xref: /linux/net/wireless/nl80211.c (revision f72aa1b276281b4e4f75261af8425bc99d903f3e) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2024 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	for_each_rdev(rdev) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] = { .type = NLA_U8 },
319 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
320 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_BSS_COLOR] = { .type = NLA_U8 },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static const struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct netlink_range_validation q_range = {
471 	.max = INT_MAX,
472 };
473 
474 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
475 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
476 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
477 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
478 				      .len = 20-1 },
479 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
480 
481 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
482 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
483 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
484 						NL80211_EDMG_CHANNELS_MIN,
485 						NL80211_EDMG_CHANNELS_MAX),
486 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
487 						NL80211_EDMG_BW_CONFIG_MIN,
488 						NL80211_EDMG_BW_CONFIG_MAX),
489 
490 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
491 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
492 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
493 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
494 
495 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
496 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
497 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
498 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
499 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
500 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
501 
502 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
503 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
504 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
505 
506 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
507 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
508 
509 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
510 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
511 				    .len = WLAN_MAX_KEY_LEN },
512 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
513 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
514 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
515 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
516 	[NL80211_ATTR_KEY_TYPE] =
517 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
518 
519 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
520 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
521 	[NL80211_ATTR_BEACON_HEAD] =
522 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
523 				       IEEE80211_MAX_DATA_LEN),
524 	[NL80211_ATTR_BEACON_TAIL] =
525 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
526 				       IEEE80211_MAX_DATA_LEN),
527 	[NL80211_ATTR_STA_AID] =
528 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
529 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
530 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
531 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
532 					       .len = NL80211_MAX_SUPP_RATES },
533 	[NL80211_ATTR_STA_PLINK_ACTION] =
534 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
535 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
536 		NLA_POLICY_RANGE(NLA_U8,
537 				 NL80211_TX_POWER_AUTOMATIC,
538 				 NL80211_TX_POWER_FIXED),
539 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
540 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
541 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
542 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
543 				   .len = IEEE80211_MAX_MESH_ID_LEN },
544 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
545 
546 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
547 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
548 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
549 
550 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
551 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
552 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
553 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
554 					   .len = NL80211_MAX_SUPP_RATES },
555 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
556 
557 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
558 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
559 
560 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
561 
562 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
563 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
564 						   validate_ie_attr,
565 						   IEEE80211_MAX_DATA_LEN),
566 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
567 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
568 
569 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
570 				.len = IEEE80211_MAX_SSID_LEN },
571 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
572 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
573 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
574 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
575 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
576 						  NL80211_MFP_NO,
577 						  NL80211_MFP_OPTIONAL),
578 	[NL80211_ATTR_STA_FLAGS2] =
579 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
580 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
583 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
584 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
585 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
586 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
587 	[NL80211_ATTR_WPA_VERSIONS] =
588 		NLA_POLICY_RANGE(NLA_U32, 0,
589 				 NL80211_WPA_VERSION_1 |
590 				 NL80211_WPA_VERSION_2 |
591 				 NL80211_WPA_VERSION_3),
592 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
593 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
594 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
595 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
596 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
597 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
598 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
599 				 .len = IEEE80211_MAX_DATA_LEN },
600 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
601 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
602 						   NL80211_PS_DISABLED,
603 						   NL80211_PS_ENABLED),
604 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
605 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
607 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
608 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
609 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
610 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
611 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
612 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
613 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
614 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
615 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_STA_PLINK_STATE] =
617 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
618 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
619 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
620 	[NL80211_ATTR_MESH_PEER_AID] =
621 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
622 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
623 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
624 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
625 	[NL80211_ATTR_HIDDEN_SSID] =
626 		NLA_POLICY_RANGE(NLA_U32,
627 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
628 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
629 	[NL80211_ATTR_IE_PROBE_RESP] =
630 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
631 				       IEEE80211_MAX_DATA_LEN),
632 	[NL80211_ATTR_IE_ASSOC_RESP] =
633 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
634 				       IEEE80211_MAX_DATA_LEN),
635 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
637 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
638 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
640 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
641 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
642 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
643 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
645 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
646 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
647 				      .len = IEEE80211_MAX_DATA_LEN },
648 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
649 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
650 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
651 		.len = NL80211_HT_CAPABILITY_LEN
652 	},
653 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
654 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
655 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
656 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
657 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
658 
659 	/* need to include at least Auth Transaction and Status Code */
660 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
661 
662 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
663 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
664 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
665 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
666 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
667 		NLA_POLICY_RANGE(NLA_U32,
668 				 NL80211_MESH_POWER_UNKNOWN + 1,
669 				 NL80211_MESH_POWER_MAX),
670 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
671 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
672 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
673 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
674 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
675 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
677 		.len = NL80211_VHT_CAPABILITY_LEN,
678 	},
679 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
680 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
681 				  .len = IEEE80211_MAX_DATA_LEN },
682 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
683 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
684 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
685 	[NL80211_ATTR_PEER_AID] =
686 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
687 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
688 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
689 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
690 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
691 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
692 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
693 	/*
694 	 * The value of the Length field of the Supported Operating
695 	 * Classes element is between 2 and 253.
696 	 */
697 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
698 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
699 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
700 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
701 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
702 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
703 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
705 						  IEEE80211_QOS_MAP_LEN_MIN,
706 						  IEEE80211_QOS_MAP_LEN_MAX),
707 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
708 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
709 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
710 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
712 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
714 	[NL80211_ATTR_USER_PRIO] =
715 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
716 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
717 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
718 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
719 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
720 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
721 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
722 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
723 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
724 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
725 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
726 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
727 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
728 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
729 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
730 	},
731 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
733 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
734 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
735 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
736 				    .len = FILS_MAX_KEK_LEN },
737 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
738 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
739 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
740 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
741 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
742 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
743 	},
744 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
745 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
746 					     .len = FILS_ERP_MAX_USERNAME_LEN },
747 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
748 					  .len = FILS_ERP_MAX_REALM_LEN },
749 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
750 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
751 					.len = FILS_ERP_MAX_RRK_LEN },
752 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
753 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
754 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
755 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
756 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
757 
758 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
759 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
760 	[NL80211_ATTR_TXQ_QUANTUM] = NLA_POLICY_FULL_RANGE(NLA_U32, &q_range),
761 	[NL80211_ATTR_HE_CAPABILITY] =
762 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
763 				       NL80211_HE_MAX_CAPABILITY_LEN),
764 	[NL80211_ATTR_FTM_RESPONDER] =
765 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
766 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
767 	[NL80211_ATTR_PEER_MEASUREMENTS] =
768 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
769 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
770 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
771 					.len = SAE_PASSWORD_MAX_LEN },
772 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
773 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
774 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
775 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
776 	[NL80211_ATTR_TID_CONFIG] =
777 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
778 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
779 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
780 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
781 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
782 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
783 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
784 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
785 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
786 	[NL80211_ATTR_FILS_DISCOVERY] =
787 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
788 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
789 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
790 	[NL80211_ATTR_S1G_CAPABILITY] =
791 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
792 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
793 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
794 	[NL80211_ATTR_SAE_PWE] =
795 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
796 				 NL80211_SAE_PWE_BOTH),
797 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
798 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
799 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
801 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
802 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
803 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
804 	[NL80211_ATTR_MBSSID_CONFIG] =
805 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
806 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
807 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
808 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
809 	[NL80211_ATTR_EHT_CAPABILITY] =
810 		NLA_POLICY_RANGE(NLA_BINARY,
811 				 NL80211_EHT_MIN_CAPABILITY_LEN,
812 				 NL80211_EHT_MAX_CAPABILITY_LEN),
813 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
814 	[NL80211_ATTR_MLO_LINKS] =
815 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
816 	[NL80211_ATTR_MLO_LINK_ID] =
817 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
818 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
819 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
820 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
821 	[NL80211_ATTR_PUNCT_BITMAP] =
822 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
823 
824 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
825 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
826 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
827 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
828 	[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA] = { .type = NLA_FLAG },
829 	[NL80211_ATTR_MLO_TTLM_DLINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
830 	[NL80211_ATTR_MLO_TTLM_ULINK] = NLA_POLICY_EXACT_LEN(sizeof(u16) * 8),
831 	[NL80211_ATTR_ASSOC_SPP_AMSDU] = { .type = NLA_FLAG },
832 	[NL80211_ATTR_VIF_RADIO_MASK] = { .type = NLA_U32 },
833 };
834 
835 /* policy for the key attributes */
836 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
837 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
838 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
839 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
840 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
841 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
842 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
843 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
844 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
845 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
846 };
847 
848 /* policy for the key default flags */
849 static const struct nla_policy
850 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
851 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
852 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
853 };
854 
855 #ifdef CONFIG_PM
856 /* policy for WoWLAN attributes */
857 static const struct nla_policy
858 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
859 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
860 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
861 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
862 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
863 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
864 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
865 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
866 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
867 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
868 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
869 };
870 
871 static const struct nla_policy
872 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
873 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
874 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
875 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
876 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
877 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
878 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
879 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
880 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
881 	},
882 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
883 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
884 	},
885 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
886 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
887 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
888 };
889 #endif /* CONFIG_PM */
890 
891 /* policy for coalesce rule attributes */
892 static const struct nla_policy
893 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
894 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
895 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
896 		NLA_POLICY_RANGE(NLA_U32,
897 				 NL80211_COALESCE_CONDITION_MATCH,
898 				 NL80211_COALESCE_CONDITION_NO_MATCH),
899 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
900 };
901 
902 /* policy for GTK rekey offload attributes */
903 static const struct nla_policy
904 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
905 	[NL80211_REKEY_DATA_KEK] = {
906 		.type = NLA_BINARY,
907 		.len = NL80211_KEK_EXT_LEN
908 	},
909 	[NL80211_REKEY_DATA_KCK] = {
910 		.type = NLA_BINARY,
911 		.len = NL80211_KCK_EXT_LEN_32
912 	},
913 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
914 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
915 };
916 
917 static const struct nla_policy
918 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
919 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
920 						 .len = IEEE80211_MAX_SSID_LEN },
921 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
922 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
923 };
924 
925 static const struct nla_policy
926 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
927 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
928 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
929 };
930 
931 static const struct nla_policy
932 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
933 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
934 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
935 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
936 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
937 	},
938 };
939 
940 /* policy for NAN function attributes */
941 static const struct nla_policy
942 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
943 	[NL80211_NAN_FUNC_TYPE] =
944 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
945 	[NL80211_NAN_FUNC_SERVICE_ID] = {
946 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
947 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
948 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
949 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
951 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
952 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
953 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
954 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
955 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
956 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
957 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
959 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
960 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
961 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
962 };
963 
964 /* policy for Service Response Filter attributes */
965 static const struct nla_policy
966 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
967 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
968 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
969 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
970 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
971 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
972 };
973 
974 /* policy for packet pattern attributes */
975 static const struct nla_policy
976 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
977 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
978 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
979 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
980 };
981 
982 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
983 				     struct cfg80211_registered_device **rdev,
984 				     struct wireless_dev **wdev,
985 				     struct nlattr **attrbuf)
986 {
987 	int err;
988 
989 	if (!cb->args[0]) {
990 		struct nlattr **attrbuf_free = NULL;
991 
992 		if (!attrbuf) {
993 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
994 					  GFP_KERNEL);
995 			if (!attrbuf)
996 				return -ENOMEM;
997 			attrbuf_free = attrbuf;
998 		}
999 
1000 		err = nlmsg_parse_deprecated(cb->nlh,
1001 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1002 					     attrbuf, nl80211_fam.maxattr,
1003 					     nl80211_policy, NULL);
1004 		if (err) {
1005 			kfree(attrbuf_free);
1006 			return err;
1007 		}
1008 
1009 		rtnl_lock();
1010 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1011 						   attrbuf);
1012 		kfree(attrbuf_free);
1013 		if (IS_ERR(*wdev)) {
1014 			rtnl_unlock();
1015 			return PTR_ERR(*wdev);
1016 		}
1017 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1018 		mutex_lock(&(*rdev)->wiphy.mtx);
1019 		rtnl_unlock();
1020 		/* 0 is the first index - add 1 to parse only once */
1021 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1022 		cb->args[1] = (*wdev)->identifier;
1023 	} else {
1024 		/* subtract the 1 again here */
1025 		struct wiphy *wiphy;
1026 		struct wireless_dev *tmp;
1027 
1028 		rtnl_lock();
1029 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1030 		if (!wiphy) {
1031 			rtnl_unlock();
1032 			return -ENODEV;
1033 		}
1034 		*rdev = wiphy_to_rdev(wiphy);
1035 		*wdev = NULL;
1036 
1037 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1038 			if (tmp->identifier == cb->args[1]) {
1039 				*wdev = tmp;
1040 				break;
1041 			}
1042 		}
1043 
1044 		if (!*wdev) {
1045 			rtnl_unlock();
1046 			return -ENODEV;
1047 		}
1048 		mutex_lock(&(*rdev)->wiphy.mtx);
1049 		rtnl_unlock();
1050 	}
1051 
1052 	return 0;
1053 }
1054 
1055 /* message building helper */
1056 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1057 		     int flags, u8 cmd)
1058 {
1059 	/* since there is no private header just add the generic one */
1060 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1061 }
1062 
1063 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1064 				     const struct ieee80211_reg_rule *rule)
1065 {
1066 	int j;
1067 	struct nlattr *nl_wmm_rules =
1068 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1069 
1070 	if (!nl_wmm_rules)
1071 		goto nla_put_failure;
1072 
1073 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1074 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1075 
1076 		if (!nl_wmm_rule)
1077 			goto nla_put_failure;
1078 
1079 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1080 				rule->wmm_rule.client[j].cw_min) ||
1081 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1082 				rule->wmm_rule.client[j].cw_max) ||
1083 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1084 			       rule->wmm_rule.client[j].aifsn) ||
1085 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1086 			        rule->wmm_rule.client[j].cot))
1087 			goto nla_put_failure;
1088 
1089 		nla_nest_end(msg, nl_wmm_rule);
1090 	}
1091 	nla_nest_end(msg, nl_wmm_rules);
1092 
1093 	return 0;
1094 
1095 nla_put_failure:
1096 	return -ENOBUFS;
1097 }
1098 
1099 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1100 				   struct ieee80211_channel *chan,
1101 				   bool large)
1102 {
1103 	/* Some channels must be completely excluded from the
1104 	 * list to protect old user-space tools from breaking
1105 	 */
1106 	if (!large && chan->flags &
1107 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1108 		return 0;
1109 	if (!large && chan->freq_offset)
1110 		return 0;
1111 
1112 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1113 			chan->center_freq))
1114 		goto nla_put_failure;
1115 
1116 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1117 		goto nla_put_failure;
1118 
1119 	if ((chan->flags & IEEE80211_CHAN_PSD) &&
1120 	    nla_put_s8(msg, NL80211_FREQUENCY_ATTR_PSD, chan->psd))
1121 		goto nla_put_failure;
1122 
1123 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1124 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1125 		goto nla_put_failure;
1126 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1127 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1128 			goto nla_put_failure;
1129 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1130 			goto nla_put_failure;
1131 	}
1132 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1133 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1134 			goto nla_put_failure;
1135 		if (large) {
1136 			u32 time;
1137 
1138 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1139 
1140 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1141 					chan->dfs_state))
1142 				goto nla_put_failure;
1143 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1144 					time))
1145 				goto nla_put_failure;
1146 			if (nla_put_u32(msg,
1147 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1148 					chan->dfs_cac_ms))
1149 				goto nla_put_failure;
1150 		}
1151 	}
1152 
1153 	if (large) {
1154 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1168 			goto nla_put_failure;
1169 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1170 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1171 			goto nla_put_failure;
1172 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1173 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1174 			goto nla_put_failure;
1175 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1176 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1177 			goto nla_put_failure;
1178 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1179 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1180 			goto nla_put_failure;
1181 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1182 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1183 			goto nla_put_failure;
1184 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1185 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1186 			goto nla_put_failure;
1187 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1188 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1189 			goto nla_put_failure;
1190 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1191 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1192 			goto nla_put_failure;
1193 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1194 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1195 			goto nla_put_failure;
1196 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1197 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1198 			goto nla_put_failure;
1199 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1200 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1201 			goto nla_put_failure;
1202 		if ((chan->flags & IEEE80211_CHAN_DFS_CONCURRENT) &&
1203 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DFS_CONCURRENT))
1204 			goto nla_put_failure;
1205 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_VLP_CLIENT) &&
1206 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_VLP_CLIENT))
1207 			goto nla_put_failure;
1208 		if ((chan->flags & IEEE80211_CHAN_NO_6GHZ_AFC_CLIENT) &&
1209 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_6GHZ_AFC_CLIENT))
1210 			goto nla_put_failure;
1211 		if ((chan->flags & IEEE80211_CHAN_CAN_MONITOR) &&
1212 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_CAN_MONITOR))
1213 			goto nla_put_failure;
1214 		if ((chan->flags & IEEE80211_CHAN_ALLOW_6GHZ_VLP_AP) &&
1215 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_ALLOW_6GHZ_VLP_AP))
1216 			goto nla_put_failure;
1217 	}
1218 
1219 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1220 			DBM_TO_MBM(chan->max_power)))
1221 		goto nla_put_failure;
1222 
1223 	if (large) {
1224 		const struct ieee80211_reg_rule *rule =
1225 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1226 
1227 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1228 			if (nl80211_msg_put_wmm_rules(msg, rule))
1229 				goto nla_put_failure;
1230 		}
1231 	}
1232 
1233 	return 0;
1234 
1235  nla_put_failure:
1236 	return -ENOBUFS;
1237 }
1238 
1239 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1240 				  struct cfg80211_txq_stats *txqstats,
1241 				  int attrtype)
1242 {
1243 	struct nlattr *txqattr;
1244 
1245 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1246 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1247 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1248 		return false;						  \
1249 	} while (0)
1250 
1251 	txqattr = nla_nest_start_noflag(msg, attrtype);
1252 	if (!txqattr)
1253 		return false;
1254 
1255 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1256 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1257 	PUT_TXQVAL_U32(FLOWS, flows);
1258 	PUT_TXQVAL_U32(DROPS, drops);
1259 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1260 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1261 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1262 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1263 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1264 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1265 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1266 	nla_nest_end(msg, txqattr);
1267 
1268 #undef PUT_TXQVAL_U32
1269 	return true;
1270 }
1271 
1272 /* netlink command implementations */
1273 
1274 /**
1275  * nl80211_link_id - return link ID
1276  * @attrs: attributes to look at
1277  *
1278  * Returns: the link ID or 0 if not given
1279  *
1280  * Note this function doesn't do any validation of the link
1281  * ID validity wrt. links that were actually added, so it must
1282  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1283  * or if additional validation is done.
1284  */
1285 static unsigned int nl80211_link_id(struct nlattr **attrs)
1286 {
1287 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1288 
1289 	if (!linkid)
1290 		return 0;
1291 
1292 	return nla_get_u8(linkid);
1293 }
1294 
1295 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1296 {
1297 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1298 
1299 	if (!linkid)
1300 		return -1;
1301 
1302 	return nla_get_u8(linkid);
1303 }
1304 
1305 struct key_parse {
1306 	struct key_params p;
1307 	int idx;
1308 	int type;
1309 	bool def, defmgmt, defbeacon;
1310 	bool def_uni, def_multi;
1311 };
1312 
1313 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1314 				 struct key_parse *k)
1315 {
1316 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1317 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1318 					      nl80211_key_policy,
1319 					      info->extack);
1320 	if (err)
1321 		return err;
1322 
1323 	k->def = !!tb[NL80211_KEY_DEFAULT];
1324 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1325 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1326 
1327 	if (k->def) {
1328 		k->def_uni = true;
1329 		k->def_multi = true;
1330 	}
1331 	if (k->defmgmt || k->defbeacon)
1332 		k->def_multi = true;
1333 
1334 	if (tb[NL80211_KEY_IDX])
1335 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1336 
1337 	if (tb[NL80211_KEY_DATA]) {
1338 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1339 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1340 	}
1341 
1342 	if (tb[NL80211_KEY_SEQ]) {
1343 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1344 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1345 	}
1346 
1347 	if (tb[NL80211_KEY_CIPHER])
1348 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1349 
1350 	if (tb[NL80211_KEY_TYPE])
1351 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1352 
1353 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1354 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1355 
1356 		err = nla_parse_nested_deprecated(kdt,
1357 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1358 						  tb[NL80211_KEY_DEFAULT_TYPES],
1359 						  nl80211_key_default_policy,
1360 						  info->extack);
1361 		if (err)
1362 			return err;
1363 
1364 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1365 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1366 	}
1367 
1368 	if (tb[NL80211_KEY_MODE])
1369 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1370 
1371 	return 0;
1372 }
1373 
1374 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1375 {
1376 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1377 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1378 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1379 	}
1380 
1381 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1382 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1383 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1384 	}
1385 
1386 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1387 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1388 
1389 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1390 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1391 
1392 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1393 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1394 
1395 	if (k->def) {
1396 		k->def_uni = true;
1397 		k->def_multi = true;
1398 	}
1399 	if (k->defmgmt)
1400 		k->def_multi = true;
1401 
1402 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1403 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1404 
1405 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1406 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1407 		int err = nla_parse_nested_deprecated(kdt,
1408 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1409 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1410 						      nl80211_key_default_policy,
1411 						      info->extack);
1412 		if (err)
1413 			return err;
1414 
1415 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1416 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1417 	}
1418 
1419 	return 0;
1420 }
1421 
1422 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1423 {
1424 	int err;
1425 
1426 	memset(k, 0, sizeof(*k));
1427 	k->idx = -1;
1428 	k->type = -1;
1429 
1430 	if (info->attrs[NL80211_ATTR_KEY])
1431 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1432 	else
1433 		err = nl80211_parse_key_old(info, k);
1434 
1435 	if (err)
1436 		return err;
1437 
1438 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1439 	    (k->defbeacon ? 1 : 0) > 1) {
1440 		GENL_SET_ERR_MSG(info,
1441 				 "key with multiple default flags is invalid");
1442 		return -EINVAL;
1443 	}
1444 
1445 	if (k->defmgmt || k->defbeacon) {
1446 		if (k->def_uni || !k->def_multi) {
1447 			GENL_SET_ERR_MSG(info,
1448 					 "defmgmt/defbeacon key must be mcast");
1449 			return -EINVAL;
1450 		}
1451 	}
1452 
1453 	if (k->idx != -1) {
1454 		if (k->defmgmt) {
1455 			if (k->idx < 4 || k->idx > 5) {
1456 				GENL_SET_ERR_MSG(info,
1457 						 "defmgmt key idx not 4 or 5");
1458 				return -EINVAL;
1459 			}
1460 		} else if (k->defbeacon) {
1461 			if (k->idx < 6 || k->idx > 7) {
1462 				GENL_SET_ERR_MSG(info,
1463 						 "defbeacon key idx not 6 or 7");
1464 				return -EINVAL;
1465 			}
1466 		} else if (k->def) {
1467 			if (k->idx < 0 || k->idx > 3) {
1468 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1469 				return -EINVAL;
1470 			}
1471 		} else {
1472 			if (k->idx < 0 || k->idx > 7) {
1473 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1474 				return -EINVAL;
1475 			}
1476 		}
1477 	}
1478 
1479 	return 0;
1480 }
1481 
1482 static struct cfg80211_cached_keys *
1483 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1484 		       struct genl_info *info, bool *no_ht)
1485 {
1486 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1487 	struct key_parse parse;
1488 	struct nlattr *key;
1489 	struct cfg80211_cached_keys *result;
1490 	int rem, err, def = 0;
1491 	bool have_key = false;
1492 
1493 	nla_for_each_nested(key, keys, rem) {
1494 		have_key = true;
1495 		break;
1496 	}
1497 
1498 	if (!have_key)
1499 		return NULL;
1500 
1501 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1502 	if (!result)
1503 		return ERR_PTR(-ENOMEM);
1504 
1505 	result->def = -1;
1506 
1507 	nla_for_each_nested(key, keys, rem) {
1508 		memset(&parse, 0, sizeof(parse));
1509 		parse.idx = -1;
1510 
1511 		err = nl80211_parse_key_new(info, key, &parse);
1512 		if (err)
1513 			goto error;
1514 		err = -EINVAL;
1515 		if (!parse.p.key)
1516 			goto error;
1517 		if (parse.idx < 0 || parse.idx > 3) {
1518 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1519 			goto error;
1520 		}
1521 		if (parse.def) {
1522 			if (def) {
1523 				GENL_SET_ERR_MSG(info,
1524 						 "only one key can be default");
1525 				goto error;
1526 			}
1527 			def = 1;
1528 			result->def = parse.idx;
1529 			if (!parse.def_uni || !parse.def_multi)
1530 				goto error;
1531 		} else if (parse.defmgmt)
1532 			goto error;
1533 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1534 						     parse.idx, false, NULL);
1535 		if (err)
1536 			goto error;
1537 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1538 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1539 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1540 			err = -EINVAL;
1541 			goto error;
1542 		}
1543 		result->params[parse.idx].cipher = parse.p.cipher;
1544 		result->params[parse.idx].key_len = parse.p.key_len;
1545 		result->params[parse.idx].key = result->data[parse.idx];
1546 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1547 
1548 		/* must be WEP key if we got here */
1549 		if (no_ht)
1550 			*no_ht = true;
1551 	}
1552 
1553 	if (result->def < 0) {
1554 		err = -EINVAL;
1555 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1556 		goto error;
1557 	}
1558 
1559 	return result;
1560  error:
1561 	kfree(result);
1562 	return ERR_PTR(err);
1563 }
1564 
1565 static int nl80211_key_allowed(struct wireless_dev *wdev)
1566 {
1567 	lockdep_assert_wiphy(wdev->wiphy);
1568 
1569 	switch (wdev->iftype) {
1570 	case NL80211_IFTYPE_AP:
1571 	case NL80211_IFTYPE_AP_VLAN:
1572 	case NL80211_IFTYPE_P2P_GO:
1573 	case NL80211_IFTYPE_MESH_POINT:
1574 		break;
1575 	case NL80211_IFTYPE_ADHOC:
1576 		if (wdev->u.ibss.current_bss)
1577 			return 0;
1578 		return -ENOLINK;
1579 	case NL80211_IFTYPE_STATION:
1580 	case NL80211_IFTYPE_P2P_CLIENT:
1581 		if (wdev->connected)
1582 			return 0;
1583 		return -ENOLINK;
1584 	case NL80211_IFTYPE_NAN:
1585 		if (wiphy_ext_feature_isset(wdev->wiphy,
1586 					    NL80211_EXT_FEATURE_SECURE_NAN))
1587 			return 0;
1588 		return -EINVAL;
1589 	case NL80211_IFTYPE_UNSPECIFIED:
1590 	case NL80211_IFTYPE_OCB:
1591 	case NL80211_IFTYPE_MONITOR:
1592 	case NL80211_IFTYPE_P2P_DEVICE:
1593 	case NL80211_IFTYPE_WDS:
1594 	case NUM_NL80211_IFTYPES:
1595 		return -EINVAL;
1596 	}
1597 
1598 	return 0;
1599 }
1600 
1601 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1602 							u32 freq)
1603 {
1604 	struct ieee80211_channel *chan;
1605 
1606 	chan = ieee80211_get_channel_khz(wiphy, freq);
1607 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1608 		return NULL;
1609 	return chan;
1610 }
1611 
1612 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1613 {
1614 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1615 	int i;
1616 
1617 	if (!nl_modes)
1618 		goto nla_put_failure;
1619 
1620 	i = 0;
1621 	while (ifmodes) {
1622 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1623 			goto nla_put_failure;
1624 		ifmodes >>= 1;
1625 		i++;
1626 	}
1627 
1628 	nla_nest_end(msg, nl_modes);
1629 	return 0;
1630 
1631 nla_put_failure:
1632 	return -ENOBUFS;
1633 }
1634 
1635 static int nl80211_put_ifcomb_data(struct sk_buff *msg, bool large, int idx,
1636 				   const struct ieee80211_iface_combination *c,
1637 				   u16 nested)
1638 {
1639 	struct nlattr *nl_combi, *nl_limits;
1640 	int i;
1641 
1642 	nl_combi = nla_nest_start_noflag(msg, idx | nested);
1643 	if (!nl_combi)
1644 		goto nla_put_failure;
1645 
1646 	nl_limits = nla_nest_start_noflag(msg, NL80211_IFACE_COMB_LIMITS |
1647 					       nested);
1648 	if (!nl_limits)
1649 		goto nla_put_failure;
1650 
1651 	for (i = 0; i < c->n_limits; i++) {
1652 		struct nlattr *nl_limit;
1653 
1654 		nl_limit = nla_nest_start_noflag(msg, i + 1);
1655 		if (!nl_limit)
1656 			goto nla_put_failure;
1657 		if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX, c->limits[i].max))
1658 			goto nla_put_failure;
1659 		if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1660 					c->limits[i].types))
1661 			goto nla_put_failure;
1662 		nla_nest_end(msg, nl_limit);
1663 	}
1664 
1665 	nla_nest_end(msg, nl_limits);
1666 
1667 	if (c->beacon_int_infra_match &&
1668 	    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1669 		goto nla_put_failure;
1670 	if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1671 			c->num_different_channels) ||
1672 	    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1673 			c->max_interfaces))
1674 		goto nla_put_failure;
1675 	if (large &&
1676 	    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1677 			c->radar_detect_widths) ||
1678 	     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1679 			c->radar_detect_regions)))
1680 		goto nla_put_failure;
1681 	if (c->beacon_int_min_gcd &&
1682 	    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1683 			c->beacon_int_min_gcd))
1684 		goto nla_put_failure;
1685 
1686 	nla_nest_end(msg, nl_combi);
1687 
1688 	return 0;
1689 nla_put_failure:
1690 	return -ENOBUFS;
1691 }
1692 
1693 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1694 					  struct sk_buff *msg,
1695 					  int attr, int radio,
1696 					  bool large, u16 nested)
1697 {
1698 	const struct ieee80211_iface_combination *c;
1699 	struct nlattr *nl_combis;
1700 	int i, n;
1701 
1702 	nl_combis = nla_nest_start_noflag(msg, attr | nested);
1703 	if (!nl_combis)
1704 		goto nla_put_failure;
1705 
1706 	if (radio >= 0) {
1707 		c = wiphy->radio[0].iface_combinations;
1708 		n = wiphy->radio[0].n_iface_combinations;
1709 	} else {
1710 		c = wiphy->iface_combinations;
1711 		n = wiphy->n_iface_combinations;
1712 	}
1713 	for (i = 0; i < n; i++)
1714 		if (nl80211_put_ifcomb_data(msg, large, i + 1, &c[i], nested))
1715 			goto nla_put_failure;
1716 
1717 	nla_nest_end(msg, nl_combis);
1718 
1719 	return 0;
1720 nla_put_failure:
1721 	return -ENOBUFS;
1722 }
1723 
1724 #ifdef CONFIG_PM
1725 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1726 					struct sk_buff *msg)
1727 {
1728 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1729 	struct nlattr *nl_tcp;
1730 
1731 	if (!tcp)
1732 		return 0;
1733 
1734 	nl_tcp = nla_nest_start_noflag(msg,
1735 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1736 	if (!nl_tcp)
1737 		return -ENOBUFS;
1738 
1739 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1740 			tcp->data_payload_max))
1741 		return -ENOBUFS;
1742 
1743 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1744 			tcp->data_payload_max))
1745 		return -ENOBUFS;
1746 
1747 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1748 		return -ENOBUFS;
1749 
1750 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1751 				sizeof(*tcp->tok), tcp->tok))
1752 		return -ENOBUFS;
1753 
1754 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1755 			tcp->data_interval_max))
1756 		return -ENOBUFS;
1757 
1758 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1759 			tcp->wake_payload_max))
1760 		return -ENOBUFS;
1761 
1762 	nla_nest_end(msg, nl_tcp);
1763 	return 0;
1764 }
1765 
1766 static int nl80211_send_wowlan(struct sk_buff *msg,
1767 			       struct cfg80211_registered_device *rdev,
1768 			       bool large)
1769 {
1770 	struct nlattr *nl_wowlan;
1771 
1772 	if (!rdev->wiphy.wowlan)
1773 		return 0;
1774 
1775 	nl_wowlan = nla_nest_start_noflag(msg,
1776 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1777 	if (!nl_wowlan)
1778 		return -ENOBUFS;
1779 
1780 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1781 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1782 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1783 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1784 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1785 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1786 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1787 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1788 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1789 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1790 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1791 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1792 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1793 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1794 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1795 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1796 		return -ENOBUFS;
1797 
1798 	if (rdev->wiphy.wowlan->n_patterns) {
1799 		struct nl80211_pattern_support pat = {
1800 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1801 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1802 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1803 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1804 		};
1805 
1806 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1807 			    sizeof(pat), &pat))
1808 			return -ENOBUFS;
1809 	}
1810 
1811 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1812 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1813 			rdev->wiphy.wowlan->max_nd_match_sets))
1814 		return -ENOBUFS;
1815 
1816 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1817 		return -ENOBUFS;
1818 
1819 	nla_nest_end(msg, nl_wowlan);
1820 
1821 	return 0;
1822 }
1823 #endif
1824 
1825 static int nl80211_send_coalesce(struct sk_buff *msg,
1826 				 struct cfg80211_registered_device *rdev)
1827 {
1828 	struct nl80211_coalesce_rule_support rule;
1829 
1830 	if (!rdev->wiphy.coalesce)
1831 		return 0;
1832 
1833 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1834 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1835 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1836 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1837 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1838 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1839 
1840 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1841 		return -ENOBUFS;
1842 
1843 	return 0;
1844 }
1845 
1846 static int
1847 nl80211_send_iftype_data(struct sk_buff *msg,
1848 			 const struct ieee80211_supported_band *sband,
1849 			 const struct ieee80211_sband_iftype_data *iftdata)
1850 {
1851 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1852 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1853 
1854 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1855 				iftdata->types_mask))
1856 		return -ENOBUFS;
1857 
1858 	if (he_cap->has_he) {
1859 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1860 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1861 			    he_cap->he_cap_elem.mac_cap_info) ||
1862 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1863 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1864 			    he_cap->he_cap_elem.phy_cap_info) ||
1865 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1866 			    sizeof(he_cap->he_mcs_nss_supp),
1867 			    &he_cap->he_mcs_nss_supp) ||
1868 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1869 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1870 			return -ENOBUFS;
1871 	}
1872 
1873 	if (eht_cap->has_eht && he_cap->has_he) {
1874 		u8 mcs_nss_size, ppe_thresh_size;
1875 		u16 ppe_thres_hdr;
1876 		bool is_ap;
1877 
1878 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1879 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1880 
1881 		mcs_nss_size =
1882 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1883 						   &eht_cap->eht_cap_elem,
1884 						   is_ap);
1885 
1886 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1887 		ppe_thresh_size =
1888 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1889 					       eht_cap->eht_cap_elem.phy_cap_info);
1890 
1891 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1892 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1893 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1894 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1895 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1896 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1897 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1898 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1899 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1900 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1901 			return -ENOBUFS;
1902 	}
1903 
1904 	if (sband->band == NL80211_BAND_6GHZ &&
1905 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1906 		    sizeof(iftdata->he_6ghz_capa),
1907 		    &iftdata->he_6ghz_capa))
1908 		return -ENOBUFS;
1909 
1910 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1911 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1912 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1913 		return -ENOBUFS;
1914 
1915 	return 0;
1916 }
1917 
1918 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1919 				      struct ieee80211_supported_band *sband,
1920 				      bool large)
1921 {
1922 	struct nlattr *nl_rates, *nl_rate;
1923 	struct ieee80211_rate *rate;
1924 	int i;
1925 
1926 	/* add HT info */
1927 	if (sband->ht_cap.ht_supported &&
1928 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1929 		     sizeof(sband->ht_cap.mcs),
1930 		     &sband->ht_cap.mcs) ||
1931 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1932 			 sband->ht_cap.cap) ||
1933 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1934 			sband->ht_cap.ampdu_factor) ||
1935 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1936 			sband->ht_cap.ampdu_density)))
1937 		return -ENOBUFS;
1938 
1939 	/* add VHT info */
1940 	if (sband->vht_cap.vht_supported &&
1941 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1942 		     sizeof(sband->vht_cap.vht_mcs),
1943 		     &sband->vht_cap.vht_mcs) ||
1944 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1945 			 sband->vht_cap.cap)))
1946 		return -ENOBUFS;
1947 
1948 	if (large && sband->n_iftype_data) {
1949 		struct nlattr *nl_iftype_data =
1950 			nla_nest_start_noflag(msg,
1951 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1952 		const struct ieee80211_sband_iftype_data *iftd;
1953 		int err;
1954 
1955 		if (!nl_iftype_data)
1956 			return -ENOBUFS;
1957 
1958 		for_each_sband_iftype_data(sband, i, iftd) {
1959 			struct nlattr *iftdata;
1960 
1961 			iftdata = nla_nest_start_noflag(msg, i + 1);
1962 			if (!iftdata)
1963 				return -ENOBUFS;
1964 
1965 			err = nl80211_send_iftype_data(msg, sband, iftd);
1966 			if (err)
1967 				return err;
1968 
1969 			nla_nest_end(msg, iftdata);
1970 		}
1971 
1972 		nla_nest_end(msg, nl_iftype_data);
1973 	}
1974 
1975 	/* add EDMG info */
1976 	if (large && sband->edmg_cap.channels &&
1977 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1978 		       sband->edmg_cap.channels) ||
1979 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1980 		       sband->edmg_cap.bw_config)))
1981 
1982 		return -ENOBUFS;
1983 
1984 	/* add bitrates */
1985 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1986 	if (!nl_rates)
1987 		return -ENOBUFS;
1988 
1989 	for (i = 0; i < sband->n_bitrates; i++) {
1990 		nl_rate = nla_nest_start_noflag(msg, i);
1991 		if (!nl_rate)
1992 			return -ENOBUFS;
1993 
1994 		rate = &sband->bitrates[i];
1995 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1996 				rate->bitrate))
1997 			return -ENOBUFS;
1998 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1999 		    nla_put_flag(msg,
2000 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
2001 			return -ENOBUFS;
2002 
2003 		nla_nest_end(msg, nl_rate);
2004 	}
2005 
2006 	nla_nest_end(msg, nl_rates);
2007 
2008 	/* S1G capabilities */
2009 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
2010 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
2011 		     sizeof(sband->s1g_cap.cap),
2012 		     sband->s1g_cap.cap) ||
2013 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
2014 		     sizeof(sband->s1g_cap.nss_mcs),
2015 		     sband->s1g_cap.nss_mcs)))
2016 		return -ENOBUFS;
2017 
2018 	return 0;
2019 }
2020 
2021 static int
2022 nl80211_send_mgmt_stypes(struct sk_buff *msg,
2023 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
2024 {
2025 	u16 stypes;
2026 	struct nlattr *nl_ftypes, *nl_ifs;
2027 	enum nl80211_iftype ift;
2028 	int i;
2029 
2030 	if (!mgmt_stypes)
2031 		return 0;
2032 
2033 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
2034 	if (!nl_ifs)
2035 		return -ENOBUFS;
2036 
2037 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2038 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2039 		if (!nl_ftypes)
2040 			return -ENOBUFS;
2041 		i = 0;
2042 		stypes = mgmt_stypes[ift].tx;
2043 		while (stypes) {
2044 			if ((stypes & 1) &&
2045 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2046 					(i << 4) | IEEE80211_FTYPE_MGMT))
2047 				return -ENOBUFS;
2048 			stypes >>= 1;
2049 			i++;
2050 		}
2051 		nla_nest_end(msg, nl_ftypes);
2052 	}
2053 
2054 	nla_nest_end(msg, nl_ifs);
2055 
2056 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2057 	if (!nl_ifs)
2058 		return -ENOBUFS;
2059 
2060 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2061 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2062 		if (!nl_ftypes)
2063 			return -ENOBUFS;
2064 		i = 0;
2065 		stypes = mgmt_stypes[ift].rx;
2066 		while (stypes) {
2067 			if ((stypes & 1) &&
2068 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2069 					(i << 4) | IEEE80211_FTYPE_MGMT))
2070 				return -ENOBUFS;
2071 			stypes >>= 1;
2072 			i++;
2073 		}
2074 		nla_nest_end(msg, nl_ftypes);
2075 	}
2076 	nla_nest_end(msg, nl_ifs);
2077 
2078 	return 0;
2079 }
2080 
2081 #define CMD(op, n)							\
2082 	 do {								\
2083 		if (rdev->ops->op) {					\
2084 			i++;						\
2085 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2086 				goto nla_put_failure;			\
2087 		}							\
2088 	} while (0)
2089 
2090 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2091 					struct sk_buff *msg)
2092 {
2093 	int i = 0;
2094 
2095 	/*
2096 	 * do *NOT* add anything into this function, new things need to be
2097 	 * advertised only to new versions of userspace that can deal with
2098 	 * the split (and they can't possibly care about new features...
2099 	 */
2100 	CMD(add_virtual_intf, NEW_INTERFACE);
2101 	CMD(change_virtual_intf, SET_INTERFACE);
2102 	CMD(add_key, NEW_KEY);
2103 	CMD(start_ap, START_AP);
2104 	CMD(add_station, NEW_STATION);
2105 	CMD(add_mpath, NEW_MPATH);
2106 	CMD(update_mesh_config, SET_MESH_CONFIG);
2107 	CMD(change_bss, SET_BSS);
2108 	CMD(auth, AUTHENTICATE);
2109 	CMD(assoc, ASSOCIATE);
2110 	CMD(deauth, DEAUTHENTICATE);
2111 	CMD(disassoc, DISASSOCIATE);
2112 	CMD(join_ibss, JOIN_IBSS);
2113 	CMD(join_mesh, JOIN_MESH);
2114 	CMD(set_pmksa, SET_PMKSA);
2115 	CMD(del_pmksa, DEL_PMKSA);
2116 	CMD(flush_pmksa, FLUSH_PMKSA);
2117 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2118 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2119 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2120 	CMD(mgmt_tx, FRAME);
2121 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2122 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2123 		i++;
2124 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2125 			goto nla_put_failure;
2126 	}
2127 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2128 	    rdev->ops->join_mesh) {
2129 		i++;
2130 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2131 			goto nla_put_failure;
2132 	}
2133 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2134 		CMD(tdls_mgmt, TDLS_MGMT);
2135 		CMD(tdls_oper, TDLS_OPER);
2136 	}
2137 	if (rdev->wiphy.max_sched_scan_reqs)
2138 		CMD(sched_scan_start, START_SCHED_SCAN);
2139 	CMD(probe_client, PROBE_CLIENT);
2140 	CMD(set_noack_map, SET_NOACK_MAP);
2141 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2142 		i++;
2143 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2144 			goto nla_put_failure;
2145 	}
2146 	CMD(start_p2p_device, START_P2P_DEVICE);
2147 	CMD(set_mcast_rate, SET_MCAST_RATE);
2148 #ifdef CONFIG_NL80211_TESTMODE
2149 	CMD(testmode_cmd, TESTMODE);
2150 #endif
2151 
2152 	if (rdev->ops->connect || rdev->ops->auth) {
2153 		i++;
2154 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2155 			goto nla_put_failure;
2156 	}
2157 
2158 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2159 		i++;
2160 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2161 			goto nla_put_failure;
2162 	}
2163 
2164 	return i;
2165  nla_put_failure:
2166 	return -ENOBUFS;
2167 }
2168 
2169 static int
2170 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2171 			   struct sk_buff *msg)
2172 {
2173 	struct nlattr *ftm;
2174 
2175 	if (!cap->ftm.supported)
2176 		return 0;
2177 
2178 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2179 	if (!ftm)
2180 		return -ENOBUFS;
2181 
2182 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2183 		return -ENOBUFS;
2184 	if (cap->ftm.non_asap &&
2185 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2186 		return -ENOBUFS;
2187 	if (cap->ftm.request_lci &&
2188 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2189 		return -ENOBUFS;
2190 	if (cap->ftm.request_civicloc &&
2191 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2192 		return -ENOBUFS;
2193 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2194 			cap->ftm.preambles))
2195 		return -ENOBUFS;
2196 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2197 			cap->ftm.bandwidths))
2198 		return -ENOBUFS;
2199 	if (cap->ftm.max_bursts_exponent >= 0 &&
2200 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2201 			cap->ftm.max_bursts_exponent))
2202 		return -ENOBUFS;
2203 	if (cap->ftm.max_ftms_per_burst &&
2204 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2205 			cap->ftm.max_ftms_per_burst))
2206 		return -ENOBUFS;
2207 	if (cap->ftm.trigger_based &&
2208 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2209 		return -ENOBUFS;
2210 	if (cap->ftm.non_trigger_based &&
2211 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2212 		return -ENOBUFS;
2213 
2214 	nla_nest_end(msg, ftm);
2215 	return 0;
2216 }
2217 
2218 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2219 				  struct sk_buff *msg)
2220 {
2221 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2222 	struct nlattr *pmsr, *caps;
2223 
2224 	if (!cap)
2225 		return 0;
2226 
2227 	/*
2228 	 * we don't need to clean up anything here since the caller
2229 	 * will genlmsg_cancel() if we fail
2230 	 */
2231 
2232 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2233 	if (!pmsr)
2234 		return -ENOBUFS;
2235 
2236 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2237 		return -ENOBUFS;
2238 
2239 	if (cap->report_ap_tsf &&
2240 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2241 		return -ENOBUFS;
2242 
2243 	if (cap->randomize_mac_addr &&
2244 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2245 		return -ENOBUFS;
2246 
2247 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2248 	if (!caps)
2249 		return -ENOBUFS;
2250 
2251 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2252 		return -ENOBUFS;
2253 
2254 	nla_nest_end(msg, caps);
2255 	nla_nest_end(msg, pmsr);
2256 
2257 	return 0;
2258 }
2259 
2260 static int
2261 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2262 			      struct sk_buff *msg)
2263 {
2264 	int i;
2265 	struct nlattr *nested, *nested_akms;
2266 	const struct wiphy_iftype_akm_suites *iftype_akms;
2267 
2268 	if (!rdev->wiphy.num_iftype_akm_suites ||
2269 	    !rdev->wiphy.iftype_akm_suites)
2270 		return 0;
2271 
2272 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2273 	if (!nested)
2274 		return -ENOBUFS;
2275 
2276 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2277 		nested_akms = nla_nest_start(msg, i + 1);
2278 		if (!nested_akms)
2279 			return -ENOBUFS;
2280 
2281 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2282 
2283 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2284 					iftype_akms->iftypes_mask))
2285 			return -ENOBUFS;
2286 
2287 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2288 			    sizeof(u32) * iftype_akms->n_akm_suites,
2289 			    iftype_akms->akm_suites)) {
2290 			return -ENOBUFS;
2291 		}
2292 		nla_nest_end(msg, nested_akms);
2293 	}
2294 
2295 	nla_nest_end(msg, nested);
2296 
2297 	return 0;
2298 }
2299 
2300 static int
2301 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2302 			       struct sk_buff *msg)
2303 {
2304 	struct nlattr *supp;
2305 
2306 	if (!rdev->wiphy.tid_config_support.vif &&
2307 	    !rdev->wiphy.tid_config_support.peer)
2308 		return 0;
2309 
2310 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2311 	if (!supp)
2312 		return -ENOSPC;
2313 
2314 	if (rdev->wiphy.tid_config_support.vif &&
2315 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2316 			      rdev->wiphy.tid_config_support.vif,
2317 			      NL80211_TID_CONFIG_ATTR_PAD))
2318 		goto fail;
2319 
2320 	if (rdev->wiphy.tid_config_support.peer &&
2321 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2322 			      rdev->wiphy.tid_config_support.peer,
2323 			      NL80211_TID_CONFIG_ATTR_PAD))
2324 		goto fail;
2325 
2326 	/* for now we just use the same value ... makes more sense */
2327 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2328 		       rdev->wiphy.tid_config_support.max_retry))
2329 		goto fail;
2330 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2331 		       rdev->wiphy.tid_config_support.max_retry))
2332 		goto fail;
2333 
2334 	nla_nest_end(msg, supp);
2335 
2336 	return 0;
2337 fail:
2338 	nla_nest_cancel(msg, supp);
2339 	return -ENOBUFS;
2340 }
2341 
2342 static int
2343 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2344 		      struct sk_buff *msg)
2345 {
2346 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2347 	u8 num_freq_ranges;
2348 	int i;
2349 
2350 	if (!rdev->wiphy.sar_capa)
2351 		return 0;
2352 
2353 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2354 
2355 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2356 	if (!sar_capa)
2357 		return -ENOSPC;
2358 
2359 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2360 		goto fail;
2361 
2362 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2363 	if (!specs)
2364 		goto fail;
2365 
2366 	/* report supported freq_ranges */
2367 	for (i = 0; i < num_freq_ranges; i++) {
2368 		sub_freq_range = nla_nest_start(msg, i + 1);
2369 		if (!sub_freq_range)
2370 			goto fail;
2371 
2372 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2373 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2374 			goto fail;
2375 
2376 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2377 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2378 			goto fail;
2379 
2380 		nla_nest_end(msg, sub_freq_range);
2381 	}
2382 
2383 	nla_nest_end(msg, specs);
2384 	nla_nest_end(msg, sar_capa);
2385 
2386 	return 0;
2387 fail:
2388 	nla_nest_cancel(msg, sar_capa);
2389 	return -ENOBUFS;
2390 }
2391 
2392 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2393 {
2394 	struct nlattr *config;
2395 
2396 	if (!wiphy->mbssid_max_interfaces)
2397 		return 0;
2398 
2399 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2400 	if (!config)
2401 		return -ENOBUFS;
2402 
2403 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2404 		       wiphy->mbssid_max_interfaces))
2405 		goto fail;
2406 
2407 	if (wiphy->ema_max_profile_periodicity &&
2408 	    nla_put_u8(msg,
2409 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2410 		       wiphy->ema_max_profile_periodicity))
2411 		goto fail;
2412 
2413 	nla_nest_end(msg, config);
2414 	return 0;
2415 
2416 fail:
2417 	nla_nest_cancel(msg, config);
2418 	return -ENOBUFS;
2419 }
2420 
2421 static int nl80211_put_radio(struct wiphy *wiphy, struct sk_buff *msg, int idx)
2422 {
2423 	const struct wiphy_radio *r = &wiphy->radio[idx];
2424 	struct nlattr *radio, *freq;
2425 	int i;
2426 
2427 	radio = nla_nest_start(msg, idx);
2428 	if (!radio)
2429 		return -ENOBUFS;
2430 
2431 	if (nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_INDEX, idx))
2432 		goto nla_put_failure;
2433 
2434 	if (r->antenna_mask &&
2435 	    nla_put_u32(msg, NL80211_WIPHY_RADIO_ATTR_ANTENNA_MASK,
2436 			r->antenna_mask))
2437 		goto nla_put_failure;
2438 
2439 	for (i = 0; i < r->n_freq_range; i++) {
2440 		const struct wiphy_radio_freq_range *range = &r->freq_range[i];
2441 
2442 		freq = nla_nest_start(msg, NL80211_WIPHY_RADIO_ATTR_FREQ_RANGE);
2443 		if (!freq)
2444 			goto nla_put_failure;
2445 
2446 		if (nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_START,
2447 				range->start_freq) ||
2448 		    nla_put_u32(msg, NL80211_WIPHY_RADIO_FREQ_ATTR_END,
2449 				range->end_freq))
2450 			goto nla_put_failure;
2451 
2452 		nla_nest_end(msg, freq);
2453 	}
2454 
2455 	for (i = 0; i < r->n_iface_combinations; i++)
2456 		if (nl80211_put_ifcomb_data(msg, true,
2457 					    NL80211_WIPHY_RADIO_ATTR_INTERFACE_COMBINATION,
2458 					    &r->iface_combinations[i],
2459 					    NLA_F_NESTED))
2460 			goto nla_put_failure;
2461 
2462 	nla_nest_end(msg, radio);
2463 
2464 	return 0;
2465 
2466 nla_put_failure:
2467 	return -ENOBUFS;
2468 }
2469 
2470 static int nl80211_put_radios(struct wiphy *wiphy, struct sk_buff *msg)
2471 {
2472 	struct nlattr *radios;
2473 	int i;
2474 
2475 	if (!wiphy->n_radio)
2476 		return 0;
2477 
2478 	radios = nla_nest_start(msg, NL80211_ATTR_WIPHY_RADIOS);
2479 	if (!radios)
2480 		return -ENOBUFS;
2481 
2482 	for (i = 0; i < wiphy->n_radio; i++)
2483 		if (nl80211_put_radio(wiphy, msg, i))
2484 			goto fail;
2485 
2486 	nla_nest_end(msg, radios);
2487 
2488 	if (nl80211_put_iface_combinations(wiphy, msg,
2489 					   NL80211_ATTR_WIPHY_INTERFACE_COMBINATIONS,
2490 					   -1, true, NLA_F_NESTED))
2491 		return -ENOBUFS;
2492 
2493 	return 0;
2494 
2495 fail:
2496 	nla_nest_cancel(msg, radios);
2497 	return -ENOBUFS;
2498 }
2499 
2500 struct nl80211_dump_wiphy_state {
2501 	s64 filter_wiphy;
2502 	long start;
2503 	long split_start, band_start, chan_start, capa_start;
2504 	bool split;
2505 };
2506 
2507 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2508 			      enum nl80211_commands cmd,
2509 			      struct sk_buff *msg, u32 portid, u32 seq,
2510 			      int flags, struct nl80211_dump_wiphy_state *state)
2511 {
2512 	void *hdr;
2513 	struct nlattr *nl_bands, *nl_band;
2514 	struct nlattr *nl_freqs, *nl_freq;
2515 	struct nlattr *nl_cmds;
2516 	enum nl80211_band band;
2517 	struct ieee80211_channel *chan;
2518 	int i;
2519 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2520 				rdev->wiphy.mgmt_stypes;
2521 	u32 features;
2522 
2523 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2524 	if (!hdr)
2525 		return -ENOBUFS;
2526 
2527 	if (WARN_ON(!state))
2528 		return -EINVAL;
2529 
2530 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2531 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2532 			   wiphy_name(&rdev->wiphy)) ||
2533 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2534 			cfg80211_rdev_list_generation))
2535 		goto nla_put_failure;
2536 
2537 	if (cmd != NL80211_CMD_NEW_WIPHY)
2538 		goto finish;
2539 
2540 	switch (state->split_start) {
2541 	case 0:
2542 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2543 			       rdev->wiphy.retry_short) ||
2544 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2545 			       rdev->wiphy.retry_long) ||
2546 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2547 				rdev->wiphy.frag_threshold) ||
2548 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2549 				rdev->wiphy.rts_threshold) ||
2550 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2551 			       rdev->wiphy.coverage_class) ||
2552 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2553 			       rdev->wiphy.max_scan_ssids) ||
2554 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2555 			       rdev->wiphy.max_sched_scan_ssids) ||
2556 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2557 				rdev->wiphy.max_scan_ie_len) ||
2558 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2559 				rdev->wiphy.max_sched_scan_ie_len) ||
2560 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2561 			       rdev->wiphy.max_match_sets))
2562 			goto nla_put_failure;
2563 
2564 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2565 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2566 			goto nla_put_failure;
2567 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2568 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2569 			goto nla_put_failure;
2570 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2571 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2572 			goto nla_put_failure;
2573 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2574 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2575 			goto nla_put_failure;
2576 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2577 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2578 			goto nla_put_failure;
2579 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2580 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2581 			goto nla_put_failure;
2582 		state->split_start++;
2583 		if (state->split)
2584 			break;
2585 		fallthrough;
2586 	case 1:
2587 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2588 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2589 			    rdev->wiphy.cipher_suites))
2590 			goto nla_put_failure;
2591 
2592 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2593 			       rdev->wiphy.max_num_pmkids))
2594 			goto nla_put_failure;
2595 
2596 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2597 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2598 			goto nla_put_failure;
2599 
2600 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2601 				rdev->wiphy.available_antennas_tx) ||
2602 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2603 				rdev->wiphy.available_antennas_rx))
2604 			goto nla_put_failure;
2605 
2606 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2607 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2608 				rdev->wiphy.probe_resp_offload))
2609 			goto nla_put_failure;
2610 
2611 		if ((rdev->wiphy.available_antennas_tx ||
2612 		     rdev->wiphy.available_antennas_rx) &&
2613 		    rdev->ops->get_antenna) {
2614 			u32 tx_ant = 0, rx_ant = 0;
2615 			int res;
2616 
2617 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2618 			if (!res) {
2619 				if (nla_put_u32(msg,
2620 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2621 						tx_ant) ||
2622 				    nla_put_u32(msg,
2623 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2624 						rx_ant))
2625 					goto nla_put_failure;
2626 			}
2627 		}
2628 
2629 		state->split_start++;
2630 		if (state->split)
2631 			break;
2632 		fallthrough;
2633 	case 2:
2634 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2635 					rdev->wiphy.interface_modes))
2636 				goto nla_put_failure;
2637 		state->split_start++;
2638 		if (state->split)
2639 			break;
2640 		fallthrough;
2641 	case 3:
2642 		nl_bands = nla_nest_start_noflag(msg,
2643 						 NL80211_ATTR_WIPHY_BANDS);
2644 		if (!nl_bands)
2645 			goto nla_put_failure;
2646 
2647 		for (band = state->band_start;
2648 		     band < (state->split ?
2649 				NUM_NL80211_BANDS :
2650 				NL80211_BAND_60GHZ + 1);
2651 		     band++) {
2652 			struct ieee80211_supported_band *sband;
2653 
2654 			/* omit higher bands for ancient software */
2655 			if (band > NL80211_BAND_5GHZ && !state->split)
2656 				break;
2657 
2658 			sband = rdev->wiphy.bands[band];
2659 
2660 			if (!sband)
2661 				continue;
2662 
2663 			nl_band = nla_nest_start_noflag(msg, band);
2664 			if (!nl_band)
2665 				goto nla_put_failure;
2666 
2667 			switch (state->chan_start) {
2668 			case 0:
2669 				if (nl80211_send_band_rateinfo(msg, sband,
2670 							       state->split))
2671 					goto nla_put_failure;
2672 				state->chan_start++;
2673 				if (state->split)
2674 					break;
2675 				fallthrough;
2676 			default:
2677 				/* add frequencies */
2678 				nl_freqs = nla_nest_start_noflag(msg,
2679 								 NL80211_BAND_ATTR_FREQS);
2680 				if (!nl_freqs)
2681 					goto nla_put_failure;
2682 
2683 				for (i = state->chan_start - 1;
2684 				     i < sband->n_channels;
2685 				     i++) {
2686 					nl_freq = nla_nest_start_noflag(msg,
2687 									i);
2688 					if (!nl_freq)
2689 						goto nla_put_failure;
2690 
2691 					chan = &sband->channels[i];
2692 
2693 					if (nl80211_msg_put_channel(
2694 							msg, &rdev->wiphy, chan,
2695 							state->split))
2696 						goto nla_put_failure;
2697 
2698 					nla_nest_end(msg, nl_freq);
2699 					if (state->split)
2700 						break;
2701 				}
2702 				if (i < sband->n_channels)
2703 					state->chan_start = i + 2;
2704 				else
2705 					state->chan_start = 0;
2706 				nla_nest_end(msg, nl_freqs);
2707 			}
2708 
2709 			nla_nest_end(msg, nl_band);
2710 
2711 			if (state->split) {
2712 				/* start again here */
2713 				if (state->chan_start)
2714 					band--;
2715 				break;
2716 			}
2717 		}
2718 		nla_nest_end(msg, nl_bands);
2719 
2720 		if (band < NUM_NL80211_BANDS)
2721 			state->band_start = band + 1;
2722 		else
2723 			state->band_start = 0;
2724 
2725 		/* if bands & channels are done, continue outside */
2726 		if (state->band_start == 0 && state->chan_start == 0)
2727 			state->split_start++;
2728 		if (state->split)
2729 			break;
2730 		fallthrough;
2731 	case 4:
2732 		nl_cmds = nla_nest_start_noflag(msg,
2733 						NL80211_ATTR_SUPPORTED_COMMANDS);
2734 		if (!nl_cmds)
2735 			goto nla_put_failure;
2736 
2737 		i = nl80211_add_commands_unsplit(rdev, msg);
2738 		if (i < 0)
2739 			goto nla_put_failure;
2740 		if (state->split) {
2741 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2742 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2743 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2744 				CMD(channel_switch, CHANNEL_SWITCH);
2745 			CMD(set_qos_map, SET_QOS_MAP);
2746 			if (rdev->wiphy.features &
2747 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2748 				CMD(add_tx_ts, ADD_TX_TS);
2749 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2750 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2751 			CMD(update_ft_ies, UPDATE_FT_IES);
2752 			if (rdev->wiphy.sar_capa)
2753 				CMD(set_sar_specs, SET_SAR_SPECS);
2754 		}
2755 #undef CMD
2756 
2757 		nla_nest_end(msg, nl_cmds);
2758 		state->split_start++;
2759 		if (state->split)
2760 			break;
2761 		fallthrough;
2762 	case 5:
2763 		if (rdev->ops->remain_on_channel &&
2764 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2765 		    nla_put_u32(msg,
2766 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2767 				rdev->wiphy.max_remain_on_channel_duration))
2768 			goto nla_put_failure;
2769 
2770 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2771 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2772 			goto nla_put_failure;
2773 
2774 		state->split_start++;
2775 		if (state->split)
2776 			break;
2777 		fallthrough;
2778 	case 6:
2779 #ifdef CONFIG_PM
2780 		if (nl80211_send_wowlan(msg, rdev, state->split))
2781 			goto nla_put_failure;
2782 		state->split_start++;
2783 		if (state->split)
2784 			break;
2785 #else
2786 		state->split_start++;
2787 #endif
2788 		fallthrough;
2789 	case 7:
2790 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2791 					rdev->wiphy.software_iftypes))
2792 			goto nla_put_failure;
2793 
2794 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2795 						   NL80211_ATTR_INTERFACE_COMBINATIONS,
2796 						   rdev->wiphy.n_radio ? 0 : -1,
2797 						   state->split, 0))
2798 			goto nla_put_failure;
2799 
2800 		state->split_start++;
2801 		if (state->split)
2802 			break;
2803 		fallthrough;
2804 	case 8:
2805 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2806 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2807 				rdev->wiphy.ap_sme_capa))
2808 			goto nla_put_failure;
2809 
2810 		features = rdev->wiphy.features;
2811 		/*
2812 		 * We can only add the per-channel limit information if the
2813 		 * dump is split, otherwise it makes it too big. Therefore
2814 		 * only advertise it in that case.
2815 		 */
2816 		if (state->split)
2817 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2818 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2819 			goto nla_put_failure;
2820 
2821 		if (rdev->wiphy.ht_capa_mod_mask &&
2822 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2823 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2824 			    rdev->wiphy.ht_capa_mod_mask))
2825 			goto nla_put_failure;
2826 
2827 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2828 		    rdev->wiphy.max_acl_mac_addrs &&
2829 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2830 				rdev->wiphy.max_acl_mac_addrs))
2831 			goto nla_put_failure;
2832 
2833 		/*
2834 		 * Any information below this point is only available to
2835 		 * applications that can deal with it being split. This
2836 		 * helps ensure that newly added capabilities don't break
2837 		 * older tools by overrunning their buffers.
2838 		 *
2839 		 * We still increment split_start so that in the split
2840 		 * case we'll continue with more data in the next round,
2841 		 * but break unconditionally so unsplit data stops here.
2842 		 */
2843 		if (state->split)
2844 			state->split_start++;
2845 		else
2846 			state->split_start = 0;
2847 		break;
2848 	case 9:
2849 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2850 			goto nla_put_failure;
2851 
2852 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2853 				rdev->wiphy.max_sched_scan_plans) ||
2854 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2855 				rdev->wiphy.max_sched_scan_plan_interval) ||
2856 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2857 				rdev->wiphy.max_sched_scan_plan_iterations))
2858 			goto nla_put_failure;
2859 
2860 		if (rdev->wiphy.extended_capabilities &&
2861 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2862 			     rdev->wiphy.extended_capabilities_len,
2863 			     rdev->wiphy.extended_capabilities) ||
2864 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2865 			     rdev->wiphy.extended_capabilities_len,
2866 			     rdev->wiphy.extended_capabilities_mask)))
2867 			goto nla_put_failure;
2868 
2869 		if (rdev->wiphy.vht_capa_mod_mask &&
2870 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2871 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2872 			    rdev->wiphy.vht_capa_mod_mask))
2873 			goto nla_put_failure;
2874 
2875 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2876 			    rdev->wiphy.perm_addr))
2877 			goto nla_put_failure;
2878 
2879 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2880 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2881 			    rdev->wiphy.addr_mask))
2882 			goto nla_put_failure;
2883 
2884 		if (rdev->wiphy.n_addresses > 1) {
2885 			void *attr;
2886 
2887 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2888 			if (!attr)
2889 				goto nla_put_failure;
2890 
2891 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2892 				if (nla_put(msg, i + 1, ETH_ALEN,
2893 					    rdev->wiphy.addresses[i].addr))
2894 					goto nla_put_failure;
2895 
2896 			nla_nest_end(msg, attr);
2897 		}
2898 
2899 		state->split_start++;
2900 		break;
2901 	case 10:
2902 		if (nl80211_send_coalesce(msg, rdev))
2903 			goto nla_put_failure;
2904 
2905 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2906 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2907 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2908 			goto nla_put_failure;
2909 
2910 		if (rdev->wiphy.max_ap_assoc_sta &&
2911 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2912 				rdev->wiphy.max_ap_assoc_sta))
2913 			goto nla_put_failure;
2914 
2915 		state->split_start++;
2916 		break;
2917 	case 11:
2918 		if (rdev->wiphy.n_vendor_commands) {
2919 			const struct nl80211_vendor_cmd_info *info;
2920 			struct nlattr *nested;
2921 
2922 			nested = nla_nest_start_noflag(msg,
2923 						       NL80211_ATTR_VENDOR_DATA);
2924 			if (!nested)
2925 				goto nla_put_failure;
2926 
2927 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2928 				info = &rdev->wiphy.vendor_commands[i].info;
2929 				if (nla_put(msg, i + 1, sizeof(*info), info))
2930 					goto nla_put_failure;
2931 			}
2932 			nla_nest_end(msg, nested);
2933 		}
2934 
2935 		if (rdev->wiphy.n_vendor_events) {
2936 			const struct nl80211_vendor_cmd_info *info;
2937 			struct nlattr *nested;
2938 
2939 			nested = nla_nest_start_noflag(msg,
2940 						       NL80211_ATTR_VENDOR_EVENTS);
2941 			if (!nested)
2942 				goto nla_put_failure;
2943 
2944 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2945 				info = &rdev->wiphy.vendor_events[i];
2946 				if (nla_put(msg, i + 1, sizeof(*info), info))
2947 					goto nla_put_failure;
2948 			}
2949 			nla_nest_end(msg, nested);
2950 		}
2951 		state->split_start++;
2952 		break;
2953 	case 12:
2954 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2955 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2956 			       rdev->wiphy.max_num_csa_counters))
2957 			goto nla_put_failure;
2958 
2959 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2960 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2961 			goto nla_put_failure;
2962 
2963 		if (rdev->wiphy.max_sched_scan_reqs &&
2964 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2965 				rdev->wiphy.max_sched_scan_reqs))
2966 			goto nla_put_failure;
2967 
2968 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2969 			    sizeof(rdev->wiphy.ext_features),
2970 			    rdev->wiphy.ext_features))
2971 			goto nla_put_failure;
2972 
2973 		if (rdev->wiphy.bss_select_support) {
2974 			struct nlattr *nested;
2975 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2976 
2977 			nested = nla_nest_start_noflag(msg,
2978 						       NL80211_ATTR_BSS_SELECT);
2979 			if (!nested)
2980 				goto nla_put_failure;
2981 
2982 			i = 0;
2983 			while (bss_select_support) {
2984 				if ((bss_select_support & 1) &&
2985 				    nla_put_flag(msg, i))
2986 					goto nla_put_failure;
2987 				i++;
2988 				bss_select_support >>= 1;
2989 			}
2990 			nla_nest_end(msg, nested);
2991 		}
2992 
2993 		state->split_start++;
2994 		break;
2995 	case 13:
2996 		if (rdev->wiphy.num_iftype_ext_capab &&
2997 		    rdev->wiphy.iftype_ext_capab) {
2998 			struct nlattr *nested_ext_capab, *nested;
2999 
3000 			nested = nla_nest_start_noflag(msg,
3001 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
3002 			if (!nested)
3003 				goto nla_put_failure;
3004 
3005 			for (i = state->capa_start;
3006 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
3007 				const struct wiphy_iftype_ext_capab *capab;
3008 
3009 				capab = &rdev->wiphy.iftype_ext_capab[i];
3010 
3011 				nested_ext_capab = nla_nest_start_noflag(msg,
3012 									 i);
3013 				if (!nested_ext_capab ||
3014 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
3015 						capab->iftype) ||
3016 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
3017 					    capab->extended_capabilities_len,
3018 					    capab->extended_capabilities) ||
3019 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
3020 					    capab->extended_capabilities_len,
3021 					    capab->extended_capabilities_mask))
3022 					goto nla_put_failure;
3023 
3024 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
3025 				    (nla_put_u16(msg,
3026 						 NL80211_ATTR_EML_CAPABILITY,
3027 						 capab->eml_capabilities) ||
3028 				     nla_put_u16(msg,
3029 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
3030 						 capab->mld_capa_and_ops)))
3031 					goto nla_put_failure;
3032 
3033 				nla_nest_end(msg, nested_ext_capab);
3034 				if (state->split)
3035 					break;
3036 			}
3037 			nla_nest_end(msg, nested);
3038 			if (i < rdev->wiphy.num_iftype_ext_capab) {
3039 				state->capa_start = i + 1;
3040 				break;
3041 			}
3042 		}
3043 
3044 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
3045 				rdev->wiphy.nan_supported_bands))
3046 			goto nla_put_failure;
3047 
3048 		if (wiphy_ext_feature_isset(&rdev->wiphy,
3049 					    NL80211_EXT_FEATURE_TXQS)) {
3050 			struct cfg80211_txq_stats txqstats = {};
3051 			int res;
3052 
3053 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
3054 			if (!res &&
3055 			    !nl80211_put_txq_stats(msg, &txqstats,
3056 						   NL80211_ATTR_TXQ_STATS))
3057 				goto nla_put_failure;
3058 
3059 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
3060 					rdev->wiphy.txq_limit))
3061 				goto nla_put_failure;
3062 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
3063 					rdev->wiphy.txq_memory_limit))
3064 				goto nla_put_failure;
3065 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
3066 					rdev->wiphy.txq_quantum))
3067 				goto nla_put_failure;
3068 		}
3069 
3070 		state->split_start++;
3071 		break;
3072 	case 14:
3073 		if (nl80211_send_pmsr_capa(rdev, msg))
3074 			goto nla_put_failure;
3075 
3076 		state->split_start++;
3077 		break;
3078 	case 15:
3079 		if (rdev->wiphy.akm_suites &&
3080 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
3081 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
3082 			    rdev->wiphy.akm_suites))
3083 			goto nla_put_failure;
3084 
3085 		if (nl80211_put_iftype_akm_suites(rdev, msg))
3086 			goto nla_put_failure;
3087 
3088 		if (nl80211_put_tid_config_support(rdev, msg))
3089 			goto nla_put_failure;
3090 		state->split_start++;
3091 		break;
3092 	case 16:
3093 		if (nl80211_put_sar_specs(rdev, msg))
3094 			goto nla_put_failure;
3095 
3096 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
3097 			goto nla_put_failure;
3098 
3099 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
3100 				rdev->wiphy.max_num_akm_suites))
3101 			goto nla_put_failure;
3102 
3103 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
3104 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
3105 
3106 		if (rdev->wiphy.hw_timestamp_max_peers &&
3107 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
3108 				rdev->wiphy.hw_timestamp_max_peers))
3109 			goto nla_put_failure;
3110 
3111 		state->split_start++;
3112 		break;
3113 	case 17:
3114 		if (nl80211_put_radios(&rdev->wiphy, msg))
3115 			goto nla_put_failure;
3116 
3117 		/* done */
3118 		state->split_start = 0;
3119 		break;
3120 	}
3121  finish:
3122 	genlmsg_end(msg, hdr);
3123 	return 0;
3124 
3125  nla_put_failure:
3126 	genlmsg_cancel(msg, hdr);
3127 	return -EMSGSIZE;
3128 }
3129 
3130 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3131 				    struct netlink_callback *cb,
3132 				    struct nl80211_dump_wiphy_state *state)
3133 {
3134 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3135 	int ret;
3136 
3137 	if (!tb)
3138 		return -ENOMEM;
3139 
3140 	ret = nlmsg_parse_deprecated(cb->nlh,
3141 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3142 				     tb, nl80211_fam.maxattr,
3143 				     nl80211_policy, NULL);
3144 	/* ignore parse errors for backward compatibility */
3145 	if (ret) {
3146 		ret = 0;
3147 		goto out;
3148 	}
3149 
3150 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3151 	if (tb[NL80211_ATTR_WIPHY])
3152 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3153 	if (tb[NL80211_ATTR_WDEV])
3154 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3155 	if (tb[NL80211_ATTR_IFINDEX]) {
3156 		struct net_device *netdev;
3157 		struct cfg80211_registered_device *rdev;
3158 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3159 
3160 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3161 		if (!netdev) {
3162 			ret = -ENODEV;
3163 			goto out;
3164 		}
3165 		if (netdev->ieee80211_ptr) {
3166 			rdev = wiphy_to_rdev(
3167 				netdev->ieee80211_ptr->wiphy);
3168 			state->filter_wiphy = rdev->wiphy_idx;
3169 		}
3170 	}
3171 
3172 	ret = 0;
3173 out:
3174 	kfree(tb);
3175 	return ret;
3176 }
3177 
3178 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3179 {
3180 	int idx = 0, ret;
3181 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3182 	struct cfg80211_registered_device *rdev;
3183 
3184 	rtnl_lock();
3185 	if (!state) {
3186 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3187 		if (!state) {
3188 			rtnl_unlock();
3189 			return -ENOMEM;
3190 		}
3191 		state->filter_wiphy = -1;
3192 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3193 		if (ret) {
3194 			kfree(state);
3195 			rtnl_unlock();
3196 			return ret;
3197 		}
3198 		cb->args[0] = (long)state;
3199 	}
3200 
3201 	for_each_rdev(rdev) {
3202 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3203 			continue;
3204 		if (++idx <= state->start)
3205 			continue;
3206 		if (state->filter_wiphy != -1 &&
3207 		    state->filter_wiphy != rdev->wiphy_idx)
3208 			continue;
3209 		wiphy_lock(&rdev->wiphy);
3210 		/* attempt to fit multiple wiphy data chunks into the skb */
3211 		do {
3212 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3213 						 skb,
3214 						 NETLINK_CB(cb->skb).portid,
3215 						 cb->nlh->nlmsg_seq,
3216 						 NLM_F_MULTI, state);
3217 			if (ret < 0) {
3218 				/*
3219 				 * If sending the wiphy data didn't fit (ENOBUFS
3220 				 * or EMSGSIZE returned), this SKB is still
3221 				 * empty (so it's not too big because another
3222 				 * wiphy dataset is already in the skb) and
3223 				 * we've not tried to adjust the dump allocation
3224 				 * yet ... then adjust the alloc size to be
3225 				 * bigger, and return 1 but with the empty skb.
3226 				 * This results in an empty message being RX'ed
3227 				 * in userspace, but that is ignored.
3228 				 *
3229 				 * We can then retry with the larger buffer.
3230 				 */
3231 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3232 				    !skb->len && !state->split &&
3233 				    cb->min_dump_alloc < 4096) {
3234 					cb->min_dump_alloc = 4096;
3235 					state->split_start = 0;
3236 					wiphy_unlock(&rdev->wiphy);
3237 					rtnl_unlock();
3238 					return 1;
3239 				}
3240 				idx--;
3241 				break;
3242 			}
3243 		} while (state->split_start > 0);
3244 		wiphy_unlock(&rdev->wiphy);
3245 		break;
3246 	}
3247 	rtnl_unlock();
3248 
3249 	state->start = idx;
3250 
3251 	return skb->len;
3252 }
3253 
3254 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3255 {
3256 	kfree((void *)cb->args[0]);
3257 	return 0;
3258 }
3259 
3260 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3261 {
3262 	struct sk_buff *msg;
3263 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3264 	struct nl80211_dump_wiphy_state state = {};
3265 
3266 	msg = nlmsg_new(4096, GFP_KERNEL);
3267 	if (!msg)
3268 		return -ENOMEM;
3269 
3270 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3271 			       info->snd_portid, info->snd_seq, 0,
3272 			       &state) < 0) {
3273 		nlmsg_free(msg);
3274 		return -ENOBUFS;
3275 	}
3276 
3277 	return genlmsg_reply(msg, info);
3278 }
3279 
3280 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3281 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3282 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3283 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3284 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3285 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3286 };
3287 
3288 static int parse_txq_params(struct nlattr *tb[],
3289 			    struct ieee80211_txq_params *txq_params)
3290 {
3291 	u8 ac;
3292 
3293 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3294 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3295 	    !tb[NL80211_TXQ_ATTR_AIFS])
3296 		return -EINVAL;
3297 
3298 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3299 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3300 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3301 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3302 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3303 
3304 	if (ac >= NL80211_NUM_ACS)
3305 		return -EINVAL;
3306 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3307 	return 0;
3308 }
3309 
3310 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3311 {
3312 	/*
3313 	 * You can only set the channel explicitly for some interfaces,
3314 	 * most have their channel managed via their respective
3315 	 * "establish a connection" command (connect, join, ...)
3316 	 *
3317 	 * For AP/GO and mesh mode, the channel can be set with the
3318 	 * channel userspace API, but is only stored and passed to the
3319 	 * low-level driver when the AP starts or the mesh is joined.
3320 	 * This is for backward compatibility, userspace can also give
3321 	 * the channel in the start-ap or join-mesh commands instead.
3322 	 *
3323 	 * Monitors are special as they are normally slaved to
3324 	 * whatever else is going on, so they have their own special
3325 	 * operation to set the monitor channel if possible.
3326 	 */
3327 	return !wdev ||
3328 		wdev->iftype == NL80211_IFTYPE_AP ||
3329 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3330 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3331 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3332 }
3333 
3334 static int _nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3335 				  struct genl_info *info, bool monitor,
3336 				  struct cfg80211_chan_def *chandef)
3337 {
3338 	struct netlink_ext_ack *extack = info->extack;
3339 	struct nlattr **attrs = info->attrs;
3340 	u32 control_freq;
3341 
3342 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3343 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3344 				    "Frequency is missing");
3345 		return -EINVAL;
3346 	}
3347 
3348 	control_freq = MHZ_TO_KHZ(
3349 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3350 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3351 		control_freq +=
3352 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3353 
3354 	memset(chandef, 0, sizeof(*chandef));
3355 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3356 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3357 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3358 	chandef->freq1_offset = control_freq % 1000;
3359 	chandef->center_freq2 = 0;
3360 
3361 	if (!chandef->chan) {
3362 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3363 				    "Unknown channel");
3364 		return -EINVAL;
3365 	}
3366 
3367 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3368 		enum nl80211_channel_type chantype;
3369 
3370 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3371 
3372 		switch (chantype) {
3373 		case NL80211_CHAN_NO_HT:
3374 		case NL80211_CHAN_HT20:
3375 		case NL80211_CHAN_HT40PLUS:
3376 		case NL80211_CHAN_HT40MINUS:
3377 			cfg80211_chandef_create(chandef, chandef->chan,
3378 						chantype);
3379 			/* user input for center_freq is incorrect */
3380 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3381 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3382 				NL_SET_ERR_MSG_ATTR(extack,
3383 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3384 						    "bad center frequency 1");
3385 				return -EINVAL;
3386 			}
3387 			/* center_freq2 must be zero */
3388 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3389 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3390 				NL_SET_ERR_MSG_ATTR(extack,
3391 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3392 						    "center frequency 2 can't be used");
3393 				return -EINVAL;
3394 			}
3395 			break;
3396 		default:
3397 			NL_SET_ERR_MSG_ATTR(extack,
3398 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3399 					    "invalid channel type");
3400 			return -EINVAL;
3401 		}
3402 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3403 		chandef->width =
3404 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3405 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3406 			/* User input error for channel width doesn't match channel  */
3407 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3408 				NL_SET_ERR_MSG_ATTR(extack,
3409 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3410 						    "bad channel width");
3411 				return -EINVAL;
3412 			}
3413 		}
3414 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3415 			chandef->center_freq1 =
3416 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3417 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3418 				chandef->freq1_offset = nla_get_u32(
3419 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3420 			else
3421 				chandef->freq1_offset = 0;
3422 		}
3423 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3424 			chandef->center_freq2 =
3425 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3426 	}
3427 
3428 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3429 		chandef->edmg.channels =
3430 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3431 
3432 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3433 			chandef->edmg.bw_config =
3434 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3435 	} else {
3436 		chandef->edmg.bw_config = 0;
3437 		chandef->edmg.channels = 0;
3438 	}
3439 
3440 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
3441 		chandef->punctured =
3442 			nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3443 
3444 		if (chandef->punctured &&
3445 		    !wiphy_ext_feature_isset(&rdev->wiphy,
3446 					     NL80211_EXT_FEATURE_PUNCT)) {
3447 			NL_SET_ERR_MSG(extack,
3448 				       "driver doesn't support puncturing");
3449 			return -EINVAL;
3450 		}
3451 	}
3452 
3453 	if (!cfg80211_chandef_valid(chandef)) {
3454 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3455 		return -EINVAL;
3456 	}
3457 
3458 	if (!_cfg80211_chandef_usable(&rdev->wiphy, chandef,
3459 				      IEEE80211_CHAN_DISABLED,
3460 				      monitor ? IEEE80211_CHAN_CAN_MONITOR : 0)) {
3461 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3462 		return -EINVAL;
3463 	}
3464 
3465 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3466 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3467 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3468 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3469 		return -EINVAL;
3470 	}
3471 
3472 	return 0;
3473 }
3474 
3475 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3476 			  struct genl_info *info,
3477 			  struct cfg80211_chan_def *chandef)
3478 {
3479 	return _nl80211_parse_chandef(rdev, info, false, chandef);
3480 }
3481 
3482 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3483 				 struct net_device *dev,
3484 				 struct genl_info *info,
3485 				 int _link_id)
3486 {
3487 	struct cfg80211_chan_def chandef;
3488 	int result;
3489 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3490 	struct wireless_dev *wdev = NULL;
3491 	int link_id = _link_id;
3492 
3493 	if (dev)
3494 		wdev = dev->ieee80211_ptr;
3495 	if (!nl80211_can_set_dev_channel(wdev))
3496 		return -EOPNOTSUPP;
3497 	if (wdev)
3498 		iftype = wdev->iftype;
3499 
3500 	if (link_id < 0) {
3501 		if (wdev && wdev->valid_links)
3502 			return -EINVAL;
3503 		link_id = 0;
3504 	}
3505 
3506 	result = _nl80211_parse_chandef(rdev, info,
3507 					iftype == NL80211_IFTYPE_MONITOR,
3508 					&chandef);
3509 	if (result)
3510 		return result;
3511 
3512 	switch (iftype) {
3513 	case NL80211_IFTYPE_AP:
3514 	case NL80211_IFTYPE_P2P_GO:
3515 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3516 						   iftype))
3517 			return -EINVAL;
3518 		if (wdev->links[link_id].ap.beacon_interval) {
3519 			struct ieee80211_channel *cur_chan;
3520 
3521 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3522 			    !(rdev->wiphy.features &
3523 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3524 				return -EBUSY;
3525 
3526 			/* Only allow dynamic channel width changes */
3527 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3528 			if (chandef.chan != cur_chan)
3529 				return -EBUSY;
3530 
3531 			/* only allow this for regular channel widths */
3532 			switch (wdev->links[link_id].ap.chandef.width) {
3533 			case NL80211_CHAN_WIDTH_20_NOHT:
3534 			case NL80211_CHAN_WIDTH_20:
3535 			case NL80211_CHAN_WIDTH_40:
3536 			case NL80211_CHAN_WIDTH_80:
3537 			case NL80211_CHAN_WIDTH_80P80:
3538 			case NL80211_CHAN_WIDTH_160:
3539 			case NL80211_CHAN_WIDTH_320:
3540 				break;
3541 			default:
3542 				return -EINVAL;
3543 			}
3544 
3545 			switch (chandef.width) {
3546 			case NL80211_CHAN_WIDTH_20_NOHT:
3547 			case NL80211_CHAN_WIDTH_20:
3548 			case NL80211_CHAN_WIDTH_40:
3549 			case NL80211_CHAN_WIDTH_80:
3550 			case NL80211_CHAN_WIDTH_80P80:
3551 			case NL80211_CHAN_WIDTH_160:
3552 			case NL80211_CHAN_WIDTH_320:
3553 				break;
3554 			default:
3555 				return -EINVAL;
3556 			}
3557 
3558 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3559 						       &chandef);
3560 			if (result)
3561 				return result;
3562 			wdev->links[link_id].ap.chandef = chandef;
3563 		} else {
3564 			wdev->u.ap.preset_chandef = chandef;
3565 		}
3566 		return 0;
3567 	case NL80211_IFTYPE_MESH_POINT:
3568 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3569 	case NL80211_IFTYPE_MONITOR:
3570 		return cfg80211_set_monitor_channel(rdev, dev, &chandef);
3571 	default:
3572 		break;
3573 	}
3574 
3575 	return -EINVAL;
3576 }
3577 
3578 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3579 {
3580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3581 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3582 	struct net_device *netdev = info->user_ptr[1];
3583 
3584 	return __nl80211_set_channel(rdev, netdev, info, link_id);
3585 }
3586 
3587 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3588 {
3589 	struct cfg80211_registered_device *rdev = NULL;
3590 	struct net_device *netdev = NULL;
3591 	struct wireless_dev *wdev;
3592 	int result = 0, rem_txq_params = 0;
3593 	struct nlattr *nl_txq_params;
3594 	u32 changed;
3595 	u8 retry_short = 0, retry_long = 0;
3596 	u32 frag_threshold = 0, rts_threshold = 0;
3597 	u8 coverage_class = 0;
3598 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3599 
3600 	rtnl_lock();
3601 	/*
3602 	 * Try to find the wiphy and netdev. Normally this
3603 	 * function shouldn't need the netdev, but this is
3604 	 * done for backward compatibility -- previously
3605 	 * setting the channel was done per wiphy, but now
3606 	 * it is per netdev. Previous userland like hostapd
3607 	 * also passed a netdev to set_wiphy, so that it is
3608 	 * possible to let that go to the right netdev!
3609 	 */
3610 
3611 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3612 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3613 
3614 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3615 		if (netdev && netdev->ieee80211_ptr)
3616 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3617 		else
3618 			netdev = NULL;
3619 	}
3620 
3621 	if (!netdev) {
3622 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3623 						  info->attrs);
3624 		if (IS_ERR(rdev)) {
3625 			rtnl_unlock();
3626 			return PTR_ERR(rdev);
3627 		}
3628 		wdev = NULL;
3629 		netdev = NULL;
3630 		result = 0;
3631 	} else
3632 		wdev = netdev->ieee80211_ptr;
3633 
3634 	wiphy_lock(&rdev->wiphy);
3635 
3636 	/*
3637 	 * end workaround code, by now the rdev is available
3638 	 * and locked, and wdev may or may not be NULL.
3639 	 */
3640 
3641 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3642 		result = cfg80211_dev_rename(
3643 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3644 	rtnl_unlock();
3645 
3646 	if (result)
3647 		goto out;
3648 
3649 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3650 		struct ieee80211_txq_params txq_params;
3651 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3652 
3653 		if (!rdev->ops->set_txq_params) {
3654 			result = -EOPNOTSUPP;
3655 			goto out;
3656 		}
3657 
3658 		if (!netdev) {
3659 			result = -EINVAL;
3660 			goto out;
3661 		}
3662 
3663 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3664 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3665 			result = -EINVAL;
3666 			goto out;
3667 		}
3668 
3669 		if (!netif_running(netdev)) {
3670 			result = -ENETDOWN;
3671 			goto out;
3672 		}
3673 
3674 		nla_for_each_nested(nl_txq_params,
3675 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3676 				    rem_txq_params) {
3677 			result = nla_parse_nested_deprecated(tb,
3678 							     NL80211_TXQ_ATTR_MAX,
3679 							     nl_txq_params,
3680 							     txq_params_policy,
3681 							     info->extack);
3682 			if (result)
3683 				goto out;
3684 			result = parse_txq_params(tb, &txq_params);
3685 			if (result)
3686 				goto out;
3687 
3688 			txq_params.link_id =
3689 				nl80211_link_id_or_invalid(info->attrs);
3690 
3691 			if (txq_params.link_id >= 0 &&
3692 			    !(netdev->ieee80211_ptr->valid_links &
3693 			      BIT(txq_params.link_id)))
3694 				result = -ENOLINK;
3695 			else if (txq_params.link_id >= 0 &&
3696 				 !netdev->ieee80211_ptr->valid_links)
3697 				result = -EINVAL;
3698 			else
3699 				result = rdev_set_txq_params(rdev, netdev,
3700 							     &txq_params);
3701 			if (result)
3702 				goto out;
3703 		}
3704 	}
3705 
3706 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3707 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3708 
3709 		if (wdev) {
3710 			result = __nl80211_set_channel(
3711 				rdev,
3712 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3713 				info, link_id);
3714 		} else {
3715 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3716 		}
3717 
3718 		if (result)
3719 			goto out;
3720 	}
3721 
3722 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3723 		struct wireless_dev *txp_wdev = wdev;
3724 		enum nl80211_tx_power_setting type;
3725 		int idx, mbm = 0;
3726 
3727 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3728 			txp_wdev = NULL;
3729 
3730 		if (!rdev->ops->set_tx_power) {
3731 			result = -EOPNOTSUPP;
3732 			goto out;
3733 		}
3734 
3735 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3736 		type = nla_get_u32(info->attrs[idx]);
3737 
3738 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3739 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3740 			result = -EINVAL;
3741 			goto out;
3742 		}
3743 
3744 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3745 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3746 			mbm = nla_get_u32(info->attrs[idx]);
3747 		}
3748 
3749 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3750 		if (result)
3751 			goto out;
3752 	}
3753 
3754 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3755 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3756 		u32 tx_ant, rx_ant;
3757 
3758 		if ((!rdev->wiphy.available_antennas_tx &&
3759 		     !rdev->wiphy.available_antennas_rx) ||
3760 		    !rdev->ops->set_antenna) {
3761 			result = -EOPNOTSUPP;
3762 			goto out;
3763 		}
3764 
3765 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3766 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3767 
3768 		/* reject antenna configurations which don't match the
3769 		 * available antenna masks, except for the "all" mask */
3770 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3771 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3772 			result = -EINVAL;
3773 			goto out;
3774 		}
3775 
3776 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3777 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3778 
3779 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3780 		if (result)
3781 			goto out;
3782 	}
3783 
3784 	changed = 0;
3785 
3786 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3787 		retry_short = nla_get_u8(
3788 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3789 
3790 		changed |= WIPHY_PARAM_RETRY_SHORT;
3791 	}
3792 
3793 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3794 		retry_long = nla_get_u8(
3795 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3796 
3797 		changed |= WIPHY_PARAM_RETRY_LONG;
3798 	}
3799 
3800 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3801 		frag_threshold = nla_get_u32(
3802 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3803 		if (frag_threshold < 256) {
3804 			result = -EINVAL;
3805 			goto out;
3806 		}
3807 
3808 		if (frag_threshold != (u32) -1) {
3809 			/*
3810 			 * Fragments (apart from the last one) are required to
3811 			 * have even length. Make the fragmentation code
3812 			 * simpler by stripping LSB should someone try to use
3813 			 * odd threshold value.
3814 			 */
3815 			frag_threshold &= ~0x1;
3816 		}
3817 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3818 	}
3819 
3820 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3821 		rts_threshold = nla_get_u32(
3822 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3823 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3824 	}
3825 
3826 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3827 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3828 			result = -EINVAL;
3829 			goto out;
3830 		}
3831 
3832 		coverage_class = nla_get_u8(
3833 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3834 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3835 	}
3836 
3837 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3838 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3839 			result = -EOPNOTSUPP;
3840 			goto out;
3841 		}
3842 
3843 		changed |= WIPHY_PARAM_DYN_ACK;
3844 	}
3845 
3846 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3847 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3848 					     NL80211_EXT_FEATURE_TXQS)) {
3849 			result = -EOPNOTSUPP;
3850 			goto out;
3851 		}
3852 		txq_limit = nla_get_u32(
3853 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3854 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3855 	}
3856 
3857 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3858 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3859 					     NL80211_EXT_FEATURE_TXQS)) {
3860 			result = -EOPNOTSUPP;
3861 			goto out;
3862 		}
3863 		txq_memory_limit = nla_get_u32(
3864 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3865 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3866 	}
3867 
3868 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3869 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3870 					     NL80211_EXT_FEATURE_TXQS)) {
3871 			result = -EOPNOTSUPP;
3872 			goto out;
3873 		}
3874 		txq_quantum = nla_get_u32(
3875 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3876 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3877 	}
3878 
3879 	if (changed) {
3880 		u8 old_retry_short, old_retry_long;
3881 		u32 old_frag_threshold, old_rts_threshold;
3882 		u8 old_coverage_class;
3883 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3884 
3885 		if (!rdev->ops->set_wiphy_params) {
3886 			result = -EOPNOTSUPP;
3887 			goto out;
3888 		}
3889 
3890 		old_retry_short = rdev->wiphy.retry_short;
3891 		old_retry_long = rdev->wiphy.retry_long;
3892 		old_frag_threshold = rdev->wiphy.frag_threshold;
3893 		old_rts_threshold = rdev->wiphy.rts_threshold;
3894 		old_coverage_class = rdev->wiphy.coverage_class;
3895 		old_txq_limit = rdev->wiphy.txq_limit;
3896 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3897 		old_txq_quantum = rdev->wiphy.txq_quantum;
3898 
3899 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3900 			rdev->wiphy.retry_short = retry_short;
3901 		if (changed & WIPHY_PARAM_RETRY_LONG)
3902 			rdev->wiphy.retry_long = retry_long;
3903 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3904 			rdev->wiphy.frag_threshold = frag_threshold;
3905 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3906 			rdev->wiphy.rts_threshold = rts_threshold;
3907 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3908 			rdev->wiphy.coverage_class = coverage_class;
3909 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3910 			rdev->wiphy.txq_limit = txq_limit;
3911 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3912 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3913 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3914 			rdev->wiphy.txq_quantum = txq_quantum;
3915 
3916 		result = rdev_set_wiphy_params(rdev, changed);
3917 		if (result) {
3918 			rdev->wiphy.retry_short = old_retry_short;
3919 			rdev->wiphy.retry_long = old_retry_long;
3920 			rdev->wiphy.frag_threshold = old_frag_threshold;
3921 			rdev->wiphy.rts_threshold = old_rts_threshold;
3922 			rdev->wiphy.coverage_class = old_coverage_class;
3923 			rdev->wiphy.txq_limit = old_txq_limit;
3924 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3925 			rdev->wiphy.txq_quantum = old_txq_quantum;
3926 			goto out;
3927 		}
3928 	}
3929 
3930 	result = 0;
3931 
3932 out:
3933 	wiphy_unlock(&rdev->wiphy);
3934 	return result;
3935 }
3936 
3937 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3938 {
3939 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3940 		return -EINVAL;
3941 
3942 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3943 			chandef->chan->center_freq))
3944 		return -ENOBUFS;
3945 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3946 			chandef->chan->freq_offset))
3947 		return -ENOBUFS;
3948 	switch (chandef->width) {
3949 	case NL80211_CHAN_WIDTH_20_NOHT:
3950 	case NL80211_CHAN_WIDTH_20:
3951 	case NL80211_CHAN_WIDTH_40:
3952 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3953 				cfg80211_get_chandef_type(chandef)))
3954 			return -ENOBUFS;
3955 		break;
3956 	default:
3957 		break;
3958 	}
3959 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3960 		return -ENOBUFS;
3961 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3962 		return -ENOBUFS;
3963 	if (chandef->center_freq2 &&
3964 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3965 		return -ENOBUFS;
3966 	if (chandef->punctured &&
3967 	    nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, chandef->punctured))
3968 		return -ENOBUFS;
3969 
3970 	return 0;
3971 }
3972 EXPORT_SYMBOL(nl80211_send_chandef);
3973 
3974 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3975 			      struct cfg80211_registered_device *rdev,
3976 			      struct wireless_dev *wdev,
3977 			      enum nl80211_commands cmd)
3978 {
3979 	struct net_device *dev = wdev->netdev;
3980 	void *hdr;
3981 
3982 	lockdep_assert_wiphy(&rdev->wiphy);
3983 
3984 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3985 		cmd != NL80211_CMD_DEL_INTERFACE &&
3986 		cmd != NL80211_CMD_SET_INTERFACE);
3987 
3988 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3989 	if (!hdr)
3990 		return -1;
3991 
3992 	if (dev &&
3993 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3994 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3995 		goto nla_put_failure;
3996 
3997 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3998 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3999 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
4000 			      NL80211_ATTR_PAD) ||
4001 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
4002 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
4003 			rdev->devlist_generation ^
4004 			(cfg80211_rdev_list_generation << 2)) ||
4005 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr) ||
4006 	    nla_put_u32(msg, NL80211_ATTR_VIF_RADIO_MASK, wdev->radio_mask))
4007 		goto nla_put_failure;
4008 
4009 	if (rdev->ops->get_channel && !wdev->valid_links) {
4010 		struct cfg80211_chan_def chandef = {};
4011 		int ret;
4012 
4013 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
4014 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4015 			goto nla_put_failure;
4016 	}
4017 
4018 	if (rdev->ops->get_tx_power) {
4019 		int dbm, ret;
4020 
4021 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
4022 		if (ret == 0 &&
4023 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
4024 				DBM_TO_MBM(dbm)))
4025 			goto nla_put_failure;
4026 	}
4027 
4028 	switch (wdev->iftype) {
4029 	case NL80211_IFTYPE_AP:
4030 	case NL80211_IFTYPE_P2P_GO:
4031 		if (wdev->u.ap.ssid_len &&
4032 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
4033 			    wdev->u.ap.ssid))
4034 			goto nla_put_failure;
4035 		break;
4036 	case NL80211_IFTYPE_STATION:
4037 	case NL80211_IFTYPE_P2P_CLIENT:
4038 		if (wdev->u.client.ssid_len &&
4039 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
4040 			    wdev->u.client.ssid))
4041 			goto nla_put_failure;
4042 		break;
4043 	case NL80211_IFTYPE_ADHOC:
4044 		if (wdev->u.ibss.ssid_len &&
4045 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
4046 			    wdev->u.ibss.ssid))
4047 			goto nla_put_failure;
4048 		break;
4049 	default:
4050 		/* nothing */
4051 		break;
4052 	}
4053 
4054 	if (rdev->ops->get_txq_stats) {
4055 		struct cfg80211_txq_stats txqstats = {};
4056 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
4057 
4058 		if (ret == 0 &&
4059 		    !nl80211_put_txq_stats(msg, &txqstats,
4060 					   NL80211_ATTR_TXQ_STATS))
4061 			goto nla_put_failure;
4062 	}
4063 
4064 	if (wdev->valid_links) {
4065 		unsigned int link_id;
4066 		struct nlattr *links = nla_nest_start(msg,
4067 						      NL80211_ATTR_MLO_LINKS);
4068 
4069 		if (!links)
4070 			goto nla_put_failure;
4071 
4072 		for_each_valid_link(wdev, link_id) {
4073 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
4074 			struct cfg80211_chan_def chandef = {};
4075 			int ret;
4076 
4077 			if (!link)
4078 				goto nla_put_failure;
4079 
4080 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
4081 				goto nla_put_failure;
4082 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
4083 				    wdev->links[link_id].addr))
4084 				goto nla_put_failure;
4085 
4086 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
4087 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
4088 				goto nla_put_failure;
4089 
4090 			nla_nest_end(msg, link);
4091 		}
4092 
4093 		nla_nest_end(msg, links);
4094 	}
4095 
4096 	genlmsg_end(msg, hdr);
4097 	return 0;
4098 
4099  nla_put_failure:
4100 	genlmsg_cancel(msg, hdr);
4101 	return -EMSGSIZE;
4102 }
4103 
4104 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
4105 {
4106 	int wp_idx = 0;
4107 	int if_idx = 0;
4108 	int wp_start = cb->args[0];
4109 	int if_start = cb->args[1];
4110 	int filter_wiphy = -1;
4111 	struct cfg80211_registered_device *rdev;
4112 	struct wireless_dev *wdev;
4113 	int ret;
4114 
4115 	rtnl_lock();
4116 	if (!cb->args[2]) {
4117 		struct nl80211_dump_wiphy_state state = {
4118 			.filter_wiphy = -1,
4119 		};
4120 
4121 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
4122 		if (ret)
4123 			goto out_unlock;
4124 
4125 		filter_wiphy = state.filter_wiphy;
4126 
4127 		/*
4128 		 * if filtering, set cb->args[2] to +1 since 0 is the default
4129 		 * value needed to determine that parsing is necessary.
4130 		 */
4131 		if (filter_wiphy >= 0)
4132 			cb->args[2] = filter_wiphy + 1;
4133 		else
4134 			cb->args[2] = -1;
4135 	} else if (cb->args[2] > 0) {
4136 		filter_wiphy = cb->args[2] - 1;
4137 	}
4138 
4139 	for_each_rdev(rdev) {
4140 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
4141 			continue;
4142 		if (wp_idx < wp_start) {
4143 			wp_idx++;
4144 			continue;
4145 		}
4146 
4147 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
4148 			continue;
4149 
4150 		if_idx = 0;
4151 
4152 		wiphy_lock(&rdev->wiphy);
4153 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4154 			if (if_idx < if_start) {
4155 				if_idx++;
4156 				continue;
4157 			}
4158 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4159 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4160 					       rdev, wdev,
4161 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4162 				wiphy_unlock(&rdev->wiphy);
4163 				goto out;
4164 			}
4165 			if_idx++;
4166 		}
4167 		wiphy_unlock(&rdev->wiphy);
4168 
4169 		if_start = 0;
4170 		wp_idx++;
4171 	}
4172  out:
4173 	cb->args[0] = wp_idx;
4174 	cb->args[1] = if_idx;
4175 
4176 	ret = skb->len;
4177  out_unlock:
4178 	rtnl_unlock();
4179 
4180 	return ret;
4181 }
4182 
4183 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4184 {
4185 	struct sk_buff *msg;
4186 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4187 	struct wireless_dev *wdev = info->user_ptr[1];
4188 
4189 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4190 	if (!msg)
4191 		return -ENOMEM;
4192 
4193 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4194 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4195 		nlmsg_free(msg);
4196 		return -ENOBUFS;
4197 	}
4198 
4199 	return genlmsg_reply(msg, info);
4200 }
4201 
4202 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4203 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4204 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4205 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4206 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4207 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4208 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4209 	[NL80211_MNTR_FLAG_SKIP_TX] = { .type = NLA_FLAG },
4210 };
4211 
4212 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4213 {
4214 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4215 	int flag;
4216 
4217 	*mntrflags = 0;
4218 
4219 	if (!nla)
4220 		return -EINVAL;
4221 
4222 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4223 		return -EINVAL;
4224 
4225 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4226 		if (flags[flag])
4227 			*mntrflags |= (1<<flag);
4228 
4229 	*mntrflags |= MONITOR_FLAG_CHANGED;
4230 
4231 	return 0;
4232 }
4233 
4234 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4235 				     enum nl80211_iftype type,
4236 				     struct genl_info *info,
4237 				     struct vif_params *params)
4238 {
4239 	bool change = false;
4240 	int err;
4241 
4242 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4243 		if (type != NL80211_IFTYPE_MONITOR)
4244 			return -EINVAL;
4245 
4246 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4247 					  &params->flags);
4248 		if (err)
4249 			return err;
4250 
4251 		change = true;
4252 	}
4253 
4254 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4255 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4256 		return -EOPNOTSUPP;
4257 
4258 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4259 		const u8 *mumimo_groups;
4260 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4261 
4262 		if (type != NL80211_IFTYPE_MONITOR)
4263 			return -EINVAL;
4264 
4265 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4266 			return -EOPNOTSUPP;
4267 
4268 		mumimo_groups =
4269 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4270 
4271 		/* bits 0 and 63 are reserved and must be zero */
4272 		if ((mumimo_groups[0] & BIT(0)) ||
4273 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4274 			return -EINVAL;
4275 
4276 		params->vht_mumimo_groups = mumimo_groups;
4277 		change = true;
4278 	}
4279 
4280 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4281 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4282 
4283 		if (type != NL80211_IFTYPE_MONITOR)
4284 			return -EINVAL;
4285 
4286 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4287 			return -EOPNOTSUPP;
4288 
4289 		params->vht_mumimo_follow_addr =
4290 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4291 		change = true;
4292 	}
4293 
4294 	return change ? 1 : 0;
4295 }
4296 
4297 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4298 			       struct net_device *netdev, u8 use_4addr,
4299 			       enum nl80211_iftype iftype)
4300 {
4301 	if (!use_4addr) {
4302 		if (netdev && netif_is_bridge_port(netdev))
4303 			return -EBUSY;
4304 		return 0;
4305 	}
4306 
4307 	switch (iftype) {
4308 	case NL80211_IFTYPE_AP_VLAN:
4309 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4310 			return 0;
4311 		break;
4312 	case NL80211_IFTYPE_STATION:
4313 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4314 			return 0;
4315 		break;
4316 	default:
4317 		break;
4318 	}
4319 
4320 	return -EOPNOTSUPP;
4321 }
4322 
4323 static int nl80211_parse_vif_radio_mask(struct genl_info *info,
4324 					u32 *radio_mask)
4325 {
4326 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4327 	struct nlattr *attr = info->attrs[NL80211_ATTR_VIF_RADIO_MASK];
4328 	u32 mask, allowed;
4329 
4330 	if (!attr) {
4331 		*radio_mask = 0;
4332 		return 0;
4333 	}
4334 
4335 	allowed = BIT(rdev->wiphy.n_radio) - 1;
4336 	mask = nla_get_u32(attr);
4337 	if (mask & ~allowed)
4338 		return -EINVAL;
4339 	if (!mask)
4340 		mask = allowed;
4341 	*radio_mask = mask;
4342 
4343 	return 1;
4344 }
4345 
4346 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4347 {
4348 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4349 	struct vif_params params;
4350 	int err;
4351 	enum nl80211_iftype otype, ntype;
4352 	struct net_device *dev = info->user_ptr[1];
4353 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4354 	u32 radio_mask = 0;
4355 	bool change = false;
4356 
4357 	memset(&params, 0, sizeof(params));
4358 
4359 	otype = ntype = dev->ieee80211_ptr->iftype;
4360 
4361 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4362 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4363 		if (otype != ntype)
4364 			change = true;
4365 	}
4366 
4367 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4368 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4369 			return -EINVAL;
4370 		if (otype != NL80211_IFTYPE_MESH_POINT)
4371 			return -EINVAL;
4372 		if (netif_running(dev))
4373 			return -EBUSY;
4374 
4375 		wdev->u.mesh.id_up_len =
4376 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4377 		memcpy(wdev->u.mesh.id,
4378 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4379 		       wdev->u.mesh.id_up_len);
4380 	}
4381 
4382 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4383 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4384 		change = true;
4385 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4386 		if (err)
4387 			return err;
4388 	} else {
4389 		params.use_4addr = -1;
4390 	}
4391 
4392 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4393 	if (err < 0)
4394 		return err;
4395 	if (err > 0)
4396 		change = true;
4397 
4398 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4399 	if (err < 0)
4400 		return err;
4401 	if (err && netif_running(dev))
4402 		return -EBUSY;
4403 
4404 	if (change)
4405 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4406 	else
4407 		err = 0;
4408 
4409 	if (!err && params.use_4addr != -1)
4410 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4411 
4412 	if (radio_mask)
4413 		wdev->radio_mask = radio_mask;
4414 
4415 	if (change && !err)
4416 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4417 
4418 	return err;
4419 }
4420 
4421 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4422 {
4423 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4424 	struct vif_params params;
4425 	struct wireless_dev *wdev;
4426 	struct sk_buff *msg;
4427 	u32 radio_mask;
4428 	int err;
4429 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4430 
4431 	memset(&params, 0, sizeof(params));
4432 
4433 	if (!info->attrs[NL80211_ATTR_IFNAME])
4434 		return -EINVAL;
4435 
4436 	if (info->attrs[NL80211_ATTR_IFTYPE])
4437 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4438 
4439 	if (!rdev->ops->add_virtual_intf)
4440 		return -EOPNOTSUPP;
4441 
4442 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4443 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4444 	    info->attrs[NL80211_ATTR_MAC]) {
4445 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4446 			   ETH_ALEN);
4447 		if (!is_valid_ether_addr(params.macaddr))
4448 			return -EADDRNOTAVAIL;
4449 	}
4450 
4451 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4452 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4453 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4454 		if (err)
4455 			return err;
4456 	}
4457 
4458 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4459 		return -EOPNOTSUPP;
4460 
4461 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4462 	if (err < 0)
4463 		return err;
4464 
4465 	err = nl80211_parse_vif_radio_mask(info, &radio_mask);
4466 	if (err < 0)
4467 		return err;
4468 
4469 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4470 	if (!msg)
4471 		return -ENOMEM;
4472 
4473 	wdev = rdev_add_virtual_intf(rdev,
4474 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4475 				NET_NAME_USER, type, &params);
4476 	if (WARN_ON(!wdev)) {
4477 		nlmsg_free(msg);
4478 		return -EPROTO;
4479 	} else if (IS_ERR(wdev)) {
4480 		nlmsg_free(msg);
4481 		return PTR_ERR(wdev);
4482 	}
4483 
4484 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4485 		wdev->owner_nlportid = info->snd_portid;
4486 
4487 	switch (type) {
4488 	case NL80211_IFTYPE_MESH_POINT:
4489 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4490 			break;
4491 		wdev->u.mesh.id_up_len =
4492 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4493 		memcpy(wdev->u.mesh.id,
4494 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4495 		       wdev->u.mesh.id_up_len);
4496 		break;
4497 	case NL80211_IFTYPE_NAN:
4498 	case NL80211_IFTYPE_P2P_DEVICE:
4499 		/*
4500 		 * P2P Device and NAN do not have a netdev, so don't go
4501 		 * through the netdev notifier and must be added here
4502 		 */
4503 		cfg80211_init_wdev(wdev);
4504 		cfg80211_register_wdev(rdev, wdev);
4505 		break;
4506 	default:
4507 		break;
4508 	}
4509 
4510 	if (radio_mask)
4511 		wdev->radio_mask = radio_mask;
4512 
4513 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4514 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4515 		nlmsg_free(msg);
4516 		return -ENOBUFS;
4517 	}
4518 
4519 	return genlmsg_reply(msg, info);
4520 }
4521 
4522 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4523 {
4524 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4525 	int ret;
4526 
4527 	/* to avoid failing a new interface creation due to pending removal */
4528 	cfg80211_destroy_ifaces(rdev);
4529 
4530 	wiphy_lock(&rdev->wiphy);
4531 	ret = _nl80211_new_interface(skb, info);
4532 	wiphy_unlock(&rdev->wiphy);
4533 
4534 	return ret;
4535 }
4536 
4537 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4538 {
4539 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4540 	struct wireless_dev *wdev = info->user_ptr[1];
4541 
4542 	if (!rdev->ops->del_virtual_intf)
4543 		return -EOPNOTSUPP;
4544 
4545 	/*
4546 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4547 	 * reach 0, and thus the rdev cannot be deleted.
4548 	 *
4549 	 * We need to do it for the dev_close(), since that will call
4550 	 * the netdev notifiers, and we need to acquire the mutex there
4551 	 * but don't know if we get there from here or from some other
4552 	 * place (e.g. "ip link set ... down").
4553 	 */
4554 	mutex_unlock(&rdev->wiphy.mtx);
4555 
4556 	/*
4557 	 * If we remove a wireless device without a netdev then clear
4558 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4559 	 * to check if it needs to do dev_put(). Otherwise it crashes
4560 	 * since the wdev has been freed, unlike with a netdev where
4561 	 * we need the dev_put() for the netdev to really be freed.
4562 	 */
4563 	if (!wdev->netdev)
4564 		info->user_ptr[1] = NULL;
4565 	else
4566 		dev_close(wdev->netdev);
4567 
4568 	mutex_lock(&rdev->wiphy.mtx);
4569 
4570 	return cfg80211_remove_virtual_intf(rdev, wdev);
4571 }
4572 
4573 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4574 {
4575 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4576 	struct net_device *dev = info->user_ptr[1];
4577 	u16 noack_map;
4578 
4579 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4580 		return -EINVAL;
4581 
4582 	if (!rdev->ops->set_noack_map)
4583 		return -EOPNOTSUPP;
4584 
4585 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4586 
4587 	return rdev_set_noack_map(rdev, dev, noack_map);
4588 }
4589 
4590 static int nl80211_validate_key_link_id(struct genl_info *info,
4591 					struct wireless_dev *wdev,
4592 					int link_id, bool pairwise)
4593 {
4594 	if (pairwise) {
4595 		if (link_id != -1) {
4596 			GENL_SET_ERR_MSG(info,
4597 					 "link ID not allowed for pairwise key");
4598 			return -EINVAL;
4599 		}
4600 
4601 		return 0;
4602 	}
4603 
4604 	if (wdev->valid_links) {
4605 		if (link_id == -1) {
4606 			GENL_SET_ERR_MSG(info,
4607 					 "link ID must for MLO group key");
4608 			return -EINVAL;
4609 		}
4610 		if (!(wdev->valid_links & BIT(link_id))) {
4611 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4612 			return -EINVAL;
4613 		}
4614 	} else if (link_id != -1) {
4615 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4616 		return -EINVAL;
4617 	}
4618 
4619 	return 0;
4620 }
4621 
4622 struct get_key_cookie {
4623 	struct sk_buff *msg;
4624 	int error;
4625 	int idx;
4626 };
4627 
4628 static void get_key_callback(void *c, struct key_params *params)
4629 {
4630 	struct nlattr *key;
4631 	struct get_key_cookie *cookie = c;
4632 
4633 	if ((params->seq &&
4634 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4635 		     params->seq_len, params->seq)) ||
4636 	    (params->cipher &&
4637 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4638 			 params->cipher)))
4639 		goto nla_put_failure;
4640 
4641 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4642 	if (!key)
4643 		goto nla_put_failure;
4644 
4645 	if ((params->seq &&
4646 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4647 		     params->seq_len, params->seq)) ||
4648 	    (params->cipher &&
4649 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4650 			 params->cipher)))
4651 		goto nla_put_failure;
4652 
4653 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4654 		goto nla_put_failure;
4655 
4656 	nla_nest_end(cookie->msg, key);
4657 
4658 	return;
4659  nla_put_failure:
4660 	cookie->error = 1;
4661 }
4662 
4663 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4664 {
4665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4666 	int err;
4667 	struct net_device *dev = info->user_ptr[1];
4668 	u8 key_idx = 0;
4669 	const u8 *mac_addr = NULL;
4670 	bool pairwise;
4671 	struct get_key_cookie cookie = {
4672 		.error = 0,
4673 	};
4674 	void *hdr;
4675 	struct sk_buff *msg;
4676 	bool bigtk_support = false;
4677 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4678 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4679 
4680 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4681 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4682 		bigtk_support = true;
4683 
4684 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4685 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4686 	    wiphy_ext_feature_isset(&rdev->wiphy,
4687 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4688 		bigtk_support = true;
4689 
4690 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4691 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4692 
4693 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4694 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4695 			return -EINVAL;
4696 		}
4697 	}
4698 
4699 	if (info->attrs[NL80211_ATTR_MAC])
4700 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4701 
4702 	pairwise = !!mac_addr;
4703 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4704 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4705 
4706 		if (kt != NL80211_KEYTYPE_GROUP &&
4707 		    kt != NL80211_KEYTYPE_PAIRWISE)
4708 			return -EINVAL;
4709 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4710 	}
4711 
4712 	if (!rdev->ops->get_key)
4713 		return -EOPNOTSUPP;
4714 
4715 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4716 		return -ENOENT;
4717 
4718 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4719 	if (!msg)
4720 		return -ENOMEM;
4721 
4722 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4723 			     NL80211_CMD_NEW_KEY);
4724 	if (!hdr)
4725 		goto nla_put_failure;
4726 
4727 	cookie.msg = msg;
4728 	cookie.idx = key_idx;
4729 
4730 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4731 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4732 		goto nla_put_failure;
4733 	if (mac_addr &&
4734 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4735 		goto nla_put_failure;
4736 
4737 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4738 	if (err)
4739 		goto free_msg;
4740 
4741 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4742 			   &cookie, get_key_callback);
4743 
4744 	if (err)
4745 		goto free_msg;
4746 
4747 	if (cookie.error)
4748 		goto nla_put_failure;
4749 
4750 	genlmsg_end(msg, hdr);
4751 	return genlmsg_reply(msg, info);
4752 
4753  nla_put_failure:
4754 	err = -ENOBUFS;
4755  free_msg:
4756 	nlmsg_free(msg);
4757 	return err;
4758 }
4759 
4760 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4761 {
4762 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4763 	struct key_parse key;
4764 	int err;
4765 	struct net_device *dev = info->user_ptr[1];
4766 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4768 
4769 	err = nl80211_parse_key(info, &key);
4770 	if (err)
4771 		return err;
4772 
4773 	if (key.idx < 0)
4774 		return -EINVAL;
4775 
4776 	/* Only support setting default key and
4777 	 * Extended Key ID action NL80211_KEY_SET_TX.
4778 	 */
4779 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4780 	    !(key.p.mode == NL80211_KEY_SET_TX))
4781 		return -EINVAL;
4782 
4783 	if (key.def) {
4784 		if (!rdev->ops->set_default_key)
4785 			return -EOPNOTSUPP;
4786 
4787 		err = nl80211_key_allowed(wdev);
4788 		if (err)
4789 			return err;
4790 
4791 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4792 		if (err)
4793 			return err;
4794 
4795 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4796 					   key.def_uni, key.def_multi);
4797 
4798 		if (err)
4799 			return err;
4800 
4801 #ifdef CONFIG_CFG80211_WEXT
4802 		wdev->wext.default_key = key.idx;
4803 #endif
4804 		return 0;
4805 	} else if (key.defmgmt) {
4806 		if (key.def_uni || !key.def_multi)
4807 			return -EINVAL;
4808 
4809 		if (!rdev->ops->set_default_mgmt_key)
4810 			return -EOPNOTSUPP;
4811 
4812 		err = nl80211_key_allowed(wdev);
4813 		if (err)
4814 			return err;
4815 
4816 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4817 		if (err)
4818 			return err;
4819 
4820 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4821 		if (err)
4822 			return err;
4823 
4824 #ifdef CONFIG_CFG80211_WEXT
4825 		wdev->wext.default_mgmt_key = key.idx;
4826 #endif
4827 		return 0;
4828 	} else if (key.defbeacon) {
4829 		if (key.def_uni || !key.def_multi)
4830 			return -EINVAL;
4831 
4832 		if (!rdev->ops->set_default_beacon_key)
4833 			return -EOPNOTSUPP;
4834 
4835 		err = nl80211_key_allowed(wdev);
4836 		if (err)
4837 			return err;
4838 
4839 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4840 		if (err)
4841 			return err;
4842 
4843 		return rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4844 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4845 		   wiphy_ext_feature_isset(&rdev->wiphy,
4846 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4847 		u8 *mac_addr = NULL;
4848 
4849 		if (info->attrs[NL80211_ATTR_MAC])
4850 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4851 
4852 		if (!mac_addr || key.idx < 0 || key.idx > 1)
4853 			return -EINVAL;
4854 
4855 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4856 		if (err)
4857 			return err;
4858 
4859 		return rdev_add_key(rdev, dev, link_id, key.idx,
4860 				    NL80211_KEYTYPE_PAIRWISE,
4861 				    mac_addr, &key.p);
4862 	}
4863 
4864 	return -EINVAL;
4865 }
4866 
4867 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4868 {
4869 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4870 	int err;
4871 	struct net_device *dev = info->user_ptr[1];
4872 	struct key_parse key;
4873 	const u8 *mac_addr = NULL;
4874 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4875 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4876 
4877 	err = nl80211_parse_key(info, &key);
4878 	if (err)
4879 		return err;
4880 
4881 	if (!key.p.key) {
4882 		GENL_SET_ERR_MSG(info, "no key");
4883 		return -EINVAL;
4884 	}
4885 
4886 	if (info->attrs[NL80211_ATTR_MAC])
4887 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4888 
4889 	if (key.type == -1) {
4890 		if (mac_addr)
4891 			key.type = NL80211_KEYTYPE_PAIRWISE;
4892 		else
4893 			key.type = NL80211_KEYTYPE_GROUP;
4894 	}
4895 
4896 	/* for now */
4897 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4898 	    key.type != NL80211_KEYTYPE_GROUP) {
4899 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4900 		return -EINVAL;
4901 	}
4902 
4903 	if (key.type == NL80211_KEYTYPE_GROUP &&
4904 	    info->attrs[NL80211_ATTR_VLAN_ID])
4905 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4906 
4907 	if (!rdev->ops->add_key)
4908 		return -EOPNOTSUPP;
4909 
4910 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4911 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4912 					   mac_addr)) {
4913 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4914 		return -EINVAL;
4915 	}
4916 
4917 	err = nl80211_key_allowed(wdev);
4918 	if (err)
4919 		GENL_SET_ERR_MSG(info, "key not allowed");
4920 
4921 	if (!err)
4922 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4923 				key.type == NL80211_KEYTYPE_PAIRWISE);
4924 
4925 	if (!err) {
4926 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4927 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4928 				    mac_addr, &key.p);
4929 		if (err)
4930 			GENL_SET_ERR_MSG(info, "key addition failed");
4931 	}
4932 
4933 	return err;
4934 }
4935 
4936 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4937 {
4938 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4939 	int err;
4940 	struct net_device *dev = info->user_ptr[1];
4941 	u8 *mac_addr = NULL;
4942 	struct key_parse key;
4943 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4944 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4945 
4946 	err = nl80211_parse_key(info, &key);
4947 	if (err)
4948 		return err;
4949 
4950 	if (info->attrs[NL80211_ATTR_MAC])
4951 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4952 
4953 	if (key.type == -1) {
4954 		if (mac_addr)
4955 			key.type = NL80211_KEYTYPE_PAIRWISE;
4956 		else
4957 			key.type = NL80211_KEYTYPE_GROUP;
4958 	}
4959 
4960 	/* for now */
4961 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4962 	    key.type != NL80211_KEYTYPE_GROUP)
4963 		return -EINVAL;
4964 
4965 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4966 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4967 		return -EINVAL;
4968 
4969 	if (!rdev->ops->del_key)
4970 		return -EOPNOTSUPP;
4971 
4972 	err = nl80211_key_allowed(wdev);
4973 
4974 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4975 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4976 		err = -ENOENT;
4977 
4978 	if (!err)
4979 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4980 				key.type == NL80211_KEYTYPE_PAIRWISE);
4981 
4982 	if (!err)
4983 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4984 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4985 				   mac_addr);
4986 
4987 #ifdef CONFIG_CFG80211_WEXT
4988 	if (!err) {
4989 		if (key.idx == wdev->wext.default_key)
4990 			wdev->wext.default_key = -1;
4991 		else if (key.idx == wdev->wext.default_mgmt_key)
4992 			wdev->wext.default_mgmt_key = -1;
4993 	}
4994 #endif
4995 
4996 	return err;
4997 }
4998 
4999 /* This function returns an error or the number of nested attributes */
5000 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
5001 {
5002 	struct nlattr *attr;
5003 	int n_entries = 0, tmp;
5004 
5005 	nla_for_each_nested(attr, nl_attr, tmp) {
5006 		if (nla_len(attr) != ETH_ALEN)
5007 			return -EINVAL;
5008 
5009 		n_entries++;
5010 	}
5011 
5012 	return n_entries;
5013 }
5014 
5015 /*
5016  * This function parses ACL information and allocates memory for ACL data.
5017  * On successful return, the calling function is responsible to free the
5018  * ACL buffer returned by this function.
5019  */
5020 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
5021 						struct genl_info *info)
5022 {
5023 	enum nl80211_acl_policy acl_policy;
5024 	struct nlattr *attr;
5025 	struct cfg80211_acl_data *acl;
5026 	int i = 0, n_entries, tmp;
5027 
5028 	if (!wiphy->max_acl_mac_addrs)
5029 		return ERR_PTR(-EOPNOTSUPP);
5030 
5031 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
5032 		return ERR_PTR(-EINVAL);
5033 
5034 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
5035 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
5036 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
5037 		return ERR_PTR(-EINVAL);
5038 
5039 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
5040 		return ERR_PTR(-EINVAL);
5041 
5042 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
5043 	if (n_entries < 0)
5044 		return ERR_PTR(n_entries);
5045 
5046 	if (n_entries > wiphy->max_acl_mac_addrs)
5047 		return ERR_PTR(-EOPNOTSUPP);
5048 
5049 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
5050 	if (!acl)
5051 		return ERR_PTR(-ENOMEM);
5052 	acl->n_acl_entries = n_entries;
5053 
5054 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
5055 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
5056 		i++;
5057 	}
5058 	acl->acl_policy = acl_policy;
5059 
5060 	return acl;
5061 }
5062 
5063 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
5064 {
5065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5066 	struct net_device *dev = info->user_ptr[1];
5067 	struct cfg80211_acl_data *acl;
5068 	int err;
5069 
5070 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5071 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5072 		return -EOPNOTSUPP;
5073 
5074 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
5075 		return -EINVAL;
5076 
5077 	acl = parse_acl_data(&rdev->wiphy, info);
5078 	if (IS_ERR(acl))
5079 		return PTR_ERR(acl);
5080 
5081 	err = rdev_set_mac_acl(rdev, dev, acl);
5082 
5083 	kfree(acl);
5084 
5085 	return err;
5086 }
5087 
5088 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
5089 			   u8 *rates, u8 rates_len)
5090 {
5091 	u8 i;
5092 	u32 mask = 0;
5093 
5094 	for (i = 0; i < rates_len; i++) {
5095 		int rate = (rates[i] & 0x7f) * 5;
5096 		int ridx;
5097 
5098 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
5099 			struct ieee80211_rate *srate =
5100 				&sband->bitrates[ridx];
5101 			if (rate == srate->bitrate) {
5102 				mask |= 1 << ridx;
5103 				break;
5104 			}
5105 		}
5106 		if (ridx == sband->n_bitrates)
5107 			return 0; /* rate not found */
5108 	}
5109 
5110 	return mask;
5111 }
5112 
5113 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
5114 			       u8 *rates, u8 rates_len,
5115 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
5116 {
5117 	u8 i;
5118 
5119 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
5120 
5121 	for (i = 0; i < rates_len; i++) {
5122 		int ridx, rbit;
5123 
5124 		ridx = rates[i] / 8;
5125 		rbit = BIT(rates[i] % 8);
5126 
5127 		/* check validity */
5128 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
5129 			return false;
5130 
5131 		/* check availability */
5132 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
5133 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
5134 			mcs[ridx] |= rbit;
5135 		else
5136 			return false;
5137 	}
5138 
5139 	return true;
5140 }
5141 
5142 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
5143 {
5144 	u16 mcs_mask = 0;
5145 
5146 	switch (vht_mcs_map) {
5147 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
5148 		break;
5149 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
5150 		mcs_mask = 0x00FF;
5151 		break;
5152 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
5153 		mcs_mask = 0x01FF;
5154 		break;
5155 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
5156 		mcs_mask = 0x03FF;
5157 		break;
5158 	default:
5159 		break;
5160 	}
5161 
5162 	return mcs_mask;
5163 }
5164 
5165 static void vht_build_mcs_mask(u16 vht_mcs_map,
5166 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5167 {
5168 	u8 nss;
5169 
5170 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5171 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5172 		vht_mcs_map >>= 2;
5173 	}
5174 }
5175 
5176 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5177 			     struct nl80211_txrate_vht *txrate,
5178 			     u16 mcs[NL80211_VHT_NSS_MAX])
5179 {
5180 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5181 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5182 	u8 i;
5183 
5184 	if (!sband->vht_cap.vht_supported)
5185 		return false;
5186 
5187 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5188 
5189 	/* Build vht_mcs_mask from VHT capabilities */
5190 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5191 
5192 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5193 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5194 			mcs[i] = txrate->mcs[i];
5195 		else
5196 			return false;
5197 	}
5198 
5199 	return true;
5200 }
5201 
5202 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5203 {
5204 	switch (he_mcs_map) {
5205 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5206 		return 0;
5207 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5208 		return 0x00FF;
5209 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5210 		return 0x03FF;
5211 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5212 		return 0xFFF;
5213 	default:
5214 		break;
5215 	}
5216 	return 0;
5217 }
5218 
5219 static void he_build_mcs_mask(u16 he_mcs_map,
5220 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5221 {
5222 	u8 nss;
5223 
5224 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5225 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5226 		he_mcs_map >>= 2;
5227 	}
5228 }
5229 
5230 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5231 			   const struct ieee80211_sta_he_cap *he_cap)
5232 {
5233 	struct net_device *dev = info->user_ptr[1];
5234 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5235 	struct cfg80211_chan_def *chandef;
5236 	__le16 tx_mcs;
5237 
5238 	chandef = wdev_chandef(wdev, link_id);
5239 	if (!chandef) {
5240 		/*
5241 		 * This is probably broken, but we never maintained
5242 		 * a chandef in these cases, so it always was.
5243 		 */
5244 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5245 	}
5246 
5247 	switch (chandef->width) {
5248 	case NL80211_CHAN_WIDTH_80P80:
5249 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5250 		break;
5251 	case NL80211_CHAN_WIDTH_160:
5252 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5253 		break;
5254 	default:
5255 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5256 		break;
5257 	}
5258 
5259 	return le16_to_cpu(tx_mcs);
5260 }
5261 
5262 static bool he_set_mcs_mask(struct genl_info *info,
5263 			    struct wireless_dev *wdev,
5264 			    struct ieee80211_supported_band *sband,
5265 			    struct nl80211_txrate_he *txrate,
5266 			    u16 mcs[NL80211_HE_NSS_MAX],
5267 			    unsigned int link_id)
5268 {
5269 	const struct ieee80211_sta_he_cap *he_cap;
5270 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5271 	u16 tx_mcs_map = 0;
5272 	u8 i;
5273 
5274 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5275 	if (!he_cap)
5276 		return false;
5277 
5278 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5279 
5280 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5281 
5282 	/* Build he_mcs_mask from HE capabilities */
5283 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5284 
5285 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5286 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5287 			mcs[i] = txrate->mcs[i];
5288 		else
5289 			return false;
5290 	}
5291 
5292 	return true;
5293 }
5294 
5295 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5296 					 struct nlattr *attrs[],
5297 					 enum nl80211_attrs attr,
5298 					 struct cfg80211_bitrate_mask *mask,
5299 					 struct net_device *dev,
5300 					 bool default_all_enabled,
5301 					 unsigned int link_id)
5302 {
5303 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5305 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5306 	int rem, i;
5307 	struct nlattr *tx_rates;
5308 	struct ieee80211_supported_band *sband;
5309 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5310 
5311 	memset(mask, 0, sizeof(*mask));
5312 	/* Default to all rates enabled */
5313 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5314 		const struct ieee80211_sta_he_cap *he_cap;
5315 
5316 		if (!default_all_enabled)
5317 			break;
5318 
5319 		sband = rdev->wiphy.bands[i];
5320 
5321 		if (!sband)
5322 			continue;
5323 
5324 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5325 		memcpy(mask->control[i].ht_mcs,
5326 		       sband->ht_cap.mcs.rx_mask,
5327 		       sizeof(mask->control[i].ht_mcs));
5328 
5329 		if (sband->vht_cap.vht_supported) {
5330 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5331 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5332 		}
5333 
5334 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5335 		if (!he_cap)
5336 			continue;
5337 
5338 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5339 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5340 
5341 		mask->control[i].he_gi = 0xFF;
5342 		mask->control[i].he_ltf = 0xFF;
5343 	}
5344 
5345 	/* if no rates are given set it back to the defaults */
5346 	if (!attrs[attr])
5347 		goto out;
5348 
5349 	/* The nested attribute uses enum nl80211_band as the index. This maps
5350 	 * directly to the enum nl80211_band values used in cfg80211.
5351 	 */
5352 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5353 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5354 		enum nl80211_band band = nla_type(tx_rates);
5355 		int err;
5356 
5357 		if (band < 0 || band >= NUM_NL80211_BANDS)
5358 			return -EINVAL;
5359 		sband = rdev->wiphy.bands[band];
5360 		if (sband == NULL)
5361 			return -EINVAL;
5362 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5363 						  tx_rates,
5364 						  nl80211_txattr_policy,
5365 						  info->extack);
5366 		if (err)
5367 			return err;
5368 		if (tb[NL80211_TXRATE_LEGACY]) {
5369 			mask->control[band].legacy = rateset_to_mask(
5370 				sband,
5371 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5372 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5373 			if ((mask->control[band].legacy == 0) &&
5374 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5375 				return -EINVAL;
5376 		}
5377 		if (tb[NL80211_TXRATE_HT]) {
5378 			if (!ht_rateset_to_mask(
5379 					sband,
5380 					nla_data(tb[NL80211_TXRATE_HT]),
5381 					nla_len(tb[NL80211_TXRATE_HT]),
5382 					mask->control[band].ht_mcs))
5383 				return -EINVAL;
5384 		}
5385 
5386 		if (tb[NL80211_TXRATE_VHT]) {
5387 			if (!vht_set_mcs_mask(
5388 					sband,
5389 					nla_data(tb[NL80211_TXRATE_VHT]),
5390 					mask->control[band].vht_mcs))
5391 				return -EINVAL;
5392 		}
5393 
5394 		if (tb[NL80211_TXRATE_GI]) {
5395 			mask->control[band].gi =
5396 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5397 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5398 				return -EINVAL;
5399 		}
5400 		if (tb[NL80211_TXRATE_HE] &&
5401 		    !he_set_mcs_mask(info, wdev, sband,
5402 				     nla_data(tb[NL80211_TXRATE_HE]),
5403 				     mask->control[band].he_mcs,
5404 				     link_id))
5405 			return -EINVAL;
5406 
5407 		if (tb[NL80211_TXRATE_HE_GI])
5408 			mask->control[band].he_gi =
5409 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5410 		if (tb[NL80211_TXRATE_HE_LTF])
5411 			mask->control[band].he_ltf =
5412 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5413 
5414 		if (mask->control[band].legacy == 0) {
5415 			/* don't allow empty legacy rates if HT, VHT or HE
5416 			 * are not even supported.
5417 			 */
5418 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5419 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5420 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5421 				return -EINVAL;
5422 
5423 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5424 				if (mask->control[band].ht_mcs[i])
5425 					goto out;
5426 
5427 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5428 				if (mask->control[band].vht_mcs[i])
5429 					goto out;
5430 
5431 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5432 				if (mask->control[band].he_mcs[i])
5433 					goto out;
5434 
5435 			/* legacy and mcs rates may not be both empty */
5436 			return -EINVAL;
5437 		}
5438 	}
5439 
5440 out:
5441 	return 0;
5442 }
5443 
5444 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5445 				   enum nl80211_band band,
5446 				   struct cfg80211_bitrate_mask *beacon_rate)
5447 {
5448 	u32 count_ht, count_vht, count_he, i;
5449 	u32 rate = beacon_rate->control[band].legacy;
5450 
5451 	/* Allow only one rate */
5452 	if (hweight32(rate) > 1)
5453 		return -EINVAL;
5454 
5455 	count_ht = 0;
5456 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5457 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5458 			return -EINVAL;
5459 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5460 			count_ht++;
5461 			if (count_ht > 1)
5462 				return -EINVAL;
5463 		}
5464 		if (count_ht && rate)
5465 			return -EINVAL;
5466 	}
5467 
5468 	count_vht = 0;
5469 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5470 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5471 			return -EINVAL;
5472 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5473 			count_vht++;
5474 			if (count_vht > 1)
5475 				return -EINVAL;
5476 		}
5477 		if (count_vht && rate)
5478 			return -EINVAL;
5479 	}
5480 
5481 	count_he = 0;
5482 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5483 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5484 			return -EINVAL;
5485 		} else if (beacon_rate->control[band].he_mcs[i]) {
5486 			count_he++;
5487 			if (count_he > 1)
5488 				return -EINVAL;
5489 		}
5490 		if (count_he && rate)
5491 			return -EINVAL;
5492 	}
5493 
5494 	if ((count_ht && count_vht && count_he) ||
5495 	    (!rate && !count_ht && !count_vht && !count_he))
5496 		return -EINVAL;
5497 
5498 	if (rate &&
5499 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5500 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5501 		return -EINVAL;
5502 	if (count_ht &&
5503 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5504 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5505 		return -EINVAL;
5506 	if (count_vht &&
5507 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5508 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5509 		return -EINVAL;
5510 	if (count_he &&
5511 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5512 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5513 		return -EINVAL;
5514 
5515 	return 0;
5516 }
5517 
5518 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5519 				       struct net_device *dev,
5520 				       struct nlattr *attrs,
5521 				       struct cfg80211_mbssid_config *config,
5522 				       u8 num_elems)
5523 {
5524 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5525 
5526 	if (!wiphy->mbssid_max_interfaces)
5527 		return -EOPNOTSUPP;
5528 
5529 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5530 			     NULL) ||
5531 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5532 		return -EINVAL;
5533 
5534 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5535 	if (config->ema) {
5536 		if (!wiphy->ema_max_profile_periodicity)
5537 			return -EOPNOTSUPP;
5538 
5539 		if (num_elems > wiphy->ema_max_profile_periodicity)
5540 			return -EINVAL;
5541 	}
5542 
5543 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5544 	if (config->index >= wiphy->mbssid_max_interfaces ||
5545 	    (!config->index && !num_elems))
5546 		return -EINVAL;
5547 
5548 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5549 		u32 tx_ifindex =
5550 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5551 
5552 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5553 		    (config->index && tx_ifindex == dev->ifindex))
5554 			return -EINVAL;
5555 
5556 		if (tx_ifindex != dev->ifindex) {
5557 			struct net_device *tx_netdev =
5558 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5559 
5560 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5561 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5562 			    tx_netdev->ieee80211_ptr->iftype !=
5563 							NL80211_IFTYPE_AP) {
5564 				dev_put(tx_netdev);
5565 				return -EINVAL;
5566 			}
5567 
5568 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5569 		} else {
5570 			config->tx_wdev = dev->ieee80211_ptr;
5571 		}
5572 	} else if (!config->index) {
5573 		config->tx_wdev = dev->ieee80211_ptr;
5574 	} else {
5575 		return -EINVAL;
5576 	}
5577 
5578 	return 0;
5579 }
5580 
5581 static struct cfg80211_mbssid_elems *
5582 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5583 {
5584 	struct nlattr *nl_elems;
5585 	struct cfg80211_mbssid_elems *elems;
5586 	int rem_elems;
5587 	u8 i = 0, num_elems = 0;
5588 
5589 	if (!wiphy->mbssid_max_interfaces)
5590 		return ERR_PTR(-EINVAL);
5591 
5592 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5593 		if (num_elems >= 255)
5594 			return ERR_PTR(-EINVAL);
5595 		num_elems++;
5596 	}
5597 
5598 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5599 	if (!elems)
5600 		return ERR_PTR(-ENOMEM);
5601 	elems->cnt = num_elems;
5602 
5603 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5604 		elems->elem[i].data = nla_data(nl_elems);
5605 		elems->elem[i].len = nla_len(nl_elems);
5606 		i++;
5607 	}
5608 	return elems;
5609 }
5610 
5611 static struct cfg80211_rnr_elems *
5612 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5613 			struct netlink_ext_ack *extack)
5614 {
5615 	struct nlattr *nl_elems;
5616 	struct cfg80211_rnr_elems *elems;
5617 	int rem_elems;
5618 	u8 i = 0, num_elems = 0;
5619 
5620 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5621 		int ret;
5622 
5623 		ret = validate_ie_attr(nl_elems, extack);
5624 		if (ret)
5625 			return ERR_PTR(ret);
5626 
5627 		num_elems++;
5628 	}
5629 
5630 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5631 	if (!elems)
5632 		return ERR_PTR(-ENOMEM);
5633 	elems->cnt = num_elems;
5634 
5635 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5636 		elems->elem[i].data = nla_data(nl_elems);
5637 		elems->elem[i].len = nla_len(nl_elems);
5638 		i++;
5639 	}
5640 	return elems;
5641 }
5642 
5643 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5644 				      struct cfg80211_he_bss_color *he_bss_color)
5645 {
5646 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5647 	int err;
5648 
5649 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5650 			       he_bss_color_policy, NULL);
5651 	if (err)
5652 		return err;
5653 
5654 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5655 		return -EINVAL;
5656 
5657 	he_bss_color->color =
5658 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5659 	he_bss_color->enabled =
5660 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5661 	he_bss_color->partial =
5662 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5663 
5664 	return 0;
5665 }
5666 
5667 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5668 				struct nlattr *attrs[],
5669 				struct cfg80211_beacon_data *bcn,
5670 				struct netlink_ext_ack *extack)
5671 {
5672 	bool haveinfo = false;
5673 	int err;
5674 
5675 	memset(bcn, 0, sizeof(*bcn));
5676 
5677 	bcn->link_id = nl80211_link_id(attrs);
5678 
5679 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5680 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5681 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5682 		if (!bcn->head_len)
5683 			return -EINVAL;
5684 		haveinfo = true;
5685 	}
5686 
5687 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5688 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5689 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5690 		haveinfo = true;
5691 	}
5692 
5693 	if (!haveinfo)
5694 		return -EINVAL;
5695 
5696 	if (attrs[NL80211_ATTR_IE]) {
5697 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5698 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5699 	}
5700 
5701 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5702 		bcn->proberesp_ies =
5703 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5704 		bcn->proberesp_ies_len =
5705 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5706 	}
5707 
5708 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5709 		bcn->assocresp_ies =
5710 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5711 		bcn->assocresp_ies_len =
5712 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5713 	}
5714 
5715 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5716 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5717 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5718 	}
5719 
5720 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5721 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5722 
5723 		err = nla_parse_nested_deprecated(tb,
5724 						  NL80211_FTM_RESP_ATTR_MAX,
5725 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5726 						  NULL, NULL);
5727 		if (err)
5728 			return err;
5729 
5730 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5731 		    wiphy_ext_feature_isset(&rdev->wiphy,
5732 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5733 			bcn->ftm_responder = 1;
5734 		else
5735 			return -EOPNOTSUPP;
5736 
5737 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5738 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5739 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5740 		}
5741 
5742 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5743 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5744 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5745 		}
5746 	} else {
5747 		bcn->ftm_responder = -1;
5748 	}
5749 
5750 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5751 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5752 						 &bcn->he_bss_color);
5753 		if (err)
5754 			return err;
5755 		bcn->he_bss_color_valid = true;
5756 	}
5757 
5758 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5759 		struct cfg80211_mbssid_elems *mbssid =
5760 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5761 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5762 
5763 		if (IS_ERR(mbssid))
5764 			return PTR_ERR(mbssid);
5765 
5766 		bcn->mbssid_ies = mbssid;
5767 
5768 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5769 			struct cfg80211_rnr_elems *rnr =
5770 				nl80211_parse_rnr_elems(&rdev->wiphy,
5771 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5772 							extack);
5773 
5774 			if (IS_ERR(rnr))
5775 				return PTR_ERR(rnr);
5776 
5777 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5778 				return -EINVAL;
5779 
5780 			bcn->rnr_ies = rnr;
5781 		}
5782 	}
5783 
5784 	return 0;
5785 }
5786 
5787 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5788 				    struct ieee80211_he_obss_pd *he_obss_pd)
5789 {
5790 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5791 	int err;
5792 
5793 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5794 			       he_obss_pd_policy, NULL);
5795 	if (err)
5796 		return err;
5797 
5798 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5799 		return -EINVAL;
5800 
5801 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5802 
5803 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5804 		he_obss_pd->min_offset =
5805 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5806 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5807 		he_obss_pd->max_offset =
5808 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5809 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5810 		he_obss_pd->non_srg_max_offset =
5811 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5812 
5813 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5814 		return -EINVAL;
5815 
5816 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5817 		memcpy(he_obss_pd->bss_color_bitmap,
5818 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5819 		       sizeof(he_obss_pd->bss_color_bitmap));
5820 
5821 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5822 		memcpy(he_obss_pd->partial_bssid_bitmap,
5823 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5824 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5825 
5826 	he_obss_pd->enable = true;
5827 
5828 	return 0;
5829 }
5830 
5831 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5832 					struct nlattr *attrs,
5833 					struct cfg80211_fils_discovery *fd)
5834 {
5835 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5836 	int ret;
5837 
5838 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5839 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5840 		return -EINVAL;
5841 
5842 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5843 			       NULL, NULL);
5844 	if (ret)
5845 		return ret;
5846 
5847 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] &&
5848 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] &&
5849 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]) {
5850 		fd->update = true;
5851 		return 0;
5852 	}
5853 
5854 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5855 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5856 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5857 		return -EINVAL;
5858 
5859 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5860 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5861 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5862 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5863 	fd->update = true;
5864 	return 0;
5865 }
5866 
5867 static int
5868 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5869 				     struct nlattr *attrs,
5870 				     struct cfg80211_unsol_bcast_probe_resp *presp)
5871 {
5872 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5873 	int ret;
5874 
5875 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5876 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5877 		return -EINVAL;
5878 
5879 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5880 			       attrs, NULL, NULL);
5881 	if (ret)
5882 		return ret;
5883 
5884 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] &&
5885 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]) {
5886 		presp->update = true;
5887 		return 0;
5888 	}
5889 
5890 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5891 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5892 		return -EINVAL;
5893 
5894 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5895 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5896 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5897 	presp->update = true;
5898 	return 0;
5899 }
5900 
5901 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5902 					    const struct element *rates)
5903 {
5904 	int i;
5905 
5906 	if (!rates)
5907 		return;
5908 
5909 	for (i = 0; i < rates->datalen; i++) {
5910 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5911 			params->ht_required = true;
5912 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5913 			params->vht_required = true;
5914 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5915 			params->he_required = true;
5916 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5917 			params->sae_h2e_required = true;
5918 	}
5919 }
5920 
5921 /*
5922  * Since the nl80211 API didn't include, from the beginning, attributes about
5923  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5924  * benefit of drivers that rebuild IEs in the firmware.
5925  */
5926 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5927 {
5928 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5929 	size_t ies_len = bcn->tail_len;
5930 	const u8 *ies = bcn->tail;
5931 	const struct element *rates;
5932 	const struct element *cap;
5933 
5934 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5935 	nl80211_check_ap_rate_selectors(params, rates);
5936 
5937 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5938 	nl80211_check_ap_rate_selectors(params, rates);
5939 
5940 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5941 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5942 		params->ht_cap = (void *)cap->data;
5943 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5944 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5945 		params->vht_cap = (void *)cap->data;
5946 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5947 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5948 		params->he_cap = (void *)(cap->data + 1);
5949 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5950 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5951 		params->he_oper = (void *)(cap->data + 1);
5952 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5953 	if (cap) {
5954 		if (!cap->datalen)
5955 			return -EINVAL;
5956 		params->eht_cap = (void *)(cap->data + 1);
5957 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5958 						(const u8 *)params->eht_cap,
5959 						cap->datalen - 1, true))
5960 			return -EINVAL;
5961 	}
5962 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5963 	if (cap) {
5964 		if (!cap->datalen)
5965 			return -EINVAL;
5966 		params->eht_oper = (void *)(cap->data + 1);
5967 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5968 						cap->datalen - 1))
5969 			return -EINVAL;
5970 	}
5971 	return 0;
5972 }
5973 
5974 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5975 				   struct cfg80211_ap_settings *params)
5976 {
5977 	struct wireless_dev *wdev;
5978 
5979 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5980 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5981 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5982 			continue;
5983 
5984 		if (!wdev->u.ap.preset_chandef.chan)
5985 			continue;
5986 
5987 		params->chandef = wdev->u.ap.preset_chandef;
5988 		return true;
5989 	}
5990 
5991 	return false;
5992 }
5993 
5994 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5995 				    enum nl80211_auth_type auth_type,
5996 				    enum nl80211_commands cmd)
5997 {
5998 	if (auth_type > NL80211_AUTHTYPE_MAX)
5999 		return false;
6000 
6001 	switch (cmd) {
6002 	case NL80211_CMD_AUTHENTICATE:
6003 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6004 		    auth_type == NL80211_AUTHTYPE_SAE)
6005 			return false;
6006 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6007 					     NL80211_EXT_FEATURE_FILS_STA) &&
6008 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6009 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6010 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
6011 			return false;
6012 		return true;
6013 	case NL80211_CMD_CONNECT:
6014 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
6015 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6016 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
6017 		    auth_type == NL80211_AUTHTYPE_SAE)
6018 			return false;
6019 
6020 		/* FILS with SK PFS or PK not supported yet */
6021 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6022 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6023 			return false;
6024 		if (!wiphy_ext_feature_isset(
6025 			    &rdev->wiphy,
6026 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
6027 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
6028 			return false;
6029 		return true;
6030 	case NL80211_CMD_START_AP:
6031 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
6032 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
6033 		    auth_type == NL80211_AUTHTYPE_SAE)
6034 			return false;
6035 		/* FILS not supported yet */
6036 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
6037 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
6038 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
6039 			return false;
6040 		return true;
6041 	default:
6042 		return false;
6043 	}
6044 }
6045 
6046 static void nl80211_send_ap_started(struct wireless_dev *wdev,
6047 				    unsigned int link_id)
6048 {
6049 	struct wiphy *wiphy = wdev->wiphy;
6050 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
6051 	struct sk_buff *msg;
6052 	void *hdr;
6053 
6054 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6055 	if (!msg)
6056 		return;
6057 
6058 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
6059 	if (!hdr)
6060 		goto out;
6061 
6062 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
6063 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
6064 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
6065 			      NL80211_ATTR_PAD) ||
6066 	    (wdev->u.ap.ssid_len &&
6067 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
6068 		     wdev->u.ap.ssid)) ||
6069 	    (wdev->valid_links &&
6070 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
6071 		goto out;
6072 
6073 	genlmsg_end(msg, hdr);
6074 
6075 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
6076 				NL80211_MCGRP_MLME, GFP_KERNEL);
6077 	return;
6078 out:
6079 	nlmsg_free(msg);
6080 }
6081 
6082 static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
6083 {
6084 	struct ieee80211_channel *channel = params->chandef.chan;
6085 
6086 	if ((params->he_cap ||  params->he_oper) &&
6087 	    (channel->flags & IEEE80211_CHAN_NO_HE))
6088 		return -EOPNOTSUPP;
6089 
6090 	if ((params->eht_cap || params->eht_oper) &&
6091 	    (channel->flags & IEEE80211_CHAN_NO_EHT))
6092 		return -EOPNOTSUPP;
6093 
6094 	return 0;
6095 }
6096 
6097 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
6098 {
6099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6100 	struct cfg80211_beaconing_check_config beacon_check = {};
6101 	unsigned int link_id = nl80211_link_id(info->attrs);
6102 	struct net_device *dev = info->user_ptr[1];
6103 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6104 	struct cfg80211_ap_settings *params;
6105 	int err;
6106 
6107 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6108 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6109 		return -EOPNOTSUPP;
6110 
6111 	if (!rdev->ops->start_ap)
6112 		return -EOPNOTSUPP;
6113 
6114 	if (wdev->links[link_id].cac_started)
6115 		return -EBUSY;
6116 
6117 	if (wdev->links[link_id].ap.beacon_interval)
6118 		return -EALREADY;
6119 
6120 	/* these are required for START_AP */
6121 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
6122 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
6123 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
6124 		return -EINVAL;
6125 
6126 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6127 	if (!params)
6128 		return -ENOMEM;
6129 
6130 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6131 				   info->extack);
6132 	if (err)
6133 		goto out;
6134 
6135 	params->beacon_interval =
6136 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
6137 	params->dtim_period =
6138 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
6139 
6140 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
6141 					   params->beacon_interval);
6142 	if (err)
6143 		goto out;
6144 
6145 	/*
6146 	 * In theory, some of these attributes should be required here
6147 	 * but since they were not used when the command was originally
6148 	 * added, keep them optional for old user space programs to let
6149 	 * them continue to work with drivers that do not need the
6150 	 * additional information -- drivers must check!
6151 	 */
6152 	if (info->attrs[NL80211_ATTR_SSID]) {
6153 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
6154 		params->ssid_len =
6155 			nla_len(info->attrs[NL80211_ATTR_SSID]);
6156 		if (params->ssid_len == 0) {
6157 			err = -EINVAL;
6158 			goto out;
6159 		}
6160 
6161 		if (wdev->u.ap.ssid_len &&
6162 		    (wdev->u.ap.ssid_len != params->ssid_len ||
6163 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
6164 			/* require identical SSID for MLO */
6165 			err = -EINVAL;
6166 			goto out;
6167 		}
6168 	} else if (wdev->valid_links) {
6169 		/* require SSID for MLO */
6170 		err = -EINVAL;
6171 		goto out;
6172 	}
6173 
6174 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
6175 		params->hidden_ssid = nla_get_u32(
6176 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
6177 
6178 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
6179 
6180 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
6181 		params->auth_type = nla_get_u32(
6182 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
6183 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
6184 					     NL80211_CMD_START_AP)) {
6185 			err = -EINVAL;
6186 			goto out;
6187 		}
6188 	} else
6189 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
6190 
6191 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6192 				      NL80211_MAX_NR_CIPHER_SUITES);
6193 	if (err)
6194 		goto out;
6195 
6196 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6197 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6198 			err = -EOPNOTSUPP;
6199 			goto out;
6200 		}
6201 		params->inactivity_timeout = nla_get_u16(
6202 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6203 	}
6204 
6205 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6206 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6207 			err = -EINVAL;
6208 			goto out;
6209 		}
6210 		params->p2p_ctwindow =
6211 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6212 		if (params->p2p_ctwindow != 0 &&
6213 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6214 			err = -EINVAL;
6215 			goto out;
6216 		}
6217 	}
6218 
6219 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6220 		u8 tmp;
6221 
6222 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6223 			err = -EINVAL;
6224 			goto out;
6225 		}
6226 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6227 		params->p2p_opp_ps = tmp;
6228 		if (params->p2p_opp_ps != 0 &&
6229 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6230 			err = -EINVAL;
6231 			goto out;
6232 		}
6233 	}
6234 
6235 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6236 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6237 		if (err)
6238 			goto out;
6239 	} else if (wdev->valid_links) {
6240 		/* with MLD need to specify the channel configuration */
6241 		err = -EINVAL;
6242 		goto out;
6243 	} else if (wdev->u.ap.preset_chandef.chan) {
6244 		params->chandef = wdev->u.ap.preset_chandef;
6245 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6246 		err = -EINVAL;
6247 		goto out;
6248 	}
6249 
6250 	beacon_check.iftype = wdev->iftype;
6251 	beacon_check.relax = true;
6252 	beacon_check.reg_power =
6253 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6254 					     params->beacon.tail_len);
6255 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy, &params->chandef,
6256 					  &beacon_check)) {
6257 		err = -EINVAL;
6258 		goto out;
6259 	}
6260 
6261 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6262 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6263 						    NL80211_ATTR_TX_RATES,
6264 						    &params->beacon_rate,
6265 						    dev, false, link_id);
6266 		if (err)
6267 			goto out;
6268 
6269 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6270 					      &params->beacon_rate);
6271 		if (err)
6272 			goto out;
6273 	}
6274 
6275 	if (info->attrs[NL80211_ATTR_SMPS_MODE] &&
6276 	    nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]) != NL80211_SMPS_OFF)
6277 		return -EOPNOTSUPP;
6278 
6279 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6280 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6281 		err = -EOPNOTSUPP;
6282 		goto out;
6283 	}
6284 
6285 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6286 		params->acl = parse_acl_data(&rdev->wiphy, info);
6287 		if (IS_ERR(params->acl)) {
6288 			err = PTR_ERR(params->acl);
6289 			params->acl = NULL;
6290 			goto out;
6291 		}
6292 	}
6293 
6294 	params->twt_responder =
6295 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6296 
6297 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6298 		err = nl80211_parse_he_obss_pd(
6299 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6300 					&params->he_obss_pd);
6301 		if (err)
6302 			goto out;
6303 	}
6304 
6305 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6306 		err = nl80211_parse_fils_discovery(rdev,
6307 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6308 						   &params->fils_discovery);
6309 		if (err)
6310 			goto out;
6311 	}
6312 
6313 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6314 		err = nl80211_parse_unsol_bcast_probe_resp(
6315 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6316 			&params->unsol_bcast_probe_resp);
6317 		if (err)
6318 			goto out;
6319 	}
6320 
6321 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6322 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6323 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6324 						  &params->mbssid_config,
6325 						  params->beacon.mbssid_ies ?
6326 							params->beacon.mbssid_ies->cnt :
6327 							0);
6328 		if (err)
6329 			goto out;
6330 	}
6331 
6332 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6333 		err = -EINVAL;
6334 		goto out;
6335 	}
6336 
6337 	err = nl80211_calculate_ap_params(params);
6338 	if (err)
6339 		goto out;
6340 
6341 	err = nl80211_validate_ap_phy_operation(params);
6342 	if (err)
6343 		goto out;
6344 
6345 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6346 		params->flags = nla_get_u32(
6347 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6348 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6349 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6350 
6351 	if (wdev->conn_owner_nlportid &&
6352 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6353 	    wdev->conn_owner_nlportid != info->snd_portid) {
6354 		err = -EINVAL;
6355 		goto out;
6356 	}
6357 
6358 	/* FIXME: validate MLO/link-id against driver capabilities */
6359 
6360 	err = rdev_start_ap(rdev, dev, params);
6361 	if (!err) {
6362 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6363 		wdev->links[link_id].ap.chandef = params->chandef;
6364 		wdev->u.ap.ssid_len = params->ssid_len;
6365 		memcpy(wdev->u.ap.ssid, params->ssid,
6366 		       params->ssid_len);
6367 
6368 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6369 			wdev->conn_owner_nlportid = info->snd_portid;
6370 
6371 		nl80211_send_ap_started(wdev, link_id);
6372 	}
6373 out:
6374 	kfree(params->acl);
6375 	kfree(params->beacon.mbssid_ies);
6376 	if (params->mbssid_config.tx_wdev &&
6377 	    params->mbssid_config.tx_wdev->netdev &&
6378 	    params->mbssid_config.tx_wdev->netdev != dev)
6379 		dev_put(params->mbssid_config.tx_wdev->netdev);
6380 	kfree(params->beacon.rnr_ies);
6381 	kfree(params);
6382 
6383 	return err;
6384 }
6385 
6386 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6387 {
6388 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6389 	struct cfg80211_beaconing_check_config beacon_check = {};
6390 	unsigned int link_id = nl80211_link_id(info->attrs);
6391 	struct net_device *dev = info->user_ptr[1];
6392 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6393 	struct cfg80211_ap_update *params;
6394 	struct nlattr *attr;
6395 	int err;
6396 
6397 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6398 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6399 		return -EOPNOTSUPP;
6400 
6401 	if (!rdev->ops->change_beacon)
6402 		return -EOPNOTSUPP;
6403 
6404 	if (!wdev->links[link_id].ap.beacon_interval)
6405 		return -EINVAL;
6406 
6407 	params = kzalloc(sizeof(*params), GFP_KERNEL);
6408 	if (!params)
6409 		return -ENOMEM;
6410 
6411 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
6412 				   info->extack);
6413 	if (err)
6414 		goto out;
6415 
6416 	/* recheck beaconing is permitted with possibly changed power type */
6417 	beacon_check.iftype = wdev->iftype;
6418 	beacon_check.relax = true;
6419 	beacon_check.reg_power =
6420 		cfg80211_get_6ghz_power_type(params->beacon.tail,
6421 					     params->beacon.tail_len);
6422 	if (!cfg80211_reg_check_beaconing(&rdev->wiphy,
6423 					  &wdev->links[link_id].ap.chandef,
6424 					  &beacon_check)) {
6425 		err = -EINVAL;
6426 		goto out;
6427 	}
6428 
6429 	attr = info->attrs[NL80211_ATTR_FILS_DISCOVERY];
6430 	if (attr) {
6431 		err = nl80211_parse_fils_discovery(rdev, attr,
6432 						   &params->fils_discovery);
6433 		if (err)
6434 			goto out;
6435 	}
6436 
6437 	attr = info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP];
6438 	if (attr) {
6439 		err = nl80211_parse_unsol_bcast_probe_resp(rdev, attr,
6440 							   &params->unsol_bcast_probe_resp);
6441 		if (err)
6442 			goto out;
6443 	}
6444 
6445 	err = rdev_change_beacon(rdev, dev, params);
6446 
6447 out:
6448 	kfree(params->beacon.mbssid_ies);
6449 	kfree(params->beacon.rnr_ies);
6450 	kfree(params);
6451 	return err;
6452 }
6453 
6454 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6455 {
6456 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6457 	unsigned int link_id = nl80211_link_id(info->attrs);
6458 	struct net_device *dev = info->user_ptr[1];
6459 
6460 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6461 }
6462 
6463 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6464 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6465 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6466 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6467 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6468 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6469 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6470 };
6471 
6472 static int parse_station_flags(struct genl_info *info,
6473 			       enum nl80211_iftype iftype,
6474 			       struct station_parameters *params)
6475 {
6476 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6477 	struct nlattr *nla;
6478 	int flag;
6479 
6480 	/*
6481 	 * Try parsing the new attribute first so userspace
6482 	 * can specify both for older kernels.
6483 	 */
6484 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6485 	if (nla) {
6486 		struct nl80211_sta_flag_update *sta_flags;
6487 
6488 		sta_flags = nla_data(nla);
6489 		params->sta_flags_mask = sta_flags->mask;
6490 		params->sta_flags_set = sta_flags->set;
6491 		params->sta_flags_set &= params->sta_flags_mask;
6492 		if ((params->sta_flags_mask |
6493 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6494 			return -EINVAL;
6495 		return 0;
6496 	}
6497 
6498 	/* if present, parse the old attribute */
6499 
6500 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6501 	if (!nla)
6502 		return 0;
6503 
6504 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6505 		return -EINVAL;
6506 
6507 	/*
6508 	 * Only allow certain flags for interface types so that
6509 	 * other attributes are silently ignored. Remember that
6510 	 * this is backward compatibility code with old userspace
6511 	 * and shouldn't be hit in other cases anyway.
6512 	 */
6513 	switch (iftype) {
6514 	case NL80211_IFTYPE_AP:
6515 	case NL80211_IFTYPE_AP_VLAN:
6516 	case NL80211_IFTYPE_P2P_GO:
6517 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6518 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6519 					 BIT(NL80211_STA_FLAG_WME) |
6520 					 BIT(NL80211_STA_FLAG_MFP);
6521 		break;
6522 	case NL80211_IFTYPE_P2P_CLIENT:
6523 	case NL80211_IFTYPE_STATION:
6524 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6525 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6526 		break;
6527 	case NL80211_IFTYPE_MESH_POINT:
6528 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6529 					 BIT(NL80211_STA_FLAG_MFP) |
6530 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6531 		break;
6532 	default:
6533 		return -EINVAL;
6534 	}
6535 
6536 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6537 		if (flags[flag]) {
6538 			params->sta_flags_set |= (1<<flag);
6539 
6540 			/* no longer support new API additions in old API */
6541 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6542 				return -EINVAL;
6543 		}
6544 	}
6545 
6546 	return 0;
6547 }
6548 
6549 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6550 {
6551 	struct nlattr *rate;
6552 	u32 bitrate;
6553 	u16 bitrate_compat;
6554 	enum nl80211_rate_info rate_flg;
6555 
6556 	rate = nla_nest_start_noflag(msg, attr);
6557 	if (!rate)
6558 		return false;
6559 
6560 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6561 	bitrate = cfg80211_calculate_bitrate(info);
6562 	/* report 16-bit bitrate only if we can */
6563 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6564 	if (bitrate > 0 &&
6565 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6566 		return false;
6567 	if (bitrate_compat > 0 &&
6568 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6569 		return false;
6570 
6571 	switch (info->bw) {
6572 	case RATE_INFO_BW_1:
6573 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6574 		break;
6575 	case RATE_INFO_BW_2:
6576 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6577 		break;
6578 	case RATE_INFO_BW_4:
6579 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6580 		break;
6581 	case RATE_INFO_BW_5:
6582 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6583 		break;
6584 	case RATE_INFO_BW_8:
6585 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6586 		break;
6587 	case RATE_INFO_BW_10:
6588 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6589 		break;
6590 	case RATE_INFO_BW_16:
6591 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6592 		break;
6593 	default:
6594 		WARN_ON(1);
6595 		fallthrough;
6596 	case RATE_INFO_BW_20:
6597 		rate_flg = 0;
6598 		break;
6599 	case RATE_INFO_BW_40:
6600 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6601 		break;
6602 	case RATE_INFO_BW_80:
6603 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6604 		break;
6605 	case RATE_INFO_BW_160:
6606 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6607 		break;
6608 	case RATE_INFO_BW_HE_RU:
6609 		rate_flg = 0;
6610 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6611 		break;
6612 	case RATE_INFO_BW_320:
6613 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6614 		break;
6615 	case RATE_INFO_BW_EHT_RU:
6616 		rate_flg = 0;
6617 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6618 		break;
6619 	}
6620 
6621 	if (rate_flg && nla_put_flag(msg, rate_flg))
6622 		return false;
6623 
6624 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6625 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6626 			return false;
6627 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6628 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6629 			return false;
6630 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6631 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6632 			return false;
6633 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6634 			return false;
6635 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6636 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6637 			return false;
6638 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6639 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6640 			return false;
6641 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6642 			return false;
6643 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6644 			return false;
6645 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6646 			return false;
6647 		if (info->bw == RATE_INFO_BW_HE_RU &&
6648 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6649 			       info->he_ru_alloc))
6650 			return false;
6651 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6652 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6653 			return false;
6654 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6655 			return false;
6656 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6657 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6658 			return false;
6659 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6660 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6661 			return false;
6662 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6663 			return false;
6664 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6665 			return false;
6666 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6667 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6668 			       info->eht_ru_alloc))
6669 			return false;
6670 	}
6671 
6672 	nla_nest_end(msg, rate);
6673 	return true;
6674 }
6675 
6676 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6677 			       int id)
6678 {
6679 	void *attr;
6680 	int i = 0;
6681 
6682 	if (!mask)
6683 		return true;
6684 
6685 	attr = nla_nest_start_noflag(msg, id);
6686 	if (!attr)
6687 		return false;
6688 
6689 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6690 		if (!(mask & BIT(i)))
6691 			continue;
6692 
6693 		if (nla_put_u8(msg, i, signal[i]))
6694 			return false;
6695 	}
6696 
6697 	nla_nest_end(msg, attr);
6698 
6699 	return true;
6700 }
6701 
6702 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6703 				u32 seq, int flags,
6704 				struct cfg80211_registered_device *rdev,
6705 				struct net_device *dev,
6706 				const u8 *mac_addr, struct station_info *sinfo)
6707 {
6708 	void *hdr;
6709 	struct nlattr *sinfoattr, *bss_param;
6710 
6711 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6712 	if (!hdr) {
6713 		cfg80211_sinfo_release_content(sinfo);
6714 		return -1;
6715 	}
6716 
6717 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6718 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6719 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6720 		goto nla_put_failure;
6721 
6722 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6723 	if (!sinfoattr)
6724 		goto nla_put_failure;
6725 
6726 #define PUT_SINFO(attr, memb, type) do {				\
6727 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6728 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6729 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6730 			     sinfo->memb))				\
6731 		goto nla_put_failure;					\
6732 	} while (0)
6733 #define PUT_SINFO_U64(attr, memb) do {					\
6734 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6735 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6736 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6737 		goto nla_put_failure;					\
6738 	} while (0)
6739 
6740 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6741 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6742 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6743 
6744 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6745 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6746 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6747 			(u32)sinfo->rx_bytes))
6748 		goto nla_put_failure;
6749 
6750 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6751 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6752 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6753 			(u32)sinfo->tx_bytes))
6754 		goto nla_put_failure;
6755 
6756 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6757 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6758 	PUT_SINFO(LLID, llid, u16);
6759 	PUT_SINFO(PLID, plid, u16);
6760 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6761 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6762 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6763 
6764 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6765 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6766 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6767 
6768 	switch (rdev->wiphy.signal_type) {
6769 	case CFG80211_SIGNAL_TYPE_MBM:
6770 		PUT_SINFO(SIGNAL, signal, u8);
6771 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6772 		break;
6773 	default:
6774 		break;
6775 	}
6776 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6777 		if (!nl80211_put_signal(msg, sinfo->chains,
6778 					sinfo->chain_signal,
6779 					NL80211_STA_INFO_CHAIN_SIGNAL))
6780 			goto nla_put_failure;
6781 	}
6782 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6783 		if (!nl80211_put_signal(msg, sinfo->chains,
6784 					sinfo->chain_signal_avg,
6785 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6786 			goto nla_put_failure;
6787 	}
6788 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6789 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6790 					  NL80211_STA_INFO_TX_BITRATE))
6791 			goto nla_put_failure;
6792 	}
6793 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6794 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6795 					  NL80211_STA_INFO_RX_BITRATE))
6796 			goto nla_put_failure;
6797 	}
6798 
6799 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6800 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6801 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6802 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6803 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6804 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6805 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6806 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6807 	PUT_SINFO(PEER_PM, peer_pm, u32);
6808 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6809 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6810 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6811 
6812 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6813 		bss_param = nla_nest_start_noflag(msg,
6814 						  NL80211_STA_INFO_BSS_PARAM);
6815 		if (!bss_param)
6816 			goto nla_put_failure;
6817 
6818 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6819 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6820 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6821 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6822 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6823 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6824 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6825 			       sinfo->bss_param.dtim_period) ||
6826 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6827 				sinfo->bss_param.beacon_interval))
6828 			goto nla_put_failure;
6829 
6830 		nla_nest_end(msg, bss_param);
6831 	}
6832 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6833 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6834 		    sizeof(struct nl80211_sta_flag_update),
6835 		    &sinfo->sta_flags))
6836 		goto nla_put_failure;
6837 
6838 	PUT_SINFO_U64(T_OFFSET, t_offset);
6839 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6840 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6841 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6842 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6843 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6844 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6845 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6846 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6847 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6848 	}
6849 
6850 #undef PUT_SINFO
6851 #undef PUT_SINFO_U64
6852 
6853 	if (sinfo->pertid) {
6854 		struct nlattr *tidsattr;
6855 		int tid;
6856 
6857 		tidsattr = nla_nest_start_noflag(msg,
6858 						 NL80211_STA_INFO_TID_STATS);
6859 		if (!tidsattr)
6860 			goto nla_put_failure;
6861 
6862 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6863 			struct cfg80211_tid_stats *tidstats;
6864 			struct nlattr *tidattr;
6865 
6866 			tidstats = &sinfo->pertid[tid];
6867 
6868 			if (!tidstats->filled)
6869 				continue;
6870 
6871 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6872 			if (!tidattr)
6873 				goto nla_put_failure;
6874 
6875 #define PUT_TIDVAL_U64(attr, memb) do {					\
6876 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6877 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6878 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6879 		goto nla_put_failure;					\
6880 	} while (0)
6881 
6882 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6883 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6884 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6885 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6886 
6887 #undef PUT_TIDVAL_U64
6888 			if ((tidstats->filled &
6889 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6890 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6891 						   NL80211_TID_STATS_TXQ_STATS))
6892 				goto nla_put_failure;
6893 
6894 			nla_nest_end(msg, tidattr);
6895 		}
6896 
6897 		nla_nest_end(msg, tidsattr);
6898 	}
6899 
6900 	nla_nest_end(msg, sinfoattr);
6901 
6902 	if (sinfo->assoc_req_ies_len &&
6903 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6904 		    sinfo->assoc_req_ies))
6905 		goto nla_put_failure;
6906 
6907 	if (sinfo->assoc_resp_ies_len &&
6908 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6909 		    sinfo->assoc_resp_ies))
6910 		goto nla_put_failure;
6911 
6912 	if (sinfo->mlo_params_valid) {
6913 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6914 			       sinfo->assoc_link_id))
6915 			goto nla_put_failure;
6916 
6917 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6918 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6919 			    sinfo->mld_addr))
6920 			goto nla_put_failure;
6921 	}
6922 
6923 	cfg80211_sinfo_release_content(sinfo);
6924 	genlmsg_end(msg, hdr);
6925 	return 0;
6926 
6927  nla_put_failure:
6928 	cfg80211_sinfo_release_content(sinfo);
6929 	genlmsg_cancel(msg, hdr);
6930 	return -EMSGSIZE;
6931 }
6932 
6933 static int nl80211_dump_station(struct sk_buff *skb,
6934 				struct netlink_callback *cb)
6935 {
6936 	struct station_info sinfo;
6937 	struct cfg80211_registered_device *rdev;
6938 	struct wireless_dev *wdev;
6939 	u8 mac_addr[ETH_ALEN];
6940 	int sta_idx = cb->args[2];
6941 	int err;
6942 
6943 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6944 	if (err)
6945 		return err;
6946 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6947 	__acquire(&rdev->wiphy.mtx);
6948 
6949 	if (!wdev->netdev) {
6950 		err = -EINVAL;
6951 		goto out_err;
6952 	}
6953 
6954 	if (!rdev->ops->dump_station) {
6955 		err = -EOPNOTSUPP;
6956 		goto out_err;
6957 	}
6958 
6959 	while (1) {
6960 		memset(&sinfo, 0, sizeof(sinfo));
6961 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6962 					mac_addr, &sinfo);
6963 		if (err == -ENOENT)
6964 			break;
6965 		if (err)
6966 			goto out_err;
6967 
6968 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6969 				NETLINK_CB(cb->skb).portid,
6970 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6971 				rdev, wdev->netdev, mac_addr,
6972 				&sinfo) < 0)
6973 			goto out;
6974 
6975 		sta_idx++;
6976 	}
6977 
6978  out:
6979 	cb->args[2] = sta_idx;
6980 	err = skb->len;
6981  out_err:
6982 	wiphy_unlock(&rdev->wiphy);
6983 
6984 	return err;
6985 }
6986 
6987 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6988 {
6989 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6990 	struct net_device *dev = info->user_ptr[1];
6991 	struct station_info sinfo;
6992 	struct sk_buff *msg;
6993 	u8 *mac_addr = NULL;
6994 	int err;
6995 
6996 	memset(&sinfo, 0, sizeof(sinfo));
6997 
6998 	if (!info->attrs[NL80211_ATTR_MAC])
6999 		return -EINVAL;
7000 
7001 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7002 
7003 	if (!rdev->ops->get_station)
7004 		return -EOPNOTSUPP;
7005 
7006 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
7007 	if (err)
7008 		return err;
7009 
7010 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7011 	if (!msg) {
7012 		cfg80211_sinfo_release_content(&sinfo);
7013 		return -ENOMEM;
7014 	}
7015 
7016 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
7017 				 info->snd_portid, info->snd_seq, 0,
7018 				 rdev, dev, mac_addr, &sinfo) < 0) {
7019 		nlmsg_free(msg);
7020 		return -ENOBUFS;
7021 	}
7022 
7023 	return genlmsg_reply(msg, info);
7024 }
7025 
7026 int cfg80211_check_station_change(struct wiphy *wiphy,
7027 				  struct station_parameters *params,
7028 				  enum cfg80211_station_type statype)
7029 {
7030 	if (params->listen_interval != -1 &&
7031 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7032 		return -EINVAL;
7033 
7034 	if (params->support_p2p_ps != -1 &&
7035 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7036 		return -EINVAL;
7037 
7038 	if (params->aid &&
7039 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
7040 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
7041 		return -EINVAL;
7042 
7043 	/* When you run into this, adjust the code below for the new flag */
7044 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7045 
7046 	switch (statype) {
7047 	case CFG80211_STA_MESH_PEER_KERNEL:
7048 	case CFG80211_STA_MESH_PEER_USER:
7049 		/*
7050 		 * No ignoring the TDLS flag here -- the userspace mesh
7051 		 * code doesn't have the bug of including TDLS in the
7052 		 * mask everywhere.
7053 		 */
7054 		if (params->sta_flags_mask &
7055 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7056 				  BIT(NL80211_STA_FLAG_MFP) |
7057 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
7058 			return -EINVAL;
7059 		break;
7060 	case CFG80211_STA_TDLS_PEER_SETUP:
7061 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7062 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7063 			return -EINVAL;
7064 		/* ignore since it can't change */
7065 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7066 		break;
7067 	default:
7068 		/* disallow mesh-specific things */
7069 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
7070 			return -EINVAL;
7071 		if (params->local_pm)
7072 			return -EINVAL;
7073 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7074 			return -EINVAL;
7075 	}
7076 
7077 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7078 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
7079 		/* TDLS can't be set, ... */
7080 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
7081 			return -EINVAL;
7082 		/*
7083 		 * ... but don't bother the driver with it. This works around
7084 		 * a hostapd/wpa_supplicant issue -- it always includes the
7085 		 * TLDS_PEER flag in the mask even for AP mode.
7086 		 */
7087 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7088 	}
7089 
7090 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
7091 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7092 		/* reject other things that can't change */
7093 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
7094 			return -EINVAL;
7095 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
7096 			return -EINVAL;
7097 		if (params->link_sta_params.supported_rates)
7098 			return -EINVAL;
7099 		if (params->ext_capab || params->link_sta_params.ht_capa ||
7100 		    params->link_sta_params.vht_capa ||
7101 		    params->link_sta_params.he_capa ||
7102 		    params->link_sta_params.eht_capa)
7103 			return -EINVAL;
7104 		if (params->sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7105 			return -EINVAL;
7106 	}
7107 
7108 	if (statype != CFG80211_STA_AP_CLIENT &&
7109 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
7110 		if (params->vlan)
7111 			return -EINVAL;
7112 	}
7113 
7114 	switch (statype) {
7115 	case CFG80211_STA_AP_MLME_CLIENT:
7116 		/* Use this only for authorizing/unauthorizing a station */
7117 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
7118 			return -EOPNOTSUPP;
7119 		break;
7120 	case CFG80211_STA_AP_CLIENT:
7121 	case CFG80211_STA_AP_CLIENT_UNASSOC:
7122 		/* accept only the listed bits */
7123 		if (params->sta_flags_mask &
7124 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7125 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7126 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
7127 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
7128 				  BIT(NL80211_STA_FLAG_WME) |
7129 				  BIT(NL80211_STA_FLAG_MFP) |
7130 				  BIT(NL80211_STA_FLAG_SPP_AMSDU)))
7131 			return -EINVAL;
7132 
7133 		/* but authenticated/associated only if driver handles it */
7134 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7135 		    params->sta_flags_mask &
7136 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7137 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
7138 			return -EINVAL;
7139 		break;
7140 	case CFG80211_STA_IBSS:
7141 	case CFG80211_STA_AP_STA:
7142 		/* reject any changes other than AUTHORIZED */
7143 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
7144 			return -EINVAL;
7145 		break;
7146 	case CFG80211_STA_TDLS_PEER_SETUP:
7147 		/* reject any changes other than AUTHORIZED or WME */
7148 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
7149 					       BIT(NL80211_STA_FLAG_WME)))
7150 			return -EINVAL;
7151 		/* force (at least) rates when authorizing */
7152 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
7153 		    !params->link_sta_params.supported_rates)
7154 			return -EINVAL;
7155 		break;
7156 	case CFG80211_STA_TDLS_PEER_ACTIVE:
7157 		/* reject any changes */
7158 		return -EINVAL;
7159 	case CFG80211_STA_MESH_PEER_KERNEL:
7160 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
7161 			return -EINVAL;
7162 		break;
7163 	case CFG80211_STA_MESH_PEER_USER:
7164 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
7165 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
7166 			return -EINVAL;
7167 		break;
7168 	}
7169 
7170 	/*
7171 	 * Older kernel versions ignored this attribute entirely, so don't
7172 	 * reject attempts to update it but mark it as unused instead so the
7173 	 * driver won't look at the data.
7174 	 */
7175 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
7176 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
7177 		params->link_sta_params.opmode_notif_used = false;
7178 
7179 	return 0;
7180 }
7181 EXPORT_SYMBOL(cfg80211_check_station_change);
7182 
7183 /*
7184  * Get vlan interface making sure it is running and on the right wiphy.
7185  */
7186 static struct net_device *get_vlan(struct genl_info *info,
7187 				   struct cfg80211_registered_device *rdev)
7188 {
7189 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
7190 	struct net_device *v;
7191 	int ret;
7192 
7193 	if (!vlanattr)
7194 		return NULL;
7195 
7196 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
7197 	if (!v)
7198 		return ERR_PTR(-ENODEV);
7199 
7200 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
7201 		ret = -EINVAL;
7202 		goto error;
7203 	}
7204 
7205 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7206 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7207 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7208 		ret = -EINVAL;
7209 		goto error;
7210 	}
7211 
7212 	if (!netif_running(v)) {
7213 		ret = -ENETDOWN;
7214 		goto error;
7215 	}
7216 
7217 	return v;
7218  error:
7219 	dev_put(v);
7220 	return ERR_PTR(ret);
7221 }
7222 
7223 static int nl80211_parse_sta_wme(struct genl_info *info,
7224 				 struct station_parameters *params)
7225 {
7226 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7227 	struct nlattr *nla;
7228 	int err;
7229 
7230 	/* parse WME attributes if present */
7231 	if (!info->attrs[NL80211_ATTR_STA_WME])
7232 		return 0;
7233 
7234 	nla = info->attrs[NL80211_ATTR_STA_WME];
7235 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7236 					  nl80211_sta_wme_policy,
7237 					  info->extack);
7238 	if (err)
7239 		return err;
7240 
7241 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7242 		params->uapsd_queues = nla_get_u8(
7243 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7244 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7245 		return -EINVAL;
7246 
7247 	if (tb[NL80211_STA_WME_MAX_SP])
7248 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7249 
7250 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7251 		return -EINVAL;
7252 
7253 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7254 
7255 	return 0;
7256 }
7257 
7258 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7259 				      struct station_parameters *params)
7260 {
7261 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7262 		params->supported_channels =
7263 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7264 		params->supported_channels_len =
7265 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7266 		/*
7267 		 * Need to include at least one (first channel, number of
7268 		 * channels) tuple for each subband (checked in policy),
7269 		 * and must have proper tuples for the rest of the data as well.
7270 		 */
7271 		if (params->supported_channels_len % 2)
7272 			return -EINVAL;
7273 	}
7274 
7275 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7276 		params->supported_oper_classes =
7277 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7278 		params->supported_oper_classes_len =
7279 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7280 	}
7281 	return 0;
7282 }
7283 
7284 static int nl80211_set_station_tdls(struct genl_info *info,
7285 				    struct station_parameters *params)
7286 {
7287 	int err;
7288 	/* Dummy STA entry gets updated once the peer capabilities are known */
7289 	if (info->attrs[NL80211_ATTR_PEER_AID])
7290 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7291 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7292 		params->link_sta_params.ht_capa =
7293 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7294 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7295 		params->link_sta_params.vht_capa =
7296 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7297 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7298 		params->link_sta_params.he_capa =
7299 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7300 		params->link_sta_params.he_capa_len =
7301 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7302 
7303 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7304 			params->link_sta_params.eht_capa =
7305 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7306 			params->link_sta_params.eht_capa_len =
7307 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7308 
7309 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7310 							(const u8 *)params->link_sta_params.eht_capa,
7311 							params->link_sta_params.eht_capa_len,
7312 							false))
7313 				return -EINVAL;
7314 		}
7315 	}
7316 
7317 	err = nl80211_parse_sta_channel_info(info, params);
7318 	if (err)
7319 		return err;
7320 
7321 	return nl80211_parse_sta_wme(info, params);
7322 }
7323 
7324 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7325 					     struct sta_txpwr *txpwr,
7326 					     bool *txpwr_set)
7327 {
7328 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7329 	int idx;
7330 
7331 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7332 		if (!rdev->ops->set_tx_power ||
7333 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7334 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7335 			return -EOPNOTSUPP;
7336 
7337 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7338 		txpwr->type = nla_get_u8(info->attrs[idx]);
7339 
7340 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7341 			idx = NL80211_ATTR_STA_TX_POWER;
7342 
7343 			if (info->attrs[idx])
7344 				txpwr->power = nla_get_s16(info->attrs[idx]);
7345 			else
7346 				return -EINVAL;
7347 		}
7348 
7349 		*txpwr_set = true;
7350 	} else {
7351 		*txpwr_set = false;
7352 	}
7353 
7354 	return 0;
7355 }
7356 
7357 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7358 {
7359 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7360 	struct net_device *dev = info->user_ptr[1];
7361 	struct station_parameters params;
7362 	u8 *mac_addr;
7363 	int err;
7364 
7365 	memset(&params, 0, sizeof(params));
7366 
7367 	if (!rdev->ops->change_station)
7368 		return -EOPNOTSUPP;
7369 
7370 	/*
7371 	 * AID and listen_interval properties can be set only for unassociated
7372 	 * station. Include these parameters here and will check them in
7373 	 * cfg80211_check_station_change().
7374 	 */
7375 	if (info->attrs[NL80211_ATTR_STA_AID])
7376 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7377 
7378 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7379 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7380 
7381 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7382 		params.listen_interval =
7383 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7384 	else
7385 		params.listen_interval = -1;
7386 
7387 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7388 		params.support_p2p_ps =
7389 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7390 	else
7391 		params.support_p2p_ps = -1;
7392 
7393 	if (!info->attrs[NL80211_ATTR_MAC])
7394 		return -EINVAL;
7395 
7396 	params.link_sta_params.link_id =
7397 		nl80211_link_id_or_invalid(info->attrs);
7398 
7399 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7400 		/* If MLD_ADDR attribute is set then this is an MLD station
7401 		 * and the MLD_ADDR attribute holds the MLD address and the
7402 		 * MAC attribute holds for the LINK address.
7403 		 * In that case, the link_id is also expected to be valid.
7404 		 */
7405 		if (params.link_sta_params.link_id < 0)
7406 			return -EINVAL;
7407 
7408 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7409 		params.link_sta_params.mld_mac = mac_addr;
7410 		params.link_sta_params.link_mac =
7411 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7412 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7413 			return -EINVAL;
7414 	} else {
7415 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7416 	}
7417 
7418 
7419 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7420 		params.link_sta_params.supported_rates =
7421 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7422 		params.link_sta_params.supported_rates_len =
7423 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7424 	}
7425 
7426 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7427 		params.capability =
7428 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7429 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7430 	}
7431 
7432 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7433 		params.ext_capab =
7434 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7435 		params.ext_capab_len =
7436 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7437 	}
7438 
7439 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7440 		return -EINVAL;
7441 
7442 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7443 		params.plink_action =
7444 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7445 
7446 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7447 		params.plink_state =
7448 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7449 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7450 			params.peer_aid = nla_get_u16(
7451 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7452 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7453 	}
7454 
7455 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7456 		params.local_pm = nla_get_u32(
7457 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7458 
7459 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7460 		params.link_sta_params.opmode_notif_used = true;
7461 		params.link_sta_params.opmode_notif =
7462 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7463 	}
7464 
7465 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7466 		params.link_sta_params.he_6ghz_capa =
7467 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7468 
7469 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7470 		params.airtime_weight =
7471 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7472 
7473 	if (params.airtime_weight &&
7474 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7475 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7476 		return -EOPNOTSUPP;
7477 
7478 	err = nl80211_parse_sta_txpower_setting(info,
7479 						&params.link_sta_params.txpwr,
7480 						&params.link_sta_params.txpwr_set);
7481 	if (err)
7482 		return err;
7483 
7484 	/* Include parameters for TDLS peer (will check later) */
7485 	err = nl80211_set_station_tdls(info, &params);
7486 	if (err)
7487 		return err;
7488 
7489 	params.vlan = get_vlan(info, rdev);
7490 	if (IS_ERR(params.vlan))
7491 		return PTR_ERR(params.vlan);
7492 
7493 	switch (dev->ieee80211_ptr->iftype) {
7494 	case NL80211_IFTYPE_AP:
7495 	case NL80211_IFTYPE_AP_VLAN:
7496 	case NL80211_IFTYPE_P2P_GO:
7497 	case NL80211_IFTYPE_P2P_CLIENT:
7498 	case NL80211_IFTYPE_STATION:
7499 	case NL80211_IFTYPE_ADHOC:
7500 	case NL80211_IFTYPE_MESH_POINT:
7501 		break;
7502 	default:
7503 		err = -EOPNOTSUPP;
7504 		goto out_put_vlan;
7505 	}
7506 
7507 	/* driver will call cfg80211_check_station_change() */
7508 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7509 
7510  out_put_vlan:
7511 	dev_put(params.vlan);
7512 
7513 	return err;
7514 }
7515 
7516 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7517 {
7518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7519 	int err;
7520 	struct net_device *dev = info->user_ptr[1];
7521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7522 	struct station_parameters params;
7523 	u8 *mac_addr = NULL;
7524 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7525 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7526 
7527 	memset(&params, 0, sizeof(params));
7528 
7529 	if (!rdev->ops->add_station)
7530 		return -EOPNOTSUPP;
7531 
7532 	if (!info->attrs[NL80211_ATTR_MAC])
7533 		return -EINVAL;
7534 
7535 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7536 		return -EINVAL;
7537 
7538 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7539 		return -EINVAL;
7540 
7541 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7542 	    !info->attrs[NL80211_ATTR_PEER_AID])
7543 		return -EINVAL;
7544 
7545 	params.link_sta_params.link_id =
7546 		nl80211_link_id_or_invalid(info->attrs);
7547 
7548 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7549 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7550 		params.link_sta_params.mld_mac = mac_addr;
7551 		params.link_sta_params.link_mac =
7552 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7553 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7554 			return -EINVAL;
7555 	} else {
7556 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7557 	}
7558 
7559 	params.link_sta_params.supported_rates =
7560 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7561 	params.link_sta_params.supported_rates_len =
7562 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7563 	params.listen_interval =
7564 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7565 
7566 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7567 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7568 
7569 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7570 		params.support_p2p_ps =
7571 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7572 	} else {
7573 		/*
7574 		 * if not specified, assume it's supported for P2P GO interface,
7575 		 * and is NOT supported for AP interface
7576 		 */
7577 		params.support_p2p_ps =
7578 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7579 	}
7580 
7581 	if (info->attrs[NL80211_ATTR_PEER_AID])
7582 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7583 	else
7584 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7585 
7586 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7587 		params.capability =
7588 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7589 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7590 	}
7591 
7592 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7593 		params.ext_capab =
7594 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7595 		params.ext_capab_len =
7596 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7597 	}
7598 
7599 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7600 		params.link_sta_params.ht_capa =
7601 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7602 
7603 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7604 		params.link_sta_params.vht_capa =
7605 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7606 
7607 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7608 		params.link_sta_params.he_capa =
7609 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7610 		params.link_sta_params.he_capa_len =
7611 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7612 
7613 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7614 			params.link_sta_params.eht_capa =
7615 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7616 			params.link_sta_params.eht_capa_len =
7617 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7618 
7619 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7620 							(const u8 *)params.link_sta_params.eht_capa,
7621 							params.link_sta_params.eht_capa_len,
7622 							false))
7623 				return -EINVAL;
7624 		}
7625 	}
7626 
7627 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7628 		params.link_sta_params.he_6ghz_capa =
7629 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7630 
7631 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7632 		params.link_sta_params.opmode_notif_used = true;
7633 		params.link_sta_params.opmode_notif =
7634 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7635 	}
7636 
7637 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7638 		params.plink_action =
7639 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7640 
7641 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7642 		params.airtime_weight =
7643 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7644 
7645 	if (params.airtime_weight &&
7646 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7647 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7648 		return -EOPNOTSUPP;
7649 
7650 	err = nl80211_parse_sta_txpower_setting(info,
7651 						&params.link_sta_params.txpwr,
7652 						&params.link_sta_params.txpwr_set);
7653 	if (err)
7654 		return err;
7655 
7656 	err = nl80211_parse_sta_channel_info(info, &params);
7657 	if (err)
7658 		return err;
7659 
7660 	err = nl80211_parse_sta_wme(info, &params);
7661 	if (err)
7662 		return err;
7663 
7664 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7665 		return -EINVAL;
7666 
7667 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7668 	 * as userspace might just pass through the capabilities from the IEs
7669 	 * directly, rather than enforcing this restriction and returning an
7670 	 * error in this case.
7671 	 */
7672 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7673 		params.link_sta_params.ht_capa = NULL;
7674 		params.link_sta_params.vht_capa = NULL;
7675 
7676 		/* HE and EHT require WME */
7677 		if (params.link_sta_params.he_capa_len ||
7678 		    params.link_sta_params.he_6ghz_capa ||
7679 		    params.link_sta_params.eht_capa_len)
7680 			return -EINVAL;
7681 	}
7682 
7683 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7684 	if (params.link_sta_params.he_6ghz_capa &&
7685 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7686 		return -EINVAL;
7687 
7688 	/* When you run into this, adjust the code below for the new flag */
7689 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 8);
7690 
7691 	switch (dev->ieee80211_ptr->iftype) {
7692 	case NL80211_IFTYPE_AP:
7693 	case NL80211_IFTYPE_AP_VLAN:
7694 	case NL80211_IFTYPE_P2P_GO:
7695 		/* ignore WME attributes if iface/sta is not capable */
7696 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7697 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7698 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7699 
7700 		/* TDLS peers cannot be added */
7701 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7702 		    info->attrs[NL80211_ATTR_PEER_AID])
7703 			return -EINVAL;
7704 		/* but don't bother the driver with it */
7705 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7706 
7707 		/* allow authenticated/associated only if driver handles it */
7708 		if (!(rdev->wiphy.features &
7709 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7710 		    params.sta_flags_mask & auth_assoc)
7711 			return -EINVAL;
7712 
7713 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
7714 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT) &&
7715 		    params.sta_flags_mask & BIT(NL80211_STA_FLAG_SPP_AMSDU))
7716 			return -EINVAL;
7717 
7718 		/* Older userspace, or userspace wanting to be compatible with
7719 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7720 		 * and assoc flags in the mask, but assumes the station will be
7721 		 * added as associated anyway since this was the required driver
7722 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7723 		 * introduced.
7724 		 * In order to not bother drivers with this quirk in the API
7725 		 * set the flags in both the mask and set for new stations in
7726 		 * this case.
7727 		 */
7728 		if (!(params.sta_flags_mask & auth_assoc)) {
7729 			params.sta_flags_mask |= auth_assoc;
7730 			params.sta_flags_set |= auth_assoc;
7731 		}
7732 
7733 		/* must be last in here for error handling */
7734 		params.vlan = get_vlan(info, rdev);
7735 		if (IS_ERR(params.vlan))
7736 			return PTR_ERR(params.vlan);
7737 		break;
7738 	case NL80211_IFTYPE_MESH_POINT:
7739 		/* ignore uAPSD data */
7740 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7741 
7742 		/* associated is disallowed */
7743 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7744 			return -EINVAL;
7745 		/* TDLS peers cannot be added */
7746 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7747 		    info->attrs[NL80211_ATTR_PEER_AID])
7748 			return -EINVAL;
7749 		break;
7750 	case NL80211_IFTYPE_STATION:
7751 	case NL80211_IFTYPE_P2P_CLIENT:
7752 		/* ignore uAPSD data */
7753 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7754 
7755 		/* these are disallowed */
7756 		if (params.sta_flags_mask &
7757 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7758 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7759 			return -EINVAL;
7760 		/* Only TDLS peers can be added */
7761 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7762 			return -EINVAL;
7763 		/* Can only add if TDLS ... */
7764 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7765 			return -EOPNOTSUPP;
7766 		/* ... with external setup is supported */
7767 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7768 			return -EOPNOTSUPP;
7769 		/*
7770 		 * Older wpa_supplicant versions always mark the TDLS peer
7771 		 * as authorized, but it shouldn't yet be.
7772 		 */
7773 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7774 		break;
7775 	default:
7776 		return -EOPNOTSUPP;
7777 	}
7778 
7779 	/* be aware of params.vlan when changing code here */
7780 
7781 	if (wdev->valid_links) {
7782 		if (params.link_sta_params.link_id < 0) {
7783 			err = -EINVAL;
7784 			goto out;
7785 		}
7786 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7787 			err = -ENOLINK;
7788 			goto out;
7789 		}
7790 	} else {
7791 		if (params.link_sta_params.link_id >= 0) {
7792 			err = -EINVAL;
7793 			goto out;
7794 		}
7795 	}
7796 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7797 out:
7798 	dev_put(params.vlan);
7799 	return err;
7800 }
7801 
7802 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7803 {
7804 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7805 	struct net_device *dev = info->user_ptr[1];
7806 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7807 	struct station_del_parameters params;
7808 	int link_id = nl80211_link_id_or_invalid(info->attrs);
7809 
7810 	memset(&params, 0, sizeof(params));
7811 
7812 	if (info->attrs[NL80211_ATTR_MAC])
7813 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7814 
7815 	switch (wdev->iftype) {
7816 	case NL80211_IFTYPE_AP:
7817 	case NL80211_IFTYPE_AP_VLAN:
7818 	case NL80211_IFTYPE_MESH_POINT:
7819 	case NL80211_IFTYPE_P2P_GO:
7820 		/* always accept these */
7821 		break;
7822 	case NL80211_IFTYPE_ADHOC:
7823 		/* conditionally accept */
7824 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7825 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7826 			break;
7827 		return -EINVAL;
7828 	default:
7829 		return -EINVAL;
7830 	}
7831 
7832 	if (!rdev->ops->del_station)
7833 		return -EOPNOTSUPP;
7834 
7835 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7836 		params.subtype =
7837 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7838 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7839 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7840 			return -EINVAL;
7841 	} else {
7842 		/* Default to Deauthentication frame */
7843 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7844 	}
7845 
7846 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7847 		params.reason_code =
7848 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7849 		if (params.reason_code == 0)
7850 			return -EINVAL; /* 0 is reserved */
7851 	} else {
7852 		/* Default to reason code 2 */
7853 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7854 	}
7855 
7856 	/* Link ID not expected in case of non-ML operation */
7857 	if (!wdev->valid_links && link_id != -1)
7858 		return -EINVAL;
7859 
7860 	/* If given, a valid link ID should be passed during MLO */
7861 	if (wdev->valid_links && link_id >= 0 &&
7862 	    !(wdev->valid_links & BIT(link_id)))
7863 		return -EINVAL;
7864 
7865 	params.link_id = link_id;
7866 
7867 	return rdev_del_station(rdev, dev, &params);
7868 }
7869 
7870 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7871 				int flags, struct net_device *dev,
7872 				u8 *dst, u8 *next_hop,
7873 				struct mpath_info *pinfo)
7874 {
7875 	void *hdr;
7876 	struct nlattr *pinfoattr;
7877 
7878 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7879 	if (!hdr)
7880 		return -1;
7881 
7882 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7883 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7884 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7885 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7886 		goto nla_put_failure;
7887 
7888 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7889 	if (!pinfoattr)
7890 		goto nla_put_failure;
7891 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7892 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7893 			pinfo->frame_qlen))
7894 		goto nla_put_failure;
7895 	if (((pinfo->filled & MPATH_INFO_SN) &&
7896 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7897 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7898 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7899 			 pinfo->metric)) ||
7900 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7901 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7902 			 pinfo->exptime)) ||
7903 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7904 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7905 			pinfo->flags)) ||
7906 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7907 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7908 			 pinfo->discovery_timeout)) ||
7909 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7910 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7911 			pinfo->discovery_retries)) ||
7912 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7913 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7914 			pinfo->hop_count)) ||
7915 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7916 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7917 			 pinfo->path_change_count)))
7918 		goto nla_put_failure;
7919 
7920 	nla_nest_end(msg, pinfoattr);
7921 
7922 	genlmsg_end(msg, hdr);
7923 	return 0;
7924 
7925  nla_put_failure:
7926 	genlmsg_cancel(msg, hdr);
7927 	return -EMSGSIZE;
7928 }
7929 
7930 static int nl80211_dump_mpath(struct sk_buff *skb,
7931 			      struct netlink_callback *cb)
7932 {
7933 	struct mpath_info pinfo;
7934 	struct cfg80211_registered_device *rdev;
7935 	struct wireless_dev *wdev;
7936 	u8 dst[ETH_ALEN];
7937 	u8 next_hop[ETH_ALEN];
7938 	int path_idx = cb->args[2];
7939 	int err;
7940 
7941 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7942 	if (err)
7943 		return err;
7944 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7945 	__acquire(&rdev->wiphy.mtx);
7946 
7947 	if (!rdev->ops->dump_mpath) {
7948 		err = -EOPNOTSUPP;
7949 		goto out_err;
7950 	}
7951 
7952 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7953 		err = -EOPNOTSUPP;
7954 		goto out_err;
7955 	}
7956 
7957 	while (1) {
7958 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7959 				      next_hop, &pinfo);
7960 		if (err == -ENOENT)
7961 			break;
7962 		if (err)
7963 			goto out_err;
7964 
7965 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7966 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7967 				       wdev->netdev, dst, next_hop,
7968 				       &pinfo) < 0)
7969 			goto out;
7970 
7971 		path_idx++;
7972 	}
7973 
7974  out:
7975 	cb->args[2] = path_idx;
7976 	err = skb->len;
7977  out_err:
7978 	wiphy_unlock(&rdev->wiphy);
7979 	return err;
7980 }
7981 
7982 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7983 {
7984 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7985 	int err;
7986 	struct net_device *dev = info->user_ptr[1];
7987 	struct mpath_info pinfo;
7988 	struct sk_buff *msg;
7989 	u8 *dst = NULL;
7990 	u8 next_hop[ETH_ALEN];
7991 
7992 	memset(&pinfo, 0, sizeof(pinfo));
7993 
7994 	if (!info->attrs[NL80211_ATTR_MAC])
7995 		return -EINVAL;
7996 
7997 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7998 
7999 	if (!rdev->ops->get_mpath)
8000 		return -EOPNOTSUPP;
8001 
8002 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8003 		return -EOPNOTSUPP;
8004 
8005 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
8006 	if (err)
8007 		return err;
8008 
8009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8010 	if (!msg)
8011 		return -ENOMEM;
8012 
8013 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8014 				 dev, dst, next_hop, &pinfo) < 0) {
8015 		nlmsg_free(msg);
8016 		return -ENOBUFS;
8017 	}
8018 
8019 	return genlmsg_reply(msg, info);
8020 }
8021 
8022 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
8023 {
8024 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8025 	struct net_device *dev = info->user_ptr[1];
8026 	u8 *dst = NULL;
8027 	u8 *next_hop = NULL;
8028 
8029 	if (!info->attrs[NL80211_ATTR_MAC])
8030 		return -EINVAL;
8031 
8032 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8033 		return -EINVAL;
8034 
8035 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8036 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8037 
8038 	if (!rdev->ops->change_mpath)
8039 		return -EOPNOTSUPP;
8040 
8041 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8042 		return -EOPNOTSUPP;
8043 
8044 	return rdev_change_mpath(rdev, dev, dst, next_hop);
8045 }
8046 
8047 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
8048 {
8049 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8050 	struct net_device *dev = info->user_ptr[1];
8051 	u8 *dst = NULL;
8052 	u8 *next_hop = NULL;
8053 
8054 	if (!info->attrs[NL80211_ATTR_MAC])
8055 		return -EINVAL;
8056 
8057 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
8058 		return -EINVAL;
8059 
8060 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8061 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
8062 
8063 	if (!rdev->ops->add_mpath)
8064 		return -EOPNOTSUPP;
8065 
8066 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8067 		return -EOPNOTSUPP;
8068 
8069 	return rdev_add_mpath(rdev, dev, dst, next_hop);
8070 }
8071 
8072 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
8073 {
8074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8075 	struct net_device *dev = info->user_ptr[1];
8076 	u8 *dst = NULL;
8077 
8078 	if (info->attrs[NL80211_ATTR_MAC])
8079 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8080 
8081 	if (!rdev->ops->del_mpath)
8082 		return -EOPNOTSUPP;
8083 
8084 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8085 		return -EOPNOTSUPP;
8086 
8087 	return rdev_del_mpath(rdev, dev, dst);
8088 }
8089 
8090 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
8091 {
8092 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8093 	int err;
8094 	struct net_device *dev = info->user_ptr[1];
8095 	struct mpath_info pinfo;
8096 	struct sk_buff *msg;
8097 	u8 *dst = NULL;
8098 	u8 mpp[ETH_ALEN];
8099 
8100 	memset(&pinfo, 0, sizeof(pinfo));
8101 
8102 	if (!info->attrs[NL80211_ATTR_MAC])
8103 		return -EINVAL;
8104 
8105 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
8106 
8107 	if (!rdev->ops->get_mpp)
8108 		return -EOPNOTSUPP;
8109 
8110 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
8111 		return -EOPNOTSUPP;
8112 
8113 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
8114 	if (err)
8115 		return err;
8116 
8117 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8118 	if (!msg)
8119 		return -ENOMEM;
8120 
8121 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
8122 			       dev, dst, mpp, &pinfo) < 0) {
8123 		nlmsg_free(msg);
8124 		return -ENOBUFS;
8125 	}
8126 
8127 	return genlmsg_reply(msg, info);
8128 }
8129 
8130 static int nl80211_dump_mpp(struct sk_buff *skb,
8131 			    struct netlink_callback *cb)
8132 {
8133 	struct mpath_info pinfo;
8134 	struct cfg80211_registered_device *rdev;
8135 	struct wireless_dev *wdev;
8136 	u8 dst[ETH_ALEN];
8137 	u8 mpp[ETH_ALEN];
8138 	int path_idx = cb->args[2];
8139 	int err;
8140 
8141 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
8142 	if (err)
8143 		return err;
8144 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
8145 	__acquire(&rdev->wiphy.mtx);
8146 
8147 	if (!rdev->ops->dump_mpp) {
8148 		err = -EOPNOTSUPP;
8149 		goto out_err;
8150 	}
8151 
8152 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
8153 		err = -EOPNOTSUPP;
8154 		goto out_err;
8155 	}
8156 
8157 	while (1) {
8158 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
8159 				    mpp, &pinfo);
8160 		if (err == -ENOENT)
8161 			break;
8162 		if (err)
8163 			goto out_err;
8164 
8165 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
8166 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
8167 				       wdev->netdev, dst, mpp,
8168 				       &pinfo) < 0)
8169 			goto out;
8170 
8171 		path_idx++;
8172 	}
8173 
8174  out:
8175 	cb->args[2] = path_idx;
8176 	err = skb->len;
8177  out_err:
8178 	wiphy_unlock(&rdev->wiphy);
8179 	return err;
8180 }
8181 
8182 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
8183 {
8184 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8185 	struct net_device *dev = info->user_ptr[1];
8186 	struct bss_parameters params;
8187 
8188 	memset(&params, 0, sizeof(params));
8189 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
8190 	/* default to not changing parameters */
8191 	params.use_cts_prot = -1;
8192 	params.use_short_preamble = -1;
8193 	params.use_short_slot_time = -1;
8194 	params.ap_isolate = -1;
8195 	params.ht_opmode = -1;
8196 	params.p2p_ctwindow = -1;
8197 	params.p2p_opp_ps = -1;
8198 
8199 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
8200 		params.use_cts_prot =
8201 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
8202 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
8203 		params.use_short_preamble =
8204 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
8205 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
8206 		params.use_short_slot_time =
8207 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
8208 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
8209 		params.basic_rates =
8210 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8211 		params.basic_rates_len =
8212 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8213 	}
8214 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8215 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8216 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8217 		params.ht_opmode =
8218 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8219 
8220 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8221 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8222 			return -EINVAL;
8223 		params.p2p_ctwindow =
8224 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8225 		if (params.p2p_ctwindow != 0 &&
8226 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8227 			return -EINVAL;
8228 	}
8229 
8230 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8231 		u8 tmp;
8232 
8233 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8234 			return -EINVAL;
8235 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8236 		params.p2p_opp_ps = tmp;
8237 		if (params.p2p_opp_ps &&
8238 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8239 			return -EINVAL;
8240 	}
8241 
8242 	if (!rdev->ops->change_bss)
8243 		return -EOPNOTSUPP;
8244 
8245 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8246 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8247 		return -EOPNOTSUPP;
8248 
8249 	return rdev_change_bss(rdev, dev, &params);
8250 }
8251 
8252 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8253 {
8254 	char *data = NULL;
8255 	bool is_indoor;
8256 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8257 	u32 owner_nlportid;
8258 
8259 	/*
8260 	 * You should only get this when cfg80211 hasn't yet initialized
8261 	 * completely when built-in to the kernel right between the time
8262 	 * window between nl80211_init() and regulatory_init(), if that is
8263 	 * even possible.
8264 	 */
8265 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8266 		return -EINPROGRESS;
8267 
8268 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8269 		user_reg_hint_type =
8270 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8271 	else
8272 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8273 
8274 	switch (user_reg_hint_type) {
8275 	case NL80211_USER_REG_HINT_USER:
8276 	case NL80211_USER_REG_HINT_CELL_BASE:
8277 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8278 			return -EINVAL;
8279 
8280 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8281 		return regulatory_hint_user(data, user_reg_hint_type);
8282 	case NL80211_USER_REG_HINT_INDOOR:
8283 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8284 			owner_nlportid = info->snd_portid;
8285 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8286 		} else {
8287 			owner_nlportid = 0;
8288 			is_indoor = true;
8289 		}
8290 
8291 		regulatory_hint_indoor(is_indoor, owner_nlportid);
8292 		return 0;
8293 	default:
8294 		return -EINVAL;
8295 	}
8296 }
8297 
8298 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8299 {
8300 	return reg_reload_regdb();
8301 }
8302 
8303 static int nl80211_get_mesh_config(struct sk_buff *skb,
8304 				   struct genl_info *info)
8305 {
8306 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8307 	struct net_device *dev = info->user_ptr[1];
8308 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8309 	struct mesh_config cur_params;
8310 	int err = 0;
8311 	void *hdr;
8312 	struct nlattr *pinfoattr;
8313 	struct sk_buff *msg;
8314 
8315 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8316 		return -EOPNOTSUPP;
8317 
8318 	if (!rdev->ops->get_mesh_config)
8319 		return -EOPNOTSUPP;
8320 
8321 	/* If not connected, get default parameters */
8322 	if (!wdev->u.mesh.id_len)
8323 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8324 	else
8325 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8326 
8327 	if (err)
8328 		return err;
8329 
8330 	/* Draw up a netlink message to send back */
8331 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8332 	if (!msg)
8333 		return -ENOMEM;
8334 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8335 			     NL80211_CMD_GET_MESH_CONFIG);
8336 	if (!hdr)
8337 		goto out;
8338 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8339 	if (!pinfoattr)
8340 		goto nla_put_failure;
8341 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8342 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8343 			cur_params.dot11MeshRetryTimeout) ||
8344 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8345 			cur_params.dot11MeshConfirmTimeout) ||
8346 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8347 			cur_params.dot11MeshHoldingTimeout) ||
8348 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8349 			cur_params.dot11MeshMaxPeerLinks) ||
8350 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8351 		       cur_params.dot11MeshMaxRetries) ||
8352 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8353 		       cur_params.dot11MeshTTL) ||
8354 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8355 		       cur_params.element_ttl) ||
8356 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8357 		       cur_params.auto_open_plinks) ||
8358 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8359 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8360 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8361 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8362 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8363 			cur_params.path_refresh_time) ||
8364 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8365 			cur_params.min_discovery_timeout) ||
8366 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8367 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8368 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8369 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8370 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8371 			cur_params.dot11MeshHWMPperrMinInterval) ||
8372 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8373 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8374 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8375 		       cur_params.dot11MeshHWMPRootMode) ||
8376 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8377 			cur_params.dot11MeshHWMPRannInterval) ||
8378 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8379 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8380 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8381 		       cur_params.dot11MeshForwarding) ||
8382 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8383 			cur_params.rssi_threshold) ||
8384 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8385 			cur_params.ht_opmode) ||
8386 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8387 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8388 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8389 			cur_params.dot11MeshHWMProotInterval) ||
8390 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8391 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8392 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8393 			cur_params.power_mode) ||
8394 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8395 			cur_params.dot11MeshAwakeWindowDuration) ||
8396 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8397 			cur_params.plink_timeout) ||
8398 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8399 		       cur_params.dot11MeshConnectedToMeshGate) ||
8400 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8401 		       cur_params.dot11MeshNolearn) ||
8402 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8403 		       cur_params.dot11MeshConnectedToAuthServer))
8404 		goto nla_put_failure;
8405 	nla_nest_end(msg, pinfoattr);
8406 	genlmsg_end(msg, hdr);
8407 	return genlmsg_reply(msg, info);
8408 
8409  nla_put_failure:
8410  out:
8411 	nlmsg_free(msg);
8412 	return -ENOBUFS;
8413 }
8414 
8415 static const struct nla_policy
8416 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8417 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8418 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8419 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8420 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8421 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8422 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8423 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8424 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8425 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8426 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8427 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8428 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8429 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8430 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8431 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8432 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8433 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8434 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8435 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8436 		NLA_POLICY_MIN(NLA_U16, 1),
8437 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8438 		NLA_POLICY_MIN(NLA_U16, 1),
8439 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8440 		NLA_POLICY_MIN(NLA_U16, 1),
8441 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8442 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8443 		NLA_POLICY_MIN(NLA_U16, 1),
8444 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8445 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8446 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8447 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8448 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8449 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8450 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8451 		NLA_POLICY_MIN(NLA_U16, 1),
8452 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8453 		NLA_POLICY_MIN(NLA_U16, 1),
8454 	[NL80211_MESHCONF_POWER_MODE] =
8455 		NLA_POLICY_RANGE(NLA_U32,
8456 				 NL80211_MESH_POWER_ACTIVE,
8457 				 NL80211_MESH_POWER_MAX),
8458 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8459 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8460 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8461 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8462 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8463 };
8464 
8465 static const struct nla_policy
8466 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8467 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8468 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8469 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8470 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8471 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8472 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8473 	[NL80211_MESH_SETUP_IE] =
8474 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8475 				       IEEE80211_MAX_DATA_LEN),
8476 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8477 };
8478 
8479 static int nl80211_parse_mesh_config(struct genl_info *info,
8480 				     struct mesh_config *cfg,
8481 				     u32 *mask_out)
8482 {
8483 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8484 	u32 mask = 0;
8485 	u16 ht_opmode;
8486 
8487 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8488 do {									\
8489 	if (tb[attr]) {							\
8490 		cfg->param = fn(tb[attr]);				\
8491 		mask |= BIT((attr) - 1);				\
8492 	}								\
8493 } while (0)
8494 
8495 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8496 		return -EINVAL;
8497 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8498 		return -EINVAL;
8499 
8500 	/* This makes sure that there aren't more than 32 mesh config
8501 	 * parameters (otherwise our bitfield scheme would not work.) */
8502 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8503 
8504 	/* Fill in the params struct */
8505 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8506 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8507 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8508 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8509 				  nla_get_u16);
8510 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8511 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8512 				  nla_get_u16);
8513 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8514 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8515 				  nla_get_u16);
8516 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8517 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8518 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8519 				  NL80211_MESHCONF_TTL, nla_get_u8);
8520 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8521 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8522 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8523 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8524 				  nla_get_u8);
8525 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8526 				  mask,
8527 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8528 				  nla_get_u32);
8529 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8530 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8531 				  nla_get_u8);
8532 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8533 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8534 				  nla_get_u32);
8535 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8536 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8537 		return -EINVAL;
8538 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8539 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8540 				  nla_get_u16);
8541 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8542 				  mask,
8543 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8544 				  nla_get_u32);
8545 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8546 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8547 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8548 		return -EINVAL;
8549 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8550 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8551 				  nla_get_u16);
8552 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8553 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8554 				  nla_get_u16);
8555 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8556 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8557 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8558 				  nla_get_u16);
8559 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8560 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8561 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8562 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8563 				  nla_get_u16);
8564 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8565 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8566 				  nla_get_u8);
8567 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8568 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8569 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8570 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8571 				  nla_get_s32);
8572 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8573 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8574 				  nla_get_u8);
8575 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8576 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8577 				  nla_get_u8);
8578 	/*
8579 	 * Check HT operation mode based on
8580 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8581 	 */
8582 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8583 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8584 
8585 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8586 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8587 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8588 			return -EINVAL;
8589 
8590 		/* NON_HT_STA bit is reserved, but some programs set it */
8591 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8592 
8593 		cfg->ht_opmode = ht_opmode;
8594 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8595 	}
8596 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8597 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8598 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8599 				  nla_get_u32);
8600 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8601 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8602 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8603 		return -EINVAL;
8604 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8605 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8606 				  nla_get_u16);
8607 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8608 				  mask,
8609 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8610 				  nla_get_u16);
8611 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8612 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8613 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8614 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8615 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8616 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8617 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8618 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8619 	if (mask_out)
8620 		*mask_out = mask;
8621 
8622 	return 0;
8623 
8624 #undef FILL_IN_MESH_PARAM_IF_SET
8625 }
8626 
8627 static int nl80211_parse_mesh_setup(struct genl_info *info,
8628 				     struct mesh_setup *setup)
8629 {
8630 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8631 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8632 
8633 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8634 		return -EINVAL;
8635 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8636 		return -EINVAL;
8637 
8638 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8639 		setup->sync_method =
8640 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8641 		 IEEE80211_SYNC_METHOD_VENDOR :
8642 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8643 
8644 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8645 		setup->path_sel_proto =
8646 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8647 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8648 		 IEEE80211_PATH_PROTOCOL_HWMP;
8649 
8650 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8651 		setup->path_metric =
8652 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8653 		 IEEE80211_PATH_METRIC_VENDOR :
8654 		 IEEE80211_PATH_METRIC_AIRTIME;
8655 
8656 	if (tb[NL80211_MESH_SETUP_IE]) {
8657 		struct nlattr *ieattr =
8658 			tb[NL80211_MESH_SETUP_IE];
8659 		setup->ie = nla_data(ieattr);
8660 		setup->ie_len = nla_len(ieattr);
8661 	}
8662 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8663 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8664 		return -EINVAL;
8665 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8666 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8667 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8668 	if (setup->is_secure)
8669 		setup->user_mpm = true;
8670 
8671 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8672 		if (!setup->user_mpm)
8673 			return -EINVAL;
8674 		setup->auth_id =
8675 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8676 	}
8677 
8678 	return 0;
8679 }
8680 
8681 static int nl80211_update_mesh_config(struct sk_buff *skb,
8682 				      struct genl_info *info)
8683 {
8684 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8685 	struct net_device *dev = info->user_ptr[1];
8686 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8687 	struct mesh_config cfg = {};
8688 	u32 mask;
8689 	int err;
8690 
8691 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8692 		return -EOPNOTSUPP;
8693 
8694 	if (!rdev->ops->update_mesh_config)
8695 		return -EOPNOTSUPP;
8696 
8697 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8698 	if (err)
8699 		return err;
8700 
8701 	if (!wdev->u.mesh.id_len)
8702 		err = -ENOLINK;
8703 
8704 	if (!err)
8705 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8706 
8707 	return err;
8708 }
8709 
8710 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8711 			      struct sk_buff *msg)
8712 {
8713 	struct nlattr *nl_reg_rules;
8714 	unsigned int i;
8715 
8716 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8717 	    (regdom->dfs_region &&
8718 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8719 		goto nla_put_failure;
8720 
8721 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8722 	if (!nl_reg_rules)
8723 		goto nla_put_failure;
8724 
8725 	for (i = 0; i < regdom->n_reg_rules; i++) {
8726 		struct nlattr *nl_reg_rule;
8727 		const struct ieee80211_reg_rule *reg_rule;
8728 		const struct ieee80211_freq_range *freq_range;
8729 		const struct ieee80211_power_rule *power_rule;
8730 		unsigned int max_bandwidth_khz;
8731 
8732 		reg_rule = &regdom->reg_rules[i];
8733 		freq_range = &reg_rule->freq_range;
8734 		power_rule = &reg_rule->power_rule;
8735 
8736 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8737 		if (!nl_reg_rule)
8738 			goto nla_put_failure;
8739 
8740 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8741 		if (!max_bandwidth_khz)
8742 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8743 								  reg_rule);
8744 
8745 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8746 				reg_rule->flags) ||
8747 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8748 				freq_range->start_freq_khz) ||
8749 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8750 				freq_range->end_freq_khz) ||
8751 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8752 				max_bandwidth_khz) ||
8753 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8754 				power_rule->max_antenna_gain) ||
8755 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8756 				power_rule->max_eirp) ||
8757 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8758 				reg_rule->dfs_cac_ms))
8759 			goto nla_put_failure;
8760 
8761 		if ((reg_rule->flags & NL80211_RRF_PSD) &&
8762 		    nla_put_s8(msg, NL80211_ATTR_POWER_RULE_PSD,
8763 			       reg_rule->psd))
8764 			goto nla_put_failure;
8765 
8766 		nla_nest_end(msg, nl_reg_rule);
8767 	}
8768 
8769 	nla_nest_end(msg, nl_reg_rules);
8770 	return 0;
8771 
8772 nla_put_failure:
8773 	return -EMSGSIZE;
8774 }
8775 
8776 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8777 {
8778 	const struct ieee80211_regdomain *regdom = NULL;
8779 	struct cfg80211_registered_device *rdev;
8780 	struct wiphy *wiphy = NULL;
8781 	struct sk_buff *msg;
8782 	int err = -EMSGSIZE;
8783 	void *hdr;
8784 
8785 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8786 	if (!msg)
8787 		return -ENOBUFS;
8788 
8789 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8790 			     NL80211_CMD_GET_REG);
8791 	if (!hdr)
8792 		goto put_failure;
8793 
8794 	rtnl_lock();
8795 
8796 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8797 		bool self_managed;
8798 
8799 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8800 		if (IS_ERR(rdev)) {
8801 			err = PTR_ERR(rdev);
8802 			goto nla_put_failure;
8803 		}
8804 
8805 		wiphy = &rdev->wiphy;
8806 		self_managed = wiphy->regulatory_flags &
8807 			       REGULATORY_WIPHY_SELF_MANAGED;
8808 
8809 		rcu_read_lock();
8810 
8811 		regdom = get_wiphy_regdom(wiphy);
8812 
8813 		/* a self-managed-reg device must have a private regdom */
8814 		if (WARN_ON(!regdom && self_managed)) {
8815 			err = -EINVAL;
8816 			goto nla_put_failure_rcu;
8817 		}
8818 
8819 		if (regdom &&
8820 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8821 			goto nla_put_failure_rcu;
8822 	} else {
8823 		rcu_read_lock();
8824 	}
8825 
8826 	if (!wiphy && reg_last_request_cell_base() &&
8827 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8828 			NL80211_USER_REG_HINT_CELL_BASE))
8829 		goto nla_put_failure_rcu;
8830 
8831 	if (!regdom)
8832 		regdom = rcu_dereference(cfg80211_regdomain);
8833 
8834 	if (nl80211_put_regdom(regdom, msg))
8835 		goto nla_put_failure_rcu;
8836 
8837 	rcu_read_unlock();
8838 
8839 	genlmsg_end(msg, hdr);
8840 	rtnl_unlock();
8841 	return genlmsg_reply(msg, info);
8842 
8843 nla_put_failure_rcu:
8844 	rcu_read_unlock();
8845 nla_put_failure:
8846 	rtnl_unlock();
8847 put_failure:
8848 	nlmsg_free(msg);
8849 	return err;
8850 }
8851 
8852 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8853 			       u32 seq, int flags, struct wiphy *wiphy,
8854 			       const struct ieee80211_regdomain *regdom)
8855 {
8856 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8857 				   NL80211_CMD_GET_REG);
8858 
8859 	if (!hdr)
8860 		return -1;
8861 
8862 	genl_dump_check_consistent(cb, hdr);
8863 
8864 	if (nl80211_put_regdom(regdom, msg))
8865 		goto nla_put_failure;
8866 
8867 	if (!wiphy && reg_last_request_cell_base() &&
8868 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8869 			NL80211_USER_REG_HINT_CELL_BASE))
8870 		goto nla_put_failure;
8871 
8872 	if (wiphy &&
8873 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8874 		goto nla_put_failure;
8875 
8876 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8877 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8878 		goto nla_put_failure;
8879 
8880 	genlmsg_end(msg, hdr);
8881 	return 0;
8882 
8883 nla_put_failure:
8884 	genlmsg_cancel(msg, hdr);
8885 	return -EMSGSIZE;
8886 }
8887 
8888 static int nl80211_get_reg_dump(struct sk_buff *skb,
8889 				struct netlink_callback *cb)
8890 {
8891 	const struct ieee80211_regdomain *regdom = NULL;
8892 	struct cfg80211_registered_device *rdev;
8893 	int err, reg_idx, start = cb->args[2];
8894 
8895 	rcu_read_lock();
8896 
8897 	if (cfg80211_regdomain && start == 0) {
8898 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8899 					  NLM_F_MULTI, NULL,
8900 					  rcu_dereference(cfg80211_regdomain));
8901 		if (err < 0)
8902 			goto out_err;
8903 	}
8904 
8905 	/* the global regdom is idx 0 */
8906 	reg_idx = 1;
8907 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8908 		regdom = get_wiphy_regdom(&rdev->wiphy);
8909 		if (!regdom)
8910 			continue;
8911 
8912 		if (++reg_idx <= start)
8913 			continue;
8914 
8915 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8916 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8917 		if (err < 0) {
8918 			reg_idx--;
8919 			break;
8920 		}
8921 	}
8922 
8923 	cb->args[2] = reg_idx;
8924 	err = skb->len;
8925 out_err:
8926 	rcu_read_unlock();
8927 	return err;
8928 }
8929 
8930 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8931 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8932 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8933 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8934 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8935 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8936 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8937 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8938 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8939 };
8940 
8941 static int parse_reg_rule(struct nlattr *tb[],
8942 	struct ieee80211_reg_rule *reg_rule)
8943 {
8944 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8945 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8946 
8947 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8948 		return -EINVAL;
8949 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8950 		return -EINVAL;
8951 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8952 		return -EINVAL;
8953 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8954 		return -EINVAL;
8955 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8956 		return -EINVAL;
8957 
8958 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8959 
8960 	freq_range->start_freq_khz =
8961 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8962 	freq_range->end_freq_khz =
8963 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8964 	freq_range->max_bandwidth_khz =
8965 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8966 
8967 	power_rule->max_eirp =
8968 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8969 
8970 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8971 		power_rule->max_antenna_gain =
8972 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8973 
8974 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8975 		reg_rule->dfs_cac_ms =
8976 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8977 
8978 	return 0;
8979 }
8980 
8981 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8982 {
8983 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8984 	struct nlattr *nl_reg_rule;
8985 	char *alpha2;
8986 	int rem_reg_rules, r;
8987 	u32 num_rules = 0, rule_idx = 0;
8988 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8989 	struct ieee80211_regdomain *rd;
8990 
8991 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8992 		return -EINVAL;
8993 
8994 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8995 		return -EINVAL;
8996 
8997 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8998 
8999 	if (info->attrs[NL80211_ATTR_DFS_REGION])
9000 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
9001 
9002 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9003 			    rem_reg_rules) {
9004 		num_rules++;
9005 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
9006 			return -EINVAL;
9007 	}
9008 
9009 	rtnl_lock();
9010 	if (!reg_is_valid_request(alpha2)) {
9011 		r = -EINVAL;
9012 		goto out;
9013 	}
9014 
9015 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
9016 	if (!rd) {
9017 		r = -ENOMEM;
9018 		goto out;
9019 	}
9020 
9021 	rd->n_reg_rules = num_rules;
9022 	rd->alpha2[0] = alpha2[0];
9023 	rd->alpha2[1] = alpha2[1];
9024 
9025 	/*
9026 	 * Disable DFS master mode if the DFS region was
9027 	 * not supported or known on this kernel.
9028 	 */
9029 	if (reg_supported_dfs_region(dfs_region))
9030 		rd->dfs_region = dfs_region;
9031 
9032 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
9033 			    rem_reg_rules) {
9034 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
9035 						nl_reg_rule, reg_rule_policy,
9036 						info->extack);
9037 		if (r)
9038 			goto bad_reg;
9039 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
9040 		if (r)
9041 			goto bad_reg;
9042 
9043 		rule_idx++;
9044 
9045 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
9046 			r = -EINVAL;
9047 			goto bad_reg;
9048 		}
9049 	}
9050 
9051 	r = set_regdom(rd, REGD_SOURCE_CRDA);
9052 	/* set_regdom takes ownership of rd */
9053 	rd = NULL;
9054  bad_reg:
9055 	kfree(rd);
9056  out:
9057 	rtnl_unlock();
9058 	return r;
9059 }
9060 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
9061 
9062 static int validate_scan_freqs(struct nlattr *freqs)
9063 {
9064 	struct nlattr *attr1, *attr2;
9065 	int n_channels = 0, tmp1, tmp2;
9066 
9067 	nla_for_each_nested(attr1, freqs, tmp1)
9068 		if (nla_len(attr1) != sizeof(u32))
9069 			return 0;
9070 
9071 	nla_for_each_nested(attr1, freqs, tmp1) {
9072 		n_channels++;
9073 		/*
9074 		 * Some hardware has a limited channel list for
9075 		 * scanning, and it is pretty much nonsensical
9076 		 * to scan for a channel twice, so disallow that
9077 		 * and don't require drivers to check that the
9078 		 * channel list they get isn't longer than what
9079 		 * they can scan, as long as they can scan all
9080 		 * the channels they registered at once.
9081 		 */
9082 		nla_for_each_nested(attr2, freqs, tmp2)
9083 			if (attr1 != attr2 &&
9084 			    nla_get_u32(attr1) == nla_get_u32(attr2))
9085 				return 0;
9086 	}
9087 
9088 	return n_channels;
9089 }
9090 
9091 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
9092 {
9093 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
9094 }
9095 
9096 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
9097 			    struct cfg80211_bss_selection *bss_select)
9098 {
9099 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
9100 	struct nlattr *nest;
9101 	int err;
9102 	bool found = false;
9103 	int i;
9104 
9105 	/* only process one nested attribute */
9106 	nest = nla_data(nla);
9107 	if (!nla_ok(nest, nla_len(nest)))
9108 		return -EINVAL;
9109 
9110 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
9111 					  nest, nl80211_bss_select_policy,
9112 					  NULL);
9113 	if (err)
9114 		return err;
9115 
9116 	/* only one attribute may be given */
9117 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
9118 		if (attr[i]) {
9119 			if (found)
9120 				return -EINVAL;
9121 			found = true;
9122 		}
9123 	}
9124 
9125 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
9126 
9127 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
9128 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
9129 
9130 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
9131 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
9132 		bss_select->param.band_pref =
9133 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
9134 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
9135 			return -EINVAL;
9136 	}
9137 
9138 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
9139 		struct nl80211_bss_select_rssi_adjust *adj_param;
9140 
9141 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
9142 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
9143 		bss_select->param.adjust.band = adj_param->band;
9144 		bss_select->param.adjust.delta = adj_param->delta;
9145 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
9146 			return -EINVAL;
9147 	}
9148 
9149 	/* user-space did not provide behaviour attribute */
9150 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
9151 		return -EINVAL;
9152 
9153 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
9154 		return -EINVAL;
9155 
9156 	return 0;
9157 }
9158 
9159 int nl80211_parse_random_mac(struct nlattr **attrs,
9160 			     u8 *mac_addr, u8 *mac_addr_mask)
9161 {
9162 	int i;
9163 
9164 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
9165 		eth_zero_addr(mac_addr);
9166 		eth_zero_addr(mac_addr_mask);
9167 		mac_addr[0] = 0x2;
9168 		mac_addr_mask[0] = 0x3;
9169 
9170 		return 0;
9171 	}
9172 
9173 	/* need both or none */
9174 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
9175 		return -EINVAL;
9176 
9177 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
9178 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
9179 
9180 	/* don't allow or configure an mcast address */
9181 	if (!is_multicast_ether_addr(mac_addr_mask) ||
9182 	    is_multicast_ether_addr(mac_addr))
9183 		return -EINVAL;
9184 
9185 	/*
9186 	 * allow users to pass a MAC address that has bits set outside
9187 	 * of the mask, but don't bother drivers with having to deal
9188 	 * with such bits
9189 	 */
9190 	for (i = 0; i < ETH_ALEN; i++)
9191 		mac_addr[i] &= mac_addr_mask[i];
9192 
9193 	return 0;
9194 }
9195 
9196 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
9197 					      struct ieee80211_channel *chan)
9198 {
9199 	unsigned int link_id;
9200 	bool all_ok = true;
9201 
9202 	lockdep_assert_wiphy(wdev->wiphy);
9203 
9204 	if (!cfg80211_wdev_channel_allowed(wdev, chan))
9205 		return false;
9206 
9207 	if (!cfg80211_beaconing_iface_active(wdev))
9208 		return true;
9209 
9210 	/*
9211 	 * FIXME: check if we have a free HW resource/link for chan
9212 	 *
9213 	 * This, as well as the FIXME below, requires knowing the link
9214 	 * capabilities of the hardware.
9215 	 */
9216 
9217 	/* we cannot leave radar channels */
9218 	for_each_valid_link(wdev, link_id) {
9219 		struct cfg80211_chan_def *chandef;
9220 
9221 		chandef = wdev_chandef(wdev, link_id);
9222 		if (!chandef || !chandef->chan)
9223 			continue;
9224 
9225 		/*
9226 		 * FIXME: don't require all_ok, but rather check only the
9227 		 *	  correct HW resource/link onto which 'chan' falls,
9228 		 *	  as only that link leaves the channel for doing
9229 		 *	  the off-channel operation.
9230 		 */
9231 
9232 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9233 			all_ok = false;
9234 	}
9235 
9236 	if (all_ok)
9237 		return true;
9238 
9239 	return regulatory_pre_cac_allowed(wdev->wiphy);
9240 }
9241 
9242 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9243 				    enum nl80211_ext_feature_index feat)
9244 {
9245 	if (!(flags & flag))
9246 		return true;
9247 	if (wiphy_ext_feature_isset(wiphy, feat))
9248 		return true;
9249 	return false;
9250 }
9251 
9252 static int
9253 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9254 			 void *request, struct nlattr **attrs,
9255 			 bool is_sched_scan)
9256 {
9257 	u8 *mac_addr, *mac_addr_mask;
9258 	u32 *flags;
9259 	enum nl80211_feature_flags randomness_flag;
9260 
9261 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9262 		return 0;
9263 
9264 	if (is_sched_scan) {
9265 		struct cfg80211_sched_scan_request *req = request;
9266 
9267 		randomness_flag = wdev ?
9268 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9269 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9270 		flags = &req->flags;
9271 		mac_addr = req->mac_addr;
9272 		mac_addr_mask = req->mac_addr_mask;
9273 	} else {
9274 		struct cfg80211_scan_request *req = request;
9275 
9276 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9277 		flags = &req->flags;
9278 		mac_addr = req->mac_addr;
9279 		mac_addr_mask = req->mac_addr_mask;
9280 	}
9281 
9282 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9283 
9284 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9285 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9286 	    !nl80211_check_scan_feat(wiphy, *flags,
9287 				     NL80211_SCAN_FLAG_LOW_SPAN,
9288 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9289 	    !nl80211_check_scan_feat(wiphy, *flags,
9290 				     NL80211_SCAN_FLAG_LOW_POWER,
9291 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9292 	    !nl80211_check_scan_feat(wiphy, *flags,
9293 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9294 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9295 	    !nl80211_check_scan_feat(wiphy, *flags,
9296 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9297 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9298 	    !nl80211_check_scan_feat(wiphy, *flags,
9299 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9300 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9301 	    !nl80211_check_scan_feat(wiphy, *flags,
9302 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9303 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9304 	    !nl80211_check_scan_feat(wiphy, *flags,
9305 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9306 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9307 	    !nl80211_check_scan_feat(wiphy, *flags,
9308 				     NL80211_SCAN_FLAG_RANDOM_SN,
9309 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9310 	    !nl80211_check_scan_feat(wiphy, *flags,
9311 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9312 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9313 		return -EOPNOTSUPP;
9314 
9315 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9316 		int err;
9317 
9318 		if (!(wiphy->features & randomness_flag) ||
9319 		    (wdev && wdev->connected))
9320 			return -EOPNOTSUPP;
9321 
9322 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9323 		if (err)
9324 			return err;
9325 	}
9326 
9327 	return 0;
9328 }
9329 
9330 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9331 {
9332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9333 	struct wireless_dev *wdev = info->user_ptr[1];
9334 	struct cfg80211_scan_request *request;
9335 	struct nlattr *scan_freqs = NULL;
9336 	bool scan_freqs_khz = false;
9337 	struct nlattr *attr;
9338 	struct wiphy *wiphy;
9339 	int err, tmp, n_ssids = 0, n_channels, i;
9340 	size_t ie_len, size;
9341 	size_t ssids_offset, ie_offset;
9342 
9343 	wiphy = &rdev->wiphy;
9344 
9345 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9346 		return -EOPNOTSUPP;
9347 
9348 	if (!rdev->ops->scan)
9349 		return -EOPNOTSUPP;
9350 
9351 	if (rdev->scan_req || rdev->scan_msg)
9352 		return -EBUSY;
9353 
9354 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9355 		if (!wiphy_ext_feature_isset(wiphy,
9356 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9357 			return -EOPNOTSUPP;
9358 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9359 		scan_freqs_khz = true;
9360 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9361 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9362 
9363 	if (scan_freqs) {
9364 		n_channels = validate_scan_freqs(scan_freqs);
9365 		if (!n_channels)
9366 			return -EINVAL;
9367 	} else {
9368 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9369 	}
9370 
9371 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9372 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9373 			n_ssids++;
9374 
9375 	if (n_ssids > wiphy->max_scan_ssids)
9376 		return -EINVAL;
9377 
9378 	if (info->attrs[NL80211_ATTR_IE])
9379 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9380 	else
9381 		ie_len = 0;
9382 
9383 	if (ie_len > wiphy->max_scan_ie_len)
9384 		return -EINVAL;
9385 
9386 	size = struct_size(request, channels, n_channels);
9387 	ssids_offset = size;
9388 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9389 	ie_offset = size;
9390 	size = size_add(size, ie_len);
9391 	request = kzalloc(size, GFP_KERNEL);
9392 	if (!request)
9393 		return -ENOMEM;
9394 	request->n_channels = n_channels;
9395 
9396 	if (n_ssids)
9397 		request->ssids = (void *)request + ssids_offset;
9398 	request->n_ssids = n_ssids;
9399 	if (ie_len)
9400 		request->ie = (void *)request + ie_offset;
9401 
9402 	i = 0;
9403 	if (scan_freqs) {
9404 		/* user specified, bail out if channel not found */
9405 		nla_for_each_nested(attr, scan_freqs, tmp) {
9406 			struct ieee80211_channel *chan;
9407 			int freq = nla_get_u32(attr);
9408 
9409 			if (!scan_freqs_khz)
9410 				freq = MHZ_TO_KHZ(freq);
9411 
9412 			chan = ieee80211_get_channel_khz(wiphy, freq);
9413 			if (!chan) {
9414 				err = -EINVAL;
9415 				goto out_free;
9416 			}
9417 
9418 			/* ignore disabled channels */
9419 			if (chan->flags & IEEE80211_CHAN_DISABLED ||
9420 			    !cfg80211_wdev_channel_allowed(wdev, chan))
9421 				continue;
9422 
9423 			request->channels[i] = chan;
9424 			i++;
9425 		}
9426 	} else {
9427 		enum nl80211_band band;
9428 
9429 		/* all channels */
9430 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9431 			int j;
9432 
9433 			if (!wiphy->bands[band])
9434 				continue;
9435 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9436 				struct ieee80211_channel *chan;
9437 
9438 				chan = &wiphy->bands[band]->channels[j];
9439 
9440 				if (chan->flags & IEEE80211_CHAN_DISABLED ||
9441 				    !cfg80211_wdev_channel_allowed(wdev, chan))
9442 					continue;
9443 
9444 				request->channels[i] = chan;
9445 				i++;
9446 			}
9447 		}
9448 	}
9449 
9450 	if (!i) {
9451 		err = -EINVAL;
9452 		goto out_free;
9453 	}
9454 
9455 	request->n_channels = i;
9456 
9457 	for (i = 0; i < request->n_channels; i++) {
9458 		struct ieee80211_channel *chan = request->channels[i];
9459 
9460 		/* if we can go off-channel to the target channel we're good */
9461 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9462 			continue;
9463 
9464 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9465 			err = -EBUSY;
9466 			goto out_free;
9467 		}
9468 	}
9469 
9470 	i = 0;
9471 	if (n_ssids) {
9472 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9473 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9474 				err = -EINVAL;
9475 				goto out_free;
9476 			}
9477 			request->ssids[i].ssid_len = nla_len(attr);
9478 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9479 			i++;
9480 		}
9481 	}
9482 
9483 	if (info->attrs[NL80211_ATTR_IE]) {
9484 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9485 		memcpy((void *)request->ie,
9486 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9487 		       request->ie_len);
9488 	}
9489 
9490 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9491 		if (wiphy->bands[i])
9492 			request->rates[i] =
9493 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9494 
9495 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9496 		nla_for_each_nested(attr,
9497 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9498 				    tmp) {
9499 			enum nl80211_band band = nla_type(attr);
9500 
9501 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9502 				err = -EINVAL;
9503 				goto out_free;
9504 			}
9505 
9506 			if (!wiphy->bands[band])
9507 				continue;
9508 
9509 			err = ieee80211_get_ratemask(wiphy->bands[band],
9510 						     nla_data(attr),
9511 						     nla_len(attr),
9512 						     &request->rates[band]);
9513 			if (err)
9514 				goto out_free;
9515 		}
9516 	}
9517 
9518 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9519 		request->duration =
9520 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9521 		request->duration_mandatory =
9522 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9523 	}
9524 
9525 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9526 				       false);
9527 	if (err)
9528 		goto out_free;
9529 
9530 	request->no_cck =
9531 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9532 
9533 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9534 	 * BSSID to scan for. This was problematic because that same attribute
9535 	 * was already used for another purpose (local random MAC address). The
9536 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9537 	 * compatibility with older userspace components, also use the
9538 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9539 	 * the specific BSSID use case instead of the random MAC address
9540 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9541 	 */
9542 	if (info->attrs[NL80211_ATTR_BSSID])
9543 		memcpy(request->bssid,
9544 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9545 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9546 		 info->attrs[NL80211_ATTR_MAC])
9547 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9548 		       ETH_ALEN);
9549 	else
9550 		eth_broadcast_addr(request->bssid);
9551 
9552 	request->tsf_report_link_id = nl80211_link_id_or_invalid(info->attrs);
9553 	request->wdev = wdev;
9554 	request->wiphy = &rdev->wiphy;
9555 	request->scan_start = jiffies;
9556 
9557 	rdev->scan_req = request;
9558 	err = cfg80211_scan(rdev);
9559 
9560 	if (err)
9561 		goto out_free;
9562 
9563 	nl80211_send_scan_start(rdev, wdev);
9564 	dev_hold(wdev->netdev);
9565 
9566 	return 0;
9567 
9568  out_free:
9569 	rdev->scan_req = NULL;
9570 	kfree(request);
9571 
9572 	return err;
9573 }
9574 
9575 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9576 {
9577 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9578 	struct wireless_dev *wdev = info->user_ptr[1];
9579 
9580 	if (!rdev->ops->abort_scan)
9581 		return -EOPNOTSUPP;
9582 
9583 	if (rdev->scan_msg)
9584 		return 0;
9585 
9586 	if (!rdev->scan_req)
9587 		return -ENOENT;
9588 
9589 	rdev_abort_scan(rdev, wdev);
9590 	return 0;
9591 }
9592 
9593 static int
9594 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9595 			       struct cfg80211_sched_scan_request *request,
9596 			       struct nlattr **attrs)
9597 {
9598 	int tmp, err, i = 0;
9599 	struct nlattr *attr;
9600 
9601 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9602 		u32 interval;
9603 
9604 		/*
9605 		 * If scan plans are not specified,
9606 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9607 		 * case one scan plan will be set with the specified scan
9608 		 * interval and infinite number of iterations.
9609 		 */
9610 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9611 		if (!interval)
9612 			return -EINVAL;
9613 
9614 		request->scan_plans[0].interval =
9615 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9616 		if (!request->scan_plans[0].interval)
9617 			return -EINVAL;
9618 
9619 		if (request->scan_plans[0].interval >
9620 		    wiphy->max_sched_scan_plan_interval)
9621 			request->scan_plans[0].interval =
9622 				wiphy->max_sched_scan_plan_interval;
9623 
9624 		return 0;
9625 	}
9626 
9627 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9628 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9629 
9630 		if (WARN_ON(i >= n_plans))
9631 			return -EINVAL;
9632 
9633 		err = nla_parse_nested_deprecated(plan,
9634 						  NL80211_SCHED_SCAN_PLAN_MAX,
9635 						  attr, nl80211_plan_policy,
9636 						  NULL);
9637 		if (err)
9638 			return err;
9639 
9640 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9641 			return -EINVAL;
9642 
9643 		request->scan_plans[i].interval =
9644 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9645 		if (!request->scan_plans[i].interval ||
9646 		    request->scan_plans[i].interval >
9647 		    wiphy->max_sched_scan_plan_interval)
9648 			return -EINVAL;
9649 
9650 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9651 			request->scan_plans[i].iterations =
9652 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9653 			if (!request->scan_plans[i].iterations ||
9654 			    (request->scan_plans[i].iterations >
9655 			     wiphy->max_sched_scan_plan_iterations))
9656 				return -EINVAL;
9657 		} else if (i < n_plans - 1) {
9658 			/*
9659 			 * All scan plans but the last one must specify
9660 			 * a finite number of iterations
9661 			 */
9662 			return -EINVAL;
9663 		}
9664 
9665 		i++;
9666 	}
9667 
9668 	/*
9669 	 * The last scan plan must not specify the number of
9670 	 * iterations, it is supposed to run infinitely
9671 	 */
9672 	if (request->scan_plans[n_plans - 1].iterations)
9673 		return  -EINVAL;
9674 
9675 	return 0;
9676 }
9677 
9678 static struct cfg80211_sched_scan_request *
9679 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9680 			 struct nlattr **attrs, int max_match_sets)
9681 {
9682 	struct cfg80211_sched_scan_request *request;
9683 	struct nlattr *attr;
9684 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9685 	enum nl80211_band band;
9686 	size_t ie_len, size;
9687 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9688 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9689 
9690 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9691 		n_channels = validate_scan_freqs(
9692 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9693 		if (!n_channels)
9694 			return ERR_PTR(-EINVAL);
9695 	} else {
9696 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9697 	}
9698 
9699 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9700 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9701 				    tmp)
9702 			n_ssids++;
9703 
9704 	if (n_ssids > wiphy->max_sched_scan_ssids)
9705 		return ERR_PTR(-EINVAL);
9706 
9707 	/*
9708 	 * First, count the number of 'real' matchsets. Due to an issue with
9709 	 * the old implementation, matchsets containing only the RSSI attribute
9710 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9711 	 * RSSI for all matchsets, rather than their own matchset for reporting
9712 	 * all APs with a strong RSSI. This is needed to be compatible with
9713 	 * older userspace that treated a matchset with only the RSSI as the
9714 	 * global RSSI for all other matchsets - if there are other matchsets.
9715 	 */
9716 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9717 		nla_for_each_nested(attr,
9718 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9719 				    tmp) {
9720 			struct nlattr *rssi;
9721 
9722 			err = nla_parse_nested_deprecated(tb,
9723 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9724 							  attr,
9725 							  nl80211_match_policy,
9726 							  NULL);
9727 			if (err)
9728 				return ERR_PTR(err);
9729 
9730 			/* SSID and BSSID are mutually exclusive */
9731 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9732 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9733 				return ERR_PTR(-EINVAL);
9734 
9735 			/* add other standalone attributes here */
9736 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9737 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9738 				n_match_sets++;
9739 				continue;
9740 			}
9741 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9742 			if (rssi)
9743 				default_match_rssi = nla_get_s32(rssi);
9744 		}
9745 	}
9746 
9747 	/* However, if there's no other matchset, add the RSSI one */
9748 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9749 		n_match_sets = 1;
9750 
9751 	if (n_match_sets > max_match_sets)
9752 		return ERR_PTR(-EINVAL);
9753 
9754 	if (attrs[NL80211_ATTR_IE])
9755 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9756 	else
9757 		ie_len = 0;
9758 
9759 	if (ie_len > wiphy->max_sched_scan_ie_len)
9760 		return ERR_PTR(-EINVAL);
9761 
9762 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9763 		/*
9764 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9765 		 * each scan plan already specifies its own interval
9766 		 */
9767 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9768 			return ERR_PTR(-EINVAL);
9769 
9770 		nla_for_each_nested(attr,
9771 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9772 			n_plans++;
9773 	} else {
9774 		/*
9775 		 * The scan interval attribute is kept for backward
9776 		 * compatibility. If no scan plans are specified and sched scan
9777 		 * interval is specified, one scan plan will be set with this
9778 		 * scan interval and infinite number of iterations.
9779 		 */
9780 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9781 			return ERR_PTR(-EINVAL);
9782 
9783 		n_plans = 1;
9784 	}
9785 
9786 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9787 		return ERR_PTR(-EINVAL);
9788 
9789 	if (!wiphy_ext_feature_isset(
9790 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9791 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9792 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9793 		return ERR_PTR(-EINVAL);
9794 
9795 	size = struct_size(request, channels, n_channels);
9796 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9797 	size = size_add(size, array_size(sizeof(*request->match_sets),
9798 					 n_match_sets));
9799 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9800 					 n_plans));
9801 	size = size_add(size, ie_len);
9802 	request = kzalloc(size, GFP_KERNEL);
9803 	if (!request)
9804 		return ERR_PTR(-ENOMEM);
9805 
9806 	if (n_ssids)
9807 		request->ssids = (void *)request +
9808 			struct_size(request, channels, n_channels);
9809 	request->n_ssids = n_ssids;
9810 	if (ie_len) {
9811 		if (n_ssids)
9812 			request->ie = (void *)(request->ssids + n_ssids);
9813 		else
9814 			request->ie = (void *)(request->channels + n_channels);
9815 	}
9816 
9817 	if (n_match_sets) {
9818 		if (request->ie)
9819 			request->match_sets = (void *)(request->ie + ie_len);
9820 		else if (n_ssids)
9821 			request->match_sets =
9822 				(void *)(request->ssids + n_ssids);
9823 		else
9824 			request->match_sets =
9825 				(void *)(request->channels + n_channels);
9826 	}
9827 	request->n_match_sets = n_match_sets;
9828 
9829 	if (n_match_sets)
9830 		request->scan_plans = (void *)(request->match_sets +
9831 					       n_match_sets);
9832 	else if (request->ie)
9833 		request->scan_plans = (void *)(request->ie + ie_len);
9834 	else if (n_ssids)
9835 		request->scan_plans = (void *)(request->ssids + n_ssids);
9836 	else
9837 		request->scan_plans = (void *)(request->channels + n_channels);
9838 
9839 	request->n_scan_plans = n_plans;
9840 
9841 	i = 0;
9842 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9843 		/* user specified, bail out if channel not found */
9844 		nla_for_each_nested(attr,
9845 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9846 				    tmp) {
9847 			struct ieee80211_channel *chan;
9848 
9849 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9850 
9851 			if (!chan) {
9852 				err = -EINVAL;
9853 				goto out_free;
9854 			}
9855 
9856 			/* ignore disabled channels */
9857 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9858 				continue;
9859 
9860 			request->channels[i] = chan;
9861 			i++;
9862 		}
9863 	} else {
9864 		/* all channels */
9865 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9866 			int j;
9867 
9868 			if (!wiphy->bands[band])
9869 				continue;
9870 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9871 				struct ieee80211_channel *chan;
9872 
9873 				chan = &wiphy->bands[band]->channels[j];
9874 
9875 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9876 					continue;
9877 
9878 				request->channels[i] = chan;
9879 				i++;
9880 			}
9881 		}
9882 	}
9883 
9884 	if (!i) {
9885 		err = -EINVAL;
9886 		goto out_free;
9887 	}
9888 
9889 	request->n_channels = i;
9890 
9891 	i = 0;
9892 	if (n_ssids) {
9893 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9894 				    tmp) {
9895 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9896 				err = -EINVAL;
9897 				goto out_free;
9898 			}
9899 			request->ssids[i].ssid_len = nla_len(attr);
9900 			memcpy(request->ssids[i].ssid, nla_data(attr),
9901 			       nla_len(attr));
9902 			i++;
9903 		}
9904 	}
9905 
9906 	i = 0;
9907 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9908 		nla_for_each_nested(attr,
9909 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9910 				    tmp) {
9911 			struct nlattr *ssid, *bssid, *rssi;
9912 
9913 			err = nla_parse_nested_deprecated(tb,
9914 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9915 							  attr,
9916 							  nl80211_match_policy,
9917 							  NULL);
9918 			if (err)
9919 				goto out_free;
9920 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9921 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9922 
9923 			if (!ssid && !bssid) {
9924 				i++;
9925 				continue;
9926 			}
9927 
9928 			if (WARN_ON(i >= n_match_sets)) {
9929 				/* this indicates a programming error,
9930 				 * the loop above should have verified
9931 				 * things properly
9932 				 */
9933 				err = -EINVAL;
9934 				goto out_free;
9935 			}
9936 
9937 			if (ssid) {
9938 				memcpy(request->match_sets[i].ssid.ssid,
9939 				       nla_data(ssid), nla_len(ssid));
9940 				request->match_sets[i].ssid.ssid_len =
9941 					nla_len(ssid);
9942 			}
9943 			if (bssid)
9944 				memcpy(request->match_sets[i].bssid,
9945 				       nla_data(bssid), ETH_ALEN);
9946 
9947 			/* special attribute - old implementation w/a */
9948 			request->match_sets[i].rssi_thold = default_match_rssi;
9949 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9950 			if (rssi)
9951 				request->match_sets[i].rssi_thold =
9952 					nla_get_s32(rssi);
9953 			i++;
9954 		}
9955 
9956 		/* there was no other matchset, so the RSSI one is alone */
9957 		if (i == 0 && n_match_sets)
9958 			request->match_sets[0].rssi_thold = default_match_rssi;
9959 
9960 		request->min_rssi_thold = INT_MAX;
9961 		for (i = 0; i < n_match_sets; i++)
9962 			request->min_rssi_thold =
9963 				min(request->match_sets[i].rssi_thold,
9964 				    request->min_rssi_thold);
9965 	} else {
9966 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9967 	}
9968 
9969 	if (ie_len) {
9970 		request->ie_len = ie_len;
9971 		memcpy((void *)request->ie,
9972 		       nla_data(attrs[NL80211_ATTR_IE]),
9973 		       request->ie_len);
9974 	}
9975 
9976 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9977 	if (err)
9978 		goto out_free;
9979 
9980 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9981 		request->delay =
9982 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9983 
9984 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9985 		request->relative_rssi = nla_get_s8(
9986 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9987 		request->relative_rssi_set = true;
9988 	}
9989 
9990 	if (request->relative_rssi_set &&
9991 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9992 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9993 
9994 		rssi_adjust = nla_data(
9995 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9996 		request->rssi_adjust.band = rssi_adjust->band;
9997 		request->rssi_adjust.delta = rssi_adjust->delta;
9998 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9999 			err = -EINVAL;
10000 			goto out_free;
10001 		}
10002 	}
10003 
10004 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
10005 	if (err)
10006 		goto out_free;
10007 
10008 	request->scan_start = jiffies;
10009 
10010 	return request;
10011 
10012 out_free:
10013 	kfree(request);
10014 	return ERR_PTR(err);
10015 }
10016 
10017 static int nl80211_start_sched_scan(struct sk_buff *skb,
10018 				    struct genl_info *info)
10019 {
10020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10021 	struct net_device *dev = info->user_ptr[1];
10022 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10023 	struct cfg80211_sched_scan_request *sched_scan_req;
10024 	bool want_multi;
10025 	int err;
10026 
10027 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
10028 		return -EOPNOTSUPP;
10029 
10030 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
10031 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
10032 	if (err)
10033 		return err;
10034 
10035 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
10036 						  info->attrs,
10037 						  rdev->wiphy.max_match_sets);
10038 
10039 	err = PTR_ERR_OR_ZERO(sched_scan_req);
10040 	if (err)
10041 		goto out_err;
10042 
10043 	/* leave request id zero for legacy request
10044 	 * or if driver does not support multi-scheduled scan
10045 	 */
10046 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
10047 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
10048 
10049 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
10050 	if (err)
10051 		goto out_free;
10052 
10053 	sched_scan_req->dev = dev;
10054 	sched_scan_req->wiphy = &rdev->wiphy;
10055 
10056 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10057 		sched_scan_req->owner_nlportid = info->snd_portid;
10058 
10059 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
10060 
10061 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
10062 	return 0;
10063 
10064 out_free:
10065 	kfree(sched_scan_req);
10066 out_err:
10067 	return err;
10068 }
10069 
10070 static int nl80211_stop_sched_scan(struct sk_buff *skb,
10071 				   struct genl_info *info)
10072 {
10073 	struct cfg80211_sched_scan_request *req;
10074 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10075 	u64 cookie;
10076 
10077 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
10078 		return -EOPNOTSUPP;
10079 
10080 	if (info->attrs[NL80211_ATTR_COOKIE]) {
10081 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10082 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
10083 	}
10084 
10085 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
10086 				     struct cfg80211_sched_scan_request,
10087 				     list);
10088 	if (!req || req->reqid ||
10089 	    (req->owner_nlportid &&
10090 	     req->owner_nlportid != info->snd_portid))
10091 		return -ENOENT;
10092 
10093 	return cfg80211_stop_sched_scan_req(rdev, req, false);
10094 }
10095 
10096 static int nl80211_start_radar_detection(struct sk_buff *skb,
10097 					 struct genl_info *info)
10098 {
10099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10100 	struct net_device *dev = info->user_ptr[1];
10101 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10102 	int link_id = nl80211_link_id(info->attrs);
10103 	struct wiphy *wiphy = wdev->wiphy;
10104 	struct cfg80211_chan_def chandef;
10105 	enum nl80211_dfs_regions dfs_region;
10106 	unsigned int cac_time_ms;
10107 	int err = -EINVAL;
10108 
10109 	flush_delayed_work(&rdev->dfs_update_channels_wk);
10110 
10111 	switch (wdev->iftype) {
10112 	case NL80211_IFTYPE_AP:
10113 	case NL80211_IFTYPE_P2P_GO:
10114 	case NL80211_IFTYPE_MESH_POINT:
10115 	case NL80211_IFTYPE_ADHOC:
10116 		break;
10117 	default:
10118 		/* caution - see cfg80211_beaconing_iface_active() below */
10119 		return -EINVAL;
10120 	}
10121 
10122 	wiphy_lock(wiphy);
10123 
10124 	dfs_region = reg_get_dfs_region(wiphy);
10125 	if (dfs_region == NL80211_DFS_UNSET)
10126 		goto unlock;
10127 
10128 	err = nl80211_parse_chandef(rdev, info, &chandef);
10129 	if (err)
10130 		goto unlock;
10131 
10132 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10133 	if (err < 0)
10134 		goto unlock;
10135 
10136 	if (err == 0) {
10137 		err = -EINVAL;
10138 		goto unlock;
10139 	}
10140 
10141 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
10142 		err = -EINVAL;
10143 		goto unlock;
10144 	}
10145 
10146 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
10147 		err = cfg80211_start_background_radar_detection(rdev, wdev,
10148 								&chandef);
10149 		goto unlock;
10150 	}
10151 
10152 	if (cfg80211_beaconing_iface_active(wdev)) {
10153 		/* During MLO other link(s) can beacon, only the current link
10154 		 * can not already beacon
10155 		 */
10156 		if (wdev->valid_links &&
10157 		    !wdev->links[link_id].ap.beacon_interval) {
10158 			/* nothing */
10159 		} else {
10160 			err = -EBUSY;
10161 			goto unlock;
10162 		}
10163 	}
10164 
10165 	if (wdev->links[link_id].cac_started) {
10166 		err = -EBUSY;
10167 		goto unlock;
10168 	}
10169 
10170 	/* CAC start is offloaded to HW and can't be started manually */
10171 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
10172 		err = -EOPNOTSUPP;
10173 		goto unlock;
10174 	}
10175 
10176 	if (!rdev->ops->start_radar_detection) {
10177 		err = -EOPNOTSUPP;
10178 		goto unlock;
10179 	}
10180 
10181 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
10182 	if (WARN_ON(!cac_time_ms))
10183 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
10184 
10185 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms,
10186 					 link_id);
10187 	if (!err) {
10188 		switch (wdev->iftype) {
10189 		case NL80211_IFTYPE_AP:
10190 		case NL80211_IFTYPE_P2P_GO:
10191 			wdev->links[0].ap.chandef = chandef;
10192 			break;
10193 		case NL80211_IFTYPE_ADHOC:
10194 			wdev->u.ibss.chandef = chandef;
10195 			break;
10196 		case NL80211_IFTYPE_MESH_POINT:
10197 			wdev->u.mesh.chandef = chandef;
10198 			break;
10199 		default:
10200 			break;
10201 		}
10202 		wdev->links[link_id].cac_started = true;
10203 		wdev->links[link_id].cac_start_time = jiffies;
10204 		wdev->links[link_id].cac_time_ms = cac_time_ms;
10205 	}
10206 unlock:
10207 	wiphy_unlock(wiphy);
10208 
10209 	return err;
10210 }
10211 
10212 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10213 					  struct genl_info *info)
10214 {
10215 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10216 	struct net_device *dev = info->user_ptr[1];
10217 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10218 	struct wiphy *wiphy = wdev->wiphy;
10219 	struct cfg80211_chan_def chandef;
10220 	enum nl80211_dfs_regions dfs_region;
10221 	int err;
10222 
10223 	dfs_region = reg_get_dfs_region(wiphy);
10224 	if (dfs_region == NL80211_DFS_UNSET) {
10225 		GENL_SET_ERR_MSG(info,
10226 				 "DFS Region is not set. Unexpected Radar indication");
10227 		return -EINVAL;
10228 	}
10229 
10230 	err = nl80211_parse_chandef(rdev, info, &chandef);
10231 	if (err) {
10232 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10233 		return err;
10234 	}
10235 
10236 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10237 	if (err < 0) {
10238 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10239 		return err;
10240 	}
10241 
10242 	if (err == 0) {
10243 		GENL_SET_ERR_MSG(info,
10244 				 "Unexpected Radar indication for chandef/iftype");
10245 		return -EINVAL;
10246 	}
10247 
10248 	/* Do not process this notification if radar is already detected
10249 	 * by kernel on this channel, and return success.
10250 	 */
10251 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10252 		return 0;
10253 
10254 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10255 
10256 	cfg80211_sched_dfs_chan_update(rdev);
10257 
10258 	rdev->radar_chandef = chandef;
10259 
10260 	/* Propagate this notification to other radios as well */
10261 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10262 
10263 	return 0;
10264 }
10265 
10266 static int nl80211_parse_counter_offsets(struct cfg80211_registered_device *rdev,
10267 					 const u8 *data, size_t datalen,
10268 					 int first_count, struct nlattr *attr,
10269 					 const u16 **offsets, unsigned int *n_offsets)
10270 {
10271 	int i;
10272 
10273 	*n_offsets = 0;
10274 
10275 	if (!attr)
10276 		return 0;
10277 
10278 	if (!nla_len(attr) || (nla_len(attr) % sizeof(u16)))
10279 		return -EINVAL;
10280 
10281 	*n_offsets = nla_len(attr) / sizeof(u16);
10282 	if (rdev->wiphy.max_num_csa_counters &&
10283 	    (*n_offsets > rdev->wiphy.max_num_csa_counters))
10284 		return -EINVAL;
10285 
10286 	*offsets = nla_data(attr);
10287 
10288 	/* sanity checks - counters should fit and be the same */
10289 	for (i = 0; i < *n_offsets; i++) {
10290 		u16 offset = (*offsets)[i];
10291 
10292 		if (offset >= datalen)
10293 			return -EINVAL;
10294 
10295 		if (first_count != -1 && data[offset] != first_count)
10296 			return -EINVAL;
10297 	}
10298 
10299 	return 0;
10300 }
10301 
10302 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10303 {
10304 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10305 	unsigned int link_id = nl80211_link_id(info->attrs);
10306 	struct net_device *dev = info->user_ptr[1];
10307 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10308 	struct cfg80211_csa_settings params;
10309 	struct nlattr **csa_attrs = NULL;
10310 	int err;
10311 	bool need_new_beacon = false;
10312 	bool need_handle_dfs_flag = true;
10313 	u32 cs_count;
10314 
10315 	if (!rdev->ops->channel_switch ||
10316 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10317 		return -EOPNOTSUPP;
10318 
10319 	switch (dev->ieee80211_ptr->iftype) {
10320 	case NL80211_IFTYPE_AP:
10321 	case NL80211_IFTYPE_P2P_GO:
10322 		need_new_beacon = true;
10323 		/* For all modes except AP the handle_dfs flag needs to be
10324 		 * supplied to tell the kernel that userspace will handle radar
10325 		 * events when they happen. Otherwise a switch to a channel
10326 		 * requiring DFS will be rejected.
10327 		 */
10328 		need_handle_dfs_flag = false;
10329 
10330 		/* useless if AP is not running */
10331 		if (!wdev->links[link_id].ap.beacon_interval)
10332 			return -ENOTCONN;
10333 		break;
10334 	case NL80211_IFTYPE_ADHOC:
10335 		if (!wdev->u.ibss.ssid_len)
10336 			return -ENOTCONN;
10337 		break;
10338 	case NL80211_IFTYPE_MESH_POINT:
10339 		if (!wdev->u.mesh.id_len)
10340 			return -ENOTCONN;
10341 		break;
10342 	default:
10343 		return -EOPNOTSUPP;
10344 	}
10345 
10346 	memset(&params, 0, sizeof(params));
10347 	params.beacon_csa.ftm_responder = -1;
10348 
10349 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10350 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10351 		return -EINVAL;
10352 
10353 	/* only important for AP, IBSS and mesh create IEs internally */
10354 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10355 		return -EINVAL;
10356 
10357 	/* Even though the attribute is u32, the specification says
10358 	 * u8, so let's make sure we don't overflow.
10359 	 */
10360 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10361 	if (cs_count > 255)
10362 		return -EINVAL;
10363 
10364 	params.count = cs_count;
10365 
10366 	if (!need_new_beacon)
10367 		goto skip_beacons;
10368 
10369 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10370 				   info->extack);
10371 	if (err)
10372 		goto free;
10373 
10374 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10375 			    GFP_KERNEL);
10376 	if (!csa_attrs) {
10377 		err = -ENOMEM;
10378 		goto free;
10379 	}
10380 
10381 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10382 					  info->attrs[NL80211_ATTR_CSA_IES],
10383 					  nl80211_policy, info->extack);
10384 	if (err)
10385 		goto free;
10386 
10387 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10388 				   info->extack);
10389 	if (err)
10390 		goto free;
10391 
10392 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10393 		err = -EINVAL;
10394 		goto free;
10395 	}
10396 
10397 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.tail,
10398 					    params.beacon_csa.tail_len,
10399 					    params.count,
10400 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON],
10401 					    &params.counter_offsets_beacon,
10402 					    &params.n_counter_offsets_beacon);
10403 	if (err)
10404 		goto free;
10405 
10406 	err = nl80211_parse_counter_offsets(rdev, params.beacon_csa.probe_resp,
10407 					    params.beacon_csa.probe_resp_len,
10408 					    params.count,
10409 					    csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP],
10410 					    &params.counter_offsets_presp,
10411 					    &params.n_counter_offsets_presp);
10412 	if (err)
10413 		goto free;
10414 
10415 skip_beacons:
10416 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10417 	if (err)
10418 		goto free;
10419 
10420 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10421 					   wdev->iftype)) {
10422 		err = -EINVAL;
10423 		goto free;
10424 	}
10425 
10426 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10427 					    &params.chandef,
10428 					    wdev->iftype);
10429 	if (err < 0)
10430 		goto free;
10431 
10432 	if (err > 0) {
10433 		params.radar_required = true;
10434 		if (need_handle_dfs_flag &&
10435 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10436 			err = -EINVAL;
10437 			goto free;
10438 		}
10439 	}
10440 
10441 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10442 		params.block_tx = true;
10443 
10444 	params.link_id = link_id;
10445 	err = rdev_channel_switch(rdev, dev, &params);
10446 
10447 free:
10448 	kfree(params.beacon_after.mbssid_ies);
10449 	kfree(params.beacon_csa.mbssid_ies);
10450 	kfree(params.beacon_after.rnr_ies);
10451 	kfree(params.beacon_csa.rnr_ies);
10452 	kfree(csa_attrs);
10453 	return err;
10454 }
10455 
10456 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10457 			    u32 seq, int flags,
10458 			    struct cfg80211_registered_device *rdev,
10459 			    struct wireless_dev *wdev,
10460 			    struct cfg80211_internal_bss *intbss)
10461 {
10462 	struct cfg80211_bss *res = &intbss->pub;
10463 	const struct cfg80211_bss_ies *ies;
10464 	unsigned int link_id;
10465 	void *hdr;
10466 	struct nlattr *bss;
10467 
10468 	lockdep_assert_wiphy(wdev->wiphy);
10469 
10470 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10471 			     NL80211_CMD_NEW_SCAN_RESULTS);
10472 	if (!hdr)
10473 		return -1;
10474 
10475 	genl_dump_check_consistent(cb, hdr);
10476 
10477 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10478 		goto nla_put_failure;
10479 	if (wdev->netdev &&
10480 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10481 		goto nla_put_failure;
10482 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10483 			      NL80211_ATTR_PAD))
10484 		goto nla_put_failure;
10485 
10486 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10487 	if (!bss)
10488 		goto nla_put_failure;
10489 	if ((!is_zero_ether_addr(res->bssid) &&
10490 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10491 		goto nla_put_failure;
10492 
10493 	rcu_read_lock();
10494 	/* indicate whether we have probe response data or not */
10495 	if (rcu_access_pointer(res->proberesp_ies) &&
10496 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10497 		goto fail_unlock_rcu;
10498 
10499 	/* this pointer prefers to be pointed to probe response data
10500 	 * but is always valid
10501 	 */
10502 	ies = rcu_dereference(res->ies);
10503 	if (ies) {
10504 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10505 				      NL80211_BSS_PAD))
10506 			goto fail_unlock_rcu;
10507 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10508 					ies->len, ies->data))
10509 			goto fail_unlock_rcu;
10510 	}
10511 
10512 	/* and this pointer is always (unless driver didn't know) beacon data */
10513 	ies = rcu_dereference(res->beacon_ies);
10514 	if (ies && ies->from_beacon) {
10515 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10516 				      NL80211_BSS_PAD))
10517 			goto fail_unlock_rcu;
10518 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10519 					ies->len, ies->data))
10520 			goto fail_unlock_rcu;
10521 	}
10522 	rcu_read_unlock();
10523 
10524 	if (res->beacon_interval &&
10525 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10526 		goto nla_put_failure;
10527 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10528 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10529 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10530 			res->channel->freq_offset) ||
10531 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10532 			jiffies_to_msecs(jiffies - intbss->ts)))
10533 		goto nla_put_failure;
10534 
10535 	if (intbss->parent_tsf &&
10536 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10537 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10538 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10539 		     intbss->parent_bssid)))
10540 		goto nla_put_failure;
10541 
10542 	if (intbss->ts_boottime &&
10543 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10544 			      intbss->ts_boottime, NL80211_BSS_PAD))
10545 		goto nla_put_failure;
10546 
10547 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10548 				intbss->pub.chain_signal,
10549 				NL80211_BSS_CHAIN_SIGNAL))
10550 		goto nla_put_failure;
10551 
10552 	if (intbss->bss_source != BSS_SOURCE_STA_PROFILE) {
10553 		switch (rdev->wiphy.signal_type) {
10554 		case CFG80211_SIGNAL_TYPE_MBM:
10555 			if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM,
10556 					res->signal))
10557 				goto nla_put_failure;
10558 			break;
10559 		case CFG80211_SIGNAL_TYPE_UNSPEC:
10560 			if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC,
10561 				       res->signal))
10562 				goto nla_put_failure;
10563 			break;
10564 		default:
10565 			break;
10566 		}
10567 	}
10568 
10569 	switch (wdev->iftype) {
10570 	case NL80211_IFTYPE_P2P_CLIENT:
10571 	case NL80211_IFTYPE_STATION:
10572 		for_each_valid_link(wdev, link_id) {
10573 			if (intbss == wdev->links[link_id].client.current_bss &&
10574 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10575 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10576 			     (wdev->valid_links &&
10577 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10578 					  link_id) ||
10579 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10580 				       wdev->u.client.connected_addr)))))
10581 				goto nla_put_failure;
10582 		}
10583 		break;
10584 	case NL80211_IFTYPE_ADHOC:
10585 		if (intbss == wdev->u.ibss.current_bss &&
10586 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10587 				NL80211_BSS_STATUS_IBSS_JOINED))
10588 			goto nla_put_failure;
10589 		break;
10590 	default:
10591 		break;
10592 	}
10593 
10594 	if (nla_put_u32(msg, NL80211_BSS_USE_FOR, res->use_for))
10595 		goto nla_put_failure;
10596 
10597 	if (res->cannot_use_reasons &&
10598 	    nla_put_u64_64bit(msg, NL80211_BSS_CANNOT_USE_REASONS,
10599 			      res->cannot_use_reasons,
10600 			      NL80211_BSS_PAD))
10601 		goto nla_put_failure;
10602 
10603 	nla_nest_end(msg, bss);
10604 
10605 	genlmsg_end(msg, hdr);
10606 	return 0;
10607 
10608  fail_unlock_rcu:
10609 	rcu_read_unlock();
10610  nla_put_failure:
10611 	genlmsg_cancel(msg, hdr);
10612 	return -EMSGSIZE;
10613 }
10614 
10615 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10616 {
10617 	struct cfg80211_registered_device *rdev;
10618 	struct cfg80211_internal_bss *scan;
10619 	struct wireless_dev *wdev;
10620 	struct nlattr **attrbuf;
10621 	int start = cb->args[2], idx = 0;
10622 	bool dump_include_use_data;
10623 	int err;
10624 
10625 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10626 	if (!attrbuf)
10627 		return -ENOMEM;
10628 
10629 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10630 	if (err) {
10631 		kfree(attrbuf);
10632 		return err;
10633 	}
10634 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10635 	__acquire(&rdev->wiphy.mtx);
10636 
10637 	dump_include_use_data =
10638 		attrbuf[NL80211_ATTR_BSS_DUMP_INCLUDE_USE_DATA];
10639 	kfree(attrbuf);
10640 
10641 	spin_lock_bh(&rdev->bss_lock);
10642 
10643 	/*
10644 	 * dump_scan will be called multiple times to break up the scan results
10645 	 * into multiple messages.  It is unlikely that any more bss-es will be
10646 	 * expired after the first call, so only call only call this on the
10647 	 * first dump_scan invocation.
10648 	 */
10649 	if (start == 0)
10650 		cfg80211_bss_expire(rdev);
10651 
10652 	cb->seq = rdev->bss_generation;
10653 
10654 	list_for_each_entry(scan, &rdev->bss_list, list) {
10655 		if (++idx <= start)
10656 			continue;
10657 		if (!dump_include_use_data &&
10658 		    !(scan->pub.use_for & NL80211_BSS_USE_FOR_NORMAL))
10659 			continue;
10660 		if (nl80211_send_bss(skb, cb,
10661 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10662 				rdev, wdev, scan) < 0) {
10663 			idx--;
10664 			break;
10665 		}
10666 	}
10667 
10668 	spin_unlock_bh(&rdev->bss_lock);
10669 
10670 	cb->args[2] = idx;
10671 	wiphy_unlock(&rdev->wiphy);
10672 
10673 	return skb->len;
10674 }
10675 
10676 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10677 			       int flags, struct net_device *dev,
10678 			       bool allow_radio_stats,
10679 			       struct survey_info *survey)
10680 {
10681 	void *hdr;
10682 	struct nlattr *infoattr;
10683 
10684 	/* skip radio stats if userspace didn't request them */
10685 	if (!survey->channel && !allow_radio_stats)
10686 		return 0;
10687 
10688 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10689 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10690 	if (!hdr)
10691 		return -ENOMEM;
10692 
10693 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10694 		goto nla_put_failure;
10695 
10696 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10697 	if (!infoattr)
10698 		goto nla_put_failure;
10699 
10700 	if (survey->channel &&
10701 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10702 			survey->channel->center_freq))
10703 		goto nla_put_failure;
10704 
10705 	if (survey->channel && survey->channel->freq_offset &&
10706 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10707 			survey->channel->freq_offset))
10708 		goto nla_put_failure;
10709 
10710 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10711 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10712 		goto nla_put_failure;
10713 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10714 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10715 		goto nla_put_failure;
10716 	if ((survey->filled & SURVEY_INFO_TIME) &&
10717 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10718 			survey->time, NL80211_SURVEY_INFO_PAD))
10719 		goto nla_put_failure;
10720 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10721 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10722 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10723 		goto nla_put_failure;
10724 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10725 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10726 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10727 		goto nla_put_failure;
10728 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10729 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10730 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10731 		goto nla_put_failure;
10732 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10733 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10734 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10735 		goto nla_put_failure;
10736 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10737 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10738 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10739 		goto nla_put_failure;
10740 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10741 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10742 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10743 		goto nla_put_failure;
10744 
10745 	nla_nest_end(msg, infoattr);
10746 
10747 	genlmsg_end(msg, hdr);
10748 	return 0;
10749 
10750  nla_put_failure:
10751 	genlmsg_cancel(msg, hdr);
10752 	return -EMSGSIZE;
10753 }
10754 
10755 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10756 {
10757 	struct nlattr **attrbuf;
10758 	struct survey_info survey;
10759 	struct cfg80211_registered_device *rdev;
10760 	struct wireless_dev *wdev;
10761 	int survey_idx = cb->args[2];
10762 	int res;
10763 	bool radio_stats;
10764 
10765 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10766 	if (!attrbuf)
10767 		return -ENOMEM;
10768 
10769 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10770 	if (res) {
10771 		kfree(attrbuf);
10772 		return res;
10773 	}
10774 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10775 	__acquire(&rdev->wiphy.mtx);
10776 
10777 	/* prepare_wdev_dump parsed the attributes */
10778 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10779 
10780 	if (!wdev->netdev) {
10781 		res = -EINVAL;
10782 		goto out_err;
10783 	}
10784 
10785 	if (!rdev->ops->dump_survey) {
10786 		res = -EOPNOTSUPP;
10787 		goto out_err;
10788 	}
10789 
10790 	while (1) {
10791 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10792 		if (res == -ENOENT)
10793 			break;
10794 		if (res)
10795 			goto out_err;
10796 
10797 		/* don't send disabled channels, but do send non-channel data */
10798 		if (survey.channel &&
10799 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10800 			survey_idx++;
10801 			continue;
10802 		}
10803 
10804 		if (nl80211_send_survey(skb,
10805 				NETLINK_CB(cb->skb).portid,
10806 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10807 				wdev->netdev, radio_stats, &survey) < 0)
10808 			goto out;
10809 		survey_idx++;
10810 	}
10811 
10812  out:
10813 	cb->args[2] = survey_idx;
10814 	res = skb->len;
10815  out_err:
10816 	kfree(attrbuf);
10817 	wiphy_unlock(&rdev->wiphy);
10818 	return res;
10819 }
10820 
10821 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10822 {
10823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10824 	struct net_device *dev = info->user_ptr[1];
10825 	struct ieee80211_channel *chan;
10826 	const u8 *bssid, *ssid;
10827 	int err, ssid_len;
10828 	enum nl80211_auth_type auth_type;
10829 	struct key_parse key;
10830 	bool local_state_change;
10831 	struct cfg80211_auth_request req = {};
10832 	u32 freq;
10833 
10834 	if (!info->attrs[NL80211_ATTR_MAC])
10835 		return -EINVAL;
10836 
10837 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10838 		return -EINVAL;
10839 
10840 	if (!info->attrs[NL80211_ATTR_SSID])
10841 		return -EINVAL;
10842 
10843 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10844 		return -EINVAL;
10845 
10846 	err = nl80211_parse_key(info, &key);
10847 	if (err)
10848 		return err;
10849 
10850 	if (key.idx >= 0) {
10851 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10852 			return -EINVAL;
10853 		if (!key.p.key || !key.p.key_len)
10854 			return -EINVAL;
10855 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10856 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10857 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10858 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10859 			return -EINVAL;
10860 		if (key.idx > 3)
10861 			return -EINVAL;
10862 	} else {
10863 		key.p.key_len = 0;
10864 		key.p.key = NULL;
10865 	}
10866 
10867 	if (key.idx >= 0) {
10868 		int i;
10869 		bool ok = false;
10870 
10871 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10872 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10873 				ok = true;
10874 				break;
10875 			}
10876 		}
10877 		if (!ok)
10878 			return -EINVAL;
10879 	}
10880 
10881 	if (!rdev->ops->auth)
10882 		return -EOPNOTSUPP;
10883 
10884 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10885 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10886 		return -EOPNOTSUPP;
10887 
10888 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10889 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10890 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10891 		freq +=
10892 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10893 
10894 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10895 	if (!chan)
10896 		return -EINVAL;
10897 
10898 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10899 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10900 
10901 	if (info->attrs[NL80211_ATTR_IE]) {
10902 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10903 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10904 	}
10905 
10906 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10907 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10908 		return -EINVAL;
10909 
10910 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10911 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10912 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10913 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10914 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10915 		return -EINVAL;
10916 
10917 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10918 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10919 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10920 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10921 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10922 			return -EINVAL;
10923 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10924 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10925 	}
10926 
10927 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10928 
10929 	/*
10930 	 * Since we no longer track auth state, ignore
10931 	 * requests to only change local state.
10932 	 */
10933 	if (local_state_change)
10934 		return 0;
10935 
10936 	req.auth_type = auth_type;
10937 	req.key = key.p.key;
10938 	req.key_len = key.p.key_len;
10939 	req.key_idx = key.idx;
10940 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10941 	if (req.link_id >= 0) {
10942 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10943 			return -EINVAL;
10944 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10945 			return -EINVAL;
10946 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10947 		if (!is_valid_ether_addr(req.ap_mld_addr))
10948 			return -EINVAL;
10949 	}
10950 
10951 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10952 				   IEEE80211_BSS_TYPE_ESS,
10953 				   IEEE80211_PRIVACY_ANY);
10954 	if (!req.bss)
10955 		return -ENOENT;
10956 
10957 	err = cfg80211_mlme_auth(rdev, dev, &req);
10958 
10959 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10960 
10961 	return err;
10962 }
10963 
10964 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10965 				     struct genl_info *info)
10966 {
10967 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10968 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10969 		return -EINVAL;
10970 	}
10971 
10972 	if (!rdev->ops->tx_control_port ||
10973 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10974 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10975 		return -EOPNOTSUPP;
10976 
10977 	return 0;
10978 }
10979 
10980 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10981 				   struct genl_info *info,
10982 				   struct cfg80211_crypto_settings *settings,
10983 				   int cipher_limit)
10984 {
10985 	memset(settings, 0, sizeof(*settings));
10986 
10987 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10988 
10989 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10990 		u16 proto;
10991 
10992 		proto = nla_get_u16(
10993 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10994 		settings->control_port_ethertype = cpu_to_be16(proto);
10995 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10996 		    proto != ETH_P_PAE)
10997 			return -EINVAL;
10998 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10999 			settings->control_port_no_encrypt = true;
11000 	} else
11001 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
11002 
11003 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11004 		int r = validate_pae_over_nl80211(rdev, info);
11005 
11006 		if (r < 0)
11007 			return r;
11008 
11009 		settings->control_port_over_nl80211 = true;
11010 
11011 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
11012 			settings->control_port_no_preauth = true;
11013 	}
11014 
11015 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
11016 		void *data;
11017 		int len, i;
11018 
11019 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11020 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
11021 		settings->n_ciphers_pairwise = len / sizeof(u32);
11022 
11023 		if (len % sizeof(u32))
11024 			return -EINVAL;
11025 
11026 		if (settings->n_ciphers_pairwise > cipher_limit)
11027 			return -EINVAL;
11028 
11029 		memcpy(settings->ciphers_pairwise, data, len);
11030 
11031 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
11032 			if (!cfg80211_supported_cipher_suite(
11033 					&rdev->wiphy,
11034 					settings->ciphers_pairwise[i]))
11035 				return -EINVAL;
11036 	}
11037 
11038 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
11039 		settings->cipher_group =
11040 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
11041 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
11042 						     settings->cipher_group))
11043 			return -EINVAL;
11044 	}
11045 
11046 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS])
11047 		settings->wpa_versions =
11048 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
11049 
11050 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
11051 		void *data;
11052 		int len;
11053 
11054 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
11055 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
11056 		settings->n_akm_suites = len / sizeof(u32);
11057 
11058 		if (len % sizeof(u32))
11059 			return -EINVAL;
11060 
11061 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
11062 			return -EINVAL;
11063 
11064 		memcpy(settings->akm_suites, data, len);
11065 	}
11066 
11067 	if (info->attrs[NL80211_ATTR_PMK]) {
11068 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
11069 			return -EINVAL;
11070 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11071 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
11072 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11073 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
11074 			return -EINVAL;
11075 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11076 	}
11077 
11078 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
11079 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11080 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
11081 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11082 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
11083 			return -EINVAL;
11084 		settings->sae_pwd =
11085 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11086 		settings->sae_pwd_len =
11087 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
11088 	}
11089 
11090 	if (info->attrs[NL80211_ATTR_SAE_PWE])
11091 		settings->sae_pwe =
11092 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
11093 	else
11094 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
11095 
11096 	return 0;
11097 }
11098 
11099 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
11100 					      const u8 *ssid, int ssid_len,
11101 					      struct nlattr **attrs,
11102 					      int assoc_link_id, int link_id)
11103 {
11104 	struct ieee80211_channel *chan;
11105 	struct cfg80211_bss *bss;
11106 	const u8 *bssid;
11107 	u32 freq, use_for = 0;
11108 
11109 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
11110 		return ERR_PTR(-EINVAL);
11111 
11112 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
11113 
11114 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
11115 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11116 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11117 
11118 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
11119 	if (!chan)
11120 		return ERR_PTR(-EINVAL);
11121 
11122 	if (assoc_link_id >= 0)
11123 		use_for = NL80211_BSS_USE_FOR_MLD_LINK;
11124 	if (assoc_link_id == link_id)
11125 		use_for |= NL80211_BSS_USE_FOR_NORMAL;
11126 
11127 	bss = __cfg80211_get_bss(&rdev->wiphy, chan, bssid,
11128 				 ssid, ssid_len,
11129 				 IEEE80211_BSS_TYPE_ESS,
11130 				 IEEE80211_PRIVACY_ANY,
11131 				 use_for);
11132 	if (!bss)
11133 		return ERR_PTR(-ENOENT);
11134 
11135 	return bss;
11136 }
11137 
11138 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
11139 {
11140 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11141 	struct net_device *dev = info->user_ptr[1];
11142 	struct cfg80211_assoc_request req = {};
11143 	struct nlattr **attrs = NULL;
11144 	const u8 *ap_addr, *ssid;
11145 	unsigned int link_id;
11146 	int err, ssid_len;
11147 
11148 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11149 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11150 		return -EPERM;
11151 
11152 	if (!info->attrs[NL80211_ATTR_SSID])
11153 		return -EINVAL;
11154 
11155 	if (!rdev->ops->assoc)
11156 		return -EOPNOTSUPP;
11157 
11158 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11159 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11160 		return -EOPNOTSUPP;
11161 
11162 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11163 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11164 
11165 	if (info->attrs[NL80211_ATTR_IE]) {
11166 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11167 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11168 
11169 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11170 					   req.ie, req.ie_len)) {
11171 			NL_SET_ERR_MSG_ATTR(info->extack,
11172 					    info->attrs[NL80211_ATTR_IE],
11173 					    "non-inheritance makes no sense");
11174 			return -EINVAL;
11175 		}
11176 	}
11177 
11178 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11179 		enum nl80211_mfp mfp =
11180 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11181 		if (mfp == NL80211_MFP_REQUIRED)
11182 			req.use_mfp = true;
11183 		else if (mfp != NL80211_MFP_NO)
11184 			return -EINVAL;
11185 	}
11186 
11187 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11188 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11189 
11190 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11191 		req.flags |= ASSOC_REQ_DISABLE_HT;
11192 
11193 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11194 		memcpy(&req.ht_capa_mask,
11195 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11196 		       sizeof(req.ht_capa_mask));
11197 
11198 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11199 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11200 			return -EINVAL;
11201 		memcpy(&req.ht_capa,
11202 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11203 		       sizeof(req.ht_capa));
11204 	}
11205 
11206 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11207 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11208 
11209 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11210 		req.flags |= ASSOC_REQ_DISABLE_HE;
11211 
11212 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11213 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11214 
11215 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11216 		memcpy(&req.vht_capa_mask,
11217 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11218 		       sizeof(req.vht_capa_mask));
11219 
11220 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11221 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11222 			return -EINVAL;
11223 		memcpy(&req.vht_capa,
11224 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11225 		       sizeof(req.vht_capa));
11226 	}
11227 
11228 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11229 		if (!((rdev->wiphy.features &
11230 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11231 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11232 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11233 					     NL80211_EXT_FEATURE_RRM))
11234 			return -EINVAL;
11235 		req.flags |= ASSOC_REQ_USE_RRM;
11236 	}
11237 
11238 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11239 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11240 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11241 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11242 			return -EINVAL;
11243 		req.fils_nonces =
11244 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11245 	}
11246 
11247 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11248 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11249 			return -EINVAL;
11250 		memcpy(&req.s1g_capa_mask,
11251 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11252 		       sizeof(req.s1g_capa_mask));
11253 	}
11254 
11255 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11256 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11257 			return -EINVAL;
11258 		memcpy(&req.s1g_capa,
11259 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11260 		       sizeof(req.s1g_capa));
11261 	}
11262 
11263 	if (nla_get_flag(info->attrs[NL80211_ATTR_ASSOC_SPP_AMSDU])) {
11264 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11265 					     NL80211_EXT_FEATURE_SPP_AMSDU_SUPPORT)) {
11266 			GENL_SET_ERR_MSG(info, "SPP A-MSDUs not supported");
11267 			return -EINVAL;
11268 		}
11269 		req.flags |= ASSOC_REQ_SPP_AMSDU;
11270 	}
11271 
11272 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11273 
11274 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11275 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11276 		struct nlattr *link;
11277 		int rem = 0;
11278 
11279 		if (req.link_id < 0)
11280 			return -EINVAL;
11281 
11282 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11283 			return -EINVAL;
11284 
11285 		if (info->attrs[NL80211_ATTR_MAC] ||
11286 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11287 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11288 			return -EINVAL;
11289 
11290 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11291 		ap_addr = req.ap_mld_addr;
11292 
11293 		attrs = kzalloc(attrsize, GFP_KERNEL);
11294 		if (!attrs)
11295 			return -ENOMEM;
11296 
11297 		nla_for_each_nested(link,
11298 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11299 				    rem) {
11300 			memset(attrs, 0, attrsize);
11301 
11302 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11303 					 link, NULL, NULL);
11304 
11305 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11306 				err = -EINVAL;
11307 				NL_SET_BAD_ATTR(info->extack, link);
11308 				goto free;
11309 			}
11310 
11311 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11312 			/* cannot use the same link ID again */
11313 			if (req.links[link_id].bss) {
11314 				err = -EINVAL;
11315 				NL_SET_BAD_ATTR(info->extack, link);
11316 				goto free;
11317 			}
11318 			req.links[link_id].bss =
11319 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs,
11320 						  req.link_id, link_id);
11321 			if (IS_ERR(req.links[link_id].bss)) {
11322 				err = PTR_ERR(req.links[link_id].bss);
11323 				req.links[link_id].bss = NULL;
11324 				NL_SET_ERR_MSG_ATTR(info->extack,
11325 						    link, "Error fetching BSS for link");
11326 				goto free;
11327 			}
11328 
11329 			if (attrs[NL80211_ATTR_IE]) {
11330 				req.links[link_id].elems =
11331 					nla_data(attrs[NL80211_ATTR_IE]);
11332 				req.links[link_id].elems_len =
11333 					nla_len(attrs[NL80211_ATTR_IE]);
11334 
11335 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11336 						       req.links[link_id].elems,
11337 						       req.links[link_id].elems_len)) {
11338 					NL_SET_ERR_MSG_ATTR(info->extack,
11339 							    attrs[NL80211_ATTR_IE],
11340 							    "cannot deal with fragmentation");
11341 					err = -EINVAL;
11342 					goto free;
11343 				}
11344 
11345 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11346 							   req.links[link_id].elems,
11347 							   req.links[link_id].elems_len)) {
11348 					NL_SET_ERR_MSG_ATTR(info->extack,
11349 							    attrs[NL80211_ATTR_IE],
11350 							    "cannot deal with non-inheritance");
11351 					err = -EINVAL;
11352 					goto free;
11353 				}
11354 			}
11355 
11356 			req.links[link_id].disabled =
11357 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11358 		}
11359 
11360 		if (!req.links[req.link_id].bss) {
11361 			err = -EINVAL;
11362 			goto free;
11363 		}
11364 
11365 		if (req.links[req.link_id].elems_len) {
11366 			GENL_SET_ERR_MSG(info,
11367 					 "cannot have per-link elems on assoc link");
11368 			err = -EINVAL;
11369 			goto free;
11370 		}
11371 
11372 		if (req.links[req.link_id].disabled) {
11373 			GENL_SET_ERR_MSG(info,
11374 					 "cannot have assoc link disabled");
11375 			err = -EINVAL;
11376 			goto free;
11377 		}
11378 
11379 		kfree(attrs);
11380 		attrs = NULL;
11381 	} else {
11382 		if (req.link_id >= 0)
11383 			return -EINVAL;
11384 
11385 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs,
11386 					    -1, -1);
11387 		if (IS_ERR(req.bss))
11388 			return PTR_ERR(req.bss);
11389 		ap_addr = req.bss->bssid;
11390 	}
11391 
11392 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11393 	if (!err) {
11394 		struct nlattr *link;
11395 		int rem = 0;
11396 
11397 		err = cfg80211_mlme_assoc(rdev, dev, &req,
11398 					  info->extack);
11399 
11400 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11401 			dev->ieee80211_ptr->conn_owner_nlportid =
11402 				info->snd_portid;
11403 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11404 			       ap_addr, ETH_ALEN);
11405 		}
11406 
11407 		/* Report error from first problematic link */
11408 		if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11409 			nla_for_each_nested(link,
11410 					    info->attrs[NL80211_ATTR_MLO_LINKS],
11411 					    rem) {
11412 				struct nlattr *link_id_attr =
11413 					nla_find_nested(link, NL80211_ATTR_MLO_LINK_ID);
11414 
11415 				if (!link_id_attr)
11416 					continue;
11417 
11418 				link_id = nla_get_u8(link_id_attr);
11419 
11420 				if (link_id == req.link_id)
11421 					continue;
11422 
11423 				if (!req.links[link_id].error ||
11424 				    WARN_ON(req.links[link_id].error > 0))
11425 					continue;
11426 
11427 				WARN_ON(err >= 0);
11428 
11429 				NL_SET_BAD_ATTR(info->extack, link);
11430 				err = req.links[link_id].error;
11431 				break;
11432 			}
11433 		}
11434 	}
11435 
11436 free:
11437 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11438 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11439 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11440 	kfree(attrs);
11441 
11442 	return err;
11443 }
11444 
11445 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11446 {
11447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11448 	struct net_device *dev = info->user_ptr[1];
11449 	const u8 *ie = NULL, *bssid;
11450 	int ie_len = 0;
11451 	u16 reason_code;
11452 	bool local_state_change;
11453 
11454 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11455 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11456 		return -EPERM;
11457 
11458 	if (!info->attrs[NL80211_ATTR_MAC])
11459 		return -EINVAL;
11460 
11461 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11462 		return -EINVAL;
11463 
11464 	if (!rdev->ops->deauth)
11465 		return -EOPNOTSUPP;
11466 
11467 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11468 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11469 		return -EOPNOTSUPP;
11470 
11471 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11472 
11473 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11474 	if (reason_code == 0) {
11475 		/* Reason Code 0 is reserved */
11476 		return -EINVAL;
11477 	}
11478 
11479 	if (info->attrs[NL80211_ATTR_IE]) {
11480 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11481 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11482 	}
11483 
11484 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11485 
11486 	return cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11487 				    local_state_change);
11488 }
11489 
11490 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11491 {
11492 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11493 	struct net_device *dev = info->user_ptr[1];
11494 	const u8 *ie = NULL, *bssid;
11495 	int ie_len = 0;
11496 	u16 reason_code;
11497 	bool local_state_change;
11498 
11499 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11500 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11501 		return -EPERM;
11502 
11503 	if (!info->attrs[NL80211_ATTR_MAC])
11504 		return -EINVAL;
11505 
11506 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11507 		return -EINVAL;
11508 
11509 	if (!rdev->ops->disassoc)
11510 		return -EOPNOTSUPP;
11511 
11512 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11513 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11514 		return -EOPNOTSUPP;
11515 
11516 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11517 
11518 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11519 	if (reason_code == 0) {
11520 		/* Reason Code 0 is reserved */
11521 		return -EINVAL;
11522 	}
11523 
11524 	if (info->attrs[NL80211_ATTR_IE]) {
11525 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11526 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11527 	}
11528 
11529 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11530 
11531 	return cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11532 				      local_state_change);
11533 }
11534 
11535 static bool
11536 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11537 			 int mcast_rate[NUM_NL80211_BANDS],
11538 			 int rateval)
11539 {
11540 	struct wiphy *wiphy = &rdev->wiphy;
11541 	bool found = false;
11542 	int band, i;
11543 
11544 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11545 		struct ieee80211_supported_band *sband;
11546 
11547 		sband = wiphy->bands[band];
11548 		if (!sband)
11549 			continue;
11550 
11551 		for (i = 0; i < sband->n_bitrates; i++) {
11552 			if (sband->bitrates[i].bitrate == rateval) {
11553 				mcast_rate[band] = i + 1;
11554 				found = true;
11555 				break;
11556 			}
11557 		}
11558 	}
11559 
11560 	return found;
11561 }
11562 
11563 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11564 {
11565 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11566 	struct net_device *dev = info->user_ptr[1];
11567 	struct cfg80211_ibss_params ibss;
11568 	struct wiphy *wiphy;
11569 	struct cfg80211_cached_keys *connkeys = NULL;
11570 	int err;
11571 
11572 	memset(&ibss, 0, sizeof(ibss));
11573 
11574 	if (!info->attrs[NL80211_ATTR_SSID] ||
11575 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11576 		return -EINVAL;
11577 
11578 	ibss.beacon_interval = 100;
11579 
11580 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11581 		ibss.beacon_interval =
11582 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11583 
11584 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11585 					   ibss.beacon_interval);
11586 	if (err)
11587 		return err;
11588 
11589 	if (!rdev->ops->join_ibss)
11590 		return -EOPNOTSUPP;
11591 
11592 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11593 		return -EOPNOTSUPP;
11594 
11595 	wiphy = &rdev->wiphy;
11596 
11597 	if (info->attrs[NL80211_ATTR_MAC]) {
11598 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11599 
11600 		if (!is_valid_ether_addr(ibss.bssid))
11601 			return -EINVAL;
11602 	}
11603 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11604 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11605 
11606 	if (info->attrs[NL80211_ATTR_IE]) {
11607 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11608 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11609 	}
11610 
11611 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11612 	if (err)
11613 		return err;
11614 
11615 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11616 				     NL80211_IFTYPE_ADHOC))
11617 		return -EINVAL;
11618 
11619 	switch (ibss.chandef.width) {
11620 	case NL80211_CHAN_WIDTH_5:
11621 	case NL80211_CHAN_WIDTH_10:
11622 	case NL80211_CHAN_WIDTH_20_NOHT:
11623 		break;
11624 	case NL80211_CHAN_WIDTH_20:
11625 	case NL80211_CHAN_WIDTH_40:
11626 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11627 			return -EINVAL;
11628 		break;
11629 	case NL80211_CHAN_WIDTH_80:
11630 	case NL80211_CHAN_WIDTH_80P80:
11631 	case NL80211_CHAN_WIDTH_160:
11632 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11633 			return -EINVAL;
11634 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11635 					     NL80211_EXT_FEATURE_VHT_IBSS))
11636 			return -EINVAL;
11637 		break;
11638 	case NL80211_CHAN_WIDTH_320:
11639 		return -EINVAL;
11640 	default:
11641 		return -EINVAL;
11642 	}
11643 
11644 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11645 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11646 
11647 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11648 		u8 *rates =
11649 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11650 		int n_rates =
11651 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11652 		struct ieee80211_supported_band *sband =
11653 			wiphy->bands[ibss.chandef.chan->band];
11654 
11655 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11656 					     &ibss.basic_rates);
11657 		if (err)
11658 			return err;
11659 	}
11660 
11661 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11662 		memcpy(&ibss.ht_capa_mask,
11663 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11664 		       sizeof(ibss.ht_capa_mask));
11665 
11666 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11667 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11668 			return -EINVAL;
11669 		memcpy(&ibss.ht_capa,
11670 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11671 		       sizeof(ibss.ht_capa));
11672 	}
11673 
11674 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11675 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11676 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11677 		return -EINVAL;
11678 
11679 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11680 		bool no_ht = false;
11681 
11682 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11683 		if (IS_ERR(connkeys))
11684 			return PTR_ERR(connkeys);
11685 
11686 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11687 		    no_ht) {
11688 			kfree_sensitive(connkeys);
11689 			return -EINVAL;
11690 		}
11691 	}
11692 
11693 	ibss.control_port =
11694 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11695 
11696 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11697 		int r = validate_pae_over_nl80211(rdev, info);
11698 
11699 		if (r < 0) {
11700 			kfree_sensitive(connkeys);
11701 			return r;
11702 		}
11703 
11704 		ibss.control_port_over_nl80211 = true;
11705 	}
11706 
11707 	ibss.userspace_handles_dfs =
11708 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11709 
11710 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11711 	if (err)
11712 		kfree_sensitive(connkeys);
11713 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11714 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11715 
11716 	return err;
11717 }
11718 
11719 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11720 {
11721 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11722 	struct net_device *dev = info->user_ptr[1];
11723 
11724 	if (!rdev->ops->leave_ibss)
11725 		return -EOPNOTSUPP;
11726 
11727 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11728 		return -EOPNOTSUPP;
11729 
11730 	return cfg80211_leave_ibss(rdev, dev, false);
11731 }
11732 
11733 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11734 {
11735 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11736 	struct net_device *dev = info->user_ptr[1];
11737 	int mcast_rate[NUM_NL80211_BANDS];
11738 	u32 nla_rate;
11739 
11740 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11741 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11742 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11743 		return -EOPNOTSUPP;
11744 
11745 	if (!rdev->ops->set_mcast_rate)
11746 		return -EOPNOTSUPP;
11747 
11748 	memset(mcast_rate, 0, sizeof(mcast_rate));
11749 
11750 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11751 		return -EINVAL;
11752 
11753 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11754 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11755 		return -EINVAL;
11756 
11757 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11758 }
11759 
11760 static struct sk_buff *
11761 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11762 			    struct wireless_dev *wdev, int approxlen,
11763 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11764 			    enum nl80211_attrs attr,
11765 			    const struct nl80211_vendor_cmd_info *info,
11766 			    gfp_t gfp)
11767 {
11768 	struct sk_buff *skb;
11769 	void *hdr;
11770 	struct nlattr *data;
11771 
11772 	skb = nlmsg_new(approxlen + 100, gfp);
11773 	if (!skb)
11774 		return NULL;
11775 
11776 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11777 	if (!hdr) {
11778 		kfree_skb(skb);
11779 		return NULL;
11780 	}
11781 
11782 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11783 		goto nla_put_failure;
11784 
11785 	if (info) {
11786 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11787 				info->vendor_id))
11788 			goto nla_put_failure;
11789 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11790 				info->subcmd))
11791 			goto nla_put_failure;
11792 	}
11793 
11794 	if (wdev) {
11795 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11796 				      wdev_id(wdev), NL80211_ATTR_PAD))
11797 			goto nla_put_failure;
11798 		if (wdev->netdev &&
11799 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11800 				wdev->netdev->ifindex))
11801 			goto nla_put_failure;
11802 	}
11803 
11804 	data = nla_nest_start_noflag(skb, attr);
11805 	if (!data)
11806 		goto nla_put_failure;
11807 
11808 	((void **)skb->cb)[0] = rdev;
11809 	((void **)skb->cb)[1] = hdr;
11810 	((void **)skb->cb)[2] = data;
11811 
11812 	return skb;
11813 
11814  nla_put_failure:
11815 	kfree_skb(skb);
11816 	return NULL;
11817 }
11818 
11819 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11820 					   struct wireless_dev *wdev,
11821 					   enum nl80211_commands cmd,
11822 					   enum nl80211_attrs attr,
11823 					   unsigned int portid,
11824 					   int vendor_event_idx,
11825 					   int approxlen, gfp_t gfp)
11826 {
11827 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11828 	const struct nl80211_vendor_cmd_info *info;
11829 
11830 	switch (cmd) {
11831 	case NL80211_CMD_TESTMODE:
11832 		if (WARN_ON(vendor_event_idx != -1))
11833 			return NULL;
11834 		info = NULL;
11835 		break;
11836 	case NL80211_CMD_VENDOR:
11837 		if (WARN_ON(vendor_event_idx < 0 ||
11838 			    vendor_event_idx >= wiphy->n_vendor_events))
11839 			return NULL;
11840 		info = &wiphy->vendor_events[vendor_event_idx];
11841 		break;
11842 	default:
11843 		WARN_ON(1);
11844 		return NULL;
11845 	}
11846 
11847 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11848 					   cmd, attr, info, gfp);
11849 }
11850 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11851 
11852 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11853 {
11854 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11855 	void *hdr = ((void **)skb->cb)[1];
11856 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11857 	struct nlattr *data = ((void **)skb->cb)[2];
11858 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11859 
11860 	/* clear CB data for netlink core to own from now on */
11861 	memset(skb->cb, 0, sizeof(skb->cb));
11862 
11863 	nla_nest_end(skb, data);
11864 	genlmsg_end(skb, hdr);
11865 
11866 	if (nlhdr->nlmsg_pid) {
11867 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11868 				nlhdr->nlmsg_pid);
11869 	} else {
11870 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11871 			mcgrp = NL80211_MCGRP_VENDOR;
11872 
11873 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11874 					skb, 0, mcgrp, gfp);
11875 	}
11876 }
11877 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11878 
11879 #ifdef CONFIG_NL80211_TESTMODE
11880 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11881 {
11882 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11883 	struct wireless_dev *wdev;
11884 	int err;
11885 
11886 	lockdep_assert_held(&rdev->wiphy.mtx);
11887 
11888 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11889 					  info->attrs);
11890 
11891 	if (!rdev->ops->testmode_cmd)
11892 		return -EOPNOTSUPP;
11893 
11894 	if (IS_ERR(wdev)) {
11895 		err = PTR_ERR(wdev);
11896 		if (err != -EINVAL)
11897 			return err;
11898 		wdev = NULL;
11899 	} else if (wdev->wiphy != &rdev->wiphy) {
11900 		return -EINVAL;
11901 	}
11902 
11903 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11904 		return -EINVAL;
11905 
11906 	rdev->cur_cmd_info = info;
11907 	err = rdev_testmode_cmd(rdev, wdev,
11908 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11909 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11910 	rdev->cur_cmd_info = NULL;
11911 
11912 	return err;
11913 }
11914 
11915 static int nl80211_testmode_dump(struct sk_buff *skb,
11916 				 struct netlink_callback *cb)
11917 {
11918 	struct cfg80211_registered_device *rdev;
11919 	struct nlattr **attrbuf = NULL;
11920 	int err;
11921 	long phy_idx;
11922 	void *data = NULL;
11923 	int data_len = 0;
11924 
11925 	rtnl_lock();
11926 
11927 	if (cb->args[0]) {
11928 		/*
11929 		 * 0 is a valid index, but not valid for args[0],
11930 		 * so we need to offset by 1.
11931 		 */
11932 		phy_idx = cb->args[0] - 1;
11933 
11934 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11935 		if (!rdev) {
11936 			err = -ENOENT;
11937 			goto out_err;
11938 		}
11939 	} else {
11940 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11941 				  GFP_KERNEL);
11942 		if (!attrbuf) {
11943 			err = -ENOMEM;
11944 			goto out_err;
11945 		}
11946 
11947 		err = nlmsg_parse_deprecated(cb->nlh,
11948 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11949 					     attrbuf, nl80211_fam.maxattr,
11950 					     nl80211_policy, NULL);
11951 		if (err)
11952 			goto out_err;
11953 
11954 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11955 		if (IS_ERR(rdev)) {
11956 			err = PTR_ERR(rdev);
11957 			goto out_err;
11958 		}
11959 		phy_idx = rdev->wiphy_idx;
11960 
11961 		if (attrbuf[NL80211_ATTR_TESTDATA])
11962 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11963 	}
11964 
11965 	if (cb->args[1]) {
11966 		data = nla_data((void *)cb->args[1]);
11967 		data_len = nla_len((void *)cb->args[1]);
11968 	}
11969 
11970 	if (!rdev->ops->testmode_dump) {
11971 		err = -EOPNOTSUPP;
11972 		goto out_err;
11973 	}
11974 
11975 	while (1) {
11976 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11977 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11978 					   NL80211_CMD_TESTMODE);
11979 		struct nlattr *tmdata;
11980 
11981 		if (!hdr)
11982 			break;
11983 
11984 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11985 			genlmsg_cancel(skb, hdr);
11986 			break;
11987 		}
11988 
11989 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11990 		if (!tmdata) {
11991 			genlmsg_cancel(skb, hdr);
11992 			break;
11993 		}
11994 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11995 		nla_nest_end(skb, tmdata);
11996 
11997 		if (err == -ENOBUFS || err == -ENOENT) {
11998 			genlmsg_cancel(skb, hdr);
11999 			break;
12000 		} else if (err) {
12001 			genlmsg_cancel(skb, hdr);
12002 			goto out_err;
12003 		}
12004 
12005 		genlmsg_end(skb, hdr);
12006 	}
12007 
12008 	err = skb->len;
12009 	/* see above */
12010 	cb->args[0] = phy_idx + 1;
12011  out_err:
12012 	kfree(attrbuf);
12013 	rtnl_unlock();
12014 	return err;
12015 }
12016 #endif
12017 
12018 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
12019 {
12020 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12021 	struct net_device *dev = info->user_ptr[1];
12022 	struct cfg80211_connect_params connect;
12023 	struct wiphy *wiphy;
12024 	struct cfg80211_cached_keys *connkeys = NULL;
12025 	u32 freq = 0;
12026 	int err;
12027 
12028 	memset(&connect, 0, sizeof(connect));
12029 
12030 	if (!info->attrs[NL80211_ATTR_SSID] ||
12031 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
12032 		return -EINVAL;
12033 
12034 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12035 		connect.auth_type =
12036 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12037 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
12038 					     NL80211_CMD_CONNECT))
12039 			return -EINVAL;
12040 	} else
12041 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
12042 
12043 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
12044 
12045 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
12046 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12047 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
12048 		return -EINVAL;
12049 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
12050 
12051 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
12052 				      NL80211_MAX_NR_CIPHER_SUITES);
12053 	if (err)
12054 		return err;
12055 
12056 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12057 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12058 		return -EOPNOTSUPP;
12059 
12060 	wiphy = &rdev->wiphy;
12061 
12062 	connect.bg_scan_period = -1;
12063 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
12064 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
12065 		connect.bg_scan_period =
12066 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
12067 	}
12068 
12069 	if (info->attrs[NL80211_ATTR_MAC])
12070 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12071 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
12072 		connect.bssid_hint =
12073 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
12074 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12075 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12076 
12077 	if (info->attrs[NL80211_ATTR_IE]) {
12078 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12079 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12080 	}
12081 
12082 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
12083 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
12084 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
12085 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12086 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
12087 			return -EOPNOTSUPP;
12088 	} else {
12089 		connect.mfp = NL80211_MFP_NO;
12090 	}
12091 
12092 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
12093 		connect.prev_bssid =
12094 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
12095 
12096 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
12097 		freq = MHZ_TO_KHZ(nla_get_u32(
12098 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
12099 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
12100 		freq +=
12101 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
12102 
12103 	if (freq) {
12104 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
12105 		if (!connect.channel)
12106 			return -EINVAL;
12107 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
12108 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
12109 		freq = MHZ_TO_KHZ(freq);
12110 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
12111 		if (!connect.channel_hint)
12112 			return -EINVAL;
12113 	}
12114 
12115 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
12116 		connect.edmg.channels =
12117 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
12118 
12119 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
12120 			connect.edmg.bw_config =
12121 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
12122 	}
12123 
12124 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
12125 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
12126 		if (IS_ERR(connkeys))
12127 			return PTR_ERR(connkeys);
12128 	}
12129 
12130 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
12131 		connect.flags |= ASSOC_REQ_DISABLE_HT;
12132 
12133 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
12134 		memcpy(&connect.ht_capa_mask,
12135 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
12136 		       sizeof(connect.ht_capa_mask));
12137 
12138 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
12139 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
12140 			kfree_sensitive(connkeys);
12141 			return -EINVAL;
12142 		}
12143 		memcpy(&connect.ht_capa,
12144 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
12145 		       sizeof(connect.ht_capa));
12146 	}
12147 
12148 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
12149 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
12150 
12151 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
12152 		connect.flags |= ASSOC_REQ_DISABLE_HE;
12153 
12154 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
12155 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
12156 
12157 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
12158 		memcpy(&connect.vht_capa_mask,
12159 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
12160 		       sizeof(connect.vht_capa_mask));
12161 
12162 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
12163 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
12164 			kfree_sensitive(connkeys);
12165 			return -EINVAL;
12166 		}
12167 		memcpy(&connect.vht_capa,
12168 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
12169 		       sizeof(connect.vht_capa));
12170 	}
12171 
12172 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
12173 		if (!((rdev->wiphy.features &
12174 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
12175 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
12176 		    !wiphy_ext_feature_isset(&rdev->wiphy,
12177 					     NL80211_EXT_FEATURE_RRM)) {
12178 			kfree_sensitive(connkeys);
12179 			return -EINVAL;
12180 		}
12181 		connect.flags |= ASSOC_REQ_USE_RRM;
12182 	}
12183 
12184 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
12185 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
12186 		kfree_sensitive(connkeys);
12187 		return -EOPNOTSUPP;
12188 	}
12189 
12190 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
12191 		/* bss selection makes no sense if bssid is set */
12192 		if (connect.bssid) {
12193 			kfree_sensitive(connkeys);
12194 			return -EINVAL;
12195 		}
12196 
12197 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
12198 				       wiphy, &connect.bss_select);
12199 		if (err) {
12200 			kfree_sensitive(connkeys);
12201 			return err;
12202 		}
12203 	}
12204 
12205 	if (wiphy_ext_feature_isset(&rdev->wiphy,
12206 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
12207 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12208 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12209 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12210 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12211 		connect.fils_erp_username =
12212 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12213 		connect.fils_erp_username_len =
12214 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12215 		connect.fils_erp_realm =
12216 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12217 		connect.fils_erp_realm_len =
12218 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12219 		connect.fils_erp_next_seq_num =
12220 			nla_get_u16(
12221 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12222 		connect.fils_erp_rrk =
12223 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12224 		connect.fils_erp_rrk_len =
12225 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12226 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12227 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12228 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12229 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12230 		kfree_sensitive(connkeys);
12231 		return -EINVAL;
12232 	}
12233 
12234 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12235 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12236 			kfree_sensitive(connkeys);
12237 			GENL_SET_ERR_MSG(info,
12238 					 "external auth requires connection ownership");
12239 			return -EINVAL;
12240 		}
12241 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12242 	}
12243 
12244 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12245 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12246 
12247 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12248 			       connect.prev_bssid);
12249 	if (err)
12250 		kfree_sensitive(connkeys);
12251 
12252 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12253 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12254 		if (connect.bssid)
12255 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12256 			       connect.bssid, ETH_ALEN);
12257 		else
12258 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12259 	}
12260 
12261 	return err;
12262 }
12263 
12264 static int nl80211_update_connect_params(struct sk_buff *skb,
12265 					 struct genl_info *info)
12266 {
12267 	struct cfg80211_connect_params connect = {};
12268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12269 	struct net_device *dev = info->user_ptr[1];
12270 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12271 	bool fils_sk_offload;
12272 	u32 auth_type;
12273 	u32 changed = 0;
12274 
12275 	if (!rdev->ops->update_connect_params)
12276 		return -EOPNOTSUPP;
12277 
12278 	if (info->attrs[NL80211_ATTR_IE]) {
12279 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12280 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12281 		changed |= UPDATE_ASSOC_IES;
12282 	}
12283 
12284 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12285 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12286 
12287 	/*
12288 	 * when driver supports fils-sk offload all attributes must be
12289 	 * provided. So the else covers "fils-sk-not-all" and
12290 	 * "no-fils-sk-any".
12291 	 */
12292 	if (fils_sk_offload &&
12293 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12294 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12295 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12296 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12297 		connect.fils_erp_username =
12298 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12299 		connect.fils_erp_username_len =
12300 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12301 		connect.fils_erp_realm =
12302 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12303 		connect.fils_erp_realm_len =
12304 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12305 		connect.fils_erp_next_seq_num =
12306 			nla_get_u16(
12307 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12308 		connect.fils_erp_rrk =
12309 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12310 		connect.fils_erp_rrk_len =
12311 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12312 		changed |= UPDATE_FILS_ERP_INFO;
12313 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12314 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12315 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12316 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12317 		return -EINVAL;
12318 	}
12319 
12320 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12321 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12322 		if (!nl80211_valid_auth_type(rdev, auth_type,
12323 					     NL80211_CMD_CONNECT))
12324 			return -EINVAL;
12325 
12326 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12327 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12328 			return -EINVAL;
12329 
12330 		connect.auth_type = auth_type;
12331 		changed |= UPDATE_AUTH_TYPE;
12332 	}
12333 
12334 	if (!wdev->connected)
12335 		return -ENOLINK;
12336 
12337 	return rdev_update_connect_params(rdev, dev, &connect, changed);
12338 }
12339 
12340 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12341 {
12342 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12343 	struct net_device *dev = info->user_ptr[1];
12344 	u16 reason;
12345 
12346 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12347 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12348 		return -EPERM;
12349 
12350 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12351 		reason = WLAN_REASON_DEAUTH_LEAVING;
12352 	else
12353 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12354 
12355 	if (reason == 0)
12356 		return -EINVAL;
12357 
12358 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12359 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12360 		return -EOPNOTSUPP;
12361 
12362 	return cfg80211_disconnect(rdev, dev, reason, true);
12363 }
12364 
12365 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12366 {
12367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12368 	struct net *net;
12369 	int err;
12370 
12371 	if (info->attrs[NL80211_ATTR_PID]) {
12372 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12373 
12374 		net = get_net_ns_by_pid(pid);
12375 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12376 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12377 
12378 		net = get_net_ns_by_fd(fd);
12379 	} else {
12380 		return -EINVAL;
12381 	}
12382 
12383 	if (IS_ERR(net))
12384 		return PTR_ERR(net);
12385 
12386 	err = 0;
12387 
12388 	/* check if anything to do */
12389 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12390 		err = cfg80211_switch_netns(rdev, net);
12391 
12392 	put_net(net);
12393 	return err;
12394 }
12395 
12396 static int nl80211_set_pmksa(struct sk_buff *skb, struct genl_info *info)
12397 {
12398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12399 	struct net_device *dev = info->user_ptr[1];
12400 	struct cfg80211_pmksa pmksa;
12401 	bool ap_pmksa_caching_support = false;
12402 
12403 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12404 
12405 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12406 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12407 
12408 	if (!info->attrs[NL80211_ATTR_PMKID])
12409 		return -EINVAL;
12410 
12411 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12412 
12413 	if (info->attrs[NL80211_ATTR_MAC]) {
12414 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12415 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12416 	           info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12417 	           info->attrs[NL80211_ATTR_PMK]) {
12418 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12419 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12420 		pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12421 	} else {
12422 		return -EINVAL;
12423 	}
12424 
12425 	if (info->attrs[NL80211_ATTR_PMK]) {
12426 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12427 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12428 	}
12429 
12430 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12431 		pmksa.pmk_lifetime =
12432 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12433 
12434 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12435 		pmksa.pmk_reauth_threshold =
12436 			nla_get_u8(info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12437 
12438 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12439 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12440 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12441 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12442 	       ap_pmksa_caching_support))
12443 		return -EOPNOTSUPP;
12444 
12445 	if (!rdev->ops->set_pmksa)
12446 		return -EOPNOTSUPP;
12447 
12448 	return rdev_set_pmksa(rdev, dev, &pmksa);
12449 }
12450 
12451 static int nl80211_del_pmksa(struct sk_buff *skb, struct genl_info *info)
12452 {
12453 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12454 	struct net_device *dev = info->user_ptr[1];
12455 	struct cfg80211_pmksa pmksa;
12456 	bool sae_offload_support = false;
12457 	bool owe_offload_support = false;
12458 	bool ap_pmksa_caching_support = false;
12459 
12460 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12461 
12462 	sae_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12463 		NL80211_EXT_FEATURE_SAE_OFFLOAD);
12464 	owe_offload_support = wiphy_ext_feature_isset(&rdev->wiphy,
12465 		NL80211_EXT_FEATURE_OWE_OFFLOAD);
12466 	ap_pmksa_caching_support = wiphy_ext_feature_isset(&rdev->wiphy,
12467 		NL80211_EXT_FEATURE_AP_PMKSA_CACHING);
12468 
12469 	if (info->attrs[NL80211_ATTR_PMKID])
12470 		pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12471 
12472 	if (info->attrs[NL80211_ATTR_MAC]) {
12473 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12474 	} else if (info->attrs[NL80211_ATTR_SSID]) {
12475 		/* SSID based pmksa flush supported only for FILS,
12476 		 * OWE/SAE OFFLOAD cases
12477 		 */
12478 		if (info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12479 		    info->attrs[NL80211_ATTR_PMK]) {
12480 			pmksa.cache_id = nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12481 		} else if (!sae_offload_support && !owe_offload_support) {
12482 			return -EINVAL;
12483 		}
12484 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12485 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12486 	} else {
12487 		return -EINVAL;
12488 	}
12489 
12490 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12491 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12492 	    !((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP ||
12493 	       dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO) &&
12494 	       ap_pmksa_caching_support))
12495 		return -EOPNOTSUPP;
12496 
12497 	if (!rdev->ops->del_pmksa)
12498 		return -EOPNOTSUPP;
12499 
12500 	return rdev_del_pmksa(rdev, dev, &pmksa);
12501 }
12502 
12503 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12504 {
12505 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12506 	struct net_device *dev = info->user_ptr[1];
12507 
12508 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12509 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12510 		return -EOPNOTSUPP;
12511 
12512 	if (!rdev->ops->flush_pmksa)
12513 		return -EOPNOTSUPP;
12514 
12515 	return rdev_flush_pmksa(rdev, dev);
12516 }
12517 
12518 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12519 {
12520 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12521 	struct net_device *dev = info->user_ptr[1];
12522 	u8 action_code, dialog_token;
12523 	u32 peer_capability = 0;
12524 	u16 status_code;
12525 	u8 *peer;
12526 	int link_id;
12527 	bool initiator;
12528 
12529 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12530 	    !rdev->ops->tdls_mgmt)
12531 		return -EOPNOTSUPP;
12532 
12533 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12534 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12535 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12536 	    !info->attrs[NL80211_ATTR_IE] ||
12537 	    !info->attrs[NL80211_ATTR_MAC])
12538 		return -EINVAL;
12539 
12540 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12541 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12542 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12543 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12544 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12545 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12546 		peer_capability =
12547 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12548 	link_id = nl80211_link_id_or_invalid(info->attrs);
12549 
12550 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12551 			      dialog_token, status_code, peer_capability,
12552 			      initiator,
12553 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12554 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12555 }
12556 
12557 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12558 {
12559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12560 	struct net_device *dev = info->user_ptr[1];
12561 	enum nl80211_tdls_operation operation;
12562 	u8 *peer;
12563 
12564 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12565 	    !rdev->ops->tdls_oper)
12566 		return -EOPNOTSUPP;
12567 
12568 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12569 	    !info->attrs[NL80211_ATTR_MAC])
12570 		return -EINVAL;
12571 
12572 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12573 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12574 
12575 	return rdev_tdls_oper(rdev, dev, peer, operation);
12576 }
12577 
12578 static int nl80211_remain_on_channel(struct sk_buff *skb,
12579 				     struct genl_info *info)
12580 {
12581 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12582 	unsigned int link_id = nl80211_link_id(info->attrs);
12583 	struct wireless_dev *wdev = info->user_ptr[1];
12584 	struct cfg80211_chan_def chandef;
12585 	struct sk_buff *msg;
12586 	void *hdr;
12587 	u64 cookie;
12588 	u32 duration;
12589 	int err;
12590 
12591 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12592 	    !info->attrs[NL80211_ATTR_DURATION])
12593 		return -EINVAL;
12594 
12595 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12596 
12597 	if (!rdev->ops->remain_on_channel ||
12598 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12599 		return -EOPNOTSUPP;
12600 
12601 	/*
12602 	 * We should be on that channel for at least a minimum amount of
12603 	 * time (10ms) but no longer than the driver supports.
12604 	 */
12605 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12606 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12607 		return -EINVAL;
12608 
12609 	err = nl80211_parse_chandef(rdev, info, &chandef);
12610 	if (err)
12611 		return err;
12612 
12613 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12614 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12615 
12616 		oper_chandef = wdev_chandef(wdev, link_id);
12617 
12618 		if (WARN_ON(!oper_chandef)) {
12619 			/* cannot happen since we must beacon to get here */
12620 			WARN_ON(1);
12621 			return -EBUSY;
12622 		}
12623 
12624 		/* note: returns first one if identical chandefs */
12625 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12626 							     oper_chandef);
12627 
12628 		if (compat_chandef != &chandef)
12629 			return -EBUSY;
12630 	}
12631 
12632 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12633 	if (!msg)
12634 		return -ENOMEM;
12635 
12636 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12637 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12638 	if (!hdr) {
12639 		err = -ENOBUFS;
12640 		goto free_msg;
12641 	}
12642 
12643 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12644 				     duration, &cookie);
12645 
12646 	if (err)
12647 		goto free_msg;
12648 
12649 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12650 			      NL80211_ATTR_PAD))
12651 		goto nla_put_failure;
12652 
12653 	genlmsg_end(msg, hdr);
12654 
12655 	return genlmsg_reply(msg, info);
12656 
12657  nla_put_failure:
12658 	err = -ENOBUFS;
12659  free_msg:
12660 	nlmsg_free(msg);
12661 	return err;
12662 }
12663 
12664 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12665 					    struct genl_info *info)
12666 {
12667 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12668 	struct wireless_dev *wdev = info->user_ptr[1];
12669 	u64 cookie;
12670 
12671 	if (!info->attrs[NL80211_ATTR_COOKIE])
12672 		return -EINVAL;
12673 
12674 	if (!rdev->ops->cancel_remain_on_channel)
12675 		return -EOPNOTSUPP;
12676 
12677 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12678 
12679 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12680 }
12681 
12682 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12683 				       struct genl_info *info)
12684 {
12685 	struct cfg80211_bitrate_mask mask;
12686 	unsigned int link_id = nl80211_link_id(info->attrs);
12687 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12688 	struct net_device *dev = info->user_ptr[1];
12689 	int err;
12690 
12691 	if (!rdev->ops->set_bitrate_mask)
12692 		return -EOPNOTSUPP;
12693 
12694 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12695 					    NL80211_ATTR_TX_RATES, &mask,
12696 					    dev, true, link_id);
12697 	if (err)
12698 		return err;
12699 
12700 	return rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12701 }
12702 
12703 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12704 {
12705 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12706 	struct wireless_dev *wdev = info->user_ptr[1];
12707 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12708 
12709 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12710 		return -EINVAL;
12711 
12712 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12713 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12714 
12715 	switch (wdev->iftype) {
12716 	case NL80211_IFTYPE_STATION:
12717 	case NL80211_IFTYPE_ADHOC:
12718 	case NL80211_IFTYPE_P2P_CLIENT:
12719 	case NL80211_IFTYPE_AP:
12720 	case NL80211_IFTYPE_AP_VLAN:
12721 	case NL80211_IFTYPE_MESH_POINT:
12722 	case NL80211_IFTYPE_P2P_GO:
12723 	case NL80211_IFTYPE_P2P_DEVICE:
12724 		break;
12725 	case NL80211_IFTYPE_NAN:
12726 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12727 					     NL80211_EXT_FEATURE_SECURE_NAN))
12728 			return -EOPNOTSUPP;
12729 		break;
12730 	default:
12731 		return -EOPNOTSUPP;
12732 	}
12733 
12734 	/* not much point in registering if we can't reply */
12735 	if (!rdev->ops->mgmt_tx)
12736 		return -EOPNOTSUPP;
12737 
12738 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12739 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12740 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12741 		GENL_SET_ERR_MSG(info,
12742 				 "multicast RX registrations are not supported");
12743 		return -EOPNOTSUPP;
12744 	}
12745 
12746 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12747 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12748 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12749 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12750 					   info->extack);
12751 }
12752 
12753 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12754 {
12755 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12756 	struct wireless_dev *wdev = info->user_ptr[1];
12757 	struct cfg80211_chan_def chandef;
12758 	int err;
12759 	void *hdr = NULL;
12760 	u64 cookie;
12761 	struct sk_buff *msg = NULL;
12762 	struct cfg80211_mgmt_tx_params params = {
12763 		.dont_wait_for_ack =
12764 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12765 	};
12766 
12767 	if (!info->attrs[NL80211_ATTR_FRAME])
12768 		return -EINVAL;
12769 
12770 	if (!rdev->ops->mgmt_tx)
12771 		return -EOPNOTSUPP;
12772 
12773 	switch (wdev->iftype) {
12774 	case NL80211_IFTYPE_P2P_DEVICE:
12775 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12776 			return -EINVAL;
12777 		break;
12778 	case NL80211_IFTYPE_STATION:
12779 	case NL80211_IFTYPE_ADHOC:
12780 	case NL80211_IFTYPE_P2P_CLIENT:
12781 	case NL80211_IFTYPE_AP:
12782 	case NL80211_IFTYPE_AP_VLAN:
12783 	case NL80211_IFTYPE_MESH_POINT:
12784 	case NL80211_IFTYPE_P2P_GO:
12785 		break;
12786 	case NL80211_IFTYPE_NAN:
12787 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12788 					     NL80211_EXT_FEATURE_SECURE_NAN))
12789 			return -EOPNOTSUPP;
12790 		break;
12791 	default:
12792 		return -EOPNOTSUPP;
12793 	}
12794 
12795 	if (info->attrs[NL80211_ATTR_DURATION]) {
12796 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12797 			return -EINVAL;
12798 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12799 
12800 		/*
12801 		 * We should wait on the channel for at least a minimum amount
12802 		 * of time (10ms) but no longer than the driver supports.
12803 		 */
12804 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12805 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12806 			return -EINVAL;
12807 	}
12808 
12809 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12810 
12811 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12812 		return -EINVAL;
12813 
12814 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12815 
12816 	/* get the channel if any has been specified, otherwise pass NULL to
12817 	 * the driver. The latter will use the current one
12818 	 */
12819 	chandef.chan = NULL;
12820 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12821 		err = nl80211_parse_chandef(rdev, info, &chandef);
12822 		if (err)
12823 			return err;
12824 	}
12825 
12826 	if (!chandef.chan && params.offchan)
12827 		return -EINVAL;
12828 
12829 	if (params.offchan &&
12830 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan))
12831 		return -EBUSY;
12832 
12833 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12834 	/*
12835 	 * This now races due to the unlock, but we cannot check
12836 	 * the valid links for the _station_ anyway, so that's up
12837 	 * to the driver.
12838 	 */
12839 	if (params.link_id >= 0 &&
12840 	    !(wdev->valid_links & BIT(params.link_id)))
12841 		return -EINVAL;
12842 
12843 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12844 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12845 
12846 	err = nl80211_parse_counter_offsets(rdev, NULL, params.len, -1,
12847 					    info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX],
12848 					    &params.csa_offsets,
12849 					    &params.n_csa_offsets);
12850 	if (err)
12851 		return err;
12852 
12853 	if (!params.dont_wait_for_ack) {
12854 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12855 		if (!msg)
12856 			return -ENOMEM;
12857 
12858 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12859 				     NL80211_CMD_FRAME);
12860 		if (!hdr) {
12861 			err = -ENOBUFS;
12862 			goto free_msg;
12863 		}
12864 	}
12865 
12866 	params.chan = chandef.chan;
12867 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12868 	if (err)
12869 		goto free_msg;
12870 
12871 	if (msg) {
12872 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12873 				      NL80211_ATTR_PAD))
12874 			goto nla_put_failure;
12875 
12876 		genlmsg_end(msg, hdr);
12877 		return genlmsg_reply(msg, info);
12878 	}
12879 
12880 	return 0;
12881 
12882  nla_put_failure:
12883 	err = -ENOBUFS;
12884  free_msg:
12885 	nlmsg_free(msg);
12886 	return err;
12887 }
12888 
12889 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12890 {
12891 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12892 	struct wireless_dev *wdev = info->user_ptr[1];
12893 	u64 cookie;
12894 
12895 	if (!info->attrs[NL80211_ATTR_COOKIE])
12896 		return -EINVAL;
12897 
12898 	if (!rdev->ops->mgmt_tx_cancel_wait)
12899 		return -EOPNOTSUPP;
12900 
12901 	switch (wdev->iftype) {
12902 	case NL80211_IFTYPE_STATION:
12903 	case NL80211_IFTYPE_ADHOC:
12904 	case NL80211_IFTYPE_P2P_CLIENT:
12905 	case NL80211_IFTYPE_AP:
12906 	case NL80211_IFTYPE_AP_VLAN:
12907 	case NL80211_IFTYPE_P2P_GO:
12908 	case NL80211_IFTYPE_P2P_DEVICE:
12909 		break;
12910 	case NL80211_IFTYPE_NAN:
12911 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12912 					     NL80211_EXT_FEATURE_SECURE_NAN))
12913 			return -EOPNOTSUPP;
12914 		break;
12915 	default:
12916 		return -EOPNOTSUPP;
12917 	}
12918 
12919 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12920 
12921 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12922 }
12923 
12924 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12925 {
12926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12927 	struct wireless_dev *wdev;
12928 	struct net_device *dev = info->user_ptr[1];
12929 	u8 ps_state;
12930 	bool state;
12931 	int err;
12932 
12933 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12934 		return -EINVAL;
12935 
12936 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12937 
12938 	wdev = dev->ieee80211_ptr;
12939 
12940 	if (!rdev->ops->set_power_mgmt)
12941 		return -EOPNOTSUPP;
12942 
12943 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12944 
12945 	if (state == wdev->ps)
12946 		return 0;
12947 
12948 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12949 	if (!err)
12950 		wdev->ps = state;
12951 	return err;
12952 }
12953 
12954 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12955 {
12956 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12957 	enum nl80211_ps_state ps_state;
12958 	struct wireless_dev *wdev;
12959 	struct net_device *dev = info->user_ptr[1];
12960 	struct sk_buff *msg;
12961 	void *hdr;
12962 	int err;
12963 
12964 	wdev = dev->ieee80211_ptr;
12965 
12966 	if (!rdev->ops->set_power_mgmt)
12967 		return -EOPNOTSUPP;
12968 
12969 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12970 	if (!msg)
12971 		return -ENOMEM;
12972 
12973 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12974 			     NL80211_CMD_GET_POWER_SAVE);
12975 	if (!hdr) {
12976 		err = -ENOBUFS;
12977 		goto free_msg;
12978 	}
12979 
12980 	if (wdev->ps)
12981 		ps_state = NL80211_PS_ENABLED;
12982 	else
12983 		ps_state = NL80211_PS_DISABLED;
12984 
12985 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12986 		goto nla_put_failure;
12987 
12988 	genlmsg_end(msg, hdr);
12989 	return genlmsg_reply(msg, info);
12990 
12991  nla_put_failure:
12992 	err = -ENOBUFS;
12993  free_msg:
12994 	nlmsg_free(msg);
12995 	return err;
12996 }
12997 
12998 static const struct nla_policy
12999 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
13000 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
13001 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
13002 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
13003 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
13004 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
13005 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
13006 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
13007 };
13008 
13009 static int nl80211_set_cqm_txe(struct genl_info *info,
13010 			       u32 rate, u32 pkts, u32 intvl)
13011 {
13012 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13013 	struct net_device *dev = info->user_ptr[1];
13014 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13015 
13016 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
13017 		return -EINVAL;
13018 
13019 	if (!rdev->ops->set_cqm_txe_config)
13020 		return -EOPNOTSUPP;
13021 
13022 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13023 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13024 		return -EOPNOTSUPP;
13025 
13026 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
13027 }
13028 
13029 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
13030 				    struct net_device *dev,
13031 				    struct cfg80211_cqm_config *cqm_config)
13032 {
13033 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13034 	s32 last, low, high;
13035 	u32 hyst;
13036 	int i, n, low_index;
13037 	int err;
13038 
13039 	/*
13040 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
13041 	 * event has been received yet, we should receive an event after a
13042 	 * connection is established and enough beacons received to calculate
13043 	 * the average.
13044 	 */
13045 	if (!cqm_config->last_rssi_event_value &&
13046 	    wdev->links[0].client.current_bss &&
13047 	    rdev->ops->get_station) {
13048 		struct station_info sinfo = {};
13049 		u8 *mac_addr;
13050 
13051 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
13052 
13053 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
13054 		if (err)
13055 			return err;
13056 
13057 		cfg80211_sinfo_release_content(&sinfo);
13058 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
13059 			cqm_config->last_rssi_event_value =
13060 				(s8) sinfo.rx_beacon_signal_avg;
13061 	}
13062 
13063 	last = cqm_config->last_rssi_event_value;
13064 	hyst = cqm_config->rssi_hyst;
13065 	n = cqm_config->n_rssi_thresholds;
13066 
13067 	for (i = 0; i < n; i++) {
13068 		i = array_index_nospec(i, n);
13069 		if (last < cqm_config->rssi_thresholds[i])
13070 			break;
13071 	}
13072 
13073 	low_index = i - 1;
13074 	if (low_index >= 0) {
13075 		low_index = array_index_nospec(low_index, n);
13076 		low = cqm_config->rssi_thresholds[low_index] - hyst;
13077 	} else {
13078 		low = S32_MIN;
13079 	}
13080 	if (i < n) {
13081 		i = array_index_nospec(i, n);
13082 		high = cqm_config->rssi_thresholds[i] + hyst - 1;
13083 	} else {
13084 		high = S32_MAX;
13085 	}
13086 
13087 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
13088 }
13089 
13090 static int nl80211_set_cqm_rssi(struct genl_info *info,
13091 				const s32 *thresholds, int n_thresholds,
13092 				u32 hysteresis)
13093 {
13094 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13095 	struct cfg80211_cqm_config *cqm_config = NULL, *old;
13096 	struct net_device *dev = info->user_ptr[1];
13097 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13098 	s32 prev = S32_MIN;
13099 	int i, err;
13100 
13101 	/* Check all values negative and sorted */
13102 	for (i = 0; i < n_thresholds; i++) {
13103 		if (thresholds[i] > 0 || thresholds[i] <= prev)
13104 			return -EINVAL;
13105 
13106 		prev = thresholds[i];
13107 	}
13108 
13109 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13110 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13111 		return -EOPNOTSUPP;
13112 
13113 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
13114 		n_thresholds = 0;
13115 
13116 	old = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
13117 
13118 	/* if already disabled just succeed */
13119 	if (!n_thresholds && !old)
13120 		return 0;
13121 
13122 	if (n_thresholds > 1) {
13123 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
13124 					     NL80211_EXT_FEATURE_CQM_RSSI_LIST) ||
13125 		    !rdev->ops->set_cqm_rssi_range_config)
13126 			return -EOPNOTSUPP;
13127 	} else {
13128 		if (!rdev->ops->set_cqm_rssi_config)
13129 			return -EOPNOTSUPP;
13130 	}
13131 
13132 	if (n_thresholds) {
13133 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
13134 						 n_thresholds),
13135 				     GFP_KERNEL);
13136 		if (!cqm_config)
13137 			return -ENOMEM;
13138 
13139 		cqm_config->rssi_hyst = hysteresis;
13140 		cqm_config->n_rssi_thresholds = n_thresholds;
13141 		memcpy(cqm_config->rssi_thresholds, thresholds,
13142 		       flex_array_size(cqm_config, rssi_thresholds,
13143 				       n_thresholds));
13144 		cqm_config->use_range_api = n_thresholds > 1 ||
13145 					    !rdev->ops->set_cqm_rssi_config;
13146 
13147 		rcu_assign_pointer(wdev->cqm_config, cqm_config);
13148 
13149 		if (cqm_config->use_range_api)
13150 			err = cfg80211_cqm_rssi_update(rdev, dev, cqm_config);
13151 		else
13152 			err = rdev_set_cqm_rssi_config(rdev, dev,
13153 						       thresholds[0],
13154 						       hysteresis);
13155 	} else {
13156 		RCU_INIT_POINTER(wdev->cqm_config, NULL);
13157 		/* if enabled as range also disable via range */
13158 		if (old->use_range_api)
13159 			err = rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
13160 		else
13161 			err = rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
13162 	}
13163 
13164 	if (err) {
13165 		rcu_assign_pointer(wdev->cqm_config, old);
13166 		kfree_rcu(cqm_config, rcu_head);
13167 	} else {
13168 		kfree_rcu(old, rcu_head);
13169 	}
13170 
13171 	return err;
13172 }
13173 
13174 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
13175 {
13176 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
13177 	struct nlattr *cqm;
13178 	int err;
13179 
13180 	cqm = info->attrs[NL80211_ATTR_CQM];
13181 	if (!cqm)
13182 		return -EINVAL;
13183 
13184 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
13185 					  nl80211_attr_cqm_policy,
13186 					  info->extack);
13187 	if (err)
13188 		return err;
13189 
13190 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
13191 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
13192 		const s32 *thresholds =
13193 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13194 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
13195 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
13196 
13197 		if (len % 4)
13198 			return -EINVAL;
13199 
13200 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
13201 					    hysteresis);
13202 	}
13203 
13204 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
13205 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
13206 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
13207 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
13208 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
13209 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
13210 
13211 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
13212 	}
13213 
13214 	return -EINVAL;
13215 }
13216 
13217 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
13218 {
13219 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13220 	struct net_device *dev = info->user_ptr[1];
13221 	struct ocb_setup setup = {};
13222 	int err;
13223 
13224 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13225 	if (err)
13226 		return err;
13227 
13228 	return cfg80211_join_ocb(rdev, dev, &setup);
13229 }
13230 
13231 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
13232 {
13233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13234 	struct net_device *dev = info->user_ptr[1];
13235 
13236 	return cfg80211_leave_ocb(rdev, dev);
13237 }
13238 
13239 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
13240 {
13241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13242 	struct net_device *dev = info->user_ptr[1];
13243 	struct mesh_config cfg;
13244 	struct mesh_setup setup;
13245 	int err;
13246 
13247 	/* start with default */
13248 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13249 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13250 
13251 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13252 		/* and parse parameters if given */
13253 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13254 		if (err)
13255 			return err;
13256 	}
13257 
13258 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13259 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13260 		return -EINVAL;
13261 
13262 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13263 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13264 
13265 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13266 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13267 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13268 			return -EINVAL;
13269 
13270 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13271 		setup.beacon_interval =
13272 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13273 
13274 		err = cfg80211_validate_beacon_int(rdev,
13275 						   NL80211_IFTYPE_MESH_POINT,
13276 						   setup.beacon_interval);
13277 		if (err)
13278 			return err;
13279 	}
13280 
13281 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13282 		setup.dtim_period =
13283 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13284 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13285 			return -EINVAL;
13286 	}
13287 
13288 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13289 		/* parse additional setup parameters if given */
13290 		err = nl80211_parse_mesh_setup(info, &setup);
13291 		if (err)
13292 			return err;
13293 	}
13294 
13295 	if (setup.user_mpm)
13296 		cfg.auto_open_plinks = false;
13297 
13298 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13299 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13300 		if (err)
13301 			return err;
13302 	} else {
13303 		/* __cfg80211_join_mesh() will sort it out */
13304 		setup.chandef.chan = NULL;
13305 	}
13306 
13307 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13308 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13309 		int n_rates =
13310 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13311 		struct ieee80211_supported_band *sband;
13312 
13313 		if (!setup.chandef.chan)
13314 			return -EINVAL;
13315 
13316 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13317 
13318 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13319 					     &setup.basic_rates);
13320 		if (err)
13321 			return err;
13322 	}
13323 
13324 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13325 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13326 						    NL80211_ATTR_TX_RATES,
13327 						    &setup.beacon_rate,
13328 						    dev, false, 0);
13329 		if (err)
13330 			return err;
13331 
13332 		if (!setup.chandef.chan)
13333 			return -EINVAL;
13334 
13335 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13336 					      &setup.beacon_rate);
13337 		if (err)
13338 			return err;
13339 	}
13340 
13341 	setup.userspace_handles_dfs =
13342 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13343 
13344 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13345 		int r = validate_pae_over_nl80211(rdev, info);
13346 
13347 		if (r < 0)
13348 			return r;
13349 
13350 		setup.control_port_over_nl80211 = true;
13351 	}
13352 
13353 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13354 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13355 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13356 
13357 	return err;
13358 }
13359 
13360 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13361 {
13362 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13363 	struct net_device *dev = info->user_ptr[1];
13364 
13365 	return cfg80211_leave_mesh(rdev, dev);
13366 }
13367 
13368 #ifdef CONFIG_PM
13369 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13370 					struct cfg80211_registered_device *rdev)
13371 {
13372 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13373 	struct nlattr *nl_pats, *nl_pat;
13374 	int i, pat_len;
13375 
13376 	if (!wowlan->n_patterns)
13377 		return 0;
13378 
13379 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13380 	if (!nl_pats)
13381 		return -ENOBUFS;
13382 
13383 	for (i = 0; i < wowlan->n_patterns; i++) {
13384 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13385 		if (!nl_pat)
13386 			return -ENOBUFS;
13387 		pat_len = wowlan->patterns[i].pattern_len;
13388 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13389 			    wowlan->patterns[i].mask) ||
13390 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13391 			    wowlan->patterns[i].pattern) ||
13392 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13393 				wowlan->patterns[i].pkt_offset))
13394 			return -ENOBUFS;
13395 		nla_nest_end(msg, nl_pat);
13396 	}
13397 	nla_nest_end(msg, nl_pats);
13398 
13399 	return 0;
13400 }
13401 
13402 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13403 				   struct cfg80211_wowlan_tcp *tcp)
13404 {
13405 	struct nlattr *nl_tcp;
13406 
13407 	if (!tcp)
13408 		return 0;
13409 
13410 	nl_tcp = nla_nest_start_noflag(msg,
13411 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13412 	if (!nl_tcp)
13413 		return -ENOBUFS;
13414 
13415 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13416 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13417 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13418 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13419 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13420 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13421 		    tcp->payload_len, tcp->payload) ||
13422 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13423 			tcp->data_interval) ||
13424 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13425 		    tcp->wake_len, tcp->wake_data) ||
13426 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13427 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13428 		return -ENOBUFS;
13429 
13430 	if (tcp->payload_seq.len &&
13431 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13432 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13433 		return -ENOBUFS;
13434 
13435 	if (tcp->payload_tok.len &&
13436 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13437 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13438 		    &tcp->payload_tok))
13439 		return -ENOBUFS;
13440 
13441 	nla_nest_end(msg, nl_tcp);
13442 
13443 	return 0;
13444 }
13445 
13446 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13447 				  struct cfg80211_sched_scan_request *req)
13448 {
13449 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13450 	int i;
13451 
13452 	if (!req)
13453 		return 0;
13454 
13455 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13456 	if (!nd)
13457 		return -ENOBUFS;
13458 
13459 	if (req->n_scan_plans == 1 &&
13460 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13461 			req->scan_plans[0].interval * 1000))
13462 		return -ENOBUFS;
13463 
13464 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13465 		return -ENOBUFS;
13466 
13467 	if (req->relative_rssi_set) {
13468 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13469 
13470 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13471 			       req->relative_rssi))
13472 			return -ENOBUFS;
13473 
13474 		rssi_adjust.band = req->rssi_adjust.band;
13475 		rssi_adjust.delta = req->rssi_adjust.delta;
13476 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13477 			    sizeof(rssi_adjust), &rssi_adjust))
13478 			return -ENOBUFS;
13479 	}
13480 
13481 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13482 	if (!freqs)
13483 		return -ENOBUFS;
13484 
13485 	for (i = 0; i < req->n_channels; i++) {
13486 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13487 			return -ENOBUFS;
13488 	}
13489 
13490 	nla_nest_end(msg, freqs);
13491 
13492 	if (req->n_match_sets) {
13493 		matches = nla_nest_start_noflag(msg,
13494 						NL80211_ATTR_SCHED_SCAN_MATCH);
13495 		if (!matches)
13496 			return -ENOBUFS;
13497 
13498 		for (i = 0; i < req->n_match_sets; i++) {
13499 			match = nla_nest_start_noflag(msg, i);
13500 			if (!match)
13501 				return -ENOBUFS;
13502 
13503 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13504 				    req->match_sets[i].ssid.ssid_len,
13505 				    req->match_sets[i].ssid.ssid))
13506 				return -ENOBUFS;
13507 			nla_nest_end(msg, match);
13508 		}
13509 		nla_nest_end(msg, matches);
13510 	}
13511 
13512 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13513 	if (!scan_plans)
13514 		return -ENOBUFS;
13515 
13516 	for (i = 0; i < req->n_scan_plans; i++) {
13517 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13518 		if (!scan_plan)
13519 			return -ENOBUFS;
13520 
13521 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13522 				req->scan_plans[i].interval) ||
13523 		    (req->scan_plans[i].iterations &&
13524 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13525 				 req->scan_plans[i].iterations)))
13526 			return -ENOBUFS;
13527 		nla_nest_end(msg, scan_plan);
13528 	}
13529 	nla_nest_end(msg, scan_plans);
13530 
13531 	nla_nest_end(msg, nd);
13532 
13533 	return 0;
13534 }
13535 
13536 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13537 {
13538 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13539 	struct sk_buff *msg;
13540 	void *hdr;
13541 	u32 size = NLMSG_DEFAULT_SIZE;
13542 
13543 	if (!rdev->wiphy.wowlan)
13544 		return -EOPNOTSUPP;
13545 
13546 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13547 		/* adjust size to have room for all the data */
13548 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13549 			rdev->wiphy.wowlan_config->tcp->payload_len +
13550 			rdev->wiphy.wowlan_config->tcp->wake_len +
13551 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13552 	}
13553 
13554 	msg = nlmsg_new(size, GFP_KERNEL);
13555 	if (!msg)
13556 		return -ENOMEM;
13557 
13558 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13559 			     NL80211_CMD_GET_WOWLAN);
13560 	if (!hdr)
13561 		goto nla_put_failure;
13562 
13563 	if (rdev->wiphy.wowlan_config) {
13564 		struct nlattr *nl_wowlan;
13565 
13566 		nl_wowlan = nla_nest_start_noflag(msg,
13567 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13568 		if (!nl_wowlan)
13569 			goto nla_put_failure;
13570 
13571 		if ((rdev->wiphy.wowlan_config->any &&
13572 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13573 		    (rdev->wiphy.wowlan_config->disconnect &&
13574 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13575 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13576 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13577 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13578 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13579 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13580 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13581 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13582 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13583 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13584 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13585 			goto nla_put_failure;
13586 
13587 		if (nl80211_send_wowlan_patterns(msg, rdev))
13588 			goto nla_put_failure;
13589 
13590 		if (nl80211_send_wowlan_tcp(msg,
13591 					    rdev->wiphy.wowlan_config->tcp))
13592 			goto nla_put_failure;
13593 
13594 		if (nl80211_send_wowlan_nd(
13595 			    msg,
13596 			    rdev->wiphy.wowlan_config->nd_config))
13597 			goto nla_put_failure;
13598 
13599 		nla_nest_end(msg, nl_wowlan);
13600 	}
13601 
13602 	genlmsg_end(msg, hdr);
13603 	return genlmsg_reply(msg, info);
13604 
13605 nla_put_failure:
13606 	nlmsg_free(msg);
13607 	return -ENOBUFS;
13608 }
13609 
13610 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13611 				    struct nlattr *attr,
13612 				    struct cfg80211_wowlan *trig)
13613 {
13614 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13615 	struct cfg80211_wowlan_tcp *cfg;
13616 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13617 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13618 	u32 size;
13619 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13620 	int err, port;
13621 
13622 	if (!rdev->wiphy.wowlan->tcp)
13623 		return -EINVAL;
13624 
13625 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13626 					  nl80211_wowlan_tcp_policy, NULL);
13627 	if (err)
13628 		return err;
13629 
13630 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13631 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13632 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13633 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13634 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13635 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13636 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13637 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13638 		return -EINVAL;
13639 
13640 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13641 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13642 		return -EINVAL;
13643 
13644 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13645 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13646 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13647 		return -EINVAL;
13648 
13649 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13650 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13651 		return -EINVAL;
13652 
13653 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13654 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13655 		return -EINVAL;
13656 
13657 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13658 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13659 
13660 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13661 		tokens_size = tokln - sizeof(*tok);
13662 
13663 		if (!tok->len || tokens_size % tok->len)
13664 			return -EINVAL;
13665 		if (!rdev->wiphy.wowlan->tcp->tok)
13666 			return -EINVAL;
13667 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13668 			return -EINVAL;
13669 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13670 			return -EINVAL;
13671 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13672 			return -EINVAL;
13673 		if (tok->offset + tok->len > data_size)
13674 			return -EINVAL;
13675 	}
13676 
13677 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13678 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13679 		if (!rdev->wiphy.wowlan->tcp->seq)
13680 			return -EINVAL;
13681 		if (seq->len == 0 || seq->len > 4)
13682 			return -EINVAL;
13683 		if (seq->len + seq->offset > data_size)
13684 			return -EINVAL;
13685 	}
13686 
13687 	size = sizeof(*cfg);
13688 	size += data_size;
13689 	size += wake_size + wake_mask_size;
13690 	size += tokens_size;
13691 
13692 	cfg = kzalloc(size, GFP_KERNEL);
13693 	if (!cfg)
13694 		return -ENOMEM;
13695 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13696 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13697 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13698 	       ETH_ALEN);
13699 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13700 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13701 	else
13702 		port = 0;
13703 #ifdef CONFIG_INET
13704 	/* allocate a socket and port for it and use it */
13705 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13706 			    IPPROTO_TCP, &cfg->sock, 1);
13707 	if (err) {
13708 		kfree(cfg);
13709 		return err;
13710 	}
13711 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13712 		sock_release(cfg->sock);
13713 		kfree(cfg);
13714 		return -EADDRINUSE;
13715 	}
13716 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13717 #else
13718 	if (!port) {
13719 		kfree(cfg);
13720 		return -EINVAL;
13721 	}
13722 	cfg->src_port = port;
13723 #endif
13724 
13725 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13726 	cfg->payload_len = data_size;
13727 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13728 	memcpy((void *)cfg->payload,
13729 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13730 	       data_size);
13731 	if (seq)
13732 		cfg->payload_seq = *seq;
13733 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13734 	cfg->wake_len = wake_size;
13735 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13736 	memcpy((void *)cfg->wake_data,
13737 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13738 	       wake_size);
13739 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13740 			 data_size + wake_size;
13741 	memcpy((void *)cfg->wake_mask,
13742 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13743 	       wake_mask_size);
13744 	if (tok) {
13745 		cfg->tokens_size = tokens_size;
13746 		cfg->payload_tok = *tok;
13747 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13748 		       tokens_size);
13749 	}
13750 
13751 	trig->tcp = cfg;
13752 
13753 	return 0;
13754 }
13755 
13756 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13757 				   const struct wiphy_wowlan_support *wowlan,
13758 				   struct nlattr *attr,
13759 				   struct cfg80211_wowlan *trig)
13760 {
13761 	struct nlattr **tb;
13762 	int err;
13763 
13764 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13765 	if (!tb)
13766 		return -ENOMEM;
13767 
13768 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13769 		err = -EOPNOTSUPP;
13770 		goto out;
13771 	}
13772 
13773 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13774 					  nl80211_policy, NULL);
13775 	if (err)
13776 		goto out;
13777 
13778 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13779 						   wowlan->max_nd_match_sets);
13780 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13781 	if (err)
13782 		trig->nd_config = NULL;
13783 
13784 out:
13785 	kfree(tb);
13786 	return err;
13787 }
13788 
13789 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13790 {
13791 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13792 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13793 	struct cfg80211_wowlan new_triggers = {};
13794 	struct cfg80211_wowlan *ntrig;
13795 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13796 	int err, i;
13797 	bool prev_enabled = rdev->wiphy.wowlan_config;
13798 	bool regular = false;
13799 
13800 	if (!wowlan)
13801 		return -EOPNOTSUPP;
13802 
13803 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13804 		cfg80211_rdev_free_wowlan(rdev);
13805 		rdev->wiphy.wowlan_config = NULL;
13806 		goto set_wakeup;
13807 	}
13808 
13809 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13810 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13811 					  nl80211_wowlan_policy, info->extack);
13812 	if (err)
13813 		return err;
13814 
13815 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13816 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13817 			return -EINVAL;
13818 		new_triggers.any = true;
13819 	}
13820 
13821 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13822 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13823 			return -EINVAL;
13824 		new_triggers.disconnect = true;
13825 		regular = true;
13826 	}
13827 
13828 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13829 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13830 			return -EINVAL;
13831 		new_triggers.magic_pkt = true;
13832 		regular = true;
13833 	}
13834 
13835 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13836 		return -EINVAL;
13837 
13838 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13839 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13840 			return -EINVAL;
13841 		new_triggers.gtk_rekey_failure = true;
13842 		regular = true;
13843 	}
13844 
13845 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13846 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13847 			return -EINVAL;
13848 		new_triggers.eap_identity_req = true;
13849 		regular = true;
13850 	}
13851 
13852 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13853 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13854 			return -EINVAL;
13855 		new_triggers.four_way_handshake = true;
13856 		regular = true;
13857 	}
13858 
13859 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13860 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13861 			return -EINVAL;
13862 		new_triggers.rfkill_release = true;
13863 		regular = true;
13864 	}
13865 
13866 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13867 		struct nlattr *pat;
13868 		int n_patterns = 0;
13869 		int rem, pat_len, mask_len, pkt_offset;
13870 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13871 
13872 		regular = true;
13873 
13874 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13875 				    rem)
13876 			n_patterns++;
13877 		if (n_patterns > wowlan->n_patterns)
13878 			return -EINVAL;
13879 
13880 		new_triggers.patterns = kcalloc(n_patterns,
13881 						sizeof(new_triggers.patterns[0]),
13882 						GFP_KERNEL);
13883 		if (!new_triggers.patterns)
13884 			return -ENOMEM;
13885 
13886 		new_triggers.n_patterns = n_patterns;
13887 		i = 0;
13888 
13889 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13890 				    rem) {
13891 			u8 *mask_pat;
13892 
13893 			err = nla_parse_nested_deprecated(pat_tb,
13894 							  MAX_NL80211_PKTPAT,
13895 							  pat,
13896 							  nl80211_packet_pattern_policy,
13897 							  info->extack);
13898 			if (err)
13899 				goto error;
13900 
13901 			err = -EINVAL;
13902 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13903 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13904 				goto error;
13905 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13906 			mask_len = DIV_ROUND_UP(pat_len, 8);
13907 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13908 				goto error;
13909 			if (pat_len > wowlan->pattern_max_len ||
13910 			    pat_len < wowlan->pattern_min_len)
13911 				goto error;
13912 
13913 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13914 				pkt_offset = 0;
13915 			else
13916 				pkt_offset = nla_get_u32(
13917 					pat_tb[NL80211_PKTPAT_OFFSET]);
13918 			if (pkt_offset > wowlan->max_pkt_offset)
13919 				goto error;
13920 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13921 
13922 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13923 			if (!mask_pat) {
13924 				err = -ENOMEM;
13925 				goto error;
13926 			}
13927 			new_triggers.patterns[i].mask = mask_pat;
13928 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13929 			       mask_len);
13930 			mask_pat += mask_len;
13931 			new_triggers.patterns[i].pattern = mask_pat;
13932 			new_triggers.patterns[i].pattern_len = pat_len;
13933 			memcpy(mask_pat,
13934 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13935 			       pat_len);
13936 			i++;
13937 		}
13938 	}
13939 
13940 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13941 		regular = true;
13942 		err = nl80211_parse_wowlan_tcp(
13943 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13944 			&new_triggers);
13945 		if (err)
13946 			goto error;
13947 	}
13948 
13949 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13950 		regular = true;
13951 		err = nl80211_parse_wowlan_nd(
13952 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13953 			&new_triggers);
13954 		if (err)
13955 			goto error;
13956 	}
13957 
13958 	/* The 'any' trigger means the device continues operating more or less
13959 	 * as in its normal operation mode and wakes up the host on most of the
13960 	 * normal interrupts (like packet RX, ...)
13961 	 * It therefore makes little sense to combine with the more constrained
13962 	 * wakeup trigger modes.
13963 	 */
13964 	if (new_triggers.any && regular) {
13965 		err = -EINVAL;
13966 		goto error;
13967 	}
13968 
13969 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13970 	if (!ntrig) {
13971 		err = -ENOMEM;
13972 		goto error;
13973 	}
13974 	cfg80211_rdev_free_wowlan(rdev);
13975 	rdev->wiphy.wowlan_config = ntrig;
13976 
13977  set_wakeup:
13978 	if (rdev->ops->set_wakeup &&
13979 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13980 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13981 
13982 	return 0;
13983  error:
13984 	for (i = 0; i < new_triggers.n_patterns; i++)
13985 		kfree(new_triggers.patterns[i].mask);
13986 	kfree(new_triggers.patterns);
13987 	if (new_triggers.tcp && new_triggers.tcp->sock)
13988 		sock_release(new_triggers.tcp->sock);
13989 	kfree(new_triggers.tcp);
13990 	kfree(new_triggers.nd_config);
13991 	return err;
13992 }
13993 #endif
13994 
13995 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13996 				       struct cfg80211_registered_device *rdev)
13997 {
13998 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13999 	int i, j, pat_len;
14000 	struct cfg80211_coalesce_rules *rule;
14001 
14002 	if (!rdev->coalesce->n_rules)
14003 		return 0;
14004 
14005 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
14006 	if (!nl_rules)
14007 		return -ENOBUFS;
14008 
14009 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
14010 		nl_rule = nla_nest_start_noflag(msg, i + 1);
14011 		if (!nl_rule)
14012 			return -ENOBUFS;
14013 
14014 		rule = &rdev->coalesce->rules[i];
14015 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
14016 				rule->delay))
14017 			return -ENOBUFS;
14018 
14019 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
14020 				rule->condition))
14021 			return -ENOBUFS;
14022 
14023 		nl_pats = nla_nest_start_noflag(msg,
14024 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
14025 		if (!nl_pats)
14026 			return -ENOBUFS;
14027 
14028 		for (j = 0; j < rule->n_patterns; j++) {
14029 			nl_pat = nla_nest_start_noflag(msg, j + 1);
14030 			if (!nl_pat)
14031 				return -ENOBUFS;
14032 			pat_len = rule->patterns[j].pattern_len;
14033 			if (nla_put(msg, NL80211_PKTPAT_MASK,
14034 				    DIV_ROUND_UP(pat_len, 8),
14035 				    rule->patterns[j].mask) ||
14036 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
14037 				    rule->patterns[j].pattern) ||
14038 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
14039 					rule->patterns[j].pkt_offset))
14040 				return -ENOBUFS;
14041 			nla_nest_end(msg, nl_pat);
14042 		}
14043 		nla_nest_end(msg, nl_pats);
14044 		nla_nest_end(msg, nl_rule);
14045 	}
14046 	nla_nest_end(msg, nl_rules);
14047 
14048 	return 0;
14049 }
14050 
14051 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
14052 {
14053 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14054 	struct sk_buff *msg;
14055 	void *hdr;
14056 
14057 	if (!rdev->wiphy.coalesce)
14058 		return -EOPNOTSUPP;
14059 
14060 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14061 	if (!msg)
14062 		return -ENOMEM;
14063 
14064 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14065 			     NL80211_CMD_GET_COALESCE);
14066 	if (!hdr)
14067 		goto nla_put_failure;
14068 
14069 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
14070 		goto nla_put_failure;
14071 
14072 	genlmsg_end(msg, hdr);
14073 	return genlmsg_reply(msg, info);
14074 
14075 nla_put_failure:
14076 	nlmsg_free(msg);
14077 	return -ENOBUFS;
14078 }
14079 
14080 void cfg80211_free_coalesce(struct cfg80211_coalesce *coalesce)
14081 {
14082 	int i, j;
14083 	struct cfg80211_coalesce_rules *rule;
14084 
14085 	if (!coalesce)
14086 		return;
14087 
14088 	for (i = 0; i < coalesce->n_rules; i++) {
14089 		rule = &coalesce->rules[i];
14090 		for (j = 0; j < rule->n_patterns; j++)
14091 			kfree(rule->patterns[j].mask);
14092 		kfree(rule->patterns);
14093 	}
14094 	kfree(coalesce);
14095 }
14096 
14097 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
14098 				       struct nlattr *rule,
14099 				       struct cfg80211_coalesce_rules *new_rule)
14100 {
14101 	int err, i;
14102 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14103 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
14104 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
14105 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
14106 
14107 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
14108 					  rule, nl80211_coalesce_policy, NULL);
14109 	if (err)
14110 		return err;
14111 
14112 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
14113 		new_rule->delay =
14114 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
14115 	if (new_rule->delay > coalesce->max_delay)
14116 		return -EINVAL;
14117 
14118 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
14119 		new_rule->condition =
14120 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
14121 
14122 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
14123 		return -EINVAL;
14124 
14125 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14126 			    rem)
14127 		n_patterns++;
14128 	if (n_patterns > coalesce->n_patterns)
14129 		return -EINVAL;
14130 
14131 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
14132 				     GFP_KERNEL);
14133 	if (!new_rule->patterns)
14134 		return -ENOMEM;
14135 
14136 	new_rule->n_patterns = n_patterns;
14137 	i = 0;
14138 
14139 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
14140 			    rem) {
14141 		u8 *mask_pat;
14142 
14143 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
14144 						  pat,
14145 						  nl80211_packet_pattern_policy,
14146 						  NULL);
14147 		if (err)
14148 			return err;
14149 
14150 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
14151 		    !pat_tb[NL80211_PKTPAT_PATTERN])
14152 			return -EINVAL;
14153 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
14154 		mask_len = DIV_ROUND_UP(pat_len, 8);
14155 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
14156 			return -EINVAL;
14157 		if (pat_len > coalesce->pattern_max_len ||
14158 		    pat_len < coalesce->pattern_min_len)
14159 			return -EINVAL;
14160 
14161 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
14162 			pkt_offset = 0;
14163 		else
14164 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
14165 		if (pkt_offset > coalesce->max_pkt_offset)
14166 			return -EINVAL;
14167 		new_rule->patterns[i].pkt_offset = pkt_offset;
14168 
14169 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
14170 		if (!mask_pat)
14171 			return -ENOMEM;
14172 
14173 		new_rule->patterns[i].mask = mask_pat;
14174 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
14175 		       mask_len);
14176 
14177 		mask_pat += mask_len;
14178 		new_rule->patterns[i].pattern = mask_pat;
14179 		new_rule->patterns[i].pattern_len = pat_len;
14180 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
14181 		       pat_len);
14182 		i++;
14183 	}
14184 
14185 	return 0;
14186 }
14187 
14188 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
14189 {
14190 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14191 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
14192 	struct cfg80211_coalesce *new_coalesce;
14193 	int err, rem_rule, n_rules = 0, i;
14194 	struct nlattr *rule;
14195 
14196 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
14197 		return -EOPNOTSUPP;
14198 
14199 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
14200 		cfg80211_free_coalesce(rdev->coalesce);
14201 		rdev->coalesce = NULL;
14202 		rdev_set_coalesce(rdev, NULL);
14203 		return 0;
14204 	}
14205 
14206 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14207 			    rem_rule)
14208 		n_rules++;
14209 	if (n_rules > coalesce->n_rules)
14210 		return -EINVAL;
14211 
14212 	new_coalesce = kzalloc(struct_size(new_coalesce, rules, n_rules),
14213 			       GFP_KERNEL);
14214 	if (!new_coalesce)
14215 		return -ENOMEM;
14216 
14217 	new_coalesce->n_rules = n_rules;
14218 	i = 0;
14219 
14220 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
14221 			    rem_rule) {
14222 		err = nl80211_parse_coalesce_rule(rdev, rule,
14223 						  &new_coalesce->rules[i]);
14224 		if (err)
14225 			goto error;
14226 
14227 		i++;
14228 	}
14229 
14230 	err = rdev_set_coalesce(rdev, new_coalesce);
14231 	if (err)
14232 		goto error;
14233 
14234 	cfg80211_free_coalesce(rdev->coalesce);
14235 	rdev->coalesce = new_coalesce;
14236 
14237 	return 0;
14238 error:
14239 	cfg80211_free_coalesce(new_coalesce);
14240 
14241 	return err;
14242 }
14243 
14244 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14245 {
14246 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14247 	struct net_device *dev = info->user_ptr[1];
14248 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14249 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14250 	struct cfg80211_gtk_rekey_data rekey_data = {};
14251 	int err;
14252 
14253 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14254 		return -EINVAL;
14255 
14256 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14257 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14258 					  nl80211_rekey_policy, info->extack);
14259 	if (err)
14260 		return err;
14261 
14262 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14263 	    !tb[NL80211_REKEY_DATA_KCK])
14264 		return -EINVAL;
14265 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14266 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14267 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14268 		return -ERANGE;
14269 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14270 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14271 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14272 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14273 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14274 		return -ERANGE;
14275 
14276 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14277 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14278 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14279 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14280 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14281 	if (tb[NL80211_REKEY_DATA_AKM])
14282 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14283 
14284 	if (!wdev->connected)
14285 		return -ENOTCONN;
14286 
14287 	if (!rdev->ops->set_rekey_data)
14288 		return -EOPNOTSUPP;
14289 
14290 	return rdev_set_rekey_data(rdev, dev, &rekey_data);
14291 }
14292 
14293 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14294 					     struct genl_info *info)
14295 {
14296 	struct net_device *dev = info->user_ptr[1];
14297 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14298 
14299 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14300 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14301 		return -EINVAL;
14302 
14303 	if (wdev->ap_unexpected_nlportid)
14304 		return -EBUSY;
14305 
14306 	wdev->ap_unexpected_nlportid = info->snd_portid;
14307 	return 0;
14308 }
14309 
14310 static int nl80211_probe_client(struct sk_buff *skb,
14311 				struct genl_info *info)
14312 {
14313 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14314 	struct net_device *dev = info->user_ptr[1];
14315 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14316 	struct sk_buff *msg;
14317 	void *hdr;
14318 	const u8 *addr;
14319 	u64 cookie;
14320 	int err;
14321 
14322 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14323 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14324 		return -EOPNOTSUPP;
14325 
14326 	if (!info->attrs[NL80211_ATTR_MAC])
14327 		return -EINVAL;
14328 
14329 	if (!rdev->ops->probe_client)
14330 		return -EOPNOTSUPP;
14331 
14332 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14333 	if (!msg)
14334 		return -ENOMEM;
14335 
14336 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14337 			     NL80211_CMD_PROBE_CLIENT);
14338 	if (!hdr) {
14339 		err = -ENOBUFS;
14340 		goto free_msg;
14341 	}
14342 
14343 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14344 
14345 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14346 	if (err)
14347 		goto free_msg;
14348 
14349 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14350 			      NL80211_ATTR_PAD))
14351 		goto nla_put_failure;
14352 
14353 	genlmsg_end(msg, hdr);
14354 
14355 	return genlmsg_reply(msg, info);
14356 
14357  nla_put_failure:
14358 	err = -ENOBUFS;
14359  free_msg:
14360 	nlmsg_free(msg);
14361 	return err;
14362 }
14363 
14364 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14365 {
14366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14367 	struct cfg80211_beacon_registration *reg, *nreg;
14368 	int rv;
14369 
14370 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14371 		return -EOPNOTSUPP;
14372 
14373 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14374 	if (!nreg)
14375 		return -ENOMEM;
14376 
14377 	/* First, check if already registered. */
14378 	spin_lock_bh(&rdev->beacon_registrations_lock);
14379 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14380 		if (reg->nlportid == info->snd_portid) {
14381 			rv = -EALREADY;
14382 			goto out_err;
14383 		}
14384 	}
14385 	/* Add it to the list */
14386 	nreg->nlportid = info->snd_portid;
14387 	list_add(&nreg->list, &rdev->beacon_registrations);
14388 
14389 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14390 
14391 	return 0;
14392 out_err:
14393 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14394 	kfree(nreg);
14395 	return rv;
14396 }
14397 
14398 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14399 {
14400 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14401 	struct wireless_dev *wdev = info->user_ptr[1];
14402 	int err;
14403 
14404 	if (!rdev->ops->start_p2p_device)
14405 		return -EOPNOTSUPP;
14406 
14407 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14408 		return -EOPNOTSUPP;
14409 
14410 	if (wdev_running(wdev))
14411 		return 0;
14412 
14413 	if (rfkill_blocked(rdev->wiphy.rfkill))
14414 		return -ERFKILL;
14415 
14416 	err = rdev_start_p2p_device(rdev, wdev);
14417 	if (err)
14418 		return err;
14419 
14420 	wdev->is_running = true;
14421 	rdev->opencount++;
14422 
14423 	return 0;
14424 }
14425 
14426 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14427 {
14428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14429 	struct wireless_dev *wdev = info->user_ptr[1];
14430 
14431 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14432 		return -EOPNOTSUPP;
14433 
14434 	if (!rdev->ops->stop_p2p_device)
14435 		return -EOPNOTSUPP;
14436 
14437 	cfg80211_stop_p2p_device(rdev, wdev);
14438 
14439 	return 0;
14440 }
14441 
14442 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14443 {
14444 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14445 	struct wireless_dev *wdev = info->user_ptr[1];
14446 	struct cfg80211_nan_conf conf = {};
14447 	int err;
14448 
14449 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14450 		return -EOPNOTSUPP;
14451 
14452 	if (wdev_running(wdev))
14453 		return -EEXIST;
14454 
14455 	if (rfkill_blocked(rdev->wiphy.rfkill))
14456 		return -ERFKILL;
14457 
14458 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14459 		return -EINVAL;
14460 
14461 	conf.master_pref =
14462 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14463 
14464 	if (info->attrs[NL80211_ATTR_BANDS]) {
14465 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14466 
14467 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14468 			return -EOPNOTSUPP;
14469 
14470 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14471 			return -EINVAL;
14472 
14473 		conf.bands = bands;
14474 	}
14475 
14476 	err = rdev_start_nan(rdev, wdev, &conf);
14477 	if (err)
14478 		return err;
14479 
14480 	wdev->is_running = true;
14481 	rdev->opencount++;
14482 
14483 	return 0;
14484 }
14485 
14486 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14487 {
14488 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14489 	struct wireless_dev *wdev = info->user_ptr[1];
14490 
14491 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14492 		return -EOPNOTSUPP;
14493 
14494 	cfg80211_stop_nan(rdev, wdev);
14495 
14496 	return 0;
14497 }
14498 
14499 static int validate_nan_filter(struct nlattr *filter_attr)
14500 {
14501 	struct nlattr *attr;
14502 	int len = 0, n_entries = 0, rem;
14503 
14504 	nla_for_each_nested(attr, filter_attr, rem) {
14505 		len += nla_len(attr);
14506 		n_entries++;
14507 	}
14508 
14509 	if (len >= U8_MAX)
14510 		return -EINVAL;
14511 
14512 	return n_entries;
14513 }
14514 
14515 static int handle_nan_filter(struct nlattr *attr_filter,
14516 			     struct cfg80211_nan_func *func,
14517 			     bool tx)
14518 {
14519 	struct nlattr *attr;
14520 	int n_entries, rem, i;
14521 	struct cfg80211_nan_func_filter *filter;
14522 
14523 	n_entries = validate_nan_filter(attr_filter);
14524 	if (n_entries < 0)
14525 		return n_entries;
14526 
14527 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14528 
14529 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14530 	if (!filter)
14531 		return -ENOMEM;
14532 
14533 	i = 0;
14534 	nla_for_each_nested(attr, attr_filter, rem) {
14535 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14536 		if (!filter[i].filter)
14537 			goto err;
14538 
14539 		filter[i].len = nla_len(attr);
14540 		i++;
14541 	}
14542 	if (tx) {
14543 		func->num_tx_filters = n_entries;
14544 		func->tx_filters = filter;
14545 	} else {
14546 		func->num_rx_filters = n_entries;
14547 		func->rx_filters = filter;
14548 	}
14549 
14550 	return 0;
14551 
14552 err:
14553 	i = 0;
14554 	nla_for_each_nested(attr, attr_filter, rem) {
14555 		kfree(filter[i].filter);
14556 		i++;
14557 	}
14558 	kfree(filter);
14559 	return -ENOMEM;
14560 }
14561 
14562 static int nl80211_nan_add_func(struct sk_buff *skb,
14563 				struct genl_info *info)
14564 {
14565 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14566 	struct wireless_dev *wdev = info->user_ptr[1];
14567 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14568 	struct cfg80211_nan_func *func;
14569 	struct sk_buff *msg = NULL;
14570 	void *hdr = NULL;
14571 	int err = 0;
14572 
14573 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14574 		return -EOPNOTSUPP;
14575 
14576 	if (!wdev_running(wdev))
14577 		return -ENOTCONN;
14578 
14579 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14580 		return -EINVAL;
14581 
14582 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14583 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14584 					  nl80211_nan_func_policy,
14585 					  info->extack);
14586 	if (err)
14587 		return err;
14588 
14589 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14590 	if (!func)
14591 		return -ENOMEM;
14592 
14593 	func->cookie = cfg80211_assign_cookie(rdev);
14594 
14595 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14596 		err = -EINVAL;
14597 		goto out;
14598 	}
14599 
14600 
14601 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14602 
14603 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14604 		err = -EINVAL;
14605 		goto out;
14606 	}
14607 
14608 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14609 	       sizeof(func->service_id));
14610 
14611 	func->close_range =
14612 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14613 
14614 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14615 		func->serv_spec_info_len =
14616 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14617 		func->serv_spec_info =
14618 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14619 				func->serv_spec_info_len,
14620 				GFP_KERNEL);
14621 		if (!func->serv_spec_info) {
14622 			err = -ENOMEM;
14623 			goto out;
14624 		}
14625 	}
14626 
14627 	if (tb[NL80211_NAN_FUNC_TTL])
14628 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14629 
14630 	switch (func->type) {
14631 	case NL80211_NAN_FUNC_PUBLISH:
14632 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14633 			err = -EINVAL;
14634 			goto out;
14635 		}
14636 
14637 		func->publish_type =
14638 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14639 		func->publish_bcast =
14640 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14641 
14642 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14643 			func->publish_bcast) {
14644 			err = -EINVAL;
14645 			goto out;
14646 		}
14647 		break;
14648 	case NL80211_NAN_FUNC_SUBSCRIBE:
14649 		func->subscribe_active =
14650 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14651 		break;
14652 	case NL80211_NAN_FUNC_FOLLOW_UP:
14653 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14654 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14655 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14656 			err = -EINVAL;
14657 			goto out;
14658 		}
14659 
14660 		func->followup_id =
14661 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14662 		func->followup_reqid =
14663 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14664 		memcpy(func->followup_dest.addr,
14665 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14666 		       sizeof(func->followup_dest.addr));
14667 		if (func->ttl) {
14668 			err = -EINVAL;
14669 			goto out;
14670 		}
14671 		break;
14672 	default:
14673 		err = -EINVAL;
14674 		goto out;
14675 	}
14676 
14677 	if (tb[NL80211_NAN_FUNC_SRF]) {
14678 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14679 
14680 		err = nla_parse_nested_deprecated(srf_tb,
14681 						  NL80211_NAN_SRF_ATTR_MAX,
14682 						  tb[NL80211_NAN_FUNC_SRF],
14683 						  nl80211_nan_srf_policy,
14684 						  info->extack);
14685 		if (err)
14686 			goto out;
14687 
14688 		func->srf_include =
14689 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14690 
14691 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14692 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14693 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14694 				err = -EINVAL;
14695 				goto out;
14696 			}
14697 
14698 			func->srf_bf_len =
14699 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14700 			func->srf_bf =
14701 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14702 					func->srf_bf_len, GFP_KERNEL);
14703 			if (!func->srf_bf) {
14704 				err = -ENOMEM;
14705 				goto out;
14706 			}
14707 
14708 			func->srf_bf_idx =
14709 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14710 		} else {
14711 			struct nlattr *attr, *mac_attr =
14712 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14713 			int n_entries, rem, i = 0;
14714 
14715 			if (!mac_attr) {
14716 				err = -EINVAL;
14717 				goto out;
14718 			}
14719 
14720 			n_entries = validate_acl_mac_addrs(mac_attr);
14721 			if (n_entries <= 0) {
14722 				err = -EINVAL;
14723 				goto out;
14724 			}
14725 
14726 			func->srf_num_macs = n_entries;
14727 			func->srf_macs =
14728 				kcalloc(n_entries, sizeof(*func->srf_macs),
14729 					GFP_KERNEL);
14730 			if (!func->srf_macs) {
14731 				err = -ENOMEM;
14732 				goto out;
14733 			}
14734 
14735 			nla_for_each_nested(attr, mac_attr, rem)
14736 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14737 				       sizeof(*func->srf_macs));
14738 		}
14739 	}
14740 
14741 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14742 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14743 					func, true);
14744 		if (err)
14745 			goto out;
14746 	}
14747 
14748 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14749 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14750 					func, false);
14751 		if (err)
14752 			goto out;
14753 	}
14754 
14755 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14756 	if (!msg) {
14757 		err = -ENOMEM;
14758 		goto out;
14759 	}
14760 
14761 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14762 			     NL80211_CMD_ADD_NAN_FUNCTION);
14763 	/* This can't really happen - we just allocated 4KB */
14764 	if (WARN_ON(!hdr)) {
14765 		err = -ENOMEM;
14766 		goto out;
14767 	}
14768 
14769 	err = rdev_add_nan_func(rdev, wdev, func);
14770 out:
14771 	if (err < 0) {
14772 		cfg80211_free_nan_func(func);
14773 		nlmsg_free(msg);
14774 		return err;
14775 	}
14776 
14777 	/* propagate the instance id and cookie to userspace  */
14778 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14779 			      NL80211_ATTR_PAD))
14780 		goto nla_put_failure;
14781 
14782 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14783 	if (!func_attr)
14784 		goto nla_put_failure;
14785 
14786 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14787 		       func->instance_id))
14788 		goto nla_put_failure;
14789 
14790 	nla_nest_end(msg, func_attr);
14791 
14792 	genlmsg_end(msg, hdr);
14793 	return genlmsg_reply(msg, info);
14794 
14795 nla_put_failure:
14796 	nlmsg_free(msg);
14797 	return -ENOBUFS;
14798 }
14799 
14800 static int nl80211_nan_del_func(struct sk_buff *skb,
14801 			       struct genl_info *info)
14802 {
14803 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14804 	struct wireless_dev *wdev = info->user_ptr[1];
14805 	u64 cookie;
14806 
14807 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14808 		return -EOPNOTSUPP;
14809 
14810 	if (!wdev_running(wdev))
14811 		return -ENOTCONN;
14812 
14813 	if (!info->attrs[NL80211_ATTR_COOKIE])
14814 		return -EINVAL;
14815 
14816 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14817 
14818 	rdev_del_nan_func(rdev, wdev, cookie);
14819 
14820 	return 0;
14821 }
14822 
14823 static int nl80211_nan_change_config(struct sk_buff *skb,
14824 				     struct genl_info *info)
14825 {
14826 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14827 	struct wireless_dev *wdev = info->user_ptr[1];
14828 	struct cfg80211_nan_conf conf = {};
14829 	u32 changed = 0;
14830 
14831 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14832 		return -EOPNOTSUPP;
14833 
14834 	if (!wdev_running(wdev))
14835 		return -ENOTCONN;
14836 
14837 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14838 		conf.master_pref =
14839 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14840 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14841 			return -EINVAL;
14842 
14843 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14844 	}
14845 
14846 	if (info->attrs[NL80211_ATTR_BANDS]) {
14847 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14848 
14849 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14850 			return -EOPNOTSUPP;
14851 
14852 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14853 			return -EINVAL;
14854 
14855 		conf.bands = bands;
14856 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14857 	}
14858 
14859 	if (!changed)
14860 		return -EINVAL;
14861 
14862 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14863 }
14864 
14865 void cfg80211_nan_match(struct wireless_dev *wdev,
14866 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14867 {
14868 	struct wiphy *wiphy = wdev->wiphy;
14869 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14870 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14871 	struct sk_buff *msg;
14872 	void *hdr;
14873 
14874 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14875 		return;
14876 
14877 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14878 	if (!msg)
14879 		return;
14880 
14881 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14882 	if (!hdr) {
14883 		nlmsg_free(msg);
14884 		return;
14885 	}
14886 
14887 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14888 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14889 					 wdev->netdev->ifindex)) ||
14890 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14891 			      NL80211_ATTR_PAD))
14892 		goto nla_put_failure;
14893 
14894 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14895 			      NL80211_ATTR_PAD) ||
14896 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14897 		goto nla_put_failure;
14898 
14899 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14900 	if (!match_attr)
14901 		goto nla_put_failure;
14902 
14903 	local_func_attr = nla_nest_start_noflag(msg,
14904 						NL80211_NAN_MATCH_FUNC_LOCAL);
14905 	if (!local_func_attr)
14906 		goto nla_put_failure;
14907 
14908 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14909 		goto nla_put_failure;
14910 
14911 	nla_nest_end(msg, local_func_attr);
14912 
14913 	peer_func_attr = nla_nest_start_noflag(msg,
14914 					       NL80211_NAN_MATCH_FUNC_PEER);
14915 	if (!peer_func_attr)
14916 		goto nla_put_failure;
14917 
14918 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14919 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14920 		goto nla_put_failure;
14921 
14922 	if (match->info && match->info_len &&
14923 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14924 		    match->info))
14925 		goto nla_put_failure;
14926 
14927 	nla_nest_end(msg, peer_func_attr);
14928 	nla_nest_end(msg, match_attr);
14929 	genlmsg_end(msg, hdr);
14930 
14931 	if (!wdev->owner_nlportid)
14932 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14933 					msg, 0, NL80211_MCGRP_NAN, gfp);
14934 	else
14935 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14936 				wdev->owner_nlportid);
14937 
14938 	return;
14939 
14940 nla_put_failure:
14941 	nlmsg_free(msg);
14942 }
14943 EXPORT_SYMBOL(cfg80211_nan_match);
14944 
14945 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14946 				  u8 inst_id,
14947 				  enum nl80211_nan_func_term_reason reason,
14948 				  u64 cookie, gfp_t gfp)
14949 {
14950 	struct wiphy *wiphy = wdev->wiphy;
14951 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14952 	struct sk_buff *msg;
14953 	struct nlattr *func_attr;
14954 	void *hdr;
14955 
14956 	if (WARN_ON(!inst_id))
14957 		return;
14958 
14959 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14960 	if (!msg)
14961 		return;
14962 
14963 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14964 	if (!hdr) {
14965 		nlmsg_free(msg);
14966 		return;
14967 	}
14968 
14969 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14970 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14971 					 wdev->netdev->ifindex)) ||
14972 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14973 			      NL80211_ATTR_PAD))
14974 		goto nla_put_failure;
14975 
14976 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14977 			      NL80211_ATTR_PAD))
14978 		goto nla_put_failure;
14979 
14980 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14981 	if (!func_attr)
14982 		goto nla_put_failure;
14983 
14984 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14985 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14986 		goto nla_put_failure;
14987 
14988 	nla_nest_end(msg, func_attr);
14989 	genlmsg_end(msg, hdr);
14990 
14991 	if (!wdev->owner_nlportid)
14992 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14993 					msg, 0, NL80211_MCGRP_NAN, gfp);
14994 	else
14995 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14996 				wdev->owner_nlportid);
14997 
14998 	return;
14999 
15000 nla_put_failure:
15001 	nlmsg_free(msg);
15002 }
15003 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
15004 
15005 static int nl80211_get_protocol_features(struct sk_buff *skb,
15006 					 struct genl_info *info)
15007 {
15008 	void *hdr;
15009 	struct sk_buff *msg;
15010 
15011 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15012 	if (!msg)
15013 		return -ENOMEM;
15014 
15015 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15016 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
15017 	if (!hdr)
15018 		goto nla_put_failure;
15019 
15020 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
15021 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
15022 		goto nla_put_failure;
15023 
15024 	genlmsg_end(msg, hdr);
15025 	return genlmsg_reply(msg, info);
15026 
15027  nla_put_failure:
15028 	kfree_skb(msg);
15029 	return -ENOBUFS;
15030 }
15031 
15032 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
15033 {
15034 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15035 	struct cfg80211_update_ft_ies_params ft_params;
15036 	struct net_device *dev = info->user_ptr[1];
15037 
15038 	if (!rdev->ops->update_ft_ies)
15039 		return -EOPNOTSUPP;
15040 
15041 	if (!info->attrs[NL80211_ATTR_MDID] ||
15042 	    !info->attrs[NL80211_ATTR_IE])
15043 		return -EINVAL;
15044 
15045 	memset(&ft_params, 0, sizeof(ft_params));
15046 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
15047 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15048 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15049 
15050 	return rdev_update_ft_ies(rdev, dev, &ft_params);
15051 }
15052 
15053 static int nl80211_crit_protocol_start(struct sk_buff *skb,
15054 				       struct genl_info *info)
15055 {
15056 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15057 	struct wireless_dev *wdev = info->user_ptr[1];
15058 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
15059 	u16 duration;
15060 	int ret;
15061 
15062 	if (!rdev->ops->crit_proto_start)
15063 		return -EOPNOTSUPP;
15064 
15065 	if (WARN_ON(!rdev->ops->crit_proto_stop))
15066 		return -EINVAL;
15067 
15068 	if (rdev->crit_proto_nlportid)
15069 		return -EBUSY;
15070 
15071 	/* determine protocol if provided */
15072 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
15073 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
15074 
15075 	if (proto >= NUM_NL80211_CRIT_PROTO)
15076 		return -EINVAL;
15077 
15078 	/* timeout must be provided */
15079 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
15080 		return -EINVAL;
15081 
15082 	duration =
15083 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
15084 
15085 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
15086 	if (!ret)
15087 		rdev->crit_proto_nlportid = info->snd_portid;
15088 
15089 	return ret;
15090 }
15091 
15092 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
15093 				      struct genl_info *info)
15094 {
15095 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15096 	struct wireless_dev *wdev = info->user_ptr[1];
15097 
15098 	if (!rdev->ops->crit_proto_stop)
15099 		return -EOPNOTSUPP;
15100 
15101 	if (rdev->crit_proto_nlportid) {
15102 		rdev->crit_proto_nlportid = 0;
15103 		rdev_crit_proto_stop(rdev, wdev);
15104 	}
15105 	return 0;
15106 }
15107 
15108 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
15109 				       struct nlattr *attr,
15110 				       struct netlink_ext_ack *extack)
15111 {
15112 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
15113 		if (attr->nla_type & NLA_F_NESTED) {
15114 			NL_SET_ERR_MSG_ATTR(extack, attr,
15115 					    "unexpected nested data");
15116 			return -EINVAL;
15117 		}
15118 
15119 		return 0;
15120 	}
15121 
15122 	if (!(attr->nla_type & NLA_F_NESTED)) {
15123 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
15124 		return -EINVAL;
15125 	}
15126 
15127 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
15128 }
15129 
15130 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
15131 {
15132 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15133 	struct wireless_dev *wdev =
15134 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
15135 					   info->attrs);
15136 	int i, err;
15137 	u32 vid, subcmd;
15138 
15139 	if (!rdev->wiphy.vendor_commands)
15140 		return -EOPNOTSUPP;
15141 
15142 	if (IS_ERR(wdev)) {
15143 		err = PTR_ERR(wdev);
15144 		if (err != -EINVAL)
15145 			return err;
15146 		wdev = NULL;
15147 	} else if (wdev->wiphy != &rdev->wiphy) {
15148 		return -EINVAL;
15149 	}
15150 
15151 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
15152 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
15153 		return -EINVAL;
15154 
15155 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
15156 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
15157 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
15158 		const struct wiphy_vendor_command *vcmd;
15159 		void *data = NULL;
15160 		int len = 0;
15161 
15162 		vcmd = &rdev->wiphy.vendor_commands[i];
15163 
15164 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15165 			continue;
15166 
15167 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15168 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15169 			if (!wdev)
15170 				return -EINVAL;
15171 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15172 			    !wdev->netdev)
15173 				return -EINVAL;
15174 
15175 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15176 				if (!wdev_running(wdev))
15177 					return -ENETDOWN;
15178 			}
15179 		} else {
15180 			wdev = NULL;
15181 		}
15182 
15183 		if (!vcmd->doit)
15184 			return -EOPNOTSUPP;
15185 
15186 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
15187 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15188 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
15189 
15190 			err = nl80211_vendor_check_policy(vcmd,
15191 					info->attrs[NL80211_ATTR_VENDOR_DATA],
15192 					info->extack);
15193 			if (err)
15194 				return err;
15195 		}
15196 
15197 		rdev->cur_cmd_info = info;
15198 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
15199 		rdev->cur_cmd_info = NULL;
15200 		return err;
15201 	}
15202 
15203 	return -EOPNOTSUPP;
15204 }
15205 
15206 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
15207 				       struct netlink_callback *cb,
15208 				       struct cfg80211_registered_device **rdev,
15209 				       struct wireless_dev **wdev)
15210 {
15211 	struct nlattr **attrbuf;
15212 	u32 vid, subcmd;
15213 	unsigned int i;
15214 	int vcmd_idx = -1;
15215 	int err;
15216 	void *data = NULL;
15217 	unsigned int data_len = 0;
15218 
15219 	if (cb->args[0]) {
15220 		/* subtract the 1 again here */
15221 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15222 		struct wireless_dev *tmp;
15223 
15224 		if (!wiphy)
15225 			return -ENODEV;
15226 		*rdev = wiphy_to_rdev(wiphy);
15227 		*wdev = NULL;
15228 
15229 		if (cb->args[1]) {
15230 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15231 				if (tmp->identifier == cb->args[1] - 1) {
15232 					*wdev = tmp;
15233 					break;
15234 				}
15235 			}
15236 		}
15237 
15238 		/* keep rtnl locked in successful case */
15239 		return 0;
15240 	}
15241 
15242 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15243 	if (!attrbuf)
15244 		return -ENOMEM;
15245 
15246 	err = nlmsg_parse_deprecated(cb->nlh,
15247 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15248 				     attrbuf, nl80211_fam.maxattr,
15249 				     nl80211_policy, NULL);
15250 	if (err)
15251 		goto out;
15252 
15253 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15254 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15255 		err = -EINVAL;
15256 		goto out;
15257 	}
15258 
15259 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15260 	if (IS_ERR(*wdev))
15261 		*wdev = NULL;
15262 
15263 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15264 	if (IS_ERR(*rdev)) {
15265 		err = PTR_ERR(*rdev);
15266 		goto out;
15267 	}
15268 
15269 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15270 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15271 
15272 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15273 		const struct wiphy_vendor_command *vcmd;
15274 
15275 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15276 
15277 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15278 			continue;
15279 
15280 		if (!vcmd->dumpit) {
15281 			err = -EOPNOTSUPP;
15282 			goto out;
15283 		}
15284 
15285 		vcmd_idx = i;
15286 		break;
15287 	}
15288 
15289 	if (vcmd_idx < 0) {
15290 		err = -EOPNOTSUPP;
15291 		goto out;
15292 	}
15293 
15294 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15295 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15296 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15297 
15298 		err = nl80211_vendor_check_policy(
15299 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15300 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15301 				cb->extack);
15302 		if (err)
15303 			goto out;
15304 	}
15305 
15306 	/* 0 is the first index - add 1 to parse only once */
15307 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15308 	/* add 1 to know if it was NULL */
15309 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15310 	cb->args[2] = vcmd_idx;
15311 	cb->args[3] = (unsigned long)data;
15312 	cb->args[4] = data_len;
15313 
15314 	/* keep rtnl locked in successful case */
15315 	err = 0;
15316 out:
15317 	kfree(attrbuf);
15318 	return err;
15319 }
15320 
15321 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15322 				   struct netlink_callback *cb)
15323 {
15324 	struct cfg80211_registered_device *rdev;
15325 	struct wireless_dev *wdev;
15326 	unsigned int vcmd_idx;
15327 	const struct wiphy_vendor_command *vcmd;
15328 	void *data;
15329 	int data_len;
15330 	int err;
15331 	struct nlattr *vendor_data;
15332 
15333 	rtnl_lock();
15334 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15335 	if (err)
15336 		goto out;
15337 
15338 	vcmd_idx = cb->args[2];
15339 	data = (void *)cb->args[3];
15340 	data_len = cb->args[4];
15341 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15342 
15343 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15344 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15345 		if (!wdev) {
15346 			err = -EINVAL;
15347 			goto out;
15348 		}
15349 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15350 		    !wdev->netdev) {
15351 			err = -EINVAL;
15352 			goto out;
15353 		}
15354 
15355 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15356 			if (!wdev_running(wdev)) {
15357 				err = -ENETDOWN;
15358 				goto out;
15359 			}
15360 		}
15361 	}
15362 
15363 	while (1) {
15364 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15365 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15366 					   NL80211_CMD_VENDOR);
15367 		if (!hdr)
15368 			break;
15369 
15370 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15371 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15372 					       wdev_id(wdev),
15373 					       NL80211_ATTR_PAD))) {
15374 			genlmsg_cancel(skb, hdr);
15375 			break;
15376 		}
15377 
15378 		vendor_data = nla_nest_start_noflag(skb,
15379 						    NL80211_ATTR_VENDOR_DATA);
15380 		if (!vendor_data) {
15381 			genlmsg_cancel(skb, hdr);
15382 			break;
15383 		}
15384 
15385 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15386 				   (unsigned long *)&cb->args[5]);
15387 		nla_nest_end(skb, vendor_data);
15388 
15389 		if (err == -ENOBUFS || err == -ENOENT) {
15390 			genlmsg_cancel(skb, hdr);
15391 			break;
15392 		} else if (err <= 0) {
15393 			genlmsg_cancel(skb, hdr);
15394 			goto out;
15395 		}
15396 
15397 		genlmsg_end(skb, hdr);
15398 	}
15399 
15400 	err = skb->len;
15401  out:
15402 	rtnl_unlock();
15403 	return err;
15404 }
15405 
15406 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15407 					   enum nl80211_commands cmd,
15408 					   enum nl80211_attrs attr,
15409 					   int approxlen)
15410 {
15411 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15412 
15413 	if (WARN_ON(!rdev->cur_cmd_info))
15414 		return NULL;
15415 
15416 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15417 					   rdev->cur_cmd_info->snd_portid,
15418 					   rdev->cur_cmd_info->snd_seq,
15419 					   cmd, attr, NULL, GFP_KERNEL);
15420 }
15421 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15422 
15423 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15424 {
15425 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15426 	void *hdr = ((void **)skb->cb)[1];
15427 	struct nlattr *data = ((void **)skb->cb)[2];
15428 
15429 	/* clear CB data for netlink core to own from now on */
15430 	memset(skb->cb, 0, sizeof(skb->cb));
15431 
15432 	if (WARN_ON(!rdev->cur_cmd_info)) {
15433 		kfree_skb(skb);
15434 		return -EINVAL;
15435 	}
15436 
15437 	nla_nest_end(skb, data);
15438 	genlmsg_end(skb, hdr);
15439 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15440 }
15441 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15442 
15443 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15444 {
15445 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15446 
15447 	if (WARN_ON(!rdev->cur_cmd_info))
15448 		return 0;
15449 
15450 	return rdev->cur_cmd_info->snd_portid;
15451 }
15452 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15453 
15454 static int nl80211_set_qos_map(struct sk_buff *skb,
15455 			       struct genl_info *info)
15456 {
15457 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15458 	struct cfg80211_qos_map *qos_map = NULL;
15459 	struct net_device *dev = info->user_ptr[1];
15460 	u8 *pos, len, num_des, des_len, des;
15461 	int ret;
15462 
15463 	if (!rdev->ops->set_qos_map)
15464 		return -EOPNOTSUPP;
15465 
15466 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15467 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15468 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15469 
15470 		if (len % 2)
15471 			return -EINVAL;
15472 
15473 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15474 		if (!qos_map)
15475 			return -ENOMEM;
15476 
15477 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15478 		if (num_des) {
15479 			des_len = num_des *
15480 				sizeof(struct cfg80211_dscp_exception);
15481 			memcpy(qos_map->dscp_exception, pos, des_len);
15482 			qos_map->num_des = num_des;
15483 			for (des = 0; des < num_des; des++) {
15484 				if (qos_map->dscp_exception[des].up > 7) {
15485 					kfree(qos_map);
15486 					return -EINVAL;
15487 				}
15488 			}
15489 			pos += des_len;
15490 		}
15491 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15492 	}
15493 
15494 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15495 	if (!ret)
15496 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15497 
15498 	kfree(qos_map);
15499 	return ret;
15500 }
15501 
15502 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15503 {
15504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15505 	struct net_device *dev = info->user_ptr[1];
15506 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15507 	const u8 *peer;
15508 	u8 tsid, up;
15509 	u16 admitted_time = 0;
15510 
15511 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15512 		return -EOPNOTSUPP;
15513 
15514 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15515 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15516 		return -EINVAL;
15517 
15518 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15519 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15520 
15521 	/* WMM uses TIDs 0-7 even for TSPEC */
15522 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15523 		/* TODO: handle 802.11 TSPEC/admission control
15524 		 * need more attributes for that (e.g. BA session requirement);
15525 		 * change the WMM admission test above to allow both then
15526 		 */
15527 		return -EINVAL;
15528 	}
15529 
15530 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15531 
15532 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15533 		admitted_time =
15534 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15535 		if (!admitted_time)
15536 			return -EINVAL;
15537 	}
15538 
15539 	switch (wdev->iftype) {
15540 	case NL80211_IFTYPE_STATION:
15541 	case NL80211_IFTYPE_P2P_CLIENT:
15542 		if (wdev->connected)
15543 			break;
15544 		return -ENOTCONN;
15545 	default:
15546 		return -EOPNOTSUPP;
15547 	}
15548 
15549 	return rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15550 }
15551 
15552 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15553 {
15554 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15555 	struct net_device *dev = info->user_ptr[1];
15556 	const u8 *peer;
15557 	u8 tsid;
15558 
15559 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15560 		return -EINVAL;
15561 
15562 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15563 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15564 
15565 	return rdev_del_tx_ts(rdev, dev, tsid, peer);
15566 }
15567 
15568 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15569 				       struct genl_info *info)
15570 {
15571 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15572 	struct net_device *dev = info->user_ptr[1];
15573 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15574 	struct cfg80211_chan_def chandef = {};
15575 	const u8 *addr;
15576 	u8 oper_class;
15577 	int err;
15578 
15579 	if (!rdev->ops->tdls_channel_switch ||
15580 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15581 		return -EOPNOTSUPP;
15582 
15583 	switch (dev->ieee80211_ptr->iftype) {
15584 	case NL80211_IFTYPE_STATION:
15585 	case NL80211_IFTYPE_P2P_CLIENT:
15586 		break;
15587 	default:
15588 		return -EOPNOTSUPP;
15589 	}
15590 
15591 	if (!info->attrs[NL80211_ATTR_MAC] ||
15592 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15593 		return -EINVAL;
15594 
15595 	err = nl80211_parse_chandef(rdev, info, &chandef);
15596 	if (err)
15597 		return err;
15598 
15599 	/*
15600 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15601 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15602 	 * specification is not defined for them.
15603 	 */
15604 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15605 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15606 	    chandef.width != NL80211_CHAN_WIDTH_20)
15607 		return -EINVAL;
15608 
15609 	/* we will be active on the TDLS link */
15610 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15611 					   wdev->iftype))
15612 		return -EINVAL;
15613 
15614 	/* don't allow switching to DFS channels */
15615 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15616 		return -EINVAL;
15617 
15618 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15619 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15620 
15621 	return rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15622 }
15623 
15624 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15625 					      struct genl_info *info)
15626 {
15627 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15628 	struct net_device *dev = info->user_ptr[1];
15629 	const u8 *addr;
15630 
15631 	if (!rdev->ops->tdls_channel_switch ||
15632 	    !rdev->ops->tdls_cancel_channel_switch ||
15633 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15634 		return -EOPNOTSUPP;
15635 
15636 	switch (dev->ieee80211_ptr->iftype) {
15637 	case NL80211_IFTYPE_STATION:
15638 	case NL80211_IFTYPE_P2P_CLIENT:
15639 		break;
15640 	default:
15641 		return -EOPNOTSUPP;
15642 	}
15643 
15644 	if (!info->attrs[NL80211_ATTR_MAC])
15645 		return -EINVAL;
15646 
15647 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15648 
15649 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15650 
15651 	return 0;
15652 }
15653 
15654 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15655 					    struct genl_info *info)
15656 {
15657 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15658 	struct net_device *dev = info->user_ptr[1];
15659 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15660 	const struct nlattr *nla;
15661 	bool enabled;
15662 
15663 	if (!rdev->ops->set_multicast_to_unicast)
15664 		return -EOPNOTSUPP;
15665 
15666 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15667 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15668 		return -EOPNOTSUPP;
15669 
15670 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15671 	enabled = nla_get_flag(nla);
15672 
15673 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15674 }
15675 
15676 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15677 {
15678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15679 	struct net_device *dev = info->user_ptr[1];
15680 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15681 	struct cfg80211_pmk_conf pmk_conf = {};
15682 
15683 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15684 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15685 		return -EOPNOTSUPP;
15686 
15687 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15688 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15689 		return -EOPNOTSUPP;
15690 
15691 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15692 		return -EINVAL;
15693 
15694 	if (!wdev->connected)
15695 		return -ENOTCONN;
15696 
15697 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15698 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN))
15699 		return -EINVAL;
15700 
15701 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15702 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15703 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15704 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192)
15705 		return -EINVAL;
15706 
15707 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15708 		pmk_conf.pmk_r0_name =
15709 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15710 
15711 	return rdev_set_pmk(rdev, dev, &pmk_conf);
15712 }
15713 
15714 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15715 {
15716 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15717 	struct net_device *dev = info->user_ptr[1];
15718 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15719 	const u8 *aa;
15720 
15721 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15722 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15723 		return -EOPNOTSUPP;
15724 
15725 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15726 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15727 		return -EOPNOTSUPP;
15728 
15729 	if (!info->attrs[NL80211_ATTR_MAC])
15730 		return -EINVAL;
15731 
15732 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15733 	return rdev_del_pmk(rdev, dev, aa);
15734 }
15735 
15736 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15737 {
15738 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15739 	struct net_device *dev = info->user_ptr[1];
15740 	struct cfg80211_external_auth_params params;
15741 
15742 	if (!rdev->ops->external_auth)
15743 		return -EOPNOTSUPP;
15744 
15745 	if (!info->attrs[NL80211_ATTR_SSID] &&
15746 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15747 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15748 		return -EINVAL;
15749 
15750 	if (!info->attrs[NL80211_ATTR_BSSID])
15751 		return -EINVAL;
15752 
15753 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15754 		return -EINVAL;
15755 
15756 	memset(&params, 0, sizeof(params));
15757 
15758 	if (info->attrs[NL80211_ATTR_SSID]) {
15759 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15760 		if (params.ssid.ssid_len == 0)
15761 			return -EINVAL;
15762 		memcpy(params.ssid.ssid,
15763 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15764 		       params.ssid.ssid_len);
15765 	}
15766 
15767 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15768 	       ETH_ALEN);
15769 
15770 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15771 
15772 	if (info->attrs[NL80211_ATTR_PMKID])
15773 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15774 
15775 	return rdev_external_auth(rdev, dev, &params);
15776 }
15777 
15778 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15779 {
15780 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15781 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15782 	struct net_device *dev = info->user_ptr[1];
15783 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15784 	const u8 *buf;
15785 	size_t len;
15786 	u8 *dest;
15787 	u16 proto;
15788 	bool noencrypt;
15789 	u64 cookie = 0;
15790 	int link_id;
15791 	int err;
15792 
15793 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15794 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15795 		return -EOPNOTSUPP;
15796 
15797 	if (!rdev->ops->tx_control_port)
15798 		return -EOPNOTSUPP;
15799 
15800 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15801 	    !info->attrs[NL80211_ATTR_MAC] ||
15802 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15803 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15804 		return -EINVAL;
15805 	}
15806 
15807 	switch (wdev->iftype) {
15808 	case NL80211_IFTYPE_AP:
15809 	case NL80211_IFTYPE_P2P_GO:
15810 	case NL80211_IFTYPE_MESH_POINT:
15811 		break;
15812 	case NL80211_IFTYPE_ADHOC:
15813 		if (wdev->u.ibss.current_bss)
15814 			break;
15815 		return -ENOTCONN;
15816 	case NL80211_IFTYPE_STATION:
15817 	case NL80211_IFTYPE_P2P_CLIENT:
15818 		if (wdev->connected)
15819 			break;
15820 		return -ENOTCONN;
15821 	default:
15822 		return -EOPNOTSUPP;
15823 	}
15824 
15825 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15826 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15827 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15828 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15829 	noencrypt =
15830 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15831 
15832 	link_id = nl80211_link_id_or_invalid(info->attrs);
15833 
15834 	err = rdev_tx_control_port(rdev, dev, buf, len,
15835 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15836 				   dont_wait_for_ack ? NULL : &cookie);
15837 	if (!err && !dont_wait_for_ack)
15838 		nl_set_extack_cookie_u64(info->extack, cookie);
15839 	return err;
15840 }
15841 
15842 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15843 					   struct genl_info *info)
15844 {
15845 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15846 	struct net_device *dev = info->user_ptr[1];
15847 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15848 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15849 	unsigned int link_id = nl80211_link_id(info->attrs);
15850 	struct sk_buff *msg;
15851 	void *hdr;
15852 	struct nlattr *ftm_stats_attr;
15853 	int err;
15854 
15855 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15856 	    !wdev->links[link_id].ap.beacon_interval)
15857 		return -EOPNOTSUPP;
15858 
15859 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15860 	if (err)
15861 		return err;
15862 
15863 	if (!ftm_stats.filled)
15864 		return -ENODATA;
15865 
15866 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15867 	if (!msg)
15868 		return -ENOMEM;
15869 
15870 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15871 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15872 	if (!hdr)
15873 		goto nla_put_failure;
15874 
15875 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15876 		goto nla_put_failure;
15877 
15878 	ftm_stats_attr = nla_nest_start_noflag(msg,
15879 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15880 	if (!ftm_stats_attr)
15881 		goto nla_put_failure;
15882 
15883 #define SET_FTM(field, name, type)					 \
15884 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15885 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15886 			     ftm_stats.field))				 \
15887 		goto nla_put_failure; } while (0)
15888 #define SET_FTM_U64(field, name)					 \
15889 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15890 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15891 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15892 		goto nla_put_failure; } while (0)
15893 
15894 	SET_FTM(success_num, SUCCESS_NUM, u32);
15895 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15896 	SET_FTM(failed_num, FAILED_NUM, u32);
15897 	SET_FTM(asap_num, ASAP_NUM, u32);
15898 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15899 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15900 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15901 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15902 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15903 #undef SET_FTM
15904 
15905 	nla_nest_end(msg, ftm_stats_attr);
15906 
15907 	genlmsg_end(msg, hdr);
15908 	return genlmsg_reply(msg, info);
15909 
15910 nla_put_failure:
15911 	nlmsg_free(msg);
15912 	return -ENOBUFS;
15913 }
15914 
15915 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15916 {
15917 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15918 	struct cfg80211_update_owe_info owe_info;
15919 	struct net_device *dev = info->user_ptr[1];
15920 
15921 	if (!rdev->ops->update_owe_info)
15922 		return -EOPNOTSUPP;
15923 
15924 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15925 	    !info->attrs[NL80211_ATTR_MAC])
15926 		return -EINVAL;
15927 
15928 	memset(&owe_info, 0, sizeof(owe_info));
15929 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15930 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15931 
15932 	if (info->attrs[NL80211_ATTR_IE]) {
15933 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15934 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15935 	}
15936 
15937 	return rdev_update_owe_info(rdev, dev, &owe_info);
15938 }
15939 
15940 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15941 {
15942 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15943 	struct net_device *dev = info->user_ptr[1];
15944 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15945 	struct station_info sinfo = {};
15946 	const u8 *buf;
15947 	size_t len;
15948 	u8 *dest;
15949 	int err;
15950 
15951 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15952 		return -EOPNOTSUPP;
15953 
15954 	if (!info->attrs[NL80211_ATTR_MAC] ||
15955 	    !info->attrs[NL80211_ATTR_FRAME]) {
15956 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15957 		return -EINVAL;
15958 	}
15959 
15960 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15961 		return -EOPNOTSUPP;
15962 
15963 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15964 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15965 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15966 
15967 	if (len < sizeof(struct ethhdr))
15968 		return -EINVAL;
15969 
15970 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15971 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15972 		return -EINVAL;
15973 
15974 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15975 	if (err)
15976 		return err;
15977 
15978 	cfg80211_sinfo_release_content(&sinfo);
15979 
15980 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15981 }
15982 
15983 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15984 			  struct nlattr *attrs[], struct net_device *dev,
15985 			  struct cfg80211_tid_cfg *tid_conf,
15986 			  struct genl_info *info, const u8 *peer,
15987 			  unsigned int link_id)
15988 {
15989 	struct netlink_ext_ack *extack = info->extack;
15990 	u64 mask;
15991 	int err;
15992 
15993 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15994 		return -EINVAL;
15995 
15996 	tid_conf->config_override =
15997 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15998 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15999 
16000 	if (tid_conf->config_override) {
16001 		if (rdev->ops->reset_tid_config) {
16002 			err = rdev_reset_tid_config(rdev, dev, peer,
16003 						    tid_conf->tids);
16004 			if (err)
16005 				return err;
16006 		} else {
16007 			return -EINVAL;
16008 		}
16009 	}
16010 
16011 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
16012 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
16013 		tid_conf->noack =
16014 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
16015 	}
16016 
16017 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
16018 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
16019 		tid_conf->retry_short =
16020 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
16021 
16022 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
16023 			return -EINVAL;
16024 	}
16025 
16026 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
16027 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
16028 		tid_conf->retry_long =
16029 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
16030 
16031 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
16032 			return -EINVAL;
16033 	}
16034 
16035 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
16036 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
16037 		tid_conf->ampdu =
16038 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
16039 	}
16040 
16041 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
16042 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
16043 		tid_conf->rtscts =
16044 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
16045 	}
16046 
16047 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
16048 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
16049 		tid_conf->amsdu =
16050 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
16051 	}
16052 
16053 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
16054 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
16055 
16056 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
16057 
16058 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
16059 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
16060 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
16061 						    &tid_conf->txrate_mask, dev,
16062 						    true, link_id);
16063 			if (err)
16064 				return err;
16065 
16066 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
16067 		}
16068 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
16069 	}
16070 
16071 	if (peer)
16072 		mask = rdev->wiphy.tid_config_support.peer;
16073 	else
16074 		mask = rdev->wiphy.tid_config_support.vif;
16075 
16076 	if (tid_conf->mask & ~mask) {
16077 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
16078 		return -EOPNOTSUPP;
16079 	}
16080 
16081 	return 0;
16082 }
16083 
16084 static int nl80211_set_tid_config(struct sk_buff *skb,
16085 				  struct genl_info *info)
16086 {
16087 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16088 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
16089 	unsigned int link_id = nl80211_link_id(info->attrs);
16090 	struct net_device *dev = info->user_ptr[1];
16091 	struct cfg80211_tid_config *tid_config;
16092 	struct nlattr *tid;
16093 	int conf_idx = 0, rem_conf;
16094 	int ret = -EINVAL;
16095 	u32 num_conf = 0;
16096 
16097 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
16098 		return -EINVAL;
16099 
16100 	if (!rdev->ops->set_tid_config)
16101 		return -EOPNOTSUPP;
16102 
16103 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16104 			    rem_conf)
16105 		num_conf++;
16106 
16107 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
16108 			     GFP_KERNEL);
16109 	if (!tid_config)
16110 		return -ENOMEM;
16111 
16112 	tid_config->n_tid_conf = num_conf;
16113 
16114 	if (info->attrs[NL80211_ATTR_MAC])
16115 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
16116 
16117 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
16118 			    rem_conf) {
16119 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
16120 				       tid, NULL, NULL);
16121 
16122 		if (ret)
16123 			goto bad_tid_conf;
16124 
16125 		ret = parse_tid_conf(rdev, attrs, dev,
16126 				     &tid_config->tid_conf[conf_idx],
16127 				     info, tid_config->peer, link_id);
16128 		if (ret)
16129 			goto bad_tid_conf;
16130 
16131 		conf_idx++;
16132 	}
16133 
16134 	ret = rdev_set_tid_config(rdev, dev, tid_config);
16135 
16136 bad_tid_conf:
16137 	kfree(tid_config);
16138 	return ret;
16139 }
16140 
16141 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
16142 {
16143 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16144 	struct cfg80211_color_change_settings params = {};
16145 	struct net_device *dev = info->user_ptr[1];
16146 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16147 	struct nlattr **tb;
16148 	u16 offset;
16149 	int err;
16150 
16151 	if (!rdev->ops->color_change)
16152 		return -EOPNOTSUPP;
16153 
16154 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
16155 				     NL80211_EXT_FEATURE_BSS_COLOR))
16156 		return -EOPNOTSUPP;
16157 
16158 	if (wdev->iftype != NL80211_IFTYPE_AP)
16159 		return -EOPNOTSUPP;
16160 
16161 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
16162 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
16163 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
16164 		return -EINVAL;
16165 
16166 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
16167 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16168 
16169 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16170 				   info->extack);
16171 	if (err)
16172 		return err;
16173 
16174 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16175 	if (!tb)
16176 		return -ENOMEM;
16177 
16178 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16179 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16180 			       nl80211_policy, info->extack);
16181 	if (err)
16182 		goto out;
16183 
16184 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16185 				   info->extack);
16186 	if (err)
16187 		goto out;
16188 
16189 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16190 		err = -EINVAL;
16191 		goto out;
16192 	}
16193 
16194 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16195 		err = -EINVAL;
16196 		goto out;
16197 	}
16198 
16199 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16200 	if (offset >= params.beacon_color_change.tail_len) {
16201 		err = -EINVAL;
16202 		goto out;
16203 	}
16204 
16205 	if (params.beacon_color_change.tail[offset] != params.count) {
16206 		err = -EINVAL;
16207 		goto out;
16208 	}
16209 
16210 	params.counter_offset_beacon = offset;
16211 
16212 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16213 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16214 		    sizeof(u16)) {
16215 			err = -EINVAL;
16216 			goto out;
16217 		}
16218 
16219 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16220 		if (offset >= params.beacon_color_change.probe_resp_len) {
16221 			err = -EINVAL;
16222 			goto out;
16223 		}
16224 
16225 		if (params.beacon_color_change.probe_resp[offset] !=
16226 		    params.count) {
16227 			err = -EINVAL;
16228 			goto out;
16229 		}
16230 
16231 		params.counter_offset_presp = offset;
16232 	}
16233 
16234 	params.link_id = nl80211_link_id(info->attrs);
16235 	err = rdev_color_change(rdev, dev, &params);
16236 
16237 out:
16238 	kfree(params.beacon_next.mbssid_ies);
16239 	kfree(params.beacon_color_change.mbssid_ies);
16240 	kfree(params.beacon_next.rnr_ies);
16241 	kfree(params.beacon_color_change.rnr_ies);
16242 	kfree(tb);
16243 	return err;
16244 }
16245 
16246 static int nl80211_set_fils_aad(struct sk_buff *skb,
16247 				struct genl_info *info)
16248 {
16249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16250 	struct net_device *dev = info->user_ptr[1];
16251 	struct cfg80211_fils_aad fils_aad = {};
16252 	u8 *nonces;
16253 
16254 	if (!info->attrs[NL80211_ATTR_MAC] ||
16255 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16256 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16257 		return -EINVAL;
16258 
16259 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16260 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16261 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16262 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16263 	fils_aad.snonce = nonces;
16264 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16265 
16266 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16267 }
16268 
16269 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16270 {
16271 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16272 	unsigned int link_id = nl80211_link_id(info->attrs);
16273 	struct net_device *dev = info->user_ptr[1];
16274 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16275 	int ret;
16276 
16277 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16278 		return -EINVAL;
16279 
16280 	switch (wdev->iftype) {
16281 	case NL80211_IFTYPE_AP:
16282 		break;
16283 	default:
16284 		return -EINVAL;
16285 	}
16286 
16287 	if (!info->attrs[NL80211_ATTR_MAC] ||
16288 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16289 		return -EINVAL;
16290 
16291 	wdev->valid_links |= BIT(link_id);
16292 	ether_addr_copy(wdev->links[link_id].addr,
16293 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16294 
16295 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16296 	if (ret) {
16297 		wdev->valid_links &= ~BIT(link_id);
16298 		eth_zero_addr(wdev->links[link_id].addr);
16299 	}
16300 
16301 	return ret;
16302 }
16303 
16304 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16305 {
16306 	unsigned int link_id = nl80211_link_id(info->attrs);
16307 	struct net_device *dev = info->user_ptr[1];
16308 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16309 
16310 	/* cannot remove if there's no link */
16311 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16312 		return -EINVAL;
16313 
16314 	switch (wdev->iftype) {
16315 	case NL80211_IFTYPE_AP:
16316 		break;
16317 	default:
16318 		return -EINVAL;
16319 	}
16320 
16321 	cfg80211_remove_link(wdev, link_id);
16322 
16323 	return 0;
16324 }
16325 
16326 static int
16327 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16328 			     bool add)
16329 {
16330 	struct link_station_parameters params = {};
16331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16332 	struct net_device *dev = info->user_ptr[1];
16333 	int err;
16334 
16335 	if ((add && !rdev->ops->add_link_station) ||
16336 	    (!add && !rdev->ops->mod_link_station))
16337 		return -EOPNOTSUPP;
16338 
16339 	if (add && !info->attrs[NL80211_ATTR_MAC])
16340 		return -EINVAL;
16341 
16342 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16343 		return -EINVAL;
16344 
16345 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16346 		return -EINVAL;
16347 
16348 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16349 
16350 	if (info->attrs[NL80211_ATTR_MAC]) {
16351 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16352 		if (!is_valid_ether_addr(params.link_mac))
16353 			return -EINVAL;
16354 	}
16355 
16356 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16357 		return -EINVAL;
16358 
16359 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16360 
16361 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16362 		params.supported_rates =
16363 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16364 		params.supported_rates_len =
16365 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16366 	}
16367 
16368 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16369 		params.ht_capa =
16370 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16371 
16372 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16373 		params.vht_capa =
16374 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16375 
16376 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16377 		params.he_capa =
16378 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16379 		params.he_capa_len =
16380 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16381 
16382 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16383 			params.eht_capa =
16384 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16385 			params.eht_capa_len =
16386 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16387 
16388 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16389 							(const u8 *)params.eht_capa,
16390 							params.eht_capa_len,
16391 							false))
16392 				return -EINVAL;
16393 		}
16394 	}
16395 
16396 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16397 		params.he_6ghz_capa =
16398 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16399 
16400 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16401 		params.opmode_notif_used = true;
16402 		params.opmode_notif =
16403 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16404 	}
16405 
16406 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16407 						&params.txpwr_set);
16408 	if (err)
16409 		return err;
16410 
16411 	if (add)
16412 		return rdev_add_link_station(rdev, dev, &params);
16413 
16414 	return rdev_mod_link_station(rdev, dev, &params);
16415 }
16416 
16417 static int
16418 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16419 {
16420 	return nl80211_add_mod_link_station(skb, info, true);
16421 }
16422 
16423 static int
16424 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16425 {
16426 	return nl80211_add_mod_link_station(skb, info, false);
16427 }
16428 
16429 static int
16430 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16431 {
16432 	struct link_station_del_parameters params = {};
16433 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16434 	struct net_device *dev = info->user_ptr[1];
16435 
16436 	if (!rdev->ops->del_link_station)
16437 		return -EOPNOTSUPP;
16438 
16439 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16440 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16441 		return -EINVAL;
16442 
16443 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16444 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16445 
16446 	return rdev_del_link_station(rdev, dev, &params);
16447 }
16448 
16449 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16450 				    struct genl_info *info)
16451 {
16452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16453 	struct net_device *dev = info->user_ptr[1];
16454 	struct cfg80211_set_hw_timestamp hwts = {};
16455 
16456 	if (!rdev->wiphy.hw_timestamp_max_peers)
16457 		return -EOPNOTSUPP;
16458 
16459 	if (!info->attrs[NL80211_ATTR_MAC] &&
16460 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16461 		return -EOPNOTSUPP;
16462 
16463 	if (info->attrs[NL80211_ATTR_MAC])
16464 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16465 
16466 	hwts.enable =
16467 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16468 
16469 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16470 }
16471 
16472 static int
16473 nl80211_set_ttlm(struct sk_buff *skb, struct genl_info *info)
16474 {
16475 	struct cfg80211_ttlm_params params = {};
16476 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16477 	struct net_device *dev = info->user_ptr[1];
16478 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16479 
16480 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
16481 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
16482 		return -EOPNOTSUPP;
16483 
16484 	if (!wdev->connected)
16485 		return -ENOLINK;
16486 
16487 	if (!info->attrs[NL80211_ATTR_MLO_TTLM_DLINK] ||
16488 	    !info->attrs[NL80211_ATTR_MLO_TTLM_ULINK])
16489 		return -EINVAL;
16490 
16491 	nla_memcpy(params.dlink,
16492 		   info->attrs[NL80211_ATTR_MLO_TTLM_DLINK],
16493 		   sizeof(params.dlink));
16494 	nla_memcpy(params.ulink,
16495 		   info->attrs[NL80211_ATTR_MLO_TTLM_ULINK],
16496 		   sizeof(params.ulink));
16497 
16498 	return rdev_set_ttlm(rdev, dev, &params);
16499 }
16500 
16501 #define NL80211_FLAG_NEED_WIPHY		0x01
16502 #define NL80211_FLAG_NEED_NETDEV	0x02
16503 #define NL80211_FLAG_NEED_RTNL		0x04
16504 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16505 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16506 					 NL80211_FLAG_CHECK_NETDEV_UP)
16507 #define NL80211_FLAG_NEED_WDEV		0x10
16508 /* If a netdev is associated, it must be UP, P2P must be started */
16509 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16510 					 NL80211_FLAG_CHECK_NETDEV_UP)
16511 #define NL80211_FLAG_CLEAR_SKB		0x20
16512 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16513 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16514 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16515 
16516 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16517 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16518 	SELECTOR(__sel, WIPHY,				\
16519 		 NL80211_FLAG_NEED_WIPHY)		\
16520 	SELECTOR(__sel, WDEV,				\
16521 		 NL80211_FLAG_NEED_WDEV)		\
16522 	SELECTOR(__sel, NETDEV,				\
16523 		 NL80211_FLAG_NEED_NETDEV)		\
16524 	SELECTOR(__sel, NETDEV_LINK,			\
16525 		 NL80211_FLAG_NEED_NETDEV |		\
16526 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16527 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16528 		 NL80211_FLAG_NEED_NETDEV |		\
16529 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16530 	SELECTOR(__sel, WIPHY_RTNL,			\
16531 		 NL80211_FLAG_NEED_WIPHY |		\
16532 		 NL80211_FLAG_NEED_RTNL)		\
16533 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16534 		 NL80211_FLAG_NEED_WIPHY |		\
16535 		 NL80211_FLAG_NEED_RTNL |		\
16536 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16537 	SELECTOR(__sel, WDEV_RTNL,			\
16538 		 NL80211_FLAG_NEED_WDEV |		\
16539 		 NL80211_FLAG_NEED_RTNL)		\
16540 	SELECTOR(__sel, NETDEV_RTNL,			\
16541 		 NL80211_FLAG_NEED_NETDEV |		\
16542 		 NL80211_FLAG_NEED_RTNL)		\
16543 	SELECTOR(__sel, NETDEV_UP,			\
16544 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16545 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16546 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16547 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16548 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16549 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16550 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16551 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16552 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16553 		 NL80211_FLAG_CLEAR_SKB |		\
16554 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16555 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16556 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16557 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16558 	SELECTOR(__sel, NETDEV_UP_NOTMX_MLO,		\
16559 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16560 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16561 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16562 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16563 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16564 		 NL80211_FLAG_CLEAR_SKB)		\
16565 	SELECTOR(__sel, WDEV_UP,			\
16566 		 NL80211_FLAG_NEED_WDEV_UP)		\
16567 	SELECTOR(__sel, WDEV_UP_LINK,			\
16568 		 NL80211_FLAG_NEED_WDEV_UP |		\
16569 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16570 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16571 		 NL80211_FLAG_NEED_WDEV_UP |		\
16572 		 NL80211_FLAG_NEED_RTNL)		\
16573 	SELECTOR(__sel, WIPHY_CLEAR,			\
16574 		 NL80211_FLAG_NEED_WIPHY |		\
16575 		 NL80211_FLAG_CLEAR_SKB)
16576 
16577 enum nl80211_internal_flags_selector {
16578 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16579 	INTERNAL_FLAG_SELECTORS(_)
16580 #undef SELECTOR
16581 };
16582 
16583 static u32 nl80211_internal_flags[] = {
16584 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16585 	INTERNAL_FLAG_SELECTORS(_)
16586 #undef SELECTOR
16587 };
16588 
16589 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16590 			    struct sk_buff *skb,
16591 			    struct genl_info *info)
16592 {
16593 	struct cfg80211_registered_device *rdev = NULL;
16594 	struct wireless_dev *wdev = NULL;
16595 	struct net_device *dev = NULL;
16596 	u32 internal_flags;
16597 	int err;
16598 
16599 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16600 		return -EINVAL;
16601 
16602 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16603 
16604 	rtnl_lock();
16605 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16606 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16607 		if (IS_ERR(rdev)) {
16608 			err = PTR_ERR(rdev);
16609 			goto out_unlock;
16610 		}
16611 		info->user_ptr[0] = rdev;
16612 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16613 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16614 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16615 						  info->attrs);
16616 		if (IS_ERR(wdev)) {
16617 			err = PTR_ERR(wdev);
16618 			goto out_unlock;
16619 		}
16620 
16621 		dev = wdev->netdev;
16622 		dev_hold(dev);
16623 		rdev = wiphy_to_rdev(wdev->wiphy);
16624 
16625 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16626 			if (!dev) {
16627 				err = -EINVAL;
16628 				goto out_unlock;
16629 			}
16630 
16631 			info->user_ptr[1] = dev;
16632 		} else {
16633 			info->user_ptr[1] = wdev;
16634 		}
16635 
16636 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16637 		    !wdev_running(wdev)) {
16638 			err = -ENETDOWN;
16639 			goto out_unlock;
16640 		}
16641 
16642 		info->user_ptr[0] = rdev;
16643 	}
16644 
16645 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16646 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16647 
16648 		if (!wdev) {
16649 			err = -EINVAL;
16650 			goto out_unlock;
16651 		}
16652 
16653 		/* MLO -> require valid link ID */
16654 		if (wdev->valid_links &&
16655 		    (!link_id ||
16656 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16657 			err = -EINVAL;
16658 			goto out_unlock;
16659 		}
16660 
16661 		/* non-MLO -> no link ID attribute accepted */
16662 		if (!wdev->valid_links && link_id) {
16663 			err = -EINVAL;
16664 			goto out_unlock;
16665 		}
16666 	}
16667 
16668 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16669 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16670 		    (wdev && wdev->valid_links)) {
16671 			err = -EINVAL;
16672 			goto out_unlock;
16673 		}
16674 	}
16675 
16676 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16677 		wiphy_lock(&rdev->wiphy);
16678 		/* we keep the mutex locked until post_doit */
16679 		__release(&rdev->wiphy.mtx);
16680 	}
16681 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16682 		rtnl_unlock();
16683 
16684 	return 0;
16685 out_unlock:
16686 	rtnl_unlock();
16687 	dev_put(dev);
16688 	return err;
16689 }
16690 
16691 static void nl80211_post_doit(const struct genl_split_ops *ops,
16692 			      struct sk_buff *skb,
16693 			      struct genl_info *info)
16694 {
16695 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16696 
16697 	if (info->user_ptr[1]) {
16698 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16699 			struct wireless_dev *wdev = info->user_ptr[1];
16700 
16701 			dev_put(wdev->netdev);
16702 		} else {
16703 			dev_put(info->user_ptr[1]);
16704 		}
16705 	}
16706 
16707 	if (info->user_ptr[0] &&
16708 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16709 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16710 
16711 		/* we kept the mutex locked since pre_doit */
16712 		__acquire(&rdev->wiphy.mtx);
16713 		wiphy_unlock(&rdev->wiphy);
16714 	}
16715 
16716 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16717 		rtnl_unlock();
16718 
16719 	/* If needed, clear the netlink message payload from the SKB
16720 	 * as it might contain key data that shouldn't stick around on
16721 	 * the heap after the SKB is freed. The netlink message header
16722 	 * is still needed for further processing, so leave it intact.
16723 	 */
16724 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16725 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16726 
16727 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16728 	}
16729 }
16730 
16731 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16732 				     struct cfg80211_sar_specs *sar_specs,
16733 				     struct nlattr *spec[], int index)
16734 {
16735 	u32 range_index, i;
16736 
16737 	if (!sar_specs || !spec)
16738 		return -EINVAL;
16739 
16740 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16741 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16742 		return -EINVAL;
16743 
16744 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16745 
16746 	/* check if range_index exceeds num_freq_ranges */
16747 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16748 		return -EINVAL;
16749 
16750 	/* check if range_index duplicates */
16751 	for (i = 0; i < index; i++) {
16752 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16753 			return -EINVAL;
16754 	}
16755 
16756 	sar_specs->sub_specs[index].power =
16757 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16758 
16759 	sar_specs->sub_specs[index].freq_range_index = range_index;
16760 
16761 	return 0;
16762 }
16763 
16764 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16765 {
16766 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16767 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16768 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16769 	struct cfg80211_sar_specs *sar_spec;
16770 	enum nl80211_sar_type type;
16771 	struct nlattr *spec_list;
16772 	u32 specs;
16773 	int rem, err;
16774 
16775 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16776 		return -EOPNOTSUPP;
16777 
16778 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16779 		return -EINVAL;
16780 
16781 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16782 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16783 			 NULL, NULL);
16784 
16785 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16786 		return -EINVAL;
16787 
16788 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16789 	if (type != rdev->wiphy.sar_capa->type)
16790 		return -EINVAL;
16791 
16792 	specs = 0;
16793 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16794 		specs++;
16795 
16796 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16797 		return -EINVAL;
16798 
16799 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16800 	if (!sar_spec)
16801 		return -ENOMEM;
16802 
16803 	sar_spec->type = type;
16804 	specs = 0;
16805 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16806 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16807 				 spec_list, NULL, NULL);
16808 
16809 		switch (type) {
16810 		case NL80211_SAR_TYPE_POWER:
16811 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16812 						      spec, specs)) {
16813 				err = -EINVAL;
16814 				goto error;
16815 			}
16816 			break;
16817 		default:
16818 			err = -EINVAL;
16819 			goto error;
16820 		}
16821 		specs++;
16822 	}
16823 
16824 	sar_spec->num_sub_specs = specs;
16825 
16826 	rdev->cur_cmd_info = info;
16827 	err = rdev_set_sar_specs(rdev, sar_spec);
16828 	rdev->cur_cmd_info = NULL;
16829 error:
16830 	kfree(sar_spec);
16831 	return err;
16832 }
16833 
16834 #define SELECTOR(__sel, name, value) \
16835 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16836 int __missing_selector(void);
16837 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16838 
16839 static const struct genl_ops nl80211_ops[] = {
16840 	{
16841 		.cmd = NL80211_CMD_GET_WIPHY,
16842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16843 		.doit = nl80211_get_wiphy,
16844 		.dumpit = nl80211_dump_wiphy,
16845 		.done = nl80211_dump_wiphy_done,
16846 		/* can be retrieved by unprivileged users */
16847 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16848 	},
16849 };
16850 
16851 static const struct genl_small_ops nl80211_small_ops[] = {
16852 	{
16853 		.cmd = NL80211_CMD_SET_WIPHY,
16854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16855 		.doit = nl80211_set_wiphy,
16856 		.flags = GENL_UNS_ADMIN_PERM,
16857 	},
16858 	{
16859 		.cmd = NL80211_CMD_GET_INTERFACE,
16860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16861 		.doit = nl80211_get_interface,
16862 		.dumpit = nl80211_dump_interface,
16863 		/* can be retrieved by unprivileged users */
16864 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16865 	},
16866 	{
16867 		.cmd = NL80211_CMD_SET_INTERFACE,
16868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16869 		.doit = nl80211_set_interface,
16870 		.flags = GENL_UNS_ADMIN_PERM,
16871 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16872 					 NL80211_FLAG_NEED_RTNL),
16873 	},
16874 	{
16875 		.cmd = NL80211_CMD_NEW_INTERFACE,
16876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16877 		.doit = nl80211_new_interface,
16878 		.flags = GENL_UNS_ADMIN_PERM,
16879 		.internal_flags =
16880 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16881 			       NL80211_FLAG_NEED_RTNL |
16882 			       /* we take the wiphy mutex later ourselves */
16883 			       NL80211_FLAG_NO_WIPHY_MTX),
16884 	},
16885 	{
16886 		.cmd = NL80211_CMD_DEL_INTERFACE,
16887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16888 		.doit = nl80211_del_interface,
16889 		.flags = GENL_UNS_ADMIN_PERM,
16890 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16891 					 NL80211_FLAG_NEED_RTNL),
16892 	},
16893 	{
16894 		.cmd = NL80211_CMD_GET_KEY,
16895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16896 		.doit = nl80211_get_key,
16897 		.flags = GENL_UNS_ADMIN_PERM,
16898 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16899 	},
16900 	{
16901 		.cmd = NL80211_CMD_SET_KEY,
16902 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16903 		.doit = nl80211_set_key,
16904 		.flags = GENL_UNS_ADMIN_PERM,
16905 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16906 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16907 					 NL80211_FLAG_CLEAR_SKB),
16908 	},
16909 	{
16910 		.cmd = NL80211_CMD_NEW_KEY,
16911 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16912 		.doit = nl80211_new_key,
16913 		.flags = GENL_UNS_ADMIN_PERM,
16914 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16915 					 NL80211_FLAG_CLEAR_SKB),
16916 	},
16917 	{
16918 		.cmd = NL80211_CMD_DEL_KEY,
16919 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16920 		.doit = nl80211_del_key,
16921 		.flags = GENL_UNS_ADMIN_PERM,
16922 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16923 	},
16924 	{
16925 		.cmd = NL80211_CMD_SET_BEACON,
16926 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16927 		.flags = GENL_UNS_ADMIN_PERM,
16928 		.doit = nl80211_set_beacon,
16929 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16930 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16931 	},
16932 	{
16933 		.cmd = NL80211_CMD_START_AP,
16934 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16935 		.flags = GENL_UNS_ADMIN_PERM,
16936 		.doit = nl80211_start_ap,
16937 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16938 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16939 	},
16940 	{
16941 		.cmd = NL80211_CMD_STOP_AP,
16942 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16943 		.flags = GENL_UNS_ADMIN_PERM,
16944 		.doit = nl80211_stop_ap,
16945 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16946 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16947 	},
16948 	{
16949 		.cmd = NL80211_CMD_GET_STATION,
16950 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16951 		.doit = nl80211_get_station,
16952 		.dumpit = nl80211_dump_station,
16953 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16954 	},
16955 	{
16956 		.cmd = NL80211_CMD_SET_STATION,
16957 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16958 		.doit = nl80211_set_station,
16959 		.flags = GENL_UNS_ADMIN_PERM,
16960 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16961 	},
16962 	{
16963 		.cmd = NL80211_CMD_NEW_STATION,
16964 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16965 		.doit = nl80211_new_station,
16966 		.flags = GENL_UNS_ADMIN_PERM,
16967 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_DEL_STATION,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_del_station,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on
16975 		 * whether MAC address is passed or not. If MAC address is
16976 		 * passed, then even during MLO, link ID is not required.
16977 		 */
16978 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16979 	},
16980 	{
16981 		.cmd = NL80211_CMD_GET_MPATH,
16982 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16983 		.doit = nl80211_get_mpath,
16984 		.dumpit = nl80211_dump_mpath,
16985 		.flags = GENL_UNS_ADMIN_PERM,
16986 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16987 	},
16988 	{
16989 		.cmd = NL80211_CMD_GET_MPP,
16990 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16991 		.doit = nl80211_get_mpp,
16992 		.dumpit = nl80211_dump_mpp,
16993 		.flags = GENL_UNS_ADMIN_PERM,
16994 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16995 	},
16996 	{
16997 		.cmd = NL80211_CMD_SET_MPATH,
16998 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16999 		.doit = nl80211_set_mpath,
17000 		.flags = GENL_UNS_ADMIN_PERM,
17001 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17002 	},
17003 	{
17004 		.cmd = NL80211_CMD_NEW_MPATH,
17005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17006 		.doit = nl80211_new_mpath,
17007 		.flags = GENL_UNS_ADMIN_PERM,
17008 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17009 	},
17010 	{
17011 		.cmd = NL80211_CMD_DEL_MPATH,
17012 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17013 		.doit = nl80211_del_mpath,
17014 		.flags = GENL_UNS_ADMIN_PERM,
17015 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17016 	},
17017 	{
17018 		.cmd = NL80211_CMD_SET_BSS,
17019 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17020 		.doit = nl80211_set_bss,
17021 		.flags = GENL_UNS_ADMIN_PERM,
17022 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17023 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17024 	},
17025 	{
17026 		.cmd = NL80211_CMD_GET_REG,
17027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17028 		.doit = nl80211_get_reg_do,
17029 		.dumpit = nl80211_get_reg_dump,
17030 		/* can be retrieved by unprivileged users */
17031 	},
17032 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
17033 	{
17034 		.cmd = NL80211_CMD_SET_REG,
17035 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17036 		.doit = nl80211_set_reg,
17037 		.flags = GENL_ADMIN_PERM,
17038 	},
17039 #endif
17040 	{
17041 		.cmd = NL80211_CMD_REQ_SET_REG,
17042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17043 		.doit = nl80211_req_set_reg,
17044 		.flags = GENL_ADMIN_PERM,
17045 	},
17046 	{
17047 		.cmd = NL80211_CMD_RELOAD_REGDB,
17048 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17049 		.doit = nl80211_reload_regdb,
17050 		.flags = GENL_ADMIN_PERM,
17051 	},
17052 	{
17053 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
17054 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17055 		.doit = nl80211_get_mesh_config,
17056 		/* can be retrieved by unprivileged users */
17057 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17058 	},
17059 	{
17060 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
17061 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17062 		.doit = nl80211_update_mesh_config,
17063 		.flags = GENL_UNS_ADMIN_PERM,
17064 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17065 	},
17066 	{
17067 		.cmd = NL80211_CMD_TRIGGER_SCAN,
17068 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17069 		.doit = nl80211_trigger_scan,
17070 		.flags = GENL_UNS_ADMIN_PERM,
17071 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17072 	},
17073 	{
17074 		.cmd = NL80211_CMD_ABORT_SCAN,
17075 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17076 		.doit = nl80211_abort_scan,
17077 		.flags = GENL_UNS_ADMIN_PERM,
17078 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17079 	},
17080 	{
17081 		.cmd = NL80211_CMD_GET_SCAN,
17082 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17083 		.dumpit = nl80211_dump_scan,
17084 	},
17085 	{
17086 		.cmd = NL80211_CMD_START_SCHED_SCAN,
17087 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17088 		.doit = nl80211_start_sched_scan,
17089 		.flags = GENL_UNS_ADMIN_PERM,
17090 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17091 	},
17092 	{
17093 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
17094 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17095 		.doit = nl80211_stop_sched_scan,
17096 		.flags = GENL_UNS_ADMIN_PERM,
17097 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17098 	},
17099 	{
17100 		.cmd = NL80211_CMD_AUTHENTICATE,
17101 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17102 		.doit = nl80211_authenticate,
17103 		.flags = GENL_UNS_ADMIN_PERM,
17104 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17105 					 NL80211_FLAG_CLEAR_SKB),
17106 	},
17107 	{
17108 		.cmd = NL80211_CMD_ASSOCIATE,
17109 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17110 		.doit = nl80211_associate,
17111 		.flags = GENL_UNS_ADMIN_PERM,
17112 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17113 					 NL80211_FLAG_CLEAR_SKB),
17114 	},
17115 	{
17116 		.cmd = NL80211_CMD_DEAUTHENTICATE,
17117 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17118 		.doit = nl80211_deauthenticate,
17119 		.flags = GENL_UNS_ADMIN_PERM,
17120 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17121 	},
17122 	{
17123 		.cmd = NL80211_CMD_DISASSOCIATE,
17124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17125 		.doit = nl80211_disassociate,
17126 		.flags = GENL_UNS_ADMIN_PERM,
17127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17128 	},
17129 	{
17130 		.cmd = NL80211_CMD_JOIN_IBSS,
17131 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17132 		.doit = nl80211_join_ibss,
17133 		.flags = GENL_UNS_ADMIN_PERM,
17134 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17135 	},
17136 	{
17137 		.cmd = NL80211_CMD_LEAVE_IBSS,
17138 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17139 		.doit = nl80211_leave_ibss,
17140 		.flags = GENL_UNS_ADMIN_PERM,
17141 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17142 	},
17143 #ifdef CONFIG_NL80211_TESTMODE
17144 	{
17145 		.cmd = NL80211_CMD_TESTMODE,
17146 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17147 		.doit = nl80211_testmode_do,
17148 		.dumpit = nl80211_testmode_dump,
17149 		.flags = GENL_UNS_ADMIN_PERM,
17150 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17151 	},
17152 #endif
17153 	{
17154 		.cmd = NL80211_CMD_CONNECT,
17155 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17156 		.doit = nl80211_connect,
17157 		.flags = GENL_UNS_ADMIN_PERM,
17158 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17159 					 NL80211_FLAG_CLEAR_SKB),
17160 	},
17161 	{
17162 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
17163 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17164 		.doit = nl80211_update_connect_params,
17165 		.flags = GENL_ADMIN_PERM,
17166 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17167 					 NL80211_FLAG_CLEAR_SKB),
17168 	},
17169 	{
17170 		.cmd = NL80211_CMD_DISCONNECT,
17171 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17172 		.doit = nl80211_disconnect,
17173 		.flags = GENL_UNS_ADMIN_PERM,
17174 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17175 	},
17176 	{
17177 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
17178 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17179 		.doit = nl80211_wiphy_netns,
17180 		.flags = GENL_UNS_ADMIN_PERM,
17181 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17182 					 NL80211_FLAG_NEED_RTNL |
17183 					 NL80211_FLAG_NO_WIPHY_MTX),
17184 	},
17185 	{
17186 		.cmd = NL80211_CMD_GET_SURVEY,
17187 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17188 		.dumpit = nl80211_dump_survey,
17189 	},
17190 	{
17191 		.cmd = NL80211_CMD_SET_PMKSA,
17192 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17193 		.doit = nl80211_set_pmksa,
17194 		.flags = GENL_UNS_ADMIN_PERM,
17195 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17196 					 NL80211_FLAG_CLEAR_SKB),
17197 	},
17198 	{
17199 		.cmd = NL80211_CMD_DEL_PMKSA,
17200 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17201 		.doit = nl80211_del_pmksa,
17202 		.flags = GENL_UNS_ADMIN_PERM,
17203 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17204 	},
17205 	{
17206 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17207 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17208 		.doit = nl80211_flush_pmksa,
17209 		.flags = GENL_UNS_ADMIN_PERM,
17210 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17211 	},
17212 	{
17213 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17214 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17215 		.doit = nl80211_remain_on_channel,
17216 		.flags = GENL_UNS_ADMIN_PERM,
17217 		/* FIXME: requiring a link ID here is probably not good */
17218 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17219 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17220 	},
17221 	{
17222 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17223 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17224 		.doit = nl80211_cancel_remain_on_channel,
17225 		.flags = GENL_UNS_ADMIN_PERM,
17226 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17227 	},
17228 	{
17229 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17230 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17231 		.doit = nl80211_set_tx_bitrate_mask,
17232 		.flags = GENL_UNS_ADMIN_PERM,
17233 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17234 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17235 	},
17236 	{
17237 		.cmd = NL80211_CMD_REGISTER_FRAME,
17238 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17239 		.doit = nl80211_register_mgmt,
17240 		.flags = GENL_UNS_ADMIN_PERM,
17241 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17242 	},
17243 	{
17244 		.cmd = NL80211_CMD_FRAME,
17245 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17246 		.doit = nl80211_tx_mgmt,
17247 		.flags = GENL_UNS_ADMIN_PERM,
17248 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17249 	},
17250 	{
17251 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17252 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17253 		.doit = nl80211_tx_mgmt_cancel_wait,
17254 		.flags = GENL_UNS_ADMIN_PERM,
17255 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17256 	},
17257 	{
17258 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17260 		.doit = nl80211_set_power_save,
17261 		.flags = GENL_UNS_ADMIN_PERM,
17262 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17263 	},
17264 	{
17265 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17267 		.doit = nl80211_get_power_save,
17268 		/* can be retrieved by unprivileged users */
17269 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17270 	},
17271 	{
17272 		.cmd = NL80211_CMD_SET_CQM,
17273 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17274 		.doit = nl80211_set_cqm,
17275 		.flags = GENL_UNS_ADMIN_PERM,
17276 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17277 	},
17278 	{
17279 		.cmd = NL80211_CMD_SET_CHANNEL,
17280 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17281 		.doit = nl80211_set_channel,
17282 		.flags = GENL_UNS_ADMIN_PERM,
17283 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17284 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17285 	},
17286 	{
17287 		.cmd = NL80211_CMD_JOIN_MESH,
17288 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17289 		.doit = nl80211_join_mesh,
17290 		.flags = GENL_UNS_ADMIN_PERM,
17291 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17292 	},
17293 	{
17294 		.cmd = NL80211_CMD_LEAVE_MESH,
17295 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17296 		.doit = nl80211_leave_mesh,
17297 		.flags = GENL_UNS_ADMIN_PERM,
17298 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17299 	},
17300 	{
17301 		.cmd = NL80211_CMD_JOIN_OCB,
17302 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17303 		.doit = nl80211_join_ocb,
17304 		.flags = GENL_UNS_ADMIN_PERM,
17305 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17306 	},
17307 	{
17308 		.cmd = NL80211_CMD_LEAVE_OCB,
17309 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17310 		.doit = nl80211_leave_ocb,
17311 		.flags = GENL_UNS_ADMIN_PERM,
17312 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17313 	},
17314 #ifdef CONFIG_PM
17315 	{
17316 		.cmd = NL80211_CMD_GET_WOWLAN,
17317 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17318 		.doit = nl80211_get_wowlan,
17319 		/* can be retrieved by unprivileged users */
17320 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17321 	},
17322 	{
17323 		.cmd = NL80211_CMD_SET_WOWLAN,
17324 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17325 		.doit = nl80211_set_wowlan,
17326 		.flags = GENL_UNS_ADMIN_PERM,
17327 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17328 	},
17329 #endif
17330 	{
17331 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17332 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17333 		.doit = nl80211_set_rekey_data,
17334 		.flags = GENL_UNS_ADMIN_PERM,
17335 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17336 					 NL80211_FLAG_CLEAR_SKB),
17337 	},
17338 	{
17339 		.cmd = NL80211_CMD_TDLS_MGMT,
17340 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17341 		.doit = nl80211_tdls_mgmt,
17342 		.flags = GENL_UNS_ADMIN_PERM,
17343 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17344 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17345 	},
17346 	{
17347 		.cmd = NL80211_CMD_TDLS_OPER,
17348 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17349 		.doit = nl80211_tdls_oper,
17350 		.flags = GENL_UNS_ADMIN_PERM,
17351 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17352 	},
17353 	{
17354 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17355 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17356 		.doit = nl80211_register_unexpected_frame,
17357 		.flags = GENL_UNS_ADMIN_PERM,
17358 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17359 	},
17360 	{
17361 		.cmd = NL80211_CMD_PROBE_CLIENT,
17362 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17363 		.doit = nl80211_probe_client,
17364 		.flags = GENL_UNS_ADMIN_PERM,
17365 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17366 	},
17367 	{
17368 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17369 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17370 		.doit = nl80211_register_beacons,
17371 		.flags = GENL_UNS_ADMIN_PERM,
17372 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17373 	},
17374 	{
17375 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17377 		.doit = nl80211_set_noack_map,
17378 		.flags = GENL_UNS_ADMIN_PERM,
17379 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17380 	},
17381 	{
17382 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17383 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17384 		.doit = nl80211_start_p2p_device,
17385 		.flags = GENL_UNS_ADMIN_PERM,
17386 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17387 					 NL80211_FLAG_NEED_RTNL),
17388 	},
17389 	{
17390 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17391 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17392 		.doit = nl80211_stop_p2p_device,
17393 		.flags = GENL_UNS_ADMIN_PERM,
17394 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17395 					 NL80211_FLAG_NEED_RTNL),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_START_NAN,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_start_nan,
17401 		.flags = GENL_ADMIN_PERM,
17402 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17403 					 NL80211_FLAG_NEED_RTNL),
17404 	},
17405 	{
17406 		.cmd = NL80211_CMD_STOP_NAN,
17407 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17408 		.doit = nl80211_stop_nan,
17409 		.flags = GENL_ADMIN_PERM,
17410 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17411 					 NL80211_FLAG_NEED_RTNL),
17412 	},
17413 	{
17414 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17415 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17416 		.doit = nl80211_nan_add_func,
17417 		.flags = GENL_ADMIN_PERM,
17418 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17419 	},
17420 	{
17421 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17422 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17423 		.doit = nl80211_nan_del_func,
17424 		.flags = GENL_ADMIN_PERM,
17425 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17426 	},
17427 	{
17428 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17429 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17430 		.doit = nl80211_nan_change_config,
17431 		.flags = GENL_ADMIN_PERM,
17432 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17433 	},
17434 	{
17435 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17436 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17437 		.doit = nl80211_set_mcast_rate,
17438 		.flags = GENL_UNS_ADMIN_PERM,
17439 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17440 	},
17441 	{
17442 		.cmd = NL80211_CMD_SET_MAC_ACL,
17443 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17444 		.doit = nl80211_set_mac_acl,
17445 		.flags = GENL_UNS_ADMIN_PERM,
17446 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17447 					 NL80211_FLAG_MLO_UNSUPPORTED),
17448 	},
17449 	{
17450 		.cmd = NL80211_CMD_RADAR_DETECT,
17451 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17452 		.doit = nl80211_start_radar_detection,
17453 		.flags = GENL_UNS_ADMIN_PERM,
17454 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17455 					 NL80211_FLAG_NO_WIPHY_MTX |
17456 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17457 	},
17458 	{
17459 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17460 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17461 		.doit = nl80211_get_protocol_features,
17462 	},
17463 	{
17464 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17465 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17466 		.doit = nl80211_update_ft_ies,
17467 		.flags = GENL_UNS_ADMIN_PERM,
17468 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17469 	},
17470 	{
17471 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17472 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17473 		.doit = nl80211_crit_protocol_start,
17474 		.flags = GENL_UNS_ADMIN_PERM,
17475 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17476 	},
17477 	{
17478 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17479 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17480 		.doit = nl80211_crit_protocol_stop,
17481 		.flags = GENL_UNS_ADMIN_PERM,
17482 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17483 	},
17484 	{
17485 		.cmd = NL80211_CMD_GET_COALESCE,
17486 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17487 		.doit = nl80211_get_coalesce,
17488 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17489 	},
17490 	{
17491 		.cmd = NL80211_CMD_SET_COALESCE,
17492 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17493 		.doit = nl80211_set_coalesce,
17494 		.flags = GENL_UNS_ADMIN_PERM,
17495 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17496 	},
17497 	{
17498 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17499 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17500 		.doit = nl80211_channel_switch,
17501 		.flags = GENL_UNS_ADMIN_PERM,
17502 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17503 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17504 	},
17505 	{
17506 		.cmd = NL80211_CMD_VENDOR,
17507 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17508 		.doit = nl80211_vendor_cmd,
17509 		.dumpit = nl80211_vendor_cmd_dump,
17510 		.flags = GENL_UNS_ADMIN_PERM,
17511 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17512 					 NL80211_FLAG_CLEAR_SKB),
17513 	},
17514 	{
17515 		.cmd = NL80211_CMD_SET_QOS_MAP,
17516 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17517 		.doit = nl80211_set_qos_map,
17518 		.flags = GENL_UNS_ADMIN_PERM,
17519 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17520 	},
17521 	{
17522 		.cmd = NL80211_CMD_ADD_TX_TS,
17523 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17524 		.doit = nl80211_add_tx_ts,
17525 		.flags = GENL_UNS_ADMIN_PERM,
17526 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17527 					 NL80211_FLAG_MLO_UNSUPPORTED),
17528 	},
17529 	{
17530 		.cmd = NL80211_CMD_DEL_TX_TS,
17531 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17532 		.doit = nl80211_del_tx_ts,
17533 		.flags = GENL_UNS_ADMIN_PERM,
17534 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17535 	},
17536 	{
17537 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17538 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17539 		.doit = nl80211_tdls_channel_switch,
17540 		.flags = GENL_UNS_ADMIN_PERM,
17541 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17542 	},
17543 	{
17544 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17545 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17546 		.doit = nl80211_tdls_cancel_channel_switch,
17547 		.flags = GENL_UNS_ADMIN_PERM,
17548 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17549 	},
17550 	{
17551 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17552 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17553 		.doit = nl80211_set_multicast_to_unicast,
17554 		.flags = GENL_UNS_ADMIN_PERM,
17555 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17556 	},
17557 	{
17558 		.cmd = NL80211_CMD_SET_PMK,
17559 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17560 		.doit = nl80211_set_pmk,
17561 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17562 					 NL80211_FLAG_CLEAR_SKB),
17563 	},
17564 	{
17565 		.cmd = NL80211_CMD_DEL_PMK,
17566 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17567 		.doit = nl80211_del_pmk,
17568 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17569 	},
17570 	{
17571 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17572 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17573 		.doit = nl80211_external_auth,
17574 		.flags = GENL_ADMIN_PERM,
17575 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17576 	},
17577 	{
17578 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17579 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17580 		.doit = nl80211_tx_control_port,
17581 		.flags = GENL_UNS_ADMIN_PERM,
17582 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17583 	},
17584 	{
17585 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17586 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17587 		.doit = nl80211_get_ftm_responder_stats,
17588 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17589 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17590 	},
17591 	{
17592 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17593 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17594 		.doit = nl80211_pmsr_start,
17595 		.flags = GENL_UNS_ADMIN_PERM,
17596 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17597 	},
17598 	{
17599 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17600 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17601 		.doit = nl80211_notify_radar_detection,
17602 		.flags = GENL_UNS_ADMIN_PERM,
17603 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17604 	},
17605 	{
17606 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17607 		.doit = nl80211_update_owe_info,
17608 		.flags = GENL_ADMIN_PERM,
17609 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17610 	},
17611 	{
17612 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17613 		.doit = nl80211_probe_mesh_link,
17614 		.flags = GENL_UNS_ADMIN_PERM,
17615 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17616 	},
17617 	{
17618 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17619 		.doit = nl80211_set_tid_config,
17620 		.flags = GENL_UNS_ADMIN_PERM,
17621 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17622 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17623 	},
17624 	{
17625 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17626 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17627 		.doit = nl80211_set_sar_specs,
17628 		.flags = GENL_UNS_ADMIN_PERM,
17629 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17630 					 NL80211_FLAG_NEED_RTNL),
17631 	},
17632 	{
17633 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17634 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17635 		.doit = nl80211_color_change,
17636 		.flags = GENL_UNS_ADMIN_PERM,
17637 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17638 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17639 	},
17640 	{
17641 		.cmd = NL80211_CMD_SET_FILS_AAD,
17642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17643 		.doit = nl80211_set_fils_aad,
17644 		.flags = GENL_UNS_ADMIN_PERM,
17645 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17646 	},
17647 	{
17648 		.cmd = NL80211_CMD_ADD_LINK,
17649 		.doit = nl80211_add_link,
17650 		.flags = GENL_UNS_ADMIN_PERM,
17651 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17652 	},
17653 	{
17654 		.cmd = NL80211_CMD_REMOVE_LINK,
17655 		.doit = nl80211_remove_link,
17656 		.flags = GENL_UNS_ADMIN_PERM,
17657 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17658 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17659 	},
17660 	{
17661 		.cmd = NL80211_CMD_ADD_LINK_STA,
17662 		.doit = nl80211_add_link_station,
17663 		.flags = GENL_UNS_ADMIN_PERM,
17664 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17665 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17666 	},
17667 	{
17668 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17669 		.doit = nl80211_modify_link_station,
17670 		.flags = GENL_UNS_ADMIN_PERM,
17671 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17672 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17673 	},
17674 	{
17675 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17676 		.doit = nl80211_remove_link_station,
17677 		.flags = GENL_UNS_ADMIN_PERM,
17678 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17679 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17680 	},
17681 	{
17682 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17683 		.doit = nl80211_set_hw_timestamp,
17684 		.flags = GENL_UNS_ADMIN_PERM,
17685 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17686 	},
17687 	{
17688 		.cmd = NL80211_CMD_SET_TID_TO_LINK_MAPPING,
17689 		.doit = nl80211_set_ttlm,
17690 		.flags = GENL_UNS_ADMIN_PERM,
17691 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17692 	},
17693 };
17694 
17695 static struct genl_family nl80211_fam __ro_after_init = {
17696 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17697 	.hdrsize = 0,			/* no private header */
17698 	.version = 1,			/* no particular meaning now */
17699 	.maxattr = NL80211_ATTR_MAX,
17700 	.policy = nl80211_policy,
17701 	.netnsok = true,
17702 	.pre_doit = nl80211_pre_doit,
17703 	.post_doit = nl80211_post_doit,
17704 	.module = THIS_MODULE,
17705 	.ops = nl80211_ops,
17706 	.n_ops = ARRAY_SIZE(nl80211_ops),
17707 	.small_ops = nl80211_small_ops,
17708 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17709 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17710 	.mcgrps = nl80211_mcgrps,
17711 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17712 	.parallel_ops = true,
17713 };
17714 
17715 /* notification functions */
17716 
17717 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17718 			  enum nl80211_commands cmd)
17719 {
17720 	struct sk_buff *msg;
17721 	struct nl80211_dump_wiphy_state state = {};
17722 
17723 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17724 		cmd != NL80211_CMD_DEL_WIPHY);
17725 
17726 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17727 	if (!msg)
17728 		return;
17729 
17730 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17731 		nlmsg_free(msg);
17732 		return;
17733 	}
17734 
17735 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17736 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17737 }
17738 
17739 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17740 				struct wireless_dev *wdev,
17741 				enum nl80211_commands cmd)
17742 {
17743 	struct sk_buff *msg;
17744 
17745 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17746 	if (!msg)
17747 		return;
17748 
17749 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17750 		nlmsg_free(msg);
17751 		return;
17752 	}
17753 
17754 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17755 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17756 }
17757 
17758 static int nl80211_add_scan_req(struct sk_buff *msg,
17759 				struct cfg80211_registered_device *rdev)
17760 {
17761 	struct cfg80211_scan_request *req = rdev->scan_req;
17762 	struct nlattr *nest;
17763 	int i;
17764 	struct cfg80211_scan_info *info;
17765 
17766 	if (WARN_ON(!req))
17767 		return 0;
17768 
17769 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17770 	if (!nest)
17771 		goto nla_put_failure;
17772 	for (i = 0; i < req->n_ssids; i++) {
17773 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17774 			goto nla_put_failure;
17775 	}
17776 	nla_nest_end(msg, nest);
17777 
17778 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17779 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17780 		if (!nest)
17781 			goto nla_put_failure;
17782 		for (i = 0; i < req->n_channels; i++) {
17783 			if (nla_put_u32(msg, i,
17784 				   ieee80211_channel_to_khz(req->channels[i])))
17785 				goto nla_put_failure;
17786 		}
17787 		nla_nest_end(msg, nest);
17788 	} else {
17789 		nest = nla_nest_start_noflag(msg,
17790 					     NL80211_ATTR_SCAN_FREQUENCIES);
17791 		if (!nest)
17792 			goto nla_put_failure;
17793 		for (i = 0; i < req->n_channels; i++) {
17794 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17795 				goto nla_put_failure;
17796 		}
17797 		nla_nest_end(msg, nest);
17798 	}
17799 
17800 	if (req->ie &&
17801 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17802 		goto nla_put_failure;
17803 
17804 	if (req->flags &&
17805 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17806 		goto nla_put_failure;
17807 
17808 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17809 		&rdev->scan_req->info;
17810 	if (info->scan_start_tsf &&
17811 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17812 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17813 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17814 		     info->tsf_bssid)))
17815 		goto nla_put_failure;
17816 
17817 	return 0;
17818  nla_put_failure:
17819 	return -ENOBUFS;
17820 }
17821 
17822 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17823 				 struct cfg80211_registered_device *rdev,
17824 				 struct wireless_dev *wdev,
17825 				 u32 portid, u32 seq, int flags,
17826 				 u32 cmd)
17827 {
17828 	void *hdr;
17829 
17830 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17831 	if (!hdr)
17832 		return -1;
17833 
17834 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17835 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17836 					 wdev->netdev->ifindex)) ||
17837 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17838 			      NL80211_ATTR_PAD))
17839 		goto nla_put_failure;
17840 
17841 	/* ignore errors and send incomplete event anyway */
17842 	nl80211_add_scan_req(msg, rdev);
17843 
17844 	genlmsg_end(msg, hdr);
17845 	return 0;
17846 
17847  nla_put_failure:
17848 	genlmsg_cancel(msg, hdr);
17849 	return -EMSGSIZE;
17850 }
17851 
17852 static int
17853 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17854 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17855 {
17856 	void *hdr;
17857 
17858 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17859 	if (!hdr)
17860 		return -1;
17861 
17862 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17863 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17864 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17865 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17866 			      NL80211_ATTR_PAD))
17867 		goto nla_put_failure;
17868 
17869 	genlmsg_end(msg, hdr);
17870 	return 0;
17871 
17872  nla_put_failure:
17873 	genlmsg_cancel(msg, hdr);
17874 	return -EMSGSIZE;
17875 }
17876 
17877 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17878 			     struct wireless_dev *wdev)
17879 {
17880 	struct sk_buff *msg;
17881 
17882 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17883 	if (!msg)
17884 		return;
17885 
17886 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17887 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17888 		nlmsg_free(msg);
17889 		return;
17890 	}
17891 
17892 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17893 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17894 }
17895 
17896 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17897 				       struct wireless_dev *wdev, bool aborted)
17898 {
17899 	struct sk_buff *msg;
17900 
17901 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17902 	if (!msg)
17903 		return NULL;
17904 
17905 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17906 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17907 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17908 		nlmsg_free(msg);
17909 		return NULL;
17910 	}
17911 
17912 	return msg;
17913 }
17914 
17915 /* send message created by nl80211_build_scan_msg() */
17916 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17917 			   struct sk_buff *msg)
17918 {
17919 	if (!msg)
17920 		return;
17921 
17922 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17923 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17924 }
17925 
17926 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17927 {
17928 	struct sk_buff *msg;
17929 
17930 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17931 	if (!msg)
17932 		return;
17933 
17934 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17935 		nlmsg_free(msg);
17936 		return;
17937 	}
17938 
17939 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17940 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17941 }
17942 
17943 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17944 					  struct regulatory_request *request)
17945 {
17946 	/* Userspace can always count this one always being set */
17947 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17948 		goto nla_put_failure;
17949 
17950 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17951 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17952 			       NL80211_REGDOM_TYPE_WORLD))
17953 			goto nla_put_failure;
17954 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17955 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17956 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17957 			goto nla_put_failure;
17958 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17959 		   request->intersect) {
17960 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17961 			       NL80211_REGDOM_TYPE_INTERSECTION))
17962 			goto nla_put_failure;
17963 	} else {
17964 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17965 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17966 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17967 				   request->alpha2))
17968 			goto nla_put_failure;
17969 	}
17970 
17971 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17972 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17973 
17974 		if (wiphy &&
17975 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17976 			goto nla_put_failure;
17977 
17978 		if (wiphy &&
17979 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17980 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17981 			goto nla_put_failure;
17982 	}
17983 
17984 	return true;
17985 
17986 nla_put_failure:
17987 	return false;
17988 }
17989 
17990 /*
17991  * This can happen on global regulatory changes or device specific settings
17992  * based on custom regulatory domains.
17993  */
17994 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17995 				     struct regulatory_request *request)
17996 {
17997 	struct sk_buff *msg;
17998 	void *hdr;
17999 
18000 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18001 	if (!msg)
18002 		return;
18003 
18004 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
18005 	if (!hdr)
18006 		goto nla_put_failure;
18007 
18008 	if (!nl80211_reg_change_event_fill(msg, request))
18009 		goto nla_put_failure;
18010 
18011 	genlmsg_end(msg, hdr);
18012 
18013 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18014 				NL80211_MCGRP_REGULATORY);
18015 
18016 	return;
18017 
18018 nla_put_failure:
18019 	nlmsg_free(msg);
18020 }
18021 
18022 struct nl80211_mlme_event {
18023 	enum nl80211_commands cmd;
18024 	const u8 *buf;
18025 	size_t buf_len;
18026 	int uapsd_queues;
18027 	const u8 *req_ies;
18028 	size_t req_ies_len;
18029 	bool reconnect;
18030 };
18031 
18032 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
18033 				    struct net_device *netdev,
18034 				    const struct nl80211_mlme_event *event,
18035 				    gfp_t gfp)
18036 {
18037 	struct sk_buff *msg;
18038 	void *hdr;
18039 
18040 	msg = nlmsg_new(100 + event->buf_len + event->req_ies_len, gfp);
18041 	if (!msg)
18042 		return;
18043 
18044 	hdr = nl80211hdr_put(msg, 0, 0, 0, event->cmd);
18045 	if (!hdr) {
18046 		nlmsg_free(msg);
18047 		return;
18048 	}
18049 
18050 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18051 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18052 	    nla_put(msg, NL80211_ATTR_FRAME, event->buf_len, event->buf) ||
18053 	    (event->req_ies &&
18054 	     nla_put(msg, NL80211_ATTR_REQ_IE, event->req_ies_len,
18055 		     event->req_ies)))
18056 		goto nla_put_failure;
18057 
18058 	if (event->reconnect &&
18059 	    nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
18060 		goto nla_put_failure;
18061 
18062 	if (event->uapsd_queues >= 0) {
18063 		struct nlattr *nla_wmm =
18064 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
18065 		if (!nla_wmm)
18066 			goto nla_put_failure;
18067 
18068 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
18069 			       event->uapsd_queues))
18070 			goto nla_put_failure;
18071 
18072 		nla_nest_end(msg, nla_wmm);
18073 	}
18074 
18075 	genlmsg_end(msg, hdr);
18076 
18077 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18078 				NL80211_MCGRP_MLME, gfp);
18079 	return;
18080 
18081  nla_put_failure:
18082 	nlmsg_free(msg);
18083 }
18084 
18085 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
18086 			  struct net_device *netdev, const u8 *buf,
18087 			  size_t len, gfp_t gfp)
18088 {
18089 	struct nl80211_mlme_event event = {
18090 		.cmd = NL80211_CMD_AUTHENTICATE,
18091 		.buf = buf,
18092 		.buf_len = len,
18093 		.uapsd_queues = -1,
18094 	};
18095 
18096 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18097 }
18098 
18099 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
18100 			   struct net_device *netdev,
18101 			   const struct cfg80211_rx_assoc_resp_data *data)
18102 {
18103 	struct nl80211_mlme_event event = {
18104 		.cmd = NL80211_CMD_ASSOCIATE,
18105 		.buf = data->buf,
18106 		.buf_len = data->len,
18107 		.uapsd_queues = data->uapsd_queues,
18108 		.req_ies = data->req_ies,
18109 		.req_ies_len = data->req_ies_len,
18110 	};
18111 
18112 	nl80211_send_mlme_event(rdev, netdev, &event, GFP_KERNEL);
18113 }
18114 
18115 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
18116 			 struct net_device *netdev, const u8 *buf,
18117 			 size_t len, bool reconnect, gfp_t gfp)
18118 {
18119 	struct nl80211_mlme_event event = {
18120 		.cmd = NL80211_CMD_DEAUTHENTICATE,
18121 		.buf = buf,
18122 		.buf_len = len,
18123 		.reconnect = reconnect,
18124 		.uapsd_queues = -1,
18125 	};
18126 
18127 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18128 }
18129 
18130 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
18131 			   struct net_device *netdev, const u8 *buf,
18132 			   size_t len, bool reconnect, gfp_t gfp)
18133 {
18134 	struct nl80211_mlme_event event = {
18135 		.cmd = NL80211_CMD_DISASSOCIATE,
18136 		.buf = buf,
18137 		.buf_len = len,
18138 		.reconnect = reconnect,
18139 		.uapsd_queues = -1,
18140 	};
18141 
18142 	nl80211_send_mlme_event(rdev, netdev, &event, gfp);
18143 }
18144 
18145 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
18146 				  size_t len)
18147 {
18148 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18149 	struct wiphy *wiphy = wdev->wiphy;
18150 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18151 	const struct ieee80211_mgmt *mgmt = (void *)buf;
18152 	struct nl80211_mlme_event event = {
18153 		.buf = buf,
18154 		.buf_len = len,
18155 		.uapsd_queues = -1,
18156 	};
18157 
18158 	if (WARN_ON(len < 2))
18159 		return;
18160 
18161 	if (ieee80211_is_deauth(mgmt->frame_control)) {
18162 		event.cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
18163 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
18164 		event.cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
18165 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
18166 		if (wdev->unprot_beacon_reported &&
18167 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
18168 			return;
18169 		event.cmd = NL80211_CMD_UNPROT_BEACON;
18170 		wdev->unprot_beacon_reported = jiffies;
18171 	} else {
18172 		return;
18173 	}
18174 
18175 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
18176 	nl80211_send_mlme_event(rdev, dev, &event, GFP_ATOMIC);
18177 }
18178 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
18179 
18180 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
18181 				      struct net_device *netdev, int cmd,
18182 				      const u8 *addr, gfp_t gfp)
18183 {
18184 	struct sk_buff *msg;
18185 	void *hdr;
18186 
18187 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18188 	if (!msg)
18189 		return;
18190 
18191 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18192 	if (!hdr) {
18193 		nlmsg_free(msg);
18194 		return;
18195 	}
18196 
18197 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18198 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18199 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18200 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18201 		goto nla_put_failure;
18202 
18203 	genlmsg_end(msg, hdr);
18204 
18205 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18206 				NL80211_MCGRP_MLME, gfp);
18207 	return;
18208 
18209  nla_put_failure:
18210 	nlmsg_free(msg);
18211 }
18212 
18213 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
18214 			       struct net_device *netdev, const u8 *addr,
18215 			       gfp_t gfp)
18216 {
18217 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
18218 				  addr, gfp);
18219 }
18220 
18221 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
18222 				struct net_device *netdev, const u8 *addr,
18223 				gfp_t gfp)
18224 {
18225 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
18226 				  addr, gfp);
18227 }
18228 
18229 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18230 				 struct net_device *netdev,
18231 				 struct cfg80211_connect_resp_params *cr,
18232 				 gfp_t gfp)
18233 {
18234 	struct sk_buff *msg;
18235 	void *hdr;
18236 	unsigned int link;
18237 	size_t link_info_size = 0;
18238 	const u8 *connected_addr = cr->valid_links ?
18239 				   cr->ap_mld_addr : cr->links[0].bssid;
18240 
18241 	if (cr->valid_links) {
18242 		for_each_valid_link(cr, link) {
18243 			/* Nested attribute header */
18244 			link_info_size += NLA_HDRLEN;
18245 			/* Link ID */
18246 			link_info_size += nla_total_size(sizeof(u8));
18247 			link_info_size += cr->links[link].addr ?
18248 					  nla_total_size(ETH_ALEN) : 0;
18249 			link_info_size += (cr->links[link].bssid ||
18250 					   cr->links[link].bss) ?
18251 					  nla_total_size(ETH_ALEN) : 0;
18252 			link_info_size += nla_total_size(sizeof(u16));
18253 		}
18254 	}
18255 
18256 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18257 			cr->fils.kek_len + cr->fils.pmk_len +
18258 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18259 			gfp);
18260 	if (!msg)
18261 		return;
18262 
18263 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18264 	if (!hdr) {
18265 		nlmsg_free(msg);
18266 		return;
18267 	}
18268 
18269 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18270 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18271 	    (connected_addr &&
18272 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18273 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18274 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18275 			cr->status) ||
18276 	    (cr->status < 0 &&
18277 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18278 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18279 			  cr->timeout_reason))) ||
18280 	    (cr->req_ie &&
18281 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18282 	    (cr->resp_ie &&
18283 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18284 		     cr->resp_ie)) ||
18285 	    (cr->fils.update_erp_next_seq_num &&
18286 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18287 			 cr->fils.erp_next_seq_num)) ||
18288 	    (cr->status == WLAN_STATUS_SUCCESS &&
18289 	     ((cr->fils.kek &&
18290 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18291 		       cr->fils.kek)) ||
18292 	      (cr->fils.pmk &&
18293 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18294 	      (cr->fils.pmkid &&
18295 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18296 		goto nla_put_failure;
18297 
18298 	if (cr->valid_links) {
18299 		int i = 1;
18300 		struct nlattr *nested;
18301 
18302 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18303 		if (!nested)
18304 			goto nla_put_failure;
18305 
18306 		for_each_valid_link(cr, link) {
18307 			struct nlattr *nested_mlo_links;
18308 			const u8 *bssid = cr->links[link].bss ?
18309 					  cr->links[link].bss->bssid :
18310 					  cr->links[link].bssid;
18311 
18312 			nested_mlo_links = nla_nest_start(msg, i);
18313 			if (!nested_mlo_links)
18314 				goto nla_put_failure;
18315 
18316 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18317 			    (bssid &&
18318 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18319 			    (cr->links[link].addr &&
18320 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18321 				     cr->links[link].addr)) ||
18322 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18323 					cr->links[link].status))
18324 				goto nla_put_failure;
18325 
18326 			nla_nest_end(msg, nested_mlo_links);
18327 			i++;
18328 		}
18329 		nla_nest_end(msg, nested);
18330 	}
18331 
18332 	genlmsg_end(msg, hdr);
18333 
18334 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18335 				NL80211_MCGRP_MLME, gfp);
18336 	return;
18337 
18338  nla_put_failure:
18339 	nlmsg_free(msg);
18340 }
18341 
18342 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18343 			 struct net_device *netdev,
18344 			 struct cfg80211_roam_info *info, gfp_t gfp)
18345 {
18346 	struct sk_buff *msg;
18347 	void *hdr;
18348 	size_t link_info_size = 0;
18349 	unsigned int link;
18350 	const u8 *connected_addr = info->ap_mld_addr ?
18351 				   info->ap_mld_addr :
18352 				   (info->links[0].bss ?
18353 				    info->links[0].bss->bssid :
18354 				    info->links[0].bssid);
18355 
18356 	if (info->valid_links) {
18357 		for_each_valid_link(info, link) {
18358 			/* Nested attribute header */
18359 			link_info_size += NLA_HDRLEN;
18360 			/* Link ID */
18361 			link_info_size += nla_total_size(sizeof(u8));
18362 			link_info_size += info->links[link].addr ?
18363 					  nla_total_size(ETH_ALEN) : 0;
18364 			link_info_size += (info->links[link].bssid ||
18365 					   info->links[link].bss) ?
18366 					  nla_total_size(ETH_ALEN) : 0;
18367 		}
18368 	}
18369 
18370 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18371 			info->fils.kek_len + info->fils.pmk_len +
18372 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18373 			link_info_size, gfp);
18374 	if (!msg)
18375 		return;
18376 
18377 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18378 	if (!hdr) {
18379 		nlmsg_free(msg);
18380 		return;
18381 	}
18382 
18383 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18384 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18385 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18386 	    (info->req_ie &&
18387 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18388 		     info->req_ie)) ||
18389 	    (info->resp_ie &&
18390 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18391 		     info->resp_ie)) ||
18392 	    (info->fils.update_erp_next_seq_num &&
18393 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18394 			 info->fils.erp_next_seq_num)) ||
18395 	    (info->fils.kek &&
18396 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18397 		     info->fils.kek)) ||
18398 	    (info->fils.pmk &&
18399 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18400 	    (info->fils.pmkid &&
18401 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18402 		goto nla_put_failure;
18403 
18404 	if (info->valid_links) {
18405 		int i = 1;
18406 		struct nlattr *nested;
18407 
18408 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18409 		if (!nested)
18410 			goto nla_put_failure;
18411 
18412 		for_each_valid_link(info, link) {
18413 			struct nlattr *nested_mlo_links;
18414 			const u8 *bssid = info->links[link].bss ?
18415 					  info->links[link].bss->bssid :
18416 					  info->links[link].bssid;
18417 
18418 			nested_mlo_links = nla_nest_start(msg, i);
18419 			if (!nested_mlo_links)
18420 				goto nla_put_failure;
18421 
18422 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18423 			    (bssid &&
18424 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18425 			    (info->links[link].addr &&
18426 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18427 				     info->links[link].addr)))
18428 				goto nla_put_failure;
18429 
18430 			nla_nest_end(msg, nested_mlo_links);
18431 			i++;
18432 		}
18433 		nla_nest_end(msg, nested);
18434 	}
18435 
18436 	genlmsg_end(msg, hdr);
18437 
18438 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18439 				NL80211_MCGRP_MLME, gfp);
18440 	return;
18441 
18442  nla_put_failure:
18443 	nlmsg_free(msg);
18444 }
18445 
18446 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18447 				  struct net_device *netdev, const u8 *peer_addr,
18448 				  const u8 *td_bitmap, u8 td_bitmap_len)
18449 {
18450 	struct sk_buff *msg;
18451 	void *hdr;
18452 
18453 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18454 	if (!msg)
18455 		return;
18456 
18457 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18458 	if (!hdr) {
18459 		nlmsg_free(msg);
18460 		return;
18461 	}
18462 
18463 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18464 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18465 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer_addr))
18466 		goto nla_put_failure;
18467 
18468 	if ((td_bitmap_len > 0) && td_bitmap)
18469 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18470 			    td_bitmap_len, td_bitmap))
18471 			goto nla_put_failure;
18472 
18473 	genlmsg_end(msg, hdr);
18474 
18475 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18476 				NL80211_MCGRP_MLME, GFP_KERNEL);
18477 	return;
18478 
18479  nla_put_failure:
18480 	nlmsg_free(msg);
18481 }
18482 
18483 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18484 			       struct net_device *netdev, u16 reason,
18485 			       const u8 *ie, size_t ie_len, bool from_ap)
18486 {
18487 	struct sk_buff *msg;
18488 	void *hdr;
18489 
18490 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18491 	if (!msg)
18492 		return;
18493 
18494 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18495 	if (!hdr) {
18496 		nlmsg_free(msg);
18497 		return;
18498 	}
18499 
18500 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18501 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18502 	    (reason &&
18503 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18504 	    (from_ap &&
18505 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18506 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18507 		goto nla_put_failure;
18508 
18509 	genlmsg_end(msg, hdr);
18510 
18511 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18512 				NL80211_MCGRP_MLME, GFP_KERNEL);
18513 	return;
18514 
18515  nla_put_failure:
18516 	nlmsg_free(msg);
18517 }
18518 
18519 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18520 {
18521 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18522 	struct wiphy *wiphy = wdev->wiphy;
18523 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18524 	struct sk_buff *msg;
18525 	struct nlattr *links;
18526 	void *hdr;
18527 
18528 	lockdep_assert_wiphy(wdev->wiphy);
18529 	trace_cfg80211_links_removed(dev, link_mask);
18530 
18531 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18532 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18533 		return;
18534 
18535 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18536 		    (wdev->valid_links & link_mask) != link_mask ||
18537 		    wdev->valid_links == link_mask))
18538 		return;
18539 
18540 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18541 	wdev->valid_links &= ~link_mask;
18542 
18543 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18544 	if (!msg)
18545 		return;
18546 
18547 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18548 	if (!hdr) {
18549 		nlmsg_free(msg);
18550 		return;
18551 	}
18552 
18553 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18554 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18555 		goto nla_put_failure;
18556 
18557 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18558 	if (!links)
18559 		goto nla_put_failure;
18560 
18561 	while (link_mask) {
18562 		struct nlattr *link;
18563 		int link_id = __ffs(link_mask);
18564 
18565 		link = nla_nest_start(msg, link_id + 1);
18566 		if (!link)
18567 			goto nla_put_failure;
18568 
18569 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18570 			goto nla_put_failure;
18571 
18572 		nla_nest_end(msg, link);
18573 		link_mask &= ~(1 << link_id);
18574 	}
18575 
18576 	nla_nest_end(msg, links);
18577 
18578 	genlmsg_end(msg, hdr);
18579 
18580 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18581 				NL80211_MCGRP_MLME, GFP_KERNEL);
18582 	return;
18583 
18584  nla_put_failure:
18585 	nlmsg_free(msg);
18586 }
18587 EXPORT_SYMBOL(cfg80211_links_removed);
18588 
18589 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18590 			     struct net_device *netdev, const u8 *bssid,
18591 			     gfp_t gfp)
18592 {
18593 	struct sk_buff *msg;
18594 	void *hdr;
18595 
18596 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18597 	if (!msg)
18598 		return;
18599 
18600 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18601 	if (!hdr) {
18602 		nlmsg_free(msg);
18603 		return;
18604 	}
18605 
18606 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18607 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18608 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18609 		goto nla_put_failure;
18610 
18611 	genlmsg_end(msg, hdr);
18612 
18613 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18614 				NL80211_MCGRP_MLME, gfp);
18615 	return;
18616 
18617  nla_put_failure:
18618 	nlmsg_free(msg);
18619 }
18620 
18621 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18622 					const u8 *ie, u8 ie_len,
18623 					int sig_dbm, gfp_t gfp)
18624 {
18625 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18626 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18627 	struct sk_buff *msg;
18628 	void *hdr;
18629 
18630 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18631 		return;
18632 
18633 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18634 
18635 	msg = nlmsg_new(100 + ie_len, gfp);
18636 	if (!msg)
18637 		return;
18638 
18639 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18640 	if (!hdr) {
18641 		nlmsg_free(msg);
18642 		return;
18643 	}
18644 
18645 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18646 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18647 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18648 	    (ie_len && ie &&
18649 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18650 	    (sig_dbm &&
18651 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18652 		goto nla_put_failure;
18653 
18654 	genlmsg_end(msg, hdr);
18655 
18656 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18657 				NL80211_MCGRP_MLME, gfp);
18658 	return;
18659 
18660  nla_put_failure:
18661 	nlmsg_free(msg);
18662 }
18663 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18664 
18665 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18666 				 struct net_device *netdev, const u8 *addr,
18667 				 enum nl80211_key_type key_type, int key_id,
18668 				 const u8 *tsc, gfp_t gfp)
18669 {
18670 	struct sk_buff *msg;
18671 	void *hdr;
18672 
18673 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18674 	if (!msg)
18675 		return;
18676 
18677 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18678 	if (!hdr) {
18679 		nlmsg_free(msg);
18680 		return;
18681 	}
18682 
18683 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18684 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18685 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18686 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18687 	    (key_id != -1 &&
18688 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18689 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18690 		goto nla_put_failure;
18691 
18692 	genlmsg_end(msg, hdr);
18693 
18694 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18695 				NL80211_MCGRP_MLME, gfp);
18696 	return;
18697 
18698  nla_put_failure:
18699 	nlmsg_free(msg);
18700 }
18701 
18702 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18703 				    struct ieee80211_channel *channel_before,
18704 				    struct ieee80211_channel *channel_after)
18705 {
18706 	struct sk_buff *msg;
18707 	void *hdr;
18708 	struct nlattr *nl_freq;
18709 
18710 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18711 	if (!msg)
18712 		return;
18713 
18714 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18715 	if (!hdr) {
18716 		nlmsg_free(msg);
18717 		return;
18718 	}
18719 
18720 	/*
18721 	 * Since we are applying the beacon hint to a wiphy we know its
18722 	 * wiphy_idx is valid
18723 	 */
18724 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18725 		goto nla_put_failure;
18726 
18727 	/* Before */
18728 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18729 	if (!nl_freq)
18730 		goto nla_put_failure;
18731 
18732 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18733 		goto nla_put_failure;
18734 	nla_nest_end(msg, nl_freq);
18735 
18736 	/* After */
18737 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18738 	if (!nl_freq)
18739 		goto nla_put_failure;
18740 
18741 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18742 		goto nla_put_failure;
18743 	nla_nest_end(msg, nl_freq);
18744 
18745 	genlmsg_end(msg, hdr);
18746 
18747 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18748 				NL80211_MCGRP_REGULATORY);
18749 
18750 	return;
18751 
18752 nla_put_failure:
18753 	nlmsg_free(msg);
18754 }
18755 
18756 static void nl80211_send_remain_on_chan_event(
18757 	int cmd, struct cfg80211_registered_device *rdev,
18758 	struct wireless_dev *wdev, u64 cookie,
18759 	struct ieee80211_channel *chan,
18760 	unsigned int duration, gfp_t gfp)
18761 {
18762 	struct sk_buff *msg;
18763 	void *hdr;
18764 
18765 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18766 	if (!msg)
18767 		return;
18768 
18769 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18770 	if (!hdr) {
18771 		nlmsg_free(msg);
18772 		return;
18773 	}
18774 
18775 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18776 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18777 					 wdev->netdev->ifindex)) ||
18778 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18779 			      NL80211_ATTR_PAD) ||
18780 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18781 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18782 			NL80211_CHAN_NO_HT) ||
18783 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18784 			      NL80211_ATTR_PAD))
18785 		goto nla_put_failure;
18786 
18787 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18788 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18789 		goto nla_put_failure;
18790 
18791 	genlmsg_end(msg, hdr);
18792 
18793 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18794 				NL80211_MCGRP_MLME, gfp);
18795 	return;
18796 
18797  nla_put_failure:
18798 	nlmsg_free(msg);
18799 }
18800 
18801 void cfg80211_assoc_comeback(struct net_device *netdev,
18802 			     const u8 *ap_addr, u32 timeout)
18803 {
18804 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18805 	struct wiphy *wiphy = wdev->wiphy;
18806 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18807 	struct sk_buff *msg;
18808 	void *hdr;
18809 
18810 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18811 
18812 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18813 	if (!msg)
18814 		return;
18815 
18816 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18817 	if (!hdr) {
18818 		nlmsg_free(msg);
18819 		return;
18820 	}
18821 
18822 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18823 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18824 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18825 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18826 		goto nla_put_failure;
18827 
18828 	genlmsg_end(msg, hdr);
18829 
18830 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18831 				NL80211_MCGRP_MLME, GFP_KERNEL);
18832 	return;
18833 
18834  nla_put_failure:
18835 	nlmsg_free(msg);
18836 }
18837 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18838 
18839 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18840 			       struct ieee80211_channel *chan,
18841 			       unsigned int duration, gfp_t gfp)
18842 {
18843 	struct wiphy *wiphy = wdev->wiphy;
18844 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18845 
18846 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18847 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18848 					  rdev, wdev, cookie, chan,
18849 					  duration, gfp);
18850 }
18851 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18852 
18853 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18854 					struct ieee80211_channel *chan,
18855 					gfp_t gfp)
18856 {
18857 	struct wiphy *wiphy = wdev->wiphy;
18858 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18859 
18860 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18861 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18862 					  rdev, wdev, cookie, chan, 0, gfp);
18863 }
18864 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18865 
18866 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18867 					struct ieee80211_channel *chan,
18868 					gfp_t gfp)
18869 {
18870 	struct wiphy *wiphy = wdev->wiphy;
18871 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18872 
18873 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18874 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18875 					  rdev, wdev, cookie, chan, 0, gfp);
18876 }
18877 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18878 
18879 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18880 		      struct station_info *sinfo, gfp_t gfp)
18881 {
18882 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18883 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18884 	struct sk_buff *msg;
18885 
18886 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18887 
18888 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18889 	if (!msg)
18890 		return;
18891 
18892 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18893 				 rdev, dev, mac_addr, sinfo) < 0) {
18894 		nlmsg_free(msg);
18895 		return;
18896 	}
18897 
18898 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18899 				NL80211_MCGRP_MLME, gfp);
18900 }
18901 EXPORT_SYMBOL(cfg80211_new_sta);
18902 
18903 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18904 			    struct station_info *sinfo, gfp_t gfp)
18905 {
18906 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18907 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18908 	struct sk_buff *msg;
18909 	struct station_info empty_sinfo = {};
18910 
18911 	if (!sinfo)
18912 		sinfo = &empty_sinfo;
18913 
18914 	trace_cfg80211_del_sta(dev, mac_addr);
18915 
18916 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18917 	if (!msg) {
18918 		cfg80211_sinfo_release_content(sinfo);
18919 		return;
18920 	}
18921 
18922 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18923 				 rdev, dev, mac_addr, sinfo) < 0) {
18924 		nlmsg_free(msg);
18925 		return;
18926 	}
18927 
18928 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18929 				NL80211_MCGRP_MLME, gfp);
18930 }
18931 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18932 
18933 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18934 			  enum nl80211_connect_failed_reason reason,
18935 			  gfp_t gfp)
18936 {
18937 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18938 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18939 	struct sk_buff *msg;
18940 	void *hdr;
18941 
18942 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18943 	if (!msg)
18944 		return;
18945 
18946 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18947 	if (!hdr) {
18948 		nlmsg_free(msg);
18949 		return;
18950 	}
18951 
18952 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18953 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18954 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18955 		goto nla_put_failure;
18956 
18957 	genlmsg_end(msg, hdr);
18958 
18959 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18960 				NL80211_MCGRP_MLME, gfp);
18961 	return;
18962 
18963  nla_put_failure:
18964 	nlmsg_free(msg);
18965 }
18966 EXPORT_SYMBOL(cfg80211_conn_failed);
18967 
18968 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18969 				       const u8 *addr, gfp_t gfp)
18970 {
18971 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18972 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18973 	struct sk_buff *msg;
18974 	void *hdr;
18975 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18976 
18977 	if (!nlportid)
18978 		return false;
18979 
18980 	msg = nlmsg_new(100, gfp);
18981 	if (!msg)
18982 		return true;
18983 
18984 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18985 	if (!hdr) {
18986 		nlmsg_free(msg);
18987 		return true;
18988 	}
18989 
18990 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18991 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18992 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18993 		goto nla_put_failure;
18994 
18995 	genlmsg_end(msg, hdr);
18996 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18997 	return true;
18998 
18999  nla_put_failure:
19000 	nlmsg_free(msg);
19001 	return true;
19002 }
19003 
19004 bool cfg80211_rx_spurious_frame(struct net_device *dev,
19005 				const u8 *addr, gfp_t gfp)
19006 {
19007 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19008 	bool ret;
19009 
19010 	trace_cfg80211_rx_spurious_frame(dev, addr);
19011 
19012 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19013 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
19014 		trace_cfg80211_return_bool(false);
19015 		return false;
19016 	}
19017 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
19018 					 addr, gfp);
19019 	trace_cfg80211_return_bool(ret);
19020 	return ret;
19021 }
19022 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
19023 
19024 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
19025 					const u8 *addr, gfp_t gfp)
19026 {
19027 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19028 	bool ret;
19029 
19030 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
19031 
19032 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
19033 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
19034 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
19035 		trace_cfg80211_return_bool(false);
19036 		return false;
19037 	}
19038 	ret = __nl80211_unexpected_frame(dev,
19039 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
19040 					 addr, gfp);
19041 	trace_cfg80211_return_bool(ret);
19042 	return ret;
19043 }
19044 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
19045 
19046 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
19047 		      struct wireless_dev *wdev, u32 nlportid,
19048 		      struct cfg80211_rx_info *info, gfp_t gfp)
19049 {
19050 	struct net_device *netdev = wdev->netdev;
19051 	struct sk_buff *msg;
19052 	void *hdr;
19053 
19054 	msg = nlmsg_new(100 + info->len, gfp);
19055 	if (!msg)
19056 		return -ENOMEM;
19057 
19058 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19059 	if (!hdr) {
19060 		nlmsg_free(msg);
19061 		return -ENOMEM;
19062 	}
19063 
19064 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19065 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19066 					netdev->ifindex)) ||
19067 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19068 			      NL80211_ATTR_PAD) ||
19069 	    (info->have_link_id &&
19070 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
19071 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
19072 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
19073 	    (info->sig_dbm &&
19074 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
19075 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
19076 	    (info->flags &&
19077 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
19078 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
19079 						  NL80211_ATTR_RX_HW_TIMESTAMP,
19080 						  info->rx_tstamp,
19081 						  NL80211_ATTR_PAD)) ||
19082 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
19083 						   NL80211_ATTR_TX_HW_TIMESTAMP,
19084 						   info->ack_tstamp,
19085 						   NL80211_ATTR_PAD)))
19086 		goto nla_put_failure;
19087 
19088 	genlmsg_end(msg, hdr);
19089 
19090 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19091 
19092  nla_put_failure:
19093 	nlmsg_free(msg);
19094 	return -ENOBUFS;
19095 }
19096 
19097 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
19098 				    struct cfg80211_tx_status *status,
19099 				    gfp_t gfp, enum nl80211_commands command)
19100 {
19101 	struct wiphy *wiphy = wdev->wiphy;
19102 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19103 	struct net_device *netdev = wdev->netdev;
19104 	struct sk_buff *msg;
19105 	void *hdr;
19106 
19107 	if (command == NL80211_CMD_FRAME_TX_STATUS)
19108 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
19109 					      status->ack);
19110 	else
19111 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
19112 						      status->ack);
19113 
19114 	msg = nlmsg_new(100 + status->len, gfp);
19115 	if (!msg)
19116 		return;
19117 
19118 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
19119 	if (!hdr) {
19120 		nlmsg_free(msg);
19121 		return;
19122 	}
19123 
19124 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19125 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19126 				   netdev->ifindex)) ||
19127 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19128 			      NL80211_ATTR_PAD) ||
19129 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
19130 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
19131 			      NL80211_ATTR_PAD) ||
19132 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19133 	    (status->tx_tstamp &&
19134 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
19135 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
19136 	    (status->ack_tstamp &&
19137 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
19138 			       status->ack_tstamp, NL80211_ATTR_PAD)))
19139 		goto nla_put_failure;
19140 
19141 	genlmsg_end(msg, hdr);
19142 
19143 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19144 				NL80211_MCGRP_MLME, gfp);
19145 	return;
19146 
19147 nla_put_failure:
19148 	nlmsg_free(msg);
19149 }
19150 
19151 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
19152 				     const u8 *buf, size_t len, bool ack,
19153 				     gfp_t gfp)
19154 {
19155 	struct cfg80211_tx_status status = {
19156 		.cookie = cookie,
19157 		.buf = buf,
19158 		.len = len,
19159 		.ack = ack
19160 	};
19161 
19162 	nl80211_frame_tx_status(wdev, &status, gfp,
19163 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
19164 }
19165 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
19166 
19167 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
19168 				 struct cfg80211_tx_status *status, gfp_t gfp)
19169 {
19170 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
19171 }
19172 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
19173 
19174 static int __nl80211_rx_control_port(struct net_device *dev,
19175 				     struct sk_buff *skb,
19176 				     bool unencrypted,
19177 				     int link_id,
19178 				     gfp_t gfp)
19179 {
19180 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19181 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19182 	struct ethhdr *ehdr = eth_hdr(skb);
19183 	const u8 *addr = ehdr->h_source;
19184 	u16 proto = be16_to_cpu(skb->protocol);
19185 	struct sk_buff *msg;
19186 	void *hdr;
19187 	struct nlattr *frame;
19188 
19189 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
19190 
19191 	if (!nlportid)
19192 		return -ENOENT;
19193 
19194 	msg = nlmsg_new(100 + skb->len, gfp);
19195 	if (!msg)
19196 		return -ENOMEM;
19197 
19198 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
19199 	if (!hdr) {
19200 		nlmsg_free(msg);
19201 		return -ENOBUFS;
19202 	}
19203 
19204 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19205 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19206 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19207 			      NL80211_ATTR_PAD) ||
19208 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19209 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
19210 	    (link_id >= 0 &&
19211 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
19212 	    (unencrypted && nla_put_flag(msg,
19213 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
19214 		goto nla_put_failure;
19215 
19216 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
19217 	if (!frame)
19218 		goto nla_put_failure;
19219 
19220 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
19221 	genlmsg_end(msg, hdr);
19222 
19223 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19224 
19225  nla_put_failure:
19226 	nlmsg_free(msg);
19227 	return -ENOBUFS;
19228 }
19229 
19230 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19231 			      bool unencrypted, int link_id)
19232 {
19233 	int ret;
19234 
19235 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19236 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19237 					GFP_ATOMIC);
19238 	trace_cfg80211_return_bool(ret == 0);
19239 	return ret == 0;
19240 }
19241 EXPORT_SYMBOL(cfg80211_rx_control_port);
19242 
19243 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19244 					    const char *mac, gfp_t gfp)
19245 {
19246 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19247 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19248 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19249 	void **cb;
19250 
19251 	if (!msg)
19252 		return NULL;
19253 
19254 	cb = (void **)msg->cb;
19255 
19256 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19257 	if (!cb[0]) {
19258 		nlmsg_free(msg);
19259 		return NULL;
19260 	}
19261 
19262 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19263 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19264 		goto nla_put_failure;
19265 
19266 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19267 		goto nla_put_failure;
19268 
19269 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19270 	if (!cb[1])
19271 		goto nla_put_failure;
19272 
19273 	cb[2] = rdev;
19274 
19275 	return msg;
19276  nla_put_failure:
19277 	nlmsg_free(msg);
19278 	return NULL;
19279 }
19280 
19281 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19282 {
19283 	void **cb = (void **)msg->cb;
19284 	struct cfg80211_registered_device *rdev = cb[2];
19285 
19286 	nla_nest_end(msg, cb[1]);
19287 	genlmsg_end(msg, cb[0]);
19288 
19289 	memset(msg->cb, 0, sizeof(msg->cb));
19290 
19291 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19292 				NL80211_MCGRP_MLME, gfp);
19293 }
19294 
19295 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19296 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19297 			      s32 rssi_level, gfp_t gfp)
19298 {
19299 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19300 	struct cfg80211_cqm_config *cqm_config;
19301 
19302 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19303 
19304 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19305 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19306 		return;
19307 
19308 	rcu_read_lock();
19309 	cqm_config = rcu_dereference(wdev->cqm_config);
19310 	if (cqm_config) {
19311 		cqm_config->last_rssi_event_value = rssi_level;
19312 		cqm_config->last_rssi_event_type = rssi_event;
19313 		wiphy_work_queue(wdev->wiphy, &wdev->cqm_rssi_work);
19314 	}
19315 	rcu_read_unlock();
19316 }
19317 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19318 
19319 void cfg80211_cqm_rssi_notify_work(struct wiphy *wiphy, struct wiphy_work *work)
19320 {
19321 	struct wireless_dev *wdev = container_of(work, struct wireless_dev,
19322 						 cqm_rssi_work);
19323 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19324 	enum nl80211_cqm_rssi_threshold_event rssi_event;
19325 	struct cfg80211_cqm_config *cqm_config;
19326 	struct sk_buff *msg;
19327 	s32 rssi_level;
19328 
19329 	cqm_config = wiphy_dereference(wdev->wiphy, wdev->cqm_config);
19330 	if (!cqm_config)
19331 		return;
19332 
19333 	if (cqm_config->use_range_api)
19334 		cfg80211_cqm_rssi_update(rdev, wdev->netdev, cqm_config);
19335 
19336 	rssi_level = cqm_config->last_rssi_event_value;
19337 	rssi_event = cqm_config->last_rssi_event_type;
19338 
19339 	msg = cfg80211_prepare_cqm(wdev->netdev, NULL, GFP_KERNEL);
19340 	if (!msg)
19341 		return;
19342 
19343 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19344 			rssi_event))
19345 		goto nla_put_failure;
19346 
19347 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19348 				      rssi_level))
19349 		goto nla_put_failure;
19350 
19351 	cfg80211_send_cqm(msg, GFP_KERNEL);
19352 
19353 	return;
19354 
19355  nla_put_failure:
19356 	nlmsg_free(msg);
19357 }
19358 
19359 void cfg80211_cqm_txe_notify(struct net_device *dev,
19360 			     const u8 *peer, u32 num_packets,
19361 			     u32 rate, u32 intvl, gfp_t gfp)
19362 {
19363 	struct sk_buff *msg;
19364 
19365 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19366 	if (!msg)
19367 		return;
19368 
19369 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19370 		goto nla_put_failure;
19371 
19372 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19373 		goto nla_put_failure;
19374 
19375 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19376 		goto nla_put_failure;
19377 
19378 	cfg80211_send_cqm(msg, gfp);
19379 	return;
19380 
19381  nla_put_failure:
19382 	nlmsg_free(msg);
19383 }
19384 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19385 
19386 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19387 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19388 {
19389 	struct sk_buff *msg;
19390 
19391 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19392 
19393 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19394 	if (!msg)
19395 		return;
19396 
19397 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19398 		goto nla_put_failure;
19399 
19400 	cfg80211_send_cqm(msg, gfp);
19401 	return;
19402 
19403  nla_put_failure:
19404 	nlmsg_free(msg);
19405 }
19406 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19407 
19408 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19409 {
19410 	struct sk_buff *msg;
19411 
19412 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19413 	if (!msg)
19414 		return;
19415 
19416 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19417 		goto nla_put_failure;
19418 
19419 	cfg80211_send_cqm(msg, gfp);
19420 	return;
19421 
19422  nla_put_failure:
19423 	nlmsg_free(msg);
19424 }
19425 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19426 
19427 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19428 				     struct net_device *netdev, const u8 *bssid,
19429 				     const u8 *replay_ctr, gfp_t gfp)
19430 {
19431 	struct sk_buff *msg;
19432 	struct nlattr *rekey_attr;
19433 	void *hdr;
19434 
19435 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19436 	if (!msg)
19437 		return;
19438 
19439 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19440 	if (!hdr) {
19441 		nlmsg_free(msg);
19442 		return;
19443 	}
19444 
19445 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19446 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19447 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19448 		goto nla_put_failure;
19449 
19450 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19451 	if (!rekey_attr)
19452 		goto nla_put_failure;
19453 
19454 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19455 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19456 		goto nla_put_failure;
19457 
19458 	nla_nest_end(msg, rekey_attr);
19459 
19460 	genlmsg_end(msg, hdr);
19461 
19462 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19463 				NL80211_MCGRP_MLME, gfp);
19464 	return;
19465 
19466  nla_put_failure:
19467 	nlmsg_free(msg);
19468 }
19469 
19470 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19471 			       const u8 *replay_ctr, gfp_t gfp)
19472 {
19473 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19474 	struct wiphy *wiphy = wdev->wiphy;
19475 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19476 
19477 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19478 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19479 }
19480 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19481 
19482 static void
19483 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19484 			       struct net_device *netdev, int index,
19485 			       const u8 *bssid, bool preauth, gfp_t gfp)
19486 {
19487 	struct sk_buff *msg;
19488 	struct nlattr *attr;
19489 	void *hdr;
19490 
19491 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19492 	if (!msg)
19493 		return;
19494 
19495 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19496 	if (!hdr) {
19497 		nlmsg_free(msg);
19498 		return;
19499 	}
19500 
19501 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19502 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19503 		goto nla_put_failure;
19504 
19505 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19506 	if (!attr)
19507 		goto nla_put_failure;
19508 
19509 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19510 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19511 	    (preauth &&
19512 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19513 		goto nla_put_failure;
19514 
19515 	nla_nest_end(msg, attr);
19516 
19517 	genlmsg_end(msg, hdr);
19518 
19519 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19520 				NL80211_MCGRP_MLME, gfp);
19521 	return;
19522 
19523  nla_put_failure:
19524 	nlmsg_free(msg);
19525 }
19526 
19527 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19528 				     const u8 *bssid, bool preauth, gfp_t gfp)
19529 {
19530 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19531 	struct wiphy *wiphy = wdev->wiphy;
19532 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19533 
19534 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19535 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19536 }
19537 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19538 
19539 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19540 				     struct net_device *netdev,
19541 				     unsigned int link_id,
19542 				     struct cfg80211_chan_def *chandef,
19543 				     gfp_t gfp,
19544 				     enum nl80211_commands notif,
19545 				     u8 count, bool quiet)
19546 {
19547 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19548 	struct sk_buff *msg;
19549 	void *hdr;
19550 
19551 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19552 	if (!msg)
19553 		return;
19554 
19555 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19556 	if (!hdr) {
19557 		nlmsg_free(msg);
19558 		return;
19559 	}
19560 
19561 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19562 		goto nla_put_failure;
19563 
19564 	if (wdev->valid_links &&
19565 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19566 		goto nla_put_failure;
19567 
19568 	if (nl80211_send_chandef(msg, chandef))
19569 		goto nla_put_failure;
19570 
19571 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19572 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19573 			goto nla_put_failure;
19574 		if (quiet &&
19575 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19576 			goto nla_put_failure;
19577 	}
19578 
19579 	genlmsg_end(msg, hdr);
19580 
19581 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19582 				NL80211_MCGRP_MLME, gfp);
19583 	return;
19584 
19585  nla_put_failure:
19586 	nlmsg_free(msg);
19587 }
19588 
19589 void cfg80211_ch_switch_notify(struct net_device *dev,
19590 			       struct cfg80211_chan_def *chandef,
19591 			       unsigned int link_id)
19592 {
19593 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19594 	struct wiphy *wiphy = wdev->wiphy;
19595 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19596 
19597 	lockdep_assert_wiphy(wdev->wiphy);
19598 	WARN_INVALID_LINK_ID(wdev, link_id);
19599 
19600 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id);
19601 
19602 	switch (wdev->iftype) {
19603 	case NL80211_IFTYPE_STATION:
19604 	case NL80211_IFTYPE_P2P_CLIENT:
19605 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19606 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19607 							chandef->chan);
19608 		break;
19609 	case NL80211_IFTYPE_MESH_POINT:
19610 		wdev->u.mesh.chandef = *chandef;
19611 		wdev->u.mesh.preset_chandef = *chandef;
19612 		break;
19613 	case NL80211_IFTYPE_AP:
19614 	case NL80211_IFTYPE_P2P_GO:
19615 		wdev->links[link_id].ap.chandef = *chandef;
19616 		break;
19617 	case NL80211_IFTYPE_ADHOC:
19618 		wdev->u.ibss.chandef = *chandef;
19619 		break;
19620 	default:
19621 		WARN_ON(1);
19622 		break;
19623 	}
19624 
19625 	cfg80211_schedule_channels_check(wdev);
19626 	cfg80211_sched_dfs_chan_update(rdev);
19627 
19628 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19629 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
19630 }
19631 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19632 
19633 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19634 				       struct cfg80211_chan_def *chandef,
19635 				       unsigned int link_id, u8 count,
19636 				       bool quiet)
19637 {
19638 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19639 	struct wiphy *wiphy = wdev->wiphy;
19640 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19641 
19642 	lockdep_assert_wiphy(wdev->wiphy);
19643 	WARN_INVALID_LINK_ID(wdev, link_id);
19644 
19645 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id);
19646 
19647 
19648 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19649 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19650 				 count, quiet);
19651 }
19652 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19653 
19654 int cfg80211_bss_color_notify(struct net_device *dev,
19655 			      enum nl80211_commands cmd, u8 count,
19656 			      u64 color_bitmap, u8 link_id)
19657 {
19658 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19659 	struct wiphy *wiphy = wdev->wiphy;
19660 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19661 	struct sk_buff *msg;
19662 	void *hdr;
19663 
19664 	lockdep_assert_wiphy(wdev->wiphy);
19665 
19666 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19667 
19668 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19669 	if (!msg)
19670 		return -ENOMEM;
19671 
19672 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19673 	if (!hdr)
19674 		goto nla_put_failure;
19675 
19676 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19677 		goto nla_put_failure;
19678 
19679 	if (wdev->valid_links &&
19680 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19681 		goto nla_put_failure;
19682 
19683 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19684 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19685 		goto nla_put_failure;
19686 
19687 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19688 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19689 			      color_bitmap, NL80211_ATTR_PAD))
19690 		goto nla_put_failure;
19691 
19692 	genlmsg_end(msg, hdr);
19693 
19694 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19695 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19696 
19697 nla_put_failure:
19698 	nlmsg_free(msg);
19699 	return -EINVAL;
19700 }
19701 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19702 
19703 void
19704 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19705 		     const struct cfg80211_chan_def *chandef,
19706 		     enum nl80211_radar_event event,
19707 		     struct net_device *netdev, gfp_t gfp)
19708 {
19709 	struct sk_buff *msg;
19710 	void *hdr;
19711 
19712 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19713 	if (!msg)
19714 		return;
19715 
19716 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19717 	if (!hdr) {
19718 		nlmsg_free(msg);
19719 		return;
19720 	}
19721 
19722 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19723 		goto nla_put_failure;
19724 
19725 	/* NOP and radar events don't need a netdev parameter */
19726 	if (netdev) {
19727 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19728 
19729 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19730 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19731 				      NL80211_ATTR_PAD))
19732 			goto nla_put_failure;
19733 	}
19734 
19735 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19736 		goto nla_put_failure;
19737 
19738 	if (nl80211_send_chandef(msg, chandef))
19739 		goto nla_put_failure;
19740 
19741 	genlmsg_end(msg, hdr);
19742 
19743 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19744 				NL80211_MCGRP_MLME, gfp);
19745 	return;
19746 
19747  nla_put_failure:
19748 	nlmsg_free(msg);
19749 }
19750 
19751 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19752 				       struct sta_opmode_info *sta_opmode,
19753 				       gfp_t gfp)
19754 {
19755 	struct sk_buff *msg;
19756 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19757 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19758 	void *hdr;
19759 
19760 	if (WARN_ON(!mac))
19761 		return;
19762 
19763 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19764 	if (!msg)
19765 		return;
19766 
19767 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19768 	if (!hdr) {
19769 		nlmsg_free(msg);
19770 		return;
19771 	}
19772 
19773 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19774 		goto nla_put_failure;
19775 
19776 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19777 		goto nla_put_failure;
19778 
19779 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19780 		goto nla_put_failure;
19781 
19782 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19783 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19784 		goto nla_put_failure;
19785 
19786 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19787 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19788 		goto nla_put_failure;
19789 
19790 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19791 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19792 		goto nla_put_failure;
19793 
19794 	genlmsg_end(msg, hdr);
19795 
19796 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19797 				NL80211_MCGRP_MLME, gfp);
19798 
19799 	return;
19800 
19801 nla_put_failure:
19802 	nlmsg_free(msg);
19803 }
19804 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19805 
19806 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19807 			   u64 cookie, bool acked, s32 ack_signal,
19808 			   bool is_valid_ack_signal, gfp_t gfp)
19809 {
19810 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19811 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19812 	struct sk_buff *msg;
19813 	void *hdr;
19814 
19815 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19816 
19817 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19818 
19819 	if (!msg)
19820 		return;
19821 
19822 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19823 	if (!hdr) {
19824 		nlmsg_free(msg);
19825 		return;
19826 	}
19827 
19828 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19829 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19830 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19831 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19832 			      NL80211_ATTR_PAD) ||
19833 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19834 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19835 						ack_signal)))
19836 		goto nla_put_failure;
19837 
19838 	genlmsg_end(msg, hdr);
19839 
19840 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19841 				NL80211_MCGRP_MLME, gfp);
19842 	return;
19843 
19844  nla_put_failure:
19845 	nlmsg_free(msg);
19846 }
19847 EXPORT_SYMBOL(cfg80211_probe_status);
19848 
19849 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19850 				     size_t len, int freq, int sig_dbm)
19851 {
19852 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19853 	struct sk_buff *msg;
19854 	void *hdr;
19855 	struct cfg80211_beacon_registration *reg;
19856 
19857 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19858 
19859 	spin_lock_bh(&rdev->beacon_registrations_lock);
19860 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19861 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19862 		if (!msg) {
19863 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19864 			return;
19865 		}
19866 
19867 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19868 		if (!hdr)
19869 			goto nla_put_failure;
19870 
19871 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19872 		    (freq &&
19873 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19874 				  KHZ_TO_MHZ(freq)) ||
19875 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19876 				  freq % 1000))) ||
19877 		    (sig_dbm &&
19878 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19879 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19880 			goto nla_put_failure;
19881 
19882 		genlmsg_end(msg, hdr);
19883 
19884 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19885 	}
19886 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19887 	return;
19888 
19889  nla_put_failure:
19890 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19891 	nlmsg_free(msg);
19892 }
19893 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19894 
19895 #ifdef CONFIG_PM
19896 static int cfg80211_net_detect_results(struct sk_buff *msg,
19897 				       struct cfg80211_wowlan_wakeup *wakeup)
19898 {
19899 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19900 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19901 	int i, j;
19902 
19903 	nl_results = nla_nest_start_noflag(msg,
19904 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19905 	if (!nl_results)
19906 		return -EMSGSIZE;
19907 
19908 	for (i = 0; i < nd->n_matches; i++) {
19909 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19910 
19911 		nl_match = nla_nest_start_noflag(msg, i);
19912 		if (!nl_match)
19913 			break;
19914 
19915 		/* The SSID attribute is optional in nl80211, but for
19916 		 * simplicity reasons it's always present in the
19917 		 * cfg80211 structure.  If a driver can't pass the
19918 		 * SSID, that needs to be changed.  A zero length SSID
19919 		 * is still a valid SSID (wildcard), so it cannot be
19920 		 * used for this purpose.
19921 		 */
19922 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19923 			    match->ssid.ssid)) {
19924 			nla_nest_cancel(msg, nl_match);
19925 			goto out;
19926 		}
19927 
19928 		if (match->n_channels) {
19929 			nl_freqs = nla_nest_start_noflag(msg,
19930 							 NL80211_ATTR_SCAN_FREQUENCIES);
19931 			if (!nl_freqs) {
19932 				nla_nest_cancel(msg, nl_match);
19933 				goto out;
19934 			}
19935 
19936 			for (j = 0; j < match->n_channels; j++) {
19937 				if (nla_put_u32(msg, j, match->channels[j])) {
19938 					nla_nest_cancel(msg, nl_freqs);
19939 					nla_nest_cancel(msg, nl_match);
19940 					goto out;
19941 				}
19942 			}
19943 
19944 			nla_nest_end(msg, nl_freqs);
19945 		}
19946 
19947 		nla_nest_end(msg, nl_match);
19948 	}
19949 
19950 out:
19951 	nla_nest_end(msg, nl_results);
19952 	return 0;
19953 }
19954 
19955 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19956 				   struct cfg80211_wowlan_wakeup *wakeup,
19957 				   gfp_t gfp)
19958 {
19959 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19960 	struct sk_buff *msg;
19961 	void *hdr;
19962 	int size = 200;
19963 
19964 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19965 
19966 	if (wakeup)
19967 		size += wakeup->packet_present_len;
19968 
19969 	msg = nlmsg_new(size, gfp);
19970 	if (!msg)
19971 		return;
19972 
19973 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19974 	if (!hdr)
19975 		goto free_msg;
19976 
19977 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19978 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19979 			      NL80211_ATTR_PAD))
19980 		goto free_msg;
19981 
19982 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19983 					wdev->netdev->ifindex))
19984 		goto free_msg;
19985 
19986 	if (wakeup) {
19987 		struct nlattr *reasons;
19988 
19989 		reasons = nla_nest_start_noflag(msg,
19990 						NL80211_ATTR_WOWLAN_TRIGGERS);
19991 		if (!reasons)
19992 			goto free_msg;
19993 
19994 		if (wakeup->disconnect &&
19995 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19996 			goto free_msg;
19997 		if (wakeup->magic_pkt &&
19998 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19999 			goto free_msg;
20000 		if (wakeup->gtk_rekey_failure &&
20001 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
20002 			goto free_msg;
20003 		if (wakeup->eap_identity_req &&
20004 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
20005 			goto free_msg;
20006 		if (wakeup->four_way_handshake &&
20007 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
20008 			goto free_msg;
20009 		if (wakeup->rfkill_release &&
20010 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
20011 			goto free_msg;
20012 
20013 		if (wakeup->pattern_idx >= 0 &&
20014 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
20015 				wakeup->pattern_idx))
20016 			goto free_msg;
20017 
20018 		if (wakeup->tcp_match &&
20019 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
20020 			goto free_msg;
20021 
20022 		if (wakeup->tcp_connlost &&
20023 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
20024 			goto free_msg;
20025 
20026 		if (wakeup->tcp_nomoretokens &&
20027 		    nla_put_flag(msg,
20028 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
20029 			goto free_msg;
20030 
20031 		if (wakeup->unprot_deauth_disassoc &&
20032 		    nla_put_flag(msg,
20033 				 NL80211_WOWLAN_TRIG_UNPROTECTED_DEAUTH_DISASSOC))
20034 			goto free_msg;
20035 
20036 		if (wakeup->packet) {
20037 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
20038 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
20039 
20040 			if (!wakeup->packet_80211) {
20041 				pkt_attr =
20042 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
20043 				len_attr =
20044 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
20045 			}
20046 
20047 			if (wakeup->packet_len &&
20048 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
20049 				goto free_msg;
20050 
20051 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
20052 				    wakeup->packet))
20053 				goto free_msg;
20054 		}
20055 
20056 		if (wakeup->net_detect &&
20057 		    cfg80211_net_detect_results(msg, wakeup))
20058 				goto free_msg;
20059 
20060 		nla_nest_end(msg, reasons);
20061 	}
20062 
20063 	genlmsg_end(msg, hdr);
20064 
20065 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20066 				NL80211_MCGRP_MLME, gfp);
20067 	return;
20068 
20069  free_msg:
20070 	nlmsg_free(msg);
20071 }
20072 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
20073 #endif
20074 
20075 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
20076 				enum nl80211_tdls_operation oper,
20077 				u16 reason_code, gfp_t gfp)
20078 {
20079 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20080 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20081 	struct sk_buff *msg;
20082 	void *hdr;
20083 
20084 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
20085 					 reason_code);
20086 
20087 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20088 	if (!msg)
20089 		return;
20090 
20091 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
20092 	if (!hdr) {
20093 		nlmsg_free(msg);
20094 		return;
20095 	}
20096 
20097 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20098 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20099 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
20100 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
20101 	    (reason_code > 0 &&
20102 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
20103 		goto nla_put_failure;
20104 
20105 	genlmsg_end(msg, hdr);
20106 
20107 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20108 				NL80211_MCGRP_MLME, gfp);
20109 	return;
20110 
20111  nla_put_failure:
20112 	nlmsg_free(msg);
20113 }
20114 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
20115 
20116 static int nl80211_netlink_notify(struct notifier_block * nb,
20117 				  unsigned long state,
20118 				  void *_notify)
20119 {
20120 	struct netlink_notify *notify = _notify;
20121 	struct cfg80211_registered_device *rdev;
20122 	struct wireless_dev *wdev;
20123 	struct cfg80211_beacon_registration *reg, *tmp;
20124 
20125 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
20126 		return NOTIFY_DONE;
20127 
20128 	rcu_read_lock();
20129 
20130 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
20131 		struct cfg80211_sched_scan_request *sched_scan_req;
20132 
20133 		list_for_each_entry_rcu(sched_scan_req,
20134 					&rdev->sched_scan_req_list,
20135 					list) {
20136 			if (sched_scan_req->owner_nlportid == notify->portid) {
20137 				sched_scan_req->nl_owner_dead = true;
20138 				wiphy_work_queue(&rdev->wiphy,
20139 						 &rdev->sched_scan_stop_wk);
20140 			}
20141 		}
20142 
20143 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
20144 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
20145 
20146 			if (wdev->owner_nlportid == notify->portid) {
20147 				wdev->nl_owner_dead = true;
20148 				schedule_work(&rdev->destroy_work);
20149 			} else if (wdev->conn_owner_nlportid == notify->portid) {
20150 				schedule_work(&wdev->disconnect_wk);
20151 			}
20152 
20153 			cfg80211_release_pmsr(wdev, notify->portid);
20154 		}
20155 
20156 		spin_lock_bh(&rdev->beacon_registrations_lock);
20157 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
20158 					 list) {
20159 			if (reg->nlportid == notify->portid) {
20160 				list_del(&reg->list);
20161 				kfree(reg);
20162 				break;
20163 			}
20164 		}
20165 		spin_unlock_bh(&rdev->beacon_registrations_lock);
20166 	}
20167 
20168 	rcu_read_unlock();
20169 
20170 	/*
20171 	 * It is possible that the user space process that is controlling the
20172 	 * indoor setting disappeared, so notify the regulatory core.
20173 	 */
20174 	regulatory_netlink_notify(notify->portid);
20175 	return NOTIFY_OK;
20176 }
20177 
20178 static struct notifier_block nl80211_netlink_notifier = {
20179 	.notifier_call = nl80211_netlink_notify,
20180 };
20181 
20182 void cfg80211_ft_event(struct net_device *netdev,
20183 		       struct cfg80211_ft_event_params *ft_event)
20184 {
20185 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20186 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20187 	struct sk_buff *msg;
20188 	void *hdr;
20189 
20190 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
20191 
20192 	if (!ft_event->target_ap)
20193 		return;
20194 
20195 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
20196 			GFP_KERNEL);
20197 	if (!msg)
20198 		return;
20199 
20200 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
20201 	if (!hdr)
20202 		goto out;
20203 
20204 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20205 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20206 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
20207 		goto out;
20208 
20209 	if (ft_event->ies &&
20210 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
20211 		goto out;
20212 	if (ft_event->ric_ies &&
20213 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
20214 		    ft_event->ric_ies))
20215 		goto out;
20216 
20217 	genlmsg_end(msg, hdr);
20218 
20219 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20220 				NL80211_MCGRP_MLME, GFP_KERNEL);
20221 	return;
20222  out:
20223 	nlmsg_free(msg);
20224 }
20225 EXPORT_SYMBOL(cfg80211_ft_event);
20226 
20227 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
20228 {
20229 	struct cfg80211_registered_device *rdev;
20230 	struct sk_buff *msg;
20231 	void *hdr;
20232 	u32 nlportid;
20233 
20234 	rdev = wiphy_to_rdev(wdev->wiphy);
20235 	if (!rdev->crit_proto_nlportid)
20236 		return;
20237 
20238 	nlportid = rdev->crit_proto_nlportid;
20239 	rdev->crit_proto_nlportid = 0;
20240 
20241 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20242 	if (!msg)
20243 		return;
20244 
20245 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
20246 	if (!hdr)
20247 		goto nla_put_failure;
20248 
20249 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20250 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20251 			      NL80211_ATTR_PAD))
20252 		goto nla_put_failure;
20253 
20254 	genlmsg_end(msg, hdr);
20255 
20256 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20257 	return;
20258 
20259  nla_put_failure:
20260 	nlmsg_free(msg);
20261 }
20262 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20263 
20264 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20265 {
20266 	struct wiphy *wiphy = wdev->wiphy;
20267 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20268 	struct sk_buff *msg;
20269 	void *hdr;
20270 
20271 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20272 	if (!msg)
20273 		return;
20274 
20275 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20276 	if (!hdr)
20277 		goto out;
20278 
20279 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20280 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20281 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20282 			      NL80211_ATTR_PAD) ||
20283 	    (wdev->valid_links &&
20284 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20285 		goto out;
20286 
20287 	genlmsg_end(msg, hdr);
20288 
20289 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20290 				NL80211_MCGRP_MLME, GFP_KERNEL);
20291 	return;
20292  out:
20293 	nlmsg_free(msg);
20294 }
20295 
20296 int cfg80211_external_auth_request(struct net_device *dev,
20297 				   struct cfg80211_external_auth_params *params,
20298 				   gfp_t gfp)
20299 {
20300 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20301 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20302 	struct sk_buff *msg;
20303 	void *hdr;
20304 
20305 	if (!wdev->conn_owner_nlportid)
20306 		return -EINVAL;
20307 
20308 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20309 	if (!msg)
20310 		return -ENOMEM;
20311 
20312 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20313 	if (!hdr)
20314 		goto nla_put_failure;
20315 
20316 	/* Some historical mistakes in drivers <-> userspace interface (notably
20317 	 * between drivers and wpa_supplicant) led to a big-endian conversion
20318 	 * being needed on NL80211_ATTR_AKM_SUITES _only_ when its value is
20319 	 * WLAN_AKM_SUITE_SAE. This is now fixed on userspace side, but for the
20320 	 * benefit of older wpa_supplicant versions, send this particular value
20321 	 * in big-endian. Note that newer wpa_supplicant will also detect this
20322 	 * particular value in big endian still, so it all continues to work.
20323 	 */
20324 	if (params->key_mgmt_suite == WLAN_AKM_SUITE_SAE) {
20325 		if (nla_put_be32(msg, NL80211_ATTR_AKM_SUITES,
20326 				 cpu_to_be32(WLAN_AKM_SUITE_SAE)))
20327 			goto nla_put_failure;
20328 	} else {
20329 		if (nla_put_u32(msg, NL80211_ATTR_AKM_SUITES,
20330 				params->key_mgmt_suite))
20331 			goto nla_put_failure;
20332 	}
20333 
20334 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20335 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20336 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20337 			params->action) ||
20338 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20339 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20340 		    params->ssid.ssid) ||
20341 	    (!is_zero_ether_addr(params->mld_addr) &&
20342 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20343 		goto nla_put_failure;
20344 
20345 	genlmsg_end(msg, hdr);
20346 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20347 			wdev->conn_owner_nlportid);
20348 	return 0;
20349 
20350  nla_put_failure:
20351 	nlmsg_free(msg);
20352 	return -ENOBUFS;
20353 }
20354 EXPORT_SYMBOL(cfg80211_external_auth_request);
20355 
20356 void cfg80211_update_owe_info_event(struct net_device *netdev,
20357 				    struct cfg80211_update_owe_info *owe_info,
20358 				    gfp_t gfp)
20359 {
20360 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20361 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20362 	struct sk_buff *msg;
20363 	void *hdr;
20364 
20365 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20366 
20367 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20368 	if (!msg)
20369 		return;
20370 
20371 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20372 	if (!hdr)
20373 		goto nla_put_failure;
20374 
20375 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20376 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20377 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20378 		goto nla_put_failure;
20379 
20380 	if (!owe_info->ie_len ||
20381 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20382 		goto nla_put_failure;
20383 
20384 	if (owe_info->assoc_link_id != -1) {
20385 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20386 			       owe_info->assoc_link_id))
20387 			goto nla_put_failure;
20388 
20389 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20390 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20391 			    owe_info->peer_mld_addr))
20392 			goto nla_put_failure;
20393 	}
20394 
20395 	genlmsg_end(msg, hdr);
20396 
20397 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20398 				NL80211_MCGRP_MLME, gfp);
20399 	return;
20400 
20401 nla_put_failure:
20402 	genlmsg_cancel(msg, hdr);
20403 	nlmsg_free(msg);
20404 }
20405 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20406 
20407 void cfg80211_schedule_channels_check(struct wireless_dev *wdev)
20408 {
20409 	struct wiphy *wiphy = wdev->wiphy;
20410 
20411 	/* Schedule channels check if NO_IR or DFS relaxations are supported */
20412 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
20413 	    (wiphy_ext_feature_isset(wiphy,
20414 				     NL80211_EXT_FEATURE_DFS_CONCURRENT) ||
20415 	    (IS_ENABLED(CONFIG_CFG80211_REG_RELAX_NO_IR) &&
20416 	     wiphy->regulatory_flags & REGULATORY_ENABLE_RELAX_NO_IR)))
20417 		reg_check_channels();
20418 }
20419 EXPORT_SYMBOL(cfg80211_schedule_channels_check);
20420 
20421 /* initialisation/exit functions */
20422 
20423 int __init nl80211_init(void)
20424 {
20425 	int err;
20426 
20427 	err = genl_register_family(&nl80211_fam);
20428 	if (err)
20429 		return err;
20430 
20431 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20432 	if (err)
20433 		goto err_out;
20434 
20435 	return 0;
20436  err_out:
20437 	genl_unregister_family(&nl80211_fam);
20438 	return err;
20439 }
20440 
20441 void nl80211_exit(void)
20442 {
20443 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20444 	genl_unregister_family(&nl80211_fam);
20445 }
20446