xref: /linux/net/wireless/nl80211.c (revision dc5a6164fedacdcdbb51a2a340ca264191a5b82c) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 static int validate_supported_selectors(const struct nlattr *attr,
298 					struct netlink_ext_ack *extack)
299 {
300 	const u8 *supported_selectors = nla_data(attr);
301 	u8 supported_selectors_len = nla_len(attr);
302 
303 	/* The top bit must not be set as it is not part of the selector */
304 	for (int i = 0; i < supported_selectors_len; i++) {
305 		if (supported_selectors[i] & 0x80)
306 			return -EINVAL;
307 	}
308 
309 	return 0;
310 }
311 
312 /* policy for the attributes */
313 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
314 
315 static const struct nla_policy
316 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
317 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
318 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
319 					.len = U8_MAX },
320 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
321 					     .len = U8_MAX },
322 };
323 
324 static const struct nla_policy
325 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
326 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
327 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
328 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
329 		NLA_POLICY_MAX(NLA_U8, 15),
330 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
331 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
332 		NLA_POLICY_MAX(NLA_U8, 15),
333 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
334 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
335 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
336 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
337 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
338 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
339 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
340 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
341 };
342 
343 static const struct nla_policy
344 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
345 	[NL80211_PMSR_TYPE_FTM] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
347 };
348 
349 static const struct nla_policy
350 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
351 	[NL80211_PMSR_REQ_ATTR_DATA] =
352 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
353 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
354 };
355 
356 static const struct nla_policy
357 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
358 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
359 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
360 	[NL80211_PMSR_PEER_ATTR_REQ] =
361 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
362 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
363 };
364 
365 static const struct nla_policy
366 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
367 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
368 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
369 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
370 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
371 	[NL80211_PMSR_ATTR_PEERS] =
372 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
373 };
374 
375 static const struct nla_policy
376 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
377 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
378 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
379 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
380 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
381 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
382 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
383 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
384 		NLA_POLICY_EXACT_LEN(8),
385 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
386 		NLA_POLICY_EXACT_LEN(8),
387 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
388 };
389 
390 static const struct nla_policy
391 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
392 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
393 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
394 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
395 };
396 
397 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
398 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
399 				    .len = NL80211_MAX_SUPP_RATES },
400 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
401 				.len = NL80211_MAX_SUPP_HT_RATES },
402 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
403 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
404 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
405 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
406 						   NL80211_RATE_INFO_HE_GI_0_8,
407 						   NL80211_RATE_INFO_HE_GI_3_2),
408 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
409 						   NL80211_RATE_INFO_HE_1XLTF,
410 						   NL80211_RATE_INFO_HE_4XLTF),
411 };
412 
413 static const struct nla_policy
414 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
415 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
416 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
417 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
418 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
419 	[NL80211_TID_CONFIG_ATTR_NOACK] =
420 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
421 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
422 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
423 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
424 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
425 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
426 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
427 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
428 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
429 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
430 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
431 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
432 			NLA_POLICY_NESTED(nl80211_txattr_policy),
433 };
434 
435 static const struct nla_policy
436 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
437 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
438 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
439 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
440 			NLA_POLICY_RANGE(NLA_BINARY,
441 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
442 					 IEEE80211_MAX_DATA_LEN),
443 };
444 
445 static const struct nla_policy
446 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
447 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
448 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
449 						       .len = IEEE80211_MAX_DATA_LEN }
450 };
451 
452 static const struct nla_policy
453 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
454 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
455 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
456 };
457 
458 static const struct nla_policy
459 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
460 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
461 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
462 };
463 
464 static const struct nla_policy
465 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
466 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
467 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
468 						NLA_POLICY_MIN(NLA_U8, 1),
469 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
470 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
471 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
472 };
473 
474 static const struct nla_policy
475 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
476 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
477 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
478 };
479 
480 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
481 	.min = 0,
482 	.max = 0xffff,
483 };
484 
485 static const struct netlink_range_validation q_range = {
486 	.max = INT_MAX,
487 };
488 
489 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
490 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
491 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
492 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
493 				      .len = 20-1 },
494 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
495 
496 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
497 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
499 						NL80211_EDMG_CHANNELS_MIN,
500 						NL80211_EDMG_CHANNELS_MAX),
501 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
502 						NL80211_EDMG_BW_CONFIG_MIN,
503 						NL80211_EDMG_BW_CONFIG_MAX),
504 
505 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
506 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
507 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
508 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
509 
510 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
511 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
512 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
513 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
514 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
515 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
516 
517 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
518 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
519 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
520 
521 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
522 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
523 
524 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
525 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
526 				    .len = WLAN_MAX_KEY_LEN },
527 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
528 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
529 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
530 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
531 	[NL80211_ATTR_KEY_TYPE] =
532 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
533 
534 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
535 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
536 	[NL80211_ATTR_BEACON_HEAD] =
537 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
538 				       IEEE80211_MAX_DATA_LEN),
539 	[NL80211_ATTR_BEACON_TAIL] =
540 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
541 				       IEEE80211_MAX_DATA_LEN),
542 	[NL80211_ATTR_STA_AID] =
543 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
544 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
545 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
546 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
547 					       .len = NL80211_MAX_SUPP_RATES },
548 	[NL80211_ATTR_STA_PLINK_ACTION] =
549 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
550 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
551 		NLA_POLICY_RANGE(NLA_U8,
552 				 NL80211_TX_POWER_AUTOMATIC,
553 				 NL80211_TX_POWER_FIXED),
554 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
555 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
556 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
557 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
558 				   .len = IEEE80211_MAX_MESH_ID_LEN },
559 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
560 
561 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
562 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
563 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
566 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
567 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
568 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
569 					   .len = NL80211_MAX_SUPP_RATES },
570 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
571 
572 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
573 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
574 
575 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
576 
577 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
578 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
579 						   validate_ie_attr,
580 						   IEEE80211_MAX_DATA_LEN),
581 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
582 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
583 
584 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
585 				.len = IEEE80211_MAX_SSID_LEN },
586 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
587 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
588 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
589 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
590 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
591 						  NL80211_MFP_NO,
592 						  NL80211_MFP_OPTIONAL),
593 	[NL80211_ATTR_STA_FLAGS2] =
594 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
595 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
596 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
597 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
600 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
601 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
602 	[NL80211_ATTR_WPA_VERSIONS] =
603 		NLA_POLICY_RANGE(NLA_U32, 0,
604 				 NL80211_WPA_VERSION_1 |
605 				 NL80211_WPA_VERSION_2 |
606 				 NL80211_WPA_VERSION_3),
607 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
608 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
609 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
610 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
611 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
612 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
613 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
614 				 .len = IEEE80211_MAX_DATA_LEN },
615 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
616 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
617 						   NL80211_PS_DISABLED,
618 						   NL80211_PS_ENABLED),
619 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
620 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
621 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
622 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
623 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
624 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
625 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
626 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
627 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
628 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
629 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
630 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
631 	[NL80211_ATTR_STA_PLINK_STATE] =
632 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
633 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
634 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_MESH_PEER_AID] =
636 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
637 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
638 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
639 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
640 	[NL80211_ATTR_HIDDEN_SSID] =
641 		NLA_POLICY_RANGE(NLA_U32,
642 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
643 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
644 	[NL80211_ATTR_IE_PROBE_RESP] =
645 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
646 				       IEEE80211_MAX_DATA_LEN),
647 	[NL80211_ATTR_IE_ASSOC_RESP] =
648 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
649 				       IEEE80211_MAX_DATA_LEN),
650 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
651 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
652 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
653 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
654 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
655 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
656 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
657 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
658 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
659 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
660 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
661 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
662 				      .len = IEEE80211_MAX_DATA_LEN },
663 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
664 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
665 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
666 		.len = NL80211_HT_CAPABILITY_LEN
667 	},
668 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
669 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
670 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
671 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
672 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
673 
674 	/* need to include at least Auth Transaction and Status Code */
675 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
676 
677 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
678 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
679 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
680 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
681 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
682 		NLA_POLICY_RANGE(NLA_U32,
683 				 NL80211_MESH_POWER_UNKNOWN + 1,
684 				 NL80211_MESH_POWER_MAX),
685 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
686 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
687 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
688 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
689 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
690 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
691 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
692 		.len = NL80211_VHT_CAPABILITY_LEN,
693 	},
694 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
695 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
696 				  .len = IEEE80211_MAX_DATA_LEN },
697 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
698 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
699 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
700 	[NL80211_ATTR_PEER_AID] =
701 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
702 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
703 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
704 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
705 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
706 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
707 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
708 	/*
709 	 * The value of the Length field of the Supported Operating
710 	 * Classes element is between 2 and 253.
711 	 */
712 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
713 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
714 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
715 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
716 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
717 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
718 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
719 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
720 						  IEEE80211_QOS_MAP_LEN_MIN,
721 						  IEEE80211_QOS_MAP_LEN_MAX),
722 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
723 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
724 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
725 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
726 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
727 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
728 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
729 	[NL80211_ATTR_USER_PRIO] =
730 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
731 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
732 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
733 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
734 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
735 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
736 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
737 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
738 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
739 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
740 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
741 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
742 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
743 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
744 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
745 	},
746 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
747 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
748 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
749 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
750 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
751 				    .len = FILS_MAX_KEK_LEN },
752 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
753 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
754 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
755 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
756 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
757 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
758 	},
759 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
760 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
761 					     .len = FILS_ERP_MAX_USERNAME_LEN },
762 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
763 					  .len = FILS_ERP_MAX_REALM_LEN },
764 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
765 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
766 					.len = FILS_ERP_MAX_RRK_LEN },
767 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
768 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
769 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
770 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
771 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
772 
773 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
774 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
775 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
776 	[NL80211_ATTR_HE_CAPABILITY] =
777 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
778 				       NL80211_HE_MAX_CAPABILITY_LEN),
779 	[NL80211_ATTR_FTM_RESPONDER] =
780 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
781 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
782 	[NL80211_ATTR_PEER_MEASUREMENTS] =
783 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
784 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
785 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
786 					.len = SAE_PASSWORD_MAX_LEN },
787 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
788 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
789 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
790 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
791 	[NL80211_ATTR_TID_CONFIG] =
792 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
793 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
794 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
795 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
796 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
797 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
798 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
799 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
800 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
801 	[NL80211_ATTR_FILS_DISCOVERY] =
802 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
803 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
804 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
805 	[NL80211_ATTR_S1G_CAPABILITY] =
806 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
807 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
808 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
809 	[NL80211_ATTR_SAE_PWE] =
810 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
811 				 NL80211_SAE_PWE_BOTH),
812 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
813 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
814 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
815 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
816 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
817 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
818 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
819 	[NL80211_ATTR_MBSSID_CONFIG] =
820 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
821 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
822 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
823 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
824 	[NL80211_ATTR_EHT_CAPABILITY] =
825 		NLA_POLICY_RANGE(NLA_BINARY,
826 				 NL80211_EHT_MIN_CAPABILITY_LEN,
827 				 NL80211_EHT_MAX_CAPABILITY_LEN),
828 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_LINKS] =
830 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
831 	[NL80211_ATTR_MLO_LINK_ID] =
832 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS - 1),
833 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
834 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
835 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
836 	[NL80211_ATTR_PUNCT_BITMAP] =
837 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
838 
839 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
840 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
841 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
842 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
843 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
844 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
845 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
846 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
847 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
848 	[NL80211_ATTR_SUPPORTED_SELECTORS] =
849 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_supported_selectors,
850 				       NL80211_MAX_SUPP_SELECTORS),
851 	[NL80211_ATTR_MLO_RECONF_REM_LINKS] = { .type = NLA_U16 },
852 	[NL80211_ATTR_EPCS] = { .type = NLA_FLAG },
853 };
854 
855 /* policy for the key attributes */
856 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
857 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
858 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
859 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
860 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
861 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
862 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
863 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
864 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
865 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
866 };
867 
868 /* policy for the key default flags */
869 static const struct nla_policy
870 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
871 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
872 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
873 };
874 
875 #ifdef CONFIG_PM
876 /* policy for WoWLAN attributes */
877 static const struct nla_policy
878 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
879 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
880 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
881 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
882 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
883 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
884 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
885 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
886 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
887 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
888 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
889 };
890 
891 static const struct nla_policy
892 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
893 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
894 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
895 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
896 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
897 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
898 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
899 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
900 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
901 	},
902 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
903 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
904 	},
905 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
906 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
907 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
908 };
909 #endif /* CONFIG_PM */
910 
911 /* policy for coalesce rule attributes */
912 static const struct nla_policy
913 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
914 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
915 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
916 		NLA_POLICY_RANGE(NLA_U32,
917 				 NL80211_COALESCE_CONDITION_MATCH,
918 				 NL80211_COALESCE_CONDITION_NO_MATCH),
919 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
920 };
921 
922 /* policy for GTK rekey offload attributes */
923 static const struct nla_policy
924 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
925 	[NL80211_REKEY_DATA_KEK] = {
926 		.type = NLA_BINARY,
927 		.len = NL80211_KEK_EXT_LEN
928 	},
929 	[NL80211_REKEY_DATA_KCK] = {
930 		.type = NLA_BINARY,
931 		.len = NL80211_KCK_EXT_LEN_32
932 	},
933 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
934 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
935 };
936 
937 static const struct nla_policy
938 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
939 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
940 						 .len = IEEE80211_MAX_SSID_LEN },
941 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
942 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
943 };
944 
945 static const struct nla_policy
946 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
947 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
948 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
949 };
950 
951 static const struct nla_policy
952 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
953 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
954 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
955 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
956 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
957 	},
958 };
959 
960 /* policy for NAN function attributes */
961 static const struct nla_policy
962 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
963 	[NL80211_NAN_FUNC_TYPE] =
964 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
965 	[NL80211_NAN_FUNC_SERVICE_ID] = {
966 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
967 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
968 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
969 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
970 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
971 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
972 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
973 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
974 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
975 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
976 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
977 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
978 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
979 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
980 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
981 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
982 };
983 
984 /* policy for Service Response Filter attributes */
985 static const struct nla_policy
986 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
987 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
988 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
989 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
990 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
991 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
992 };
993 
994 /* policy for packet pattern attributes */
995 static const struct nla_policy
996 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
997 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
998 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
999 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
1000 };
1001 
1002 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
1003 				     struct cfg80211_registered_device **rdev,
1004 				     struct wireless_dev **wdev,
1005 				     struct nlattr **attrbuf)
1006 {
1007 	int err;
1008 
1009 	if (!cb->args[0]) {
1010 		struct nlattr **attrbuf_free = NULL;
1011 
1012 		if (!attrbuf) {
1013 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
1014 					  GFP_KERNEL);
1015 			if (!attrbuf)
1016 				return -ENOMEM;
1017 			attrbuf_free = attrbuf;
1018 		}
1019 
1020 		err = nlmsg_parse_deprecated(cb->nlh,
1021 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1022 					     attrbuf, nl80211_fam.maxattr,
1023 					     nl80211_policy, NULL);
1024 		if (err) {
1025 			kfree(attrbuf_free);
1026 			return err;
1027 		}
1028 
1029 		rtnl_lock();
1030 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1031 						   attrbuf);
1032 		kfree(attrbuf_free);
1033 		if (IS_ERR(*wdev)) {
1034 			rtnl_unlock();
1035 			return PTR_ERR(*wdev);
1036 		}
1037 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1038 		mutex_lock(&(*rdev)->wiphy.mtx);
1039 		rtnl_unlock();
1040 		/* 0 is the first index - add 1 to parse only once */
1041 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1042 		cb->args[1] = (*wdev)->identifier;
1043 	} else {
1044 		/* subtract the 1 again here */
1045 		struct wiphy *wiphy;
1046 		struct wireless_dev *tmp;
1047 
1048 		rtnl_lock();
1049 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1050 		if (!wiphy) {
1051 			rtnl_unlock();
1052 			return -ENODEV;
1053 		}
1054 		*rdev = wiphy_to_rdev(wiphy);
1055 		*wdev = NULL;
1056 
1057 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1058 			if (tmp->identifier == cb->args[1]) {
1059 				*wdev = tmp;
1060 				break;
1061 			}
1062 		}
1063 
1064 		if (!*wdev) {
1065 			rtnl_unlock();
1066 			return -ENODEV;
1067 		}
1068 		mutex_lock(&(*rdev)->wiphy.mtx);
1069 		rtnl_unlock();
1070 	}
1071 
1072 	return 0;
1073 }
1074 
1075 /* message building helper */
1076 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1077 		     int flags, u8 cmd)
1078 {
1079 	/* since there is no private header just add the generic one */
1080 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1081 }
1082 
1083 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1084 				     const struct ieee80211_reg_rule *rule)
1085 {
1086 	int j;
1087 	struct nlattr *nl_wmm_rules =
1088 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1089 
1090 	if (!nl_wmm_rules)
1091 		goto nla_put_failure;
1092 
1093 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1094 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1095 
1096 		if (!nl_wmm_rule)
1097 			goto nla_put_failure;
1098 
1099 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1100 				rule->wmm_rule.client[j].cw_min) ||
1101 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1102 				rule->wmm_rule.client[j].cw_max) ||
1103 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1104 			       rule->wmm_rule.client[j].aifsn) ||
1105 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1106 			        rule->wmm_rule.client[j].cot))
1107 			goto nla_put_failure;
1108 
1109 		nla_nest_end(msg, nl_wmm_rule);
1110 	}
1111 	nla_nest_end(msg, nl_wmm_rules);
1112 
1113 	return 0;
1114 
1115 nla_put_failure:
1116 	return -ENOBUFS;
1117 }
1118 
1119 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1120 				   struct ieee80211_channel *chan,
1121 				   bool large)
1122 {
1123 	/* Some channels must be completely excluded from the
1124 	 * list to protect old user-space tools from breaking
1125 	 */
1126 	if (!large && chan->flags &
1127 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1128 		return 0;
1129 	if (!large && chan->freq_offset)
1130 		return 0;
1131 
1132 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1133 			chan->center_freq))
1134 		goto nla_put_failure;
1135 
1136 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1137 		goto nla_put_failure;
1138 
1139 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1140 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1141 		goto nla_put_failure;
1142 
1143 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1144 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1145 		goto nla_put_failure;
1146 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1147 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1148 			goto nla_put_failure;
1149 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1150 			goto nla_put_failure;
1151 	}
1152 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1153 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1154 			goto nla_put_failure;
1155 		if (large) {
1156 			u32 time;
1157 
1158 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1159 
1160 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1161 					chan->dfs_state))
1162 				goto nla_put_failure;
1163 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1164 					time))
1165 				goto nla_put_failure;
1166 			if (nla_put_u32(msg,
1167 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1168 					chan->dfs_cac_ms))
1169 				goto nla_put_failure;
1170 		}
1171 	}
1172 
1173 	if (large) {
1174 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1194 			goto nla_put_failure;
1195 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1196 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1197 			goto nla_put_failure;
1198 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1199 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1200 			goto nla_put_failure;
1201 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1202 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1203 			goto nla_put_failure;
1204 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1205 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1206 			goto nla_put_failure;
1207 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1208 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1209 			goto nla_put_failure;
1210 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1211 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1212 			goto nla_put_failure;
1213 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1214 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1215 			goto nla_put_failure;
1216 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1217 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1218 			goto nla_put_failure;
1219 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1220 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1221 			goto nla_put_failure;
1222 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1223 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1224 			goto nla_put_failure;
1225 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1226 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1227 			goto nla_put_failure;
1228 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1229 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1230 			goto nla_put_failure;
1231 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1232 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1233 			goto nla_put_failure;
1234 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1235 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1236 			goto nla_put_failure;
1237 	}
1238 
1239 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1240 			DBM_TO_MBM(chan->max_power)))
1241 		goto nla_put_failure;
1242 
1243 	if (large) {
1244 		const struct ieee80211_reg_rule *rule =
1245 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1246 
1247 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1248 			if (nl80211_msg_put_wmm_rules(msg, rule))
1249 				goto nla_put_failure;
1250 		}
1251 	}
1252 
1253 	return 0;
1254 
1255  nla_put_failure:
1256 	return -ENOBUFS;
1257 }
1258 
1259 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1260 				  struct cfg80211_txq_stats *txqstats,
1261 				  int attrtype)
1262 {
1263 	struct nlattr *txqattr;
1264 
1265 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1266 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1267 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1268 		return false;						  \
1269 	} while (0)
1270 
1271 	txqattr = nla_nest_start_noflag(msg, attrtype);
1272 	if (!txqattr)
1273 		return false;
1274 
1275 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1276 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1277 	PUT_TXQVAL_U32(FLOWS, flows);
1278 	PUT_TXQVAL_U32(DROPS, drops);
1279 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1280 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1281 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1282 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1283 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1284 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1285 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1286 	nla_nest_end(msg, txqattr);
1287 
1288 #undef PUT_TXQVAL_U32
1289 	return true;
1290 }
1291 
1292 /* netlink command implementations */
1293 
1294 /**
1295  * nl80211_link_id - return link ID
1296  * @attrs: attributes to look at
1297  *
1298  * Returns: the link ID or 0 if not given
1299  *
1300  * Note this function doesn't do any validation of the link
1301  * ID validity wrt. links that were actually added, so it must
1302  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1303  * or if additional validation is done.
1304  */
1305 static unsigned int nl80211_link_id(struct nlattr **attrs)
1306 {
1307 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1308 
1309 	return nla_get_u8_default(linkid, 0);
1310 }
1311 
1312 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1313 {
1314 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1315 
1316 	if (!linkid)
1317 		return -1;
1318 
1319 	return nla_get_u8(linkid);
1320 }
1321 
1322 struct key_parse {
1323 	struct key_params p;
1324 	int idx;
1325 	int type;
1326 	bool def, defmgmt, defbeacon;
1327 	bool def_uni, def_multi;
1328 };
1329 
1330 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1331 				 struct key_parse *k)
1332 {
1333 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1334 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1335 					      nl80211_key_policy,
1336 					      info->extack);
1337 	if (err)
1338 		return err;
1339 
1340 	k->def = !!tb[NL80211_KEY_DEFAULT];
1341 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1342 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1343 
1344 	if (k->def) {
1345 		k->def_uni = true;
1346 		k->def_multi = true;
1347 	}
1348 	if (k->defmgmt || k->defbeacon)
1349 		k->def_multi = true;
1350 
1351 	if (tb[NL80211_KEY_IDX])
1352 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1353 
1354 	if (tb[NL80211_KEY_DATA]) {
1355 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1356 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1357 	}
1358 
1359 	if (tb[NL80211_KEY_SEQ]) {
1360 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1361 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1362 	}
1363 
1364 	if (tb[NL80211_KEY_CIPHER])
1365 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1366 
1367 	if (tb[NL80211_KEY_TYPE])
1368 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1369 
1370 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1371 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1372 
1373 		err = nla_parse_nested_deprecated(kdt,
1374 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1375 						  tb[NL80211_KEY_DEFAULT_TYPES],
1376 						  nl80211_key_default_policy,
1377 						  info->extack);
1378 		if (err)
1379 			return err;
1380 
1381 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1382 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1383 	}
1384 
1385 	if (tb[NL80211_KEY_MODE])
1386 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1387 
1388 	return 0;
1389 }
1390 
1391 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1392 {
1393 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1394 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1395 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1396 	}
1397 
1398 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1399 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1400 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1401 	}
1402 
1403 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1404 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1405 
1406 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1407 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1408 
1409 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1410 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1411 
1412 	if (k->def) {
1413 		k->def_uni = true;
1414 		k->def_multi = true;
1415 	}
1416 	if (k->defmgmt)
1417 		k->def_multi = true;
1418 
1419 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1420 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1421 
1422 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1423 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1424 		int err = nla_parse_nested_deprecated(kdt,
1425 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1426 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1427 						      nl80211_key_default_policy,
1428 						      info->extack);
1429 		if (err)
1430 			return err;
1431 
1432 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1433 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1434 	}
1435 
1436 	return 0;
1437 }
1438 
1439 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1440 {
1441 	int err;
1442 
1443 	memset(k, 0, sizeof(*k));
1444 	k->idx = -1;
1445 	k->type = -1;
1446 
1447 	if (info->attrs[NL80211_ATTR_KEY])
1448 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1449 	else
1450 		err = nl80211_parse_key_old(info, k);
1451 
1452 	if (err)
1453 		return err;
1454 
1455 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1456 	    (k->defbeacon ? 1 : 0) > 1) {
1457 		GENL_SET_ERR_MSG(info,
1458 				 "key with multiple default flags is invalid");
1459 		return -EINVAL;
1460 	}
1461 
1462 	if (k->defmgmt || k->defbeacon) {
1463 		if (k->def_uni || !k->def_multi) {
1464 			GENL_SET_ERR_MSG(info,
1465 					 "defmgmt/defbeacon key must be mcast");
1466 			return -EINVAL;
1467 		}
1468 	}
1469 
1470 	if (k->idx != -1) {
1471 		if (k->defmgmt) {
1472 			if (k->idx < 4 || k->idx > 5) {
1473 				GENL_SET_ERR_MSG(info,
1474 						 "defmgmt key idx not 4 or 5");
1475 				return -EINVAL;
1476 			}
1477 		} else if (k->defbeacon) {
1478 			if (k->idx < 6 || k->idx > 7) {
1479 				GENL_SET_ERR_MSG(info,
1480 						 "defbeacon key idx not 6 or 7");
1481 				return -EINVAL;
1482 			}
1483 		} else if (k->def) {
1484 			if (k->idx < 0 || k->idx > 3) {
1485 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1486 				return -EINVAL;
1487 			}
1488 		} else {
1489 			if (k->idx < 0 || k->idx > 7) {
1490 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1491 				return -EINVAL;
1492 			}
1493 		}
1494 	}
1495 
1496 	return 0;
1497 }
1498 
1499 static struct cfg80211_cached_keys *
1500 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1501 		       struct genl_info *info, bool *no_ht)
1502 {
1503 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1504 	struct key_parse parse;
1505 	struct nlattr *key;
1506 	struct cfg80211_cached_keys *result;
1507 	int rem, err, def = 0;
1508 	bool have_key = false;
1509 
1510 	nla_for_each_nested(key, keys, rem) {
1511 		have_key = true;
1512 		break;
1513 	}
1514 
1515 	if (!have_key)
1516 		return NULL;
1517 
1518 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1519 	if (!result)
1520 		return ERR_PTR(-ENOMEM);
1521 
1522 	result->def = -1;
1523 
1524 	nla_for_each_nested(key, keys, rem) {
1525 		memset(&parse, 0, sizeof(parse));
1526 		parse.idx = -1;
1527 
1528 		err = nl80211_parse_key_new(info, key, &parse);
1529 		if (err)
1530 			goto error;
1531 		err = -EINVAL;
1532 		if (!parse.p.key)
1533 			goto error;
1534 		if (parse.idx < 0 || parse.idx > 3) {
1535 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1536 			goto error;
1537 		}
1538 		if (parse.def) {
1539 			if (def) {
1540 				GENL_SET_ERR_MSG(info,
1541 						 "only one key can be default");
1542 				goto error;
1543 			}
1544 			def = 1;
1545 			result->def = parse.idx;
1546 			if (!parse.def_uni || !parse.def_multi)
1547 				goto error;
1548 		} else if (parse.defmgmt)
1549 			goto error;
1550 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1551 						     parse.idx, false, NULL);
1552 		if (err)
1553 			goto error;
1554 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1555 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1556 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1557 			err = -EINVAL;
1558 			goto error;
1559 		}
1560 		result->params[parse.idx].cipher = parse.p.cipher;
1561 		result->params[parse.idx].key_len = parse.p.key_len;
1562 		result->params[parse.idx].key = result->data[parse.idx];
1563 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1564 
1565 		/* must be WEP key if we got here */
1566 		if (no_ht)
1567 			*no_ht = true;
1568 	}
1569 
1570 	if (result->def < 0) {
1571 		err = -EINVAL;
1572 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1573 		goto error;
1574 	}
1575 
1576 	return result;
1577  error:
1578 	kfree(result);
1579 	return ERR_PTR(err);
1580 }
1581 
1582 static int nl80211_key_allowed(struct wireless_dev *wdev)
1583 {
1584 	lockdep_assert_wiphy(wdev->wiphy);
1585 
1586 	switch (wdev->iftype) {
1587 	case NL80211_IFTYPE_AP:
1588 	case NL80211_IFTYPE_AP_VLAN:
1589 	case NL80211_IFTYPE_P2P_GO:
1590 	case NL80211_IFTYPE_MESH_POINT:
1591 		break;
1592 	case NL80211_IFTYPE_ADHOC:
1593 		if (wdev->u.ibss.current_bss)
1594 			return 0;
1595 		return -ENOLINK;
1596 	case NL80211_IFTYPE_STATION:
1597 	case NL80211_IFTYPE_P2P_CLIENT:
1598 		if (wdev->connected)
1599 			return 0;
1600 		return -ENOLINK;
1601 	case NL80211_IFTYPE_NAN:
1602 		if (wiphy_ext_feature_isset(wdev->wiphy,
1603 					    NL80211_EXT_FEATURE_SECURE_NAN))
1604 			return 0;
1605 		return -EINVAL;
1606 	case NL80211_IFTYPE_UNSPECIFIED:
1607 	case NL80211_IFTYPE_OCB:
1608 	case NL80211_IFTYPE_MONITOR:
1609 	case NL80211_IFTYPE_P2P_DEVICE:
1610 	case NL80211_IFTYPE_WDS:
1611 	case NUM_NL80211_IFTYPES:
1612 		return -EINVAL;
1613 	}
1614 
1615 	return 0;
1616 }
1617 
1618 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1619 							u32 freq)
1620 {
1621 	struct ieee80211_channel *chan;
1622 
1623 	chan = ieee80211_get_channel_khz(wiphy, freq);
1624 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1625 		return NULL;
1626 	return chan;
1627 }
1628 
1629 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1630 {
1631 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1632 	int i;
1633 
1634 	if (!nl_modes)
1635 		goto nla_put_failure;
1636 
1637 	i = 0;
1638 	while (ifmodes) {
1639 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1640 			goto nla_put_failure;
1641 		ifmodes >>= 1;
1642 		i++;
1643 	}
1644 
1645 	nla_nest_end(msg, nl_modes);
1646 	return 0;
1647 
1648 nla_put_failure:
1649 	return -ENOBUFS;
1650 }
1651 
1652 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1653 				   const struct ieee80211_iface_combination *c,
1654 				   u16 nested)
1655 {
1656 	struct nlattr *nl_combi, *nl_limits;
1657 	int i;
1658 
1659 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1660 	if (!nl_combi)
1661 		goto nla_put_failure;
1662 
1663 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1664 					       nested);
1665 	if (!nl_limits)
1666 		goto nla_put_failure;
1667 
1668 	for (i = 0; i < c->n_limits; i++) {
1669 		struct nlattr *nl_limit;
1670 
1671 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1672 		if (!nl_limit)
1673 			goto nla_put_failure;
1674 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1675 			goto nla_put_failure;
1676 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1677 					c->limits[i].types))
1678 			goto nla_put_failure;
1679 		nla_nest_end(msg, nl_limit);
1680 	}
1681 
1682 	nla_nest_end(msg, nl_limits);
1683 
1684 	if (c->beacon_int_infra_match &&
1685 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1686 		goto nla_put_failure;
1687 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1688 			c->num_different_channels) ||
1689 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1690 			c->max_interfaces))
1691 		goto nla_put_failure;
1692 	if (large &&
1693 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1694 			c->radar_detect_widths) ||
1695 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1696 			c->radar_detect_regions)))
1697 		goto nla_put_failure;
1698 	if (c->beacon_int_min_gcd &&
1699 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1700 			c->beacon_int_min_gcd))
1701 		goto nla_put_failure;
1702 
1703 	nla_nest_end(msg, nl_combi);
1704 
1705 	return 0;
1706 nla_put_failure:
1707 	return -ENOBUFS;
1708 }
1709 
1710 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1711 					  struct sk_buff *msg,
1712 					  int attr, int radio,
1713 					  bool large, u16 nested)
1714 {
1715 	const struct ieee80211_iface_combination *c;
1716 	struct nlattr *nl_combis;
1717 	int i, n;
1718 
1719 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1720 	if (!nl_combis)
1721 		goto nla_put_failure;
1722 
1723 	if (radio >= 0) {
1724 		c = wiphy->radio[0].iface_combinations;
1725 		n = wiphy->radio[0].n_iface_combinations;
1726 	} else {
1727 		c = wiphy->iface_combinations;
1728 		n = wiphy->n_iface_combinations;
1729 	}
1730 	for (i = 0; i < n; i++)
1731 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1732 			goto nla_put_failure;
1733 
1734 	nla_nest_end(msg, nl_combis);
1735 
1736 	return 0;
1737 nla_put_failure:
1738 	return -ENOBUFS;
1739 }
1740 
1741 #ifdef CONFIG_PM
1742 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1743 					struct sk_buff *msg)
1744 {
1745 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1746 	struct nlattr *nl_tcp;
1747 
1748 	if (!tcp)
1749 		return 0;
1750 
1751 	nl_tcp = nla_nest_start_noflag(msg,
1752 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1753 	if (!nl_tcp)
1754 		return -ENOBUFS;
1755 
1756 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1757 			tcp->data_payload_max))
1758 		return -ENOBUFS;
1759 
1760 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1761 			tcp->data_payload_max))
1762 		return -ENOBUFS;
1763 
1764 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1765 		return -ENOBUFS;
1766 
1767 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1768 				sizeof(*tcp->tok), tcp->tok))
1769 		return -ENOBUFS;
1770 
1771 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1772 			tcp->data_interval_max))
1773 		return -ENOBUFS;
1774 
1775 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1776 			tcp->wake_payload_max))
1777 		return -ENOBUFS;
1778 
1779 	nla_nest_end(msg, nl_tcp);
1780 	return 0;
1781 }
1782 
1783 static int nl80211_send_wowlan(struct sk_buff *msg,
1784 			       struct cfg80211_registered_device *rdev,
1785 			       bool large)
1786 {
1787 	struct nlattr *nl_wowlan;
1788 
1789 	if (!rdev->wiphy.wowlan)
1790 		return 0;
1791 
1792 	nl_wowlan = nla_nest_start_noflag(msg,
1793 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1794 	if (!nl_wowlan)
1795 		return -ENOBUFS;
1796 
1797 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1798 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1799 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1800 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1801 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1802 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1803 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1804 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1805 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1806 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1807 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1808 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1809 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1810 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1811 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1812 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1813 		return -ENOBUFS;
1814 
1815 	if (rdev->wiphy.wowlan->n_patterns) {
1816 		struct nl80211_pattern_support pat = {
1817 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1818 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1819 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1820 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1821 		};
1822 
1823 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1824 			    sizeof(pat), &pat))
1825 			return -ENOBUFS;
1826 	}
1827 
1828 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1829 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1830 			rdev->wiphy.wowlan->max_nd_match_sets))
1831 		return -ENOBUFS;
1832 
1833 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1834 		return -ENOBUFS;
1835 
1836 	nla_nest_end(msg, nl_wowlan);
1837 
1838 	return 0;
1839 }
1840 #endif
1841 
1842 static int nl80211_send_coalesce(struct sk_buff *msg,
1843 				 struct cfg80211_registered_device *rdev)
1844 {
1845 	struct nl80211_coalesce_rule_support rule;
1846 
1847 	if (!rdev->wiphy.coalesce)
1848 		return 0;
1849 
1850 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1851 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1852 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1853 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1854 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1855 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1856 
1857 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1858 		return -ENOBUFS;
1859 
1860 	return 0;
1861 }
1862 
1863 static int
1864 nl80211_send_iftype_data(struct sk_buff *msg,
1865 			 const struct ieee80211_supported_band *sband,
1866 			 const struct ieee80211_sband_iftype_data *iftdata)
1867 {
1868 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1869 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1870 
1871 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1872 				iftdata->types_mask))
1873 		return -ENOBUFS;
1874 
1875 	if (he_cap->has_he) {
1876 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1877 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1878 			    he_cap->he_cap_elem.mac_cap_info) ||
1879 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1880 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1881 			    he_cap->he_cap_elem.phy_cap_info) ||
1882 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1883 			    sizeof(he_cap->he_mcs_nss_supp),
1884 			    &he_cap->he_mcs_nss_supp) ||
1885 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1886 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1887 			return -ENOBUFS;
1888 	}
1889 
1890 	if (eht_cap->has_eht && he_cap->has_he) {
1891 		u8 mcs_nss_size, ppe_thresh_size;
1892 		u16 ppe_thres_hdr;
1893 		bool is_ap;
1894 
1895 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1896 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1897 
1898 		mcs_nss_size =
1899 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1900 						   &eht_cap->eht_cap_elem,
1901 						   is_ap);
1902 
1903 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1904 		ppe_thresh_size =
1905 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1906 					       eht_cap->eht_cap_elem.phy_cap_info);
1907 
1908 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1909 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1910 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1911 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1912 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1913 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1914 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1915 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1916 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1917 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1918 			return -ENOBUFS;
1919 	}
1920 
1921 	if (sband->band == NL80211_BAND_6GHZ &&
1922 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1923 		    sizeof(iftdata->he_6ghz_capa),
1924 		    &iftdata->he_6ghz_capa))
1925 		return -ENOBUFS;
1926 
1927 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1928 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1929 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1930 		return -ENOBUFS;
1931 
1932 	return 0;
1933 }
1934 
1935 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1936 				      struct ieee80211_supported_band *sband,
1937 				      bool large)
1938 {
1939 	struct nlattr *nl_rates, *nl_rate;
1940 	struct ieee80211_rate *rate;
1941 	int i;
1942 
1943 	/* add HT info */
1944 	if (sband->ht_cap.ht_supported &&
1945 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1946 		     sizeof(sband->ht_cap.mcs),
1947 		     &sband->ht_cap.mcs) ||
1948 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1949 			 sband->ht_cap.cap) ||
1950 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1951 			sband->ht_cap.ampdu_factor) ||
1952 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1953 			sband->ht_cap.ampdu_density)))
1954 		return -ENOBUFS;
1955 
1956 	/* add VHT info */
1957 	if (sband->vht_cap.vht_supported &&
1958 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1959 		     sizeof(sband->vht_cap.vht_mcs),
1960 		     &sband->vht_cap.vht_mcs) ||
1961 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1962 			 sband->vht_cap.cap)))
1963 		return -ENOBUFS;
1964 
1965 	if (large && sband->n_iftype_data) {
1966 		struct nlattr *nl_iftype_data =
1967 			nla_nest_start_noflag(msg,
1968 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1969 		const struct ieee80211_sband_iftype_data *iftd;
1970 		int err;
1971 
1972 		if (!nl_iftype_data)
1973 			return -ENOBUFS;
1974 
1975 		for_each_sband_iftype_data(sband, i, iftd) {
1976 			struct nlattr *iftdata;
1977 
1978 			iftdata = nla_nest_start_noflag(msg, i + 1);
1979 			if (!iftdata)
1980 				return -ENOBUFS;
1981 
1982 			err = nl80211_send_iftype_data(msg, sband, iftd);
1983 			if (err)
1984 				return err;
1985 
1986 			nla_nest_end(msg, iftdata);
1987 		}
1988 
1989 		nla_nest_end(msg, nl_iftype_data);
1990 	}
1991 
1992 	/* add EDMG info */
1993 	if (large && sband->edmg_cap.channels &&
1994 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1995 		       sband->edmg_cap.channels) ||
1996 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1997 		       sband->edmg_cap.bw_config)))
1998 
1999 		return -ENOBUFS;
2000 
2001 	/* add bitrates */
2002 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
2003 	if (!nl_rates)
2004 		return -ENOBUFS;
2005 
2006 	for (i = 0; i < sband->n_bitrates; i++) {
2007 		nl_rate = nla_nest_start_noflag(msg, i);
2008 		if (!nl_rate)
2009 			return -ENOBUFS;
2010 
2011 		rate = &sband->bitrates[i];
2012 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
2013 				rate->bitrate))
2014 			return -ENOBUFS;
2015 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
2016 		    nla_put_flag(msg,
2017 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2018 			return -ENOBUFS;
2019 
2020 		nla_nest_end(msg, nl_rate);
2021 	}
2022 
2023 	nla_nest_end(msg, nl_rates);
2024 
2025 	/* S1G capabilities */
2026 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2027 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2028 		     sizeof(sband->s1g_cap.cap),
2029 		     sband->s1g_cap.cap) ||
2030 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2031 		     sizeof(sband->s1g_cap.nss_mcs),
2032 		     sband->s1g_cap.nss_mcs)))
2033 		return -ENOBUFS;
2034 
2035 	return 0;
2036 }
2037 
2038 static int
2039 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2040 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2041 {
2042 	u16 stypes;
2043 	struct nlattr *nl_ftypes, *nl_ifs;
2044 	enum nl80211_iftype ift;
2045 	int i;
2046 
2047 	if (!mgmt_stypes)
2048 		return 0;
2049 
2050 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2051 	if (!nl_ifs)
2052 		return -ENOBUFS;
2053 
2054 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2055 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2056 		if (!nl_ftypes)
2057 			return -ENOBUFS;
2058 		i = 0;
2059 		stypes = mgmt_stypes[ift].tx;
2060 		while (stypes) {
2061 			if ((stypes & 1) &&
2062 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2063 					(i << 4) | IEEE80211_FTYPE_MGMT))
2064 				return -ENOBUFS;
2065 			stypes >>= 1;
2066 			i++;
2067 		}
2068 		nla_nest_end(msg, nl_ftypes);
2069 	}
2070 
2071 	nla_nest_end(msg, nl_ifs);
2072 
2073 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2074 	if (!nl_ifs)
2075 		return -ENOBUFS;
2076 
2077 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2078 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2079 		if (!nl_ftypes)
2080 			return -ENOBUFS;
2081 		i = 0;
2082 		stypes = mgmt_stypes[ift].rx;
2083 		while (stypes) {
2084 			if ((stypes & 1) &&
2085 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2086 					(i << 4) | IEEE80211_FTYPE_MGMT))
2087 				return -ENOBUFS;
2088 			stypes >>= 1;
2089 			i++;
2090 		}
2091 		nla_nest_end(msg, nl_ftypes);
2092 	}
2093 	nla_nest_end(msg, nl_ifs);
2094 
2095 	return 0;
2096 }
2097 
2098 #define CMD(op, n)							\
2099 	 do {								\
2100 		if (rdev->ops->op) {					\
2101 			i++;						\
2102 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2103 				goto nla_put_failure;			\
2104 		}							\
2105 	} while (0)
2106 
2107 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2108 					struct sk_buff *msg)
2109 {
2110 	int i = 0;
2111 
2112 	/*
2113 	 * do *NOT* add anything into this function, new things need to be
2114 	 * advertised only to new versions of userspace that can deal with
2115 	 * the split (and they can't possibly care about new features...
2116 	 */
2117 	CMD(add_virtual_intf, NEW_INTERFACE);
2118 	CMD(change_virtual_intf, SET_INTERFACE);
2119 	CMD(add_key, NEW_KEY);
2120 	CMD(start_ap, START_AP);
2121 	CMD(add_station, NEW_STATION);
2122 	CMD(add_mpath, NEW_MPATH);
2123 	CMD(update_mesh_config, SET_MESH_CONFIG);
2124 	CMD(change_bss, SET_BSS);
2125 	CMD(auth, AUTHENTICATE);
2126 	CMD(assoc, ASSOCIATE);
2127 	CMD(deauth, DEAUTHENTICATE);
2128 	CMD(disassoc, DISASSOCIATE);
2129 	CMD(join_ibss, JOIN_IBSS);
2130 	CMD(join_mesh, JOIN_MESH);
2131 	CMD(set_pmksa, SET_PMKSA);
2132 	CMD(del_pmksa, DEL_PMKSA);
2133 	CMD(flush_pmksa, FLUSH_PMKSA);
2134 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2135 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2136 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2137 	CMD(mgmt_tx, FRAME);
2138 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2139 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2140 		i++;
2141 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2142 			goto nla_put_failure;
2143 	}
2144 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2145 	    rdev->ops->join_mesh) {
2146 		i++;
2147 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2148 			goto nla_put_failure;
2149 	}
2150 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2151 		CMD(tdls_mgmt, TDLS_MGMT);
2152 		CMD(tdls_oper, TDLS_OPER);
2153 	}
2154 	if (rdev->wiphy.max_sched_scan_reqs)
2155 		CMD(sched_scan_start, START_SCHED_SCAN);
2156 	CMD(probe_client, PROBE_CLIENT);
2157 	CMD(set_noack_map, SET_NOACK_MAP);
2158 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2159 		i++;
2160 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2161 			goto nla_put_failure;
2162 	}
2163 	CMD(start_p2p_device, START_P2P_DEVICE);
2164 	CMD(set_mcast_rate, SET_MCAST_RATE);
2165 #ifdef CONFIG_NL80211_TESTMODE
2166 	CMD(testmode_cmd, TESTMODE);
2167 #endif
2168 
2169 	if (rdev->ops->connect || rdev->ops->auth) {
2170 		i++;
2171 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2172 			goto nla_put_failure;
2173 	}
2174 
2175 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2176 		i++;
2177 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2178 			goto nla_put_failure;
2179 	}
2180 
2181 	return i;
2182  nla_put_failure:
2183 	return -ENOBUFS;
2184 }
2185 
2186 static int
2187 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2188 			   struct sk_buff *msg)
2189 {
2190 	struct nlattr *ftm;
2191 
2192 	if (!cap->ftm.supported)
2193 		return 0;
2194 
2195 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2196 	if (!ftm)
2197 		return -ENOBUFS;
2198 
2199 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2200 		return -ENOBUFS;
2201 	if (cap->ftm.non_asap &&
2202 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2203 		return -ENOBUFS;
2204 	if (cap->ftm.request_lci &&
2205 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2206 		return -ENOBUFS;
2207 	if (cap->ftm.request_civicloc &&
2208 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2209 		return -ENOBUFS;
2210 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2211 			cap->ftm.preambles))
2212 		return -ENOBUFS;
2213 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2214 			cap->ftm.bandwidths))
2215 		return -ENOBUFS;
2216 	if (cap->ftm.max_bursts_exponent >= 0 &&
2217 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2218 			cap->ftm.max_bursts_exponent))
2219 		return -ENOBUFS;
2220 	if (cap->ftm.max_ftms_per_burst &&
2221 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2222 			cap->ftm.max_ftms_per_burst))
2223 		return -ENOBUFS;
2224 	if (cap->ftm.trigger_based &&
2225 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2226 		return -ENOBUFS;
2227 	if (cap->ftm.non_trigger_based &&
2228 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2229 		return -ENOBUFS;
2230 
2231 	nla_nest_end(msg, ftm);
2232 	return 0;
2233 }
2234 
2235 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2236 				  struct sk_buff *msg)
2237 {
2238 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2239 	struct nlattr *pmsr, *caps;
2240 
2241 	if (!cap)
2242 		return 0;
2243 
2244 	/*
2245 	 * we don't need to clean up anything here since the caller
2246 	 * will genlmsg_cancel() if we fail
2247 	 */
2248 
2249 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2250 	if (!pmsr)
2251 		return -ENOBUFS;
2252 
2253 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2254 		return -ENOBUFS;
2255 
2256 	if (cap->report_ap_tsf &&
2257 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2258 		return -ENOBUFS;
2259 
2260 	if (cap->randomize_mac_addr &&
2261 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2262 		return -ENOBUFS;
2263 
2264 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2265 	if (!caps)
2266 		return -ENOBUFS;
2267 
2268 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2269 		return -ENOBUFS;
2270 
2271 	nla_nest_end(msg, caps);
2272 	nla_nest_end(msg, pmsr);
2273 
2274 	return 0;
2275 }
2276 
2277 static int
2278 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2279 			      struct sk_buff *msg)
2280 {
2281 	int i;
2282 	struct nlattr *nested, *nested_akms;
2283 	const struct wiphy_iftype_akm_suites *iftype_akms;
2284 
2285 	if (!rdev->wiphy.num_iftype_akm_suites ||
2286 	    !rdev->wiphy.iftype_akm_suites)
2287 		return 0;
2288 
2289 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2290 	if (!nested)
2291 		return -ENOBUFS;
2292 
2293 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2294 		nested_akms = nla_nest_start(msg, i + 1);
2295 		if (!nested_akms)
2296 			return -ENOBUFS;
2297 
2298 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2299 
2300 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2301 					iftype_akms->iftypes_mask))
2302 			return -ENOBUFS;
2303 
2304 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2305 			    sizeof(u32) * iftype_akms->n_akm_suites,
2306 			    iftype_akms->akm_suites)) {
2307 			return -ENOBUFS;
2308 		}
2309 		nla_nest_end(msg, nested_akms);
2310 	}
2311 
2312 	nla_nest_end(msg, nested);
2313 
2314 	return 0;
2315 }
2316 
2317 static int
2318 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2319 			       struct sk_buff *msg)
2320 {
2321 	struct nlattr *supp;
2322 
2323 	if (!rdev->wiphy.tid_config_support.vif &&
2324 	    !rdev->wiphy.tid_config_support.peer)
2325 		return 0;
2326 
2327 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2328 	if (!supp)
2329 		return -ENOSPC;
2330 
2331 	if (rdev->wiphy.tid_config_support.vif &&
2332 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2333 			      rdev->wiphy.tid_config_support.vif,
2334 			      NL80211_TID_CONFIG_ATTR_PAD))
2335 		goto fail;
2336 
2337 	if (rdev->wiphy.tid_config_support.peer &&
2338 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2339 			      rdev->wiphy.tid_config_support.peer,
2340 			      NL80211_TID_CONFIG_ATTR_PAD))
2341 		goto fail;
2342 
2343 	/* for now we just use the same value ... makes more sense */
2344 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2345 		       rdev->wiphy.tid_config_support.max_retry))
2346 		goto fail;
2347 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2348 		       rdev->wiphy.tid_config_support.max_retry))
2349 		goto fail;
2350 
2351 	nla_nest_end(msg, supp);
2352 
2353 	return 0;
2354 fail:
2355 	nla_nest_cancel(msg, supp);
2356 	return -ENOBUFS;
2357 }
2358 
2359 static int
2360 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2361 		      struct sk_buff *msg)
2362 {
2363 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2364 	u8 num_freq_ranges;
2365 	int i;
2366 
2367 	if (!rdev->wiphy.sar_capa)
2368 		return 0;
2369 
2370 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2371 
2372 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2373 	if (!sar_capa)
2374 		return -ENOSPC;
2375 
2376 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2377 		goto fail;
2378 
2379 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2380 	if (!specs)
2381 		goto fail;
2382 
2383 	/* report supported freq_ranges */
2384 	for (i = 0; i < num_freq_ranges; i++) {
2385 		sub_freq_range = nla_nest_start(msg, i + 1);
2386 		if (!sub_freq_range)
2387 			goto fail;
2388 
2389 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2390 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2391 			goto fail;
2392 
2393 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2394 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2395 			goto fail;
2396 
2397 		nla_nest_end(msg, sub_freq_range);
2398 	}
2399 
2400 	nla_nest_end(msg, specs);
2401 	nla_nest_end(msg, sar_capa);
2402 
2403 	return 0;
2404 fail:
2405 	nla_nest_cancel(msg, sar_capa);
2406 	return -ENOBUFS;
2407 }
2408 
2409 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2410 {
2411 	struct nlattr *config;
2412 
2413 	if (!wiphy->mbssid_max_interfaces)
2414 		return 0;
2415 
2416 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2417 	if (!config)
2418 		return -ENOBUFS;
2419 
2420 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2421 		       wiphy->mbssid_max_interfaces))
2422 		goto fail;
2423 
2424 	if (wiphy->ema_max_profile_periodicity &&
2425 	    nla_put_u8(msg,
2426 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2427 		       wiphy->ema_max_profile_periodicity))
2428 		goto fail;
2429 
2430 	nla_nest_end(msg, config);
2431 	return 0;
2432 
2433 fail:
2434 	nla_nest_cancel(msg, config);
2435 	return -ENOBUFS;
2436 }
2437 
2438 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2439 {
2440 	const struct wiphy_radio *r = &wiphy->radio[idx];
2441 	struct nlattr *radio, *freq;
2442 	int i;
2443 
2444 	radio = nla_nest_start(msg, idx);
2445 	if (!radio)
2446 		return -ENOBUFS;
2447 
2448 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2449 		goto nla_put_failure;
2450 
2451 	if (r->antenna_mask &&
2452 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2453 			r->antenna_mask))
2454 		goto nla_put_failure;
2455 
2456 	for (i = 0; i < r->n_freq_range; i++) {
2457 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2458 
2459 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2460 		if (!freq)
2461 			goto nla_put_failure;
2462 
2463 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2464 				range->start_freq) ||
2465 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2466 				range->end_freq))
2467 			goto nla_put_failure;
2468 
2469 		nla_nest_end(msg, freq);
2470 	}
2471 
2472 	for (i = 0; i < r->n_iface_combinations; i++)
2473 		if (nl80211_put_ifcomb_data(msg, true,
2474 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2475 					    &r->iface_combinations[i],
2476 					    NLA_F_NESTED))
2477 			goto nla_put_failure;
2478 
2479 	nla_nest_end(msg, radio);
2480 
2481 	return 0;
2482 
2483 nla_put_failure:
2484 	return -ENOBUFS;
2485 }
2486 
2487 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2488 {
2489 	struct nlattr *radios;
2490 	int i;
2491 
2492 	if (!wiphy->n_radio)
2493 		return 0;
2494 
2495 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2496 	if (!radios)
2497 		return -ENOBUFS;
2498 
2499 	for (i = 0; i < wiphy->n_radio; i++)
2500 		if (nl80211_put_radio(wiphy, msg, i))
2501 			goto fail;
2502 
2503 	nla_nest_end(msg, radios);
2504 
2505 	if (nl80211_put_iface_combinations(wiphy, msg,
2506 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2507 					   -1, true, NLA_F_NESTED))
2508 		return -ENOBUFS;
2509 
2510 	return 0;
2511 
2512 fail:
2513 	nla_nest_cancel(msg, radios);
2514 	return -ENOBUFS;
2515 }
2516 
2517 struct nl80211_dump_wiphy_state {
2518 	s64 filter_wiphy;
2519 	long start;
2520 	long split_start, band_start, chan_start, capa_start;
2521 	bool split;
2522 };
2523 
2524 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2525 			      enum nl80211_commands cmd,
2526 			      struct sk_buff *msg, u32 portid, u32 seq,
2527 			      int flags, struct nl80211_dump_wiphy_state *state)
2528 {
2529 	void *hdr;
2530 	struct nlattr *nl_bands, *nl_band;
2531 	struct nlattr *nl_freqs, *nl_freq;
2532 	struct nlattr *nl_cmds;
2533 	enum nl80211_band band;
2534 	struct ieee80211_channel *chan;
2535 	int i;
2536 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2537 				rdev->wiphy.mgmt_stypes;
2538 	u32 features;
2539 
2540 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2541 	if (!hdr)
2542 		return -ENOBUFS;
2543 
2544 	if (WARN_ON(!state))
2545 		return -EINVAL;
2546 
2547 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2548 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2549 			   wiphy_name(&rdev->wiphy)) ||
2550 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2551 			cfg80211_rdev_list_generation))
2552 		goto nla_put_failure;
2553 
2554 	if (cmd != NL80211_CMD_NEW_WIPHY)
2555 		goto finish;
2556 
2557 	switch (state->split_start) {
2558 	case 0:
2559 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2560 			       rdev->wiphy.retry_short) ||
2561 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2562 			       rdev->wiphy.retry_long) ||
2563 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2564 				rdev->wiphy.frag_threshold) ||
2565 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2566 				rdev->wiphy.rts_threshold) ||
2567 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2568 			       rdev->wiphy.coverage_class) ||
2569 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2570 			       rdev->wiphy.max_scan_ssids) ||
2571 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2572 			       rdev->wiphy.max_sched_scan_ssids) ||
2573 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2574 				rdev->wiphy.max_scan_ie_len) ||
2575 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2576 				rdev->wiphy.max_sched_scan_ie_len) ||
2577 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2578 			       rdev->wiphy.max_match_sets))
2579 			goto nla_put_failure;
2580 
2581 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2582 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2583 			goto nla_put_failure;
2584 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2585 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2586 			goto nla_put_failure;
2587 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2588 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2589 			goto nla_put_failure;
2590 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2591 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2592 			goto nla_put_failure;
2593 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2594 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2595 			goto nla_put_failure;
2596 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2597 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2598 			goto nla_put_failure;
2599 		state->split_start++;
2600 		if (state->split)
2601 			break;
2602 		fallthrough;
2603 	case 1:
2604 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2605 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2606 			    rdev->wiphy.cipher_suites))
2607 			goto nla_put_failure;
2608 
2609 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2610 			       rdev->wiphy.max_num_pmkids))
2611 			goto nla_put_failure;
2612 
2613 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2614 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2615 			goto nla_put_failure;
2616 
2617 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2618 				rdev->wiphy.available_antennas_tx) ||
2619 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2620 				rdev->wiphy.available_antennas_rx))
2621 			goto nla_put_failure;
2622 
2623 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2624 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2625 				rdev->wiphy.probe_resp_offload))
2626 			goto nla_put_failure;
2627 
2628 		if ((rdev->wiphy.available_antennas_tx ||
2629 		     rdev->wiphy.available_antennas_rx) &&
2630 		    rdev->ops->get_antenna) {
2631 			u32 tx_ant = 0, rx_ant = 0;
2632 			int res;
2633 
2634 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2635 			if (!res) {
2636 				if (nla_put_u32(msg,
2637 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2638 						tx_ant) ||
2639 				    nla_put_u32(msg,
2640 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2641 						rx_ant))
2642 					goto nla_put_failure;
2643 			}
2644 		}
2645 
2646 		state->split_start++;
2647 		if (state->split)
2648 			break;
2649 		fallthrough;
2650 	case 2:
2651 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2652 					rdev->wiphy.interface_modes))
2653 				goto nla_put_failure;
2654 		state->split_start++;
2655 		if (state->split)
2656 			break;
2657 		fallthrough;
2658 	case 3:
2659 		nl_bands = nla_nest_start_noflag(msg,
2660 						 NL80211_ATTR_WIPHY_BANDS);
2661 		if (!nl_bands)
2662 			goto nla_put_failure;
2663 
2664 		for (band = state->band_start;
2665 		     band < (state->split ?
2666 				NUM_NL80211_BANDS :
2667 				NL80211_BAND_60GHZ + 1);
2668 		     band++) {
2669 			struct ieee80211_supported_band *sband;
2670 
2671 			/* omit higher bands for ancient software */
2672 			if (band > NL80211_BAND_5GHZ && !state->split)
2673 				break;
2674 
2675 			sband = rdev->wiphy.bands[band];
2676 
2677 			if (!sband)
2678 				continue;
2679 
2680 			nl_band = nla_nest_start_noflag(msg, band);
2681 			if (!nl_band)
2682 				goto nla_put_failure;
2683 
2684 			switch (state->chan_start) {
2685 			case 0:
2686 				if (nl80211_send_band_rateinfo(msg, sband,
2687 							       state->split))
2688 					goto nla_put_failure;
2689 				state->chan_start++;
2690 				if (state->split)
2691 					break;
2692 				fallthrough;
2693 			default:
2694 				/* add frequencies */
2695 				nl_freqs = nla_nest_start_noflag(msg,
2696 								 NL80211_BAND_ATTR_FREQS);
2697 				if (!nl_freqs)
2698 					goto nla_put_failure;
2699 
2700 				for (i = state->chan_start - 1;
2701 				     i < sband->n_channels;
2702 				     i++) {
2703 					nl_freq = nla_nest_start_noflag(msg,
2704 									i);
2705 					if (!nl_freq)
2706 						goto nla_put_failure;
2707 
2708 					chan = &sband->channels[i];
2709 
2710 					if (nl80211_msg_put_channel(
2711 							msg, &rdev->wiphy, chan,
2712 							state->split))
2713 						goto nla_put_failure;
2714 
2715 					nla_nest_end(msg, nl_freq);
2716 					if (state->split)
2717 						break;
2718 				}
2719 				if (i < sband->n_channels)
2720 					state->chan_start = i + 2;
2721 				else
2722 					state->chan_start = 0;
2723 				nla_nest_end(msg, nl_freqs);
2724 			}
2725 
2726 			nla_nest_end(msg, nl_band);
2727 
2728 			if (state->split) {
2729 				/* start again here */
2730 				if (state->chan_start)
2731 					band--;
2732 				break;
2733 			}
2734 		}
2735 		nla_nest_end(msg, nl_bands);
2736 
2737 		if (band < NUM_NL80211_BANDS)
2738 			state->band_start = band + 1;
2739 		else
2740 			state->band_start = 0;
2741 
2742 		/* if bands & channels are done, continue outside */
2743 		if (state->band_start == 0 && state->chan_start == 0)
2744 			state->split_start++;
2745 		if (state->split)
2746 			break;
2747 		fallthrough;
2748 	case 4:
2749 		nl_cmds = nla_nest_start_noflag(msg,
2750 						NL80211_ATTR_SUPPORTED_COMMANDS);
2751 		if (!nl_cmds)
2752 			goto nla_put_failure;
2753 
2754 		i = nl80211_add_commands_unsplit(rdev, msg);
2755 		if (i < 0)
2756 			goto nla_put_failure;
2757 		if (state->split) {
2758 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2759 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2760 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2761 				CMD(channel_switch, CHANNEL_SWITCH);
2762 			CMD(set_qos_map, SET_QOS_MAP);
2763 			if (rdev->wiphy.features &
2764 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2765 				CMD(add_tx_ts, ADD_TX_TS);
2766 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2767 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2768 			CMD(update_ft_ies, UPDATE_FT_IES);
2769 			if (rdev->wiphy.sar_capa)
2770 				CMD(set_sar_specs, SET_SAR_SPECS);
2771 		}
2772 #undef CMD
2773 
2774 		nla_nest_end(msg, nl_cmds);
2775 		state->split_start++;
2776 		if (state->split)
2777 			break;
2778 		fallthrough;
2779 	case 5:
2780 		if (rdev->ops->remain_on_channel &&
2781 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2782 		    nla_put_u32(msg,
2783 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2784 				rdev->wiphy.max_remain_on_channel_duration))
2785 			goto nla_put_failure;
2786 
2787 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2788 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2789 			goto nla_put_failure;
2790 
2791 		state->split_start++;
2792 		if (state->split)
2793 			break;
2794 		fallthrough;
2795 	case 6:
2796 #ifdef CONFIG_PM
2797 		if (nl80211_send_wowlan(msg, rdev, state->split))
2798 			goto nla_put_failure;
2799 		state->split_start++;
2800 		if (state->split)
2801 			break;
2802 #else
2803 		state->split_start++;
2804 #endif
2805 		fallthrough;
2806 	case 7:
2807 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2808 					rdev->wiphy.software_iftypes))
2809 			goto nla_put_failure;
2810 
2811 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2812 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2813 						   rdev->wiphy.n_radio ? 0 : -1,
2814 						   state->split, 0))
2815 			goto nla_put_failure;
2816 
2817 		state->split_start++;
2818 		if (state->split)
2819 			break;
2820 		fallthrough;
2821 	case 8:
2822 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2823 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2824 				rdev->wiphy.ap_sme_capa))
2825 			goto nla_put_failure;
2826 
2827 		features = rdev->wiphy.features;
2828 		/*
2829 		 * We can only add the per-channel limit information if the
2830 		 * dump is split, otherwise it makes it too big. Therefore
2831 		 * only advertise it in that case.
2832 		 */
2833 		if (state->split)
2834 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2835 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2836 			goto nla_put_failure;
2837 
2838 		if (rdev->wiphy.ht_capa_mod_mask &&
2839 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2840 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2841 			    rdev->wiphy.ht_capa_mod_mask))
2842 			goto nla_put_failure;
2843 
2844 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2845 		    rdev->wiphy.max_acl_mac_addrs &&
2846 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2847 				rdev->wiphy.max_acl_mac_addrs))
2848 			goto nla_put_failure;
2849 
2850 		/*
2851 		 * Any information below this point is only available to
2852 		 * applications that can deal with it being split. This
2853 		 * helps ensure that newly added capabilities don't break
2854 		 * older tools by overrunning their buffers.
2855 		 *
2856 		 * We still increment split_start so that in the split
2857 		 * case we'll continue with more data in the next round,
2858 		 * but break unconditionally so unsplit data stops here.
2859 		 */
2860 		if (state->split)
2861 			state->split_start++;
2862 		else
2863 			state->split_start = 0;
2864 		break;
2865 	case 9:
2866 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2867 			goto nla_put_failure;
2868 
2869 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2870 				rdev->wiphy.max_sched_scan_plans) ||
2871 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2872 				rdev->wiphy.max_sched_scan_plan_interval) ||
2873 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2874 				rdev->wiphy.max_sched_scan_plan_iterations))
2875 			goto nla_put_failure;
2876 
2877 		if (rdev->wiphy.extended_capabilities &&
2878 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2879 			     rdev->wiphy.extended_capabilities_len,
2880 			     rdev->wiphy.extended_capabilities) ||
2881 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2882 			     rdev->wiphy.extended_capabilities_len,
2883 			     rdev->wiphy.extended_capabilities_mask)))
2884 			goto nla_put_failure;
2885 
2886 		if (rdev->wiphy.vht_capa_mod_mask &&
2887 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2888 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2889 			    rdev->wiphy.vht_capa_mod_mask))
2890 			goto nla_put_failure;
2891 
2892 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2893 			    rdev->wiphy.perm_addr))
2894 			goto nla_put_failure;
2895 
2896 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2897 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2898 			    rdev->wiphy.addr_mask))
2899 			goto nla_put_failure;
2900 
2901 		if (rdev->wiphy.n_addresses > 1) {
2902 			void *attr;
2903 
2904 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2905 			if (!attr)
2906 				goto nla_put_failure;
2907 
2908 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2909 				if (nla_put(msg, i + 1, ETH_ALEN,
2910 					    rdev->wiphy.addresses[i].addr))
2911 					goto nla_put_failure;
2912 
2913 			nla_nest_end(msg, attr);
2914 		}
2915 
2916 		state->split_start++;
2917 		break;
2918 	case 10:
2919 		if (nl80211_send_coalesce(msg, rdev))
2920 			goto nla_put_failure;
2921 
2922 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2923 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2924 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2925 			goto nla_put_failure;
2926 
2927 		if (rdev->wiphy.max_ap_assoc_sta &&
2928 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2929 				rdev->wiphy.max_ap_assoc_sta))
2930 			goto nla_put_failure;
2931 
2932 		state->split_start++;
2933 		break;
2934 	case 11:
2935 		if (rdev->wiphy.n_vendor_commands) {
2936 			const struct nl80211_vendor_cmd_info *info;
2937 			struct nlattr *nested;
2938 
2939 			nested = nla_nest_start_noflag(msg,
2940 						       NL80211_ATTR_VENDOR_DATA);
2941 			if (!nested)
2942 				goto nla_put_failure;
2943 
2944 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2945 				info = &rdev->wiphy.vendor_commands[i].info;
2946 				if (nla_put(msg, i + 1, sizeof(*info), info))
2947 					goto nla_put_failure;
2948 			}
2949 			nla_nest_end(msg, nested);
2950 		}
2951 
2952 		if (rdev->wiphy.n_vendor_events) {
2953 			const struct nl80211_vendor_cmd_info *info;
2954 			struct nlattr *nested;
2955 
2956 			nested = nla_nest_start_noflag(msg,
2957 						       NL80211_ATTR_VENDOR_EVENTS);
2958 			if (!nested)
2959 				goto nla_put_failure;
2960 
2961 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2962 				info = &rdev->wiphy.vendor_events[i];
2963 				if (nla_put(msg, i + 1, sizeof(*info), info))
2964 					goto nla_put_failure;
2965 			}
2966 			nla_nest_end(msg, nested);
2967 		}
2968 		state->split_start++;
2969 		break;
2970 	case 12:
2971 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2972 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2973 			       rdev->wiphy.max_num_csa_counters))
2974 			goto nla_put_failure;
2975 
2976 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2977 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2978 			goto nla_put_failure;
2979 
2980 		if (rdev->wiphy.max_sched_scan_reqs &&
2981 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2982 				rdev->wiphy.max_sched_scan_reqs))
2983 			goto nla_put_failure;
2984 
2985 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2986 			    sizeof(rdev->wiphy.ext_features),
2987 			    rdev->wiphy.ext_features))
2988 			goto nla_put_failure;
2989 
2990 		if (rdev->wiphy.bss_select_support) {
2991 			struct nlattr *nested;
2992 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2993 
2994 			nested = nla_nest_start_noflag(msg,
2995 						       NL80211_ATTR_BSS_SELECT);
2996 			if (!nested)
2997 				goto nla_put_failure;
2998 
2999 			i = 0;
3000 			while (bss_select_support) {
3001 				if ((bss_select_support & 1) &&
3002 				    nla_put_flag(msg, i))
3003 					goto nla_put_failure;
3004 				i++;
3005 				bss_select_support >>= 1;
3006 			}
3007 			nla_nest_end(msg, nested);
3008 		}
3009 
3010 		state->split_start++;
3011 		break;
3012 	case 13:
3013 		if (rdev->wiphy.num_iftype_ext_capab &&
3014 		    rdev->wiphy.iftype_ext_capab) {
3015 			struct nlattr *nested_ext_capab, *nested;
3016 
3017 			nested = nla_nest_start_noflag(msg,
3018 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3019 			if (!nested)
3020 				goto nla_put_failure;
3021 
3022 			for (i = state->capa_start;
3023 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3024 				const struct wiphy_iftype_ext_capab *capab;
3025 
3026 				capab = &rdev->wiphy.iftype_ext_capab[i];
3027 
3028 				nested_ext_capab = nla_nest_start_noflag(msg,
3029 									 i);
3030 				if (!nested_ext_capab ||
3031 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3032 						capab->iftype) ||
3033 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3034 					    capab->extended_capabilities_len,
3035 					    capab->extended_capabilities) ||
3036 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3037 					    capab->extended_capabilities_len,
3038 					    capab->extended_capabilities_mask))
3039 					goto nla_put_failure;
3040 
3041 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3042 				    (nla_put_u16(msg,
3043 						 NL80211_ATTR_EML_CAPABILITY,
3044 						 capab->eml_capabilities) ||
3045 				     nla_put_u16(msg,
3046 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3047 						 capab->mld_capa_and_ops)))
3048 					goto nla_put_failure;
3049 
3050 				nla_nest_end(msg, nested_ext_capab);
3051 				if (state->split)
3052 					break;
3053 			}
3054 			nla_nest_end(msg, nested);
3055 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3056 				state->capa_start = i + 1;
3057 				break;
3058 			}
3059 		}
3060 
3061 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3062 				rdev->wiphy.nan_supported_bands))
3063 			goto nla_put_failure;
3064 
3065 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3066 					    NL80211_EXT_FEATURE_TXQS)) {
3067 			struct cfg80211_txq_stats txqstats = {};
3068 			int res;
3069 
3070 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3071 			if (!res &&
3072 			    !nl80211_put_txq_stats(msg, &txqstats,
3073 						   NL80211_ATTR_TXQ_STATS))
3074 				goto nla_put_failure;
3075 
3076 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3077 					rdev->wiphy.txq_limit))
3078 				goto nla_put_failure;
3079 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3080 					rdev->wiphy.txq_memory_limit))
3081 				goto nla_put_failure;
3082 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3083 					rdev->wiphy.txq_quantum))
3084 				goto nla_put_failure;
3085 		}
3086 
3087 		state->split_start++;
3088 		break;
3089 	case 14:
3090 		if (nl80211_send_pmsr_capa(rdev, msg))
3091 			goto nla_put_failure;
3092 
3093 		state->split_start++;
3094 		break;
3095 	case 15:
3096 		if (rdev->wiphy.akm_suites &&
3097 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3098 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3099 			    rdev->wiphy.akm_suites))
3100 			goto nla_put_failure;
3101 
3102 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3103 			goto nla_put_failure;
3104 
3105 		if (nl80211_put_tid_config_support(rdev, msg))
3106 			goto nla_put_failure;
3107 		state->split_start++;
3108 		break;
3109 	case 16:
3110 		if (nl80211_put_sar_specs(rdev, msg))
3111 			goto nla_put_failure;
3112 
3113 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3114 			goto nla_put_failure;
3115 
3116 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3117 				rdev->wiphy.max_num_akm_suites))
3118 			goto nla_put_failure;
3119 
3120 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3121 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3122 
3123 		if (rdev->wiphy.hw_timestamp_max_peers &&
3124 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3125 				rdev->wiphy.hw_timestamp_max_peers))
3126 			goto nla_put_failure;
3127 
3128 		state->split_start++;
3129 		break;
3130 	case 17:
3131 		if (nl80211_put_radios(&rdev->wiphy, msg))
3132 			goto nla_put_failure;
3133 
3134 		/* done */
3135 		state->split_start = 0;
3136 		break;
3137 	}
3138  finish:
3139 	genlmsg_end(msg, hdr);
3140 	return 0;
3141 
3142  nla_put_failure:
3143 	genlmsg_cancel(msg, hdr);
3144 	return -EMSGSIZE;
3145 }
3146 
3147 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3148 				    struct netlink_callback *cb,
3149 				    struct nl80211_dump_wiphy_state *state)
3150 {
3151 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3152 	int ret;
3153 
3154 	if (!tb)
3155 		return -ENOMEM;
3156 
3157 	ret = nlmsg_parse_deprecated(cb->nlh,
3158 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3159 				     tb, nl80211_fam.maxattr,
3160 				     nl80211_policy, NULL);
3161 	/* ignore parse errors for backward compatibility */
3162 	if (ret) {
3163 		ret = 0;
3164 		goto out;
3165 	}
3166 
3167 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3168 	if (tb[NL80211_ATTR_WIPHY])
3169 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3170 	if (tb[NL80211_ATTR_WDEV])
3171 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3172 	if (tb[NL80211_ATTR_IFINDEX]) {
3173 		struct net_device *netdev;
3174 		struct cfg80211_registered_device *rdev;
3175 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3176 
3177 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3178 		if (!netdev) {
3179 			ret = -ENODEV;
3180 			goto out;
3181 		}
3182 		if (netdev->ieee80211_ptr) {
3183 			rdev = wiphy_to_rdev(
3184 				netdev->ieee80211_ptr->wiphy);
3185 			state->filter_wiphy = rdev->wiphy_idx;
3186 		}
3187 	}
3188 
3189 	ret = 0;
3190 out:
3191 	kfree(tb);
3192 	return ret;
3193 }
3194 
3195 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3196 {
3197 	int idx = 0, ret;
3198 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3199 	struct cfg80211_registered_device *rdev;
3200 
3201 	rtnl_lock();
3202 	if (!state) {
3203 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3204 		if (!state) {
3205 			rtnl_unlock();
3206 			return -ENOMEM;
3207 		}
3208 		state->filter_wiphy = -1;
3209 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3210 		if (ret) {
3211 			kfree(state);
3212 			rtnl_unlock();
3213 			return ret;
3214 		}
3215 		cb->args[0] = (long)state;
3216 	}
3217 
3218 	for_each_rdev(rdev) {
3219 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3220 			continue;
3221 		if (++idx <= state->start)
3222 			continue;
3223 		if (state->filter_wiphy != -1 &&
3224 		    state->filter_wiphy != rdev->wiphy_idx)
3225 			continue;
3226 		wiphy_lock(&rdev->wiphy);
3227 		/* attempt to fit multiple wiphy data chunks into the skb */
3228 		do {
3229 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3230 						 skb,
3231 						 NETLINK_CB(cb->skb).portid,
3232 						 cb->nlh->nlmsg_seq,
3233 						 NLM_F_MULTI, state);
3234 			if (ret < 0) {
3235 				/*
3236 				 * If sending the wiphy data didn't fit (ENOBUFS
3237 				 * or EMSGSIZE returned), this SKB is still
3238 				 * empty (so it's not too big because another
3239 				 * wiphy dataset is already in the skb) and
3240 				 * we've not tried to adjust the dump allocation
3241 				 * yet ... then adjust the alloc size to be
3242 				 * bigger, and return 1 but with the empty skb.
3243 				 * This results in an empty message being RX'ed
3244 				 * in userspace, but that is ignored.
3245 				 *
3246 				 * We can then retry with the larger buffer.
3247 				 */
3248 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3249 				    !skb->len && !state->split &&
3250 				    cb->min_dump_alloc < 4096) {
3251 					cb->min_dump_alloc = 4096;
3252 					state->split_start = 0;
3253 					wiphy_unlock(&rdev->wiphy);
3254 					rtnl_unlock();
3255 					return 1;
3256 				}
3257 				idx--;
3258 				break;
3259 			}
3260 		} while (state->split_start > 0);
3261 		wiphy_unlock(&rdev->wiphy);
3262 		break;
3263 	}
3264 	rtnl_unlock();
3265 
3266 	state->start = idx;
3267 
3268 	return skb->len;
3269 }
3270 
3271 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3272 {
3273 	kfree((void *)cb->args[0]);
3274 	return 0;
3275 }
3276 
3277 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3278 {
3279 	struct sk_buff *msg;
3280 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3281 	struct nl80211_dump_wiphy_state state = {};
3282 
3283 	msg = nlmsg_new(4096, GFP_KERNEL);
3284 	if (!msg)
3285 		return -ENOMEM;
3286 
3287 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3288 			       info->snd_portid, info->snd_seq, 0,
3289 			       &state) < 0) {
3290 		nlmsg_free(msg);
3291 		return -ENOBUFS;
3292 	}
3293 
3294 	return genlmsg_reply(msg, info);
3295 }
3296 
3297 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3298 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3299 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3300 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3301 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3302 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3303 };
3304 
3305 static int parse_txq_params(struct nlattr *tb[],
3306 			    struct ieee80211_txq_params *txq_params)
3307 {
3308 	u8 ac;
3309 
3310 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3311 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3312 	    !tb[NL80211_TXQ_ATTR_AIFS])
3313 		return -EINVAL;
3314 
3315 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3316 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3317 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3318 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3319 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3320 
3321 	if (ac >= NL80211_NUM_ACS)
3322 		return -EINVAL;
3323 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3324 	return 0;
3325 }
3326 
3327 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3328 {
3329 	/*
3330 	 * You can only set the channel explicitly for some interfaces,
3331 	 * most have their channel managed via their respective
3332 	 * "establish a connection" command (connect, join, ...)
3333 	 *
3334 	 * For AP/GO and mesh mode, the channel can be set with the
3335 	 * channel userspace API, but is only stored and passed to the
3336 	 * low-level driver when the AP starts or the mesh is joined.
3337 	 * This is for backward compatibility, userspace can also give
3338 	 * the channel in the start-ap or join-mesh commands instead.
3339 	 *
3340 	 * Monitors are special as they are normally slaved to
3341 	 * whatever else is going on, so they have their own special
3342 	 * operation to set the monitor channel if possible.
3343 	 */
3344 	return !wdev ||
3345 		wdev->iftype == NL80211_IFTYPE_AP ||
3346 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3347 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3348 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3349 }
3350 
3351 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3352 				  struct genl_info *info, bool monitor,
3353 				  struct cfg80211_chan_def *chandef)
3354 {
3355 	struct netlink_ext_ack *extack = info->extack;
3356 	struct nlattr **attrs = info->attrs;
3357 	u32 control_freq;
3358 
3359 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3360 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3361 				    "Frequency is missing");
3362 		return -EINVAL;
3363 	}
3364 
3365 	control_freq = MHZ_TO_KHZ(
3366 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3367 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3368 		control_freq +=
3369 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3370 
3371 	memset(chandef, 0, sizeof(*chandef));
3372 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3373 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3374 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3375 	chandef->freq1_offset = control_freq % 1000;
3376 	chandef->center_freq2 = 0;
3377 
3378 	if (!chandef->chan) {
3379 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3380 				    "Unknown channel");
3381 		return -EINVAL;
3382 	}
3383 
3384 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3385 		enum nl80211_channel_type chantype;
3386 
3387 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3388 
3389 		switch (chantype) {
3390 		case NL80211_CHAN_NO_HT:
3391 		case NL80211_CHAN_HT20:
3392 		case NL80211_CHAN_HT40PLUS:
3393 		case NL80211_CHAN_HT40MINUS:
3394 			cfg80211_chandef_create(chandef, chandef->chan,
3395 						chantype);
3396 			/* user input for center_freq is incorrect */
3397 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3398 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3399 				NL_SET_ERR_MSG_ATTR(extack,
3400 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3401 						    "bad center frequency 1");
3402 				return -EINVAL;
3403 			}
3404 			/* center_freq2 must be zero */
3405 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3406 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3407 				NL_SET_ERR_MSG_ATTR(extack,
3408 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3409 						    "center frequency 2 can't be used");
3410 				return -EINVAL;
3411 			}
3412 			break;
3413 		default:
3414 			NL_SET_ERR_MSG_ATTR(extack,
3415 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3416 					    "invalid channel type");
3417 			return -EINVAL;
3418 		}
3419 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3420 		chandef->width =
3421 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3422 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3423 			/* User input error for channel width doesn't match channel  */
3424 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3425 				NL_SET_ERR_MSG_ATTR(extack,
3426 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3427 						    "bad channel width");
3428 				return -EINVAL;
3429 			}
3430 		}
3431 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3432 			chandef->center_freq1 =
3433 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3434 			chandef->freq1_offset =
3435 				nla_get_u32_default(attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET],
3436 						    0);
3437 		}
3438 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3439 			chandef->center_freq2 =
3440 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3441 	}
3442 
3443 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3444 		chandef->edmg.channels =
3445 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3446 
3447 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3448 			chandef->edmg.bw_config =
3449 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3450 	} else {
3451 		chandef->edmg.bw_config = 0;
3452 		chandef->edmg.channels = 0;
3453 	}
3454 
3455 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3456 		chandef->punctured =
3457 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3458 
3459 		if (chandef->punctured &&
3460 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3461 					     NL80211_EXT_FEATURE_PUNCT)) {
3462 			NL_SET_ERR_MSG(extack,
3463 				       "driver doesn't support puncturing");
3464 			return -EINVAL;
3465 		}
3466 	}
3467 
3468 	if (!cfg80211_chandef_valid(chandef)) {
3469 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3470 		return -EINVAL;
3471 	}
3472 
3473 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3474 				      IEEE80211_CHAN_DISABLED,
3475 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3476 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3477 		return -EINVAL;
3478 	}
3479 
3480 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3481 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3482 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3483 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3484 		return -EINVAL;
3485 	}
3486 
3487 	return 0;
3488 }
3489 
3490 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3491 			  struct genl_info *info,
3492 			  struct cfg80211_chan_def *chandef)
3493 {
3494 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3495 }
3496 
3497 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3498 				 struct net_device *dev,
3499 				 struct genl_info *info,
3500 				 int _link_id)
3501 {
3502 	struct cfg80211_chan_def chandef;
3503 	int result;
3504 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3505 	struct wireless_dev *wdev = NULL;
3506 	int link_id = _link_id;
3507 
3508 	if (dev)
3509 		wdev = dev->ieee80211_ptr;
3510 	if (!nl80211_can_set_dev_channel(wdev))
3511 		return -EOPNOTSUPP;
3512 	if (wdev)
3513 		iftype = wdev->iftype;
3514 
3515 	if (link_id < 0) {
3516 		if (wdev && wdev->valid_links)
3517 			return -EINVAL;
3518 		link_id = 0;
3519 	}
3520 
3521 	result = _nl80211_parse_chandef(rdev, info,
3522 					iftype == NL80211_IFTYPE_MONITOR,
3523 					&chandef);
3524 	if (result)
3525 		return result;
3526 
3527 	switch (iftype) {
3528 	case NL80211_IFTYPE_AP:
3529 	case NL80211_IFTYPE_P2P_GO:
3530 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3531 						   iftype))
3532 			return -EINVAL;
3533 		if (wdev->links[link_id].ap.beacon_interval) {
3534 			struct ieee80211_channel *cur_chan;
3535 
3536 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3537 			    !(rdev->wiphy.features &
3538 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3539 				return -EBUSY;
3540 
3541 			/* Only allow dynamic channel width changes */
3542 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3543 			if (chandef.chan != cur_chan)
3544 				return -EBUSY;
3545 
3546 			/* only allow this for regular channel widths */
3547 			switch (wdev->links[link_id].ap.chandef.width) {
3548 			case NL80211_CHAN_WIDTH_20_NOHT:
3549 			case NL80211_CHAN_WIDTH_20:
3550 			case NL80211_CHAN_WIDTH_40:
3551 			case NL80211_CHAN_WIDTH_80:
3552 			case NL80211_CHAN_WIDTH_80P80:
3553 			case NL80211_CHAN_WIDTH_160:
3554 			case NL80211_CHAN_WIDTH_320:
3555 				break;
3556 			default:
3557 				return -EINVAL;
3558 			}
3559 
3560 			switch (chandef.width) {
3561 			case NL80211_CHAN_WIDTH_20_NOHT:
3562 			case NL80211_CHAN_WIDTH_20:
3563 			case NL80211_CHAN_WIDTH_40:
3564 			case NL80211_CHAN_WIDTH_80:
3565 			case NL80211_CHAN_WIDTH_80P80:
3566 			case NL80211_CHAN_WIDTH_160:
3567 			case NL80211_CHAN_WIDTH_320:
3568 				break;
3569 			default:
3570 				return -EINVAL;
3571 			}
3572 
3573 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3574 						       &chandef);
3575 			if (result)
3576 				return result;
3577 			wdev->links[link_id].ap.chandef = chandef;
3578 		} else {
3579 			wdev->u.ap.preset_chandef = chandef;
3580 		}
3581 		return 0;
3582 	case NL80211_IFTYPE_MESH_POINT:
3583 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3584 	case NL80211_IFTYPE_MONITOR:
3585 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3586 	default:
3587 		break;
3588 	}
3589 
3590 	return -EINVAL;
3591 }
3592 
3593 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3594 {
3595 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3596 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3597 	struct net_device *netdev = info->user_ptr[1];
3598 
3599 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3600 }
3601 
3602 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3603 {
3604 	struct cfg80211_registered_device *rdev = NULL;
3605 	struct net_device *netdev = NULL;
3606 	struct wireless_dev *wdev;
3607 	int result = 0, rem_txq_params = 0;
3608 	struct nlattr *nl_txq_params;
3609 	u32 changed;
3610 	u8 retry_short = 0, retry_long = 0;
3611 	u32 frag_threshold = 0, rts_threshold = 0;
3612 	u8 coverage_class = 0;
3613 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3614 
3615 	rtnl_lock();
3616 	/*
3617 	 * Try to find the wiphy and netdev. Normally this
3618 	 * function shouldn't need the netdev, but this is
3619 	 * done for backward compatibility -- previously
3620 	 * setting the channel was done per wiphy, but now
3621 	 * it is per netdev. Previous userland like hostapd
3622 	 * also passed a netdev to set_wiphy, so that it is
3623 	 * possible to let that go to the right netdev!
3624 	 */
3625 
3626 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3627 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3628 
3629 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3630 		if (netdev && netdev->ieee80211_ptr)
3631 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3632 		else
3633 			netdev = NULL;
3634 	}
3635 
3636 	if (!netdev) {
3637 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3638 						  info->attrs);
3639 		if (IS_ERR(rdev)) {
3640 			rtnl_unlock();
3641 			return PTR_ERR(rdev);
3642 		}
3643 		wdev = NULL;
3644 		netdev = NULL;
3645 		result = 0;
3646 	} else
3647 		wdev = netdev->ieee80211_ptr;
3648 
3649 	guard(wiphy)(&rdev->wiphy);
3650 
3651 	/*
3652 	 * end workaround code, by now the rdev is available
3653 	 * and locked, and wdev may or may not be NULL.
3654 	 */
3655 
3656 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3657 		result = cfg80211_dev_rename(
3658 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3659 	rtnl_unlock();
3660 
3661 	if (result)
3662 		return result;
3663 
3664 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3665 		struct ieee80211_txq_params txq_params;
3666 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3667 
3668 		if (!rdev->ops->set_txq_params)
3669 			return -EOPNOTSUPP;
3670 
3671 		if (!netdev)
3672 			return -EINVAL;
3673 
3674 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3675 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3676 			return -EINVAL;
3677 
3678 		if (!netif_running(netdev))
3679 			return -ENETDOWN;
3680 
3681 		nla_for_each_nested(nl_txq_params,
3682 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3683 				    rem_txq_params) {
3684 			result = nla_parse_nested_deprecated(tb,
3685 							     NL80211_TXQ_ATTR_MAX,
3686 							     nl_txq_params,
3687 							     txq_params_policy,
3688 							     info->extack);
3689 			if (result)
3690 				return result;
3691 
3692 			result = parse_txq_params(tb, &txq_params);
3693 			if (result)
3694 				return result;
3695 
3696 			txq_params.link_id =
3697 				nl80211_link_id_or_invalid(info->attrs);
3698 
3699 			if (txq_params.link_id >= 0 &&
3700 			    !(netdev->ieee80211_ptr->valid_links &
3701 			      BIT(txq_params.link_id)))
3702 				result = -ENOLINK;
3703 			else if (txq_params.link_id >= 0 &&
3704 				 !netdev->ieee80211_ptr->valid_links)
3705 				result = -EINVAL;
3706 			else
3707 				result = rdev_set_txq_params(rdev, netdev,
3708 							     &txq_params);
3709 			if (result)
3710 				return result;
3711 		}
3712 	}
3713 
3714 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3715 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3716 
3717 		if (wdev) {
3718 			result = __nl80211_set_channel(
3719 				rdev,
3720 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3721 				info, link_id);
3722 		} else {
3723 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3724 		}
3725 
3726 		if (result)
3727 			return result;
3728 	}
3729 
3730 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3731 		struct wireless_dev *txp_wdev = wdev;
3732 		enum nl80211_tx_power_setting type;
3733 		int idx, mbm = 0;
3734 
3735 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3736 			txp_wdev = NULL;
3737 
3738 		if (!rdev->ops->set_tx_power)
3739 			return -EOPNOTSUPP;
3740 
3741 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3742 		type = nla_get_u32(info->attrs[idx]);
3743 
3744 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3745 		    (type != NL80211_TX_POWER_AUTOMATIC))
3746 			return -EINVAL;
3747 
3748 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3749 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3750 			mbm = nla_get_u32(info->attrs[idx]);
3751 		}
3752 
3753 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3754 		if (result)
3755 			return result;
3756 	}
3757 
3758 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3759 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3760 		u32 tx_ant, rx_ant;
3761 
3762 		if ((!rdev->wiphy.available_antennas_tx &&
3763 		     !rdev->wiphy.available_antennas_rx) ||
3764 		    !rdev->ops->set_antenna)
3765 			return -EOPNOTSUPP;
3766 
3767 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3768 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3769 
3770 		/* reject antenna configurations which don't match the
3771 		 * available antenna masks, except for the "all" mask */
3772 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3773 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3774 			return -EINVAL;
3775 
3776 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3777 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3778 
3779 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3780 		if (result)
3781 			return result;
3782 	}
3783 
3784 	changed = 0;
3785 
3786 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3787 		retry_short = nla_get_u8(
3788 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3789 
3790 		changed |= WIPHY_PARAM_RETRY_SHORT;
3791 	}
3792 
3793 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3794 		retry_long = nla_get_u8(
3795 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3796 
3797 		changed |= WIPHY_PARAM_RETRY_LONG;
3798 	}
3799 
3800 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3801 		frag_threshold = nla_get_u32(
3802 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3803 		if (frag_threshold < 256)
3804 			return -EINVAL;
3805 
3806 		if (frag_threshold != (u32) -1) {
3807 			/*
3808 			 * Fragments (apart from the last one) are required to
3809 			 * have even length. Make the fragmentation code
3810 			 * simpler by stripping LSB should someone try to use
3811 			 * odd threshold value.
3812 			 */
3813 			frag_threshold &= ~0x1;
3814 		}
3815 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3816 	}
3817 
3818 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3819 		rts_threshold = nla_get_u32(
3820 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3821 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3822 	}
3823 
3824 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3825 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3826 			return -EINVAL;
3827 
3828 		coverage_class = nla_get_u8(
3829 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3830 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3831 	}
3832 
3833 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3834 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3835 			return -EOPNOTSUPP;
3836 
3837 		changed |= WIPHY_PARAM_DYN_ACK;
3838 	}
3839 
3840 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3841 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3842 					     NL80211_EXT_FEATURE_TXQS))
3843 			return -EOPNOTSUPP;
3844 
3845 		txq_limit = nla_get_u32(
3846 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3847 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3848 	}
3849 
3850 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3851 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3852 					     NL80211_EXT_FEATURE_TXQS))
3853 			return -EOPNOTSUPP;
3854 
3855 		txq_memory_limit = nla_get_u32(
3856 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3857 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3858 	}
3859 
3860 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3861 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3862 					     NL80211_EXT_FEATURE_TXQS))
3863 			return -EOPNOTSUPP;
3864 
3865 		txq_quantum = nla_get_u32(
3866 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3867 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3868 	}
3869 
3870 	if (changed) {
3871 		u8 old_retry_short, old_retry_long;
3872 		u32 old_frag_threshold, old_rts_threshold;
3873 		u8 old_coverage_class;
3874 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3875 
3876 		if (!rdev->ops->set_wiphy_params)
3877 			return -EOPNOTSUPP;
3878 
3879 		old_retry_short = rdev->wiphy.retry_short;
3880 		old_retry_long = rdev->wiphy.retry_long;
3881 		old_frag_threshold = rdev->wiphy.frag_threshold;
3882 		old_rts_threshold = rdev->wiphy.rts_threshold;
3883 		old_coverage_class = rdev->wiphy.coverage_class;
3884 		old_txq_limit = rdev->wiphy.txq_limit;
3885 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3886 		old_txq_quantum = rdev->wiphy.txq_quantum;
3887 
3888 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3889 			rdev->wiphy.retry_short = retry_short;
3890 		if (changed & WIPHY_PARAM_RETRY_LONG)
3891 			rdev->wiphy.retry_long = retry_long;
3892 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3893 			rdev->wiphy.frag_threshold = frag_threshold;
3894 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3895 			rdev->wiphy.rts_threshold = rts_threshold;
3896 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3897 			rdev->wiphy.coverage_class = coverage_class;
3898 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3899 			rdev->wiphy.txq_limit = txq_limit;
3900 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3901 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3902 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3903 			rdev->wiphy.txq_quantum = txq_quantum;
3904 
3905 		result = rdev_set_wiphy_params(rdev, changed);
3906 		if (result) {
3907 			rdev->wiphy.retry_short = old_retry_short;
3908 			rdev->wiphy.retry_long = old_retry_long;
3909 			rdev->wiphy.frag_threshold = old_frag_threshold;
3910 			rdev->wiphy.rts_threshold = old_rts_threshold;
3911 			rdev->wiphy.coverage_class = old_coverage_class;
3912 			rdev->wiphy.txq_limit = old_txq_limit;
3913 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3914 			rdev->wiphy.txq_quantum = old_txq_quantum;
3915 			return result;
3916 		}
3917 	}
3918 
3919 	return 0;
3920 }
3921 
3922 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3923 {
3924 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3925 		return -EINVAL;
3926 
3927 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3928 			chandef->chan->center_freq))
3929 		return -ENOBUFS;
3930 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3931 			chandef->chan->freq_offset))
3932 		return -ENOBUFS;
3933 	switch (chandef->width) {
3934 	case NL80211_CHAN_WIDTH_20_NOHT:
3935 	case NL80211_CHAN_WIDTH_20:
3936 	case NL80211_CHAN_WIDTH_40:
3937 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3938 				cfg80211_get_chandef_type(chandef)))
3939 			return -ENOBUFS;
3940 		break;
3941 	default:
3942 		break;
3943 	}
3944 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3945 		return -ENOBUFS;
3946 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3947 		return -ENOBUFS;
3948 	if (chandef->center_freq2 &&
3949 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3950 		return -ENOBUFS;
3951 	if (chandef->punctured &&
3952 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3953 		return -ENOBUFS;
3954 
3955 	return 0;
3956 }
3957 EXPORT_SYMBOL(nl80211_send_chandef);
3958 
3959 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3960 			      struct cfg80211_registered_device *rdev,
3961 			      struct wireless_dev *wdev,
3962 			      enum nl80211_commands cmd)
3963 {
3964 	struct net_device *dev = wdev->netdev;
3965 	void *hdr;
3966 
3967 	lockdep_assert_wiphy(&rdev->wiphy);
3968 
3969 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3970 		cmd != NL80211_CMD_DEL_INTERFACE &&
3971 		cmd != NL80211_CMD_SET_INTERFACE);
3972 
3973 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3974 	if (!hdr)
3975 		return -1;
3976 
3977 	if (dev &&
3978 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3979 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3980 		goto nla_put_failure;
3981 
3982 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3983 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3984 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3985 			      NL80211_ATTR_PAD) ||
3986 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3987 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3988 			rdev->devlist_generation ^
3989 			(cfg80211_rdev_list_generation << 2)) ||
3990 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
3991 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
3992 		goto nla_put_failure;
3993 
3994 	if (rdev->ops->get_channel && !wdev->valid_links) {
3995 		struct cfg80211_chan_def chandef = {};
3996 		int ret;
3997 
3998 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3999 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4000 			goto nla_put_failure;
4001 	}
4002 
4003 	if (rdev->ops->get_tx_power && !wdev->valid_links) {
4004 		int dbm, ret;
4005 
4006 		ret = rdev_get_tx_power(rdev, wdev, 0, &dbm);
4007 		if (ret == 0 &&
4008 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4009 				DBM_TO_MBM(dbm)))
4010 			goto nla_put_failure;
4011 	}
4012 
4013 	switch (wdev->iftype) {
4014 	case NL80211_IFTYPE_AP:
4015 	case NL80211_IFTYPE_P2P_GO:
4016 		if (wdev->u.ap.ssid_len &&
4017 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4018 			    wdev->u.ap.ssid))
4019 			goto nla_put_failure;
4020 		break;
4021 	case NL80211_IFTYPE_STATION:
4022 	case NL80211_IFTYPE_P2P_CLIENT:
4023 		if (wdev->u.client.ssid_len &&
4024 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4025 			    wdev->u.client.ssid))
4026 			goto nla_put_failure;
4027 		break;
4028 	case NL80211_IFTYPE_ADHOC:
4029 		if (wdev->u.ibss.ssid_len &&
4030 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4031 			    wdev->u.ibss.ssid))
4032 			goto nla_put_failure;
4033 		break;
4034 	default:
4035 		/* nothing */
4036 		break;
4037 	}
4038 
4039 	if (rdev->ops->get_txq_stats) {
4040 		struct cfg80211_txq_stats txqstats = {};
4041 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4042 
4043 		if (ret == 0 &&
4044 		    !nl80211_put_txq_stats(msg, &txqstats,
4045 					   NL80211_ATTR_TXQ_STATS))
4046 			goto nla_put_failure;
4047 	}
4048 
4049 	if (wdev->valid_links) {
4050 		unsigned int link_id;
4051 		struct nlattr *links = nla_nest_start(msg,
4052 						      NL80211_ATTR_MLO_LINKS);
4053 
4054 		if (!links)
4055 			goto nla_put_failure;
4056 
4057 		for_each_valid_link(wdev, link_id) {
4058 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4059 			struct cfg80211_chan_def chandef = {};
4060 			int ret;
4061 
4062 			if (!link)
4063 				goto nla_put_failure;
4064 
4065 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4066 				goto nla_put_failure;
4067 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4068 				    wdev->links[link_id].addr))
4069 				goto nla_put_failure;
4070 
4071 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4072 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4073 				goto nla_put_failure;
4074 
4075 			if (rdev->ops->get_tx_power) {
4076 				int dbm, ret;
4077 
4078 				ret = rdev_get_tx_power(rdev, wdev, link_id, &dbm);
4079 				if (ret == 0 &&
4080 				    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4081 						DBM_TO_MBM(dbm)))
4082 					goto nla_put_failure;
4083 			}
4084 			nla_nest_end(msg, link);
4085 		}
4086 
4087 		nla_nest_end(msg, links);
4088 	}
4089 
4090 	genlmsg_end(msg, hdr);
4091 	return 0;
4092 
4093  nla_put_failure:
4094 	genlmsg_cancel(msg, hdr);
4095 	return -EMSGSIZE;
4096 }
4097 
4098 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4099 {
4100 	int wp_idx = 0;
4101 	int if_idx = 0;
4102 	int wp_start = cb->args[0];
4103 	int if_start = cb->args[1];
4104 	int filter_wiphy = -1;
4105 	struct cfg80211_registered_device *rdev;
4106 	struct wireless_dev *wdev;
4107 	int ret;
4108 
4109 	rtnl_lock();
4110 	if (!cb->args[2]) {
4111 		struct nl80211_dump_wiphy_state state = {
4112 			.filter_wiphy = -1,
4113 		};
4114 
4115 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4116 		if (ret)
4117 			goto out_unlock;
4118 
4119 		filter_wiphy = state.filter_wiphy;
4120 
4121 		/*
4122 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4123 		 * value needed to determine that parsing is necessary.
4124 		 */
4125 		if (filter_wiphy >= 0)
4126 			cb->args[2] = filter_wiphy + 1;
4127 		else
4128 			cb->args[2] = -1;
4129 	} else if (cb->args[2] > 0) {
4130 		filter_wiphy = cb->args[2] - 1;
4131 	}
4132 
4133 	for_each_rdev(rdev) {
4134 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4135 			continue;
4136 		if (wp_idx < wp_start) {
4137 			wp_idx++;
4138 			continue;
4139 		}
4140 
4141 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4142 			continue;
4143 
4144 		if_idx = 0;
4145 
4146 		guard(wiphy)(&rdev->wiphy);
4147 
4148 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4149 			if (if_idx < if_start) {
4150 				if_idx++;
4151 				continue;
4152 			}
4153 
4154 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4155 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4156 					       rdev, wdev,
4157 					       NL80211_CMD_NEW_INTERFACE) < 0)
4158 				goto out;
4159 
4160 			if_idx++;
4161 		}
4162 
4163 		if_start = 0;
4164 		wp_idx++;
4165 	}
4166  out:
4167 	cb->args[0] = wp_idx;
4168 	cb->args[1] = if_idx;
4169 
4170 	ret = skb->len;
4171  out_unlock:
4172 	rtnl_unlock();
4173 
4174 	return ret;
4175 }
4176 
4177 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4178 {
4179 	struct sk_buff *msg;
4180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4181 	struct wireless_dev *wdev = info->user_ptr[1];
4182 
4183 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4184 	if (!msg)
4185 		return -ENOMEM;
4186 
4187 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4188 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4189 		nlmsg_free(msg);
4190 		return -ENOBUFS;
4191 	}
4192 
4193 	return genlmsg_reply(msg, info);
4194 }
4195 
4196 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4197 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4198 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4199 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4200 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4201 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4202 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4203 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4204 };
4205 
4206 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4207 {
4208 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4209 	int flag;
4210 
4211 	*mntrflags = 0;
4212 
4213 	if (!nla)
4214 		return -EINVAL;
4215 
4216 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4217 		return -EINVAL;
4218 
4219 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4220 		if (flags[flag])
4221 			*mntrflags |= (1<<flag);
4222 
4223 	*mntrflags |= MONITOR_FLAG_CHANGED;
4224 
4225 	return 0;
4226 }
4227 
4228 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4229 				     enum nl80211_iftype type,
4230 				     struct genl_info *info,
4231 				     struct vif_params *params)
4232 {
4233 	bool change = false;
4234 	int err;
4235 
4236 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4237 		if (type != NL80211_IFTYPE_MONITOR)
4238 			return -EINVAL;
4239 
4240 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4241 					  &params->flags);
4242 		if (err)
4243 			return err;
4244 
4245 		change = true;
4246 	}
4247 
4248 	/* MONITOR_FLAG_COOK_FRAMES is deprecated, refuse cooperation */
4249 	if (params->flags & MONITOR_FLAG_COOK_FRAMES)
4250 		return -EOPNOTSUPP;
4251 
4252 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4253 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4254 		return -EOPNOTSUPP;
4255 
4256 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4257 		const u8 *mumimo_groups;
4258 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4259 
4260 		if (type != NL80211_IFTYPE_MONITOR)
4261 			return -EINVAL;
4262 
4263 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4264 			return -EOPNOTSUPP;
4265 
4266 		mumimo_groups =
4267 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4268 
4269 		/* bits 0 and 63 are reserved and must be zero */
4270 		if ((mumimo_groups[0] & BIT(0)) ||
4271 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4272 			return -EINVAL;
4273 
4274 		params->vht_mumimo_groups = mumimo_groups;
4275 		change = true;
4276 	}
4277 
4278 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4279 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4280 
4281 		if (type != NL80211_IFTYPE_MONITOR)
4282 			return -EINVAL;
4283 
4284 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4285 			return -EOPNOTSUPP;
4286 
4287 		params->vht_mumimo_follow_addr =
4288 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4289 		change = true;
4290 	}
4291 
4292 	return change ? 1 : 0;
4293 }
4294 
4295 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4296 			       struct net_device *netdev, u8 use_4addr,
4297 			       enum nl80211_iftype iftype)
4298 {
4299 	if (!use_4addr) {
4300 		if (netdev && netif_is_bridge_port(netdev))
4301 			return -EBUSY;
4302 		return 0;
4303 	}
4304 
4305 	switch (iftype) {
4306 	case NL80211_IFTYPE_AP_VLAN:
4307 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4308 			return 0;
4309 		break;
4310 	case NL80211_IFTYPE_STATION:
4311 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4312 			return 0;
4313 		break;
4314 	default:
4315 		break;
4316 	}
4317 
4318 	return -EOPNOTSUPP;
4319 }
4320 
4321 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4322 					u32 *radio_mask)
4323 {
4324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4325 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4326 	u32 mask, allowed;
4327 
4328 	if (!attr) {
4329 		*radio_mask = 0;
4330 		return 0;
4331 	}
4332 
4333 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4334 	mask = nla_get_u32(attr);
4335 	if (mask & ~allowed)
4336 		return -EINVAL;
4337 	if (!mask)
4338 		mask = allowed;
4339 	*radio_mask = mask;
4340 
4341 	return 1;
4342 }
4343 
4344 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4345 {
4346 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4347 	struct vif_params params;
4348 	int err;
4349 	enum nl80211_iftype otype, ntype;
4350 	struct net_device *dev = info->user_ptr[1];
4351 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4352 	u32 radio_mask = 0;
4353 	bool change = false;
4354 
4355 	memset(&params, 0, sizeof(params));
4356 
4357 	otype = ntype = dev->ieee80211_ptr->iftype;
4358 
4359 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4360 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4361 		if (otype != ntype)
4362 			change = true;
4363 	}
4364 
4365 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4366 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4367 			return -EINVAL;
4368 		if (otype != NL80211_IFTYPE_MESH_POINT)
4369 			return -EINVAL;
4370 		if (netif_running(dev))
4371 			return -EBUSY;
4372 
4373 		wdev->u.mesh.id_up_len =
4374 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4375 		memcpy(wdev->u.mesh.id,
4376 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4377 		       wdev->u.mesh.id_up_len);
4378 	}
4379 
4380 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4381 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4382 		change = true;
4383 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4384 		if (err)
4385 			return err;
4386 	} else {
4387 		params.use_4addr = -1;
4388 	}
4389 
4390 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4391 	if (err < 0)
4392 		return err;
4393 	if (err > 0)
4394 		change = true;
4395 
4396 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4397 	if (err < 0)
4398 		return err;
4399 	if (err && netif_running(dev))
4400 		return -EBUSY;
4401 
4402 	if (change)
4403 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4404 	else
4405 		err = 0;
4406 
4407 	if (!err && params.use_4addr != -1)
4408 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4409 
4410 	if (radio_mask)
4411 		wdev->radio_mask = radio_mask;
4412 
4413 	if (change && !err)
4414 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4415 
4416 	return err;
4417 }
4418 
4419 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4420 {
4421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4422 	struct vif_params params;
4423 	struct wireless_dev *wdev;
4424 	struct sk_buff *msg;
4425 	u32 radio_mask;
4426 	int err;
4427 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4428 
4429 	memset(&params, 0, sizeof(params));
4430 
4431 	if (!info->attrs[NL80211_ATTR_IFNAME])
4432 		return -EINVAL;
4433 
4434 	if (info->attrs[NL80211_ATTR_IFTYPE])
4435 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4436 
4437 	if (!rdev->ops->add_virtual_intf)
4438 		return -EOPNOTSUPP;
4439 
4440 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4441 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4442 	    info->attrs[NL80211_ATTR_MAC]) {
4443 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4444 			   ETH_ALEN);
4445 		if (!is_valid_ether_addr(params.macaddr))
4446 			return -EADDRNOTAVAIL;
4447 	}
4448 
4449 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4450 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4451 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4452 		if (err)
4453 			return err;
4454 	}
4455 
4456 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4457 		return -EOPNOTSUPP;
4458 
4459 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4460 	if (err < 0)
4461 		return err;
4462 
4463 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4464 	if (err < 0)
4465 		return err;
4466 
4467 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4468 	if (!msg)
4469 		return -ENOMEM;
4470 
4471 	wdev = rdev_add_virtual_intf(rdev,
4472 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4473 				NET_NAME_USER, type, &params);
4474 	if (WARN_ON(!wdev)) {
4475 		nlmsg_free(msg);
4476 		return -EPROTO;
4477 	} else if (IS_ERR(wdev)) {
4478 		nlmsg_free(msg);
4479 		return PTR_ERR(wdev);
4480 	}
4481 
4482 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4483 		wdev->owner_nlportid = info->snd_portid;
4484 
4485 	switch (type) {
4486 	case NL80211_IFTYPE_MESH_POINT:
4487 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4488 			break;
4489 		wdev->u.mesh.id_up_len =
4490 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4491 		memcpy(wdev->u.mesh.id,
4492 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4493 		       wdev->u.mesh.id_up_len);
4494 		break;
4495 	case NL80211_IFTYPE_NAN:
4496 	case NL80211_IFTYPE_P2P_DEVICE:
4497 		/*
4498 		 * P2P Device and NAN do not have a netdev, so don't go
4499 		 * through the netdev notifier and must be added here
4500 		 */
4501 		cfg80211_init_wdev(wdev);
4502 		cfg80211_register_wdev(rdev, wdev);
4503 		break;
4504 	default:
4505 		break;
4506 	}
4507 
4508 	if (radio_mask)
4509 		wdev->radio_mask = radio_mask;
4510 
4511 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4512 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4513 		nlmsg_free(msg);
4514 		return -ENOBUFS;
4515 	}
4516 
4517 	return genlmsg_reply(msg, info);
4518 }
4519 
4520 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4521 {
4522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4523 
4524 	/* to avoid failing a new interface creation due to pending removal */
4525 	cfg80211_destroy_ifaces(rdev);
4526 
4527 	guard(wiphy)(&rdev->wiphy);
4528 
4529 	return _nl80211_new_interface(skb, info);
4530 }
4531 
4532 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4533 {
4534 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4535 	struct wireless_dev *wdev = info->user_ptr[1];
4536 
4537 	if (!rdev->ops->del_virtual_intf)
4538 		return -EOPNOTSUPP;
4539 
4540 	/*
4541 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4542 	 * reach 0, and thus the rdev cannot be deleted.
4543 	 *
4544 	 * We need to do it for the dev_close(), since that will call
4545 	 * the netdev notifiers, and we need to acquire the mutex there
4546 	 * but don't know if we get there from here or from some other
4547 	 * place (e.g. "ip link set ... down").
4548 	 */
4549 	mutex_unlock(&rdev->wiphy.mtx);
4550 
4551 	/*
4552 	 * If we remove a wireless device without a netdev then clear
4553 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4554 	 * to check if it needs to do dev_put(). Otherwise it crashes
4555 	 * since the wdev has been freed, unlike with a netdev where
4556 	 * we need the dev_put() for the netdev to really be freed.
4557 	 */
4558 	if (!wdev->netdev)
4559 		info->user_ptr[1] = NULL;
4560 	else
4561 		dev_close(wdev->netdev);
4562 
4563 	mutex_lock(&rdev->wiphy.mtx);
4564 
4565 	return cfg80211_remove_virtual_intf(rdev, wdev);
4566 }
4567 
4568 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4569 {
4570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4571 	struct net_device *dev = info->user_ptr[1];
4572 	u16 noack_map;
4573 
4574 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4575 		return -EINVAL;
4576 
4577 	if (!rdev->ops->set_noack_map)
4578 		return -EOPNOTSUPP;
4579 
4580 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4581 
4582 	return rdev_set_noack_map(rdev, dev, noack_map);
4583 }
4584 
4585 static int nl80211_validate_key_link_id(struct genl_info *info,
4586 					struct wireless_dev *wdev,
4587 					int link_id, bool pairwise)
4588 {
4589 	if (pairwise) {
4590 		if (link_id != -1) {
4591 			GENL_SET_ERR_MSG(info,
4592 					 "link ID not allowed for pairwise key");
4593 			return -EINVAL;
4594 		}
4595 
4596 		return 0;
4597 	}
4598 
4599 	if (wdev->valid_links) {
4600 		if (link_id == -1) {
4601 			GENL_SET_ERR_MSG(info,
4602 					 "link ID must for MLO group key");
4603 			return -EINVAL;
4604 		}
4605 		if (!(wdev->valid_links & BIT(link_id))) {
4606 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4607 			return -EINVAL;
4608 		}
4609 	} else if (link_id != -1) {
4610 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4611 		return -EINVAL;
4612 	}
4613 
4614 	return 0;
4615 }
4616 
4617 struct get_key_cookie {
4618 	struct sk_buff *msg;
4619 	int error;
4620 	int idx;
4621 };
4622 
4623 static void get_key_callback(void *c, struct key_params *params)
4624 {
4625 	struct nlattr *key;
4626 	struct get_key_cookie *cookie = c;
4627 
4628 	if ((params->seq &&
4629 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4630 		     params->seq_len, params->seq)) ||
4631 	    (params->cipher &&
4632 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4633 			 params->cipher)))
4634 		goto nla_put_failure;
4635 
4636 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4637 	if (!key)
4638 		goto nla_put_failure;
4639 
4640 	if ((params->seq &&
4641 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4642 		     params->seq_len, params->seq)) ||
4643 	    (params->cipher &&
4644 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4645 			 params->cipher)))
4646 		goto nla_put_failure;
4647 
4648 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4649 		goto nla_put_failure;
4650 
4651 	nla_nest_end(cookie->msg, key);
4652 
4653 	return;
4654  nla_put_failure:
4655 	cookie->error = 1;
4656 }
4657 
4658 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4659 {
4660 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4661 	int err;
4662 	struct net_device *dev = info->user_ptr[1];
4663 	u8 key_idx = 0;
4664 	const u8 *mac_addr = NULL;
4665 	bool pairwise;
4666 	struct get_key_cookie cookie = {
4667 		.error = 0,
4668 	};
4669 	void *hdr;
4670 	struct sk_buff *msg;
4671 	bool bigtk_support = false;
4672 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4673 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4674 
4675 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4676 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4677 		bigtk_support = true;
4678 
4679 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4680 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4681 	    wiphy_ext_feature_isset(&rdev->wiphy,
4682 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4683 		bigtk_support = true;
4684 
4685 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4686 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4687 
4688 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4689 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4690 			return -EINVAL;
4691 		}
4692 	}
4693 
4694 	if (info->attrs[NL80211_ATTR_MAC])
4695 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4696 
4697 	pairwise = !!mac_addr;
4698 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4699 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4700 
4701 		if (kt != NL80211_KEYTYPE_GROUP &&
4702 		    kt != NL80211_KEYTYPE_PAIRWISE)
4703 			return -EINVAL;
4704 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4705 	}
4706 
4707 	if (!rdev->ops->get_key)
4708 		return -EOPNOTSUPP;
4709 
4710 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4711 		return -ENOENT;
4712 
4713 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4714 	if (!msg)
4715 		return -ENOMEM;
4716 
4717 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4718 			     NL80211_CMD_NEW_KEY);
4719 	if (!hdr)
4720 		goto nla_put_failure;
4721 
4722 	cookie.msg = msg;
4723 	cookie.idx = key_idx;
4724 
4725 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4726 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4727 		goto nla_put_failure;
4728 	if (mac_addr &&
4729 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4730 		goto nla_put_failure;
4731 
4732 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4733 	if (err)
4734 		goto free_msg;
4735 
4736 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4737 			   &cookie, get_key_callback);
4738 
4739 	if (err)
4740 		goto free_msg;
4741 
4742 	if (cookie.error)
4743 		goto nla_put_failure;
4744 
4745 	genlmsg_end(msg, hdr);
4746 	return genlmsg_reply(msg, info);
4747 
4748  nla_put_failure:
4749 	err = -ENOBUFS;
4750  free_msg:
4751 	nlmsg_free(msg);
4752 	return err;
4753 }
4754 
4755 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4756 {
4757 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4758 	struct key_parse key;
4759 	int err;
4760 	struct net_device *dev = info->user_ptr[1];
4761 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4763 
4764 	err = nl80211_parse_key(info, &key);
4765 	if (err)
4766 		return err;
4767 
4768 	if (key.idx < 0)
4769 		return -EINVAL;
4770 
4771 	/* Only support setting default key and
4772 	 * Extended Key ID action NL80211_KEY_SET_TX.
4773 	 */
4774 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4775 	    !(key.p.mode == NL80211_KEY_SET_TX))
4776 		return -EINVAL;
4777 
4778 	if (key.def) {
4779 		if (!rdev->ops->set_default_key)
4780 			return -EOPNOTSUPP;
4781 
4782 		err = nl80211_key_allowed(wdev);
4783 		if (err)
4784 			return err;
4785 
4786 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4787 		if (err)
4788 			return err;
4789 
4790 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4791 					   key.def_uni, key.def_multi);
4792 
4793 		if (err)
4794 			return err;
4795 
4796 #ifdef CONFIG_CFG80211_WEXT
4797 		wdev->wext.default_key = key.idx;
4798 #endif
4799 		return 0;
4800 	} else if (key.defmgmt) {
4801 		if (key.def_uni || !key.def_multi)
4802 			return -EINVAL;
4803 
4804 		if (!rdev->ops->set_default_mgmt_key)
4805 			return -EOPNOTSUPP;
4806 
4807 		err = nl80211_key_allowed(wdev);
4808 		if (err)
4809 			return err;
4810 
4811 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4812 		if (err)
4813 			return err;
4814 
4815 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4816 		if (err)
4817 			return err;
4818 
4819 #ifdef CONFIG_CFG80211_WEXT
4820 		wdev->wext.default_mgmt_key = key.idx;
4821 #endif
4822 		return 0;
4823 	} else if (key.defbeacon) {
4824 		if (key.def_uni || !key.def_multi)
4825 			return -EINVAL;
4826 
4827 		if (!rdev->ops->set_default_beacon_key)
4828 			return -EOPNOTSUPP;
4829 
4830 		err = nl80211_key_allowed(wdev);
4831 		if (err)
4832 			return err;
4833 
4834 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4835 		if (err)
4836 			return err;
4837 
4838 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4839 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4840 		   wiphy_ext_feature_isset(&rdev->wiphy,
4841 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4842 		u8 *mac_addr = NULL;
4843 
4844 		if (info->attrs[NL80211_ATTR_MAC])
4845 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4846 
4847 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4848 			return -EINVAL;
4849 
4850 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4851 		if (err)
4852 			return err;
4853 
4854 		return rdev_add_key(rdev, dev, link_id, key.idx,
4855 				    NL80211_KEYTYPE_PAIRWISE,
4856 				    mac_addr, &key.p);
4857 	}
4858 
4859 	return -EINVAL;
4860 }
4861 
4862 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4863 {
4864 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4865 	int err;
4866 	struct net_device *dev = info->user_ptr[1];
4867 	struct key_parse key;
4868 	const u8 *mac_addr = NULL;
4869 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4870 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4871 
4872 	err = nl80211_parse_key(info, &key);
4873 	if (err)
4874 		return err;
4875 
4876 	if (!key.p.key) {
4877 		GENL_SET_ERR_MSG(info, "no key");
4878 		return -EINVAL;
4879 	}
4880 
4881 	if (info->attrs[NL80211_ATTR_MAC])
4882 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4883 
4884 	if (key.type == -1) {
4885 		if (mac_addr)
4886 			key.type = NL80211_KEYTYPE_PAIRWISE;
4887 		else
4888 			key.type = NL80211_KEYTYPE_GROUP;
4889 	}
4890 
4891 	/* for now */
4892 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4893 	    key.type != NL80211_KEYTYPE_GROUP) {
4894 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4895 		return -EINVAL;
4896 	}
4897 
4898 	if (key.type == NL80211_KEYTYPE_GROUP &&
4899 	    info->attrs[NL80211_ATTR_VLAN_ID])
4900 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4901 
4902 	if (!rdev->ops->add_key)
4903 		return -EOPNOTSUPP;
4904 
4905 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4906 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4907 					   mac_addr)) {
4908 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4909 		return -EINVAL;
4910 	}
4911 
4912 	err = nl80211_key_allowed(wdev);
4913 	if (err)
4914 		GENL_SET_ERR_MSG(info, "key not allowed");
4915 
4916 	if (!err)
4917 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4918 				key.type == NL80211_KEYTYPE_PAIRWISE);
4919 
4920 	if (!err) {
4921 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4922 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4923 				    mac_addr, &key.p);
4924 		if (err)
4925 			GENL_SET_ERR_MSG(info, "key addition failed");
4926 	}
4927 
4928 	return err;
4929 }
4930 
4931 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4932 {
4933 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4934 	int err;
4935 	struct net_device *dev = info->user_ptr[1];
4936 	u8 *mac_addr = NULL;
4937 	struct key_parse key;
4938 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4939 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4940 
4941 	err = nl80211_parse_key(info, &key);
4942 	if (err)
4943 		return err;
4944 
4945 	if (info->attrs[NL80211_ATTR_MAC])
4946 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4947 
4948 	if (key.type == -1) {
4949 		if (mac_addr)
4950 			key.type = NL80211_KEYTYPE_PAIRWISE;
4951 		else
4952 			key.type = NL80211_KEYTYPE_GROUP;
4953 	}
4954 
4955 	/* for now */
4956 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4957 	    key.type != NL80211_KEYTYPE_GROUP)
4958 		return -EINVAL;
4959 
4960 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4961 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4962 		return -EINVAL;
4963 
4964 	if (!rdev->ops->del_key)
4965 		return -EOPNOTSUPP;
4966 
4967 	err = nl80211_key_allowed(wdev);
4968 
4969 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4970 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4971 		err = -ENOENT;
4972 
4973 	if (!err)
4974 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4975 				key.type == NL80211_KEYTYPE_PAIRWISE);
4976 
4977 	if (!err)
4978 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4979 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4980 				   mac_addr);
4981 
4982 #ifdef CONFIG_CFG80211_WEXT
4983 	if (!err) {
4984 		if (key.idx == wdev->wext.default_key)
4985 			wdev->wext.default_key = -1;
4986 		else if (key.idx == wdev->wext.default_mgmt_key)
4987 			wdev->wext.default_mgmt_key = -1;
4988 	}
4989 #endif
4990 
4991 	return err;
4992 }
4993 
4994 /* This function returns an error or the number of nested attributes */
4995 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4996 {
4997 	struct nlattr *attr;
4998 	int n_entries = 0, tmp;
4999 
5000 	nla_for_each_nested(attr, nl_attr, tmp) {
5001 		if (nla_len(attr) != ETH_ALEN)
5002 			return -EINVAL;
5003 
5004 		n_entries++;
5005 	}
5006 
5007 	return n_entries;
5008 }
5009 
5010 /*
5011  * This function parses ACL information and allocates memory for ACL data.
5012  * On successful return, the calling function is responsible to free the
5013  * ACL buffer returned by this function.
5014  */
5015 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5016 						struct genl_info *info)
5017 {
5018 	enum nl80211_acl_policy acl_policy;
5019 	struct nlattr *attr;
5020 	struct cfg80211_acl_data *acl;
5021 	int i = 0, n_entries, tmp;
5022 
5023 	if (!wiphy->max_acl_mac_addrs)
5024 		return ERR_PTR(-EOPNOTSUPP);
5025 
5026 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5027 		return ERR_PTR(-EINVAL);
5028 
5029 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5030 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5031 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5032 		return ERR_PTR(-EINVAL);
5033 
5034 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5035 		return ERR_PTR(-EINVAL);
5036 
5037 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5038 	if (n_entries < 0)
5039 		return ERR_PTR(n_entries);
5040 
5041 	if (n_entries > wiphy->max_acl_mac_addrs)
5042 		return ERR_PTR(-EOPNOTSUPP);
5043 
5044 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5045 	if (!acl)
5046 		return ERR_PTR(-ENOMEM);
5047 	acl->n_acl_entries = n_entries;
5048 
5049 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5050 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5051 		i++;
5052 	}
5053 	acl->acl_policy = acl_policy;
5054 
5055 	return acl;
5056 }
5057 
5058 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5059 {
5060 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5061 	struct net_device *dev = info->user_ptr[1];
5062 	struct cfg80211_acl_data *acl;
5063 	int err;
5064 
5065 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5066 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5067 		return -EOPNOTSUPP;
5068 
5069 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5070 		return -EINVAL;
5071 
5072 	acl = parse_acl_data(&rdev->wiphy, info);
5073 	if (IS_ERR(acl))
5074 		return PTR_ERR(acl);
5075 
5076 	err = rdev_set_mac_acl(rdev, dev, acl);
5077 
5078 	kfree(acl);
5079 
5080 	return err;
5081 }
5082 
5083 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5084 			   u8 *rates, u8 rates_len)
5085 {
5086 	u8 i;
5087 	u32 mask = 0;
5088 
5089 	for (i = 0; i < rates_len; i++) {
5090 		int rate = (rates[i] & 0x7f) * 5;
5091 		int ridx;
5092 
5093 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5094 			struct ieee80211_rate *srate =
5095 				&sband->bitrates[ridx];
5096 			if (rate == srate->bitrate) {
5097 				mask |= 1 << ridx;
5098 				break;
5099 			}
5100 		}
5101 		if (ridx == sband->n_bitrates)
5102 			return 0; /* rate not found */
5103 	}
5104 
5105 	return mask;
5106 }
5107 
5108 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5109 			       u8 *rates, u8 rates_len,
5110 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5111 {
5112 	u8 i;
5113 
5114 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5115 
5116 	for (i = 0; i < rates_len; i++) {
5117 		int ridx, rbit;
5118 
5119 		ridx = rates[i] / 8;
5120 		rbit = BIT(rates[i] % 8);
5121 
5122 		/* check validity */
5123 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5124 			return false;
5125 
5126 		/* check availability */
5127 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5128 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5129 			mcs[ridx] |= rbit;
5130 		else
5131 			return false;
5132 	}
5133 
5134 	return true;
5135 }
5136 
5137 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5138 {
5139 	u16 mcs_mask = 0;
5140 
5141 	switch (vht_mcs_map) {
5142 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5143 		break;
5144 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5145 		mcs_mask = 0x00FF;
5146 		break;
5147 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5148 		mcs_mask = 0x01FF;
5149 		break;
5150 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5151 		mcs_mask = 0x03FF;
5152 		break;
5153 	default:
5154 		break;
5155 	}
5156 
5157 	return mcs_mask;
5158 }
5159 
5160 static void vht_build_mcs_mask(u16 vht_mcs_map,
5161 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5162 {
5163 	u8 nss;
5164 
5165 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5166 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5167 		vht_mcs_map >>= 2;
5168 	}
5169 }
5170 
5171 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5172 			     struct nl80211_txrate_vht *txrate,
5173 			     u16 mcs[NL80211_VHT_NSS_MAX])
5174 {
5175 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5176 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5177 	u8 i;
5178 
5179 	if (!sband->vht_cap.vht_supported)
5180 		return false;
5181 
5182 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5183 
5184 	/* Build vht_mcs_mask from VHT capabilities */
5185 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5186 
5187 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5188 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5189 			mcs[i] = txrate->mcs[i];
5190 		else
5191 			return false;
5192 	}
5193 
5194 	return true;
5195 }
5196 
5197 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5198 {
5199 	switch (he_mcs_map) {
5200 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5201 		return 0;
5202 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5203 		return 0x00FF;
5204 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5205 		return 0x03FF;
5206 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5207 		return 0xFFF;
5208 	default:
5209 		break;
5210 	}
5211 	return 0;
5212 }
5213 
5214 static void he_build_mcs_mask(u16 he_mcs_map,
5215 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5216 {
5217 	u8 nss;
5218 
5219 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5220 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5221 		he_mcs_map >>= 2;
5222 	}
5223 }
5224 
5225 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5226 			   const struct ieee80211_sta_he_cap *he_cap)
5227 {
5228 	struct net_device *dev = info->user_ptr[1];
5229 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5230 	struct cfg80211_chan_def *chandef;
5231 	__le16 tx_mcs;
5232 
5233 	chandef = wdev_chandef(wdev, link_id);
5234 	if (!chandef) {
5235 		/*
5236 		 * This is probably broken, but we never maintained
5237 		 * a chandef in these cases, so it always was.
5238 		 */
5239 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5240 	}
5241 
5242 	switch (chandef->width) {
5243 	case NL80211_CHAN_WIDTH_80P80:
5244 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5245 		break;
5246 	case NL80211_CHAN_WIDTH_160:
5247 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5248 		break;
5249 	default:
5250 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5251 		break;
5252 	}
5253 
5254 	return le16_to_cpu(tx_mcs);
5255 }
5256 
5257 static bool he_set_mcs_mask(struct genl_info *info,
5258 			    struct wireless_dev *wdev,
5259 			    struct ieee80211_supported_band *sband,
5260 			    struct nl80211_txrate_he *txrate,
5261 			    u16 mcs[NL80211_HE_NSS_MAX],
5262 			    unsigned int link_id)
5263 {
5264 	const struct ieee80211_sta_he_cap *he_cap;
5265 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5266 	u16 tx_mcs_map = 0;
5267 	u8 i;
5268 
5269 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5270 	if (!he_cap)
5271 		return false;
5272 
5273 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5274 
5275 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5276 
5277 	/* Build he_mcs_mask from HE capabilities */
5278 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5279 
5280 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5281 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5282 			mcs[i] = txrate->mcs[i];
5283 		else
5284 			return false;
5285 	}
5286 
5287 	return true;
5288 }
5289 
5290 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5291 					 struct nlattr *attrs[],
5292 					 enum nl80211_attrs attr,
5293 					 struct cfg80211_bitrate_mask *mask,
5294 					 struct net_device *dev,
5295 					 bool default_all_enabled,
5296 					 unsigned int link_id)
5297 {
5298 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5299 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5300 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5301 	int rem, i;
5302 	struct nlattr *tx_rates;
5303 	struct ieee80211_supported_band *sband;
5304 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5305 
5306 	memset(mask, 0, sizeof(*mask));
5307 	/* Default to all rates enabled */
5308 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5309 		const struct ieee80211_sta_he_cap *he_cap;
5310 
5311 		if (!default_all_enabled)
5312 			break;
5313 
5314 		sband = rdev->wiphy.bands[i];
5315 
5316 		if (!sband)
5317 			continue;
5318 
5319 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5320 		memcpy(mask->control[i].ht_mcs,
5321 		       sband->ht_cap.mcs.rx_mask,
5322 		       sizeof(mask->control[i].ht_mcs));
5323 
5324 		if (sband->vht_cap.vht_supported) {
5325 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5326 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5327 		}
5328 
5329 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5330 		if (!he_cap)
5331 			continue;
5332 
5333 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5334 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5335 
5336 		mask->control[i].he_gi = 0xFF;
5337 		mask->control[i].he_ltf = 0xFF;
5338 	}
5339 
5340 	/* if no rates are given set it back to the defaults */
5341 	if (!attrs[attr])
5342 		goto out;
5343 
5344 	/* The nested attribute uses enum nl80211_band as the index. This maps
5345 	 * directly to the enum nl80211_band values used in cfg80211.
5346 	 */
5347 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5348 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5349 		enum nl80211_band band = nla_type(tx_rates);
5350 		int err;
5351 
5352 		if (band < 0 || band >= NUM_NL80211_BANDS)
5353 			return -EINVAL;
5354 		sband = rdev->wiphy.bands[band];
5355 		if (sband == NULL)
5356 			return -EINVAL;
5357 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5358 						  tx_rates,
5359 						  nl80211_txattr_policy,
5360 						  info->extack);
5361 		if (err)
5362 			return err;
5363 		if (tb[NL80211_TXRATE_LEGACY]) {
5364 			mask->control[band].legacy = rateset_to_mask(
5365 				sband,
5366 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5367 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5368 			if ((mask->control[band].legacy == 0) &&
5369 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5370 				return -EINVAL;
5371 		}
5372 		if (tb[NL80211_TXRATE_HT]) {
5373 			if (!ht_rateset_to_mask(
5374 					sband,
5375 					nla_data(tb[NL80211_TXRATE_HT]),
5376 					nla_len(tb[NL80211_TXRATE_HT]),
5377 					mask->control[band].ht_mcs))
5378 				return -EINVAL;
5379 		}
5380 
5381 		if (tb[NL80211_TXRATE_VHT]) {
5382 			if (!vht_set_mcs_mask(
5383 					sband,
5384 					nla_data(tb[NL80211_TXRATE_VHT]),
5385 					mask->control[band].vht_mcs))
5386 				return -EINVAL;
5387 		}
5388 
5389 		if (tb[NL80211_TXRATE_GI]) {
5390 			mask->control[band].gi =
5391 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5392 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5393 				return -EINVAL;
5394 		}
5395 		if (tb[NL80211_TXRATE_HE] &&
5396 		    !he_set_mcs_mask(info, wdev, sband,
5397 				     nla_data(tb[NL80211_TXRATE_HE]),
5398 				     mask->control[band].he_mcs,
5399 				     link_id))
5400 			return -EINVAL;
5401 
5402 		if (tb[NL80211_TXRATE_HE_GI])
5403 			mask->control[band].he_gi =
5404 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5405 		if (tb[NL80211_TXRATE_HE_LTF])
5406 			mask->control[band].he_ltf =
5407 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5408 
5409 		if (mask->control[band].legacy == 0) {
5410 			/* don't allow empty legacy rates if HT, VHT or HE
5411 			 * are not even supported.
5412 			 */
5413 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5414 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5415 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5416 				return -EINVAL;
5417 
5418 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5419 				if (mask->control[band].ht_mcs[i])
5420 					goto out;
5421 
5422 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5423 				if (mask->control[band].vht_mcs[i])
5424 					goto out;
5425 
5426 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5427 				if (mask->control[band].he_mcs[i])
5428 					goto out;
5429 
5430 			/* legacy and mcs rates may not be both empty */
5431 			return -EINVAL;
5432 		}
5433 	}
5434 
5435 out:
5436 	return 0;
5437 }
5438 
5439 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5440 				   enum nl80211_band band,
5441 				   struct cfg80211_bitrate_mask *beacon_rate)
5442 {
5443 	u32 count_ht, count_vht, count_he, i;
5444 	u32 rate = beacon_rate->control[band].legacy;
5445 
5446 	/* Allow only one rate */
5447 	if (hweight32(rate) > 1)
5448 		return -EINVAL;
5449 
5450 	count_ht = 0;
5451 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5452 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5453 			return -EINVAL;
5454 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5455 			count_ht++;
5456 			if (count_ht > 1)
5457 				return -EINVAL;
5458 		}
5459 		if (count_ht && rate)
5460 			return -EINVAL;
5461 	}
5462 
5463 	count_vht = 0;
5464 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5465 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5466 			return -EINVAL;
5467 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5468 			count_vht++;
5469 			if (count_vht > 1)
5470 				return -EINVAL;
5471 		}
5472 		if (count_vht && rate)
5473 			return -EINVAL;
5474 	}
5475 
5476 	count_he = 0;
5477 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5478 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5479 			return -EINVAL;
5480 		} else if (beacon_rate->control[band].he_mcs[i]) {
5481 			count_he++;
5482 			if (count_he > 1)
5483 				return -EINVAL;
5484 		}
5485 		if (count_he && rate)
5486 			return -EINVAL;
5487 	}
5488 
5489 	if ((count_ht && count_vht && count_he) ||
5490 	    (!rate && !count_ht && !count_vht && !count_he))
5491 		return -EINVAL;
5492 
5493 	if (rate &&
5494 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5495 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5496 		return -EINVAL;
5497 	if (count_ht &&
5498 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5499 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5500 		return -EINVAL;
5501 	if (count_vht &&
5502 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5503 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5504 		return -EINVAL;
5505 	if (count_he &&
5506 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5507 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5508 		return -EINVAL;
5509 
5510 	return 0;
5511 }
5512 
5513 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5514 				       struct net_device *dev,
5515 				       struct nlattr *attrs,
5516 				       struct cfg80211_mbssid_config *config,
5517 				       u8 num_elems)
5518 {
5519 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5520 
5521 	if (!wiphy->mbssid_max_interfaces)
5522 		return -EOPNOTSUPP;
5523 
5524 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5525 			     NULL) ||
5526 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5527 		return -EINVAL;
5528 
5529 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5530 	if (config->ema) {
5531 		if (!wiphy->ema_max_profile_periodicity)
5532 			return -EOPNOTSUPP;
5533 
5534 		if (num_elems > wiphy->ema_max_profile_periodicity)
5535 			return -EINVAL;
5536 	}
5537 
5538 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5539 	if (config->index >= wiphy->mbssid_max_interfaces ||
5540 	    (!config->index && !num_elems))
5541 		return -EINVAL;
5542 
5543 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5544 		u32 tx_ifindex =
5545 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5546 
5547 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5548 		    (config->index && tx_ifindex == dev->ifindex))
5549 			return -EINVAL;
5550 
5551 		if (tx_ifindex != dev->ifindex) {
5552 			struct net_device *tx_netdev =
5553 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5554 
5555 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5556 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5557 			    tx_netdev->ieee80211_ptr->iftype !=
5558 							NL80211_IFTYPE_AP) {
5559 				dev_put(tx_netdev);
5560 				return -EINVAL;
5561 			}
5562 
5563 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5564 		} else {
5565 			config->tx_wdev = dev->ieee80211_ptr;
5566 		}
5567 	} else if (!config->index) {
5568 		config->tx_wdev = dev->ieee80211_ptr;
5569 	} else {
5570 		return -EINVAL;
5571 	}
5572 
5573 	return 0;
5574 }
5575 
5576 static struct cfg80211_mbssid_elems *
5577 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5578 {
5579 	struct nlattr *nl_elems;
5580 	struct cfg80211_mbssid_elems *elems;
5581 	int rem_elems;
5582 	u8 i = 0, num_elems = 0;
5583 
5584 	if (!wiphy->mbssid_max_interfaces)
5585 		return ERR_PTR(-EINVAL);
5586 
5587 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5588 		if (num_elems >= 255)
5589 			return ERR_PTR(-EINVAL);
5590 		num_elems++;
5591 	}
5592 
5593 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5594 	if (!elems)
5595 		return ERR_PTR(-ENOMEM);
5596 	elems->cnt = num_elems;
5597 
5598 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5599 		elems->elem[i].data = nla_data(nl_elems);
5600 		elems->elem[i].len = nla_len(nl_elems);
5601 		i++;
5602 	}
5603 	return elems;
5604 }
5605 
5606 static struct cfg80211_rnr_elems *
5607 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5608 			struct netlink_ext_ack *extack)
5609 {
5610 	struct nlattr *nl_elems;
5611 	struct cfg80211_rnr_elems *elems;
5612 	int rem_elems;
5613 	u8 i = 0, num_elems = 0;
5614 
5615 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5616 		int ret;
5617 
5618 		ret = validate_ie_attr(nl_elems, extack);
5619 		if (ret)
5620 			return ERR_PTR(ret);
5621 
5622 		num_elems++;
5623 	}
5624 
5625 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5626 	if (!elems)
5627 		return ERR_PTR(-ENOMEM);
5628 	elems->cnt = num_elems;
5629 
5630 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5631 		elems->elem[i].data = nla_data(nl_elems);
5632 		elems->elem[i].len = nla_len(nl_elems);
5633 		i++;
5634 	}
5635 	return elems;
5636 }
5637 
5638 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5639 				      struct cfg80211_he_bss_color *he_bss_color)
5640 {
5641 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5642 	int err;
5643 
5644 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5645 			       he_bss_color_policy, NULL);
5646 	if (err)
5647 		return err;
5648 
5649 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5650 		return -EINVAL;
5651 
5652 	he_bss_color->color =
5653 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5654 	he_bss_color->enabled =
5655 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5656 	he_bss_color->partial =
5657 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5658 
5659 	return 0;
5660 }
5661 
5662 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5663 				struct nlattr *attrs[],
5664 				struct cfg80211_beacon_data *bcn,
5665 				struct netlink_ext_ack *extack)
5666 {
5667 	bool haveinfo = false;
5668 	int err;
5669 
5670 	memset(bcn, 0, sizeof(*bcn));
5671 
5672 	bcn->link_id = nl80211_link_id(attrs);
5673 
5674 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5675 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5676 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5677 		if (!bcn->head_len)
5678 			return -EINVAL;
5679 		haveinfo = true;
5680 	}
5681 
5682 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5683 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5684 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5685 		haveinfo = true;
5686 	}
5687 
5688 	if (!haveinfo)
5689 		return -EINVAL;
5690 
5691 	if (attrs[NL80211_ATTR_IE]) {
5692 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5693 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5694 	}
5695 
5696 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5697 		bcn->proberesp_ies =
5698 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5699 		bcn->proberesp_ies_len =
5700 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5701 	}
5702 
5703 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5704 		bcn->assocresp_ies =
5705 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5706 		bcn->assocresp_ies_len =
5707 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5708 	}
5709 
5710 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5711 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5712 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5713 	}
5714 
5715 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5716 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5717 
5718 		err = nla_parse_nested_deprecated(tb,
5719 						  NL80211_FTM_RESP_ATTR_MAX,
5720 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5721 						  NULL, NULL);
5722 		if (err)
5723 			return err;
5724 
5725 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5726 		    wiphy_ext_feature_isset(&rdev->wiphy,
5727 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5728 			bcn->ftm_responder = 1;
5729 		else
5730 			return -EOPNOTSUPP;
5731 
5732 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5733 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5734 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5735 		}
5736 
5737 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5738 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5739 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5740 		}
5741 	} else {
5742 		bcn->ftm_responder = -1;
5743 	}
5744 
5745 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5746 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5747 						 &bcn->he_bss_color);
5748 		if (err)
5749 			return err;
5750 		bcn->he_bss_color_valid = true;
5751 	}
5752 
5753 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5754 		struct cfg80211_mbssid_elems *mbssid =
5755 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5756 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5757 
5758 		if (IS_ERR(mbssid))
5759 			return PTR_ERR(mbssid);
5760 
5761 		bcn->mbssid_ies = mbssid;
5762 
5763 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5764 			struct cfg80211_rnr_elems *rnr =
5765 				nl80211_parse_rnr_elems(&rdev->wiphy,
5766 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5767 							extack);
5768 
5769 			if (IS_ERR(rnr))
5770 				return PTR_ERR(rnr);
5771 
5772 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5773 				return -EINVAL;
5774 
5775 			bcn->rnr_ies = rnr;
5776 		}
5777 	}
5778 
5779 	return 0;
5780 }
5781 
5782 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5783 				    struct ieee80211_he_obss_pd *he_obss_pd)
5784 {
5785 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5786 	int err;
5787 
5788 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5789 			       he_obss_pd_policy, NULL);
5790 	if (err)
5791 		return err;
5792 
5793 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5794 		return -EINVAL;
5795 
5796 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5797 
5798 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5799 		he_obss_pd->min_offset =
5800 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5801 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5802 		he_obss_pd->max_offset =
5803 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5804 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5805 		he_obss_pd->non_srg_max_offset =
5806 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5807 
5808 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5809 		return -EINVAL;
5810 
5811 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5812 		memcpy(he_obss_pd->bss_color_bitmap,
5813 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5814 		       sizeof(he_obss_pd->bss_color_bitmap));
5815 
5816 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5817 		memcpy(he_obss_pd->partial_bssid_bitmap,
5818 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5819 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5820 
5821 	he_obss_pd->enable = true;
5822 
5823 	return 0;
5824 }
5825 
5826 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5827 					struct nlattr *attrs,
5828 					struct cfg80211_fils_discovery *fd)
5829 {
5830 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5831 	int ret;
5832 
5833 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5834 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5835 		return -EINVAL;
5836 
5837 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5838 			       NULL, NULL);
5839 	if (ret)
5840 		return ret;
5841 
5842 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5843 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5844 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5845 		fd->update = true;
5846 		return 0;
5847 	}
5848 
5849 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5850 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5851 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5852 		return -EINVAL;
5853 
5854 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5855 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5856 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5857 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5858 	fd->update = true;
5859 	return 0;
5860 }
5861 
5862 static int
5863 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5864 				     struct nlattr *attrs,
5865 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5866 {
5867 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5868 	int ret;
5869 
5870 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5871 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5872 		return -EINVAL;
5873 
5874 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5875 			       attrs, NULL, NULL);
5876 	if (ret)
5877 		return ret;
5878 
5879 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5880 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5881 		presp->update = true;
5882 		return 0;
5883 	}
5884 
5885 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5886 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5887 		return -EINVAL;
5888 
5889 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5890 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5891 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5892 	presp->update = true;
5893 	return 0;
5894 }
5895 
5896 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5897 					    const struct element *rates)
5898 {
5899 	int i;
5900 
5901 	if (!rates)
5902 		return;
5903 
5904 	for (i = 0; i < rates->datalen; i++) {
5905 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5906 			params->ht_required = true;
5907 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5908 			params->vht_required = true;
5909 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5910 			params->he_required = true;
5911 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5912 			params->sae_h2e_required = true;
5913 	}
5914 }
5915 
5916 /*
5917  * Since the nl80211 API didn't include, from the beginning, attributes about
5918  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5919  * benefit of drivers that rebuild IEs in the firmware.
5920  */
5921 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5922 {
5923 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5924 	size_t ies_len = bcn->tail_len;
5925 	const u8 *ies = bcn->tail;
5926 	const struct element *rates;
5927 	const struct element *cap;
5928 
5929 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5930 	nl80211_check_ap_rate_selectors(params, rates);
5931 
5932 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5933 	nl80211_check_ap_rate_selectors(params, rates);
5934 
5935 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5936 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5937 		params->ht_cap = (void *)cap->data;
5938 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5939 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5940 		params->vht_cap = (void *)cap->data;
5941 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5942 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5943 		params->he_cap = (void *)(cap->data + 1);
5944 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5945 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5946 		params->he_oper = (void *)(cap->data + 1);
5947 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5948 	if (cap) {
5949 		if (!cap->datalen)
5950 			return -EINVAL;
5951 		params->eht_cap = (void *)(cap->data + 1);
5952 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5953 						(const u8 *)params->eht_cap,
5954 						cap->datalen - 1, true))
5955 			return -EINVAL;
5956 	}
5957 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5958 	if (cap) {
5959 		if (!cap->datalen)
5960 			return -EINVAL;
5961 		params->eht_oper = (void *)(cap->data + 1);
5962 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5963 						cap->datalen - 1))
5964 			return -EINVAL;
5965 	}
5966 	return 0;
5967 }
5968 
5969 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5970 				   struct cfg80211_ap_settings *params)
5971 {
5972 	struct wireless_dev *wdev;
5973 
5974 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5975 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5976 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5977 			continue;
5978 
5979 		if (!wdev->u.ap.preset_chandef.chan)
5980 			continue;
5981 
5982 		params->chandef = wdev->u.ap.preset_chandef;
5983 		return true;
5984 	}
5985 
5986 	return false;
5987 }
5988 
5989 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5990 				    enum nl80211_auth_type auth_type,
5991 				    enum nl80211_commands cmd)
5992 {
5993 	if (auth_type > NL80211_AUTHTYPE_MAX)
5994 		return false;
5995 
5996 	switch (cmd) {
5997 	case NL80211_CMD_AUTHENTICATE:
5998 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5999 		    auth_type == NL80211_AUTHTYPE_SAE)
6000 			return false;
6001 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6002 					     NL80211_EXT_FEATURE_FILS_STA) &&
6003 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6004 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6005 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6006 			return false;
6007 		return true;
6008 	case NL80211_CMD_CONNECT:
6009 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6010 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6011 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6012 		    auth_type == NL80211_AUTHTYPE_SAE)
6013 			return false;
6014 
6015 		/* FILS with SK PFS or PK not supported yet */
6016 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6017 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6018 			return false;
6019 		if (!wiphy_ext_feature_isset(
6020 			    &rdev->wiphy,
6021 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6022 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6023 			return false;
6024 		return true;
6025 	case NL80211_CMD_START_AP:
6026 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6027 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6028 		    auth_type == NL80211_AUTHTYPE_SAE)
6029 			return false;
6030 		/* FILS not supported yet */
6031 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6032 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6033 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6034 			return false;
6035 		return true;
6036 	default:
6037 		return false;
6038 	}
6039 }
6040 
6041 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6042 				    unsigned int link_id)
6043 {
6044 	struct wiphy *wiphy = wdev->wiphy;
6045 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6046 	struct sk_buff *msg;
6047 	void *hdr;
6048 
6049 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6050 	if (!msg)
6051 		return;
6052 
6053 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6054 	if (!hdr)
6055 		goto out;
6056 
6057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6058 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6059 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6060 			      NL80211_ATTR_PAD) ||
6061 	    (wdev->u.ap.ssid_len &&
6062 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6063 		     wdev->u.ap.ssid)) ||
6064 	    (wdev->valid_links &&
6065 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6066 		goto out;
6067 
6068 	genlmsg_end(msg, hdr);
6069 
6070 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6071 				NL80211_MCGRP_MLME, GFP_KERNEL);
6072 	return;
6073 out:
6074 	nlmsg_free(msg);
6075 }
6076 
6077 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6078 {
6079 	struct ieee80211_channel *channel = params->chandef.chan;
6080 
6081 	if ((params->he_cap ||  params->he_oper) &&
6082 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6083 		return -EOPNOTSUPP;
6084 
6085 	if ((params->eht_cap || params->eht_oper) &&
6086 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6087 		return -EOPNOTSUPP;
6088 
6089 	return 0;
6090 }
6091 
6092 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6093 {
6094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6095 	struct cfg80211_beaconing_check_config beacon_check = {};
6096 	unsigned int link_id = nl80211_link_id(info->attrs);
6097 	struct net_device *dev = info->user_ptr[1];
6098 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6099 	struct cfg80211_ap_settings *params;
6100 	int err;
6101 
6102 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6103 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6104 		return -EOPNOTSUPP;
6105 
6106 	if (!rdev->ops->start_ap)
6107 		return -EOPNOTSUPP;
6108 
6109 	if (wdev->links[link_id].cac_started)
6110 		return -EBUSY;
6111 
6112 	if (wdev->links[link_id].ap.beacon_interval)
6113 		return -EALREADY;
6114 
6115 	/* these are required for START_AP */
6116 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6117 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6118 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6119 		return -EINVAL;
6120 
6121 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6122 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6123 		return -EOPNOTSUPP;
6124 
6125 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6126 	if (!params)
6127 		return -ENOMEM;
6128 
6129 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6130 				   info->extack);
6131 	if (err)
6132 		goto out;
6133 
6134 	params->beacon_interval =
6135 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6136 	params->dtim_period =
6137 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6138 
6139 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6140 					   params->beacon_interval);
6141 	if (err)
6142 		goto out;
6143 
6144 	/*
6145 	 * In theory, some of these attributes should be required here
6146 	 * but since they were not used when the command was originally
6147 	 * added, keep them optional for old user space programs to let
6148 	 * them continue to work with drivers that do not need the
6149 	 * additional information -- drivers must check!
6150 	 */
6151 	if (info->attrs[NL80211_ATTR_SSID]) {
6152 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6153 		params->ssid_len =
6154 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6155 		if (params->ssid_len == 0) {
6156 			err = -EINVAL;
6157 			goto out;
6158 		}
6159 
6160 		if (wdev->u.ap.ssid_len &&
6161 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6162 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6163 			/* require identical SSID for MLO */
6164 			err = -EINVAL;
6165 			goto out;
6166 		}
6167 	} else if (wdev->valid_links) {
6168 		/* require SSID for MLO */
6169 		err = -EINVAL;
6170 		goto out;
6171 	}
6172 
6173 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6174 		params->hidden_ssid = nla_get_u32(
6175 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6176 
6177 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6178 
6179 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6180 		params->auth_type = nla_get_u32(
6181 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6182 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6183 					     NL80211_CMD_START_AP)) {
6184 			err = -EINVAL;
6185 			goto out;
6186 		}
6187 	} else
6188 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6189 
6190 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6191 				      NL80211_MAX_NR_CIPHER_SUITES);
6192 	if (err)
6193 		goto out;
6194 
6195 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6196 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6197 			err = -EOPNOTSUPP;
6198 			goto out;
6199 		}
6200 		params->inactivity_timeout = nla_get_u16(
6201 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6202 	}
6203 
6204 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6205 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6206 			err = -EINVAL;
6207 			goto out;
6208 		}
6209 		params->p2p_ctwindow =
6210 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6211 		if (params->p2p_ctwindow != 0 &&
6212 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6213 			err = -EINVAL;
6214 			goto out;
6215 		}
6216 	}
6217 
6218 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6219 		u8 tmp;
6220 
6221 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6222 			err = -EINVAL;
6223 			goto out;
6224 		}
6225 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6226 		params->p2p_opp_ps = tmp;
6227 		if (params->p2p_opp_ps != 0 &&
6228 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6229 			err = -EINVAL;
6230 			goto out;
6231 		}
6232 	}
6233 
6234 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6235 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6236 		if (err)
6237 			goto out;
6238 	} else if (wdev->valid_links) {
6239 		/* with MLD need to specify the channel configuration */
6240 		err = -EINVAL;
6241 		goto out;
6242 	} else if (wdev->u.ap.preset_chandef.chan) {
6243 		params->chandef = wdev->u.ap.preset_chandef;
6244 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6245 		err = -EINVAL;
6246 		goto out;
6247 	}
6248 
6249 	beacon_check.iftype = wdev->iftype;
6250 	beacon_check.relax = true;
6251 	beacon_check.reg_power =
6252 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6253 					     params->beacon.tail_len);
6254 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6255 					  &beacon_check)) {
6256 		err = -EINVAL;
6257 		goto out;
6258 	}
6259 
6260 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6261 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6262 						    NL80211_ATTR_TX_RATES,
6263 						    &params->beacon_rate,
6264 						    dev, false, link_id);
6265 		if (err)
6266 			goto out;
6267 
6268 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6269 					      &params->beacon_rate);
6270 		if (err)
6271 			goto out;
6272 	}
6273 
6274 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6275 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6276 		err = -EOPNOTSUPP;
6277 		goto out;
6278 	}
6279 
6280 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6281 		params->acl = parse_acl_data(&rdev->wiphy, info);
6282 		if (IS_ERR(params->acl)) {
6283 			err = PTR_ERR(params->acl);
6284 			params->acl = NULL;
6285 			goto out;
6286 		}
6287 	}
6288 
6289 	params->twt_responder =
6290 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6291 
6292 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6293 		err = nl80211_parse_he_obss_pd(
6294 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6295 					&params->he_obss_pd);
6296 		if (err)
6297 			goto out;
6298 	}
6299 
6300 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6301 		err = nl80211_parse_fils_discovery(rdev,
6302 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6303 						   &params->fils_discovery);
6304 		if (err)
6305 			goto out;
6306 	}
6307 
6308 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6309 		err = nl80211_parse_unsol_bcast_probe_resp(
6310 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6311 			&params->unsol_bcast_probe_resp);
6312 		if (err)
6313 			goto out;
6314 	}
6315 
6316 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6317 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6318 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6319 						  &params->mbssid_config,
6320 						  params->beacon.mbssid_ies ?
6321 							params->beacon.mbssid_ies->cnt :
6322 							0);
6323 		if (err)
6324 			goto out;
6325 	}
6326 
6327 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6328 		err = -EINVAL;
6329 		goto out;
6330 	}
6331 
6332 	err = nl80211_calculate_ap_params(params);
6333 	if (err)
6334 		goto out;
6335 
6336 	err = nl80211_validate_ap_phy_operation(params);
6337 	if (err)
6338 		goto out;
6339 
6340 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6341 		params->flags = nla_get_u32(
6342 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6343 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6344 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6345 
6346 	if (wdev->conn_owner_nlportid &&
6347 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6348 	    wdev->conn_owner_nlportid != info->snd_portid) {
6349 		err = -EINVAL;
6350 		goto out;
6351 	}
6352 
6353 	/* FIXME: validate MLO/link-id against driver capabilities */
6354 
6355 	err = rdev_start_ap(rdev, dev, params);
6356 	if (!err) {
6357 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6358 		wdev->links[link_id].ap.chandef = params->chandef;
6359 		wdev->u.ap.ssid_len = params->ssid_len;
6360 		memcpy(wdev->u.ap.ssid, params->ssid,
6361 		       params->ssid_len);
6362 
6363 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6364 			wdev->conn_owner_nlportid = info->snd_portid;
6365 
6366 		nl80211_send_ap_started(wdev, link_id);
6367 	}
6368 out:
6369 	kfree(params->acl);
6370 	kfree(params->beacon.mbssid_ies);
6371 	if (params->mbssid_config.tx_wdev &&
6372 	    params->mbssid_config.tx_wdev->netdev &&
6373 	    params->mbssid_config.tx_wdev->netdev != dev)
6374 		dev_put(params->mbssid_config.tx_wdev->netdev);
6375 	kfree(params->beacon.rnr_ies);
6376 	kfree(params);
6377 
6378 	return err;
6379 }
6380 
6381 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6382 {
6383 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6384 	struct cfg80211_beaconing_check_config beacon_check = {};
6385 	unsigned int link_id = nl80211_link_id(info->attrs);
6386 	struct net_device *dev = info->user_ptr[1];
6387 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6388 	struct cfg80211_ap_update *params;
6389 	struct nlattr *attr;
6390 	int err;
6391 
6392 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6393 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6394 		return -EOPNOTSUPP;
6395 
6396 	if (!rdev->ops->change_beacon)
6397 		return -EOPNOTSUPP;
6398 
6399 	if (!wdev->links[link_id].ap.beacon_interval)
6400 		return -EINVAL;
6401 
6402 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6403 	if (!params)
6404 		return -ENOMEM;
6405 
6406 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6407 				   info->extack);
6408 	if (err)
6409 		goto out;
6410 
6411 	/* recheck beaconing is permitted with possibly changed power type */
6412 	beacon_check.iftype = wdev->iftype;
6413 	beacon_check.relax = true;
6414 	beacon_check.reg_power =
6415 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6416 					     params->beacon.tail_len);
6417 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6418 					  &wdev->links[link_id].ap.chandef,
6419 					  &beacon_check)) {
6420 		err = -EINVAL;
6421 		goto out;
6422 	}
6423 
6424 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6425 	if (attr) {
6426 		err = nl80211_parse_fils_discovery(rdev, attr,
6427 						   &params->fils_discovery);
6428 		if (err)
6429 			goto out;
6430 	}
6431 
6432 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6433 	if (attr) {
6434 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6435 							   &params->unsol_bcast_probe_resp);
6436 		if (err)
6437 			goto out;
6438 	}
6439 
6440 	err = rdev_change_beacon(rdev, dev, params);
6441 
6442 out:
6443 	kfree(params->beacon.mbssid_ies);
6444 	kfree(params->beacon.rnr_ies);
6445 	kfree(params);
6446 	return err;
6447 }
6448 
6449 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6450 {
6451 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6452 	unsigned int link_id = nl80211_link_id(info->attrs);
6453 	struct net_device *dev = info->user_ptr[1];
6454 
6455 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6456 }
6457 
6458 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6459 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6460 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6461 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6462 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6463 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6464 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6465 };
6466 
6467 static int parse_station_flags(struct genl_info *info,
6468 			       enum nl80211_iftype iftype,
6469 			       struct station_parameters *params)
6470 {
6471 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6472 	struct nlattr *nla;
6473 	int flag;
6474 
6475 	/*
6476 	 * Try parsing the new attribute first so userspace
6477 	 * can specify both for older kernels.
6478 	 */
6479 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6480 	if (nla) {
6481 		struct nl80211_sta_flag_update *sta_flags;
6482 
6483 		sta_flags = nla_data(nla);
6484 		params->sta_flags_mask = sta_flags->mask;
6485 		params->sta_flags_set = sta_flags->set;
6486 		params->sta_flags_set &= params->sta_flags_mask;
6487 		if ((params->sta_flags_mask |
6488 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6489 			return -EINVAL;
6490 		return 0;
6491 	}
6492 
6493 	/* if present, parse the old attribute */
6494 
6495 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6496 	if (!nla)
6497 		return 0;
6498 
6499 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6500 		return -EINVAL;
6501 
6502 	/*
6503 	 * Only allow certain flags for interface types so that
6504 	 * other attributes are silently ignored. Remember that
6505 	 * this is backward compatibility code with old userspace
6506 	 * and shouldn't be hit in other cases anyway.
6507 	 */
6508 	switch (iftype) {
6509 	case NL80211_IFTYPE_AP:
6510 	case NL80211_IFTYPE_AP_VLAN:
6511 	case NL80211_IFTYPE_P2P_GO:
6512 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6513 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6514 					 BIT(NL80211_STA_FLAG_WME) |
6515 					 BIT(NL80211_STA_FLAG_MFP);
6516 		break;
6517 	case NL80211_IFTYPE_P2P_CLIENT:
6518 	case NL80211_IFTYPE_STATION:
6519 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6520 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6521 		break;
6522 	case NL80211_IFTYPE_MESH_POINT:
6523 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6524 					 BIT(NL80211_STA_FLAG_MFP) |
6525 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6526 		break;
6527 	default:
6528 		return -EINVAL;
6529 	}
6530 
6531 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6532 		if (flags[flag]) {
6533 			params->sta_flags_set |= (1<<flag);
6534 
6535 			/* no longer support new API additions in old API */
6536 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6537 				return -EINVAL;
6538 		}
6539 	}
6540 
6541 	return 0;
6542 }
6543 
6544 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6545 {
6546 	struct nlattr *rate;
6547 	u32 bitrate;
6548 	u16 bitrate_compat;
6549 	enum nl80211_rate_info rate_flg;
6550 
6551 	rate = nla_nest_start_noflag(msg, attr);
6552 	if (!rate)
6553 		return false;
6554 
6555 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6556 	bitrate = cfg80211_calculate_bitrate(info);
6557 	/* report 16-bit bitrate only if we can */
6558 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6559 	if (bitrate > 0 &&
6560 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6561 		return false;
6562 	if (bitrate_compat > 0 &&
6563 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6564 		return false;
6565 
6566 	switch (info->bw) {
6567 	case RATE_INFO_BW_1:
6568 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6569 		break;
6570 	case RATE_INFO_BW_2:
6571 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6572 		break;
6573 	case RATE_INFO_BW_4:
6574 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6575 		break;
6576 	case RATE_INFO_BW_5:
6577 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6578 		break;
6579 	case RATE_INFO_BW_8:
6580 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6581 		break;
6582 	case RATE_INFO_BW_10:
6583 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6584 		break;
6585 	case RATE_INFO_BW_16:
6586 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6587 		break;
6588 	default:
6589 		WARN_ON(1);
6590 		fallthrough;
6591 	case RATE_INFO_BW_20:
6592 		rate_flg = 0;
6593 		break;
6594 	case RATE_INFO_BW_40:
6595 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6596 		break;
6597 	case RATE_INFO_BW_80:
6598 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6599 		break;
6600 	case RATE_INFO_BW_160:
6601 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6602 		break;
6603 	case RATE_INFO_BW_HE_RU:
6604 		rate_flg = 0;
6605 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6606 		break;
6607 	case RATE_INFO_BW_320:
6608 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6609 		break;
6610 	case RATE_INFO_BW_EHT_RU:
6611 		rate_flg = 0;
6612 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6613 		break;
6614 	}
6615 
6616 	if (rate_flg && nla_put_flag(msg, rate_flg))
6617 		return false;
6618 
6619 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6620 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6621 			return false;
6622 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6623 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6624 			return false;
6625 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6626 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6627 			return false;
6628 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6629 			return false;
6630 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6631 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6632 			return false;
6633 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6634 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6635 			return false;
6636 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6637 			return false;
6638 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6639 			return false;
6640 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6641 			return false;
6642 		if (info->bw == RATE_INFO_BW_HE_RU &&
6643 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6644 			       info->he_ru_alloc))
6645 			return false;
6646 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6647 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6648 			return false;
6649 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6650 			return false;
6651 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6652 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6653 			return false;
6654 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6655 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6656 			return false;
6657 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6658 			return false;
6659 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6660 			return false;
6661 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6662 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6663 			       info->eht_ru_alloc))
6664 			return false;
6665 	}
6666 
6667 	nla_nest_end(msg, rate);
6668 	return true;
6669 }
6670 
6671 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6672 			       int id)
6673 {
6674 	void *attr;
6675 	int i = 0;
6676 
6677 	if (!mask)
6678 		return true;
6679 
6680 	attr = nla_nest_start_noflag(msg, id);
6681 	if (!attr)
6682 		return false;
6683 
6684 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6685 		if (!(mask & BIT(i)))
6686 			continue;
6687 
6688 		if (nla_put_u8(msg, i, signal[i]))
6689 			return false;
6690 	}
6691 
6692 	nla_nest_end(msg, attr);
6693 
6694 	return true;
6695 }
6696 
6697 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6698 				u32 seq, int flags,
6699 				struct cfg80211_registered_device *rdev,
6700 				struct net_device *dev,
6701 				const u8 *mac_addr, struct station_info *sinfo)
6702 {
6703 	void *hdr;
6704 	struct nlattr *sinfoattr, *bss_param;
6705 
6706 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6707 	if (!hdr) {
6708 		cfg80211_sinfo_release_content(sinfo);
6709 		return -1;
6710 	}
6711 
6712 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6713 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6714 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6715 		goto nla_put_failure;
6716 
6717 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6718 	if (!sinfoattr)
6719 		goto nla_put_failure;
6720 
6721 #define PUT_SINFO(attr, memb, type) do {				\
6722 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6723 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6724 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6725 			     sinfo->memb))				\
6726 		goto nla_put_failure;					\
6727 	} while (0)
6728 #define PUT_SINFO_U64(attr, memb) do {					\
6729 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6730 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6731 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6732 		goto nla_put_failure;					\
6733 	} while (0)
6734 
6735 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6736 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6737 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6738 
6739 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6740 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6741 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6742 			(u32)sinfo->rx_bytes))
6743 		goto nla_put_failure;
6744 
6745 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6746 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6747 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6748 			(u32)sinfo->tx_bytes))
6749 		goto nla_put_failure;
6750 
6751 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6752 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6753 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6754 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6755 
6756 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6757 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6758 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6759 
6760 	switch (rdev->wiphy.signal_type) {
6761 	case CFG80211_SIGNAL_TYPE_MBM:
6762 		PUT_SINFO(SIGNAL, signal, u8);
6763 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6764 		break;
6765 	default:
6766 		break;
6767 	}
6768 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6769 		if (!nl80211_put_signal(msg, sinfo->chains,
6770 					sinfo->chain_signal,
6771 					NL80211_STA_INFO_CHAIN_SIGNAL))
6772 			goto nla_put_failure;
6773 	}
6774 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6775 		if (!nl80211_put_signal(msg, sinfo->chains,
6776 					sinfo->chain_signal_avg,
6777 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6778 			goto nla_put_failure;
6779 	}
6780 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6781 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6782 					  NL80211_STA_INFO_TX_BITRATE))
6783 			goto nla_put_failure;
6784 	}
6785 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6786 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6787 					  NL80211_STA_INFO_RX_BITRATE))
6788 			goto nla_put_failure;
6789 	}
6790 
6791 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6792 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6793 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6794 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6795 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6796 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6797 
6798 	PUT_SINFO(LLID, llid, u16);
6799 	PUT_SINFO(PLID, plid, u16);
6800 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6801 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6802 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6803 	PUT_SINFO(PEER_PM, peer_pm, u32);
6804 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6805 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6806 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6807 	PUT_SINFO_U64(T_OFFSET, t_offset);
6808 
6809 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6810 		bss_param = nla_nest_start_noflag(msg,
6811 						  NL80211_STA_INFO_BSS_PARAM);
6812 		if (!bss_param)
6813 			goto nla_put_failure;
6814 
6815 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6816 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6817 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6818 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6819 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6820 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6821 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6822 			       sinfo->bss_param.dtim_period) ||
6823 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6824 				sinfo->bss_param.beacon_interval))
6825 			goto nla_put_failure;
6826 
6827 		nla_nest_end(msg, bss_param);
6828 	}
6829 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6830 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6831 		    sizeof(struct nl80211_sta_flag_update),
6832 		    &sinfo->sta_flags))
6833 		goto nla_put_failure;
6834 
6835 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6836 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6837 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6838 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6839 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6840 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6841 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6842 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6843 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6844 	}
6845 
6846 #undef PUT_SINFO
6847 #undef PUT_SINFO_U64
6848 
6849 	if (sinfo->pertid) {
6850 		struct nlattr *tidsattr;
6851 		int tid;
6852 
6853 		tidsattr = nla_nest_start_noflag(msg,
6854 						 NL80211_STA_INFO_TID_STATS);
6855 		if (!tidsattr)
6856 			goto nla_put_failure;
6857 
6858 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6859 			struct cfg80211_tid_stats *tidstats;
6860 			struct nlattr *tidattr;
6861 
6862 			tidstats = &sinfo->pertid[tid];
6863 
6864 			if (!tidstats->filled)
6865 				continue;
6866 
6867 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6868 			if (!tidattr)
6869 				goto nla_put_failure;
6870 
6871 #define PUT_TIDVAL_U64(attr, memb) do {					\
6872 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6873 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6874 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6875 		goto nla_put_failure;					\
6876 	} while (0)
6877 
6878 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6879 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6880 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6881 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6882 
6883 #undef PUT_TIDVAL_U64
6884 			if ((tidstats->filled &
6885 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6886 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6887 						   NL80211_TID_STATS_TXQ_STATS))
6888 				goto nla_put_failure;
6889 
6890 			nla_nest_end(msg, tidattr);
6891 		}
6892 
6893 		nla_nest_end(msg, tidsattr);
6894 	}
6895 
6896 	nla_nest_end(msg, sinfoattr);
6897 
6898 	if (sinfo->assoc_req_ies_len &&
6899 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6900 		    sinfo->assoc_req_ies))
6901 		goto nla_put_failure;
6902 
6903 	if (sinfo->assoc_resp_ies_len &&
6904 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6905 		    sinfo->assoc_resp_ies))
6906 		goto nla_put_failure;
6907 
6908 	if (sinfo->mlo_params_valid) {
6909 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6910 			       sinfo->assoc_link_id))
6911 			goto nla_put_failure;
6912 
6913 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6914 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6915 			    sinfo->mld_addr))
6916 			goto nla_put_failure;
6917 	}
6918 
6919 	cfg80211_sinfo_release_content(sinfo);
6920 	genlmsg_end(msg, hdr);
6921 	return 0;
6922 
6923  nla_put_failure:
6924 	cfg80211_sinfo_release_content(sinfo);
6925 	genlmsg_cancel(msg, hdr);
6926 	return -EMSGSIZE;
6927 }
6928 
6929 static int nl80211_dump_station(struct sk_buff *skb,
6930 				struct netlink_callback *cb)
6931 {
6932 	struct station_info sinfo;
6933 	struct cfg80211_registered_device *rdev;
6934 	struct wireless_dev *wdev;
6935 	u8 mac_addr[ETH_ALEN];
6936 	int sta_idx = cb->args[2];
6937 	int err;
6938 
6939 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6940 	if (err)
6941 		return err;
6942 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6943 	__acquire(&rdev->wiphy.mtx);
6944 
6945 	if (!wdev->netdev) {
6946 		err = -EINVAL;
6947 		goto out_err;
6948 	}
6949 
6950 	if (!rdev->ops->dump_station) {
6951 		err = -EOPNOTSUPP;
6952 		goto out_err;
6953 	}
6954 
6955 	while (1) {
6956 		memset(&sinfo, 0, sizeof(sinfo));
6957 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6958 					mac_addr, &sinfo);
6959 		if (err == -ENOENT)
6960 			break;
6961 		if (err)
6962 			goto out_err;
6963 
6964 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6965 				NETLINK_CB(cb->skb).portid,
6966 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6967 				rdev, wdev->netdev, mac_addr,
6968 				&sinfo) < 0)
6969 			goto out;
6970 
6971 		sta_idx++;
6972 	}
6973 
6974  out:
6975 	cb->args[2] = sta_idx;
6976 	err = skb->len;
6977  out_err:
6978 	wiphy_unlock(&rdev->wiphy);
6979 
6980 	return err;
6981 }
6982 
6983 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6984 {
6985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6986 	struct net_device *dev = info->user_ptr[1];
6987 	struct station_info sinfo;
6988 	struct sk_buff *msg;
6989 	u8 *mac_addr = NULL;
6990 	int err;
6991 
6992 	memset(&sinfo, 0, sizeof(sinfo));
6993 
6994 	if (!info->attrs[NL80211_ATTR_MAC])
6995 		return -EINVAL;
6996 
6997 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6998 
6999 	if (!rdev->ops->get_station)
7000 		return -EOPNOTSUPP;
7001 
7002 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7003 	if (err)
7004 		return err;
7005 
7006 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7007 	if (!msg) {
7008 		cfg80211_sinfo_release_content(&sinfo);
7009 		return -ENOMEM;
7010 	}
7011 
7012 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7013 				 info->snd_portid, info->snd_seq, 0,
7014 				 rdev, dev, mac_addr, &sinfo) < 0) {
7015 		nlmsg_free(msg);
7016 		return -ENOBUFS;
7017 	}
7018 
7019 	return genlmsg_reply(msg, info);
7020 }
7021 
7022 int cfg80211_check_station_change(struct wiphy *wiphy,
7023 				  struct station_parameters *params,
7024 				  enum cfg80211_station_type statype)
7025 {
7026 	if (params->listen_interval != -1 &&
7027 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7028 		return -EINVAL;
7029 
7030 	if (params->support_p2p_ps != -1 &&
7031 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7032 		return -EINVAL;
7033 
7034 	if (params->aid &&
7035 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7036 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7037 		return -EINVAL;
7038 
7039 	/* When you run into this, adjust the code below for the new flag */
7040 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7041 
7042 	switch (statype) {
7043 	case CFG80211_STA_MESH_PEER_KERNEL:
7044 	case CFG80211_STA_MESH_PEER_USER:
7045 		/*
7046 		 * No ignoring the TDLS flag here -- the userspace mesh
7047 		 * code doesn't have the bug of including TDLS in the
7048 		 * mask everywhere.
7049 		 */
7050 		if (params->sta_flags_mask &
7051 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7052 				  BIT(NL80211_STA_FLAG_MFP) |
7053 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7054 			return -EINVAL;
7055 		break;
7056 	case CFG80211_STA_TDLS_PEER_SETUP:
7057 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7058 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7059 			return -EINVAL;
7060 		/* ignore since it can't change */
7061 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7062 		break;
7063 	default:
7064 		/* disallow mesh-specific things */
7065 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7066 			return -EINVAL;
7067 		if (params->local_pm)
7068 			return -EINVAL;
7069 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7070 			return -EINVAL;
7071 	}
7072 
7073 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7074 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7075 		/* TDLS can't be set, ... */
7076 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7077 			return -EINVAL;
7078 		/*
7079 		 * ... but don't bother the driver with it. This works around
7080 		 * a hostapd/wpa_supplicant issue -- it always includes the
7081 		 * TLDS_PEER flag in the mask even for AP mode.
7082 		 */
7083 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7084 	}
7085 
7086 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7087 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7088 		/* reject other things that can't change */
7089 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7090 			return -EINVAL;
7091 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7092 			return -EINVAL;
7093 		if (params->link_sta_params.supported_rates)
7094 			return -EINVAL;
7095 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7096 		    params->link_sta_params.vht_capa ||
7097 		    params->link_sta_params.he_capa ||
7098 		    params->link_sta_params.eht_capa)
7099 			return -EINVAL;
7100 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7101 			return -EINVAL;
7102 	}
7103 
7104 	if (statype != CFG80211_STA_AP_CLIENT &&
7105 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7106 		if (params->vlan)
7107 			return -EINVAL;
7108 	}
7109 
7110 	switch (statype) {
7111 	case CFG80211_STA_AP_MLME_CLIENT:
7112 		/* Use this only for authorizing/unauthorizing a station */
7113 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7114 			return -EOPNOTSUPP;
7115 		break;
7116 	case CFG80211_STA_AP_CLIENT:
7117 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7118 		/* accept only the listed bits */
7119 		if (params->sta_flags_mask &
7120 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7121 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7122 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7123 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7124 				  BIT(NL80211_STA_FLAG_WME) |
7125 				  BIT(NL80211_STA_FLAG_MFP) |
7126 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7127 			return -EINVAL;
7128 
7129 		/* but authenticated/associated only if driver handles it */
7130 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7131 		    params->sta_flags_mask &
7132 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7133 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7134 			return -EINVAL;
7135 		break;
7136 	case CFG80211_STA_IBSS:
7137 	case CFG80211_STA_AP_STA:
7138 		/* reject any changes other than AUTHORIZED */
7139 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7140 			return -EINVAL;
7141 		break;
7142 	case CFG80211_STA_TDLS_PEER_SETUP:
7143 		/* reject any changes other than AUTHORIZED or WME */
7144 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7145 					       BIT(NL80211_STA_FLAG_WME)))
7146 			return -EINVAL;
7147 		/* force (at least) rates when authorizing */
7148 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7149 		    !params->link_sta_params.supported_rates)
7150 			return -EINVAL;
7151 		break;
7152 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7153 		/* reject any changes */
7154 		return -EINVAL;
7155 	case CFG80211_STA_MESH_PEER_KERNEL:
7156 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7157 			return -EINVAL;
7158 		break;
7159 	case CFG80211_STA_MESH_PEER_USER:
7160 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7161 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7162 			return -EINVAL;
7163 		break;
7164 	}
7165 
7166 	/*
7167 	 * Older kernel versions ignored this attribute entirely, so don't
7168 	 * reject attempts to update it but mark it as unused instead so the
7169 	 * driver won't look at the data.
7170 	 */
7171 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7172 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7173 		params->link_sta_params.opmode_notif_used = false;
7174 
7175 	return 0;
7176 }
7177 EXPORT_SYMBOL(cfg80211_check_station_change);
7178 
7179 /*
7180  * Get vlan interface making sure it is running and on the right wiphy.
7181  */
7182 static struct net_device *get_vlan(struct genl_info *info,
7183 				   struct cfg80211_registered_device *rdev)
7184 {
7185 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7186 	struct net_device *v;
7187 	int ret;
7188 
7189 	if (!vlanattr)
7190 		return NULL;
7191 
7192 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7193 	if (!v)
7194 		return ERR_PTR(-ENODEV);
7195 
7196 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7197 		ret = -EINVAL;
7198 		goto error;
7199 	}
7200 
7201 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7202 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7203 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7204 		ret = -EINVAL;
7205 		goto error;
7206 	}
7207 
7208 	if (!netif_running(v)) {
7209 		ret = -ENETDOWN;
7210 		goto error;
7211 	}
7212 
7213 	return v;
7214  error:
7215 	dev_put(v);
7216 	return ERR_PTR(ret);
7217 }
7218 
7219 static int nl80211_parse_sta_wme(struct genl_info *info,
7220 				 struct station_parameters *params)
7221 {
7222 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7223 	struct nlattr *nla;
7224 	int err;
7225 
7226 	/* parse WME attributes if present */
7227 	if (!info->attrs[NL80211_ATTR_STA_WME])
7228 		return 0;
7229 
7230 	nla = info->attrs[NL80211_ATTR_STA_WME];
7231 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7232 					  nl80211_sta_wme_policy,
7233 					  info->extack);
7234 	if (err)
7235 		return err;
7236 
7237 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7238 		params->uapsd_queues = nla_get_u8(
7239 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7240 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7241 		return -EINVAL;
7242 
7243 	if (tb[NL80211_STA_WME_MAX_SP])
7244 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7245 
7246 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7247 		return -EINVAL;
7248 
7249 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7250 
7251 	return 0;
7252 }
7253 
7254 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7255 				      struct station_parameters *params)
7256 {
7257 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7258 		params->supported_channels =
7259 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7260 		params->supported_channels_len =
7261 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7262 		/*
7263 		 * Need to include at least one (first channel, number of
7264 		 * channels) tuple for each subband (checked in policy),
7265 		 * and must have proper tuples for the rest of the data as well.
7266 		 */
7267 		if (params->supported_channels_len % 2)
7268 			return -EINVAL;
7269 	}
7270 
7271 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7272 		params->supported_oper_classes =
7273 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7274 		params->supported_oper_classes_len =
7275 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7276 	}
7277 	return 0;
7278 }
7279 
7280 static int nl80211_set_station_tdls(struct genl_info *info,
7281 				    struct station_parameters *params)
7282 {
7283 	int err;
7284 	/* Dummy STA entry gets updated once the peer capabilities are known */
7285 	if (info->attrs[NL80211_ATTR_PEER_AID])
7286 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7287 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7288 		params->link_sta_params.ht_capa =
7289 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7290 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7291 		params->link_sta_params.vht_capa =
7292 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7293 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7294 		params->link_sta_params.he_capa =
7295 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7296 		params->link_sta_params.he_capa_len =
7297 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7298 
7299 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7300 			params->link_sta_params.eht_capa =
7301 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7302 			params->link_sta_params.eht_capa_len =
7303 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7304 
7305 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7306 							(const u8 *)params->link_sta_params.eht_capa,
7307 							params->link_sta_params.eht_capa_len,
7308 							false))
7309 				return -EINVAL;
7310 		}
7311 	}
7312 
7313 	err = nl80211_parse_sta_channel_info(info, params);
7314 	if (err)
7315 		return err;
7316 
7317 	return nl80211_parse_sta_wme(info, params);
7318 }
7319 
7320 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7321 					     struct sta_txpwr *txpwr,
7322 					     bool *txpwr_set)
7323 {
7324 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7325 	int idx;
7326 
7327 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7328 		if (!rdev->ops->set_tx_power ||
7329 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7330 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7331 			return -EOPNOTSUPP;
7332 
7333 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7334 		txpwr->type = nla_get_u8(info->attrs[idx]);
7335 
7336 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7337 			idx = NL80211_ATTR_STA_TX_POWER;
7338 
7339 			if (info->attrs[idx])
7340 				txpwr->power = nla_get_s16(info->attrs[idx]);
7341 			else
7342 				return -EINVAL;
7343 		}
7344 
7345 		*txpwr_set = true;
7346 	} else {
7347 		*txpwr_set = false;
7348 	}
7349 
7350 	return 0;
7351 }
7352 
7353 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7354 {
7355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7356 	struct net_device *dev = info->user_ptr[1];
7357 	struct station_parameters params;
7358 	u8 *mac_addr;
7359 	int err;
7360 
7361 	memset(&params, 0, sizeof(params));
7362 
7363 	if (!rdev->ops->change_station)
7364 		return -EOPNOTSUPP;
7365 
7366 	/*
7367 	 * AID and listen_interval properties can be set only for unassociated
7368 	 * station. Include these parameters here and will check them in
7369 	 * cfg80211_check_station_change().
7370 	 */
7371 	if (info->attrs[NL80211_ATTR_STA_AID])
7372 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7373 
7374 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7375 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7376 
7377 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7378 		params.listen_interval =
7379 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7380 	else
7381 		params.listen_interval = -1;
7382 
7383 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7384 		params.support_p2p_ps =
7385 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7386 	else
7387 		params.support_p2p_ps = -1;
7388 
7389 	if (!info->attrs[NL80211_ATTR_MAC])
7390 		return -EINVAL;
7391 
7392 	params.link_sta_params.link_id =
7393 		nl80211_link_id_or_invalid(info->attrs);
7394 
7395 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7396 		/* If MLD_ADDR attribute is set then this is an MLD station
7397 		 * and the MLD_ADDR attribute holds the MLD address and the
7398 		 * MAC attribute holds for the LINK address.
7399 		 * In that case, the link_id is also expected to be valid.
7400 		 */
7401 		if (params.link_sta_params.link_id < 0)
7402 			return -EINVAL;
7403 
7404 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7405 		params.link_sta_params.mld_mac = mac_addr;
7406 		params.link_sta_params.link_mac =
7407 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7408 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7409 			return -EINVAL;
7410 	} else {
7411 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7412 	}
7413 
7414 
7415 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7416 		params.link_sta_params.supported_rates =
7417 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7418 		params.link_sta_params.supported_rates_len =
7419 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7420 	}
7421 
7422 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7423 		params.capability =
7424 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7425 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7426 	}
7427 
7428 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7429 		params.ext_capab =
7430 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7431 		params.ext_capab_len =
7432 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7433 	}
7434 
7435 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7436 		return -EINVAL;
7437 
7438 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7439 		params.plink_action =
7440 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7441 
7442 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7443 		params.plink_state =
7444 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7445 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7446 			params.peer_aid = nla_get_u16(
7447 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7448 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7449 	}
7450 
7451 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7452 		params.local_pm = nla_get_u32(
7453 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7454 
7455 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7456 		params.link_sta_params.opmode_notif_used = true;
7457 		params.link_sta_params.opmode_notif =
7458 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7459 	}
7460 
7461 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7462 		params.link_sta_params.he_6ghz_capa =
7463 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7464 
7465 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7466 		params.airtime_weight =
7467 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7468 
7469 	if (params.airtime_weight &&
7470 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7471 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7472 		return -EOPNOTSUPP;
7473 
7474 	err = nl80211_parse_sta_txpower_setting(info,
7475 						&params.link_sta_params.txpwr,
7476 						&params.link_sta_params.txpwr_set);
7477 	if (err)
7478 		return err;
7479 
7480 	/* Include parameters for TDLS peer (will check later) */
7481 	err = nl80211_set_station_tdls(info, &params);
7482 	if (err)
7483 		return err;
7484 
7485 	params.vlan = get_vlan(info, rdev);
7486 	if (IS_ERR(params.vlan))
7487 		return PTR_ERR(params.vlan);
7488 
7489 	switch (dev->ieee80211_ptr->iftype) {
7490 	case NL80211_IFTYPE_AP:
7491 	case NL80211_IFTYPE_AP_VLAN:
7492 	case NL80211_IFTYPE_P2P_GO:
7493 	case NL80211_IFTYPE_P2P_CLIENT:
7494 	case NL80211_IFTYPE_STATION:
7495 	case NL80211_IFTYPE_ADHOC:
7496 	case NL80211_IFTYPE_MESH_POINT:
7497 		break;
7498 	default:
7499 		err = -EOPNOTSUPP;
7500 		goto out_put_vlan;
7501 	}
7502 
7503 	/* driver will call cfg80211_check_station_change() */
7504 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7505 
7506  out_put_vlan:
7507 	dev_put(params.vlan);
7508 
7509 	return err;
7510 }
7511 
7512 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7513 {
7514 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7515 	int err;
7516 	struct net_device *dev = info->user_ptr[1];
7517 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7518 	struct station_parameters params;
7519 	u8 *mac_addr = NULL;
7520 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7521 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7522 
7523 	memset(&params, 0, sizeof(params));
7524 
7525 	if (!rdev->ops->add_station)
7526 		return -EOPNOTSUPP;
7527 
7528 	if (!info->attrs[NL80211_ATTR_MAC])
7529 		return -EINVAL;
7530 
7531 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7532 		return -EINVAL;
7533 
7534 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7535 		return -EINVAL;
7536 
7537 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7538 	    !info->attrs[NL80211_ATTR_PEER_AID])
7539 		return -EINVAL;
7540 
7541 	params.link_sta_params.link_id =
7542 		nl80211_link_id_or_invalid(info->attrs);
7543 
7544 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7545 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7546 		params.link_sta_params.mld_mac = mac_addr;
7547 		params.link_sta_params.link_mac =
7548 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7549 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7550 			return -EINVAL;
7551 	} else {
7552 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7553 	}
7554 
7555 	params.link_sta_params.supported_rates =
7556 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7557 	params.link_sta_params.supported_rates_len =
7558 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7559 	params.listen_interval =
7560 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7561 
7562 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7563 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7564 
7565 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7566 		params.support_p2p_ps =
7567 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7568 	} else {
7569 		/*
7570 		 * if not specified, assume it's supported for P2P GO interface,
7571 		 * and is NOT supported for AP interface
7572 		 */
7573 		params.support_p2p_ps =
7574 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7575 	}
7576 
7577 	if (info->attrs[NL80211_ATTR_PEER_AID])
7578 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7579 	else
7580 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7581 
7582 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7583 		params.capability =
7584 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7585 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7586 	}
7587 
7588 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7589 		params.ext_capab =
7590 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7591 		params.ext_capab_len =
7592 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7593 	}
7594 
7595 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7596 		params.link_sta_params.ht_capa =
7597 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7598 
7599 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7600 		params.link_sta_params.vht_capa =
7601 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7602 
7603 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7604 		params.link_sta_params.he_capa =
7605 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7606 		params.link_sta_params.he_capa_len =
7607 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7608 
7609 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7610 			params.link_sta_params.eht_capa =
7611 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7612 			params.link_sta_params.eht_capa_len =
7613 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7614 
7615 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7616 							(const u8 *)params.link_sta_params.eht_capa,
7617 							params.link_sta_params.eht_capa_len,
7618 							false))
7619 				return -EINVAL;
7620 		}
7621 	}
7622 
7623 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7624 		params.link_sta_params.he_6ghz_capa =
7625 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7626 
7627 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7628 		params.link_sta_params.opmode_notif_used = true;
7629 		params.link_sta_params.opmode_notif =
7630 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7631 	}
7632 
7633 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7634 		params.plink_action =
7635 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7636 
7637 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7638 		params.airtime_weight =
7639 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7640 
7641 	if (params.airtime_weight &&
7642 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7643 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7644 		return -EOPNOTSUPP;
7645 
7646 	err = nl80211_parse_sta_txpower_setting(info,
7647 						&params.link_sta_params.txpwr,
7648 						&params.link_sta_params.txpwr_set);
7649 	if (err)
7650 		return err;
7651 
7652 	err = nl80211_parse_sta_channel_info(info, &params);
7653 	if (err)
7654 		return err;
7655 
7656 	err = nl80211_parse_sta_wme(info, &params);
7657 	if (err)
7658 		return err;
7659 
7660 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7661 		return -EINVAL;
7662 
7663 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7664 	 * as userspace might just pass through the capabilities from the IEs
7665 	 * directly, rather than enforcing this restriction and returning an
7666 	 * error in this case.
7667 	 */
7668 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7669 		params.link_sta_params.ht_capa = NULL;
7670 		params.link_sta_params.vht_capa = NULL;
7671 
7672 		/* HE and EHT require WME */
7673 		if (params.link_sta_params.he_capa_len ||
7674 		    params.link_sta_params.he_6ghz_capa ||
7675 		    params.link_sta_params.eht_capa_len)
7676 			return -EINVAL;
7677 	}
7678 
7679 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7680 	if (params.link_sta_params.he_6ghz_capa &&
7681 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7682 		return -EINVAL;
7683 
7684 	/* When you run into this, adjust the code below for the new flag */
7685 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7686 
7687 	switch (dev->ieee80211_ptr->iftype) {
7688 	case NL80211_IFTYPE_AP:
7689 	case NL80211_IFTYPE_AP_VLAN:
7690 	case NL80211_IFTYPE_P2P_GO:
7691 		/* ignore WME attributes if iface/sta is not capable */
7692 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7693 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7694 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7695 
7696 		/* TDLS peers cannot be added */
7697 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7698 		    info->attrs[NL80211_ATTR_PEER_AID])
7699 			return -EINVAL;
7700 		/* but don't bother the driver with it */
7701 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7702 
7703 		/* allow authenticated/associated only if driver handles it */
7704 		if (!(rdev->wiphy.features &
7705 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7706 		    params.sta_flags_mask & auth_assoc)
7707 			return -EINVAL;
7708 
7709 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7710 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7711 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7712 			return -EINVAL;
7713 
7714 		/* Older userspace, or userspace wanting to be compatible with
7715 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7716 		 * and assoc flags in the mask, but assumes the station will be
7717 		 * added as associated anyway since this was the required driver
7718 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7719 		 * introduced.
7720 		 * In order to not bother drivers with this quirk in the API
7721 		 * set the flags in both the mask and set for new stations in
7722 		 * this case.
7723 		 */
7724 		if (!(params.sta_flags_mask & auth_assoc)) {
7725 			params.sta_flags_mask |= auth_assoc;
7726 			params.sta_flags_set |= auth_assoc;
7727 		}
7728 
7729 		/* must be last in here for error handling */
7730 		params.vlan = get_vlan(info, rdev);
7731 		if (IS_ERR(params.vlan))
7732 			return PTR_ERR(params.vlan);
7733 		break;
7734 	case NL80211_IFTYPE_MESH_POINT:
7735 		/* ignore uAPSD data */
7736 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7737 
7738 		/* associated is disallowed */
7739 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7740 			return -EINVAL;
7741 		/* TDLS peers cannot be added */
7742 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7743 		    info->attrs[NL80211_ATTR_PEER_AID])
7744 			return -EINVAL;
7745 		break;
7746 	case NL80211_IFTYPE_STATION:
7747 	case NL80211_IFTYPE_P2P_CLIENT:
7748 		/* ignore uAPSD data */
7749 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7750 
7751 		/* these are disallowed */
7752 		if (params.sta_flags_mask &
7753 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7754 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7755 			return -EINVAL;
7756 		/* Only TDLS peers can be added */
7757 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7758 			return -EINVAL;
7759 		/* Can only add if TDLS ... */
7760 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7761 			return -EOPNOTSUPP;
7762 		/* ... with external setup is supported */
7763 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7764 			return -EOPNOTSUPP;
7765 		/*
7766 		 * Older wpa_supplicant versions always mark the TDLS peer
7767 		 * as authorized, but it shouldn't yet be.
7768 		 */
7769 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7770 		break;
7771 	default:
7772 		return -EOPNOTSUPP;
7773 	}
7774 
7775 	/* be aware of params.vlan when changing code here */
7776 
7777 	if (wdev->valid_links) {
7778 		if (params.link_sta_params.link_id < 0) {
7779 			err = -EINVAL;
7780 			goto out;
7781 		}
7782 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7783 			err = -ENOLINK;
7784 			goto out;
7785 		}
7786 	} else {
7787 		if (params.link_sta_params.link_id >= 0) {
7788 			err = -EINVAL;
7789 			goto out;
7790 		}
7791 	}
7792 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7793 out:
7794 	dev_put(params.vlan);
7795 	return err;
7796 }
7797 
7798 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7799 {
7800 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7801 	struct net_device *dev = info->user_ptr[1];
7802 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7803 	struct station_del_parameters params;
7804 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7805 
7806 	memset(&params, 0, sizeof(params));
7807 
7808 	if (info->attrs[NL80211_ATTR_MAC])
7809 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7810 
7811 	switch (wdev->iftype) {
7812 	case NL80211_IFTYPE_AP:
7813 	case NL80211_IFTYPE_AP_VLAN:
7814 	case NL80211_IFTYPE_MESH_POINT:
7815 	case NL80211_IFTYPE_P2P_GO:
7816 		/* always accept these */
7817 		break;
7818 	case NL80211_IFTYPE_ADHOC:
7819 		/* conditionally accept */
7820 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7821 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7822 			break;
7823 		return -EINVAL;
7824 	default:
7825 		return -EINVAL;
7826 	}
7827 
7828 	if (!rdev->ops->del_station)
7829 		return -EOPNOTSUPP;
7830 
7831 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7832 		params.subtype =
7833 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7834 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7835 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7836 			return -EINVAL;
7837 	} else {
7838 		/* Default to Deauthentication frame */
7839 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7840 	}
7841 
7842 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7843 		params.reason_code =
7844 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7845 		if (params.reason_code == 0)
7846 			return -EINVAL; /* 0 is reserved */
7847 	} else {
7848 		/* Default to reason code 2 */
7849 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7850 	}
7851 
7852 	/* Link ID not expected in case of non-ML operation */
7853 	if (!wdev->valid_links && link_id != -1)
7854 		return -EINVAL;
7855 
7856 	/* If given, a valid link ID should be passed during MLO */
7857 	if (wdev->valid_links && link_id >= 0 &&
7858 	    !(wdev->valid_links & BIT(link_id)))
7859 		return -EINVAL;
7860 
7861 	params.link_id = link_id;
7862 
7863 	return rdev_del_station(rdev, dev, &params);
7864 }
7865 
7866 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7867 				int flags, struct net_device *dev,
7868 				u8 *dst, u8 *next_hop,
7869 				struct mpath_info *pinfo)
7870 {
7871 	void *hdr;
7872 	struct nlattr *pinfoattr;
7873 
7874 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7875 	if (!hdr)
7876 		return -1;
7877 
7878 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7879 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7880 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7881 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7882 		goto nla_put_failure;
7883 
7884 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7885 	if (!pinfoattr)
7886 		goto nla_put_failure;
7887 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7888 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7889 			pinfo->frame_qlen))
7890 		goto nla_put_failure;
7891 	if (((pinfo->filled & MPATH_INFO_SN) &&
7892 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7893 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7894 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7895 			 pinfo->metric)) ||
7896 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7897 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7898 			 pinfo->exptime)) ||
7899 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7900 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7901 			pinfo->flags)) ||
7902 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7903 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7904 			 pinfo->discovery_timeout)) ||
7905 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7906 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7907 			pinfo->discovery_retries)) ||
7908 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7909 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7910 			pinfo->hop_count)) ||
7911 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7912 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7913 			 pinfo->path_change_count)))
7914 		goto nla_put_failure;
7915 
7916 	nla_nest_end(msg, pinfoattr);
7917 
7918 	genlmsg_end(msg, hdr);
7919 	return 0;
7920 
7921  nla_put_failure:
7922 	genlmsg_cancel(msg, hdr);
7923 	return -EMSGSIZE;
7924 }
7925 
7926 static int nl80211_dump_mpath(struct sk_buff *skb,
7927 			      struct netlink_callback *cb)
7928 {
7929 	struct mpath_info pinfo;
7930 	struct cfg80211_registered_device *rdev;
7931 	struct wireless_dev *wdev;
7932 	u8 dst[ETH_ALEN];
7933 	u8 next_hop[ETH_ALEN];
7934 	int path_idx = cb->args[2];
7935 	int err;
7936 
7937 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7938 	if (err)
7939 		return err;
7940 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7941 	__acquire(&rdev->wiphy.mtx);
7942 
7943 	if (!rdev->ops->dump_mpath) {
7944 		err = -EOPNOTSUPP;
7945 		goto out_err;
7946 	}
7947 
7948 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7949 		err = -EOPNOTSUPP;
7950 		goto out_err;
7951 	}
7952 
7953 	while (1) {
7954 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7955 				      next_hop, &pinfo);
7956 		if (err == -ENOENT)
7957 			break;
7958 		if (err)
7959 			goto out_err;
7960 
7961 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7962 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7963 				       wdev->netdev, dst, next_hop,
7964 				       &pinfo) < 0)
7965 			goto out;
7966 
7967 		path_idx++;
7968 	}
7969 
7970  out:
7971 	cb->args[2] = path_idx;
7972 	err = skb->len;
7973  out_err:
7974 	wiphy_unlock(&rdev->wiphy);
7975 	return err;
7976 }
7977 
7978 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7979 {
7980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7981 	int err;
7982 	struct net_device *dev = info->user_ptr[1];
7983 	struct mpath_info pinfo;
7984 	struct sk_buff *msg;
7985 	u8 *dst = NULL;
7986 	u8 next_hop[ETH_ALEN];
7987 
7988 	memset(&pinfo, 0, sizeof(pinfo));
7989 
7990 	if (!info->attrs[NL80211_ATTR_MAC])
7991 		return -EINVAL;
7992 
7993 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7994 
7995 	if (!rdev->ops->get_mpath)
7996 		return -EOPNOTSUPP;
7997 
7998 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7999 		return -EOPNOTSUPP;
8000 
8001 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8002 	if (err)
8003 		return err;
8004 
8005 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8006 	if (!msg)
8007 		return -ENOMEM;
8008 
8009 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8010 				 dev, dst, next_hop, &pinfo) < 0) {
8011 		nlmsg_free(msg);
8012 		return -ENOBUFS;
8013 	}
8014 
8015 	return genlmsg_reply(msg, info);
8016 }
8017 
8018 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8019 {
8020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8021 	struct net_device *dev = info->user_ptr[1];
8022 	u8 *dst = NULL;
8023 	u8 *next_hop = NULL;
8024 
8025 	if (!info->attrs[NL80211_ATTR_MAC])
8026 		return -EINVAL;
8027 
8028 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8029 		return -EINVAL;
8030 
8031 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8032 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8033 
8034 	if (!rdev->ops->change_mpath)
8035 		return -EOPNOTSUPP;
8036 
8037 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8038 		return -EOPNOTSUPP;
8039 
8040 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8041 }
8042 
8043 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8044 {
8045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8046 	struct net_device *dev = info->user_ptr[1];
8047 	u8 *dst = NULL;
8048 	u8 *next_hop = NULL;
8049 
8050 	if (!info->attrs[NL80211_ATTR_MAC])
8051 		return -EINVAL;
8052 
8053 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8054 		return -EINVAL;
8055 
8056 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8057 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8058 
8059 	if (!rdev->ops->add_mpath)
8060 		return -EOPNOTSUPP;
8061 
8062 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8063 		return -EOPNOTSUPP;
8064 
8065 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8066 }
8067 
8068 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8069 {
8070 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8071 	struct net_device *dev = info->user_ptr[1];
8072 	u8 *dst = NULL;
8073 
8074 	if (info->attrs[NL80211_ATTR_MAC])
8075 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8076 
8077 	if (!rdev->ops->del_mpath)
8078 		return -EOPNOTSUPP;
8079 
8080 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8081 		return -EOPNOTSUPP;
8082 
8083 	return rdev_del_mpath(rdev, dev, dst);
8084 }
8085 
8086 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8087 {
8088 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8089 	int err;
8090 	struct net_device *dev = info->user_ptr[1];
8091 	struct mpath_info pinfo;
8092 	struct sk_buff *msg;
8093 	u8 *dst = NULL;
8094 	u8 mpp[ETH_ALEN];
8095 
8096 	memset(&pinfo, 0, sizeof(pinfo));
8097 
8098 	if (!info->attrs[NL80211_ATTR_MAC])
8099 		return -EINVAL;
8100 
8101 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8102 
8103 	if (!rdev->ops->get_mpp)
8104 		return -EOPNOTSUPP;
8105 
8106 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8107 		return -EOPNOTSUPP;
8108 
8109 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8110 	if (err)
8111 		return err;
8112 
8113 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8114 	if (!msg)
8115 		return -ENOMEM;
8116 
8117 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8118 			       dev, dst, mpp, &pinfo) < 0) {
8119 		nlmsg_free(msg);
8120 		return -ENOBUFS;
8121 	}
8122 
8123 	return genlmsg_reply(msg, info);
8124 }
8125 
8126 static int nl80211_dump_mpp(struct sk_buff *skb,
8127 			    struct netlink_callback *cb)
8128 {
8129 	struct mpath_info pinfo;
8130 	struct cfg80211_registered_device *rdev;
8131 	struct wireless_dev *wdev;
8132 	u8 dst[ETH_ALEN];
8133 	u8 mpp[ETH_ALEN];
8134 	int path_idx = cb->args[2];
8135 	int err;
8136 
8137 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8138 	if (err)
8139 		return err;
8140 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8141 	__acquire(&rdev->wiphy.mtx);
8142 
8143 	if (!rdev->ops->dump_mpp) {
8144 		err = -EOPNOTSUPP;
8145 		goto out_err;
8146 	}
8147 
8148 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8149 		err = -EOPNOTSUPP;
8150 		goto out_err;
8151 	}
8152 
8153 	while (1) {
8154 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8155 				    mpp, &pinfo);
8156 		if (err == -ENOENT)
8157 			break;
8158 		if (err)
8159 			goto out_err;
8160 
8161 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8162 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8163 				       wdev->netdev, dst, mpp,
8164 				       &pinfo) < 0)
8165 			goto out;
8166 
8167 		path_idx++;
8168 	}
8169 
8170  out:
8171 	cb->args[2] = path_idx;
8172 	err = skb->len;
8173  out_err:
8174 	wiphy_unlock(&rdev->wiphy);
8175 	return err;
8176 }
8177 
8178 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8179 {
8180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8181 	struct net_device *dev = info->user_ptr[1];
8182 	struct bss_parameters params;
8183 
8184 	memset(&params, 0, sizeof(params));
8185 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8186 	/* default to not changing parameters */
8187 	params.use_cts_prot = -1;
8188 	params.use_short_preamble = -1;
8189 	params.use_short_slot_time = -1;
8190 	params.ap_isolate = -1;
8191 	params.ht_opmode = -1;
8192 	params.p2p_ctwindow = -1;
8193 	params.p2p_opp_ps = -1;
8194 
8195 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8196 		params.use_cts_prot =
8197 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8198 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8199 		params.use_short_preamble =
8200 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8201 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8202 		params.use_short_slot_time =
8203 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8204 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8205 		params.basic_rates =
8206 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8207 		params.basic_rates_len =
8208 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8209 	}
8210 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8211 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8212 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8213 		params.ht_opmode =
8214 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8215 
8216 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8217 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8218 			return -EINVAL;
8219 		params.p2p_ctwindow =
8220 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8221 		if (params.p2p_ctwindow != 0 &&
8222 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8223 			return -EINVAL;
8224 	}
8225 
8226 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8227 		u8 tmp;
8228 
8229 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8230 			return -EINVAL;
8231 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8232 		params.p2p_opp_ps = tmp;
8233 		if (params.p2p_opp_ps &&
8234 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8235 			return -EINVAL;
8236 	}
8237 
8238 	if (!rdev->ops->change_bss)
8239 		return -EOPNOTSUPP;
8240 
8241 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8242 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8243 		return -EOPNOTSUPP;
8244 
8245 	return rdev_change_bss(rdev, dev, &params);
8246 }
8247 
8248 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8249 {
8250 	char *data = NULL;
8251 	bool is_indoor;
8252 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8253 	u32 owner_nlportid;
8254 
8255 	/*
8256 	 * You should only get this when cfg80211 hasn't yet initialized
8257 	 * completely when built-in to the kernel right between the time
8258 	 * window between nl80211_init() and regulatory_init(), if that is
8259 	 * even possible.
8260 	 */
8261 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8262 		return -EINPROGRESS;
8263 
8264 	user_reg_hint_type =
8265 		nla_get_u32_default(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE],
8266 				    NL80211_USER_REG_HINT_USER);
8267 
8268 	switch (user_reg_hint_type) {
8269 	case NL80211_USER_REG_HINT_USER:
8270 	case NL80211_USER_REG_HINT_CELL_BASE:
8271 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8272 			return -EINVAL;
8273 
8274 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8275 		return regulatory_hint_user(data, user_reg_hint_type);
8276 	case NL80211_USER_REG_HINT_INDOOR:
8277 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8278 			owner_nlportid = info->snd_portid;
8279 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8280 		} else {
8281 			owner_nlportid = 0;
8282 			is_indoor = true;
8283 		}
8284 
8285 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8286 		return 0;
8287 	default:
8288 		return -EINVAL;
8289 	}
8290 }
8291 
8292 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8293 {
8294 	return reg_reload_regdb();
8295 }
8296 
8297 static int nl80211_get_mesh_config(struct sk_buff *skb,
8298 				   struct genl_info *info)
8299 {
8300 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8301 	struct net_device *dev = info->user_ptr[1];
8302 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8303 	struct mesh_config cur_params;
8304 	int err = 0;
8305 	void *hdr;
8306 	struct nlattr *pinfoattr;
8307 	struct sk_buff *msg;
8308 
8309 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8310 		return -EOPNOTSUPP;
8311 
8312 	if (!rdev->ops->get_mesh_config)
8313 		return -EOPNOTSUPP;
8314 
8315 	/* If not connected, get default parameters */
8316 	if (!wdev->u.mesh.id_len)
8317 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8318 	else
8319 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8320 
8321 	if (err)
8322 		return err;
8323 
8324 	/* Draw up a netlink message to send back */
8325 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8326 	if (!msg)
8327 		return -ENOMEM;
8328 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8329 			     NL80211_CMD_GET_MESH_CONFIG);
8330 	if (!hdr)
8331 		goto out;
8332 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8333 	if (!pinfoattr)
8334 		goto nla_put_failure;
8335 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8336 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8337 			cur_params.dot11MeshRetryTimeout) ||
8338 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8339 			cur_params.dot11MeshConfirmTimeout) ||
8340 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8341 			cur_params.dot11MeshHoldingTimeout) ||
8342 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8343 			cur_params.dot11MeshMaxPeerLinks) ||
8344 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8345 		       cur_params.dot11MeshMaxRetries) ||
8346 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8347 		       cur_params.dot11MeshTTL) ||
8348 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8349 		       cur_params.element_ttl) ||
8350 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8351 		       cur_params.auto_open_plinks) ||
8352 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8353 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8354 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8355 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8356 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8357 			cur_params.path_refresh_time) ||
8358 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8359 			cur_params.min_discovery_timeout) ||
8360 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8361 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8362 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8363 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8364 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8365 			cur_params.dot11MeshHWMPperrMinInterval) ||
8366 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8367 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8368 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8369 		       cur_params.dot11MeshHWMPRootMode) ||
8370 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8371 			cur_params.dot11MeshHWMPRannInterval) ||
8372 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8373 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8374 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8375 		       cur_params.dot11MeshForwarding) ||
8376 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8377 			cur_params.rssi_threshold) ||
8378 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8379 			cur_params.ht_opmode) ||
8380 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8381 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8382 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8383 			cur_params.dot11MeshHWMProotInterval) ||
8384 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8385 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8386 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8387 			cur_params.power_mode) ||
8388 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8389 			cur_params.dot11MeshAwakeWindowDuration) ||
8390 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8391 			cur_params.plink_timeout) ||
8392 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8393 		       cur_params.dot11MeshConnectedToMeshGate) ||
8394 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8395 		       cur_params.dot11MeshNolearn) ||
8396 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8397 		       cur_params.dot11MeshConnectedToAuthServer))
8398 		goto nla_put_failure;
8399 	nla_nest_end(msg, pinfoattr);
8400 	genlmsg_end(msg, hdr);
8401 	return genlmsg_reply(msg, info);
8402 
8403  nla_put_failure:
8404  out:
8405 	nlmsg_free(msg);
8406 	return -ENOBUFS;
8407 }
8408 
8409 static const struct nla_policy
8410 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8411 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8412 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8413 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8414 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8415 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8416 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8417 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8418 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8419 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8420 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8421 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8422 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8423 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8424 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8425 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8426 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8427 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8428 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8429 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8430 		NLA_POLICY_MIN(NLA_U16, 1),
8431 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8432 		NLA_POLICY_MIN(NLA_U16, 1),
8433 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8434 		NLA_POLICY_MIN(NLA_U16, 1),
8435 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8436 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8437 		NLA_POLICY_MIN(NLA_U16, 1),
8438 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8439 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8440 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8441 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8442 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8443 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8444 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8445 		NLA_POLICY_MIN(NLA_U16, 1),
8446 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8447 		NLA_POLICY_MIN(NLA_U16, 1),
8448 	[NL80211_MESHCONF_POWER_MODE] =
8449 		NLA_POLICY_RANGE(NLA_U32,
8450 				 NL80211_MESH_POWER_ACTIVE,
8451 				 NL80211_MESH_POWER_MAX),
8452 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8453 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8454 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8455 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8456 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8457 };
8458 
8459 static const struct nla_policy
8460 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8461 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8462 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8463 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8464 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8465 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8466 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8467 	[NL80211_MESH_SETUP_IE] =
8468 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8469 				       IEEE80211_MAX_DATA_LEN),
8470 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8471 };
8472 
8473 static int nl80211_parse_mesh_config(struct genl_info *info,
8474 				     struct mesh_config *cfg,
8475 				     u32 *mask_out)
8476 {
8477 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8478 	u32 mask = 0;
8479 	u16 ht_opmode;
8480 
8481 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8482 do {									\
8483 	if (tb[attr]) {							\
8484 		cfg->param = fn(tb[attr]);				\
8485 		mask |= BIT((attr) - 1);				\
8486 	}								\
8487 } while (0)
8488 
8489 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8490 		return -EINVAL;
8491 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8492 		return -EINVAL;
8493 
8494 	/* This makes sure that there aren't more than 32 mesh config
8495 	 * parameters (otherwise our bitfield scheme would not work.) */
8496 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8497 
8498 	/* Fill in the params struct */
8499 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8500 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8502 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8503 				  nla_get_u16);
8504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8505 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8506 				  nla_get_u16);
8507 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8508 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8509 				  nla_get_u16);
8510 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8511 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8512 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8513 				  NL80211_MESHCONF_TTL, nla_get_u8);
8514 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8515 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8516 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8517 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8518 				  nla_get_u8);
8519 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8520 				  mask,
8521 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8522 				  nla_get_u32);
8523 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8524 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8525 				  nla_get_u8);
8526 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8527 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8528 				  nla_get_u32);
8529 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8530 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8531 		return -EINVAL;
8532 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8533 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8534 				  nla_get_u16);
8535 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8536 				  mask,
8537 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8538 				  nla_get_u32);
8539 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8540 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8541 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8542 		return -EINVAL;
8543 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8544 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8545 				  nla_get_u16);
8546 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8547 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8548 				  nla_get_u16);
8549 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8550 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8551 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8552 				  nla_get_u16);
8553 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8554 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8555 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8556 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8557 				  nla_get_u16);
8558 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8559 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8560 				  nla_get_u8);
8561 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8562 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8563 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8564 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8565 				  nla_get_s32);
8566 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8567 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8568 				  nla_get_u8);
8569 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8570 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8571 				  nla_get_u8);
8572 	/*
8573 	 * Check HT operation mode based on
8574 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8575 	 */
8576 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8577 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8578 
8579 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8580 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8581 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8582 			return -EINVAL;
8583 
8584 		/* NON_HT_STA bit is reserved, but some programs set it */
8585 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8586 
8587 		cfg->ht_opmode = ht_opmode;
8588 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8589 	}
8590 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8591 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8592 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8593 				  nla_get_u32);
8594 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8595 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8596 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8597 		return -EINVAL;
8598 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8599 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8600 				  nla_get_u16);
8601 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8602 				  mask,
8603 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8604 				  nla_get_u16);
8605 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8606 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8607 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8608 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8609 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8610 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8611 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8612 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8613 	if (mask_out)
8614 		*mask_out = mask;
8615 
8616 	return 0;
8617 
8618 #undef FILL_IN_MESH_PARAM_IF_SET
8619 }
8620 
8621 static int nl80211_parse_mesh_setup(struct genl_info *info,
8622 				     struct mesh_setup *setup)
8623 {
8624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8625 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8626 
8627 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8628 		return -EINVAL;
8629 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8630 		return -EINVAL;
8631 
8632 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8633 		setup->sync_method =
8634 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8635 		 IEEE80211_SYNC_METHOD_VENDOR :
8636 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8637 
8638 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8639 		setup->path_sel_proto =
8640 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8641 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8642 		 IEEE80211_PATH_PROTOCOL_HWMP;
8643 
8644 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8645 		setup->path_metric =
8646 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8647 		 IEEE80211_PATH_METRIC_VENDOR :
8648 		 IEEE80211_PATH_METRIC_AIRTIME;
8649 
8650 	if (tb[NL80211_MESH_SETUP_IE]) {
8651 		struct nlattr *ieattr =
8652 			tb[NL80211_MESH_SETUP_IE];
8653 		setup->ie = nla_data(ieattr);
8654 		setup->ie_len = nla_len(ieattr);
8655 	}
8656 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8657 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8658 		return -EINVAL;
8659 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8660 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8661 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8662 	if (setup->is_secure)
8663 		setup->user_mpm = true;
8664 
8665 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8666 		if (!setup->user_mpm)
8667 			return -EINVAL;
8668 		setup->auth_id =
8669 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8670 	}
8671 
8672 	return 0;
8673 }
8674 
8675 static int nl80211_update_mesh_config(struct sk_buff *skb,
8676 				      struct genl_info *info)
8677 {
8678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8679 	struct net_device *dev = info->user_ptr[1];
8680 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8681 	struct mesh_config cfg = {};
8682 	u32 mask;
8683 	int err;
8684 
8685 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8686 		return -EOPNOTSUPP;
8687 
8688 	if (!rdev->ops->update_mesh_config)
8689 		return -EOPNOTSUPP;
8690 
8691 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8692 	if (err)
8693 		return err;
8694 
8695 	if (!wdev->u.mesh.id_len)
8696 		err = -ENOLINK;
8697 
8698 	if (!err)
8699 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8700 
8701 	return err;
8702 }
8703 
8704 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8705 			      struct sk_buff *msg)
8706 {
8707 	struct nlattr *nl_reg_rules;
8708 	unsigned int i;
8709 
8710 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8711 	    (regdom->dfs_region &&
8712 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8713 		goto nla_put_failure;
8714 
8715 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8716 	if (!nl_reg_rules)
8717 		goto nla_put_failure;
8718 
8719 	for (i = 0; i < regdom->n_reg_rules; i++) {
8720 		struct nlattr *nl_reg_rule;
8721 		const struct ieee80211_reg_rule *reg_rule;
8722 		const struct ieee80211_freq_range *freq_range;
8723 		const struct ieee80211_power_rule *power_rule;
8724 		unsigned int max_bandwidth_khz;
8725 
8726 		reg_rule = &regdom->reg_rules[i];
8727 		freq_range = &reg_rule->freq_range;
8728 		power_rule = &reg_rule->power_rule;
8729 
8730 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8731 		if (!nl_reg_rule)
8732 			goto nla_put_failure;
8733 
8734 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8735 		if (!max_bandwidth_khz)
8736 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8737 								  reg_rule);
8738 
8739 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8740 				reg_rule->flags) ||
8741 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8742 				freq_range->start_freq_khz) ||
8743 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8744 				freq_range->end_freq_khz) ||
8745 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8746 				max_bandwidth_khz) ||
8747 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8748 				power_rule->max_antenna_gain) ||
8749 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8750 				power_rule->max_eirp) ||
8751 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8752 				reg_rule->dfs_cac_ms))
8753 			goto nla_put_failure;
8754 
8755 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8756 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8757 			       reg_rule->psd))
8758 			goto nla_put_failure;
8759 
8760 		nla_nest_end(msg, nl_reg_rule);
8761 	}
8762 
8763 	nla_nest_end(msg, nl_reg_rules);
8764 	return 0;
8765 
8766 nla_put_failure:
8767 	return -EMSGSIZE;
8768 }
8769 
8770 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8771 {
8772 	const struct ieee80211_regdomain *regdom = NULL;
8773 	struct cfg80211_registered_device *rdev;
8774 	struct wiphy *wiphy = NULL;
8775 	struct sk_buff *msg;
8776 	int err = -EMSGSIZE;
8777 	void *hdr;
8778 
8779 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8780 	if (!msg)
8781 		return -ENOBUFS;
8782 
8783 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8784 			     NL80211_CMD_GET_REG);
8785 	if (!hdr)
8786 		goto put_failure;
8787 
8788 	rtnl_lock();
8789 
8790 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8791 		bool self_managed;
8792 
8793 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8794 		if (IS_ERR(rdev)) {
8795 			err = PTR_ERR(rdev);
8796 			goto nla_put_failure;
8797 		}
8798 
8799 		wiphy = &rdev->wiphy;
8800 		self_managed = wiphy->regulatory_flags &
8801 			       REGULATORY_WIPHY_SELF_MANAGED;
8802 
8803 		rcu_read_lock();
8804 
8805 		regdom = get_wiphy_regdom(wiphy);
8806 
8807 		/* a self-managed-reg device must have a private regdom */
8808 		if (WARN_ON(!regdom && self_managed)) {
8809 			err = -EINVAL;
8810 			goto nla_put_failure_rcu;
8811 		}
8812 
8813 		if (regdom &&
8814 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8815 			goto nla_put_failure_rcu;
8816 	} else {
8817 		rcu_read_lock();
8818 	}
8819 
8820 	if (!wiphy && reg_last_request_cell_base() &&
8821 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8822 			NL80211_USER_REG_HINT_CELL_BASE))
8823 		goto nla_put_failure_rcu;
8824 
8825 	if (!regdom)
8826 		regdom = rcu_dereference(cfg80211_regdomain);
8827 
8828 	if (nl80211_put_regdom(regdom, msg))
8829 		goto nla_put_failure_rcu;
8830 
8831 	rcu_read_unlock();
8832 
8833 	genlmsg_end(msg, hdr);
8834 	rtnl_unlock();
8835 	return genlmsg_reply(msg, info);
8836 
8837 nla_put_failure_rcu:
8838 	rcu_read_unlock();
8839 nla_put_failure:
8840 	rtnl_unlock();
8841 put_failure:
8842 	nlmsg_free(msg);
8843 	return err;
8844 }
8845 
8846 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8847 			       u32 seq, int flags, struct wiphy *wiphy,
8848 			       const struct ieee80211_regdomain *regdom)
8849 {
8850 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8851 				   NL80211_CMD_GET_REG);
8852 
8853 	if (!hdr)
8854 		return -1;
8855 
8856 	genl_dump_check_consistent(cb, hdr);
8857 
8858 	if (nl80211_put_regdom(regdom, msg))
8859 		goto nla_put_failure;
8860 
8861 	if (!wiphy && reg_last_request_cell_base() &&
8862 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8863 			NL80211_USER_REG_HINT_CELL_BASE))
8864 		goto nla_put_failure;
8865 
8866 	if (wiphy &&
8867 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8868 		goto nla_put_failure;
8869 
8870 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8871 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8872 		goto nla_put_failure;
8873 
8874 	genlmsg_end(msg, hdr);
8875 	return 0;
8876 
8877 nla_put_failure:
8878 	genlmsg_cancel(msg, hdr);
8879 	return -EMSGSIZE;
8880 }
8881 
8882 static int nl80211_get_reg_dump(struct sk_buff *skb,
8883 				struct netlink_callback *cb)
8884 {
8885 	const struct ieee80211_regdomain *regdom = NULL;
8886 	struct cfg80211_registered_device *rdev;
8887 	int err, reg_idx, start = cb->args[2];
8888 
8889 	rcu_read_lock();
8890 
8891 	if (cfg80211_regdomain && start == 0) {
8892 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8893 					  NLM_F_MULTI, NULL,
8894 					  rcu_dereference(cfg80211_regdomain));
8895 		if (err < 0)
8896 			goto out_err;
8897 	}
8898 
8899 	/* the global regdom is idx 0 */
8900 	reg_idx = 1;
8901 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8902 		regdom = get_wiphy_regdom(&rdev->wiphy);
8903 		if (!regdom)
8904 			continue;
8905 
8906 		if (++reg_idx <= start)
8907 			continue;
8908 
8909 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8910 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8911 		if (err < 0) {
8912 			reg_idx--;
8913 			break;
8914 		}
8915 	}
8916 
8917 	cb->args[2] = reg_idx;
8918 	err = skb->len;
8919 out_err:
8920 	rcu_read_unlock();
8921 	return err;
8922 }
8923 
8924 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8925 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8926 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8927 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8928 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8929 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8930 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8931 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8932 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8933 };
8934 
8935 static int parse_reg_rule(struct nlattr *tb[],
8936 	struct ieee80211_reg_rule *reg_rule)
8937 {
8938 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8939 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8940 
8941 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8942 		return -EINVAL;
8943 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8944 		return -EINVAL;
8945 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8946 		return -EINVAL;
8947 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8948 		return -EINVAL;
8949 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8950 		return -EINVAL;
8951 
8952 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8953 
8954 	freq_range->start_freq_khz =
8955 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8956 	freq_range->end_freq_khz =
8957 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8958 	freq_range->max_bandwidth_khz =
8959 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8960 
8961 	power_rule->max_eirp =
8962 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8963 
8964 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8965 		power_rule->max_antenna_gain =
8966 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8967 
8968 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8969 		reg_rule->dfs_cac_ms =
8970 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8971 
8972 	return 0;
8973 }
8974 
8975 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8976 {
8977 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8978 	struct nlattr *nl_reg_rule;
8979 	char *alpha2;
8980 	int rem_reg_rules, r;
8981 	u32 num_rules = 0, rule_idx = 0;
8982 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8983 	struct ieee80211_regdomain *rd;
8984 
8985 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8986 		return -EINVAL;
8987 
8988 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8989 		return -EINVAL;
8990 
8991 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8992 
8993 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8994 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8995 
8996 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8997 			    rem_reg_rules) {
8998 		num_rules++;
8999 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9000 			return -EINVAL;
9001 	}
9002 
9003 	rtnl_lock();
9004 	if (!reg_is_valid_request(alpha2)) {
9005 		r = -EINVAL;
9006 		goto out;
9007 	}
9008 
9009 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9010 	if (!rd) {
9011 		r = -ENOMEM;
9012 		goto out;
9013 	}
9014 
9015 	rd->n_reg_rules = num_rules;
9016 	rd->alpha2[0] = alpha2[0];
9017 	rd->alpha2[1] = alpha2[1];
9018 
9019 	/*
9020 	 * Disable DFS master mode if the DFS region was
9021 	 * not supported or known on this kernel.
9022 	 */
9023 	if (reg_supported_dfs_region(dfs_region))
9024 		rd->dfs_region = dfs_region;
9025 
9026 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9027 			    rem_reg_rules) {
9028 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9029 						nl_reg_rule, reg_rule_policy,
9030 						info->extack);
9031 		if (r)
9032 			goto bad_reg;
9033 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9034 		if (r)
9035 			goto bad_reg;
9036 
9037 		rule_idx++;
9038 
9039 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9040 			r = -EINVAL;
9041 			goto bad_reg;
9042 		}
9043 	}
9044 
9045 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9046 	/* set_regdom takes ownership of rd */
9047 	rd = NULL;
9048  bad_reg:
9049 	kfree(rd);
9050  out:
9051 	rtnl_unlock();
9052 	return r;
9053 }
9054 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9055 
9056 static int validate_scan_freqs(struct nlattr *freqs)
9057 {
9058 	struct nlattr *attr1, *attr2;
9059 	int n_channels = 0, tmp1, tmp2;
9060 
9061 	nla_for_each_nested(attr1, freqs, tmp1)
9062 		if (nla_len(attr1) != sizeof(u32))
9063 			return 0;
9064 
9065 	nla_for_each_nested(attr1, freqs, tmp1) {
9066 		n_channels++;
9067 		/*
9068 		 * Some hardware has a limited channel list for
9069 		 * scanning, and it is pretty much nonsensical
9070 		 * to scan for a channel twice, so disallow that
9071 		 * and don't require drivers to check that the
9072 		 * channel list they get isn't longer than what
9073 		 * they can scan, as long as they can scan all
9074 		 * the channels they registered at once.
9075 		 */
9076 		nla_for_each_nested(attr2, freqs, tmp2)
9077 			if (attr1 != attr2 &&
9078 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9079 				return 0;
9080 	}
9081 
9082 	return n_channels;
9083 }
9084 
9085 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9086 {
9087 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9088 }
9089 
9090 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9091 			    struct cfg80211_bss_selection *bss_select)
9092 {
9093 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9094 	struct nlattr *nest;
9095 	int err;
9096 	bool found = false;
9097 	int i;
9098 
9099 	/* only process one nested attribute */
9100 	nest = nla_data(nla);
9101 	if (!nla_ok(nest, nla_len(nest)))
9102 		return -EINVAL;
9103 
9104 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9105 					  nest, nl80211_bss_select_policy,
9106 					  NULL);
9107 	if (err)
9108 		return err;
9109 
9110 	/* only one attribute may be given */
9111 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9112 		if (attr[i]) {
9113 			if (found)
9114 				return -EINVAL;
9115 			found = true;
9116 		}
9117 	}
9118 
9119 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9120 
9121 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9122 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9123 
9124 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9125 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9126 		bss_select->param.band_pref =
9127 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9128 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9129 			return -EINVAL;
9130 	}
9131 
9132 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9133 		struct nl80211_bss_select_rssi_adjust *adj_param;
9134 
9135 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9136 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9137 		bss_select->param.adjust.band = adj_param->band;
9138 		bss_select->param.adjust.delta = adj_param->delta;
9139 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9140 			return -EINVAL;
9141 	}
9142 
9143 	/* user-space did not provide behaviour attribute */
9144 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9145 		return -EINVAL;
9146 
9147 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9148 		return -EINVAL;
9149 
9150 	return 0;
9151 }
9152 
9153 int nl80211_parse_random_mac(struct nlattr **attrs,
9154 			     u8 *mac_addr, u8 *mac_addr_mask)
9155 {
9156 	int i;
9157 
9158 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9159 		eth_zero_addr(mac_addr);
9160 		eth_zero_addr(mac_addr_mask);
9161 		mac_addr[0] = 0x2;
9162 		mac_addr_mask[0] = 0x3;
9163 
9164 		return 0;
9165 	}
9166 
9167 	/* need both or none */
9168 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9169 		return -EINVAL;
9170 
9171 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9172 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9173 
9174 	/* don't allow or configure an mcast address */
9175 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9176 	    is_multicast_ether_addr(mac_addr))
9177 		return -EINVAL;
9178 
9179 	/*
9180 	 * allow users to pass a MAC address that has bits set outside
9181 	 * of the mask, but don't bother drivers with having to deal
9182 	 * with such bits
9183 	 */
9184 	for (i = 0; i < ETH_ALEN; i++)
9185 		mac_addr[i] &= mac_addr_mask[i];
9186 
9187 	return 0;
9188 }
9189 
9190 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9191 					      struct ieee80211_channel *chan)
9192 {
9193 	unsigned int link_id;
9194 	bool all_ok = true;
9195 
9196 	lockdep_assert_wiphy(wdev->wiphy);
9197 
9198 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
9199 		return false;
9200 
9201 	if (!cfg80211_beaconing_iface_active(wdev))
9202 		return true;
9203 
9204 	/*
9205 	 * FIXME: check if we have a free HW resource/link for chan
9206 	 *
9207 	 * This, as well as the FIXME below, requires knowing the link
9208 	 * capabilities of the hardware.
9209 	 */
9210 
9211 	/* we cannot leave radar channels */
9212 	for_each_valid_link(wdev, link_id) {
9213 		struct cfg80211_chan_def *chandef;
9214 
9215 		chandef = wdev_chandef(wdev, link_id);
9216 		if (!chandef || !chandef->chan)
9217 			continue;
9218 
9219 		/*
9220 		 * FIXME: don't require all_ok, but rather check only the
9221 		 *	  correct HW resource/link onto which 'chan' falls,
9222 		 *	  as only that link leaves the channel for doing
9223 		 *	  the off-channel operation.
9224 		 */
9225 
9226 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9227 			all_ok = false;
9228 	}
9229 
9230 	if (all_ok)
9231 		return true;
9232 
9233 	return regulatory_pre_cac_allowed(wdev->wiphy);
9234 }
9235 
9236 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9237 				    enum nl80211_ext_feature_index feat)
9238 {
9239 	if (!(flags & flag))
9240 		return true;
9241 	if (wiphy_ext_feature_isset(wiphy, feat))
9242 		return true;
9243 	return false;
9244 }
9245 
9246 static int
9247 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9248 			 void *request, struct nlattr **attrs,
9249 			 bool is_sched_scan)
9250 {
9251 	u8 *mac_addr, *mac_addr_mask;
9252 	u32 *flags;
9253 	enum nl80211_feature_flags randomness_flag;
9254 
9255 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9256 		return 0;
9257 
9258 	if (is_sched_scan) {
9259 		struct cfg80211_sched_scan_request *req = request;
9260 
9261 		randomness_flag = wdev ?
9262 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9263 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9264 		flags = &req->flags;
9265 		mac_addr = req->mac_addr;
9266 		mac_addr_mask = req->mac_addr_mask;
9267 	} else {
9268 		struct cfg80211_scan_request *req = request;
9269 
9270 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9271 		flags = &req->flags;
9272 		mac_addr = req->mac_addr;
9273 		mac_addr_mask = req->mac_addr_mask;
9274 	}
9275 
9276 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9277 
9278 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9279 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9280 	    !nl80211_check_scan_feat(wiphy, *flags,
9281 				     NL80211_SCAN_FLAG_LOW_SPAN,
9282 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9283 	    !nl80211_check_scan_feat(wiphy, *flags,
9284 				     NL80211_SCAN_FLAG_LOW_POWER,
9285 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9288 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9289 	    !nl80211_check_scan_feat(wiphy, *flags,
9290 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9291 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9292 	    !nl80211_check_scan_feat(wiphy, *flags,
9293 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9294 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9295 	    !nl80211_check_scan_feat(wiphy, *flags,
9296 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9297 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9298 	    !nl80211_check_scan_feat(wiphy, *flags,
9299 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9300 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9301 	    !nl80211_check_scan_feat(wiphy, *flags,
9302 				     NL80211_SCAN_FLAG_RANDOM_SN,
9303 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9304 	    !nl80211_check_scan_feat(wiphy, *flags,
9305 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9306 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9307 		return -EOPNOTSUPP;
9308 
9309 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9310 		int err;
9311 
9312 		if (!(wiphy->features & randomness_flag) ||
9313 		    (wdev && wdev->connected))
9314 			return -EOPNOTSUPP;
9315 
9316 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9317 		if (err)
9318 			return err;
9319 	}
9320 
9321 	return 0;
9322 }
9323 
9324 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9325 {
9326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9327 	struct wireless_dev *wdev = info->user_ptr[1];
9328 	struct cfg80211_scan_request *request;
9329 	struct nlattr *scan_freqs = NULL;
9330 	bool scan_freqs_khz = false;
9331 	struct nlattr *attr;
9332 	struct wiphy *wiphy;
9333 	int err, tmp, n_ssids = 0, n_channels, i;
9334 	size_t ie_len, size;
9335 	size_t ssids_offset, ie_offset;
9336 
9337 	wiphy = &rdev->wiphy;
9338 
9339 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9340 		return -EOPNOTSUPP;
9341 
9342 	if (!rdev->ops->scan)
9343 		return -EOPNOTSUPP;
9344 
9345 	if (rdev->scan_req || rdev->scan_msg)
9346 		return -EBUSY;
9347 
9348 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9349 		if (!wiphy_ext_feature_isset(wiphy,
9350 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9351 			return -EOPNOTSUPP;
9352 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9353 		scan_freqs_khz = true;
9354 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9355 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9356 
9357 	if (scan_freqs) {
9358 		n_channels = validate_scan_freqs(scan_freqs);
9359 		if (!n_channels)
9360 			return -EINVAL;
9361 	} else {
9362 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9363 	}
9364 
9365 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9366 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9367 			n_ssids++;
9368 
9369 	if (n_ssids > wiphy->max_scan_ssids)
9370 		return -EINVAL;
9371 
9372 	if (info->attrs[NL80211_ATTR_IE])
9373 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9374 	else
9375 		ie_len = 0;
9376 
9377 	if (ie_len > wiphy->max_scan_ie_len)
9378 		return -EINVAL;
9379 
9380 	size = struct_size(request, channels, n_channels);
9381 	ssids_offset = size;
9382 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9383 	ie_offset = size;
9384 	size = size_add(size, ie_len);
9385 	request = kzalloc(size, GFP_KERNEL);
9386 	if (!request)
9387 		return -ENOMEM;
9388 	request->n_channels = n_channels;
9389 
9390 	if (n_ssids)
9391 		request->ssids = (void *)request + ssids_offset;
9392 	request->n_ssids = n_ssids;
9393 	if (ie_len)
9394 		request->ie = (void *)request + ie_offset;
9395 
9396 	i = 0;
9397 	if (scan_freqs) {
9398 		/* user specified, bail out if channel not found */
9399 		nla_for_each_nested(attr, scan_freqs, tmp) {
9400 			struct ieee80211_channel *chan;
9401 			int freq = nla_get_u32(attr);
9402 
9403 			if (!scan_freqs_khz)
9404 				freq = MHZ_TO_KHZ(freq);
9405 
9406 			chan = ieee80211_get_channel_khz(wiphy, freq);
9407 			if (!chan) {
9408 				err = -EINVAL;
9409 				goto out_free;
9410 			}
9411 
9412 			/* ignore disabled channels */
9413 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
9414 			    !cfg80211_wdev_channel_allowed(wdev, chan))
9415 				continue;
9416 
9417 			request->channels[i] = chan;
9418 			i++;
9419 		}
9420 	} else {
9421 		enum nl80211_band band;
9422 
9423 		/* all channels */
9424 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9425 			int j;
9426 
9427 			if (!wiphy->bands[band])
9428 				continue;
9429 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9430 				struct ieee80211_channel *chan;
9431 
9432 				chan = &wiphy->bands[band]->channels[j];
9433 
9434 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
9435 				    !cfg80211_wdev_channel_allowed(wdev, chan))
9436 					continue;
9437 
9438 				request->channels[i] = chan;
9439 				i++;
9440 			}
9441 		}
9442 	}
9443 
9444 	if (!i) {
9445 		err = -EINVAL;
9446 		goto out_free;
9447 	}
9448 
9449 	request->n_channels = i;
9450 
9451 	for (i = 0; i < request->n_channels; i++) {
9452 		struct ieee80211_channel *chan = request->channels[i];
9453 
9454 		/* if we can go off-channel to the target channel we're good */
9455 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9456 			continue;
9457 
9458 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9459 			err = -EBUSY;
9460 			goto out_free;
9461 		}
9462 	}
9463 
9464 	i = 0;
9465 	if (n_ssids) {
9466 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9467 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9468 				err = -EINVAL;
9469 				goto out_free;
9470 			}
9471 			request->ssids[i].ssid_len = nla_len(attr);
9472 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9473 			i++;
9474 		}
9475 	}
9476 
9477 	if (info->attrs[NL80211_ATTR_IE]) {
9478 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9479 		memcpy((void *)request->ie,
9480 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9481 		       request->ie_len);
9482 	}
9483 
9484 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9485 		if (wiphy->bands[i])
9486 			request->rates[i] =
9487 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9488 
9489 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9490 		nla_for_each_nested(attr,
9491 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9492 				    tmp) {
9493 			enum nl80211_band band = nla_type(attr);
9494 
9495 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9496 				err = -EINVAL;
9497 				goto out_free;
9498 			}
9499 
9500 			if (!wiphy->bands[band])
9501 				continue;
9502 
9503 			err = ieee80211_get_ratemask(wiphy->bands[band],
9504 						     nla_data(attr),
9505 						     nla_len(attr),
9506 						     &request->rates[band]);
9507 			if (err)
9508 				goto out_free;
9509 		}
9510 	}
9511 
9512 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9513 		request->duration =
9514 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9515 		request->duration_mandatory =
9516 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9517 	}
9518 
9519 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9520 				       false);
9521 	if (err)
9522 		goto out_free;
9523 
9524 	request->no_cck =
9525 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9526 
9527 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9528 	 * BSSID to scan for. This was problematic because that same attribute
9529 	 * was already used for another purpose (local random MAC address). The
9530 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9531 	 * compatibility with older userspace components, also use the
9532 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9533 	 * the specific BSSID use case instead of the random MAC address
9534 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9535 	 */
9536 	if (info->attrs[NL80211_ATTR_BSSID])
9537 		memcpy(request->bssid,
9538 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9539 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9540 		 info->attrs[NL80211_ATTR_MAC])
9541 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9542 		       ETH_ALEN);
9543 	else
9544 		eth_broadcast_addr(request->bssid);
9545 
9546 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9547 	request->wdev = wdev;
9548 	request->wiphy = &rdev->wiphy;
9549 	request->scan_start = jiffies;
9550 
9551 	rdev->scan_req = request;
9552 	err = cfg80211_scan(rdev);
9553 
9554 	if (err)
9555 		goto out_free;
9556 
9557 	nl80211_send_scan_start(rdev, wdev);
9558 	dev_hold(wdev->netdev);
9559 
9560 	return 0;
9561 
9562  out_free:
9563 	rdev->scan_req = NULL;
9564 	kfree(request);
9565 
9566 	return err;
9567 }
9568 
9569 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9570 {
9571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9572 	struct wireless_dev *wdev = info->user_ptr[1];
9573 
9574 	if (!rdev->ops->abort_scan)
9575 		return -EOPNOTSUPP;
9576 
9577 	if (rdev->scan_msg)
9578 		return 0;
9579 
9580 	if (!rdev->scan_req)
9581 		return -ENOENT;
9582 
9583 	rdev_abort_scan(rdev, wdev);
9584 	return 0;
9585 }
9586 
9587 static int
9588 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9589 			       struct cfg80211_sched_scan_request *request,
9590 			       struct nlattr **attrs)
9591 {
9592 	int tmp, err, i = 0;
9593 	struct nlattr *attr;
9594 
9595 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9596 		u32 interval;
9597 
9598 		/*
9599 		 * If scan plans are not specified,
9600 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9601 		 * case one scan plan will be set with the specified scan
9602 		 * interval and infinite number of iterations.
9603 		 */
9604 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9605 		if (!interval)
9606 			return -EINVAL;
9607 
9608 		request->scan_plans[0].interval =
9609 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9610 		if (!request->scan_plans[0].interval)
9611 			return -EINVAL;
9612 
9613 		if (request->scan_plans[0].interval >
9614 		    wiphy->max_sched_scan_plan_interval)
9615 			request->scan_plans[0].interval =
9616 				wiphy->max_sched_scan_plan_interval;
9617 
9618 		return 0;
9619 	}
9620 
9621 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9622 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9623 
9624 		if (WARN_ON(i >= n_plans))
9625 			return -EINVAL;
9626 
9627 		err = nla_parse_nested_deprecated(plan,
9628 						  NL80211_SCHED_SCAN_PLAN_MAX,
9629 						  attr, nl80211_plan_policy,
9630 						  NULL);
9631 		if (err)
9632 			return err;
9633 
9634 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9635 			return -EINVAL;
9636 
9637 		request->scan_plans[i].interval =
9638 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9639 		if (!request->scan_plans[i].interval ||
9640 		    request->scan_plans[i].interval >
9641 		    wiphy->max_sched_scan_plan_interval)
9642 			return -EINVAL;
9643 
9644 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9645 			request->scan_plans[i].iterations =
9646 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9647 			if (!request->scan_plans[i].iterations ||
9648 			    (request->scan_plans[i].iterations >
9649 			     wiphy->max_sched_scan_plan_iterations))
9650 				return -EINVAL;
9651 		} else if (i < n_plans - 1) {
9652 			/*
9653 			 * All scan plans but the last one must specify
9654 			 * a finite number of iterations
9655 			 */
9656 			return -EINVAL;
9657 		}
9658 
9659 		i++;
9660 	}
9661 
9662 	/*
9663 	 * The last scan plan must not specify the number of
9664 	 * iterations, it is supposed to run infinitely
9665 	 */
9666 	if (request->scan_plans[n_plans - 1].iterations)
9667 		return  -EINVAL;
9668 
9669 	return 0;
9670 }
9671 
9672 static struct cfg80211_sched_scan_request *
9673 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9674 			 struct nlattr **attrs, int max_match_sets)
9675 {
9676 	struct cfg80211_sched_scan_request *request;
9677 	struct nlattr *attr;
9678 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9679 	enum nl80211_band band;
9680 	size_t ie_len, size;
9681 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9682 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9683 
9684 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9685 		n_channels = validate_scan_freqs(
9686 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9687 		if (!n_channels)
9688 			return ERR_PTR(-EINVAL);
9689 	} else {
9690 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9691 	}
9692 
9693 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9694 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9695 				    tmp)
9696 			n_ssids++;
9697 
9698 	if (n_ssids > wiphy->max_sched_scan_ssids)
9699 		return ERR_PTR(-EINVAL);
9700 
9701 	/*
9702 	 * First, count the number of 'real' matchsets. Due to an issue with
9703 	 * the old implementation, matchsets containing only the RSSI attribute
9704 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9705 	 * RSSI for all matchsets, rather than their own matchset for reporting
9706 	 * all APs with a strong RSSI. This is needed to be compatible with
9707 	 * older userspace that treated a matchset with only the RSSI as the
9708 	 * global RSSI for all other matchsets - if there are other matchsets.
9709 	 */
9710 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9711 		nla_for_each_nested(attr,
9712 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9713 				    tmp) {
9714 			struct nlattr *rssi;
9715 
9716 			err = nla_parse_nested_deprecated(tb,
9717 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9718 							  attr,
9719 							  nl80211_match_policy,
9720 							  NULL);
9721 			if (err)
9722 				return ERR_PTR(err);
9723 
9724 			/* SSID and BSSID are mutually exclusive */
9725 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9726 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9727 				return ERR_PTR(-EINVAL);
9728 
9729 			/* add other standalone attributes here */
9730 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9731 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9732 				n_match_sets++;
9733 				continue;
9734 			}
9735 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9736 			if (rssi)
9737 				default_match_rssi = nla_get_s32(rssi);
9738 		}
9739 	}
9740 
9741 	/* However, if there's no other matchset, add the RSSI one */
9742 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9743 		n_match_sets = 1;
9744 
9745 	if (n_match_sets > max_match_sets)
9746 		return ERR_PTR(-EINVAL);
9747 
9748 	if (attrs[NL80211_ATTR_IE])
9749 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9750 	else
9751 		ie_len = 0;
9752 
9753 	if (ie_len > wiphy->max_sched_scan_ie_len)
9754 		return ERR_PTR(-EINVAL);
9755 
9756 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9757 		/*
9758 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9759 		 * each scan plan already specifies its own interval
9760 		 */
9761 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9762 			return ERR_PTR(-EINVAL);
9763 
9764 		nla_for_each_nested(attr,
9765 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9766 			n_plans++;
9767 	} else {
9768 		/*
9769 		 * The scan interval attribute is kept for backward
9770 		 * compatibility. If no scan plans are specified and sched scan
9771 		 * interval is specified, one scan plan will be set with this
9772 		 * scan interval and infinite number of iterations.
9773 		 */
9774 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9775 			return ERR_PTR(-EINVAL);
9776 
9777 		n_plans = 1;
9778 	}
9779 
9780 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9781 		return ERR_PTR(-EINVAL);
9782 
9783 	if (!wiphy_ext_feature_isset(
9784 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9785 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9786 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9787 		return ERR_PTR(-EINVAL);
9788 
9789 	size = struct_size(request, channels, n_channels);
9790 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9791 	size = size_add(size, array_size(sizeof(*request->match_sets),
9792 					 n_match_sets));
9793 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9794 					 n_plans));
9795 	size = size_add(size, ie_len);
9796 	request = kzalloc(size, GFP_KERNEL);
9797 	if (!request)
9798 		return ERR_PTR(-ENOMEM);
9799 	request->n_channels = n_channels;
9800 
9801 	if (n_ssids)
9802 		request->ssids = (void *)request +
9803 			struct_size(request, channels, n_channels);
9804 	request->n_ssids = n_ssids;
9805 	if (ie_len) {
9806 		if (n_ssids)
9807 			request->ie = (void *)(request->ssids + n_ssids);
9808 		else
9809 			request->ie = (void *)(request->channels + n_channels);
9810 	}
9811 
9812 	if (n_match_sets) {
9813 		if (request->ie)
9814 			request->match_sets = (void *)(request->ie + ie_len);
9815 		else if (n_ssids)
9816 			request->match_sets =
9817 				(void *)(request->ssids + n_ssids);
9818 		else
9819 			request->match_sets =
9820 				(void *)(request->channels + n_channels);
9821 	}
9822 	request->n_match_sets = n_match_sets;
9823 
9824 	if (n_match_sets)
9825 		request->scan_plans = (void *)(request->match_sets +
9826 					       n_match_sets);
9827 	else if (request->ie)
9828 		request->scan_plans = (void *)(request->ie + ie_len);
9829 	else if (n_ssids)
9830 		request->scan_plans = (void *)(request->ssids + n_ssids);
9831 	else
9832 		request->scan_plans = (void *)(request->channels + n_channels);
9833 
9834 	request->n_scan_plans = n_plans;
9835 
9836 	i = 0;
9837 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9838 		/* user specified, bail out if channel not found */
9839 		nla_for_each_nested(attr,
9840 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9841 				    tmp) {
9842 			struct ieee80211_channel *chan;
9843 
9844 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9845 
9846 			if (!chan) {
9847 				err = -EINVAL;
9848 				goto out_free;
9849 			}
9850 
9851 			/* ignore disabled channels */
9852 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9853 				continue;
9854 
9855 			request->channels[i] = chan;
9856 			i++;
9857 		}
9858 	} else {
9859 		/* all channels */
9860 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9861 			int j;
9862 
9863 			if (!wiphy->bands[band])
9864 				continue;
9865 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9866 				struct ieee80211_channel *chan;
9867 
9868 				chan = &wiphy->bands[band]->channels[j];
9869 
9870 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9871 					continue;
9872 
9873 				request->channels[i] = chan;
9874 				i++;
9875 			}
9876 		}
9877 	}
9878 
9879 	if (!i) {
9880 		err = -EINVAL;
9881 		goto out_free;
9882 	}
9883 
9884 	request->n_channels = i;
9885 
9886 	i = 0;
9887 	if (n_ssids) {
9888 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9889 				    tmp) {
9890 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9891 				err = -EINVAL;
9892 				goto out_free;
9893 			}
9894 			request->ssids[i].ssid_len = nla_len(attr);
9895 			memcpy(request->ssids[i].ssid, nla_data(attr),
9896 			       nla_len(attr));
9897 			i++;
9898 		}
9899 	}
9900 
9901 	i = 0;
9902 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9903 		nla_for_each_nested(attr,
9904 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9905 				    tmp) {
9906 			struct nlattr *ssid, *bssid, *rssi;
9907 
9908 			err = nla_parse_nested_deprecated(tb,
9909 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9910 							  attr,
9911 							  nl80211_match_policy,
9912 							  NULL);
9913 			if (err)
9914 				goto out_free;
9915 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9916 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9917 
9918 			if (!ssid && !bssid) {
9919 				i++;
9920 				continue;
9921 			}
9922 
9923 			if (WARN_ON(i >= n_match_sets)) {
9924 				/* this indicates a programming error,
9925 				 * the loop above should have verified
9926 				 * things properly
9927 				 */
9928 				err = -EINVAL;
9929 				goto out_free;
9930 			}
9931 
9932 			if (ssid) {
9933 				memcpy(request->match_sets[i].ssid.ssid,
9934 				       nla_data(ssid), nla_len(ssid));
9935 				request->match_sets[i].ssid.ssid_len =
9936 					nla_len(ssid);
9937 			}
9938 			if (bssid)
9939 				memcpy(request->match_sets[i].bssid,
9940 				       nla_data(bssid), ETH_ALEN);
9941 
9942 			/* special attribute - old implementation w/a */
9943 			request->match_sets[i].rssi_thold = default_match_rssi;
9944 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9945 			if (rssi)
9946 				request->match_sets[i].rssi_thold =
9947 					nla_get_s32(rssi);
9948 			i++;
9949 		}
9950 
9951 		/* there was no other matchset, so the RSSI one is alone */
9952 		if (i == 0 && n_match_sets)
9953 			request->match_sets[0].rssi_thold = default_match_rssi;
9954 
9955 		request->min_rssi_thold = INT_MAX;
9956 		for (i = 0; i < n_match_sets; i++)
9957 			request->min_rssi_thold =
9958 				min(request->match_sets[i].rssi_thold,
9959 				    request->min_rssi_thold);
9960 	} else {
9961 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9962 	}
9963 
9964 	if (ie_len) {
9965 		request->ie_len = ie_len;
9966 		memcpy((void *)request->ie,
9967 		       nla_data(attrs[NL80211_ATTR_IE]),
9968 		       request->ie_len);
9969 	}
9970 
9971 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9972 	if (err)
9973 		goto out_free;
9974 
9975 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9976 		request->delay =
9977 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9978 
9979 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9980 		request->relative_rssi = nla_get_s8(
9981 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9982 		request->relative_rssi_set = true;
9983 	}
9984 
9985 	if (request->relative_rssi_set &&
9986 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9987 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9988 
9989 		rssi_adjust = nla_data(
9990 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9991 		request->rssi_adjust.band = rssi_adjust->band;
9992 		request->rssi_adjust.delta = rssi_adjust->delta;
9993 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9994 			err = -EINVAL;
9995 			goto out_free;
9996 		}
9997 	}
9998 
9999 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10000 	if (err)
10001 		goto out_free;
10002 
10003 	request->scan_start = jiffies;
10004 
10005 	return request;
10006 
10007 out_free:
10008 	kfree(request);
10009 	return ERR_PTR(err);
10010 }
10011 
10012 static int nl80211_start_sched_scan(struct sk_buff *skb,
10013 				    struct genl_info *info)
10014 {
10015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10016 	struct net_device *dev = info->user_ptr[1];
10017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10018 	struct cfg80211_sched_scan_request *sched_scan_req;
10019 	bool want_multi;
10020 	int err;
10021 
10022 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10023 		return -EOPNOTSUPP;
10024 
10025 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10026 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10027 	if (err)
10028 		return err;
10029 
10030 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10031 						  info->attrs,
10032 						  rdev->wiphy.max_match_sets);
10033 
10034 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10035 	if (err)
10036 		goto out_err;
10037 
10038 	/* leave request id zero for legacy request
10039 	 * or if driver does not support multi-scheduled scan
10040 	 */
10041 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10042 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10043 
10044 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10045 	if (err)
10046 		goto out_free;
10047 
10048 	sched_scan_req->dev = dev;
10049 	sched_scan_req->wiphy = &rdev->wiphy;
10050 
10051 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10052 		sched_scan_req->owner_nlportid = info->snd_portid;
10053 
10054 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10055 
10056 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10057 	return 0;
10058 
10059 out_free:
10060 	kfree(sched_scan_req);
10061 out_err:
10062 	return err;
10063 }
10064 
10065 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10066 				   struct genl_info *info)
10067 {
10068 	struct cfg80211_sched_scan_request *req;
10069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10070 	u64 cookie;
10071 
10072 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10073 		return -EOPNOTSUPP;
10074 
10075 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10076 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10077 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10078 	}
10079 
10080 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10081 				     struct cfg80211_sched_scan_request,
10082 				     list);
10083 	if (!req || req->reqid ||
10084 	    (req->owner_nlportid &&
10085 	     req->owner_nlportid != info->snd_portid))
10086 		return -ENOENT;
10087 
10088 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10089 }
10090 
10091 static int nl80211_start_radar_detection(struct sk_buff *skb,
10092 					 struct genl_info *info)
10093 {
10094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10095 	struct net_device *dev = info->user_ptr[1];
10096 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10097 	int link_id = nl80211_link_id(info->attrs);
10098 	struct wiphy *wiphy = wdev->wiphy;
10099 	struct cfg80211_chan_def chandef;
10100 	enum nl80211_dfs_regions dfs_region;
10101 	unsigned int cac_time_ms;
10102 	int err;
10103 
10104 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10105 
10106 	switch (wdev->iftype) {
10107 	case NL80211_IFTYPE_AP:
10108 	case NL80211_IFTYPE_P2P_GO:
10109 	case NL80211_IFTYPE_MESH_POINT:
10110 	case NL80211_IFTYPE_ADHOC:
10111 		break;
10112 	default:
10113 		/* caution - see cfg80211_beaconing_iface_active() below */
10114 		return -EINVAL;
10115 	}
10116 
10117 	guard(wiphy)(wiphy);
10118 
10119 	dfs_region = reg_get_dfs_region(wiphy);
10120 	if (dfs_region == NL80211_DFS_UNSET)
10121 		return -EINVAL;
10122 
10123 	err = nl80211_parse_chandef(rdev, info, &chandef);
10124 	if (err)
10125 		return err;
10126 
10127 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10128 	if (err < 0)
10129 		return err;
10130 
10131 	if (err == 0)
10132 		return -EINVAL;
10133 
10134 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
10135 		return -EINVAL;
10136 
10137 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND]))
10138 		return cfg80211_start_background_radar_detection(rdev, wdev,
10139 								 &chandef);
10140 
10141 	if (cfg80211_beaconing_iface_active(wdev)) {
10142 		/* During MLO other link(s) can beacon, only the current link
10143 		 * can not already beacon
10144 		 */
10145 		if (wdev->valid_links &&
10146 		    !wdev->links[link_id].ap.beacon_interval) {
10147 			/* nothing */
10148 		} else {
10149 			return -EBUSY;
10150 		}
10151 	}
10152 
10153 	if (wdev->links[link_id].cac_started)
10154 		return -EBUSY;
10155 
10156 	/* CAC start is offloaded to HW and can't be started manually */
10157 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
10158 		return -EOPNOTSUPP;
10159 
10160 	if (!rdev->ops->start_radar_detection)
10161 		return -EOPNOTSUPP;
10162 
10163 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10164 	if (WARN_ON(!cac_time_ms))
10165 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10166 
10167 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10168 					 link_id);
10169 	if (err)
10170 		return err;
10171 
10172 	switch (wdev->iftype) {
10173 	case NL80211_IFTYPE_AP:
10174 	case NL80211_IFTYPE_P2P_GO:
10175 		wdev->links[0].ap.chandef = chandef;
10176 		break;
10177 	case NL80211_IFTYPE_ADHOC:
10178 		wdev->u.ibss.chandef = chandef;
10179 		break;
10180 	case NL80211_IFTYPE_MESH_POINT:
10181 		wdev->u.mesh.chandef = chandef;
10182 		break;
10183 	default:
10184 		break;
10185 	}
10186 	wdev->links[link_id].cac_started = true;
10187 	wdev->links[link_id].cac_start_time = jiffies;
10188 	wdev->links[link_id].cac_time_ms = cac_time_ms;
10189 
10190 	return 0;
10191 }
10192 
10193 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10194 					  struct genl_info *info)
10195 {
10196 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10197 	struct net_device *dev = info->user_ptr[1];
10198 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10199 	struct wiphy *wiphy = wdev->wiphy;
10200 	struct cfg80211_chan_def chandef;
10201 	enum nl80211_dfs_regions dfs_region;
10202 	int err;
10203 
10204 	dfs_region = reg_get_dfs_region(wiphy);
10205 	if (dfs_region == NL80211_DFS_UNSET) {
10206 		GENL_SET_ERR_MSG(info,
10207 				 "DFS Region is not set. Unexpected Radar indication");
10208 		return -EINVAL;
10209 	}
10210 
10211 	err = nl80211_parse_chandef(rdev, info, &chandef);
10212 	if (err) {
10213 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10214 		return err;
10215 	}
10216 
10217 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10218 	if (err < 0) {
10219 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10220 		return err;
10221 	}
10222 
10223 	if (err == 0) {
10224 		GENL_SET_ERR_MSG(info,
10225 				 "Unexpected Radar indication for chandef/iftype");
10226 		return -EINVAL;
10227 	}
10228 
10229 	/* Do not process this notification if radar is already detected
10230 	 * by kernel on this channel, and return success.
10231 	 */
10232 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10233 		return 0;
10234 
10235 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10236 
10237 	cfg80211_sched_dfs_chan_update(rdev);
10238 
10239 	rdev->radar_chandef = chandef;
10240 
10241 	/* Propagate this notification to other radios as well */
10242 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10243 
10244 	return 0;
10245 }
10246 
10247 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10248 					 const u8 *data, size_t datalen,
10249 					 int first_count, struct nlattr *attr,
10250 					 const u16 **offsets, unsigned int *n_offsets)
10251 {
10252 	int i;
10253 
10254 	*n_offsets = 0;
10255 
10256 	if (!attr)
10257 		return 0;
10258 
10259 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10260 		return -EINVAL;
10261 
10262 	*n_offsets = nla_len(attr) / sizeof(u16);
10263 	if (rdev->wiphy.max_num_csa_counters &&
10264 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10265 		return -EINVAL;
10266 
10267 	*offsets = nla_data(attr);
10268 
10269 	/* sanity checks - counters should fit and be the same */
10270 	for (i = 0; i < *n_offsets; i++) {
10271 		u16 offset = (*offsets)[i];
10272 
10273 		if (offset >= datalen)
10274 			return -EINVAL;
10275 
10276 		if (first_count != -1 && data[offset] != first_count)
10277 			return -EINVAL;
10278 	}
10279 
10280 	return 0;
10281 }
10282 
10283 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10284 {
10285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10286 	unsigned int link_id = nl80211_link_id(info->attrs);
10287 	struct net_device *dev = info->user_ptr[1];
10288 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10289 	struct cfg80211_csa_settings params;
10290 	struct nlattr **csa_attrs = NULL;
10291 	int err;
10292 	bool need_new_beacon = false;
10293 	bool need_handle_dfs_flag = true;
10294 	u32 cs_count;
10295 
10296 	if (!rdev->ops->channel_switch ||
10297 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10298 		return -EOPNOTSUPP;
10299 
10300 	switch (dev->ieee80211_ptr->iftype) {
10301 	case NL80211_IFTYPE_AP:
10302 	case NL80211_IFTYPE_P2P_GO:
10303 		need_new_beacon = true;
10304 		/* For all modes except AP the handle_dfs flag needs to be
10305 		 * supplied to tell the kernel that userspace will handle radar
10306 		 * events when they happen. Otherwise a switch to a channel
10307 		 * requiring DFS will be rejected.
10308 		 */
10309 		need_handle_dfs_flag = false;
10310 
10311 		/* useless if AP is not running */
10312 		if (!wdev->links[link_id].ap.beacon_interval)
10313 			return -ENOTCONN;
10314 		break;
10315 	case NL80211_IFTYPE_ADHOC:
10316 		if (!wdev->u.ibss.ssid_len)
10317 			return -ENOTCONN;
10318 		break;
10319 	case NL80211_IFTYPE_MESH_POINT:
10320 		if (!wdev->u.mesh.id_len)
10321 			return -ENOTCONN;
10322 		break;
10323 	default:
10324 		return -EOPNOTSUPP;
10325 	}
10326 
10327 	memset(&params, 0, sizeof(params));
10328 	params.beacon_csa.ftm_responder = -1;
10329 
10330 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10331 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10332 		return -EINVAL;
10333 
10334 	/* only important for AP, IBSS and mesh create IEs internally */
10335 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10336 		return -EINVAL;
10337 
10338 	/* Even though the attribute is u32, the specification says
10339 	 * u8, so let's make sure we don't overflow.
10340 	 */
10341 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10342 	if (cs_count > 255)
10343 		return -EINVAL;
10344 
10345 	params.count = cs_count;
10346 
10347 	if (!need_new_beacon)
10348 		goto skip_beacons;
10349 
10350 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10351 				   info->extack);
10352 	if (err)
10353 		goto free;
10354 
10355 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10356 			    GFP_KERNEL);
10357 	if (!csa_attrs) {
10358 		err = -ENOMEM;
10359 		goto free;
10360 	}
10361 
10362 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10363 					  info->attrs[NL80211_ATTR_CSA_IES],
10364 					  nl80211_policy, info->extack);
10365 	if (err)
10366 		goto free;
10367 
10368 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10369 				   info->extack);
10370 	if (err)
10371 		goto free;
10372 
10373 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10374 		err = -EINVAL;
10375 		goto free;
10376 	}
10377 
10378 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10379 					    params.beacon_csa.tail_len,
10380 					    params.count,
10381 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10382 					    &params.counter_offsets_beacon,
10383 					    &params.n_counter_offsets_beacon);
10384 	if (err)
10385 		goto free;
10386 
10387 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10388 					    params.beacon_csa.probe_resp_len,
10389 					    params.count,
10390 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10391 					    &params.counter_offsets_presp,
10392 					    &params.n_counter_offsets_presp);
10393 	if (err)
10394 		goto free;
10395 
10396 skip_beacons:
10397 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10398 	if (err)
10399 		goto free;
10400 
10401 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10402 					   wdev->iftype)) {
10403 		err = -EINVAL;
10404 		goto free;
10405 	}
10406 
10407 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10408 					    &params.chandef,
10409 					    wdev->iftype);
10410 	if (err < 0)
10411 		goto free;
10412 
10413 	if (err > 0) {
10414 		params.radar_required = true;
10415 		if (need_handle_dfs_flag &&
10416 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10417 			err = -EINVAL;
10418 			goto free;
10419 		}
10420 	}
10421 
10422 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10423 		params.block_tx = true;
10424 
10425 	params.link_id = link_id;
10426 	err = rdev_channel_switch(rdev, dev, &params);
10427 
10428 free:
10429 	kfree(params.beacon_after.mbssid_ies);
10430 	kfree(params.beacon_csa.mbssid_ies);
10431 	kfree(params.beacon_after.rnr_ies);
10432 	kfree(params.beacon_csa.rnr_ies);
10433 	kfree(csa_attrs);
10434 	return err;
10435 }
10436 
10437 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10438 			    u32 seq, int flags,
10439 			    struct cfg80211_registered_device *rdev,
10440 			    struct wireless_dev *wdev,
10441 			    struct cfg80211_internal_bss *intbss)
10442 {
10443 	struct cfg80211_bss *res = &intbss->pub;
10444 	const struct cfg80211_bss_ies *ies;
10445 	unsigned int link_id;
10446 	void *hdr;
10447 	struct nlattr *bss;
10448 
10449 	lockdep_assert_wiphy(wdev->wiphy);
10450 
10451 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10452 			     NL80211_CMD_NEW_SCAN_RESULTS);
10453 	if (!hdr)
10454 		return -1;
10455 
10456 	genl_dump_check_consistent(cb, hdr);
10457 
10458 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10459 		goto nla_put_failure;
10460 	if (wdev->netdev &&
10461 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10462 		goto nla_put_failure;
10463 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10464 			      NL80211_ATTR_PAD))
10465 		goto nla_put_failure;
10466 
10467 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10468 	if (!bss)
10469 		goto nla_put_failure;
10470 	if ((!is_zero_ether_addr(res->bssid) &&
10471 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10472 		goto nla_put_failure;
10473 
10474 	rcu_read_lock();
10475 	/* indicate whether we have probe response data or not */
10476 	if (rcu_access_pointer(res->proberesp_ies) &&
10477 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10478 		goto fail_unlock_rcu;
10479 
10480 	/* this pointer prefers to be pointed to probe response data
10481 	 * but is always valid
10482 	 */
10483 	ies = rcu_dereference(res->ies);
10484 	if (ies) {
10485 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10486 				      NL80211_BSS_PAD))
10487 			goto fail_unlock_rcu;
10488 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10489 					ies->len, ies->data))
10490 			goto fail_unlock_rcu;
10491 	}
10492 
10493 	/* and this pointer is always (unless driver didn't know) beacon data */
10494 	ies = rcu_dereference(res->beacon_ies);
10495 	if (ies && ies->from_beacon) {
10496 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10497 				      NL80211_BSS_PAD))
10498 			goto fail_unlock_rcu;
10499 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10500 					ies->len, ies->data))
10501 			goto fail_unlock_rcu;
10502 	}
10503 	rcu_read_unlock();
10504 
10505 	if (res->beacon_interval &&
10506 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10507 		goto nla_put_failure;
10508 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10509 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10510 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10511 			res->channel->freq_offset) ||
10512 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10513 			jiffies_to_msecs(jiffies - intbss->ts)))
10514 		goto nla_put_failure;
10515 
10516 	if (intbss->parent_tsf &&
10517 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10518 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10519 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10520 		     intbss->parent_bssid)))
10521 		goto nla_put_failure;
10522 
10523 	if (res->ts_boottime &&
10524 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10525 			      res->ts_boottime, NL80211_BSS_PAD))
10526 		goto nla_put_failure;
10527 
10528 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10529 				intbss->pub.chain_signal,
10530 				NL80211_BSS_CHAIN_SIGNAL))
10531 		goto nla_put_failure;
10532 
10533 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
10534 		switch (rdev->wiphy.signal_type) {
10535 		case CFG80211_SIGNAL_TYPE_MBM:
10536 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
10537 					res->signal))
10538 				goto nla_put_failure;
10539 			break;
10540 		case CFG80211_SIGNAL_TYPE_UNSPEC:
10541 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
10542 				       res->signal))
10543 				goto nla_put_failure;
10544 			break;
10545 		default:
10546 			break;
10547 		}
10548 	}
10549 
10550 	switch (wdev->iftype) {
10551 	case NL80211_IFTYPE_P2P_CLIENT:
10552 	case NL80211_IFTYPE_STATION:
10553 		for_each_valid_link(wdev, link_id) {
10554 			if (intbss == wdev->links[link_id].client.current_bss &&
10555 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10556 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10557 			     (wdev->valid_links &&
10558 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10559 					  link_id) ||
10560 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10561 				       wdev->u.client.connected_addr)))))
10562 				goto nla_put_failure;
10563 		}
10564 		break;
10565 	case NL80211_IFTYPE_ADHOC:
10566 		if (intbss == wdev->u.ibss.current_bss &&
10567 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10568 				NL80211_BSS_STATUS_IBSS_JOINED))
10569 			goto nla_put_failure;
10570 		break;
10571 	default:
10572 		break;
10573 	}
10574 
10575 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10576 		goto nla_put_failure;
10577 
10578 	if (res->cannot_use_reasons &&
10579 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10580 			      res->cannot_use_reasons,
10581 			      NL80211_BSS_PAD))
10582 		goto nla_put_failure;
10583 
10584 	nla_nest_end(msg, bss);
10585 
10586 	genlmsg_end(msg, hdr);
10587 	return 0;
10588 
10589  fail_unlock_rcu:
10590 	rcu_read_unlock();
10591  nla_put_failure:
10592 	genlmsg_cancel(msg, hdr);
10593 	return -EMSGSIZE;
10594 }
10595 
10596 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10597 {
10598 	struct cfg80211_registered_device *rdev;
10599 	struct cfg80211_internal_bss *scan;
10600 	struct wireless_dev *wdev;
10601 	struct nlattr **attrbuf;
10602 	int start = cb->args[2], idx = 0;
10603 	bool dump_include_use_data;
10604 	int err;
10605 
10606 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10607 	if (!attrbuf)
10608 		return -ENOMEM;
10609 
10610 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10611 	if (err) {
10612 		kfree(attrbuf);
10613 		return err;
10614 	}
10615 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10616 	__acquire(&rdev->wiphy.mtx);
10617 
10618 	dump_include_use_data =
10619 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10620 	kfree(attrbuf);
10621 
10622 	spin_lock_bh(&rdev->bss_lock);
10623 
10624 	/*
10625 	 * dump_scan will be called multiple times to break up the scan results
10626 	 * into multiple messages.  It is unlikely that any more bss-es will be
10627 	 * expired after the first call, so only call only call this on the
10628 	 * first dump_scan invocation.
10629 	 */
10630 	if (start == 0)
10631 		cfg80211_bss_expire(rdev);
10632 
10633 	cb->seq = rdev->bss_generation;
10634 
10635 	list_for_each_entry(scan, &rdev->bss_list, list) {
10636 		if (++idx <= start)
10637 			continue;
10638 		if (!dump_include_use_data &&
10639 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10640 			continue;
10641 		if (nl80211_send_bss(skb, cb,
10642 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10643 				rdev, wdev, scan) < 0) {
10644 			idx--;
10645 			break;
10646 		}
10647 	}
10648 
10649 	spin_unlock_bh(&rdev->bss_lock);
10650 
10651 	cb->args[2] = idx;
10652 	wiphy_unlock(&rdev->wiphy);
10653 
10654 	return skb->len;
10655 }
10656 
10657 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10658 			       int flags, struct net_device *dev,
10659 			       bool allow_radio_stats,
10660 			       struct survey_info *survey)
10661 {
10662 	void *hdr;
10663 	struct nlattr *infoattr;
10664 
10665 	/* skip radio stats if userspace didn't request them */
10666 	if (!survey->channel && !allow_radio_stats)
10667 		return 0;
10668 
10669 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10670 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10671 	if (!hdr)
10672 		return -ENOMEM;
10673 
10674 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10675 		goto nla_put_failure;
10676 
10677 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10678 	if (!infoattr)
10679 		goto nla_put_failure;
10680 
10681 	if (survey->channel &&
10682 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10683 			survey->channel->center_freq))
10684 		goto nla_put_failure;
10685 
10686 	if (survey->channel && survey->channel->freq_offset &&
10687 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10688 			survey->channel->freq_offset))
10689 		goto nla_put_failure;
10690 
10691 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10692 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10693 		goto nla_put_failure;
10694 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10695 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10696 		goto nla_put_failure;
10697 	if ((survey->filled & SURVEY_INFO_TIME) &&
10698 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10699 			survey->time, NL80211_SURVEY_INFO_PAD))
10700 		goto nla_put_failure;
10701 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10702 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10703 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10704 		goto nla_put_failure;
10705 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10706 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10707 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10708 		goto nla_put_failure;
10709 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10710 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10711 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10712 		goto nla_put_failure;
10713 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10714 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10715 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10716 		goto nla_put_failure;
10717 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10718 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10719 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10720 		goto nla_put_failure;
10721 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10722 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10723 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10724 		goto nla_put_failure;
10725 
10726 	nla_nest_end(msg, infoattr);
10727 
10728 	genlmsg_end(msg, hdr);
10729 	return 0;
10730 
10731  nla_put_failure:
10732 	genlmsg_cancel(msg, hdr);
10733 	return -EMSGSIZE;
10734 }
10735 
10736 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10737 {
10738 	struct nlattr **attrbuf;
10739 	struct survey_info survey;
10740 	struct cfg80211_registered_device *rdev;
10741 	struct wireless_dev *wdev;
10742 	int survey_idx = cb->args[2];
10743 	int res;
10744 	bool radio_stats;
10745 
10746 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10747 	if (!attrbuf)
10748 		return -ENOMEM;
10749 
10750 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10751 	if (res) {
10752 		kfree(attrbuf);
10753 		return res;
10754 	}
10755 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10756 	__acquire(&rdev->wiphy.mtx);
10757 
10758 	/* prepare_wdev_dump parsed the attributes */
10759 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10760 
10761 	if (!wdev->netdev) {
10762 		res = -EINVAL;
10763 		goto out_err;
10764 	}
10765 
10766 	if (!rdev->ops->dump_survey) {
10767 		res = -EOPNOTSUPP;
10768 		goto out_err;
10769 	}
10770 
10771 	while (1) {
10772 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10773 		if (res == -ENOENT)
10774 			break;
10775 		if (res)
10776 			goto out_err;
10777 
10778 		/* don't send disabled channels, but do send non-channel data */
10779 		if (survey.channel &&
10780 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10781 			survey_idx++;
10782 			continue;
10783 		}
10784 
10785 		if (nl80211_send_survey(skb,
10786 				NETLINK_CB(cb->skb).portid,
10787 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10788 				wdev->netdev, radio_stats, &survey) < 0)
10789 			goto out;
10790 		survey_idx++;
10791 	}
10792 
10793  out:
10794 	cb->args[2] = survey_idx;
10795 	res = skb->len;
10796  out_err:
10797 	kfree(attrbuf);
10798 	wiphy_unlock(&rdev->wiphy);
10799 	return res;
10800 }
10801 
10802 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10803 {
10804 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10805 	struct net_device *dev = info->user_ptr[1];
10806 	struct ieee80211_channel *chan;
10807 	const u8 *bssid, *ssid;
10808 	int err, ssid_len;
10809 	enum nl80211_auth_type auth_type;
10810 	struct key_parse key;
10811 	bool local_state_change;
10812 	struct cfg80211_auth_request req = {};
10813 	u32 freq;
10814 
10815 	if (!info->attrs[NL80211_ATTR_MAC])
10816 		return -EINVAL;
10817 
10818 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10819 		return -EINVAL;
10820 
10821 	if (!info->attrs[NL80211_ATTR_SSID])
10822 		return -EINVAL;
10823 
10824 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10825 		return -EINVAL;
10826 
10827 	err = nl80211_parse_key(info, &key);
10828 	if (err)
10829 		return err;
10830 
10831 	if (key.idx >= 0) {
10832 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10833 			return -EINVAL;
10834 		if (!key.p.key || !key.p.key_len)
10835 			return -EINVAL;
10836 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10837 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10838 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10839 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10840 			return -EINVAL;
10841 		if (key.idx > 3)
10842 			return -EINVAL;
10843 	} else {
10844 		key.p.key_len = 0;
10845 		key.p.key = NULL;
10846 	}
10847 
10848 	if (key.idx >= 0) {
10849 		int i;
10850 		bool ok = false;
10851 
10852 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10853 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10854 				ok = true;
10855 				break;
10856 			}
10857 		}
10858 		if (!ok)
10859 			return -EINVAL;
10860 	}
10861 
10862 	if (!rdev->ops->auth)
10863 		return -EOPNOTSUPP;
10864 
10865 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10866 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10867 		return -EOPNOTSUPP;
10868 
10869 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10870 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10871 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10872 		freq +=
10873 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10874 
10875 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10876 	if (!chan)
10877 		return -EINVAL;
10878 
10879 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10880 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10881 
10882 	if (info->attrs[NL80211_ATTR_IE]) {
10883 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10884 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10885 	}
10886 
10887 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
10888 		req.supported_selectors =
10889 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10890 		req.supported_selectors_len =
10891 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
10892 	}
10893 
10894 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10895 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10896 		return -EINVAL;
10897 
10898 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10899 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10900 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10901 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10902 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10903 		return -EINVAL;
10904 
10905 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10906 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10907 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10908 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10909 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10910 			return -EINVAL;
10911 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10912 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10913 	}
10914 
10915 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10916 
10917 	/*
10918 	 * Since we no longer track auth state, ignore
10919 	 * requests to only change local state.
10920 	 */
10921 	if (local_state_change)
10922 		return 0;
10923 
10924 	req.auth_type = auth_type;
10925 	req.key = key.p.key;
10926 	req.key_len = key.p.key_len;
10927 	req.key_idx = key.idx;
10928 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10929 	if (req.link_id >= 0) {
10930 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10931 			return -EINVAL;
10932 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10933 			return -EINVAL;
10934 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10935 		if (!is_valid_ether_addr(req.ap_mld_addr))
10936 			return -EINVAL;
10937 	}
10938 
10939 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10940 				   IEEE80211_BSS_TYPE_ESS,
10941 				   IEEE80211_PRIVACY_ANY);
10942 	if (!req.bss)
10943 		return -ENOENT;
10944 
10945 	err = cfg80211_mlme_auth(rdev, dev, &req);
10946 
10947 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10948 
10949 	return err;
10950 }
10951 
10952 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10953 				     struct genl_info *info)
10954 {
10955 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10956 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10957 		return -EINVAL;
10958 	}
10959 
10960 	if (!rdev->ops->tx_control_port ||
10961 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10962 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10963 		return -EOPNOTSUPP;
10964 
10965 	return 0;
10966 }
10967 
10968 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10969 				   struct genl_info *info,
10970 				   struct cfg80211_crypto_settings *settings,
10971 				   int cipher_limit)
10972 {
10973 	memset(settings, 0, sizeof(*settings));
10974 
10975 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10976 
10977 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10978 		u16 proto;
10979 
10980 		proto = nla_get_u16(
10981 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10982 		settings->control_port_ethertype = cpu_to_be16(proto);
10983 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10984 		    proto != ETH_P_PAE)
10985 			return -EINVAL;
10986 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10987 			settings->control_port_no_encrypt = true;
10988 	} else
10989 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10990 
10991 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10992 		int r = validate_pae_over_nl80211(rdev, info);
10993 
10994 		if (r < 0)
10995 			return r;
10996 
10997 		settings->control_port_over_nl80211 = true;
10998 
10999 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11000 			settings->control_port_no_preauth = true;
11001 	}
11002 
11003 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11004 		void *data;
11005 		int len, i;
11006 
11007 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11008 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11009 		settings->n_ciphers_pairwise = len / sizeof(u32);
11010 
11011 		if (len % sizeof(u32))
11012 			return -EINVAL;
11013 
11014 		if (settings->n_ciphers_pairwise > cipher_limit)
11015 			return -EINVAL;
11016 
11017 		memcpy(settings->ciphers_pairwise, data, len);
11018 
11019 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11020 			if (!cfg80211_supported_cipher_suite(
11021 					&rdev->wiphy,
11022 					settings->ciphers_pairwise[i]))
11023 				return -EINVAL;
11024 	}
11025 
11026 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11027 		settings->cipher_group =
11028 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11029 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11030 						     settings->cipher_group))
11031 			return -EINVAL;
11032 	}
11033 
11034 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11035 		settings->wpa_versions =
11036 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11037 
11038 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11039 		void *data;
11040 		int len;
11041 
11042 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11043 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11044 		settings->n_akm_suites = len / sizeof(u32);
11045 
11046 		if (len % sizeof(u32))
11047 			return -EINVAL;
11048 
11049 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11050 			return -EINVAL;
11051 
11052 		memcpy(settings->akm_suites, data, len);
11053 	}
11054 
11055 	if (info->attrs[NL80211_ATTR_PMK]) {
11056 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11057 			return -EINVAL;
11058 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11059 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11060 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11061 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11062 			return -EINVAL;
11063 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11064 	}
11065 
11066 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11067 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11068 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11069 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11070 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11071 			return -EINVAL;
11072 		settings->sae_pwd =
11073 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11074 		settings->sae_pwd_len =
11075 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11076 	}
11077 
11078 	settings->sae_pwe =
11079 		nla_get_u8_default(info->attrs[NL80211_ATTR_SAE_PWE],
11080 				   NL80211_SAE_PWE_UNSPECIFIED);
11081 
11082 	return 0;
11083 }
11084 
11085 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11086 					      const u8 *ssid, int ssid_len,
11087 					      struct nlattr **attrs,
11088 					      int assoc_link_id, int link_id)
11089 {
11090 	struct ieee80211_channel *chan;
11091 	struct cfg80211_bss *bss;
11092 	const u8 *bssid;
11093 	u32 freq, use_for = 0;
11094 
11095 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11096 		return ERR_PTR(-EINVAL);
11097 
11098 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11099 
11100 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11101 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11102 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11103 
11104 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11105 	if (!chan)
11106 		return ERR_PTR(-EINVAL);
11107 
11108 	if (assoc_link_id >= 0)
11109 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11110 	if (assoc_link_id == link_id)
11111 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11112 
11113 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11114 				 ssid, ssid_len,
11115 				 IEEE80211_BSS_TYPE_ESS,
11116 				 IEEE80211_PRIVACY_ANY,
11117 				 use_for);
11118 	if (!bss)
11119 		return ERR_PTR(-ENOENT);
11120 
11121 	return bss;
11122 }
11123 
11124 static int nl80211_process_links(struct cfg80211_registered_device *rdev,
11125 				 struct cfg80211_assoc_link *links,
11126 				 const u8 *ssid, int ssid_len,
11127 				 struct genl_info *info)
11128 {
11129 	unsigned int attrsize = NUM_NL80211_ATTR * sizeof(struct nlattr *);
11130 	struct nlattr **attrs __free(kfree) = kzalloc(attrsize, GFP_KERNEL);
11131 	struct nlattr *link;
11132 	unsigned int link_id;
11133 	int rem, err;
11134 
11135 	if (!attrs)
11136 		return -ENOMEM;
11137 
11138 	nla_for_each_nested(link, info->attrs[NL80211_ATTR_MLO_LINKS], rem) {
11139 		memset(attrs, 0, attrsize);
11140 
11141 		nla_parse_nested(attrs, NL80211_ATTR_MAX, link, NULL, NULL);
11142 
11143 		if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11144 			NL_SET_BAD_ATTR(info->extack, link);
11145 			return -EINVAL;
11146 		}
11147 
11148 		link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11149 		/* cannot use the same link ID again */
11150 		if (links[link_id].bss) {
11151 			NL_SET_BAD_ATTR(info->extack, link);
11152 			return -EINVAL;
11153 		}
11154 		links[link_id].bss =
11155 			nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11156 					  link_id, link_id);
11157 		if (IS_ERR(links[link_id].bss)) {
11158 			err = PTR_ERR(links[link_id].bss);
11159 			links[link_id].bss = NULL;
11160 			NL_SET_ERR_MSG_ATTR(info->extack, link,
11161 					    "Error fetching BSS for link");
11162 			return err;
11163 		}
11164 
11165 		if (attrs[NL80211_ATTR_IE]) {
11166 			links[link_id].elems = nla_data(attrs[NL80211_ATTR_IE]);
11167 			links[link_id].elems_len =
11168 				nla_len(attrs[NL80211_ATTR_IE]);
11169 
11170 			if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11171 					       links[link_id].elems,
11172 					       links[link_id].elems_len)) {
11173 				NL_SET_ERR_MSG_ATTR(info->extack,
11174 						    attrs[NL80211_ATTR_IE],
11175 						    "cannot deal with fragmentation");
11176 				return -EINVAL;
11177 			}
11178 
11179 			if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11180 						   links[link_id].elems,
11181 						   links[link_id].elems_len)) {
11182 				NL_SET_ERR_MSG_ATTR(info->extack,
11183 						    attrs[NL80211_ATTR_IE],
11184 						    "cannot deal with non-inheritance");
11185 				return -EINVAL;
11186 			}
11187 		}
11188 
11189 		links[link_id].disabled =
11190 			nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11191 	}
11192 
11193 	return 0;
11194 }
11195 
11196 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11197 {
11198 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11199 	struct net_device *dev = info->user_ptr[1];
11200 	struct cfg80211_assoc_request req = {};
11201 	const u8 *ap_addr, *ssid;
11202 	unsigned int link_id;
11203 	int err, ssid_len;
11204 
11205 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11206 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11207 		return -EPERM;
11208 
11209 	if (!info->attrs[NL80211_ATTR_SSID])
11210 		return -EINVAL;
11211 
11212 	if (!rdev->ops->assoc)
11213 		return -EOPNOTSUPP;
11214 
11215 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11216 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11217 		return -EOPNOTSUPP;
11218 
11219 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11220 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11221 
11222 	if (info->attrs[NL80211_ATTR_IE]) {
11223 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11224 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11225 
11226 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11227 					   req.ie, req.ie_len)) {
11228 			NL_SET_ERR_MSG_ATTR(info->extack,
11229 					    info->attrs[NL80211_ATTR_IE],
11230 					    "non-inheritance makes no sense");
11231 			return -EINVAL;
11232 		}
11233 	}
11234 
11235 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11236 		enum nl80211_mfp mfp =
11237 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11238 		if (mfp == NL80211_MFP_REQUIRED)
11239 			req.use_mfp = true;
11240 		else if (mfp != NL80211_MFP_NO)
11241 			return -EINVAL;
11242 	}
11243 
11244 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11245 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11246 
11247 	if (info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]) {
11248 		req.supported_selectors =
11249 			nla_data(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11250 		req.supported_selectors_len =
11251 			nla_len(info->attrs[NL80211_ATTR_SUPPORTED_SELECTORS]);
11252 	}
11253 
11254 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11255 		req.flags |= ASSOC_REQ_DISABLE_HT;
11256 
11257 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11258 		memcpy(&req.ht_capa_mask,
11259 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11260 		       sizeof(req.ht_capa_mask));
11261 
11262 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11263 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11264 			return -EINVAL;
11265 		memcpy(&req.ht_capa,
11266 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11267 		       sizeof(req.ht_capa));
11268 	}
11269 
11270 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11271 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11272 
11273 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11274 		req.flags |= ASSOC_REQ_DISABLE_HE;
11275 
11276 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11277 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11278 
11279 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11280 		memcpy(&req.vht_capa_mask,
11281 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11282 		       sizeof(req.vht_capa_mask));
11283 
11284 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11285 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11286 			return -EINVAL;
11287 		memcpy(&req.vht_capa,
11288 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11289 		       sizeof(req.vht_capa));
11290 	}
11291 
11292 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11293 		if (!((rdev->wiphy.features &
11294 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11295 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11296 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11297 					     NL80211_EXT_FEATURE_RRM))
11298 			return -EINVAL;
11299 		req.flags |= ASSOC_REQ_USE_RRM;
11300 	}
11301 
11302 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11303 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11304 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11305 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11306 			return -EINVAL;
11307 		req.fils_nonces =
11308 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11309 	}
11310 
11311 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11312 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11313 			return -EINVAL;
11314 		memcpy(&req.s1g_capa_mask,
11315 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11316 		       sizeof(req.s1g_capa_mask));
11317 	}
11318 
11319 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11320 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11321 			return -EINVAL;
11322 		memcpy(&req.s1g_capa,
11323 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11324 		       sizeof(req.s1g_capa));
11325 	}
11326 
11327 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11328 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11329 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11330 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11331 			return -EINVAL;
11332 		}
11333 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11334 	}
11335 
11336 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11337 
11338 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11339 		if (req.link_id < 0)
11340 			return -EINVAL;
11341 
11342 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11343 			return -EINVAL;
11344 
11345 		if (info->attrs[NL80211_ATTR_MAC] ||
11346 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11347 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11348 			return -EINVAL;
11349 
11350 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11351 		ap_addr = req.ap_mld_addr;
11352 
11353 		err = nl80211_process_links(rdev, req.links, ssid, ssid_len,
11354 					    info);
11355 		if (err)
11356 			goto free;
11357 
11358 		if (!req.links[req.link_id].bss) {
11359 			err = -EINVAL;
11360 			goto free;
11361 		}
11362 
11363 		if (req.links[req.link_id].elems_len) {
11364 			GENL_SET_ERR_MSG(info,
11365 					 "cannot have per-link elems on assoc link");
11366 			err = -EINVAL;
11367 			goto free;
11368 		}
11369 
11370 		if (req.links[req.link_id].disabled) {
11371 			GENL_SET_ERR_MSG(info,
11372 					 "cannot have assoc link disabled");
11373 			err = -EINVAL;
11374 			goto free;
11375 		}
11376 	} else {
11377 		if (req.link_id >= 0)
11378 			return -EINVAL;
11379 
11380 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11381 					    -1, -1);
11382 		if (IS_ERR(req.bss))
11383 			return PTR_ERR(req.bss);
11384 		ap_addr = req.bss->bssid;
11385 	}
11386 
11387 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11388 	if (!err) {
11389 		struct nlattr *link;
11390 		int rem = 0;
11391 
11392 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11393 					  info->extack);
11394 
11395 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11396 			dev->ieee80211_ptr->conn_owner_nlportid =
11397 				info->snd_portid;
11398 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11399 			       ap_addr, ETH_ALEN);
11400 		}
11401 
11402 		/* Report error from first problematic link */
11403 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11404 			nla_for_each_nested(link,
11405 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11406 					    rem) {
11407 				struct nlattr *link_id_attr =
11408 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11409 
11410 				if (!link_id_attr)
11411 					continue;
11412 
11413 				link_id = nla_get_u8(link_id_attr);
11414 
11415 				if (link_id == req.link_id)
11416 					continue;
11417 
11418 				if (!req.links[link_id].error ||
11419 				    WARN_ON(req.links[link_id].error > 0))
11420 					continue;
11421 
11422 				WARN_ON(err >= 0);
11423 
11424 				NL_SET_BAD_ATTR(info->extack, link);
11425 				err = req.links[link_id].error;
11426 				break;
11427 			}
11428 		}
11429 	}
11430 
11431 free:
11432 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11433 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11434 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11435 
11436 	return err;
11437 }
11438 
11439 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11440 {
11441 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11442 	struct net_device *dev = info->user_ptr[1];
11443 	const u8 *ie = NULL, *bssid;
11444 	int ie_len = 0;
11445 	u16 reason_code;
11446 	bool local_state_change;
11447 
11448 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11449 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11450 		return -EPERM;
11451 
11452 	if (!info->attrs[NL80211_ATTR_MAC])
11453 		return -EINVAL;
11454 
11455 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11456 		return -EINVAL;
11457 
11458 	if (!rdev->ops->deauth)
11459 		return -EOPNOTSUPP;
11460 
11461 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11462 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11463 		return -EOPNOTSUPP;
11464 
11465 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11466 
11467 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11468 	if (reason_code == 0) {
11469 		/* Reason Code 0 is reserved */
11470 		return -EINVAL;
11471 	}
11472 
11473 	if (info->attrs[NL80211_ATTR_IE]) {
11474 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11475 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11476 	}
11477 
11478 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11479 
11480 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11481 				    local_state_change);
11482 }
11483 
11484 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11485 {
11486 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11487 	struct net_device *dev = info->user_ptr[1];
11488 	const u8 *ie = NULL, *bssid;
11489 	int ie_len = 0;
11490 	u16 reason_code;
11491 	bool local_state_change;
11492 
11493 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11494 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11495 		return -EPERM;
11496 
11497 	if (!info->attrs[NL80211_ATTR_MAC])
11498 		return -EINVAL;
11499 
11500 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11501 		return -EINVAL;
11502 
11503 	if (!rdev->ops->disassoc)
11504 		return -EOPNOTSUPP;
11505 
11506 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11507 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11508 		return -EOPNOTSUPP;
11509 
11510 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11511 
11512 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11513 	if (reason_code == 0) {
11514 		/* Reason Code 0 is reserved */
11515 		return -EINVAL;
11516 	}
11517 
11518 	if (info->attrs[NL80211_ATTR_IE]) {
11519 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11520 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11521 	}
11522 
11523 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11524 
11525 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11526 				      local_state_change);
11527 }
11528 
11529 static bool
11530 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11531 			 int mcast_rate[NUM_NL80211_BANDS],
11532 			 int rateval)
11533 {
11534 	struct wiphy *wiphy = &rdev->wiphy;
11535 	bool found = false;
11536 	int band, i;
11537 
11538 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11539 		struct ieee80211_supported_band *sband;
11540 
11541 		sband = wiphy->bands[band];
11542 		if (!sband)
11543 			continue;
11544 
11545 		for (i = 0; i < sband->n_bitrates; i++) {
11546 			if (sband->bitrates[i].bitrate == rateval) {
11547 				mcast_rate[band] = i + 1;
11548 				found = true;
11549 				break;
11550 			}
11551 		}
11552 	}
11553 
11554 	return found;
11555 }
11556 
11557 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11558 {
11559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11560 	struct net_device *dev = info->user_ptr[1];
11561 	struct cfg80211_ibss_params ibss;
11562 	struct wiphy *wiphy;
11563 	struct cfg80211_cached_keys *connkeys = NULL;
11564 	int err;
11565 
11566 	memset(&ibss, 0, sizeof(ibss));
11567 
11568 	if (!info->attrs[NL80211_ATTR_SSID] ||
11569 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11570 		return -EINVAL;
11571 
11572 	ibss.beacon_interval = 100;
11573 
11574 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11575 		ibss.beacon_interval =
11576 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11577 
11578 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11579 					   ibss.beacon_interval);
11580 	if (err)
11581 		return err;
11582 
11583 	if (!rdev->ops->join_ibss)
11584 		return -EOPNOTSUPP;
11585 
11586 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11587 		return -EOPNOTSUPP;
11588 
11589 	wiphy = &rdev->wiphy;
11590 
11591 	if (info->attrs[NL80211_ATTR_MAC]) {
11592 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11593 
11594 		if (!is_valid_ether_addr(ibss.bssid))
11595 			return -EINVAL;
11596 	}
11597 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11598 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11599 
11600 	if (info->attrs[NL80211_ATTR_IE]) {
11601 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11602 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11603 	}
11604 
11605 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11606 	if (err)
11607 		return err;
11608 
11609 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11610 				     NL80211_IFTYPE_ADHOC))
11611 		return -EINVAL;
11612 
11613 	switch (ibss.chandef.width) {
11614 	case NL80211_CHAN_WIDTH_5:
11615 	case NL80211_CHAN_WIDTH_10:
11616 	case NL80211_CHAN_WIDTH_20_NOHT:
11617 		break;
11618 	case NL80211_CHAN_WIDTH_20:
11619 	case NL80211_CHAN_WIDTH_40:
11620 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11621 			return -EINVAL;
11622 		break;
11623 	case NL80211_CHAN_WIDTH_80:
11624 	case NL80211_CHAN_WIDTH_80P80:
11625 	case NL80211_CHAN_WIDTH_160:
11626 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11627 			return -EINVAL;
11628 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11629 					     NL80211_EXT_FEATURE_VHT_IBSS))
11630 			return -EINVAL;
11631 		break;
11632 	case NL80211_CHAN_WIDTH_320:
11633 		return -EINVAL;
11634 	default:
11635 		return -EINVAL;
11636 	}
11637 
11638 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11639 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11640 
11641 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11642 		u8 *rates =
11643 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11644 		int n_rates =
11645 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11646 		struct ieee80211_supported_band *sband =
11647 			wiphy->bands[ibss.chandef.chan->band];
11648 
11649 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11650 					     &ibss.basic_rates);
11651 		if (err)
11652 			return err;
11653 	}
11654 
11655 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11656 		memcpy(&ibss.ht_capa_mask,
11657 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11658 		       sizeof(ibss.ht_capa_mask));
11659 
11660 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11661 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11662 			return -EINVAL;
11663 		memcpy(&ibss.ht_capa,
11664 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11665 		       sizeof(ibss.ht_capa));
11666 	}
11667 
11668 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11669 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11670 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11671 		return -EINVAL;
11672 
11673 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11674 		bool no_ht = false;
11675 
11676 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11677 		if (IS_ERR(connkeys))
11678 			return PTR_ERR(connkeys);
11679 
11680 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11681 		    no_ht) {
11682 			kfree_sensitive(connkeys);
11683 			return -EINVAL;
11684 		}
11685 	}
11686 
11687 	ibss.control_port =
11688 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11689 
11690 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11691 		int r = validate_pae_over_nl80211(rdev, info);
11692 
11693 		if (r < 0) {
11694 			kfree_sensitive(connkeys);
11695 			return r;
11696 		}
11697 
11698 		ibss.control_port_over_nl80211 = true;
11699 	}
11700 
11701 	ibss.userspace_handles_dfs =
11702 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11703 
11704 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11705 	if (err)
11706 		kfree_sensitive(connkeys);
11707 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11708 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11709 
11710 	return err;
11711 }
11712 
11713 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11714 {
11715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11716 	struct net_device *dev = info->user_ptr[1];
11717 
11718 	if (!rdev->ops->leave_ibss)
11719 		return -EOPNOTSUPP;
11720 
11721 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11722 		return -EOPNOTSUPP;
11723 
11724 	return cfg80211_leave_ibss(rdev, dev, false);
11725 }
11726 
11727 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11728 {
11729 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11730 	struct net_device *dev = info->user_ptr[1];
11731 	int mcast_rate[NUM_NL80211_BANDS];
11732 	u32 nla_rate;
11733 
11734 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11735 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11736 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11737 		return -EOPNOTSUPP;
11738 
11739 	if (!rdev->ops->set_mcast_rate)
11740 		return -EOPNOTSUPP;
11741 
11742 	memset(mcast_rate, 0, sizeof(mcast_rate));
11743 
11744 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11745 		return -EINVAL;
11746 
11747 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11748 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11749 		return -EINVAL;
11750 
11751 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11752 }
11753 
11754 static struct sk_buff *
11755 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11756 			    struct wireless_dev *wdev, int approxlen,
11757 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11758 			    enum nl80211_attrs attr,
11759 			    const struct nl80211_vendor_cmd_info *info,
11760 			    gfp_t gfp)
11761 {
11762 	struct sk_buff *skb;
11763 	void *hdr;
11764 	struct nlattr *data;
11765 
11766 	skb = nlmsg_new(approxlen + 100, gfp);
11767 	if (!skb)
11768 		return NULL;
11769 
11770 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11771 	if (!hdr) {
11772 		kfree_skb(skb);
11773 		return NULL;
11774 	}
11775 
11776 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11777 		goto nla_put_failure;
11778 
11779 	if (info) {
11780 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11781 				info->vendor_id))
11782 			goto nla_put_failure;
11783 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11784 				info->subcmd))
11785 			goto nla_put_failure;
11786 	}
11787 
11788 	if (wdev) {
11789 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11790 				      wdev_id(wdev), NL80211_ATTR_PAD))
11791 			goto nla_put_failure;
11792 		if (wdev->netdev &&
11793 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11794 				wdev->netdev->ifindex))
11795 			goto nla_put_failure;
11796 	}
11797 
11798 	data = nla_nest_start_noflag(skb, attr);
11799 	if (!data)
11800 		goto nla_put_failure;
11801 
11802 	((void **)skb->cb)[0] = rdev;
11803 	((void **)skb->cb)[1] = hdr;
11804 	((void **)skb->cb)[2] = data;
11805 
11806 	return skb;
11807 
11808  nla_put_failure:
11809 	kfree_skb(skb);
11810 	return NULL;
11811 }
11812 
11813 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11814 					   struct wireless_dev *wdev,
11815 					   enum nl80211_commands cmd,
11816 					   enum nl80211_attrs attr,
11817 					   unsigned int portid,
11818 					   int vendor_event_idx,
11819 					   int approxlen, gfp_t gfp)
11820 {
11821 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11822 	const struct nl80211_vendor_cmd_info *info;
11823 
11824 	switch (cmd) {
11825 	case NL80211_CMD_TESTMODE:
11826 		if (WARN_ON(vendor_event_idx != -1))
11827 			return NULL;
11828 		info = NULL;
11829 		break;
11830 	case NL80211_CMD_VENDOR:
11831 		if (WARN_ON(vendor_event_idx < 0 ||
11832 			    vendor_event_idx >= wiphy->n_vendor_events))
11833 			return NULL;
11834 		info = &wiphy->vendor_events[vendor_event_idx];
11835 		break;
11836 	default:
11837 		WARN_ON(1);
11838 		return NULL;
11839 	}
11840 
11841 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11842 					   cmd, attr, info, gfp);
11843 }
11844 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11845 
11846 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11847 {
11848 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11849 	void *hdr = ((void **)skb->cb)[1];
11850 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11851 	struct nlattr *data = ((void **)skb->cb)[2];
11852 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11853 
11854 	/* clear CB data for netlink core to own from now on */
11855 	memset(skb->cb, 0, sizeof(skb->cb));
11856 
11857 	nla_nest_end(skb, data);
11858 	genlmsg_end(skb, hdr);
11859 
11860 	if (nlhdr->nlmsg_pid) {
11861 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11862 				nlhdr->nlmsg_pid);
11863 	} else {
11864 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11865 			mcgrp = NL80211_MCGRP_VENDOR;
11866 
11867 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11868 					skb, 0, mcgrp, gfp);
11869 	}
11870 }
11871 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11872 
11873 #ifdef CONFIG_NL80211_TESTMODE
11874 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11875 {
11876 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11877 	struct wireless_dev *wdev;
11878 	int err;
11879 
11880 	lockdep_assert_held(&rdev->wiphy.mtx);
11881 
11882 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11883 					  info->attrs);
11884 
11885 	if (!rdev->ops->testmode_cmd)
11886 		return -EOPNOTSUPP;
11887 
11888 	if (IS_ERR(wdev)) {
11889 		err = PTR_ERR(wdev);
11890 		if (err != -EINVAL)
11891 			return err;
11892 		wdev = NULL;
11893 	} else if (wdev->wiphy != &rdev->wiphy) {
11894 		return -EINVAL;
11895 	}
11896 
11897 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11898 		return -EINVAL;
11899 
11900 	rdev->cur_cmd_info = info;
11901 	err = rdev_testmode_cmd(rdev, wdev,
11902 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11903 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11904 	rdev->cur_cmd_info = NULL;
11905 
11906 	return err;
11907 }
11908 
11909 static int nl80211_testmode_dump(struct sk_buff *skb,
11910 				 struct netlink_callback *cb)
11911 {
11912 	struct cfg80211_registered_device *rdev;
11913 	struct nlattr **attrbuf = NULL;
11914 	int err;
11915 	long phy_idx;
11916 	void *data = NULL;
11917 	int data_len = 0;
11918 
11919 	rtnl_lock();
11920 
11921 	if (cb->args[0]) {
11922 		/*
11923 		 * 0 is a valid index, but not valid for args[0],
11924 		 * so we need to offset by 1.
11925 		 */
11926 		phy_idx = cb->args[0] - 1;
11927 
11928 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11929 		if (!rdev) {
11930 			err = -ENOENT;
11931 			goto out_err;
11932 		}
11933 	} else {
11934 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11935 				  GFP_KERNEL);
11936 		if (!attrbuf) {
11937 			err = -ENOMEM;
11938 			goto out_err;
11939 		}
11940 
11941 		err = nlmsg_parse_deprecated(cb->nlh,
11942 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11943 					     attrbuf, nl80211_fam.maxattr,
11944 					     nl80211_policy, NULL);
11945 		if (err)
11946 			goto out_err;
11947 
11948 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11949 		if (IS_ERR(rdev)) {
11950 			err = PTR_ERR(rdev);
11951 			goto out_err;
11952 		}
11953 		phy_idx = rdev->wiphy_idx;
11954 
11955 		if (attrbuf[NL80211_ATTR_TESTDATA])
11956 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11957 	}
11958 
11959 	if (cb->args[1]) {
11960 		data = nla_data((void *)cb->args[1]);
11961 		data_len = nla_len((void *)cb->args[1]);
11962 	}
11963 
11964 	if (!rdev->ops->testmode_dump) {
11965 		err = -EOPNOTSUPP;
11966 		goto out_err;
11967 	}
11968 
11969 	while (1) {
11970 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11971 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11972 					   NL80211_CMD_TESTMODE);
11973 		struct nlattr *tmdata;
11974 
11975 		if (!hdr)
11976 			break;
11977 
11978 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11979 			genlmsg_cancel(skb, hdr);
11980 			break;
11981 		}
11982 
11983 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11984 		if (!tmdata) {
11985 			genlmsg_cancel(skb, hdr);
11986 			break;
11987 		}
11988 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11989 		nla_nest_end(skb, tmdata);
11990 
11991 		if (err == -ENOBUFS || err == -ENOENT) {
11992 			genlmsg_cancel(skb, hdr);
11993 			break;
11994 		} else if (err) {
11995 			genlmsg_cancel(skb, hdr);
11996 			goto out_err;
11997 		}
11998 
11999 		genlmsg_end(skb, hdr);
12000 	}
12001 
12002 	err = skb->len;
12003 	/* see above */
12004 	cb->args[0] = phy_idx + 1;
12005  out_err:
12006 	kfree(attrbuf);
12007 	rtnl_unlock();
12008 	return err;
12009 }
12010 #endif
12011 
12012 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12013 {
12014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12015 	struct net_device *dev = info->user_ptr[1];
12016 	struct cfg80211_connect_params connect;
12017 	struct wiphy *wiphy;
12018 	struct cfg80211_cached_keys *connkeys = NULL;
12019 	u32 freq = 0;
12020 	int err;
12021 
12022 	memset(&connect, 0, sizeof(connect));
12023 
12024 	if (!info->attrs[NL80211_ATTR_SSID] ||
12025 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12026 		return -EINVAL;
12027 
12028 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12029 		connect.auth_type =
12030 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12031 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12032 					     NL80211_CMD_CONNECT))
12033 			return -EINVAL;
12034 	} else
12035 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12036 
12037 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12038 
12039 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12040 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12041 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12042 		return -EINVAL;
12043 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12044 
12045 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12046 				      NL80211_MAX_NR_CIPHER_SUITES);
12047 	if (err)
12048 		return err;
12049 
12050 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12051 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12052 		return -EOPNOTSUPP;
12053 
12054 	wiphy = &rdev->wiphy;
12055 
12056 	connect.bg_scan_period = -1;
12057 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12058 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12059 		connect.bg_scan_period =
12060 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12061 	}
12062 
12063 	if (info->attrs[NL80211_ATTR_MAC])
12064 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12065 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12066 		connect.bssid_hint =
12067 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12068 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12069 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12070 
12071 	if (info->attrs[NL80211_ATTR_IE]) {
12072 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12073 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12074 	}
12075 
12076 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12077 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12078 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12079 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12080 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12081 			return -EOPNOTSUPP;
12082 	} else {
12083 		connect.mfp = NL80211_MFP_NO;
12084 	}
12085 
12086 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12087 		connect.prev_bssid =
12088 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12089 
12090 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12091 		freq = MHZ_TO_KHZ(nla_get_u32(
12092 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12093 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12094 		freq +=
12095 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12096 
12097 	if (freq) {
12098 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12099 		if (!connect.channel)
12100 			return -EINVAL;
12101 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12102 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12103 		freq = MHZ_TO_KHZ(freq);
12104 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12105 		if (!connect.channel_hint)
12106 			return -EINVAL;
12107 	}
12108 
12109 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12110 		connect.edmg.channels =
12111 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12112 
12113 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12114 			connect.edmg.bw_config =
12115 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12116 	}
12117 
12118 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12119 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12120 		if (IS_ERR(connkeys))
12121 			return PTR_ERR(connkeys);
12122 	}
12123 
12124 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12125 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12126 
12127 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12128 		memcpy(&connect.ht_capa_mask,
12129 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12130 		       sizeof(connect.ht_capa_mask));
12131 
12132 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12133 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12134 			kfree_sensitive(connkeys);
12135 			return -EINVAL;
12136 		}
12137 		memcpy(&connect.ht_capa,
12138 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12139 		       sizeof(connect.ht_capa));
12140 	}
12141 
12142 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12143 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12144 
12145 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12146 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12147 
12148 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12149 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12150 
12151 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12152 		memcpy(&connect.vht_capa_mask,
12153 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12154 		       sizeof(connect.vht_capa_mask));
12155 
12156 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12157 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12158 			kfree_sensitive(connkeys);
12159 			return -EINVAL;
12160 		}
12161 		memcpy(&connect.vht_capa,
12162 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12163 		       sizeof(connect.vht_capa));
12164 	}
12165 
12166 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12167 		if (!((rdev->wiphy.features &
12168 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12169 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12170 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12171 					     NL80211_EXT_FEATURE_RRM)) {
12172 			kfree_sensitive(connkeys);
12173 			return -EINVAL;
12174 		}
12175 		connect.flags |= ASSOC_REQ_USE_RRM;
12176 	}
12177 
12178 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12179 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12180 		kfree_sensitive(connkeys);
12181 		return -EOPNOTSUPP;
12182 	}
12183 
12184 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12185 		/* bss selection makes no sense if bssid is set */
12186 		if (connect.bssid) {
12187 			kfree_sensitive(connkeys);
12188 			return -EINVAL;
12189 		}
12190 
12191 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12192 				       wiphy, &connect.bss_select);
12193 		if (err) {
12194 			kfree_sensitive(connkeys);
12195 			return err;
12196 		}
12197 	}
12198 
12199 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12200 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12201 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12202 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12203 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12204 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12205 		connect.fils_erp_username =
12206 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12207 		connect.fils_erp_username_len =
12208 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12209 		connect.fils_erp_realm =
12210 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12211 		connect.fils_erp_realm_len =
12212 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12213 		connect.fils_erp_next_seq_num =
12214 			nla_get_u16(
12215 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12216 		connect.fils_erp_rrk =
12217 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12218 		connect.fils_erp_rrk_len =
12219 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12220 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12221 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12222 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12223 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12224 		kfree_sensitive(connkeys);
12225 		return -EINVAL;
12226 	}
12227 
12228 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12229 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12230 			kfree_sensitive(connkeys);
12231 			GENL_SET_ERR_MSG(info,
12232 					 "external auth requires connection ownership");
12233 			return -EINVAL;
12234 		}
12235 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12236 	}
12237 
12238 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12239 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12240 
12241 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12242 			       connect.prev_bssid);
12243 	if (err)
12244 		kfree_sensitive(connkeys);
12245 
12246 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12247 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12248 		if (connect.bssid)
12249 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12250 			       connect.bssid, ETH_ALEN);
12251 		else
12252 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12253 	}
12254 
12255 	return err;
12256 }
12257 
12258 static int nl80211_update_connect_params(struct sk_buff *skb,
12259 					 struct genl_info *info)
12260 {
12261 	struct cfg80211_connect_params connect = {};
12262 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12263 	struct net_device *dev = info->user_ptr[1];
12264 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12265 	bool fils_sk_offload;
12266 	u32 auth_type;
12267 	u32 changed = 0;
12268 
12269 	if (!rdev->ops->update_connect_params)
12270 		return -EOPNOTSUPP;
12271 
12272 	if (info->attrs[NL80211_ATTR_IE]) {
12273 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12274 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12275 		changed |= UPDATE_ASSOC_IES;
12276 	}
12277 
12278 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12279 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12280 
12281 	/*
12282 	 * when driver supports fils-sk offload all attributes must be
12283 	 * provided. So the else covers "fils-sk-not-all" and
12284 	 * "no-fils-sk-any".
12285 	 */
12286 	if (fils_sk_offload &&
12287 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12288 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12289 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12290 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12291 		connect.fils_erp_username =
12292 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12293 		connect.fils_erp_username_len =
12294 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12295 		connect.fils_erp_realm =
12296 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12297 		connect.fils_erp_realm_len =
12298 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12299 		connect.fils_erp_next_seq_num =
12300 			nla_get_u16(
12301 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12302 		connect.fils_erp_rrk =
12303 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12304 		connect.fils_erp_rrk_len =
12305 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12306 		changed |= UPDATE_FILS_ERP_INFO;
12307 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12308 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12309 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12310 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12311 		return -EINVAL;
12312 	}
12313 
12314 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12315 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12316 		if (!nl80211_valid_auth_type(rdev, auth_type,
12317 					     NL80211_CMD_CONNECT))
12318 			return -EINVAL;
12319 
12320 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12321 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12322 			return -EINVAL;
12323 
12324 		connect.auth_type = auth_type;
12325 		changed |= UPDATE_AUTH_TYPE;
12326 	}
12327 
12328 	if (!wdev->connected)
12329 		return -ENOLINK;
12330 
12331 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12332 }
12333 
12334 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12335 {
12336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12337 	struct net_device *dev = info->user_ptr[1];
12338 	u16 reason;
12339 
12340 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12341 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12342 		return -EPERM;
12343 
12344 	reason = nla_get_u16_default(info->attrs[NL80211_ATTR_REASON_CODE],
12345 				     WLAN_REASON_DEAUTH_LEAVING);
12346 
12347 	if (reason == 0)
12348 		return -EINVAL;
12349 
12350 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12351 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12352 		return -EOPNOTSUPP;
12353 
12354 	return cfg80211_disconnect(rdev, dev, reason, true);
12355 }
12356 
12357 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12358 {
12359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12360 	struct net *net;
12361 	int err;
12362 
12363 	if (info->attrs[NL80211_ATTR_PID]) {
12364 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12365 
12366 		net = get_net_ns_by_pid(pid);
12367 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12368 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12369 
12370 		net = get_net_ns_by_fd(fd);
12371 	} else {
12372 		return -EINVAL;
12373 	}
12374 
12375 	if (IS_ERR(net))
12376 		return PTR_ERR(net);
12377 
12378 	err = 0;
12379 
12380 	/* check if anything to do */
12381 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12382 		err = cfg80211_switch_netns(rdev, net);
12383 
12384 	put_net(net);
12385 	return err;
12386 }
12387 
12388 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12389 {
12390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12391 	struct net_device *dev = info->user_ptr[1];
12392 	struct cfg80211_pmksa pmksa;
12393 	bool ap_pmksa_caching_support = false;
12394 
12395 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12396 
12397 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12398 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12399 
12400 	if (!info->attrs[NL80211_ATTR_PMKID])
12401 		return -EINVAL;
12402 
12403 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12404 
12405 	if (info->attrs[NL80211_ATTR_MAC]) {
12406 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12407 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12408 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12409 	           info->attrs[NL80211_ATTR_PMK]) {
12410 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12411 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12412 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12413 	} else {
12414 		return -EINVAL;
12415 	}
12416 
12417 	if (info->attrs[NL80211_ATTR_PMK]) {
12418 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12419 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12420 	}
12421 
12422 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12423 		pmksa.pmk_lifetime =
12424 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12425 
12426 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12427 		pmksa.pmk_reauth_threshold =
12428 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12429 
12430 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12431 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12432 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12433 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12434 	       ap_pmksa_caching_support))
12435 		return -EOPNOTSUPP;
12436 
12437 	if (!rdev->ops->set_pmksa)
12438 		return -EOPNOTSUPP;
12439 
12440 	return rdev_set_pmksa(rdev, dev, &pmksa);
12441 }
12442 
12443 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12444 {
12445 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12446 	struct net_device *dev = info->user_ptr[1];
12447 	struct cfg80211_pmksa pmksa;
12448 	bool sae_offload_support = false;
12449 	bool owe_offload_support = false;
12450 	bool ap_pmksa_caching_support = false;
12451 
12452 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12453 
12454 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12455 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12456 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12457 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12458 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12459 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12460 
12461 	if (info->attrs[NL80211_ATTR_PMKID])
12462 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12463 
12464 	if (info->attrs[NL80211_ATTR_MAC]) {
12465 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12466 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12467 		/* SSID based pmksa flush supported only for FILS,
12468 		 * OWE/SAE OFFLOAD cases
12469 		 */
12470 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12471 		    info->attrs[NL80211_ATTR_PMK]) {
12472 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12473 		} else if (!sae_offload_support && !owe_offload_support) {
12474 			return -EINVAL;
12475 		}
12476 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12477 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12478 	} else {
12479 		return -EINVAL;
12480 	}
12481 
12482 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12483 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12484 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12485 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12486 	       ap_pmksa_caching_support))
12487 		return -EOPNOTSUPP;
12488 
12489 	if (!rdev->ops->del_pmksa)
12490 		return -EOPNOTSUPP;
12491 
12492 	return rdev_del_pmksa(rdev, dev, &pmksa);
12493 }
12494 
12495 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12496 {
12497 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12498 	struct net_device *dev = info->user_ptr[1];
12499 
12500 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12501 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12502 		return -EOPNOTSUPP;
12503 
12504 	if (!rdev->ops->flush_pmksa)
12505 		return -EOPNOTSUPP;
12506 
12507 	return rdev_flush_pmksa(rdev, dev);
12508 }
12509 
12510 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12511 {
12512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12513 	struct net_device *dev = info->user_ptr[1];
12514 	u8 action_code, dialog_token;
12515 	u32 peer_capability = 0;
12516 	u16 status_code;
12517 	u8 *peer;
12518 	int link_id;
12519 	bool initiator;
12520 
12521 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12522 	    !rdev->ops->tdls_mgmt)
12523 		return -EOPNOTSUPP;
12524 
12525 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12526 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12527 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12528 	    !info->attrs[NL80211_ATTR_IE] ||
12529 	    !info->attrs[NL80211_ATTR_MAC])
12530 		return -EINVAL;
12531 
12532 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12533 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12534 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12535 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12536 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12537 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12538 		peer_capability =
12539 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12540 	link_id = nl80211_link_id_or_invalid(info->attrs);
12541 
12542 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12543 			      dialog_token, status_code, peer_capability,
12544 			      initiator,
12545 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12546 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12547 }
12548 
12549 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12550 {
12551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12552 	struct net_device *dev = info->user_ptr[1];
12553 	enum nl80211_tdls_operation operation;
12554 	u8 *peer;
12555 
12556 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12557 	    !rdev->ops->tdls_oper)
12558 		return -EOPNOTSUPP;
12559 
12560 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12561 	    !info->attrs[NL80211_ATTR_MAC])
12562 		return -EINVAL;
12563 
12564 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12565 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12566 
12567 	return rdev_tdls_oper(rdev, dev, peer, operation);
12568 }
12569 
12570 static int nl80211_remain_on_channel(struct sk_buff *skb,
12571 				     struct genl_info *info)
12572 {
12573 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12574 	unsigned int link_id = nl80211_link_id(info->attrs);
12575 	struct wireless_dev *wdev = info->user_ptr[1];
12576 	struct cfg80211_chan_def chandef;
12577 	struct sk_buff *msg;
12578 	void *hdr;
12579 	u64 cookie;
12580 	u32 duration;
12581 	int err;
12582 
12583 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12584 	    !info->attrs[NL80211_ATTR_DURATION])
12585 		return -EINVAL;
12586 
12587 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12588 
12589 	if (!rdev->ops->remain_on_channel ||
12590 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12591 		return -EOPNOTSUPP;
12592 
12593 	/*
12594 	 * We should be on that channel for at least a minimum amount of
12595 	 * time (10ms) but no longer than the driver supports.
12596 	 */
12597 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12598 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12599 		return -EINVAL;
12600 
12601 	err = nl80211_parse_chandef(rdev, info, &chandef);
12602 	if (err)
12603 		return err;
12604 
12605 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12606 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12607 
12608 		oper_chandef = wdev_chandef(wdev, link_id);
12609 
12610 		if (WARN_ON(!oper_chandef)) {
12611 			/* cannot happen since we must beacon to get here */
12612 			WARN_ON(1);
12613 			return -EBUSY;
12614 		}
12615 
12616 		/* note: returns first one if identical chandefs */
12617 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12618 							     oper_chandef);
12619 
12620 		if (compat_chandef != &chandef)
12621 			return -EBUSY;
12622 	}
12623 
12624 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12625 	if (!msg)
12626 		return -ENOMEM;
12627 
12628 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12629 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12630 	if (!hdr) {
12631 		err = -ENOBUFS;
12632 		goto free_msg;
12633 	}
12634 
12635 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12636 				     duration, &cookie);
12637 
12638 	if (err)
12639 		goto free_msg;
12640 
12641 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12642 			      NL80211_ATTR_PAD))
12643 		goto nla_put_failure;
12644 
12645 	genlmsg_end(msg, hdr);
12646 
12647 	return genlmsg_reply(msg, info);
12648 
12649  nla_put_failure:
12650 	err = -ENOBUFS;
12651  free_msg:
12652 	nlmsg_free(msg);
12653 	return err;
12654 }
12655 
12656 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12657 					    struct genl_info *info)
12658 {
12659 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12660 	struct wireless_dev *wdev = info->user_ptr[1];
12661 	u64 cookie;
12662 
12663 	if (!info->attrs[NL80211_ATTR_COOKIE])
12664 		return -EINVAL;
12665 
12666 	if (!rdev->ops->cancel_remain_on_channel)
12667 		return -EOPNOTSUPP;
12668 
12669 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12670 
12671 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12672 }
12673 
12674 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12675 				       struct genl_info *info)
12676 {
12677 	struct cfg80211_bitrate_mask mask;
12678 	unsigned int link_id = nl80211_link_id(info->attrs);
12679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12680 	struct net_device *dev = info->user_ptr[1];
12681 	int err;
12682 
12683 	if (!rdev->ops->set_bitrate_mask)
12684 		return -EOPNOTSUPP;
12685 
12686 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12687 					    NL80211_ATTR_TX_RATES, &mask,
12688 					    dev, true, link_id);
12689 	if (err)
12690 		return err;
12691 
12692 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12693 }
12694 
12695 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12696 {
12697 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12698 	struct wireless_dev *wdev = info->user_ptr[1];
12699 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12700 
12701 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12702 		return -EINVAL;
12703 
12704 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12705 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12706 
12707 	switch (wdev->iftype) {
12708 	case NL80211_IFTYPE_STATION:
12709 	case NL80211_IFTYPE_ADHOC:
12710 	case NL80211_IFTYPE_P2P_CLIENT:
12711 	case NL80211_IFTYPE_AP:
12712 	case NL80211_IFTYPE_AP_VLAN:
12713 	case NL80211_IFTYPE_MESH_POINT:
12714 	case NL80211_IFTYPE_P2P_GO:
12715 	case NL80211_IFTYPE_P2P_DEVICE:
12716 		break;
12717 	case NL80211_IFTYPE_NAN:
12718 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12719 					     NL80211_EXT_FEATURE_SECURE_NAN))
12720 			return -EOPNOTSUPP;
12721 		break;
12722 	default:
12723 		return -EOPNOTSUPP;
12724 	}
12725 
12726 	/* not much point in registering if we can't reply */
12727 	if (!rdev->ops->mgmt_tx)
12728 		return -EOPNOTSUPP;
12729 
12730 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12731 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12732 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12733 		GENL_SET_ERR_MSG(info,
12734 				 "multicast RX registrations are not supported");
12735 		return -EOPNOTSUPP;
12736 	}
12737 
12738 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12739 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12740 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12741 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12742 					   info->extack);
12743 }
12744 
12745 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12746 {
12747 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12748 	struct wireless_dev *wdev = info->user_ptr[1];
12749 	struct cfg80211_chan_def chandef;
12750 	int err;
12751 	void *hdr = NULL;
12752 	u64 cookie;
12753 	struct sk_buff *msg = NULL;
12754 	struct cfg80211_mgmt_tx_params params = {
12755 		.dont_wait_for_ack =
12756 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12757 	};
12758 
12759 	if (!info->attrs[NL80211_ATTR_FRAME])
12760 		return -EINVAL;
12761 
12762 	if (!rdev->ops->mgmt_tx)
12763 		return -EOPNOTSUPP;
12764 
12765 	switch (wdev->iftype) {
12766 	case NL80211_IFTYPE_P2P_DEVICE:
12767 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12768 			return -EINVAL;
12769 		break;
12770 	case NL80211_IFTYPE_STATION:
12771 	case NL80211_IFTYPE_ADHOC:
12772 	case NL80211_IFTYPE_P2P_CLIENT:
12773 	case NL80211_IFTYPE_AP:
12774 	case NL80211_IFTYPE_AP_VLAN:
12775 	case NL80211_IFTYPE_MESH_POINT:
12776 	case NL80211_IFTYPE_P2P_GO:
12777 		break;
12778 	case NL80211_IFTYPE_NAN:
12779 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12780 					     NL80211_EXT_FEATURE_SECURE_NAN))
12781 			return -EOPNOTSUPP;
12782 		break;
12783 	default:
12784 		return -EOPNOTSUPP;
12785 	}
12786 
12787 	if (info->attrs[NL80211_ATTR_DURATION]) {
12788 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12789 			return -EINVAL;
12790 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12791 
12792 		/*
12793 		 * We should wait on the channel for at least a minimum amount
12794 		 * of time (10ms) but no longer than the driver supports.
12795 		 */
12796 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12797 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12798 			return -EINVAL;
12799 	}
12800 
12801 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12802 
12803 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12804 		return -EINVAL;
12805 
12806 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12807 
12808 	/* get the channel if any has been specified, otherwise pass NULL to
12809 	 * the driver. The latter will use the current one
12810 	 */
12811 	chandef.chan = NULL;
12812 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12813 		err = nl80211_parse_chandef(rdev, info, &chandef);
12814 		if (err)
12815 			return err;
12816 	}
12817 
12818 	if (!chandef.chan && params.offchan)
12819 		return -EINVAL;
12820 
12821 	if (params.offchan &&
12822 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12823 		return -EBUSY;
12824 
12825 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12826 	/*
12827 	 * This now races due to the unlock, but we cannot check
12828 	 * the valid links for the _station_ anyway, so that's up
12829 	 * to the driver.
12830 	 */
12831 	if (params.link_id >= 0 &&
12832 	    !(wdev->valid_links & BIT(params.link_id)))
12833 		return -EINVAL;
12834 
12835 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12836 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12837 
12838 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12839 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12840 					    &params.csa_offsets,
12841 					    &params.n_csa_offsets);
12842 	if (err)
12843 		return err;
12844 
12845 	if (!params.dont_wait_for_ack) {
12846 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12847 		if (!msg)
12848 			return -ENOMEM;
12849 
12850 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12851 				     NL80211_CMD_FRAME);
12852 		if (!hdr) {
12853 			err = -ENOBUFS;
12854 			goto free_msg;
12855 		}
12856 	}
12857 
12858 	params.chan = chandef.chan;
12859 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12860 	if (err)
12861 		goto free_msg;
12862 
12863 	if (msg) {
12864 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12865 				      NL80211_ATTR_PAD))
12866 			goto nla_put_failure;
12867 
12868 		genlmsg_end(msg, hdr);
12869 		return genlmsg_reply(msg, info);
12870 	}
12871 
12872 	return 0;
12873 
12874  nla_put_failure:
12875 	err = -ENOBUFS;
12876  free_msg:
12877 	nlmsg_free(msg);
12878 	return err;
12879 }
12880 
12881 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12882 {
12883 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12884 	struct wireless_dev *wdev = info->user_ptr[1];
12885 	u64 cookie;
12886 
12887 	if (!info->attrs[NL80211_ATTR_COOKIE])
12888 		return -EINVAL;
12889 
12890 	if (!rdev->ops->mgmt_tx_cancel_wait)
12891 		return -EOPNOTSUPP;
12892 
12893 	switch (wdev->iftype) {
12894 	case NL80211_IFTYPE_STATION:
12895 	case NL80211_IFTYPE_ADHOC:
12896 	case NL80211_IFTYPE_P2P_CLIENT:
12897 	case NL80211_IFTYPE_AP:
12898 	case NL80211_IFTYPE_AP_VLAN:
12899 	case NL80211_IFTYPE_P2P_GO:
12900 	case NL80211_IFTYPE_P2P_DEVICE:
12901 		break;
12902 	case NL80211_IFTYPE_NAN:
12903 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12904 					     NL80211_EXT_FEATURE_SECURE_NAN))
12905 			return -EOPNOTSUPP;
12906 		break;
12907 	default:
12908 		return -EOPNOTSUPP;
12909 	}
12910 
12911 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12912 
12913 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12914 }
12915 
12916 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12917 {
12918 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12919 	struct wireless_dev *wdev;
12920 	struct net_device *dev = info->user_ptr[1];
12921 	u8 ps_state;
12922 	bool state;
12923 	int err;
12924 
12925 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12926 		return -EINVAL;
12927 
12928 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12929 
12930 	wdev = dev->ieee80211_ptr;
12931 
12932 	if (!rdev->ops->set_power_mgmt)
12933 		return -EOPNOTSUPP;
12934 
12935 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12936 
12937 	if (state == wdev->ps)
12938 		return 0;
12939 
12940 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12941 	if (!err)
12942 		wdev->ps = state;
12943 	return err;
12944 }
12945 
12946 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12947 {
12948 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12949 	enum nl80211_ps_state ps_state;
12950 	struct wireless_dev *wdev;
12951 	struct net_device *dev = info->user_ptr[1];
12952 	struct sk_buff *msg;
12953 	void *hdr;
12954 	int err;
12955 
12956 	wdev = dev->ieee80211_ptr;
12957 
12958 	if (!rdev->ops->set_power_mgmt)
12959 		return -EOPNOTSUPP;
12960 
12961 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12962 	if (!msg)
12963 		return -ENOMEM;
12964 
12965 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12966 			     NL80211_CMD_GET_POWER_SAVE);
12967 	if (!hdr) {
12968 		err = -ENOBUFS;
12969 		goto free_msg;
12970 	}
12971 
12972 	if (wdev->ps)
12973 		ps_state = NL80211_PS_ENABLED;
12974 	else
12975 		ps_state = NL80211_PS_DISABLED;
12976 
12977 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12978 		goto nla_put_failure;
12979 
12980 	genlmsg_end(msg, hdr);
12981 	return genlmsg_reply(msg, info);
12982 
12983  nla_put_failure:
12984 	err = -ENOBUFS;
12985  free_msg:
12986 	nlmsg_free(msg);
12987 	return err;
12988 }
12989 
12990 static const struct nla_policy
12991 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12992 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12993 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12994 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12995 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12996 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12997 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12998 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12999 };
13000 
13001 static int nl80211_set_cqm_txe(struct genl_info *info,
13002 			       u32 rate, u32 pkts, u32 intvl)
13003 {
13004 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13005 	struct net_device *dev = info->user_ptr[1];
13006 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13007 
13008 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13009 		return -EINVAL;
13010 
13011 	if (!rdev->ops->set_cqm_txe_config)
13012 		return -EOPNOTSUPP;
13013 
13014 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13015 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13016 		return -EOPNOTSUPP;
13017 
13018 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13019 }
13020 
13021 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13022 				    struct net_device *dev,
13023 				    struct cfg80211_cqm_config *cqm_config)
13024 {
13025 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13026 	s32 last, low, high;
13027 	u32 hyst;
13028 	int i, n, low_index;
13029 	int err;
13030 
13031 	/*
13032 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13033 	 * event has been received yet, we should receive an event after a
13034 	 * connection is established and enough beacons received to calculate
13035 	 * the average.
13036 	 */
13037 	if (!cqm_config->last_rssi_event_value &&
13038 	    wdev->links[0].client.current_bss &&
13039 	    rdev->ops->get_station) {
13040 		struct station_info sinfo = {};
13041 		u8 *mac_addr;
13042 
13043 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13044 
13045 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13046 		if (err)
13047 			return err;
13048 
13049 		cfg80211_sinfo_release_content(&sinfo);
13050 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13051 			cqm_config->last_rssi_event_value =
13052 				(s8) sinfo.rx_beacon_signal_avg;
13053 	}
13054 
13055 	last = cqm_config->last_rssi_event_value;
13056 	hyst = cqm_config->rssi_hyst;
13057 	n = cqm_config->n_rssi_thresholds;
13058 
13059 	for (i = 0; i < n; i++) {
13060 		i = array_index_nospec(i, n);
13061 		if (last < cqm_config->rssi_thresholds[i])
13062 			break;
13063 	}
13064 
13065 	low_index = i - 1;
13066 	if (low_index >= 0) {
13067 		low_index = array_index_nospec(low_index, n);
13068 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13069 	} else {
13070 		low = S32_MIN;
13071 	}
13072 	if (i < n) {
13073 		i = array_index_nospec(i, n);
13074 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13075 	} else {
13076 		high = S32_MAX;
13077 	}
13078 
13079 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13080 }
13081 
13082 static int nl80211_set_cqm_rssi(struct genl_info *info,
13083 				const s32 *thresholds, int n_thresholds,
13084 				u32 hysteresis)
13085 {
13086 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13087 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13088 	struct net_device *dev = info->user_ptr[1];
13089 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13090 	s32 prev = S32_MIN;
13091 	int i, err;
13092 
13093 	/* Check all values negative and sorted */
13094 	for (i = 0; i < n_thresholds; i++) {
13095 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13096 			return -EINVAL;
13097 
13098 		prev = thresholds[i];
13099 	}
13100 
13101 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13102 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13103 		return -EOPNOTSUPP;
13104 
13105 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13106 		n_thresholds = 0;
13107 
13108 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13109 
13110 	/* if already disabled just succeed */
13111 	if (!n_thresholds && !old)
13112 		return 0;
13113 
13114 	if (n_thresholds > 1) {
13115 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13116 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13117 		    !rdev->ops->set_cqm_rssi_range_config)
13118 			return -EOPNOTSUPP;
13119 	} else {
13120 		if (!rdev->ops->set_cqm_rssi_config)
13121 			return -EOPNOTSUPP;
13122 	}
13123 
13124 	if (n_thresholds) {
13125 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13126 						 n_thresholds),
13127 				     GFP_KERNEL);
13128 		if (!cqm_config)
13129 			return -ENOMEM;
13130 
13131 		cqm_config->rssi_hyst = hysteresis;
13132 		cqm_config->n_rssi_thresholds = n_thresholds;
13133 		memcpy(cqm_config->rssi_thresholds, thresholds,
13134 		       flex_array_size(cqm_config, rssi_thresholds,
13135 				       n_thresholds));
13136 		cqm_config->use_range_api = n_thresholds > 1 ||
13137 					    !rdev->ops->set_cqm_rssi_config;
13138 
13139 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13140 
13141 		if (cqm_config->use_range_api)
13142 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13143 		else
13144 			err = rdev_set_cqm_rssi_config(rdev, dev,
13145 						       thresholds[0],
13146 						       hysteresis);
13147 	} else {
13148 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13149 		/* if enabled as range also disable via range */
13150 		if (old->use_range_api)
13151 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13152 		else
13153 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13154 	}
13155 
13156 	if (err) {
13157 		rcu_assign_pointer(wdev->cqm_config, old);
13158 		kfree_rcu(cqm_config, rcu_head);
13159 	} else {
13160 		kfree_rcu(old, rcu_head);
13161 	}
13162 
13163 	return err;
13164 }
13165 
13166 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13167 {
13168 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13169 	struct nlattr *cqm;
13170 	int err;
13171 
13172 	cqm = info->attrs[NL80211_ATTR_CQM];
13173 	if (!cqm)
13174 		return -EINVAL;
13175 
13176 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13177 					  nl80211_attr_cqm_policy,
13178 					  info->extack);
13179 	if (err)
13180 		return err;
13181 
13182 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13183 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13184 		const s32 *thresholds =
13185 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13186 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13187 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13188 
13189 		if (len % 4)
13190 			return -EINVAL;
13191 
13192 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13193 					    hysteresis);
13194 	}
13195 
13196 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13197 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13198 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13199 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13200 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13201 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13202 
13203 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13204 	}
13205 
13206 	return -EINVAL;
13207 }
13208 
13209 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13210 {
13211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13212 	struct net_device *dev = info->user_ptr[1];
13213 	struct ocb_setup setup = {};
13214 	int err;
13215 
13216 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13217 	if (err)
13218 		return err;
13219 
13220 	return cfg80211_join_ocb(rdev, dev, &setup);
13221 }
13222 
13223 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13224 {
13225 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13226 	struct net_device *dev = info->user_ptr[1];
13227 
13228 	return cfg80211_leave_ocb(rdev, dev);
13229 }
13230 
13231 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13232 {
13233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13234 	struct net_device *dev = info->user_ptr[1];
13235 	struct mesh_config cfg;
13236 	struct mesh_setup setup;
13237 	int err;
13238 
13239 	/* start with default */
13240 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13241 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13242 
13243 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13244 		/* and parse parameters if given */
13245 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13246 		if (err)
13247 			return err;
13248 	}
13249 
13250 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13251 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13252 		return -EINVAL;
13253 
13254 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13255 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13256 
13257 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13258 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13259 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13260 			return -EINVAL;
13261 
13262 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13263 		setup.beacon_interval =
13264 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13265 
13266 		err = cfg80211_validate_beacon_int(rdev,
13267 						   NL80211_IFTYPE_MESH_POINT,
13268 						   setup.beacon_interval);
13269 		if (err)
13270 			return err;
13271 	}
13272 
13273 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13274 		setup.dtim_period =
13275 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13276 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13277 			return -EINVAL;
13278 	}
13279 
13280 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13281 		/* parse additional setup parameters if given */
13282 		err = nl80211_parse_mesh_setup(info, &setup);
13283 		if (err)
13284 			return err;
13285 	}
13286 
13287 	if (setup.user_mpm)
13288 		cfg.auto_open_plinks = false;
13289 
13290 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13291 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13292 		if (err)
13293 			return err;
13294 	} else {
13295 		/* __cfg80211_join_mesh() will sort it out */
13296 		setup.chandef.chan = NULL;
13297 	}
13298 
13299 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13300 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13301 		int n_rates =
13302 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13303 		struct ieee80211_supported_band *sband;
13304 
13305 		if (!setup.chandef.chan)
13306 			return -EINVAL;
13307 
13308 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13309 
13310 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13311 					     &setup.basic_rates);
13312 		if (err)
13313 			return err;
13314 	}
13315 
13316 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13317 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13318 						    NL80211_ATTR_TX_RATES,
13319 						    &setup.beacon_rate,
13320 						    dev, false, 0);
13321 		if (err)
13322 			return err;
13323 
13324 		if (!setup.chandef.chan)
13325 			return -EINVAL;
13326 
13327 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13328 					      &setup.beacon_rate);
13329 		if (err)
13330 			return err;
13331 	}
13332 
13333 	setup.userspace_handles_dfs =
13334 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13335 
13336 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13337 		int r = validate_pae_over_nl80211(rdev, info);
13338 
13339 		if (r < 0)
13340 			return r;
13341 
13342 		setup.control_port_over_nl80211 = true;
13343 	}
13344 
13345 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13346 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13347 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13348 
13349 	return err;
13350 }
13351 
13352 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13353 {
13354 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13355 	struct net_device *dev = info->user_ptr[1];
13356 
13357 	return cfg80211_leave_mesh(rdev, dev);
13358 }
13359 
13360 #ifdef CONFIG_PM
13361 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13362 					struct cfg80211_registered_device *rdev)
13363 {
13364 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13365 	struct nlattr *nl_pats, *nl_pat;
13366 	int i, pat_len;
13367 
13368 	if (!wowlan->n_patterns)
13369 		return 0;
13370 
13371 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13372 	if (!nl_pats)
13373 		return -ENOBUFS;
13374 
13375 	for (i = 0; i < wowlan->n_patterns; i++) {
13376 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13377 		if (!nl_pat)
13378 			return -ENOBUFS;
13379 		pat_len = wowlan->patterns[i].pattern_len;
13380 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13381 			    wowlan->patterns[i].mask) ||
13382 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13383 			    wowlan->patterns[i].pattern) ||
13384 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13385 				wowlan->patterns[i].pkt_offset))
13386 			return -ENOBUFS;
13387 		nla_nest_end(msg, nl_pat);
13388 	}
13389 	nla_nest_end(msg, nl_pats);
13390 
13391 	return 0;
13392 }
13393 
13394 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13395 				   struct cfg80211_wowlan_tcp *tcp)
13396 {
13397 	struct nlattr *nl_tcp;
13398 
13399 	if (!tcp)
13400 		return 0;
13401 
13402 	nl_tcp = nla_nest_start_noflag(msg,
13403 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13404 	if (!nl_tcp)
13405 		return -ENOBUFS;
13406 
13407 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13408 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13409 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13410 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13411 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13412 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13413 		    tcp->payload_len, tcp->payload) ||
13414 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13415 			tcp->data_interval) ||
13416 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13417 		    tcp->wake_len, tcp->wake_data) ||
13418 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13419 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13420 		return -ENOBUFS;
13421 
13422 	if (tcp->payload_seq.len &&
13423 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13424 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13425 		return -ENOBUFS;
13426 
13427 	if (tcp->payload_tok.len &&
13428 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13429 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13430 		    &tcp->payload_tok))
13431 		return -ENOBUFS;
13432 
13433 	nla_nest_end(msg, nl_tcp);
13434 
13435 	return 0;
13436 }
13437 
13438 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13439 				  struct cfg80211_sched_scan_request *req)
13440 {
13441 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13442 	int i;
13443 
13444 	if (!req)
13445 		return 0;
13446 
13447 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13448 	if (!nd)
13449 		return -ENOBUFS;
13450 
13451 	if (req->n_scan_plans == 1 &&
13452 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13453 			req->scan_plans[0].interval * 1000))
13454 		return -ENOBUFS;
13455 
13456 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13457 		return -ENOBUFS;
13458 
13459 	if (req->relative_rssi_set) {
13460 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13461 
13462 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13463 			       req->relative_rssi))
13464 			return -ENOBUFS;
13465 
13466 		rssi_adjust.band = req->rssi_adjust.band;
13467 		rssi_adjust.delta = req->rssi_adjust.delta;
13468 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13469 			    sizeof(rssi_adjust), &rssi_adjust))
13470 			return -ENOBUFS;
13471 	}
13472 
13473 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13474 	if (!freqs)
13475 		return -ENOBUFS;
13476 
13477 	for (i = 0; i < req->n_channels; i++) {
13478 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13479 			return -ENOBUFS;
13480 	}
13481 
13482 	nla_nest_end(msg, freqs);
13483 
13484 	if (req->n_match_sets) {
13485 		matches = nla_nest_start_noflag(msg,
13486 						NL80211_ATTR_SCHED_SCAN_MATCH);
13487 		if (!matches)
13488 			return -ENOBUFS;
13489 
13490 		for (i = 0; i < req->n_match_sets; i++) {
13491 			match = nla_nest_start_noflag(msg, i);
13492 			if (!match)
13493 				return -ENOBUFS;
13494 
13495 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13496 				    req->match_sets[i].ssid.ssid_len,
13497 				    req->match_sets[i].ssid.ssid))
13498 				return -ENOBUFS;
13499 			nla_nest_end(msg, match);
13500 		}
13501 		nla_nest_end(msg, matches);
13502 	}
13503 
13504 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13505 	if (!scan_plans)
13506 		return -ENOBUFS;
13507 
13508 	for (i = 0; i < req->n_scan_plans; i++) {
13509 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13510 		if (!scan_plan)
13511 			return -ENOBUFS;
13512 
13513 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13514 				req->scan_plans[i].interval) ||
13515 		    (req->scan_plans[i].iterations &&
13516 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13517 				 req->scan_plans[i].iterations)))
13518 			return -ENOBUFS;
13519 		nla_nest_end(msg, scan_plan);
13520 	}
13521 	nla_nest_end(msg, scan_plans);
13522 
13523 	nla_nest_end(msg, nd);
13524 
13525 	return 0;
13526 }
13527 
13528 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13529 {
13530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13531 	struct sk_buff *msg;
13532 	void *hdr;
13533 	u32 size = NLMSG_DEFAULT_SIZE;
13534 
13535 	if (!rdev->wiphy.wowlan)
13536 		return -EOPNOTSUPP;
13537 
13538 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13539 		/* adjust size to have room for all the data */
13540 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13541 			rdev->wiphy.wowlan_config->tcp->payload_len +
13542 			rdev->wiphy.wowlan_config->tcp->wake_len +
13543 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13544 	}
13545 
13546 	msg = nlmsg_new(size, GFP_KERNEL);
13547 	if (!msg)
13548 		return -ENOMEM;
13549 
13550 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13551 			     NL80211_CMD_GET_WOWLAN);
13552 	if (!hdr)
13553 		goto nla_put_failure;
13554 
13555 	if (rdev->wiphy.wowlan_config) {
13556 		struct nlattr *nl_wowlan;
13557 
13558 		nl_wowlan = nla_nest_start_noflag(msg,
13559 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13560 		if (!nl_wowlan)
13561 			goto nla_put_failure;
13562 
13563 		if ((rdev->wiphy.wowlan_config->any &&
13564 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13565 		    (rdev->wiphy.wowlan_config->disconnect &&
13566 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13567 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13568 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13569 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13570 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13571 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13572 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13573 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13574 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13575 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13576 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13577 			goto nla_put_failure;
13578 
13579 		if (nl80211_send_wowlan_patterns(msg, rdev))
13580 			goto nla_put_failure;
13581 
13582 		if (nl80211_send_wowlan_tcp(msg,
13583 					    rdev->wiphy.wowlan_config->tcp))
13584 			goto nla_put_failure;
13585 
13586 		if (nl80211_send_wowlan_nd(
13587 			    msg,
13588 			    rdev->wiphy.wowlan_config->nd_config))
13589 			goto nla_put_failure;
13590 
13591 		nla_nest_end(msg, nl_wowlan);
13592 	}
13593 
13594 	genlmsg_end(msg, hdr);
13595 	return genlmsg_reply(msg, info);
13596 
13597 nla_put_failure:
13598 	nlmsg_free(msg);
13599 	return -ENOBUFS;
13600 }
13601 
13602 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13603 				    struct nlattr *attr,
13604 				    struct cfg80211_wowlan *trig)
13605 {
13606 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13607 	struct cfg80211_wowlan_tcp *cfg;
13608 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13609 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13610 	u32 size;
13611 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13612 	int err, port;
13613 
13614 	if (!rdev->wiphy.wowlan->tcp)
13615 		return -EINVAL;
13616 
13617 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13618 					  nl80211_wowlan_tcp_policy, NULL);
13619 	if (err)
13620 		return err;
13621 
13622 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13623 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13624 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13625 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13626 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13627 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13628 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13629 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13630 		return -EINVAL;
13631 
13632 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13633 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13634 		return -EINVAL;
13635 
13636 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13637 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13638 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13639 		return -EINVAL;
13640 
13641 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13642 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13643 		return -EINVAL;
13644 
13645 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13646 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13647 		return -EINVAL;
13648 
13649 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13650 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13651 
13652 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13653 		tokens_size = tokln - sizeof(*tok);
13654 
13655 		if (!tok->len || tokens_size % tok->len)
13656 			return -EINVAL;
13657 		if (!rdev->wiphy.wowlan->tcp->tok)
13658 			return -EINVAL;
13659 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13660 			return -EINVAL;
13661 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13662 			return -EINVAL;
13663 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13664 			return -EINVAL;
13665 		if (tok->offset + tok->len > data_size)
13666 			return -EINVAL;
13667 	}
13668 
13669 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13670 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13671 		if (!rdev->wiphy.wowlan->tcp->seq)
13672 			return -EINVAL;
13673 		if (seq->len == 0 || seq->len > 4)
13674 			return -EINVAL;
13675 		if (seq->len + seq->offset > data_size)
13676 			return -EINVAL;
13677 	}
13678 
13679 	size = sizeof(*cfg);
13680 	size += data_size;
13681 	size += wake_size + wake_mask_size;
13682 	size += tokens_size;
13683 
13684 	cfg = kzalloc(size, GFP_KERNEL);
13685 	if (!cfg)
13686 		return -ENOMEM;
13687 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13688 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13689 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13690 	       ETH_ALEN);
13691 	port = nla_get_u16_default(tb[NL80211_WOWLAN_TCP_SRC_PORT], 0);
13692 #ifdef CONFIG_INET
13693 	/* allocate a socket and port for it and use it */
13694 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13695 			    IPPROTO_TCP, &cfg->sock, 1);
13696 	if (err) {
13697 		kfree(cfg);
13698 		return err;
13699 	}
13700 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13701 		sock_release(cfg->sock);
13702 		kfree(cfg);
13703 		return -EADDRINUSE;
13704 	}
13705 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13706 #else
13707 	if (!port) {
13708 		kfree(cfg);
13709 		return -EINVAL;
13710 	}
13711 	cfg->src_port = port;
13712 #endif
13713 
13714 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13715 	cfg->payload_len = data_size;
13716 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13717 	memcpy((void *)cfg->payload,
13718 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13719 	       data_size);
13720 	if (seq)
13721 		cfg->payload_seq = *seq;
13722 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13723 	cfg->wake_len = wake_size;
13724 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13725 	memcpy((void *)cfg->wake_data,
13726 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13727 	       wake_size);
13728 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13729 			 data_size + wake_size;
13730 	memcpy((void *)cfg->wake_mask,
13731 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13732 	       wake_mask_size);
13733 	if (tok) {
13734 		cfg->tokens_size = tokens_size;
13735 		cfg->payload_tok = *tok;
13736 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13737 		       tokens_size);
13738 	}
13739 
13740 	trig->tcp = cfg;
13741 
13742 	return 0;
13743 }
13744 
13745 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13746 				   const struct wiphy_wowlan_support *wowlan,
13747 				   struct nlattr *attr,
13748 				   struct cfg80211_wowlan *trig)
13749 {
13750 	struct nlattr **tb;
13751 	int err;
13752 
13753 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13754 	if (!tb)
13755 		return -ENOMEM;
13756 
13757 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13758 		err = -EOPNOTSUPP;
13759 		goto out;
13760 	}
13761 
13762 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13763 					  nl80211_policy, NULL);
13764 	if (err)
13765 		goto out;
13766 
13767 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13768 						   wowlan->max_nd_match_sets);
13769 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13770 	if (err)
13771 		trig->nd_config = NULL;
13772 
13773 out:
13774 	kfree(tb);
13775 	return err;
13776 }
13777 
13778 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13779 {
13780 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13781 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13782 	struct cfg80211_wowlan new_triggers = {};
13783 	struct cfg80211_wowlan *ntrig;
13784 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13785 	int err, i;
13786 	bool prev_enabled = rdev->wiphy.wowlan_config;
13787 	bool regular = false;
13788 
13789 	if (!wowlan)
13790 		return -EOPNOTSUPP;
13791 
13792 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13793 		cfg80211_rdev_free_wowlan(rdev);
13794 		rdev->wiphy.wowlan_config = NULL;
13795 		goto set_wakeup;
13796 	}
13797 
13798 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13799 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13800 					  nl80211_wowlan_policy, info->extack);
13801 	if (err)
13802 		return err;
13803 
13804 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13805 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13806 			return -EINVAL;
13807 		new_triggers.any = true;
13808 	}
13809 
13810 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13811 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13812 			return -EINVAL;
13813 		new_triggers.disconnect = true;
13814 		regular = true;
13815 	}
13816 
13817 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13818 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13819 			return -EINVAL;
13820 		new_triggers.magic_pkt = true;
13821 		regular = true;
13822 	}
13823 
13824 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13825 		return -EINVAL;
13826 
13827 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13828 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13829 			return -EINVAL;
13830 		new_triggers.gtk_rekey_failure = true;
13831 		regular = true;
13832 	}
13833 
13834 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13835 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13836 			return -EINVAL;
13837 		new_triggers.eap_identity_req = true;
13838 		regular = true;
13839 	}
13840 
13841 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13842 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13843 			return -EINVAL;
13844 		new_triggers.four_way_handshake = true;
13845 		regular = true;
13846 	}
13847 
13848 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13849 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13850 			return -EINVAL;
13851 		new_triggers.rfkill_release = true;
13852 		regular = true;
13853 	}
13854 
13855 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13856 		struct nlattr *pat;
13857 		int n_patterns = 0;
13858 		int rem, pat_len, mask_len, pkt_offset;
13859 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13860 
13861 		regular = true;
13862 
13863 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13864 				    rem)
13865 			n_patterns++;
13866 		if (n_patterns > wowlan->n_patterns)
13867 			return -EINVAL;
13868 
13869 		new_triggers.patterns = kcalloc(n_patterns,
13870 						sizeof(new_triggers.patterns[0]),
13871 						GFP_KERNEL);
13872 		if (!new_triggers.patterns)
13873 			return -ENOMEM;
13874 
13875 		new_triggers.n_patterns = n_patterns;
13876 		i = 0;
13877 
13878 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13879 				    rem) {
13880 			u8 *mask_pat;
13881 
13882 			err = nla_parse_nested_deprecated(pat_tb,
13883 							  MAX_NL80211_PKTPAT,
13884 							  pat,
13885 							  nl80211_packet_pattern_policy,
13886 							  info->extack);
13887 			if (err)
13888 				goto error;
13889 
13890 			err = -EINVAL;
13891 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13892 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13893 				goto error;
13894 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13895 			mask_len = DIV_ROUND_UP(pat_len, 8);
13896 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13897 				goto error;
13898 			if (pat_len > wowlan->pattern_max_len ||
13899 			    pat_len < wowlan->pattern_min_len)
13900 				goto error;
13901 
13902 			pkt_offset =
13903 				nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
13904 						    0);
13905 			if (pkt_offset > wowlan->max_pkt_offset)
13906 				goto error;
13907 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13908 
13909 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13910 			if (!mask_pat) {
13911 				err = -ENOMEM;
13912 				goto error;
13913 			}
13914 			new_triggers.patterns[i].mask = mask_pat;
13915 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13916 			       mask_len);
13917 			mask_pat += mask_len;
13918 			new_triggers.patterns[i].pattern = mask_pat;
13919 			new_triggers.patterns[i].pattern_len = pat_len;
13920 			memcpy(mask_pat,
13921 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13922 			       pat_len);
13923 			i++;
13924 		}
13925 	}
13926 
13927 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13928 		regular = true;
13929 		err = nl80211_parse_wowlan_tcp(
13930 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13931 			&new_triggers);
13932 		if (err)
13933 			goto error;
13934 	}
13935 
13936 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13937 		regular = true;
13938 		err = nl80211_parse_wowlan_nd(
13939 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13940 			&new_triggers);
13941 		if (err)
13942 			goto error;
13943 	}
13944 
13945 	/* The 'any' trigger means the device continues operating more or less
13946 	 * as in its normal operation mode and wakes up the host on most of the
13947 	 * normal interrupts (like packet RX, ...)
13948 	 * It therefore makes little sense to combine with the more constrained
13949 	 * wakeup trigger modes.
13950 	 */
13951 	if (new_triggers.any && regular) {
13952 		err = -EINVAL;
13953 		goto error;
13954 	}
13955 
13956 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13957 	if (!ntrig) {
13958 		err = -ENOMEM;
13959 		goto error;
13960 	}
13961 	cfg80211_rdev_free_wowlan(rdev);
13962 	rdev->wiphy.wowlan_config = ntrig;
13963 
13964  set_wakeup:
13965 	if (rdev->ops->set_wakeup &&
13966 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13967 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13968 
13969 	return 0;
13970  error:
13971 	for (i = 0; i < new_triggers.n_patterns; i++)
13972 		kfree(new_triggers.patterns[i].mask);
13973 	kfree(new_triggers.patterns);
13974 	if (new_triggers.tcp && new_triggers.tcp->sock)
13975 		sock_release(new_triggers.tcp->sock);
13976 	kfree(new_triggers.tcp);
13977 	kfree(new_triggers.nd_config);
13978 	return err;
13979 }
13980 #endif
13981 
13982 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13983 				       struct cfg80211_registered_device *rdev)
13984 {
13985 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13986 	int i, j, pat_len;
13987 	struct cfg80211_coalesce_rules *rule;
13988 
13989 	if (!rdev->coalesce->n_rules)
13990 		return 0;
13991 
13992 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13993 	if (!nl_rules)
13994 		return -ENOBUFS;
13995 
13996 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13997 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13998 		if (!nl_rule)
13999 			return -ENOBUFS;
14000 
14001 		rule = &rdev->coalesce->rules[i];
14002 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14003 				rule->delay))
14004 			return -ENOBUFS;
14005 
14006 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14007 				rule->condition))
14008 			return -ENOBUFS;
14009 
14010 		nl_pats = nla_nest_start_noflag(msg,
14011 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14012 		if (!nl_pats)
14013 			return -ENOBUFS;
14014 
14015 		for (j = 0; j < rule->n_patterns; j++) {
14016 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14017 			if (!nl_pat)
14018 				return -ENOBUFS;
14019 			pat_len = rule->patterns[j].pattern_len;
14020 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14021 				    DIV_ROUND_UP(pat_len, 8),
14022 				    rule->patterns[j].mask) ||
14023 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14024 				    rule->patterns[j].pattern) ||
14025 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14026 					rule->patterns[j].pkt_offset))
14027 				return -ENOBUFS;
14028 			nla_nest_end(msg, nl_pat);
14029 		}
14030 		nla_nest_end(msg, nl_pats);
14031 		nla_nest_end(msg, nl_rule);
14032 	}
14033 	nla_nest_end(msg, nl_rules);
14034 
14035 	return 0;
14036 }
14037 
14038 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14039 {
14040 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14041 	struct sk_buff *msg;
14042 	void *hdr;
14043 
14044 	if (!rdev->wiphy.coalesce)
14045 		return -EOPNOTSUPP;
14046 
14047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14048 	if (!msg)
14049 		return -ENOMEM;
14050 
14051 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14052 			     NL80211_CMD_GET_COALESCE);
14053 	if (!hdr)
14054 		goto nla_put_failure;
14055 
14056 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14057 		goto nla_put_failure;
14058 
14059 	genlmsg_end(msg, hdr);
14060 	return genlmsg_reply(msg, info);
14061 
14062 nla_put_failure:
14063 	nlmsg_free(msg);
14064 	return -ENOBUFS;
14065 }
14066 
14067 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14068 {
14069 	int i, j;
14070 	struct cfg80211_coalesce_rules *rule;
14071 
14072 	if (!coalesce)
14073 		return;
14074 
14075 	for (i = 0; i < coalesce->n_rules; i++) {
14076 		rule = &coalesce->rules[i];
14077 		for (j = 0; j < rule->n_patterns; j++)
14078 			kfree(rule->patterns[j].mask);
14079 		kfree(rule->patterns);
14080 	}
14081 	kfree(coalesce);
14082 }
14083 
14084 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14085 				       struct nlattr *rule,
14086 				       struct cfg80211_coalesce_rules *new_rule)
14087 {
14088 	int err, i;
14089 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14090 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14091 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14092 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14093 
14094 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14095 					  rule, nl80211_coalesce_policy, NULL);
14096 	if (err)
14097 		return err;
14098 
14099 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14100 		new_rule->delay =
14101 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14102 	if (new_rule->delay > coalesce->max_delay)
14103 		return -EINVAL;
14104 
14105 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14106 		new_rule->condition =
14107 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14108 
14109 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14110 		return -EINVAL;
14111 
14112 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14113 			    rem)
14114 		n_patterns++;
14115 	if (n_patterns > coalesce->n_patterns)
14116 		return -EINVAL;
14117 
14118 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14119 				     GFP_KERNEL);
14120 	if (!new_rule->patterns)
14121 		return -ENOMEM;
14122 
14123 	new_rule->n_patterns = n_patterns;
14124 	i = 0;
14125 
14126 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14127 			    rem) {
14128 		u8 *mask_pat;
14129 
14130 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14131 						  pat,
14132 						  nl80211_packet_pattern_policy,
14133 						  NULL);
14134 		if (err)
14135 			return err;
14136 
14137 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14138 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14139 			return -EINVAL;
14140 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14141 		mask_len = DIV_ROUND_UP(pat_len, 8);
14142 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14143 			return -EINVAL;
14144 		if (pat_len > coalesce->pattern_max_len ||
14145 		    pat_len < coalesce->pattern_min_len)
14146 			return -EINVAL;
14147 
14148 		pkt_offset = nla_get_u32_default(pat_tb[NL80211_PKTPAT_OFFSET],
14149 						 0);
14150 		if (pkt_offset > coalesce->max_pkt_offset)
14151 			return -EINVAL;
14152 		new_rule->patterns[i].pkt_offset = pkt_offset;
14153 
14154 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14155 		if (!mask_pat)
14156 			return -ENOMEM;
14157 
14158 		new_rule->patterns[i].mask = mask_pat;
14159 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14160 		       mask_len);
14161 
14162 		mask_pat += mask_len;
14163 		new_rule->patterns[i].pattern = mask_pat;
14164 		new_rule->patterns[i].pattern_len = pat_len;
14165 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14166 		       pat_len);
14167 		i++;
14168 	}
14169 
14170 	return 0;
14171 }
14172 
14173 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14174 {
14175 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14176 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14177 	struct cfg80211_coalesce *new_coalesce;
14178 	int err, rem_rule, n_rules = 0, i;
14179 	struct nlattr *rule;
14180 
14181 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14182 		return -EOPNOTSUPP;
14183 
14184 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14185 		cfg80211_free_coalesce(rdev->coalesce);
14186 		rdev->coalesce = NULL;
14187 		rdev_set_coalesce(rdev, NULL);
14188 		return 0;
14189 	}
14190 
14191 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14192 			    rem_rule)
14193 		n_rules++;
14194 	if (n_rules > coalesce->n_rules)
14195 		return -EINVAL;
14196 
14197 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14198 			       GFP_KERNEL);
14199 	if (!new_coalesce)
14200 		return -ENOMEM;
14201 
14202 	new_coalesce->n_rules = n_rules;
14203 	i = 0;
14204 
14205 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14206 			    rem_rule) {
14207 		err = nl80211_parse_coalesce_rule(rdev, rule,
14208 						  &new_coalesce->rules[i]);
14209 		if (err)
14210 			goto error;
14211 
14212 		i++;
14213 	}
14214 
14215 	err = rdev_set_coalesce(rdev, new_coalesce);
14216 	if (err)
14217 		goto error;
14218 
14219 	cfg80211_free_coalesce(rdev->coalesce);
14220 	rdev->coalesce = new_coalesce;
14221 
14222 	return 0;
14223 error:
14224 	cfg80211_free_coalesce(new_coalesce);
14225 
14226 	return err;
14227 }
14228 
14229 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14230 {
14231 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14232 	struct net_device *dev = info->user_ptr[1];
14233 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14234 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14235 	struct cfg80211_gtk_rekey_data rekey_data = {};
14236 	int err;
14237 
14238 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14239 		return -EINVAL;
14240 
14241 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14242 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14243 					  nl80211_rekey_policy, info->extack);
14244 	if (err)
14245 		return err;
14246 
14247 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14248 	    !tb[NL80211_REKEY_DATA_KCK])
14249 		return -EINVAL;
14250 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14251 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14252 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14253 		return -ERANGE;
14254 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14255 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14256 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14257 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14258 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14259 		return -ERANGE;
14260 
14261 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14262 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14263 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14264 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14265 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14266 	if (tb[NL80211_REKEY_DATA_AKM])
14267 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14268 
14269 	if (!wdev->connected)
14270 		return -ENOTCONN;
14271 
14272 	if (!rdev->ops->set_rekey_data)
14273 		return -EOPNOTSUPP;
14274 
14275 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14276 }
14277 
14278 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14279 					     struct genl_info *info)
14280 {
14281 	struct net_device *dev = info->user_ptr[1];
14282 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14283 
14284 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14285 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14286 		return -EINVAL;
14287 
14288 	if (wdev->ap_unexpected_nlportid)
14289 		return -EBUSY;
14290 
14291 	wdev->ap_unexpected_nlportid = info->snd_portid;
14292 	return 0;
14293 }
14294 
14295 static int nl80211_probe_client(struct sk_buff *skb,
14296 				struct genl_info *info)
14297 {
14298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14299 	struct net_device *dev = info->user_ptr[1];
14300 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14301 	struct sk_buff *msg;
14302 	void *hdr;
14303 	const u8 *addr;
14304 	u64 cookie;
14305 	int err;
14306 
14307 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14308 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14309 		return -EOPNOTSUPP;
14310 
14311 	if (!info->attrs[NL80211_ATTR_MAC])
14312 		return -EINVAL;
14313 
14314 	if (!rdev->ops->probe_client)
14315 		return -EOPNOTSUPP;
14316 
14317 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14318 	if (!msg)
14319 		return -ENOMEM;
14320 
14321 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14322 			     NL80211_CMD_PROBE_CLIENT);
14323 	if (!hdr) {
14324 		err = -ENOBUFS;
14325 		goto free_msg;
14326 	}
14327 
14328 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14329 
14330 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14331 	if (err)
14332 		goto free_msg;
14333 
14334 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14335 			      NL80211_ATTR_PAD))
14336 		goto nla_put_failure;
14337 
14338 	genlmsg_end(msg, hdr);
14339 
14340 	return genlmsg_reply(msg, info);
14341 
14342  nla_put_failure:
14343 	err = -ENOBUFS;
14344  free_msg:
14345 	nlmsg_free(msg);
14346 	return err;
14347 }
14348 
14349 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14350 {
14351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14352 	struct cfg80211_beacon_registration *reg, *nreg;
14353 	int rv;
14354 
14355 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14356 		return -EOPNOTSUPP;
14357 
14358 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14359 	if (!nreg)
14360 		return -ENOMEM;
14361 
14362 	/* First, check if already registered. */
14363 	spin_lock_bh(&rdev->beacon_registrations_lock);
14364 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14365 		if (reg->nlportid == info->snd_portid) {
14366 			rv = -EALREADY;
14367 			goto out_err;
14368 		}
14369 	}
14370 	/* Add it to the list */
14371 	nreg->nlportid = info->snd_portid;
14372 	list_add(&nreg->list, &rdev->beacon_registrations);
14373 
14374 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14375 
14376 	return 0;
14377 out_err:
14378 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14379 	kfree(nreg);
14380 	return rv;
14381 }
14382 
14383 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14384 {
14385 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14386 	struct wireless_dev *wdev = info->user_ptr[1];
14387 	int err;
14388 
14389 	if (!rdev->ops->start_p2p_device)
14390 		return -EOPNOTSUPP;
14391 
14392 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14393 		return -EOPNOTSUPP;
14394 
14395 	if (wdev_running(wdev))
14396 		return 0;
14397 
14398 	if (rfkill_blocked(rdev->wiphy.rfkill))
14399 		return -ERFKILL;
14400 
14401 	err = rdev_start_p2p_device(rdev, wdev);
14402 	if (err)
14403 		return err;
14404 
14405 	wdev->is_running = true;
14406 	rdev->opencount++;
14407 
14408 	return 0;
14409 }
14410 
14411 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14412 {
14413 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14414 	struct wireless_dev *wdev = info->user_ptr[1];
14415 
14416 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14417 		return -EOPNOTSUPP;
14418 
14419 	if (!rdev->ops->stop_p2p_device)
14420 		return -EOPNOTSUPP;
14421 
14422 	cfg80211_stop_p2p_device(rdev, wdev);
14423 
14424 	return 0;
14425 }
14426 
14427 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14428 {
14429 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14430 	struct wireless_dev *wdev = info->user_ptr[1];
14431 	struct cfg80211_nan_conf conf = {};
14432 	int err;
14433 
14434 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14435 		return -EOPNOTSUPP;
14436 
14437 	if (wdev_running(wdev))
14438 		return -EEXIST;
14439 
14440 	if (rfkill_blocked(rdev->wiphy.rfkill))
14441 		return -ERFKILL;
14442 
14443 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14444 		return -EINVAL;
14445 
14446 	conf.master_pref =
14447 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14448 
14449 	if (info->attrs[NL80211_ATTR_BANDS]) {
14450 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14451 
14452 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14453 			return -EOPNOTSUPP;
14454 
14455 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14456 			return -EINVAL;
14457 
14458 		conf.bands = bands;
14459 	}
14460 
14461 	err = rdev_start_nan(rdev, wdev, &conf);
14462 	if (err)
14463 		return err;
14464 
14465 	wdev->is_running = true;
14466 	rdev->opencount++;
14467 
14468 	return 0;
14469 }
14470 
14471 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14472 {
14473 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14474 	struct wireless_dev *wdev = info->user_ptr[1];
14475 
14476 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14477 		return -EOPNOTSUPP;
14478 
14479 	cfg80211_stop_nan(rdev, wdev);
14480 
14481 	return 0;
14482 }
14483 
14484 static int validate_nan_filter(struct nlattr *filter_attr)
14485 {
14486 	struct nlattr *attr;
14487 	int len = 0, n_entries = 0, rem;
14488 
14489 	nla_for_each_nested(attr, filter_attr, rem) {
14490 		len += nla_len(attr);
14491 		n_entries++;
14492 	}
14493 
14494 	if (len >= U8_MAX)
14495 		return -EINVAL;
14496 
14497 	return n_entries;
14498 }
14499 
14500 static int handle_nan_filter(struct nlattr *attr_filter,
14501 			     struct cfg80211_nan_func *func,
14502 			     bool tx)
14503 {
14504 	struct nlattr *attr;
14505 	int n_entries, rem, i;
14506 	struct cfg80211_nan_func_filter *filter;
14507 
14508 	n_entries = validate_nan_filter(attr_filter);
14509 	if (n_entries < 0)
14510 		return n_entries;
14511 
14512 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14513 
14514 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14515 	if (!filter)
14516 		return -ENOMEM;
14517 
14518 	i = 0;
14519 	nla_for_each_nested(attr, attr_filter, rem) {
14520 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14521 		if (!filter[i].filter)
14522 			goto err;
14523 
14524 		filter[i].len = nla_len(attr);
14525 		i++;
14526 	}
14527 	if (tx) {
14528 		func->num_tx_filters = n_entries;
14529 		func->tx_filters = filter;
14530 	} else {
14531 		func->num_rx_filters = n_entries;
14532 		func->rx_filters = filter;
14533 	}
14534 
14535 	return 0;
14536 
14537 err:
14538 	i = 0;
14539 	nla_for_each_nested(attr, attr_filter, rem) {
14540 		kfree(filter[i].filter);
14541 		i++;
14542 	}
14543 	kfree(filter);
14544 	return -ENOMEM;
14545 }
14546 
14547 static int nl80211_nan_add_func(struct sk_buff *skb,
14548 				struct genl_info *info)
14549 {
14550 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14551 	struct wireless_dev *wdev = info->user_ptr[1];
14552 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14553 	struct cfg80211_nan_func *func;
14554 	struct sk_buff *msg = NULL;
14555 	void *hdr = NULL;
14556 	int err = 0;
14557 
14558 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14559 		return -EOPNOTSUPP;
14560 
14561 	if (!wdev_running(wdev))
14562 		return -ENOTCONN;
14563 
14564 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14565 		return -EINVAL;
14566 
14567 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14568 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14569 					  nl80211_nan_func_policy,
14570 					  info->extack);
14571 	if (err)
14572 		return err;
14573 
14574 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14575 	if (!func)
14576 		return -ENOMEM;
14577 
14578 	func->cookie = cfg80211_assign_cookie(rdev);
14579 
14580 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14581 		err = -EINVAL;
14582 		goto out;
14583 	}
14584 
14585 
14586 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14587 
14588 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14589 		err = -EINVAL;
14590 		goto out;
14591 	}
14592 
14593 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14594 	       sizeof(func->service_id));
14595 
14596 	func->close_range =
14597 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14598 
14599 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14600 		func->serv_spec_info_len =
14601 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14602 		func->serv_spec_info =
14603 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14604 				func->serv_spec_info_len,
14605 				GFP_KERNEL);
14606 		if (!func->serv_spec_info) {
14607 			err = -ENOMEM;
14608 			goto out;
14609 		}
14610 	}
14611 
14612 	if (tb[NL80211_NAN_FUNC_TTL])
14613 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14614 
14615 	switch (func->type) {
14616 	case NL80211_NAN_FUNC_PUBLISH:
14617 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14618 			err = -EINVAL;
14619 			goto out;
14620 		}
14621 
14622 		func->publish_type =
14623 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14624 		func->publish_bcast =
14625 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14626 
14627 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14628 			func->publish_bcast) {
14629 			err = -EINVAL;
14630 			goto out;
14631 		}
14632 		break;
14633 	case NL80211_NAN_FUNC_SUBSCRIBE:
14634 		func->subscribe_active =
14635 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14636 		break;
14637 	case NL80211_NAN_FUNC_FOLLOW_UP:
14638 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14639 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14640 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14641 			err = -EINVAL;
14642 			goto out;
14643 		}
14644 
14645 		func->followup_id =
14646 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14647 		func->followup_reqid =
14648 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14649 		memcpy(func->followup_dest.addr,
14650 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14651 		       sizeof(func->followup_dest.addr));
14652 		if (func->ttl) {
14653 			err = -EINVAL;
14654 			goto out;
14655 		}
14656 		break;
14657 	default:
14658 		err = -EINVAL;
14659 		goto out;
14660 	}
14661 
14662 	if (tb[NL80211_NAN_FUNC_SRF]) {
14663 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14664 
14665 		err = nla_parse_nested_deprecated(srf_tb,
14666 						  NL80211_NAN_SRF_ATTR_MAX,
14667 						  tb[NL80211_NAN_FUNC_SRF],
14668 						  nl80211_nan_srf_policy,
14669 						  info->extack);
14670 		if (err)
14671 			goto out;
14672 
14673 		func->srf_include =
14674 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14675 
14676 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14677 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14678 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14679 				err = -EINVAL;
14680 				goto out;
14681 			}
14682 
14683 			func->srf_bf_len =
14684 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14685 			func->srf_bf =
14686 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14687 					func->srf_bf_len, GFP_KERNEL);
14688 			if (!func->srf_bf) {
14689 				err = -ENOMEM;
14690 				goto out;
14691 			}
14692 
14693 			func->srf_bf_idx =
14694 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14695 		} else {
14696 			struct nlattr *attr, *mac_attr =
14697 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14698 			int n_entries, rem, i = 0;
14699 
14700 			if (!mac_attr) {
14701 				err = -EINVAL;
14702 				goto out;
14703 			}
14704 
14705 			n_entries = validate_acl_mac_addrs(mac_attr);
14706 			if (n_entries <= 0) {
14707 				err = -EINVAL;
14708 				goto out;
14709 			}
14710 
14711 			func->srf_num_macs = n_entries;
14712 			func->srf_macs =
14713 				kcalloc(n_entries, sizeof(*func->srf_macs),
14714 					GFP_KERNEL);
14715 			if (!func->srf_macs) {
14716 				err = -ENOMEM;
14717 				goto out;
14718 			}
14719 
14720 			nla_for_each_nested(attr, mac_attr, rem)
14721 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14722 				       sizeof(*func->srf_macs));
14723 		}
14724 	}
14725 
14726 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14727 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14728 					func, true);
14729 		if (err)
14730 			goto out;
14731 	}
14732 
14733 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14734 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14735 					func, false);
14736 		if (err)
14737 			goto out;
14738 	}
14739 
14740 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14741 	if (!msg) {
14742 		err = -ENOMEM;
14743 		goto out;
14744 	}
14745 
14746 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14747 			     NL80211_CMD_ADD_NAN_FUNCTION);
14748 	/* This can't really happen - we just allocated 4KB */
14749 	if (WARN_ON(!hdr)) {
14750 		err = -ENOMEM;
14751 		goto out;
14752 	}
14753 
14754 	err = rdev_add_nan_func(rdev, wdev, func);
14755 out:
14756 	if (err < 0) {
14757 		cfg80211_free_nan_func(func);
14758 		nlmsg_free(msg);
14759 		return err;
14760 	}
14761 
14762 	/* propagate the instance id and cookie to userspace  */
14763 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14764 			      NL80211_ATTR_PAD))
14765 		goto nla_put_failure;
14766 
14767 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14768 	if (!func_attr)
14769 		goto nla_put_failure;
14770 
14771 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14772 		       func->instance_id))
14773 		goto nla_put_failure;
14774 
14775 	nla_nest_end(msg, func_attr);
14776 
14777 	genlmsg_end(msg, hdr);
14778 	return genlmsg_reply(msg, info);
14779 
14780 nla_put_failure:
14781 	nlmsg_free(msg);
14782 	return -ENOBUFS;
14783 }
14784 
14785 static int nl80211_nan_del_func(struct sk_buff *skb,
14786 			       struct genl_info *info)
14787 {
14788 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14789 	struct wireless_dev *wdev = info->user_ptr[1];
14790 	u64 cookie;
14791 
14792 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14793 		return -EOPNOTSUPP;
14794 
14795 	if (!wdev_running(wdev))
14796 		return -ENOTCONN;
14797 
14798 	if (!info->attrs[NL80211_ATTR_COOKIE])
14799 		return -EINVAL;
14800 
14801 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14802 
14803 	rdev_del_nan_func(rdev, wdev, cookie);
14804 
14805 	return 0;
14806 }
14807 
14808 static int nl80211_nan_change_config(struct sk_buff *skb,
14809 				     struct genl_info *info)
14810 {
14811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14812 	struct wireless_dev *wdev = info->user_ptr[1];
14813 	struct cfg80211_nan_conf conf = {};
14814 	u32 changed = 0;
14815 
14816 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14817 		return -EOPNOTSUPP;
14818 
14819 	if (!wdev_running(wdev))
14820 		return -ENOTCONN;
14821 
14822 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14823 		conf.master_pref =
14824 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14825 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14826 			return -EINVAL;
14827 
14828 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14829 	}
14830 
14831 	if (info->attrs[NL80211_ATTR_BANDS]) {
14832 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14833 
14834 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14835 			return -EOPNOTSUPP;
14836 
14837 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14838 			return -EINVAL;
14839 
14840 		conf.bands = bands;
14841 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14842 	}
14843 
14844 	if (!changed)
14845 		return -EINVAL;
14846 
14847 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14848 }
14849 
14850 void cfg80211_nan_match(struct wireless_dev *wdev,
14851 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14852 {
14853 	struct wiphy *wiphy = wdev->wiphy;
14854 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14855 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14856 	struct sk_buff *msg;
14857 	void *hdr;
14858 
14859 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14860 		return;
14861 
14862 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14863 	if (!msg)
14864 		return;
14865 
14866 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14867 	if (!hdr) {
14868 		nlmsg_free(msg);
14869 		return;
14870 	}
14871 
14872 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14873 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14874 					 wdev->netdev->ifindex)) ||
14875 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14876 			      NL80211_ATTR_PAD))
14877 		goto nla_put_failure;
14878 
14879 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14880 			      NL80211_ATTR_PAD) ||
14881 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14882 		goto nla_put_failure;
14883 
14884 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14885 	if (!match_attr)
14886 		goto nla_put_failure;
14887 
14888 	local_func_attr = nla_nest_start_noflag(msg,
14889 						NL80211_NAN_MATCH_FUNC_LOCAL);
14890 	if (!local_func_attr)
14891 		goto nla_put_failure;
14892 
14893 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14894 		goto nla_put_failure;
14895 
14896 	nla_nest_end(msg, local_func_attr);
14897 
14898 	peer_func_attr = nla_nest_start_noflag(msg,
14899 					       NL80211_NAN_MATCH_FUNC_PEER);
14900 	if (!peer_func_attr)
14901 		goto nla_put_failure;
14902 
14903 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14904 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14905 		goto nla_put_failure;
14906 
14907 	if (match->info && match->info_len &&
14908 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14909 		    match->info))
14910 		goto nla_put_failure;
14911 
14912 	nla_nest_end(msg, peer_func_attr);
14913 	nla_nest_end(msg, match_attr);
14914 	genlmsg_end(msg, hdr);
14915 
14916 	if (!wdev->owner_nlportid)
14917 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14918 					msg, 0, NL80211_MCGRP_NAN, gfp);
14919 	else
14920 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14921 				wdev->owner_nlportid);
14922 
14923 	return;
14924 
14925 nla_put_failure:
14926 	nlmsg_free(msg);
14927 }
14928 EXPORT_SYMBOL(cfg80211_nan_match);
14929 
14930 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14931 				  u8 inst_id,
14932 				  enum nl80211_nan_func_term_reason reason,
14933 				  u64 cookie, gfp_t gfp)
14934 {
14935 	struct wiphy *wiphy = wdev->wiphy;
14936 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14937 	struct sk_buff *msg;
14938 	struct nlattr *func_attr;
14939 	void *hdr;
14940 
14941 	if (WARN_ON(!inst_id))
14942 		return;
14943 
14944 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14945 	if (!msg)
14946 		return;
14947 
14948 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14949 	if (!hdr) {
14950 		nlmsg_free(msg);
14951 		return;
14952 	}
14953 
14954 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14955 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14956 					 wdev->netdev->ifindex)) ||
14957 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14958 			      NL80211_ATTR_PAD))
14959 		goto nla_put_failure;
14960 
14961 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14962 			      NL80211_ATTR_PAD))
14963 		goto nla_put_failure;
14964 
14965 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14966 	if (!func_attr)
14967 		goto nla_put_failure;
14968 
14969 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14970 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14971 		goto nla_put_failure;
14972 
14973 	nla_nest_end(msg, func_attr);
14974 	genlmsg_end(msg, hdr);
14975 
14976 	if (!wdev->owner_nlportid)
14977 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14978 					msg, 0, NL80211_MCGRP_NAN, gfp);
14979 	else
14980 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14981 				wdev->owner_nlportid);
14982 
14983 	return;
14984 
14985 nla_put_failure:
14986 	nlmsg_free(msg);
14987 }
14988 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14989 
14990 static int nl80211_get_protocol_features(struct sk_buff *skb,
14991 					 struct genl_info *info)
14992 {
14993 	void *hdr;
14994 	struct sk_buff *msg;
14995 
14996 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14997 	if (!msg)
14998 		return -ENOMEM;
14999 
15000 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15001 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15002 	if (!hdr)
15003 		goto nla_put_failure;
15004 
15005 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15006 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15007 		goto nla_put_failure;
15008 
15009 	genlmsg_end(msg, hdr);
15010 	return genlmsg_reply(msg, info);
15011 
15012  nla_put_failure:
15013 	kfree_skb(msg);
15014 	return -ENOBUFS;
15015 }
15016 
15017 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15018 {
15019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15020 	struct cfg80211_update_ft_ies_params ft_params;
15021 	struct net_device *dev = info->user_ptr[1];
15022 
15023 	if (!rdev->ops->update_ft_ies)
15024 		return -EOPNOTSUPP;
15025 
15026 	if (!info->attrs[NL80211_ATTR_MDID] ||
15027 	    !info->attrs[NL80211_ATTR_IE])
15028 		return -EINVAL;
15029 
15030 	memset(&ft_params, 0, sizeof(ft_params));
15031 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15032 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15033 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15034 
15035 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15036 }
15037 
15038 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15039 				       struct genl_info *info)
15040 {
15041 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15042 	struct wireless_dev *wdev = info->user_ptr[1];
15043 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15044 	u16 duration;
15045 	int ret;
15046 
15047 	if (!rdev->ops->crit_proto_start)
15048 		return -EOPNOTSUPP;
15049 
15050 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15051 		return -EINVAL;
15052 
15053 	if (rdev->crit_proto_nlportid)
15054 		return -EBUSY;
15055 
15056 	/* determine protocol if provided */
15057 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15058 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15059 
15060 	if (proto >= NUM_NL80211_CRIT_PROTO)
15061 		return -EINVAL;
15062 
15063 	/* timeout must be provided */
15064 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15065 		return -EINVAL;
15066 
15067 	duration =
15068 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15069 
15070 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15071 	if (!ret)
15072 		rdev->crit_proto_nlportid = info->snd_portid;
15073 
15074 	return ret;
15075 }
15076 
15077 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15078 				      struct genl_info *info)
15079 {
15080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15081 	struct wireless_dev *wdev = info->user_ptr[1];
15082 
15083 	if (!rdev->ops->crit_proto_stop)
15084 		return -EOPNOTSUPP;
15085 
15086 	if (rdev->crit_proto_nlportid) {
15087 		rdev->crit_proto_nlportid = 0;
15088 		rdev_crit_proto_stop(rdev, wdev);
15089 	}
15090 	return 0;
15091 }
15092 
15093 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15094 				       struct nlattr *attr,
15095 				       struct netlink_ext_ack *extack)
15096 {
15097 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15098 		if (attr->nla_type & NLA_F_NESTED) {
15099 			NL_SET_ERR_MSG_ATTR(extack, attr,
15100 					    "unexpected nested data");
15101 			return -EINVAL;
15102 		}
15103 
15104 		return 0;
15105 	}
15106 
15107 	if (!(attr->nla_type & NLA_F_NESTED)) {
15108 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15109 		return -EINVAL;
15110 	}
15111 
15112 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15113 }
15114 
15115 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15116 {
15117 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15118 	struct wireless_dev *wdev =
15119 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15120 					   info->attrs);
15121 	int i, err;
15122 	u32 vid, subcmd;
15123 
15124 	if (!rdev->wiphy.vendor_commands)
15125 		return -EOPNOTSUPP;
15126 
15127 	if (IS_ERR(wdev)) {
15128 		err = PTR_ERR(wdev);
15129 		if (err != -EINVAL)
15130 			return err;
15131 		wdev = NULL;
15132 	} else if (wdev->wiphy != &rdev->wiphy) {
15133 		return -EINVAL;
15134 	}
15135 
15136 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15137 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15138 		return -EINVAL;
15139 
15140 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15141 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15142 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15143 		const struct wiphy_vendor_command *vcmd;
15144 		void *data = NULL;
15145 		int len = 0;
15146 
15147 		vcmd = &rdev->wiphy.vendor_commands[i];
15148 
15149 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15150 			continue;
15151 
15152 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15153 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15154 			if (!wdev)
15155 				return -EINVAL;
15156 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15157 			    !wdev->netdev)
15158 				return -EINVAL;
15159 
15160 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15161 				if (!wdev_running(wdev))
15162 					return -ENETDOWN;
15163 			}
15164 		} else {
15165 			wdev = NULL;
15166 		}
15167 
15168 		if (!vcmd->doit)
15169 			return -EOPNOTSUPP;
15170 
15171 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15172 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15173 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15174 
15175 			err = nl80211_vendor_check_policy(vcmd,
15176 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15177 					info->extack);
15178 			if (err)
15179 				return err;
15180 		}
15181 
15182 		rdev->cur_cmd_info = info;
15183 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15184 		rdev->cur_cmd_info = NULL;
15185 		return err;
15186 	}
15187 
15188 	return -EOPNOTSUPP;
15189 }
15190 
15191 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15192 				       struct netlink_callback *cb,
15193 				       struct cfg80211_registered_device **rdev,
15194 				       struct wireless_dev **wdev)
15195 {
15196 	struct nlattr **attrbuf;
15197 	u32 vid, subcmd;
15198 	unsigned int i;
15199 	int vcmd_idx = -1;
15200 	int err;
15201 	void *data = NULL;
15202 	unsigned int data_len = 0;
15203 
15204 	if (cb->args[0]) {
15205 		/* subtract the 1 again here */
15206 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15207 		struct wireless_dev *tmp;
15208 
15209 		if (!wiphy)
15210 			return -ENODEV;
15211 		*rdev = wiphy_to_rdev(wiphy);
15212 		*wdev = NULL;
15213 
15214 		if (cb->args[1]) {
15215 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15216 				if (tmp->identifier == cb->args[1] - 1) {
15217 					*wdev = tmp;
15218 					break;
15219 				}
15220 			}
15221 		}
15222 
15223 		/* keep rtnl locked in successful case */
15224 		return 0;
15225 	}
15226 
15227 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15228 	if (!attrbuf)
15229 		return -ENOMEM;
15230 
15231 	err = nlmsg_parse_deprecated(cb->nlh,
15232 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15233 				     attrbuf, nl80211_fam.maxattr,
15234 				     nl80211_policy, NULL);
15235 	if (err)
15236 		goto out;
15237 
15238 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15239 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15240 		err = -EINVAL;
15241 		goto out;
15242 	}
15243 
15244 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15245 	if (IS_ERR(*wdev))
15246 		*wdev = NULL;
15247 
15248 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15249 	if (IS_ERR(*rdev)) {
15250 		err = PTR_ERR(*rdev);
15251 		goto out;
15252 	}
15253 
15254 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15255 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15256 
15257 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15258 		const struct wiphy_vendor_command *vcmd;
15259 
15260 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15261 
15262 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15263 			continue;
15264 
15265 		if (!vcmd->dumpit) {
15266 			err = -EOPNOTSUPP;
15267 			goto out;
15268 		}
15269 
15270 		vcmd_idx = i;
15271 		break;
15272 	}
15273 
15274 	if (vcmd_idx < 0) {
15275 		err = -EOPNOTSUPP;
15276 		goto out;
15277 	}
15278 
15279 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15280 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15281 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15282 
15283 		err = nl80211_vendor_check_policy(
15284 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15285 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15286 				cb->extack);
15287 		if (err)
15288 			goto out;
15289 	}
15290 
15291 	/* 0 is the first index - add 1 to parse only once */
15292 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15293 	/* add 1 to know if it was NULL */
15294 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15295 	cb->args[2] = vcmd_idx;
15296 	cb->args[3] = (unsigned long)data;
15297 	cb->args[4] = data_len;
15298 
15299 	/* keep rtnl locked in successful case */
15300 	err = 0;
15301 out:
15302 	kfree(attrbuf);
15303 	return err;
15304 }
15305 
15306 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15307 				   struct netlink_callback *cb)
15308 {
15309 	struct cfg80211_registered_device *rdev;
15310 	struct wireless_dev *wdev;
15311 	unsigned int vcmd_idx;
15312 	const struct wiphy_vendor_command *vcmd;
15313 	void *data;
15314 	int data_len;
15315 	int err;
15316 	struct nlattr *vendor_data;
15317 
15318 	rtnl_lock();
15319 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15320 	if (err)
15321 		goto out;
15322 
15323 	vcmd_idx = cb->args[2];
15324 	data = (void *)cb->args[3];
15325 	data_len = cb->args[4];
15326 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15327 
15328 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15329 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15330 		if (!wdev) {
15331 			err = -EINVAL;
15332 			goto out;
15333 		}
15334 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15335 		    !wdev->netdev) {
15336 			err = -EINVAL;
15337 			goto out;
15338 		}
15339 
15340 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15341 			if (!wdev_running(wdev)) {
15342 				err = -ENETDOWN;
15343 				goto out;
15344 			}
15345 		}
15346 	}
15347 
15348 	while (1) {
15349 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15350 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15351 					   NL80211_CMD_VENDOR);
15352 		if (!hdr)
15353 			break;
15354 
15355 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15356 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15357 					       wdev_id(wdev),
15358 					       NL80211_ATTR_PAD))) {
15359 			genlmsg_cancel(skb, hdr);
15360 			break;
15361 		}
15362 
15363 		vendor_data = nla_nest_start_noflag(skb,
15364 						    NL80211_ATTR_VENDOR_DATA);
15365 		if (!vendor_data) {
15366 			genlmsg_cancel(skb, hdr);
15367 			break;
15368 		}
15369 
15370 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15371 				   (unsigned long *)&cb->args[5]);
15372 		nla_nest_end(skb, vendor_data);
15373 
15374 		if (err == -ENOBUFS || err == -ENOENT) {
15375 			genlmsg_cancel(skb, hdr);
15376 			break;
15377 		} else if (err <= 0) {
15378 			genlmsg_cancel(skb, hdr);
15379 			goto out;
15380 		}
15381 
15382 		genlmsg_end(skb, hdr);
15383 	}
15384 
15385 	err = skb->len;
15386  out:
15387 	rtnl_unlock();
15388 	return err;
15389 }
15390 
15391 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15392 					   enum nl80211_commands cmd,
15393 					   enum nl80211_attrs attr,
15394 					   int approxlen)
15395 {
15396 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15397 
15398 	if (WARN_ON(!rdev->cur_cmd_info))
15399 		return NULL;
15400 
15401 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15402 					   rdev->cur_cmd_info->snd_portid,
15403 					   rdev->cur_cmd_info->snd_seq,
15404 					   cmd, attr, NULL, GFP_KERNEL);
15405 }
15406 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15407 
15408 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15409 {
15410 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15411 	void *hdr = ((void **)skb->cb)[1];
15412 	struct nlattr *data = ((void **)skb->cb)[2];
15413 
15414 	/* clear CB data for netlink core to own from now on */
15415 	memset(skb->cb, 0, sizeof(skb->cb));
15416 
15417 	if (WARN_ON(!rdev->cur_cmd_info)) {
15418 		kfree_skb(skb);
15419 		return -EINVAL;
15420 	}
15421 
15422 	nla_nest_end(skb, data);
15423 	genlmsg_end(skb, hdr);
15424 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15425 }
15426 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15427 
15428 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15429 {
15430 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15431 
15432 	if (WARN_ON(!rdev->cur_cmd_info))
15433 		return 0;
15434 
15435 	return rdev->cur_cmd_info->snd_portid;
15436 }
15437 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15438 
15439 static int nl80211_set_qos_map(struct sk_buff *skb,
15440 			       struct genl_info *info)
15441 {
15442 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15443 	struct cfg80211_qos_map *qos_map = NULL;
15444 	struct net_device *dev = info->user_ptr[1];
15445 	u8 *pos, len, num_des, des_len, des;
15446 	int ret;
15447 
15448 	if (!rdev->ops->set_qos_map)
15449 		return -EOPNOTSUPP;
15450 
15451 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15452 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15453 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15454 
15455 		if (len % 2)
15456 			return -EINVAL;
15457 
15458 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15459 		if (!qos_map)
15460 			return -ENOMEM;
15461 
15462 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15463 		if (num_des) {
15464 			des_len = num_des *
15465 				sizeof(struct cfg80211_dscp_exception);
15466 			memcpy(qos_map->dscp_exception, pos, des_len);
15467 			qos_map->num_des = num_des;
15468 			for (des = 0; des < num_des; des++) {
15469 				if (qos_map->dscp_exception[des].up > 7) {
15470 					kfree(qos_map);
15471 					return -EINVAL;
15472 				}
15473 			}
15474 			pos += des_len;
15475 		}
15476 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15477 	}
15478 
15479 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15480 	if (!ret)
15481 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15482 
15483 	kfree(qos_map);
15484 	return ret;
15485 }
15486 
15487 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15488 {
15489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15490 	struct net_device *dev = info->user_ptr[1];
15491 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15492 	const u8 *peer;
15493 	u8 tsid, up;
15494 	u16 admitted_time = 0;
15495 
15496 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15497 		return -EOPNOTSUPP;
15498 
15499 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15500 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15501 		return -EINVAL;
15502 
15503 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15504 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15505 
15506 	/* WMM uses TIDs 0-7 even for TSPEC */
15507 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15508 		/* TODO: handle 802.11 TSPEC/admission control
15509 		 * need more attributes for that (e.g. BA session requirement);
15510 		 * change the WMM admission test above to allow both then
15511 		 */
15512 		return -EINVAL;
15513 	}
15514 
15515 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15516 
15517 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15518 		admitted_time =
15519 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15520 		if (!admitted_time)
15521 			return -EINVAL;
15522 	}
15523 
15524 	switch (wdev->iftype) {
15525 	case NL80211_IFTYPE_STATION:
15526 	case NL80211_IFTYPE_P2P_CLIENT:
15527 		if (wdev->connected)
15528 			break;
15529 		return -ENOTCONN;
15530 	default:
15531 		return -EOPNOTSUPP;
15532 	}
15533 
15534 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15535 }
15536 
15537 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15538 {
15539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15540 	struct net_device *dev = info->user_ptr[1];
15541 	const u8 *peer;
15542 	u8 tsid;
15543 
15544 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15545 		return -EINVAL;
15546 
15547 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15548 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15549 
15550 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15551 }
15552 
15553 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15554 				       struct genl_info *info)
15555 {
15556 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15557 	struct net_device *dev = info->user_ptr[1];
15558 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15559 	struct cfg80211_chan_def chandef = {};
15560 	const u8 *addr;
15561 	u8 oper_class;
15562 	int err;
15563 
15564 	if (!rdev->ops->tdls_channel_switch ||
15565 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15566 		return -EOPNOTSUPP;
15567 
15568 	switch (dev->ieee80211_ptr->iftype) {
15569 	case NL80211_IFTYPE_STATION:
15570 	case NL80211_IFTYPE_P2P_CLIENT:
15571 		break;
15572 	default:
15573 		return -EOPNOTSUPP;
15574 	}
15575 
15576 	if (!info->attrs[NL80211_ATTR_MAC] ||
15577 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15578 		return -EINVAL;
15579 
15580 	err = nl80211_parse_chandef(rdev, info, &chandef);
15581 	if (err)
15582 		return err;
15583 
15584 	/*
15585 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15586 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15587 	 * specification is not defined for them.
15588 	 */
15589 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15590 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15591 	    chandef.width != NL80211_CHAN_WIDTH_20)
15592 		return -EINVAL;
15593 
15594 	/* we will be active on the TDLS link */
15595 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15596 					   wdev->iftype))
15597 		return -EINVAL;
15598 
15599 	/* don't allow switching to DFS channels */
15600 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15601 		return -EINVAL;
15602 
15603 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15604 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15605 
15606 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15607 }
15608 
15609 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15610 					      struct genl_info *info)
15611 {
15612 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15613 	struct net_device *dev = info->user_ptr[1];
15614 	const u8 *addr;
15615 
15616 	if (!rdev->ops->tdls_channel_switch ||
15617 	    !rdev->ops->tdls_cancel_channel_switch ||
15618 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15619 		return -EOPNOTSUPP;
15620 
15621 	switch (dev->ieee80211_ptr->iftype) {
15622 	case NL80211_IFTYPE_STATION:
15623 	case NL80211_IFTYPE_P2P_CLIENT:
15624 		break;
15625 	default:
15626 		return -EOPNOTSUPP;
15627 	}
15628 
15629 	if (!info->attrs[NL80211_ATTR_MAC])
15630 		return -EINVAL;
15631 
15632 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15633 
15634 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15635 
15636 	return 0;
15637 }
15638 
15639 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15640 					    struct genl_info *info)
15641 {
15642 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15643 	struct net_device *dev = info->user_ptr[1];
15644 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15645 	const struct nlattr *nla;
15646 	bool enabled;
15647 
15648 	if (!rdev->ops->set_multicast_to_unicast)
15649 		return -EOPNOTSUPP;
15650 
15651 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15652 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15653 		return -EOPNOTSUPP;
15654 
15655 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15656 	enabled = nla_get_flag(nla);
15657 
15658 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15659 }
15660 
15661 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15662 {
15663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15664 	struct net_device *dev = info->user_ptr[1];
15665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15666 	struct cfg80211_pmk_conf pmk_conf = {};
15667 
15668 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15669 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15670 		return -EOPNOTSUPP;
15671 
15672 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15673 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15674 		return -EOPNOTSUPP;
15675 
15676 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15677 		return -EINVAL;
15678 
15679 	if (!wdev->connected)
15680 		return -ENOTCONN;
15681 
15682 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15683 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15684 		return -EINVAL;
15685 
15686 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15687 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15688 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15689 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15690 		return -EINVAL;
15691 
15692 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15693 		pmk_conf.pmk_r0_name =
15694 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15695 
15696 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15697 }
15698 
15699 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15700 {
15701 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15702 	struct net_device *dev = info->user_ptr[1];
15703 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15704 	const u8 *aa;
15705 
15706 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15707 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15708 		return -EOPNOTSUPP;
15709 
15710 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15711 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15712 		return -EOPNOTSUPP;
15713 
15714 	if (!info->attrs[NL80211_ATTR_MAC])
15715 		return -EINVAL;
15716 
15717 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15718 	return rdev_del_pmk(rdev, dev, aa);
15719 }
15720 
15721 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15722 {
15723 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15724 	struct net_device *dev = info->user_ptr[1];
15725 	struct cfg80211_external_auth_params params;
15726 
15727 	if (!rdev->ops->external_auth)
15728 		return -EOPNOTSUPP;
15729 
15730 	if (!info->attrs[NL80211_ATTR_SSID] &&
15731 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15732 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15733 		return -EINVAL;
15734 
15735 	if (!info->attrs[NL80211_ATTR_BSSID])
15736 		return -EINVAL;
15737 
15738 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15739 		return -EINVAL;
15740 
15741 	memset(&params, 0, sizeof(params));
15742 
15743 	if (info->attrs[NL80211_ATTR_SSID]) {
15744 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15745 		if (params.ssid.ssid_len == 0)
15746 			return -EINVAL;
15747 		memcpy(params.ssid.ssid,
15748 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15749 		       params.ssid.ssid_len);
15750 	}
15751 
15752 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15753 	       ETH_ALEN);
15754 
15755 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15756 
15757 	if (info->attrs[NL80211_ATTR_PMKID])
15758 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15759 
15760 	return rdev_external_auth(rdev, dev, &params);
15761 }
15762 
15763 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15764 {
15765 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15767 	struct net_device *dev = info->user_ptr[1];
15768 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15769 	const u8 *buf;
15770 	size_t len;
15771 	u8 *dest;
15772 	u16 proto;
15773 	bool noencrypt;
15774 	u64 cookie = 0;
15775 	int link_id;
15776 	int err;
15777 
15778 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15779 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15780 		return -EOPNOTSUPP;
15781 
15782 	if (!rdev->ops->tx_control_port)
15783 		return -EOPNOTSUPP;
15784 
15785 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15786 	    !info->attrs[NL80211_ATTR_MAC] ||
15787 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15788 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15789 		return -EINVAL;
15790 	}
15791 
15792 	switch (wdev->iftype) {
15793 	case NL80211_IFTYPE_AP:
15794 	case NL80211_IFTYPE_P2P_GO:
15795 	case NL80211_IFTYPE_MESH_POINT:
15796 		break;
15797 	case NL80211_IFTYPE_ADHOC:
15798 		if (wdev->u.ibss.current_bss)
15799 			break;
15800 		return -ENOTCONN;
15801 	case NL80211_IFTYPE_STATION:
15802 	case NL80211_IFTYPE_P2P_CLIENT:
15803 		if (wdev->connected)
15804 			break;
15805 		return -ENOTCONN;
15806 	default:
15807 		return -EOPNOTSUPP;
15808 	}
15809 
15810 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15811 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15812 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15813 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15814 	noencrypt =
15815 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15816 
15817 	link_id = nl80211_link_id_or_invalid(info->attrs);
15818 
15819 	err = rdev_tx_control_port(rdev, dev, buf, len,
15820 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15821 				   dont_wait_for_ack ? NULL : &cookie);
15822 	if (!err && !dont_wait_for_ack)
15823 		nl_set_extack_cookie_u64(info->extack, cookie);
15824 	return err;
15825 }
15826 
15827 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15828 					   struct genl_info *info)
15829 {
15830 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15831 	struct net_device *dev = info->user_ptr[1];
15832 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15833 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15834 	unsigned int link_id = nl80211_link_id(info->attrs);
15835 	struct sk_buff *msg;
15836 	void *hdr;
15837 	struct nlattr *ftm_stats_attr;
15838 	int err;
15839 
15840 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15841 	    !wdev->links[link_id].ap.beacon_interval)
15842 		return -EOPNOTSUPP;
15843 
15844 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15845 	if (err)
15846 		return err;
15847 
15848 	if (!ftm_stats.filled)
15849 		return -ENODATA;
15850 
15851 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15852 	if (!msg)
15853 		return -ENOMEM;
15854 
15855 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15856 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15857 	if (!hdr)
15858 		goto nla_put_failure;
15859 
15860 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15861 		goto nla_put_failure;
15862 
15863 	ftm_stats_attr = nla_nest_start_noflag(msg,
15864 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15865 	if (!ftm_stats_attr)
15866 		goto nla_put_failure;
15867 
15868 #define SET_FTM(field, name, type)					 \
15869 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15870 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15871 			     ftm_stats.field))				 \
15872 		goto nla_put_failure; } while (0)
15873 #define SET_FTM_U64(field, name)					 \
15874 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15875 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15876 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15877 		goto nla_put_failure; } while (0)
15878 
15879 	SET_FTM(success_num, SUCCESS_NUM, u32);
15880 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15881 	SET_FTM(failed_num, FAILED_NUM, u32);
15882 	SET_FTM(asap_num, ASAP_NUM, u32);
15883 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15884 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15885 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15886 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15887 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15888 #undef SET_FTM
15889 
15890 	nla_nest_end(msg, ftm_stats_attr);
15891 
15892 	genlmsg_end(msg, hdr);
15893 	return genlmsg_reply(msg, info);
15894 
15895 nla_put_failure:
15896 	nlmsg_free(msg);
15897 	return -ENOBUFS;
15898 }
15899 
15900 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15901 {
15902 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15903 	struct cfg80211_update_owe_info owe_info;
15904 	struct net_device *dev = info->user_ptr[1];
15905 
15906 	if (!rdev->ops->update_owe_info)
15907 		return -EOPNOTSUPP;
15908 
15909 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15910 	    !info->attrs[NL80211_ATTR_MAC])
15911 		return -EINVAL;
15912 
15913 	memset(&owe_info, 0, sizeof(owe_info));
15914 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15915 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15916 
15917 	if (info->attrs[NL80211_ATTR_IE]) {
15918 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15919 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15920 	}
15921 
15922 	return rdev_update_owe_info(rdev, dev, &owe_info);
15923 }
15924 
15925 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15926 {
15927 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15928 	struct net_device *dev = info->user_ptr[1];
15929 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15930 	struct station_info sinfo = {};
15931 	const u8 *buf;
15932 	size_t len;
15933 	u8 *dest;
15934 	int err;
15935 
15936 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15937 		return -EOPNOTSUPP;
15938 
15939 	if (!info->attrs[NL80211_ATTR_MAC] ||
15940 	    !info->attrs[NL80211_ATTR_FRAME]) {
15941 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15942 		return -EINVAL;
15943 	}
15944 
15945 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15946 		return -EOPNOTSUPP;
15947 
15948 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15949 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15950 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15951 
15952 	if (len < sizeof(struct ethhdr))
15953 		return -EINVAL;
15954 
15955 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15956 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15957 		return -EINVAL;
15958 
15959 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15960 	if (err)
15961 		return err;
15962 
15963 	cfg80211_sinfo_release_content(&sinfo);
15964 
15965 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15966 }
15967 
15968 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15969 			  struct nlattr *attrs[], struct net_device *dev,
15970 			  struct cfg80211_tid_cfg *tid_conf,
15971 			  struct genl_info *info, const u8 *peer,
15972 			  unsigned int link_id)
15973 {
15974 	struct netlink_ext_ack *extack = info->extack;
15975 	u64 mask;
15976 	int err;
15977 
15978 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15979 		return -EINVAL;
15980 
15981 	tid_conf->config_override =
15982 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15983 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15984 
15985 	if (tid_conf->config_override) {
15986 		if (rdev->ops->reset_tid_config) {
15987 			err = rdev_reset_tid_config(rdev, dev, peer,
15988 						    tid_conf->tids);
15989 			if (err)
15990 				return err;
15991 		} else {
15992 			return -EINVAL;
15993 		}
15994 	}
15995 
15996 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15997 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15998 		tid_conf->noack =
15999 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16000 	}
16001 
16002 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16003 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16004 		tid_conf->retry_short =
16005 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16006 
16007 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16008 			return -EINVAL;
16009 	}
16010 
16011 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16012 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16013 		tid_conf->retry_long =
16014 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16015 
16016 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16017 			return -EINVAL;
16018 	}
16019 
16020 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16021 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16022 		tid_conf->ampdu =
16023 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16024 	}
16025 
16026 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16027 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16028 		tid_conf->rtscts =
16029 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16030 	}
16031 
16032 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16033 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16034 		tid_conf->amsdu =
16035 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16036 	}
16037 
16038 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16039 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16040 
16041 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16042 
16043 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16044 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16045 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16046 						    &tid_conf->txrate_mask, dev,
16047 						    true, link_id);
16048 			if (err)
16049 				return err;
16050 
16051 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16052 		}
16053 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16054 	}
16055 
16056 	if (peer)
16057 		mask = rdev->wiphy.tid_config_support.peer;
16058 	else
16059 		mask = rdev->wiphy.tid_config_support.vif;
16060 
16061 	if (tid_conf->mask & ~mask) {
16062 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16063 		return -EOPNOTSUPP;
16064 	}
16065 
16066 	return 0;
16067 }
16068 
16069 static int nl80211_set_tid_config(struct sk_buff *skb,
16070 				  struct genl_info *info)
16071 {
16072 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16073 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16074 	unsigned int link_id = nl80211_link_id(info->attrs);
16075 	struct net_device *dev = info->user_ptr[1];
16076 	struct cfg80211_tid_config *tid_config;
16077 	struct nlattr *tid;
16078 	int conf_idx = 0, rem_conf;
16079 	int ret = -EINVAL;
16080 	u32 num_conf = 0;
16081 
16082 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16083 		return -EINVAL;
16084 
16085 	if (!rdev->ops->set_tid_config)
16086 		return -EOPNOTSUPP;
16087 
16088 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16089 			    rem_conf)
16090 		num_conf++;
16091 
16092 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16093 			     GFP_KERNEL);
16094 	if (!tid_config)
16095 		return -ENOMEM;
16096 
16097 	tid_config->n_tid_conf = num_conf;
16098 
16099 	if (info->attrs[NL80211_ATTR_MAC])
16100 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16101 
16102 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16103 			    rem_conf) {
16104 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16105 				       tid, NULL, NULL);
16106 
16107 		if (ret)
16108 			goto bad_tid_conf;
16109 
16110 		ret = parse_tid_conf(rdev, attrs, dev,
16111 				     &tid_config->tid_conf[conf_idx],
16112 				     info, tid_config->peer, link_id);
16113 		if (ret)
16114 			goto bad_tid_conf;
16115 
16116 		conf_idx++;
16117 	}
16118 
16119 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16120 
16121 bad_tid_conf:
16122 	kfree(tid_config);
16123 	return ret;
16124 }
16125 
16126 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16127 {
16128 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16129 	struct cfg80211_color_change_settings params = {};
16130 	struct net_device *dev = info->user_ptr[1];
16131 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16132 	struct nlattr **tb;
16133 	u16 offset;
16134 	int err;
16135 
16136 	if (!rdev->ops->color_change)
16137 		return -EOPNOTSUPP;
16138 
16139 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16140 				     NL80211_EXT_FEATURE_BSS_COLOR))
16141 		return -EOPNOTSUPP;
16142 
16143 	if (wdev->iftype != NL80211_IFTYPE_AP)
16144 		return -EOPNOTSUPP;
16145 
16146 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16147 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16148 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16149 		return -EINVAL;
16150 
16151 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16152 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16153 
16154 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16155 				   info->extack);
16156 	if (err)
16157 		return err;
16158 
16159 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16160 	if (!tb)
16161 		return -ENOMEM;
16162 
16163 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16164 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16165 			       nl80211_policy, info->extack);
16166 	if (err)
16167 		goto out;
16168 
16169 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16170 				   info->extack);
16171 	if (err)
16172 		goto out;
16173 
16174 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16175 		err = -EINVAL;
16176 		goto out;
16177 	}
16178 
16179 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16180 		err = -EINVAL;
16181 		goto out;
16182 	}
16183 
16184 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16185 	if (offset >= params.beacon_color_change.tail_len) {
16186 		err = -EINVAL;
16187 		goto out;
16188 	}
16189 
16190 	if (params.beacon_color_change.tail[offset] != params.count) {
16191 		err = -EINVAL;
16192 		goto out;
16193 	}
16194 
16195 	params.counter_offset_beacon = offset;
16196 
16197 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16198 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16199 		    sizeof(u16)) {
16200 			err = -EINVAL;
16201 			goto out;
16202 		}
16203 
16204 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16205 		if (offset >= params.beacon_color_change.probe_resp_len) {
16206 			err = -EINVAL;
16207 			goto out;
16208 		}
16209 
16210 		if (params.beacon_color_change.probe_resp[offset] !=
16211 		    params.count) {
16212 			err = -EINVAL;
16213 			goto out;
16214 		}
16215 
16216 		params.counter_offset_presp = offset;
16217 	}
16218 
16219 	params.link_id = nl80211_link_id(info->attrs);
16220 	err = rdev_color_change(rdev, dev, &params);
16221 
16222 out:
16223 	kfree(params.beacon_next.mbssid_ies);
16224 	kfree(params.beacon_color_change.mbssid_ies);
16225 	kfree(params.beacon_next.rnr_ies);
16226 	kfree(params.beacon_color_change.rnr_ies);
16227 	kfree(tb);
16228 	return err;
16229 }
16230 
16231 static int nl80211_set_fils_aad(struct sk_buff *skb,
16232 				struct genl_info *info)
16233 {
16234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16235 	struct net_device *dev = info->user_ptr[1];
16236 	struct cfg80211_fils_aad fils_aad = {};
16237 	u8 *nonces;
16238 
16239 	if (!info->attrs[NL80211_ATTR_MAC] ||
16240 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16241 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16242 		return -EINVAL;
16243 
16244 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16245 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16246 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16247 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16248 	fils_aad.snonce = nonces;
16249 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16250 
16251 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16252 }
16253 
16254 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16255 {
16256 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16257 	unsigned int link_id = nl80211_link_id(info->attrs);
16258 	struct net_device *dev = info->user_ptr[1];
16259 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16260 	int ret;
16261 
16262 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16263 		return -EINVAL;
16264 
16265 	switch (wdev->iftype) {
16266 	case NL80211_IFTYPE_AP:
16267 		break;
16268 	default:
16269 		return -EINVAL;
16270 	}
16271 
16272 	if (!info->attrs[NL80211_ATTR_MAC] ||
16273 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16274 		return -EINVAL;
16275 
16276 	wdev->valid_links |= BIT(link_id);
16277 	ether_addr_copy(wdev->links[link_id].addr,
16278 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16279 
16280 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16281 	if (ret) {
16282 		wdev->valid_links &= ~BIT(link_id);
16283 		eth_zero_addr(wdev->links[link_id].addr);
16284 	}
16285 
16286 	return ret;
16287 }
16288 
16289 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16290 {
16291 	unsigned int link_id = nl80211_link_id(info->attrs);
16292 	struct net_device *dev = info->user_ptr[1];
16293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16294 
16295 	/* cannot remove if there's no link */
16296 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16297 		return -EINVAL;
16298 
16299 	switch (wdev->iftype) {
16300 	case NL80211_IFTYPE_AP:
16301 		break;
16302 	default:
16303 		return -EINVAL;
16304 	}
16305 
16306 	cfg80211_remove_link(wdev, link_id);
16307 
16308 	return 0;
16309 }
16310 
16311 static int
16312 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16313 			     bool add)
16314 {
16315 	struct link_station_parameters params = {};
16316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16317 	struct net_device *dev = info->user_ptr[1];
16318 	int err;
16319 
16320 	if ((add && !rdev->ops->add_link_station) ||
16321 	    (!add && !rdev->ops->mod_link_station))
16322 		return -EOPNOTSUPP;
16323 
16324 	if (add && !info->attrs[NL80211_ATTR_MAC])
16325 		return -EINVAL;
16326 
16327 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16328 		return -EINVAL;
16329 
16330 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16331 		return -EINVAL;
16332 
16333 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16334 
16335 	if (info->attrs[NL80211_ATTR_MAC]) {
16336 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16337 		if (!is_valid_ether_addr(params.link_mac))
16338 			return -EINVAL;
16339 	}
16340 
16341 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16342 		return -EINVAL;
16343 
16344 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16345 
16346 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16347 		params.supported_rates =
16348 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16349 		params.supported_rates_len =
16350 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16351 	}
16352 
16353 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16354 		params.ht_capa =
16355 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16356 
16357 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16358 		params.vht_capa =
16359 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16360 
16361 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16362 		params.he_capa =
16363 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16364 		params.he_capa_len =
16365 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16366 
16367 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16368 			params.eht_capa =
16369 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16370 			params.eht_capa_len =
16371 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16372 
16373 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16374 							(const u8 *)params.eht_capa,
16375 							params.eht_capa_len,
16376 							false))
16377 				return -EINVAL;
16378 		}
16379 	}
16380 
16381 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16382 		params.he_6ghz_capa =
16383 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16384 
16385 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16386 		params.opmode_notif_used = true;
16387 		params.opmode_notif =
16388 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16389 	}
16390 
16391 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16392 						&params.txpwr_set);
16393 	if (err)
16394 		return err;
16395 
16396 	if (add)
16397 		return rdev_add_link_station(rdev, dev, &params);
16398 
16399 	return rdev_mod_link_station(rdev, dev, &params);
16400 }
16401 
16402 static int
16403 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16404 {
16405 	return nl80211_add_mod_link_station(skb, info, true);
16406 }
16407 
16408 static int
16409 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16410 {
16411 	return nl80211_add_mod_link_station(skb, info, false);
16412 }
16413 
16414 static int
16415 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16416 {
16417 	struct link_station_del_parameters params = {};
16418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16419 	struct net_device *dev = info->user_ptr[1];
16420 
16421 	if (!rdev->ops->del_link_station)
16422 		return -EOPNOTSUPP;
16423 
16424 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16425 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16426 		return -EINVAL;
16427 
16428 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16429 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16430 
16431 	return rdev_del_link_station(rdev, dev, &params);
16432 }
16433 
16434 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16435 				    struct genl_info *info)
16436 {
16437 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16438 	struct net_device *dev = info->user_ptr[1];
16439 	struct cfg80211_set_hw_timestamp hwts = {};
16440 
16441 	if (!rdev->wiphy.hw_timestamp_max_peers)
16442 		return -EOPNOTSUPP;
16443 
16444 	if (!info->attrs[NL80211_ATTR_MAC] &&
16445 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16446 		return -EOPNOTSUPP;
16447 
16448 	if (info->attrs[NL80211_ATTR_MAC])
16449 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16450 
16451 	hwts.enable =
16452 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16453 
16454 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16455 }
16456 
16457 static int
16458 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16459 {
16460 	struct cfg80211_ttlm_params params = {};
16461 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16462 	struct net_device *dev = info->user_ptr[1];
16463 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16464 
16465 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16466 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16467 		return -EOPNOTSUPP;
16468 
16469 	if (!wdev->connected)
16470 		return -ENOLINK;
16471 
16472 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16473 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16474 		return -EINVAL;
16475 
16476 	nla_memcpy(params.dlink,
16477 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16478 		   sizeof(params.dlink));
16479 	nla_memcpy(params.ulink,
16480 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16481 		   sizeof(params.ulink));
16482 
16483 	return rdev_set_ttlm(rdev, dev, &params);
16484 }
16485 
16486 static int nl80211_assoc_ml_reconf(struct sk_buff *skb, struct genl_info *info)
16487 {
16488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16489 	struct net_device *dev = info->user_ptr[1];
16490 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16491 	struct cfg80211_assoc_link links[IEEE80211_MLD_MAX_NUM_LINKS] = {};
16492 	unsigned int link_id;
16493 	u16 add_links, rem_links;
16494 	int err;
16495 
16496 	if (!wdev->valid_links)
16497 		return -EINVAL;
16498 
16499 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
16500 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
16501 		return -EPERM;
16502 
16503 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
16504 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
16505 		return -EOPNOTSUPP;
16506 
16507 	add_links = 0;
16508 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
16509 		err = nl80211_process_links(rdev, links, NULL, 0, info);
16510 		if (err)
16511 			return err;
16512 
16513 		for (link_id = 0; link_id < IEEE80211_MLD_MAX_NUM_LINKS;
16514 		     link_id++) {
16515 			if (!links[link_id].bss)
16516 				continue;
16517 			add_links |= BIT(link_id);
16518 		}
16519 	}
16520 
16521 	if (info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS])
16522 		rem_links =
16523 			nla_get_u16(info->attrs[NL80211_ATTR_MLO_RECONF_REM_LINKS]);
16524 	else
16525 		rem_links = 0;
16526 
16527 	/* Validate that existing links are not added, removed links are valid
16528 	 * and don't allow adding and removing the same links
16529 	 */
16530 	if ((add_links & rem_links) || !(add_links | rem_links) ||
16531 	    (wdev->valid_links & add_links) ||
16532 	    ((wdev->valid_links & rem_links) != rem_links)) {
16533 		err = -EINVAL;
16534 		goto out;
16535 	}
16536 
16537 	err = cfg80211_assoc_ml_reconf(rdev, dev, links, rem_links);
16538 
16539 out:
16540 	for (link_id = 0; link_id < ARRAY_SIZE(links); link_id++)
16541 		cfg80211_put_bss(&rdev->wiphy, links[link_id].bss);
16542 
16543 	return err;
16544 }
16545 
16546 static int
16547 nl80211_epcs_cfg(struct sk_buff *skb, struct genl_info *info)
16548 {
16549 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16550 	struct net_device *dev = info->user_ptr[1];
16551 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16552 	bool val;
16553 
16554 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16555 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16556 		return -EOPNOTSUPP;
16557 
16558 	if (!wdev->connected)
16559 		return -ENOLINK;
16560 
16561 	val = nla_get_flag(info->attrs[NL80211_ATTR_EPCS]);
16562 
16563 	return rdev_set_epcs(rdev, dev, val);
16564 }
16565 
16566 #define NL80211_FLAG_NEED_WIPHY		0x01
16567 #define NL80211_FLAG_NEED_NETDEV	0x02
16568 #define NL80211_FLAG_NEED_RTNL		0x04
16569 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16570 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16571 					 NL80211_FLAG_CHECK_NETDEV_UP)
16572 #define NL80211_FLAG_NEED_WDEV		0x10
16573 /* If a netdev is associated, it must be UP, P2P must be started */
16574 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16575 					 NL80211_FLAG_CHECK_NETDEV_UP)
16576 #define NL80211_FLAG_CLEAR_SKB		0x20
16577 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16578 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16579 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16580 
16581 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16582 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16583 	SELECTOR(__sel, WIPHY,				\
16584 		 NL80211_FLAG_NEED_WIPHY)		\
16585 	SELECTOR(__sel, WDEV,				\
16586 		 NL80211_FLAG_NEED_WDEV)		\
16587 	SELECTOR(__sel, NETDEV,				\
16588 		 NL80211_FLAG_NEED_NETDEV)		\
16589 	SELECTOR(__sel, NETDEV_LINK,			\
16590 		 NL80211_FLAG_NEED_NETDEV |		\
16591 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16592 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16593 		 NL80211_FLAG_NEED_NETDEV |		\
16594 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16595 	SELECTOR(__sel, WIPHY_RTNL,			\
16596 		 NL80211_FLAG_NEED_WIPHY |		\
16597 		 NL80211_FLAG_NEED_RTNL)		\
16598 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16599 		 NL80211_FLAG_NEED_WIPHY |		\
16600 		 NL80211_FLAG_NEED_RTNL |		\
16601 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16602 	SELECTOR(__sel, WDEV_RTNL,			\
16603 		 NL80211_FLAG_NEED_WDEV |		\
16604 		 NL80211_FLAG_NEED_RTNL)		\
16605 	SELECTOR(__sel, NETDEV_RTNL,			\
16606 		 NL80211_FLAG_NEED_NETDEV |		\
16607 		 NL80211_FLAG_NEED_RTNL)		\
16608 	SELECTOR(__sel, NETDEV_UP,			\
16609 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16610 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16611 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16612 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16613 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16614 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16615 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16616 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16617 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16618 		 NL80211_FLAG_CLEAR_SKB |		\
16619 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16620 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16621 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16622 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16623 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
16624 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16625 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16626 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16627 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16628 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16629 		 NL80211_FLAG_CLEAR_SKB)		\
16630 	SELECTOR(__sel, WDEV_UP,			\
16631 		 NL80211_FLAG_NEED_WDEV_UP)		\
16632 	SELECTOR(__sel, WDEV_UP_LINK,			\
16633 		 NL80211_FLAG_NEED_WDEV_UP |		\
16634 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16635 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16636 		 NL80211_FLAG_NEED_WDEV_UP |		\
16637 		 NL80211_FLAG_NEED_RTNL)		\
16638 	SELECTOR(__sel, WIPHY_CLEAR,			\
16639 		 NL80211_FLAG_NEED_WIPHY |		\
16640 		 NL80211_FLAG_CLEAR_SKB)
16641 
16642 enum nl80211_internal_flags_selector {
16643 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16644 	INTERNAL_FLAG_SELECTORS(_)
16645 #undef SELECTOR
16646 };
16647 
16648 static u32 nl80211_internal_flags[] = {
16649 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16650 	INTERNAL_FLAG_SELECTORS(_)
16651 #undef SELECTOR
16652 };
16653 
16654 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16655 			    struct sk_buff *skb,
16656 			    struct genl_info *info)
16657 {
16658 	struct cfg80211_registered_device *rdev = NULL;
16659 	struct wireless_dev *wdev = NULL;
16660 	struct net_device *dev = NULL;
16661 	u32 internal_flags;
16662 	int err;
16663 
16664 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16665 		return -EINVAL;
16666 
16667 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16668 
16669 	rtnl_lock();
16670 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16671 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16672 		if (IS_ERR(rdev)) {
16673 			err = PTR_ERR(rdev);
16674 			goto out_unlock;
16675 		}
16676 		info->user_ptr[0] = rdev;
16677 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16678 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16679 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16680 						  info->attrs);
16681 		if (IS_ERR(wdev)) {
16682 			err = PTR_ERR(wdev);
16683 			goto out_unlock;
16684 		}
16685 
16686 		dev = wdev->netdev;
16687 		dev_hold(dev);
16688 		rdev = wiphy_to_rdev(wdev->wiphy);
16689 
16690 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16691 			if (!dev) {
16692 				err = -EINVAL;
16693 				goto out_unlock;
16694 			}
16695 
16696 			info->user_ptr[1] = dev;
16697 		} else {
16698 			info->user_ptr[1] = wdev;
16699 		}
16700 
16701 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16702 		    !wdev_running(wdev)) {
16703 			err = -ENETDOWN;
16704 			goto out_unlock;
16705 		}
16706 
16707 		info->user_ptr[0] = rdev;
16708 	}
16709 
16710 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16711 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16712 
16713 		if (!wdev) {
16714 			err = -EINVAL;
16715 			goto out_unlock;
16716 		}
16717 
16718 		/* MLO -> require valid link ID */
16719 		if (wdev->valid_links &&
16720 		    (!link_id ||
16721 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16722 			err = -EINVAL;
16723 			goto out_unlock;
16724 		}
16725 
16726 		/* non-MLO -> no link ID attribute accepted */
16727 		if (!wdev->valid_links && link_id) {
16728 			err = -EINVAL;
16729 			goto out_unlock;
16730 		}
16731 	}
16732 
16733 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16734 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16735 		    (wdev && wdev->valid_links)) {
16736 			err = -EINVAL;
16737 			goto out_unlock;
16738 		}
16739 	}
16740 
16741 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16742 		wiphy_lock(&rdev->wiphy);
16743 		/* we keep the mutex locked until post_doit */
16744 		__release(&rdev->wiphy.mtx);
16745 	}
16746 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16747 		rtnl_unlock();
16748 
16749 	return 0;
16750 out_unlock:
16751 	rtnl_unlock();
16752 	dev_put(dev);
16753 	return err;
16754 }
16755 
16756 static void nl80211_post_doit(const struct genl_split_ops *ops,
16757 			      struct sk_buff *skb,
16758 			      struct genl_info *info)
16759 {
16760 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16761 
16762 	if (info->user_ptr[1]) {
16763 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16764 			struct wireless_dev *wdev = info->user_ptr[1];
16765 
16766 			dev_put(wdev->netdev);
16767 		} else {
16768 			dev_put(info->user_ptr[1]);
16769 		}
16770 	}
16771 
16772 	if (info->user_ptr[0] &&
16773 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16774 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16775 
16776 		/* we kept the mutex locked since pre_doit */
16777 		__acquire(&rdev->wiphy.mtx);
16778 		wiphy_unlock(&rdev->wiphy);
16779 	}
16780 
16781 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16782 		rtnl_unlock();
16783 
16784 	/* If needed, clear the netlink message payload from the SKB
16785 	 * as it might contain key data that shouldn't stick around on
16786 	 * the heap after the SKB is freed. The netlink message header
16787 	 * is still needed for further processing, so leave it intact.
16788 	 */
16789 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16790 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16791 
16792 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16793 	}
16794 }
16795 
16796 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16797 				     struct cfg80211_sar_specs *sar_specs,
16798 				     struct nlattr *spec[], int index)
16799 {
16800 	u32 range_index, i;
16801 
16802 	if (!sar_specs || !spec)
16803 		return -EINVAL;
16804 
16805 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16806 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16807 		return -EINVAL;
16808 
16809 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16810 
16811 	/* check if range_index exceeds num_freq_ranges */
16812 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16813 		return -EINVAL;
16814 
16815 	/* check if range_index duplicates */
16816 	for (i = 0; i < index; i++) {
16817 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16818 			return -EINVAL;
16819 	}
16820 
16821 	sar_specs->sub_specs[index].power =
16822 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16823 
16824 	sar_specs->sub_specs[index].freq_range_index = range_index;
16825 
16826 	return 0;
16827 }
16828 
16829 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16830 {
16831 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16832 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16833 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16834 	struct cfg80211_sar_specs *sar_spec;
16835 	enum nl80211_sar_type type;
16836 	struct nlattr *spec_list;
16837 	u32 specs;
16838 	int rem, err;
16839 
16840 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16841 		return -EOPNOTSUPP;
16842 
16843 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16844 		return -EINVAL;
16845 
16846 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16847 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16848 			 NULL, NULL);
16849 
16850 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16851 		return -EINVAL;
16852 
16853 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16854 	if (type != rdev->wiphy.sar_capa->type)
16855 		return -EINVAL;
16856 
16857 	specs = 0;
16858 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16859 		specs++;
16860 
16861 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16862 		return -EINVAL;
16863 
16864 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16865 	if (!sar_spec)
16866 		return -ENOMEM;
16867 
16868 	sar_spec->type = type;
16869 	specs = 0;
16870 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16871 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16872 				 spec_list, NULL, NULL);
16873 
16874 		switch (type) {
16875 		case NL80211_SAR_TYPE_POWER:
16876 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16877 						      spec, specs)) {
16878 				err = -EINVAL;
16879 				goto error;
16880 			}
16881 			break;
16882 		default:
16883 			err = -EINVAL;
16884 			goto error;
16885 		}
16886 		specs++;
16887 	}
16888 
16889 	sar_spec->num_sub_specs = specs;
16890 
16891 	rdev->cur_cmd_info = info;
16892 	err = rdev_set_sar_specs(rdev, sar_spec);
16893 	rdev->cur_cmd_info = NULL;
16894 error:
16895 	kfree(sar_spec);
16896 	return err;
16897 }
16898 
16899 #define SELECTOR(__sel, name, value) \
16900 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16901 int __missing_selector(void);
16902 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16903 
16904 static const struct genl_ops nl80211_ops[] = {
16905 	{
16906 		.cmd = NL80211_CMD_GET_WIPHY,
16907 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16908 		.doit = nl80211_get_wiphy,
16909 		.dumpit = nl80211_dump_wiphy,
16910 		.done = nl80211_dump_wiphy_done,
16911 		/* can be retrieved by unprivileged users */
16912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16913 	},
16914 };
16915 
16916 static const struct genl_small_ops nl80211_small_ops[] = {
16917 	{
16918 		.cmd = NL80211_CMD_SET_WIPHY,
16919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16920 		.doit = nl80211_set_wiphy,
16921 		.flags = GENL_UNS_ADMIN_PERM,
16922 	},
16923 	{
16924 		.cmd = NL80211_CMD_GET_INTERFACE,
16925 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16926 		.doit = nl80211_get_interface,
16927 		.dumpit = nl80211_dump_interface,
16928 		/* can be retrieved by unprivileged users */
16929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16930 	},
16931 	{
16932 		.cmd = NL80211_CMD_SET_INTERFACE,
16933 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16934 		.doit = nl80211_set_interface,
16935 		.flags = GENL_UNS_ADMIN_PERM,
16936 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16937 					 NL80211_FLAG_NEED_RTNL),
16938 	},
16939 	{
16940 		.cmd = NL80211_CMD_NEW_INTERFACE,
16941 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16942 		.doit = nl80211_new_interface,
16943 		.flags = GENL_UNS_ADMIN_PERM,
16944 		.internal_flags =
16945 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16946 			       NL80211_FLAG_NEED_RTNL |
16947 			       /* we take the wiphy mutex later ourselves */
16948 			       NL80211_FLAG_NO_WIPHY_MTX),
16949 	},
16950 	{
16951 		.cmd = NL80211_CMD_DEL_INTERFACE,
16952 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16953 		.doit = nl80211_del_interface,
16954 		.flags = GENL_UNS_ADMIN_PERM,
16955 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16956 					 NL80211_FLAG_NEED_RTNL),
16957 	},
16958 	{
16959 		.cmd = NL80211_CMD_GET_KEY,
16960 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16961 		.doit = nl80211_get_key,
16962 		.flags = GENL_UNS_ADMIN_PERM,
16963 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16964 	},
16965 	{
16966 		.cmd = NL80211_CMD_SET_KEY,
16967 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16968 		.doit = nl80211_set_key,
16969 		.flags = GENL_UNS_ADMIN_PERM,
16970 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16971 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16972 					 NL80211_FLAG_CLEAR_SKB),
16973 	},
16974 	{
16975 		.cmd = NL80211_CMD_NEW_KEY,
16976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16977 		.doit = nl80211_new_key,
16978 		.flags = GENL_UNS_ADMIN_PERM,
16979 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16980 					 NL80211_FLAG_CLEAR_SKB),
16981 	},
16982 	{
16983 		.cmd = NL80211_CMD_DEL_KEY,
16984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16985 		.doit = nl80211_del_key,
16986 		.flags = GENL_UNS_ADMIN_PERM,
16987 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16988 	},
16989 	{
16990 		.cmd = NL80211_CMD_SET_BEACON,
16991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16992 		.flags = GENL_UNS_ADMIN_PERM,
16993 		.doit = nl80211_set_beacon,
16994 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16995 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16996 	},
16997 	{
16998 		.cmd = NL80211_CMD_START_AP,
16999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17000 		.flags = GENL_UNS_ADMIN_PERM,
17001 		.doit = nl80211_start_ap,
17002 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17003 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17004 	},
17005 	{
17006 		.cmd = NL80211_CMD_STOP_AP,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.flags = GENL_UNS_ADMIN_PERM,
17009 		.doit = nl80211_stop_ap,
17010 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17011 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17012 	},
17013 	{
17014 		.cmd = NL80211_CMD_GET_STATION,
17015 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17016 		.doit = nl80211_get_station,
17017 		.dumpit = nl80211_dump_station,
17018 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17019 	},
17020 	{
17021 		.cmd = NL80211_CMD_SET_STATION,
17022 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17023 		.doit = nl80211_set_station,
17024 		.flags = GENL_UNS_ADMIN_PERM,
17025 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17026 	},
17027 	{
17028 		.cmd = NL80211_CMD_NEW_STATION,
17029 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17030 		.doit = nl80211_new_station,
17031 		.flags = GENL_UNS_ADMIN_PERM,
17032 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17033 	},
17034 	{
17035 		.cmd = NL80211_CMD_DEL_STATION,
17036 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17037 		.doit = nl80211_del_station,
17038 		.flags = GENL_UNS_ADMIN_PERM,
17039 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
17040 		 * whether MAC address is passed or not. If MAC address is
17041 		 * passed, then even during MLO, link ID is not required.
17042 		 */
17043 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17044 	},
17045 	{
17046 		.cmd = NL80211_CMD_GET_MPATH,
17047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17048 		.doit = nl80211_get_mpath,
17049 		.dumpit = nl80211_dump_mpath,
17050 		.flags = GENL_UNS_ADMIN_PERM,
17051 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17052 	},
17053 	{
17054 		.cmd = NL80211_CMD_GET_MPP,
17055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17056 		.doit = nl80211_get_mpp,
17057 		.dumpit = nl80211_dump_mpp,
17058 		.flags = GENL_UNS_ADMIN_PERM,
17059 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17060 	},
17061 	{
17062 		.cmd = NL80211_CMD_SET_MPATH,
17063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17064 		.doit = nl80211_set_mpath,
17065 		.flags = GENL_UNS_ADMIN_PERM,
17066 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17067 	},
17068 	{
17069 		.cmd = NL80211_CMD_NEW_MPATH,
17070 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17071 		.doit = nl80211_new_mpath,
17072 		.flags = GENL_UNS_ADMIN_PERM,
17073 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17074 	},
17075 	{
17076 		.cmd = NL80211_CMD_DEL_MPATH,
17077 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17078 		.doit = nl80211_del_mpath,
17079 		.flags = GENL_UNS_ADMIN_PERM,
17080 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17081 	},
17082 	{
17083 		.cmd = NL80211_CMD_SET_BSS,
17084 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17085 		.doit = nl80211_set_bss,
17086 		.flags = GENL_UNS_ADMIN_PERM,
17087 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17088 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17089 	},
17090 	{
17091 		.cmd = NL80211_CMD_GET_REG,
17092 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17093 		.doit = nl80211_get_reg_do,
17094 		.dumpit = nl80211_get_reg_dump,
17095 		/* can be retrieved by unprivileged users */
17096 	},
17097 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17098 	{
17099 		.cmd = NL80211_CMD_SET_REG,
17100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17101 		.doit = nl80211_set_reg,
17102 		.flags = GENL_ADMIN_PERM,
17103 	},
17104 #endif
17105 	{
17106 		.cmd = NL80211_CMD_REQ_SET_REG,
17107 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17108 		.doit = nl80211_req_set_reg,
17109 		.flags = GENL_ADMIN_PERM,
17110 	},
17111 	{
17112 		.cmd = NL80211_CMD_RELOAD_REGDB,
17113 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17114 		.doit = nl80211_reload_regdb,
17115 		.flags = GENL_ADMIN_PERM,
17116 	},
17117 	{
17118 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17120 		.doit = nl80211_get_mesh_config,
17121 		/* can be retrieved by unprivileged users */
17122 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17123 	},
17124 	{
17125 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17126 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17127 		.doit = nl80211_update_mesh_config,
17128 		.flags = GENL_UNS_ADMIN_PERM,
17129 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17130 	},
17131 	{
17132 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17133 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17134 		.doit = nl80211_trigger_scan,
17135 		.flags = GENL_UNS_ADMIN_PERM,
17136 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17137 	},
17138 	{
17139 		.cmd = NL80211_CMD_ABORT_SCAN,
17140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17141 		.doit = nl80211_abort_scan,
17142 		.flags = GENL_UNS_ADMIN_PERM,
17143 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17144 	},
17145 	{
17146 		.cmd = NL80211_CMD_GET_SCAN,
17147 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17148 		.dumpit = nl80211_dump_scan,
17149 	},
17150 	{
17151 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17152 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17153 		.doit = nl80211_start_sched_scan,
17154 		.flags = GENL_UNS_ADMIN_PERM,
17155 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17156 	},
17157 	{
17158 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17159 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17160 		.doit = nl80211_stop_sched_scan,
17161 		.flags = GENL_UNS_ADMIN_PERM,
17162 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17163 	},
17164 	{
17165 		.cmd = NL80211_CMD_AUTHENTICATE,
17166 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17167 		.doit = nl80211_authenticate,
17168 		.flags = GENL_UNS_ADMIN_PERM,
17169 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17170 					 NL80211_FLAG_CLEAR_SKB),
17171 	},
17172 	{
17173 		.cmd = NL80211_CMD_ASSOCIATE,
17174 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17175 		.doit = nl80211_associate,
17176 		.flags = GENL_UNS_ADMIN_PERM,
17177 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17178 					 NL80211_FLAG_CLEAR_SKB),
17179 	},
17180 	{
17181 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17182 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17183 		.doit = nl80211_deauthenticate,
17184 		.flags = GENL_UNS_ADMIN_PERM,
17185 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17186 	},
17187 	{
17188 		.cmd = NL80211_CMD_DISASSOCIATE,
17189 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17190 		.doit = nl80211_disassociate,
17191 		.flags = GENL_UNS_ADMIN_PERM,
17192 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17193 	},
17194 	{
17195 		.cmd = NL80211_CMD_JOIN_IBSS,
17196 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17197 		.doit = nl80211_join_ibss,
17198 		.flags = GENL_UNS_ADMIN_PERM,
17199 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17200 	},
17201 	{
17202 		.cmd = NL80211_CMD_LEAVE_IBSS,
17203 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17204 		.doit = nl80211_leave_ibss,
17205 		.flags = GENL_UNS_ADMIN_PERM,
17206 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17207 	},
17208 #ifdef CONFIG_NL80211_TESTMODE
17209 	{
17210 		.cmd = NL80211_CMD_TESTMODE,
17211 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17212 		.doit = nl80211_testmode_do,
17213 		.dumpit = nl80211_testmode_dump,
17214 		.flags = GENL_UNS_ADMIN_PERM,
17215 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17216 	},
17217 #endif
17218 	{
17219 		.cmd = NL80211_CMD_CONNECT,
17220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17221 		.doit = nl80211_connect,
17222 		.flags = GENL_UNS_ADMIN_PERM,
17223 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17224 					 NL80211_FLAG_CLEAR_SKB),
17225 	},
17226 	{
17227 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17229 		.doit = nl80211_update_connect_params,
17230 		.flags = GENL_ADMIN_PERM,
17231 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17232 					 NL80211_FLAG_CLEAR_SKB),
17233 	},
17234 	{
17235 		.cmd = NL80211_CMD_DISCONNECT,
17236 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17237 		.doit = nl80211_disconnect,
17238 		.flags = GENL_UNS_ADMIN_PERM,
17239 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17240 	},
17241 	{
17242 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17243 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17244 		.doit = nl80211_wiphy_netns,
17245 		.flags = GENL_UNS_ADMIN_PERM,
17246 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17247 					 NL80211_FLAG_NEED_RTNL |
17248 					 NL80211_FLAG_NO_WIPHY_MTX),
17249 	},
17250 	{
17251 		.cmd = NL80211_CMD_GET_SURVEY,
17252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253 		.dumpit = nl80211_dump_survey,
17254 	},
17255 	{
17256 		.cmd = NL80211_CMD_SET_PMKSA,
17257 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17258 		.doit = nl80211_set_pmksa,
17259 		.flags = GENL_UNS_ADMIN_PERM,
17260 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17261 					 NL80211_FLAG_CLEAR_SKB),
17262 	},
17263 	{
17264 		.cmd = NL80211_CMD_DEL_PMKSA,
17265 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17266 		.doit = nl80211_del_pmksa,
17267 		.flags = GENL_UNS_ADMIN_PERM,
17268 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17269 	},
17270 	{
17271 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17272 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17273 		.doit = nl80211_flush_pmksa,
17274 		.flags = GENL_UNS_ADMIN_PERM,
17275 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17276 	},
17277 	{
17278 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17279 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17280 		.doit = nl80211_remain_on_channel,
17281 		.flags = GENL_UNS_ADMIN_PERM,
17282 		/* FIXME: requiring a link ID here is probably not good */
17283 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17284 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17285 	},
17286 	{
17287 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17289 		.doit = nl80211_cancel_remain_on_channel,
17290 		.flags = GENL_UNS_ADMIN_PERM,
17291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17292 	},
17293 	{
17294 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17295 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17296 		.doit = nl80211_set_tx_bitrate_mask,
17297 		.flags = GENL_UNS_ADMIN_PERM,
17298 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17299 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17300 	},
17301 	{
17302 		.cmd = NL80211_CMD_REGISTER_FRAME,
17303 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17304 		.doit = nl80211_register_mgmt,
17305 		.flags = GENL_UNS_ADMIN_PERM,
17306 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17307 	},
17308 	{
17309 		.cmd = NL80211_CMD_FRAME,
17310 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17311 		.doit = nl80211_tx_mgmt,
17312 		.flags = GENL_UNS_ADMIN_PERM,
17313 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17314 	},
17315 	{
17316 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17317 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17318 		.doit = nl80211_tx_mgmt_cancel_wait,
17319 		.flags = GENL_UNS_ADMIN_PERM,
17320 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17321 	},
17322 	{
17323 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17324 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17325 		.doit = nl80211_set_power_save,
17326 		.flags = GENL_UNS_ADMIN_PERM,
17327 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17328 	},
17329 	{
17330 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17331 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17332 		.doit = nl80211_get_power_save,
17333 		/* can be retrieved by unprivileged users */
17334 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17335 	},
17336 	{
17337 		.cmd = NL80211_CMD_SET_CQM,
17338 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17339 		.doit = nl80211_set_cqm,
17340 		.flags = GENL_UNS_ADMIN_PERM,
17341 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17342 	},
17343 	{
17344 		.cmd = NL80211_CMD_SET_CHANNEL,
17345 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17346 		.doit = nl80211_set_channel,
17347 		.flags = GENL_UNS_ADMIN_PERM,
17348 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17349 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17350 	},
17351 	{
17352 		.cmd = NL80211_CMD_JOIN_MESH,
17353 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17354 		.doit = nl80211_join_mesh,
17355 		.flags = GENL_UNS_ADMIN_PERM,
17356 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17357 	},
17358 	{
17359 		.cmd = NL80211_CMD_LEAVE_MESH,
17360 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17361 		.doit = nl80211_leave_mesh,
17362 		.flags = GENL_UNS_ADMIN_PERM,
17363 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17364 	},
17365 	{
17366 		.cmd = NL80211_CMD_JOIN_OCB,
17367 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17368 		.doit = nl80211_join_ocb,
17369 		.flags = GENL_UNS_ADMIN_PERM,
17370 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17371 	},
17372 	{
17373 		.cmd = NL80211_CMD_LEAVE_OCB,
17374 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17375 		.doit = nl80211_leave_ocb,
17376 		.flags = GENL_UNS_ADMIN_PERM,
17377 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17378 	},
17379 #ifdef CONFIG_PM
17380 	{
17381 		.cmd = NL80211_CMD_GET_WOWLAN,
17382 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17383 		.doit = nl80211_get_wowlan,
17384 		/* can be retrieved by unprivileged users */
17385 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17386 	},
17387 	{
17388 		.cmd = NL80211_CMD_SET_WOWLAN,
17389 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17390 		.doit = nl80211_set_wowlan,
17391 		.flags = GENL_UNS_ADMIN_PERM,
17392 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17393 	},
17394 #endif
17395 	{
17396 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17397 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17398 		.doit = nl80211_set_rekey_data,
17399 		.flags = GENL_UNS_ADMIN_PERM,
17400 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17401 					 NL80211_FLAG_CLEAR_SKB),
17402 	},
17403 	{
17404 		.cmd = NL80211_CMD_TDLS_MGMT,
17405 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17406 		.doit = nl80211_tdls_mgmt,
17407 		.flags = GENL_UNS_ADMIN_PERM,
17408 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17409 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17410 	},
17411 	{
17412 		.cmd = NL80211_CMD_TDLS_OPER,
17413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17414 		.doit = nl80211_tdls_oper,
17415 		.flags = GENL_UNS_ADMIN_PERM,
17416 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17417 	},
17418 	{
17419 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17421 		.doit = nl80211_register_unexpected_frame,
17422 		.flags = GENL_UNS_ADMIN_PERM,
17423 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17424 	},
17425 	{
17426 		.cmd = NL80211_CMD_PROBE_CLIENT,
17427 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17428 		.doit = nl80211_probe_client,
17429 		.flags = GENL_UNS_ADMIN_PERM,
17430 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17431 	},
17432 	{
17433 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17434 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17435 		.doit = nl80211_register_beacons,
17436 		.flags = GENL_UNS_ADMIN_PERM,
17437 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17438 	},
17439 	{
17440 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17441 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17442 		.doit = nl80211_set_noack_map,
17443 		.flags = GENL_UNS_ADMIN_PERM,
17444 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17445 	},
17446 	{
17447 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17449 		.doit = nl80211_start_p2p_device,
17450 		.flags = GENL_UNS_ADMIN_PERM,
17451 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17452 					 NL80211_FLAG_NEED_RTNL),
17453 	},
17454 	{
17455 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17456 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17457 		.doit = nl80211_stop_p2p_device,
17458 		.flags = GENL_UNS_ADMIN_PERM,
17459 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17460 					 NL80211_FLAG_NEED_RTNL),
17461 	},
17462 	{
17463 		.cmd = NL80211_CMD_START_NAN,
17464 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17465 		.doit = nl80211_start_nan,
17466 		.flags = GENL_ADMIN_PERM,
17467 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17468 					 NL80211_FLAG_NEED_RTNL),
17469 	},
17470 	{
17471 		.cmd = NL80211_CMD_STOP_NAN,
17472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17473 		.doit = nl80211_stop_nan,
17474 		.flags = GENL_ADMIN_PERM,
17475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17476 					 NL80211_FLAG_NEED_RTNL),
17477 	},
17478 	{
17479 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17480 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17481 		.doit = nl80211_nan_add_func,
17482 		.flags = GENL_ADMIN_PERM,
17483 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17484 	},
17485 	{
17486 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17487 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17488 		.doit = nl80211_nan_del_func,
17489 		.flags = GENL_ADMIN_PERM,
17490 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17491 	},
17492 	{
17493 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17495 		.doit = nl80211_nan_change_config,
17496 		.flags = GENL_ADMIN_PERM,
17497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17498 	},
17499 	{
17500 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17502 		.doit = nl80211_set_mcast_rate,
17503 		.flags = GENL_UNS_ADMIN_PERM,
17504 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17505 	},
17506 	{
17507 		.cmd = NL80211_CMD_SET_MAC_ACL,
17508 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17509 		.doit = nl80211_set_mac_acl,
17510 		.flags = GENL_UNS_ADMIN_PERM,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17512 					 NL80211_FLAG_MLO_UNSUPPORTED),
17513 	},
17514 	{
17515 		.cmd = NL80211_CMD_RADAR_DETECT,
17516 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17517 		.doit = nl80211_start_radar_detection,
17518 		.flags = GENL_UNS_ADMIN_PERM,
17519 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17520 					 NL80211_FLAG_NO_WIPHY_MTX |
17521 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17522 	},
17523 	{
17524 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17525 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17526 		.doit = nl80211_get_protocol_features,
17527 	},
17528 	{
17529 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17530 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17531 		.doit = nl80211_update_ft_ies,
17532 		.flags = GENL_UNS_ADMIN_PERM,
17533 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17534 	},
17535 	{
17536 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17537 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17538 		.doit = nl80211_crit_protocol_start,
17539 		.flags = GENL_UNS_ADMIN_PERM,
17540 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17541 	},
17542 	{
17543 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17544 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17545 		.doit = nl80211_crit_protocol_stop,
17546 		.flags = GENL_UNS_ADMIN_PERM,
17547 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17548 	},
17549 	{
17550 		.cmd = NL80211_CMD_GET_COALESCE,
17551 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17552 		.doit = nl80211_get_coalesce,
17553 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17554 	},
17555 	{
17556 		.cmd = NL80211_CMD_SET_COALESCE,
17557 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17558 		.doit = nl80211_set_coalesce,
17559 		.flags = GENL_UNS_ADMIN_PERM,
17560 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17561 	},
17562 	{
17563 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17564 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17565 		.doit = nl80211_channel_switch,
17566 		.flags = GENL_UNS_ADMIN_PERM,
17567 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17568 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17569 	},
17570 	{
17571 		.cmd = NL80211_CMD_VENDOR,
17572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17573 		.doit = nl80211_vendor_cmd,
17574 		.dumpit = nl80211_vendor_cmd_dump,
17575 		.flags = GENL_UNS_ADMIN_PERM,
17576 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17577 					 NL80211_FLAG_CLEAR_SKB),
17578 	},
17579 	{
17580 		.cmd = NL80211_CMD_SET_QOS_MAP,
17581 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17582 		.doit = nl80211_set_qos_map,
17583 		.flags = GENL_UNS_ADMIN_PERM,
17584 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17585 	},
17586 	{
17587 		.cmd = NL80211_CMD_ADD_TX_TS,
17588 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17589 		.doit = nl80211_add_tx_ts,
17590 		.flags = GENL_UNS_ADMIN_PERM,
17591 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17592 					 NL80211_FLAG_MLO_UNSUPPORTED),
17593 	},
17594 	{
17595 		.cmd = NL80211_CMD_DEL_TX_TS,
17596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17597 		.doit = nl80211_del_tx_ts,
17598 		.flags = GENL_UNS_ADMIN_PERM,
17599 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17600 	},
17601 	{
17602 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17603 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17604 		.doit = nl80211_tdls_channel_switch,
17605 		.flags = GENL_UNS_ADMIN_PERM,
17606 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17607 	},
17608 	{
17609 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17610 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17611 		.doit = nl80211_tdls_cancel_channel_switch,
17612 		.flags = GENL_UNS_ADMIN_PERM,
17613 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17614 	},
17615 	{
17616 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17617 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17618 		.doit = nl80211_set_multicast_to_unicast,
17619 		.flags = GENL_UNS_ADMIN_PERM,
17620 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17621 	},
17622 	{
17623 		.cmd = NL80211_CMD_SET_PMK,
17624 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17625 		.doit = nl80211_set_pmk,
17626 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17627 					 NL80211_FLAG_CLEAR_SKB),
17628 	},
17629 	{
17630 		.cmd = NL80211_CMD_DEL_PMK,
17631 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17632 		.doit = nl80211_del_pmk,
17633 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17634 	},
17635 	{
17636 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17637 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17638 		.doit = nl80211_external_auth,
17639 		.flags = GENL_ADMIN_PERM,
17640 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17641 	},
17642 	{
17643 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17644 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17645 		.doit = nl80211_tx_control_port,
17646 		.flags = GENL_UNS_ADMIN_PERM,
17647 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17648 	},
17649 	{
17650 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17652 		.doit = nl80211_get_ftm_responder_stats,
17653 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17654 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17655 	},
17656 	{
17657 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17659 		.doit = nl80211_pmsr_start,
17660 		.flags = GENL_UNS_ADMIN_PERM,
17661 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17662 	},
17663 	{
17664 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17666 		.doit = nl80211_notify_radar_detection,
17667 		.flags = GENL_UNS_ADMIN_PERM,
17668 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17669 	},
17670 	{
17671 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17672 		.doit = nl80211_update_owe_info,
17673 		.flags = GENL_ADMIN_PERM,
17674 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17675 	},
17676 	{
17677 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17678 		.doit = nl80211_probe_mesh_link,
17679 		.flags = GENL_UNS_ADMIN_PERM,
17680 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17681 	},
17682 	{
17683 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17684 		.doit = nl80211_set_tid_config,
17685 		.flags = GENL_UNS_ADMIN_PERM,
17686 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17687 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17688 	},
17689 	{
17690 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17691 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17692 		.doit = nl80211_set_sar_specs,
17693 		.flags = GENL_UNS_ADMIN_PERM,
17694 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17695 					 NL80211_FLAG_NEED_RTNL),
17696 	},
17697 	{
17698 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17700 		.doit = nl80211_color_change,
17701 		.flags = GENL_UNS_ADMIN_PERM,
17702 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17703 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17704 	},
17705 	{
17706 		.cmd = NL80211_CMD_SET_FILS_AAD,
17707 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17708 		.doit = nl80211_set_fils_aad,
17709 		.flags = GENL_UNS_ADMIN_PERM,
17710 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17711 	},
17712 	{
17713 		.cmd = NL80211_CMD_ADD_LINK,
17714 		.doit = nl80211_add_link,
17715 		.flags = GENL_UNS_ADMIN_PERM,
17716 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17717 	},
17718 	{
17719 		.cmd = NL80211_CMD_REMOVE_LINK,
17720 		.doit = nl80211_remove_link,
17721 		.flags = GENL_UNS_ADMIN_PERM,
17722 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17723 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17724 	},
17725 	{
17726 		.cmd = NL80211_CMD_ADD_LINK_STA,
17727 		.doit = nl80211_add_link_station,
17728 		.flags = GENL_UNS_ADMIN_PERM,
17729 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17730 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17731 	},
17732 	{
17733 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17734 		.doit = nl80211_modify_link_station,
17735 		.flags = GENL_UNS_ADMIN_PERM,
17736 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17737 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17738 	},
17739 	{
17740 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17741 		.doit = nl80211_remove_link_station,
17742 		.flags = GENL_UNS_ADMIN_PERM,
17743 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17744 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17745 	},
17746 	{
17747 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17748 		.doit = nl80211_set_hw_timestamp,
17749 		.flags = GENL_UNS_ADMIN_PERM,
17750 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17751 	},
17752 	{
17753 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17754 		.doit = nl80211_set_ttlm,
17755 		.flags = GENL_UNS_ADMIN_PERM,
17756 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17757 	},
17758 	{
17759 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
17760 		.doit = nl80211_assoc_ml_reconf,
17761 		.flags = GENL_UNS_ADMIN_PERM,
17762 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17763 	},
17764 	{
17765 		.cmd = NL80211_CMD_EPCS_CFG,
17766 		.doit = nl80211_epcs_cfg,
17767 		.flags = GENL_UNS_ADMIN_PERM,
17768 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17769 	},
17770 };
17771 
17772 static struct genl_family nl80211_fam __ro_after_init = {
17773 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17774 	.hdrsize = 0,			/* no private header */
17775 	.version = 1,			/* no particular meaning now */
17776 	.maxattr = NL80211_ATTR_MAX,
17777 	.policy = nl80211_policy,
17778 	.netnsok = true,
17779 	.pre_doit = nl80211_pre_doit,
17780 	.post_doit = nl80211_post_doit,
17781 	.module = THIS_MODULE,
17782 	.ops = nl80211_ops,
17783 	.n_ops = ARRAY_SIZE(nl80211_ops),
17784 	.small_ops = nl80211_small_ops,
17785 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17786 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17787 	.mcgrps = nl80211_mcgrps,
17788 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17789 	.parallel_ops = true,
17790 };
17791 
17792 /* notification functions */
17793 
17794 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17795 			  enum nl80211_commands cmd)
17796 {
17797 	struct sk_buff *msg;
17798 	struct nl80211_dump_wiphy_state state = {};
17799 
17800 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17801 		cmd != NL80211_CMD_DEL_WIPHY);
17802 
17803 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17804 	if (!msg)
17805 		return;
17806 
17807 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17808 		nlmsg_free(msg);
17809 		return;
17810 	}
17811 
17812 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17813 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17814 }
17815 
17816 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17817 				struct wireless_dev *wdev,
17818 				enum nl80211_commands cmd)
17819 {
17820 	struct sk_buff *msg;
17821 
17822 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17823 	if (!msg)
17824 		return;
17825 
17826 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17827 		nlmsg_free(msg);
17828 		return;
17829 	}
17830 
17831 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17832 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17833 }
17834 
17835 static int nl80211_add_scan_req(struct sk_buff *msg,
17836 				struct cfg80211_registered_device *rdev)
17837 {
17838 	struct cfg80211_scan_request *req = rdev->scan_req;
17839 	struct nlattr *nest;
17840 	int i;
17841 	struct cfg80211_scan_info *info;
17842 
17843 	if (WARN_ON(!req))
17844 		return 0;
17845 
17846 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17847 	if (!nest)
17848 		goto nla_put_failure;
17849 	for (i = 0; i < req->n_ssids; i++) {
17850 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17851 			goto nla_put_failure;
17852 	}
17853 	nla_nest_end(msg, nest);
17854 
17855 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17856 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17857 		if (!nest)
17858 			goto nla_put_failure;
17859 		for (i = 0; i < req->n_channels; i++) {
17860 			if (nla_put_u32(msg, i,
17861 				   ieee80211_channel_to_khz(req->channels[i])))
17862 				goto nla_put_failure;
17863 		}
17864 		nla_nest_end(msg, nest);
17865 	} else {
17866 		nest = nla_nest_start_noflag(msg,
17867 					     NL80211_ATTR_SCAN_FREQUENCIES);
17868 		if (!nest)
17869 			goto nla_put_failure;
17870 		for (i = 0; i < req->n_channels; i++) {
17871 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17872 				goto nla_put_failure;
17873 		}
17874 		nla_nest_end(msg, nest);
17875 	}
17876 
17877 	if (req->ie &&
17878 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17879 		goto nla_put_failure;
17880 
17881 	if (req->flags &&
17882 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17883 		goto nla_put_failure;
17884 
17885 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17886 		&rdev->scan_req->info;
17887 	if (info->scan_start_tsf &&
17888 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17889 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17890 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17891 		     info->tsf_bssid)))
17892 		goto nla_put_failure;
17893 
17894 	return 0;
17895  nla_put_failure:
17896 	return -ENOBUFS;
17897 }
17898 
17899 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17900 				 struct cfg80211_registered_device *rdev,
17901 				 struct wireless_dev *wdev,
17902 				 u32 portid, u32 seq, int flags,
17903 				 u32 cmd)
17904 {
17905 	void *hdr;
17906 
17907 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17908 	if (!hdr)
17909 		return -1;
17910 
17911 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17912 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17913 					 wdev->netdev->ifindex)) ||
17914 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17915 			      NL80211_ATTR_PAD))
17916 		goto nla_put_failure;
17917 
17918 	/* ignore errors and send incomplete event anyway */
17919 	nl80211_add_scan_req(msg, rdev);
17920 
17921 	genlmsg_end(msg, hdr);
17922 	return 0;
17923 
17924  nla_put_failure:
17925 	genlmsg_cancel(msg, hdr);
17926 	return -EMSGSIZE;
17927 }
17928 
17929 static int
17930 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17931 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17932 {
17933 	void *hdr;
17934 
17935 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17936 	if (!hdr)
17937 		return -1;
17938 
17939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17940 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17941 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17942 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17943 			      NL80211_ATTR_PAD))
17944 		goto nla_put_failure;
17945 
17946 	genlmsg_end(msg, hdr);
17947 	return 0;
17948 
17949  nla_put_failure:
17950 	genlmsg_cancel(msg, hdr);
17951 	return -EMSGSIZE;
17952 }
17953 
17954 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17955 			     struct wireless_dev *wdev)
17956 {
17957 	struct sk_buff *msg;
17958 
17959 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17960 	if (!msg)
17961 		return;
17962 
17963 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17964 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17965 		nlmsg_free(msg);
17966 		return;
17967 	}
17968 
17969 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17970 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17971 }
17972 
17973 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17974 				       struct wireless_dev *wdev, bool aborted)
17975 {
17976 	struct sk_buff *msg;
17977 
17978 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17979 	if (!msg)
17980 		return NULL;
17981 
17982 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17983 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17984 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17985 		nlmsg_free(msg);
17986 		return NULL;
17987 	}
17988 
17989 	return msg;
17990 }
17991 
17992 /* send message created by nl80211_build_scan_msg() */
17993 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17994 			   struct sk_buff *msg)
17995 {
17996 	if (!msg)
17997 		return;
17998 
17999 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18000 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18001 }
18002 
18003 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
18004 {
18005 	struct sk_buff *msg;
18006 
18007 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18008 	if (!msg)
18009 		return;
18010 
18011 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
18012 		nlmsg_free(msg);
18013 		return;
18014 	}
18015 
18016 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
18017 				NL80211_MCGRP_SCAN, GFP_KERNEL);
18018 }
18019 
18020 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
18021 					  struct regulatory_request *request)
18022 {
18023 	/* Userspace can always count this one always being set */
18024 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
18025 		goto nla_put_failure;
18026 
18027 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
18028 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18029 			       NL80211_REGDOM_TYPE_WORLD))
18030 			goto nla_put_failure;
18031 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
18032 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18033 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
18034 			goto nla_put_failure;
18035 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
18036 		   request->intersect) {
18037 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18038 			       NL80211_REGDOM_TYPE_INTERSECTION))
18039 			goto nla_put_failure;
18040 	} else {
18041 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
18042 			       NL80211_REGDOM_TYPE_COUNTRY) ||
18043 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
18044 				   request->alpha2))
18045 			goto nla_put_failure;
18046 	}
18047 
18048 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
18049 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
18050 
18051 		if (wiphy &&
18052 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
18053 			goto nla_put_failure;
18054 
18055 		if (wiphy &&
18056 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
18057 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
18058 			goto nla_put_failure;
18059 	}
18060 
18061 	return true;
18062 
18063 nla_put_failure:
18064 	return false;
18065 }
18066 
18067 /*
18068  * This can happen on global regulatory changes or device specific settings
18069  * based on custom regulatory domains.
18070  */
18071 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
18072 				     struct regulatory_request *request)
18073 {
18074 	struct sk_buff *msg;
18075 	void *hdr;
18076 
18077 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18078 	if (!msg)
18079 		return;
18080 
18081 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
18082 	if (!hdr)
18083 		goto nla_put_failure;
18084 
18085 	if (!nl80211_reg_change_event_fill(msg, request))
18086 		goto nla_put_failure;
18087 
18088 	genlmsg_end(msg, hdr);
18089 
18090 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18091 				NL80211_MCGRP_REGULATORY);
18092 
18093 	return;
18094 
18095 nla_put_failure:
18096 	nlmsg_free(msg);
18097 }
18098 
18099 struct nl80211_mlme_event {
18100 	enum nl80211_commands cmd;
18101 	const u8 *buf;
18102 	size_t buf_len;
18103 	int uapsd_queues;
18104 	const u8 *req_ies;
18105 	size_t req_ies_len;
18106 	bool reconnect;
18107 };
18108 
18109 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18110 				    struct net_device *netdev,
18111 				    const struct nl80211_mlme_event *event,
18112 				    gfp_t gfp)
18113 {
18114 	struct sk_buff *msg;
18115 	void *hdr;
18116 
18117 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18118 	if (!msg)
18119 		return;
18120 
18121 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18122 	if (!hdr) {
18123 		nlmsg_free(msg);
18124 		return;
18125 	}
18126 
18127 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18128 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18129 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18130 	    (event->req_ies &&
18131 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18132 		     event->req_ies)))
18133 		goto nla_put_failure;
18134 
18135 	if (event->reconnect &&
18136 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18137 		goto nla_put_failure;
18138 
18139 	if (event->uapsd_queues >= 0) {
18140 		struct nlattr *nla_wmm =
18141 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18142 		if (!nla_wmm)
18143 			goto nla_put_failure;
18144 
18145 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18146 			       event->uapsd_queues))
18147 			goto nla_put_failure;
18148 
18149 		nla_nest_end(msg, nla_wmm);
18150 	}
18151 
18152 	genlmsg_end(msg, hdr);
18153 
18154 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18155 				NL80211_MCGRP_MLME, gfp);
18156 	return;
18157 
18158  nla_put_failure:
18159 	nlmsg_free(msg);
18160 }
18161 
18162 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18163 			  struct net_device *netdev, const u8 *buf,
18164 			  size_t len, gfp_t gfp)
18165 {
18166 	struct nl80211_mlme_event event = {
18167 		.cmd = NL80211_CMD_AUTHENTICATE,
18168 		.buf = buf,
18169 		.buf_len = len,
18170 		.uapsd_queues = -1,
18171 	};
18172 
18173 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18174 }
18175 
18176 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18177 			   struct net_device *netdev,
18178 			   const struct cfg80211_rx_assoc_resp_data *data)
18179 {
18180 	struct nl80211_mlme_event event = {
18181 		.cmd = NL80211_CMD_ASSOCIATE,
18182 		.buf = data->buf,
18183 		.buf_len = data->len,
18184 		.uapsd_queues = data->uapsd_queues,
18185 		.req_ies = data->req_ies,
18186 		.req_ies_len = data->req_ies_len,
18187 	};
18188 
18189 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18190 }
18191 
18192 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18193 			 struct net_device *netdev, const u8 *buf,
18194 			 size_t len, bool reconnect, gfp_t gfp)
18195 {
18196 	struct nl80211_mlme_event event = {
18197 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18198 		.buf = buf,
18199 		.buf_len = len,
18200 		.reconnect = reconnect,
18201 		.uapsd_queues = -1,
18202 	};
18203 
18204 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18205 }
18206 
18207 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18208 			   struct net_device *netdev, const u8 *buf,
18209 			   size_t len, bool reconnect, gfp_t gfp)
18210 {
18211 	struct nl80211_mlme_event event = {
18212 		.cmd = NL80211_CMD_DISASSOCIATE,
18213 		.buf = buf,
18214 		.buf_len = len,
18215 		.reconnect = reconnect,
18216 		.uapsd_queues = -1,
18217 	};
18218 
18219 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18220 }
18221 
18222 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18223 				  size_t len)
18224 {
18225 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18226 	struct wiphy *wiphy = wdev->wiphy;
18227 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18228 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18229 	struct nl80211_mlme_event event = {
18230 		.buf = buf,
18231 		.buf_len = len,
18232 		.uapsd_queues = -1,
18233 	};
18234 
18235 	if (WARN_ON(len < 2))
18236 		return;
18237 
18238 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18239 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18240 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18241 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18242 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18243 		if (wdev->unprot_beacon_reported &&
18244 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18245 			return;
18246 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18247 		wdev->unprot_beacon_reported = jiffies;
18248 	} else {
18249 		return;
18250 	}
18251 
18252 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18253 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18254 }
18255 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18256 
18257 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18258 				      struct net_device *netdev, int cmd,
18259 				      const u8 *addr, gfp_t gfp)
18260 {
18261 	struct sk_buff *msg;
18262 	void *hdr;
18263 
18264 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18265 	if (!msg)
18266 		return;
18267 
18268 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18269 	if (!hdr) {
18270 		nlmsg_free(msg);
18271 		return;
18272 	}
18273 
18274 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18275 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18276 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18277 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18278 		goto nla_put_failure;
18279 
18280 	genlmsg_end(msg, hdr);
18281 
18282 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18283 				NL80211_MCGRP_MLME, gfp);
18284 	return;
18285 
18286  nla_put_failure:
18287 	nlmsg_free(msg);
18288 }
18289 
18290 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18291 			       struct net_device *netdev, const u8 *addr,
18292 			       gfp_t gfp)
18293 {
18294 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18295 				  addr, gfp);
18296 }
18297 
18298 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18299 				struct net_device *netdev, const u8 *addr,
18300 				gfp_t gfp)
18301 {
18302 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18303 				  addr, gfp);
18304 }
18305 
18306 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18307 				 struct net_device *netdev,
18308 				 struct cfg80211_connect_resp_params *cr,
18309 				 gfp_t gfp)
18310 {
18311 	struct sk_buff *msg;
18312 	void *hdr;
18313 	unsigned int link;
18314 	size_t link_info_size = 0;
18315 	const u8 *connected_addr = cr->valid_links ?
18316 				   cr->ap_mld_addr : cr->links[0].bssid;
18317 
18318 	if (cr->valid_links) {
18319 		for_each_valid_link(cr, link) {
18320 			/* Nested attribute header */
18321 			link_info_size += NLA_HDRLEN;
18322 			/* Link ID */
18323 			link_info_size += nla_total_size(sizeof(u8));
18324 			link_info_size += cr->links[link].addr ?
18325 					  nla_total_size(ETH_ALEN) : 0;
18326 			link_info_size += (cr->links[link].bssid ||
18327 					   cr->links[link].bss) ?
18328 					  nla_total_size(ETH_ALEN) : 0;
18329 			link_info_size += nla_total_size(sizeof(u16));
18330 		}
18331 	}
18332 
18333 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18334 			cr->fils.kek_len + cr->fils.pmk_len +
18335 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18336 			gfp);
18337 	if (!msg)
18338 		return;
18339 
18340 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18341 	if (!hdr) {
18342 		nlmsg_free(msg);
18343 		return;
18344 	}
18345 
18346 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18347 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18348 	    (connected_addr &&
18349 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18350 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18351 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18352 			cr->status) ||
18353 	    (cr->status < 0 &&
18354 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18355 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18356 			  cr->timeout_reason))) ||
18357 	    (cr->req_ie &&
18358 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18359 	    (cr->resp_ie &&
18360 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18361 		     cr->resp_ie)) ||
18362 	    (cr->fils.update_erp_next_seq_num &&
18363 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18364 			 cr->fils.erp_next_seq_num)) ||
18365 	    (cr->status == WLAN_STATUS_SUCCESS &&
18366 	     ((cr->fils.kek &&
18367 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18368 		       cr->fils.kek)) ||
18369 	      (cr->fils.pmk &&
18370 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18371 	      (cr->fils.pmkid &&
18372 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18373 		goto nla_put_failure;
18374 
18375 	if (cr->valid_links) {
18376 		int i = 1;
18377 		struct nlattr *nested;
18378 
18379 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18380 		if (!nested)
18381 			goto nla_put_failure;
18382 
18383 		for_each_valid_link(cr, link) {
18384 			struct nlattr *nested_mlo_links;
18385 			const u8 *bssid = cr->links[link].bss ?
18386 					  cr->links[link].bss->bssid :
18387 					  cr->links[link].bssid;
18388 
18389 			nested_mlo_links = nla_nest_start(msg, i);
18390 			if (!nested_mlo_links)
18391 				goto nla_put_failure;
18392 
18393 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18394 			    (bssid &&
18395 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18396 			    (cr->links[link].addr &&
18397 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18398 				     cr->links[link].addr)) ||
18399 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18400 					cr->links[link].status))
18401 				goto nla_put_failure;
18402 
18403 			nla_nest_end(msg, nested_mlo_links);
18404 			i++;
18405 		}
18406 		nla_nest_end(msg, nested);
18407 	}
18408 
18409 	genlmsg_end(msg, hdr);
18410 
18411 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18412 				NL80211_MCGRP_MLME, gfp);
18413 	return;
18414 
18415  nla_put_failure:
18416 	nlmsg_free(msg);
18417 }
18418 
18419 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18420 			 struct net_device *netdev,
18421 			 struct cfg80211_roam_info *info, gfp_t gfp)
18422 {
18423 	struct sk_buff *msg;
18424 	void *hdr;
18425 	size_t link_info_size = 0;
18426 	unsigned int link;
18427 	const u8 *connected_addr = info->ap_mld_addr ?
18428 				   info->ap_mld_addr :
18429 				   (info->links[0].bss ?
18430 				    info->links[0].bss->bssid :
18431 				    info->links[0].bssid);
18432 
18433 	if (info->valid_links) {
18434 		for_each_valid_link(info, link) {
18435 			/* Nested attribute header */
18436 			link_info_size += NLA_HDRLEN;
18437 			/* Link ID */
18438 			link_info_size += nla_total_size(sizeof(u8));
18439 			link_info_size += info->links[link].addr ?
18440 					  nla_total_size(ETH_ALEN) : 0;
18441 			link_info_size += (info->links[link].bssid ||
18442 					   info->links[link].bss) ?
18443 					  nla_total_size(ETH_ALEN) : 0;
18444 		}
18445 	}
18446 
18447 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18448 			info->fils.kek_len + info->fils.pmk_len +
18449 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18450 			link_info_size, gfp);
18451 	if (!msg)
18452 		return;
18453 
18454 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18455 	if (!hdr) {
18456 		nlmsg_free(msg);
18457 		return;
18458 	}
18459 
18460 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18461 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18462 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18463 	    (info->req_ie &&
18464 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18465 		     info->req_ie)) ||
18466 	    (info->resp_ie &&
18467 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18468 		     info->resp_ie)) ||
18469 	    (info->fils.update_erp_next_seq_num &&
18470 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18471 			 info->fils.erp_next_seq_num)) ||
18472 	    (info->fils.kek &&
18473 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18474 		     info->fils.kek)) ||
18475 	    (info->fils.pmk &&
18476 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18477 	    (info->fils.pmkid &&
18478 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18479 		goto nla_put_failure;
18480 
18481 	if (info->valid_links) {
18482 		int i = 1;
18483 		struct nlattr *nested;
18484 
18485 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18486 		if (!nested)
18487 			goto nla_put_failure;
18488 
18489 		for_each_valid_link(info, link) {
18490 			struct nlattr *nested_mlo_links;
18491 			const u8 *bssid = info->links[link].bss ?
18492 					  info->links[link].bss->bssid :
18493 					  info->links[link].bssid;
18494 
18495 			nested_mlo_links = nla_nest_start(msg, i);
18496 			if (!nested_mlo_links)
18497 				goto nla_put_failure;
18498 
18499 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18500 			    (bssid &&
18501 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18502 			    (info->links[link].addr &&
18503 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18504 				     info->links[link].addr)))
18505 				goto nla_put_failure;
18506 
18507 			nla_nest_end(msg, nested_mlo_links);
18508 			i++;
18509 		}
18510 		nla_nest_end(msg, nested);
18511 	}
18512 
18513 	genlmsg_end(msg, hdr);
18514 
18515 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18516 				NL80211_MCGRP_MLME, gfp);
18517 	return;
18518 
18519  nla_put_failure:
18520 	nlmsg_free(msg);
18521 }
18522 
18523 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18524 				  struct net_device *netdev, const u8 *peer_addr,
18525 				  const u8 *td_bitmap, u8 td_bitmap_len)
18526 {
18527 	struct sk_buff *msg;
18528 	void *hdr;
18529 
18530 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18531 	if (!msg)
18532 		return;
18533 
18534 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18535 	if (!hdr) {
18536 		nlmsg_free(msg);
18537 		return;
18538 	}
18539 
18540 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18541 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18542 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18543 		goto nla_put_failure;
18544 
18545 	if (td_bitmap_len > 0 && td_bitmap &&
18546 	    nla_put(msg, NL80211_ATTR_TD_BITMAP, td_bitmap_len, td_bitmap))
18547 		goto nla_put_failure;
18548 
18549 	genlmsg_end(msg, hdr);
18550 
18551 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18552 				NL80211_MCGRP_MLME, GFP_KERNEL);
18553 	return;
18554 
18555  nla_put_failure:
18556 	nlmsg_free(msg);
18557 }
18558 
18559 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18560 			       struct net_device *netdev, u16 reason,
18561 			       const u8 *ie, size_t ie_len, bool from_ap)
18562 {
18563 	struct sk_buff *msg;
18564 	void *hdr;
18565 
18566 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18567 	if (!msg)
18568 		return;
18569 
18570 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18571 	if (!hdr) {
18572 		nlmsg_free(msg);
18573 		return;
18574 	}
18575 
18576 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18577 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18578 	    (reason &&
18579 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18580 	    (from_ap &&
18581 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18582 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18583 		goto nla_put_failure;
18584 
18585 	genlmsg_end(msg, hdr);
18586 
18587 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18588 				NL80211_MCGRP_MLME, GFP_KERNEL);
18589 	return;
18590 
18591  nla_put_failure:
18592 	nlmsg_free(msg);
18593 }
18594 
18595 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18596 {
18597 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18598 	struct wiphy *wiphy = wdev->wiphy;
18599 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18600 	struct sk_buff *msg;
18601 	struct nlattr *links;
18602 	void *hdr;
18603 
18604 	lockdep_assert_wiphy(wdev->wiphy);
18605 	trace_cfg80211_links_removed(dev, link_mask);
18606 
18607 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18608 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18609 		return;
18610 
18611 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18612 		    (wdev->valid_links & link_mask) != link_mask ||
18613 		    wdev->valid_links == link_mask))
18614 		return;
18615 
18616 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18617 	wdev->valid_links &= ~link_mask;
18618 
18619 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18620 	if (!msg)
18621 		return;
18622 
18623 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18624 	if (!hdr) {
18625 		nlmsg_free(msg);
18626 		return;
18627 	}
18628 
18629 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18630 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18631 		goto nla_put_failure;
18632 
18633 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18634 	if (!links)
18635 		goto nla_put_failure;
18636 
18637 	while (link_mask) {
18638 		struct nlattr *link;
18639 		int link_id = __ffs(link_mask);
18640 
18641 		link = nla_nest_start(msg, link_id + 1);
18642 		if (!link)
18643 			goto nla_put_failure;
18644 
18645 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18646 			goto nla_put_failure;
18647 
18648 		nla_nest_end(msg, link);
18649 		link_mask &= ~(1 << link_id);
18650 	}
18651 
18652 	nla_nest_end(msg, links);
18653 
18654 	genlmsg_end(msg, hdr);
18655 
18656 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18657 				NL80211_MCGRP_MLME, GFP_KERNEL);
18658 	return;
18659 
18660  nla_put_failure:
18661 	nlmsg_free(msg);
18662 }
18663 EXPORT_SYMBOL(cfg80211_links_removed);
18664 
18665 void nl80211_mlo_reconf_add_done(struct net_device *dev,
18666 				 struct cfg80211_mlo_reconf_done_data *data)
18667 {
18668 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18669 	struct wiphy *wiphy = wdev->wiphy;
18670 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18671 	struct nl80211_mlme_event event = {
18672 		.cmd = NL80211_CMD_ASSOC_MLO_RECONF,
18673 		.buf = data->buf,
18674 		.buf_len = data->len,
18675 		.uapsd_queues = -1,
18676 	};
18677 
18678 	nl80211_send_mlme_event(rdev, dev, &event, GFP_KERNEL);
18679 }
18680 EXPORT_SYMBOL(nl80211_mlo_reconf_add_done);
18681 
18682 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18683 			     struct net_device *netdev, const u8 *bssid,
18684 			     gfp_t gfp)
18685 {
18686 	struct sk_buff *msg;
18687 	void *hdr;
18688 
18689 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18690 	if (!msg)
18691 		return;
18692 
18693 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18694 	if (!hdr) {
18695 		nlmsg_free(msg);
18696 		return;
18697 	}
18698 
18699 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18700 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18701 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18702 		goto nla_put_failure;
18703 
18704 	genlmsg_end(msg, hdr);
18705 
18706 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18707 				NL80211_MCGRP_MLME, gfp);
18708 	return;
18709 
18710  nla_put_failure:
18711 	nlmsg_free(msg);
18712 }
18713 
18714 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18715 					const u8 *ie, u8 ie_len,
18716 					int sig_dbm, gfp_t gfp)
18717 {
18718 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18719 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18720 	struct sk_buff *msg;
18721 	void *hdr;
18722 
18723 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18724 		return;
18725 
18726 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18727 
18728 	msg = nlmsg_new(100 + ie_len, gfp);
18729 	if (!msg)
18730 		return;
18731 
18732 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18733 	if (!hdr) {
18734 		nlmsg_free(msg);
18735 		return;
18736 	}
18737 
18738 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18739 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18740 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18741 	    (ie_len && ie &&
18742 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18743 	    (sig_dbm &&
18744 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18745 		goto nla_put_failure;
18746 
18747 	genlmsg_end(msg, hdr);
18748 
18749 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18750 				NL80211_MCGRP_MLME, gfp);
18751 	return;
18752 
18753  nla_put_failure:
18754 	nlmsg_free(msg);
18755 }
18756 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18757 
18758 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18759 				 struct net_device *netdev, const u8 *addr,
18760 				 enum nl80211_key_type key_type, int key_id,
18761 				 const u8 *tsc, gfp_t gfp)
18762 {
18763 	struct sk_buff *msg;
18764 	void *hdr;
18765 
18766 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18767 	if (!msg)
18768 		return;
18769 
18770 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18771 	if (!hdr) {
18772 		nlmsg_free(msg);
18773 		return;
18774 	}
18775 
18776 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18777 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18778 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18779 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18780 	    (key_id != -1 &&
18781 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18782 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18783 		goto nla_put_failure;
18784 
18785 	genlmsg_end(msg, hdr);
18786 
18787 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18788 				NL80211_MCGRP_MLME, gfp);
18789 	return;
18790 
18791  nla_put_failure:
18792 	nlmsg_free(msg);
18793 }
18794 
18795 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18796 				    struct ieee80211_channel *channel_before,
18797 				    struct ieee80211_channel *channel_after)
18798 {
18799 	struct sk_buff *msg;
18800 	void *hdr;
18801 	struct nlattr *nl_freq;
18802 
18803 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18804 	if (!msg)
18805 		return;
18806 
18807 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18808 	if (!hdr) {
18809 		nlmsg_free(msg);
18810 		return;
18811 	}
18812 
18813 	/*
18814 	 * Since we are applying the beacon hint to a wiphy we know its
18815 	 * wiphy_idx is valid
18816 	 */
18817 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18818 		goto nla_put_failure;
18819 
18820 	/* Before */
18821 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18822 	if (!nl_freq)
18823 		goto nla_put_failure;
18824 
18825 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18826 		goto nla_put_failure;
18827 	nla_nest_end(msg, nl_freq);
18828 
18829 	/* After */
18830 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18831 	if (!nl_freq)
18832 		goto nla_put_failure;
18833 
18834 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18835 		goto nla_put_failure;
18836 	nla_nest_end(msg, nl_freq);
18837 
18838 	genlmsg_end(msg, hdr);
18839 
18840 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18841 				NL80211_MCGRP_REGULATORY);
18842 
18843 	return;
18844 
18845 nla_put_failure:
18846 	nlmsg_free(msg);
18847 }
18848 
18849 static void nl80211_send_remain_on_chan_event(
18850 	int cmd, struct cfg80211_registered_device *rdev,
18851 	struct wireless_dev *wdev, u64 cookie,
18852 	struct ieee80211_channel *chan,
18853 	unsigned int duration, gfp_t gfp)
18854 {
18855 	struct sk_buff *msg;
18856 	void *hdr;
18857 
18858 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18859 	if (!msg)
18860 		return;
18861 
18862 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18863 	if (!hdr) {
18864 		nlmsg_free(msg);
18865 		return;
18866 	}
18867 
18868 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18869 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18870 					 wdev->netdev->ifindex)) ||
18871 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18872 			      NL80211_ATTR_PAD) ||
18873 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18874 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18875 			NL80211_CHAN_NO_HT) ||
18876 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18877 			      NL80211_ATTR_PAD))
18878 		goto nla_put_failure;
18879 
18880 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18881 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18882 		goto nla_put_failure;
18883 
18884 	genlmsg_end(msg, hdr);
18885 
18886 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18887 				NL80211_MCGRP_MLME, gfp);
18888 	return;
18889 
18890  nla_put_failure:
18891 	nlmsg_free(msg);
18892 }
18893 
18894 void cfg80211_assoc_comeback(struct net_device *netdev,
18895 			     const u8 *ap_addr, u32 timeout)
18896 {
18897 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18898 	struct wiphy *wiphy = wdev->wiphy;
18899 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18900 	struct sk_buff *msg;
18901 	void *hdr;
18902 
18903 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18904 
18905 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18906 	if (!msg)
18907 		return;
18908 
18909 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18910 	if (!hdr) {
18911 		nlmsg_free(msg);
18912 		return;
18913 	}
18914 
18915 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18916 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18917 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18918 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18919 		goto nla_put_failure;
18920 
18921 	genlmsg_end(msg, hdr);
18922 
18923 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18924 				NL80211_MCGRP_MLME, GFP_KERNEL);
18925 	return;
18926 
18927  nla_put_failure:
18928 	nlmsg_free(msg);
18929 }
18930 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18931 
18932 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18933 			       struct ieee80211_channel *chan,
18934 			       unsigned int duration, gfp_t gfp)
18935 {
18936 	struct wiphy *wiphy = wdev->wiphy;
18937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18938 
18939 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18940 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18941 					  rdev, wdev, cookie, chan,
18942 					  duration, gfp);
18943 }
18944 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18945 
18946 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18947 					struct ieee80211_channel *chan,
18948 					gfp_t gfp)
18949 {
18950 	struct wiphy *wiphy = wdev->wiphy;
18951 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18952 
18953 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18954 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18955 					  rdev, wdev, cookie, chan, 0, gfp);
18956 }
18957 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18958 
18959 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18960 					struct ieee80211_channel *chan,
18961 					gfp_t gfp)
18962 {
18963 	struct wiphy *wiphy = wdev->wiphy;
18964 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18965 
18966 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18967 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18968 					  rdev, wdev, cookie, chan, 0, gfp);
18969 }
18970 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18971 
18972 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18973 		      struct station_info *sinfo, gfp_t gfp)
18974 {
18975 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18976 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18977 	struct sk_buff *msg;
18978 
18979 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18980 
18981 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18982 	if (!msg)
18983 		return;
18984 
18985 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18986 				 rdev, dev, mac_addr, sinfo) < 0) {
18987 		nlmsg_free(msg);
18988 		return;
18989 	}
18990 
18991 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18992 				NL80211_MCGRP_MLME, gfp);
18993 }
18994 EXPORT_SYMBOL(cfg80211_new_sta);
18995 
18996 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18997 			    struct station_info *sinfo, gfp_t gfp)
18998 {
18999 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19000 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19001 	struct sk_buff *msg;
19002 	struct station_info empty_sinfo = {};
19003 
19004 	if (!sinfo)
19005 		sinfo = &empty_sinfo;
19006 
19007 	trace_cfg80211_del_sta(dev, mac_addr);
19008 
19009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19010 	if (!msg) {
19011 		cfg80211_sinfo_release_content(sinfo);
19012 		return;
19013 	}
19014 
19015 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
19016 				 rdev, dev, mac_addr, sinfo) < 0) {
19017 		nlmsg_free(msg);
19018 		return;
19019 	}
19020 
19021 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19022 				NL80211_MCGRP_MLME, gfp);
19023 }
19024 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
19025 
19026 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
19027 			  enum nl80211_connect_failed_reason reason,
19028 			  gfp_t gfp)
19029 {
19030 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
19031 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19032 	struct sk_buff *msg;
19033 	void *hdr;
19034 
19035 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
19036 	if (!msg)
19037 		return;
19038 
19039 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
19040 	if (!hdr) {
19041 		nlmsg_free(msg);
19042 		return;
19043 	}
19044 
19045 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19046 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
19047 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
19048 		goto nla_put_failure;
19049 
19050 	genlmsg_end(msg, hdr);
19051 
19052 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19053 				NL80211_MCGRP_MLME, gfp);
19054 	return;
19055 
19056  nla_put_failure:
19057 	nlmsg_free(msg);
19058 }
19059 EXPORT_SYMBOL(cfg80211_conn_failed);
19060 
19061 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
19062 				       const u8 *addr, gfp_t gfp)
19063 {
19064 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19066 	struct sk_buff *msg;
19067 	void *hdr;
19068 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
19069 
19070 	if (!nlportid)
19071 		return false;
19072 
19073 	msg = nlmsg_new(100, gfp);
19074 	if (!msg)
19075 		return true;
19076 
19077 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19078 	if (!hdr) {
19079 		nlmsg_free(msg);
19080 		return true;
19081 	}
19082 
19083 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19084 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19085 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
19086 		goto nla_put_failure;
19087 
19088 	genlmsg_end(msg, hdr);
19089 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19090 	return true;
19091 
19092  nla_put_failure:
19093 	nlmsg_free(msg);
19094 	return true;
19095 }
19096 
19097 bool cfg80211_rx_spurious_frame(struct net_device *dev,
19098 				const u8 *addr, gfp_t gfp)
19099 {
19100 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19101 	bool ret;
19102 
19103 	trace_cfg80211_rx_spurious_frame(dev, addr);
19104 
19105 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19106 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
19107 		trace_cfg80211_return_bool(false);
19108 		return false;
19109 	}
19110 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
19111 					 addr, gfp);
19112 	trace_cfg80211_return_bool(ret);
19113 	return ret;
19114 }
19115 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19116 
19117 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19118 					const u8 *addr, gfp_t gfp)
19119 {
19120 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19121 	bool ret;
19122 
19123 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19124 
19125 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19126 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19127 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19128 		trace_cfg80211_return_bool(false);
19129 		return false;
19130 	}
19131 	ret = __nl80211_unexpected_frame(dev,
19132 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19133 					 addr, gfp);
19134 	trace_cfg80211_return_bool(ret);
19135 	return ret;
19136 }
19137 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19138 
19139 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19140 		      struct wireless_dev *wdev, u32 nlportid,
19141 		      struct cfg80211_rx_info *info, gfp_t gfp)
19142 {
19143 	struct net_device *netdev = wdev->netdev;
19144 	struct sk_buff *msg;
19145 	void *hdr;
19146 
19147 	msg = nlmsg_new(100 + info->len, gfp);
19148 	if (!msg)
19149 		return -ENOMEM;
19150 
19151 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19152 	if (!hdr) {
19153 		nlmsg_free(msg);
19154 		return -ENOMEM;
19155 	}
19156 
19157 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19158 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19159 					netdev->ifindex)) ||
19160 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19161 			      NL80211_ATTR_PAD) ||
19162 	    (info->have_link_id &&
19163 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19164 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19165 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19166 	    (info->sig_dbm &&
19167 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19168 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19169 	    (info->flags &&
19170 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19171 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19172 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19173 						  info->rx_tstamp,
19174 						  NL80211_ATTR_PAD)) ||
19175 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19176 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19177 						   info->ack_tstamp,
19178 						   NL80211_ATTR_PAD)))
19179 		goto nla_put_failure;
19180 
19181 	genlmsg_end(msg, hdr);
19182 
19183 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19184 
19185  nla_put_failure:
19186 	nlmsg_free(msg);
19187 	return -ENOBUFS;
19188 }
19189 
19190 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19191 				    struct cfg80211_tx_status *status,
19192 				    gfp_t gfp, enum nl80211_commands command)
19193 {
19194 	struct wiphy *wiphy = wdev->wiphy;
19195 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19196 	struct net_device *netdev = wdev->netdev;
19197 	struct sk_buff *msg;
19198 	void *hdr;
19199 
19200 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19201 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19202 					      status->ack);
19203 	else
19204 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19205 						      status->ack);
19206 
19207 	msg = nlmsg_new(100 + status->len, gfp);
19208 	if (!msg)
19209 		return;
19210 
19211 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19212 	if (!hdr) {
19213 		nlmsg_free(msg);
19214 		return;
19215 	}
19216 
19217 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19218 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19219 				   netdev->ifindex)) ||
19220 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19221 			      NL80211_ATTR_PAD) ||
19222 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19223 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19224 			      NL80211_ATTR_PAD) ||
19225 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19226 	    (status->tx_tstamp &&
19227 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19228 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19229 	    (status->ack_tstamp &&
19230 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19231 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19232 		goto nla_put_failure;
19233 
19234 	genlmsg_end(msg, hdr);
19235 
19236 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19237 				NL80211_MCGRP_MLME, gfp);
19238 	return;
19239 
19240 nla_put_failure:
19241 	nlmsg_free(msg);
19242 }
19243 
19244 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19245 				     const u8 *buf, size_t len, bool ack,
19246 				     gfp_t gfp)
19247 {
19248 	struct cfg80211_tx_status status = {
19249 		.cookie = cookie,
19250 		.buf = buf,
19251 		.len = len,
19252 		.ack = ack
19253 	};
19254 
19255 	nl80211_frame_tx_status(wdev, &status, gfp,
19256 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19257 }
19258 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19259 
19260 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19261 				 struct cfg80211_tx_status *status, gfp_t gfp)
19262 {
19263 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19264 }
19265 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19266 
19267 static int __nl80211_rx_control_port(struct net_device *dev,
19268 				     struct sk_buff *skb,
19269 				     bool unencrypted,
19270 				     int link_id,
19271 				     gfp_t gfp)
19272 {
19273 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19274 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19275 	struct ethhdr *ehdr = eth_hdr(skb);
19276 	const u8 *addr = ehdr->h_source;
19277 	u16 proto = be16_to_cpu(skb->protocol);
19278 	struct sk_buff *msg;
19279 	void *hdr;
19280 	struct nlattr *frame;
19281 
19282 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19283 
19284 	if (!nlportid)
19285 		return -ENOENT;
19286 
19287 	msg = nlmsg_new(100 + skb->len, gfp);
19288 	if (!msg)
19289 		return -ENOMEM;
19290 
19291 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19292 	if (!hdr) {
19293 		nlmsg_free(msg);
19294 		return -ENOBUFS;
19295 	}
19296 
19297 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19298 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19299 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19300 			      NL80211_ATTR_PAD) ||
19301 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19302 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19303 	    (link_id >= 0 &&
19304 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19305 	    (unencrypted && nla_put_flag(msg,
19306 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19307 		goto nla_put_failure;
19308 
19309 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19310 	if (!frame)
19311 		goto nla_put_failure;
19312 
19313 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19314 	genlmsg_end(msg, hdr);
19315 
19316 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19317 
19318  nla_put_failure:
19319 	nlmsg_free(msg);
19320 	return -ENOBUFS;
19321 }
19322 
19323 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19324 			      bool unencrypted, int link_id)
19325 {
19326 	int ret;
19327 
19328 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19329 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19330 					GFP_ATOMIC);
19331 	trace_cfg80211_return_bool(ret == 0);
19332 	return ret == 0;
19333 }
19334 EXPORT_SYMBOL(cfg80211_rx_control_port);
19335 
19336 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19337 					    const char *mac, gfp_t gfp)
19338 {
19339 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19340 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19341 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19342 	void **cb;
19343 
19344 	if (!msg)
19345 		return NULL;
19346 
19347 	cb = (void **)msg->cb;
19348 
19349 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19350 	if (!cb[0]) {
19351 		nlmsg_free(msg);
19352 		return NULL;
19353 	}
19354 
19355 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19356 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19357 		goto nla_put_failure;
19358 
19359 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19360 		goto nla_put_failure;
19361 
19362 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19363 	if (!cb[1])
19364 		goto nla_put_failure;
19365 
19366 	cb[2] = rdev;
19367 
19368 	return msg;
19369  nla_put_failure:
19370 	nlmsg_free(msg);
19371 	return NULL;
19372 }
19373 
19374 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19375 {
19376 	void **cb = (void **)msg->cb;
19377 	struct cfg80211_registered_device *rdev = cb[2];
19378 
19379 	nla_nest_end(msg, cb[1]);
19380 	genlmsg_end(msg, cb[0]);
19381 
19382 	memset(msg->cb, 0, sizeof(msg->cb));
19383 
19384 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19385 				NL80211_MCGRP_MLME, gfp);
19386 }
19387 
19388 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19389 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19390 			      s32 rssi_level, gfp_t gfp)
19391 {
19392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19393 	struct cfg80211_cqm_config *cqm_config;
19394 
19395 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19396 
19397 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19398 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19399 		return;
19400 
19401 	rcu_read_lock();
19402 	cqm_config = rcu_dereference(wdev->cqm_config);
19403 	if (cqm_config) {
19404 		cqm_config->last_rssi_event_value = rssi_level;
19405 		cqm_config->last_rssi_event_type = rssi_event;
19406 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19407 	}
19408 	rcu_read_unlock();
19409 }
19410 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19411 
19412 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19413 {
19414 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19415 						 cqm_rssi_work);
19416 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19417 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19418 	struct cfg80211_cqm_config *cqm_config;
19419 	struct sk_buff *msg;
19420 	s32 rssi_level;
19421 
19422 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19423 	if (!cqm_config)
19424 		return;
19425 
19426 	if (cqm_config->use_range_api)
19427 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19428 
19429 	rssi_level = cqm_config->last_rssi_event_value;
19430 	rssi_event = cqm_config->last_rssi_event_type;
19431 
19432 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19433 	if (!msg)
19434 		return;
19435 
19436 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19437 			rssi_event))
19438 		goto nla_put_failure;
19439 
19440 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19441 				      rssi_level))
19442 		goto nla_put_failure;
19443 
19444 	cfg80211_send_cqm(msg, GFP_KERNEL);
19445 
19446 	return;
19447 
19448  nla_put_failure:
19449 	nlmsg_free(msg);
19450 }
19451 
19452 void cfg80211_cqm_txe_notify(struct net_device *dev,
19453 			     const u8 *peer, u32 num_packets,
19454 			     u32 rate, u32 intvl, gfp_t gfp)
19455 {
19456 	struct sk_buff *msg;
19457 
19458 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19459 	if (!msg)
19460 		return;
19461 
19462 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19463 		goto nla_put_failure;
19464 
19465 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19466 		goto nla_put_failure;
19467 
19468 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19469 		goto nla_put_failure;
19470 
19471 	cfg80211_send_cqm(msg, gfp);
19472 	return;
19473 
19474  nla_put_failure:
19475 	nlmsg_free(msg);
19476 }
19477 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19478 
19479 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19480 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19481 {
19482 	struct sk_buff *msg;
19483 
19484 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19485 
19486 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19487 	if (!msg)
19488 		return;
19489 
19490 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19491 		goto nla_put_failure;
19492 
19493 	cfg80211_send_cqm(msg, gfp);
19494 	return;
19495 
19496  nla_put_failure:
19497 	nlmsg_free(msg);
19498 }
19499 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19500 
19501 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19502 {
19503 	struct sk_buff *msg;
19504 
19505 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19506 	if (!msg)
19507 		return;
19508 
19509 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19510 		goto nla_put_failure;
19511 
19512 	cfg80211_send_cqm(msg, gfp);
19513 	return;
19514 
19515  nla_put_failure:
19516 	nlmsg_free(msg);
19517 }
19518 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19519 
19520 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19521 				     struct net_device *netdev, const u8 *bssid,
19522 				     const u8 *replay_ctr, gfp_t gfp)
19523 {
19524 	struct sk_buff *msg;
19525 	struct nlattr *rekey_attr;
19526 	void *hdr;
19527 
19528 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19529 	if (!msg)
19530 		return;
19531 
19532 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19533 	if (!hdr) {
19534 		nlmsg_free(msg);
19535 		return;
19536 	}
19537 
19538 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19539 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19540 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19541 		goto nla_put_failure;
19542 
19543 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19544 	if (!rekey_attr)
19545 		goto nla_put_failure;
19546 
19547 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19548 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19549 		goto nla_put_failure;
19550 
19551 	nla_nest_end(msg, rekey_attr);
19552 
19553 	genlmsg_end(msg, hdr);
19554 
19555 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19556 				NL80211_MCGRP_MLME, gfp);
19557 	return;
19558 
19559  nla_put_failure:
19560 	nlmsg_free(msg);
19561 }
19562 
19563 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19564 			       const u8 *replay_ctr, gfp_t gfp)
19565 {
19566 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19567 	struct wiphy *wiphy = wdev->wiphy;
19568 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19569 
19570 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19571 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19572 }
19573 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19574 
19575 static void
19576 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19577 			       struct net_device *netdev, int index,
19578 			       const u8 *bssid, bool preauth, gfp_t gfp)
19579 {
19580 	struct sk_buff *msg;
19581 	struct nlattr *attr;
19582 	void *hdr;
19583 
19584 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19585 	if (!msg)
19586 		return;
19587 
19588 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19589 	if (!hdr) {
19590 		nlmsg_free(msg);
19591 		return;
19592 	}
19593 
19594 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19595 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19596 		goto nla_put_failure;
19597 
19598 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19599 	if (!attr)
19600 		goto nla_put_failure;
19601 
19602 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19603 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19604 	    (preauth &&
19605 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19606 		goto nla_put_failure;
19607 
19608 	nla_nest_end(msg, attr);
19609 
19610 	genlmsg_end(msg, hdr);
19611 
19612 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19613 				NL80211_MCGRP_MLME, gfp);
19614 	return;
19615 
19616  nla_put_failure:
19617 	nlmsg_free(msg);
19618 }
19619 
19620 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19621 				     const u8 *bssid, bool preauth, gfp_t gfp)
19622 {
19623 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19624 	struct wiphy *wiphy = wdev->wiphy;
19625 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19626 
19627 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19628 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19629 }
19630 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19631 
19632 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19633 				     struct net_device *netdev,
19634 				     unsigned int link_id,
19635 				     struct cfg80211_chan_def *chandef,
19636 				     gfp_t gfp,
19637 				     enum nl80211_commands notif,
19638 				     u8 count, bool quiet)
19639 {
19640 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19641 	struct sk_buff *msg;
19642 	void *hdr;
19643 
19644 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19645 	if (!msg)
19646 		return;
19647 
19648 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19649 	if (!hdr) {
19650 		nlmsg_free(msg);
19651 		return;
19652 	}
19653 
19654 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19655 		goto nla_put_failure;
19656 
19657 	if (wdev->valid_links &&
19658 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19659 		goto nla_put_failure;
19660 
19661 	if (nl80211_send_chandef(msg, chandef))
19662 		goto nla_put_failure;
19663 
19664 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19665 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19666 			goto nla_put_failure;
19667 		if (quiet &&
19668 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19669 			goto nla_put_failure;
19670 	}
19671 
19672 	genlmsg_end(msg, hdr);
19673 
19674 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19675 				NL80211_MCGRP_MLME, gfp);
19676 	return;
19677 
19678  nla_put_failure:
19679 	nlmsg_free(msg);
19680 }
19681 
19682 void cfg80211_ch_switch_notify(struct net_device *dev,
19683 			       struct cfg80211_chan_def *chandef,
19684 			       unsigned int link_id)
19685 {
19686 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19687 	struct wiphy *wiphy = wdev->wiphy;
19688 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19689 
19690 	lockdep_assert_wiphy(wdev->wiphy);
19691 	WARN_INVALID_LINK_ID(wdev, link_id);
19692 
19693 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19694 
19695 	switch (wdev->iftype) {
19696 	case NL80211_IFTYPE_STATION:
19697 	case NL80211_IFTYPE_P2P_CLIENT:
19698 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19699 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19700 							chandef->chan);
19701 		break;
19702 	case NL80211_IFTYPE_MESH_POINT:
19703 		wdev->u.mesh.chandef = *chandef;
19704 		wdev->u.mesh.preset_chandef = *chandef;
19705 		break;
19706 	case NL80211_IFTYPE_AP:
19707 	case NL80211_IFTYPE_P2P_GO:
19708 		wdev->links[link_id].ap.chandef = *chandef;
19709 		break;
19710 	case NL80211_IFTYPE_ADHOC:
19711 		wdev->u.ibss.chandef = *chandef;
19712 		break;
19713 	default:
19714 		WARN_ON(1);
19715 		break;
19716 	}
19717 
19718 	cfg80211_schedule_channels_check(wdev);
19719 	cfg80211_sched_dfs_chan_update(rdev);
19720 
19721 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19722 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19723 }
19724 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19725 
19726 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19727 				       struct cfg80211_chan_def *chandef,
19728 				       unsigned int link_id, u8 count,
19729 				       bool quiet)
19730 {
19731 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19732 	struct wiphy *wiphy = wdev->wiphy;
19733 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19734 
19735 	lockdep_assert_wiphy(wdev->wiphy);
19736 	WARN_INVALID_LINK_ID(wdev, link_id);
19737 
19738 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19739 
19740 
19741 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19742 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19743 				 count, quiet);
19744 }
19745 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19746 
19747 int cfg80211_bss_color_notify(struct net_device *dev,
19748 			      enum nl80211_commands cmd, u8 count,
19749 			      u64 color_bitmap, u8 link_id)
19750 {
19751 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19752 	struct wiphy *wiphy = wdev->wiphy;
19753 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19754 	struct sk_buff *msg;
19755 	void *hdr;
19756 
19757 	lockdep_assert_wiphy(wdev->wiphy);
19758 
19759 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19760 
19761 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19762 	if (!msg)
19763 		return -ENOMEM;
19764 
19765 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19766 	if (!hdr)
19767 		goto nla_put_failure;
19768 
19769 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19770 		goto nla_put_failure;
19771 
19772 	if (wdev->valid_links &&
19773 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19774 		goto nla_put_failure;
19775 
19776 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19777 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19778 		goto nla_put_failure;
19779 
19780 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19781 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19782 			      color_bitmap, NL80211_ATTR_PAD))
19783 		goto nla_put_failure;
19784 
19785 	genlmsg_end(msg, hdr);
19786 
19787 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19788 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19789 
19790 nla_put_failure:
19791 	nlmsg_free(msg);
19792 	return -EINVAL;
19793 }
19794 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19795 
19796 void
19797 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19798 		     const struct cfg80211_chan_def *chandef,
19799 		     enum nl80211_radar_event event,
19800 		     struct net_device *netdev, gfp_t gfp)
19801 {
19802 	struct sk_buff *msg;
19803 	void *hdr;
19804 
19805 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19806 	if (!msg)
19807 		return;
19808 
19809 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19810 	if (!hdr) {
19811 		nlmsg_free(msg);
19812 		return;
19813 	}
19814 
19815 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19816 		goto nla_put_failure;
19817 
19818 	/* NOP and radar events don't need a netdev parameter */
19819 	if (netdev) {
19820 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19821 
19822 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19823 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19824 				      NL80211_ATTR_PAD))
19825 			goto nla_put_failure;
19826 	}
19827 
19828 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19829 		goto nla_put_failure;
19830 
19831 	if (nl80211_send_chandef(msg, chandef))
19832 		goto nla_put_failure;
19833 
19834 	genlmsg_end(msg, hdr);
19835 
19836 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19837 				NL80211_MCGRP_MLME, gfp);
19838 	return;
19839 
19840  nla_put_failure:
19841 	nlmsg_free(msg);
19842 }
19843 
19844 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19845 				       struct sta_opmode_info *sta_opmode,
19846 				       gfp_t gfp)
19847 {
19848 	struct sk_buff *msg;
19849 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19850 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19851 	void *hdr;
19852 
19853 	if (WARN_ON(!mac))
19854 		return;
19855 
19856 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19857 	if (!msg)
19858 		return;
19859 
19860 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19861 	if (!hdr) {
19862 		nlmsg_free(msg);
19863 		return;
19864 	}
19865 
19866 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19867 		goto nla_put_failure;
19868 
19869 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19870 		goto nla_put_failure;
19871 
19872 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19873 		goto nla_put_failure;
19874 
19875 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19876 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19877 		goto nla_put_failure;
19878 
19879 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19880 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19881 		goto nla_put_failure;
19882 
19883 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19884 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19885 		goto nla_put_failure;
19886 
19887 	genlmsg_end(msg, hdr);
19888 
19889 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19890 				NL80211_MCGRP_MLME, gfp);
19891 
19892 	return;
19893 
19894 nla_put_failure:
19895 	nlmsg_free(msg);
19896 }
19897 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19898 
19899 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19900 			   u64 cookie, bool acked, s32 ack_signal,
19901 			   bool is_valid_ack_signal, gfp_t gfp)
19902 {
19903 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19904 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19905 	struct sk_buff *msg;
19906 	void *hdr;
19907 
19908 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19909 
19910 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19911 
19912 	if (!msg)
19913 		return;
19914 
19915 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19916 	if (!hdr) {
19917 		nlmsg_free(msg);
19918 		return;
19919 	}
19920 
19921 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19922 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19923 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19924 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19925 			      NL80211_ATTR_PAD) ||
19926 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19927 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19928 						ack_signal)))
19929 		goto nla_put_failure;
19930 
19931 	genlmsg_end(msg, hdr);
19932 
19933 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19934 				NL80211_MCGRP_MLME, gfp);
19935 	return;
19936 
19937  nla_put_failure:
19938 	nlmsg_free(msg);
19939 }
19940 EXPORT_SYMBOL(cfg80211_probe_status);
19941 
19942 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19943 				     size_t len, int freq, int sig_dbm)
19944 {
19945 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19946 	struct sk_buff *msg;
19947 	void *hdr;
19948 	struct cfg80211_beacon_registration *reg;
19949 
19950 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19951 
19952 	spin_lock_bh(&rdev->beacon_registrations_lock);
19953 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19954 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19955 		if (!msg) {
19956 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19957 			return;
19958 		}
19959 
19960 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19961 		if (!hdr)
19962 			goto nla_put_failure;
19963 
19964 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19965 		    (freq &&
19966 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19967 				  KHZ_TO_MHZ(freq)) ||
19968 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19969 				  freq % 1000))) ||
19970 		    (sig_dbm &&
19971 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19972 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19973 			goto nla_put_failure;
19974 
19975 		genlmsg_end(msg, hdr);
19976 
19977 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19978 	}
19979 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19980 	return;
19981 
19982  nla_put_failure:
19983 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19984 	nlmsg_free(msg);
19985 }
19986 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19987 
19988 #ifdef CONFIG_PM
19989 static int cfg80211_net_detect_results(struct sk_buff *msg,
19990 				       struct cfg80211_wowlan_wakeup *wakeup)
19991 {
19992 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19993 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19994 	int i, j;
19995 
19996 	nl_results = nla_nest_start_noflag(msg,
19997 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19998 	if (!nl_results)
19999 		return -EMSGSIZE;
20000 
20001 	for (i = 0; i < nd->n_matches; i++) {
20002 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
20003 
20004 		nl_match = nla_nest_start_noflag(msg, i);
20005 		if (!nl_match)
20006 			break;
20007 
20008 		/* The SSID attribute is optional in nl80211, but for
20009 		 * simplicity reasons it's always present in the
20010 		 * cfg80211 structure.  If a driver can't pass the
20011 		 * SSID, that needs to be changed.  A zero length SSID
20012 		 * is still a valid SSID (wildcard), so it cannot be
20013 		 * used for this purpose.
20014 		 */
20015 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
20016 			    match->ssid.ssid)) {
20017 			nla_nest_cancel(msg, nl_match);
20018 			goto out;
20019 		}
20020 
20021 		if (match->n_channels) {
20022 			nl_freqs = nla_nest_start_noflag(msg,
20023 							 NL80211_ATTR_SCAN_FREQUENCIES);
20024 			if (!nl_freqs) {
20025 				nla_nest_cancel(msg, nl_match);
20026 				goto out;
20027 			}
20028 
20029 			for (j = 0; j < match->n_channels; j++) {
20030 				if (nla_put_u32(msg, j, match->channels[j])) {
20031 					nla_nest_cancel(msg, nl_freqs);
20032 					nla_nest_cancel(msg, nl_match);
20033 					goto out;
20034 				}
20035 			}
20036 
20037 			nla_nest_end(msg, nl_freqs);
20038 		}
20039 
20040 		nla_nest_end(msg, nl_match);
20041 	}
20042 
20043 out:
20044 	nla_nest_end(msg, nl_results);
20045 	return 0;
20046 }
20047 
20048 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
20049 				   struct cfg80211_wowlan_wakeup *wakeup,
20050 				   gfp_t gfp)
20051 {
20052 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20053 	struct sk_buff *msg;
20054 	void *hdr;
20055 	int size = 200;
20056 
20057 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
20058 
20059 	if (wakeup)
20060 		size += wakeup->packet_present_len;
20061 
20062 	msg = nlmsg_new(size, gfp);
20063 	if (!msg)
20064 		return;
20065 
20066 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
20067 	if (!hdr)
20068 		goto free_msg;
20069 
20070 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20071 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20072 			      NL80211_ATTR_PAD))
20073 		goto free_msg;
20074 
20075 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
20076 					wdev->netdev->ifindex))
20077 		goto free_msg;
20078 
20079 	if (wakeup) {
20080 		struct nlattr *reasons;
20081 
20082 		reasons = nla_nest_start_noflag(msg,
20083 						NL80211_ATTR_WOWLAN_TRIGGERS);
20084 		if (!reasons)
20085 			goto free_msg;
20086 
20087 		if (wakeup->disconnect &&
20088 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
20089 			goto free_msg;
20090 		if (wakeup->magic_pkt &&
20091 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
20092 			goto free_msg;
20093 		if (wakeup->gtk_rekey_failure &&
20094 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
20095 			goto free_msg;
20096 		if (wakeup->eap_identity_req &&
20097 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
20098 			goto free_msg;
20099 		if (wakeup->four_way_handshake &&
20100 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
20101 			goto free_msg;
20102 		if (wakeup->rfkill_release &&
20103 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
20104 			goto free_msg;
20105 
20106 		if (wakeup->pattern_idx >= 0 &&
20107 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
20108 				wakeup->pattern_idx))
20109 			goto free_msg;
20110 
20111 		if (wakeup->tcp_match &&
20112 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
20113 			goto free_msg;
20114 
20115 		if (wakeup->tcp_connlost &&
20116 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20117 			goto free_msg;
20118 
20119 		if (wakeup->tcp_nomoretokens &&
20120 		    nla_put_flag(msg,
20121 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20122 			goto free_msg;
20123 
20124 		if (wakeup->unprot_deauth_disassoc &&
20125 		    nla_put_flag(msg,
20126 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20127 			goto free_msg;
20128 
20129 		if (wakeup->packet) {
20130 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20131 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20132 
20133 			if (!wakeup->packet_80211) {
20134 				pkt_attr =
20135 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20136 				len_attr =
20137 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20138 			}
20139 
20140 			if (wakeup->packet_len &&
20141 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20142 				goto free_msg;
20143 
20144 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20145 				    wakeup->packet))
20146 				goto free_msg;
20147 		}
20148 
20149 		if (wakeup->net_detect &&
20150 		    cfg80211_net_detect_results(msg, wakeup))
20151 				goto free_msg;
20152 
20153 		nla_nest_end(msg, reasons);
20154 	}
20155 
20156 	genlmsg_end(msg, hdr);
20157 
20158 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20159 				NL80211_MCGRP_MLME, gfp);
20160 	return;
20161 
20162  free_msg:
20163 	nlmsg_free(msg);
20164 }
20165 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20166 #endif
20167 
20168 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20169 				enum nl80211_tdls_operation oper,
20170 				u16 reason_code, gfp_t gfp)
20171 {
20172 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20173 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20174 	struct sk_buff *msg;
20175 	void *hdr;
20176 
20177 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20178 					 reason_code);
20179 
20180 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20181 	if (!msg)
20182 		return;
20183 
20184 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20185 	if (!hdr) {
20186 		nlmsg_free(msg);
20187 		return;
20188 	}
20189 
20190 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20191 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20192 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20193 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20194 	    (reason_code > 0 &&
20195 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20196 		goto nla_put_failure;
20197 
20198 	genlmsg_end(msg, hdr);
20199 
20200 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20201 				NL80211_MCGRP_MLME, gfp);
20202 	return;
20203 
20204  nla_put_failure:
20205 	nlmsg_free(msg);
20206 }
20207 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20208 
20209 static int nl80211_netlink_notify(struct notifier_block * nb,
20210 				  unsigned long state,
20211 				  void *_notify)
20212 {
20213 	struct netlink_notify *notify = _notify;
20214 	struct cfg80211_registered_device *rdev;
20215 	struct wireless_dev *wdev;
20216 	struct cfg80211_beacon_registration *reg, *tmp;
20217 
20218 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20219 		return NOTIFY_DONE;
20220 
20221 	rcu_read_lock();
20222 
20223 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20224 		struct cfg80211_sched_scan_request *sched_scan_req;
20225 
20226 		list_for_each_entry_rcu(sched_scan_req,
20227 					&rdev->sched_scan_req_list,
20228 					list) {
20229 			if (sched_scan_req->owner_nlportid == notify->portid) {
20230 				sched_scan_req->nl_owner_dead = true;
20231 				wiphy_work_queue(&rdev->wiphy,
20232 						 &rdev->sched_scan_stop_wk);
20233 			}
20234 		}
20235 
20236 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20237 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20238 
20239 			if (wdev->owner_nlportid == notify->portid) {
20240 				wdev->nl_owner_dead = true;
20241 				schedule_work(&rdev->destroy_work);
20242 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20243 				schedule_work(&wdev->disconnect_wk);
20244 			}
20245 
20246 			cfg80211_release_pmsr(wdev, notify->portid);
20247 		}
20248 
20249 		spin_lock_bh(&rdev->beacon_registrations_lock);
20250 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20251 					 list) {
20252 			if (reg->nlportid == notify->portid) {
20253 				list_del(&reg->list);
20254 				kfree(reg);
20255 				break;
20256 			}
20257 		}
20258 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20259 	}
20260 
20261 	rcu_read_unlock();
20262 
20263 	/*
20264 	 * It is possible that the user space process that is controlling the
20265 	 * indoor setting disappeared, so notify the regulatory core.
20266 	 */
20267 	regulatory_netlink_notify(notify->portid);
20268 	return NOTIFY_OK;
20269 }
20270 
20271 static struct notifier_block nl80211_netlink_notifier = {
20272 	.notifier_call = nl80211_netlink_notify,
20273 };
20274 
20275 void cfg80211_ft_event(struct net_device *netdev,
20276 		       struct cfg80211_ft_event_params *ft_event)
20277 {
20278 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20279 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20280 	struct sk_buff *msg;
20281 	void *hdr;
20282 
20283 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20284 
20285 	if (!ft_event->target_ap)
20286 		return;
20287 
20288 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20289 			GFP_KERNEL);
20290 	if (!msg)
20291 		return;
20292 
20293 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20294 	if (!hdr)
20295 		goto out;
20296 
20297 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20298 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20299 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20300 		goto out;
20301 
20302 	if (ft_event->ies &&
20303 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20304 		goto out;
20305 	if (ft_event->ric_ies &&
20306 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20307 		    ft_event->ric_ies))
20308 		goto out;
20309 
20310 	genlmsg_end(msg, hdr);
20311 
20312 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20313 				NL80211_MCGRP_MLME, GFP_KERNEL);
20314 	return;
20315  out:
20316 	nlmsg_free(msg);
20317 }
20318 EXPORT_SYMBOL(cfg80211_ft_event);
20319 
20320 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20321 {
20322 	struct cfg80211_registered_device *rdev;
20323 	struct sk_buff *msg;
20324 	void *hdr;
20325 	u32 nlportid;
20326 
20327 	rdev = wiphy_to_rdev(wdev->wiphy);
20328 	if (!rdev->crit_proto_nlportid)
20329 		return;
20330 
20331 	nlportid = rdev->crit_proto_nlportid;
20332 	rdev->crit_proto_nlportid = 0;
20333 
20334 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20335 	if (!msg)
20336 		return;
20337 
20338 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20339 	if (!hdr)
20340 		goto nla_put_failure;
20341 
20342 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20343 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20344 			      NL80211_ATTR_PAD))
20345 		goto nla_put_failure;
20346 
20347 	genlmsg_end(msg, hdr);
20348 
20349 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20350 	return;
20351 
20352  nla_put_failure:
20353 	nlmsg_free(msg);
20354 }
20355 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20356 
20357 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20358 {
20359 	struct wiphy *wiphy = wdev->wiphy;
20360 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20361 	struct sk_buff *msg;
20362 	void *hdr;
20363 
20364 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20365 	if (!msg)
20366 		return;
20367 
20368 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20369 	if (!hdr)
20370 		goto out;
20371 
20372 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20373 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20374 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20375 			      NL80211_ATTR_PAD) ||
20376 	    (wdev->valid_links &&
20377 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20378 		goto out;
20379 
20380 	genlmsg_end(msg, hdr);
20381 
20382 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20383 				NL80211_MCGRP_MLME, GFP_KERNEL);
20384 	return;
20385  out:
20386 	nlmsg_free(msg);
20387 }
20388 
20389 int cfg80211_external_auth_request(struct net_device *dev,
20390 				   struct cfg80211_external_auth_params *params,
20391 				   gfp_t gfp)
20392 {
20393 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20394 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20395 	struct sk_buff *msg;
20396 	void *hdr;
20397 
20398 	if (!wdev->conn_owner_nlportid)
20399 		return -EINVAL;
20400 
20401 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20402 	if (!msg)
20403 		return -ENOMEM;
20404 
20405 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20406 	if (!hdr)
20407 		goto nla_put_failure;
20408 
20409 	/* Some historical mistakes in drivers <-> userspace interface (notably
20410 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20411 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20412 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20413 	 * benefit of older wpa_supplicant versions, send this particular value
20414 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20415 	 * particular value in big endian still, so it all continues to work.
20416 	 */
20417 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20418 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20419 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20420 			goto nla_put_failure;
20421 	} else {
20422 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20423 				params->key_mgmt_suite))
20424 			goto nla_put_failure;
20425 	}
20426 
20427 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20428 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20429 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20430 			params->action) ||
20431 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20432 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20433 		    params->ssid.ssid) ||
20434 	    (!is_zero_ether_addr(params->mld_addr) &&
20435 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20436 		goto nla_put_failure;
20437 
20438 	genlmsg_end(msg, hdr);
20439 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20440 			wdev->conn_owner_nlportid);
20441 	return 0;
20442 
20443  nla_put_failure:
20444 	nlmsg_free(msg);
20445 	return -ENOBUFS;
20446 }
20447 EXPORT_SYMBOL(cfg80211_external_auth_request);
20448 
20449 void cfg80211_update_owe_info_event(struct net_device *netdev,
20450 				    struct cfg80211_update_owe_info *owe_info,
20451 				    gfp_t gfp)
20452 {
20453 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20454 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20455 	struct sk_buff *msg;
20456 	void *hdr;
20457 
20458 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20459 
20460 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20461 	if (!msg)
20462 		return;
20463 
20464 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20465 	if (!hdr)
20466 		goto nla_put_failure;
20467 
20468 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20469 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20470 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20471 		goto nla_put_failure;
20472 
20473 	if (!owe_info->ie_len ||
20474 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20475 		goto nla_put_failure;
20476 
20477 	if (owe_info->assoc_link_id != -1) {
20478 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20479 			       owe_info->assoc_link_id))
20480 			goto nla_put_failure;
20481 
20482 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20483 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20484 			    owe_info->peer_mld_addr))
20485 			goto nla_put_failure;
20486 	}
20487 
20488 	genlmsg_end(msg, hdr);
20489 
20490 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20491 				NL80211_MCGRP_MLME, gfp);
20492 	return;
20493 
20494 nla_put_failure:
20495 	genlmsg_cancel(msg, hdr);
20496 	nlmsg_free(msg);
20497 }
20498 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20499 
20500 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20501 {
20502 	struct wiphy *wiphy = wdev->wiphy;
20503 
20504 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20505 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20506 	    (wiphy_ext_feature_isset(wiphy,
20507 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20508 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20509 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20510 		reg_check_channels();
20511 }
20512 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20513 
20514 void cfg80211_epcs_changed(struct net_device *netdev, bool enabled)
20515 {
20516 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
20517 	struct wiphy *wiphy = wdev->wiphy;
20518 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20519 	struct sk_buff *msg;
20520 	void *hdr;
20521 
20522 	trace_cfg80211_epcs_changed(wdev, enabled);
20523 
20524 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20525 	if (!msg)
20526 		return;
20527 
20528 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EPCS_CFG);
20529 	if (!hdr) {
20530 		nlmsg_free(msg);
20531 		return;
20532 	}
20533 
20534 	if (enabled && nla_put_flag(msg, NL80211_ATTR_EPCS))
20535 		goto nla_put_failure;
20536 
20537 	genlmsg_end(msg, hdr);
20538 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20539 				NL80211_MCGRP_MLME, GFP_KERNEL);
20540 	return;
20541 
20542  nla_put_failure:
20543 	nlmsg_free(msg);
20544 }
20545 EXPORT_SYMBOL(cfg80211_epcs_changed);
20546 
20547 /* initialisation/exit functions */
20548 
20549 int __init nl80211_init(void)
20550 {
20551 	int err;
20552 
20553 	err = genl_register_family(&nl80211_fam);
20554 	if (err)
20555 		return err;
20556 
20557 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20558 	if (err)
20559 		goto err_out;
20560 
20561 	return 0;
20562  err_out:
20563 	genl_unregister_family(&nl80211_fam);
20564 	return err;
20565 }
20566 
20567 void nl80211_exit(void)
20568 {
20569 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20570 	genl_unregister_family(&nl80211_fam);
20571 }
20572