xref: /linux/net/wireless/nl80211.c (revision e3b9626f09d429788d929c9b9000a069fcfc056e) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2020 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
68 {
69 	struct cfg80211_registered_device *rdev;
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	ASSERT_RTNL();
78 
79 	if (!have_ifidx && !have_wdev_id)
80 		return ERR_PTR(-EINVAL);
81 
82 	if (have_ifidx)
83 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
84 	if (have_wdev_id) {
85 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
86 		wiphy_idx = wdev_id >> 32;
87 	}
88 
89 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
90 		struct wireless_dev *wdev;
91 
92 		if (wiphy_net(&rdev->wiphy) != netns)
93 			continue;
94 
95 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
96 			continue;
97 
98 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
99 			if (have_ifidx && wdev->netdev &&
100 			    wdev->netdev->ifindex == ifidx) {
101 				result = wdev;
102 				break;
103 			}
104 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
105 				result = wdev;
106 				break;
107 			}
108 		}
109 
110 		if (result)
111 			break;
112 	}
113 
114 	if (result)
115 		return result;
116 	return ERR_PTR(-ENODEV);
117 }
118 
119 static struct cfg80211_registered_device *
120 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
121 {
122 	struct cfg80211_registered_device *rdev = NULL, *tmp;
123 	struct net_device *netdev;
124 
125 	ASSERT_RTNL();
126 
127 	if (!attrs[NL80211_ATTR_WIPHY] &&
128 	    !attrs[NL80211_ATTR_IFINDEX] &&
129 	    !attrs[NL80211_ATTR_WDEV])
130 		return ERR_PTR(-EINVAL);
131 
132 	if (attrs[NL80211_ATTR_WIPHY])
133 		rdev = cfg80211_rdev_by_wiphy_idx(
134 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
135 
136 	if (attrs[NL80211_ATTR_WDEV]) {
137 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
138 		struct wireless_dev *wdev;
139 		bool found = false;
140 
141 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
142 		if (tmp) {
143 			/* make sure wdev exists */
144 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
145 				if (wdev->identifier != (u32)wdev_id)
146 					continue;
147 				found = true;
148 				break;
149 			}
150 
151 			if (!found)
152 				tmp = NULL;
153 
154 			if (rdev && tmp != rdev)
155 				return ERR_PTR(-EINVAL);
156 			rdev = tmp;
157 		}
158 	}
159 
160 	if (attrs[NL80211_ATTR_IFINDEX]) {
161 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
162 
163 		netdev = __dev_get_by_index(netns, ifindex);
164 		if (netdev) {
165 			if (netdev->ieee80211_ptr)
166 				tmp = wiphy_to_rdev(
167 					netdev->ieee80211_ptr->wiphy);
168 			else
169 				tmp = NULL;
170 
171 			/* not wireless device -- return error */
172 			if (!tmp)
173 				return ERR_PTR(-EINVAL);
174 
175 			/* mismatch -- return error */
176 			if (rdev && tmp != rdev)
177 				return ERR_PTR(-EINVAL);
178 
179 			rdev = tmp;
180 		}
181 	}
182 
183 	if (!rdev)
184 		return ERR_PTR(-ENODEV);
185 
186 	if (netns != wiphy_net(&rdev->wiphy))
187 		return ERR_PTR(-ENODEV);
188 
189 	return rdev;
190 }
191 
192 /*
193  * This function returns a pointer to the driver
194  * that the genl_info item that is passed refers to.
195  *
196  * The result of this can be a PTR_ERR and hence must
197  * be checked with IS_ERR() for errors.
198  */
199 static struct cfg80211_registered_device *
200 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
201 {
202 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
203 }
204 
205 static int validate_beacon_head(const struct nlattr *attr,
206 				struct netlink_ext_ack *extack)
207 {
208 	const u8 *data = nla_data(attr);
209 	unsigned int len = nla_len(attr);
210 	const struct element *elem;
211 	const struct ieee80211_mgmt *mgmt = (void *)data;
212 	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
213 					 u.beacon.variable);
214 
215 	if (len < fixedlen)
216 		goto err;
217 
218 	if (ieee80211_hdrlen(mgmt->frame_control) !=
219 	    offsetof(struct ieee80211_mgmt, u.beacon))
220 		goto err;
221 
222 	data += fixedlen;
223 	len -= fixedlen;
224 
225 	for_each_element(elem, data, len) {
226 		/* nothing */
227 	}
228 
229 	if (for_each_element_completed(elem, data, len))
230 		return 0;
231 
232 err:
233 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
234 	return -EINVAL;
235 }
236 
237 static int validate_ie_attr(const struct nlattr *attr,
238 			    struct netlink_ext_ack *extack)
239 {
240 	const u8 *data = nla_data(attr);
241 	unsigned int len = nla_len(attr);
242 	const struct element *elem;
243 
244 	for_each_element(elem, data, len) {
245 		/* nothing */
246 	}
247 
248 	if (for_each_element_completed(elem, data, len))
249 		return 0;
250 
251 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
252 	return -EINVAL;
253 }
254 
255 /* policy for the attributes */
256 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
257 
258 static const struct nla_policy
259 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
260 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
261 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
262 					.len = U8_MAX },
263 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
264 					     .len = U8_MAX },
265 };
266 
267 static const struct nla_policy
268 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
269 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
270 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
271 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
272 		NLA_POLICY_MAX(NLA_U8, 15),
273 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
274 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
275 		NLA_POLICY_MAX(NLA_U8, 15),
276 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
277 		NLA_POLICY_MAX(NLA_U8, 31),
278 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
279 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
280 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
281 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
282 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
283 };
284 
285 static const struct nla_policy
286 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
287 	[NL80211_PMSR_TYPE_FTM] =
288 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
289 };
290 
291 static const struct nla_policy
292 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
293 	[NL80211_PMSR_REQ_ATTR_DATA] =
294 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
295 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
296 };
297 
298 static const struct nla_policy
299 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
300 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
301 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
302 	[NL80211_PMSR_PEER_ATTR_REQ] =
303 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
304 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
305 };
306 
307 static const struct nla_policy
308 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
309 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
310 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
311 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
312 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
313 	[NL80211_PMSR_ATTR_PEERS] =
314 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
315 };
316 
317 static const struct nla_policy
318 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
319 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
320 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
321 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
322 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
323 };
324 
325 static const struct nla_policy
326 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
327 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
328 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
329 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
330 };
331 
332 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
333 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
334 				    .len = NL80211_MAX_SUPP_RATES },
335 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
336 				.len = NL80211_MAX_SUPP_HT_RATES },
337 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
338 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
339 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
340 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
341 						   NL80211_RATE_INFO_HE_GI_0_8,
342 						   NL80211_RATE_INFO_HE_GI_3_2),
343 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
344 						   NL80211_RATE_INFO_HE_1XLTF,
345 						   NL80211_RATE_INFO_HE_4XLTF),
346 };
347 
348 static const struct nla_policy
349 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
350 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
351 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
352 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
353 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
354 	[NL80211_TID_CONFIG_ATTR_NOACK] =
355 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
356 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
357 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
358 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
359 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
360 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
361 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
362 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
363 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
364 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
365 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
366 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
367 			NLA_POLICY_NESTED(nl80211_txattr_policy),
368 };
369 
370 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
371 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
372 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
373 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
374 				      .len = 20-1 },
375 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
376 
377 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
378 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
379 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
380 						NL80211_EDMG_CHANNELS_MIN,
381 						NL80211_EDMG_CHANNELS_MAX),
382 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
383 						NL80211_EDMG_BW_CONFIG_MIN,
384 						NL80211_EDMG_BW_CONFIG_MAX),
385 
386 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
387 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
388 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
389 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
390 
391 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
392 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
393 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
394 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
395 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
396 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
397 
398 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
399 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
400 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
401 
402 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
403 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
404 
405 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
406 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
407 				    .len = WLAN_MAX_KEY_LEN },
408 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
409 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
410 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
411 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
412 	[NL80211_ATTR_KEY_TYPE] =
413 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
414 
415 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
416 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
417 	[NL80211_ATTR_BEACON_HEAD] =
418 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
419 				       IEEE80211_MAX_DATA_LEN),
420 	[NL80211_ATTR_BEACON_TAIL] =
421 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
422 				       IEEE80211_MAX_DATA_LEN),
423 	[NL80211_ATTR_STA_AID] =
424 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
425 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
426 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
427 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
428 					       .len = NL80211_MAX_SUPP_RATES },
429 	[NL80211_ATTR_STA_PLINK_ACTION] =
430 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
431 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
432 		NLA_POLICY_RANGE(NLA_U8,
433 				 NL80211_TX_POWER_AUTOMATIC,
434 				 NL80211_TX_POWER_FIXED),
435 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
436 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
437 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
438 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
439 				   .len = IEEE80211_MAX_MESH_ID_LEN },
440 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
441 
442 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
443 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
444 
445 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
446 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
447 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
448 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
449 					   .len = NL80211_MAX_SUPP_RATES },
450 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
451 
452 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
453 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
454 
455 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
456 
457 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
458 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
459 						   validate_ie_attr,
460 						   IEEE80211_MAX_DATA_LEN),
461 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
462 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
463 
464 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
465 				.len = IEEE80211_MAX_SSID_LEN },
466 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
467 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
468 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
469 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
470 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
471 						  NL80211_MFP_NO,
472 						  NL80211_MFP_OPTIONAL),
473 	[NL80211_ATTR_STA_FLAGS2] = {
474 		.len = sizeof(struct nl80211_sta_flag_update),
475 	},
476 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
477 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
478 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
479 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
480 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
481 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
482 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
484 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
485 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
486 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
487 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
488 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
489 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
490 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
491 				 .len = IEEE80211_MAX_DATA_LEN },
492 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
493 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
494 						   NL80211_PS_DISABLED,
495 						   NL80211_PS_ENABLED),
496 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
497 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
498 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
499 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
500 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
501 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
502 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
503 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
504 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
505 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
506 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
507 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
508 	[NL80211_ATTR_STA_PLINK_STATE] =
509 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
510 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
511 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
512 	[NL80211_ATTR_MESH_PEER_AID] =
513 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
514 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
515 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
516 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
517 	[NL80211_ATTR_HIDDEN_SSID] =
518 		NLA_POLICY_RANGE(NLA_U32,
519 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
520 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
521 	[NL80211_ATTR_IE_PROBE_RESP] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_IE_ASSOC_RESP] =
525 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
526 				       IEEE80211_MAX_DATA_LEN),
527 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
528 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
529 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
530 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
531 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
532 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
533 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
534 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
535 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
536 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
537 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
538 				      .len = IEEE80211_MAX_DATA_LEN },
539 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
540 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
541 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
542 		.len = NL80211_HT_CAPABILITY_LEN
543 	},
544 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
545 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
546 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
547 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
548 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
549 
550 	/* need to include at least Auth Transaction and Status Code */
551 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
552 
553 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
554 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
555 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
556 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
557 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
558 		NLA_POLICY_RANGE(NLA_U32,
559 				 NL80211_MESH_POWER_UNKNOWN + 1,
560 				 NL80211_MESH_POWER_MAX),
561 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
562 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
563 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
564 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
565 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
566 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
568 		.len = NL80211_VHT_CAPABILITY_LEN,
569 	},
570 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
571 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
572 				  .len = IEEE80211_MAX_DATA_LEN },
573 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
574 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
575 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
576 	[NL80211_ATTR_PEER_AID] =
577 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
578 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
579 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
581 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
582 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
583 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
584 	/*
585 	 * The value of the Length field of the Supported Operating
586 	 * Classes element is between 2 and 253.
587 	 */
588 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
589 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
590 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
591 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
592 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
593 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
594 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
595 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
596 						  IEEE80211_QOS_MAP_LEN_MIN,
597 						  IEEE80211_QOS_MAP_LEN_MAX),
598 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
599 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
600 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
601 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
603 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
604 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
605 	[NL80211_ATTR_USER_PRIO] =
606 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
607 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
608 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
609 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
610 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
611 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
612 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
613 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
614 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
615 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
616 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
617 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
618 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
619 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
620 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
621 	},
622 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
623 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
624 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
625 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
626 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
627 				    .len = FILS_MAX_KEK_LEN },
628 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
629 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
630 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
631 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
632 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
633 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
634 	},
635 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
636 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
637 					     .len = FILS_ERP_MAX_USERNAME_LEN },
638 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
639 					  .len = FILS_ERP_MAX_REALM_LEN },
640 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
641 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
642 					.len = FILS_ERP_MAX_RRK_LEN },
643 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
644 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
645 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
646 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
647 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
648 
649 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
650 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
651 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
652 	[NL80211_ATTR_HE_CAPABILITY] =
653 		NLA_POLICY_RANGE(NLA_BINARY,
654 				 NL80211_HE_MIN_CAPABILITY_LEN,
655 				 NL80211_HE_MAX_CAPABILITY_LEN),
656 	[NL80211_ATTR_FTM_RESPONDER] =
657 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
658 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
659 	[NL80211_ATTR_PEER_MEASUREMENTS] =
660 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
661 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
662 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
663 					.len = SAE_PASSWORD_MAX_LEN },
664 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
665 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
666 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
667 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
668 	[NL80211_ATTR_TID_CONFIG] =
669 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
670 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
671 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
672 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
673 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
674 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
675 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
676 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
677 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
678 };
679 
680 /* policy for the key attributes */
681 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
682 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
683 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
684 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
685 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
686 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
687 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
688 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
689 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
690 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
691 };
692 
693 /* policy for the key default flags */
694 static const struct nla_policy
695 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
696 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
697 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
698 };
699 
700 #ifdef CONFIG_PM
701 /* policy for WoWLAN attributes */
702 static const struct nla_policy
703 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
704 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
705 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
706 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
707 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
708 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
709 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
710 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
711 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
712 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
713 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
714 };
715 
716 static const struct nla_policy
717 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
718 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
719 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
720 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
721 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
722 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
723 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
724 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
725 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
726 	},
727 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
728 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
729 	},
730 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
731 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
732 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
733 };
734 #endif /* CONFIG_PM */
735 
736 /* policy for coalesce rule attributes */
737 static const struct nla_policy
738 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
739 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
740 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
741 		NLA_POLICY_RANGE(NLA_U32,
742 				 NL80211_COALESCE_CONDITION_MATCH,
743 				 NL80211_COALESCE_CONDITION_NO_MATCH),
744 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
745 };
746 
747 /* policy for GTK rekey offload attributes */
748 static const struct nla_policy
749 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
750 	[NL80211_REKEY_DATA_KEK] = {
751 		.type = NLA_BINARY,
752 		.len = NL80211_KEK_EXT_LEN
753 	},
754 	[NL80211_REKEY_DATA_KCK] = {
755 		.type = NLA_BINARY,
756 		.len = NL80211_KCK_EXT_LEN
757 	},
758 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
759 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
760 };
761 
762 static const struct nla_policy
763 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
764 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
765 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
766 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
767 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
768 };
769 
770 static const struct nla_policy
771 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
772 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
773 						 .len = IEEE80211_MAX_SSID_LEN },
774 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
775 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
776 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
777 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
778 };
779 
780 static const struct nla_policy
781 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
782 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
783 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
784 };
785 
786 static const struct nla_policy
787 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
788 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
789 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
790 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
791 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
792 	},
793 };
794 
795 /* policy for NAN function attributes */
796 static const struct nla_policy
797 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
798 	[NL80211_NAN_FUNC_TYPE] =
799 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
800 	[NL80211_NAN_FUNC_SERVICE_ID] = {
801 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
802 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
803 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
804 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
805 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
806 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
807 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
808 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
809 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
810 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
811 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
812 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
813 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
814 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
815 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
816 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
817 };
818 
819 /* policy for Service Response Filter attributes */
820 static const struct nla_policy
821 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
822 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
823 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
824 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
825 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
826 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
827 };
828 
829 /* policy for packet pattern attributes */
830 static const struct nla_policy
831 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
832 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
833 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
834 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
835 };
836 
837 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
838 			      struct cfg80211_registered_device **rdev,
839 			      struct wireless_dev **wdev)
840 {
841 	int err;
842 
843 	if (!cb->args[0]) {
844 		struct nlattr **attrbuf;
845 
846 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
847 				  GFP_KERNEL);
848 		if (!attrbuf)
849 			return -ENOMEM;
850 
851 		err = nlmsg_parse_deprecated(cb->nlh,
852 					     GENL_HDRLEN + nl80211_fam.hdrsize,
853 					     attrbuf, nl80211_fam.maxattr,
854 					     nl80211_policy, NULL);
855 		if (err) {
856 			kfree(attrbuf);
857 			return err;
858 		}
859 
860 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
861 						   attrbuf);
862 		kfree(attrbuf);
863 		if (IS_ERR(*wdev))
864 			return PTR_ERR(*wdev);
865 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
866 		/* 0 is the first index - add 1 to parse only once */
867 		cb->args[0] = (*rdev)->wiphy_idx + 1;
868 		cb->args[1] = (*wdev)->identifier;
869 	} else {
870 		/* subtract the 1 again here */
871 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
872 		struct wireless_dev *tmp;
873 
874 		if (!wiphy)
875 			return -ENODEV;
876 		*rdev = wiphy_to_rdev(wiphy);
877 		*wdev = NULL;
878 
879 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
880 			if (tmp->identifier == cb->args[1]) {
881 				*wdev = tmp;
882 				break;
883 			}
884 		}
885 
886 		if (!*wdev)
887 			return -ENODEV;
888 	}
889 
890 	return 0;
891 }
892 
893 /* message building helper */
894 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
895 		     int flags, u8 cmd)
896 {
897 	/* since there is no private header just add the generic one */
898 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
899 }
900 
901 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
902 				     const struct ieee80211_reg_rule *rule)
903 {
904 	int j;
905 	struct nlattr *nl_wmm_rules =
906 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
907 
908 	if (!nl_wmm_rules)
909 		goto nla_put_failure;
910 
911 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
912 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
913 
914 		if (!nl_wmm_rule)
915 			goto nla_put_failure;
916 
917 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
918 				rule->wmm_rule.client[j].cw_min) ||
919 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
920 				rule->wmm_rule.client[j].cw_max) ||
921 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
922 			       rule->wmm_rule.client[j].aifsn) ||
923 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
924 			        rule->wmm_rule.client[j].cot))
925 			goto nla_put_failure;
926 
927 		nla_nest_end(msg, nl_wmm_rule);
928 	}
929 	nla_nest_end(msg, nl_wmm_rules);
930 
931 	return 0;
932 
933 nla_put_failure:
934 	return -ENOBUFS;
935 }
936 
937 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
938 				   struct ieee80211_channel *chan,
939 				   bool large)
940 {
941 	/* Some channels must be completely excluded from the
942 	 * list to protect old user-space tools from breaking
943 	 */
944 	if (!large && chan->flags &
945 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
946 		return 0;
947 
948 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
949 			chan->center_freq))
950 		goto nla_put_failure;
951 
952 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
953 		goto nla_put_failure;
954 
955 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
956 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
957 		goto nla_put_failure;
958 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
959 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
960 			goto nla_put_failure;
961 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
962 			goto nla_put_failure;
963 	}
964 	if (chan->flags & IEEE80211_CHAN_RADAR) {
965 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
966 			goto nla_put_failure;
967 		if (large) {
968 			u32 time;
969 
970 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
971 
972 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
973 					chan->dfs_state))
974 				goto nla_put_failure;
975 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
976 					time))
977 				goto nla_put_failure;
978 			if (nla_put_u32(msg,
979 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
980 					chan->dfs_cac_ms))
981 				goto nla_put_failure;
982 		}
983 	}
984 
985 	if (large) {
986 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
987 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
988 			goto nla_put_failure;
989 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
990 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
991 			goto nla_put_failure;
992 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
993 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
994 			goto nla_put_failure;
995 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
996 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
997 			goto nla_put_failure;
998 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
999 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1000 			goto nla_put_failure;
1001 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1002 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1003 			goto nla_put_failure;
1004 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1005 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1006 			goto nla_put_failure;
1007 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1008 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1009 			goto nla_put_failure;
1010 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1011 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1012 			goto nla_put_failure;
1013 	}
1014 
1015 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1016 			DBM_TO_MBM(chan->max_power)))
1017 		goto nla_put_failure;
1018 
1019 	if (large) {
1020 		const struct ieee80211_reg_rule *rule =
1021 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1022 
1023 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1024 			if (nl80211_msg_put_wmm_rules(msg, rule))
1025 				goto nla_put_failure;
1026 		}
1027 	}
1028 
1029 	return 0;
1030 
1031  nla_put_failure:
1032 	return -ENOBUFS;
1033 }
1034 
1035 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1036 				  struct cfg80211_txq_stats *txqstats,
1037 				  int attrtype)
1038 {
1039 	struct nlattr *txqattr;
1040 
1041 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1042 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1043 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1044 		return false;						  \
1045 	} while (0)
1046 
1047 	txqattr = nla_nest_start_noflag(msg, attrtype);
1048 	if (!txqattr)
1049 		return false;
1050 
1051 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1052 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1053 	PUT_TXQVAL_U32(FLOWS, flows);
1054 	PUT_TXQVAL_U32(DROPS, drops);
1055 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1056 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1057 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1058 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1059 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1060 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1061 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1062 	nla_nest_end(msg, txqattr);
1063 
1064 #undef PUT_TXQVAL_U32
1065 	return true;
1066 }
1067 
1068 /* netlink command implementations */
1069 
1070 struct key_parse {
1071 	struct key_params p;
1072 	int idx;
1073 	int type;
1074 	bool def, defmgmt, defbeacon;
1075 	bool def_uni, def_multi;
1076 };
1077 
1078 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1079 				 struct key_parse *k)
1080 {
1081 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1082 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1083 					      nl80211_key_policy,
1084 					      info->extack);
1085 	if (err)
1086 		return err;
1087 
1088 	k->def = !!tb[NL80211_KEY_DEFAULT];
1089 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1090 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1091 
1092 	if (k->def) {
1093 		k->def_uni = true;
1094 		k->def_multi = true;
1095 	}
1096 	if (k->defmgmt || k->defbeacon)
1097 		k->def_multi = true;
1098 
1099 	if (tb[NL80211_KEY_IDX])
1100 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1101 
1102 	if (tb[NL80211_KEY_DATA]) {
1103 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1104 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1105 	}
1106 
1107 	if (tb[NL80211_KEY_SEQ]) {
1108 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1109 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1110 	}
1111 
1112 	if (tb[NL80211_KEY_CIPHER])
1113 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1114 
1115 	if (tb[NL80211_KEY_TYPE])
1116 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1117 
1118 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1119 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1120 
1121 		err = nla_parse_nested_deprecated(kdt,
1122 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1123 						  tb[NL80211_KEY_DEFAULT_TYPES],
1124 						  nl80211_key_default_policy,
1125 						  info->extack);
1126 		if (err)
1127 			return err;
1128 
1129 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1130 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1131 	}
1132 
1133 	if (tb[NL80211_KEY_MODE])
1134 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1135 
1136 	return 0;
1137 }
1138 
1139 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1140 {
1141 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1142 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1143 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1144 	}
1145 
1146 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1147 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1148 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1149 	}
1150 
1151 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1152 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1153 
1154 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1155 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1156 
1157 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1158 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1159 
1160 	if (k->def) {
1161 		k->def_uni = true;
1162 		k->def_multi = true;
1163 	}
1164 	if (k->defmgmt)
1165 		k->def_multi = true;
1166 
1167 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1168 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1169 
1170 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1171 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1172 		int err = nla_parse_nested_deprecated(kdt,
1173 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1174 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1175 						      nl80211_key_default_policy,
1176 						      info->extack);
1177 		if (err)
1178 			return err;
1179 
1180 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1181 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1182 	}
1183 
1184 	return 0;
1185 }
1186 
1187 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1188 {
1189 	int err;
1190 
1191 	memset(k, 0, sizeof(*k));
1192 	k->idx = -1;
1193 	k->type = -1;
1194 
1195 	if (info->attrs[NL80211_ATTR_KEY])
1196 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1197 	else
1198 		err = nl80211_parse_key_old(info, k);
1199 
1200 	if (err)
1201 		return err;
1202 
1203 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1204 	    (k->defbeacon ? 1 : 0) > 1) {
1205 		GENL_SET_ERR_MSG(info,
1206 				 "key with multiple default flags is invalid");
1207 		return -EINVAL;
1208 	}
1209 
1210 	if (k->defmgmt || k->defbeacon) {
1211 		if (k->def_uni || !k->def_multi) {
1212 			GENL_SET_ERR_MSG(info,
1213 					 "defmgmt/defbeacon key must be mcast");
1214 			return -EINVAL;
1215 		}
1216 	}
1217 
1218 	if (k->idx != -1) {
1219 		if (k->defmgmt) {
1220 			if (k->idx < 4 || k->idx > 5) {
1221 				GENL_SET_ERR_MSG(info,
1222 						 "defmgmt key idx not 4 or 5");
1223 				return -EINVAL;
1224 			}
1225 		} else if (k->defbeacon) {
1226 			if (k->idx < 6 || k->idx > 7) {
1227 				GENL_SET_ERR_MSG(info,
1228 						 "defbeacon key idx not 6 or 7");
1229 				return -EINVAL;
1230 			}
1231 		} else if (k->def) {
1232 			if (k->idx < 0 || k->idx > 3) {
1233 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1234 				return -EINVAL;
1235 			}
1236 		} else {
1237 			if (k->idx < 0 || k->idx > 7) {
1238 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1239 				return -EINVAL;
1240 			}
1241 		}
1242 	}
1243 
1244 	return 0;
1245 }
1246 
1247 static struct cfg80211_cached_keys *
1248 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1249 		       struct genl_info *info, bool *no_ht)
1250 {
1251 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1252 	struct key_parse parse;
1253 	struct nlattr *key;
1254 	struct cfg80211_cached_keys *result;
1255 	int rem, err, def = 0;
1256 	bool have_key = false;
1257 
1258 	nla_for_each_nested(key, keys, rem) {
1259 		have_key = true;
1260 		break;
1261 	}
1262 
1263 	if (!have_key)
1264 		return NULL;
1265 
1266 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1267 	if (!result)
1268 		return ERR_PTR(-ENOMEM);
1269 
1270 	result->def = -1;
1271 
1272 	nla_for_each_nested(key, keys, rem) {
1273 		memset(&parse, 0, sizeof(parse));
1274 		parse.idx = -1;
1275 
1276 		err = nl80211_parse_key_new(info, key, &parse);
1277 		if (err)
1278 			goto error;
1279 		err = -EINVAL;
1280 		if (!parse.p.key)
1281 			goto error;
1282 		if (parse.idx < 0 || parse.idx > 3) {
1283 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1284 			goto error;
1285 		}
1286 		if (parse.def) {
1287 			if (def) {
1288 				GENL_SET_ERR_MSG(info,
1289 						 "only one key can be default");
1290 				goto error;
1291 			}
1292 			def = 1;
1293 			result->def = parse.idx;
1294 			if (!parse.def_uni || !parse.def_multi)
1295 				goto error;
1296 		} else if (parse.defmgmt)
1297 			goto error;
1298 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1299 						     parse.idx, false, NULL);
1300 		if (err)
1301 			goto error;
1302 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1303 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1304 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1305 			err = -EINVAL;
1306 			goto error;
1307 		}
1308 		result->params[parse.idx].cipher = parse.p.cipher;
1309 		result->params[parse.idx].key_len = parse.p.key_len;
1310 		result->params[parse.idx].key = result->data[parse.idx];
1311 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1312 
1313 		/* must be WEP key if we got here */
1314 		if (no_ht)
1315 			*no_ht = true;
1316 	}
1317 
1318 	if (result->def < 0) {
1319 		err = -EINVAL;
1320 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1321 		goto error;
1322 	}
1323 
1324 	return result;
1325  error:
1326 	kfree(result);
1327 	return ERR_PTR(err);
1328 }
1329 
1330 static int nl80211_key_allowed(struct wireless_dev *wdev)
1331 {
1332 	ASSERT_WDEV_LOCK(wdev);
1333 
1334 	switch (wdev->iftype) {
1335 	case NL80211_IFTYPE_AP:
1336 	case NL80211_IFTYPE_AP_VLAN:
1337 	case NL80211_IFTYPE_P2P_GO:
1338 	case NL80211_IFTYPE_MESH_POINT:
1339 		break;
1340 	case NL80211_IFTYPE_ADHOC:
1341 	case NL80211_IFTYPE_STATION:
1342 	case NL80211_IFTYPE_P2P_CLIENT:
1343 		if (!wdev->current_bss)
1344 			return -ENOLINK;
1345 		break;
1346 	case NL80211_IFTYPE_UNSPECIFIED:
1347 	case NL80211_IFTYPE_OCB:
1348 	case NL80211_IFTYPE_MONITOR:
1349 	case NL80211_IFTYPE_NAN:
1350 	case NL80211_IFTYPE_P2P_DEVICE:
1351 	case NL80211_IFTYPE_WDS:
1352 	case NUM_NL80211_IFTYPES:
1353 		return -EINVAL;
1354 	}
1355 
1356 	return 0;
1357 }
1358 
1359 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1360 							u32 freq)
1361 {
1362 	struct ieee80211_channel *chan;
1363 
1364 	chan = ieee80211_get_channel_khz(wiphy, freq);
1365 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1366 		return NULL;
1367 	return chan;
1368 }
1369 
1370 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1371 {
1372 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1373 	int i;
1374 
1375 	if (!nl_modes)
1376 		goto nla_put_failure;
1377 
1378 	i = 0;
1379 	while (ifmodes) {
1380 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1381 			goto nla_put_failure;
1382 		ifmodes >>= 1;
1383 		i++;
1384 	}
1385 
1386 	nla_nest_end(msg, nl_modes);
1387 	return 0;
1388 
1389 nla_put_failure:
1390 	return -ENOBUFS;
1391 }
1392 
1393 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1394 					  struct sk_buff *msg,
1395 					  bool large)
1396 {
1397 	struct nlattr *nl_combis;
1398 	int i, j;
1399 
1400 	nl_combis = nla_nest_start_noflag(msg,
1401 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1402 	if (!nl_combis)
1403 		goto nla_put_failure;
1404 
1405 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1406 		const struct ieee80211_iface_combination *c;
1407 		struct nlattr *nl_combi, *nl_limits;
1408 
1409 		c = &wiphy->iface_combinations[i];
1410 
1411 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1412 		if (!nl_combi)
1413 			goto nla_put_failure;
1414 
1415 		nl_limits = nla_nest_start_noflag(msg,
1416 						  NL80211_IFACE_COMB_LIMITS);
1417 		if (!nl_limits)
1418 			goto nla_put_failure;
1419 
1420 		for (j = 0; j < c->n_limits; j++) {
1421 			struct nlattr *nl_limit;
1422 
1423 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1424 			if (!nl_limit)
1425 				goto nla_put_failure;
1426 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1427 					c->limits[j].max))
1428 				goto nla_put_failure;
1429 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1430 						c->limits[j].types))
1431 				goto nla_put_failure;
1432 			nla_nest_end(msg, nl_limit);
1433 		}
1434 
1435 		nla_nest_end(msg, nl_limits);
1436 
1437 		if (c->beacon_int_infra_match &&
1438 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1439 			goto nla_put_failure;
1440 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1441 				c->num_different_channels) ||
1442 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1443 				c->max_interfaces))
1444 			goto nla_put_failure;
1445 		if (large &&
1446 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1447 				c->radar_detect_widths) ||
1448 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1449 				c->radar_detect_regions)))
1450 			goto nla_put_failure;
1451 		if (c->beacon_int_min_gcd &&
1452 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1453 				c->beacon_int_min_gcd))
1454 			goto nla_put_failure;
1455 
1456 		nla_nest_end(msg, nl_combi);
1457 	}
1458 
1459 	nla_nest_end(msg, nl_combis);
1460 
1461 	return 0;
1462 nla_put_failure:
1463 	return -ENOBUFS;
1464 }
1465 
1466 #ifdef CONFIG_PM
1467 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1468 					struct sk_buff *msg)
1469 {
1470 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1471 	struct nlattr *nl_tcp;
1472 
1473 	if (!tcp)
1474 		return 0;
1475 
1476 	nl_tcp = nla_nest_start_noflag(msg,
1477 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1478 	if (!nl_tcp)
1479 		return -ENOBUFS;
1480 
1481 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1482 			tcp->data_payload_max))
1483 		return -ENOBUFS;
1484 
1485 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1486 			tcp->data_payload_max))
1487 		return -ENOBUFS;
1488 
1489 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1490 		return -ENOBUFS;
1491 
1492 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1493 				sizeof(*tcp->tok), tcp->tok))
1494 		return -ENOBUFS;
1495 
1496 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1497 			tcp->data_interval_max))
1498 		return -ENOBUFS;
1499 
1500 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1501 			tcp->wake_payload_max))
1502 		return -ENOBUFS;
1503 
1504 	nla_nest_end(msg, nl_tcp);
1505 	return 0;
1506 }
1507 
1508 static int nl80211_send_wowlan(struct sk_buff *msg,
1509 			       struct cfg80211_registered_device *rdev,
1510 			       bool large)
1511 {
1512 	struct nlattr *nl_wowlan;
1513 
1514 	if (!rdev->wiphy.wowlan)
1515 		return 0;
1516 
1517 	nl_wowlan = nla_nest_start_noflag(msg,
1518 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1519 	if (!nl_wowlan)
1520 		return -ENOBUFS;
1521 
1522 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1523 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1524 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1525 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1526 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1527 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1528 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1529 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1530 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1531 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1532 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1533 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1534 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1535 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1536 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1537 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1538 		return -ENOBUFS;
1539 
1540 	if (rdev->wiphy.wowlan->n_patterns) {
1541 		struct nl80211_pattern_support pat = {
1542 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1543 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1544 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1545 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1546 		};
1547 
1548 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1549 			    sizeof(pat), &pat))
1550 			return -ENOBUFS;
1551 	}
1552 
1553 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1554 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1555 			rdev->wiphy.wowlan->max_nd_match_sets))
1556 		return -ENOBUFS;
1557 
1558 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1559 		return -ENOBUFS;
1560 
1561 	nla_nest_end(msg, nl_wowlan);
1562 
1563 	return 0;
1564 }
1565 #endif
1566 
1567 static int nl80211_send_coalesce(struct sk_buff *msg,
1568 				 struct cfg80211_registered_device *rdev)
1569 {
1570 	struct nl80211_coalesce_rule_support rule;
1571 
1572 	if (!rdev->wiphy.coalesce)
1573 		return 0;
1574 
1575 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1576 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1577 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1578 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1579 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1580 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1581 
1582 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1583 		return -ENOBUFS;
1584 
1585 	return 0;
1586 }
1587 
1588 static int
1589 nl80211_send_iftype_data(struct sk_buff *msg,
1590 			 const struct ieee80211_supported_band *sband,
1591 			 const struct ieee80211_sband_iftype_data *iftdata)
1592 {
1593 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1594 
1595 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1596 				iftdata->types_mask))
1597 		return -ENOBUFS;
1598 
1599 	if (he_cap->has_he) {
1600 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1601 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1602 			    he_cap->he_cap_elem.mac_cap_info) ||
1603 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1604 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1605 			    he_cap->he_cap_elem.phy_cap_info) ||
1606 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1607 			    sizeof(he_cap->he_mcs_nss_supp),
1608 			    &he_cap->he_mcs_nss_supp) ||
1609 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1610 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1611 			return -ENOBUFS;
1612 	}
1613 
1614 	if (sband->band == NL80211_BAND_6GHZ &&
1615 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1616 		    sizeof(iftdata->he_6ghz_capa),
1617 		    &iftdata->he_6ghz_capa))
1618 		return -ENOBUFS;
1619 
1620 	return 0;
1621 }
1622 
1623 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1624 				      struct ieee80211_supported_band *sband)
1625 {
1626 	struct nlattr *nl_rates, *nl_rate;
1627 	struct ieee80211_rate *rate;
1628 	int i;
1629 
1630 	/* add HT info */
1631 	if (sband->ht_cap.ht_supported &&
1632 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1633 		     sizeof(sband->ht_cap.mcs),
1634 		     &sband->ht_cap.mcs) ||
1635 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1636 			 sband->ht_cap.cap) ||
1637 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1638 			sband->ht_cap.ampdu_factor) ||
1639 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1640 			sband->ht_cap.ampdu_density)))
1641 		return -ENOBUFS;
1642 
1643 	/* add VHT info */
1644 	if (sband->vht_cap.vht_supported &&
1645 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1646 		     sizeof(sband->vht_cap.vht_mcs),
1647 		     &sband->vht_cap.vht_mcs) ||
1648 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1649 			 sband->vht_cap.cap)))
1650 		return -ENOBUFS;
1651 
1652 	if (sband->n_iftype_data) {
1653 		struct nlattr *nl_iftype_data =
1654 			nla_nest_start_noflag(msg,
1655 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1656 		int err;
1657 
1658 		if (!nl_iftype_data)
1659 			return -ENOBUFS;
1660 
1661 		for (i = 0; i < sband->n_iftype_data; i++) {
1662 			struct nlattr *iftdata;
1663 
1664 			iftdata = nla_nest_start_noflag(msg, i + 1);
1665 			if (!iftdata)
1666 				return -ENOBUFS;
1667 
1668 			err = nl80211_send_iftype_data(msg, sband,
1669 						       &sband->iftype_data[i]);
1670 			if (err)
1671 				return err;
1672 
1673 			nla_nest_end(msg, iftdata);
1674 		}
1675 
1676 		nla_nest_end(msg, nl_iftype_data);
1677 	}
1678 
1679 	/* add EDMG info */
1680 	if (sband->edmg_cap.channels &&
1681 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1682 		       sband->edmg_cap.channels) ||
1683 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1684 		       sband->edmg_cap.bw_config)))
1685 
1686 		return -ENOBUFS;
1687 
1688 	/* add bitrates */
1689 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1690 	if (!nl_rates)
1691 		return -ENOBUFS;
1692 
1693 	for (i = 0; i < sband->n_bitrates; i++) {
1694 		nl_rate = nla_nest_start_noflag(msg, i);
1695 		if (!nl_rate)
1696 			return -ENOBUFS;
1697 
1698 		rate = &sband->bitrates[i];
1699 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1700 				rate->bitrate))
1701 			return -ENOBUFS;
1702 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1703 		    nla_put_flag(msg,
1704 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1705 			return -ENOBUFS;
1706 
1707 		nla_nest_end(msg, nl_rate);
1708 	}
1709 
1710 	nla_nest_end(msg, nl_rates);
1711 
1712 	return 0;
1713 }
1714 
1715 static int
1716 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1717 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1718 {
1719 	u16 stypes;
1720 	struct nlattr *nl_ftypes, *nl_ifs;
1721 	enum nl80211_iftype ift;
1722 	int i;
1723 
1724 	if (!mgmt_stypes)
1725 		return 0;
1726 
1727 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1728 	if (!nl_ifs)
1729 		return -ENOBUFS;
1730 
1731 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1732 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1733 		if (!nl_ftypes)
1734 			return -ENOBUFS;
1735 		i = 0;
1736 		stypes = mgmt_stypes[ift].tx;
1737 		while (stypes) {
1738 			if ((stypes & 1) &&
1739 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1740 					(i << 4) | IEEE80211_FTYPE_MGMT))
1741 				return -ENOBUFS;
1742 			stypes >>= 1;
1743 			i++;
1744 		}
1745 		nla_nest_end(msg, nl_ftypes);
1746 	}
1747 
1748 	nla_nest_end(msg, nl_ifs);
1749 
1750 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1751 	if (!nl_ifs)
1752 		return -ENOBUFS;
1753 
1754 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1755 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1756 		if (!nl_ftypes)
1757 			return -ENOBUFS;
1758 		i = 0;
1759 		stypes = mgmt_stypes[ift].rx;
1760 		while (stypes) {
1761 			if ((stypes & 1) &&
1762 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1763 					(i << 4) | IEEE80211_FTYPE_MGMT))
1764 				return -ENOBUFS;
1765 			stypes >>= 1;
1766 			i++;
1767 		}
1768 		nla_nest_end(msg, nl_ftypes);
1769 	}
1770 	nla_nest_end(msg, nl_ifs);
1771 
1772 	return 0;
1773 }
1774 
1775 #define CMD(op, n)							\
1776 	 do {								\
1777 		if (rdev->ops->op) {					\
1778 			i++;						\
1779 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1780 				goto nla_put_failure;			\
1781 		}							\
1782 	} while (0)
1783 
1784 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1785 					struct sk_buff *msg)
1786 {
1787 	int i = 0;
1788 
1789 	/*
1790 	 * do *NOT* add anything into this function, new things need to be
1791 	 * advertised only to new versions of userspace that can deal with
1792 	 * the split (and they can't possibly care about new features...
1793 	 */
1794 	CMD(add_virtual_intf, NEW_INTERFACE);
1795 	CMD(change_virtual_intf, SET_INTERFACE);
1796 	CMD(add_key, NEW_KEY);
1797 	CMD(start_ap, START_AP);
1798 	CMD(add_station, NEW_STATION);
1799 	CMD(add_mpath, NEW_MPATH);
1800 	CMD(update_mesh_config, SET_MESH_CONFIG);
1801 	CMD(change_bss, SET_BSS);
1802 	CMD(auth, AUTHENTICATE);
1803 	CMD(assoc, ASSOCIATE);
1804 	CMD(deauth, DEAUTHENTICATE);
1805 	CMD(disassoc, DISASSOCIATE);
1806 	CMD(join_ibss, JOIN_IBSS);
1807 	CMD(join_mesh, JOIN_MESH);
1808 	CMD(set_pmksa, SET_PMKSA);
1809 	CMD(del_pmksa, DEL_PMKSA);
1810 	CMD(flush_pmksa, FLUSH_PMKSA);
1811 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1812 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1813 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1814 	CMD(mgmt_tx, FRAME);
1815 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1816 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1817 		i++;
1818 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1819 			goto nla_put_failure;
1820 	}
1821 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1822 	    rdev->ops->join_mesh) {
1823 		i++;
1824 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1825 			goto nla_put_failure;
1826 	}
1827 	CMD(set_wds_peer, SET_WDS_PEER);
1828 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1829 		CMD(tdls_mgmt, TDLS_MGMT);
1830 		CMD(tdls_oper, TDLS_OPER);
1831 	}
1832 	if (rdev->wiphy.max_sched_scan_reqs)
1833 		CMD(sched_scan_start, START_SCHED_SCAN);
1834 	CMD(probe_client, PROBE_CLIENT);
1835 	CMD(set_noack_map, SET_NOACK_MAP);
1836 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1837 		i++;
1838 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1839 			goto nla_put_failure;
1840 	}
1841 	CMD(start_p2p_device, START_P2P_DEVICE);
1842 	CMD(set_mcast_rate, SET_MCAST_RATE);
1843 #ifdef CONFIG_NL80211_TESTMODE
1844 	CMD(testmode_cmd, TESTMODE);
1845 #endif
1846 
1847 	if (rdev->ops->connect || rdev->ops->auth) {
1848 		i++;
1849 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1850 			goto nla_put_failure;
1851 	}
1852 
1853 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1854 		i++;
1855 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1856 			goto nla_put_failure;
1857 	}
1858 
1859 	return i;
1860  nla_put_failure:
1861 	return -ENOBUFS;
1862 }
1863 
1864 static int
1865 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1866 			   struct sk_buff *msg)
1867 {
1868 	struct nlattr *ftm;
1869 
1870 	if (!cap->ftm.supported)
1871 		return 0;
1872 
1873 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1874 	if (!ftm)
1875 		return -ENOBUFS;
1876 
1877 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1878 		return -ENOBUFS;
1879 	if (cap->ftm.non_asap &&
1880 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1881 		return -ENOBUFS;
1882 	if (cap->ftm.request_lci &&
1883 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1884 		return -ENOBUFS;
1885 	if (cap->ftm.request_civicloc &&
1886 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1887 		return -ENOBUFS;
1888 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1889 			cap->ftm.preambles))
1890 		return -ENOBUFS;
1891 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1892 			cap->ftm.bandwidths))
1893 		return -ENOBUFS;
1894 	if (cap->ftm.max_bursts_exponent >= 0 &&
1895 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1896 			cap->ftm.max_bursts_exponent))
1897 		return -ENOBUFS;
1898 	if (cap->ftm.max_ftms_per_burst &&
1899 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1900 			cap->ftm.max_ftms_per_burst))
1901 		return -ENOBUFS;
1902 	if (cap->ftm.trigger_based &&
1903 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
1904 		return -ENOBUFS;
1905 	if (cap->ftm.non_trigger_based &&
1906 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
1907 		return -ENOBUFS;
1908 
1909 	nla_nest_end(msg, ftm);
1910 	return 0;
1911 }
1912 
1913 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1914 				  struct sk_buff *msg)
1915 {
1916 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1917 	struct nlattr *pmsr, *caps;
1918 
1919 	if (!cap)
1920 		return 0;
1921 
1922 	/*
1923 	 * we don't need to clean up anything here since the caller
1924 	 * will genlmsg_cancel() if we fail
1925 	 */
1926 
1927 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1928 	if (!pmsr)
1929 		return -ENOBUFS;
1930 
1931 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1932 		return -ENOBUFS;
1933 
1934 	if (cap->report_ap_tsf &&
1935 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1936 		return -ENOBUFS;
1937 
1938 	if (cap->randomize_mac_addr &&
1939 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1940 		return -ENOBUFS;
1941 
1942 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1943 	if (!caps)
1944 		return -ENOBUFS;
1945 
1946 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1947 		return -ENOBUFS;
1948 
1949 	nla_nest_end(msg, caps);
1950 	nla_nest_end(msg, pmsr);
1951 
1952 	return 0;
1953 }
1954 
1955 static int
1956 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
1957 			      struct sk_buff *msg)
1958 {
1959 	int i;
1960 	struct nlattr *nested, *nested_akms;
1961 	const struct wiphy_iftype_akm_suites *iftype_akms;
1962 
1963 	if (!rdev->wiphy.num_iftype_akm_suites ||
1964 	    !rdev->wiphy.iftype_akm_suites)
1965 		return 0;
1966 
1967 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
1968 	if (!nested)
1969 		return -ENOBUFS;
1970 
1971 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
1972 		nested_akms = nla_nest_start(msg, i + 1);
1973 		if (!nested_akms)
1974 			return -ENOBUFS;
1975 
1976 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
1977 
1978 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
1979 					iftype_akms->iftypes_mask))
1980 			return -ENOBUFS;
1981 
1982 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
1983 			    sizeof(u32) * iftype_akms->n_akm_suites,
1984 			    iftype_akms->akm_suites)) {
1985 			return -ENOBUFS;
1986 		}
1987 		nla_nest_end(msg, nested_akms);
1988 	}
1989 
1990 	nla_nest_end(msg, nested);
1991 
1992 	return 0;
1993 }
1994 
1995 static int
1996 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
1997 			       struct sk_buff *msg)
1998 {
1999 	struct nlattr *supp;
2000 
2001 	if (!rdev->wiphy.tid_config_support.vif &&
2002 	    !rdev->wiphy.tid_config_support.peer)
2003 		return 0;
2004 
2005 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2006 	if (!supp)
2007 		return -ENOSPC;
2008 
2009 	if (rdev->wiphy.tid_config_support.vif &&
2010 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2011 			      rdev->wiphy.tid_config_support.vif,
2012 			      NL80211_TID_CONFIG_ATTR_PAD))
2013 		goto fail;
2014 
2015 	if (rdev->wiphy.tid_config_support.peer &&
2016 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2017 			      rdev->wiphy.tid_config_support.peer,
2018 			      NL80211_TID_CONFIG_ATTR_PAD))
2019 		goto fail;
2020 
2021 	/* for now we just use the same value ... makes more sense */
2022 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2023 		       rdev->wiphy.tid_config_support.max_retry))
2024 		goto fail;
2025 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2026 		       rdev->wiphy.tid_config_support.max_retry))
2027 		goto fail;
2028 
2029 	nla_nest_end(msg, supp);
2030 
2031 	return 0;
2032 fail:
2033 	nla_nest_cancel(msg, supp);
2034 	return -ENOBUFS;
2035 }
2036 
2037 struct nl80211_dump_wiphy_state {
2038 	s64 filter_wiphy;
2039 	long start;
2040 	long split_start, band_start, chan_start, capa_start;
2041 	bool split;
2042 };
2043 
2044 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2045 			      enum nl80211_commands cmd,
2046 			      struct sk_buff *msg, u32 portid, u32 seq,
2047 			      int flags, struct nl80211_dump_wiphy_state *state)
2048 {
2049 	void *hdr;
2050 	struct nlattr *nl_bands, *nl_band;
2051 	struct nlattr *nl_freqs, *nl_freq;
2052 	struct nlattr *nl_cmds;
2053 	enum nl80211_band band;
2054 	struct ieee80211_channel *chan;
2055 	int i;
2056 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2057 				rdev->wiphy.mgmt_stypes;
2058 	u32 features;
2059 
2060 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2061 	if (!hdr)
2062 		return -ENOBUFS;
2063 
2064 	if (WARN_ON(!state))
2065 		return -EINVAL;
2066 
2067 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2068 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2069 			   wiphy_name(&rdev->wiphy)) ||
2070 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2071 			cfg80211_rdev_list_generation))
2072 		goto nla_put_failure;
2073 
2074 	if (cmd != NL80211_CMD_NEW_WIPHY)
2075 		goto finish;
2076 
2077 	switch (state->split_start) {
2078 	case 0:
2079 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2080 			       rdev->wiphy.retry_short) ||
2081 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2082 			       rdev->wiphy.retry_long) ||
2083 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2084 				rdev->wiphy.frag_threshold) ||
2085 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2086 				rdev->wiphy.rts_threshold) ||
2087 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2088 			       rdev->wiphy.coverage_class) ||
2089 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2090 			       rdev->wiphy.max_scan_ssids) ||
2091 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2092 			       rdev->wiphy.max_sched_scan_ssids) ||
2093 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2094 				rdev->wiphy.max_scan_ie_len) ||
2095 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2096 				rdev->wiphy.max_sched_scan_ie_len) ||
2097 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2098 			       rdev->wiphy.max_match_sets) ||
2099 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2100 				rdev->wiphy.max_sched_scan_plans) ||
2101 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2102 				rdev->wiphy.max_sched_scan_plan_interval) ||
2103 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2104 				rdev->wiphy.max_sched_scan_plan_iterations))
2105 			goto nla_put_failure;
2106 
2107 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2108 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2109 			goto nla_put_failure;
2110 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2111 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2112 			goto nla_put_failure;
2113 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2114 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2115 			goto nla_put_failure;
2116 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2117 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2118 			goto nla_put_failure;
2119 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2120 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2121 			goto nla_put_failure;
2122 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2123 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2124 			goto nla_put_failure;
2125 		state->split_start++;
2126 		if (state->split)
2127 			break;
2128 		fallthrough;
2129 	case 1:
2130 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2131 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2132 			    rdev->wiphy.cipher_suites))
2133 			goto nla_put_failure;
2134 
2135 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2136 			       rdev->wiphy.max_num_pmkids))
2137 			goto nla_put_failure;
2138 
2139 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2140 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2141 			goto nla_put_failure;
2142 
2143 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2144 				rdev->wiphy.available_antennas_tx) ||
2145 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2146 				rdev->wiphy.available_antennas_rx))
2147 			goto nla_put_failure;
2148 
2149 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2150 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2151 				rdev->wiphy.probe_resp_offload))
2152 			goto nla_put_failure;
2153 
2154 		if ((rdev->wiphy.available_antennas_tx ||
2155 		     rdev->wiphy.available_antennas_rx) &&
2156 		    rdev->ops->get_antenna) {
2157 			u32 tx_ant = 0, rx_ant = 0;
2158 			int res;
2159 
2160 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2161 			if (!res) {
2162 				if (nla_put_u32(msg,
2163 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2164 						tx_ant) ||
2165 				    nla_put_u32(msg,
2166 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2167 						rx_ant))
2168 					goto nla_put_failure;
2169 			}
2170 		}
2171 
2172 		state->split_start++;
2173 		if (state->split)
2174 			break;
2175 		fallthrough;
2176 	case 2:
2177 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2178 					rdev->wiphy.interface_modes))
2179 				goto nla_put_failure;
2180 		state->split_start++;
2181 		if (state->split)
2182 			break;
2183 		fallthrough;
2184 	case 3:
2185 		nl_bands = nla_nest_start_noflag(msg,
2186 						 NL80211_ATTR_WIPHY_BANDS);
2187 		if (!nl_bands)
2188 			goto nla_put_failure;
2189 
2190 		for (band = state->band_start;
2191 		     band < NUM_NL80211_BANDS; band++) {
2192 			struct ieee80211_supported_band *sband;
2193 
2194 			sband = rdev->wiphy.bands[band];
2195 
2196 			if (!sband)
2197 				continue;
2198 
2199 			nl_band = nla_nest_start_noflag(msg, band);
2200 			if (!nl_band)
2201 				goto nla_put_failure;
2202 
2203 			switch (state->chan_start) {
2204 			case 0:
2205 				if (nl80211_send_band_rateinfo(msg, sband))
2206 					goto nla_put_failure;
2207 				state->chan_start++;
2208 				if (state->split)
2209 					break;
2210 				fallthrough;
2211 			default:
2212 				/* add frequencies */
2213 				nl_freqs = nla_nest_start_noflag(msg,
2214 								 NL80211_BAND_ATTR_FREQS);
2215 				if (!nl_freqs)
2216 					goto nla_put_failure;
2217 
2218 				for (i = state->chan_start - 1;
2219 				     i < sband->n_channels;
2220 				     i++) {
2221 					nl_freq = nla_nest_start_noflag(msg,
2222 									i);
2223 					if (!nl_freq)
2224 						goto nla_put_failure;
2225 
2226 					chan = &sband->channels[i];
2227 
2228 					if (nl80211_msg_put_channel(
2229 							msg, &rdev->wiphy, chan,
2230 							state->split))
2231 						goto nla_put_failure;
2232 
2233 					nla_nest_end(msg, nl_freq);
2234 					if (state->split)
2235 						break;
2236 				}
2237 				if (i < sband->n_channels)
2238 					state->chan_start = i + 2;
2239 				else
2240 					state->chan_start = 0;
2241 				nla_nest_end(msg, nl_freqs);
2242 			}
2243 
2244 			nla_nest_end(msg, nl_band);
2245 
2246 			if (state->split) {
2247 				/* start again here */
2248 				if (state->chan_start)
2249 					band--;
2250 				break;
2251 			}
2252 		}
2253 		nla_nest_end(msg, nl_bands);
2254 
2255 		if (band < NUM_NL80211_BANDS)
2256 			state->band_start = band + 1;
2257 		else
2258 			state->band_start = 0;
2259 
2260 		/* if bands & channels are done, continue outside */
2261 		if (state->band_start == 0 && state->chan_start == 0)
2262 			state->split_start++;
2263 		if (state->split)
2264 			break;
2265 		fallthrough;
2266 	case 4:
2267 		nl_cmds = nla_nest_start_noflag(msg,
2268 						NL80211_ATTR_SUPPORTED_COMMANDS);
2269 		if (!nl_cmds)
2270 			goto nla_put_failure;
2271 
2272 		i = nl80211_add_commands_unsplit(rdev, msg);
2273 		if (i < 0)
2274 			goto nla_put_failure;
2275 		if (state->split) {
2276 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2277 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2278 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2279 				CMD(channel_switch, CHANNEL_SWITCH);
2280 			CMD(set_qos_map, SET_QOS_MAP);
2281 			if (rdev->wiphy.features &
2282 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2283 				CMD(add_tx_ts, ADD_TX_TS);
2284 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2285 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2286 			CMD(update_ft_ies, UPDATE_FT_IES);
2287 		}
2288 #undef CMD
2289 
2290 		nla_nest_end(msg, nl_cmds);
2291 		state->split_start++;
2292 		if (state->split)
2293 			break;
2294 		fallthrough;
2295 	case 5:
2296 		if (rdev->ops->remain_on_channel &&
2297 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2298 		    nla_put_u32(msg,
2299 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2300 				rdev->wiphy.max_remain_on_channel_duration))
2301 			goto nla_put_failure;
2302 
2303 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2304 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2305 			goto nla_put_failure;
2306 
2307 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2308 			goto nla_put_failure;
2309 		state->split_start++;
2310 		if (state->split)
2311 			break;
2312 		fallthrough;
2313 	case 6:
2314 #ifdef CONFIG_PM
2315 		if (nl80211_send_wowlan(msg, rdev, state->split))
2316 			goto nla_put_failure;
2317 		state->split_start++;
2318 		if (state->split)
2319 			break;
2320 #else
2321 		state->split_start++;
2322 #endif
2323 		fallthrough;
2324 	case 7:
2325 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2326 					rdev->wiphy.software_iftypes))
2327 			goto nla_put_failure;
2328 
2329 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2330 						   state->split))
2331 			goto nla_put_failure;
2332 
2333 		state->split_start++;
2334 		if (state->split)
2335 			break;
2336 		fallthrough;
2337 	case 8:
2338 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2339 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2340 				rdev->wiphy.ap_sme_capa))
2341 			goto nla_put_failure;
2342 
2343 		features = rdev->wiphy.features;
2344 		/*
2345 		 * We can only add the per-channel limit information if the
2346 		 * dump is split, otherwise it makes it too big. Therefore
2347 		 * only advertise it in that case.
2348 		 */
2349 		if (state->split)
2350 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2351 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2352 			goto nla_put_failure;
2353 
2354 		if (rdev->wiphy.ht_capa_mod_mask &&
2355 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2356 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2357 			    rdev->wiphy.ht_capa_mod_mask))
2358 			goto nla_put_failure;
2359 
2360 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2361 		    rdev->wiphy.max_acl_mac_addrs &&
2362 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2363 				rdev->wiphy.max_acl_mac_addrs))
2364 			goto nla_put_failure;
2365 
2366 		/*
2367 		 * Any information below this point is only available to
2368 		 * applications that can deal with it being split. This
2369 		 * helps ensure that newly added capabilities don't break
2370 		 * older tools by overrunning their buffers.
2371 		 *
2372 		 * We still increment split_start so that in the split
2373 		 * case we'll continue with more data in the next round,
2374 		 * but break unconditionally so unsplit data stops here.
2375 		 */
2376 		state->split_start++;
2377 		break;
2378 	case 9:
2379 		if (rdev->wiphy.extended_capabilities &&
2380 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2381 			     rdev->wiphy.extended_capabilities_len,
2382 			     rdev->wiphy.extended_capabilities) ||
2383 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2384 			     rdev->wiphy.extended_capabilities_len,
2385 			     rdev->wiphy.extended_capabilities_mask)))
2386 			goto nla_put_failure;
2387 
2388 		if (rdev->wiphy.vht_capa_mod_mask &&
2389 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2390 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2391 			    rdev->wiphy.vht_capa_mod_mask))
2392 			goto nla_put_failure;
2393 
2394 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2395 			    rdev->wiphy.perm_addr))
2396 			goto nla_put_failure;
2397 
2398 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2399 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2400 			    rdev->wiphy.addr_mask))
2401 			goto nla_put_failure;
2402 
2403 		if (rdev->wiphy.n_addresses > 1) {
2404 			void *attr;
2405 
2406 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2407 			if (!attr)
2408 				goto nla_put_failure;
2409 
2410 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2411 				if (nla_put(msg, i + 1, ETH_ALEN,
2412 					    rdev->wiphy.addresses[i].addr))
2413 					goto nla_put_failure;
2414 
2415 			nla_nest_end(msg, attr);
2416 		}
2417 
2418 		state->split_start++;
2419 		break;
2420 	case 10:
2421 		if (nl80211_send_coalesce(msg, rdev))
2422 			goto nla_put_failure;
2423 
2424 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2425 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2426 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2427 			goto nla_put_failure;
2428 
2429 		if (rdev->wiphy.max_ap_assoc_sta &&
2430 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2431 				rdev->wiphy.max_ap_assoc_sta))
2432 			goto nla_put_failure;
2433 
2434 		state->split_start++;
2435 		break;
2436 	case 11:
2437 		if (rdev->wiphy.n_vendor_commands) {
2438 			const struct nl80211_vendor_cmd_info *info;
2439 			struct nlattr *nested;
2440 
2441 			nested = nla_nest_start_noflag(msg,
2442 						       NL80211_ATTR_VENDOR_DATA);
2443 			if (!nested)
2444 				goto nla_put_failure;
2445 
2446 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2447 				info = &rdev->wiphy.vendor_commands[i].info;
2448 				if (nla_put(msg, i + 1, sizeof(*info), info))
2449 					goto nla_put_failure;
2450 			}
2451 			nla_nest_end(msg, nested);
2452 		}
2453 
2454 		if (rdev->wiphy.n_vendor_events) {
2455 			const struct nl80211_vendor_cmd_info *info;
2456 			struct nlattr *nested;
2457 
2458 			nested = nla_nest_start_noflag(msg,
2459 						       NL80211_ATTR_VENDOR_EVENTS);
2460 			if (!nested)
2461 				goto nla_put_failure;
2462 
2463 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2464 				info = &rdev->wiphy.vendor_events[i];
2465 				if (nla_put(msg, i + 1, sizeof(*info), info))
2466 					goto nla_put_failure;
2467 			}
2468 			nla_nest_end(msg, nested);
2469 		}
2470 		state->split_start++;
2471 		break;
2472 	case 12:
2473 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2474 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2475 			       rdev->wiphy.max_num_csa_counters))
2476 			goto nla_put_failure;
2477 
2478 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2479 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2480 			goto nla_put_failure;
2481 
2482 		if (rdev->wiphy.max_sched_scan_reqs &&
2483 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2484 				rdev->wiphy.max_sched_scan_reqs))
2485 			goto nla_put_failure;
2486 
2487 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2488 			    sizeof(rdev->wiphy.ext_features),
2489 			    rdev->wiphy.ext_features))
2490 			goto nla_put_failure;
2491 
2492 		if (rdev->wiphy.bss_select_support) {
2493 			struct nlattr *nested;
2494 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2495 
2496 			nested = nla_nest_start_noflag(msg,
2497 						       NL80211_ATTR_BSS_SELECT);
2498 			if (!nested)
2499 				goto nla_put_failure;
2500 
2501 			i = 0;
2502 			while (bss_select_support) {
2503 				if ((bss_select_support & 1) &&
2504 				    nla_put_flag(msg, i))
2505 					goto nla_put_failure;
2506 				i++;
2507 				bss_select_support >>= 1;
2508 			}
2509 			nla_nest_end(msg, nested);
2510 		}
2511 
2512 		state->split_start++;
2513 		break;
2514 	case 13:
2515 		if (rdev->wiphy.num_iftype_ext_capab &&
2516 		    rdev->wiphy.iftype_ext_capab) {
2517 			struct nlattr *nested_ext_capab, *nested;
2518 
2519 			nested = nla_nest_start_noflag(msg,
2520 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2521 			if (!nested)
2522 				goto nla_put_failure;
2523 
2524 			for (i = state->capa_start;
2525 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2526 				const struct wiphy_iftype_ext_capab *capab;
2527 
2528 				capab = &rdev->wiphy.iftype_ext_capab[i];
2529 
2530 				nested_ext_capab = nla_nest_start_noflag(msg,
2531 									 i);
2532 				if (!nested_ext_capab ||
2533 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2534 						capab->iftype) ||
2535 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2536 					    capab->extended_capabilities_len,
2537 					    capab->extended_capabilities) ||
2538 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2539 					    capab->extended_capabilities_len,
2540 					    capab->extended_capabilities_mask))
2541 					goto nla_put_failure;
2542 
2543 				nla_nest_end(msg, nested_ext_capab);
2544 				if (state->split)
2545 					break;
2546 			}
2547 			nla_nest_end(msg, nested);
2548 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2549 				state->capa_start = i + 1;
2550 				break;
2551 			}
2552 		}
2553 
2554 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2555 				rdev->wiphy.nan_supported_bands))
2556 			goto nla_put_failure;
2557 
2558 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2559 					    NL80211_EXT_FEATURE_TXQS)) {
2560 			struct cfg80211_txq_stats txqstats = {};
2561 			int res;
2562 
2563 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2564 			if (!res &&
2565 			    !nl80211_put_txq_stats(msg, &txqstats,
2566 						   NL80211_ATTR_TXQ_STATS))
2567 				goto nla_put_failure;
2568 
2569 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2570 					rdev->wiphy.txq_limit))
2571 				goto nla_put_failure;
2572 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2573 					rdev->wiphy.txq_memory_limit))
2574 				goto nla_put_failure;
2575 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2576 					rdev->wiphy.txq_quantum))
2577 				goto nla_put_failure;
2578 		}
2579 
2580 		state->split_start++;
2581 		break;
2582 	case 14:
2583 		if (nl80211_send_pmsr_capa(rdev, msg))
2584 			goto nla_put_failure;
2585 
2586 		state->split_start++;
2587 		break;
2588 	case 15:
2589 		if (rdev->wiphy.akm_suites &&
2590 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2591 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2592 			    rdev->wiphy.akm_suites))
2593 			goto nla_put_failure;
2594 
2595 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2596 			goto nla_put_failure;
2597 
2598 		if (nl80211_put_tid_config_support(rdev, msg))
2599 			goto nla_put_failure;
2600 
2601 		/* done */
2602 		state->split_start = 0;
2603 		break;
2604 	}
2605  finish:
2606 	genlmsg_end(msg, hdr);
2607 	return 0;
2608 
2609  nla_put_failure:
2610 	genlmsg_cancel(msg, hdr);
2611 	return -EMSGSIZE;
2612 }
2613 
2614 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2615 				    struct netlink_callback *cb,
2616 				    struct nl80211_dump_wiphy_state *state)
2617 {
2618 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2619 	int ret;
2620 
2621 	if (!tb)
2622 		return -ENOMEM;
2623 
2624 	ret = nlmsg_parse_deprecated(cb->nlh,
2625 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2626 				     tb, nl80211_fam.maxattr,
2627 				     nl80211_policy, NULL);
2628 	/* ignore parse errors for backward compatibility */
2629 	if (ret) {
2630 		ret = 0;
2631 		goto out;
2632 	}
2633 
2634 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2635 	if (tb[NL80211_ATTR_WIPHY])
2636 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2637 	if (tb[NL80211_ATTR_WDEV])
2638 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2639 	if (tb[NL80211_ATTR_IFINDEX]) {
2640 		struct net_device *netdev;
2641 		struct cfg80211_registered_device *rdev;
2642 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2643 
2644 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2645 		if (!netdev) {
2646 			ret = -ENODEV;
2647 			goto out;
2648 		}
2649 		if (netdev->ieee80211_ptr) {
2650 			rdev = wiphy_to_rdev(
2651 				netdev->ieee80211_ptr->wiphy);
2652 			state->filter_wiphy = rdev->wiphy_idx;
2653 		}
2654 	}
2655 
2656 	ret = 0;
2657 out:
2658 	kfree(tb);
2659 	return ret;
2660 }
2661 
2662 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2663 {
2664 	int idx = 0, ret;
2665 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2666 	struct cfg80211_registered_device *rdev;
2667 
2668 	rtnl_lock();
2669 	if (!state) {
2670 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2671 		if (!state) {
2672 			rtnl_unlock();
2673 			return -ENOMEM;
2674 		}
2675 		state->filter_wiphy = -1;
2676 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2677 		if (ret) {
2678 			kfree(state);
2679 			rtnl_unlock();
2680 			return ret;
2681 		}
2682 		cb->args[0] = (long)state;
2683 	}
2684 
2685 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2686 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2687 			continue;
2688 		if (++idx <= state->start)
2689 			continue;
2690 		if (state->filter_wiphy != -1 &&
2691 		    state->filter_wiphy != rdev->wiphy_idx)
2692 			continue;
2693 		/* attempt to fit multiple wiphy data chunks into the skb */
2694 		do {
2695 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2696 						 skb,
2697 						 NETLINK_CB(cb->skb).portid,
2698 						 cb->nlh->nlmsg_seq,
2699 						 NLM_F_MULTI, state);
2700 			if (ret < 0) {
2701 				/*
2702 				 * If sending the wiphy data didn't fit (ENOBUFS
2703 				 * or EMSGSIZE returned), this SKB is still
2704 				 * empty (so it's not too big because another
2705 				 * wiphy dataset is already in the skb) and
2706 				 * we've not tried to adjust the dump allocation
2707 				 * yet ... then adjust the alloc size to be
2708 				 * bigger, and return 1 but with the empty skb.
2709 				 * This results in an empty message being RX'ed
2710 				 * in userspace, but that is ignored.
2711 				 *
2712 				 * We can then retry with the larger buffer.
2713 				 */
2714 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2715 				    !skb->len && !state->split &&
2716 				    cb->min_dump_alloc < 4096) {
2717 					cb->min_dump_alloc = 4096;
2718 					state->split_start = 0;
2719 					rtnl_unlock();
2720 					return 1;
2721 				}
2722 				idx--;
2723 				break;
2724 			}
2725 		} while (state->split_start > 0);
2726 		break;
2727 	}
2728 	rtnl_unlock();
2729 
2730 	state->start = idx;
2731 
2732 	return skb->len;
2733 }
2734 
2735 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2736 {
2737 	kfree((void *)cb->args[0]);
2738 	return 0;
2739 }
2740 
2741 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2742 {
2743 	struct sk_buff *msg;
2744 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2745 	struct nl80211_dump_wiphy_state state = {};
2746 
2747 	msg = nlmsg_new(4096, GFP_KERNEL);
2748 	if (!msg)
2749 		return -ENOMEM;
2750 
2751 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2752 			       info->snd_portid, info->snd_seq, 0,
2753 			       &state) < 0) {
2754 		nlmsg_free(msg);
2755 		return -ENOBUFS;
2756 	}
2757 
2758 	return genlmsg_reply(msg, info);
2759 }
2760 
2761 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2762 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2763 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2764 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2765 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2766 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2767 };
2768 
2769 static int parse_txq_params(struct nlattr *tb[],
2770 			    struct ieee80211_txq_params *txq_params)
2771 {
2772 	u8 ac;
2773 
2774 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2775 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2776 	    !tb[NL80211_TXQ_ATTR_AIFS])
2777 		return -EINVAL;
2778 
2779 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2780 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2781 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2782 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2783 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2784 
2785 	if (ac >= NL80211_NUM_ACS)
2786 		return -EINVAL;
2787 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2788 	return 0;
2789 }
2790 
2791 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2792 {
2793 	/*
2794 	 * You can only set the channel explicitly for WDS interfaces,
2795 	 * all others have their channel managed via their respective
2796 	 * "establish a connection" command (connect, join, ...)
2797 	 *
2798 	 * For AP/GO and mesh mode, the channel can be set with the
2799 	 * channel userspace API, but is only stored and passed to the
2800 	 * low-level driver when the AP starts or the mesh is joined.
2801 	 * This is for backward compatibility, userspace can also give
2802 	 * the channel in the start-ap or join-mesh commands instead.
2803 	 *
2804 	 * Monitors are special as they are normally slaved to
2805 	 * whatever else is going on, so they have their own special
2806 	 * operation to set the monitor channel if possible.
2807 	 */
2808 	return !wdev ||
2809 		wdev->iftype == NL80211_IFTYPE_AP ||
2810 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2811 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2812 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2813 }
2814 
2815 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2816 			  struct genl_info *info,
2817 			  struct cfg80211_chan_def *chandef)
2818 {
2819 	struct netlink_ext_ack *extack = info->extack;
2820 	struct nlattr **attrs = info->attrs;
2821 	u32 control_freq;
2822 
2823 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2824 		return -EINVAL;
2825 
2826 	control_freq = MHZ_TO_KHZ(
2827 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
2828 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
2829 		control_freq +=
2830 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
2831 
2832 	memset(chandef, 0, sizeof(*chandef));
2833 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
2834 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2835 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
2836 	chandef->freq1_offset = control_freq % 1000;
2837 	chandef->center_freq2 = 0;
2838 
2839 	/* Primary channel not allowed */
2840 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2841 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2842 				    "Channel is disabled");
2843 		return -EINVAL;
2844 	}
2845 
2846 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2847 		enum nl80211_channel_type chantype;
2848 
2849 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2850 
2851 		switch (chantype) {
2852 		case NL80211_CHAN_NO_HT:
2853 		case NL80211_CHAN_HT20:
2854 		case NL80211_CHAN_HT40PLUS:
2855 		case NL80211_CHAN_HT40MINUS:
2856 			cfg80211_chandef_create(chandef, chandef->chan,
2857 						chantype);
2858 			/* user input for center_freq is incorrect */
2859 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2860 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2861 				NL_SET_ERR_MSG_ATTR(extack,
2862 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2863 						    "bad center frequency 1");
2864 				return -EINVAL;
2865 			}
2866 			/* center_freq2 must be zero */
2867 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2868 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2869 				NL_SET_ERR_MSG_ATTR(extack,
2870 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2871 						    "center frequency 2 can't be used");
2872 				return -EINVAL;
2873 			}
2874 			break;
2875 		default:
2876 			NL_SET_ERR_MSG_ATTR(extack,
2877 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2878 					    "invalid channel type");
2879 			return -EINVAL;
2880 		}
2881 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2882 		chandef->width =
2883 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2884 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
2885 			chandef->center_freq1 =
2886 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2887 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
2888 				chandef->freq1_offset = nla_get_u32(
2889 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
2890 			else
2891 				chandef->freq1_offset = 0;
2892 		}
2893 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2894 			chandef->center_freq2 =
2895 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2896 	}
2897 
2898 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2899 		chandef->edmg.channels =
2900 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2901 
2902 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2903 			chandef->edmg.bw_config =
2904 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2905 	} else {
2906 		chandef->edmg.bw_config = 0;
2907 		chandef->edmg.channels = 0;
2908 	}
2909 
2910 	if (!cfg80211_chandef_valid(chandef)) {
2911 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2912 		return -EINVAL;
2913 	}
2914 
2915 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2916 				     IEEE80211_CHAN_DISABLED)) {
2917 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2918 		return -EINVAL;
2919 	}
2920 
2921 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2922 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2923 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2924 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2925 		return -EINVAL;
2926 	}
2927 
2928 	return 0;
2929 }
2930 
2931 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2932 				 struct net_device *dev,
2933 				 struct genl_info *info)
2934 {
2935 	struct cfg80211_chan_def chandef;
2936 	int result;
2937 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2938 	struct wireless_dev *wdev = NULL;
2939 
2940 	if (dev)
2941 		wdev = dev->ieee80211_ptr;
2942 	if (!nl80211_can_set_dev_channel(wdev))
2943 		return -EOPNOTSUPP;
2944 	if (wdev)
2945 		iftype = wdev->iftype;
2946 
2947 	result = nl80211_parse_chandef(rdev, info, &chandef);
2948 	if (result)
2949 		return result;
2950 
2951 	switch (iftype) {
2952 	case NL80211_IFTYPE_AP:
2953 	case NL80211_IFTYPE_P2P_GO:
2954 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2955 						   iftype)) {
2956 			result = -EINVAL;
2957 			break;
2958 		}
2959 		if (wdev->beacon_interval) {
2960 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2961 			    !(rdev->wiphy.features &
2962 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2963 				result = -EBUSY;
2964 				break;
2965 			}
2966 
2967 			/* Only allow dynamic channel width changes */
2968 			if (chandef.chan != wdev->preset_chandef.chan) {
2969 				result = -EBUSY;
2970 				break;
2971 			}
2972 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2973 			if (result)
2974 				break;
2975 		}
2976 		wdev->preset_chandef = chandef;
2977 		result = 0;
2978 		break;
2979 	case NL80211_IFTYPE_MESH_POINT:
2980 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2981 		break;
2982 	case NL80211_IFTYPE_MONITOR:
2983 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2984 		break;
2985 	default:
2986 		result = -EINVAL;
2987 	}
2988 
2989 	return result;
2990 }
2991 
2992 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2993 {
2994 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2995 	struct net_device *netdev = info->user_ptr[1];
2996 
2997 	return __nl80211_set_channel(rdev, netdev, info);
2998 }
2999 
3000 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
3001 {
3002 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3003 	struct net_device *dev = info->user_ptr[1];
3004 	struct wireless_dev *wdev = dev->ieee80211_ptr;
3005 	const u8 *bssid;
3006 
3007 	if (!info->attrs[NL80211_ATTR_MAC])
3008 		return -EINVAL;
3009 
3010 	if (netif_running(dev))
3011 		return -EBUSY;
3012 
3013 	if (!rdev->ops->set_wds_peer)
3014 		return -EOPNOTSUPP;
3015 
3016 	if (wdev->iftype != NL80211_IFTYPE_WDS)
3017 		return -EOPNOTSUPP;
3018 
3019 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
3020 	return rdev_set_wds_peer(rdev, dev, bssid);
3021 }
3022 
3023 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3024 {
3025 	struct cfg80211_registered_device *rdev;
3026 	struct net_device *netdev = NULL;
3027 	struct wireless_dev *wdev;
3028 	int result = 0, rem_txq_params = 0;
3029 	struct nlattr *nl_txq_params;
3030 	u32 changed;
3031 	u8 retry_short = 0, retry_long = 0;
3032 	u32 frag_threshold = 0, rts_threshold = 0;
3033 	u8 coverage_class = 0;
3034 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3035 
3036 	ASSERT_RTNL();
3037 
3038 	/*
3039 	 * Try to find the wiphy and netdev. Normally this
3040 	 * function shouldn't need the netdev, but this is
3041 	 * done for backward compatibility -- previously
3042 	 * setting the channel was done per wiphy, but now
3043 	 * it is per netdev. Previous userland like hostapd
3044 	 * also passed a netdev to set_wiphy, so that it is
3045 	 * possible to let that go to the right netdev!
3046 	 */
3047 
3048 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3049 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3050 
3051 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3052 		if (netdev && netdev->ieee80211_ptr)
3053 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3054 		else
3055 			netdev = NULL;
3056 	}
3057 
3058 	if (!netdev) {
3059 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3060 						  info->attrs);
3061 		if (IS_ERR(rdev))
3062 			return PTR_ERR(rdev);
3063 		wdev = NULL;
3064 		netdev = NULL;
3065 		result = 0;
3066 	} else
3067 		wdev = netdev->ieee80211_ptr;
3068 
3069 	/*
3070 	 * end workaround code, by now the rdev is available
3071 	 * and locked, and wdev may or may not be NULL.
3072 	 */
3073 
3074 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3075 		result = cfg80211_dev_rename(
3076 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3077 
3078 	if (result)
3079 		return result;
3080 
3081 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3082 		struct ieee80211_txq_params txq_params;
3083 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3084 
3085 		if (!rdev->ops->set_txq_params)
3086 			return -EOPNOTSUPP;
3087 
3088 		if (!netdev)
3089 			return -EINVAL;
3090 
3091 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3092 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3093 			return -EINVAL;
3094 
3095 		if (!netif_running(netdev))
3096 			return -ENETDOWN;
3097 
3098 		nla_for_each_nested(nl_txq_params,
3099 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3100 				    rem_txq_params) {
3101 			result = nla_parse_nested_deprecated(tb,
3102 							     NL80211_TXQ_ATTR_MAX,
3103 							     nl_txq_params,
3104 							     txq_params_policy,
3105 							     info->extack);
3106 			if (result)
3107 				return result;
3108 			result = parse_txq_params(tb, &txq_params);
3109 			if (result)
3110 				return result;
3111 
3112 			result = rdev_set_txq_params(rdev, netdev,
3113 						     &txq_params);
3114 			if (result)
3115 				return result;
3116 		}
3117 	}
3118 
3119 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3120 		result = __nl80211_set_channel(
3121 			rdev,
3122 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3123 			info);
3124 		if (result)
3125 			return result;
3126 	}
3127 
3128 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3129 		struct wireless_dev *txp_wdev = wdev;
3130 		enum nl80211_tx_power_setting type;
3131 		int idx, mbm = 0;
3132 
3133 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3134 			txp_wdev = NULL;
3135 
3136 		if (!rdev->ops->set_tx_power)
3137 			return -EOPNOTSUPP;
3138 
3139 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3140 		type = nla_get_u32(info->attrs[idx]);
3141 
3142 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3143 		    (type != NL80211_TX_POWER_AUTOMATIC))
3144 			return -EINVAL;
3145 
3146 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3147 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3148 			mbm = nla_get_u32(info->attrs[idx]);
3149 		}
3150 
3151 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3152 		if (result)
3153 			return result;
3154 	}
3155 
3156 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3157 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3158 		u32 tx_ant, rx_ant;
3159 
3160 		if ((!rdev->wiphy.available_antennas_tx &&
3161 		     !rdev->wiphy.available_antennas_rx) ||
3162 		    !rdev->ops->set_antenna)
3163 			return -EOPNOTSUPP;
3164 
3165 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3166 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3167 
3168 		/* reject antenna configurations which don't match the
3169 		 * available antenna masks, except for the "all" mask */
3170 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3171 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3172 			return -EINVAL;
3173 
3174 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3175 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3176 
3177 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3178 		if (result)
3179 			return result;
3180 	}
3181 
3182 	changed = 0;
3183 
3184 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3185 		retry_short = nla_get_u8(
3186 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3187 
3188 		changed |= WIPHY_PARAM_RETRY_SHORT;
3189 	}
3190 
3191 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3192 		retry_long = nla_get_u8(
3193 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3194 
3195 		changed |= WIPHY_PARAM_RETRY_LONG;
3196 	}
3197 
3198 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3199 		frag_threshold = nla_get_u32(
3200 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3201 		if (frag_threshold < 256)
3202 			return -EINVAL;
3203 
3204 		if (frag_threshold != (u32) -1) {
3205 			/*
3206 			 * Fragments (apart from the last one) are required to
3207 			 * have even length. Make the fragmentation code
3208 			 * simpler by stripping LSB should someone try to use
3209 			 * odd threshold value.
3210 			 */
3211 			frag_threshold &= ~0x1;
3212 		}
3213 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3214 	}
3215 
3216 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3217 		rts_threshold = nla_get_u32(
3218 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3219 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3220 	}
3221 
3222 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3223 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3224 			return -EINVAL;
3225 
3226 		coverage_class = nla_get_u8(
3227 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3228 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3229 	}
3230 
3231 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3232 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3233 			return -EOPNOTSUPP;
3234 
3235 		changed |= WIPHY_PARAM_DYN_ACK;
3236 	}
3237 
3238 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3239 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3240 					     NL80211_EXT_FEATURE_TXQS))
3241 			return -EOPNOTSUPP;
3242 		txq_limit = nla_get_u32(
3243 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3244 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3245 	}
3246 
3247 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3248 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3249 					     NL80211_EXT_FEATURE_TXQS))
3250 			return -EOPNOTSUPP;
3251 		txq_memory_limit = nla_get_u32(
3252 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3253 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3254 	}
3255 
3256 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3257 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3258 					     NL80211_EXT_FEATURE_TXQS))
3259 			return -EOPNOTSUPP;
3260 		txq_quantum = nla_get_u32(
3261 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3262 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3263 	}
3264 
3265 	if (changed) {
3266 		u8 old_retry_short, old_retry_long;
3267 		u32 old_frag_threshold, old_rts_threshold;
3268 		u8 old_coverage_class;
3269 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3270 
3271 		if (!rdev->ops->set_wiphy_params)
3272 			return -EOPNOTSUPP;
3273 
3274 		old_retry_short = rdev->wiphy.retry_short;
3275 		old_retry_long = rdev->wiphy.retry_long;
3276 		old_frag_threshold = rdev->wiphy.frag_threshold;
3277 		old_rts_threshold = rdev->wiphy.rts_threshold;
3278 		old_coverage_class = rdev->wiphy.coverage_class;
3279 		old_txq_limit = rdev->wiphy.txq_limit;
3280 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3281 		old_txq_quantum = rdev->wiphy.txq_quantum;
3282 
3283 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3284 			rdev->wiphy.retry_short = retry_short;
3285 		if (changed & WIPHY_PARAM_RETRY_LONG)
3286 			rdev->wiphy.retry_long = retry_long;
3287 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3288 			rdev->wiphy.frag_threshold = frag_threshold;
3289 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3290 			rdev->wiphy.rts_threshold = rts_threshold;
3291 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3292 			rdev->wiphy.coverage_class = coverage_class;
3293 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3294 			rdev->wiphy.txq_limit = txq_limit;
3295 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3296 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3297 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3298 			rdev->wiphy.txq_quantum = txq_quantum;
3299 
3300 		result = rdev_set_wiphy_params(rdev, changed);
3301 		if (result) {
3302 			rdev->wiphy.retry_short = old_retry_short;
3303 			rdev->wiphy.retry_long = old_retry_long;
3304 			rdev->wiphy.frag_threshold = old_frag_threshold;
3305 			rdev->wiphy.rts_threshold = old_rts_threshold;
3306 			rdev->wiphy.coverage_class = old_coverage_class;
3307 			rdev->wiphy.txq_limit = old_txq_limit;
3308 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3309 			rdev->wiphy.txq_quantum = old_txq_quantum;
3310 			return result;
3311 		}
3312 	}
3313 	return 0;
3314 }
3315 
3316 static int nl80211_send_chandef(struct sk_buff *msg,
3317 				const struct cfg80211_chan_def *chandef)
3318 {
3319 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3320 		return -EINVAL;
3321 
3322 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3323 			chandef->chan->center_freq))
3324 		return -ENOBUFS;
3325 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3326 			chandef->chan->freq_offset))
3327 		return -ENOBUFS;
3328 	switch (chandef->width) {
3329 	case NL80211_CHAN_WIDTH_20_NOHT:
3330 	case NL80211_CHAN_WIDTH_20:
3331 	case NL80211_CHAN_WIDTH_40:
3332 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3333 				cfg80211_get_chandef_type(chandef)))
3334 			return -ENOBUFS;
3335 		break;
3336 	default:
3337 		break;
3338 	}
3339 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3340 		return -ENOBUFS;
3341 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3342 		return -ENOBUFS;
3343 	if (chandef->center_freq2 &&
3344 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3345 		return -ENOBUFS;
3346 	return 0;
3347 }
3348 
3349 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3350 			      struct cfg80211_registered_device *rdev,
3351 			      struct wireless_dev *wdev,
3352 			      enum nl80211_commands cmd)
3353 {
3354 	struct net_device *dev = wdev->netdev;
3355 	void *hdr;
3356 
3357 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3358 		cmd != NL80211_CMD_DEL_INTERFACE &&
3359 		cmd != NL80211_CMD_SET_INTERFACE);
3360 
3361 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3362 	if (!hdr)
3363 		return -1;
3364 
3365 	if (dev &&
3366 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3367 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3368 		goto nla_put_failure;
3369 
3370 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3371 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3372 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3373 			      NL80211_ATTR_PAD) ||
3374 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3375 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3376 			rdev->devlist_generation ^
3377 			(cfg80211_rdev_list_generation << 2)) ||
3378 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3379 		goto nla_put_failure;
3380 
3381 	if (rdev->ops->get_channel) {
3382 		int ret;
3383 		struct cfg80211_chan_def chandef = {};
3384 
3385 		ret = rdev_get_channel(rdev, wdev, &chandef);
3386 		if (ret == 0) {
3387 			if (nl80211_send_chandef(msg, &chandef))
3388 				goto nla_put_failure;
3389 		}
3390 	}
3391 
3392 	if (rdev->ops->get_tx_power) {
3393 		int dbm, ret;
3394 
3395 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3396 		if (ret == 0 &&
3397 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3398 				DBM_TO_MBM(dbm)))
3399 			goto nla_put_failure;
3400 	}
3401 
3402 	wdev_lock(wdev);
3403 	switch (wdev->iftype) {
3404 	case NL80211_IFTYPE_AP:
3405 		if (wdev->ssid_len &&
3406 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3407 			goto nla_put_failure_locked;
3408 		break;
3409 	case NL80211_IFTYPE_STATION:
3410 	case NL80211_IFTYPE_P2P_CLIENT:
3411 	case NL80211_IFTYPE_ADHOC: {
3412 		const u8 *ssid_ie;
3413 		if (!wdev->current_bss)
3414 			break;
3415 		rcu_read_lock();
3416 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3417 					       WLAN_EID_SSID);
3418 		if (ssid_ie &&
3419 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3420 			goto nla_put_failure_rcu_locked;
3421 		rcu_read_unlock();
3422 		break;
3423 		}
3424 	default:
3425 		/* nothing */
3426 		break;
3427 	}
3428 	wdev_unlock(wdev);
3429 
3430 	if (rdev->ops->get_txq_stats) {
3431 		struct cfg80211_txq_stats txqstats = {};
3432 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3433 
3434 		if (ret == 0 &&
3435 		    !nl80211_put_txq_stats(msg, &txqstats,
3436 					   NL80211_ATTR_TXQ_STATS))
3437 			goto nla_put_failure;
3438 	}
3439 
3440 	genlmsg_end(msg, hdr);
3441 	return 0;
3442 
3443  nla_put_failure_rcu_locked:
3444 	rcu_read_unlock();
3445  nla_put_failure_locked:
3446 	wdev_unlock(wdev);
3447  nla_put_failure:
3448 	genlmsg_cancel(msg, hdr);
3449 	return -EMSGSIZE;
3450 }
3451 
3452 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3453 {
3454 	int wp_idx = 0;
3455 	int if_idx = 0;
3456 	int wp_start = cb->args[0];
3457 	int if_start = cb->args[1];
3458 	int filter_wiphy = -1;
3459 	struct cfg80211_registered_device *rdev;
3460 	struct wireless_dev *wdev;
3461 	int ret;
3462 
3463 	rtnl_lock();
3464 	if (!cb->args[2]) {
3465 		struct nl80211_dump_wiphy_state state = {
3466 			.filter_wiphy = -1,
3467 		};
3468 
3469 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3470 		if (ret)
3471 			goto out_unlock;
3472 
3473 		filter_wiphy = state.filter_wiphy;
3474 
3475 		/*
3476 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3477 		 * value needed to determine that parsing is necessary.
3478 		 */
3479 		if (filter_wiphy >= 0)
3480 			cb->args[2] = filter_wiphy + 1;
3481 		else
3482 			cb->args[2] = -1;
3483 	} else if (cb->args[2] > 0) {
3484 		filter_wiphy = cb->args[2] - 1;
3485 	}
3486 
3487 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3488 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3489 			continue;
3490 		if (wp_idx < wp_start) {
3491 			wp_idx++;
3492 			continue;
3493 		}
3494 
3495 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3496 			continue;
3497 
3498 		if_idx = 0;
3499 
3500 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3501 			if (if_idx < if_start) {
3502 				if_idx++;
3503 				continue;
3504 			}
3505 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3506 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3507 					       rdev, wdev,
3508 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3509 				goto out;
3510 			}
3511 			if_idx++;
3512 		}
3513 
3514 		wp_idx++;
3515 	}
3516  out:
3517 	cb->args[0] = wp_idx;
3518 	cb->args[1] = if_idx;
3519 
3520 	ret = skb->len;
3521  out_unlock:
3522 	rtnl_unlock();
3523 
3524 	return ret;
3525 }
3526 
3527 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3528 {
3529 	struct sk_buff *msg;
3530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3531 	struct wireless_dev *wdev = info->user_ptr[1];
3532 
3533 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3534 	if (!msg)
3535 		return -ENOMEM;
3536 
3537 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3538 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3539 		nlmsg_free(msg);
3540 		return -ENOBUFS;
3541 	}
3542 
3543 	return genlmsg_reply(msg, info);
3544 }
3545 
3546 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3547 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3548 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3549 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3550 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3551 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3552 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3553 };
3554 
3555 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3556 {
3557 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3558 	int flag;
3559 
3560 	*mntrflags = 0;
3561 
3562 	if (!nla)
3563 		return -EINVAL;
3564 
3565 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3566 		return -EINVAL;
3567 
3568 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3569 		if (flags[flag])
3570 			*mntrflags |= (1<<flag);
3571 
3572 	*mntrflags |= MONITOR_FLAG_CHANGED;
3573 
3574 	return 0;
3575 }
3576 
3577 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3578 				     enum nl80211_iftype type,
3579 				     struct genl_info *info,
3580 				     struct vif_params *params)
3581 {
3582 	bool change = false;
3583 	int err;
3584 
3585 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3586 		if (type != NL80211_IFTYPE_MONITOR)
3587 			return -EINVAL;
3588 
3589 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3590 					  &params->flags);
3591 		if (err)
3592 			return err;
3593 
3594 		change = true;
3595 	}
3596 
3597 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3598 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3599 		return -EOPNOTSUPP;
3600 
3601 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3602 		const u8 *mumimo_groups;
3603 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3604 
3605 		if (type != NL80211_IFTYPE_MONITOR)
3606 			return -EINVAL;
3607 
3608 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3609 			return -EOPNOTSUPP;
3610 
3611 		mumimo_groups =
3612 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3613 
3614 		/* bits 0 and 63 are reserved and must be zero */
3615 		if ((mumimo_groups[0] & BIT(0)) ||
3616 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3617 			return -EINVAL;
3618 
3619 		params->vht_mumimo_groups = mumimo_groups;
3620 		change = true;
3621 	}
3622 
3623 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3624 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3625 
3626 		if (type != NL80211_IFTYPE_MONITOR)
3627 			return -EINVAL;
3628 
3629 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3630 			return -EOPNOTSUPP;
3631 
3632 		params->vht_mumimo_follow_addr =
3633 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3634 		change = true;
3635 	}
3636 
3637 	return change ? 1 : 0;
3638 }
3639 
3640 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3641 			       struct net_device *netdev, u8 use_4addr,
3642 			       enum nl80211_iftype iftype)
3643 {
3644 	if (!use_4addr) {
3645 		if (netdev && netif_is_bridge_port(netdev))
3646 			return -EBUSY;
3647 		return 0;
3648 	}
3649 
3650 	switch (iftype) {
3651 	case NL80211_IFTYPE_AP_VLAN:
3652 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3653 			return 0;
3654 		break;
3655 	case NL80211_IFTYPE_STATION:
3656 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3657 			return 0;
3658 		break;
3659 	default:
3660 		break;
3661 	}
3662 
3663 	return -EOPNOTSUPP;
3664 }
3665 
3666 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3667 {
3668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3669 	struct vif_params params;
3670 	int err;
3671 	enum nl80211_iftype otype, ntype;
3672 	struct net_device *dev = info->user_ptr[1];
3673 	bool change = false;
3674 
3675 	memset(&params, 0, sizeof(params));
3676 
3677 	otype = ntype = dev->ieee80211_ptr->iftype;
3678 
3679 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3680 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3681 		if (otype != ntype)
3682 			change = true;
3683 	}
3684 
3685 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3686 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3687 
3688 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3689 			return -EINVAL;
3690 		if (netif_running(dev))
3691 			return -EBUSY;
3692 
3693 		wdev_lock(wdev);
3694 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3695 			     IEEE80211_MAX_MESH_ID_LEN);
3696 		wdev->mesh_id_up_len =
3697 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3698 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3699 		       wdev->mesh_id_up_len);
3700 		wdev_unlock(wdev);
3701 	}
3702 
3703 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3704 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3705 		change = true;
3706 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3707 		if (err)
3708 			return err;
3709 	} else {
3710 		params.use_4addr = -1;
3711 	}
3712 
3713 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3714 	if (err < 0)
3715 		return err;
3716 	if (err > 0)
3717 		change = true;
3718 
3719 	if (change)
3720 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3721 	else
3722 		err = 0;
3723 
3724 	if (!err && params.use_4addr != -1)
3725 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3726 
3727 	if (change && !err) {
3728 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3729 
3730 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3731 	}
3732 
3733 	return err;
3734 }
3735 
3736 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3737 {
3738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3739 	struct vif_params params;
3740 	struct wireless_dev *wdev;
3741 	struct sk_buff *msg;
3742 	int err;
3743 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3744 
3745 	/* to avoid failing a new interface creation due to pending removal */
3746 	cfg80211_destroy_ifaces(rdev);
3747 
3748 	memset(&params, 0, sizeof(params));
3749 
3750 	if (!info->attrs[NL80211_ATTR_IFNAME])
3751 		return -EINVAL;
3752 
3753 	if (info->attrs[NL80211_ATTR_IFTYPE])
3754 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3755 
3756 	if (!rdev->ops->add_virtual_intf)
3757 		return -EOPNOTSUPP;
3758 
3759 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3760 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3761 	    info->attrs[NL80211_ATTR_MAC]) {
3762 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3763 			   ETH_ALEN);
3764 		if (!is_valid_ether_addr(params.macaddr))
3765 			return -EADDRNOTAVAIL;
3766 	}
3767 
3768 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3769 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3770 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3771 		if (err)
3772 			return err;
3773 	}
3774 
3775 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3776 		return -EOPNOTSUPP;
3777 
3778 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3779 	if (err < 0)
3780 		return err;
3781 
3782 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3783 	if (!msg)
3784 		return -ENOMEM;
3785 
3786 	wdev = rdev_add_virtual_intf(rdev,
3787 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3788 				NET_NAME_USER, type, &params);
3789 	if (WARN_ON(!wdev)) {
3790 		nlmsg_free(msg);
3791 		return -EPROTO;
3792 	} else if (IS_ERR(wdev)) {
3793 		nlmsg_free(msg);
3794 		return PTR_ERR(wdev);
3795 	}
3796 
3797 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3798 		wdev->owner_nlportid = info->snd_portid;
3799 
3800 	switch (type) {
3801 	case NL80211_IFTYPE_MESH_POINT:
3802 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3803 			break;
3804 		wdev_lock(wdev);
3805 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3806 			     IEEE80211_MAX_MESH_ID_LEN);
3807 		wdev->mesh_id_up_len =
3808 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3809 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3810 		       wdev->mesh_id_up_len);
3811 		wdev_unlock(wdev);
3812 		break;
3813 	case NL80211_IFTYPE_NAN:
3814 	case NL80211_IFTYPE_P2P_DEVICE:
3815 		/*
3816 		 * P2P Device and NAN do not have a netdev, so don't go
3817 		 * through the netdev notifier and must be added here
3818 		 */
3819 		cfg80211_init_wdev(rdev, wdev);
3820 		break;
3821 	default:
3822 		break;
3823 	}
3824 
3825 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3826 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3827 		nlmsg_free(msg);
3828 		return -ENOBUFS;
3829 	}
3830 
3831 	return genlmsg_reply(msg, info);
3832 }
3833 
3834 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3835 {
3836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3837 	struct wireless_dev *wdev = info->user_ptr[1];
3838 
3839 	if (!rdev->ops->del_virtual_intf)
3840 		return -EOPNOTSUPP;
3841 
3842 	/*
3843 	 * If we remove a wireless device without a netdev then clear
3844 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3845 	 * to check if it needs to do dev_put(). Otherwise it crashes
3846 	 * since the wdev has been freed, unlike with a netdev where
3847 	 * we need the dev_put() for the netdev to really be freed.
3848 	 */
3849 	if (!wdev->netdev)
3850 		info->user_ptr[1] = NULL;
3851 
3852 	return rdev_del_virtual_intf(rdev, wdev);
3853 }
3854 
3855 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3856 {
3857 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3858 	struct net_device *dev = info->user_ptr[1];
3859 	u16 noack_map;
3860 
3861 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3862 		return -EINVAL;
3863 
3864 	if (!rdev->ops->set_noack_map)
3865 		return -EOPNOTSUPP;
3866 
3867 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3868 
3869 	return rdev_set_noack_map(rdev, dev, noack_map);
3870 }
3871 
3872 struct get_key_cookie {
3873 	struct sk_buff *msg;
3874 	int error;
3875 	int idx;
3876 };
3877 
3878 static void get_key_callback(void *c, struct key_params *params)
3879 {
3880 	struct nlattr *key;
3881 	struct get_key_cookie *cookie = c;
3882 
3883 	if ((params->key &&
3884 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3885 		     params->key_len, params->key)) ||
3886 	    (params->seq &&
3887 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3888 		     params->seq_len, params->seq)) ||
3889 	    (params->cipher &&
3890 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3891 			 params->cipher)))
3892 		goto nla_put_failure;
3893 
3894 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3895 	if (!key)
3896 		goto nla_put_failure;
3897 
3898 	if ((params->key &&
3899 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3900 		     params->key_len, params->key)) ||
3901 	    (params->seq &&
3902 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3903 		     params->seq_len, params->seq)) ||
3904 	    (params->cipher &&
3905 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3906 			 params->cipher)))
3907 		goto nla_put_failure;
3908 
3909 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3910 		goto nla_put_failure;
3911 
3912 	nla_nest_end(cookie->msg, key);
3913 
3914 	return;
3915  nla_put_failure:
3916 	cookie->error = 1;
3917 }
3918 
3919 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3920 {
3921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3922 	int err;
3923 	struct net_device *dev = info->user_ptr[1];
3924 	u8 key_idx = 0;
3925 	const u8 *mac_addr = NULL;
3926 	bool pairwise;
3927 	struct get_key_cookie cookie = {
3928 		.error = 0,
3929 	};
3930 	void *hdr;
3931 	struct sk_buff *msg;
3932 	bool bigtk_support = false;
3933 
3934 	if (wiphy_ext_feature_isset(&rdev->wiphy,
3935 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
3936 		bigtk_support = true;
3937 
3938 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
3939 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
3940 	    wiphy_ext_feature_isset(&rdev->wiphy,
3941 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
3942 		bigtk_support = true;
3943 
3944 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
3945 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3946 
3947 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
3948 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
3949 			return -EINVAL;
3950 		}
3951 	}
3952 
3953 	if (info->attrs[NL80211_ATTR_MAC])
3954 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3955 
3956 	pairwise = !!mac_addr;
3957 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3958 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3959 
3960 		if (kt != NL80211_KEYTYPE_GROUP &&
3961 		    kt != NL80211_KEYTYPE_PAIRWISE)
3962 			return -EINVAL;
3963 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3964 	}
3965 
3966 	if (!rdev->ops->get_key)
3967 		return -EOPNOTSUPP;
3968 
3969 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3970 		return -ENOENT;
3971 
3972 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3973 	if (!msg)
3974 		return -ENOMEM;
3975 
3976 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3977 			     NL80211_CMD_NEW_KEY);
3978 	if (!hdr)
3979 		goto nla_put_failure;
3980 
3981 	cookie.msg = msg;
3982 	cookie.idx = key_idx;
3983 
3984 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3985 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3986 		goto nla_put_failure;
3987 	if (mac_addr &&
3988 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3989 		goto nla_put_failure;
3990 
3991 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3992 			   get_key_callback);
3993 
3994 	if (err)
3995 		goto free_msg;
3996 
3997 	if (cookie.error)
3998 		goto nla_put_failure;
3999 
4000 	genlmsg_end(msg, hdr);
4001 	return genlmsg_reply(msg, info);
4002 
4003  nla_put_failure:
4004 	err = -ENOBUFS;
4005  free_msg:
4006 	nlmsg_free(msg);
4007 	return err;
4008 }
4009 
4010 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4011 {
4012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4013 	struct key_parse key;
4014 	int err;
4015 	struct net_device *dev = info->user_ptr[1];
4016 
4017 	err = nl80211_parse_key(info, &key);
4018 	if (err)
4019 		return err;
4020 
4021 	if (key.idx < 0)
4022 		return -EINVAL;
4023 
4024 	/* Only support setting default key and
4025 	 * Extended Key ID action NL80211_KEY_SET_TX.
4026 	 */
4027 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4028 	    !(key.p.mode == NL80211_KEY_SET_TX))
4029 		return -EINVAL;
4030 
4031 	wdev_lock(dev->ieee80211_ptr);
4032 
4033 	if (key.def) {
4034 		if (!rdev->ops->set_default_key) {
4035 			err = -EOPNOTSUPP;
4036 			goto out;
4037 		}
4038 
4039 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4040 		if (err)
4041 			goto out;
4042 
4043 		err = rdev_set_default_key(rdev, dev, key.idx,
4044 						 key.def_uni, key.def_multi);
4045 
4046 		if (err)
4047 			goto out;
4048 
4049 #ifdef CONFIG_CFG80211_WEXT
4050 		dev->ieee80211_ptr->wext.default_key = key.idx;
4051 #endif
4052 	} else if (key.defmgmt) {
4053 		if (key.def_uni || !key.def_multi) {
4054 			err = -EINVAL;
4055 			goto out;
4056 		}
4057 
4058 		if (!rdev->ops->set_default_mgmt_key) {
4059 			err = -EOPNOTSUPP;
4060 			goto out;
4061 		}
4062 
4063 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4064 		if (err)
4065 			goto out;
4066 
4067 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4068 		if (err)
4069 			goto out;
4070 
4071 #ifdef CONFIG_CFG80211_WEXT
4072 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4073 #endif
4074 	} else if (key.defbeacon) {
4075 		if (key.def_uni || !key.def_multi) {
4076 			err = -EINVAL;
4077 			goto out;
4078 		}
4079 
4080 		if (!rdev->ops->set_default_beacon_key) {
4081 			err = -EOPNOTSUPP;
4082 			goto out;
4083 		}
4084 
4085 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4086 		if (err)
4087 			goto out;
4088 
4089 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4090 		if (err)
4091 			goto out;
4092 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4093 		   wiphy_ext_feature_isset(&rdev->wiphy,
4094 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4095 		u8 *mac_addr = NULL;
4096 
4097 		if (info->attrs[NL80211_ATTR_MAC])
4098 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4099 
4100 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4101 			err = -EINVAL;
4102 			goto out;
4103 		}
4104 
4105 		err = rdev_add_key(rdev, dev, key.idx,
4106 				   NL80211_KEYTYPE_PAIRWISE,
4107 				   mac_addr, &key.p);
4108 	} else {
4109 		err = -EINVAL;
4110 	}
4111  out:
4112 	wdev_unlock(dev->ieee80211_ptr);
4113 
4114 	return err;
4115 }
4116 
4117 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4118 {
4119 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4120 	int err;
4121 	struct net_device *dev = info->user_ptr[1];
4122 	struct key_parse key;
4123 	const u8 *mac_addr = NULL;
4124 
4125 	err = nl80211_parse_key(info, &key);
4126 	if (err)
4127 		return err;
4128 
4129 	if (!key.p.key) {
4130 		GENL_SET_ERR_MSG(info, "no key");
4131 		return -EINVAL;
4132 	}
4133 
4134 	if (info->attrs[NL80211_ATTR_MAC])
4135 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4136 
4137 	if (key.type == -1) {
4138 		if (mac_addr)
4139 			key.type = NL80211_KEYTYPE_PAIRWISE;
4140 		else
4141 			key.type = NL80211_KEYTYPE_GROUP;
4142 	}
4143 
4144 	/* for now */
4145 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4146 	    key.type != NL80211_KEYTYPE_GROUP) {
4147 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4148 		return -EINVAL;
4149 	}
4150 
4151 	if (key.type == NL80211_KEYTYPE_GROUP &&
4152 	    info->attrs[NL80211_ATTR_VLAN_ID])
4153 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4154 
4155 	if (!rdev->ops->add_key)
4156 		return -EOPNOTSUPP;
4157 
4158 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4159 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4160 					   mac_addr)) {
4161 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4162 		return -EINVAL;
4163 	}
4164 
4165 	wdev_lock(dev->ieee80211_ptr);
4166 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4167 	if (err)
4168 		GENL_SET_ERR_MSG(info, "key not allowed");
4169 	if (!err) {
4170 		err = rdev_add_key(rdev, dev, key.idx,
4171 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4172 				    mac_addr, &key.p);
4173 		if (err)
4174 			GENL_SET_ERR_MSG(info, "key addition failed");
4175 	}
4176 	wdev_unlock(dev->ieee80211_ptr);
4177 
4178 	return err;
4179 }
4180 
4181 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4182 {
4183 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4184 	int err;
4185 	struct net_device *dev = info->user_ptr[1];
4186 	u8 *mac_addr = NULL;
4187 	struct key_parse key;
4188 
4189 	err = nl80211_parse_key(info, &key);
4190 	if (err)
4191 		return err;
4192 
4193 	if (info->attrs[NL80211_ATTR_MAC])
4194 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4195 
4196 	if (key.type == -1) {
4197 		if (mac_addr)
4198 			key.type = NL80211_KEYTYPE_PAIRWISE;
4199 		else
4200 			key.type = NL80211_KEYTYPE_GROUP;
4201 	}
4202 
4203 	/* for now */
4204 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4205 	    key.type != NL80211_KEYTYPE_GROUP)
4206 		return -EINVAL;
4207 
4208 	if (!rdev->ops->del_key)
4209 		return -EOPNOTSUPP;
4210 
4211 	wdev_lock(dev->ieee80211_ptr);
4212 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4213 
4214 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4215 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4216 		err = -ENOENT;
4217 
4218 	if (!err)
4219 		err = rdev_del_key(rdev, dev, key.idx,
4220 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4221 				   mac_addr);
4222 
4223 #ifdef CONFIG_CFG80211_WEXT
4224 	if (!err) {
4225 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4226 			dev->ieee80211_ptr->wext.default_key = -1;
4227 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4228 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4229 	}
4230 #endif
4231 	wdev_unlock(dev->ieee80211_ptr);
4232 
4233 	return err;
4234 }
4235 
4236 /* This function returns an error or the number of nested attributes */
4237 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4238 {
4239 	struct nlattr *attr;
4240 	int n_entries = 0, tmp;
4241 
4242 	nla_for_each_nested(attr, nl_attr, tmp) {
4243 		if (nla_len(attr) != ETH_ALEN)
4244 			return -EINVAL;
4245 
4246 		n_entries++;
4247 	}
4248 
4249 	return n_entries;
4250 }
4251 
4252 /*
4253  * This function parses ACL information and allocates memory for ACL data.
4254  * On successful return, the calling function is responsible to free the
4255  * ACL buffer returned by this function.
4256  */
4257 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4258 						struct genl_info *info)
4259 {
4260 	enum nl80211_acl_policy acl_policy;
4261 	struct nlattr *attr;
4262 	struct cfg80211_acl_data *acl;
4263 	int i = 0, n_entries, tmp;
4264 
4265 	if (!wiphy->max_acl_mac_addrs)
4266 		return ERR_PTR(-EOPNOTSUPP);
4267 
4268 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4269 		return ERR_PTR(-EINVAL);
4270 
4271 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4272 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4273 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4274 		return ERR_PTR(-EINVAL);
4275 
4276 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4277 		return ERR_PTR(-EINVAL);
4278 
4279 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4280 	if (n_entries < 0)
4281 		return ERR_PTR(n_entries);
4282 
4283 	if (n_entries > wiphy->max_acl_mac_addrs)
4284 		return ERR_PTR(-ENOTSUPP);
4285 
4286 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4287 	if (!acl)
4288 		return ERR_PTR(-ENOMEM);
4289 
4290 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4291 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4292 		i++;
4293 	}
4294 
4295 	acl->n_acl_entries = n_entries;
4296 	acl->acl_policy = acl_policy;
4297 
4298 	return acl;
4299 }
4300 
4301 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4302 {
4303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4304 	struct net_device *dev = info->user_ptr[1];
4305 	struct cfg80211_acl_data *acl;
4306 	int err;
4307 
4308 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4309 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4310 		return -EOPNOTSUPP;
4311 
4312 	if (!dev->ieee80211_ptr->beacon_interval)
4313 		return -EINVAL;
4314 
4315 	acl = parse_acl_data(&rdev->wiphy, info);
4316 	if (IS_ERR(acl))
4317 		return PTR_ERR(acl);
4318 
4319 	err = rdev_set_mac_acl(rdev, dev, acl);
4320 
4321 	kfree(acl);
4322 
4323 	return err;
4324 }
4325 
4326 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4327 			   u8 *rates, u8 rates_len)
4328 {
4329 	u8 i;
4330 	u32 mask = 0;
4331 
4332 	for (i = 0; i < rates_len; i++) {
4333 		int rate = (rates[i] & 0x7f) * 5;
4334 		int ridx;
4335 
4336 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4337 			struct ieee80211_rate *srate =
4338 				&sband->bitrates[ridx];
4339 			if (rate == srate->bitrate) {
4340 				mask |= 1 << ridx;
4341 				break;
4342 			}
4343 		}
4344 		if (ridx == sband->n_bitrates)
4345 			return 0; /* rate not found */
4346 	}
4347 
4348 	return mask;
4349 }
4350 
4351 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4352 			       u8 *rates, u8 rates_len,
4353 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4354 {
4355 	u8 i;
4356 
4357 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4358 
4359 	for (i = 0; i < rates_len; i++) {
4360 		int ridx, rbit;
4361 
4362 		ridx = rates[i] / 8;
4363 		rbit = BIT(rates[i] % 8);
4364 
4365 		/* check validity */
4366 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4367 			return false;
4368 
4369 		/* check availability */
4370 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4371 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4372 			mcs[ridx] |= rbit;
4373 		else
4374 			return false;
4375 	}
4376 
4377 	return true;
4378 }
4379 
4380 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4381 {
4382 	u16 mcs_mask = 0;
4383 
4384 	switch (vht_mcs_map) {
4385 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4386 		break;
4387 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4388 		mcs_mask = 0x00FF;
4389 		break;
4390 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4391 		mcs_mask = 0x01FF;
4392 		break;
4393 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4394 		mcs_mask = 0x03FF;
4395 		break;
4396 	default:
4397 		break;
4398 	}
4399 
4400 	return mcs_mask;
4401 }
4402 
4403 static void vht_build_mcs_mask(u16 vht_mcs_map,
4404 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4405 {
4406 	u8 nss;
4407 
4408 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4409 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4410 		vht_mcs_map >>= 2;
4411 	}
4412 }
4413 
4414 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4415 			     struct nl80211_txrate_vht *txrate,
4416 			     u16 mcs[NL80211_VHT_NSS_MAX])
4417 {
4418 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4419 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4420 	u8 i;
4421 
4422 	if (!sband->vht_cap.vht_supported)
4423 		return false;
4424 
4425 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4426 
4427 	/* Build vht_mcs_mask from VHT capabilities */
4428 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4429 
4430 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4431 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4432 			mcs[i] = txrate->mcs[i];
4433 		else
4434 			return false;
4435 	}
4436 
4437 	return true;
4438 }
4439 
4440 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4441 {
4442 	switch (he_mcs_map) {
4443 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4444 		return 0;
4445 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4446 		return 0x00FF;
4447 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4448 		return 0x03FF;
4449 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4450 		return 0xFFF;
4451 	default:
4452 		break;
4453 	}
4454 	return 0;
4455 }
4456 
4457 static void he_build_mcs_mask(u16 he_mcs_map,
4458 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4459 {
4460 	u8 nss;
4461 
4462 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4463 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4464 		he_mcs_map >>= 2;
4465 	}
4466 }
4467 
4468 static u16 he_get_txmcsmap(struct genl_info *info,
4469 			   const struct ieee80211_sta_he_cap *he_cap)
4470 {
4471 	struct net_device *dev = info->user_ptr[1];
4472 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4473 	__le16	tx_mcs;
4474 
4475 	switch (wdev->chandef.width) {
4476 	case NL80211_CHAN_WIDTH_80P80:
4477 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4478 		break;
4479 	case NL80211_CHAN_WIDTH_160:
4480 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4481 		break;
4482 	default:
4483 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4484 		break;
4485 	}
4486 	return le16_to_cpu(tx_mcs);
4487 }
4488 
4489 static bool he_set_mcs_mask(struct genl_info *info,
4490 			    struct wireless_dev *wdev,
4491 			    struct ieee80211_supported_band *sband,
4492 			    struct nl80211_txrate_he *txrate,
4493 			    u16 mcs[NL80211_HE_NSS_MAX])
4494 {
4495 	const struct ieee80211_sta_he_cap *he_cap;
4496 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4497 	u16 tx_mcs_map = 0;
4498 	u8 i;
4499 
4500 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4501 	if (!he_cap)
4502 		return false;
4503 
4504 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4505 
4506 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4507 
4508 	/* Build he_mcs_mask from HE capabilities */
4509 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4510 
4511 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4512 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4513 			mcs[i] = txrate->mcs[i];
4514 		else
4515 			return false;
4516 	}
4517 
4518 	return true;
4519 }
4520 
4521 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4522 					 struct nlattr *attrs[],
4523 					 enum nl80211_attrs attr,
4524 					 struct cfg80211_bitrate_mask *mask,
4525 					 struct net_device *dev)
4526 {
4527 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4528 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4529 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4530 	int rem, i;
4531 	struct nlattr *tx_rates;
4532 	struct ieee80211_supported_band *sband;
4533 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4534 
4535 	memset(mask, 0, sizeof(*mask));
4536 	/* Default to all rates enabled */
4537 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4538 		const struct ieee80211_sta_he_cap *he_cap;
4539 
4540 		sband = rdev->wiphy.bands[i];
4541 
4542 		if (!sband)
4543 			continue;
4544 
4545 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4546 		memcpy(mask->control[i].ht_mcs,
4547 		       sband->ht_cap.mcs.rx_mask,
4548 		       sizeof(mask->control[i].ht_mcs));
4549 
4550 		if (!sband->vht_cap.vht_supported)
4551 			continue;
4552 
4553 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4554 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4555 
4556 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4557 		if (!he_cap)
4558 			continue;
4559 
4560 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4561 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4562 
4563 		mask->control[i].he_gi = 0xFF;
4564 		mask->control[i].he_ltf = 0xFF;
4565 	}
4566 
4567 	/* if no rates are given set it back to the defaults */
4568 	if (!attrs[attr])
4569 		goto out;
4570 
4571 	/* The nested attribute uses enum nl80211_band as the index. This maps
4572 	 * directly to the enum nl80211_band values used in cfg80211.
4573 	 */
4574 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4575 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4576 		enum nl80211_band band = nla_type(tx_rates);
4577 		int err;
4578 
4579 		if (band < 0 || band >= NUM_NL80211_BANDS)
4580 			return -EINVAL;
4581 		sband = rdev->wiphy.bands[band];
4582 		if (sband == NULL)
4583 			return -EINVAL;
4584 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4585 						  tx_rates,
4586 						  nl80211_txattr_policy,
4587 						  info->extack);
4588 		if (err)
4589 			return err;
4590 		if (tb[NL80211_TXRATE_LEGACY]) {
4591 			mask->control[band].legacy = rateset_to_mask(
4592 				sband,
4593 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4594 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4595 			if ((mask->control[band].legacy == 0) &&
4596 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4597 				return -EINVAL;
4598 		}
4599 		if (tb[NL80211_TXRATE_HT]) {
4600 			if (!ht_rateset_to_mask(
4601 					sband,
4602 					nla_data(tb[NL80211_TXRATE_HT]),
4603 					nla_len(tb[NL80211_TXRATE_HT]),
4604 					mask->control[band].ht_mcs))
4605 				return -EINVAL;
4606 		}
4607 		if (tb[NL80211_TXRATE_VHT]) {
4608 			if (!vht_set_mcs_mask(
4609 					sband,
4610 					nla_data(tb[NL80211_TXRATE_VHT]),
4611 					mask->control[band].vht_mcs))
4612 				return -EINVAL;
4613 		}
4614 		if (tb[NL80211_TXRATE_GI]) {
4615 			mask->control[band].gi =
4616 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4617 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4618 				return -EINVAL;
4619 		}
4620 		if (tb[NL80211_TXRATE_HE] &&
4621 		    !he_set_mcs_mask(info, wdev, sband,
4622 				     nla_data(tb[NL80211_TXRATE_HE]),
4623 				     mask->control[band].he_mcs))
4624 			return -EINVAL;
4625 		if (tb[NL80211_TXRATE_HE_GI])
4626 			mask->control[band].he_gi =
4627 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4628 		if (tb[NL80211_TXRATE_HE_LTF])
4629 			mask->control[band].he_ltf =
4630 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4631 
4632 		if (mask->control[band].legacy == 0) {
4633 			/* don't allow empty legacy rates if HT, VHT or HE
4634 			 * are not even supported.
4635 			 */
4636 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4637 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4638 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4639 				return -EINVAL;
4640 
4641 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4642 				if (mask->control[band].ht_mcs[i])
4643 					goto out;
4644 
4645 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4646 				if (mask->control[band].vht_mcs[i])
4647 					goto out;
4648 
4649 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4650 				if (mask->control[band].he_mcs[i])
4651 					goto out;
4652 
4653 			/* legacy and mcs rates may not be both empty */
4654 			return -EINVAL;
4655 		}
4656 	}
4657 
4658 out:
4659 	return 0;
4660 }
4661 
4662 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4663 				   enum nl80211_band band,
4664 				   struct cfg80211_bitrate_mask *beacon_rate)
4665 {
4666 	u32 count_ht, count_vht, i;
4667 	u32 rate = beacon_rate->control[band].legacy;
4668 
4669 	/* Allow only one rate */
4670 	if (hweight32(rate) > 1)
4671 		return -EINVAL;
4672 
4673 	count_ht = 0;
4674 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4675 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4676 			return -EINVAL;
4677 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4678 			count_ht++;
4679 			if (count_ht > 1)
4680 				return -EINVAL;
4681 		}
4682 		if (count_ht && rate)
4683 			return -EINVAL;
4684 	}
4685 
4686 	count_vht = 0;
4687 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4688 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4689 			return -EINVAL;
4690 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4691 			count_vht++;
4692 			if (count_vht > 1)
4693 				return -EINVAL;
4694 		}
4695 		if (count_vht && rate)
4696 			return -EINVAL;
4697 	}
4698 
4699 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4700 		return -EINVAL;
4701 
4702 	if (rate &&
4703 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4704 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4705 		return -EINVAL;
4706 	if (count_ht &&
4707 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4708 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4709 		return -EINVAL;
4710 	if (count_vht &&
4711 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4712 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4713 		return -EINVAL;
4714 
4715 	return 0;
4716 }
4717 
4718 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4719 				struct nlattr *attrs[],
4720 				struct cfg80211_beacon_data *bcn)
4721 {
4722 	bool haveinfo = false;
4723 	int err;
4724 
4725 	memset(bcn, 0, sizeof(*bcn));
4726 
4727 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4728 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4729 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4730 		if (!bcn->head_len)
4731 			return -EINVAL;
4732 		haveinfo = true;
4733 	}
4734 
4735 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4736 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4737 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4738 		haveinfo = true;
4739 	}
4740 
4741 	if (!haveinfo)
4742 		return -EINVAL;
4743 
4744 	if (attrs[NL80211_ATTR_IE]) {
4745 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4746 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4747 	}
4748 
4749 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4750 		bcn->proberesp_ies =
4751 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4752 		bcn->proberesp_ies_len =
4753 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4754 	}
4755 
4756 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4757 		bcn->assocresp_ies =
4758 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4759 		bcn->assocresp_ies_len =
4760 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4761 	}
4762 
4763 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4764 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4765 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4766 	}
4767 
4768 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4769 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4770 
4771 		err = nla_parse_nested_deprecated(tb,
4772 						  NL80211_FTM_RESP_ATTR_MAX,
4773 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4774 						  NULL, NULL);
4775 		if (err)
4776 			return err;
4777 
4778 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4779 		    wiphy_ext_feature_isset(&rdev->wiphy,
4780 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4781 			bcn->ftm_responder = 1;
4782 		else
4783 			return -EOPNOTSUPP;
4784 
4785 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4786 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4787 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4788 		}
4789 
4790 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4791 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4792 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4793 		}
4794 	} else {
4795 		bcn->ftm_responder = -1;
4796 	}
4797 
4798 	return 0;
4799 }
4800 
4801 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4802 				    struct ieee80211_he_obss_pd *he_obss_pd)
4803 {
4804 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4805 	int err;
4806 
4807 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4808 			       he_obss_pd_policy, NULL);
4809 	if (err)
4810 		return err;
4811 
4812 	if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
4813 	    !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4814 		return -EINVAL;
4815 
4816 	he_obss_pd->min_offset =
4817 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4818 	he_obss_pd->max_offset =
4819 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4820 
4821 	if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
4822 		return -EINVAL;
4823 
4824 	he_obss_pd->enable = true;
4825 
4826 	return 0;
4827 }
4828 
4829 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
4830 				      struct cfg80211_he_bss_color *he_bss_color)
4831 {
4832 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
4833 	int err;
4834 
4835 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
4836 			       he_bss_color_policy, NULL);
4837 	if (err)
4838 		return err;
4839 
4840 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
4841 		return -EINVAL;
4842 
4843 	he_bss_color->color =
4844 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
4845 	he_bss_color->enabled =
4846 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
4847 	he_bss_color->partial =
4848 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
4849 
4850 	return 0;
4851 }
4852 
4853 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4854 					    const u8 *rates)
4855 {
4856 	int i;
4857 
4858 	if (!rates)
4859 		return;
4860 
4861 	for (i = 0; i < rates[1]; i++) {
4862 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4863 			params->ht_required = true;
4864 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4865 			params->vht_required = true;
4866 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
4867 			params->he_required = true;
4868 	}
4869 }
4870 
4871 /*
4872  * Since the nl80211 API didn't include, from the beginning, attributes about
4873  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4874  * benefit of drivers that rebuild IEs in the firmware.
4875  */
4876 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4877 {
4878 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4879 	size_t ies_len = bcn->tail_len;
4880 	const u8 *ies = bcn->tail;
4881 	const u8 *rates;
4882 	const u8 *cap;
4883 
4884 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4885 	nl80211_check_ap_rate_selectors(params, rates);
4886 
4887 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4888 	nl80211_check_ap_rate_selectors(params, rates);
4889 
4890 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4891 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4892 		params->ht_cap = (void *)(cap + 2);
4893 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4894 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4895 		params->vht_cap = (void *)(cap + 2);
4896 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4897 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4898 		params->he_cap = (void *)(cap + 3);
4899 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
4900 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
4901 		params->he_oper = (void *)(cap + 3);
4902 }
4903 
4904 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4905 				   struct cfg80211_ap_settings *params)
4906 {
4907 	struct wireless_dev *wdev;
4908 	bool ret = false;
4909 
4910 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4911 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4912 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4913 			continue;
4914 
4915 		if (!wdev->preset_chandef.chan)
4916 			continue;
4917 
4918 		params->chandef = wdev->preset_chandef;
4919 		ret = true;
4920 		break;
4921 	}
4922 
4923 	return ret;
4924 }
4925 
4926 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4927 				    enum nl80211_auth_type auth_type,
4928 				    enum nl80211_commands cmd)
4929 {
4930 	if (auth_type > NL80211_AUTHTYPE_MAX)
4931 		return false;
4932 
4933 	switch (cmd) {
4934 	case NL80211_CMD_AUTHENTICATE:
4935 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4936 		    auth_type == NL80211_AUTHTYPE_SAE)
4937 			return false;
4938 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4939 					     NL80211_EXT_FEATURE_FILS_STA) &&
4940 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4941 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4942 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4943 			return false;
4944 		return true;
4945 	case NL80211_CMD_CONNECT:
4946 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4947 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4948 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
4949 		    auth_type == NL80211_AUTHTYPE_SAE)
4950 			return false;
4951 
4952 		/* FILS with SK PFS or PK not supported yet */
4953 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4954 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4955 			return false;
4956 		if (!wiphy_ext_feature_isset(
4957 			    &rdev->wiphy,
4958 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4959 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4960 			return false;
4961 		return true;
4962 	case NL80211_CMD_START_AP:
4963 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4964 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
4965 		    auth_type == NL80211_AUTHTYPE_SAE)
4966 			return false;
4967 		/* FILS not supported yet */
4968 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4969 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4970 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4971 			return false;
4972 		return true;
4973 	default:
4974 		return false;
4975 	}
4976 }
4977 
4978 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4979 {
4980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4981 	struct net_device *dev = info->user_ptr[1];
4982 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4983 	struct cfg80211_ap_settings params;
4984 	int err;
4985 
4986 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4987 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4988 		return -EOPNOTSUPP;
4989 
4990 	if (!rdev->ops->start_ap)
4991 		return -EOPNOTSUPP;
4992 
4993 	if (wdev->beacon_interval)
4994 		return -EALREADY;
4995 
4996 	memset(&params, 0, sizeof(params));
4997 
4998 	/* these are required for START_AP */
4999 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5000 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5001 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5002 		return -EINVAL;
5003 
5004 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
5005 	if (err)
5006 		return err;
5007 
5008 	params.beacon_interval =
5009 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5010 	params.dtim_period =
5011 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5012 
5013 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5014 					   params.beacon_interval);
5015 	if (err)
5016 		return err;
5017 
5018 	/*
5019 	 * In theory, some of these attributes should be required here
5020 	 * but since they were not used when the command was originally
5021 	 * added, keep them optional for old user space programs to let
5022 	 * them continue to work with drivers that do not need the
5023 	 * additional information -- drivers must check!
5024 	 */
5025 	if (info->attrs[NL80211_ATTR_SSID]) {
5026 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5027 		params.ssid_len =
5028 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5029 		if (params.ssid_len == 0)
5030 			return -EINVAL;
5031 	}
5032 
5033 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5034 		params.hidden_ssid = nla_get_u32(
5035 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5036 
5037 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5038 
5039 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5040 		params.auth_type = nla_get_u32(
5041 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5042 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
5043 					     NL80211_CMD_START_AP))
5044 			return -EINVAL;
5045 	} else
5046 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5047 
5048 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
5049 				      NL80211_MAX_NR_CIPHER_SUITES);
5050 	if (err)
5051 		return err;
5052 
5053 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5054 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
5055 			return -EOPNOTSUPP;
5056 		params.inactivity_timeout = nla_get_u16(
5057 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5058 	}
5059 
5060 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5061 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5062 			return -EINVAL;
5063 		params.p2p_ctwindow =
5064 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5065 		if (params.p2p_ctwindow != 0 &&
5066 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5067 			return -EINVAL;
5068 	}
5069 
5070 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5071 		u8 tmp;
5072 
5073 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5074 			return -EINVAL;
5075 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5076 		params.p2p_opp_ps = tmp;
5077 		if (params.p2p_opp_ps != 0 &&
5078 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5079 			return -EINVAL;
5080 	}
5081 
5082 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5083 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
5084 		if (err)
5085 			return err;
5086 	} else if (wdev->preset_chandef.chan) {
5087 		params.chandef = wdev->preset_chandef;
5088 	} else if (!nl80211_get_ap_channel(rdev, &params))
5089 		return -EINVAL;
5090 
5091 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
5092 					   wdev->iftype))
5093 		return -EINVAL;
5094 
5095 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5096 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5097 						    NL80211_ATTR_TX_RATES,
5098 						    &params.beacon_rate,
5099 						    dev);
5100 		if (err)
5101 			return err;
5102 
5103 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
5104 					      &params.beacon_rate);
5105 		if (err)
5106 			return err;
5107 	}
5108 
5109 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5110 		params.smps_mode =
5111 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5112 		switch (params.smps_mode) {
5113 		case NL80211_SMPS_OFF:
5114 			break;
5115 		case NL80211_SMPS_STATIC:
5116 			if (!(rdev->wiphy.features &
5117 			      NL80211_FEATURE_STATIC_SMPS))
5118 				return -EINVAL;
5119 			break;
5120 		case NL80211_SMPS_DYNAMIC:
5121 			if (!(rdev->wiphy.features &
5122 			      NL80211_FEATURE_DYNAMIC_SMPS))
5123 				return -EINVAL;
5124 			break;
5125 		default:
5126 			return -EINVAL;
5127 		}
5128 	} else {
5129 		params.smps_mode = NL80211_SMPS_OFF;
5130 	}
5131 
5132 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5133 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
5134 		return -EOPNOTSUPP;
5135 
5136 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5137 		params.acl = parse_acl_data(&rdev->wiphy, info);
5138 		if (IS_ERR(params.acl))
5139 			return PTR_ERR(params.acl);
5140 	}
5141 
5142 	params.twt_responder =
5143 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5144 
5145 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5146 		err = nl80211_parse_he_obss_pd(
5147 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5148 					&params.he_obss_pd);
5149 		if (err)
5150 			goto out;
5151 	}
5152 
5153 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5154 		err = nl80211_parse_he_bss_color(
5155 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5156 					&params.he_bss_color);
5157 		if (err)
5158 			goto out;
5159 	}
5160 
5161 	nl80211_calculate_ap_params(&params);
5162 
5163 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5164 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5165 
5166 	wdev_lock(wdev);
5167 	err = rdev_start_ap(rdev, dev, &params);
5168 	if (!err) {
5169 		wdev->preset_chandef = params.chandef;
5170 		wdev->beacon_interval = params.beacon_interval;
5171 		wdev->chandef = params.chandef;
5172 		wdev->ssid_len = params.ssid_len;
5173 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5174 
5175 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5176 			wdev->conn_owner_nlportid = info->snd_portid;
5177 	}
5178 	wdev_unlock(wdev);
5179 
5180 out:
5181 	kfree(params.acl);
5182 
5183 	return err;
5184 }
5185 
5186 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5187 {
5188 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5189 	struct net_device *dev = info->user_ptr[1];
5190 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5191 	struct cfg80211_beacon_data params;
5192 	int err;
5193 
5194 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5195 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5196 		return -EOPNOTSUPP;
5197 
5198 	if (!rdev->ops->change_beacon)
5199 		return -EOPNOTSUPP;
5200 
5201 	if (!wdev->beacon_interval)
5202 		return -EINVAL;
5203 
5204 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5205 	if (err)
5206 		return err;
5207 
5208 	wdev_lock(wdev);
5209 	err = rdev_change_beacon(rdev, dev, &params);
5210 	wdev_unlock(wdev);
5211 
5212 	return err;
5213 }
5214 
5215 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5216 {
5217 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5218 	struct net_device *dev = info->user_ptr[1];
5219 
5220 	return cfg80211_stop_ap(rdev, dev, false);
5221 }
5222 
5223 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5224 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5225 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5226 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5227 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5228 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5229 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5230 };
5231 
5232 static int parse_station_flags(struct genl_info *info,
5233 			       enum nl80211_iftype iftype,
5234 			       struct station_parameters *params)
5235 {
5236 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5237 	struct nlattr *nla;
5238 	int flag;
5239 
5240 	/*
5241 	 * Try parsing the new attribute first so userspace
5242 	 * can specify both for older kernels.
5243 	 */
5244 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5245 	if (nla) {
5246 		struct nl80211_sta_flag_update *sta_flags;
5247 
5248 		sta_flags = nla_data(nla);
5249 		params->sta_flags_mask = sta_flags->mask;
5250 		params->sta_flags_set = sta_flags->set;
5251 		params->sta_flags_set &= params->sta_flags_mask;
5252 		if ((params->sta_flags_mask |
5253 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5254 			return -EINVAL;
5255 		return 0;
5256 	}
5257 
5258 	/* if present, parse the old attribute */
5259 
5260 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5261 	if (!nla)
5262 		return 0;
5263 
5264 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5265 		return -EINVAL;
5266 
5267 	/*
5268 	 * Only allow certain flags for interface types so that
5269 	 * other attributes are silently ignored. Remember that
5270 	 * this is backward compatibility code with old userspace
5271 	 * and shouldn't be hit in other cases anyway.
5272 	 */
5273 	switch (iftype) {
5274 	case NL80211_IFTYPE_AP:
5275 	case NL80211_IFTYPE_AP_VLAN:
5276 	case NL80211_IFTYPE_P2P_GO:
5277 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5278 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5279 					 BIT(NL80211_STA_FLAG_WME) |
5280 					 BIT(NL80211_STA_FLAG_MFP);
5281 		break;
5282 	case NL80211_IFTYPE_P2P_CLIENT:
5283 	case NL80211_IFTYPE_STATION:
5284 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5285 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5286 		break;
5287 	case NL80211_IFTYPE_MESH_POINT:
5288 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5289 					 BIT(NL80211_STA_FLAG_MFP) |
5290 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5291 		break;
5292 	default:
5293 		return -EINVAL;
5294 	}
5295 
5296 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5297 		if (flags[flag]) {
5298 			params->sta_flags_set |= (1<<flag);
5299 
5300 			/* no longer support new API additions in old API */
5301 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5302 				return -EINVAL;
5303 		}
5304 	}
5305 
5306 	return 0;
5307 }
5308 
5309 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5310 {
5311 	struct nlattr *rate;
5312 	u32 bitrate;
5313 	u16 bitrate_compat;
5314 	enum nl80211_rate_info rate_flg;
5315 
5316 	rate = nla_nest_start_noflag(msg, attr);
5317 	if (!rate)
5318 		return false;
5319 
5320 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5321 	bitrate = cfg80211_calculate_bitrate(info);
5322 	/* report 16-bit bitrate only if we can */
5323 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5324 	if (bitrate > 0 &&
5325 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5326 		return false;
5327 	if (bitrate_compat > 0 &&
5328 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5329 		return false;
5330 
5331 	switch (info->bw) {
5332 	case RATE_INFO_BW_5:
5333 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5334 		break;
5335 	case RATE_INFO_BW_10:
5336 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5337 		break;
5338 	default:
5339 		WARN_ON(1);
5340 		fallthrough;
5341 	case RATE_INFO_BW_20:
5342 		rate_flg = 0;
5343 		break;
5344 	case RATE_INFO_BW_40:
5345 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5346 		break;
5347 	case RATE_INFO_BW_80:
5348 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5349 		break;
5350 	case RATE_INFO_BW_160:
5351 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5352 		break;
5353 	case RATE_INFO_BW_HE_RU:
5354 		rate_flg = 0;
5355 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5356 	}
5357 
5358 	if (rate_flg && nla_put_flag(msg, rate_flg))
5359 		return false;
5360 
5361 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5362 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5363 			return false;
5364 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5365 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5366 			return false;
5367 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5368 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5369 			return false;
5370 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5371 			return false;
5372 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5373 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5374 			return false;
5375 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5376 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5377 			return false;
5378 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5379 			return false;
5380 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5381 			return false;
5382 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5383 			return false;
5384 		if (info->bw == RATE_INFO_BW_HE_RU &&
5385 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5386 			       info->he_ru_alloc))
5387 			return false;
5388 	}
5389 
5390 	nla_nest_end(msg, rate);
5391 	return true;
5392 }
5393 
5394 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5395 			       int id)
5396 {
5397 	void *attr;
5398 	int i = 0;
5399 
5400 	if (!mask)
5401 		return true;
5402 
5403 	attr = nla_nest_start_noflag(msg, id);
5404 	if (!attr)
5405 		return false;
5406 
5407 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5408 		if (!(mask & BIT(i)))
5409 			continue;
5410 
5411 		if (nla_put_u8(msg, i, signal[i]))
5412 			return false;
5413 	}
5414 
5415 	nla_nest_end(msg, attr);
5416 
5417 	return true;
5418 }
5419 
5420 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5421 				u32 seq, int flags,
5422 				struct cfg80211_registered_device *rdev,
5423 				struct net_device *dev,
5424 				const u8 *mac_addr, struct station_info *sinfo)
5425 {
5426 	void *hdr;
5427 	struct nlattr *sinfoattr, *bss_param;
5428 
5429 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5430 	if (!hdr) {
5431 		cfg80211_sinfo_release_content(sinfo);
5432 		return -1;
5433 	}
5434 
5435 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5436 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5437 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5438 		goto nla_put_failure;
5439 
5440 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5441 	if (!sinfoattr)
5442 		goto nla_put_failure;
5443 
5444 #define PUT_SINFO(attr, memb, type) do {				\
5445 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5446 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5447 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5448 			     sinfo->memb))				\
5449 		goto nla_put_failure;					\
5450 	} while (0)
5451 #define PUT_SINFO_U64(attr, memb) do {					\
5452 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5453 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5454 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5455 		goto nla_put_failure;					\
5456 	} while (0)
5457 
5458 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5459 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5460 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5461 
5462 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5463 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5464 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5465 			(u32)sinfo->rx_bytes))
5466 		goto nla_put_failure;
5467 
5468 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5469 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5470 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5471 			(u32)sinfo->tx_bytes))
5472 		goto nla_put_failure;
5473 
5474 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5475 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5476 	PUT_SINFO(LLID, llid, u16);
5477 	PUT_SINFO(PLID, plid, u16);
5478 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5479 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5480 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5481 
5482 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5483 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5484 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5485 
5486 	switch (rdev->wiphy.signal_type) {
5487 	case CFG80211_SIGNAL_TYPE_MBM:
5488 		PUT_SINFO(SIGNAL, signal, u8);
5489 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5490 		break;
5491 	default:
5492 		break;
5493 	}
5494 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5495 		if (!nl80211_put_signal(msg, sinfo->chains,
5496 					sinfo->chain_signal,
5497 					NL80211_STA_INFO_CHAIN_SIGNAL))
5498 			goto nla_put_failure;
5499 	}
5500 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5501 		if (!nl80211_put_signal(msg, sinfo->chains,
5502 					sinfo->chain_signal_avg,
5503 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5504 			goto nla_put_failure;
5505 	}
5506 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5507 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5508 					  NL80211_STA_INFO_TX_BITRATE))
5509 			goto nla_put_failure;
5510 	}
5511 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5512 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5513 					  NL80211_STA_INFO_RX_BITRATE))
5514 			goto nla_put_failure;
5515 	}
5516 
5517 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5518 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5519 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5520 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5521 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5522 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5523 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5524 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5525 	PUT_SINFO(PEER_PM, peer_pm, u32);
5526 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5527 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5528 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
5529 
5530 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5531 		bss_param = nla_nest_start_noflag(msg,
5532 						  NL80211_STA_INFO_BSS_PARAM);
5533 		if (!bss_param)
5534 			goto nla_put_failure;
5535 
5536 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5537 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5538 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5539 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5540 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5541 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5542 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5543 			       sinfo->bss_param.dtim_period) ||
5544 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5545 				sinfo->bss_param.beacon_interval))
5546 			goto nla_put_failure;
5547 
5548 		nla_nest_end(msg, bss_param);
5549 	}
5550 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5551 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5552 		    sizeof(struct nl80211_sta_flag_update),
5553 		    &sinfo->sta_flags))
5554 		goto nla_put_failure;
5555 
5556 	PUT_SINFO_U64(T_OFFSET, t_offset);
5557 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5558 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5559 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5560 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5561 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5562 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5563 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5564 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5565 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5566 	}
5567 
5568 #undef PUT_SINFO
5569 #undef PUT_SINFO_U64
5570 
5571 	if (sinfo->pertid) {
5572 		struct nlattr *tidsattr;
5573 		int tid;
5574 
5575 		tidsattr = nla_nest_start_noflag(msg,
5576 						 NL80211_STA_INFO_TID_STATS);
5577 		if (!tidsattr)
5578 			goto nla_put_failure;
5579 
5580 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5581 			struct cfg80211_tid_stats *tidstats;
5582 			struct nlattr *tidattr;
5583 
5584 			tidstats = &sinfo->pertid[tid];
5585 
5586 			if (!tidstats->filled)
5587 				continue;
5588 
5589 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5590 			if (!tidattr)
5591 				goto nla_put_failure;
5592 
5593 #define PUT_TIDVAL_U64(attr, memb) do {					\
5594 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5595 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5596 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5597 		goto nla_put_failure;					\
5598 	} while (0)
5599 
5600 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5601 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5602 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5603 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5604 
5605 #undef PUT_TIDVAL_U64
5606 			if ((tidstats->filled &
5607 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5608 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5609 						   NL80211_TID_STATS_TXQ_STATS))
5610 				goto nla_put_failure;
5611 
5612 			nla_nest_end(msg, tidattr);
5613 		}
5614 
5615 		nla_nest_end(msg, tidsattr);
5616 	}
5617 
5618 	nla_nest_end(msg, sinfoattr);
5619 
5620 	if (sinfo->assoc_req_ies_len &&
5621 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5622 		    sinfo->assoc_req_ies))
5623 		goto nla_put_failure;
5624 
5625 	cfg80211_sinfo_release_content(sinfo);
5626 	genlmsg_end(msg, hdr);
5627 	return 0;
5628 
5629  nla_put_failure:
5630 	cfg80211_sinfo_release_content(sinfo);
5631 	genlmsg_cancel(msg, hdr);
5632 	return -EMSGSIZE;
5633 }
5634 
5635 static int nl80211_dump_station(struct sk_buff *skb,
5636 				struct netlink_callback *cb)
5637 {
5638 	struct station_info sinfo;
5639 	struct cfg80211_registered_device *rdev;
5640 	struct wireless_dev *wdev;
5641 	u8 mac_addr[ETH_ALEN];
5642 	int sta_idx = cb->args[2];
5643 	int err;
5644 
5645 	rtnl_lock();
5646 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5647 	if (err)
5648 		goto out_err;
5649 
5650 	if (!wdev->netdev) {
5651 		err = -EINVAL;
5652 		goto out_err;
5653 	}
5654 
5655 	if (!rdev->ops->dump_station) {
5656 		err = -EOPNOTSUPP;
5657 		goto out_err;
5658 	}
5659 
5660 	while (1) {
5661 		memset(&sinfo, 0, sizeof(sinfo));
5662 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5663 					mac_addr, &sinfo);
5664 		if (err == -ENOENT)
5665 			break;
5666 		if (err)
5667 			goto out_err;
5668 
5669 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5670 				NETLINK_CB(cb->skb).portid,
5671 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5672 				rdev, wdev->netdev, mac_addr,
5673 				&sinfo) < 0)
5674 			goto out;
5675 
5676 		sta_idx++;
5677 	}
5678 
5679  out:
5680 	cb->args[2] = sta_idx;
5681 	err = skb->len;
5682  out_err:
5683 	rtnl_unlock();
5684 
5685 	return err;
5686 }
5687 
5688 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5689 {
5690 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5691 	struct net_device *dev = info->user_ptr[1];
5692 	struct station_info sinfo;
5693 	struct sk_buff *msg;
5694 	u8 *mac_addr = NULL;
5695 	int err;
5696 
5697 	memset(&sinfo, 0, sizeof(sinfo));
5698 
5699 	if (!info->attrs[NL80211_ATTR_MAC])
5700 		return -EINVAL;
5701 
5702 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5703 
5704 	if (!rdev->ops->get_station)
5705 		return -EOPNOTSUPP;
5706 
5707 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5708 	if (err)
5709 		return err;
5710 
5711 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5712 	if (!msg) {
5713 		cfg80211_sinfo_release_content(&sinfo);
5714 		return -ENOMEM;
5715 	}
5716 
5717 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5718 				 info->snd_portid, info->snd_seq, 0,
5719 				 rdev, dev, mac_addr, &sinfo) < 0) {
5720 		nlmsg_free(msg);
5721 		return -ENOBUFS;
5722 	}
5723 
5724 	return genlmsg_reply(msg, info);
5725 }
5726 
5727 int cfg80211_check_station_change(struct wiphy *wiphy,
5728 				  struct station_parameters *params,
5729 				  enum cfg80211_station_type statype)
5730 {
5731 	if (params->listen_interval != -1 &&
5732 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5733 		return -EINVAL;
5734 
5735 	if (params->support_p2p_ps != -1 &&
5736 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5737 		return -EINVAL;
5738 
5739 	if (params->aid &&
5740 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5741 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5742 		return -EINVAL;
5743 
5744 	/* When you run into this, adjust the code below for the new flag */
5745 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5746 
5747 	switch (statype) {
5748 	case CFG80211_STA_MESH_PEER_KERNEL:
5749 	case CFG80211_STA_MESH_PEER_USER:
5750 		/*
5751 		 * No ignoring the TDLS flag here -- the userspace mesh
5752 		 * code doesn't have the bug of including TDLS in the
5753 		 * mask everywhere.
5754 		 */
5755 		if (params->sta_flags_mask &
5756 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5757 				  BIT(NL80211_STA_FLAG_MFP) |
5758 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5759 			return -EINVAL;
5760 		break;
5761 	case CFG80211_STA_TDLS_PEER_SETUP:
5762 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5763 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5764 			return -EINVAL;
5765 		/* ignore since it can't change */
5766 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5767 		break;
5768 	default:
5769 		/* disallow mesh-specific things */
5770 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5771 			return -EINVAL;
5772 		if (params->local_pm)
5773 			return -EINVAL;
5774 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5775 			return -EINVAL;
5776 	}
5777 
5778 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5779 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5780 		/* TDLS can't be set, ... */
5781 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5782 			return -EINVAL;
5783 		/*
5784 		 * ... but don't bother the driver with it. This works around
5785 		 * a hostapd/wpa_supplicant issue -- it always includes the
5786 		 * TLDS_PEER flag in the mask even for AP mode.
5787 		 */
5788 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5789 	}
5790 
5791 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5792 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5793 		/* reject other things that can't change */
5794 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5795 			return -EINVAL;
5796 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5797 			return -EINVAL;
5798 		if (params->supported_rates)
5799 			return -EINVAL;
5800 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5801 		    params->he_capa)
5802 			return -EINVAL;
5803 	}
5804 
5805 	if (statype != CFG80211_STA_AP_CLIENT &&
5806 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5807 		if (params->vlan)
5808 			return -EINVAL;
5809 	}
5810 
5811 	switch (statype) {
5812 	case CFG80211_STA_AP_MLME_CLIENT:
5813 		/* Use this only for authorizing/unauthorizing a station */
5814 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5815 			return -EOPNOTSUPP;
5816 		break;
5817 	case CFG80211_STA_AP_CLIENT:
5818 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5819 		/* accept only the listed bits */
5820 		if (params->sta_flags_mask &
5821 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5822 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5823 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5824 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5825 				  BIT(NL80211_STA_FLAG_WME) |
5826 				  BIT(NL80211_STA_FLAG_MFP)))
5827 			return -EINVAL;
5828 
5829 		/* but authenticated/associated only if driver handles it */
5830 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5831 		    params->sta_flags_mask &
5832 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5833 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5834 			return -EINVAL;
5835 		break;
5836 	case CFG80211_STA_IBSS:
5837 	case CFG80211_STA_AP_STA:
5838 		/* reject any changes other than AUTHORIZED */
5839 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5840 			return -EINVAL;
5841 		break;
5842 	case CFG80211_STA_TDLS_PEER_SETUP:
5843 		/* reject any changes other than AUTHORIZED or WME */
5844 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5845 					       BIT(NL80211_STA_FLAG_WME)))
5846 			return -EINVAL;
5847 		/* force (at least) rates when authorizing */
5848 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5849 		    !params->supported_rates)
5850 			return -EINVAL;
5851 		break;
5852 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5853 		/* reject any changes */
5854 		return -EINVAL;
5855 	case CFG80211_STA_MESH_PEER_KERNEL:
5856 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5857 			return -EINVAL;
5858 		break;
5859 	case CFG80211_STA_MESH_PEER_USER:
5860 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5861 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5862 			return -EINVAL;
5863 		break;
5864 	}
5865 
5866 	/*
5867 	 * Older kernel versions ignored this attribute entirely, so don't
5868 	 * reject attempts to update it but mark it as unused instead so the
5869 	 * driver won't look at the data.
5870 	 */
5871 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5872 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5873 		params->opmode_notif_used = false;
5874 
5875 	return 0;
5876 }
5877 EXPORT_SYMBOL(cfg80211_check_station_change);
5878 
5879 /*
5880  * Get vlan interface making sure it is running and on the right wiphy.
5881  */
5882 static struct net_device *get_vlan(struct genl_info *info,
5883 				   struct cfg80211_registered_device *rdev)
5884 {
5885 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5886 	struct net_device *v;
5887 	int ret;
5888 
5889 	if (!vlanattr)
5890 		return NULL;
5891 
5892 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5893 	if (!v)
5894 		return ERR_PTR(-ENODEV);
5895 
5896 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5897 		ret = -EINVAL;
5898 		goto error;
5899 	}
5900 
5901 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5902 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5903 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5904 		ret = -EINVAL;
5905 		goto error;
5906 	}
5907 
5908 	if (!netif_running(v)) {
5909 		ret = -ENETDOWN;
5910 		goto error;
5911 	}
5912 
5913 	return v;
5914  error:
5915 	dev_put(v);
5916 	return ERR_PTR(ret);
5917 }
5918 
5919 static const struct nla_policy
5920 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5921 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5922 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5923 };
5924 
5925 static int nl80211_parse_sta_wme(struct genl_info *info,
5926 				 struct station_parameters *params)
5927 {
5928 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5929 	struct nlattr *nla;
5930 	int err;
5931 
5932 	/* parse WME attributes if present */
5933 	if (!info->attrs[NL80211_ATTR_STA_WME])
5934 		return 0;
5935 
5936 	nla = info->attrs[NL80211_ATTR_STA_WME];
5937 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5938 					  nl80211_sta_wme_policy,
5939 					  info->extack);
5940 	if (err)
5941 		return err;
5942 
5943 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5944 		params->uapsd_queues = nla_get_u8(
5945 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5946 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5947 		return -EINVAL;
5948 
5949 	if (tb[NL80211_STA_WME_MAX_SP])
5950 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5951 
5952 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5953 		return -EINVAL;
5954 
5955 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5956 
5957 	return 0;
5958 }
5959 
5960 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5961 				      struct station_parameters *params)
5962 {
5963 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5964 		params->supported_channels =
5965 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5966 		params->supported_channels_len =
5967 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5968 		/*
5969 		 * Need to include at least one (first channel, number of
5970 		 * channels) tuple for each subband (checked in policy),
5971 		 * and must have proper tuples for the rest of the data as well.
5972 		 */
5973 		if (params->supported_channels_len % 2)
5974 			return -EINVAL;
5975 	}
5976 
5977 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5978 		params->supported_oper_classes =
5979 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5980 		params->supported_oper_classes_len =
5981 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5982 	}
5983 	return 0;
5984 }
5985 
5986 static int nl80211_set_station_tdls(struct genl_info *info,
5987 				    struct station_parameters *params)
5988 {
5989 	int err;
5990 	/* Dummy STA entry gets updated once the peer capabilities are known */
5991 	if (info->attrs[NL80211_ATTR_PEER_AID])
5992 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5993 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5994 		params->ht_capa =
5995 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5996 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5997 		params->vht_capa =
5998 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5999 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6000 		params->he_capa =
6001 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6002 		params->he_capa_len =
6003 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6004 	}
6005 
6006 	err = nl80211_parse_sta_channel_info(info, params);
6007 	if (err)
6008 		return err;
6009 
6010 	return nl80211_parse_sta_wme(info, params);
6011 }
6012 
6013 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6014 					     struct station_parameters *params)
6015 {
6016 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6017 	int idx;
6018 
6019 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6020 		if (!rdev->ops->set_tx_power ||
6021 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6022 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6023 			return -EOPNOTSUPP;
6024 
6025 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6026 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6027 
6028 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6029 			idx = NL80211_ATTR_STA_TX_POWER;
6030 
6031 			if (info->attrs[idx])
6032 				params->txpwr.power =
6033 					nla_get_s16(info->attrs[idx]);
6034 			else
6035 				return -EINVAL;
6036 		}
6037 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6038 	}
6039 
6040 	return 0;
6041 }
6042 
6043 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6044 {
6045 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6046 	struct net_device *dev = info->user_ptr[1];
6047 	struct station_parameters params;
6048 	u8 *mac_addr;
6049 	int err;
6050 
6051 	memset(&params, 0, sizeof(params));
6052 
6053 	if (!rdev->ops->change_station)
6054 		return -EOPNOTSUPP;
6055 
6056 	/*
6057 	 * AID and listen_interval properties can be set only for unassociated
6058 	 * station. Include these parameters here and will check them in
6059 	 * cfg80211_check_station_change().
6060 	 */
6061 	if (info->attrs[NL80211_ATTR_STA_AID])
6062 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6063 
6064 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6065 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6066 
6067 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6068 		params.listen_interval =
6069 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6070 	else
6071 		params.listen_interval = -1;
6072 
6073 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6074 		params.support_p2p_ps =
6075 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6076 	else
6077 		params.support_p2p_ps = -1;
6078 
6079 	if (!info->attrs[NL80211_ATTR_MAC])
6080 		return -EINVAL;
6081 
6082 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6083 
6084 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6085 		params.supported_rates =
6086 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6087 		params.supported_rates_len =
6088 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6089 	}
6090 
6091 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6092 		params.capability =
6093 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6094 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6095 	}
6096 
6097 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6098 		params.ext_capab =
6099 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6100 		params.ext_capab_len =
6101 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6102 	}
6103 
6104 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6105 		return -EINVAL;
6106 
6107 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6108 		params.plink_action =
6109 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6110 
6111 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6112 		params.plink_state =
6113 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6114 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6115 			params.peer_aid = nla_get_u16(
6116 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6117 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6118 	}
6119 
6120 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6121 		params.local_pm = nla_get_u32(
6122 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6123 
6124 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6125 		params.opmode_notif_used = true;
6126 		params.opmode_notif =
6127 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6128 	}
6129 
6130 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6131 		params.he_6ghz_capa =
6132 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6133 
6134 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6135 		params.airtime_weight =
6136 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6137 
6138 	if (params.airtime_weight &&
6139 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6140 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6141 		return -EOPNOTSUPP;
6142 
6143 	err = nl80211_parse_sta_txpower_setting(info, &params);
6144 	if (err)
6145 		return err;
6146 
6147 	/* Include parameters for TDLS peer (will check later) */
6148 	err = nl80211_set_station_tdls(info, &params);
6149 	if (err)
6150 		return err;
6151 
6152 	params.vlan = get_vlan(info, rdev);
6153 	if (IS_ERR(params.vlan))
6154 		return PTR_ERR(params.vlan);
6155 
6156 	switch (dev->ieee80211_ptr->iftype) {
6157 	case NL80211_IFTYPE_AP:
6158 	case NL80211_IFTYPE_AP_VLAN:
6159 	case NL80211_IFTYPE_P2P_GO:
6160 	case NL80211_IFTYPE_P2P_CLIENT:
6161 	case NL80211_IFTYPE_STATION:
6162 	case NL80211_IFTYPE_ADHOC:
6163 	case NL80211_IFTYPE_MESH_POINT:
6164 		break;
6165 	default:
6166 		err = -EOPNOTSUPP;
6167 		goto out_put_vlan;
6168 	}
6169 
6170 	/* driver will call cfg80211_check_station_change() */
6171 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6172 
6173  out_put_vlan:
6174 	if (params.vlan)
6175 		dev_put(params.vlan);
6176 
6177 	return err;
6178 }
6179 
6180 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6181 {
6182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6183 	int err;
6184 	struct net_device *dev = info->user_ptr[1];
6185 	struct station_parameters params;
6186 	u8 *mac_addr = NULL;
6187 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6188 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6189 
6190 	memset(&params, 0, sizeof(params));
6191 
6192 	if (!rdev->ops->add_station)
6193 		return -EOPNOTSUPP;
6194 
6195 	if (!info->attrs[NL80211_ATTR_MAC])
6196 		return -EINVAL;
6197 
6198 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6199 		return -EINVAL;
6200 
6201 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6202 		return -EINVAL;
6203 
6204 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6205 	    !info->attrs[NL80211_ATTR_PEER_AID])
6206 		return -EINVAL;
6207 
6208 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6209 	params.supported_rates =
6210 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6211 	params.supported_rates_len =
6212 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6213 	params.listen_interval =
6214 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6215 
6216 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6217 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6218 
6219 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6220 		params.support_p2p_ps =
6221 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6222 	} else {
6223 		/*
6224 		 * if not specified, assume it's supported for P2P GO interface,
6225 		 * and is NOT supported for AP interface
6226 		 */
6227 		params.support_p2p_ps =
6228 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6229 	}
6230 
6231 	if (info->attrs[NL80211_ATTR_PEER_AID])
6232 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6233 	else
6234 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6235 
6236 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6237 		params.capability =
6238 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6239 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6240 	}
6241 
6242 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6243 		params.ext_capab =
6244 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6245 		params.ext_capab_len =
6246 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6247 	}
6248 
6249 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6250 		params.ht_capa =
6251 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6252 
6253 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6254 		params.vht_capa =
6255 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6256 
6257 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6258 		params.he_capa =
6259 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6260 		params.he_capa_len =
6261 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6262 	}
6263 
6264 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6265 		params.he_6ghz_capa =
6266 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6267 
6268 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6269 		params.opmode_notif_used = true;
6270 		params.opmode_notif =
6271 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6272 	}
6273 
6274 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6275 		params.plink_action =
6276 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6277 
6278 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6279 		params.airtime_weight =
6280 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6281 
6282 	if (params.airtime_weight &&
6283 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6284 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6285 		return -EOPNOTSUPP;
6286 
6287 	err = nl80211_parse_sta_txpower_setting(info, &params);
6288 	if (err)
6289 		return err;
6290 
6291 	err = nl80211_parse_sta_channel_info(info, &params);
6292 	if (err)
6293 		return err;
6294 
6295 	err = nl80211_parse_sta_wme(info, &params);
6296 	if (err)
6297 		return err;
6298 
6299 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6300 		return -EINVAL;
6301 
6302 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6303 	 * as userspace might just pass through the capabilities from the IEs
6304 	 * directly, rather than enforcing this restriction and returning an
6305 	 * error in this case.
6306 	 */
6307 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6308 		params.ht_capa = NULL;
6309 		params.vht_capa = NULL;
6310 
6311 		/* HE requires WME */
6312 		if (params.he_capa_len || params.he_6ghz_capa)
6313 			return -EINVAL;
6314 	}
6315 
6316 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6317 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6318 		return -EINVAL;
6319 
6320 	/* When you run into this, adjust the code below for the new flag */
6321 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6322 
6323 	switch (dev->ieee80211_ptr->iftype) {
6324 	case NL80211_IFTYPE_AP:
6325 	case NL80211_IFTYPE_AP_VLAN:
6326 	case NL80211_IFTYPE_P2P_GO:
6327 		/* ignore WME attributes if iface/sta is not capable */
6328 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6329 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6330 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6331 
6332 		/* TDLS peers cannot be added */
6333 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6334 		    info->attrs[NL80211_ATTR_PEER_AID])
6335 			return -EINVAL;
6336 		/* but don't bother the driver with it */
6337 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6338 
6339 		/* allow authenticated/associated only if driver handles it */
6340 		if (!(rdev->wiphy.features &
6341 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6342 		    params.sta_flags_mask & auth_assoc)
6343 			return -EINVAL;
6344 
6345 		/* Older userspace, or userspace wanting to be compatible with
6346 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6347 		 * and assoc flags in the mask, but assumes the station will be
6348 		 * added as associated anyway since this was the required driver
6349 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6350 		 * introduced.
6351 		 * In order to not bother drivers with this quirk in the API
6352 		 * set the flags in both the mask and set for new stations in
6353 		 * this case.
6354 		 */
6355 		if (!(params.sta_flags_mask & auth_assoc)) {
6356 			params.sta_flags_mask |= auth_assoc;
6357 			params.sta_flags_set |= auth_assoc;
6358 		}
6359 
6360 		/* must be last in here for error handling */
6361 		params.vlan = get_vlan(info, rdev);
6362 		if (IS_ERR(params.vlan))
6363 			return PTR_ERR(params.vlan);
6364 		break;
6365 	case NL80211_IFTYPE_MESH_POINT:
6366 		/* ignore uAPSD data */
6367 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6368 
6369 		/* associated is disallowed */
6370 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6371 			return -EINVAL;
6372 		/* TDLS peers cannot be added */
6373 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6374 		    info->attrs[NL80211_ATTR_PEER_AID])
6375 			return -EINVAL;
6376 		break;
6377 	case NL80211_IFTYPE_STATION:
6378 	case NL80211_IFTYPE_P2P_CLIENT:
6379 		/* ignore uAPSD data */
6380 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6381 
6382 		/* these are disallowed */
6383 		if (params.sta_flags_mask &
6384 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6385 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6386 			return -EINVAL;
6387 		/* Only TDLS peers can be added */
6388 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6389 			return -EINVAL;
6390 		/* Can only add if TDLS ... */
6391 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6392 			return -EOPNOTSUPP;
6393 		/* ... with external setup is supported */
6394 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6395 			return -EOPNOTSUPP;
6396 		/*
6397 		 * Older wpa_supplicant versions always mark the TDLS peer
6398 		 * as authorized, but it shouldn't yet be.
6399 		 */
6400 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6401 		break;
6402 	default:
6403 		return -EOPNOTSUPP;
6404 	}
6405 
6406 	/* be aware of params.vlan when changing code here */
6407 
6408 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6409 
6410 	if (params.vlan)
6411 		dev_put(params.vlan);
6412 	return err;
6413 }
6414 
6415 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6416 {
6417 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6418 	struct net_device *dev = info->user_ptr[1];
6419 	struct station_del_parameters params;
6420 
6421 	memset(&params, 0, sizeof(params));
6422 
6423 	if (info->attrs[NL80211_ATTR_MAC])
6424 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6425 
6426 	switch (dev->ieee80211_ptr->iftype) {
6427 	case NL80211_IFTYPE_AP:
6428 	case NL80211_IFTYPE_AP_VLAN:
6429 	case NL80211_IFTYPE_MESH_POINT:
6430 	case NL80211_IFTYPE_P2P_GO:
6431 		/* always accept these */
6432 		break;
6433 	case NL80211_IFTYPE_ADHOC:
6434 		/* conditionally accept */
6435 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6436 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6437 			break;
6438 		return -EINVAL;
6439 	default:
6440 		return -EINVAL;
6441 	}
6442 
6443 	if (!rdev->ops->del_station)
6444 		return -EOPNOTSUPP;
6445 
6446 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6447 		params.subtype =
6448 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6449 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6450 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6451 			return -EINVAL;
6452 	} else {
6453 		/* Default to Deauthentication frame */
6454 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6455 	}
6456 
6457 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6458 		params.reason_code =
6459 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6460 		if (params.reason_code == 0)
6461 			return -EINVAL; /* 0 is reserved */
6462 	} else {
6463 		/* Default to reason code 2 */
6464 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6465 	}
6466 
6467 	return rdev_del_station(rdev, dev, &params);
6468 }
6469 
6470 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6471 				int flags, struct net_device *dev,
6472 				u8 *dst, u8 *next_hop,
6473 				struct mpath_info *pinfo)
6474 {
6475 	void *hdr;
6476 	struct nlattr *pinfoattr;
6477 
6478 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6479 	if (!hdr)
6480 		return -1;
6481 
6482 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6483 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6484 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6485 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6486 		goto nla_put_failure;
6487 
6488 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6489 	if (!pinfoattr)
6490 		goto nla_put_failure;
6491 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6492 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6493 			pinfo->frame_qlen))
6494 		goto nla_put_failure;
6495 	if (((pinfo->filled & MPATH_INFO_SN) &&
6496 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6497 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6498 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6499 			 pinfo->metric)) ||
6500 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6501 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6502 			 pinfo->exptime)) ||
6503 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6504 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6505 			pinfo->flags)) ||
6506 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6507 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6508 			 pinfo->discovery_timeout)) ||
6509 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6510 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6511 			pinfo->discovery_retries)) ||
6512 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6513 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6514 			pinfo->hop_count)) ||
6515 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6516 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6517 			 pinfo->path_change_count)))
6518 		goto nla_put_failure;
6519 
6520 	nla_nest_end(msg, pinfoattr);
6521 
6522 	genlmsg_end(msg, hdr);
6523 	return 0;
6524 
6525  nla_put_failure:
6526 	genlmsg_cancel(msg, hdr);
6527 	return -EMSGSIZE;
6528 }
6529 
6530 static int nl80211_dump_mpath(struct sk_buff *skb,
6531 			      struct netlink_callback *cb)
6532 {
6533 	struct mpath_info pinfo;
6534 	struct cfg80211_registered_device *rdev;
6535 	struct wireless_dev *wdev;
6536 	u8 dst[ETH_ALEN];
6537 	u8 next_hop[ETH_ALEN];
6538 	int path_idx = cb->args[2];
6539 	int err;
6540 
6541 	rtnl_lock();
6542 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6543 	if (err)
6544 		goto out_err;
6545 
6546 	if (!rdev->ops->dump_mpath) {
6547 		err = -EOPNOTSUPP;
6548 		goto out_err;
6549 	}
6550 
6551 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6552 		err = -EOPNOTSUPP;
6553 		goto out_err;
6554 	}
6555 
6556 	while (1) {
6557 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6558 				      next_hop, &pinfo);
6559 		if (err == -ENOENT)
6560 			break;
6561 		if (err)
6562 			goto out_err;
6563 
6564 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6565 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6566 				       wdev->netdev, dst, next_hop,
6567 				       &pinfo) < 0)
6568 			goto out;
6569 
6570 		path_idx++;
6571 	}
6572 
6573  out:
6574 	cb->args[2] = path_idx;
6575 	err = skb->len;
6576  out_err:
6577 	rtnl_unlock();
6578 	return err;
6579 }
6580 
6581 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6582 {
6583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6584 	int err;
6585 	struct net_device *dev = info->user_ptr[1];
6586 	struct mpath_info pinfo;
6587 	struct sk_buff *msg;
6588 	u8 *dst = NULL;
6589 	u8 next_hop[ETH_ALEN];
6590 
6591 	memset(&pinfo, 0, sizeof(pinfo));
6592 
6593 	if (!info->attrs[NL80211_ATTR_MAC])
6594 		return -EINVAL;
6595 
6596 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6597 
6598 	if (!rdev->ops->get_mpath)
6599 		return -EOPNOTSUPP;
6600 
6601 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6602 		return -EOPNOTSUPP;
6603 
6604 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6605 	if (err)
6606 		return err;
6607 
6608 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6609 	if (!msg)
6610 		return -ENOMEM;
6611 
6612 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6613 				 dev, dst, next_hop, &pinfo) < 0) {
6614 		nlmsg_free(msg);
6615 		return -ENOBUFS;
6616 	}
6617 
6618 	return genlmsg_reply(msg, info);
6619 }
6620 
6621 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6622 {
6623 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6624 	struct net_device *dev = info->user_ptr[1];
6625 	u8 *dst = NULL;
6626 	u8 *next_hop = NULL;
6627 
6628 	if (!info->attrs[NL80211_ATTR_MAC])
6629 		return -EINVAL;
6630 
6631 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6632 		return -EINVAL;
6633 
6634 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6635 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6636 
6637 	if (!rdev->ops->change_mpath)
6638 		return -EOPNOTSUPP;
6639 
6640 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6641 		return -EOPNOTSUPP;
6642 
6643 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6644 }
6645 
6646 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6647 {
6648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6649 	struct net_device *dev = info->user_ptr[1];
6650 	u8 *dst = NULL;
6651 	u8 *next_hop = NULL;
6652 
6653 	if (!info->attrs[NL80211_ATTR_MAC])
6654 		return -EINVAL;
6655 
6656 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6657 		return -EINVAL;
6658 
6659 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6660 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6661 
6662 	if (!rdev->ops->add_mpath)
6663 		return -EOPNOTSUPP;
6664 
6665 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6666 		return -EOPNOTSUPP;
6667 
6668 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6669 }
6670 
6671 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6672 {
6673 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6674 	struct net_device *dev = info->user_ptr[1];
6675 	u8 *dst = NULL;
6676 
6677 	if (info->attrs[NL80211_ATTR_MAC])
6678 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6679 
6680 	if (!rdev->ops->del_mpath)
6681 		return -EOPNOTSUPP;
6682 
6683 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6684 		return -EOPNOTSUPP;
6685 
6686 	return rdev_del_mpath(rdev, dev, dst);
6687 }
6688 
6689 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6690 {
6691 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6692 	int err;
6693 	struct net_device *dev = info->user_ptr[1];
6694 	struct mpath_info pinfo;
6695 	struct sk_buff *msg;
6696 	u8 *dst = NULL;
6697 	u8 mpp[ETH_ALEN];
6698 
6699 	memset(&pinfo, 0, sizeof(pinfo));
6700 
6701 	if (!info->attrs[NL80211_ATTR_MAC])
6702 		return -EINVAL;
6703 
6704 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6705 
6706 	if (!rdev->ops->get_mpp)
6707 		return -EOPNOTSUPP;
6708 
6709 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6710 		return -EOPNOTSUPP;
6711 
6712 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6713 	if (err)
6714 		return err;
6715 
6716 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6717 	if (!msg)
6718 		return -ENOMEM;
6719 
6720 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6721 			       dev, dst, mpp, &pinfo) < 0) {
6722 		nlmsg_free(msg);
6723 		return -ENOBUFS;
6724 	}
6725 
6726 	return genlmsg_reply(msg, info);
6727 }
6728 
6729 static int nl80211_dump_mpp(struct sk_buff *skb,
6730 			    struct netlink_callback *cb)
6731 {
6732 	struct mpath_info pinfo;
6733 	struct cfg80211_registered_device *rdev;
6734 	struct wireless_dev *wdev;
6735 	u8 dst[ETH_ALEN];
6736 	u8 mpp[ETH_ALEN];
6737 	int path_idx = cb->args[2];
6738 	int err;
6739 
6740 	rtnl_lock();
6741 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6742 	if (err)
6743 		goto out_err;
6744 
6745 	if (!rdev->ops->dump_mpp) {
6746 		err = -EOPNOTSUPP;
6747 		goto out_err;
6748 	}
6749 
6750 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6751 		err = -EOPNOTSUPP;
6752 		goto out_err;
6753 	}
6754 
6755 	while (1) {
6756 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6757 				    mpp, &pinfo);
6758 		if (err == -ENOENT)
6759 			break;
6760 		if (err)
6761 			goto out_err;
6762 
6763 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6764 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6765 				       wdev->netdev, dst, mpp,
6766 				       &pinfo) < 0)
6767 			goto out;
6768 
6769 		path_idx++;
6770 	}
6771 
6772  out:
6773 	cb->args[2] = path_idx;
6774 	err = skb->len;
6775  out_err:
6776 	rtnl_unlock();
6777 	return err;
6778 }
6779 
6780 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6781 {
6782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6783 	struct net_device *dev = info->user_ptr[1];
6784 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6785 	struct bss_parameters params;
6786 	int err;
6787 
6788 	memset(&params, 0, sizeof(params));
6789 	/* default to not changing parameters */
6790 	params.use_cts_prot = -1;
6791 	params.use_short_preamble = -1;
6792 	params.use_short_slot_time = -1;
6793 	params.ap_isolate = -1;
6794 	params.ht_opmode = -1;
6795 	params.p2p_ctwindow = -1;
6796 	params.p2p_opp_ps = -1;
6797 
6798 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6799 		params.use_cts_prot =
6800 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6801 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6802 		params.use_short_preamble =
6803 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6804 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6805 		params.use_short_slot_time =
6806 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6807 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6808 		params.basic_rates =
6809 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6810 		params.basic_rates_len =
6811 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6812 	}
6813 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6814 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6815 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6816 		params.ht_opmode =
6817 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6818 
6819 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6820 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6821 			return -EINVAL;
6822 		params.p2p_ctwindow =
6823 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6824 		if (params.p2p_ctwindow != 0 &&
6825 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6826 			return -EINVAL;
6827 	}
6828 
6829 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6830 		u8 tmp;
6831 
6832 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6833 			return -EINVAL;
6834 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6835 		params.p2p_opp_ps = tmp;
6836 		if (params.p2p_opp_ps &&
6837 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6838 			return -EINVAL;
6839 	}
6840 
6841 	if (!rdev->ops->change_bss)
6842 		return -EOPNOTSUPP;
6843 
6844 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6845 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6846 		return -EOPNOTSUPP;
6847 
6848 	wdev_lock(wdev);
6849 	err = rdev_change_bss(rdev, dev, &params);
6850 	wdev_unlock(wdev);
6851 
6852 	return err;
6853 }
6854 
6855 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6856 {
6857 	char *data = NULL;
6858 	bool is_indoor;
6859 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6860 	u32 owner_nlportid;
6861 
6862 	/*
6863 	 * You should only get this when cfg80211 hasn't yet initialized
6864 	 * completely when built-in to the kernel right between the time
6865 	 * window between nl80211_init() and regulatory_init(), if that is
6866 	 * even possible.
6867 	 */
6868 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6869 		return -EINPROGRESS;
6870 
6871 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6872 		user_reg_hint_type =
6873 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6874 	else
6875 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6876 
6877 	switch (user_reg_hint_type) {
6878 	case NL80211_USER_REG_HINT_USER:
6879 	case NL80211_USER_REG_HINT_CELL_BASE:
6880 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6881 			return -EINVAL;
6882 
6883 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6884 		return regulatory_hint_user(data, user_reg_hint_type);
6885 	case NL80211_USER_REG_HINT_INDOOR:
6886 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6887 			owner_nlportid = info->snd_portid;
6888 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6889 		} else {
6890 			owner_nlportid = 0;
6891 			is_indoor = true;
6892 		}
6893 
6894 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6895 	default:
6896 		return -EINVAL;
6897 	}
6898 }
6899 
6900 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6901 {
6902 	return reg_reload_regdb();
6903 }
6904 
6905 static int nl80211_get_mesh_config(struct sk_buff *skb,
6906 				   struct genl_info *info)
6907 {
6908 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6909 	struct net_device *dev = info->user_ptr[1];
6910 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6911 	struct mesh_config cur_params;
6912 	int err = 0;
6913 	void *hdr;
6914 	struct nlattr *pinfoattr;
6915 	struct sk_buff *msg;
6916 
6917 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6918 		return -EOPNOTSUPP;
6919 
6920 	if (!rdev->ops->get_mesh_config)
6921 		return -EOPNOTSUPP;
6922 
6923 	wdev_lock(wdev);
6924 	/* If not connected, get default parameters */
6925 	if (!wdev->mesh_id_len)
6926 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6927 	else
6928 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6929 	wdev_unlock(wdev);
6930 
6931 	if (err)
6932 		return err;
6933 
6934 	/* Draw up a netlink message to send back */
6935 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6936 	if (!msg)
6937 		return -ENOMEM;
6938 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6939 			     NL80211_CMD_GET_MESH_CONFIG);
6940 	if (!hdr)
6941 		goto out;
6942 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6943 	if (!pinfoattr)
6944 		goto nla_put_failure;
6945 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6946 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6947 			cur_params.dot11MeshRetryTimeout) ||
6948 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6949 			cur_params.dot11MeshConfirmTimeout) ||
6950 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6951 			cur_params.dot11MeshHoldingTimeout) ||
6952 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6953 			cur_params.dot11MeshMaxPeerLinks) ||
6954 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6955 		       cur_params.dot11MeshMaxRetries) ||
6956 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6957 		       cur_params.dot11MeshTTL) ||
6958 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6959 		       cur_params.element_ttl) ||
6960 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6961 		       cur_params.auto_open_plinks) ||
6962 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6963 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6964 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6965 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6966 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6967 			cur_params.path_refresh_time) ||
6968 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6969 			cur_params.min_discovery_timeout) ||
6970 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6971 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6972 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6973 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6974 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6975 			cur_params.dot11MeshHWMPperrMinInterval) ||
6976 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6977 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6978 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6979 		       cur_params.dot11MeshHWMPRootMode) ||
6980 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6981 			cur_params.dot11MeshHWMPRannInterval) ||
6982 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6983 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6984 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6985 		       cur_params.dot11MeshForwarding) ||
6986 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6987 			cur_params.rssi_threshold) ||
6988 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6989 			cur_params.ht_opmode) ||
6990 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6991 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6992 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6993 			cur_params.dot11MeshHWMProotInterval) ||
6994 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6995 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6996 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6997 			cur_params.power_mode) ||
6998 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6999 			cur_params.dot11MeshAwakeWindowDuration) ||
7000 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7001 			cur_params.plink_timeout) ||
7002 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7003 		       cur_params.dot11MeshConnectedToMeshGate) ||
7004 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7005 		       cur_params.dot11MeshNolearn) ||
7006 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7007 		       cur_params.dot11MeshConnectedToAuthServer))
7008 		goto nla_put_failure;
7009 	nla_nest_end(msg, pinfoattr);
7010 	genlmsg_end(msg, hdr);
7011 	return genlmsg_reply(msg, info);
7012 
7013  nla_put_failure:
7014  out:
7015 	nlmsg_free(msg);
7016 	return -ENOBUFS;
7017 }
7018 
7019 static const struct nla_policy
7020 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7021 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7022 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7023 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7024 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7025 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7026 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7027 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7028 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7029 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7030 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7031 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7032 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7033 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7034 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7035 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7036 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7037 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7038 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7039 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7040 		NLA_POLICY_MIN(NLA_U16, 1),
7041 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7042 		NLA_POLICY_MIN(NLA_U16, 1),
7043 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7044 		NLA_POLICY_MIN(NLA_U16, 1),
7045 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7046 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7047 		NLA_POLICY_MIN(NLA_U16, 1),
7048 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7049 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7050 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7051 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7052 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7053 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7054 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7055 		NLA_POLICY_MIN(NLA_U16, 1),
7056 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7057 		NLA_POLICY_MIN(NLA_U16, 1),
7058 	[NL80211_MESHCONF_POWER_MODE] =
7059 		NLA_POLICY_RANGE(NLA_U32,
7060 				 NL80211_MESH_POWER_ACTIVE,
7061 				 NL80211_MESH_POWER_MAX),
7062 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7063 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7064 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7065 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7066 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7067 };
7068 
7069 static const struct nla_policy
7070 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7071 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7072 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7073 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7074 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7075 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7076 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7077 	[NL80211_MESH_SETUP_IE] =
7078 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7079 				       IEEE80211_MAX_DATA_LEN),
7080 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7081 };
7082 
7083 static int nl80211_parse_mesh_config(struct genl_info *info,
7084 				     struct mesh_config *cfg,
7085 				     u32 *mask_out)
7086 {
7087 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7088 	u32 mask = 0;
7089 	u16 ht_opmode;
7090 
7091 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7092 do {									\
7093 	if (tb[attr]) {							\
7094 		cfg->param = fn(tb[attr]);				\
7095 		mask |= BIT((attr) - 1);				\
7096 	}								\
7097 } while (0)
7098 
7099 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7100 		return -EINVAL;
7101 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7102 		return -EINVAL;
7103 
7104 	/* This makes sure that there aren't more than 32 mesh config
7105 	 * parameters (otherwise our bitfield scheme would not work.) */
7106 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7107 
7108 	/* Fill in the params struct */
7109 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7110 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7111 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7112 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7113 				  nla_get_u16);
7114 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7115 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7116 				  nla_get_u16);
7117 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7118 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7119 				  nla_get_u16);
7120 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7121 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7122 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7123 				  NL80211_MESHCONF_TTL, nla_get_u8);
7124 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7125 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7126 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7127 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7128 				  nla_get_u8);
7129 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7130 				  mask,
7131 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7132 				  nla_get_u32);
7133 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7134 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7135 				  nla_get_u8);
7136 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7137 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7138 				  nla_get_u32);
7139 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7140 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7141 		return -EINVAL;
7142 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7143 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7144 				  nla_get_u16);
7145 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7146 				  mask,
7147 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7148 				  nla_get_u32);
7149 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7150 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7151 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7152 		return -EINVAL;
7153 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7154 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7155 				  nla_get_u16);
7156 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7157 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7158 				  nla_get_u16);
7159 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7160 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7161 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7162 				  nla_get_u16);
7163 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7164 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7165 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7166 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7167 				  nla_get_u16);
7168 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7169 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7170 				  nla_get_u8);
7171 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7172 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7173 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7174 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7175 				  nla_get_s32);
7176 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7177 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7178 				  nla_get_u8);
7179 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7180 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7181 				  nla_get_u8);
7182 	/*
7183 	 * Check HT operation mode based on
7184 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7185 	 */
7186 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7187 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7188 
7189 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7190 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7191 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7192 			return -EINVAL;
7193 
7194 		/* NON_HT_STA bit is reserved, but some programs set it */
7195 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7196 
7197 		cfg->ht_opmode = ht_opmode;
7198 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7199 	}
7200 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7201 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7202 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7203 				  nla_get_u32);
7204 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7205 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7206 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7207 		return -EINVAL;
7208 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7209 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7210 				  nla_get_u16);
7211 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7212 				  mask,
7213 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7214 				  nla_get_u16);
7215 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7216 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7217 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7218 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7219 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7220 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7221 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7222 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7223 	if (mask_out)
7224 		*mask_out = mask;
7225 
7226 	return 0;
7227 
7228 #undef FILL_IN_MESH_PARAM_IF_SET
7229 }
7230 
7231 static int nl80211_parse_mesh_setup(struct genl_info *info,
7232 				     struct mesh_setup *setup)
7233 {
7234 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7235 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7236 
7237 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7238 		return -EINVAL;
7239 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7240 		return -EINVAL;
7241 
7242 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7243 		setup->sync_method =
7244 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7245 		 IEEE80211_SYNC_METHOD_VENDOR :
7246 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7247 
7248 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7249 		setup->path_sel_proto =
7250 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7251 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7252 		 IEEE80211_PATH_PROTOCOL_HWMP;
7253 
7254 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7255 		setup->path_metric =
7256 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7257 		 IEEE80211_PATH_METRIC_VENDOR :
7258 		 IEEE80211_PATH_METRIC_AIRTIME;
7259 
7260 	if (tb[NL80211_MESH_SETUP_IE]) {
7261 		struct nlattr *ieattr =
7262 			tb[NL80211_MESH_SETUP_IE];
7263 		setup->ie = nla_data(ieattr);
7264 		setup->ie_len = nla_len(ieattr);
7265 	}
7266 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7267 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7268 		return -EINVAL;
7269 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7270 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7271 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7272 	if (setup->is_secure)
7273 		setup->user_mpm = true;
7274 
7275 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7276 		if (!setup->user_mpm)
7277 			return -EINVAL;
7278 		setup->auth_id =
7279 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7280 	}
7281 
7282 	return 0;
7283 }
7284 
7285 static int nl80211_update_mesh_config(struct sk_buff *skb,
7286 				      struct genl_info *info)
7287 {
7288 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7289 	struct net_device *dev = info->user_ptr[1];
7290 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7291 	struct mesh_config cfg;
7292 	u32 mask;
7293 	int err;
7294 
7295 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7296 		return -EOPNOTSUPP;
7297 
7298 	if (!rdev->ops->update_mesh_config)
7299 		return -EOPNOTSUPP;
7300 
7301 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7302 	if (err)
7303 		return err;
7304 
7305 	wdev_lock(wdev);
7306 	if (!wdev->mesh_id_len)
7307 		err = -ENOLINK;
7308 
7309 	if (!err)
7310 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7311 
7312 	wdev_unlock(wdev);
7313 
7314 	return err;
7315 }
7316 
7317 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7318 			      struct sk_buff *msg)
7319 {
7320 	struct nlattr *nl_reg_rules;
7321 	unsigned int i;
7322 
7323 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7324 	    (regdom->dfs_region &&
7325 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7326 		goto nla_put_failure;
7327 
7328 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7329 	if (!nl_reg_rules)
7330 		goto nla_put_failure;
7331 
7332 	for (i = 0; i < regdom->n_reg_rules; i++) {
7333 		struct nlattr *nl_reg_rule;
7334 		const struct ieee80211_reg_rule *reg_rule;
7335 		const struct ieee80211_freq_range *freq_range;
7336 		const struct ieee80211_power_rule *power_rule;
7337 		unsigned int max_bandwidth_khz;
7338 
7339 		reg_rule = &regdom->reg_rules[i];
7340 		freq_range = &reg_rule->freq_range;
7341 		power_rule = &reg_rule->power_rule;
7342 
7343 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7344 		if (!nl_reg_rule)
7345 			goto nla_put_failure;
7346 
7347 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7348 		if (!max_bandwidth_khz)
7349 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7350 								  reg_rule);
7351 
7352 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7353 				reg_rule->flags) ||
7354 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7355 				freq_range->start_freq_khz) ||
7356 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7357 				freq_range->end_freq_khz) ||
7358 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7359 				max_bandwidth_khz) ||
7360 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7361 				power_rule->max_antenna_gain) ||
7362 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7363 				power_rule->max_eirp) ||
7364 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7365 				reg_rule->dfs_cac_ms))
7366 			goto nla_put_failure;
7367 
7368 		nla_nest_end(msg, nl_reg_rule);
7369 	}
7370 
7371 	nla_nest_end(msg, nl_reg_rules);
7372 	return 0;
7373 
7374 nla_put_failure:
7375 	return -EMSGSIZE;
7376 }
7377 
7378 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7379 {
7380 	const struct ieee80211_regdomain *regdom = NULL;
7381 	struct cfg80211_registered_device *rdev;
7382 	struct wiphy *wiphy = NULL;
7383 	struct sk_buff *msg;
7384 	void *hdr;
7385 
7386 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7387 	if (!msg)
7388 		return -ENOBUFS;
7389 
7390 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7391 			     NL80211_CMD_GET_REG);
7392 	if (!hdr)
7393 		goto put_failure;
7394 
7395 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7396 		bool self_managed;
7397 
7398 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7399 		if (IS_ERR(rdev)) {
7400 			nlmsg_free(msg);
7401 			return PTR_ERR(rdev);
7402 		}
7403 
7404 		wiphy = &rdev->wiphy;
7405 		self_managed = wiphy->regulatory_flags &
7406 			       REGULATORY_WIPHY_SELF_MANAGED;
7407 		regdom = get_wiphy_regdom(wiphy);
7408 
7409 		/* a self-managed-reg device must have a private regdom */
7410 		if (WARN_ON(!regdom && self_managed)) {
7411 			nlmsg_free(msg);
7412 			return -EINVAL;
7413 		}
7414 
7415 		if (regdom &&
7416 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7417 			goto nla_put_failure;
7418 	}
7419 
7420 	if (!wiphy && reg_last_request_cell_base() &&
7421 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7422 			NL80211_USER_REG_HINT_CELL_BASE))
7423 		goto nla_put_failure;
7424 
7425 	rcu_read_lock();
7426 
7427 	if (!regdom)
7428 		regdom = rcu_dereference(cfg80211_regdomain);
7429 
7430 	if (nl80211_put_regdom(regdom, msg))
7431 		goto nla_put_failure_rcu;
7432 
7433 	rcu_read_unlock();
7434 
7435 	genlmsg_end(msg, hdr);
7436 	return genlmsg_reply(msg, info);
7437 
7438 nla_put_failure_rcu:
7439 	rcu_read_unlock();
7440 nla_put_failure:
7441 put_failure:
7442 	nlmsg_free(msg);
7443 	return -EMSGSIZE;
7444 }
7445 
7446 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7447 			       u32 seq, int flags, struct wiphy *wiphy,
7448 			       const struct ieee80211_regdomain *regdom)
7449 {
7450 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7451 				   NL80211_CMD_GET_REG);
7452 
7453 	if (!hdr)
7454 		return -1;
7455 
7456 	genl_dump_check_consistent(cb, hdr);
7457 
7458 	if (nl80211_put_regdom(regdom, msg))
7459 		goto nla_put_failure;
7460 
7461 	if (!wiphy && reg_last_request_cell_base() &&
7462 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7463 			NL80211_USER_REG_HINT_CELL_BASE))
7464 		goto nla_put_failure;
7465 
7466 	if (wiphy &&
7467 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7468 		goto nla_put_failure;
7469 
7470 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7471 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7472 		goto nla_put_failure;
7473 
7474 	genlmsg_end(msg, hdr);
7475 	return 0;
7476 
7477 nla_put_failure:
7478 	genlmsg_cancel(msg, hdr);
7479 	return -EMSGSIZE;
7480 }
7481 
7482 static int nl80211_get_reg_dump(struct sk_buff *skb,
7483 				struct netlink_callback *cb)
7484 {
7485 	const struct ieee80211_regdomain *regdom = NULL;
7486 	struct cfg80211_registered_device *rdev;
7487 	int err, reg_idx, start = cb->args[2];
7488 
7489 	rtnl_lock();
7490 
7491 	if (cfg80211_regdomain && start == 0) {
7492 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7493 					  NLM_F_MULTI, NULL,
7494 					  rtnl_dereference(cfg80211_regdomain));
7495 		if (err < 0)
7496 			goto out_err;
7497 	}
7498 
7499 	/* the global regdom is idx 0 */
7500 	reg_idx = 1;
7501 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7502 		regdom = get_wiphy_regdom(&rdev->wiphy);
7503 		if (!regdom)
7504 			continue;
7505 
7506 		if (++reg_idx <= start)
7507 			continue;
7508 
7509 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7510 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7511 		if (err < 0) {
7512 			reg_idx--;
7513 			break;
7514 		}
7515 	}
7516 
7517 	cb->args[2] = reg_idx;
7518 	err = skb->len;
7519 out_err:
7520 	rtnl_unlock();
7521 	return err;
7522 }
7523 
7524 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7525 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7526 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7527 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7528 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7529 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7530 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7531 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7532 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7533 };
7534 
7535 static int parse_reg_rule(struct nlattr *tb[],
7536 	struct ieee80211_reg_rule *reg_rule)
7537 {
7538 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7539 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7540 
7541 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7542 		return -EINVAL;
7543 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7544 		return -EINVAL;
7545 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7546 		return -EINVAL;
7547 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7548 		return -EINVAL;
7549 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7550 		return -EINVAL;
7551 
7552 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7553 
7554 	freq_range->start_freq_khz =
7555 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7556 	freq_range->end_freq_khz =
7557 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7558 	freq_range->max_bandwidth_khz =
7559 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7560 
7561 	power_rule->max_eirp =
7562 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7563 
7564 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7565 		power_rule->max_antenna_gain =
7566 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7567 
7568 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7569 		reg_rule->dfs_cac_ms =
7570 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7571 
7572 	return 0;
7573 }
7574 
7575 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7576 {
7577 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7578 	struct nlattr *nl_reg_rule;
7579 	char *alpha2;
7580 	int rem_reg_rules, r;
7581 	u32 num_rules = 0, rule_idx = 0;
7582 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7583 	struct ieee80211_regdomain *rd;
7584 
7585 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7586 		return -EINVAL;
7587 
7588 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7589 		return -EINVAL;
7590 
7591 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7592 
7593 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7594 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7595 
7596 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7597 			    rem_reg_rules) {
7598 		num_rules++;
7599 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7600 			return -EINVAL;
7601 	}
7602 
7603 	if (!reg_is_valid_request(alpha2))
7604 		return -EINVAL;
7605 
7606 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7607 	if (!rd)
7608 		return -ENOMEM;
7609 
7610 	rd->n_reg_rules = num_rules;
7611 	rd->alpha2[0] = alpha2[0];
7612 	rd->alpha2[1] = alpha2[1];
7613 
7614 	/*
7615 	 * Disable DFS master mode if the DFS region was
7616 	 * not supported or known on this kernel.
7617 	 */
7618 	if (reg_supported_dfs_region(dfs_region))
7619 		rd->dfs_region = dfs_region;
7620 
7621 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7622 			    rem_reg_rules) {
7623 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7624 						nl_reg_rule, reg_rule_policy,
7625 						info->extack);
7626 		if (r)
7627 			goto bad_reg;
7628 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7629 		if (r)
7630 			goto bad_reg;
7631 
7632 		rule_idx++;
7633 
7634 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7635 			r = -EINVAL;
7636 			goto bad_reg;
7637 		}
7638 	}
7639 
7640 	/* set_regdom takes ownership of rd */
7641 	return set_regdom(rd, REGD_SOURCE_CRDA);
7642  bad_reg:
7643 	kfree(rd);
7644 	return r;
7645 }
7646 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7647 
7648 static int validate_scan_freqs(struct nlattr *freqs)
7649 {
7650 	struct nlattr *attr1, *attr2;
7651 	int n_channels = 0, tmp1, tmp2;
7652 
7653 	nla_for_each_nested(attr1, freqs, tmp1)
7654 		if (nla_len(attr1) != sizeof(u32))
7655 			return 0;
7656 
7657 	nla_for_each_nested(attr1, freqs, tmp1) {
7658 		n_channels++;
7659 		/*
7660 		 * Some hardware has a limited channel list for
7661 		 * scanning, and it is pretty much nonsensical
7662 		 * to scan for a channel twice, so disallow that
7663 		 * and don't require drivers to check that the
7664 		 * channel list they get isn't longer than what
7665 		 * they can scan, as long as they can scan all
7666 		 * the channels they registered at once.
7667 		 */
7668 		nla_for_each_nested(attr2, freqs, tmp2)
7669 			if (attr1 != attr2 &&
7670 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7671 				return 0;
7672 	}
7673 
7674 	return n_channels;
7675 }
7676 
7677 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7678 {
7679 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7680 }
7681 
7682 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7683 			    struct cfg80211_bss_selection *bss_select)
7684 {
7685 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7686 	struct nlattr *nest;
7687 	int err;
7688 	bool found = false;
7689 	int i;
7690 
7691 	/* only process one nested attribute */
7692 	nest = nla_data(nla);
7693 	if (!nla_ok(nest, nla_len(nest)))
7694 		return -EINVAL;
7695 
7696 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7697 					  nest, nl80211_bss_select_policy,
7698 					  NULL);
7699 	if (err)
7700 		return err;
7701 
7702 	/* only one attribute may be given */
7703 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7704 		if (attr[i]) {
7705 			if (found)
7706 				return -EINVAL;
7707 			found = true;
7708 		}
7709 	}
7710 
7711 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7712 
7713 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7714 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7715 
7716 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7717 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7718 		bss_select->param.band_pref =
7719 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7720 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7721 			return -EINVAL;
7722 	}
7723 
7724 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7725 		struct nl80211_bss_select_rssi_adjust *adj_param;
7726 
7727 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7728 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7729 		bss_select->param.adjust.band = adj_param->band;
7730 		bss_select->param.adjust.delta = adj_param->delta;
7731 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7732 			return -EINVAL;
7733 	}
7734 
7735 	/* user-space did not provide behaviour attribute */
7736 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7737 		return -EINVAL;
7738 
7739 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7740 		return -EINVAL;
7741 
7742 	return 0;
7743 }
7744 
7745 int nl80211_parse_random_mac(struct nlattr **attrs,
7746 			     u8 *mac_addr, u8 *mac_addr_mask)
7747 {
7748 	int i;
7749 
7750 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7751 		eth_zero_addr(mac_addr);
7752 		eth_zero_addr(mac_addr_mask);
7753 		mac_addr[0] = 0x2;
7754 		mac_addr_mask[0] = 0x3;
7755 
7756 		return 0;
7757 	}
7758 
7759 	/* need both or none */
7760 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7761 		return -EINVAL;
7762 
7763 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7764 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7765 
7766 	/* don't allow or configure an mcast address */
7767 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7768 	    is_multicast_ether_addr(mac_addr))
7769 		return -EINVAL;
7770 
7771 	/*
7772 	 * allow users to pass a MAC address that has bits set outside
7773 	 * of the mask, but don't bother drivers with having to deal
7774 	 * with such bits
7775 	 */
7776 	for (i = 0; i < ETH_ALEN; i++)
7777 		mac_addr[i] &= mac_addr_mask[i];
7778 
7779 	return 0;
7780 }
7781 
7782 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7783 {
7784 	ASSERT_WDEV_LOCK(wdev);
7785 
7786 	if (!cfg80211_beaconing_iface_active(wdev))
7787 		return true;
7788 
7789 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7790 		return true;
7791 
7792 	return regulatory_pre_cac_allowed(wdev->wiphy);
7793 }
7794 
7795 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7796 				    enum nl80211_ext_feature_index feat)
7797 {
7798 	if (!(flags & flag))
7799 		return true;
7800 	if (wiphy_ext_feature_isset(wiphy, feat))
7801 		return true;
7802 	return false;
7803 }
7804 
7805 static int
7806 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7807 			 void *request, struct nlattr **attrs,
7808 			 bool is_sched_scan)
7809 {
7810 	u8 *mac_addr, *mac_addr_mask;
7811 	u32 *flags;
7812 	enum nl80211_feature_flags randomness_flag;
7813 
7814 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7815 		return 0;
7816 
7817 	if (is_sched_scan) {
7818 		struct cfg80211_sched_scan_request *req = request;
7819 
7820 		randomness_flag = wdev ?
7821 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7822 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7823 		flags = &req->flags;
7824 		mac_addr = req->mac_addr;
7825 		mac_addr_mask = req->mac_addr_mask;
7826 	} else {
7827 		struct cfg80211_scan_request *req = request;
7828 
7829 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7830 		flags = &req->flags;
7831 		mac_addr = req->mac_addr;
7832 		mac_addr_mask = req->mac_addr_mask;
7833 	}
7834 
7835 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7836 
7837 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7838 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7839 	    !nl80211_check_scan_feat(wiphy, *flags,
7840 				     NL80211_SCAN_FLAG_LOW_SPAN,
7841 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7842 	    !nl80211_check_scan_feat(wiphy, *flags,
7843 				     NL80211_SCAN_FLAG_LOW_POWER,
7844 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7845 	    !nl80211_check_scan_feat(wiphy, *flags,
7846 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7847 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7848 	    !nl80211_check_scan_feat(wiphy, *flags,
7849 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7850 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7851 	    !nl80211_check_scan_feat(wiphy, *flags,
7852 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7853 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7854 	    !nl80211_check_scan_feat(wiphy, *flags,
7855 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7856 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7857 	    !nl80211_check_scan_feat(wiphy, *flags,
7858 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7859 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7860 	    !nl80211_check_scan_feat(wiphy, *flags,
7861 				     NL80211_SCAN_FLAG_RANDOM_SN,
7862 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7863 	    !nl80211_check_scan_feat(wiphy, *flags,
7864 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7865 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7866 		return -EOPNOTSUPP;
7867 
7868 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7869 		int err;
7870 
7871 		if (!(wiphy->features & randomness_flag) ||
7872 		    (wdev && wdev->current_bss))
7873 			return -EOPNOTSUPP;
7874 
7875 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7876 		if (err)
7877 			return err;
7878 	}
7879 
7880 	return 0;
7881 }
7882 
7883 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7884 {
7885 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7886 	struct wireless_dev *wdev = info->user_ptr[1];
7887 	struct cfg80211_scan_request *request;
7888 	struct nlattr *scan_freqs = NULL;
7889 	bool scan_freqs_khz = false;
7890 	struct nlattr *attr;
7891 	struct wiphy *wiphy;
7892 	int err, tmp, n_ssids = 0, n_channels, i;
7893 	size_t ie_len;
7894 
7895 	wiphy = &rdev->wiphy;
7896 
7897 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7898 		return -EOPNOTSUPP;
7899 
7900 	if (!rdev->ops->scan)
7901 		return -EOPNOTSUPP;
7902 
7903 	if (rdev->scan_req || rdev->scan_msg)
7904 		return -EBUSY;
7905 
7906 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
7907 		if (!wiphy_ext_feature_isset(wiphy,
7908 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
7909 			return -EOPNOTSUPP;
7910 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
7911 		scan_freqs_khz = true;
7912 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
7913 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
7914 
7915 	if (scan_freqs) {
7916 		n_channels = validate_scan_freqs(scan_freqs);
7917 		if (!n_channels)
7918 			return -EINVAL;
7919 	} else {
7920 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7921 	}
7922 
7923 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7924 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7925 			n_ssids++;
7926 
7927 	if (n_ssids > wiphy->max_scan_ssids)
7928 		return -EINVAL;
7929 
7930 	if (info->attrs[NL80211_ATTR_IE])
7931 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7932 	else
7933 		ie_len = 0;
7934 
7935 	if (ie_len > wiphy->max_scan_ie_len)
7936 		return -EINVAL;
7937 
7938 	request = kzalloc(sizeof(*request)
7939 			+ sizeof(*request->ssids) * n_ssids
7940 			+ sizeof(*request->channels) * n_channels
7941 			+ ie_len, GFP_KERNEL);
7942 	if (!request)
7943 		return -ENOMEM;
7944 
7945 	if (n_ssids)
7946 		request->ssids = (void *)&request->channels[n_channels];
7947 	request->n_ssids = n_ssids;
7948 	if (ie_len) {
7949 		if (n_ssids)
7950 			request->ie = (void *)(request->ssids + n_ssids);
7951 		else
7952 			request->ie = (void *)(request->channels + n_channels);
7953 	}
7954 
7955 	i = 0;
7956 	if (scan_freqs) {
7957 		/* user specified, bail out if channel not found */
7958 		nla_for_each_nested(attr, scan_freqs, tmp) {
7959 			struct ieee80211_channel *chan;
7960 			int freq = nla_get_u32(attr);
7961 
7962 			if (!scan_freqs_khz)
7963 				freq = MHZ_TO_KHZ(freq);
7964 
7965 			chan = ieee80211_get_channel_khz(wiphy, freq);
7966 			if (!chan) {
7967 				err = -EINVAL;
7968 				goto out_free;
7969 			}
7970 
7971 			/* ignore disabled channels */
7972 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7973 				continue;
7974 
7975 			request->channels[i] = chan;
7976 			i++;
7977 		}
7978 	} else {
7979 		enum nl80211_band band;
7980 
7981 		/* all channels */
7982 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7983 			int j;
7984 
7985 			if (!wiphy->bands[band])
7986 				continue;
7987 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7988 				struct ieee80211_channel *chan;
7989 
7990 				chan = &wiphy->bands[band]->channels[j];
7991 
7992 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7993 					continue;
7994 
7995 				request->channels[i] = chan;
7996 				i++;
7997 			}
7998 		}
7999 	}
8000 
8001 	if (!i) {
8002 		err = -EINVAL;
8003 		goto out_free;
8004 	}
8005 
8006 	request->n_channels = i;
8007 
8008 	wdev_lock(wdev);
8009 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8010 		struct ieee80211_channel *chan;
8011 
8012 		if (request->n_channels != 1) {
8013 			wdev_unlock(wdev);
8014 			err = -EBUSY;
8015 			goto out_free;
8016 		}
8017 
8018 		chan = request->channels[0];
8019 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8020 			wdev_unlock(wdev);
8021 			err = -EBUSY;
8022 			goto out_free;
8023 		}
8024 	}
8025 	wdev_unlock(wdev);
8026 
8027 	i = 0;
8028 	if (n_ssids) {
8029 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8030 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8031 				err = -EINVAL;
8032 				goto out_free;
8033 			}
8034 			request->ssids[i].ssid_len = nla_len(attr);
8035 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8036 			i++;
8037 		}
8038 	}
8039 
8040 	if (info->attrs[NL80211_ATTR_IE]) {
8041 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8042 		memcpy((void *)request->ie,
8043 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8044 		       request->ie_len);
8045 	}
8046 
8047 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8048 		if (wiphy->bands[i])
8049 			request->rates[i] =
8050 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8051 
8052 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8053 		nla_for_each_nested(attr,
8054 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8055 				    tmp) {
8056 			enum nl80211_band band = nla_type(attr);
8057 
8058 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8059 				err = -EINVAL;
8060 				goto out_free;
8061 			}
8062 
8063 			if (!wiphy->bands[band])
8064 				continue;
8065 
8066 			err = ieee80211_get_ratemask(wiphy->bands[band],
8067 						     nla_data(attr),
8068 						     nla_len(attr),
8069 						     &request->rates[band]);
8070 			if (err)
8071 				goto out_free;
8072 		}
8073 	}
8074 
8075 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8076 		if (!wiphy_ext_feature_isset(wiphy,
8077 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
8078 			err = -EOPNOTSUPP;
8079 			goto out_free;
8080 		}
8081 
8082 		request->duration =
8083 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8084 		request->duration_mandatory =
8085 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8086 	}
8087 
8088 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8089 				       false);
8090 	if (err)
8091 		goto out_free;
8092 
8093 	request->no_cck =
8094 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8095 
8096 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8097 	 * BSSID to scan for. This was problematic because that same attribute
8098 	 * was already used for another purpose (local random MAC address). The
8099 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8100 	 * compatibility with older userspace components, also use the
8101 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8102 	 * the specific BSSID use case instead of the random MAC address
8103 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8104 	 */
8105 	if (info->attrs[NL80211_ATTR_BSSID])
8106 		memcpy(request->bssid,
8107 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8108 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8109 		 info->attrs[NL80211_ATTR_MAC])
8110 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8111 		       ETH_ALEN);
8112 	else
8113 		eth_broadcast_addr(request->bssid);
8114 
8115 	request->wdev = wdev;
8116 	request->wiphy = &rdev->wiphy;
8117 	request->scan_start = jiffies;
8118 
8119 	rdev->scan_req = request;
8120 	err = rdev_scan(rdev, request);
8121 
8122 	if (err)
8123 		goto out_free;
8124 
8125 	nl80211_send_scan_start(rdev, wdev);
8126 	if (wdev->netdev)
8127 		dev_hold(wdev->netdev);
8128 
8129 	return 0;
8130 
8131  out_free:
8132 	rdev->scan_req = NULL;
8133 	kfree(request);
8134 
8135 	return err;
8136 }
8137 
8138 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8139 {
8140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8141 	struct wireless_dev *wdev = info->user_ptr[1];
8142 
8143 	if (!rdev->ops->abort_scan)
8144 		return -EOPNOTSUPP;
8145 
8146 	if (rdev->scan_msg)
8147 		return 0;
8148 
8149 	if (!rdev->scan_req)
8150 		return -ENOENT;
8151 
8152 	rdev_abort_scan(rdev, wdev);
8153 	return 0;
8154 }
8155 
8156 static int
8157 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8158 			       struct cfg80211_sched_scan_request *request,
8159 			       struct nlattr **attrs)
8160 {
8161 	int tmp, err, i = 0;
8162 	struct nlattr *attr;
8163 
8164 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8165 		u32 interval;
8166 
8167 		/*
8168 		 * If scan plans are not specified,
8169 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8170 		 * case one scan plan will be set with the specified scan
8171 		 * interval and infinite number of iterations.
8172 		 */
8173 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8174 		if (!interval)
8175 			return -EINVAL;
8176 
8177 		request->scan_plans[0].interval =
8178 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8179 		if (!request->scan_plans[0].interval)
8180 			return -EINVAL;
8181 
8182 		if (request->scan_plans[0].interval >
8183 		    wiphy->max_sched_scan_plan_interval)
8184 			request->scan_plans[0].interval =
8185 				wiphy->max_sched_scan_plan_interval;
8186 
8187 		return 0;
8188 	}
8189 
8190 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8191 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8192 
8193 		if (WARN_ON(i >= n_plans))
8194 			return -EINVAL;
8195 
8196 		err = nla_parse_nested_deprecated(plan,
8197 						  NL80211_SCHED_SCAN_PLAN_MAX,
8198 						  attr, nl80211_plan_policy,
8199 						  NULL);
8200 		if (err)
8201 			return err;
8202 
8203 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8204 			return -EINVAL;
8205 
8206 		request->scan_plans[i].interval =
8207 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8208 		if (!request->scan_plans[i].interval ||
8209 		    request->scan_plans[i].interval >
8210 		    wiphy->max_sched_scan_plan_interval)
8211 			return -EINVAL;
8212 
8213 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8214 			request->scan_plans[i].iterations =
8215 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8216 			if (!request->scan_plans[i].iterations ||
8217 			    (request->scan_plans[i].iterations >
8218 			     wiphy->max_sched_scan_plan_iterations))
8219 				return -EINVAL;
8220 		} else if (i < n_plans - 1) {
8221 			/*
8222 			 * All scan plans but the last one must specify
8223 			 * a finite number of iterations
8224 			 */
8225 			return -EINVAL;
8226 		}
8227 
8228 		i++;
8229 	}
8230 
8231 	/*
8232 	 * The last scan plan must not specify the number of
8233 	 * iterations, it is supposed to run infinitely
8234 	 */
8235 	if (request->scan_plans[n_plans - 1].iterations)
8236 		return  -EINVAL;
8237 
8238 	return 0;
8239 }
8240 
8241 static int
8242 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8243 				       struct cfg80211_match_set *match_sets,
8244 				       struct nlattr *tb_band_rssi,
8245 				       s32 rssi_thold)
8246 {
8247 	struct nlattr *attr;
8248 	int i, tmp, ret = 0;
8249 
8250 	if (!wiphy_ext_feature_isset(wiphy,
8251 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8252 		if (tb_band_rssi)
8253 			ret = -EOPNOTSUPP;
8254 		else
8255 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8256 				match_sets->per_band_rssi_thold[i] =
8257 					NL80211_SCAN_RSSI_THOLD_OFF;
8258 		return ret;
8259 	}
8260 
8261 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8262 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8263 
8264 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8265 		enum nl80211_band band = nla_type(attr);
8266 
8267 		if (band < 0 || band >= NUM_NL80211_BANDS)
8268 			return -EINVAL;
8269 
8270 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8271 	}
8272 
8273 	return 0;
8274 }
8275 
8276 static struct cfg80211_sched_scan_request *
8277 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8278 			 struct nlattr **attrs, int max_match_sets)
8279 {
8280 	struct cfg80211_sched_scan_request *request;
8281 	struct nlattr *attr;
8282 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8283 	enum nl80211_band band;
8284 	size_t ie_len;
8285 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8286 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8287 
8288 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8289 		n_channels = validate_scan_freqs(
8290 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8291 		if (!n_channels)
8292 			return ERR_PTR(-EINVAL);
8293 	} else {
8294 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8295 	}
8296 
8297 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8298 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8299 				    tmp)
8300 			n_ssids++;
8301 
8302 	if (n_ssids > wiphy->max_sched_scan_ssids)
8303 		return ERR_PTR(-EINVAL);
8304 
8305 	/*
8306 	 * First, count the number of 'real' matchsets. Due to an issue with
8307 	 * the old implementation, matchsets containing only the RSSI attribute
8308 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8309 	 * RSSI for all matchsets, rather than their own matchset for reporting
8310 	 * all APs with a strong RSSI. This is needed to be compatible with
8311 	 * older userspace that treated a matchset with only the RSSI as the
8312 	 * global RSSI for all other matchsets - if there are other matchsets.
8313 	 */
8314 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8315 		nla_for_each_nested(attr,
8316 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8317 				    tmp) {
8318 			struct nlattr *rssi;
8319 
8320 			err = nla_parse_nested_deprecated(tb,
8321 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8322 							  attr,
8323 							  nl80211_match_policy,
8324 							  NULL);
8325 			if (err)
8326 				return ERR_PTR(err);
8327 
8328 			/* SSID and BSSID are mutually exclusive */
8329 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8330 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8331 				return ERR_PTR(-EINVAL);
8332 
8333 			/* add other standalone attributes here */
8334 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8335 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8336 				n_match_sets++;
8337 				continue;
8338 			}
8339 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8340 			if (rssi)
8341 				default_match_rssi = nla_get_s32(rssi);
8342 		}
8343 	}
8344 
8345 	/* However, if there's no other matchset, add the RSSI one */
8346 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8347 		n_match_sets = 1;
8348 
8349 	if (n_match_sets > max_match_sets)
8350 		return ERR_PTR(-EINVAL);
8351 
8352 	if (attrs[NL80211_ATTR_IE])
8353 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8354 	else
8355 		ie_len = 0;
8356 
8357 	if (ie_len > wiphy->max_sched_scan_ie_len)
8358 		return ERR_PTR(-EINVAL);
8359 
8360 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8361 		/*
8362 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8363 		 * each scan plan already specifies its own interval
8364 		 */
8365 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8366 			return ERR_PTR(-EINVAL);
8367 
8368 		nla_for_each_nested(attr,
8369 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8370 			n_plans++;
8371 	} else {
8372 		/*
8373 		 * The scan interval attribute is kept for backward
8374 		 * compatibility. If no scan plans are specified and sched scan
8375 		 * interval is specified, one scan plan will be set with this
8376 		 * scan interval and infinite number of iterations.
8377 		 */
8378 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8379 			return ERR_PTR(-EINVAL);
8380 
8381 		n_plans = 1;
8382 	}
8383 
8384 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8385 		return ERR_PTR(-EINVAL);
8386 
8387 	if (!wiphy_ext_feature_isset(
8388 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8389 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8390 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8391 		return ERR_PTR(-EINVAL);
8392 
8393 	request = kzalloc(sizeof(*request)
8394 			+ sizeof(*request->ssids) * n_ssids
8395 			+ sizeof(*request->match_sets) * n_match_sets
8396 			+ sizeof(*request->scan_plans) * n_plans
8397 			+ sizeof(*request->channels) * n_channels
8398 			+ ie_len, GFP_KERNEL);
8399 	if (!request)
8400 		return ERR_PTR(-ENOMEM);
8401 
8402 	if (n_ssids)
8403 		request->ssids = (void *)&request->channels[n_channels];
8404 	request->n_ssids = n_ssids;
8405 	if (ie_len) {
8406 		if (n_ssids)
8407 			request->ie = (void *)(request->ssids + n_ssids);
8408 		else
8409 			request->ie = (void *)(request->channels + n_channels);
8410 	}
8411 
8412 	if (n_match_sets) {
8413 		if (request->ie)
8414 			request->match_sets = (void *)(request->ie + ie_len);
8415 		else if (n_ssids)
8416 			request->match_sets =
8417 				(void *)(request->ssids + n_ssids);
8418 		else
8419 			request->match_sets =
8420 				(void *)(request->channels + n_channels);
8421 	}
8422 	request->n_match_sets = n_match_sets;
8423 
8424 	if (n_match_sets)
8425 		request->scan_plans = (void *)(request->match_sets +
8426 					       n_match_sets);
8427 	else if (request->ie)
8428 		request->scan_plans = (void *)(request->ie + ie_len);
8429 	else if (n_ssids)
8430 		request->scan_plans = (void *)(request->ssids + n_ssids);
8431 	else
8432 		request->scan_plans = (void *)(request->channels + n_channels);
8433 
8434 	request->n_scan_plans = n_plans;
8435 
8436 	i = 0;
8437 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8438 		/* user specified, bail out if channel not found */
8439 		nla_for_each_nested(attr,
8440 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8441 				    tmp) {
8442 			struct ieee80211_channel *chan;
8443 
8444 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8445 
8446 			if (!chan) {
8447 				err = -EINVAL;
8448 				goto out_free;
8449 			}
8450 
8451 			/* ignore disabled channels */
8452 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8453 				continue;
8454 
8455 			request->channels[i] = chan;
8456 			i++;
8457 		}
8458 	} else {
8459 		/* all channels */
8460 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8461 			int j;
8462 
8463 			if (!wiphy->bands[band])
8464 				continue;
8465 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8466 				struct ieee80211_channel *chan;
8467 
8468 				chan = &wiphy->bands[band]->channels[j];
8469 
8470 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8471 					continue;
8472 
8473 				request->channels[i] = chan;
8474 				i++;
8475 			}
8476 		}
8477 	}
8478 
8479 	if (!i) {
8480 		err = -EINVAL;
8481 		goto out_free;
8482 	}
8483 
8484 	request->n_channels = i;
8485 
8486 	i = 0;
8487 	if (n_ssids) {
8488 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8489 				    tmp) {
8490 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8491 				err = -EINVAL;
8492 				goto out_free;
8493 			}
8494 			request->ssids[i].ssid_len = nla_len(attr);
8495 			memcpy(request->ssids[i].ssid, nla_data(attr),
8496 			       nla_len(attr));
8497 			i++;
8498 		}
8499 	}
8500 
8501 	i = 0;
8502 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8503 		nla_for_each_nested(attr,
8504 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8505 				    tmp) {
8506 			struct nlattr *ssid, *bssid, *rssi;
8507 
8508 			err = nla_parse_nested_deprecated(tb,
8509 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8510 							  attr,
8511 							  nl80211_match_policy,
8512 							  NULL);
8513 			if (err)
8514 				goto out_free;
8515 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8516 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8517 
8518 			if (!ssid && !bssid) {
8519 				i++;
8520 				continue;
8521 			}
8522 
8523 			if (WARN_ON(i >= n_match_sets)) {
8524 				/* this indicates a programming error,
8525 				 * the loop above should have verified
8526 				 * things properly
8527 				 */
8528 				err = -EINVAL;
8529 				goto out_free;
8530 			}
8531 
8532 			if (ssid) {
8533 				memcpy(request->match_sets[i].ssid.ssid,
8534 				       nla_data(ssid), nla_len(ssid));
8535 				request->match_sets[i].ssid.ssid_len =
8536 					nla_len(ssid);
8537 			}
8538 			if (bssid)
8539 				memcpy(request->match_sets[i].bssid,
8540 				       nla_data(bssid), ETH_ALEN);
8541 
8542 			/* special attribute - old implementation w/a */
8543 			request->match_sets[i].rssi_thold = default_match_rssi;
8544 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8545 			if (rssi)
8546 				request->match_sets[i].rssi_thold =
8547 					nla_get_s32(rssi);
8548 
8549 			/* Parse per band RSSI attribute */
8550 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8551 				&request->match_sets[i],
8552 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8553 				request->match_sets[i].rssi_thold);
8554 			if (err)
8555 				goto out_free;
8556 
8557 			i++;
8558 		}
8559 
8560 		/* there was no other matchset, so the RSSI one is alone */
8561 		if (i == 0 && n_match_sets)
8562 			request->match_sets[0].rssi_thold = default_match_rssi;
8563 
8564 		request->min_rssi_thold = INT_MAX;
8565 		for (i = 0; i < n_match_sets; i++)
8566 			request->min_rssi_thold =
8567 				min(request->match_sets[i].rssi_thold,
8568 				    request->min_rssi_thold);
8569 	} else {
8570 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8571 	}
8572 
8573 	if (ie_len) {
8574 		request->ie_len = ie_len;
8575 		memcpy((void *)request->ie,
8576 		       nla_data(attrs[NL80211_ATTR_IE]),
8577 		       request->ie_len);
8578 	}
8579 
8580 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8581 	if (err)
8582 		goto out_free;
8583 
8584 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8585 		request->delay =
8586 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8587 
8588 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8589 		request->relative_rssi = nla_get_s8(
8590 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8591 		request->relative_rssi_set = true;
8592 	}
8593 
8594 	if (request->relative_rssi_set &&
8595 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8596 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8597 
8598 		rssi_adjust = nla_data(
8599 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8600 		request->rssi_adjust.band = rssi_adjust->band;
8601 		request->rssi_adjust.delta = rssi_adjust->delta;
8602 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8603 			err = -EINVAL;
8604 			goto out_free;
8605 		}
8606 	}
8607 
8608 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8609 	if (err)
8610 		goto out_free;
8611 
8612 	request->scan_start = jiffies;
8613 
8614 	return request;
8615 
8616 out_free:
8617 	kfree(request);
8618 	return ERR_PTR(err);
8619 }
8620 
8621 static int nl80211_start_sched_scan(struct sk_buff *skb,
8622 				    struct genl_info *info)
8623 {
8624 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8625 	struct net_device *dev = info->user_ptr[1];
8626 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8627 	struct cfg80211_sched_scan_request *sched_scan_req;
8628 	bool want_multi;
8629 	int err;
8630 
8631 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8632 		return -EOPNOTSUPP;
8633 
8634 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8635 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8636 	if (err)
8637 		return err;
8638 
8639 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8640 						  info->attrs,
8641 						  rdev->wiphy.max_match_sets);
8642 
8643 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8644 	if (err)
8645 		goto out_err;
8646 
8647 	/* leave request id zero for legacy request
8648 	 * or if driver does not support multi-scheduled scan
8649 	 */
8650 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8651 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8652 
8653 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8654 	if (err)
8655 		goto out_free;
8656 
8657 	sched_scan_req->dev = dev;
8658 	sched_scan_req->wiphy = &rdev->wiphy;
8659 
8660 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8661 		sched_scan_req->owner_nlportid = info->snd_portid;
8662 
8663 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8664 
8665 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8666 	return 0;
8667 
8668 out_free:
8669 	kfree(sched_scan_req);
8670 out_err:
8671 	return err;
8672 }
8673 
8674 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8675 				   struct genl_info *info)
8676 {
8677 	struct cfg80211_sched_scan_request *req;
8678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8679 	u64 cookie;
8680 
8681 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8682 		return -EOPNOTSUPP;
8683 
8684 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8685 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8686 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8687 	}
8688 
8689 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8690 				     struct cfg80211_sched_scan_request,
8691 				     list);
8692 	if (!req || req->reqid ||
8693 	    (req->owner_nlportid &&
8694 	     req->owner_nlportid != info->snd_portid))
8695 		return -ENOENT;
8696 
8697 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8698 }
8699 
8700 static int nl80211_start_radar_detection(struct sk_buff *skb,
8701 					 struct genl_info *info)
8702 {
8703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8704 	struct net_device *dev = info->user_ptr[1];
8705 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8706 	struct wiphy *wiphy = wdev->wiphy;
8707 	struct cfg80211_chan_def chandef;
8708 	enum nl80211_dfs_regions dfs_region;
8709 	unsigned int cac_time_ms;
8710 	int err;
8711 
8712 	dfs_region = reg_get_dfs_region(wiphy);
8713 	if (dfs_region == NL80211_DFS_UNSET)
8714 		return -EINVAL;
8715 
8716 	err = nl80211_parse_chandef(rdev, info, &chandef);
8717 	if (err)
8718 		return err;
8719 
8720 	if (netif_carrier_ok(dev))
8721 		return -EBUSY;
8722 
8723 	if (wdev->cac_started)
8724 		return -EBUSY;
8725 
8726 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8727 	if (err < 0)
8728 		return err;
8729 
8730 	if (err == 0)
8731 		return -EINVAL;
8732 
8733 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8734 		return -EINVAL;
8735 
8736 	/* CAC start is offloaded to HW and can't be started manually */
8737 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8738 		return -EOPNOTSUPP;
8739 
8740 	if (!rdev->ops->start_radar_detection)
8741 		return -EOPNOTSUPP;
8742 
8743 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8744 	if (WARN_ON(!cac_time_ms))
8745 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8746 
8747 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8748 	if (!err) {
8749 		wdev->chandef = chandef;
8750 		wdev->cac_started = true;
8751 		wdev->cac_start_time = jiffies;
8752 		wdev->cac_time_ms = cac_time_ms;
8753 	}
8754 	return err;
8755 }
8756 
8757 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8758 					  struct genl_info *info)
8759 {
8760 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8761 	struct net_device *dev = info->user_ptr[1];
8762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8763 	struct wiphy *wiphy = wdev->wiphy;
8764 	struct cfg80211_chan_def chandef;
8765 	enum nl80211_dfs_regions dfs_region;
8766 	int err;
8767 
8768 	dfs_region = reg_get_dfs_region(wiphy);
8769 	if (dfs_region == NL80211_DFS_UNSET) {
8770 		GENL_SET_ERR_MSG(info,
8771 				 "DFS Region is not set. Unexpected Radar indication");
8772 		return -EINVAL;
8773 	}
8774 
8775 	err = nl80211_parse_chandef(rdev, info, &chandef);
8776 	if (err) {
8777 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8778 		return err;
8779 	}
8780 
8781 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8782 	if (err < 0) {
8783 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8784 		return err;
8785 	}
8786 
8787 	if (err == 0) {
8788 		GENL_SET_ERR_MSG(info,
8789 				 "Unexpected Radar indication for chandef/iftype");
8790 		return -EINVAL;
8791 	}
8792 
8793 	/* Do not process this notification if radar is already detected
8794 	 * by kernel on this channel, and return success.
8795 	 */
8796 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8797 		return 0;
8798 
8799 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8800 
8801 	cfg80211_sched_dfs_chan_update(rdev);
8802 
8803 	rdev->radar_chandef = chandef;
8804 
8805 	/* Propagate this notification to other radios as well */
8806 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8807 
8808 	return 0;
8809 }
8810 
8811 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8812 {
8813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8814 	struct net_device *dev = info->user_ptr[1];
8815 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8816 	struct cfg80211_csa_settings params;
8817 	/* csa_attrs is defined static to avoid waste of stack size - this
8818 	 * function is called under RTNL lock, so this should not be a problem.
8819 	 */
8820 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8821 	int err;
8822 	bool need_new_beacon = false;
8823 	bool need_handle_dfs_flag = true;
8824 	int len, i;
8825 	u32 cs_count;
8826 
8827 	if (!rdev->ops->channel_switch ||
8828 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8829 		return -EOPNOTSUPP;
8830 
8831 	switch (dev->ieee80211_ptr->iftype) {
8832 	case NL80211_IFTYPE_AP:
8833 	case NL80211_IFTYPE_P2P_GO:
8834 		need_new_beacon = true;
8835 		/* For all modes except AP the handle_dfs flag needs to be
8836 		 * supplied to tell the kernel that userspace will handle radar
8837 		 * events when they happen. Otherwise a switch to a channel
8838 		 * requiring DFS will be rejected.
8839 		 */
8840 		need_handle_dfs_flag = false;
8841 
8842 		/* useless if AP is not running */
8843 		if (!wdev->beacon_interval)
8844 			return -ENOTCONN;
8845 		break;
8846 	case NL80211_IFTYPE_ADHOC:
8847 		if (!wdev->ssid_len)
8848 			return -ENOTCONN;
8849 		break;
8850 	case NL80211_IFTYPE_MESH_POINT:
8851 		if (!wdev->mesh_id_len)
8852 			return -ENOTCONN;
8853 		break;
8854 	default:
8855 		return -EOPNOTSUPP;
8856 	}
8857 
8858 	memset(&params, 0, sizeof(params));
8859 	params.beacon_csa.ftm_responder = -1;
8860 
8861 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8862 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8863 		return -EINVAL;
8864 
8865 	/* only important for AP, IBSS and mesh create IEs internally */
8866 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8867 		return -EINVAL;
8868 
8869 	/* Even though the attribute is u32, the specification says
8870 	 * u8, so let's make sure we don't overflow.
8871 	 */
8872 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8873 	if (cs_count > 255)
8874 		return -EINVAL;
8875 
8876 	params.count = cs_count;
8877 
8878 	if (!need_new_beacon)
8879 		goto skip_beacons;
8880 
8881 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8882 	if (err)
8883 		return err;
8884 
8885 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8886 					  info->attrs[NL80211_ATTR_CSA_IES],
8887 					  nl80211_policy, info->extack);
8888 	if (err)
8889 		return err;
8890 
8891 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8892 	if (err)
8893 		return err;
8894 
8895 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON])
8896 		return -EINVAL;
8897 
8898 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
8899 	if (!len || (len % sizeof(u16)))
8900 		return -EINVAL;
8901 
8902 	params.n_counter_offsets_beacon = len / sizeof(u16);
8903 	if (rdev->wiphy.max_num_csa_counters &&
8904 	    (params.n_counter_offsets_beacon >
8905 	     rdev->wiphy.max_num_csa_counters))
8906 		return -EINVAL;
8907 
8908 	params.counter_offsets_beacon =
8909 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
8910 
8911 	/* sanity checks - counters should fit and be the same */
8912 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8913 		u16 offset = params.counter_offsets_beacon[i];
8914 
8915 		if (offset >= params.beacon_csa.tail_len)
8916 			return -EINVAL;
8917 
8918 		if (params.beacon_csa.tail[offset] != params.count)
8919 			return -EINVAL;
8920 	}
8921 
8922 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
8923 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
8924 		if (!len || (len % sizeof(u16)))
8925 			return -EINVAL;
8926 
8927 		params.n_counter_offsets_presp = len / sizeof(u16);
8928 		if (rdev->wiphy.max_num_csa_counters &&
8929 		    (params.n_counter_offsets_presp >
8930 		     rdev->wiphy.max_num_csa_counters))
8931 			return -EINVAL;
8932 
8933 		params.counter_offsets_presp =
8934 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
8935 
8936 		/* sanity checks - counters should fit and be the same */
8937 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8938 			u16 offset = params.counter_offsets_presp[i];
8939 
8940 			if (offset >= params.beacon_csa.probe_resp_len)
8941 				return -EINVAL;
8942 
8943 			if (params.beacon_csa.probe_resp[offset] !=
8944 			    params.count)
8945 				return -EINVAL;
8946 		}
8947 	}
8948 
8949 skip_beacons:
8950 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8951 	if (err)
8952 		return err;
8953 
8954 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8955 					   wdev->iftype))
8956 		return -EINVAL;
8957 
8958 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8959 					    &params.chandef,
8960 					    wdev->iftype);
8961 	if (err < 0)
8962 		return err;
8963 
8964 	if (err > 0) {
8965 		params.radar_required = true;
8966 		if (need_handle_dfs_flag &&
8967 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8968 			return -EINVAL;
8969 		}
8970 	}
8971 
8972 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8973 		params.block_tx = true;
8974 
8975 	wdev_lock(wdev);
8976 	err = rdev_channel_switch(rdev, dev, &params);
8977 	wdev_unlock(wdev);
8978 
8979 	return err;
8980 }
8981 
8982 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8983 			    u32 seq, int flags,
8984 			    struct cfg80211_registered_device *rdev,
8985 			    struct wireless_dev *wdev,
8986 			    struct cfg80211_internal_bss *intbss)
8987 {
8988 	struct cfg80211_bss *res = &intbss->pub;
8989 	const struct cfg80211_bss_ies *ies;
8990 	void *hdr;
8991 	struct nlattr *bss;
8992 
8993 	ASSERT_WDEV_LOCK(wdev);
8994 
8995 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8996 			     NL80211_CMD_NEW_SCAN_RESULTS);
8997 	if (!hdr)
8998 		return -1;
8999 
9000 	genl_dump_check_consistent(cb, hdr);
9001 
9002 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9003 		goto nla_put_failure;
9004 	if (wdev->netdev &&
9005 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9006 		goto nla_put_failure;
9007 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9008 			      NL80211_ATTR_PAD))
9009 		goto nla_put_failure;
9010 
9011 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9012 	if (!bss)
9013 		goto nla_put_failure;
9014 	if ((!is_zero_ether_addr(res->bssid) &&
9015 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9016 		goto nla_put_failure;
9017 
9018 	rcu_read_lock();
9019 	/* indicate whether we have probe response data or not */
9020 	if (rcu_access_pointer(res->proberesp_ies) &&
9021 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9022 		goto fail_unlock_rcu;
9023 
9024 	/* this pointer prefers to be pointed to probe response data
9025 	 * but is always valid
9026 	 */
9027 	ies = rcu_dereference(res->ies);
9028 	if (ies) {
9029 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9030 				      NL80211_BSS_PAD))
9031 			goto fail_unlock_rcu;
9032 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9033 					ies->len, ies->data))
9034 			goto fail_unlock_rcu;
9035 	}
9036 
9037 	/* and this pointer is always (unless driver didn't know) beacon data */
9038 	ies = rcu_dereference(res->beacon_ies);
9039 	if (ies && ies->from_beacon) {
9040 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9041 				      NL80211_BSS_PAD))
9042 			goto fail_unlock_rcu;
9043 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9044 					ies->len, ies->data))
9045 			goto fail_unlock_rcu;
9046 	}
9047 	rcu_read_unlock();
9048 
9049 	if (res->beacon_interval &&
9050 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9051 		goto nla_put_failure;
9052 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9053 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9054 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9055 			res->channel->freq_offset) ||
9056 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9057 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9058 			jiffies_to_msecs(jiffies - intbss->ts)))
9059 		goto nla_put_failure;
9060 
9061 	if (intbss->parent_tsf &&
9062 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9063 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9064 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9065 		     intbss->parent_bssid)))
9066 		goto nla_put_failure;
9067 
9068 	if (intbss->ts_boottime &&
9069 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9070 			      intbss->ts_boottime, NL80211_BSS_PAD))
9071 		goto nla_put_failure;
9072 
9073 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9074 				intbss->pub.chain_signal,
9075 				NL80211_BSS_CHAIN_SIGNAL))
9076 		goto nla_put_failure;
9077 
9078 	switch (rdev->wiphy.signal_type) {
9079 	case CFG80211_SIGNAL_TYPE_MBM:
9080 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9081 			goto nla_put_failure;
9082 		break;
9083 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9084 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9085 			goto nla_put_failure;
9086 		break;
9087 	default:
9088 		break;
9089 	}
9090 
9091 	switch (wdev->iftype) {
9092 	case NL80211_IFTYPE_P2P_CLIENT:
9093 	case NL80211_IFTYPE_STATION:
9094 		if (intbss == wdev->current_bss &&
9095 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9096 				NL80211_BSS_STATUS_ASSOCIATED))
9097 			goto nla_put_failure;
9098 		break;
9099 	case NL80211_IFTYPE_ADHOC:
9100 		if (intbss == wdev->current_bss &&
9101 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9102 				NL80211_BSS_STATUS_IBSS_JOINED))
9103 			goto nla_put_failure;
9104 		break;
9105 	default:
9106 		break;
9107 	}
9108 
9109 	nla_nest_end(msg, bss);
9110 
9111 	genlmsg_end(msg, hdr);
9112 	return 0;
9113 
9114  fail_unlock_rcu:
9115 	rcu_read_unlock();
9116  nla_put_failure:
9117 	genlmsg_cancel(msg, hdr);
9118 	return -EMSGSIZE;
9119 }
9120 
9121 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9122 {
9123 	struct cfg80211_registered_device *rdev;
9124 	struct cfg80211_internal_bss *scan;
9125 	struct wireless_dev *wdev;
9126 	int start = cb->args[2], idx = 0;
9127 	int err;
9128 
9129 	rtnl_lock();
9130 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9131 	if (err) {
9132 		rtnl_unlock();
9133 		return err;
9134 	}
9135 
9136 	wdev_lock(wdev);
9137 	spin_lock_bh(&rdev->bss_lock);
9138 
9139 	/*
9140 	 * dump_scan will be called multiple times to break up the scan results
9141 	 * into multiple messages.  It is unlikely that any more bss-es will be
9142 	 * expired after the first call, so only call only call this on the
9143 	 * first dump_scan invocation.
9144 	 */
9145 	if (start == 0)
9146 		cfg80211_bss_expire(rdev);
9147 
9148 	cb->seq = rdev->bss_generation;
9149 
9150 	list_for_each_entry(scan, &rdev->bss_list, list) {
9151 		if (++idx <= start)
9152 			continue;
9153 		if (nl80211_send_bss(skb, cb,
9154 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9155 				rdev, wdev, scan) < 0) {
9156 			idx--;
9157 			break;
9158 		}
9159 	}
9160 
9161 	spin_unlock_bh(&rdev->bss_lock);
9162 	wdev_unlock(wdev);
9163 
9164 	cb->args[2] = idx;
9165 	rtnl_unlock();
9166 
9167 	return skb->len;
9168 }
9169 
9170 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9171 			       int flags, struct net_device *dev,
9172 			       bool allow_radio_stats,
9173 			       struct survey_info *survey)
9174 {
9175 	void *hdr;
9176 	struct nlattr *infoattr;
9177 
9178 	/* skip radio stats if userspace didn't request them */
9179 	if (!survey->channel && !allow_radio_stats)
9180 		return 0;
9181 
9182 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9183 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9184 	if (!hdr)
9185 		return -ENOMEM;
9186 
9187 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9188 		goto nla_put_failure;
9189 
9190 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9191 	if (!infoattr)
9192 		goto nla_put_failure;
9193 
9194 	if (survey->channel &&
9195 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9196 			survey->channel->center_freq))
9197 		goto nla_put_failure;
9198 
9199 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9200 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9201 		goto nla_put_failure;
9202 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9203 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9204 		goto nla_put_failure;
9205 	if ((survey->filled & SURVEY_INFO_TIME) &&
9206 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9207 			survey->time, NL80211_SURVEY_INFO_PAD))
9208 		goto nla_put_failure;
9209 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9210 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9211 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9212 		goto nla_put_failure;
9213 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9214 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9215 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9216 		goto nla_put_failure;
9217 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9218 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9219 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9220 		goto nla_put_failure;
9221 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9222 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9223 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9224 		goto nla_put_failure;
9225 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9226 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9227 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9228 		goto nla_put_failure;
9229 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9230 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9231 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9232 		goto nla_put_failure;
9233 
9234 	nla_nest_end(msg, infoattr);
9235 
9236 	genlmsg_end(msg, hdr);
9237 	return 0;
9238 
9239  nla_put_failure:
9240 	genlmsg_cancel(msg, hdr);
9241 	return -EMSGSIZE;
9242 }
9243 
9244 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9245 {
9246 	struct nlattr **attrbuf;
9247 	struct survey_info survey;
9248 	struct cfg80211_registered_device *rdev;
9249 	struct wireless_dev *wdev;
9250 	int survey_idx = cb->args[2];
9251 	int res;
9252 	bool radio_stats;
9253 
9254 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9255 	if (!attrbuf)
9256 		return -ENOMEM;
9257 
9258 	rtnl_lock();
9259 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9260 	if (res)
9261 		goto out_err;
9262 
9263 	/* prepare_wdev_dump parsed the attributes */
9264 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9265 
9266 	if (!wdev->netdev) {
9267 		res = -EINVAL;
9268 		goto out_err;
9269 	}
9270 
9271 	if (!rdev->ops->dump_survey) {
9272 		res = -EOPNOTSUPP;
9273 		goto out_err;
9274 	}
9275 
9276 	while (1) {
9277 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9278 		if (res == -ENOENT)
9279 			break;
9280 		if (res)
9281 			goto out_err;
9282 
9283 		/* don't send disabled channels, but do send non-channel data */
9284 		if (survey.channel &&
9285 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9286 			survey_idx++;
9287 			continue;
9288 		}
9289 
9290 		if (nl80211_send_survey(skb,
9291 				NETLINK_CB(cb->skb).portid,
9292 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9293 				wdev->netdev, radio_stats, &survey) < 0)
9294 			goto out;
9295 		survey_idx++;
9296 	}
9297 
9298  out:
9299 	cb->args[2] = survey_idx;
9300 	res = skb->len;
9301  out_err:
9302 	kfree(attrbuf);
9303 	rtnl_unlock();
9304 	return res;
9305 }
9306 
9307 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9308 {
9309 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9310 				  NL80211_WPA_VERSION_2 |
9311 				  NL80211_WPA_VERSION_3));
9312 }
9313 
9314 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9315 {
9316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9317 	struct net_device *dev = info->user_ptr[1];
9318 	struct ieee80211_channel *chan;
9319 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9320 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9321 	enum nl80211_auth_type auth_type;
9322 	struct key_parse key;
9323 	bool local_state_change;
9324 	u32 freq;
9325 
9326 	if (!info->attrs[NL80211_ATTR_MAC])
9327 		return -EINVAL;
9328 
9329 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9330 		return -EINVAL;
9331 
9332 	if (!info->attrs[NL80211_ATTR_SSID])
9333 		return -EINVAL;
9334 
9335 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9336 		return -EINVAL;
9337 
9338 	err = nl80211_parse_key(info, &key);
9339 	if (err)
9340 		return err;
9341 
9342 	if (key.idx >= 0) {
9343 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9344 			return -EINVAL;
9345 		if (!key.p.key || !key.p.key_len)
9346 			return -EINVAL;
9347 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9348 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9349 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9350 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9351 			return -EINVAL;
9352 		if (key.idx > 3)
9353 			return -EINVAL;
9354 	} else {
9355 		key.p.key_len = 0;
9356 		key.p.key = NULL;
9357 	}
9358 
9359 	if (key.idx >= 0) {
9360 		int i;
9361 		bool ok = false;
9362 
9363 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9364 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9365 				ok = true;
9366 				break;
9367 			}
9368 		}
9369 		if (!ok)
9370 			return -EINVAL;
9371 	}
9372 
9373 	if (!rdev->ops->auth)
9374 		return -EOPNOTSUPP;
9375 
9376 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9377 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9378 		return -EOPNOTSUPP;
9379 
9380 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9381 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9382 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9383 		freq +=
9384 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9385 
9386 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9387 	if (!chan)
9388 		return -EINVAL;
9389 
9390 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9391 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9392 
9393 	if (info->attrs[NL80211_ATTR_IE]) {
9394 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9395 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9396 	}
9397 
9398 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9399 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9400 		return -EINVAL;
9401 
9402 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9403 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9404 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9405 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9406 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9407 		return -EINVAL;
9408 
9409 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9410 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9411 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9412 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9413 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9414 			return -EINVAL;
9415 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9416 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9417 	}
9418 
9419 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9420 
9421 	/*
9422 	 * Since we no longer track auth state, ignore
9423 	 * requests to only change local state.
9424 	 */
9425 	if (local_state_change)
9426 		return 0;
9427 
9428 	wdev_lock(dev->ieee80211_ptr);
9429 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9430 				 ssid, ssid_len, ie, ie_len,
9431 				 key.p.key, key.p.key_len, key.idx,
9432 				 auth_data, auth_data_len);
9433 	wdev_unlock(dev->ieee80211_ptr);
9434 	return err;
9435 }
9436 
9437 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9438 				     struct genl_info *info)
9439 {
9440 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9441 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9442 		return -EINVAL;
9443 	}
9444 
9445 	if (!rdev->ops->tx_control_port ||
9446 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9447 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9448 		return -EOPNOTSUPP;
9449 
9450 	return 0;
9451 }
9452 
9453 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9454 				   struct genl_info *info,
9455 				   struct cfg80211_crypto_settings *settings,
9456 				   int cipher_limit)
9457 {
9458 	memset(settings, 0, sizeof(*settings));
9459 
9460 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9461 
9462 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9463 		u16 proto;
9464 
9465 		proto = nla_get_u16(
9466 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9467 		settings->control_port_ethertype = cpu_to_be16(proto);
9468 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9469 		    proto != ETH_P_PAE)
9470 			return -EINVAL;
9471 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9472 			settings->control_port_no_encrypt = true;
9473 	} else
9474 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9475 
9476 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9477 		int r = validate_pae_over_nl80211(rdev, info);
9478 
9479 		if (r < 0)
9480 			return r;
9481 
9482 		settings->control_port_over_nl80211 = true;
9483 
9484 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9485 			settings->control_port_no_preauth = true;
9486 	}
9487 
9488 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9489 		void *data;
9490 		int len, i;
9491 
9492 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9493 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9494 		settings->n_ciphers_pairwise = len / sizeof(u32);
9495 
9496 		if (len % sizeof(u32))
9497 			return -EINVAL;
9498 
9499 		if (settings->n_ciphers_pairwise > cipher_limit)
9500 			return -EINVAL;
9501 
9502 		memcpy(settings->ciphers_pairwise, data, len);
9503 
9504 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9505 			if (!cfg80211_supported_cipher_suite(
9506 					&rdev->wiphy,
9507 					settings->ciphers_pairwise[i]))
9508 				return -EINVAL;
9509 	}
9510 
9511 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9512 		settings->cipher_group =
9513 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9514 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9515 						     settings->cipher_group))
9516 			return -EINVAL;
9517 	}
9518 
9519 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9520 		settings->wpa_versions =
9521 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9522 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9523 			return -EINVAL;
9524 	}
9525 
9526 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9527 		void *data;
9528 		int len;
9529 
9530 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9531 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9532 		settings->n_akm_suites = len / sizeof(u32);
9533 
9534 		if (len % sizeof(u32))
9535 			return -EINVAL;
9536 
9537 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9538 			return -EINVAL;
9539 
9540 		memcpy(settings->akm_suites, data, len);
9541 	}
9542 
9543 	if (info->attrs[NL80211_ATTR_PMK]) {
9544 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9545 			return -EINVAL;
9546 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9547 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
9548 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9549 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
9550 			return -EINVAL;
9551 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9552 	}
9553 
9554 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9555 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9556 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
9557 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9558 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
9559 			return -EINVAL;
9560 		settings->sae_pwd =
9561 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9562 		settings->sae_pwd_len =
9563 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9564 	}
9565 
9566 	return 0;
9567 }
9568 
9569 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9570 {
9571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9572 	struct net_device *dev = info->user_ptr[1];
9573 	struct ieee80211_channel *chan;
9574 	struct cfg80211_assoc_request req = {};
9575 	const u8 *bssid, *ssid;
9576 	int err, ssid_len = 0;
9577 	u32 freq;
9578 
9579 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9580 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9581 		return -EPERM;
9582 
9583 	if (!info->attrs[NL80211_ATTR_MAC] ||
9584 	    !info->attrs[NL80211_ATTR_SSID] ||
9585 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9586 		return -EINVAL;
9587 
9588 	if (!rdev->ops->assoc)
9589 		return -EOPNOTSUPP;
9590 
9591 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9592 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9593 		return -EOPNOTSUPP;
9594 
9595 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9596 
9597 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9598 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9599 		freq +=
9600 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9601 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9602 	if (!chan)
9603 		return -EINVAL;
9604 
9605 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9606 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9607 
9608 	if (info->attrs[NL80211_ATTR_IE]) {
9609 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9610 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9611 	}
9612 
9613 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9614 		enum nl80211_mfp mfp =
9615 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9616 		if (mfp == NL80211_MFP_REQUIRED)
9617 			req.use_mfp = true;
9618 		else if (mfp != NL80211_MFP_NO)
9619 			return -EINVAL;
9620 	}
9621 
9622 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9623 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9624 
9625 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9626 		req.flags |= ASSOC_REQ_DISABLE_HT;
9627 
9628 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9629 		memcpy(&req.ht_capa_mask,
9630 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9631 		       sizeof(req.ht_capa_mask));
9632 
9633 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9634 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9635 			return -EINVAL;
9636 		memcpy(&req.ht_capa,
9637 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9638 		       sizeof(req.ht_capa));
9639 	}
9640 
9641 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9642 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9643 
9644 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9645 		memcpy(&req.vht_capa_mask,
9646 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9647 		       sizeof(req.vht_capa_mask));
9648 
9649 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9650 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9651 			return -EINVAL;
9652 		memcpy(&req.vht_capa,
9653 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9654 		       sizeof(req.vht_capa));
9655 	}
9656 
9657 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9658 		if (!((rdev->wiphy.features &
9659 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9660 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9661 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9662 					     NL80211_EXT_FEATURE_RRM))
9663 			return -EINVAL;
9664 		req.flags |= ASSOC_REQ_USE_RRM;
9665 	}
9666 
9667 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9668 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9669 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9670 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9671 			return -EINVAL;
9672 		req.fils_nonces =
9673 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9674 	}
9675 
9676 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9677 	if (!err) {
9678 		wdev_lock(dev->ieee80211_ptr);
9679 
9680 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9681 					  ssid, ssid_len, &req);
9682 
9683 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9684 			dev->ieee80211_ptr->conn_owner_nlportid =
9685 				info->snd_portid;
9686 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9687 			       bssid, ETH_ALEN);
9688 		}
9689 
9690 		wdev_unlock(dev->ieee80211_ptr);
9691 	}
9692 
9693 	return err;
9694 }
9695 
9696 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9697 {
9698 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9699 	struct net_device *dev = info->user_ptr[1];
9700 	const u8 *ie = NULL, *bssid;
9701 	int ie_len = 0, err;
9702 	u16 reason_code;
9703 	bool local_state_change;
9704 
9705 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9706 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9707 		return -EPERM;
9708 
9709 	if (!info->attrs[NL80211_ATTR_MAC])
9710 		return -EINVAL;
9711 
9712 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9713 		return -EINVAL;
9714 
9715 	if (!rdev->ops->deauth)
9716 		return -EOPNOTSUPP;
9717 
9718 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9719 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9720 		return -EOPNOTSUPP;
9721 
9722 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9723 
9724 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9725 	if (reason_code == 0) {
9726 		/* Reason Code 0 is reserved */
9727 		return -EINVAL;
9728 	}
9729 
9730 	if (info->attrs[NL80211_ATTR_IE]) {
9731 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9732 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9733 	}
9734 
9735 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9736 
9737 	wdev_lock(dev->ieee80211_ptr);
9738 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9739 				   local_state_change);
9740 	wdev_unlock(dev->ieee80211_ptr);
9741 	return err;
9742 }
9743 
9744 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9745 {
9746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9747 	struct net_device *dev = info->user_ptr[1];
9748 	const u8 *ie = NULL, *bssid;
9749 	int ie_len = 0, err;
9750 	u16 reason_code;
9751 	bool local_state_change;
9752 
9753 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9754 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9755 		return -EPERM;
9756 
9757 	if (!info->attrs[NL80211_ATTR_MAC])
9758 		return -EINVAL;
9759 
9760 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9761 		return -EINVAL;
9762 
9763 	if (!rdev->ops->disassoc)
9764 		return -EOPNOTSUPP;
9765 
9766 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9767 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9768 		return -EOPNOTSUPP;
9769 
9770 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9771 
9772 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9773 	if (reason_code == 0) {
9774 		/* Reason Code 0 is reserved */
9775 		return -EINVAL;
9776 	}
9777 
9778 	if (info->attrs[NL80211_ATTR_IE]) {
9779 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9780 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9781 	}
9782 
9783 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9784 
9785 	wdev_lock(dev->ieee80211_ptr);
9786 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9787 				     local_state_change);
9788 	wdev_unlock(dev->ieee80211_ptr);
9789 	return err;
9790 }
9791 
9792 static bool
9793 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9794 			 int mcast_rate[NUM_NL80211_BANDS],
9795 			 int rateval)
9796 {
9797 	struct wiphy *wiphy = &rdev->wiphy;
9798 	bool found = false;
9799 	int band, i;
9800 
9801 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9802 		struct ieee80211_supported_band *sband;
9803 
9804 		sband = wiphy->bands[band];
9805 		if (!sband)
9806 			continue;
9807 
9808 		for (i = 0; i < sband->n_bitrates; i++) {
9809 			if (sband->bitrates[i].bitrate == rateval) {
9810 				mcast_rate[band] = i + 1;
9811 				found = true;
9812 				break;
9813 			}
9814 		}
9815 	}
9816 
9817 	return found;
9818 }
9819 
9820 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9821 {
9822 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9823 	struct net_device *dev = info->user_ptr[1];
9824 	struct cfg80211_ibss_params ibss;
9825 	struct wiphy *wiphy;
9826 	struct cfg80211_cached_keys *connkeys = NULL;
9827 	int err;
9828 
9829 	memset(&ibss, 0, sizeof(ibss));
9830 
9831 	if (!info->attrs[NL80211_ATTR_SSID] ||
9832 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9833 		return -EINVAL;
9834 
9835 	ibss.beacon_interval = 100;
9836 
9837 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9838 		ibss.beacon_interval =
9839 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9840 
9841 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9842 					   ibss.beacon_interval);
9843 	if (err)
9844 		return err;
9845 
9846 	if (!rdev->ops->join_ibss)
9847 		return -EOPNOTSUPP;
9848 
9849 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9850 		return -EOPNOTSUPP;
9851 
9852 	wiphy = &rdev->wiphy;
9853 
9854 	if (info->attrs[NL80211_ATTR_MAC]) {
9855 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9856 
9857 		if (!is_valid_ether_addr(ibss.bssid))
9858 			return -EINVAL;
9859 	}
9860 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9861 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9862 
9863 	if (info->attrs[NL80211_ATTR_IE]) {
9864 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9865 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9866 	}
9867 
9868 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9869 	if (err)
9870 		return err;
9871 
9872 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9873 				     NL80211_IFTYPE_ADHOC))
9874 		return -EINVAL;
9875 
9876 	switch (ibss.chandef.width) {
9877 	case NL80211_CHAN_WIDTH_5:
9878 	case NL80211_CHAN_WIDTH_10:
9879 	case NL80211_CHAN_WIDTH_20_NOHT:
9880 		break;
9881 	case NL80211_CHAN_WIDTH_20:
9882 	case NL80211_CHAN_WIDTH_40:
9883 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9884 			return -EINVAL;
9885 		break;
9886 	case NL80211_CHAN_WIDTH_80:
9887 	case NL80211_CHAN_WIDTH_80P80:
9888 	case NL80211_CHAN_WIDTH_160:
9889 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9890 			return -EINVAL;
9891 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9892 					     NL80211_EXT_FEATURE_VHT_IBSS))
9893 			return -EINVAL;
9894 		break;
9895 	default:
9896 		return -EINVAL;
9897 	}
9898 
9899 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9900 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9901 
9902 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9903 		u8 *rates =
9904 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9905 		int n_rates =
9906 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9907 		struct ieee80211_supported_band *sband =
9908 			wiphy->bands[ibss.chandef.chan->band];
9909 
9910 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9911 					     &ibss.basic_rates);
9912 		if (err)
9913 			return err;
9914 	}
9915 
9916 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9917 		memcpy(&ibss.ht_capa_mask,
9918 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9919 		       sizeof(ibss.ht_capa_mask));
9920 
9921 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9922 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9923 			return -EINVAL;
9924 		memcpy(&ibss.ht_capa,
9925 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9926 		       sizeof(ibss.ht_capa));
9927 	}
9928 
9929 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9930 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9931 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9932 		return -EINVAL;
9933 
9934 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9935 		bool no_ht = false;
9936 
9937 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9938 		if (IS_ERR(connkeys))
9939 			return PTR_ERR(connkeys);
9940 
9941 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9942 		    no_ht) {
9943 			kfree_sensitive(connkeys);
9944 			return -EINVAL;
9945 		}
9946 	}
9947 
9948 	ibss.control_port =
9949 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9950 
9951 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9952 		int r = validate_pae_over_nl80211(rdev, info);
9953 
9954 		if (r < 0) {
9955 			kfree_sensitive(connkeys);
9956 			return r;
9957 		}
9958 
9959 		ibss.control_port_over_nl80211 = true;
9960 	}
9961 
9962 	ibss.userspace_handles_dfs =
9963 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9964 
9965 	wdev_lock(dev->ieee80211_ptr);
9966 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9967 	if (err)
9968 		kfree_sensitive(connkeys);
9969 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9970 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9971 	wdev_unlock(dev->ieee80211_ptr);
9972 
9973 	return err;
9974 }
9975 
9976 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9977 {
9978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9979 	struct net_device *dev = info->user_ptr[1];
9980 
9981 	if (!rdev->ops->leave_ibss)
9982 		return -EOPNOTSUPP;
9983 
9984 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9985 		return -EOPNOTSUPP;
9986 
9987 	return cfg80211_leave_ibss(rdev, dev, false);
9988 }
9989 
9990 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9991 {
9992 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9993 	struct net_device *dev = info->user_ptr[1];
9994 	int mcast_rate[NUM_NL80211_BANDS];
9995 	u32 nla_rate;
9996 	int err;
9997 
9998 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9999 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10000 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10001 		return -EOPNOTSUPP;
10002 
10003 	if (!rdev->ops->set_mcast_rate)
10004 		return -EOPNOTSUPP;
10005 
10006 	memset(mcast_rate, 0, sizeof(mcast_rate));
10007 
10008 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10009 		return -EINVAL;
10010 
10011 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10012 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10013 		return -EINVAL;
10014 
10015 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10016 
10017 	return err;
10018 }
10019 
10020 static struct sk_buff *
10021 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10022 			    struct wireless_dev *wdev, int approxlen,
10023 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10024 			    enum nl80211_attrs attr,
10025 			    const struct nl80211_vendor_cmd_info *info,
10026 			    gfp_t gfp)
10027 {
10028 	struct sk_buff *skb;
10029 	void *hdr;
10030 	struct nlattr *data;
10031 
10032 	skb = nlmsg_new(approxlen + 100, gfp);
10033 	if (!skb)
10034 		return NULL;
10035 
10036 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10037 	if (!hdr) {
10038 		kfree_skb(skb);
10039 		return NULL;
10040 	}
10041 
10042 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10043 		goto nla_put_failure;
10044 
10045 	if (info) {
10046 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10047 				info->vendor_id))
10048 			goto nla_put_failure;
10049 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10050 				info->subcmd))
10051 			goto nla_put_failure;
10052 	}
10053 
10054 	if (wdev) {
10055 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10056 				      wdev_id(wdev), NL80211_ATTR_PAD))
10057 			goto nla_put_failure;
10058 		if (wdev->netdev &&
10059 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10060 				wdev->netdev->ifindex))
10061 			goto nla_put_failure;
10062 	}
10063 
10064 	data = nla_nest_start_noflag(skb, attr);
10065 	if (!data)
10066 		goto nla_put_failure;
10067 
10068 	((void **)skb->cb)[0] = rdev;
10069 	((void **)skb->cb)[1] = hdr;
10070 	((void **)skb->cb)[2] = data;
10071 
10072 	return skb;
10073 
10074  nla_put_failure:
10075 	kfree_skb(skb);
10076 	return NULL;
10077 }
10078 
10079 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10080 					   struct wireless_dev *wdev,
10081 					   enum nl80211_commands cmd,
10082 					   enum nl80211_attrs attr,
10083 					   unsigned int portid,
10084 					   int vendor_event_idx,
10085 					   int approxlen, gfp_t gfp)
10086 {
10087 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10088 	const struct nl80211_vendor_cmd_info *info;
10089 
10090 	switch (cmd) {
10091 	case NL80211_CMD_TESTMODE:
10092 		if (WARN_ON(vendor_event_idx != -1))
10093 			return NULL;
10094 		info = NULL;
10095 		break;
10096 	case NL80211_CMD_VENDOR:
10097 		if (WARN_ON(vendor_event_idx < 0 ||
10098 			    vendor_event_idx >= wiphy->n_vendor_events))
10099 			return NULL;
10100 		info = &wiphy->vendor_events[vendor_event_idx];
10101 		break;
10102 	default:
10103 		WARN_ON(1);
10104 		return NULL;
10105 	}
10106 
10107 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10108 					   cmd, attr, info, gfp);
10109 }
10110 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10111 
10112 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10113 {
10114 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10115 	void *hdr = ((void **)skb->cb)[1];
10116 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10117 	struct nlattr *data = ((void **)skb->cb)[2];
10118 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10119 
10120 	/* clear CB data for netlink core to own from now on */
10121 	memset(skb->cb, 0, sizeof(skb->cb));
10122 
10123 	nla_nest_end(skb, data);
10124 	genlmsg_end(skb, hdr);
10125 
10126 	if (nlhdr->nlmsg_pid) {
10127 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10128 				nlhdr->nlmsg_pid);
10129 	} else {
10130 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10131 			mcgrp = NL80211_MCGRP_VENDOR;
10132 
10133 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10134 					skb, 0, mcgrp, gfp);
10135 	}
10136 }
10137 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10138 
10139 #ifdef CONFIG_NL80211_TESTMODE
10140 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10141 {
10142 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10143 	struct wireless_dev *wdev =
10144 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
10145 	int err;
10146 
10147 	if (!rdev->ops->testmode_cmd)
10148 		return -EOPNOTSUPP;
10149 
10150 	if (IS_ERR(wdev)) {
10151 		err = PTR_ERR(wdev);
10152 		if (err != -EINVAL)
10153 			return err;
10154 		wdev = NULL;
10155 	} else if (wdev->wiphy != &rdev->wiphy) {
10156 		return -EINVAL;
10157 	}
10158 
10159 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10160 		return -EINVAL;
10161 
10162 	rdev->cur_cmd_info = info;
10163 	err = rdev_testmode_cmd(rdev, wdev,
10164 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10165 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10166 	rdev->cur_cmd_info = NULL;
10167 
10168 	return err;
10169 }
10170 
10171 static int nl80211_testmode_dump(struct sk_buff *skb,
10172 				 struct netlink_callback *cb)
10173 {
10174 	struct cfg80211_registered_device *rdev;
10175 	struct nlattr **attrbuf = NULL;
10176 	int err;
10177 	long phy_idx;
10178 	void *data = NULL;
10179 	int data_len = 0;
10180 
10181 	rtnl_lock();
10182 
10183 	if (cb->args[0]) {
10184 		/*
10185 		 * 0 is a valid index, but not valid for args[0],
10186 		 * so we need to offset by 1.
10187 		 */
10188 		phy_idx = cb->args[0] - 1;
10189 
10190 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10191 		if (!rdev) {
10192 			err = -ENOENT;
10193 			goto out_err;
10194 		}
10195 	} else {
10196 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10197 				  GFP_KERNEL);
10198 		if (!attrbuf) {
10199 			err = -ENOMEM;
10200 			goto out_err;
10201 		}
10202 
10203 		err = nlmsg_parse_deprecated(cb->nlh,
10204 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10205 					     attrbuf, nl80211_fam.maxattr,
10206 					     nl80211_policy, NULL);
10207 		if (err)
10208 			goto out_err;
10209 
10210 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10211 		if (IS_ERR(rdev)) {
10212 			err = PTR_ERR(rdev);
10213 			goto out_err;
10214 		}
10215 		phy_idx = rdev->wiphy_idx;
10216 
10217 		if (attrbuf[NL80211_ATTR_TESTDATA])
10218 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10219 	}
10220 
10221 	if (cb->args[1]) {
10222 		data = nla_data((void *)cb->args[1]);
10223 		data_len = nla_len((void *)cb->args[1]);
10224 	}
10225 
10226 	if (!rdev->ops->testmode_dump) {
10227 		err = -EOPNOTSUPP;
10228 		goto out_err;
10229 	}
10230 
10231 	while (1) {
10232 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10233 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10234 					   NL80211_CMD_TESTMODE);
10235 		struct nlattr *tmdata;
10236 
10237 		if (!hdr)
10238 			break;
10239 
10240 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10241 			genlmsg_cancel(skb, hdr);
10242 			break;
10243 		}
10244 
10245 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10246 		if (!tmdata) {
10247 			genlmsg_cancel(skb, hdr);
10248 			break;
10249 		}
10250 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10251 		nla_nest_end(skb, tmdata);
10252 
10253 		if (err == -ENOBUFS || err == -ENOENT) {
10254 			genlmsg_cancel(skb, hdr);
10255 			break;
10256 		} else if (err) {
10257 			genlmsg_cancel(skb, hdr);
10258 			goto out_err;
10259 		}
10260 
10261 		genlmsg_end(skb, hdr);
10262 	}
10263 
10264 	err = skb->len;
10265 	/* see above */
10266 	cb->args[0] = phy_idx + 1;
10267  out_err:
10268 	kfree(attrbuf);
10269 	rtnl_unlock();
10270 	return err;
10271 }
10272 #endif
10273 
10274 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10275 {
10276 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10277 	struct net_device *dev = info->user_ptr[1];
10278 	struct cfg80211_connect_params connect;
10279 	struct wiphy *wiphy;
10280 	struct cfg80211_cached_keys *connkeys = NULL;
10281 	u32 freq = 0;
10282 	int err;
10283 
10284 	memset(&connect, 0, sizeof(connect));
10285 
10286 	if (!info->attrs[NL80211_ATTR_SSID] ||
10287 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10288 		return -EINVAL;
10289 
10290 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10291 		connect.auth_type =
10292 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10293 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10294 					     NL80211_CMD_CONNECT))
10295 			return -EINVAL;
10296 	} else
10297 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10298 
10299 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10300 
10301 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10302 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10303 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10304 		return -EINVAL;
10305 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10306 
10307 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10308 				      NL80211_MAX_NR_CIPHER_SUITES);
10309 	if (err)
10310 		return err;
10311 
10312 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10313 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10314 		return -EOPNOTSUPP;
10315 
10316 	wiphy = &rdev->wiphy;
10317 
10318 	connect.bg_scan_period = -1;
10319 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10320 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10321 		connect.bg_scan_period =
10322 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10323 	}
10324 
10325 	if (info->attrs[NL80211_ATTR_MAC])
10326 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10327 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10328 		connect.bssid_hint =
10329 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10330 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10331 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10332 
10333 	if (info->attrs[NL80211_ATTR_IE]) {
10334 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10335 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10336 	}
10337 
10338 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10339 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10340 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10341 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10342 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10343 			return -EOPNOTSUPP;
10344 	} else {
10345 		connect.mfp = NL80211_MFP_NO;
10346 	}
10347 
10348 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10349 		connect.prev_bssid =
10350 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10351 
10352 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10353 		freq = MHZ_TO_KHZ(nla_get_u32(
10354 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10355 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10356 		freq +=
10357 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10358 
10359 	if (freq) {
10360 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10361 		if (!connect.channel)
10362 			return -EINVAL;
10363 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10364 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10365 		freq = MHZ_TO_KHZ(freq);
10366 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10367 		if (!connect.channel_hint)
10368 			return -EINVAL;
10369 	}
10370 
10371 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10372 		connect.edmg.channels =
10373 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10374 
10375 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10376 			connect.edmg.bw_config =
10377 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10378 	}
10379 
10380 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10381 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10382 		if (IS_ERR(connkeys))
10383 			return PTR_ERR(connkeys);
10384 	}
10385 
10386 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10387 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10388 
10389 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10390 		memcpy(&connect.ht_capa_mask,
10391 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10392 		       sizeof(connect.ht_capa_mask));
10393 
10394 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10395 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10396 			kfree_sensitive(connkeys);
10397 			return -EINVAL;
10398 		}
10399 		memcpy(&connect.ht_capa,
10400 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10401 		       sizeof(connect.ht_capa));
10402 	}
10403 
10404 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10405 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10406 
10407 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10408 		memcpy(&connect.vht_capa_mask,
10409 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10410 		       sizeof(connect.vht_capa_mask));
10411 
10412 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10413 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10414 			kfree_sensitive(connkeys);
10415 			return -EINVAL;
10416 		}
10417 		memcpy(&connect.vht_capa,
10418 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10419 		       sizeof(connect.vht_capa));
10420 	}
10421 
10422 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10423 		if (!((rdev->wiphy.features &
10424 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10425 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10426 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10427 					     NL80211_EXT_FEATURE_RRM)) {
10428 			kfree_sensitive(connkeys);
10429 			return -EINVAL;
10430 		}
10431 		connect.flags |= ASSOC_REQ_USE_RRM;
10432 	}
10433 
10434 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10435 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10436 		kfree_sensitive(connkeys);
10437 		return -EOPNOTSUPP;
10438 	}
10439 
10440 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10441 		/* bss selection makes no sense if bssid is set */
10442 		if (connect.bssid) {
10443 			kfree_sensitive(connkeys);
10444 			return -EINVAL;
10445 		}
10446 
10447 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10448 				       wiphy, &connect.bss_select);
10449 		if (err) {
10450 			kfree_sensitive(connkeys);
10451 			return err;
10452 		}
10453 	}
10454 
10455 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10456 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10457 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10458 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10459 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10460 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10461 		connect.fils_erp_username =
10462 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10463 		connect.fils_erp_username_len =
10464 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10465 		connect.fils_erp_realm =
10466 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10467 		connect.fils_erp_realm_len =
10468 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10469 		connect.fils_erp_next_seq_num =
10470 			nla_get_u16(
10471 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10472 		connect.fils_erp_rrk =
10473 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10474 		connect.fils_erp_rrk_len =
10475 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10476 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10477 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10478 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10479 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10480 		kfree_sensitive(connkeys);
10481 		return -EINVAL;
10482 	}
10483 
10484 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10485 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10486 			kfree_sensitive(connkeys);
10487 			GENL_SET_ERR_MSG(info,
10488 					 "external auth requires connection ownership");
10489 			return -EINVAL;
10490 		}
10491 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10492 	}
10493 
10494 	wdev_lock(dev->ieee80211_ptr);
10495 
10496 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10497 			       connect.prev_bssid);
10498 	if (err)
10499 		kfree_sensitive(connkeys);
10500 
10501 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10502 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10503 		if (connect.bssid)
10504 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10505 			       connect.bssid, ETH_ALEN);
10506 		else
10507 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
10508 	}
10509 
10510 	wdev_unlock(dev->ieee80211_ptr);
10511 
10512 	return err;
10513 }
10514 
10515 static int nl80211_update_connect_params(struct sk_buff *skb,
10516 					 struct genl_info *info)
10517 {
10518 	struct cfg80211_connect_params connect = {};
10519 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10520 	struct net_device *dev = info->user_ptr[1];
10521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10522 	bool fils_sk_offload;
10523 	u32 auth_type;
10524 	u32 changed = 0;
10525 	int ret;
10526 
10527 	if (!rdev->ops->update_connect_params)
10528 		return -EOPNOTSUPP;
10529 
10530 	if (info->attrs[NL80211_ATTR_IE]) {
10531 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10532 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10533 		changed |= UPDATE_ASSOC_IES;
10534 	}
10535 
10536 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10537 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10538 
10539 	/*
10540 	 * when driver supports fils-sk offload all attributes must be
10541 	 * provided. So the else covers "fils-sk-not-all" and
10542 	 * "no-fils-sk-any".
10543 	 */
10544 	if (fils_sk_offload &&
10545 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10546 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10547 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10548 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10549 		connect.fils_erp_username =
10550 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10551 		connect.fils_erp_username_len =
10552 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10553 		connect.fils_erp_realm =
10554 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10555 		connect.fils_erp_realm_len =
10556 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10557 		connect.fils_erp_next_seq_num =
10558 			nla_get_u16(
10559 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10560 		connect.fils_erp_rrk =
10561 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10562 		connect.fils_erp_rrk_len =
10563 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10564 		changed |= UPDATE_FILS_ERP_INFO;
10565 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10566 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10567 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10568 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10569 		return -EINVAL;
10570 	}
10571 
10572 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10573 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10574 		if (!nl80211_valid_auth_type(rdev, auth_type,
10575 					     NL80211_CMD_CONNECT))
10576 			return -EINVAL;
10577 
10578 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10579 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10580 			return -EINVAL;
10581 
10582 		connect.auth_type = auth_type;
10583 		changed |= UPDATE_AUTH_TYPE;
10584 	}
10585 
10586 	wdev_lock(dev->ieee80211_ptr);
10587 	if (!wdev->current_bss)
10588 		ret = -ENOLINK;
10589 	else
10590 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10591 	wdev_unlock(dev->ieee80211_ptr);
10592 
10593 	return ret;
10594 }
10595 
10596 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10597 {
10598 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10599 	struct net_device *dev = info->user_ptr[1];
10600 	u16 reason;
10601 	int ret;
10602 
10603 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10604 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10605 		return -EPERM;
10606 
10607 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10608 		reason = WLAN_REASON_DEAUTH_LEAVING;
10609 	else
10610 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10611 
10612 	if (reason == 0)
10613 		return -EINVAL;
10614 
10615 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10616 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10617 		return -EOPNOTSUPP;
10618 
10619 	wdev_lock(dev->ieee80211_ptr);
10620 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10621 	wdev_unlock(dev->ieee80211_ptr);
10622 	return ret;
10623 }
10624 
10625 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10626 {
10627 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10628 	struct net *net;
10629 	int err;
10630 
10631 	if (info->attrs[NL80211_ATTR_PID]) {
10632 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10633 
10634 		net = get_net_ns_by_pid(pid);
10635 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10636 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10637 
10638 		net = get_net_ns_by_fd(fd);
10639 	} else {
10640 		return -EINVAL;
10641 	}
10642 
10643 	if (IS_ERR(net))
10644 		return PTR_ERR(net);
10645 
10646 	err = 0;
10647 
10648 	/* check if anything to do */
10649 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10650 		err = cfg80211_switch_netns(rdev, net);
10651 
10652 	put_net(net);
10653 	return err;
10654 }
10655 
10656 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10657 {
10658 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10659 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10660 			struct cfg80211_pmksa *pmksa) = NULL;
10661 	struct net_device *dev = info->user_ptr[1];
10662 	struct cfg80211_pmksa pmksa;
10663 
10664 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10665 
10666 	if (!info->attrs[NL80211_ATTR_PMKID])
10667 		return -EINVAL;
10668 
10669 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10670 
10671 	if (info->attrs[NL80211_ATTR_MAC]) {
10672 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10673 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10674 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10675 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10676 		    info->attrs[NL80211_ATTR_PMK])) {
10677 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10678 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10679 		pmksa.cache_id =
10680 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10681 	} else {
10682 		return -EINVAL;
10683 	}
10684 	if (info->attrs[NL80211_ATTR_PMK]) {
10685 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10686 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10687 	}
10688 
10689 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
10690 		pmksa.pmk_lifetime =
10691 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
10692 
10693 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
10694 		pmksa.pmk_reauth_threshold =
10695 			nla_get_u8(
10696 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
10697 
10698 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10699 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10700 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10701 	      wiphy_ext_feature_isset(&rdev->wiphy,
10702 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10703 		return -EOPNOTSUPP;
10704 
10705 	switch (info->genlhdr->cmd) {
10706 	case NL80211_CMD_SET_PMKSA:
10707 		rdev_ops = rdev->ops->set_pmksa;
10708 		break;
10709 	case NL80211_CMD_DEL_PMKSA:
10710 		rdev_ops = rdev->ops->del_pmksa;
10711 		break;
10712 	default:
10713 		WARN_ON(1);
10714 		break;
10715 	}
10716 
10717 	if (!rdev_ops)
10718 		return -EOPNOTSUPP;
10719 
10720 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10721 }
10722 
10723 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10724 {
10725 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10726 	struct net_device *dev = info->user_ptr[1];
10727 
10728 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10729 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10730 		return -EOPNOTSUPP;
10731 
10732 	if (!rdev->ops->flush_pmksa)
10733 		return -EOPNOTSUPP;
10734 
10735 	return rdev_flush_pmksa(rdev, dev);
10736 }
10737 
10738 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10739 {
10740 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10741 	struct net_device *dev = info->user_ptr[1];
10742 	u8 action_code, dialog_token;
10743 	u32 peer_capability = 0;
10744 	u16 status_code;
10745 	u8 *peer;
10746 	bool initiator;
10747 
10748 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10749 	    !rdev->ops->tdls_mgmt)
10750 		return -EOPNOTSUPP;
10751 
10752 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10753 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10754 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10755 	    !info->attrs[NL80211_ATTR_IE] ||
10756 	    !info->attrs[NL80211_ATTR_MAC])
10757 		return -EINVAL;
10758 
10759 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10760 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10761 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10762 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10763 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10764 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10765 		peer_capability =
10766 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10767 
10768 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10769 			      dialog_token, status_code, peer_capability,
10770 			      initiator,
10771 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10772 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10773 }
10774 
10775 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10776 {
10777 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10778 	struct net_device *dev = info->user_ptr[1];
10779 	enum nl80211_tdls_operation operation;
10780 	u8 *peer;
10781 
10782 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10783 	    !rdev->ops->tdls_oper)
10784 		return -EOPNOTSUPP;
10785 
10786 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10787 	    !info->attrs[NL80211_ATTR_MAC])
10788 		return -EINVAL;
10789 
10790 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10791 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10792 
10793 	return rdev_tdls_oper(rdev, dev, peer, operation);
10794 }
10795 
10796 static int nl80211_remain_on_channel(struct sk_buff *skb,
10797 				     struct genl_info *info)
10798 {
10799 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10800 	struct wireless_dev *wdev = info->user_ptr[1];
10801 	struct cfg80211_chan_def chandef;
10802 	const struct cfg80211_chan_def *compat_chandef;
10803 	struct sk_buff *msg;
10804 	void *hdr;
10805 	u64 cookie;
10806 	u32 duration;
10807 	int err;
10808 
10809 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10810 	    !info->attrs[NL80211_ATTR_DURATION])
10811 		return -EINVAL;
10812 
10813 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10814 
10815 	if (!rdev->ops->remain_on_channel ||
10816 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10817 		return -EOPNOTSUPP;
10818 
10819 	/*
10820 	 * We should be on that channel for at least a minimum amount of
10821 	 * time (10ms) but no longer than the driver supports.
10822 	 */
10823 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10824 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10825 		return -EINVAL;
10826 
10827 	err = nl80211_parse_chandef(rdev, info, &chandef);
10828 	if (err)
10829 		return err;
10830 
10831 	wdev_lock(wdev);
10832 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10833 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10834 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10835 							     &chandef);
10836 		if (compat_chandef != &chandef) {
10837 			wdev_unlock(wdev);
10838 			return -EBUSY;
10839 		}
10840 	}
10841 	wdev_unlock(wdev);
10842 
10843 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10844 	if (!msg)
10845 		return -ENOMEM;
10846 
10847 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10848 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10849 	if (!hdr) {
10850 		err = -ENOBUFS;
10851 		goto free_msg;
10852 	}
10853 
10854 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10855 				     duration, &cookie);
10856 
10857 	if (err)
10858 		goto free_msg;
10859 
10860 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10861 			      NL80211_ATTR_PAD))
10862 		goto nla_put_failure;
10863 
10864 	genlmsg_end(msg, hdr);
10865 
10866 	return genlmsg_reply(msg, info);
10867 
10868  nla_put_failure:
10869 	err = -ENOBUFS;
10870  free_msg:
10871 	nlmsg_free(msg);
10872 	return err;
10873 }
10874 
10875 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10876 					    struct genl_info *info)
10877 {
10878 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10879 	struct wireless_dev *wdev = info->user_ptr[1];
10880 	u64 cookie;
10881 
10882 	if (!info->attrs[NL80211_ATTR_COOKIE])
10883 		return -EINVAL;
10884 
10885 	if (!rdev->ops->cancel_remain_on_channel)
10886 		return -EOPNOTSUPP;
10887 
10888 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10889 
10890 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10891 }
10892 
10893 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10894 				       struct genl_info *info)
10895 {
10896 	struct cfg80211_bitrate_mask mask;
10897 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10898 	struct net_device *dev = info->user_ptr[1];
10899 	int err;
10900 
10901 	if (!rdev->ops->set_bitrate_mask)
10902 		return -EOPNOTSUPP;
10903 
10904 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
10905 					    NL80211_ATTR_TX_RATES, &mask,
10906 					    dev);
10907 	if (err)
10908 		return err;
10909 
10910 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10911 }
10912 
10913 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10914 {
10915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10916 	struct wireless_dev *wdev = info->user_ptr[1];
10917 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10918 
10919 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10920 		return -EINVAL;
10921 
10922 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10923 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10924 
10925 	switch (wdev->iftype) {
10926 	case NL80211_IFTYPE_STATION:
10927 	case NL80211_IFTYPE_ADHOC:
10928 	case NL80211_IFTYPE_P2P_CLIENT:
10929 	case NL80211_IFTYPE_AP:
10930 	case NL80211_IFTYPE_AP_VLAN:
10931 	case NL80211_IFTYPE_MESH_POINT:
10932 	case NL80211_IFTYPE_P2P_GO:
10933 	case NL80211_IFTYPE_P2P_DEVICE:
10934 		break;
10935 	case NL80211_IFTYPE_NAN:
10936 	default:
10937 		return -EOPNOTSUPP;
10938 	}
10939 
10940 	/* not much point in registering if we can't reply */
10941 	if (!rdev->ops->mgmt_tx)
10942 		return -EOPNOTSUPP;
10943 
10944 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
10945 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10946 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
10947 		GENL_SET_ERR_MSG(info,
10948 				 "multicast RX registrations are not supported");
10949 		return -EOPNOTSUPP;
10950 	}
10951 
10952 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10953 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10954 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10955 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
10956 					   info->extack);
10957 }
10958 
10959 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10960 {
10961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10962 	struct wireless_dev *wdev = info->user_ptr[1];
10963 	struct cfg80211_chan_def chandef;
10964 	int err;
10965 	void *hdr = NULL;
10966 	u64 cookie;
10967 	struct sk_buff *msg = NULL;
10968 	struct cfg80211_mgmt_tx_params params = {
10969 		.dont_wait_for_ack =
10970 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10971 	};
10972 
10973 	if (!info->attrs[NL80211_ATTR_FRAME])
10974 		return -EINVAL;
10975 
10976 	if (!rdev->ops->mgmt_tx)
10977 		return -EOPNOTSUPP;
10978 
10979 	switch (wdev->iftype) {
10980 	case NL80211_IFTYPE_P2P_DEVICE:
10981 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10982 			return -EINVAL;
10983 	case NL80211_IFTYPE_STATION:
10984 	case NL80211_IFTYPE_ADHOC:
10985 	case NL80211_IFTYPE_P2P_CLIENT:
10986 	case NL80211_IFTYPE_AP:
10987 	case NL80211_IFTYPE_AP_VLAN:
10988 	case NL80211_IFTYPE_MESH_POINT:
10989 	case NL80211_IFTYPE_P2P_GO:
10990 		break;
10991 	case NL80211_IFTYPE_NAN:
10992 	default:
10993 		return -EOPNOTSUPP;
10994 	}
10995 
10996 	if (info->attrs[NL80211_ATTR_DURATION]) {
10997 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10998 			return -EINVAL;
10999 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11000 
11001 		/*
11002 		 * We should wait on the channel for at least a minimum amount
11003 		 * of time (10ms) but no longer than the driver supports.
11004 		 */
11005 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11006 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11007 			return -EINVAL;
11008 	}
11009 
11010 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11011 
11012 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11013 		return -EINVAL;
11014 
11015 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11016 
11017 	/* get the channel if any has been specified, otherwise pass NULL to
11018 	 * the driver. The latter will use the current one
11019 	 */
11020 	chandef.chan = NULL;
11021 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11022 		err = nl80211_parse_chandef(rdev, info, &chandef);
11023 		if (err)
11024 			return err;
11025 	}
11026 
11027 	if (!chandef.chan && params.offchan)
11028 		return -EINVAL;
11029 
11030 	wdev_lock(wdev);
11031 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11032 		wdev_unlock(wdev);
11033 		return -EBUSY;
11034 	}
11035 	wdev_unlock(wdev);
11036 
11037 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11038 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11039 
11040 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11041 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11042 		int i;
11043 
11044 		if (len % sizeof(u16))
11045 			return -EINVAL;
11046 
11047 		params.n_csa_offsets = len / sizeof(u16);
11048 		params.csa_offsets =
11049 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11050 
11051 		/* check that all the offsets fit the frame */
11052 		for (i = 0; i < params.n_csa_offsets; i++) {
11053 			if (params.csa_offsets[i] >= params.len)
11054 				return -EINVAL;
11055 		}
11056 	}
11057 
11058 	if (!params.dont_wait_for_ack) {
11059 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11060 		if (!msg)
11061 			return -ENOMEM;
11062 
11063 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11064 				     NL80211_CMD_FRAME);
11065 		if (!hdr) {
11066 			err = -ENOBUFS;
11067 			goto free_msg;
11068 		}
11069 	}
11070 
11071 	params.chan = chandef.chan;
11072 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11073 	if (err)
11074 		goto free_msg;
11075 
11076 	if (msg) {
11077 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11078 				      NL80211_ATTR_PAD))
11079 			goto nla_put_failure;
11080 
11081 		genlmsg_end(msg, hdr);
11082 		return genlmsg_reply(msg, info);
11083 	}
11084 
11085 	return 0;
11086 
11087  nla_put_failure:
11088 	err = -ENOBUFS;
11089  free_msg:
11090 	nlmsg_free(msg);
11091 	return err;
11092 }
11093 
11094 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11095 {
11096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11097 	struct wireless_dev *wdev = info->user_ptr[1];
11098 	u64 cookie;
11099 
11100 	if (!info->attrs[NL80211_ATTR_COOKIE])
11101 		return -EINVAL;
11102 
11103 	if (!rdev->ops->mgmt_tx_cancel_wait)
11104 		return -EOPNOTSUPP;
11105 
11106 	switch (wdev->iftype) {
11107 	case NL80211_IFTYPE_STATION:
11108 	case NL80211_IFTYPE_ADHOC:
11109 	case NL80211_IFTYPE_P2P_CLIENT:
11110 	case NL80211_IFTYPE_AP:
11111 	case NL80211_IFTYPE_AP_VLAN:
11112 	case NL80211_IFTYPE_P2P_GO:
11113 	case NL80211_IFTYPE_P2P_DEVICE:
11114 		break;
11115 	case NL80211_IFTYPE_NAN:
11116 	default:
11117 		return -EOPNOTSUPP;
11118 	}
11119 
11120 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11121 
11122 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11123 }
11124 
11125 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11126 {
11127 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11128 	struct wireless_dev *wdev;
11129 	struct net_device *dev = info->user_ptr[1];
11130 	u8 ps_state;
11131 	bool state;
11132 	int err;
11133 
11134 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11135 		return -EINVAL;
11136 
11137 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11138 
11139 	wdev = dev->ieee80211_ptr;
11140 
11141 	if (!rdev->ops->set_power_mgmt)
11142 		return -EOPNOTSUPP;
11143 
11144 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11145 
11146 	if (state == wdev->ps)
11147 		return 0;
11148 
11149 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11150 	if (!err)
11151 		wdev->ps = state;
11152 	return err;
11153 }
11154 
11155 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11156 {
11157 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11158 	enum nl80211_ps_state ps_state;
11159 	struct wireless_dev *wdev;
11160 	struct net_device *dev = info->user_ptr[1];
11161 	struct sk_buff *msg;
11162 	void *hdr;
11163 	int err;
11164 
11165 	wdev = dev->ieee80211_ptr;
11166 
11167 	if (!rdev->ops->set_power_mgmt)
11168 		return -EOPNOTSUPP;
11169 
11170 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11171 	if (!msg)
11172 		return -ENOMEM;
11173 
11174 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11175 			     NL80211_CMD_GET_POWER_SAVE);
11176 	if (!hdr) {
11177 		err = -ENOBUFS;
11178 		goto free_msg;
11179 	}
11180 
11181 	if (wdev->ps)
11182 		ps_state = NL80211_PS_ENABLED;
11183 	else
11184 		ps_state = NL80211_PS_DISABLED;
11185 
11186 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11187 		goto nla_put_failure;
11188 
11189 	genlmsg_end(msg, hdr);
11190 	return genlmsg_reply(msg, info);
11191 
11192  nla_put_failure:
11193 	err = -ENOBUFS;
11194  free_msg:
11195 	nlmsg_free(msg);
11196 	return err;
11197 }
11198 
11199 static const struct nla_policy
11200 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11201 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11202 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11203 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11204 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11205 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11206 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11207 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11208 };
11209 
11210 static int nl80211_set_cqm_txe(struct genl_info *info,
11211 			       u32 rate, u32 pkts, u32 intvl)
11212 {
11213 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11214 	struct net_device *dev = info->user_ptr[1];
11215 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11216 
11217 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11218 		return -EINVAL;
11219 
11220 	if (!rdev->ops->set_cqm_txe_config)
11221 		return -EOPNOTSUPP;
11222 
11223 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11224 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11225 		return -EOPNOTSUPP;
11226 
11227 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11228 }
11229 
11230 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11231 				    struct net_device *dev)
11232 {
11233 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11234 	s32 last, low, high;
11235 	u32 hyst;
11236 	int i, n, low_index;
11237 	int err;
11238 
11239 	/* RSSI reporting disabled? */
11240 	if (!wdev->cqm_config)
11241 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11242 
11243 	/*
11244 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11245 	 * event has been received yet, we should receive an event after a
11246 	 * connection is established and enough beacons received to calculate
11247 	 * the average.
11248 	 */
11249 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11250 	    rdev->ops->get_station) {
11251 		struct station_info sinfo = {};
11252 		u8 *mac_addr;
11253 
11254 		mac_addr = wdev->current_bss->pub.bssid;
11255 
11256 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11257 		if (err)
11258 			return err;
11259 
11260 		cfg80211_sinfo_release_content(&sinfo);
11261 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11262 			wdev->cqm_config->last_rssi_event_value =
11263 				(s8) sinfo.rx_beacon_signal_avg;
11264 	}
11265 
11266 	last = wdev->cqm_config->last_rssi_event_value;
11267 	hyst = wdev->cqm_config->rssi_hyst;
11268 	n = wdev->cqm_config->n_rssi_thresholds;
11269 
11270 	for (i = 0; i < n; i++) {
11271 		i = array_index_nospec(i, n);
11272 		if (last < wdev->cqm_config->rssi_thresholds[i])
11273 			break;
11274 	}
11275 
11276 	low_index = i - 1;
11277 	if (low_index >= 0) {
11278 		low_index = array_index_nospec(low_index, n);
11279 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11280 	} else {
11281 		low = S32_MIN;
11282 	}
11283 	if (i < n) {
11284 		i = array_index_nospec(i, n);
11285 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11286 	} else {
11287 		high = S32_MAX;
11288 	}
11289 
11290 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11291 }
11292 
11293 static int nl80211_set_cqm_rssi(struct genl_info *info,
11294 				const s32 *thresholds, int n_thresholds,
11295 				u32 hysteresis)
11296 {
11297 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11298 	struct net_device *dev = info->user_ptr[1];
11299 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11300 	int i, err;
11301 	s32 prev = S32_MIN;
11302 
11303 	/* Check all values negative and sorted */
11304 	for (i = 0; i < n_thresholds; i++) {
11305 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11306 			return -EINVAL;
11307 
11308 		prev = thresholds[i];
11309 	}
11310 
11311 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11312 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11313 		return -EOPNOTSUPP;
11314 
11315 	wdev_lock(wdev);
11316 	cfg80211_cqm_config_free(wdev);
11317 	wdev_unlock(wdev);
11318 
11319 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11320 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11321 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11322 
11323 		return rdev_set_cqm_rssi_config(rdev, dev,
11324 						thresholds[0], hysteresis);
11325 	}
11326 
11327 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11328 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11329 		return -EOPNOTSUPP;
11330 
11331 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11332 		n_thresholds = 0;
11333 
11334 	wdev_lock(wdev);
11335 	if (n_thresholds) {
11336 		struct cfg80211_cqm_config *cqm_config;
11337 
11338 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11339 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11340 		if (!cqm_config) {
11341 			err = -ENOMEM;
11342 			goto unlock;
11343 		}
11344 
11345 		cqm_config->rssi_hyst = hysteresis;
11346 		cqm_config->n_rssi_thresholds = n_thresholds;
11347 		memcpy(cqm_config->rssi_thresholds, thresholds,
11348 		       n_thresholds * sizeof(s32));
11349 
11350 		wdev->cqm_config = cqm_config;
11351 	}
11352 
11353 	err = cfg80211_cqm_rssi_update(rdev, dev);
11354 
11355 unlock:
11356 	wdev_unlock(wdev);
11357 
11358 	return err;
11359 }
11360 
11361 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11362 {
11363 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11364 	struct nlattr *cqm;
11365 	int err;
11366 
11367 	cqm = info->attrs[NL80211_ATTR_CQM];
11368 	if (!cqm)
11369 		return -EINVAL;
11370 
11371 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11372 					  nl80211_attr_cqm_policy,
11373 					  info->extack);
11374 	if (err)
11375 		return err;
11376 
11377 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11378 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11379 		const s32 *thresholds =
11380 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11381 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11382 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11383 
11384 		if (len % 4)
11385 			return -EINVAL;
11386 
11387 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11388 					    hysteresis);
11389 	}
11390 
11391 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11392 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11393 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11394 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11395 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11396 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11397 
11398 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11399 	}
11400 
11401 	return -EINVAL;
11402 }
11403 
11404 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11405 {
11406 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11407 	struct net_device *dev = info->user_ptr[1];
11408 	struct ocb_setup setup = {};
11409 	int err;
11410 
11411 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11412 	if (err)
11413 		return err;
11414 
11415 	return cfg80211_join_ocb(rdev, dev, &setup);
11416 }
11417 
11418 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11419 {
11420 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11421 	struct net_device *dev = info->user_ptr[1];
11422 
11423 	return cfg80211_leave_ocb(rdev, dev);
11424 }
11425 
11426 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11427 {
11428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11429 	struct net_device *dev = info->user_ptr[1];
11430 	struct mesh_config cfg;
11431 	struct mesh_setup setup;
11432 	int err;
11433 
11434 	/* start with default */
11435 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11436 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11437 
11438 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11439 		/* and parse parameters if given */
11440 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11441 		if (err)
11442 			return err;
11443 	}
11444 
11445 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11446 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11447 		return -EINVAL;
11448 
11449 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11450 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11451 
11452 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11453 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11454 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11455 			return -EINVAL;
11456 
11457 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11458 		setup.beacon_interval =
11459 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11460 
11461 		err = cfg80211_validate_beacon_int(rdev,
11462 						   NL80211_IFTYPE_MESH_POINT,
11463 						   setup.beacon_interval);
11464 		if (err)
11465 			return err;
11466 	}
11467 
11468 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11469 		setup.dtim_period =
11470 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11471 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11472 			return -EINVAL;
11473 	}
11474 
11475 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11476 		/* parse additional setup parameters if given */
11477 		err = nl80211_parse_mesh_setup(info, &setup);
11478 		if (err)
11479 			return err;
11480 	}
11481 
11482 	if (setup.user_mpm)
11483 		cfg.auto_open_plinks = false;
11484 
11485 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11486 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11487 		if (err)
11488 			return err;
11489 	} else {
11490 		/* __cfg80211_join_mesh() will sort it out */
11491 		setup.chandef.chan = NULL;
11492 	}
11493 
11494 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11495 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11496 		int n_rates =
11497 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11498 		struct ieee80211_supported_band *sband;
11499 
11500 		if (!setup.chandef.chan)
11501 			return -EINVAL;
11502 
11503 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11504 
11505 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11506 					     &setup.basic_rates);
11507 		if (err)
11508 			return err;
11509 	}
11510 
11511 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11512 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11513 						    NL80211_ATTR_TX_RATES,
11514 						    &setup.beacon_rate,
11515 						    dev);
11516 		if (err)
11517 			return err;
11518 
11519 		if (!setup.chandef.chan)
11520 			return -EINVAL;
11521 
11522 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11523 					      &setup.beacon_rate);
11524 		if (err)
11525 			return err;
11526 	}
11527 
11528 	setup.userspace_handles_dfs =
11529 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11530 
11531 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11532 		int r = validate_pae_over_nl80211(rdev, info);
11533 
11534 		if (r < 0)
11535 			return r;
11536 
11537 		setup.control_port_over_nl80211 = true;
11538 	}
11539 
11540 	wdev_lock(dev->ieee80211_ptr);
11541 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11542 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11543 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11544 	wdev_unlock(dev->ieee80211_ptr);
11545 
11546 	return err;
11547 }
11548 
11549 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11550 {
11551 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11552 	struct net_device *dev = info->user_ptr[1];
11553 
11554 	return cfg80211_leave_mesh(rdev, dev);
11555 }
11556 
11557 #ifdef CONFIG_PM
11558 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11559 					struct cfg80211_registered_device *rdev)
11560 {
11561 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11562 	struct nlattr *nl_pats, *nl_pat;
11563 	int i, pat_len;
11564 
11565 	if (!wowlan->n_patterns)
11566 		return 0;
11567 
11568 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11569 	if (!nl_pats)
11570 		return -ENOBUFS;
11571 
11572 	for (i = 0; i < wowlan->n_patterns; i++) {
11573 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11574 		if (!nl_pat)
11575 			return -ENOBUFS;
11576 		pat_len = wowlan->patterns[i].pattern_len;
11577 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11578 			    wowlan->patterns[i].mask) ||
11579 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11580 			    wowlan->patterns[i].pattern) ||
11581 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11582 				wowlan->patterns[i].pkt_offset))
11583 			return -ENOBUFS;
11584 		nla_nest_end(msg, nl_pat);
11585 	}
11586 	nla_nest_end(msg, nl_pats);
11587 
11588 	return 0;
11589 }
11590 
11591 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11592 				   struct cfg80211_wowlan_tcp *tcp)
11593 {
11594 	struct nlattr *nl_tcp;
11595 
11596 	if (!tcp)
11597 		return 0;
11598 
11599 	nl_tcp = nla_nest_start_noflag(msg,
11600 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11601 	if (!nl_tcp)
11602 		return -ENOBUFS;
11603 
11604 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11605 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11606 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11607 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11608 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11609 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11610 		    tcp->payload_len, tcp->payload) ||
11611 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11612 			tcp->data_interval) ||
11613 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11614 		    tcp->wake_len, tcp->wake_data) ||
11615 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11616 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11617 		return -ENOBUFS;
11618 
11619 	if (tcp->payload_seq.len &&
11620 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11621 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11622 		return -ENOBUFS;
11623 
11624 	if (tcp->payload_tok.len &&
11625 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11626 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11627 		    &tcp->payload_tok))
11628 		return -ENOBUFS;
11629 
11630 	nla_nest_end(msg, nl_tcp);
11631 
11632 	return 0;
11633 }
11634 
11635 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11636 				  struct cfg80211_sched_scan_request *req)
11637 {
11638 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11639 	int i;
11640 
11641 	if (!req)
11642 		return 0;
11643 
11644 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11645 	if (!nd)
11646 		return -ENOBUFS;
11647 
11648 	if (req->n_scan_plans == 1 &&
11649 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11650 			req->scan_plans[0].interval * 1000))
11651 		return -ENOBUFS;
11652 
11653 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11654 		return -ENOBUFS;
11655 
11656 	if (req->relative_rssi_set) {
11657 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11658 
11659 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11660 			       req->relative_rssi))
11661 			return -ENOBUFS;
11662 
11663 		rssi_adjust.band = req->rssi_adjust.band;
11664 		rssi_adjust.delta = req->rssi_adjust.delta;
11665 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11666 			    sizeof(rssi_adjust), &rssi_adjust))
11667 			return -ENOBUFS;
11668 	}
11669 
11670 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11671 	if (!freqs)
11672 		return -ENOBUFS;
11673 
11674 	for (i = 0; i < req->n_channels; i++) {
11675 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11676 			return -ENOBUFS;
11677 	}
11678 
11679 	nla_nest_end(msg, freqs);
11680 
11681 	if (req->n_match_sets) {
11682 		matches = nla_nest_start_noflag(msg,
11683 						NL80211_ATTR_SCHED_SCAN_MATCH);
11684 		if (!matches)
11685 			return -ENOBUFS;
11686 
11687 		for (i = 0; i < req->n_match_sets; i++) {
11688 			match = nla_nest_start_noflag(msg, i);
11689 			if (!match)
11690 				return -ENOBUFS;
11691 
11692 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11693 				    req->match_sets[i].ssid.ssid_len,
11694 				    req->match_sets[i].ssid.ssid))
11695 				return -ENOBUFS;
11696 			nla_nest_end(msg, match);
11697 		}
11698 		nla_nest_end(msg, matches);
11699 	}
11700 
11701 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11702 	if (!scan_plans)
11703 		return -ENOBUFS;
11704 
11705 	for (i = 0; i < req->n_scan_plans; i++) {
11706 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11707 		if (!scan_plan)
11708 			return -ENOBUFS;
11709 
11710 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11711 				req->scan_plans[i].interval) ||
11712 		    (req->scan_plans[i].iterations &&
11713 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11714 				 req->scan_plans[i].iterations)))
11715 			return -ENOBUFS;
11716 		nla_nest_end(msg, scan_plan);
11717 	}
11718 	nla_nest_end(msg, scan_plans);
11719 
11720 	nla_nest_end(msg, nd);
11721 
11722 	return 0;
11723 }
11724 
11725 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11726 {
11727 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11728 	struct sk_buff *msg;
11729 	void *hdr;
11730 	u32 size = NLMSG_DEFAULT_SIZE;
11731 
11732 	if (!rdev->wiphy.wowlan)
11733 		return -EOPNOTSUPP;
11734 
11735 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11736 		/* adjust size to have room for all the data */
11737 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11738 			rdev->wiphy.wowlan_config->tcp->payload_len +
11739 			rdev->wiphy.wowlan_config->tcp->wake_len +
11740 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11741 	}
11742 
11743 	msg = nlmsg_new(size, GFP_KERNEL);
11744 	if (!msg)
11745 		return -ENOMEM;
11746 
11747 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11748 			     NL80211_CMD_GET_WOWLAN);
11749 	if (!hdr)
11750 		goto nla_put_failure;
11751 
11752 	if (rdev->wiphy.wowlan_config) {
11753 		struct nlattr *nl_wowlan;
11754 
11755 		nl_wowlan = nla_nest_start_noflag(msg,
11756 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11757 		if (!nl_wowlan)
11758 			goto nla_put_failure;
11759 
11760 		if ((rdev->wiphy.wowlan_config->any &&
11761 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11762 		    (rdev->wiphy.wowlan_config->disconnect &&
11763 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11764 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11765 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11766 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11767 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11768 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11769 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11770 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11771 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11772 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11773 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11774 			goto nla_put_failure;
11775 
11776 		if (nl80211_send_wowlan_patterns(msg, rdev))
11777 			goto nla_put_failure;
11778 
11779 		if (nl80211_send_wowlan_tcp(msg,
11780 					    rdev->wiphy.wowlan_config->tcp))
11781 			goto nla_put_failure;
11782 
11783 		if (nl80211_send_wowlan_nd(
11784 			    msg,
11785 			    rdev->wiphy.wowlan_config->nd_config))
11786 			goto nla_put_failure;
11787 
11788 		nla_nest_end(msg, nl_wowlan);
11789 	}
11790 
11791 	genlmsg_end(msg, hdr);
11792 	return genlmsg_reply(msg, info);
11793 
11794 nla_put_failure:
11795 	nlmsg_free(msg);
11796 	return -ENOBUFS;
11797 }
11798 
11799 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11800 				    struct nlattr *attr,
11801 				    struct cfg80211_wowlan *trig)
11802 {
11803 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11804 	struct cfg80211_wowlan_tcp *cfg;
11805 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11806 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11807 	u32 size;
11808 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11809 	int err, port;
11810 
11811 	if (!rdev->wiphy.wowlan->tcp)
11812 		return -EINVAL;
11813 
11814 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11815 					  nl80211_wowlan_tcp_policy, NULL);
11816 	if (err)
11817 		return err;
11818 
11819 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11820 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11821 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11822 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11823 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11824 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11825 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11826 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11827 		return -EINVAL;
11828 
11829 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11830 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11831 		return -EINVAL;
11832 
11833 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11834 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11835 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11836 		return -EINVAL;
11837 
11838 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11839 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11840 		return -EINVAL;
11841 
11842 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11843 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11844 		return -EINVAL;
11845 
11846 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11847 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11848 
11849 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11850 		tokens_size = tokln - sizeof(*tok);
11851 
11852 		if (!tok->len || tokens_size % tok->len)
11853 			return -EINVAL;
11854 		if (!rdev->wiphy.wowlan->tcp->tok)
11855 			return -EINVAL;
11856 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11857 			return -EINVAL;
11858 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11859 			return -EINVAL;
11860 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11861 			return -EINVAL;
11862 		if (tok->offset + tok->len > data_size)
11863 			return -EINVAL;
11864 	}
11865 
11866 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11867 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11868 		if (!rdev->wiphy.wowlan->tcp->seq)
11869 			return -EINVAL;
11870 		if (seq->len == 0 || seq->len > 4)
11871 			return -EINVAL;
11872 		if (seq->len + seq->offset > data_size)
11873 			return -EINVAL;
11874 	}
11875 
11876 	size = sizeof(*cfg);
11877 	size += data_size;
11878 	size += wake_size + wake_mask_size;
11879 	size += tokens_size;
11880 
11881 	cfg = kzalloc(size, GFP_KERNEL);
11882 	if (!cfg)
11883 		return -ENOMEM;
11884 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11885 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11886 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11887 	       ETH_ALEN);
11888 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11889 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11890 	else
11891 		port = 0;
11892 #ifdef CONFIG_INET
11893 	/* allocate a socket and port for it and use it */
11894 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11895 			    IPPROTO_TCP, &cfg->sock, 1);
11896 	if (err) {
11897 		kfree(cfg);
11898 		return err;
11899 	}
11900 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11901 		sock_release(cfg->sock);
11902 		kfree(cfg);
11903 		return -EADDRINUSE;
11904 	}
11905 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11906 #else
11907 	if (!port) {
11908 		kfree(cfg);
11909 		return -EINVAL;
11910 	}
11911 	cfg->src_port = port;
11912 #endif
11913 
11914 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11915 	cfg->payload_len = data_size;
11916 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11917 	memcpy((void *)cfg->payload,
11918 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11919 	       data_size);
11920 	if (seq)
11921 		cfg->payload_seq = *seq;
11922 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11923 	cfg->wake_len = wake_size;
11924 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11925 	memcpy((void *)cfg->wake_data,
11926 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11927 	       wake_size);
11928 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11929 			 data_size + wake_size;
11930 	memcpy((void *)cfg->wake_mask,
11931 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11932 	       wake_mask_size);
11933 	if (tok) {
11934 		cfg->tokens_size = tokens_size;
11935 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11936 	}
11937 
11938 	trig->tcp = cfg;
11939 
11940 	return 0;
11941 }
11942 
11943 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11944 				   const struct wiphy_wowlan_support *wowlan,
11945 				   struct nlattr *attr,
11946 				   struct cfg80211_wowlan *trig)
11947 {
11948 	struct nlattr **tb;
11949 	int err;
11950 
11951 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11952 	if (!tb)
11953 		return -ENOMEM;
11954 
11955 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11956 		err = -EOPNOTSUPP;
11957 		goto out;
11958 	}
11959 
11960 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11961 					  nl80211_policy, NULL);
11962 	if (err)
11963 		goto out;
11964 
11965 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11966 						   wowlan->max_nd_match_sets);
11967 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11968 	if (err)
11969 		trig->nd_config = NULL;
11970 
11971 out:
11972 	kfree(tb);
11973 	return err;
11974 }
11975 
11976 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11977 {
11978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11979 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11980 	struct cfg80211_wowlan new_triggers = {};
11981 	struct cfg80211_wowlan *ntrig;
11982 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11983 	int err, i;
11984 	bool prev_enabled = rdev->wiphy.wowlan_config;
11985 	bool regular = false;
11986 
11987 	if (!wowlan)
11988 		return -EOPNOTSUPP;
11989 
11990 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11991 		cfg80211_rdev_free_wowlan(rdev);
11992 		rdev->wiphy.wowlan_config = NULL;
11993 		goto set_wakeup;
11994 	}
11995 
11996 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11997 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11998 					  nl80211_wowlan_policy, info->extack);
11999 	if (err)
12000 		return err;
12001 
12002 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12003 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12004 			return -EINVAL;
12005 		new_triggers.any = true;
12006 	}
12007 
12008 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12009 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12010 			return -EINVAL;
12011 		new_triggers.disconnect = true;
12012 		regular = true;
12013 	}
12014 
12015 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12016 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12017 			return -EINVAL;
12018 		new_triggers.magic_pkt = true;
12019 		regular = true;
12020 	}
12021 
12022 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12023 		return -EINVAL;
12024 
12025 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12026 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12027 			return -EINVAL;
12028 		new_triggers.gtk_rekey_failure = true;
12029 		regular = true;
12030 	}
12031 
12032 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12033 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12034 			return -EINVAL;
12035 		new_triggers.eap_identity_req = true;
12036 		regular = true;
12037 	}
12038 
12039 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12040 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12041 			return -EINVAL;
12042 		new_triggers.four_way_handshake = true;
12043 		regular = true;
12044 	}
12045 
12046 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12047 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12048 			return -EINVAL;
12049 		new_triggers.rfkill_release = true;
12050 		regular = true;
12051 	}
12052 
12053 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12054 		struct nlattr *pat;
12055 		int n_patterns = 0;
12056 		int rem, pat_len, mask_len, pkt_offset;
12057 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12058 
12059 		regular = true;
12060 
12061 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12062 				    rem)
12063 			n_patterns++;
12064 		if (n_patterns > wowlan->n_patterns)
12065 			return -EINVAL;
12066 
12067 		new_triggers.patterns = kcalloc(n_patterns,
12068 						sizeof(new_triggers.patterns[0]),
12069 						GFP_KERNEL);
12070 		if (!new_triggers.patterns)
12071 			return -ENOMEM;
12072 
12073 		new_triggers.n_patterns = n_patterns;
12074 		i = 0;
12075 
12076 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12077 				    rem) {
12078 			u8 *mask_pat;
12079 
12080 			err = nla_parse_nested_deprecated(pat_tb,
12081 							  MAX_NL80211_PKTPAT,
12082 							  pat,
12083 							  nl80211_packet_pattern_policy,
12084 							  info->extack);
12085 			if (err)
12086 				goto error;
12087 
12088 			err = -EINVAL;
12089 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12090 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12091 				goto error;
12092 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12093 			mask_len = DIV_ROUND_UP(pat_len, 8);
12094 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12095 				goto error;
12096 			if (pat_len > wowlan->pattern_max_len ||
12097 			    pat_len < wowlan->pattern_min_len)
12098 				goto error;
12099 
12100 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12101 				pkt_offset = 0;
12102 			else
12103 				pkt_offset = nla_get_u32(
12104 					pat_tb[NL80211_PKTPAT_OFFSET]);
12105 			if (pkt_offset > wowlan->max_pkt_offset)
12106 				goto error;
12107 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12108 
12109 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12110 			if (!mask_pat) {
12111 				err = -ENOMEM;
12112 				goto error;
12113 			}
12114 			new_triggers.patterns[i].mask = mask_pat;
12115 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12116 			       mask_len);
12117 			mask_pat += mask_len;
12118 			new_triggers.patterns[i].pattern = mask_pat;
12119 			new_triggers.patterns[i].pattern_len = pat_len;
12120 			memcpy(mask_pat,
12121 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12122 			       pat_len);
12123 			i++;
12124 		}
12125 	}
12126 
12127 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12128 		regular = true;
12129 		err = nl80211_parse_wowlan_tcp(
12130 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12131 			&new_triggers);
12132 		if (err)
12133 			goto error;
12134 	}
12135 
12136 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12137 		regular = true;
12138 		err = nl80211_parse_wowlan_nd(
12139 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12140 			&new_triggers);
12141 		if (err)
12142 			goto error;
12143 	}
12144 
12145 	/* The 'any' trigger means the device continues operating more or less
12146 	 * as in its normal operation mode and wakes up the host on most of the
12147 	 * normal interrupts (like packet RX, ...)
12148 	 * It therefore makes little sense to combine with the more constrained
12149 	 * wakeup trigger modes.
12150 	 */
12151 	if (new_triggers.any && regular) {
12152 		err = -EINVAL;
12153 		goto error;
12154 	}
12155 
12156 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12157 	if (!ntrig) {
12158 		err = -ENOMEM;
12159 		goto error;
12160 	}
12161 	cfg80211_rdev_free_wowlan(rdev);
12162 	rdev->wiphy.wowlan_config = ntrig;
12163 
12164  set_wakeup:
12165 	if (rdev->ops->set_wakeup &&
12166 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12167 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12168 
12169 	return 0;
12170  error:
12171 	for (i = 0; i < new_triggers.n_patterns; i++)
12172 		kfree(new_triggers.patterns[i].mask);
12173 	kfree(new_triggers.patterns);
12174 	if (new_triggers.tcp && new_triggers.tcp->sock)
12175 		sock_release(new_triggers.tcp->sock);
12176 	kfree(new_triggers.tcp);
12177 	kfree(new_triggers.nd_config);
12178 	return err;
12179 }
12180 #endif
12181 
12182 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12183 				       struct cfg80211_registered_device *rdev)
12184 {
12185 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12186 	int i, j, pat_len;
12187 	struct cfg80211_coalesce_rules *rule;
12188 
12189 	if (!rdev->coalesce->n_rules)
12190 		return 0;
12191 
12192 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12193 	if (!nl_rules)
12194 		return -ENOBUFS;
12195 
12196 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12197 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12198 		if (!nl_rule)
12199 			return -ENOBUFS;
12200 
12201 		rule = &rdev->coalesce->rules[i];
12202 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12203 				rule->delay))
12204 			return -ENOBUFS;
12205 
12206 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12207 				rule->condition))
12208 			return -ENOBUFS;
12209 
12210 		nl_pats = nla_nest_start_noflag(msg,
12211 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12212 		if (!nl_pats)
12213 			return -ENOBUFS;
12214 
12215 		for (j = 0; j < rule->n_patterns; j++) {
12216 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12217 			if (!nl_pat)
12218 				return -ENOBUFS;
12219 			pat_len = rule->patterns[j].pattern_len;
12220 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12221 				    DIV_ROUND_UP(pat_len, 8),
12222 				    rule->patterns[j].mask) ||
12223 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12224 				    rule->patterns[j].pattern) ||
12225 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12226 					rule->patterns[j].pkt_offset))
12227 				return -ENOBUFS;
12228 			nla_nest_end(msg, nl_pat);
12229 		}
12230 		nla_nest_end(msg, nl_pats);
12231 		nla_nest_end(msg, nl_rule);
12232 	}
12233 	nla_nest_end(msg, nl_rules);
12234 
12235 	return 0;
12236 }
12237 
12238 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12239 {
12240 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12241 	struct sk_buff *msg;
12242 	void *hdr;
12243 
12244 	if (!rdev->wiphy.coalesce)
12245 		return -EOPNOTSUPP;
12246 
12247 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12248 	if (!msg)
12249 		return -ENOMEM;
12250 
12251 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12252 			     NL80211_CMD_GET_COALESCE);
12253 	if (!hdr)
12254 		goto nla_put_failure;
12255 
12256 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12257 		goto nla_put_failure;
12258 
12259 	genlmsg_end(msg, hdr);
12260 	return genlmsg_reply(msg, info);
12261 
12262 nla_put_failure:
12263 	nlmsg_free(msg);
12264 	return -ENOBUFS;
12265 }
12266 
12267 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12268 {
12269 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12270 	int i, j;
12271 	struct cfg80211_coalesce_rules *rule;
12272 
12273 	if (!coalesce)
12274 		return;
12275 
12276 	for (i = 0; i < coalesce->n_rules; i++) {
12277 		rule = &coalesce->rules[i];
12278 		for (j = 0; j < rule->n_patterns; j++)
12279 			kfree(rule->patterns[j].mask);
12280 		kfree(rule->patterns);
12281 	}
12282 	kfree(coalesce->rules);
12283 	kfree(coalesce);
12284 	rdev->coalesce = NULL;
12285 }
12286 
12287 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12288 				       struct nlattr *rule,
12289 				       struct cfg80211_coalesce_rules *new_rule)
12290 {
12291 	int err, i;
12292 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12293 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12294 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12295 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12296 
12297 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12298 					  rule, nl80211_coalesce_policy, NULL);
12299 	if (err)
12300 		return err;
12301 
12302 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12303 		new_rule->delay =
12304 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12305 	if (new_rule->delay > coalesce->max_delay)
12306 		return -EINVAL;
12307 
12308 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12309 		new_rule->condition =
12310 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12311 
12312 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12313 		return -EINVAL;
12314 
12315 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12316 			    rem)
12317 		n_patterns++;
12318 	if (n_patterns > coalesce->n_patterns)
12319 		return -EINVAL;
12320 
12321 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12322 				     GFP_KERNEL);
12323 	if (!new_rule->patterns)
12324 		return -ENOMEM;
12325 
12326 	new_rule->n_patterns = n_patterns;
12327 	i = 0;
12328 
12329 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12330 			    rem) {
12331 		u8 *mask_pat;
12332 
12333 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12334 						  pat,
12335 						  nl80211_packet_pattern_policy,
12336 						  NULL);
12337 		if (err)
12338 			return err;
12339 
12340 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12341 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12342 			return -EINVAL;
12343 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12344 		mask_len = DIV_ROUND_UP(pat_len, 8);
12345 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12346 			return -EINVAL;
12347 		if (pat_len > coalesce->pattern_max_len ||
12348 		    pat_len < coalesce->pattern_min_len)
12349 			return -EINVAL;
12350 
12351 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12352 			pkt_offset = 0;
12353 		else
12354 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12355 		if (pkt_offset > coalesce->max_pkt_offset)
12356 			return -EINVAL;
12357 		new_rule->patterns[i].pkt_offset = pkt_offset;
12358 
12359 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12360 		if (!mask_pat)
12361 			return -ENOMEM;
12362 
12363 		new_rule->patterns[i].mask = mask_pat;
12364 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12365 		       mask_len);
12366 
12367 		mask_pat += mask_len;
12368 		new_rule->patterns[i].pattern = mask_pat;
12369 		new_rule->patterns[i].pattern_len = pat_len;
12370 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12371 		       pat_len);
12372 		i++;
12373 	}
12374 
12375 	return 0;
12376 }
12377 
12378 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12379 {
12380 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12381 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12382 	struct cfg80211_coalesce new_coalesce = {};
12383 	struct cfg80211_coalesce *n_coalesce;
12384 	int err, rem_rule, n_rules = 0, i, j;
12385 	struct nlattr *rule;
12386 	struct cfg80211_coalesce_rules *tmp_rule;
12387 
12388 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12389 		return -EOPNOTSUPP;
12390 
12391 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12392 		cfg80211_rdev_free_coalesce(rdev);
12393 		rdev_set_coalesce(rdev, NULL);
12394 		return 0;
12395 	}
12396 
12397 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12398 			    rem_rule)
12399 		n_rules++;
12400 	if (n_rules > coalesce->n_rules)
12401 		return -EINVAL;
12402 
12403 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12404 				     GFP_KERNEL);
12405 	if (!new_coalesce.rules)
12406 		return -ENOMEM;
12407 
12408 	new_coalesce.n_rules = n_rules;
12409 	i = 0;
12410 
12411 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12412 			    rem_rule) {
12413 		err = nl80211_parse_coalesce_rule(rdev, rule,
12414 						  &new_coalesce.rules[i]);
12415 		if (err)
12416 			goto error;
12417 
12418 		i++;
12419 	}
12420 
12421 	err = rdev_set_coalesce(rdev, &new_coalesce);
12422 	if (err)
12423 		goto error;
12424 
12425 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12426 	if (!n_coalesce) {
12427 		err = -ENOMEM;
12428 		goto error;
12429 	}
12430 	cfg80211_rdev_free_coalesce(rdev);
12431 	rdev->coalesce = n_coalesce;
12432 
12433 	return 0;
12434 error:
12435 	for (i = 0; i < new_coalesce.n_rules; i++) {
12436 		tmp_rule = &new_coalesce.rules[i];
12437 		for (j = 0; j < tmp_rule->n_patterns; j++)
12438 			kfree(tmp_rule->patterns[j].mask);
12439 		kfree(tmp_rule->patterns);
12440 	}
12441 	kfree(new_coalesce.rules);
12442 
12443 	return err;
12444 }
12445 
12446 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12447 {
12448 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12449 	struct net_device *dev = info->user_ptr[1];
12450 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12451 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12452 	struct cfg80211_gtk_rekey_data rekey_data;
12453 	int err;
12454 
12455 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12456 		return -EINVAL;
12457 
12458 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12459 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12460 					  nl80211_rekey_policy, info->extack);
12461 	if (err)
12462 		return err;
12463 
12464 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12465 	    !tb[NL80211_REKEY_DATA_KCK])
12466 		return -EINVAL;
12467 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
12468 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12469 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
12470 		return -ERANGE;
12471 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
12472 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12473 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
12474 		return -ERANGE;
12475 
12476 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12477 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12478 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12479 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
12480 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
12481 	if (tb[NL80211_REKEY_DATA_AKM])
12482 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
12483 
12484 	wdev_lock(wdev);
12485 	if (!wdev->current_bss) {
12486 		err = -ENOTCONN;
12487 		goto out;
12488 	}
12489 
12490 	if (!rdev->ops->set_rekey_data) {
12491 		err = -EOPNOTSUPP;
12492 		goto out;
12493 	}
12494 
12495 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12496  out:
12497 	wdev_unlock(wdev);
12498 	return err;
12499 }
12500 
12501 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12502 					     struct genl_info *info)
12503 {
12504 	struct net_device *dev = info->user_ptr[1];
12505 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12506 
12507 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12508 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12509 		return -EINVAL;
12510 
12511 	if (wdev->ap_unexpected_nlportid)
12512 		return -EBUSY;
12513 
12514 	wdev->ap_unexpected_nlportid = info->snd_portid;
12515 	return 0;
12516 }
12517 
12518 static int nl80211_probe_client(struct sk_buff *skb,
12519 				struct genl_info *info)
12520 {
12521 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12522 	struct net_device *dev = info->user_ptr[1];
12523 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12524 	struct sk_buff *msg;
12525 	void *hdr;
12526 	const u8 *addr;
12527 	u64 cookie;
12528 	int err;
12529 
12530 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12531 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12532 		return -EOPNOTSUPP;
12533 
12534 	if (!info->attrs[NL80211_ATTR_MAC])
12535 		return -EINVAL;
12536 
12537 	if (!rdev->ops->probe_client)
12538 		return -EOPNOTSUPP;
12539 
12540 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12541 	if (!msg)
12542 		return -ENOMEM;
12543 
12544 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12545 			     NL80211_CMD_PROBE_CLIENT);
12546 	if (!hdr) {
12547 		err = -ENOBUFS;
12548 		goto free_msg;
12549 	}
12550 
12551 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12552 
12553 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12554 	if (err)
12555 		goto free_msg;
12556 
12557 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12558 			      NL80211_ATTR_PAD))
12559 		goto nla_put_failure;
12560 
12561 	genlmsg_end(msg, hdr);
12562 
12563 	return genlmsg_reply(msg, info);
12564 
12565  nla_put_failure:
12566 	err = -ENOBUFS;
12567  free_msg:
12568 	nlmsg_free(msg);
12569 	return err;
12570 }
12571 
12572 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12573 {
12574 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12575 	struct cfg80211_beacon_registration *reg, *nreg;
12576 	int rv;
12577 
12578 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12579 		return -EOPNOTSUPP;
12580 
12581 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12582 	if (!nreg)
12583 		return -ENOMEM;
12584 
12585 	/* First, check if already registered. */
12586 	spin_lock_bh(&rdev->beacon_registrations_lock);
12587 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12588 		if (reg->nlportid == info->snd_portid) {
12589 			rv = -EALREADY;
12590 			goto out_err;
12591 		}
12592 	}
12593 	/* Add it to the list */
12594 	nreg->nlportid = info->snd_portid;
12595 	list_add(&nreg->list, &rdev->beacon_registrations);
12596 
12597 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12598 
12599 	return 0;
12600 out_err:
12601 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12602 	kfree(nreg);
12603 	return rv;
12604 }
12605 
12606 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12607 {
12608 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12609 	struct wireless_dev *wdev = info->user_ptr[1];
12610 	int err;
12611 
12612 	if (!rdev->ops->start_p2p_device)
12613 		return -EOPNOTSUPP;
12614 
12615 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12616 		return -EOPNOTSUPP;
12617 
12618 	if (wdev_running(wdev))
12619 		return 0;
12620 
12621 	if (rfkill_blocked(rdev->rfkill))
12622 		return -ERFKILL;
12623 
12624 	err = rdev_start_p2p_device(rdev, wdev);
12625 	if (err)
12626 		return err;
12627 
12628 	wdev->is_running = true;
12629 	rdev->opencount++;
12630 
12631 	return 0;
12632 }
12633 
12634 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12635 {
12636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12637 	struct wireless_dev *wdev = info->user_ptr[1];
12638 
12639 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12640 		return -EOPNOTSUPP;
12641 
12642 	if (!rdev->ops->stop_p2p_device)
12643 		return -EOPNOTSUPP;
12644 
12645 	cfg80211_stop_p2p_device(rdev, wdev);
12646 
12647 	return 0;
12648 }
12649 
12650 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12651 {
12652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12653 	struct wireless_dev *wdev = info->user_ptr[1];
12654 	struct cfg80211_nan_conf conf = {};
12655 	int err;
12656 
12657 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12658 		return -EOPNOTSUPP;
12659 
12660 	if (wdev_running(wdev))
12661 		return -EEXIST;
12662 
12663 	if (rfkill_blocked(rdev->rfkill))
12664 		return -ERFKILL;
12665 
12666 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12667 		return -EINVAL;
12668 
12669 	conf.master_pref =
12670 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12671 
12672 	if (info->attrs[NL80211_ATTR_BANDS]) {
12673 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12674 
12675 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12676 			return -EOPNOTSUPP;
12677 
12678 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12679 			return -EINVAL;
12680 
12681 		conf.bands = bands;
12682 	}
12683 
12684 	err = rdev_start_nan(rdev, wdev, &conf);
12685 	if (err)
12686 		return err;
12687 
12688 	wdev->is_running = true;
12689 	rdev->opencount++;
12690 
12691 	return 0;
12692 }
12693 
12694 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12695 {
12696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12697 	struct wireless_dev *wdev = info->user_ptr[1];
12698 
12699 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12700 		return -EOPNOTSUPP;
12701 
12702 	cfg80211_stop_nan(rdev, wdev);
12703 
12704 	return 0;
12705 }
12706 
12707 static int validate_nan_filter(struct nlattr *filter_attr)
12708 {
12709 	struct nlattr *attr;
12710 	int len = 0, n_entries = 0, rem;
12711 
12712 	nla_for_each_nested(attr, filter_attr, rem) {
12713 		len += nla_len(attr);
12714 		n_entries++;
12715 	}
12716 
12717 	if (len >= U8_MAX)
12718 		return -EINVAL;
12719 
12720 	return n_entries;
12721 }
12722 
12723 static int handle_nan_filter(struct nlattr *attr_filter,
12724 			     struct cfg80211_nan_func *func,
12725 			     bool tx)
12726 {
12727 	struct nlattr *attr;
12728 	int n_entries, rem, i;
12729 	struct cfg80211_nan_func_filter *filter;
12730 
12731 	n_entries = validate_nan_filter(attr_filter);
12732 	if (n_entries < 0)
12733 		return n_entries;
12734 
12735 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12736 
12737 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12738 	if (!filter)
12739 		return -ENOMEM;
12740 
12741 	i = 0;
12742 	nla_for_each_nested(attr, attr_filter, rem) {
12743 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12744 		filter[i].len = nla_len(attr);
12745 		i++;
12746 	}
12747 	if (tx) {
12748 		func->num_tx_filters = n_entries;
12749 		func->tx_filters = filter;
12750 	} else {
12751 		func->num_rx_filters = n_entries;
12752 		func->rx_filters = filter;
12753 	}
12754 
12755 	return 0;
12756 }
12757 
12758 static int nl80211_nan_add_func(struct sk_buff *skb,
12759 				struct genl_info *info)
12760 {
12761 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12762 	struct wireless_dev *wdev = info->user_ptr[1];
12763 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12764 	struct cfg80211_nan_func *func;
12765 	struct sk_buff *msg = NULL;
12766 	void *hdr = NULL;
12767 	int err = 0;
12768 
12769 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12770 		return -EOPNOTSUPP;
12771 
12772 	if (!wdev_running(wdev))
12773 		return -ENOTCONN;
12774 
12775 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12776 		return -EINVAL;
12777 
12778 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12779 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12780 					  nl80211_nan_func_policy,
12781 					  info->extack);
12782 	if (err)
12783 		return err;
12784 
12785 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12786 	if (!func)
12787 		return -ENOMEM;
12788 
12789 	func->cookie = cfg80211_assign_cookie(rdev);
12790 
12791 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
12792 		err = -EINVAL;
12793 		goto out;
12794 	}
12795 
12796 
12797 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12798 
12799 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12800 		err = -EINVAL;
12801 		goto out;
12802 	}
12803 
12804 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12805 	       sizeof(func->service_id));
12806 
12807 	func->close_range =
12808 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12809 
12810 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12811 		func->serv_spec_info_len =
12812 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12813 		func->serv_spec_info =
12814 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12815 				func->serv_spec_info_len,
12816 				GFP_KERNEL);
12817 		if (!func->serv_spec_info) {
12818 			err = -ENOMEM;
12819 			goto out;
12820 		}
12821 	}
12822 
12823 	if (tb[NL80211_NAN_FUNC_TTL])
12824 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12825 
12826 	switch (func->type) {
12827 	case NL80211_NAN_FUNC_PUBLISH:
12828 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12829 			err = -EINVAL;
12830 			goto out;
12831 		}
12832 
12833 		func->publish_type =
12834 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12835 		func->publish_bcast =
12836 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12837 
12838 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12839 			func->publish_bcast) {
12840 			err = -EINVAL;
12841 			goto out;
12842 		}
12843 		break;
12844 	case NL80211_NAN_FUNC_SUBSCRIBE:
12845 		func->subscribe_active =
12846 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12847 		break;
12848 	case NL80211_NAN_FUNC_FOLLOW_UP:
12849 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12850 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12851 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12852 			err = -EINVAL;
12853 			goto out;
12854 		}
12855 
12856 		func->followup_id =
12857 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12858 		func->followup_reqid =
12859 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12860 		memcpy(func->followup_dest.addr,
12861 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12862 		       sizeof(func->followup_dest.addr));
12863 		if (func->ttl) {
12864 			err = -EINVAL;
12865 			goto out;
12866 		}
12867 		break;
12868 	default:
12869 		err = -EINVAL;
12870 		goto out;
12871 	}
12872 
12873 	if (tb[NL80211_NAN_FUNC_SRF]) {
12874 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12875 
12876 		err = nla_parse_nested_deprecated(srf_tb,
12877 						  NL80211_NAN_SRF_ATTR_MAX,
12878 						  tb[NL80211_NAN_FUNC_SRF],
12879 						  nl80211_nan_srf_policy,
12880 						  info->extack);
12881 		if (err)
12882 			goto out;
12883 
12884 		func->srf_include =
12885 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12886 
12887 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12888 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12889 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12890 				err = -EINVAL;
12891 				goto out;
12892 			}
12893 
12894 			func->srf_bf_len =
12895 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12896 			func->srf_bf =
12897 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12898 					func->srf_bf_len, GFP_KERNEL);
12899 			if (!func->srf_bf) {
12900 				err = -ENOMEM;
12901 				goto out;
12902 			}
12903 
12904 			func->srf_bf_idx =
12905 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12906 		} else {
12907 			struct nlattr *attr, *mac_attr =
12908 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12909 			int n_entries, rem, i = 0;
12910 
12911 			if (!mac_attr) {
12912 				err = -EINVAL;
12913 				goto out;
12914 			}
12915 
12916 			n_entries = validate_acl_mac_addrs(mac_attr);
12917 			if (n_entries <= 0) {
12918 				err = -EINVAL;
12919 				goto out;
12920 			}
12921 
12922 			func->srf_num_macs = n_entries;
12923 			func->srf_macs =
12924 				kcalloc(n_entries, sizeof(*func->srf_macs),
12925 					GFP_KERNEL);
12926 			if (!func->srf_macs) {
12927 				err = -ENOMEM;
12928 				goto out;
12929 			}
12930 
12931 			nla_for_each_nested(attr, mac_attr, rem)
12932 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12933 				       sizeof(*func->srf_macs));
12934 		}
12935 	}
12936 
12937 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12938 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12939 					func, true);
12940 		if (err)
12941 			goto out;
12942 	}
12943 
12944 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12945 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12946 					func, false);
12947 		if (err)
12948 			goto out;
12949 	}
12950 
12951 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12952 	if (!msg) {
12953 		err = -ENOMEM;
12954 		goto out;
12955 	}
12956 
12957 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12958 			     NL80211_CMD_ADD_NAN_FUNCTION);
12959 	/* This can't really happen - we just allocated 4KB */
12960 	if (WARN_ON(!hdr)) {
12961 		err = -ENOMEM;
12962 		goto out;
12963 	}
12964 
12965 	err = rdev_add_nan_func(rdev, wdev, func);
12966 out:
12967 	if (err < 0) {
12968 		cfg80211_free_nan_func(func);
12969 		nlmsg_free(msg);
12970 		return err;
12971 	}
12972 
12973 	/* propagate the instance id and cookie to userspace  */
12974 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12975 			      NL80211_ATTR_PAD))
12976 		goto nla_put_failure;
12977 
12978 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12979 	if (!func_attr)
12980 		goto nla_put_failure;
12981 
12982 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12983 		       func->instance_id))
12984 		goto nla_put_failure;
12985 
12986 	nla_nest_end(msg, func_attr);
12987 
12988 	genlmsg_end(msg, hdr);
12989 	return genlmsg_reply(msg, info);
12990 
12991 nla_put_failure:
12992 	nlmsg_free(msg);
12993 	return -ENOBUFS;
12994 }
12995 
12996 static int nl80211_nan_del_func(struct sk_buff *skb,
12997 			       struct genl_info *info)
12998 {
12999 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13000 	struct wireless_dev *wdev = info->user_ptr[1];
13001 	u64 cookie;
13002 
13003 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13004 		return -EOPNOTSUPP;
13005 
13006 	if (!wdev_running(wdev))
13007 		return -ENOTCONN;
13008 
13009 	if (!info->attrs[NL80211_ATTR_COOKIE])
13010 		return -EINVAL;
13011 
13012 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13013 
13014 	rdev_del_nan_func(rdev, wdev, cookie);
13015 
13016 	return 0;
13017 }
13018 
13019 static int nl80211_nan_change_config(struct sk_buff *skb,
13020 				     struct genl_info *info)
13021 {
13022 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13023 	struct wireless_dev *wdev = info->user_ptr[1];
13024 	struct cfg80211_nan_conf conf = {};
13025 	u32 changed = 0;
13026 
13027 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13028 		return -EOPNOTSUPP;
13029 
13030 	if (!wdev_running(wdev))
13031 		return -ENOTCONN;
13032 
13033 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13034 		conf.master_pref =
13035 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13036 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13037 			return -EINVAL;
13038 
13039 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13040 	}
13041 
13042 	if (info->attrs[NL80211_ATTR_BANDS]) {
13043 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13044 
13045 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13046 			return -EOPNOTSUPP;
13047 
13048 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13049 			return -EINVAL;
13050 
13051 		conf.bands = bands;
13052 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13053 	}
13054 
13055 	if (!changed)
13056 		return -EINVAL;
13057 
13058 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13059 }
13060 
13061 void cfg80211_nan_match(struct wireless_dev *wdev,
13062 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13063 {
13064 	struct wiphy *wiphy = wdev->wiphy;
13065 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13066 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13067 	struct sk_buff *msg;
13068 	void *hdr;
13069 
13070 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13071 		return;
13072 
13073 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13074 	if (!msg)
13075 		return;
13076 
13077 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13078 	if (!hdr) {
13079 		nlmsg_free(msg);
13080 		return;
13081 	}
13082 
13083 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13084 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13085 					 wdev->netdev->ifindex)) ||
13086 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13087 			      NL80211_ATTR_PAD))
13088 		goto nla_put_failure;
13089 
13090 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13091 			      NL80211_ATTR_PAD) ||
13092 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13093 		goto nla_put_failure;
13094 
13095 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13096 	if (!match_attr)
13097 		goto nla_put_failure;
13098 
13099 	local_func_attr = nla_nest_start_noflag(msg,
13100 						NL80211_NAN_MATCH_FUNC_LOCAL);
13101 	if (!local_func_attr)
13102 		goto nla_put_failure;
13103 
13104 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13105 		goto nla_put_failure;
13106 
13107 	nla_nest_end(msg, local_func_attr);
13108 
13109 	peer_func_attr = nla_nest_start_noflag(msg,
13110 					       NL80211_NAN_MATCH_FUNC_PEER);
13111 	if (!peer_func_attr)
13112 		goto nla_put_failure;
13113 
13114 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13115 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13116 		goto nla_put_failure;
13117 
13118 	if (match->info && match->info_len &&
13119 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13120 		    match->info))
13121 		goto nla_put_failure;
13122 
13123 	nla_nest_end(msg, peer_func_attr);
13124 	nla_nest_end(msg, match_attr);
13125 	genlmsg_end(msg, hdr);
13126 
13127 	if (!wdev->owner_nlportid)
13128 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13129 					msg, 0, NL80211_MCGRP_NAN, gfp);
13130 	else
13131 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13132 				wdev->owner_nlportid);
13133 
13134 	return;
13135 
13136 nla_put_failure:
13137 	nlmsg_free(msg);
13138 }
13139 EXPORT_SYMBOL(cfg80211_nan_match);
13140 
13141 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13142 				  u8 inst_id,
13143 				  enum nl80211_nan_func_term_reason reason,
13144 				  u64 cookie, gfp_t gfp)
13145 {
13146 	struct wiphy *wiphy = wdev->wiphy;
13147 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13148 	struct sk_buff *msg;
13149 	struct nlattr *func_attr;
13150 	void *hdr;
13151 
13152 	if (WARN_ON(!inst_id))
13153 		return;
13154 
13155 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13156 	if (!msg)
13157 		return;
13158 
13159 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13160 	if (!hdr) {
13161 		nlmsg_free(msg);
13162 		return;
13163 	}
13164 
13165 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13166 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13167 					 wdev->netdev->ifindex)) ||
13168 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13169 			      NL80211_ATTR_PAD))
13170 		goto nla_put_failure;
13171 
13172 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13173 			      NL80211_ATTR_PAD))
13174 		goto nla_put_failure;
13175 
13176 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13177 	if (!func_attr)
13178 		goto nla_put_failure;
13179 
13180 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13181 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13182 		goto nla_put_failure;
13183 
13184 	nla_nest_end(msg, func_attr);
13185 	genlmsg_end(msg, hdr);
13186 
13187 	if (!wdev->owner_nlportid)
13188 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13189 					msg, 0, NL80211_MCGRP_NAN, gfp);
13190 	else
13191 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13192 				wdev->owner_nlportid);
13193 
13194 	return;
13195 
13196 nla_put_failure:
13197 	nlmsg_free(msg);
13198 }
13199 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13200 
13201 static int nl80211_get_protocol_features(struct sk_buff *skb,
13202 					 struct genl_info *info)
13203 {
13204 	void *hdr;
13205 	struct sk_buff *msg;
13206 
13207 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13208 	if (!msg)
13209 		return -ENOMEM;
13210 
13211 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13212 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13213 	if (!hdr)
13214 		goto nla_put_failure;
13215 
13216 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13217 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13218 		goto nla_put_failure;
13219 
13220 	genlmsg_end(msg, hdr);
13221 	return genlmsg_reply(msg, info);
13222 
13223  nla_put_failure:
13224 	kfree_skb(msg);
13225 	return -ENOBUFS;
13226 }
13227 
13228 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13229 {
13230 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13231 	struct cfg80211_update_ft_ies_params ft_params;
13232 	struct net_device *dev = info->user_ptr[1];
13233 
13234 	if (!rdev->ops->update_ft_ies)
13235 		return -EOPNOTSUPP;
13236 
13237 	if (!info->attrs[NL80211_ATTR_MDID] ||
13238 	    !info->attrs[NL80211_ATTR_IE])
13239 		return -EINVAL;
13240 
13241 	memset(&ft_params, 0, sizeof(ft_params));
13242 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13243 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13244 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13245 
13246 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13247 }
13248 
13249 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13250 				       struct genl_info *info)
13251 {
13252 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13253 	struct wireless_dev *wdev = info->user_ptr[1];
13254 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13255 	u16 duration;
13256 	int ret;
13257 
13258 	if (!rdev->ops->crit_proto_start)
13259 		return -EOPNOTSUPP;
13260 
13261 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13262 		return -EINVAL;
13263 
13264 	if (rdev->crit_proto_nlportid)
13265 		return -EBUSY;
13266 
13267 	/* determine protocol if provided */
13268 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13269 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13270 
13271 	if (proto >= NUM_NL80211_CRIT_PROTO)
13272 		return -EINVAL;
13273 
13274 	/* timeout must be provided */
13275 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13276 		return -EINVAL;
13277 
13278 	duration =
13279 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13280 
13281 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13282 	if (!ret)
13283 		rdev->crit_proto_nlportid = info->snd_portid;
13284 
13285 	return ret;
13286 }
13287 
13288 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13289 				      struct genl_info *info)
13290 {
13291 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13292 	struct wireless_dev *wdev = info->user_ptr[1];
13293 
13294 	if (!rdev->ops->crit_proto_stop)
13295 		return -EOPNOTSUPP;
13296 
13297 	if (rdev->crit_proto_nlportid) {
13298 		rdev->crit_proto_nlportid = 0;
13299 		rdev_crit_proto_stop(rdev, wdev);
13300 	}
13301 	return 0;
13302 }
13303 
13304 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13305 				       struct nlattr *attr,
13306 				       struct netlink_ext_ack *extack)
13307 {
13308 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13309 		if (attr->nla_type & NLA_F_NESTED) {
13310 			NL_SET_ERR_MSG_ATTR(extack, attr,
13311 					    "unexpected nested data");
13312 			return -EINVAL;
13313 		}
13314 
13315 		return 0;
13316 	}
13317 
13318 	if (!(attr->nla_type & NLA_F_NESTED)) {
13319 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13320 		return -EINVAL;
13321 	}
13322 
13323 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13324 }
13325 
13326 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13327 {
13328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13329 	struct wireless_dev *wdev =
13330 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
13331 	int i, err;
13332 	u32 vid, subcmd;
13333 
13334 	if (!rdev->wiphy.vendor_commands)
13335 		return -EOPNOTSUPP;
13336 
13337 	if (IS_ERR(wdev)) {
13338 		err = PTR_ERR(wdev);
13339 		if (err != -EINVAL)
13340 			return err;
13341 		wdev = NULL;
13342 	} else if (wdev->wiphy != &rdev->wiphy) {
13343 		return -EINVAL;
13344 	}
13345 
13346 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13347 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13348 		return -EINVAL;
13349 
13350 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13351 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13352 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13353 		const struct wiphy_vendor_command *vcmd;
13354 		void *data = NULL;
13355 		int len = 0;
13356 
13357 		vcmd = &rdev->wiphy.vendor_commands[i];
13358 
13359 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13360 			continue;
13361 
13362 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13363 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13364 			if (!wdev)
13365 				return -EINVAL;
13366 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13367 			    !wdev->netdev)
13368 				return -EINVAL;
13369 
13370 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13371 				if (!wdev_running(wdev))
13372 					return -ENETDOWN;
13373 			}
13374 		} else {
13375 			wdev = NULL;
13376 		}
13377 
13378 		if (!vcmd->doit)
13379 			return -EOPNOTSUPP;
13380 
13381 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13382 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13383 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13384 
13385 			err = nl80211_vendor_check_policy(vcmd,
13386 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13387 					info->extack);
13388 			if (err)
13389 				return err;
13390 		}
13391 
13392 		rdev->cur_cmd_info = info;
13393 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13394 		rdev->cur_cmd_info = NULL;
13395 		return err;
13396 	}
13397 
13398 	return -EOPNOTSUPP;
13399 }
13400 
13401 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13402 				       struct netlink_callback *cb,
13403 				       struct cfg80211_registered_device **rdev,
13404 				       struct wireless_dev **wdev)
13405 {
13406 	struct nlattr **attrbuf;
13407 	u32 vid, subcmd;
13408 	unsigned int i;
13409 	int vcmd_idx = -1;
13410 	int err;
13411 	void *data = NULL;
13412 	unsigned int data_len = 0;
13413 
13414 	if (cb->args[0]) {
13415 		/* subtract the 1 again here */
13416 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13417 		struct wireless_dev *tmp;
13418 
13419 		if (!wiphy)
13420 			return -ENODEV;
13421 		*rdev = wiphy_to_rdev(wiphy);
13422 		*wdev = NULL;
13423 
13424 		if (cb->args[1]) {
13425 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13426 				if (tmp->identifier == cb->args[1] - 1) {
13427 					*wdev = tmp;
13428 					break;
13429 				}
13430 			}
13431 		}
13432 
13433 		/* keep rtnl locked in successful case */
13434 		return 0;
13435 	}
13436 
13437 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13438 	if (!attrbuf)
13439 		return -ENOMEM;
13440 
13441 	err = nlmsg_parse_deprecated(cb->nlh,
13442 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13443 				     attrbuf, nl80211_fam.maxattr,
13444 				     nl80211_policy, NULL);
13445 	if (err)
13446 		goto out;
13447 
13448 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13449 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13450 		err = -EINVAL;
13451 		goto out;
13452 	}
13453 
13454 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
13455 	if (IS_ERR(*wdev))
13456 		*wdev = NULL;
13457 
13458 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13459 	if (IS_ERR(*rdev)) {
13460 		err = PTR_ERR(*rdev);
13461 		goto out;
13462 	}
13463 
13464 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13465 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13466 
13467 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13468 		const struct wiphy_vendor_command *vcmd;
13469 
13470 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13471 
13472 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13473 			continue;
13474 
13475 		if (!vcmd->dumpit) {
13476 			err = -EOPNOTSUPP;
13477 			goto out;
13478 		}
13479 
13480 		vcmd_idx = i;
13481 		break;
13482 	}
13483 
13484 	if (vcmd_idx < 0) {
13485 		err = -EOPNOTSUPP;
13486 		goto out;
13487 	}
13488 
13489 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13490 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13491 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13492 
13493 		err = nl80211_vendor_check_policy(
13494 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13495 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13496 				cb->extack);
13497 		if (err)
13498 			goto out;
13499 	}
13500 
13501 	/* 0 is the first index - add 1 to parse only once */
13502 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13503 	/* add 1 to know if it was NULL */
13504 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13505 	cb->args[2] = vcmd_idx;
13506 	cb->args[3] = (unsigned long)data;
13507 	cb->args[4] = data_len;
13508 
13509 	/* keep rtnl locked in successful case */
13510 	err = 0;
13511 out:
13512 	kfree(attrbuf);
13513 	return err;
13514 }
13515 
13516 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13517 				   struct netlink_callback *cb)
13518 {
13519 	struct cfg80211_registered_device *rdev;
13520 	struct wireless_dev *wdev;
13521 	unsigned int vcmd_idx;
13522 	const struct wiphy_vendor_command *vcmd;
13523 	void *data;
13524 	int data_len;
13525 	int err;
13526 	struct nlattr *vendor_data;
13527 
13528 	rtnl_lock();
13529 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13530 	if (err)
13531 		goto out;
13532 
13533 	vcmd_idx = cb->args[2];
13534 	data = (void *)cb->args[3];
13535 	data_len = cb->args[4];
13536 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13537 
13538 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13539 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13540 		if (!wdev) {
13541 			err = -EINVAL;
13542 			goto out;
13543 		}
13544 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13545 		    !wdev->netdev) {
13546 			err = -EINVAL;
13547 			goto out;
13548 		}
13549 
13550 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13551 			if (!wdev_running(wdev)) {
13552 				err = -ENETDOWN;
13553 				goto out;
13554 			}
13555 		}
13556 	}
13557 
13558 	while (1) {
13559 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13560 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13561 					   NL80211_CMD_VENDOR);
13562 		if (!hdr)
13563 			break;
13564 
13565 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13566 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13567 					       wdev_id(wdev),
13568 					       NL80211_ATTR_PAD))) {
13569 			genlmsg_cancel(skb, hdr);
13570 			break;
13571 		}
13572 
13573 		vendor_data = nla_nest_start_noflag(skb,
13574 						    NL80211_ATTR_VENDOR_DATA);
13575 		if (!vendor_data) {
13576 			genlmsg_cancel(skb, hdr);
13577 			break;
13578 		}
13579 
13580 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13581 				   (unsigned long *)&cb->args[5]);
13582 		nla_nest_end(skb, vendor_data);
13583 
13584 		if (err == -ENOBUFS || err == -ENOENT) {
13585 			genlmsg_cancel(skb, hdr);
13586 			break;
13587 		} else if (err <= 0) {
13588 			genlmsg_cancel(skb, hdr);
13589 			goto out;
13590 		}
13591 
13592 		genlmsg_end(skb, hdr);
13593 	}
13594 
13595 	err = skb->len;
13596  out:
13597 	rtnl_unlock();
13598 	return err;
13599 }
13600 
13601 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13602 					   enum nl80211_commands cmd,
13603 					   enum nl80211_attrs attr,
13604 					   int approxlen)
13605 {
13606 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13607 
13608 	if (WARN_ON(!rdev->cur_cmd_info))
13609 		return NULL;
13610 
13611 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13612 					   rdev->cur_cmd_info->snd_portid,
13613 					   rdev->cur_cmd_info->snd_seq,
13614 					   cmd, attr, NULL, GFP_KERNEL);
13615 }
13616 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13617 
13618 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13619 {
13620 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13621 	void *hdr = ((void **)skb->cb)[1];
13622 	struct nlattr *data = ((void **)skb->cb)[2];
13623 
13624 	/* clear CB data for netlink core to own from now on */
13625 	memset(skb->cb, 0, sizeof(skb->cb));
13626 
13627 	if (WARN_ON(!rdev->cur_cmd_info)) {
13628 		kfree_skb(skb);
13629 		return -EINVAL;
13630 	}
13631 
13632 	nla_nest_end(skb, data);
13633 	genlmsg_end(skb, hdr);
13634 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13635 }
13636 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13637 
13638 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13639 {
13640 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13641 
13642 	if (WARN_ON(!rdev->cur_cmd_info))
13643 		return 0;
13644 
13645 	return rdev->cur_cmd_info->snd_portid;
13646 }
13647 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13648 
13649 static int nl80211_set_qos_map(struct sk_buff *skb,
13650 			       struct genl_info *info)
13651 {
13652 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13653 	struct cfg80211_qos_map *qos_map = NULL;
13654 	struct net_device *dev = info->user_ptr[1];
13655 	u8 *pos, len, num_des, des_len, des;
13656 	int ret;
13657 
13658 	if (!rdev->ops->set_qos_map)
13659 		return -EOPNOTSUPP;
13660 
13661 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13662 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13663 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13664 
13665 		if (len % 2)
13666 			return -EINVAL;
13667 
13668 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13669 		if (!qos_map)
13670 			return -ENOMEM;
13671 
13672 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13673 		if (num_des) {
13674 			des_len = num_des *
13675 				sizeof(struct cfg80211_dscp_exception);
13676 			memcpy(qos_map->dscp_exception, pos, des_len);
13677 			qos_map->num_des = num_des;
13678 			for (des = 0; des < num_des; des++) {
13679 				if (qos_map->dscp_exception[des].up > 7) {
13680 					kfree(qos_map);
13681 					return -EINVAL;
13682 				}
13683 			}
13684 			pos += des_len;
13685 		}
13686 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13687 	}
13688 
13689 	wdev_lock(dev->ieee80211_ptr);
13690 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13691 	if (!ret)
13692 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13693 	wdev_unlock(dev->ieee80211_ptr);
13694 
13695 	kfree(qos_map);
13696 	return ret;
13697 }
13698 
13699 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13700 {
13701 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13702 	struct net_device *dev = info->user_ptr[1];
13703 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13704 	const u8 *peer;
13705 	u8 tsid, up;
13706 	u16 admitted_time = 0;
13707 	int err;
13708 
13709 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13710 		return -EOPNOTSUPP;
13711 
13712 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13713 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13714 		return -EINVAL;
13715 
13716 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13717 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13718 
13719 	/* WMM uses TIDs 0-7 even for TSPEC */
13720 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13721 		/* TODO: handle 802.11 TSPEC/admission control
13722 		 * need more attributes for that (e.g. BA session requirement);
13723 		 * change the WMM adminssion test above to allow both then
13724 		 */
13725 		return -EINVAL;
13726 	}
13727 
13728 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13729 
13730 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13731 		admitted_time =
13732 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13733 		if (!admitted_time)
13734 			return -EINVAL;
13735 	}
13736 
13737 	wdev_lock(wdev);
13738 	switch (wdev->iftype) {
13739 	case NL80211_IFTYPE_STATION:
13740 	case NL80211_IFTYPE_P2P_CLIENT:
13741 		if (wdev->current_bss)
13742 			break;
13743 		err = -ENOTCONN;
13744 		goto out;
13745 	default:
13746 		err = -EOPNOTSUPP;
13747 		goto out;
13748 	}
13749 
13750 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13751 
13752  out:
13753 	wdev_unlock(wdev);
13754 	return err;
13755 }
13756 
13757 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13758 {
13759 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13760 	struct net_device *dev = info->user_ptr[1];
13761 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13762 	const u8 *peer;
13763 	u8 tsid;
13764 	int err;
13765 
13766 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13767 		return -EINVAL;
13768 
13769 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13770 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13771 
13772 	wdev_lock(wdev);
13773 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13774 	wdev_unlock(wdev);
13775 
13776 	return err;
13777 }
13778 
13779 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13780 				       struct genl_info *info)
13781 {
13782 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13783 	struct net_device *dev = info->user_ptr[1];
13784 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13785 	struct cfg80211_chan_def chandef = {};
13786 	const u8 *addr;
13787 	u8 oper_class;
13788 	int err;
13789 
13790 	if (!rdev->ops->tdls_channel_switch ||
13791 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13792 		return -EOPNOTSUPP;
13793 
13794 	switch (dev->ieee80211_ptr->iftype) {
13795 	case NL80211_IFTYPE_STATION:
13796 	case NL80211_IFTYPE_P2P_CLIENT:
13797 		break;
13798 	default:
13799 		return -EOPNOTSUPP;
13800 	}
13801 
13802 	if (!info->attrs[NL80211_ATTR_MAC] ||
13803 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13804 		return -EINVAL;
13805 
13806 	err = nl80211_parse_chandef(rdev, info, &chandef);
13807 	if (err)
13808 		return err;
13809 
13810 	/*
13811 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13812 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13813 	 * specification is not defined for them.
13814 	 */
13815 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13816 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13817 	    chandef.width != NL80211_CHAN_WIDTH_20)
13818 		return -EINVAL;
13819 
13820 	/* we will be active on the TDLS link */
13821 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13822 					   wdev->iftype))
13823 		return -EINVAL;
13824 
13825 	/* don't allow switching to DFS channels */
13826 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13827 		return -EINVAL;
13828 
13829 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13830 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13831 
13832 	wdev_lock(wdev);
13833 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13834 	wdev_unlock(wdev);
13835 
13836 	return err;
13837 }
13838 
13839 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13840 					      struct genl_info *info)
13841 {
13842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13843 	struct net_device *dev = info->user_ptr[1];
13844 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13845 	const u8 *addr;
13846 
13847 	if (!rdev->ops->tdls_channel_switch ||
13848 	    !rdev->ops->tdls_cancel_channel_switch ||
13849 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13850 		return -EOPNOTSUPP;
13851 
13852 	switch (dev->ieee80211_ptr->iftype) {
13853 	case NL80211_IFTYPE_STATION:
13854 	case NL80211_IFTYPE_P2P_CLIENT:
13855 		break;
13856 	default:
13857 		return -EOPNOTSUPP;
13858 	}
13859 
13860 	if (!info->attrs[NL80211_ATTR_MAC])
13861 		return -EINVAL;
13862 
13863 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13864 
13865 	wdev_lock(wdev);
13866 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13867 	wdev_unlock(wdev);
13868 
13869 	return 0;
13870 }
13871 
13872 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13873 					    struct genl_info *info)
13874 {
13875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13876 	struct net_device *dev = info->user_ptr[1];
13877 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13878 	const struct nlattr *nla;
13879 	bool enabled;
13880 
13881 	if (!rdev->ops->set_multicast_to_unicast)
13882 		return -EOPNOTSUPP;
13883 
13884 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13885 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13886 		return -EOPNOTSUPP;
13887 
13888 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13889 	enabled = nla_get_flag(nla);
13890 
13891 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13892 }
13893 
13894 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13895 {
13896 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13897 	struct net_device *dev = info->user_ptr[1];
13898 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13899 	struct cfg80211_pmk_conf pmk_conf = {};
13900 	int ret;
13901 
13902 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13903 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13904 		return -EOPNOTSUPP;
13905 
13906 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13907 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13908 		return -EOPNOTSUPP;
13909 
13910 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13911 		return -EINVAL;
13912 
13913 	wdev_lock(wdev);
13914 	if (!wdev->current_bss) {
13915 		ret = -ENOTCONN;
13916 		goto out;
13917 	}
13918 
13919 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13920 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13921 		ret = -EINVAL;
13922 		goto out;
13923 	}
13924 
13925 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13926 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13927 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13928 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13929 		ret = -EINVAL;
13930 		goto out;
13931 	}
13932 
13933 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
13934 		pmk_conf.pmk_r0_name =
13935 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13936 
13937 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13938 out:
13939 	wdev_unlock(wdev);
13940 	return ret;
13941 }
13942 
13943 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13944 {
13945 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13946 	struct net_device *dev = info->user_ptr[1];
13947 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13948 	const u8 *aa;
13949 	int ret;
13950 
13951 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13952 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13953 		return -EOPNOTSUPP;
13954 
13955 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13956 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13957 		return -EOPNOTSUPP;
13958 
13959 	if (!info->attrs[NL80211_ATTR_MAC])
13960 		return -EINVAL;
13961 
13962 	wdev_lock(wdev);
13963 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13964 	ret = rdev_del_pmk(rdev, dev, aa);
13965 	wdev_unlock(wdev);
13966 
13967 	return ret;
13968 }
13969 
13970 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13971 {
13972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13973 	struct net_device *dev = info->user_ptr[1];
13974 	struct cfg80211_external_auth_params params;
13975 
13976 	if (!rdev->ops->external_auth)
13977 		return -EOPNOTSUPP;
13978 
13979 	if (!info->attrs[NL80211_ATTR_SSID] &&
13980 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13981 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13982 		return -EINVAL;
13983 
13984 	if (!info->attrs[NL80211_ATTR_BSSID])
13985 		return -EINVAL;
13986 
13987 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13988 		return -EINVAL;
13989 
13990 	memset(&params, 0, sizeof(params));
13991 
13992 	if (info->attrs[NL80211_ATTR_SSID]) {
13993 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13994 		if (params.ssid.ssid_len == 0)
13995 			return -EINVAL;
13996 		memcpy(params.ssid.ssid,
13997 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13998 		       params.ssid.ssid_len);
13999 	}
14000 
14001 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14002 	       ETH_ALEN);
14003 
14004 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14005 
14006 	if (info->attrs[NL80211_ATTR_PMKID])
14007 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14008 
14009 	return rdev_external_auth(rdev, dev, &params);
14010 }
14011 
14012 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14013 {
14014 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14015 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14016 	struct net_device *dev = info->user_ptr[1];
14017 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14018 	const u8 *buf;
14019 	size_t len;
14020 	u8 *dest;
14021 	u16 proto;
14022 	bool noencrypt;
14023 	u64 cookie = 0;
14024 	int err;
14025 
14026 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14027 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14028 		return -EOPNOTSUPP;
14029 
14030 	if (!rdev->ops->tx_control_port)
14031 		return -EOPNOTSUPP;
14032 
14033 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14034 	    !info->attrs[NL80211_ATTR_MAC] ||
14035 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14036 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14037 		return -EINVAL;
14038 	}
14039 
14040 	wdev_lock(wdev);
14041 
14042 	switch (wdev->iftype) {
14043 	case NL80211_IFTYPE_AP:
14044 	case NL80211_IFTYPE_P2P_GO:
14045 	case NL80211_IFTYPE_MESH_POINT:
14046 		break;
14047 	case NL80211_IFTYPE_ADHOC:
14048 	case NL80211_IFTYPE_STATION:
14049 	case NL80211_IFTYPE_P2P_CLIENT:
14050 		if (wdev->current_bss)
14051 			break;
14052 		err = -ENOTCONN;
14053 		goto out;
14054 	default:
14055 		err = -EOPNOTSUPP;
14056 		goto out;
14057 	}
14058 
14059 	wdev_unlock(wdev);
14060 
14061 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14062 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14063 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14064 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14065 	noencrypt =
14066 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14067 
14068 	err = rdev_tx_control_port(rdev, dev, buf, len,
14069 				   dest, cpu_to_be16(proto), noencrypt,
14070 				   dont_wait_for_ack ? NULL : &cookie);
14071 	if (!err && !dont_wait_for_ack)
14072 		nl_set_extack_cookie_u64(info->extack, cookie);
14073 	return err;
14074  out:
14075 	wdev_unlock(wdev);
14076 	return err;
14077 }
14078 
14079 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14080 					   struct genl_info *info)
14081 {
14082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14083 	struct net_device *dev = info->user_ptr[1];
14084 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14085 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14086 	struct sk_buff *msg;
14087 	void *hdr;
14088 	struct nlattr *ftm_stats_attr;
14089 	int err;
14090 
14091 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14092 		return -EOPNOTSUPP;
14093 
14094 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14095 	if (err)
14096 		return err;
14097 
14098 	if (!ftm_stats.filled)
14099 		return -ENODATA;
14100 
14101 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14102 	if (!msg)
14103 		return -ENOMEM;
14104 
14105 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14106 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14107 	if (!hdr)
14108 		goto nla_put_failure;
14109 
14110 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14111 		goto nla_put_failure;
14112 
14113 	ftm_stats_attr = nla_nest_start_noflag(msg,
14114 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14115 	if (!ftm_stats_attr)
14116 		goto nla_put_failure;
14117 
14118 #define SET_FTM(field, name, type)					 \
14119 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14120 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14121 			     ftm_stats.field))				 \
14122 		goto nla_put_failure; } while (0)
14123 #define SET_FTM_U64(field, name)					 \
14124 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14125 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14126 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14127 		goto nla_put_failure; } while (0)
14128 
14129 	SET_FTM(success_num, SUCCESS_NUM, u32);
14130 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14131 	SET_FTM(failed_num, FAILED_NUM, u32);
14132 	SET_FTM(asap_num, ASAP_NUM, u32);
14133 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14134 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14135 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14136 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14137 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14138 #undef SET_FTM
14139 
14140 	nla_nest_end(msg, ftm_stats_attr);
14141 
14142 	genlmsg_end(msg, hdr);
14143 	return genlmsg_reply(msg, info);
14144 
14145 nla_put_failure:
14146 	nlmsg_free(msg);
14147 	return -ENOBUFS;
14148 }
14149 
14150 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14151 {
14152 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14153 	struct cfg80211_update_owe_info owe_info;
14154 	struct net_device *dev = info->user_ptr[1];
14155 
14156 	if (!rdev->ops->update_owe_info)
14157 		return -EOPNOTSUPP;
14158 
14159 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14160 	    !info->attrs[NL80211_ATTR_MAC])
14161 		return -EINVAL;
14162 
14163 	memset(&owe_info, 0, sizeof(owe_info));
14164 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14165 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14166 
14167 	if (info->attrs[NL80211_ATTR_IE]) {
14168 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14169 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14170 	}
14171 
14172 	return rdev_update_owe_info(rdev, dev, &owe_info);
14173 }
14174 
14175 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14176 {
14177 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14178 	struct net_device *dev = info->user_ptr[1];
14179 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14180 	struct station_info sinfo = {};
14181 	const u8 *buf;
14182 	size_t len;
14183 	u8 *dest;
14184 	int err;
14185 
14186 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14187 		return -EOPNOTSUPP;
14188 
14189 	if (!info->attrs[NL80211_ATTR_MAC] ||
14190 	    !info->attrs[NL80211_ATTR_FRAME]) {
14191 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14192 		return -EINVAL;
14193 	}
14194 
14195 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14196 		return -EOPNOTSUPP;
14197 
14198 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14199 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14200 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14201 
14202 	if (len < sizeof(struct ethhdr))
14203 		return -EINVAL;
14204 
14205 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14206 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14207 		return -EINVAL;
14208 
14209 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14210 	if (err)
14211 		return err;
14212 
14213 	cfg80211_sinfo_release_content(&sinfo);
14214 
14215 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14216 }
14217 
14218 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14219 			  struct nlattr *attrs[], struct net_device *dev,
14220 			  struct cfg80211_tid_cfg *tid_conf,
14221 			  struct genl_info *info, const u8 *peer)
14222 {
14223 	struct netlink_ext_ack *extack = info->extack;
14224 	u64 mask;
14225 	int err;
14226 
14227 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14228 		return -EINVAL;
14229 
14230 	tid_conf->config_override =
14231 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14232 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14233 
14234 	if (tid_conf->config_override) {
14235 		if (rdev->ops->reset_tid_config) {
14236 			err = rdev_reset_tid_config(rdev, dev, peer,
14237 						    tid_conf->tids);
14238 			if (err)
14239 				return err;
14240 		} else {
14241 			return -EINVAL;
14242 		}
14243 	}
14244 
14245 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14246 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14247 		tid_conf->noack =
14248 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14249 	}
14250 
14251 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14252 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14253 		tid_conf->retry_short =
14254 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14255 
14256 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14257 			return -EINVAL;
14258 	}
14259 
14260 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14261 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14262 		tid_conf->retry_long =
14263 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14264 
14265 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14266 			return -EINVAL;
14267 	}
14268 
14269 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14270 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14271 		tid_conf->ampdu =
14272 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14273 	}
14274 
14275 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14276 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14277 		tid_conf->rtscts =
14278 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14279 	}
14280 
14281 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14282 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14283 		tid_conf->amsdu =
14284 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14285 	}
14286 
14287 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14288 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14289 
14290 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14291 
14292 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14293 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14294 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14295 						    &tid_conf->txrate_mask, dev);
14296 			if (err)
14297 				return err;
14298 
14299 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14300 		}
14301 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14302 	}
14303 
14304 	if (peer)
14305 		mask = rdev->wiphy.tid_config_support.peer;
14306 	else
14307 		mask = rdev->wiphy.tid_config_support.vif;
14308 
14309 	if (tid_conf->mask & ~mask) {
14310 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14311 		return -ENOTSUPP;
14312 	}
14313 
14314 	return 0;
14315 }
14316 
14317 static int nl80211_set_tid_config(struct sk_buff *skb,
14318 				  struct genl_info *info)
14319 {
14320 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14321 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14322 	struct net_device *dev = info->user_ptr[1];
14323 	struct cfg80211_tid_config *tid_config;
14324 	struct nlattr *tid;
14325 	int conf_idx = 0, rem_conf;
14326 	int ret = -EINVAL;
14327 	u32 num_conf = 0;
14328 
14329 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14330 		return -EINVAL;
14331 
14332 	if (!rdev->ops->set_tid_config)
14333 		return -EOPNOTSUPP;
14334 
14335 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14336 			    rem_conf)
14337 		num_conf++;
14338 
14339 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14340 			     GFP_KERNEL);
14341 	if (!tid_config)
14342 		return -ENOMEM;
14343 
14344 	tid_config->n_tid_conf = num_conf;
14345 
14346 	if (info->attrs[NL80211_ATTR_MAC])
14347 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14348 
14349 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14350 			    rem_conf) {
14351 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14352 				       tid, NULL, NULL);
14353 
14354 		if (ret)
14355 			goto bad_tid_conf;
14356 
14357 		ret = parse_tid_conf(rdev, attrs, dev,
14358 				     &tid_config->tid_conf[conf_idx],
14359 				     info, tid_config->peer);
14360 		if (ret)
14361 			goto bad_tid_conf;
14362 
14363 		conf_idx++;
14364 	}
14365 
14366 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14367 
14368 bad_tid_conf:
14369 	kfree(tid_config);
14370 	return ret;
14371 }
14372 
14373 #define NL80211_FLAG_NEED_WIPHY		0x01
14374 #define NL80211_FLAG_NEED_NETDEV	0x02
14375 #define NL80211_FLAG_NEED_RTNL		0x04
14376 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14377 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14378 					 NL80211_FLAG_CHECK_NETDEV_UP)
14379 #define NL80211_FLAG_NEED_WDEV		0x10
14380 /* If a netdev is associated, it must be UP, P2P must be started */
14381 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14382 					 NL80211_FLAG_CHECK_NETDEV_UP)
14383 #define NL80211_FLAG_CLEAR_SKB		0x20
14384 
14385 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14386 			    struct genl_info *info)
14387 {
14388 	struct cfg80211_registered_device *rdev;
14389 	struct wireless_dev *wdev;
14390 	struct net_device *dev;
14391 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
14392 
14393 	if (rtnl)
14394 		rtnl_lock();
14395 
14396 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14397 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14398 		if (IS_ERR(rdev)) {
14399 			if (rtnl)
14400 				rtnl_unlock();
14401 			return PTR_ERR(rdev);
14402 		}
14403 		info->user_ptr[0] = rdev;
14404 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14405 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14406 		ASSERT_RTNL();
14407 
14408 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
14409 						  info->attrs);
14410 		if (IS_ERR(wdev)) {
14411 			if (rtnl)
14412 				rtnl_unlock();
14413 			return PTR_ERR(wdev);
14414 		}
14415 
14416 		dev = wdev->netdev;
14417 		rdev = wiphy_to_rdev(wdev->wiphy);
14418 
14419 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14420 			if (!dev) {
14421 				if (rtnl)
14422 					rtnl_unlock();
14423 				return -EINVAL;
14424 			}
14425 
14426 			info->user_ptr[1] = dev;
14427 		} else {
14428 			info->user_ptr[1] = wdev;
14429 		}
14430 
14431 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14432 		    !wdev_running(wdev)) {
14433 			if (rtnl)
14434 				rtnl_unlock();
14435 			return -ENETDOWN;
14436 		}
14437 
14438 		if (dev)
14439 			dev_hold(dev);
14440 
14441 		info->user_ptr[0] = rdev;
14442 	}
14443 
14444 	return 0;
14445 }
14446 
14447 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14448 			      struct genl_info *info)
14449 {
14450 	if (info->user_ptr[1]) {
14451 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14452 			struct wireless_dev *wdev = info->user_ptr[1];
14453 
14454 			if (wdev->netdev)
14455 				dev_put(wdev->netdev);
14456 		} else {
14457 			dev_put(info->user_ptr[1]);
14458 		}
14459 	}
14460 
14461 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14462 		rtnl_unlock();
14463 
14464 	/* If needed, clear the netlink message payload from the SKB
14465 	 * as it might contain key data that shouldn't stick around on
14466 	 * the heap after the SKB is freed. The netlink message header
14467 	 * is still needed for further processing, so leave it intact.
14468 	 */
14469 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14470 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14471 
14472 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14473 	}
14474 }
14475 
14476 static const struct genl_ops nl80211_ops[] = {
14477 	{
14478 		.cmd = NL80211_CMD_GET_WIPHY,
14479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14480 		.doit = nl80211_get_wiphy,
14481 		.dumpit = nl80211_dump_wiphy,
14482 		.done = nl80211_dump_wiphy_done,
14483 		/* can be retrieved by unprivileged users */
14484 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14485 				  NL80211_FLAG_NEED_RTNL,
14486 	},
14487 	{
14488 		.cmd = NL80211_CMD_SET_WIPHY,
14489 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14490 		.doit = nl80211_set_wiphy,
14491 		.flags = GENL_UNS_ADMIN_PERM,
14492 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14493 	},
14494 	{
14495 		.cmd = NL80211_CMD_GET_INTERFACE,
14496 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14497 		.doit = nl80211_get_interface,
14498 		.dumpit = nl80211_dump_interface,
14499 		/* can be retrieved by unprivileged users */
14500 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14501 				  NL80211_FLAG_NEED_RTNL,
14502 	},
14503 	{
14504 		.cmd = NL80211_CMD_SET_INTERFACE,
14505 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14506 		.doit = nl80211_set_interface,
14507 		.flags = GENL_UNS_ADMIN_PERM,
14508 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14509 				  NL80211_FLAG_NEED_RTNL,
14510 	},
14511 	{
14512 		.cmd = NL80211_CMD_NEW_INTERFACE,
14513 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14514 		.doit = nl80211_new_interface,
14515 		.flags = GENL_UNS_ADMIN_PERM,
14516 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14517 				  NL80211_FLAG_NEED_RTNL,
14518 	},
14519 	{
14520 		.cmd = NL80211_CMD_DEL_INTERFACE,
14521 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14522 		.doit = nl80211_del_interface,
14523 		.flags = GENL_UNS_ADMIN_PERM,
14524 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14525 				  NL80211_FLAG_NEED_RTNL,
14526 	},
14527 	{
14528 		.cmd = NL80211_CMD_GET_KEY,
14529 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14530 		.doit = nl80211_get_key,
14531 		.flags = GENL_UNS_ADMIN_PERM,
14532 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14533 				  NL80211_FLAG_NEED_RTNL,
14534 	},
14535 	{
14536 		.cmd = NL80211_CMD_SET_KEY,
14537 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14538 		.doit = nl80211_set_key,
14539 		.flags = GENL_UNS_ADMIN_PERM,
14540 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14541 				  NL80211_FLAG_NEED_RTNL |
14542 				  NL80211_FLAG_CLEAR_SKB,
14543 	},
14544 	{
14545 		.cmd = NL80211_CMD_NEW_KEY,
14546 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14547 		.doit = nl80211_new_key,
14548 		.flags = GENL_UNS_ADMIN_PERM,
14549 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14550 				  NL80211_FLAG_NEED_RTNL |
14551 				  NL80211_FLAG_CLEAR_SKB,
14552 	},
14553 	{
14554 		.cmd = NL80211_CMD_DEL_KEY,
14555 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14556 		.doit = nl80211_del_key,
14557 		.flags = GENL_UNS_ADMIN_PERM,
14558 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14559 				  NL80211_FLAG_NEED_RTNL,
14560 	},
14561 	{
14562 		.cmd = NL80211_CMD_SET_BEACON,
14563 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14564 		.flags = GENL_UNS_ADMIN_PERM,
14565 		.doit = nl80211_set_beacon,
14566 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14567 				  NL80211_FLAG_NEED_RTNL,
14568 	},
14569 	{
14570 		.cmd = NL80211_CMD_START_AP,
14571 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14572 		.flags = GENL_UNS_ADMIN_PERM,
14573 		.doit = nl80211_start_ap,
14574 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14575 				  NL80211_FLAG_NEED_RTNL,
14576 	},
14577 	{
14578 		.cmd = NL80211_CMD_STOP_AP,
14579 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14580 		.flags = GENL_UNS_ADMIN_PERM,
14581 		.doit = nl80211_stop_ap,
14582 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14583 				  NL80211_FLAG_NEED_RTNL,
14584 	},
14585 	{
14586 		.cmd = NL80211_CMD_GET_STATION,
14587 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14588 		.doit = nl80211_get_station,
14589 		.dumpit = nl80211_dump_station,
14590 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14591 				  NL80211_FLAG_NEED_RTNL,
14592 	},
14593 	{
14594 		.cmd = NL80211_CMD_SET_STATION,
14595 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14596 		.doit = nl80211_set_station,
14597 		.flags = GENL_UNS_ADMIN_PERM,
14598 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14599 				  NL80211_FLAG_NEED_RTNL,
14600 	},
14601 	{
14602 		.cmd = NL80211_CMD_NEW_STATION,
14603 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14604 		.doit = nl80211_new_station,
14605 		.flags = GENL_UNS_ADMIN_PERM,
14606 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14607 				  NL80211_FLAG_NEED_RTNL,
14608 	},
14609 	{
14610 		.cmd = NL80211_CMD_DEL_STATION,
14611 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14612 		.doit = nl80211_del_station,
14613 		.flags = GENL_UNS_ADMIN_PERM,
14614 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14615 				  NL80211_FLAG_NEED_RTNL,
14616 	},
14617 	{
14618 		.cmd = NL80211_CMD_GET_MPATH,
14619 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14620 		.doit = nl80211_get_mpath,
14621 		.dumpit = nl80211_dump_mpath,
14622 		.flags = GENL_UNS_ADMIN_PERM,
14623 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14624 				  NL80211_FLAG_NEED_RTNL,
14625 	},
14626 	{
14627 		.cmd = NL80211_CMD_GET_MPP,
14628 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14629 		.doit = nl80211_get_mpp,
14630 		.dumpit = nl80211_dump_mpp,
14631 		.flags = GENL_UNS_ADMIN_PERM,
14632 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14633 				  NL80211_FLAG_NEED_RTNL,
14634 	},
14635 	{
14636 		.cmd = NL80211_CMD_SET_MPATH,
14637 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14638 		.doit = nl80211_set_mpath,
14639 		.flags = GENL_UNS_ADMIN_PERM,
14640 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14641 				  NL80211_FLAG_NEED_RTNL,
14642 	},
14643 	{
14644 		.cmd = NL80211_CMD_NEW_MPATH,
14645 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14646 		.doit = nl80211_new_mpath,
14647 		.flags = GENL_UNS_ADMIN_PERM,
14648 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14649 				  NL80211_FLAG_NEED_RTNL,
14650 	},
14651 	{
14652 		.cmd = NL80211_CMD_DEL_MPATH,
14653 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14654 		.doit = nl80211_del_mpath,
14655 		.flags = GENL_UNS_ADMIN_PERM,
14656 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14657 				  NL80211_FLAG_NEED_RTNL,
14658 	},
14659 	{
14660 		.cmd = NL80211_CMD_SET_BSS,
14661 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14662 		.doit = nl80211_set_bss,
14663 		.flags = GENL_UNS_ADMIN_PERM,
14664 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14665 				  NL80211_FLAG_NEED_RTNL,
14666 	},
14667 	{
14668 		.cmd = NL80211_CMD_GET_REG,
14669 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14670 		.doit = nl80211_get_reg_do,
14671 		.dumpit = nl80211_get_reg_dump,
14672 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14673 		/* can be retrieved by unprivileged users */
14674 	},
14675 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14676 	{
14677 		.cmd = NL80211_CMD_SET_REG,
14678 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14679 		.doit = nl80211_set_reg,
14680 		.flags = GENL_ADMIN_PERM,
14681 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14682 	},
14683 #endif
14684 	{
14685 		.cmd = NL80211_CMD_REQ_SET_REG,
14686 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14687 		.doit = nl80211_req_set_reg,
14688 		.flags = GENL_ADMIN_PERM,
14689 	},
14690 	{
14691 		.cmd = NL80211_CMD_RELOAD_REGDB,
14692 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14693 		.doit = nl80211_reload_regdb,
14694 		.flags = GENL_ADMIN_PERM,
14695 	},
14696 	{
14697 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14698 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14699 		.doit = nl80211_get_mesh_config,
14700 		/* can be retrieved by unprivileged users */
14701 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14702 				  NL80211_FLAG_NEED_RTNL,
14703 	},
14704 	{
14705 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14707 		.doit = nl80211_update_mesh_config,
14708 		.flags = GENL_UNS_ADMIN_PERM,
14709 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14710 				  NL80211_FLAG_NEED_RTNL,
14711 	},
14712 	{
14713 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14714 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14715 		.doit = nl80211_trigger_scan,
14716 		.flags = GENL_UNS_ADMIN_PERM,
14717 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14718 				  NL80211_FLAG_NEED_RTNL,
14719 	},
14720 	{
14721 		.cmd = NL80211_CMD_ABORT_SCAN,
14722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14723 		.doit = nl80211_abort_scan,
14724 		.flags = GENL_UNS_ADMIN_PERM,
14725 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14726 				  NL80211_FLAG_NEED_RTNL,
14727 	},
14728 	{
14729 		.cmd = NL80211_CMD_GET_SCAN,
14730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14731 		.dumpit = nl80211_dump_scan,
14732 	},
14733 	{
14734 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14736 		.doit = nl80211_start_sched_scan,
14737 		.flags = GENL_UNS_ADMIN_PERM,
14738 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14739 				  NL80211_FLAG_NEED_RTNL,
14740 	},
14741 	{
14742 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14744 		.doit = nl80211_stop_sched_scan,
14745 		.flags = GENL_UNS_ADMIN_PERM,
14746 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14747 				  NL80211_FLAG_NEED_RTNL,
14748 	},
14749 	{
14750 		.cmd = NL80211_CMD_AUTHENTICATE,
14751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14752 		.doit = nl80211_authenticate,
14753 		.flags = GENL_UNS_ADMIN_PERM,
14754 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14755 				  NL80211_FLAG_NEED_RTNL |
14756 				  NL80211_FLAG_CLEAR_SKB,
14757 	},
14758 	{
14759 		.cmd = NL80211_CMD_ASSOCIATE,
14760 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14761 		.doit = nl80211_associate,
14762 		.flags = GENL_UNS_ADMIN_PERM,
14763 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14764 				  NL80211_FLAG_NEED_RTNL |
14765 				  NL80211_FLAG_CLEAR_SKB,
14766 	},
14767 	{
14768 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14770 		.doit = nl80211_deauthenticate,
14771 		.flags = GENL_UNS_ADMIN_PERM,
14772 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14773 				  NL80211_FLAG_NEED_RTNL,
14774 	},
14775 	{
14776 		.cmd = NL80211_CMD_DISASSOCIATE,
14777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14778 		.doit = nl80211_disassociate,
14779 		.flags = GENL_UNS_ADMIN_PERM,
14780 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14781 				  NL80211_FLAG_NEED_RTNL,
14782 	},
14783 	{
14784 		.cmd = NL80211_CMD_JOIN_IBSS,
14785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14786 		.doit = nl80211_join_ibss,
14787 		.flags = GENL_UNS_ADMIN_PERM,
14788 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14789 				  NL80211_FLAG_NEED_RTNL,
14790 	},
14791 	{
14792 		.cmd = NL80211_CMD_LEAVE_IBSS,
14793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14794 		.doit = nl80211_leave_ibss,
14795 		.flags = GENL_UNS_ADMIN_PERM,
14796 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14797 				  NL80211_FLAG_NEED_RTNL,
14798 	},
14799 #ifdef CONFIG_NL80211_TESTMODE
14800 	{
14801 		.cmd = NL80211_CMD_TESTMODE,
14802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14803 		.doit = nl80211_testmode_do,
14804 		.dumpit = nl80211_testmode_dump,
14805 		.flags = GENL_UNS_ADMIN_PERM,
14806 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14807 				  NL80211_FLAG_NEED_RTNL,
14808 	},
14809 #endif
14810 	{
14811 		.cmd = NL80211_CMD_CONNECT,
14812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14813 		.doit = nl80211_connect,
14814 		.flags = GENL_UNS_ADMIN_PERM,
14815 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14816 				  NL80211_FLAG_NEED_RTNL |
14817 				  NL80211_FLAG_CLEAR_SKB,
14818 	},
14819 	{
14820 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
14821 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14822 		.doit = nl80211_update_connect_params,
14823 		.flags = GENL_ADMIN_PERM,
14824 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14825 				  NL80211_FLAG_NEED_RTNL |
14826 				  NL80211_FLAG_CLEAR_SKB,
14827 	},
14828 	{
14829 		.cmd = NL80211_CMD_DISCONNECT,
14830 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14831 		.doit = nl80211_disconnect,
14832 		.flags = GENL_UNS_ADMIN_PERM,
14833 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14834 				  NL80211_FLAG_NEED_RTNL,
14835 	},
14836 	{
14837 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
14838 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14839 		.doit = nl80211_wiphy_netns,
14840 		.flags = GENL_UNS_ADMIN_PERM,
14841 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14842 				  NL80211_FLAG_NEED_RTNL,
14843 	},
14844 	{
14845 		.cmd = NL80211_CMD_GET_SURVEY,
14846 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14847 		.dumpit = nl80211_dump_survey,
14848 	},
14849 	{
14850 		.cmd = NL80211_CMD_SET_PMKSA,
14851 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14852 		.doit = nl80211_setdel_pmksa,
14853 		.flags = GENL_UNS_ADMIN_PERM,
14854 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14855 				  NL80211_FLAG_NEED_RTNL |
14856 				  NL80211_FLAG_CLEAR_SKB,
14857 	},
14858 	{
14859 		.cmd = NL80211_CMD_DEL_PMKSA,
14860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14861 		.doit = nl80211_setdel_pmksa,
14862 		.flags = GENL_UNS_ADMIN_PERM,
14863 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14864 				  NL80211_FLAG_NEED_RTNL,
14865 	},
14866 	{
14867 		.cmd = NL80211_CMD_FLUSH_PMKSA,
14868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14869 		.doit = nl80211_flush_pmksa,
14870 		.flags = GENL_UNS_ADMIN_PERM,
14871 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14872 				  NL80211_FLAG_NEED_RTNL,
14873 	},
14874 	{
14875 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
14876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14877 		.doit = nl80211_remain_on_channel,
14878 		.flags = GENL_UNS_ADMIN_PERM,
14879 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14880 				  NL80211_FLAG_NEED_RTNL,
14881 	},
14882 	{
14883 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14884 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14885 		.doit = nl80211_cancel_remain_on_channel,
14886 		.flags = GENL_UNS_ADMIN_PERM,
14887 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14888 				  NL80211_FLAG_NEED_RTNL,
14889 	},
14890 	{
14891 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14892 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14893 		.doit = nl80211_set_tx_bitrate_mask,
14894 		.flags = GENL_UNS_ADMIN_PERM,
14895 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14896 				  NL80211_FLAG_NEED_RTNL,
14897 	},
14898 	{
14899 		.cmd = NL80211_CMD_REGISTER_FRAME,
14900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14901 		.doit = nl80211_register_mgmt,
14902 		.flags = GENL_UNS_ADMIN_PERM,
14903 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14904 				  NL80211_FLAG_NEED_RTNL,
14905 	},
14906 	{
14907 		.cmd = NL80211_CMD_FRAME,
14908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14909 		.doit = nl80211_tx_mgmt,
14910 		.flags = GENL_UNS_ADMIN_PERM,
14911 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14912 				  NL80211_FLAG_NEED_RTNL,
14913 	},
14914 	{
14915 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14917 		.doit = nl80211_tx_mgmt_cancel_wait,
14918 		.flags = GENL_UNS_ADMIN_PERM,
14919 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14920 				  NL80211_FLAG_NEED_RTNL,
14921 	},
14922 	{
14923 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14925 		.doit = nl80211_set_power_save,
14926 		.flags = GENL_UNS_ADMIN_PERM,
14927 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14928 				  NL80211_FLAG_NEED_RTNL,
14929 	},
14930 	{
14931 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14932 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14933 		.doit = nl80211_get_power_save,
14934 		/* can be retrieved by unprivileged users */
14935 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14936 				  NL80211_FLAG_NEED_RTNL,
14937 	},
14938 	{
14939 		.cmd = NL80211_CMD_SET_CQM,
14940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14941 		.doit = nl80211_set_cqm,
14942 		.flags = GENL_UNS_ADMIN_PERM,
14943 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14944 				  NL80211_FLAG_NEED_RTNL,
14945 	},
14946 	{
14947 		.cmd = NL80211_CMD_SET_CHANNEL,
14948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14949 		.doit = nl80211_set_channel,
14950 		.flags = GENL_UNS_ADMIN_PERM,
14951 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14952 				  NL80211_FLAG_NEED_RTNL,
14953 	},
14954 	{
14955 		.cmd = NL80211_CMD_SET_WDS_PEER,
14956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14957 		.doit = nl80211_set_wds_peer,
14958 		.flags = GENL_UNS_ADMIN_PERM,
14959 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14960 				  NL80211_FLAG_NEED_RTNL,
14961 	},
14962 	{
14963 		.cmd = NL80211_CMD_JOIN_MESH,
14964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14965 		.doit = nl80211_join_mesh,
14966 		.flags = GENL_UNS_ADMIN_PERM,
14967 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14968 				  NL80211_FLAG_NEED_RTNL,
14969 	},
14970 	{
14971 		.cmd = NL80211_CMD_LEAVE_MESH,
14972 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14973 		.doit = nl80211_leave_mesh,
14974 		.flags = GENL_UNS_ADMIN_PERM,
14975 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14976 				  NL80211_FLAG_NEED_RTNL,
14977 	},
14978 	{
14979 		.cmd = NL80211_CMD_JOIN_OCB,
14980 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14981 		.doit = nl80211_join_ocb,
14982 		.flags = GENL_UNS_ADMIN_PERM,
14983 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14984 				  NL80211_FLAG_NEED_RTNL,
14985 	},
14986 	{
14987 		.cmd = NL80211_CMD_LEAVE_OCB,
14988 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14989 		.doit = nl80211_leave_ocb,
14990 		.flags = GENL_UNS_ADMIN_PERM,
14991 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14992 				  NL80211_FLAG_NEED_RTNL,
14993 	},
14994 #ifdef CONFIG_PM
14995 	{
14996 		.cmd = NL80211_CMD_GET_WOWLAN,
14997 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14998 		.doit = nl80211_get_wowlan,
14999 		/* can be retrieved by unprivileged users */
15000 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15001 				  NL80211_FLAG_NEED_RTNL,
15002 	},
15003 	{
15004 		.cmd = NL80211_CMD_SET_WOWLAN,
15005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15006 		.doit = nl80211_set_wowlan,
15007 		.flags = GENL_UNS_ADMIN_PERM,
15008 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15009 				  NL80211_FLAG_NEED_RTNL,
15010 	},
15011 #endif
15012 	{
15013 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15014 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15015 		.doit = nl80211_set_rekey_data,
15016 		.flags = GENL_UNS_ADMIN_PERM,
15017 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15018 				  NL80211_FLAG_NEED_RTNL |
15019 				  NL80211_FLAG_CLEAR_SKB,
15020 	},
15021 	{
15022 		.cmd = NL80211_CMD_TDLS_MGMT,
15023 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15024 		.doit = nl80211_tdls_mgmt,
15025 		.flags = GENL_UNS_ADMIN_PERM,
15026 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15027 				  NL80211_FLAG_NEED_RTNL,
15028 	},
15029 	{
15030 		.cmd = NL80211_CMD_TDLS_OPER,
15031 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15032 		.doit = nl80211_tdls_oper,
15033 		.flags = GENL_UNS_ADMIN_PERM,
15034 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15035 				  NL80211_FLAG_NEED_RTNL,
15036 	},
15037 	{
15038 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15039 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15040 		.doit = nl80211_register_unexpected_frame,
15041 		.flags = GENL_UNS_ADMIN_PERM,
15042 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15043 				  NL80211_FLAG_NEED_RTNL,
15044 	},
15045 	{
15046 		.cmd = NL80211_CMD_PROBE_CLIENT,
15047 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15048 		.doit = nl80211_probe_client,
15049 		.flags = GENL_UNS_ADMIN_PERM,
15050 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15051 				  NL80211_FLAG_NEED_RTNL,
15052 	},
15053 	{
15054 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15055 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15056 		.doit = nl80211_register_beacons,
15057 		.flags = GENL_UNS_ADMIN_PERM,
15058 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15059 				  NL80211_FLAG_NEED_RTNL,
15060 	},
15061 	{
15062 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15063 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15064 		.doit = nl80211_set_noack_map,
15065 		.flags = GENL_UNS_ADMIN_PERM,
15066 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15067 				  NL80211_FLAG_NEED_RTNL,
15068 	},
15069 	{
15070 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15071 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15072 		.doit = nl80211_start_p2p_device,
15073 		.flags = GENL_UNS_ADMIN_PERM,
15074 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15075 				  NL80211_FLAG_NEED_RTNL,
15076 	},
15077 	{
15078 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15080 		.doit = nl80211_stop_p2p_device,
15081 		.flags = GENL_UNS_ADMIN_PERM,
15082 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15083 				  NL80211_FLAG_NEED_RTNL,
15084 	},
15085 	{
15086 		.cmd = NL80211_CMD_START_NAN,
15087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15088 		.doit = nl80211_start_nan,
15089 		.flags = GENL_ADMIN_PERM,
15090 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15091 				  NL80211_FLAG_NEED_RTNL,
15092 	},
15093 	{
15094 		.cmd = NL80211_CMD_STOP_NAN,
15095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15096 		.doit = nl80211_stop_nan,
15097 		.flags = GENL_ADMIN_PERM,
15098 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15099 				  NL80211_FLAG_NEED_RTNL,
15100 	},
15101 	{
15102 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15103 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15104 		.doit = nl80211_nan_add_func,
15105 		.flags = GENL_ADMIN_PERM,
15106 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15107 				  NL80211_FLAG_NEED_RTNL,
15108 	},
15109 	{
15110 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15111 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15112 		.doit = nl80211_nan_del_func,
15113 		.flags = GENL_ADMIN_PERM,
15114 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15115 				  NL80211_FLAG_NEED_RTNL,
15116 	},
15117 	{
15118 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15119 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15120 		.doit = nl80211_nan_change_config,
15121 		.flags = GENL_ADMIN_PERM,
15122 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15123 				  NL80211_FLAG_NEED_RTNL,
15124 	},
15125 	{
15126 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15127 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15128 		.doit = nl80211_set_mcast_rate,
15129 		.flags = GENL_UNS_ADMIN_PERM,
15130 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15131 				  NL80211_FLAG_NEED_RTNL,
15132 	},
15133 	{
15134 		.cmd = NL80211_CMD_SET_MAC_ACL,
15135 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15136 		.doit = nl80211_set_mac_acl,
15137 		.flags = GENL_UNS_ADMIN_PERM,
15138 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15139 				  NL80211_FLAG_NEED_RTNL,
15140 	},
15141 	{
15142 		.cmd = NL80211_CMD_RADAR_DETECT,
15143 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15144 		.doit = nl80211_start_radar_detection,
15145 		.flags = GENL_UNS_ADMIN_PERM,
15146 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15147 				  NL80211_FLAG_NEED_RTNL,
15148 	},
15149 	{
15150 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15152 		.doit = nl80211_get_protocol_features,
15153 	},
15154 	{
15155 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15156 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15157 		.doit = nl80211_update_ft_ies,
15158 		.flags = GENL_UNS_ADMIN_PERM,
15159 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15160 				  NL80211_FLAG_NEED_RTNL,
15161 	},
15162 	{
15163 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15164 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15165 		.doit = nl80211_crit_protocol_start,
15166 		.flags = GENL_UNS_ADMIN_PERM,
15167 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15168 				  NL80211_FLAG_NEED_RTNL,
15169 	},
15170 	{
15171 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15172 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15173 		.doit = nl80211_crit_protocol_stop,
15174 		.flags = GENL_UNS_ADMIN_PERM,
15175 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15176 				  NL80211_FLAG_NEED_RTNL,
15177 	},
15178 	{
15179 		.cmd = NL80211_CMD_GET_COALESCE,
15180 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15181 		.doit = nl80211_get_coalesce,
15182 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15183 				  NL80211_FLAG_NEED_RTNL,
15184 	},
15185 	{
15186 		.cmd = NL80211_CMD_SET_COALESCE,
15187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15188 		.doit = nl80211_set_coalesce,
15189 		.flags = GENL_UNS_ADMIN_PERM,
15190 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15191 				  NL80211_FLAG_NEED_RTNL,
15192 	},
15193 	{
15194 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15196 		.doit = nl80211_channel_switch,
15197 		.flags = GENL_UNS_ADMIN_PERM,
15198 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15199 				  NL80211_FLAG_NEED_RTNL,
15200 	},
15201 	{
15202 		.cmd = NL80211_CMD_VENDOR,
15203 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15204 		.doit = nl80211_vendor_cmd,
15205 		.dumpit = nl80211_vendor_cmd_dump,
15206 		.flags = GENL_UNS_ADMIN_PERM,
15207 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15208 				  NL80211_FLAG_NEED_RTNL |
15209 				  NL80211_FLAG_CLEAR_SKB,
15210 	},
15211 	{
15212 		.cmd = NL80211_CMD_SET_QOS_MAP,
15213 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15214 		.doit = nl80211_set_qos_map,
15215 		.flags = GENL_UNS_ADMIN_PERM,
15216 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15217 				  NL80211_FLAG_NEED_RTNL,
15218 	},
15219 	{
15220 		.cmd = NL80211_CMD_ADD_TX_TS,
15221 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15222 		.doit = nl80211_add_tx_ts,
15223 		.flags = GENL_UNS_ADMIN_PERM,
15224 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15225 				  NL80211_FLAG_NEED_RTNL,
15226 	},
15227 	{
15228 		.cmd = NL80211_CMD_DEL_TX_TS,
15229 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15230 		.doit = nl80211_del_tx_ts,
15231 		.flags = GENL_UNS_ADMIN_PERM,
15232 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15233 				  NL80211_FLAG_NEED_RTNL,
15234 	},
15235 	{
15236 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15237 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15238 		.doit = nl80211_tdls_channel_switch,
15239 		.flags = GENL_UNS_ADMIN_PERM,
15240 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15241 				  NL80211_FLAG_NEED_RTNL,
15242 	},
15243 	{
15244 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15246 		.doit = nl80211_tdls_cancel_channel_switch,
15247 		.flags = GENL_UNS_ADMIN_PERM,
15248 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15249 				  NL80211_FLAG_NEED_RTNL,
15250 	},
15251 	{
15252 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15253 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15254 		.doit = nl80211_set_multicast_to_unicast,
15255 		.flags = GENL_UNS_ADMIN_PERM,
15256 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15257 				  NL80211_FLAG_NEED_RTNL,
15258 	},
15259 	{
15260 		.cmd = NL80211_CMD_SET_PMK,
15261 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15262 		.doit = nl80211_set_pmk,
15263 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15264 				  NL80211_FLAG_NEED_RTNL |
15265 				  NL80211_FLAG_CLEAR_SKB,
15266 	},
15267 	{
15268 		.cmd = NL80211_CMD_DEL_PMK,
15269 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15270 		.doit = nl80211_del_pmk,
15271 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15272 				  NL80211_FLAG_NEED_RTNL,
15273 	},
15274 	{
15275 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15276 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15277 		.doit = nl80211_external_auth,
15278 		.flags = GENL_ADMIN_PERM,
15279 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15280 				  NL80211_FLAG_NEED_RTNL,
15281 	},
15282 	{
15283 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15284 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15285 		.doit = nl80211_tx_control_port,
15286 		.flags = GENL_UNS_ADMIN_PERM,
15287 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15288 				  NL80211_FLAG_NEED_RTNL,
15289 	},
15290 	{
15291 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15293 		.doit = nl80211_get_ftm_responder_stats,
15294 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15295 				  NL80211_FLAG_NEED_RTNL,
15296 	},
15297 	{
15298 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15300 		.doit = nl80211_pmsr_start,
15301 		.flags = GENL_UNS_ADMIN_PERM,
15302 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15303 				  NL80211_FLAG_NEED_RTNL,
15304 	},
15305 	{
15306 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15307 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15308 		.doit = nl80211_notify_radar_detection,
15309 		.flags = GENL_UNS_ADMIN_PERM,
15310 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15311 				  NL80211_FLAG_NEED_RTNL,
15312 	},
15313 	{
15314 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15315 		.doit = nl80211_update_owe_info,
15316 		.flags = GENL_ADMIN_PERM,
15317 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15318 				  NL80211_FLAG_NEED_RTNL,
15319 	},
15320 	{
15321 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15322 		.doit = nl80211_probe_mesh_link,
15323 		.flags = GENL_UNS_ADMIN_PERM,
15324 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15325 				  NL80211_FLAG_NEED_RTNL,
15326 	},
15327 	{
15328 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15329 		.doit = nl80211_set_tid_config,
15330 		.flags = GENL_UNS_ADMIN_PERM,
15331 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15332 				  NL80211_FLAG_NEED_RTNL,
15333 	},
15334 };
15335 
15336 static struct genl_family nl80211_fam __ro_after_init = {
15337 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15338 	.hdrsize = 0,			/* no private header */
15339 	.version = 1,			/* no particular meaning now */
15340 	.maxattr = NL80211_ATTR_MAX,
15341 	.policy = nl80211_policy,
15342 	.netnsok = true,
15343 	.pre_doit = nl80211_pre_doit,
15344 	.post_doit = nl80211_post_doit,
15345 	.module = THIS_MODULE,
15346 	.ops = nl80211_ops,
15347 	.n_ops = ARRAY_SIZE(nl80211_ops),
15348 	.mcgrps = nl80211_mcgrps,
15349 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15350 	.parallel_ops = true,
15351 };
15352 
15353 /* notification functions */
15354 
15355 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15356 			  enum nl80211_commands cmd)
15357 {
15358 	struct sk_buff *msg;
15359 	struct nl80211_dump_wiphy_state state = {};
15360 
15361 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15362 		cmd != NL80211_CMD_DEL_WIPHY);
15363 
15364 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15365 	if (!msg)
15366 		return;
15367 
15368 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15369 		nlmsg_free(msg);
15370 		return;
15371 	}
15372 
15373 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15374 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15375 }
15376 
15377 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15378 				struct wireless_dev *wdev,
15379 				enum nl80211_commands cmd)
15380 {
15381 	struct sk_buff *msg;
15382 
15383 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15384 	if (!msg)
15385 		return;
15386 
15387 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15388 		nlmsg_free(msg);
15389 		return;
15390 	}
15391 
15392 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15393 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15394 }
15395 
15396 static int nl80211_add_scan_req(struct sk_buff *msg,
15397 				struct cfg80211_registered_device *rdev)
15398 {
15399 	struct cfg80211_scan_request *req = rdev->scan_req;
15400 	struct nlattr *nest;
15401 	int i;
15402 
15403 	if (WARN_ON(!req))
15404 		return 0;
15405 
15406 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15407 	if (!nest)
15408 		goto nla_put_failure;
15409 	for (i = 0; i < req->n_ssids; i++) {
15410 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15411 			goto nla_put_failure;
15412 	}
15413 	nla_nest_end(msg, nest);
15414 
15415 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
15416 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
15417 		if (!nest)
15418 			goto nla_put_failure;
15419 		for (i = 0; i < req->n_channels; i++) {
15420 			if (nla_put_u32(msg, i,
15421 				   ieee80211_channel_to_khz(req->channels[i])))
15422 				goto nla_put_failure;
15423 		}
15424 		nla_nest_end(msg, nest);
15425 	} else {
15426 		nest = nla_nest_start_noflag(msg,
15427 					     NL80211_ATTR_SCAN_FREQUENCIES);
15428 		if (!nest)
15429 			goto nla_put_failure;
15430 		for (i = 0; i < req->n_channels; i++) {
15431 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15432 				goto nla_put_failure;
15433 		}
15434 		nla_nest_end(msg, nest);
15435 	}
15436 
15437 	if (req->ie &&
15438 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15439 		goto nla_put_failure;
15440 
15441 	if (req->flags &&
15442 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15443 		goto nla_put_failure;
15444 
15445 	if (req->info.scan_start_tsf &&
15446 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15447 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
15448 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15449 		     req->info.tsf_bssid)))
15450 		goto nla_put_failure;
15451 
15452 	return 0;
15453  nla_put_failure:
15454 	return -ENOBUFS;
15455 }
15456 
15457 static int nl80211_prep_scan_msg(struct sk_buff *msg,
15458 				 struct cfg80211_registered_device *rdev,
15459 				 struct wireless_dev *wdev,
15460 				 u32 portid, u32 seq, int flags,
15461 				 u32 cmd)
15462 {
15463 	void *hdr;
15464 
15465 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15466 	if (!hdr)
15467 		return -1;
15468 
15469 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15470 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15471 					 wdev->netdev->ifindex)) ||
15472 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15473 			      NL80211_ATTR_PAD))
15474 		goto nla_put_failure;
15475 
15476 	/* ignore errors and send incomplete event anyway */
15477 	nl80211_add_scan_req(msg, rdev);
15478 
15479 	genlmsg_end(msg, hdr);
15480 	return 0;
15481 
15482  nla_put_failure:
15483 	genlmsg_cancel(msg, hdr);
15484 	return -EMSGSIZE;
15485 }
15486 
15487 static int
15488 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15489 			    struct cfg80211_sched_scan_request *req, u32 cmd)
15490 {
15491 	void *hdr;
15492 
15493 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15494 	if (!hdr)
15495 		return -1;
15496 
15497 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15498 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15499 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15500 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15501 			      NL80211_ATTR_PAD))
15502 		goto nla_put_failure;
15503 
15504 	genlmsg_end(msg, hdr);
15505 	return 0;
15506 
15507  nla_put_failure:
15508 	genlmsg_cancel(msg, hdr);
15509 	return -EMSGSIZE;
15510 }
15511 
15512 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15513 			     struct wireless_dev *wdev)
15514 {
15515 	struct sk_buff *msg;
15516 
15517 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15518 	if (!msg)
15519 		return;
15520 
15521 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15522 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15523 		nlmsg_free(msg);
15524 		return;
15525 	}
15526 
15527 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15528 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15529 }
15530 
15531 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15532 				       struct wireless_dev *wdev, bool aborted)
15533 {
15534 	struct sk_buff *msg;
15535 
15536 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15537 	if (!msg)
15538 		return NULL;
15539 
15540 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15541 				  aborted ? NL80211_CMD_SCAN_ABORTED :
15542 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15543 		nlmsg_free(msg);
15544 		return NULL;
15545 	}
15546 
15547 	return msg;
15548 }
15549 
15550 /* send message created by nl80211_build_scan_msg() */
15551 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15552 			   struct sk_buff *msg)
15553 {
15554 	if (!msg)
15555 		return;
15556 
15557 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15558 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15559 }
15560 
15561 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
15562 {
15563 	struct sk_buff *msg;
15564 
15565 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15566 	if (!msg)
15567 		return;
15568 
15569 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
15570 		nlmsg_free(msg);
15571 		return;
15572 	}
15573 
15574 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
15575 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15576 }
15577 
15578 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
15579 					  struct regulatory_request *request)
15580 {
15581 	/* Userspace can always count this one always being set */
15582 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
15583 		goto nla_put_failure;
15584 
15585 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
15586 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15587 			       NL80211_REGDOM_TYPE_WORLD))
15588 			goto nla_put_failure;
15589 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
15590 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15591 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
15592 			goto nla_put_failure;
15593 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
15594 		   request->intersect) {
15595 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15596 			       NL80211_REGDOM_TYPE_INTERSECTION))
15597 			goto nla_put_failure;
15598 	} else {
15599 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15600 			       NL80211_REGDOM_TYPE_COUNTRY) ||
15601 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
15602 				   request->alpha2))
15603 			goto nla_put_failure;
15604 	}
15605 
15606 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
15607 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
15608 
15609 		if (wiphy &&
15610 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
15611 			goto nla_put_failure;
15612 
15613 		if (wiphy &&
15614 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
15615 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
15616 			goto nla_put_failure;
15617 	}
15618 
15619 	return true;
15620 
15621 nla_put_failure:
15622 	return false;
15623 }
15624 
15625 /*
15626  * This can happen on global regulatory changes or device specific settings
15627  * based on custom regulatory domains.
15628  */
15629 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
15630 				     struct regulatory_request *request)
15631 {
15632 	struct sk_buff *msg;
15633 	void *hdr;
15634 
15635 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15636 	if (!msg)
15637 		return;
15638 
15639 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15640 	if (!hdr)
15641 		goto nla_put_failure;
15642 
15643 	if (!nl80211_reg_change_event_fill(msg, request))
15644 		goto nla_put_failure;
15645 
15646 	genlmsg_end(msg, hdr);
15647 
15648 	rcu_read_lock();
15649 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15650 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15651 	rcu_read_unlock();
15652 
15653 	return;
15654 
15655 nla_put_failure:
15656 	nlmsg_free(msg);
15657 }
15658 
15659 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15660 				    struct net_device *netdev,
15661 				    const u8 *buf, size_t len,
15662 				    enum nl80211_commands cmd, gfp_t gfp,
15663 				    int uapsd_queues, const u8 *req_ies,
15664 				    size_t req_ies_len)
15665 {
15666 	struct sk_buff *msg;
15667 	void *hdr;
15668 
15669 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15670 	if (!msg)
15671 		return;
15672 
15673 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15674 	if (!hdr) {
15675 		nlmsg_free(msg);
15676 		return;
15677 	}
15678 
15679 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15680 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15681 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15682 	    (req_ies &&
15683 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15684 		goto nla_put_failure;
15685 
15686 	if (uapsd_queues >= 0) {
15687 		struct nlattr *nla_wmm =
15688 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15689 		if (!nla_wmm)
15690 			goto nla_put_failure;
15691 
15692 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15693 			       uapsd_queues))
15694 			goto nla_put_failure;
15695 
15696 		nla_nest_end(msg, nla_wmm);
15697 	}
15698 
15699 	genlmsg_end(msg, hdr);
15700 
15701 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15702 				NL80211_MCGRP_MLME, gfp);
15703 	return;
15704 
15705  nla_put_failure:
15706 	nlmsg_free(msg);
15707 }
15708 
15709 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15710 			  struct net_device *netdev, const u8 *buf,
15711 			  size_t len, gfp_t gfp)
15712 {
15713 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15714 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15715 }
15716 
15717 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15718 			   struct net_device *netdev, const u8 *buf,
15719 			   size_t len, gfp_t gfp, int uapsd_queues,
15720 			   const u8 *req_ies, size_t req_ies_len)
15721 {
15722 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15723 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15724 				req_ies, req_ies_len);
15725 }
15726 
15727 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15728 			 struct net_device *netdev, const u8 *buf,
15729 			 size_t len, gfp_t gfp)
15730 {
15731 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15732 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15733 }
15734 
15735 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15736 			   struct net_device *netdev, const u8 *buf,
15737 			   size_t len, gfp_t gfp)
15738 {
15739 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15740 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15741 }
15742 
15743 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15744 				  size_t len)
15745 {
15746 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15747 	struct wiphy *wiphy = wdev->wiphy;
15748 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15749 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15750 	u32 cmd;
15751 
15752 	if (WARN_ON(len < 2))
15753 		return;
15754 
15755 	if (ieee80211_is_deauth(mgmt->frame_control)) {
15756 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15757 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
15758 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15759 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
15760 		if (wdev->unprot_beacon_reported &&
15761 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
15762 			return;
15763 		cmd = NL80211_CMD_UNPROT_BEACON;
15764 		wdev->unprot_beacon_reported = jiffies;
15765 	} else {
15766 		return;
15767 	}
15768 
15769 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15770 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15771 				NULL, 0);
15772 }
15773 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15774 
15775 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15776 				      struct net_device *netdev, int cmd,
15777 				      const u8 *addr, gfp_t gfp)
15778 {
15779 	struct sk_buff *msg;
15780 	void *hdr;
15781 
15782 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15783 	if (!msg)
15784 		return;
15785 
15786 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15787 	if (!hdr) {
15788 		nlmsg_free(msg);
15789 		return;
15790 	}
15791 
15792 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15793 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15794 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15795 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15796 		goto nla_put_failure;
15797 
15798 	genlmsg_end(msg, hdr);
15799 
15800 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15801 				NL80211_MCGRP_MLME, gfp);
15802 	return;
15803 
15804  nla_put_failure:
15805 	nlmsg_free(msg);
15806 }
15807 
15808 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
15809 			       struct net_device *netdev, const u8 *addr,
15810 			       gfp_t gfp)
15811 {
15812 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
15813 				  addr, gfp);
15814 }
15815 
15816 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
15817 				struct net_device *netdev, const u8 *addr,
15818 				gfp_t gfp)
15819 {
15820 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
15821 				  addr, gfp);
15822 }
15823 
15824 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
15825 				 struct net_device *netdev,
15826 				 struct cfg80211_connect_resp_params *cr,
15827 				 gfp_t gfp)
15828 {
15829 	struct sk_buff *msg;
15830 	void *hdr;
15831 
15832 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
15833 			cr->fils.kek_len + cr->fils.pmk_len +
15834 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15835 	if (!msg)
15836 		return;
15837 
15838 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
15839 	if (!hdr) {
15840 		nlmsg_free(msg);
15841 		return;
15842 	}
15843 
15844 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15845 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15846 	    (cr->bssid &&
15847 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
15848 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
15849 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
15850 			cr->status) ||
15851 	    (cr->status < 0 &&
15852 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15853 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
15854 			  cr->timeout_reason))) ||
15855 	    (cr->req_ie &&
15856 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
15857 	    (cr->resp_ie &&
15858 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
15859 		     cr->resp_ie)) ||
15860 	    (cr->fils.update_erp_next_seq_num &&
15861 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15862 			 cr->fils.erp_next_seq_num)) ||
15863 	    (cr->status == WLAN_STATUS_SUCCESS &&
15864 	     ((cr->fils.kek &&
15865 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
15866 		       cr->fils.kek)) ||
15867 	      (cr->fils.pmk &&
15868 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
15869 	      (cr->fils.pmkid &&
15870 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
15871 		goto nla_put_failure;
15872 
15873 	genlmsg_end(msg, hdr);
15874 
15875 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15876 				NL80211_MCGRP_MLME, gfp);
15877 	return;
15878 
15879  nla_put_failure:
15880 	nlmsg_free(msg);
15881 }
15882 
15883 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
15884 			 struct net_device *netdev,
15885 			 struct cfg80211_roam_info *info, gfp_t gfp)
15886 {
15887 	struct sk_buff *msg;
15888 	void *hdr;
15889 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
15890 
15891 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
15892 			info->fils.kek_len + info->fils.pmk_len +
15893 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15894 	if (!msg)
15895 		return;
15896 
15897 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
15898 	if (!hdr) {
15899 		nlmsg_free(msg);
15900 		return;
15901 	}
15902 
15903 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15904 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15905 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
15906 	    (info->req_ie &&
15907 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
15908 		     info->req_ie)) ||
15909 	    (info->resp_ie &&
15910 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
15911 		     info->resp_ie)) ||
15912 	    (info->fils.update_erp_next_seq_num &&
15913 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15914 			 info->fils.erp_next_seq_num)) ||
15915 	    (info->fils.kek &&
15916 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15917 		     info->fils.kek)) ||
15918 	    (info->fils.pmk &&
15919 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15920 	    (info->fils.pmkid &&
15921 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15922 		goto nla_put_failure;
15923 
15924 	genlmsg_end(msg, hdr);
15925 
15926 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15927 				NL80211_MCGRP_MLME, gfp);
15928 	return;
15929 
15930  nla_put_failure:
15931 	nlmsg_free(msg);
15932 }
15933 
15934 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15935 				  struct net_device *netdev, const u8 *bssid)
15936 {
15937 	struct sk_buff *msg;
15938 	void *hdr;
15939 
15940 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15941 	if (!msg)
15942 		return;
15943 
15944 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15945 	if (!hdr) {
15946 		nlmsg_free(msg);
15947 		return;
15948 	}
15949 
15950 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15951 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15952 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15953 		goto nla_put_failure;
15954 
15955 	genlmsg_end(msg, hdr);
15956 
15957 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15958 				NL80211_MCGRP_MLME, GFP_KERNEL);
15959 	return;
15960 
15961  nla_put_failure:
15962 	nlmsg_free(msg);
15963 }
15964 
15965 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15966 			       struct net_device *netdev, u16 reason,
15967 			       const u8 *ie, size_t ie_len, bool from_ap)
15968 {
15969 	struct sk_buff *msg;
15970 	void *hdr;
15971 
15972 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15973 	if (!msg)
15974 		return;
15975 
15976 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15977 	if (!hdr) {
15978 		nlmsg_free(msg);
15979 		return;
15980 	}
15981 
15982 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15983 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15984 	    (reason &&
15985 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15986 	    (from_ap &&
15987 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15988 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15989 		goto nla_put_failure;
15990 
15991 	genlmsg_end(msg, hdr);
15992 
15993 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15994 				NL80211_MCGRP_MLME, GFP_KERNEL);
15995 	return;
15996 
15997  nla_put_failure:
15998 	nlmsg_free(msg);
15999 }
16000 
16001 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16002 			     struct net_device *netdev, const u8 *bssid,
16003 			     gfp_t gfp)
16004 {
16005 	struct sk_buff *msg;
16006 	void *hdr;
16007 
16008 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16009 	if (!msg)
16010 		return;
16011 
16012 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16013 	if (!hdr) {
16014 		nlmsg_free(msg);
16015 		return;
16016 	}
16017 
16018 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16019 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16020 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16021 		goto nla_put_failure;
16022 
16023 	genlmsg_end(msg, hdr);
16024 
16025 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16026 				NL80211_MCGRP_MLME, gfp);
16027 	return;
16028 
16029  nla_put_failure:
16030 	nlmsg_free(msg);
16031 }
16032 
16033 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16034 					const u8 *ie, u8 ie_len,
16035 					int sig_dbm, gfp_t gfp)
16036 {
16037 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16038 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16039 	struct sk_buff *msg;
16040 	void *hdr;
16041 
16042 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16043 		return;
16044 
16045 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16046 
16047 	msg = nlmsg_new(100 + ie_len, gfp);
16048 	if (!msg)
16049 		return;
16050 
16051 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16052 	if (!hdr) {
16053 		nlmsg_free(msg);
16054 		return;
16055 	}
16056 
16057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16058 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16059 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16060 	    (ie_len && ie &&
16061 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16062 	    (sig_dbm &&
16063 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16064 		goto nla_put_failure;
16065 
16066 	genlmsg_end(msg, hdr);
16067 
16068 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16069 				NL80211_MCGRP_MLME, gfp);
16070 	return;
16071 
16072  nla_put_failure:
16073 	nlmsg_free(msg);
16074 }
16075 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16076 
16077 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16078 				 struct net_device *netdev, const u8 *addr,
16079 				 enum nl80211_key_type key_type, int key_id,
16080 				 const u8 *tsc, gfp_t gfp)
16081 {
16082 	struct sk_buff *msg;
16083 	void *hdr;
16084 
16085 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16086 	if (!msg)
16087 		return;
16088 
16089 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16090 	if (!hdr) {
16091 		nlmsg_free(msg);
16092 		return;
16093 	}
16094 
16095 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16096 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16097 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16098 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16099 	    (key_id != -1 &&
16100 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16101 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16102 		goto nla_put_failure;
16103 
16104 	genlmsg_end(msg, hdr);
16105 
16106 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16107 				NL80211_MCGRP_MLME, gfp);
16108 	return;
16109 
16110  nla_put_failure:
16111 	nlmsg_free(msg);
16112 }
16113 
16114 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16115 				    struct ieee80211_channel *channel_before,
16116 				    struct ieee80211_channel *channel_after)
16117 {
16118 	struct sk_buff *msg;
16119 	void *hdr;
16120 	struct nlattr *nl_freq;
16121 
16122 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16123 	if (!msg)
16124 		return;
16125 
16126 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16127 	if (!hdr) {
16128 		nlmsg_free(msg);
16129 		return;
16130 	}
16131 
16132 	/*
16133 	 * Since we are applying the beacon hint to a wiphy we know its
16134 	 * wiphy_idx is valid
16135 	 */
16136 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16137 		goto nla_put_failure;
16138 
16139 	/* Before */
16140 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16141 	if (!nl_freq)
16142 		goto nla_put_failure;
16143 
16144 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16145 		goto nla_put_failure;
16146 	nla_nest_end(msg, nl_freq);
16147 
16148 	/* After */
16149 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16150 	if (!nl_freq)
16151 		goto nla_put_failure;
16152 
16153 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16154 		goto nla_put_failure;
16155 	nla_nest_end(msg, nl_freq);
16156 
16157 	genlmsg_end(msg, hdr);
16158 
16159 	rcu_read_lock();
16160 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16161 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16162 	rcu_read_unlock();
16163 
16164 	return;
16165 
16166 nla_put_failure:
16167 	nlmsg_free(msg);
16168 }
16169 
16170 static void nl80211_send_remain_on_chan_event(
16171 	int cmd, struct cfg80211_registered_device *rdev,
16172 	struct wireless_dev *wdev, u64 cookie,
16173 	struct ieee80211_channel *chan,
16174 	unsigned int duration, gfp_t gfp)
16175 {
16176 	struct sk_buff *msg;
16177 	void *hdr;
16178 
16179 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16180 	if (!msg)
16181 		return;
16182 
16183 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16184 	if (!hdr) {
16185 		nlmsg_free(msg);
16186 		return;
16187 	}
16188 
16189 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16190 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16191 					 wdev->netdev->ifindex)) ||
16192 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16193 			      NL80211_ATTR_PAD) ||
16194 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
16195 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
16196 			NL80211_CHAN_NO_HT) ||
16197 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16198 			      NL80211_ATTR_PAD))
16199 		goto nla_put_failure;
16200 
16201 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
16202 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
16203 		goto nla_put_failure;
16204 
16205 	genlmsg_end(msg, hdr);
16206 
16207 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16208 				NL80211_MCGRP_MLME, gfp);
16209 	return;
16210 
16211  nla_put_failure:
16212 	nlmsg_free(msg);
16213 }
16214 
16215 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
16216 			       struct ieee80211_channel *chan,
16217 			       unsigned int duration, gfp_t gfp)
16218 {
16219 	struct wiphy *wiphy = wdev->wiphy;
16220 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16221 
16222 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16223 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16224 					  rdev, wdev, cookie, chan,
16225 					  duration, gfp);
16226 }
16227 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16228 
16229 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16230 					struct ieee80211_channel *chan,
16231 					gfp_t gfp)
16232 {
16233 	struct wiphy *wiphy = wdev->wiphy;
16234 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16235 
16236 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16237 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16238 					  rdev, wdev, cookie, chan, 0, gfp);
16239 }
16240 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16241 
16242 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16243 					struct ieee80211_channel *chan,
16244 					gfp_t gfp)
16245 {
16246 	struct wiphy *wiphy = wdev->wiphy;
16247 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16248 
16249 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16250 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16251 					  rdev, wdev, cookie, chan, 0, gfp);
16252 }
16253 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16254 
16255 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16256 		      struct station_info *sinfo, gfp_t gfp)
16257 {
16258 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16259 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16260 	struct sk_buff *msg;
16261 
16262 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16263 
16264 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16265 	if (!msg)
16266 		return;
16267 
16268 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16269 				 rdev, dev, mac_addr, sinfo) < 0) {
16270 		nlmsg_free(msg);
16271 		return;
16272 	}
16273 
16274 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16275 				NL80211_MCGRP_MLME, gfp);
16276 }
16277 EXPORT_SYMBOL(cfg80211_new_sta);
16278 
16279 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16280 			    struct station_info *sinfo, gfp_t gfp)
16281 {
16282 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16283 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16284 	struct sk_buff *msg;
16285 	struct station_info empty_sinfo = {};
16286 
16287 	if (!sinfo)
16288 		sinfo = &empty_sinfo;
16289 
16290 	trace_cfg80211_del_sta(dev, mac_addr);
16291 
16292 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16293 	if (!msg) {
16294 		cfg80211_sinfo_release_content(sinfo);
16295 		return;
16296 	}
16297 
16298 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16299 				 rdev, dev, mac_addr, sinfo) < 0) {
16300 		nlmsg_free(msg);
16301 		return;
16302 	}
16303 
16304 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16305 				NL80211_MCGRP_MLME, gfp);
16306 }
16307 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16308 
16309 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16310 			  enum nl80211_connect_failed_reason reason,
16311 			  gfp_t gfp)
16312 {
16313 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16314 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16315 	struct sk_buff *msg;
16316 	void *hdr;
16317 
16318 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16319 	if (!msg)
16320 		return;
16321 
16322 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16323 	if (!hdr) {
16324 		nlmsg_free(msg);
16325 		return;
16326 	}
16327 
16328 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16329 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16330 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16331 		goto nla_put_failure;
16332 
16333 	genlmsg_end(msg, hdr);
16334 
16335 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16336 				NL80211_MCGRP_MLME, gfp);
16337 	return;
16338 
16339  nla_put_failure:
16340 	nlmsg_free(msg);
16341 }
16342 EXPORT_SYMBOL(cfg80211_conn_failed);
16343 
16344 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16345 				       const u8 *addr, gfp_t gfp)
16346 {
16347 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16348 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16349 	struct sk_buff *msg;
16350 	void *hdr;
16351 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16352 
16353 	if (!nlportid)
16354 		return false;
16355 
16356 	msg = nlmsg_new(100, gfp);
16357 	if (!msg)
16358 		return true;
16359 
16360 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16361 	if (!hdr) {
16362 		nlmsg_free(msg);
16363 		return true;
16364 	}
16365 
16366 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16367 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16368 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16369 		goto nla_put_failure;
16370 
16371 	genlmsg_end(msg, hdr);
16372 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16373 	return true;
16374 
16375  nla_put_failure:
16376 	nlmsg_free(msg);
16377 	return true;
16378 }
16379 
16380 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16381 				const u8 *addr, gfp_t gfp)
16382 {
16383 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16384 	bool ret;
16385 
16386 	trace_cfg80211_rx_spurious_frame(dev, addr);
16387 
16388 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16389 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16390 		trace_cfg80211_return_bool(false);
16391 		return false;
16392 	}
16393 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16394 					 addr, gfp);
16395 	trace_cfg80211_return_bool(ret);
16396 	return ret;
16397 }
16398 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16399 
16400 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16401 					const u8 *addr, gfp_t gfp)
16402 {
16403 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16404 	bool ret;
16405 
16406 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16407 
16408 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16409 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16410 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16411 		trace_cfg80211_return_bool(false);
16412 		return false;
16413 	}
16414 	ret = __nl80211_unexpected_frame(dev,
16415 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16416 					 addr, gfp);
16417 	trace_cfg80211_return_bool(ret);
16418 	return ret;
16419 }
16420 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16421 
16422 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16423 		      struct wireless_dev *wdev, u32 nlportid,
16424 		      int freq, int sig_dbm,
16425 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16426 {
16427 	struct net_device *netdev = wdev->netdev;
16428 	struct sk_buff *msg;
16429 	void *hdr;
16430 
16431 	msg = nlmsg_new(100 + len, gfp);
16432 	if (!msg)
16433 		return -ENOMEM;
16434 
16435 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16436 	if (!hdr) {
16437 		nlmsg_free(msg);
16438 		return -ENOMEM;
16439 	}
16440 
16441 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16442 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16443 					netdev->ifindex)) ||
16444 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16445 			      NL80211_ATTR_PAD) ||
16446 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
16447 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
16448 	    (sig_dbm &&
16449 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16450 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16451 	    (flags &&
16452 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16453 		goto nla_put_failure;
16454 
16455 	genlmsg_end(msg, hdr);
16456 
16457 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16458 
16459  nla_put_failure:
16460 	nlmsg_free(msg);
16461 	return -ENOBUFS;
16462 }
16463 
16464 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
16465 				    const u8 *buf, size_t len, bool ack,
16466 				    gfp_t gfp, enum nl80211_commands command)
16467 {
16468 	struct wiphy *wiphy = wdev->wiphy;
16469 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16470 	struct net_device *netdev = wdev->netdev;
16471 	struct sk_buff *msg;
16472 	void *hdr;
16473 
16474 	if (command == NL80211_CMD_FRAME_TX_STATUS)
16475 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16476 	else
16477 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
16478 
16479 	msg = nlmsg_new(100 + len, gfp);
16480 	if (!msg)
16481 		return;
16482 
16483 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
16484 	if (!hdr) {
16485 		nlmsg_free(msg);
16486 		return;
16487 	}
16488 
16489 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16490 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16491 				   netdev->ifindex)) ||
16492 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16493 			      NL80211_ATTR_PAD) ||
16494 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16495 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16496 			      NL80211_ATTR_PAD) ||
16497 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16498 		goto nla_put_failure;
16499 
16500 	genlmsg_end(msg, hdr);
16501 
16502 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16503 				NL80211_MCGRP_MLME, gfp);
16504 	return;
16505 
16506 nla_put_failure:
16507 	nlmsg_free(msg);
16508 }
16509 
16510 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
16511 				     const u8 *buf, size_t len, bool ack,
16512 				     gfp_t gfp)
16513 {
16514 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16515 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
16516 }
16517 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
16518 
16519 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16520 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16521 {
16522 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16523 				NL80211_CMD_FRAME_TX_STATUS);
16524 }
16525 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16526 
16527 static int __nl80211_rx_control_port(struct net_device *dev,
16528 				     struct sk_buff *skb,
16529 				     bool unencrypted, gfp_t gfp)
16530 {
16531 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16532 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16533 	struct ethhdr *ehdr = eth_hdr(skb);
16534 	const u8 *addr = ehdr->h_source;
16535 	u16 proto = be16_to_cpu(skb->protocol);
16536 	struct sk_buff *msg;
16537 	void *hdr;
16538 	struct nlattr *frame;
16539 
16540 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16541 
16542 	if (!nlportid)
16543 		return -ENOENT;
16544 
16545 	msg = nlmsg_new(100 + skb->len, gfp);
16546 	if (!msg)
16547 		return -ENOMEM;
16548 
16549 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
16550 	if (!hdr) {
16551 		nlmsg_free(msg);
16552 		return -ENOBUFS;
16553 	}
16554 
16555 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16556 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16557 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16558 			      NL80211_ATTR_PAD) ||
16559 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16560 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
16561 	    (unencrypted && nla_put_flag(msg,
16562 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
16563 		goto nla_put_failure;
16564 
16565 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
16566 	if (!frame)
16567 		goto nla_put_failure;
16568 
16569 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
16570 	genlmsg_end(msg, hdr);
16571 
16572 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16573 
16574  nla_put_failure:
16575 	nlmsg_free(msg);
16576 	return -ENOBUFS;
16577 }
16578 
16579 bool cfg80211_rx_control_port(struct net_device *dev,
16580 			      struct sk_buff *skb, bool unencrypted)
16581 {
16582 	int ret;
16583 
16584 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
16585 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
16586 	trace_cfg80211_return_bool(ret == 0);
16587 	return ret == 0;
16588 }
16589 EXPORT_SYMBOL(cfg80211_rx_control_port);
16590 
16591 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
16592 					    const char *mac, gfp_t gfp)
16593 {
16594 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16596 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16597 	void **cb;
16598 
16599 	if (!msg)
16600 		return NULL;
16601 
16602 	cb = (void **)msg->cb;
16603 
16604 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
16605 	if (!cb[0]) {
16606 		nlmsg_free(msg);
16607 		return NULL;
16608 	}
16609 
16610 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16611 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16612 		goto nla_put_failure;
16613 
16614 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16615 		goto nla_put_failure;
16616 
16617 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
16618 	if (!cb[1])
16619 		goto nla_put_failure;
16620 
16621 	cb[2] = rdev;
16622 
16623 	return msg;
16624  nla_put_failure:
16625 	nlmsg_free(msg);
16626 	return NULL;
16627 }
16628 
16629 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
16630 {
16631 	void **cb = (void **)msg->cb;
16632 	struct cfg80211_registered_device *rdev = cb[2];
16633 
16634 	nla_nest_end(msg, cb[1]);
16635 	genlmsg_end(msg, cb[0]);
16636 
16637 	memset(msg->cb, 0, sizeof(msg->cb));
16638 
16639 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16640 				NL80211_MCGRP_MLME, gfp);
16641 }
16642 
16643 void cfg80211_cqm_rssi_notify(struct net_device *dev,
16644 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
16645 			      s32 rssi_level, gfp_t gfp)
16646 {
16647 	struct sk_buff *msg;
16648 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16649 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16650 
16651 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
16652 
16653 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
16654 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
16655 		return;
16656 
16657 	if (wdev->cqm_config) {
16658 		wdev->cqm_config->last_rssi_event_value = rssi_level;
16659 
16660 		cfg80211_cqm_rssi_update(rdev, dev);
16661 
16662 		if (rssi_level == 0)
16663 			rssi_level = wdev->cqm_config->last_rssi_event_value;
16664 	}
16665 
16666 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16667 	if (!msg)
16668 		return;
16669 
16670 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16671 			rssi_event))
16672 		goto nla_put_failure;
16673 
16674 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16675 				      rssi_level))
16676 		goto nla_put_failure;
16677 
16678 	cfg80211_send_cqm(msg, gfp);
16679 
16680 	return;
16681 
16682  nla_put_failure:
16683 	nlmsg_free(msg);
16684 }
16685 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16686 
16687 void cfg80211_cqm_txe_notify(struct net_device *dev,
16688 			     const u8 *peer, u32 num_packets,
16689 			     u32 rate, u32 intvl, gfp_t gfp)
16690 {
16691 	struct sk_buff *msg;
16692 
16693 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16694 	if (!msg)
16695 		return;
16696 
16697 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16698 		goto nla_put_failure;
16699 
16700 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16701 		goto nla_put_failure;
16702 
16703 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16704 		goto nla_put_failure;
16705 
16706 	cfg80211_send_cqm(msg, gfp);
16707 	return;
16708 
16709  nla_put_failure:
16710 	nlmsg_free(msg);
16711 }
16712 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16713 
16714 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16715 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16716 {
16717 	struct sk_buff *msg;
16718 
16719 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16720 
16721 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16722 	if (!msg)
16723 		return;
16724 
16725 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16726 		goto nla_put_failure;
16727 
16728 	cfg80211_send_cqm(msg, gfp);
16729 	return;
16730 
16731  nla_put_failure:
16732 	nlmsg_free(msg);
16733 }
16734 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16735 
16736 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16737 {
16738 	struct sk_buff *msg;
16739 
16740 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16741 	if (!msg)
16742 		return;
16743 
16744 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16745 		goto nla_put_failure;
16746 
16747 	cfg80211_send_cqm(msg, gfp);
16748 	return;
16749 
16750  nla_put_failure:
16751 	nlmsg_free(msg);
16752 }
16753 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16754 
16755 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16756 				     struct net_device *netdev, const u8 *bssid,
16757 				     const u8 *replay_ctr, gfp_t gfp)
16758 {
16759 	struct sk_buff *msg;
16760 	struct nlattr *rekey_attr;
16761 	void *hdr;
16762 
16763 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16764 	if (!msg)
16765 		return;
16766 
16767 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16768 	if (!hdr) {
16769 		nlmsg_free(msg);
16770 		return;
16771 	}
16772 
16773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16774 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16775 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16776 		goto nla_put_failure;
16777 
16778 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16779 	if (!rekey_attr)
16780 		goto nla_put_failure;
16781 
16782 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16783 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16784 		goto nla_put_failure;
16785 
16786 	nla_nest_end(msg, rekey_attr);
16787 
16788 	genlmsg_end(msg, hdr);
16789 
16790 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16791 				NL80211_MCGRP_MLME, gfp);
16792 	return;
16793 
16794  nla_put_failure:
16795 	nlmsg_free(msg);
16796 }
16797 
16798 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16799 			       const u8 *replay_ctr, gfp_t gfp)
16800 {
16801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16802 	struct wiphy *wiphy = wdev->wiphy;
16803 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16804 
16805 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16806 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16807 }
16808 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
16809 
16810 static void
16811 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
16812 			       struct net_device *netdev, int index,
16813 			       const u8 *bssid, bool preauth, gfp_t gfp)
16814 {
16815 	struct sk_buff *msg;
16816 	struct nlattr *attr;
16817 	void *hdr;
16818 
16819 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16820 	if (!msg)
16821 		return;
16822 
16823 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
16824 	if (!hdr) {
16825 		nlmsg_free(msg);
16826 		return;
16827 	}
16828 
16829 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16830 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16831 		goto nla_put_failure;
16832 
16833 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
16834 	if (!attr)
16835 		goto nla_put_failure;
16836 
16837 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
16838 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
16839 	    (preauth &&
16840 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
16841 		goto nla_put_failure;
16842 
16843 	nla_nest_end(msg, attr);
16844 
16845 	genlmsg_end(msg, hdr);
16846 
16847 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16848 				NL80211_MCGRP_MLME, gfp);
16849 	return;
16850 
16851  nla_put_failure:
16852 	nlmsg_free(msg);
16853 }
16854 
16855 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
16856 				     const u8 *bssid, bool preauth, gfp_t gfp)
16857 {
16858 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16859 	struct wiphy *wiphy = wdev->wiphy;
16860 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16861 
16862 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
16863 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
16864 }
16865 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
16866 
16867 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
16868 				     struct net_device *netdev,
16869 				     struct cfg80211_chan_def *chandef,
16870 				     gfp_t gfp,
16871 				     enum nl80211_commands notif,
16872 				     u8 count)
16873 {
16874 	struct sk_buff *msg;
16875 	void *hdr;
16876 
16877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16878 	if (!msg)
16879 		return;
16880 
16881 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
16882 	if (!hdr) {
16883 		nlmsg_free(msg);
16884 		return;
16885 	}
16886 
16887 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16888 		goto nla_put_failure;
16889 
16890 	if (nl80211_send_chandef(msg, chandef))
16891 		goto nla_put_failure;
16892 
16893 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
16894 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
16895 			goto nla_put_failure;
16896 
16897 	genlmsg_end(msg, hdr);
16898 
16899 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16900 				NL80211_MCGRP_MLME, gfp);
16901 	return;
16902 
16903  nla_put_failure:
16904 	nlmsg_free(msg);
16905 }
16906 
16907 void cfg80211_ch_switch_notify(struct net_device *dev,
16908 			       struct cfg80211_chan_def *chandef)
16909 {
16910 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16911 	struct wiphy *wiphy = wdev->wiphy;
16912 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16913 
16914 	ASSERT_WDEV_LOCK(wdev);
16915 
16916 	trace_cfg80211_ch_switch_notify(dev, chandef);
16917 
16918 	wdev->chandef = *chandef;
16919 	wdev->preset_chandef = *chandef;
16920 
16921 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
16922 	    !WARN_ON(!wdev->current_bss))
16923 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
16924 
16925 	cfg80211_sched_dfs_chan_update(rdev);
16926 
16927 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16928 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
16929 }
16930 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
16931 
16932 void cfg80211_ch_switch_started_notify(struct net_device *dev,
16933 				       struct cfg80211_chan_def *chandef,
16934 				       u8 count)
16935 {
16936 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16937 	struct wiphy *wiphy = wdev->wiphy;
16938 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16939 
16940 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
16941 
16942 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16943 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
16944 }
16945 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
16946 
16947 void
16948 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
16949 		     const struct cfg80211_chan_def *chandef,
16950 		     enum nl80211_radar_event event,
16951 		     struct net_device *netdev, gfp_t gfp)
16952 {
16953 	struct sk_buff *msg;
16954 	void *hdr;
16955 
16956 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16957 	if (!msg)
16958 		return;
16959 
16960 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16961 	if (!hdr) {
16962 		nlmsg_free(msg);
16963 		return;
16964 	}
16965 
16966 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16967 		goto nla_put_failure;
16968 
16969 	/* NOP and radar events don't need a netdev parameter */
16970 	if (netdev) {
16971 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16972 
16973 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16974 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16975 				      NL80211_ATTR_PAD))
16976 			goto nla_put_failure;
16977 	}
16978 
16979 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16980 		goto nla_put_failure;
16981 
16982 	if (nl80211_send_chandef(msg, chandef))
16983 		goto nla_put_failure;
16984 
16985 	genlmsg_end(msg, hdr);
16986 
16987 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16988 				NL80211_MCGRP_MLME, gfp);
16989 	return;
16990 
16991  nla_put_failure:
16992 	nlmsg_free(msg);
16993 }
16994 
16995 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16996 				       struct sta_opmode_info *sta_opmode,
16997 				       gfp_t gfp)
16998 {
16999 	struct sk_buff *msg;
17000 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17001 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17002 	void *hdr;
17003 
17004 	if (WARN_ON(!mac))
17005 		return;
17006 
17007 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17008 	if (!msg)
17009 		return;
17010 
17011 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17012 	if (!hdr) {
17013 		nlmsg_free(msg);
17014 		return;
17015 	}
17016 
17017 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17018 		goto nla_put_failure;
17019 
17020 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17021 		goto nla_put_failure;
17022 
17023 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17024 		goto nla_put_failure;
17025 
17026 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17027 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17028 		goto nla_put_failure;
17029 
17030 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17031 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17032 		goto nla_put_failure;
17033 
17034 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17035 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17036 		goto nla_put_failure;
17037 
17038 	genlmsg_end(msg, hdr);
17039 
17040 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17041 				NL80211_MCGRP_MLME, gfp);
17042 
17043 	return;
17044 
17045 nla_put_failure:
17046 	nlmsg_free(msg);
17047 }
17048 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17049 
17050 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17051 			   u64 cookie, bool acked, s32 ack_signal,
17052 			   bool is_valid_ack_signal, gfp_t gfp)
17053 {
17054 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17055 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17056 	struct sk_buff *msg;
17057 	void *hdr;
17058 
17059 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17060 
17061 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17062 
17063 	if (!msg)
17064 		return;
17065 
17066 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17067 	if (!hdr) {
17068 		nlmsg_free(msg);
17069 		return;
17070 	}
17071 
17072 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17073 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17074 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17075 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17076 			      NL80211_ATTR_PAD) ||
17077 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17078 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17079 						ack_signal)))
17080 		goto nla_put_failure;
17081 
17082 	genlmsg_end(msg, hdr);
17083 
17084 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17085 				NL80211_MCGRP_MLME, gfp);
17086 	return;
17087 
17088  nla_put_failure:
17089 	nlmsg_free(msg);
17090 }
17091 EXPORT_SYMBOL(cfg80211_probe_status);
17092 
17093 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17094 				     size_t len, int freq, int sig_dbm)
17095 {
17096 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17097 	struct sk_buff *msg;
17098 	void *hdr;
17099 	struct cfg80211_beacon_registration *reg;
17100 
17101 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17102 
17103 	spin_lock_bh(&rdev->beacon_registrations_lock);
17104 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17105 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17106 		if (!msg) {
17107 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17108 			return;
17109 		}
17110 
17111 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17112 		if (!hdr)
17113 			goto nla_put_failure;
17114 
17115 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17116 		    (freq &&
17117 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17118 				  KHZ_TO_MHZ(freq)) ||
17119 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17120 				  freq % 1000))) ||
17121 		    (sig_dbm &&
17122 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17123 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17124 			goto nla_put_failure;
17125 
17126 		genlmsg_end(msg, hdr);
17127 
17128 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17129 	}
17130 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17131 	return;
17132 
17133  nla_put_failure:
17134 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17135 	nlmsg_free(msg);
17136 }
17137 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
17138 
17139 #ifdef CONFIG_PM
17140 static int cfg80211_net_detect_results(struct sk_buff *msg,
17141 				       struct cfg80211_wowlan_wakeup *wakeup)
17142 {
17143 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
17144 	struct nlattr *nl_results, *nl_match, *nl_freqs;
17145 	int i, j;
17146 
17147 	nl_results = nla_nest_start_noflag(msg,
17148 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
17149 	if (!nl_results)
17150 		return -EMSGSIZE;
17151 
17152 	for (i = 0; i < nd->n_matches; i++) {
17153 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
17154 
17155 		nl_match = nla_nest_start_noflag(msg, i);
17156 		if (!nl_match)
17157 			break;
17158 
17159 		/* The SSID attribute is optional in nl80211, but for
17160 		 * simplicity reasons it's always present in the
17161 		 * cfg80211 structure.  If a driver can't pass the
17162 		 * SSID, that needs to be changed.  A zero length SSID
17163 		 * is still a valid SSID (wildcard), so it cannot be
17164 		 * used for this purpose.
17165 		 */
17166 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
17167 			    match->ssid.ssid)) {
17168 			nla_nest_cancel(msg, nl_match);
17169 			goto out;
17170 		}
17171 
17172 		if (match->n_channels) {
17173 			nl_freqs = nla_nest_start_noflag(msg,
17174 							 NL80211_ATTR_SCAN_FREQUENCIES);
17175 			if (!nl_freqs) {
17176 				nla_nest_cancel(msg, nl_match);
17177 				goto out;
17178 			}
17179 
17180 			for (j = 0; j < match->n_channels; j++) {
17181 				if (nla_put_u32(msg, j, match->channels[j])) {
17182 					nla_nest_cancel(msg, nl_freqs);
17183 					nla_nest_cancel(msg, nl_match);
17184 					goto out;
17185 				}
17186 			}
17187 
17188 			nla_nest_end(msg, nl_freqs);
17189 		}
17190 
17191 		nla_nest_end(msg, nl_match);
17192 	}
17193 
17194 out:
17195 	nla_nest_end(msg, nl_results);
17196 	return 0;
17197 }
17198 
17199 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
17200 				   struct cfg80211_wowlan_wakeup *wakeup,
17201 				   gfp_t gfp)
17202 {
17203 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17204 	struct sk_buff *msg;
17205 	void *hdr;
17206 	int size = 200;
17207 
17208 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
17209 
17210 	if (wakeup)
17211 		size += wakeup->packet_present_len;
17212 
17213 	msg = nlmsg_new(size, gfp);
17214 	if (!msg)
17215 		return;
17216 
17217 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
17218 	if (!hdr)
17219 		goto free_msg;
17220 
17221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17222 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17223 			      NL80211_ATTR_PAD))
17224 		goto free_msg;
17225 
17226 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17227 					wdev->netdev->ifindex))
17228 		goto free_msg;
17229 
17230 	if (wakeup) {
17231 		struct nlattr *reasons;
17232 
17233 		reasons = nla_nest_start_noflag(msg,
17234 						NL80211_ATTR_WOWLAN_TRIGGERS);
17235 		if (!reasons)
17236 			goto free_msg;
17237 
17238 		if (wakeup->disconnect &&
17239 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17240 			goto free_msg;
17241 		if (wakeup->magic_pkt &&
17242 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17243 			goto free_msg;
17244 		if (wakeup->gtk_rekey_failure &&
17245 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17246 			goto free_msg;
17247 		if (wakeup->eap_identity_req &&
17248 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17249 			goto free_msg;
17250 		if (wakeup->four_way_handshake &&
17251 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17252 			goto free_msg;
17253 		if (wakeup->rfkill_release &&
17254 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17255 			goto free_msg;
17256 
17257 		if (wakeup->pattern_idx >= 0 &&
17258 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17259 				wakeup->pattern_idx))
17260 			goto free_msg;
17261 
17262 		if (wakeup->tcp_match &&
17263 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17264 			goto free_msg;
17265 
17266 		if (wakeup->tcp_connlost &&
17267 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17268 			goto free_msg;
17269 
17270 		if (wakeup->tcp_nomoretokens &&
17271 		    nla_put_flag(msg,
17272 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17273 			goto free_msg;
17274 
17275 		if (wakeup->packet) {
17276 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17277 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17278 
17279 			if (!wakeup->packet_80211) {
17280 				pkt_attr =
17281 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17282 				len_attr =
17283 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17284 			}
17285 
17286 			if (wakeup->packet_len &&
17287 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17288 				goto free_msg;
17289 
17290 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17291 				    wakeup->packet))
17292 				goto free_msg;
17293 		}
17294 
17295 		if (wakeup->net_detect &&
17296 		    cfg80211_net_detect_results(msg, wakeup))
17297 				goto free_msg;
17298 
17299 		nla_nest_end(msg, reasons);
17300 	}
17301 
17302 	genlmsg_end(msg, hdr);
17303 
17304 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17305 				NL80211_MCGRP_MLME, gfp);
17306 	return;
17307 
17308  free_msg:
17309 	nlmsg_free(msg);
17310 }
17311 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17312 #endif
17313 
17314 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17315 				enum nl80211_tdls_operation oper,
17316 				u16 reason_code, gfp_t gfp)
17317 {
17318 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17319 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17320 	struct sk_buff *msg;
17321 	void *hdr;
17322 
17323 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17324 					 reason_code);
17325 
17326 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17327 	if (!msg)
17328 		return;
17329 
17330 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17331 	if (!hdr) {
17332 		nlmsg_free(msg);
17333 		return;
17334 	}
17335 
17336 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17337 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17338 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17339 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17340 	    (reason_code > 0 &&
17341 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17342 		goto nla_put_failure;
17343 
17344 	genlmsg_end(msg, hdr);
17345 
17346 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17347 				NL80211_MCGRP_MLME, gfp);
17348 	return;
17349 
17350  nla_put_failure:
17351 	nlmsg_free(msg);
17352 }
17353 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17354 
17355 static int nl80211_netlink_notify(struct notifier_block * nb,
17356 				  unsigned long state,
17357 				  void *_notify)
17358 {
17359 	struct netlink_notify *notify = _notify;
17360 	struct cfg80211_registered_device *rdev;
17361 	struct wireless_dev *wdev;
17362 	struct cfg80211_beacon_registration *reg, *tmp;
17363 
17364 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17365 		return NOTIFY_DONE;
17366 
17367 	rcu_read_lock();
17368 
17369 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17370 		struct cfg80211_sched_scan_request *sched_scan_req;
17371 
17372 		list_for_each_entry_rcu(sched_scan_req,
17373 					&rdev->sched_scan_req_list,
17374 					list) {
17375 			if (sched_scan_req->owner_nlportid == notify->portid) {
17376 				sched_scan_req->nl_owner_dead = true;
17377 				schedule_work(&rdev->sched_scan_stop_wk);
17378 			}
17379 		}
17380 
17381 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17382 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17383 
17384 			if (wdev->owner_nlportid == notify->portid) {
17385 				wdev->nl_owner_dead = true;
17386 				schedule_work(&rdev->destroy_work);
17387 			} else if (wdev->conn_owner_nlportid == notify->portid) {
17388 				schedule_work(&wdev->disconnect_wk);
17389 			}
17390 
17391 			cfg80211_release_pmsr(wdev, notify->portid);
17392 		}
17393 
17394 		spin_lock_bh(&rdev->beacon_registrations_lock);
17395 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17396 					 list) {
17397 			if (reg->nlportid == notify->portid) {
17398 				list_del(&reg->list);
17399 				kfree(reg);
17400 				break;
17401 			}
17402 		}
17403 		spin_unlock_bh(&rdev->beacon_registrations_lock);
17404 	}
17405 
17406 	rcu_read_unlock();
17407 
17408 	/*
17409 	 * It is possible that the user space process that is controlling the
17410 	 * indoor setting disappeared, so notify the regulatory core.
17411 	 */
17412 	regulatory_netlink_notify(notify->portid);
17413 	return NOTIFY_OK;
17414 }
17415 
17416 static struct notifier_block nl80211_netlink_notifier = {
17417 	.notifier_call = nl80211_netlink_notify,
17418 };
17419 
17420 void cfg80211_ft_event(struct net_device *netdev,
17421 		       struct cfg80211_ft_event_params *ft_event)
17422 {
17423 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17424 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17425 	struct sk_buff *msg;
17426 	void *hdr;
17427 
17428 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17429 
17430 	if (!ft_event->target_ap)
17431 		return;
17432 
17433 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17434 			GFP_KERNEL);
17435 	if (!msg)
17436 		return;
17437 
17438 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17439 	if (!hdr)
17440 		goto out;
17441 
17442 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17443 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17444 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17445 		goto out;
17446 
17447 	if (ft_event->ies &&
17448 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17449 		goto out;
17450 	if (ft_event->ric_ies &&
17451 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17452 		    ft_event->ric_ies))
17453 		goto out;
17454 
17455 	genlmsg_end(msg, hdr);
17456 
17457 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17458 				NL80211_MCGRP_MLME, GFP_KERNEL);
17459 	return;
17460  out:
17461 	nlmsg_free(msg);
17462 }
17463 EXPORT_SYMBOL(cfg80211_ft_event);
17464 
17465 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17466 {
17467 	struct cfg80211_registered_device *rdev;
17468 	struct sk_buff *msg;
17469 	void *hdr;
17470 	u32 nlportid;
17471 
17472 	rdev = wiphy_to_rdev(wdev->wiphy);
17473 	if (!rdev->crit_proto_nlportid)
17474 		return;
17475 
17476 	nlportid = rdev->crit_proto_nlportid;
17477 	rdev->crit_proto_nlportid = 0;
17478 
17479 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17480 	if (!msg)
17481 		return;
17482 
17483 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17484 	if (!hdr)
17485 		goto nla_put_failure;
17486 
17487 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17488 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17489 			      NL80211_ATTR_PAD))
17490 		goto nla_put_failure;
17491 
17492 	genlmsg_end(msg, hdr);
17493 
17494 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17495 	return;
17496 
17497  nla_put_failure:
17498 	nlmsg_free(msg);
17499 }
17500 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17501 
17502 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17503 {
17504 	struct wiphy *wiphy = wdev->wiphy;
17505 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17506 	struct sk_buff *msg;
17507 	void *hdr;
17508 
17509 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17510 	if (!msg)
17511 		return;
17512 
17513 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17514 	if (!hdr)
17515 		goto out;
17516 
17517 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17518 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17519 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17520 			      NL80211_ATTR_PAD))
17521 		goto out;
17522 
17523 	genlmsg_end(msg, hdr);
17524 
17525 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17526 				NL80211_MCGRP_MLME, GFP_KERNEL);
17527 	return;
17528  out:
17529 	nlmsg_free(msg);
17530 }
17531 
17532 int cfg80211_external_auth_request(struct net_device *dev,
17533 				   struct cfg80211_external_auth_params *params,
17534 				   gfp_t gfp)
17535 {
17536 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17537 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17538 	struct sk_buff *msg;
17539 	void *hdr;
17540 
17541 	if (!wdev->conn_owner_nlportid)
17542 		return -EINVAL;
17543 
17544 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17545 	if (!msg)
17546 		return -ENOMEM;
17547 
17548 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
17549 	if (!hdr)
17550 		goto nla_put_failure;
17551 
17552 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17553 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17554 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
17555 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
17556 			params->action) ||
17557 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
17558 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
17559 		    params->ssid.ssid))
17560 		goto nla_put_failure;
17561 
17562 	genlmsg_end(msg, hdr);
17563 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17564 			wdev->conn_owner_nlportid);
17565 	return 0;
17566 
17567  nla_put_failure:
17568 	nlmsg_free(msg);
17569 	return -ENOBUFS;
17570 }
17571 EXPORT_SYMBOL(cfg80211_external_auth_request);
17572 
17573 void cfg80211_update_owe_info_event(struct net_device *netdev,
17574 				    struct cfg80211_update_owe_info *owe_info,
17575 				    gfp_t gfp)
17576 {
17577 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17578 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17579 	struct sk_buff *msg;
17580 	void *hdr;
17581 
17582 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
17583 
17584 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17585 	if (!msg)
17586 		return;
17587 
17588 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
17589 	if (!hdr)
17590 		goto nla_put_failure;
17591 
17592 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17593 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17594 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
17595 		goto nla_put_failure;
17596 
17597 	if (!owe_info->ie_len ||
17598 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
17599 		goto nla_put_failure;
17600 
17601 	genlmsg_end(msg, hdr);
17602 
17603 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17604 				NL80211_MCGRP_MLME, gfp);
17605 	return;
17606 
17607 nla_put_failure:
17608 	genlmsg_cancel(msg, hdr);
17609 	nlmsg_free(msg);
17610 }
17611 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
17612 
17613 /* initialisation/exit functions */
17614 
17615 int __init nl80211_init(void)
17616 {
17617 	int err;
17618 
17619 	err = genl_register_family(&nl80211_fam);
17620 	if (err)
17621 		return err;
17622 
17623 	err = netlink_register_notifier(&nl80211_netlink_notifier);
17624 	if (err)
17625 		goto err_out;
17626 
17627 	return 0;
17628  err_out:
17629 	genl_unregister_family(&nl80211_fam);
17630 	return err;
17631 }
17632 
17633 void nl80211_exit(void)
17634 {
17635 	netlink_unregister_notifier(&nl80211_netlink_notifier);
17636 	genl_unregister_family(&nl80211_fam);
17637 }
17638