
14434 	if (!rdev->ops->set_qos_map)
14435 		return -EOPNOTSUPP;
14436 
14437 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14438 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14439 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14440 
14441 		if (len % 2)
14442 			return -EINVAL;
14443 
14444 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14445 		if (!qos_map)
14446 			return -ENOMEM;
14447 
14448 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14449 		if (num_des) {
14450 			des_len = num_des *
14451 				sizeof(struct cfg80211_dscp_exception);
14452 			memcpy(qos_map->dscp_exception, pos, des_len);
14453 			qos_map->num_des = num_des;
14454 			for (des = 0; des < num_des; des++) {
14455 				if (qos_map->dscp_exception[des].up > 7) {
14456 					kfree(qos_map);
14457 					return -EINVAL;
14458 				}
14459 			}
14460 			pos += des_len;
14461 		}
14462 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14463 	}
14464 
14465 	wdev_lock(dev->ieee80211_ptr);
14466 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14467 	if (!ret)
14468 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14469 	wdev_unlock(dev->ieee80211_ptr);
14470 
14471 	kfree(qos_map);
14472 	return ret;
14473 }
14474 
14475 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14476 {
14477 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14478 	struct net_device *dev = info->user_ptr[1];
14479 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14480 	const u8 *peer;
14481 	u8 tsid, up;
14482 	u16 admitted_time = 0;
14483 	int err;
14484 
14485 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14486 		return -EOPNOTSUPP;
14487 
14488 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14489 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14490 		return -EINVAL;
14491 
14492 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14493 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14494 
14495 	/* WMM uses TIDs 0-7 even for TSPEC */
14496 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14497 		/* TODO: handle 802.11 TSPEC/admission control
14498 		 * need more attributes for that (e.g. BA session requirement);
14499 		 * change the WMM adminssion test above to allow both then
14500 		 */
14501 		return -EINVAL;
14502 	}
14503 
14504 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14505 
14506 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14507 		admitted_time =
14508 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14509 		if (!admitted_time)
14510 			return -EINVAL;
14511 	}
14512 
14513 	wdev_lock(wdev);
14514 	switch (wdev->iftype) {
14515 	case NL80211_IFTYPE_STATION:
14516 	case NL80211_IFTYPE_P2P_CLIENT:
14517 		if (wdev->current_bss)
14518 			break;
14519 		err = -ENOTCONN;
14520 		goto out;
14521 	default:
14522 		err = -EOPNOTSUPP;
14523 		goto out;
14524 	}
14525 
14526 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14527 
14528  out:
14529 	wdev_unlock(wdev);
14530 	return err;
14531 }
14532 
14533 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14534 {
14535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14536 	struct net_device *dev = info->user_ptr[1];
14537 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14538 	const u8 *peer;
14539 	u8 tsid;
14540 	int err;
14541 
14542 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14543 		return -EINVAL;
14544 
14545 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14546 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14547 
14548 	wdev_lock(wdev);
14549 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14550 	wdev_unlock(wdev);
14551 
14552 	return err;
14553 }
14554 
14555 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14556 				       struct genl_info *info)
14557 {
14558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14559 	struct net_device *dev = info->user_ptr[1];
14560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14561 	struct cfg80211_chan_def chandef = {};
14562 	const u8 *addr;
14563 	u8 oper_class;
14564 	int err;
14565 
14566 	if (!rdev->ops->tdls_channel_switch ||
14567 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14568 		return -EOPNOTSUPP;
14569 
14570 	switch (dev->ieee80211_ptr->iftype) {
14571 	case NL80211_IFTYPE_STATION:
14572 	case NL80211_IFTYPE_P2P_CLIENT:
14573 		break;
14574 	default:
14575 		return -EOPNOTSUPP;
14576 	}
14577 
14578 	if (!info->attrs[NL80211_ATTR_MAC] ||
14579 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14580 		return -EINVAL;
14581 
14582 	err = nl80211_parse_chandef(rdev, info, &chandef);
14583 	if (err)
14584 		return err;
14585 
14586 	/*
14587 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14588 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14589 	 * specification is not defined for them.
14590 	 */
14591 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14592 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14593 	    chandef.width != NL80211_CHAN_WIDTH_20)
14594 		return -EINVAL;
14595 
14596 	/* we will be active on the TDLS link */
14597 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14598 					   wdev->iftype))
14599 		return -EINVAL;
14600 
14601 	/* don't allow switching to DFS channels */
14602 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14603 		return -EINVAL;
14604 
14605 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14606 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14607 
14608 	wdev_lock(wdev);
14609 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14610 	wdev_unlock(wdev);
14611 
14612 	return err;
14613 }
14614 
14615 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14616 					      struct genl_info *info)
14617 {
14618 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14619 	struct net_device *dev = info->user_ptr[1];
14620 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14621 	const u8 *addr;
14622 
14623 	if (!rdev->ops->tdls_channel_switch ||
14624 	    !rdev->ops->tdls_cancel_channel_switch ||
14625 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14626 		return -EOPNOTSUPP;
14627 
14628 	switch (dev->ieee80211_ptr->iftype) {
14629 	case NL80211_IFTYPE_STATION:
14630 	case NL80211_IFTYPE_P2P_CLIENT:
14631 		break;
14632 	default:
14633 		return -EOPNOTSUPP;
14634 	}
14635 
14636 	if (!info->attrs[NL80211_ATTR_MAC])
14637 		return -EINVAL;
14638 
14639 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14640 
14641 	wdev_lock(wdev);
14642 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14643 	wdev_unlock(wdev);
14644 
14645 	return 0;
14646 }
14647 
14648 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14649 					    struct genl_info *info)
14650 {
14651 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14652 	struct net_device *dev = info->user_ptr[1];
14653 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14654 	const struct nlattr *nla;
14655 	bool enabled;
14656 
14657 	if (!rdev->ops->set_multicast_to_unicast)
14658 		return -EOPNOTSUPP;
14659 
14660 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14661 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14662 		return -EOPNOTSUPP;
14663 
14664 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14665 	enabled = nla_get_flag(nla);
14666 
14667 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14668 }
14669 
14670 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14671 {
14672 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14673 	struct net_device *dev = info->user_ptr[1];
14674 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14675 	struct cfg80211_pmk_conf pmk_conf = {};
14676 	int ret;
14677 
14678 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14679 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14680 		return -EOPNOTSUPP;
14681 
14682 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14683 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14684 		return -EOPNOTSUPP;
14685 
14686 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14687 		return -EINVAL;
14688 
14689 	wdev_lock(wdev);
14690 	if (!wdev->current_bss) {
14691 		ret = -ENOTCONN;
14692 		goto out;
14693 	}
14694 
14695 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14696 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14697 		ret = -EINVAL;
14698 		goto out;
14699 	}
14700 
14701 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14702 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14703 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14704 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14705 		ret = -EINVAL;
14706 		goto out;
14707 	}
14708 
14709 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14710 		pmk_conf.pmk_r0_name =
14711 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14712 
14713 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14714 out:
14715 	wdev_unlock(wdev);
14716 	return ret;
14717 }
14718 
14719 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14720 {
14721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14722 	struct net_device *dev = info->user_ptr[1];
14723 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14724 	const u8 *aa;
14725 	int ret;
14726 
14727 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14728 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14729 		return -EOPNOTSUPP;
14730 
14731 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14732 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14733 		return -EOPNOTSUPP;
14734 
14735 	if (!info->attrs[NL80211_ATTR_MAC])
14736 		return -EINVAL;
14737 
14738 	wdev_lock(wdev);
14739 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14740 	ret = rdev_del_pmk(rdev, dev, aa);
14741 	wdev_unlock(wdev);
14742 
14743 	return ret;
14744 }
14745 
14746 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14747 {
14748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14749 	struct net_device *dev = info->user_ptr[1];
14750 	struct cfg80211_external_auth_params params;
14751 
14752 	if (!rdev->ops->external_auth)
14753 		return -EOPNOTSUPP;
14754 
14755 	if (!info->attrs[NL80211_ATTR_SSID] &&
14756 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14757 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14758 		return -EINVAL;
14759 
14760 	if (!info->attrs[NL80211_ATTR_BSSID])
14761 		return -EINVAL;
14762 
14763 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14764 		return -EINVAL;
14765 
14766 	memset(&params, 0, sizeof(params));
14767 
14768 	if (info->attrs[NL80211_ATTR_SSID]) {
14769 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14770 		if (params.ssid.ssid_len == 0)
14771 			return -EINVAL;
14772 		memcpy(params.ssid.ssid,
14773 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14774 		       params.ssid.ssid_len);
14775 	}
14776 
14777 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14778 	       ETH_ALEN);
14779 
14780 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14781 
14782 	if (info->attrs[NL80211_ATTR_PMKID])
14783 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14784 
14785 	return rdev_external_auth(rdev, dev, &params);
14786 }
14787 
14788 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14789 {
14790 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14792 	struct net_device *dev = info->user_ptr[1];
14793 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14794 	const u8 *buf;
14795 	size_t len;
14796 	u8 *dest;
14797 	u16 proto;
14798 	bool noencrypt;
14799 	u64 cookie = 0;
14800 	int err;
14801 
14802 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14803 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14804 		return -EOPNOTSUPP;
14805 
14806 	if (!rdev->ops->tx_control_port)
14807 		return -EOPNOTSUPP;
14808 
14809 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14810 	    !info->attrs[NL80211_ATTR_MAC] ||
14811 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14812 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14813 		return -EINVAL;
14814 	}
14815 
14816 	wdev_lock(wdev);
14817 
14818 	switch (wdev->iftype) {
14819 	case NL80211_IFTYPE_AP:
14820 	case NL80211_IFTYPE_P2P_GO:
14821 	case NL80211_IFTYPE_MESH_POINT:
14822 		break;
14823 	case NL80211_IFTYPE_ADHOC:
14824 	case NL80211_IFTYPE_STATION:
14825 	case NL80211_IFTYPE_P2P_CLIENT:
14826 		if (wdev->current_bss)
14827 			break;
14828 		err = -ENOTCONN;
14829 		goto out;
14830 	default:
14831 		err = -EOPNOTSUPP;
14832 		goto out;
14833 	}
14834 
14835 	wdev_unlock(wdev);
14836 
14837 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14838 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14839 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14840 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14841 	noencrypt =
14842 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14843 
14844 	err = rdev_tx_control_port(rdev, dev, buf, len,
14845 				   dest, cpu_to_be16(proto), noencrypt,
14846 				   dont_wait_for_ack ? NULL : &cookie);
14847 	if (!err && !dont_wait_for_ack)
14848 		nl_set_extack_cookie_u64(info->extack, cookie);
14849 	return err;
14850  out:
14851 	wdev_unlock(wdev);
14852 	return err;
14853 }
14854 
14855 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14856 					   struct genl_info *info)
14857 {
14858 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14859 	struct net_device *dev = info->user_ptr[1];
14860 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14861 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14862 	struct sk_buff *msg;
14863 	void *hdr;
14864 	struct nlattr *ftm_stats_attr;
14865 	int err;
14866 
14867 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14868 		return -EOPNOTSUPP;
14869 
14870 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14871 	if (err)
14872 		return err;
14873 
14874 	if (!ftm_stats.filled)
14875 		return -ENODATA;
14876 
14877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14878 	if (!msg)
14879 		return -ENOMEM;
14880 
14881 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14882 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14883 	if (!hdr)
14884 		goto nla_put_failure;
14885 
14886 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14887 		goto nla_put_failure;
14888 
14889 	ftm_stats_attr = nla_nest_start_noflag(msg,
14890 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14891 	if (!ftm_stats_attr)
14892 		goto nla_put_failure;
14893 
14894 #define SET_FTM(field, name, type)					 \
14895 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14896 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14897 			     ftm_stats.field))				 \
14898 		goto nla_put_failure; } while (0)
14899 #define SET_FTM_U64(field, name)					 \
14900 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14901 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14902 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14903 		goto nla_put_failure; } while (0)
14904 
14905 	SET_FTM(success_num, SUCCESS_NUM, u32);
14906 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14907 	SET_FTM(failed_num, FAILED_NUM, u32);
14908 	SET_FTM(asap_num, ASAP_NUM, u32);
14909 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14910 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14911 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14912 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14913 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14914 #undef SET_FTM
14915 
14916 	nla_nest_end(msg, ftm_stats_attr);
14917 
14918 	genlmsg_end(msg, hdr);
14919 	return genlmsg_reply(msg, info);
14920 
14921 nla_put_failure:
14922 	nlmsg_free(msg);
14923 	return -ENOBUFS;
14924 }
14925 
14926 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14927 {
14928 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14929 	struct cfg80211_update_owe_info owe_info;
14930 	struct net_device *dev = info->user_ptr[1];
14931 
14932 	if (!rdev->ops->update_owe_info)
14933 		return -EOPNOTSUPP;
14934 
14935 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14936 	    !info->attrs[NL80211_ATTR_MAC])
14937 		return -EINVAL;
14938 
14939 	memset(&owe_info, 0, sizeof(owe_info));
14940 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14941 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14942 
14943 	if (info->attrs[NL80211_ATTR_IE]) {
14944 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14945 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14946 	}
14947 
14948 	return rdev_update_owe_info(rdev, dev, &owe_info);
14949 }
14950 
14951 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14952 {
14953 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14954 	struct net_device *dev = info->user_ptr[1];
14955 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14956 	struct station_info sinfo = {};
14957 	const u8 *buf;
14958 	size_t len;
14959 	u8 *dest;
14960 	int err;
14961 
14962 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14963 		return -EOPNOTSUPP;
14964 
14965 	if (!info->attrs[NL80211_ATTR_MAC] ||
14966 	    !info->attrs[NL80211_ATTR_FRAME]) {
14967 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14968 		return -EINVAL;
14969 	}
14970 
14971 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14972 		return -EOPNOTSUPP;
14973 
14974 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14975 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14976 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14977 
14978 	if (len < sizeof(struct ethhdr))
14979 		return -EINVAL;
14980 
14981 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14982 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14983 		return -EINVAL;
14984 
14985 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14986 	if (err)
14987 		return err;
14988 
14989 	cfg80211_sinfo_release_content(&sinfo);
14990 
14991 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14992 }
14993 
14994 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14995 			  struct nlattr *attrs[], struct net_device *dev,
14996 			  struct cfg80211_tid_cfg *tid_conf,
14997 			  struct genl_info *info, const u8 *peer)
14998 {
14999 	struct netlink_ext_ack *extack = info->extack;
15000 	u64 mask;
15001 	int err;
15002 
15003 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15004 		return -EINVAL;
15005 
15006 	tid_conf->config_override =
15007 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15008 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15009 
15010 	if (tid_conf->config_override) {
15011 		if (rdev->ops->reset_tid_config) {
15012 			err = rdev_reset_tid_config(rdev, dev, peer,
15013 						    tid_conf->tids);
15014 			if (err)
15015 				return err;
15016 		} else {
15017 			return -EINVAL;
15018 		}
15019 	}
15020 
15021 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15022 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15023 		tid_conf->noack =
15024 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15025 	}
15026 
15027 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15028 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15029 		tid_conf->retry_short =
15030 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15031 
15032 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15033 			return -EINVAL;
15034 	}
15035 
15036 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15037 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15038 		tid_conf->retry_long =
15039 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15040 
15041 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15042 			return -EINVAL;
15043 	}
15044 
15045 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15046 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15047 		tid_conf->ampdu =
15048 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15049 	}
15050 
15051 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15052 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15053 		tid_conf->rtscts =
15054 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15055 	}
15056 
15057 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15058 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15059 		tid_conf->amsdu =
15060 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15061 	}
15062 
15063 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15064 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15065 
15066 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15067 
15068 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15069 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15070 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15071 						    &tid_conf->txrate_mask, dev,
15072 						    true);
15073 			if (err)
15074 				return err;
15075 
15076 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15077 		}
15078 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15079 	}
15080 
15081 	if (peer)
15082 		mask = rdev->wiphy.tid_config_support.peer;
15083 	else
15084 		mask = rdev->wiphy.tid_config_support.vif;
15085 
15086 	if (tid_conf->mask & ~mask) {
15087 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15088 		return -ENOTSUPP;
15089 	}
15090 
15091 	return 0;
15092 }
15093 
15094 static int nl80211_set_tid_config(struct sk_buff *skb,
15095 				  struct genl_info *info)
15096 {
15097 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15098 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15099 	struct net_device *dev = info->user_ptr[1];
15100 	struct cfg80211_tid_config *tid_config;
15101 	struct nlattr *tid;
15102 	int conf_idx = 0, rem_conf;
15103 	int ret = -EINVAL;
15104 	u32 num_conf = 0;
15105 
15106 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15107 		return -EINVAL;
15108 
15109 	if (!rdev->ops->set_tid_config)
15110 		return -EOPNOTSUPP;
15111 
15112 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15113 			    rem_conf)
15114 		num_conf++;
15115 
15116 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15117 			     GFP_KERNEL);
15118 	if (!tid_config)
15119 		return -ENOMEM;
15120 
15121 	tid_config->n_tid_conf = num_conf;
15122 
15123 	if (info->attrs[NL80211_ATTR_MAC])
15124 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15125 
15126 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15127 			    rem_conf) {
15128 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15129 				       tid, NULL, NULL);
15130 
15131 		if (ret)
15132 			goto bad_tid_conf;
15133 
15134 		ret = parse_tid_conf(rdev, attrs, dev,
15135 				     &tid_config->tid_conf[conf_idx],
15136 				     info, tid_config->peer);
15137 		if (ret)
15138 			goto bad_tid_conf;
15139 
15140 		conf_idx++;
15141 	}
15142 
15143 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15144 
15145 bad_tid_conf:
15146 	kfree(tid_config);
15147 	return ret;
15148 }
15149 
15150 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15151 {
15152 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15153 	struct cfg80211_color_change_settings params = {};
15154 	struct net_device *dev = info->user_ptr[1];
15155 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15156 	struct nlattr **tb;
15157 	u16 offset;
15158 	int err;
15159 
15160 	if (!rdev->ops->color_change)
15161 		return -EOPNOTSUPP;
15162 
15163 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15164 				     NL80211_EXT_FEATURE_BSS_COLOR))
15165 		return -EOPNOTSUPP;
15166 
15167 	if (wdev->iftype != NL80211_IFTYPE_AP)
15168 		return -EOPNOTSUPP;
15169 
15170 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15171 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15172 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15173 		return -EINVAL;
15174 
15175 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15176 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15177 
15178 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next);
15179 	if (err)
15180 		return err;
15181 
15182 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15183 	if (!tb)
15184 		return -ENOMEM;
15185 
15186 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15187 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15188 			       nl80211_policy, info->extack);
15189 	if (err)
15190 		goto out;
15191 
15192 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change);
15193 	if (err)
15194 		goto out;
15195 
15196 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
15197 		err = -EINVAL;
15198 		goto out;
15199 	}
15200 
15201 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
15202 		err = -EINVAL;
15203 		goto out;
15204 	}
15205 
15206 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
15207 	if (offset >= params.beacon_color_change.tail_len) {
15208 		err = -EINVAL;
15209 		goto out;
15210 	}
15211 
15212 	if (params.beacon_color_change.tail[offset] != params.count) {
15213 		err = -EINVAL;
15214 		goto out;
15215 	}
15216 
15217 	params.counter_offset_beacon = offset;
15218 
15219 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
15220 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
15221 		    sizeof(u16)) {
15222 			err = -EINVAL;
15223 			goto out;
15224 		}
15225 
15226 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
15227 		if (offset >= params.beacon_color_change.probe_resp_len) {
15228 			err = -EINVAL;
15229 			goto out;
15230 		}
15231 
15232 		if (params.beacon_color_change.probe_resp[offset] !=
15233 		    params.count) {
15234 			err = -EINVAL;
15235 			goto out;
15236 		}
15237 
15238 		params.counter_offset_presp = offset;
15239 	}
15240 
15241 	wdev_lock(wdev);
15242 	err = rdev_color_change(rdev, dev, &params);
15243 	wdev_unlock(wdev);
15244 
15245 out:
15246 	kfree(params.beacon_next.mbssid_ies);
15247 	kfree(params.beacon_color_change.mbssid_ies);
15248 	kfree(tb);
15249 	return err;
15250 }
15251 
15252 static int nl80211_set_fils_aad(struct sk_buff *skb,
15253 				struct genl_info *info)
15254 {
15255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15256 	struct net_device *dev = info->user_ptr[1];
15257 	struct cfg80211_fils_aad fils_aad = {};
15258 	u8 *nonces;
15259 
15260 	if (!info->attrs[NL80211_ATTR_MAC] ||
15261 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
15262 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
15263 		return -EINVAL;
15264 
15265 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15266 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
15267 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
15268 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
15269 	fils_aad.snonce = nonces;
15270 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
15271 
15272 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
15273 }
15274 
15275 #define NL80211_FLAG_NEED_WIPHY		0x01
15276 #define NL80211_FLAG_NEED_NETDEV	0x02
15277 #define NL80211_FLAG_NEED_RTNL		0x04
15278 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
15279 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
15280 					 NL80211_FLAG_CHECK_NETDEV_UP)
15281 #define NL80211_FLAG_NEED_WDEV		0x10
15282 /* If a netdev is associated, it must be UP, P2P must be started */
15283 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
15284 					 NL80211_FLAG_CHECK_NETDEV_UP)
15285 #define NL80211_FLAG_CLEAR_SKB		0x20
15286 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
15287 
15288 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
15289 			    struct genl_info *info)
15290 {
15291 	struct cfg80211_registered_device *rdev = NULL;
15292 	struct wireless_dev *wdev;
15293 	struct net_device *dev;
15294 
15295 	rtnl_lock();
15296 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
15297 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
15298 		if (IS_ERR(rdev)) {
15299 			rtnl_unlock();
15300 			return PTR_ERR(rdev);
15301 		}
15302 		info->user_ptr[0] = rdev;
15303 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
15304 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15305 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
15306 						  info->attrs);
15307 		if (IS_ERR(wdev)) {
15308 			rtnl_unlock();
15309 			return PTR_ERR(wdev);
15310 		}
15311 
15312 		dev = wdev->netdev;
15313 		rdev = wiphy_to_rdev(wdev->wiphy);
15314 
15315 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
15316 			if (!dev) {
15317 				rtnl_unlock();
15318 				return -EINVAL;
15319 			}
15320 
15321 			info->user_ptr[1] = dev;
15322 		} else {
15323 			info->user_ptr[1] = wdev;
15324 		}
15325 
15326 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
15327 		    !wdev_running(wdev)) {
15328 			rtnl_unlock();
15329 			return -ENETDOWN;
15330 		}
15331 
15332 		dev_hold(dev);
15333 		info->user_ptr[0] = rdev;
15334 	}
15335 
15336 	if (rdev && !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15337 		wiphy_lock(&rdev->wiphy);
15338 		/* we keep the mutex locked until post_doit */
15339 		__release(&rdev->wiphy.mtx);
15340 	}
15341 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
15342 		rtnl_unlock();
15343 
15344 	return 0;
15345 }
15346 
15347 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
15348 			      struct genl_info *info)
15349 {
15350 	if (info->user_ptr[1]) {
15351 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
15352 			struct wireless_dev *wdev = info->user_ptr[1];
15353 
15354 			dev_put(wdev->netdev);
15355 		} else {
15356 			dev_put(info->user_ptr[1]);
15357 		}
15358 	}
15359 
15360 	if (info->user_ptr[0] &&
15361 	    !(ops->internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
15362 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
15363 
15364 		/* we kept the mutex locked since pre_doit */
15365 		__acquire(&rdev->wiphy.mtx);
15366 		wiphy_unlock(&rdev->wiphy);
15367 	}
15368 
15369 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
15370 		rtnl_unlock();
15371 
15372 	/* If needed, clear the netlink message payload from the SKB
15373 	 * as it might contain key data that shouldn't stick around on
15374 	 * the heap after the SKB is freed. The netlink message header
15375 	 * is still needed for further processing, so leave it intact.
15376 	 */
15377 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
15378 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
15379 
15380 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
15381 	}
15382 }
15383 
15384 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
15385 				     struct cfg80211_sar_specs *sar_specs,
15386 				     struct nlattr *spec[], int index)
15387 {
15388 	u32 range_index, i;
15389 
15390 	if (!sar_specs || !spec)
15391 		return -EINVAL;
15392 
15393 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
15394 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
15395 		return -EINVAL;
15396 
15397 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
15398 
15399 	/* check if range_index exceeds num_freq_ranges */
15400 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
15401 		return -EINVAL;
15402 
15403 	/* check if range_index duplicates */
15404 	for (i = 0; i < index; i++) {
15405 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
15406 			return -EINVAL;
15407 	}
15408 
15409 	sar_specs->sub_specs[index].power =
15410 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
15411 
15412 	sar_specs->sub_specs[index].freq_range_index = range_index;
15413 
15414 	return 0;
15415 }
15416 
15417 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
15418 {
15419 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15420 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
15421 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
15422 	struct cfg80211_sar_specs *sar_spec;
15423 	enum nl80211_sar_type type;
15424 	struct nlattr *spec_list;
15425 	u32 specs;
15426 	int rem, err;
15427 
15428 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
15429 		return -EOPNOTSUPP;
15430 
15431 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
15432 		return -EINVAL;
15433 
15434 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
15435 			 info->attrs[NL80211_ATTR_SAR_SPEC],
15436 			 NULL, NULL);
15437 
15438 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
15439 		return -EINVAL;
15440 
15441 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
15442 	if (type != rdev->wiphy.sar_capa->type)
15443 		return -EINVAL;
15444 
15445 	specs = 0;
15446 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
15447 		specs++;
15448 
15449 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
15450 		return -EINVAL;
15451 
15452 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
15453 	if (!sar_spec)
15454 		return -ENOMEM;
15455 
15456 	sar_spec->type = type;
15457 	specs = 0;
15458 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
15459 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
15460 				 spec_list, NULL, NULL);
15461 
15462 		switch (type) {
15463 		case NL80211_SAR_TYPE_POWER:
15464 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
15465 						      spec, specs)) {
15466 				err = -EINVAL;
15467 				goto error;
15468 			}
15469 			break;
15470 		default:
15471 			err = -EINVAL;
15472 			goto error;
15473 		}
15474 		specs++;
15475 	}
15476 
15477 	sar_spec->num_sub_specs = specs;
15478 
15479 	rdev->cur_cmd_info = info;
15480 	err = rdev_set_sar_specs(rdev, sar_spec);
15481 	rdev->cur_cmd_info = NULL;
15482 error:
15483 	kfree(sar_spec);
15484 	return err;
15485 }
15486 
15487 static const struct genl_ops nl80211_ops[] = {
15488 	{
15489 		.cmd = NL80211_CMD_GET_WIPHY,
15490 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15491 		.doit = nl80211_get_wiphy,
15492 		.dumpit = nl80211_dump_wiphy,
15493 		.done = nl80211_dump_wiphy_done,
15494 		/* can be retrieved by unprivileged users */
15495 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15496 	},
15497 };
15498 
15499 static const struct genl_small_ops nl80211_small_ops[] = {
15500 	{
15501 		.cmd = NL80211_CMD_SET_WIPHY,
15502 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15503 		.doit = nl80211_set_wiphy,
15504 		.flags = GENL_UNS_ADMIN_PERM,
15505 	},
15506 	{
15507 		.cmd = NL80211_CMD_GET_INTERFACE,
15508 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15509 		.doit = nl80211_get_interface,
15510 		.dumpit = nl80211_dump_interface,
15511 		/* can be retrieved by unprivileged users */
15512 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15513 	},
15514 	{
15515 		.cmd = NL80211_CMD_SET_INTERFACE,
15516 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15517 		.doit = nl80211_set_interface,
15518 		.flags = GENL_UNS_ADMIN_PERM,
15519 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15520 				  NL80211_FLAG_NEED_RTNL,
15521 	},
15522 	{
15523 		.cmd = NL80211_CMD_NEW_INTERFACE,
15524 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15525 		.doit = nl80211_new_interface,
15526 		.flags = GENL_UNS_ADMIN_PERM,
15527 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15528 				  NL80211_FLAG_NEED_RTNL |
15529 				  /* we take the wiphy mutex later ourselves */
15530 				  NL80211_FLAG_NO_WIPHY_MTX,
15531 	},
15532 	{
15533 		.cmd = NL80211_CMD_DEL_INTERFACE,
15534 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15535 		.doit = nl80211_del_interface,
15536 		.flags = GENL_UNS_ADMIN_PERM,
15537 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15538 				  NL80211_FLAG_NEED_RTNL,
15539 	},
15540 	{
15541 		.cmd = NL80211_CMD_GET_KEY,
15542 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15543 		.doit = nl80211_get_key,
15544 		.flags = GENL_UNS_ADMIN_PERM,
15545 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15546 	},
15547 	{
15548 		.cmd = NL80211_CMD_SET_KEY,
15549 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15550 		.doit = nl80211_set_key,
15551 		.flags = GENL_UNS_ADMIN_PERM,
15552 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15553 				  NL80211_FLAG_CLEAR_SKB,
15554 	},
15555 	{
15556 		.cmd = NL80211_CMD_NEW_KEY,
15557 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15558 		.doit = nl80211_new_key,
15559 		.flags = GENL_UNS_ADMIN_PERM,
15560 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15561 				  NL80211_FLAG_CLEAR_SKB,
15562 	},
15563 	{
15564 		.cmd = NL80211_CMD_DEL_KEY,
15565 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15566 		.doit = nl80211_del_key,
15567 		.flags = GENL_UNS_ADMIN_PERM,
15568 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15569 	},
15570 	{
15571 		.cmd = NL80211_CMD_SET_BEACON,
15572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15573 		.flags = GENL_UNS_ADMIN_PERM,
15574 		.doit = nl80211_set_beacon,
15575 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15576 	},
15577 	{
15578 		.cmd = NL80211_CMD_START_AP,
15579 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15580 		.flags = GENL_UNS_ADMIN_PERM,
15581 		.doit = nl80211_start_ap,
15582 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15583 	},
15584 	{
15585 		.cmd = NL80211_CMD_STOP_AP,
15586 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15587 		.flags = GENL_UNS_ADMIN_PERM,
15588 		.doit = nl80211_stop_ap,
15589 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15590 	},
15591 	{
15592 		.cmd = NL80211_CMD_GET_STATION,
15593 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15594 		.doit = nl80211_get_station,
15595 		.dumpit = nl80211_dump_station,
15596 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15597 	},
15598 	{
15599 		.cmd = NL80211_CMD_SET_STATION,
15600 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15601 		.doit = nl80211_set_station,
15602 		.flags = GENL_UNS_ADMIN_PERM,
15603 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15604 	},
15605 	{
15606 		.cmd = NL80211_CMD_NEW_STATION,
15607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15608 		.doit = nl80211_new_station,
15609 		.flags = GENL_UNS_ADMIN_PERM,
15610 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15611 	},
15612 	{
15613 		.cmd = NL80211_CMD_DEL_STATION,
15614 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15615 		.doit = nl80211_del_station,
15616 		.flags = GENL_UNS_ADMIN_PERM,
15617 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15618 	},
15619 	{
15620 		.cmd = NL80211_CMD_GET_MPATH,
15621 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15622 		.doit = nl80211_get_mpath,
15623 		.dumpit = nl80211_dump_mpath,
15624 		.flags = GENL_UNS_ADMIN_PERM,
15625 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_GET_MPP,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.doit = nl80211_get_mpp,
15631 		.dumpit = nl80211_dump_mpp,
15632 		.flags = GENL_UNS_ADMIN_PERM,
15633 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15634 	},
15635 	{
15636 		.cmd = NL80211_CMD_SET_MPATH,
15637 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15638 		.doit = nl80211_set_mpath,
15639 		.flags = GENL_UNS_ADMIN_PERM,
15640 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15641 	},
15642 	{
15643 		.cmd = NL80211_CMD_NEW_MPATH,
15644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15645 		.doit = nl80211_new_mpath,
15646 		.flags = GENL_UNS_ADMIN_PERM,
15647 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15648 	},
15649 	{
15650 		.cmd = NL80211_CMD_DEL_MPATH,
15651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15652 		.doit = nl80211_del_mpath,
15653 		.flags = GENL_UNS_ADMIN_PERM,
15654 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15655 	},
15656 	{
15657 		.cmd = NL80211_CMD_SET_BSS,
15658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15659 		.doit = nl80211_set_bss,
15660 		.flags = GENL_UNS_ADMIN_PERM,
15661 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15662 	},
15663 	{
15664 		.cmd = NL80211_CMD_GET_REG,
15665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15666 		.doit = nl80211_get_reg_do,
15667 		.dumpit = nl80211_get_reg_dump,
15668 		.internal_flags = 0,
15669 		/* can be retrieved by unprivileged users */
15670 	},
15671 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15672 	{
15673 		.cmd = NL80211_CMD_SET_REG,
15674 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15675 		.doit = nl80211_set_reg,
15676 		.flags = GENL_ADMIN_PERM,
15677 		.internal_flags = 0,
15678 	},
15679 #endif
15680 	{
15681 		.cmd = NL80211_CMD_REQ_SET_REG,
15682 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15683 		.doit = nl80211_req_set_reg,
15684 		.flags = GENL_ADMIN_PERM,
15685 	},
15686 	{
15687 		.cmd = NL80211_CMD_RELOAD_REGDB,
15688 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15689 		.doit = nl80211_reload_regdb,
15690 		.flags = GENL_ADMIN_PERM,
15691 	},
15692 	{
15693 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15695 		.doit = nl80211_get_mesh_config,
15696 		/* can be retrieved by unprivileged users */
15697 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15698 	},
15699 	{
15700 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15702 		.doit = nl80211_update_mesh_config,
15703 		.flags = GENL_UNS_ADMIN_PERM,
15704 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15705 	},
15706 	{
15707 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15708 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15709 		.doit = nl80211_trigger_scan,
15710 		.flags = GENL_UNS_ADMIN_PERM,
15711 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15712 	},
15713 	{
15714 		.cmd = NL80211_CMD_ABORT_SCAN,
15715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15716 		.doit = nl80211_abort_scan,
15717 		.flags = GENL_UNS_ADMIN_PERM,
15718 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15719 	},
15720 	{
15721 		.cmd = NL80211_CMD_GET_SCAN,
15722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15723 		.dumpit = nl80211_dump_scan,
15724 	},
15725 	{
15726 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15727 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15728 		.doit = nl80211_start_sched_scan,
15729 		.flags = GENL_UNS_ADMIN_PERM,
15730 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15731 	},
15732 	{
15733 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15734 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15735 		.doit = nl80211_stop_sched_scan,
15736 		.flags = GENL_UNS_ADMIN_PERM,
15737 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15738 	},
15739 	{
15740 		.cmd = NL80211_CMD_AUTHENTICATE,
15741 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15742 		.doit = nl80211_authenticate,
15743 		.flags = GENL_UNS_ADMIN_PERM,
15744 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15745 				  0 |
15746 				  NL80211_FLAG_CLEAR_SKB,
15747 	},
15748 	{
15749 		.cmd = NL80211_CMD_ASSOCIATE,
15750 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15751 		.doit = nl80211_associate,
15752 		.flags = GENL_UNS_ADMIN_PERM,
15753 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15754 				  0 |
15755 				  NL80211_FLAG_CLEAR_SKB,
15756 	},
15757 	{
15758 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15759 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15760 		.doit = nl80211_deauthenticate,
15761 		.flags = GENL_UNS_ADMIN_PERM,
15762 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15763 	},
15764 	{
15765 		.cmd = NL80211_CMD_DISASSOCIATE,
15766 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15767 		.doit = nl80211_disassociate,
15768 		.flags = GENL_UNS_ADMIN_PERM,
15769 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15770 	},
15771 	{
15772 		.cmd = NL80211_CMD_JOIN_IBSS,
15773 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15774 		.doit = nl80211_join_ibss,
15775 		.flags = GENL_UNS_ADMIN_PERM,
15776 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15777 	},
15778 	{
15779 		.cmd = NL80211_CMD_LEAVE_IBSS,
15780 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15781 		.doit = nl80211_leave_ibss,
15782 		.flags = GENL_UNS_ADMIN_PERM,
15783 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15784 	},
15785 #ifdef CONFIG_NL80211_TESTMODE
15786 	{
15787 		.cmd = NL80211_CMD_TESTMODE,
15788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15789 		.doit = nl80211_testmode_do,
15790 		.dumpit = nl80211_testmode_dump,
15791 		.flags = GENL_UNS_ADMIN_PERM,
15792 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15793 	},
15794 #endif
15795 	{
15796 		.cmd = NL80211_CMD_CONNECT,
15797 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15798 		.doit = nl80211_connect,
15799 		.flags = GENL_UNS_ADMIN_PERM,
15800 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15801 				  0 |
15802 				  NL80211_FLAG_CLEAR_SKB,
15803 	},
15804 	{
15805 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15806 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15807 		.doit = nl80211_update_connect_params,
15808 		.flags = GENL_ADMIN_PERM,
15809 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15810 				  0 |
15811 				  NL80211_FLAG_CLEAR_SKB,
15812 	},
15813 	{
15814 		.cmd = NL80211_CMD_DISCONNECT,
15815 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15816 		.doit = nl80211_disconnect,
15817 		.flags = GENL_UNS_ADMIN_PERM,
15818 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15819 	},
15820 	{
15821 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15822 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15823 		.doit = nl80211_wiphy_netns,
15824 		.flags = GENL_UNS_ADMIN_PERM,
15825 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15826 				  NL80211_FLAG_NEED_RTNL |
15827 				  NL80211_FLAG_NO_WIPHY_MTX,
15828 	},
15829 	{
15830 		.cmd = NL80211_CMD_GET_SURVEY,
15831 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15832 		.dumpit = nl80211_dump_survey,
15833 	},
15834 	{
15835 		.cmd = NL80211_CMD_SET_PMKSA,
15836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15837 		.doit = nl80211_setdel_pmksa,
15838 		.flags = GENL_UNS_ADMIN_PERM,
15839 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15840 				  0 |
15841 				  NL80211_FLAG_CLEAR_SKB,
15842 	},
15843 	{
15844 		.cmd = NL80211_CMD_DEL_PMKSA,
15845 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15846 		.doit = nl80211_setdel_pmksa,
15847 		.flags = GENL_UNS_ADMIN_PERM,
15848 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15849 	},
15850 	{
15851 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15853 		.doit = nl80211_flush_pmksa,
15854 		.flags = GENL_UNS_ADMIN_PERM,
15855 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15856 	},
15857 	{
15858 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15859 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15860 		.doit = nl80211_remain_on_channel,
15861 		.flags = GENL_UNS_ADMIN_PERM,
15862 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15863 	},
15864 	{
15865 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15866 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15867 		.doit = nl80211_cancel_remain_on_channel,
15868 		.flags = GENL_UNS_ADMIN_PERM,
15869 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15870 	},
15871 	{
15872 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15873 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15874 		.doit = nl80211_set_tx_bitrate_mask,
15875 		.flags = GENL_UNS_ADMIN_PERM,
15876 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15877 	},
15878 	{
15879 		.cmd = NL80211_CMD_REGISTER_FRAME,
15880 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15881 		.doit = nl80211_register_mgmt,
15882 		.flags = GENL_UNS_ADMIN_PERM,
15883 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15884 	},
15885 	{
15886 		.cmd = NL80211_CMD_FRAME,
15887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15888 		.doit = nl80211_tx_mgmt,
15889 		.flags = GENL_UNS_ADMIN_PERM,
15890 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15891 	},
15892 	{
15893 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15894 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15895 		.doit = nl80211_tx_mgmt_cancel_wait,
15896 		.flags = GENL_UNS_ADMIN_PERM,
15897 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15898 	},
15899 	{
15900 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15902 		.doit = nl80211_set_power_save,
15903 		.flags = GENL_UNS_ADMIN_PERM,
15904 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15905 	},
15906 	{
15907 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15909 		.doit = nl80211_get_power_save,
15910 		/* can be retrieved by unprivileged users */
15911 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15912 	},
15913 	{
15914 		.cmd = NL80211_CMD_SET_CQM,
15915 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15916 		.doit = nl80211_set_cqm,
15917 		.flags = GENL_UNS_ADMIN_PERM,
15918 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15919 	},
15920 	{
15921 		.cmd = NL80211_CMD_SET_CHANNEL,
15922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15923 		.doit = nl80211_set_channel,
15924 		.flags = GENL_UNS_ADMIN_PERM,
15925 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15926 	},
15927 	{
15928 		.cmd = NL80211_CMD_JOIN_MESH,
15929 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15930 		.doit = nl80211_join_mesh,
15931 		.flags = GENL_UNS_ADMIN_PERM,
15932 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15933 	},
15934 	{
15935 		.cmd = NL80211_CMD_LEAVE_MESH,
15936 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15937 		.doit = nl80211_leave_mesh,
15938 		.flags = GENL_UNS_ADMIN_PERM,
15939 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15940 	},
15941 	{
15942 		.cmd = NL80211_CMD_JOIN_OCB,
15943 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15944 		.doit = nl80211_join_ocb,
15945 		.flags = GENL_UNS_ADMIN_PERM,
15946 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15947 	},
15948 	{
15949 		.cmd = NL80211_CMD_LEAVE_OCB,
15950 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15951 		.doit = nl80211_leave_ocb,
15952 		.flags = GENL_UNS_ADMIN_PERM,
15953 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15954 	},
15955 #ifdef CONFIG_PM
15956 	{
15957 		.cmd = NL80211_CMD_GET_WOWLAN,
15958 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15959 		.doit = nl80211_get_wowlan,
15960 		/* can be retrieved by unprivileged users */
15961 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15962 	},
15963 	{
15964 		.cmd = NL80211_CMD_SET_WOWLAN,
15965 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15966 		.doit = nl80211_set_wowlan,
15967 		.flags = GENL_UNS_ADMIN_PERM,
15968 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15969 	},
15970 #endif
15971 	{
15972 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15973 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15974 		.doit = nl80211_set_rekey_data,
15975 		.flags = GENL_UNS_ADMIN_PERM,
15976 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15977 				  0 |
15978 				  NL80211_FLAG_CLEAR_SKB,
15979 	},
15980 	{
15981 		.cmd = NL80211_CMD_TDLS_MGMT,
15982 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15983 		.doit = nl80211_tdls_mgmt,
15984 		.flags = GENL_UNS_ADMIN_PERM,
15985 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15986 	},
15987 	{
15988 		.cmd = NL80211_CMD_TDLS_OPER,
15989 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15990 		.doit = nl80211_tdls_oper,
15991 		.flags = GENL_UNS_ADMIN_PERM,
15992 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15993 	},
15994 	{
15995 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15996 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15997 		.doit = nl80211_register_unexpected_frame,
15998 		.flags = GENL_UNS_ADMIN_PERM,
15999 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16000 	},
16001 	{
16002 		.cmd = NL80211_CMD_PROBE_CLIENT,
16003 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16004 		.doit = nl80211_probe_client,
16005 		.flags = GENL_UNS_ADMIN_PERM,
16006 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16007 	},
16008 	{
16009 		.cmd = NL80211_CMD_REGISTER_BEACONS,
16010 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16011 		.doit = nl80211_register_beacons,
16012 		.flags = GENL_UNS_ADMIN_PERM,
16013 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16014 	},
16015 	{
16016 		.cmd = NL80211_CMD_SET_NOACK_MAP,
16017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16018 		.doit = nl80211_set_noack_map,
16019 		.flags = GENL_UNS_ADMIN_PERM,
16020 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16021 	},
16022 	{
16023 		.cmd = NL80211_CMD_START_P2P_DEVICE,
16024 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16025 		.doit = nl80211_start_p2p_device,
16026 		.flags = GENL_UNS_ADMIN_PERM,
16027 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16028 				  NL80211_FLAG_NEED_RTNL,
16029 	},
16030 	{
16031 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
16032 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16033 		.doit = nl80211_stop_p2p_device,
16034 		.flags = GENL_UNS_ADMIN_PERM,
16035 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16036 				  NL80211_FLAG_NEED_RTNL,
16037 	},
16038 	{
16039 		.cmd = NL80211_CMD_START_NAN,
16040 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16041 		.doit = nl80211_start_nan,
16042 		.flags = GENL_ADMIN_PERM,
16043 		.internal_flags = NL80211_FLAG_NEED_WDEV |
16044 				  NL80211_FLAG_NEED_RTNL,
16045 	},
16046 	{
16047 		.cmd = NL80211_CMD_STOP_NAN,
16048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16049 		.doit = nl80211_stop_nan,
16050 		.flags = GENL_ADMIN_PERM,
16051 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
16052 				  NL80211_FLAG_NEED_RTNL,
16053 	},
16054 	{
16055 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
16056 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16057 		.doit = nl80211_nan_add_func,
16058 		.flags = GENL_ADMIN_PERM,
16059 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16060 	},
16061 	{
16062 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
16063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16064 		.doit = nl80211_nan_del_func,
16065 		.flags = GENL_ADMIN_PERM,
16066 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16067 	},
16068 	{
16069 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
16070 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16071 		.doit = nl80211_nan_change_config,
16072 		.flags = GENL_ADMIN_PERM,
16073 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16074 	},
16075 	{
16076 		.cmd = NL80211_CMD_SET_MCAST_RATE,
16077 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16078 		.doit = nl80211_set_mcast_rate,
16079 		.flags = GENL_UNS_ADMIN_PERM,
16080 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16081 	},
16082 	{
16083 		.cmd = NL80211_CMD_SET_MAC_ACL,
16084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16085 		.doit = nl80211_set_mac_acl,
16086 		.flags = GENL_UNS_ADMIN_PERM,
16087 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16088 	},
16089 	{
16090 		.cmd = NL80211_CMD_RADAR_DETECT,
16091 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16092 		.doit = nl80211_start_radar_detection,
16093 		.flags = GENL_UNS_ADMIN_PERM,
16094 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16095 				  NL80211_FLAG_NO_WIPHY_MTX,
16096 	},
16097 	{
16098 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
16099 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16100 		.doit = nl80211_get_protocol_features,
16101 	},
16102 	{
16103 		.cmd = NL80211_CMD_UPDATE_FT_IES,
16104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16105 		.doit = nl80211_update_ft_ies,
16106 		.flags = GENL_UNS_ADMIN_PERM,
16107 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16108 	},
16109 	{
16110 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
16111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16112 		.doit = nl80211_crit_protocol_start,
16113 		.flags = GENL_UNS_ADMIN_PERM,
16114 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16115 	},
16116 	{
16117 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
16118 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16119 		.doit = nl80211_crit_protocol_stop,
16120 		.flags = GENL_UNS_ADMIN_PERM,
16121 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16122 	},
16123 	{
16124 		.cmd = NL80211_CMD_GET_COALESCE,
16125 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16126 		.doit = nl80211_get_coalesce,
16127 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16128 	},
16129 	{
16130 		.cmd = NL80211_CMD_SET_COALESCE,
16131 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16132 		.doit = nl80211_set_coalesce,
16133 		.flags = GENL_UNS_ADMIN_PERM,
16134 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
16135 	},
16136 	{
16137 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
16138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16139 		.doit = nl80211_channel_switch,
16140 		.flags = GENL_UNS_ADMIN_PERM,
16141 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16142 	},
16143 	{
16144 		.cmd = NL80211_CMD_VENDOR,
16145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16146 		.doit = nl80211_vendor_cmd,
16147 		.dumpit = nl80211_vendor_cmd_dump,
16148 		.flags = GENL_UNS_ADMIN_PERM,
16149 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16150 				  0 |
16151 				  NL80211_FLAG_CLEAR_SKB,
16152 	},
16153 	{
16154 		.cmd = NL80211_CMD_SET_QOS_MAP,
16155 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16156 		.doit = nl80211_set_qos_map,
16157 		.flags = GENL_UNS_ADMIN_PERM,
16158 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16159 	},
16160 	{
16161 		.cmd = NL80211_CMD_ADD_TX_TS,
16162 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16163 		.doit = nl80211_add_tx_ts,
16164 		.flags = GENL_UNS_ADMIN_PERM,
16165 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16166 	},
16167 	{
16168 		.cmd = NL80211_CMD_DEL_TX_TS,
16169 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16170 		.doit = nl80211_del_tx_ts,
16171 		.flags = GENL_UNS_ADMIN_PERM,
16172 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16173 	},
16174 	{
16175 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
16176 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16177 		.doit = nl80211_tdls_channel_switch,
16178 		.flags = GENL_UNS_ADMIN_PERM,
16179 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16180 	},
16181 	{
16182 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
16183 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16184 		.doit = nl80211_tdls_cancel_channel_switch,
16185 		.flags = GENL_UNS_ADMIN_PERM,
16186 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16187 	},
16188 	{
16189 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
16190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16191 		.doit = nl80211_set_multicast_to_unicast,
16192 		.flags = GENL_UNS_ADMIN_PERM,
16193 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16194 	},
16195 	{
16196 		.cmd = NL80211_CMD_SET_PMK,
16197 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16198 		.doit = nl80211_set_pmk,
16199 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16200 				  0 |
16201 				  NL80211_FLAG_CLEAR_SKB,
16202 	},
16203 	{
16204 		.cmd = NL80211_CMD_DEL_PMK,
16205 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16206 		.doit = nl80211_del_pmk,
16207 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16208 	},
16209 	{
16210 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
16211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16212 		.doit = nl80211_external_auth,
16213 		.flags = GENL_ADMIN_PERM,
16214 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16215 	},
16216 	{
16217 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
16218 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16219 		.doit = nl80211_tx_control_port,
16220 		.flags = GENL_UNS_ADMIN_PERM,
16221 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16222 	},
16223 	{
16224 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
16225 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16226 		.doit = nl80211_get_ftm_responder_stats,
16227 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16228 	},
16229 	{
16230 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
16231 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16232 		.doit = nl80211_pmsr_start,
16233 		.flags = GENL_UNS_ADMIN_PERM,
16234 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
16235 	},
16236 	{
16237 		.cmd = NL80211_CMD_NOTIFY_RADAR,
16238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16239 		.doit = nl80211_notify_radar_detection,
16240 		.flags = GENL_UNS_ADMIN_PERM,
16241 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16242 	},
16243 	{
16244 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
16245 		.doit = nl80211_update_owe_info,
16246 		.flags = GENL_ADMIN_PERM,
16247 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16248 	},
16249 	{
16250 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
16251 		.doit = nl80211_probe_mesh_link,
16252 		.flags = GENL_UNS_ADMIN_PERM,
16253 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16254 	},
16255 	{
16256 		.cmd = NL80211_CMD_SET_TID_CONFIG,
16257 		.doit = nl80211_set_tid_config,
16258 		.flags = GENL_UNS_ADMIN_PERM,
16259 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
16260 	},
16261 	{
16262 		.cmd = NL80211_CMD_SET_SAR_SPECS,
16263 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16264 		.doit = nl80211_set_sar_specs,
16265 		.flags = GENL_UNS_ADMIN_PERM,
16266 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
16267 				  NL80211_FLAG_NEED_RTNL,
16268 	},
16269 	{
16270 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
16271 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16272 		.doit = nl80211_color_change,
16273 		.flags = GENL_UNS_ADMIN_PERM,
16274 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
16275 				  NL80211_FLAG_NEED_RTNL,
16276 	},
16277 	{
16278 		.cmd = NL80211_CMD_SET_FILS_AAD,
16279 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16280 		.doit = nl80211_set_fils_aad,
16281 		.flags = GENL_UNS_ADMIN_PERM,
16282 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
16283 	},
16284 };
16285 
16286 static struct genl_family nl80211_fam __ro_after_init = {
16287 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
16288 	.hdrsize = 0,			/* no private header */
16289 	.version = 1,			/* no particular meaning now */
16290 	.maxattr = NL80211_ATTR_MAX,
16291 	.policy = nl80211_policy,
16292 	.netnsok = true,
16293 	.pre_doit = nl80211_pre_doit,
16294 	.post_doit = nl80211_post_doit,
16295 	.module = THIS_MODULE,
16296 	.ops = nl80211_ops,
16297 	.n_ops = ARRAY_SIZE(nl80211_ops),
16298 	.small_ops = nl80211_small_ops,
16299 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
16300 	.mcgrps = nl80211_mcgrps,
16301 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
16302 	.parallel_ops = true,
16303 };
16304 
16305 /* notification functions */
16306 
16307 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
16308 			  enum nl80211_commands cmd)
16309 {
16310 	struct sk_buff *msg;
16311 	struct nl80211_dump_wiphy_state state = {};
16312 
16313 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
16314 		cmd != NL80211_CMD_DEL_WIPHY);
16315 
16316 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16317 	if (!msg)
16318 		return;
16319 
16320 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
16321 		nlmsg_free(msg);
16322 		return;
16323 	}
16324 
16325 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16326 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16327 }
16328 
16329 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
16330 				struct wireless_dev *wdev,
16331 				enum nl80211_commands cmd)
16332 {
16333 	struct sk_buff *msg;
16334 
16335 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16336 	if (!msg)
16337 		return;
16338 
16339 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
16340 		nlmsg_free(msg);
16341 		return;
16342 	}
16343 
16344 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16345 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
16346 }
16347 
16348 static int nl80211_add_scan_req(struct sk_buff *msg,
16349 				struct cfg80211_registered_device *rdev)
16350 {
16351 	struct cfg80211_scan_request *req = rdev->scan_req;
16352 	struct nlattr *nest;
16353 	int i;
16354 	struct cfg80211_scan_info *info;
16355 
16356 	if (WARN_ON(!req))
16357 		return 0;
16358 
16359 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
16360 	if (!nest)
16361 		goto nla_put_failure;
16362 	for (i = 0; i < req->n_ssids; i++) {
16363 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
16364 			goto nla_put_failure;
16365 	}
16366 	nla_nest_end(msg, nest);
16367 
16368 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
16369 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
16370 		if (!nest)
16371 			goto nla_put_failure;
16372 		for (i = 0; i < req->n_channels; i++) {
16373 			if (nla_put_u32(msg, i,
16374 				   ieee80211_channel_to_khz(req->channels[i])))
16375 				goto nla_put_failure;
16376 		}
16377 		nla_nest_end(msg, nest);
16378 	} else {
16379 		nest = nla_nest_start_noflag(msg,
16380 					     NL80211_ATTR_SCAN_FREQUENCIES);
16381 		if (!nest)
16382 			goto nla_put_failure;
16383 		for (i = 0; i < req->n_channels; i++) {
16384 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
16385 				goto nla_put_failure;
16386 		}
16387 		nla_nest_end(msg, nest);
16388 	}
16389 
16390 	if (req->ie &&
16391 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
16392 		goto nla_put_failure;
16393 
16394 	if (req->flags &&
16395 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
16396 		goto nla_put_failure;
16397 
16398 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
16399 		&rdev->scan_req->info;
16400 	if (info->scan_start_tsf &&
16401 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
16402 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
16403 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
16404 		     info->tsf_bssid)))
16405 		goto nla_put_failure;
16406 
16407 	return 0;
16408  nla_put_failure:
16409 	return -ENOBUFS;
16410 }
16411 
16412 static int nl80211_prep_scan_msg(struct sk_buff *msg,
16413 				 struct cfg80211_registered_device *rdev,
16414 				 struct wireless_dev *wdev,
16415 				 u32 portid, u32 seq, int flags,
16416 				 u32 cmd)
16417 {
16418 	void *hdr;
16419 
16420 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
16421 	if (!hdr)
16422 		return -1;
16423 
16424 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16425 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16426 					 wdev->netdev->ifindex)) ||
16427 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16428 			      NL80211_ATTR_PAD))
16429 		goto nla_put_failure;
16430 
16431 	/* ignore errors and send incomplete event anyway */
16432 	nl80211_add_scan_req(msg, rdev);
16433 
16434 	genlmsg_end(msg, hdr);
16435 	return 0;
16436 
16437  nla_put_failure:
16438 	genlmsg_cancel(msg, hdr);
16439 	return -EMSGSIZE;
16440 }
16441 
16442 static int
16443 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
16444 			    struct cfg80211_sched_scan_request *req, u32 cmd)
16445 {
16446 	void *hdr;
16447 
16448 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16449 	if (!hdr)
16450 		return -1;
16451 
16452 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
16453 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
16454 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
16455 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
16456 			      NL80211_ATTR_PAD))
16457 		goto nla_put_failure;
16458 
16459 	genlmsg_end(msg, hdr);
16460 	return 0;
16461 
16462  nla_put_failure:
16463 	genlmsg_cancel(msg, hdr);
16464 	return -EMSGSIZE;
16465 }
16466 
16467 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
16468 			     struct wireless_dev *wdev)
16469 {
16470 	struct sk_buff *msg;
16471 
16472 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16473 	if (!msg)
16474 		return;
16475 
16476 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16477 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
16478 		nlmsg_free(msg);
16479 		return;
16480 	}
16481 
16482 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16483 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16484 }
16485 
16486 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
16487 				       struct wireless_dev *wdev, bool aborted)
16488 {
16489 	struct sk_buff *msg;
16490 
16491 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16492 	if (!msg)
16493 		return NULL;
16494 
16495 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
16496 				  aborted ? NL80211_CMD_SCAN_ABORTED :
16497 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
16498 		nlmsg_free(msg);
16499 		return NULL;
16500 	}
16501 
16502 	return msg;
16503 }
16504 
16505 /* send message created by nl80211_build_scan_msg() */
16506 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
16507 			   struct sk_buff *msg)
16508 {
16509 	if (!msg)
16510 		return;
16511 
16512 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16513 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16514 }
16515 
16516 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16517 {
16518 	struct sk_buff *msg;
16519 
16520 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16521 	if (!msg)
16522 		return;
16523 
16524 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16525 		nlmsg_free(msg);
16526 		return;
16527 	}
16528 
16529 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16530 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16531 }
16532 
16533 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16534 					  struct regulatory_request *request)
16535 {
16536 	/* Userspace can always count this one always being set */
16537 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16538 		goto nla_put_failure;
16539 
16540 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16541 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16542 			       NL80211_REGDOM_TYPE_WORLD))
16543 			goto nla_put_failure;
16544 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16545 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16546 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16547 			goto nla_put_failure;
16548 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16549 		   request->intersect) {
16550 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16551 			       NL80211_REGDOM_TYPE_INTERSECTION))
16552 			goto nla_put_failure;
16553 	} else {
16554 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16555 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16556 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16557 				   request->alpha2))
16558 			goto nla_put_failure;
16559 	}
16560 
16561 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16562 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16563 
16564 		if (wiphy &&
16565 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16566 			goto nla_put_failure;
16567 
16568 		if (wiphy &&
16569 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16570 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16571 			goto nla_put_failure;
16572 	}
16573 
16574 	return true;
16575 
16576 nla_put_failure:
16577 	return false;
16578 }
16579 
16580 /*
16581  * This can happen on global regulatory changes or device specific settings
16582  * based on custom regulatory domains.
16583  */
16584 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16585 				     struct regulatory_request *request)
16586 {
16587 	struct sk_buff *msg;
16588 	void *hdr;
16589 
16590 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16591 	if (!msg)
16592 		return;
16593 
16594 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16595 	if (!hdr)
16596 		goto nla_put_failure;
16597 
16598 	if (!nl80211_reg_change_event_fill(msg, request))
16599 		goto nla_put_failure;
16600 
16601 	genlmsg_end(msg, hdr);
16602 
16603 	rcu_read_lock();
16604 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16605 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16606 	rcu_read_unlock();
16607 
16608 	return;
16609 
16610 nla_put_failure:
16611 	nlmsg_free(msg);
16612 }
16613 
16614 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16615 				    struct net_device *netdev,
16616 				    const u8 *buf, size_t len,
16617 				    enum nl80211_commands cmd, gfp_t gfp,
16618 				    int uapsd_queues, const u8 *req_ies,
16619 				    size_t req_ies_len, bool reconnect)
16620 {
16621 	struct sk_buff *msg;
16622 	void *hdr;
16623 
16624 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16625 	if (!msg)
16626 		return;
16627 
16628 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16629 	if (!hdr) {
16630 		nlmsg_free(msg);
16631 		return;
16632 	}
16633 
16634 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16635 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16636 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16637 	    (req_ies &&
16638 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16639 		goto nla_put_failure;
16640 
16641 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16642 		goto nla_put_failure;
16643 
16644 	if (uapsd_queues >= 0) {
16645 		struct nlattr *nla_wmm =
16646 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16647 		if (!nla_wmm)
16648 			goto nla_put_failure;
16649 
16650 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16651 			       uapsd_queues))
16652 			goto nla_put_failure;
16653 
16654 		nla_nest_end(msg, nla_wmm);
16655 	}
16656 
16657 	genlmsg_end(msg, hdr);
16658 
16659 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16660 				NL80211_MCGRP_MLME, gfp);
16661 	return;
16662 
16663  nla_put_failure:
16664 	nlmsg_free(msg);
16665 }
16666 
16667 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16668 			  struct net_device *netdev, const u8 *buf,
16669 			  size_t len, gfp_t gfp)
16670 {
16671 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16672 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16673 				false);
16674 }
16675 
16676 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16677 			   struct net_device *netdev, const u8 *buf,
16678 			   size_t len, gfp_t gfp, int uapsd_queues,
16679 			   const u8 *req_ies, size_t req_ies_len)
16680 {
16681 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16682 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16683 				req_ies, req_ies_len, false);
16684 }
16685 
16686 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16687 			 struct net_device *netdev, const u8 *buf,
16688 			 size_t len, bool reconnect, gfp_t gfp)
16689 {
16690 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16691 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16692 				reconnect);
16693 }
16694 
16695 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16696 			   struct net_device *netdev, const u8 *buf,
16697 			   size_t len, bool reconnect, gfp_t gfp)
16698 {
16699 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16700 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16701 				reconnect);
16702 }
16703 
16704 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16705 				  size_t len)
16706 {
16707 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16708 	struct wiphy *wiphy = wdev->wiphy;
16709 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16710 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16711 	u32 cmd;
16712 
16713 	if (WARN_ON(len < 2))
16714 		return;
16715 
16716 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16717 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16718 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16719 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16720 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16721 		if (wdev->unprot_beacon_reported &&
16722 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16723 			return;
16724 		cmd = NL80211_CMD_UNPROT_BEACON;
16725 		wdev->unprot_beacon_reported = jiffies;
16726 	} else {
16727 		return;
16728 	}
16729 
16730 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16731 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16732 				NULL, 0, false);
16733 }
16734 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16735 
16736 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16737 				      struct net_device *netdev, int cmd,
16738 				      const u8 *addr, gfp_t gfp)
16739 {
16740 	struct sk_buff *msg;
16741 	void *hdr;
16742 
16743 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16744 	if (!msg)
16745 		return;
16746 
16747 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16748 	if (!hdr) {
16749 		nlmsg_free(msg);
16750 		return;
16751 	}
16752 
16753 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16754 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16755 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16756 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16757 		goto nla_put_failure;
16758 
16759 	genlmsg_end(msg, hdr);
16760 
16761 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16762 				NL80211_MCGRP_MLME, gfp);
16763 	return;
16764 
16765  nla_put_failure:
16766 	nlmsg_free(msg);
16767 }
16768 
16769 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16770 			       struct net_device *netdev, const u8 *addr,
16771 			       gfp_t gfp)
16772 {
16773 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16774 				  addr, gfp);
16775 }
16776 
16777 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16778 				struct net_device *netdev, const u8 *addr,
16779 				gfp_t gfp)
16780 {
16781 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16782 				  addr, gfp);
16783 }
16784 
16785 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16786 				 struct net_device *netdev,
16787 				 struct cfg80211_connect_resp_params *cr,
16788 				 gfp_t gfp)
16789 {
16790 	struct sk_buff *msg;
16791 	void *hdr;
16792 
16793 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16794 			cr->fils.kek_len + cr->fils.pmk_len +
16795 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16796 	if (!msg)
16797 		return;
16798 
16799 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16800 	if (!hdr) {
16801 		nlmsg_free(msg);
16802 		return;
16803 	}
16804 
16805 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16806 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16807 	    (cr->bssid &&
16808 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16809 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16810 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16811 			cr->status) ||
16812 	    (cr->status < 0 &&
16813 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16814 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16815 			  cr->timeout_reason))) ||
16816 	    (cr->req_ie &&
16817 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16818 	    (cr->resp_ie &&
16819 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16820 		     cr->resp_ie)) ||
16821 	    (cr->fils.update_erp_next_seq_num &&
16822 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16823 			 cr->fils.erp_next_seq_num)) ||
16824 	    (cr->status == WLAN_STATUS_SUCCESS &&
16825 	     ((cr->fils.kek &&
16826 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16827 		       cr->fils.kek)) ||
16828 	      (cr->fils.pmk &&
16829 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16830 	      (cr->fils.pmkid &&
16831 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16832 		goto nla_put_failure;
16833 
16834 	genlmsg_end(msg, hdr);
16835 
16836 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16837 				NL80211_MCGRP_MLME, gfp);
16838 	return;
16839 
16840  nla_put_failure:
16841 	nlmsg_free(msg);
16842 }
16843 
16844 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16845 			 struct net_device *netdev,
16846 			 struct cfg80211_roam_info *info, gfp_t gfp)
16847 {
16848 	struct sk_buff *msg;
16849 	void *hdr;
16850 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16851 
16852 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16853 			info->fils.kek_len + info->fils.pmk_len +
16854 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16855 	if (!msg)
16856 		return;
16857 
16858 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16859 	if (!hdr) {
16860 		nlmsg_free(msg);
16861 		return;
16862 	}
16863 
16864 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16865 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16866 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16867 	    (info->req_ie &&
16868 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16869 		     info->req_ie)) ||
16870 	    (info->resp_ie &&
16871 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16872 		     info->resp_ie)) ||
16873 	    (info->fils.update_erp_next_seq_num &&
16874 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16875 			 info->fils.erp_next_seq_num)) ||
16876 	    (info->fils.kek &&
16877 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16878 		     info->fils.kek)) ||
16879 	    (info->fils.pmk &&
16880 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16881 	    (info->fils.pmkid &&
16882 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16883 		goto nla_put_failure;
16884 
16885 	genlmsg_end(msg, hdr);
16886 
16887 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16888 				NL80211_MCGRP_MLME, gfp);
16889 	return;
16890 
16891  nla_put_failure:
16892 	nlmsg_free(msg);
16893 }
16894 
16895 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16896 				  struct net_device *netdev, const u8 *bssid)
16897 {
16898 	struct sk_buff *msg;
16899 	void *hdr;
16900 
16901 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16902 	if (!msg)
16903 		return;
16904 
16905 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16906 	if (!hdr) {
16907 		nlmsg_free(msg);
16908 		return;
16909 	}
16910 
16911 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16912 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16913 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16914 		goto nla_put_failure;
16915 
16916 	genlmsg_end(msg, hdr);
16917 
16918 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16919 				NL80211_MCGRP_MLME, GFP_KERNEL);
16920 	return;
16921 
16922  nla_put_failure:
16923 	nlmsg_free(msg);
16924 }
16925 
16926 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16927 			       struct net_device *netdev, u16 reason,
16928 			       const u8 *ie, size_t ie_len, bool from_ap)
16929 {
16930 	struct sk_buff *msg;
16931 	void *hdr;
16932 
16933 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16934 	if (!msg)
16935 		return;
16936 
16937 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16938 	if (!hdr) {
16939 		nlmsg_free(msg);
16940 		return;
16941 	}
16942 
16943 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16944 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16945 	    (reason &&
16946 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16947 	    (from_ap &&
16948 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16949 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16950 		goto nla_put_failure;
16951 
16952 	genlmsg_end(msg, hdr);
16953 
16954 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16955 				NL80211_MCGRP_MLME, GFP_KERNEL);
16956 	return;
16957 
16958  nla_put_failure:
16959 	nlmsg_free(msg);
16960 }
16961 
16962 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16963 			     struct net_device *netdev, const u8 *bssid,
16964 			     gfp_t gfp)
16965 {
16966 	struct sk_buff *msg;
16967 	void *hdr;
16968 
16969 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16970 	if (!msg)
16971 		return;
16972 
16973 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16974 	if (!hdr) {
16975 		nlmsg_free(msg);
16976 		return;
16977 	}
16978 
16979 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16980 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16981 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16982 		goto nla_put_failure;
16983 
16984 	genlmsg_end(msg, hdr);
16985 
16986 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16987 				NL80211_MCGRP_MLME, gfp);
16988 	return;
16989 
16990  nla_put_failure:
16991 	nlmsg_free(msg);
16992 }
16993 
16994 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16995 					const u8 *ie, u8 ie_len,
16996 					int sig_dbm, gfp_t gfp)
16997 {
16998 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16999 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17000 	struct sk_buff *msg;
17001 	void *hdr;
17002 
17003 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
17004 		return;
17005 
17006 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
17007 
17008 	msg = nlmsg_new(100 + ie_len, gfp);
17009 	if (!msg)
17010 		return;
17011 
17012 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
17013 	if (!hdr) {
17014 		nlmsg_free(msg);
17015 		return;
17016 	}
17017 
17018 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17019 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17020 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17021 	    (ie_len && ie &&
17022 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
17023 	    (sig_dbm &&
17024 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
17025 		goto nla_put_failure;
17026 
17027 	genlmsg_end(msg, hdr);
17028 
17029 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17030 				NL80211_MCGRP_MLME, gfp);
17031 	return;
17032 
17033  nla_put_failure:
17034 	nlmsg_free(msg);
17035 }
17036 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
17037 
17038 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
17039 				 struct net_device *netdev, const u8 *addr,
17040 				 enum nl80211_key_type key_type, int key_id,
17041 				 const u8 *tsc, gfp_t gfp)
17042 {
17043 	struct sk_buff *msg;
17044 	void *hdr;
17045 
17046 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17047 	if (!msg)
17048 		return;
17049 
17050 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
17051 	if (!hdr) {
17052 		nlmsg_free(msg);
17053 		return;
17054 	}
17055 
17056 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17057 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17058 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
17059 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
17060 	    (key_id != -1 &&
17061 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
17062 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
17063 		goto nla_put_failure;
17064 
17065 	genlmsg_end(msg, hdr);
17066 
17067 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17068 				NL80211_MCGRP_MLME, gfp);
17069 	return;
17070 
17071  nla_put_failure:
17072 	nlmsg_free(msg);
17073 }
17074 
17075 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
17076 				    struct ieee80211_channel *channel_before,
17077 				    struct ieee80211_channel *channel_after)
17078 {
17079 	struct sk_buff *msg;
17080 	void *hdr;
17081 	struct nlattr *nl_freq;
17082 
17083 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
17084 	if (!msg)
17085 		return;
17086 
17087 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
17088 	if (!hdr) {
17089 		nlmsg_free(msg);
17090 		return;
17091 	}
17092 
17093 	/*
17094 	 * Since we are applying the beacon hint to a wiphy we know its
17095 	 * wiphy_idx is valid
17096 	 */
17097 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
17098 		goto nla_put_failure;
17099 
17100 	/* Before */
17101 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
17102 	if (!nl_freq)
17103 		goto nla_put_failure;
17104 
17105 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
17106 		goto nla_put_failure;
17107 	nla_nest_end(msg, nl_freq);
17108 
17109 	/* After */
17110 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
17111 	if (!nl_freq)
17112 		goto nla_put_failure;
17113 
17114 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
17115 		goto nla_put_failure;
17116 	nla_nest_end(msg, nl_freq);
17117 
17118 	genlmsg_end(msg, hdr);
17119 
17120 	rcu_read_lock();
17121 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17122 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17123 	rcu_read_unlock();
17124 
17125 	return;
17126 
17127 nla_put_failure:
17128 	nlmsg_free(msg);
17129 }
17130 
17131 static void nl80211_send_remain_on_chan_event(
17132 	int cmd, struct cfg80211_registered_device *rdev,
17133 	struct wireless_dev *wdev, u64 cookie,
17134 	struct ieee80211_channel *chan,
17135 	unsigned int duration, gfp_t gfp)
17136 {
17137 	struct sk_buff *msg;
17138 	void *hdr;
17139 
17140 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17141 	if (!msg)
17142 		return;
17143 
17144 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17145 	if (!hdr) {
17146 		nlmsg_free(msg);
17147 		return;
17148 	}
17149 
17150 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17151 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17152 					 wdev->netdev->ifindex)) ||
17153 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17154 			      NL80211_ATTR_PAD) ||
17155 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
17156 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
17157 			NL80211_CHAN_NO_HT) ||
17158 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17159 			      NL80211_ATTR_PAD))
17160 		goto nla_put_failure;
17161 
17162 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
17163 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
17164 		goto nla_put_failure;
17165 
17166 	genlmsg_end(msg, hdr);
17167 
17168 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17169 				NL80211_MCGRP_MLME, gfp);
17170 	return;
17171 
17172  nla_put_failure:
17173 	nlmsg_free(msg);
17174 }
17175 
17176 void cfg80211_assoc_comeback(struct net_device *netdev,
17177 			     struct cfg80211_bss *bss, u32 timeout)
17178 {
17179 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
17180 	struct wiphy *wiphy = wdev->wiphy;
17181 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17182 	struct sk_buff *msg;
17183 	void *hdr;
17184 
17185 	trace_cfg80211_assoc_comeback(wdev, bss->bssid, timeout);
17186 
17187 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17188 	if (!msg)
17189 		return;
17190 
17191 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
17192 	if (!hdr) {
17193 		nlmsg_free(msg);
17194 		return;
17195 	}
17196 
17197 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17198 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17199 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bss->bssid) ||
17200 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
17201 		goto nla_put_failure;
17202 
17203 	genlmsg_end(msg, hdr);
17204 
17205 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17206 				NL80211_MCGRP_MLME, GFP_KERNEL);
17207 	return;
17208 
17209  nla_put_failure:
17210 	nlmsg_free(msg);
17211 }
17212 EXPORT_SYMBOL(cfg80211_assoc_comeback);
17213 
17214 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
17215 			       struct ieee80211_channel *chan,
17216 			       unsigned int duration, gfp_t gfp)
17217 {
17218 	struct wiphy *wiphy = wdev->wiphy;
17219 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17220 
17221 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
17222 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
17223 					  rdev, wdev, cookie, chan,
17224 					  duration, gfp);
17225 }
17226 EXPORT_SYMBOL(cfg80211_ready_on_channel);
17227 
17228 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
17229 					struct ieee80211_channel *chan,
17230 					gfp_t gfp)
17231 {
17232 	struct wiphy *wiphy = wdev->wiphy;
17233 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17234 
17235 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
17236 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17237 					  rdev, wdev, cookie, chan, 0, gfp);
17238 }
17239 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
17240 
17241 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
17242 					struct ieee80211_channel *chan,
17243 					gfp_t gfp)
17244 {
17245 	struct wiphy *wiphy = wdev->wiphy;
17246 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17247 
17248 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
17249 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
17250 					  rdev, wdev, cookie, chan, 0, gfp);
17251 }
17252 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
17253 
17254 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
17255 		      struct station_info *sinfo, gfp_t gfp)
17256 {
17257 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17258 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17259 	struct sk_buff *msg;
17260 
17261 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
17262 
17263 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17264 	if (!msg)
17265 		return;
17266 
17267 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
17268 				 rdev, dev, mac_addr, sinfo) < 0) {
17269 		nlmsg_free(msg);
17270 		return;
17271 	}
17272 
17273 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17274 				NL80211_MCGRP_MLME, gfp);
17275 }
17276 EXPORT_SYMBOL(cfg80211_new_sta);
17277 
17278 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
17279 			    struct station_info *sinfo, gfp_t gfp)
17280 {
17281 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17282 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17283 	struct sk_buff *msg;
17284 	struct station_info empty_sinfo = {};
17285 
17286 	if (!sinfo)
17287 		sinfo = &empty_sinfo;
17288 
17289 	trace_cfg80211_del_sta(dev, mac_addr);
17290 
17291 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17292 	if (!msg) {
17293 		cfg80211_sinfo_release_content(sinfo);
17294 		return;
17295 	}
17296 
17297 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
17298 				 rdev, dev, mac_addr, sinfo) < 0) {
17299 		nlmsg_free(msg);
17300 		return;
17301 	}
17302 
17303 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17304 				NL80211_MCGRP_MLME, gfp);
17305 }
17306 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
17307 
17308 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
17309 			  enum nl80211_connect_failed_reason reason,
17310 			  gfp_t gfp)
17311 {
17312 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
17313 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17314 	struct sk_buff *msg;
17315 	void *hdr;
17316 
17317 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
17318 	if (!msg)
17319 		return;
17320 
17321 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
17322 	if (!hdr) {
17323 		nlmsg_free(msg);
17324 		return;
17325 	}
17326 
17327 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17328 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
17329 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
17330 		goto nla_put_failure;
17331 
17332 	genlmsg_end(msg, hdr);
17333 
17334 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17335 				NL80211_MCGRP_MLME, gfp);
17336 	return;
17337 
17338  nla_put_failure:
17339 	nlmsg_free(msg);
17340 }
17341 EXPORT_SYMBOL(cfg80211_conn_failed);
17342 
17343 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
17344 				       const u8 *addr, gfp_t gfp)
17345 {
17346 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17347 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17348 	struct sk_buff *msg;
17349 	void *hdr;
17350 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
17351 
17352 	if (!nlportid)
17353 		return false;
17354 
17355 	msg = nlmsg_new(100, gfp);
17356 	if (!msg)
17357 		return true;
17358 
17359 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17360 	if (!hdr) {
17361 		nlmsg_free(msg);
17362 		return true;
17363 	}
17364 
17365 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17366 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17367 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17368 		goto nla_put_failure;
17369 
17370 	genlmsg_end(msg, hdr);
17371 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17372 	return true;
17373 
17374  nla_put_failure:
17375 	nlmsg_free(msg);
17376 	return true;
17377 }
17378 
17379 bool cfg80211_rx_spurious_frame(struct net_device *dev,
17380 				const u8 *addr, gfp_t gfp)
17381 {
17382 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17383 	bool ret;
17384 
17385 	trace_cfg80211_rx_spurious_frame(dev, addr);
17386 
17387 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17388 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
17389 		trace_cfg80211_return_bool(false);
17390 		return false;
17391 	}
17392 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
17393 					 addr, gfp);
17394 	trace_cfg80211_return_bool(ret);
17395 	return ret;
17396 }
17397 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
17398 
17399 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
17400 					const u8 *addr, gfp_t gfp)
17401 {
17402 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17403 	bool ret;
17404 
17405 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
17406 
17407 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
17408 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
17409 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
17410 		trace_cfg80211_return_bool(false);
17411 		return false;
17412 	}
17413 	ret = __nl80211_unexpected_frame(dev,
17414 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
17415 					 addr, gfp);
17416 	trace_cfg80211_return_bool(ret);
17417 	return ret;
17418 }
17419 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
17420 
17421 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
17422 		      struct wireless_dev *wdev, u32 nlportid,
17423 		      int freq, int sig_dbm,
17424 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
17425 {
17426 	struct net_device *netdev = wdev->netdev;
17427 	struct sk_buff *msg;
17428 	void *hdr;
17429 
17430 	msg = nlmsg_new(100 + len, gfp);
17431 	if (!msg)
17432 		return -ENOMEM;
17433 
17434 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17435 	if (!hdr) {
17436 		nlmsg_free(msg);
17437 		return -ENOMEM;
17438 	}
17439 
17440 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17441 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17442 					netdev->ifindex)) ||
17443 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17444 			      NL80211_ATTR_PAD) ||
17445 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
17446 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
17447 	    (sig_dbm &&
17448 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17449 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17450 	    (flags &&
17451 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
17452 		goto nla_put_failure;
17453 
17454 	genlmsg_end(msg, hdr);
17455 
17456 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17457 
17458  nla_put_failure:
17459 	nlmsg_free(msg);
17460 	return -ENOBUFS;
17461 }
17462 
17463 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
17464 				    const u8 *buf, size_t len, bool ack,
17465 				    gfp_t gfp, enum nl80211_commands command)
17466 {
17467 	struct wiphy *wiphy = wdev->wiphy;
17468 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17469 	struct net_device *netdev = wdev->netdev;
17470 	struct sk_buff *msg;
17471 	void *hdr;
17472 
17473 	if (command == NL80211_CMD_FRAME_TX_STATUS)
17474 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
17475 	else
17476 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
17477 
17478 	msg = nlmsg_new(100 + len, gfp);
17479 	if (!msg)
17480 		return;
17481 
17482 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
17483 	if (!hdr) {
17484 		nlmsg_free(msg);
17485 		return;
17486 	}
17487 
17488 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17489 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17490 				   netdev->ifindex)) ||
17491 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17492 			      NL80211_ATTR_PAD) ||
17493 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17494 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17495 			      NL80211_ATTR_PAD) ||
17496 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
17497 		goto nla_put_failure;
17498 
17499 	genlmsg_end(msg, hdr);
17500 
17501 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17502 				NL80211_MCGRP_MLME, gfp);
17503 	return;
17504 
17505 nla_put_failure:
17506 	nlmsg_free(msg);
17507 }
17508 
17509 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
17510 				     const u8 *buf, size_t len, bool ack,
17511 				     gfp_t gfp)
17512 {
17513 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17514 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
17515 }
17516 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
17517 
17518 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
17519 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
17520 {
17521 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
17522 				NL80211_CMD_FRAME_TX_STATUS);
17523 }
17524 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
17525 
17526 static int __nl80211_rx_control_port(struct net_device *dev,
17527 				     struct sk_buff *skb,
17528 				     bool unencrypted, gfp_t gfp)
17529 {
17530 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17531 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17532 	struct ethhdr *ehdr = eth_hdr(skb);
17533 	const u8 *addr = ehdr->h_source;
17534 	u16 proto = be16_to_cpu(skb->protocol);
17535 	struct sk_buff *msg;
17536 	void *hdr;
17537 	struct nlattr *frame;
17538 
17539 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
17540 
17541 	if (!nlportid)
17542 		return -ENOENT;
17543 
17544 	msg = nlmsg_new(100 + skb->len, gfp);
17545 	if (!msg)
17546 		return -ENOMEM;
17547 
17548 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17549 	if (!hdr) {
17550 		nlmsg_free(msg);
17551 		return -ENOBUFS;
17552 	}
17553 
17554 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17555 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17556 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17557 			      NL80211_ATTR_PAD) ||
17558 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17559 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17560 	    (unencrypted && nla_put_flag(msg,
17561 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17562 		goto nla_put_failure;
17563 
17564 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17565 	if (!frame)
17566 		goto nla_put_failure;
17567 
17568 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17569 	genlmsg_end(msg, hdr);
17570 
17571 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17572 
17573  nla_put_failure:
17574 	nlmsg_free(msg);
17575 	return -ENOBUFS;
17576 }
17577 
17578 bool cfg80211_rx_control_port(struct net_device *dev,
17579 			      struct sk_buff *skb, bool unencrypted)
17580 {
17581 	int ret;
17582 
17583 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17584 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17585 	trace_cfg80211_return_bool(ret == 0);
17586 	return ret == 0;
17587 }
17588 EXPORT_SYMBOL(cfg80211_rx_control_port);
17589 
17590 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17591 					    const char *mac, gfp_t gfp)
17592 {
17593 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17594 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17595 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17596 	void **cb;
17597 
17598 	if (!msg)
17599 		return NULL;
17600 
17601 	cb = (void **)msg->cb;
17602 
17603 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17604 	if (!cb[0]) {
17605 		nlmsg_free(msg);
17606 		return NULL;
17607 	}
17608 
17609 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17610 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17611 		goto nla_put_failure;
17612 
17613 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17614 		goto nla_put_failure;
17615 
17616 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17617 	if (!cb[1])
17618 		goto nla_put_failure;
17619 
17620 	cb[2] = rdev;
17621 
17622 	return msg;
17623  nla_put_failure:
17624 	nlmsg_free(msg);
17625 	return NULL;
17626 }
17627 
17628 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17629 {
17630 	void **cb = (void **)msg->cb;
17631 	struct cfg80211_registered_device *rdev = cb[2];
17632 
17633 	nla_nest_end(msg, cb[1]);
17634 	genlmsg_end(msg, cb[0]);
17635 
17636 	memset(msg->cb, 0, sizeof(msg->cb));
17637 
17638 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17639 				NL80211_MCGRP_MLME, gfp);
17640 }
17641 
17642 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17643 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17644 			      s32 rssi_level, gfp_t gfp)
17645 {
17646 	struct sk_buff *msg;
17647 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17648 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17649 
17650 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17651 
17652 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17653 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17654 		return;
17655 
17656 	if (wdev->cqm_config) {
17657 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17658 
17659 		cfg80211_cqm_rssi_update(rdev, dev);
17660 
17661 		if (rssi_level == 0)
17662 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17663 	}
17664 
17665 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17666 	if (!msg)
17667 		return;
17668 
17669 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17670 			rssi_event))
17671 		goto nla_put_failure;
17672 
17673 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17674 				      rssi_level))
17675 		goto nla_put_failure;
17676 
17677 	cfg80211_send_cqm(msg, gfp);
17678 
17679 	return;
17680 
17681  nla_put_failure:
17682 	nlmsg_free(msg);
17683 }
17684 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17685 
17686 void cfg80211_cqm_txe_notify(struct net_device *dev,
17687 			     const u8 *peer, u32 num_packets,
17688 			     u32 rate, u32 intvl, gfp_t gfp)
17689 {
17690 	struct sk_buff *msg;
17691 
17692 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17693 	if (!msg)
17694 		return;
17695 
17696 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17697 		goto nla_put_failure;
17698 
17699 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17700 		goto nla_put_failure;
17701 
17702 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17703 		goto nla_put_failure;
17704 
17705 	cfg80211_send_cqm(msg, gfp);
17706 	return;
17707 
17708  nla_put_failure:
17709 	nlmsg_free(msg);
17710 }
17711 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17712 
17713 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17714 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17715 {
17716 	struct sk_buff *msg;
17717 
17718 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17719 
17720 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17721 	if (!msg)
17722 		return;
17723 
17724 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17725 		goto nla_put_failure;
17726 
17727 	cfg80211_send_cqm(msg, gfp);
17728 	return;
17729 
17730  nla_put_failure:
17731 	nlmsg_free(msg);
17732 }
17733 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17734 
17735 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17736 {
17737 	struct sk_buff *msg;
17738 
17739 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17740 	if (!msg)
17741 		return;
17742 
17743 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17744 		goto nla_put_failure;
17745 
17746 	cfg80211_send_cqm(msg, gfp);
17747 	return;
17748 
17749  nla_put_failure:
17750 	nlmsg_free(msg);
17751 }
17752 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17753 
17754 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17755 				     struct net_device *netdev, const u8 *bssid,
17756 				     const u8 *replay_ctr, gfp_t gfp)
17757 {
17758 	struct sk_buff *msg;
17759 	struct nlattr *rekey_attr;
17760 	void *hdr;
17761 
17762 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17763 	if (!msg)
17764 		return;
17765 
17766 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17767 	if (!hdr) {
17768 		nlmsg_free(msg);
17769 		return;
17770 	}
17771 
17772 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17773 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17774 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17775 		goto nla_put_failure;
17776 
17777 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17778 	if (!rekey_attr)
17779 		goto nla_put_failure;
17780 
17781 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17782 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17783 		goto nla_put_failure;
17784 
17785 	nla_nest_end(msg, rekey_attr);
17786 
17787 	genlmsg_end(msg, hdr);
17788 
17789 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17790 				NL80211_MCGRP_MLME, gfp);
17791 	return;
17792 
17793  nla_put_failure:
17794 	nlmsg_free(msg);
17795 }
17796 
17797 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17798 			       const u8 *replay_ctr, gfp_t gfp)
17799 {
17800 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17801 	struct wiphy *wiphy = wdev->wiphy;
17802 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17803 
17804 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17805 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17806 }
17807 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17808 
17809 static void
17810 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17811 			       struct net_device *netdev, int index,
17812 			       const u8 *bssid, bool preauth, gfp_t gfp)
17813 {
17814 	struct sk_buff *msg;
17815 	struct nlattr *attr;
17816 	void *hdr;
17817 
17818 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17819 	if (!msg)
17820 		return;
17821 
17822 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17823 	if (!hdr) {
17824 		nlmsg_free(msg);
17825 		return;
17826 	}
17827 
17828 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17829 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17830 		goto nla_put_failure;
17831 
17832 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17833 	if (!attr)
17834 		goto nla_put_failure;
17835 
17836 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17837 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17838 	    (preauth &&
17839 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17840 		goto nla_put_failure;
17841 
17842 	nla_nest_end(msg, attr);
17843 
17844 	genlmsg_end(msg, hdr);
17845 
17846 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17847 				NL80211_MCGRP_MLME, gfp);
17848 	return;
17849 
17850  nla_put_failure:
17851 	nlmsg_free(msg);
17852 }
17853 
17854 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17855 				     const u8 *bssid, bool preauth, gfp_t gfp)
17856 {
17857 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17858 	struct wiphy *wiphy = wdev->wiphy;
17859 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17860 
17861 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17862 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17863 }
17864 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17865 
17866 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17867 				     struct net_device *netdev,
17868 				     struct cfg80211_chan_def *chandef,
17869 				     gfp_t gfp,
17870 				     enum nl80211_commands notif,
17871 				     u8 count, bool quiet)
17872 {
17873 	struct sk_buff *msg;
17874 	void *hdr;
17875 
17876 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17877 	if (!msg)
17878 		return;
17879 
17880 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17881 	if (!hdr) {
17882 		nlmsg_free(msg);
17883 		return;
17884 	}
17885 
17886 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17887 		goto nla_put_failure;
17888 
17889 	if (nl80211_send_chandef(msg, chandef))
17890 		goto nla_put_failure;
17891 
17892 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17893 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17894 			goto nla_put_failure;
17895 		if (quiet &&
17896 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17897 			goto nla_put_failure;
17898 	}
17899 
17900 	genlmsg_end(msg, hdr);
17901 
17902 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17903 				NL80211_MCGRP_MLME, gfp);
17904 	return;
17905 
17906  nla_put_failure:
17907 	nlmsg_free(msg);
17908 }
17909 
17910 void cfg80211_ch_switch_notify(struct net_device *dev,
17911 			       struct cfg80211_chan_def *chandef)
17912 {
17913 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17914 	struct wiphy *wiphy = wdev->wiphy;
17915 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17916 
17917 	ASSERT_WDEV_LOCK(wdev);
17918 
17919 	trace_cfg80211_ch_switch_notify(dev, chandef);
17920 
17921 	wdev->chandef = *chandef;
17922 	wdev->preset_chandef = *chandef;
17923 
17924 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
17925 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
17926 	    !WARN_ON(!wdev->current_bss))
17927 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17928 
17929 	cfg80211_sched_dfs_chan_update(rdev);
17930 
17931 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17932 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17933 }
17934 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17935 
17936 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17937 				       struct cfg80211_chan_def *chandef,
17938 				       u8 count, bool quiet)
17939 {
17940 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17941 	struct wiphy *wiphy = wdev->wiphy;
17942 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17943 
17944 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17945 
17946 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17947 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17948 				 count, quiet);
17949 }
17950 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17951 
17952 int cfg80211_bss_color_notify(struct net_device *dev, gfp_t gfp,
17953 			      enum nl80211_commands cmd, u8 count,
17954 			      u64 color_bitmap)
17955 {
17956 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17957 	struct wiphy *wiphy = wdev->wiphy;
17958 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17959 	struct sk_buff *msg;
17960 	void *hdr;
17961 
17962 	ASSERT_WDEV_LOCK(wdev);
17963 
17964 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
17965 
17966 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17967 	if (!msg)
17968 		return -ENOMEM;
17969 
17970 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17971 	if (!hdr)
17972 		goto nla_put_failure;
17973 
17974 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17975 		goto nla_put_failure;
17976 
17977 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
17978 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
17979 		goto nla_put_failure;
17980 
17981 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
17982 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
17983 			      color_bitmap, NL80211_ATTR_PAD))
17984 		goto nla_put_failure;
17985 
17986 	genlmsg_end(msg, hdr);
17987 
17988 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
17989 				       msg, 0, NL80211_MCGRP_MLME, gfp);
17990 
17991 nla_put_failure:
17992 	nlmsg_free(msg);
17993 	return -EINVAL;
17994 }
17995 EXPORT_SYMBOL(cfg80211_bss_color_notify);
17996 
17997 void
17998 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17999 		     const struct cfg80211_chan_def *chandef,
18000 		     enum nl80211_radar_event event,
18001 		     struct net_device *netdev, gfp_t gfp)
18002 {
18003 	struct sk_buff *msg;
18004 	void *hdr;
18005 
18006 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18007 	if (!msg)
18008 		return;
18009 
18010 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
18011 	if (!hdr) {
18012 		nlmsg_free(msg);
18013 		return;
18014 	}
18015 
18016 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18017 		goto nla_put_failure;
18018 
18019 	/* NOP and radar events don't need a netdev parameter */
18020 	if (netdev) {
18021 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
18022 
18023 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18024 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18025 				      NL80211_ATTR_PAD))
18026 			goto nla_put_failure;
18027 	}
18028 
18029 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
18030 		goto nla_put_failure;
18031 
18032 	if (nl80211_send_chandef(msg, chandef))
18033 		goto nla_put_failure;
18034 
18035 	genlmsg_end(msg, hdr);
18036 
18037 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18038 				NL80211_MCGRP_MLME, gfp);
18039 	return;
18040 
18041  nla_put_failure:
18042 	nlmsg_free(msg);
18043 }
18044 
18045 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
18046 				       struct sta_opmode_info *sta_opmode,
18047 				       gfp_t gfp)
18048 {
18049 	struct sk_buff *msg;
18050 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18051 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18052 	void *hdr;
18053 
18054 	if (WARN_ON(!mac))
18055 		return;
18056 
18057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18058 	if (!msg)
18059 		return;
18060 
18061 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
18062 	if (!hdr) {
18063 		nlmsg_free(msg);
18064 		return;
18065 	}
18066 
18067 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
18068 		goto nla_put_failure;
18069 
18070 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18071 		goto nla_put_failure;
18072 
18073 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18074 		goto nla_put_failure;
18075 
18076 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
18077 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
18078 		goto nla_put_failure;
18079 
18080 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
18081 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
18082 		goto nla_put_failure;
18083 
18084 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
18085 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
18086 		goto nla_put_failure;
18087 
18088 	genlmsg_end(msg, hdr);
18089 
18090 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18091 				NL80211_MCGRP_MLME, gfp);
18092 
18093 	return;
18094 
18095 nla_put_failure:
18096 	nlmsg_free(msg);
18097 }
18098 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
18099 
18100 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
18101 			   u64 cookie, bool acked, s32 ack_signal,
18102 			   bool is_valid_ack_signal, gfp_t gfp)
18103 {
18104 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18105 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18106 	struct sk_buff *msg;
18107 	void *hdr;
18108 
18109 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
18110 
18111 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18112 
18113 	if (!msg)
18114 		return;
18115 
18116 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
18117 	if (!hdr) {
18118 		nlmsg_free(msg);
18119 		return;
18120 	}
18121 
18122 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18123 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18124 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18125 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18126 			      NL80211_ATTR_PAD) ||
18127 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18128 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
18129 						ack_signal)))
18130 		goto nla_put_failure;
18131 
18132 	genlmsg_end(msg, hdr);
18133 
18134 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18135 				NL80211_MCGRP_MLME, gfp);
18136 	return;
18137 
18138  nla_put_failure:
18139 	nlmsg_free(msg);
18140 }
18141 EXPORT_SYMBOL(cfg80211_probe_status);
18142 
18143 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
18144 				     size_t len, int freq, int sig_dbm)
18145 {
18146 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18147 	struct sk_buff *msg;
18148 	void *hdr;
18149 	struct cfg80211_beacon_registration *reg;
18150 
18151 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
18152 
18153 	spin_lock_bh(&rdev->beacon_registrations_lock);
18154 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
18155 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
18156 		if (!msg) {
18157 			spin_unlock_bh(&rdev->beacon_registrations_lock);
18158 			return;
18159 		}
18160 
18161 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18162 		if (!hdr)
18163 			goto nla_put_failure;
18164 
18165 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18166 		    (freq &&
18167 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
18168 				  KHZ_TO_MHZ(freq)) ||
18169 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
18170 				  freq % 1000))) ||
18171 		    (sig_dbm &&
18172 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
18173 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
18174 			goto nla_put_failure;
18175 
18176 		genlmsg_end(msg, hdr);
18177 
18178 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
18179 	}
18180 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18181 	return;
18182 
18183  nla_put_failure:
18184 	spin_unlock_bh(&rdev->beacon_registrations_lock);
18185 	nlmsg_free(msg);
18186 }
18187 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
18188 
18189 #ifdef CONFIG_PM
18190 static int cfg80211_net_detect_results(struct sk_buff *msg,
18191 				       struct cfg80211_wowlan_wakeup *wakeup)
18192 {
18193 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
18194 	struct nlattr *nl_results, *nl_match, *nl_freqs;
18195 	int i, j;
18196 
18197 	nl_results = nla_nest_start_noflag(msg,
18198 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
18199 	if (!nl_results)
18200 		return -EMSGSIZE;
18201 
18202 	for (i = 0; i < nd->n_matches; i++) {
18203 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
18204 
18205 		nl_match = nla_nest_start_noflag(msg, i);
18206 		if (!nl_match)
18207 			break;
18208 
18209 		/* The SSID attribute is optional in nl80211, but for
18210 		 * simplicity reasons it's always present in the
18211 		 * cfg80211 structure.  If a driver can't pass the
18212 		 * SSID, that needs to be changed.  A zero length SSID
18213 		 * is still a valid SSID (wildcard), so it cannot be
18214 		 * used for this purpose.
18215 		 */
18216 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
18217 			    match->ssid.ssid)) {
18218 			nla_nest_cancel(msg, nl_match);
18219 			goto out;
18220 		}
18221 
18222 		if (match->n_channels) {
18223 			nl_freqs = nla_nest_start_noflag(msg,
18224 							 NL80211_ATTR_SCAN_FREQUENCIES);
18225 			if (!nl_freqs) {
18226 				nla_nest_cancel(msg, nl_match);
18227 				goto out;
18228 			}
18229 
18230 			for (j = 0; j < match->n_channels; j++) {
18231 				if (nla_put_u32(msg, j, match->channels[j])) {
18232 					nla_nest_cancel(msg, nl_freqs);
18233 					nla_nest_cancel(msg, nl_match);
18234 					goto out;
18235 				}
18236 			}
18237 
18238 			nla_nest_end(msg, nl_freqs);
18239 		}
18240 
18241 		nla_nest_end(msg, nl_match);
18242 	}
18243 
18244 out:
18245 	nla_nest_end(msg, nl_results);
18246 	return 0;
18247 }
18248 
18249 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
18250 				   struct cfg80211_wowlan_wakeup *wakeup,
18251 				   gfp_t gfp)
18252 {
18253 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18254 	struct sk_buff *msg;
18255 	void *hdr;
18256 	int size = 200;
18257 
18258 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
18259 
18260 	if (wakeup)
18261 		size += wakeup->packet_present_len;
18262 
18263 	msg = nlmsg_new(size, gfp);
18264 	if (!msg)
18265 		return;
18266 
18267 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
18268 	if (!hdr)
18269 		goto free_msg;
18270 
18271 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18272 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18273 			      NL80211_ATTR_PAD))
18274 		goto free_msg;
18275 
18276 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18277 					wdev->netdev->ifindex))
18278 		goto free_msg;
18279 
18280 	if (wakeup) {
18281 		struct nlattr *reasons;
18282 
18283 		reasons = nla_nest_start_noflag(msg,
18284 						NL80211_ATTR_WOWLAN_TRIGGERS);
18285 		if (!reasons)
18286 			goto free_msg;
18287 
18288 		if (wakeup->disconnect &&
18289 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
18290 			goto free_msg;
18291 		if (wakeup->magic_pkt &&
18292 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
18293 			goto free_msg;
18294 		if (wakeup->gtk_rekey_failure &&
18295 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
18296 			goto free_msg;
18297 		if (wakeup->eap_identity_req &&
18298 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
18299 			goto free_msg;
18300 		if (wakeup->four_way_handshake &&
18301 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
18302 			goto free_msg;
18303 		if (wakeup->rfkill_release &&
18304 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
18305 			goto free_msg;
18306 
18307 		if (wakeup->pattern_idx >= 0 &&
18308 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
18309 				wakeup->pattern_idx))
18310 			goto free_msg;
18311 
18312 		if (wakeup->tcp_match &&
18313 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
18314 			goto free_msg;
18315 
18316 		if (wakeup->tcp_connlost &&
18317 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
18318 			goto free_msg;
18319 
18320 		if (wakeup->tcp_nomoretokens &&
18321 		    nla_put_flag(msg,
18322 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
18323 			goto free_msg;
18324 
18325 		if (wakeup->packet) {
18326 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
18327 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
18328 
18329 			if (!wakeup->packet_80211) {
18330 				pkt_attr =
18331 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
18332 				len_attr =
18333 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
18334 			}
18335 
18336 			if (wakeup->packet_len &&
18337 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
18338 				goto free_msg;
18339 
18340 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
18341 				    wakeup->packet))
18342 				goto free_msg;
18343 		}
18344 
18345 		if (wakeup->net_detect &&
18346 		    cfg80211_net_detect_results(msg, wakeup))
18347 				goto free_msg;
18348 
18349 		nla_nest_end(msg, reasons);
18350 	}
18351 
18352 	genlmsg_end(msg, hdr);
18353 
18354 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18355 				NL80211_MCGRP_MLME, gfp);
18356 	return;
18357 
18358  free_msg:
18359 	nlmsg_free(msg);
18360 }
18361 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
18362 #endif
18363 
18364 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
18365 				enum nl80211_tdls_operation oper,
18366 				u16 reason_code, gfp_t gfp)
18367 {
18368 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18369 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18370 	struct sk_buff *msg;
18371 	void *hdr;
18372 
18373 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
18374 					 reason_code);
18375 
18376 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18377 	if (!msg)
18378 		return;
18379 
18380 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
18381 	if (!hdr) {
18382 		nlmsg_free(msg);
18383 		return;
18384 	}
18385 
18386 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18387 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18388 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
18389 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
18390 	    (reason_code > 0 &&
18391 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
18392 		goto nla_put_failure;
18393 
18394 	genlmsg_end(msg, hdr);
18395 
18396 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18397 				NL80211_MCGRP_MLME, gfp);
18398 	return;
18399 
18400  nla_put_failure:
18401 	nlmsg_free(msg);
18402 }
18403 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
18404 
18405 static int nl80211_netlink_notify(struct notifier_block * nb,
18406 				  unsigned long state,
18407 				  void *_notify)
18408 {
18409 	struct netlink_notify *notify = _notify;
18410 	struct cfg80211_registered_device *rdev;
18411 	struct wireless_dev *wdev;
18412 	struct cfg80211_beacon_registration *reg, *tmp;
18413 
18414 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
18415 		return NOTIFY_DONE;
18416 
18417 	rcu_read_lock();
18418 
18419 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
18420 		struct cfg80211_sched_scan_request *sched_scan_req;
18421 
18422 		list_for_each_entry_rcu(sched_scan_req,
18423 					&rdev->sched_scan_req_list,
18424 					list) {
18425 			if (sched_scan_req->owner_nlportid == notify->portid) {
18426 				sched_scan_req->nl_owner_dead = true;
18427 				schedule_work(&rdev->sched_scan_stop_wk);
18428 			}
18429 		}
18430 
18431 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
18432 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
18433 
18434 			if (wdev->owner_nlportid == notify->portid) {
18435 				wdev->nl_owner_dead = true;
18436 				schedule_work(&rdev->destroy_work);
18437 			} else if (wdev->conn_owner_nlportid == notify->portid) {
18438 				schedule_work(&wdev->disconnect_wk);
18439 			}
18440 
18441 			cfg80211_release_pmsr(wdev, notify->portid);
18442 		}
18443 
18444 		spin_lock_bh(&rdev->beacon_registrations_lock);
18445 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
18446 					 list) {
18447 			if (reg->nlportid == notify->portid) {
18448 				list_del(&reg->list);
18449 				kfree(reg);
18450 				break;
18451 			}
18452 		}
18453 		spin_unlock_bh(&rdev->beacon_registrations_lock);
18454 	}
18455 
18456 	rcu_read_unlock();
18457 
18458 	/*
18459 	 * It is possible that the user space process that is controlling the
18460 	 * indoor setting disappeared, so notify the regulatory core.
18461 	 */
18462 	regulatory_netlink_notify(notify->portid);
18463 	return NOTIFY_OK;
18464 }
18465 
18466 static struct notifier_block nl80211_netlink_notifier = {
18467 	.notifier_call = nl80211_netlink_notify,
18468 };
18469 
18470 void cfg80211_ft_event(struct net_device *netdev,
18471 		       struct cfg80211_ft_event_params *ft_event)
18472 {
18473 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18474 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18475 	struct sk_buff *msg;
18476 	void *hdr;
18477 
18478 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
18479 
18480 	if (!ft_event->target_ap)
18481 		return;
18482 
18483 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
18484 			GFP_KERNEL);
18485 	if (!msg)
18486 		return;
18487 
18488 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
18489 	if (!hdr)
18490 		goto out;
18491 
18492 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18493 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18494 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
18495 		goto out;
18496 
18497 	if (ft_event->ies &&
18498 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
18499 		goto out;
18500 	if (ft_event->ric_ies &&
18501 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
18502 		    ft_event->ric_ies))
18503 		goto out;
18504 
18505 	genlmsg_end(msg, hdr);
18506 
18507 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18508 				NL80211_MCGRP_MLME, GFP_KERNEL);
18509 	return;
18510  out:
18511 	nlmsg_free(msg);
18512 }
18513 EXPORT_SYMBOL(cfg80211_ft_event);
18514 
18515 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
18516 {
18517 	struct cfg80211_registered_device *rdev;
18518 	struct sk_buff *msg;
18519 	void *hdr;
18520 	u32 nlportid;
18521 
18522 	rdev = wiphy_to_rdev(wdev->wiphy);
18523 	if (!rdev->crit_proto_nlportid)
18524 		return;
18525 
18526 	nlportid = rdev->crit_proto_nlportid;
18527 	rdev->crit_proto_nlportid = 0;
18528 
18529 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18530 	if (!msg)
18531 		return;
18532 
18533 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
18534 	if (!hdr)
18535 		goto nla_put_failure;
18536 
18537 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18538 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18539 			      NL80211_ATTR_PAD))
18540 		goto nla_put_failure;
18541 
18542 	genlmsg_end(msg, hdr);
18543 
18544 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18545 	return;
18546 
18547  nla_put_failure:
18548 	nlmsg_free(msg);
18549 }
18550 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
18551 
18552 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
18553 {
18554 	struct wiphy *wiphy = wdev->wiphy;
18555 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18556 	struct sk_buff *msg;
18557 	void *hdr;
18558 
18559 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18560 	if (!msg)
18561 		return;
18562 
18563 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
18564 	if (!hdr)
18565 		goto out;
18566 
18567 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18568 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
18569 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18570 			      NL80211_ATTR_PAD))
18571 		goto out;
18572 
18573 	genlmsg_end(msg, hdr);
18574 
18575 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
18576 				NL80211_MCGRP_MLME, GFP_KERNEL);
18577 	return;
18578  out:
18579 	nlmsg_free(msg);
18580 }
18581 
18582 int cfg80211_external_auth_request(struct net_device *dev,
18583 				   struct cfg80211_external_auth_params *params,
18584 				   gfp_t gfp)
18585 {
18586 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18587 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18588 	struct sk_buff *msg;
18589 	void *hdr;
18590 
18591 	if (!wdev->conn_owner_nlportid)
18592 		return -EINVAL;
18593 
18594 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18595 	if (!msg)
18596 		return -ENOMEM;
18597 
18598 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18599 	if (!hdr)
18600 		goto nla_put_failure;
18601 
18602 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18603 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18604 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18605 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18606 			params->action) ||
18607 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18608 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18609 		    params->ssid.ssid))
18610 		goto nla_put_failure;
18611 
18612 	genlmsg_end(msg, hdr);
18613 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18614 			wdev->conn_owner_nlportid);
18615 	return 0;
18616 
18617  nla_put_failure:
18618 	nlmsg_free(msg);
18619 	return -ENOBUFS;
18620 }
18621 EXPORT_SYMBOL(cfg80211_external_auth_request);
18622 
18623 void cfg80211_update_owe_info_event(struct net_device *netdev,
18624 				    struct cfg80211_update_owe_info *owe_info,
18625 				    gfp_t gfp)
18626 {
18627 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18628 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18629 	struct sk_buff *msg;
18630 	void *hdr;
18631 
18632 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18633 
18634 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18635 	if (!msg)
18636 		return;
18637 
18638 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18639 	if (!hdr)
18640 		goto nla_put_failure;
18641 
18642 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18643 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18644 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18645 		goto nla_put_failure;
18646 
18647 	if (!owe_info->ie_len ||
18648 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18649 		goto nla_put_failure;
18650 
18651 	genlmsg_end(msg, hdr);
18652 
18653 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18654 				NL80211_MCGRP_MLME, gfp);
18655 	return;
18656 
18657 nla_put_failure:
18658 	genlmsg_cancel(msg, hdr);
18659 	nlmsg_free(msg);
18660 }
18661 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18662 
18663 /* initialisation/exit functions */
18664 
18665 int __init nl80211_init(void)
18666 {
18667 	int err;
18668 
18669 	err = genl_register_family(&nl80211_fam);
18670 	if (err)
18671 		return err;
18672 
18673 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18674 	if (err)
18675 		goto err_out;
18676 
18677 	return 0;
18678  err_out:
18679 	genl_unregister_family(&nl80211_fam);
18680 	return err;
18681 }
18682 
18683 void nl80211_exit(void)
18684 {
18685 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18686 	genl_unregister_family(&nl80211_fam);
18687 }
18688