xref: /openbmc/linux/net/wireless/nl80211.c (revision 0bf49ffb) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2020 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	bool s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
233 	unsigned int fixedlen, hdrlen;
234 
235 	if (s1g_bcn) {
236 		fixedlen = offsetof(struct ieee80211_ext,
237 				    u.s1g_beacon.variable);
238 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
239 	} else {
240 		fixedlen = offsetof(struct ieee80211_mgmt,
241 				    u.beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
243 	}
244 
245 	if (len < fixedlen)
246 		goto err;
247 
248 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
249 		goto err;
250 
251 	data += fixedlen;
252 	len -= fixedlen;
253 
254 	for_each_element(elem, data, len) {
255 		/* nothing */
256 	}
257 
258 	if (for_each_element_completed(elem, data, len))
259 		return 0;
260 
261 err:
262 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
263 	return -EINVAL;
264 }
265 
266 static int validate_ie_attr(const struct nlattr *attr,
267 			    struct netlink_ext_ack *extack)
268 {
269 	const u8 *data = nla_data(attr);
270 	unsigned int len = nla_len(attr);
271 	const struct element *elem;
272 
273 	for_each_element(elem, data, len) {
274 		/* nothing */
275 	}
276 
277 	if (for_each_element_completed(elem, data, len))
278 		return 0;
279 
280 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
281 	return -EINVAL;
282 }
283 
284 /* policy for the attributes */
285 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
286 
287 static const struct nla_policy
288 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
289 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
290 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
291 					.len = U8_MAX },
292 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
293 					     .len = U8_MAX },
294 };
295 
296 static const struct nla_policy
297 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
298 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
299 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
300 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
301 		NLA_POLICY_MAX(NLA_U8, 15),
302 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
303 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
304 		NLA_POLICY_MAX(NLA_U8, 15),
305 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
306 		NLA_POLICY_MAX(NLA_U8, 31),
307 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
308 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
309 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
310 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
311 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
312 };
313 
314 static const struct nla_policy
315 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
316 	[NL80211_PMSR_TYPE_FTM] =
317 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
318 };
319 
320 static const struct nla_policy
321 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
322 	[NL80211_PMSR_REQ_ATTR_DATA] =
323 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
324 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
325 };
326 
327 static const struct nla_policy
328 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
329 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
330 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
331 	[NL80211_PMSR_PEER_ATTR_REQ] =
332 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
333 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
334 };
335 
336 static const struct nla_policy
337 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
338 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
339 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
340 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
341 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
342 	[NL80211_PMSR_ATTR_PEERS] =
343 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
344 };
345 
346 static const struct nla_policy
347 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
348 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
349 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
350 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
351 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
352 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
353 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
354 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
355 		NLA_POLICY_EXACT_LEN(8),
356 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
357 		NLA_POLICY_EXACT_LEN(8),
358 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
359 };
360 
361 static const struct nla_policy
362 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
363 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
364 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
365 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
366 };
367 
368 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
369 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
370 				    .len = NL80211_MAX_SUPP_RATES },
371 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
372 				.len = NL80211_MAX_SUPP_HT_RATES },
373 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
374 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
375 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
376 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
377 						   NL80211_RATE_INFO_HE_GI_0_8,
378 						   NL80211_RATE_INFO_HE_GI_3_2),
379 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
380 						   NL80211_RATE_INFO_HE_1XLTF,
381 						   NL80211_RATE_INFO_HE_4XLTF),
382 };
383 
384 static const struct nla_policy
385 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
386 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
387 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
388 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
389 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
390 	[NL80211_TID_CONFIG_ATTR_NOACK] =
391 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
392 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
393 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
394 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
395 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
396 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
397 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
398 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
399 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
400 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
401 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
402 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
403 			NLA_POLICY_NESTED(nl80211_txattr_policy),
404 };
405 
406 static const struct nla_policy
407 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
408 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
409 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
410 	NLA_POLICY_RANGE(NLA_BINARY,
411 			 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
412 			 IEEE80211_MAX_DATA_LEN),
413 };
414 
415 static const struct nla_policy
416 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
417 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
418 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
419 						       .len = IEEE80211_MAX_DATA_LEN }
420 };
421 
422 static const struct nla_policy
423 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
424 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
425 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
426 };
427 
428 static const struct nla_policy
429 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
430 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
431 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
432 };
433 
434 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
435 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
436 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
437 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
438 				      .len = 20-1 },
439 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
440 
441 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
442 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
443 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
444 						NL80211_EDMG_CHANNELS_MIN,
445 						NL80211_EDMG_CHANNELS_MAX),
446 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
447 						NL80211_EDMG_BW_CONFIG_MIN,
448 						NL80211_EDMG_BW_CONFIG_MAX),
449 
450 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
451 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
452 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
453 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
454 
455 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
456 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
457 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
458 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
459 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
460 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
461 
462 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
463 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
464 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
465 
466 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
467 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
468 
469 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
470 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
471 				    .len = WLAN_MAX_KEY_LEN },
472 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
473 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
474 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
475 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
476 	[NL80211_ATTR_KEY_TYPE] =
477 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
478 
479 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
480 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
481 	[NL80211_ATTR_BEACON_HEAD] =
482 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
483 				       IEEE80211_MAX_DATA_LEN),
484 	[NL80211_ATTR_BEACON_TAIL] =
485 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
486 				       IEEE80211_MAX_DATA_LEN),
487 	[NL80211_ATTR_STA_AID] =
488 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
489 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
490 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
491 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
492 					       .len = NL80211_MAX_SUPP_RATES },
493 	[NL80211_ATTR_STA_PLINK_ACTION] =
494 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
495 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
496 		NLA_POLICY_RANGE(NLA_U8,
497 				 NL80211_TX_POWER_AUTOMATIC,
498 				 NL80211_TX_POWER_FIXED),
499 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
500 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
501 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
502 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
503 				   .len = IEEE80211_MAX_MESH_ID_LEN },
504 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
505 
506 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
507 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
508 
509 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
510 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
511 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
512 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
513 					   .len = NL80211_MAX_SUPP_RATES },
514 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
515 
516 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
517 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
518 
519 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
520 
521 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
522 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
523 						   validate_ie_attr,
524 						   IEEE80211_MAX_DATA_LEN),
525 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
526 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
527 
528 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
529 				.len = IEEE80211_MAX_SSID_LEN },
530 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
531 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
532 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
533 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
534 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
535 						  NL80211_MFP_NO,
536 						  NL80211_MFP_OPTIONAL),
537 	[NL80211_ATTR_STA_FLAGS2] = {
538 		.len = sizeof(struct nl80211_sta_flag_update),
539 	},
540 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
541 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
542 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
543 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
544 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
545 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
546 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
547 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
548 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
549 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
550 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
551 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
552 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
553 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
554 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
555 				 .len = IEEE80211_MAX_DATA_LEN },
556 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
557 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
558 						   NL80211_PS_DISABLED,
559 						   NL80211_PS_ENABLED),
560 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
561 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
562 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
563 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
564 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
565 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
566 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
567 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
568 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
569 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
571 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
572 	[NL80211_ATTR_STA_PLINK_STATE] =
573 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
574 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
575 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
576 	[NL80211_ATTR_MESH_PEER_AID] =
577 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
578 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
579 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
580 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
581 	[NL80211_ATTR_HIDDEN_SSID] =
582 		NLA_POLICY_RANGE(NLA_U32,
583 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
584 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
585 	[NL80211_ATTR_IE_PROBE_RESP] =
586 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
587 				       IEEE80211_MAX_DATA_LEN),
588 	[NL80211_ATTR_IE_ASSOC_RESP] =
589 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
590 				       IEEE80211_MAX_DATA_LEN),
591 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
592 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
593 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
594 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
595 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
596 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
597 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
600 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
601 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
602 				      .len = IEEE80211_MAX_DATA_LEN },
603 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
604 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
605 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
606 		.len = NL80211_HT_CAPABILITY_LEN
607 	},
608 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
609 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
610 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
611 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
612 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
613 
614 	/* need to include at least Auth Transaction and Status Code */
615 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
616 
617 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
618 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
619 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
620 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
621 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
622 		NLA_POLICY_RANGE(NLA_U32,
623 				 NL80211_MESH_POWER_UNKNOWN + 1,
624 				 NL80211_MESH_POWER_MAX),
625 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
626 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
627 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
628 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
629 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
630 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
632 		.len = NL80211_VHT_CAPABILITY_LEN,
633 	},
634 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
635 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
636 				  .len = IEEE80211_MAX_DATA_LEN },
637 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
638 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
639 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
640 	[NL80211_ATTR_PEER_AID] =
641 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
642 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
643 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
644 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
645 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
646 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
647 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
648 	/*
649 	 * The value of the Length field of the Supported Operating
650 	 * Classes element is between 2 and 253.
651 	 */
652 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
653 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
654 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
655 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
656 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
657 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
658 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
659 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
660 						  IEEE80211_QOS_MAP_LEN_MIN,
661 						  IEEE80211_QOS_MAP_LEN_MAX),
662 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
663 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
664 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
665 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
666 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
667 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
668 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
669 	[NL80211_ATTR_USER_PRIO] =
670 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
671 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
672 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
673 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
674 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
675 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
676 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
677 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
678 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
679 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
680 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
681 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
682 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
683 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
684 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
685 	},
686 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
687 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
688 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
689 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
690 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
691 				    .len = FILS_MAX_KEK_LEN },
692 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
693 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
694 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
695 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
696 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
697 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
698 	},
699 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
700 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
701 					     .len = FILS_ERP_MAX_USERNAME_LEN },
702 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
703 					  .len = FILS_ERP_MAX_REALM_LEN },
704 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
705 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
706 					.len = FILS_ERP_MAX_RRK_LEN },
707 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
708 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
709 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
710 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
711 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
712 
713 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
714 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
715 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
716 	[NL80211_ATTR_HE_CAPABILITY] =
717 		NLA_POLICY_RANGE(NLA_BINARY,
718 				 NL80211_HE_MIN_CAPABILITY_LEN,
719 				 NL80211_HE_MAX_CAPABILITY_LEN),
720 	[NL80211_ATTR_FTM_RESPONDER] =
721 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
722 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
723 	[NL80211_ATTR_PEER_MEASUREMENTS] =
724 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
725 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
726 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
727 					.len = SAE_PASSWORD_MAX_LEN },
728 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
729 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
730 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
731 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
732 	[NL80211_ATTR_TID_CONFIG] =
733 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
734 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
735 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
736 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
737 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
738 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
739 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
740 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
741 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
742 	[NL80211_ATTR_FILS_DISCOVERY] =
743 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
744 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
745 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
746 	[NL80211_ATTR_S1G_CAPABILITY] =
747 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
748 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
749 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
750 	[NL80211_ATTR_SAE_PWE] =
751 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
752 				 NL80211_SAE_PWE_BOTH),
753 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
754 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
755 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
756 };
757 
758 /* policy for the key attributes */
759 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
760 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
761 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
762 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
763 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
764 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
765 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
766 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
767 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
768 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
769 };
770 
771 /* policy for the key default flags */
772 static const struct nla_policy
773 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
774 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
775 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
776 };
777 
778 #ifdef CONFIG_PM
779 /* policy for WoWLAN attributes */
780 static const struct nla_policy
781 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
782 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
783 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
784 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
785 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
786 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
787 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
788 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
789 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
790 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
791 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
792 };
793 
794 static const struct nla_policy
795 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
796 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
797 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
798 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
799 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
800 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
801 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
802 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
803 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
804 	},
805 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
806 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
807 	},
808 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
809 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
810 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
811 };
812 #endif /* CONFIG_PM */
813 
814 /* policy for coalesce rule attributes */
815 static const struct nla_policy
816 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
817 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
818 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
819 		NLA_POLICY_RANGE(NLA_U32,
820 				 NL80211_COALESCE_CONDITION_MATCH,
821 				 NL80211_COALESCE_CONDITION_NO_MATCH),
822 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
823 };
824 
825 /* policy for GTK rekey offload attributes */
826 static const struct nla_policy
827 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
828 	[NL80211_REKEY_DATA_KEK] = {
829 		.type = NLA_BINARY,
830 		.len = NL80211_KEK_EXT_LEN
831 	},
832 	[NL80211_REKEY_DATA_KCK] = {
833 		.type = NLA_BINARY,
834 		.len = NL80211_KCK_EXT_LEN
835 	},
836 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
837 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
838 };
839 
840 static const struct nla_policy
841 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
842 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
843 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
844 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
845 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
846 };
847 
848 static const struct nla_policy
849 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
850 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
851 						 .len = IEEE80211_MAX_SSID_LEN },
852 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
853 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
854 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
855 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
856 };
857 
858 static const struct nla_policy
859 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
860 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
861 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
862 };
863 
864 static const struct nla_policy
865 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
866 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
867 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
868 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
869 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
870 	},
871 };
872 
873 /* policy for NAN function attributes */
874 static const struct nla_policy
875 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
876 	[NL80211_NAN_FUNC_TYPE] =
877 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
878 	[NL80211_NAN_FUNC_SERVICE_ID] = {
879 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
880 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
881 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
882 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
883 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
884 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
885 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
886 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
887 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
888 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
889 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
890 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
891 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
892 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
893 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
894 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
895 };
896 
897 /* policy for Service Response Filter attributes */
898 static const struct nla_policy
899 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
900 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
901 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
902 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
903 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
904 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
905 };
906 
907 /* policy for packet pattern attributes */
908 static const struct nla_policy
909 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
910 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
911 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
912 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
913 };
914 
915 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
916 			      struct cfg80211_registered_device **rdev,
917 			      struct wireless_dev **wdev)
918 {
919 	int err;
920 
921 	if (!cb->args[0]) {
922 		struct nlattr **attrbuf;
923 
924 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
925 				  GFP_KERNEL);
926 		if (!attrbuf)
927 			return -ENOMEM;
928 
929 		err = nlmsg_parse_deprecated(cb->nlh,
930 					     GENL_HDRLEN + nl80211_fam.hdrsize,
931 					     attrbuf, nl80211_fam.maxattr,
932 					     nl80211_policy, NULL);
933 		if (err) {
934 			kfree(attrbuf);
935 			return err;
936 		}
937 
938 		rtnl_lock();
939 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
940 						   attrbuf);
941 		kfree(attrbuf);
942 		if (IS_ERR(*wdev)) {
943 			rtnl_unlock();
944 			return PTR_ERR(*wdev);
945 		}
946 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
947 		mutex_lock(&(*rdev)->wiphy.mtx);
948 		rtnl_unlock();
949 		/* 0 is the first index - add 1 to parse only once */
950 		cb->args[0] = (*rdev)->wiphy_idx + 1;
951 		cb->args[1] = (*wdev)->identifier;
952 	} else {
953 		/* subtract the 1 again here */
954 		struct wiphy *wiphy;
955 		struct wireless_dev *tmp;
956 
957 		rtnl_lock();
958 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
959 		if (!wiphy) {
960 			rtnl_unlock();
961 			return -ENODEV;
962 		}
963 		*rdev = wiphy_to_rdev(wiphy);
964 		*wdev = NULL;
965 
966 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
967 			if (tmp->identifier == cb->args[1]) {
968 				*wdev = tmp;
969 				break;
970 			}
971 		}
972 
973 		if (!*wdev) {
974 			rtnl_unlock();
975 			return -ENODEV;
976 		}
977 		mutex_lock(&(*rdev)->wiphy.mtx);
978 		rtnl_unlock();
979 	}
980 
981 	return 0;
982 }
983 
984 /* message building helper */
985 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
986 		     int flags, u8 cmd)
987 {
988 	/* since there is no private header just add the generic one */
989 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
990 }
991 
992 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
993 				     const struct ieee80211_reg_rule *rule)
994 {
995 	int j;
996 	struct nlattr *nl_wmm_rules =
997 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
998 
999 	if (!nl_wmm_rules)
1000 		goto nla_put_failure;
1001 
1002 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1003 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1004 
1005 		if (!nl_wmm_rule)
1006 			goto nla_put_failure;
1007 
1008 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1009 				rule->wmm_rule.client[j].cw_min) ||
1010 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1011 				rule->wmm_rule.client[j].cw_max) ||
1012 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1013 			       rule->wmm_rule.client[j].aifsn) ||
1014 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1015 			        rule->wmm_rule.client[j].cot))
1016 			goto nla_put_failure;
1017 
1018 		nla_nest_end(msg, nl_wmm_rule);
1019 	}
1020 	nla_nest_end(msg, nl_wmm_rules);
1021 
1022 	return 0;
1023 
1024 nla_put_failure:
1025 	return -ENOBUFS;
1026 }
1027 
1028 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1029 				   struct ieee80211_channel *chan,
1030 				   bool large)
1031 {
1032 	/* Some channels must be completely excluded from the
1033 	 * list to protect old user-space tools from breaking
1034 	 */
1035 	if (!large && chan->flags &
1036 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1037 		return 0;
1038 	if (!large && chan->freq_offset)
1039 		return 0;
1040 
1041 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1042 			chan->center_freq))
1043 		goto nla_put_failure;
1044 
1045 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1046 		goto nla_put_failure;
1047 
1048 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1049 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1050 		goto nla_put_failure;
1051 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1052 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1053 			goto nla_put_failure;
1054 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1055 			goto nla_put_failure;
1056 	}
1057 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1058 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1059 			goto nla_put_failure;
1060 		if (large) {
1061 			u32 time;
1062 
1063 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1064 
1065 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1066 					chan->dfs_state))
1067 				goto nla_put_failure;
1068 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1069 					time))
1070 				goto nla_put_failure;
1071 			if (nla_put_u32(msg,
1072 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1073 					chan->dfs_cac_ms))
1074 				goto nla_put_failure;
1075 		}
1076 	}
1077 
1078 	if (large) {
1079 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1080 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1081 			goto nla_put_failure;
1082 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1083 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1084 			goto nla_put_failure;
1085 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1086 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1087 			goto nla_put_failure;
1088 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1089 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1090 			goto nla_put_failure;
1091 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1092 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1093 			goto nla_put_failure;
1094 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1095 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1096 			goto nla_put_failure;
1097 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1098 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1099 			goto nla_put_failure;
1100 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1101 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1102 			goto nla_put_failure;
1103 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1104 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1105 			goto nla_put_failure;
1106 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1107 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1108 			goto nla_put_failure;
1109 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1110 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1111 			goto nla_put_failure;
1112 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1113 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1114 			goto nla_put_failure;
1115 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1116 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1117 			goto nla_put_failure;
1118 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1119 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1120 			goto nla_put_failure;
1121 	}
1122 
1123 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1124 			DBM_TO_MBM(chan->max_power)))
1125 		goto nla_put_failure;
1126 
1127 	if (large) {
1128 		const struct ieee80211_reg_rule *rule =
1129 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1130 
1131 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1132 			if (nl80211_msg_put_wmm_rules(msg, rule))
1133 				goto nla_put_failure;
1134 		}
1135 	}
1136 
1137 	return 0;
1138 
1139  nla_put_failure:
1140 	return -ENOBUFS;
1141 }
1142 
1143 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1144 				  struct cfg80211_txq_stats *txqstats,
1145 				  int attrtype)
1146 {
1147 	struct nlattr *txqattr;
1148 
1149 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1150 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1151 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1152 		return false;						  \
1153 	} while (0)
1154 
1155 	txqattr = nla_nest_start_noflag(msg, attrtype);
1156 	if (!txqattr)
1157 		return false;
1158 
1159 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1160 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1161 	PUT_TXQVAL_U32(FLOWS, flows);
1162 	PUT_TXQVAL_U32(DROPS, drops);
1163 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1164 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1165 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1166 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1167 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1168 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1169 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1170 	nla_nest_end(msg, txqattr);
1171 
1172 #undef PUT_TXQVAL_U32
1173 	return true;
1174 }
1175 
1176 /* netlink command implementations */
1177 
1178 struct key_parse {
1179 	struct key_params p;
1180 	int idx;
1181 	int type;
1182 	bool def, defmgmt, defbeacon;
1183 	bool def_uni, def_multi;
1184 };
1185 
1186 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1187 				 struct key_parse *k)
1188 {
1189 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1190 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1191 					      nl80211_key_policy,
1192 					      info->extack);
1193 	if (err)
1194 		return err;
1195 
1196 	k->def = !!tb[NL80211_KEY_DEFAULT];
1197 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1198 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1199 
1200 	if (k->def) {
1201 		k->def_uni = true;
1202 		k->def_multi = true;
1203 	}
1204 	if (k->defmgmt || k->defbeacon)
1205 		k->def_multi = true;
1206 
1207 	if (tb[NL80211_KEY_IDX])
1208 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1209 
1210 	if (tb[NL80211_KEY_DATA]) {
1211 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1212 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1213 	}
1214 
1215 	if (tb[NL80211_KEY_SEQ]) {
1216 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1217 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1218 	}
1219 
1220 	if (tb[NL80211_KEY_CIPHER])
1221 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1222 
1223 	if (tb[NL80211_KEY_TYPE])
1224 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1225 
1226 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1227 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1228 
1229 		err = nla_parse_nested_deprecated(kdt,
1230 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1231 						  tb[NL80211_KEY_DEFAULT_TYPES],
1232 						  nl80211_key_default_policy,
1233 						  info->extack);
1234 		if (err)
1235 			return err;
1236 
1237 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1238 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1239 	}
1240 
1241 	if (tb[NL80211_KEY_MODE])
1242 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1243 
1244 	return 0;
1245 }
1246 
1247 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1248 {
1249 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1250 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1251 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1252 	}
1253 
1254 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1255 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1256 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1257 	}
1258 
1259 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1260 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1261 
1262 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1263 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1264 
1265 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1266 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1267 
1268 	if (k->def) {
1269 		k->def_uni = true;
1270 		k->def_multi = true;
1271 	}
1272 	if (k->defmgmt)
1273 		k->def_multi = true;
1274 
1275 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1276 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1277 
1278 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1279 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1280 		int err = nla_parse_nested_deprecated(kdt,
1281 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1282 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1283 						      nl80211_key_default_policy,
1284 						      info->extack);
1285 		if (err)
1286 			return err;
1287 
1288 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1289 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1290 	}
1291 
1292 	return 0;
1293 }
1294 
1295 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1296 {
1297 	int err;
1298 
1299 	memset(k, 0, sizeof(*k));
1300 	k->idx = -1;
1301 	k->type = -1;
1302 
1303 	if (info->attrs[NL80211_ATTR_KEY])
1304 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1305 	else
1306 		err = nl80211_parse_key_old(info, k);
1307 
1308 	if (err)
1309 		return err;
1310 
1311 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1312 	    (k->defbeacon ? 1 : 0) > 1) {
1313 		GENL_SET_ERR_MSG(info,
1314 				 "key with multiple default flags is invalid");
1315 		return -EINVAL;
1316 	}
1317 
1318 	if (k->defmgmt || k->defbeacon) {
1319 		if (k->def_uni || !k->def_multi) {
1320 			GENL_SET_ERR_MSG(info,
1321 					 "defmgmt/defbeacon key must be mcast");
1322 			return -EINVAL;
1323 		}
1324 	}
1325 
1326 	if (k->idx != -1) {
1327 		if (k->defmgmt) {
1328 			if (k->idx < 4 || k->idx > 5) {
1329 				GENL_SET_ERR_MSG(info,
1330 						 "defmgmt key idx not 4 or 5");
1331 				return -EINVAL;
1332 			}
1333 		} else if (k->defbeacon) {
1334 			if (k->idx < 6 || k->idx > 7) {
1335 				GENL_SET_ERR_MSG(info,
1336 						 "defbeacon key idx not 6 or 7");
1337 				return -EINVAL;
1338 			}
1339 		} else if (k->def) {
1340 			if (k->idx < 0 || k->idx > 3) {
1341 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1342 				return -EINVAL;
1343 			}
1344 		} else {
1345 			if (k->idx < 0 || k->idx > 7) {
1346 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1347 				return -EINVAL;
1348 			}
1349 		}
1350 	}
1351 
1352 	return 0;
1353 }
1354 
1355 static struct cfg80211_cached_keys *
1356 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1357 		       struct genl_info *info, bool *no_ht)
1358 {
1359 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1360 	struct key_parse parse;
1361 	struct nlattr *key;
1362 	struct cfg80211_cached_keys *result;
1363 	int rem, err, def = 0;
1364 	bool have_key = false;
1365 
1366 	nla_for_each_nested(key, keys, rem) {
1367 		have_key = true;
1368 		break;
1369 	}
1370 
1371 	if (!have_key)
1372 		return NULL;
1373 
1374 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1375 	if (!result)
1376 		return ERR_PTR(-ENOMEM);
1377 
1378 	result->def = -1;
1379 
1380 	nla_for_each_nested(key, keys, rem) {
1381 		memset(&parse, 0, sizeof(parse));
1382 		parse.idx = -1;
1383 
1384 		err = nl80211_parse_key_new(info, key, &parse);
1385 		if (err)
1386 			goto error;
1387 		err = -EINVAL;
1388 		if (!parse.p.key)
1389 			goto error;
1390 		if (parse.idx < 0 || parse.idx > 3) {
1391 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1392 			goto error;
1393 		}
1394 		if (parse.def) {
1395 			if (def) {
1396 				GENL_SET_ERR_MSG(info,
1397 						 "only one key can be default");
1398 				goto error;
1399 			}
1400 			def = 1;
1401 			result->def = parse.idx;
1402 			if (!parse.def_uni || !parse.def_multi)
1403 				goto error;
1404 		} else if (parse.defmgmt)
1405 			goto error;
1406 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1407 						     parse.idx, false, NULL);
1408 		if (err)
1409 			goto error;
1410 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1411 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1412 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1413 			err = -EINVAL;
1414 			goto error;
1415 		}
1416 		result->params[parse.idx].cipher = parse.p.cipher;
1417 		result->params[parse.idx].key_len = parse.p.key_len;
1418 		result->params[parse.idx].key = result->data[parse.idx];
1419 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1420 
1421 		/* must be WEP key if we got here */
1422 		if (no_ht)
1423 			*no_ht = true;
1424 	}
1425 
1426 	if (result->def < 0) {
1427 		err = -EINVAL;
1428 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1429 		goto error;
1430 	}
1431 
1432 	return result;
1433  error:
1434 	kfree(result);
1435 	return ERR_PTR(err);
1436 }
1437 
1438 static int nl80211_key_allowed(struct wireless_dev *wdev)
1439 {
1440 	ASSERT_WDEV_LOCK(wdev);
1441 
1442 	switch (wdev->iftype) {
1443 	case NL80211_IFTYPE_AP:
1444 	case NL80211_IFTYPE_AP_VLAN:
1445 	case NL80211_IFTYPE_P2P_GO:
1446 	case NL80211_IFTYPE_MESH_POINT:
1447 		break;
1448 	case NL80211_IFTYPE_ADHOC:
1449 	case NL80211_IFTYPE_STATION:
1450 	case NL80211_IFTYPE_P2P_CLIENT:
1451 		if (!wdev->current_bss)
1452 			return -ENOLINK;
1453 		break;
1454 	case NL80211_IFTYPE_UNSPECIFIED:
1455 	case NL80211_IFTYPE_OCB:
1456 	case NL80211_IFTYPE_MONITOR:
1457 	case NL80211_IFTYPE_NAN:
1458 	case NL80211_IFTYPE_P2P_DEVICE:
1459 	case NL80211_IFTYPE_WDS:
1460 	case NUM_NL80211_IFTYPES:
1461 		return -EINVAL;
1462 	}
1463 
1464 	return 0;
1465 }
1466 
1467 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1468 							u32 freq)
1469 {
1470 	struct ieee80211_channel *chan;
1471 
1472 	chan = ieee80211_get_channel_khz(wiphy, freq);
1473 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1474 		return NULL;
1475 	return chan;
1476 }
1477 
1478 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1479 {
1480 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1481 	int i;
1482 
1483 	if (!nl_modes)
1484 		goto nla_put_failure;
1485 
1486 	i = 0;
1487 	while (ifmodes) {
1488 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1489 			goto nla_put_failure;
1490 		ifmodes >>= 1;
1491 		i++;
1492 	}
1493 
1494 	nla_nest_end(msg, nl_modes);
1495 	return 0;
1496 
1497 nla_put_failure:
1498 	return -ENOBUFS;
1499 }
1500 
1501 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1502 					  struct sk_buff *msg,
1503 					  bool large)
1504 {
1505 	struct nlattr *nl_combis;
1506 	int i, j;
1507 
1508 	nl_combis = nla_nest_start_noflag(msg,
1509 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1510 	if (!nl_combis)
1511 		goto nla_put_failure;
1512 
1513 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1514 		const struct ieee80211_iface_combination *c;
1515 		struct nlattr *nl_combi, *nl_limits;
1516 
1517 		c = &wiphy->iface_combinations[i];
1518 
1519 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1520 		if (!nl_combi)
1521 			goto nla_put_failure;
1522 
1523 		nl_limits = nla_nest_start_noflag(msg,
1524 						  NL80211_IFACE_COMB_LIMITS);
1525 		if (!nl_limits)
1526 			goto nla_put_failure;
1527 
1528 		for (j = 0; j < c->n_limits; j++) {
1529 			struct nlattr *nl_limit;
1530 
1531 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1532 			if (!nl_limit)
1533 				goto nla_put_failure;
1534 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1535 					c->limits[j].max))
1536 				goto nla_put_failure;
1537 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1538 						c->limits[j].types))
1539 				goto nla_put_failure;
1540 			nla_nest_end(msg, nl_limit);
1541 		}
1542 
1543 		nla_nest_end(msg, nl_limits);
1544 
1545 		if (c->beacon_int_infra_match &&
1546 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1547 			goto nla_put_failure;
1548 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1549 				c->num_different_channels) ||
1550 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1551 				c->max_interfaces))
1552 			goto nla_put_failure;
1553 		if (large &&
1554 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1555 				c->radar_detect_widths) ||
1556 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1557 				c->radar_detect_regions)))
1558 			goto nla_put_failure;
1559 		if (c->beacon_int_min_gcd &&
1560 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1561 				c->beacon_int_min_gcd))
1562 			goto nla_put_failure;
1563 
1564 		nla_nest_end(msg, nl_combi);
1565 	}
1566 
1567 	nla_nest_end(msg, nl_combis);
1568 
1569 	return 0;
1570 nla_put_failure:
1571 	return -ENOBUFS;
1572 }
1573 
1574 #ifdef CONFIG_PM
1575 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1576 					struct sk_buff *msg)
1577 {
1578 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1579 	struct nlattr *nl_tcp;
1580 
1581 	if (!tcp)
1582 		return 0;
1583 
1584 	nl_tcp = nla_nest_start_noflag(msg,
1585 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1586 	if (!nl_tcp)
1587 		return -ENOBUFS;
1588 
1589 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1590 			tcp->data_payload_max))
1591 		return -ENOBUFS;
1592 
1593 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1594 			tcp->data_payload_max))
1595 		return -ENOBUFS;
1596 
1597 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1598 		return -ENOBUFS;
1599 
1600 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1601 				sizeof(*tcp->tok), tcp->tok))
1602 		return -ENOBUFS;
1603 
1604 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1605 			tcp->data_interval_max))
1606 		return -ENOBUFS;
1607 
1608 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1609 			tcp->wake_payload_max))
1610 		return -ENOBUFS;
1611 
1612 	nla_nest_end(msg, nl_tcp);
1613 	return 0;
1614 }
1615 
1616 static int nl80211_send_wowlan(struct sk_buff *msg,
1617 			       struct cfg80211_registered_device *rdev,
1618 			       bool large)
1619 {
1620 	struct nlattr *nl_wowlan;
1621 
1622 	if (!rdev->wiphy.wowlan)
1623 		return 0;
1624 
1625 	nl_wowlan = nla_nest_start_noflag(msg,
1626 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1627 	if (!nl_wowlan)
1628 		return -ENOBUFS;
1629 
1630 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1631 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1632 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1633 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1634 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1635 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1636 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1637 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1638 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1639 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1640 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1641 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1642 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1643 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1644 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1645 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1646 		return -ENOBUFS;
1647 
1648 	if (rdev->wiphy.wowlan->n_patterns) {
1649 		struct nl80211_pattern_support pat = {
1650 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1651 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1652 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1653 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1654 		};
1655 
1656 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1657 			    sizeof(pat), &pat))
1658 			return -ENOBUFS;
1659 	}
1660 
1661 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1662 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1663 			rdev->wiphy.wowlan->max_nd_match_sets))
1664 		return -ENOBUFS;
1665 
1666 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1667 		return -ENOBUFS;
1668 
1669 	nla_nest_end(msg, nl_wowlan);
1670 
1671 	return 0;
1672 }
1673 #endif
1674 
1675 static int nl80211_send_coalesce(struct sk_buff *msg,
1676 				 struct cfg80211_registered_device *rdev)
1677 {
1678 	struct nl80211_coalesce_rule_support rule;
1679 
1680 	if (!rdev->wiphy.coalesce)
1681 		return 0;
1682 
1683 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1684 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1685 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1686 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1687 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1688 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1689 
1690 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1691 		return -ENOBUFS;
1692 
1693 	return 0;
1694 }
1695 
1696 static int
1697 nl80211_send_iftype_data(struct sk_buff *msg,
1698 			 const struct ieee80211_supported_band *sband,
1699 			 const struct ieee80211_sband_iftype_data *iftdata)
1700 {
1701 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1702 
1703 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1704 				iftdata->types_mask))
1705 		return -ENOBUFS;
1706 
1707 	if (he_cap->has_he) {
1708 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1709 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1710 			    he_cap->he_cap_elem.mac_cap_info) ||
1711 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1712 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1713 			    he_cap->he_cap_elem.phy_cap_info) ||
1714 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1715 			    sizeof(he_cap->he_mcs_nss_supp),
1716 			    &he_cap->he_mcs_nss_supp) ||
1717 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1718 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1719 			return -ENOBUFS;
1720 	}
1721 
1722 	if (sband->band == NL80211_BAND_6GHZ &&
1723 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1724 		    sizeof(iftdata->he_6ghz_capa),
1725 		    &iftdata->he_6ghz_capa))
1726 		return -ENOBUFS;
1727 
1728 	return 0;
1729 }
1730 
1731 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1732 				      struct ieee80211_supported_band *sband,
1733 				      bool large)
1734 {
1735 	struct nlattr *nl_rates, *nl_rate;
1736 	struct ieee80211_rate *rate;
1737 	int i;
1738 
1739 	/* add HT info */
1740 	if (sband->ht_cap.ht_supported &&
1741 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1742 		     sizeof(sband->ht_cap.mcs),
1743 		     &sband->ht_cap.mcs) ||
1744 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1745 			 sband->ht_cap.cap) ||
1746 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1747 			sband->ht_cap.ampdu_factor) ||
1748 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1749 			sband->ht_cap.ampdu_density)))
1750 		return -ENOBUFS;
1751 
1752 	/* add VHT info */
1753 	if (sband->vht_cap.vht_supported &&
1754 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1755 		     sizeof(sband->vht_cap.vht_mcs),
1756 		     &sband->vht_cap.vht_mcs) ||
1757 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1758 			 sband->vht_cap.cap)))
1759 		return -ENOBUFS;
1760 
1761 	if (large && sband->n_iftype_data) {
1762 		struct nlattr *nl_iftype_data =
1763 			nla_nest_start_noflag(msg,
1764 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1765 		int err;
1766 
1767 		if (!nl_iftype_data)
1768 			return -ENOBUFS;
1769 
1770 		for (i = 0; i < sband->n_iftype_data; i++) {
1771 			struct nlattr *iftdata;
1772 
1773 			iftdata = nla_nest_start_noflag(msg, i + 1);
1774 			if (!iftdata)
1775 				return -ENOBUFS;
1776 
1777 			err = nl80211_send_iftype_data(msg, sband,
1778 						       &sband->iftype_data[i]);
1779 			if (err)
1780 				return err;
1781 
1782 			nla_nest_end(msg, iftdata);
1783 		}
1784 
1785 		nla_nest_end(msg, nl_iftype_data);
1786 	}
1787 
1788 	/* add EDMG info */
1789 	if (large && sband->edmg_cap.channels &&
1790 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1791 		       sband->edmg_cap.channels) ||
1792 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1793 		       sband->edmg_cap.bw_config)))
1794 
1795 		return -ENOBUFS;
1796 
1797 	/* add bitrates */
1798 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1799 	if (!nl_rates)
1800 		return -ENOBUFS;
1801 
1802 	for (i = 0; i < sband->n_bitrates; i++) {
1803 		nl_rate = nla_nest_start_noflag(msg, i);
1804 		if (!nl_rate)
1805 			return -ENOBUFS;
1806 
1807 		rate = &sband->bitrates[i];
1808 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1809 				rate->bitrate))
1810 			return -ENOBUFS;
1811 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1812 		    nla_put_flag(msg,
1813 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1814 			return -ENOBUFS;
1815 
1816 		nla_nest_end(msg, nl_rate);
1817 	}
1818 
1819 	nla_nest_end(msg, nl_rates);
1820 
1821 	return 0;
1822 }
1823 
1824 static int
1825 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1826 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1827 {
1828 	u16 stypes;
1829 	struct nlattr *nl_ftypes, *nl_ifs;
1830 	enum nl80211_iftype ift;
1831 	int i;
1832 
1833 	if (!mgmt_stypes)
1834 		return 0;
1835 
1836 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1837 	if (!nl_ifs)
1838 		return -ENOBUFS;
1839 
1840 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1841 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1842 		if (!nl_ftypes)
1843 			return -ENOBUFS;
1844 		i = 0;
1845 		stypes = mgmt_stypes[ift].tx;
1846 		while (stypes) {
1847 			if ((stypes & 1) &&
1848 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1849 					(i << 4) | IEEE80211_FTYPE_MGMT))
1850 				return -ENOBUFS;
1851 			stypes >>= 1;
1852 			i++;
1853 		}
1854 		nla_nest_end(msg, nl_ftypes);
1855 	}
1856 
1857 	nla_nest_end(msg, nl_ifs);
1858 
1859 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1860 	if (!nl_ifs)
1861 		return -ENOBUFS;
1862 
1863 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1864 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1865 		if (!nl_ftypes)
1866 			return -ENOBUFS;
1867 		i = 0;
1868 		stypes = mgmt_stypes[ift].rx;
1869 		while (stypes) {
1870 			if ((stypes & 1) &&
1871 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1872 					(i << 4) | IEEE80211_FTYPE_MGMT))
1873 				return -ENOBUFS;
1874 			stypes >>= 1;
1875 			i++;
1876 		}
1877 		nla_nest_end(msg, nl_ftypes);
1878 	}
1879 	nla_nest_end(msg, nl_ifs);
1880 
1881 	return 0;
1882 }
1883 
1884 #define CMD(op, n)							\
1885 	 do {								\
1886 		if (rdev->ops->op) {					\
1887 			i++;						\
1888 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1889 				goto nla_put_failure;			\
1890 		}							\
1891 	} while (0)
1892 
1893 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1894 					struct sk_buff *msg)
1895 {
1896 	int i = 0;
1897 
1898 	/*
1899 	 * do *NOT* add anything into this function, new things need to be
1900 	 * advertised only to new versions of userspace that can deal with
1901 	 * the split (and they can't possibly care about new features...
1902 	 */
1903 	CMD(add_virtual_intf, NEW_INTERFACE);
1904 	CMD(change_virtual_intf, SET_INTERFACE);
1905 	CMD(add_key, NEW_KEY);
1906 	CMD(start_ap, START_AP);
1907 	CMD(add_station, NEW_STATION);
1908 	CMD(add_mpath, NEW_MPATH);
1909 	CMD(update_mesh_config, SET_MESH_CONFIG);
1910 	CMD(change_bss, SET_BSS);
1911 	CMD(auth, AUTHENTICATE);
1912 	CMD(assoc, ASSOCIATE);
1913 	CMD(deauth, DEAUTHENTICATE);
1914 	CMD(disassoc, DISASSOCIATE);
1915 	CMD(join_ibss, JOIN_IBSS);
1916 	CMD(join_mesh, JOIN_MESH);
1917 	CMD(set_pmksa, SET_PMKSA);
1918 	CMD(del_pmksa, DEL_PMKSA);
1919 	CMD(flush_pmksa, FLUSH_PMKSA);
1920 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1921 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1922 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1923 	CMD(mgmt_tx, FRAME);
1924 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1925 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1926 		i++;
1927 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1928 			goto nla_put_failure;
1929 	}
1930 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1931 	    rdev->ops->join_mesh) {
1932 		i++;
1933 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1934 			goto nla_put_failure;
1935 	}
1936 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1937 		CMD(tdls_mgmt, TDLS_MGMT);
1938 		CMD(tdls_oper, TDLS_OPER);
1939 	}
1940 	if (rdev->wiphy.max_sched_scan_reqs)
1941 		CMD(sched_scan_start, START_SCHED_SCAN);
1942 	CMD(probe_client, PROBE_CLIENT);
1943 	CMD(set_noack_map, SET_NOACK_MAP);
1944 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1945 		i++;
1946 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1947 			goto nla_put_failure;
1948 	}
1949 	CMD(start_p2p_device, START_P2P_DEVICE);
1950 	CMD(set_mcast_rate, SET_MCAST_RATE);
1951 #ifdef CONFIG_NL80211_TESTMODE
1952 	CMD(testmode_cmd, TESTMODE);
1953 #endif
1954 
1955 	if (rdev->ops->connect || rdev->ops->auth) {
1956 		i++;
1957 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1958 			goto nla_put_failure;
1959 	}
1960 
1961 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1962 		i++;
1963 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1964 			goto nla_put_failure;
1965 	}
1966 
1967 	return i;
1968  nla_put_failure:
1969 	return -ENOBUFS;
1970 }
1971 
1972 static int
1973 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1974 			   struct sk_buff *msg)
1975 {
1976 	struct nlattr *ftm;
1977 
1978 	if (!cap->ftm.supported)
1979 		return 0;
1980 
1981 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1982 	if (!ftm)
1983 		return -ENOBUFS;
1984 
1985 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1986 		return -ENOBUFS;
1987 	if (cap->ftm.non_asap &&
1988 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1989 		return -ENOBUFS;
1990 	if (cap->ftm.request_lci &&
1991 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1992 		return -ENOBUFS;
1993 	if (cap->ftm.request_civicloc &&
1994 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1995 		return -ENOBUFS;
1996 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1997 			cap->ftm.preambles))
1998 		return -ENOBUFS;
1999 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2000 			cap->ftm.bandwidths))
2001 		return -ENOBUFS;
2002 	if (cap->ftm.max_bursts_exponent >= 0 &&
2003 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2004 			cap->ftm.max_bursts_exponent))
2005 		return -ENOBUFS;
2006 	if (cap->ftm.max_ftms_per_burst &&
2007 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2008 			cap->ftm.max_ftms_per_burst))
2009 		return -ENOBUFS;
2010 	if (cap->ftm.trigger_based &&
2011 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2012 		return -ENOBUFS;
2013 	if (cap->ftm.non_trigger_based &&
2014 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2015 		return -ENOBUFS;
2016 
2017 	nla_nest_end(msg, ftm);
2018 	return 0;
2019 }
2020 
2021 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2022 				  struct sk_buff *msg)
2023 {
2024 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2025 	struct nlattr *pmsr, *caps;
2026 
2027 	if (!cap)
2028 		return 0;
2029 
2030 	/*
2031 	 * we don't need to clean up anything here since the caller
2032 	 * will genlmsg_cancel() if we fail
2033 	 */
2034 
2035 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2036 	if (!pmsr)
2037 		return -ENOBUFS;
2038 
2039 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2040 		return -ENOBUFS;
2041 
2042 	if (cap->report_ap_tsf &&
2043 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2044 		return -ENOBUFS;
2045 
2046 	if (cap->randomize_mac_addr &&
2047 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2048 		return -ENOBUFS;
2049 
2050 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2051 	if (!caps)
2052 		return -ENOBUFS;
2053 
2054 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2055 		return -ENOBUFS;
2056 
2057 	nla_nest_end(msg, caps);
2058 	nla_nest_end(msg, pmsr);
2059 
2060 	return 0;
2061 }
2062 
2063 static int
2064 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2065 			      struct sk_buff *msg)
2066 {
2067 	int i;
2068 	struct nlattr *nested, *nested_akms;
2069 	const struct wiphy_iftype_akm_suites *iftype_akms;
2070 
2071 	if (!rdev->wiphy.num_iftype_akm_suites ||
2072 	    !rdev->wiphy.iftype_akm_suites)
2073 		return 0;
2074 
2075 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2076 	if (!nested)
2077 		return -ENOBUFS;
2078 
2079 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2080 		nested_akms = nla_nest_start(msg, i + 1);
2081 		if (!nested_akms)
2082 			return -ENOBUFS;
2083 
2084 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2085 
2086 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2087 					iftype_akms->iftypes_mask))
2088 			return -ENOBUFS;
2089 
2090 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2091 			    sizeof(u32) * iftype_akms->n_akm_suites,
2092 			    iftype_akms->akm_suites)) {
2093 			return -ENOBUFS;
2094 		}
2095 		nla_nest_end(msg, nested_akms);
2096 	}
2097 
2098 	nla_nest_end(msg, nested);
2099 
2100 	return 0;
2101 }
2102 
2103 static int
2104 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2105 			       struct sk_buff *msg)
2106 {
2107 	struct nlattr *supp;
2108 
2109 	if (!rdev->wiphy.tid_config_support.vif &&
2110 	    !rdev->wiphy.tid_config_support.peer)
2111 		return 0;
2112 
2113 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2114 	if (!supp)
2115 		return -ENOSPC;
2116 
2117 	if (rdev->wiphy.tid_config_support.vif &&
2118 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2119 			      rdev->wiphy.tid_config_support.vif,
2120 			      NL80211_TID_CONFIG_ATTR_PAD))
2121 		goto fail;
2122 
2123 	if (rdev->wiphy.tid_config_support.peer &&
2124 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2125 			      rdev->wiphy.tid_config_support.peer,
2126 			      NL80211_TID_CONFIG_ATTR_PAD))
2127 		goto fail;
2128 
2129 	/* for now we just use the same value ... makes more sense */
2130 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2131 		       rdev->wiphy.tid_config_support.max_retry))
2132 		goto fail;
2133 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2134 		       rdev->wiphy.tid_config_support.max_retry))
2135 		goto fail;
2136 
2137 	nla_nest_end(msg, supp);
2138 
2139 	return 0;
2140 fail:
2141 	nla_nest_cancel(msg, supp);
2142 	return -ENOBUFS;
2143 }
2144 
2145 static int
2146 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2147 		      struct sk_buff *msg)
2148 {
2149 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2150 	u8 num_freq_ranges;
2151 	int i;
2152 
2153 	if (!rdev->wiphy.sar_capa)
2154 		return 0;
2155 
2156 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2157 
2158 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2159 	if (!sar_capa)
2160 		return -ENOSPC;
2161 
2162 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2163 		goto fail;
2164 
2165 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2166 	if (!specs)
2167 		goto fail;
2168 
2169 	/* report supported freq_ranges */
2170 	for (i = 0; i < num_freq_ranges; i++) {
2171 		sub_freq_range = nla_nest_start(msg, i + 1);
2172 		if (!sub_freq_range)
2173 			goto fail;
2174 
2175 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2176 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2177 			goto fail;
2178 
2179 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2180 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2181 			goto fail;
2182 
2183 		nla_nest_end(msg, sub_freq_range);
2184 	}
2185 
2186 	nla_nest_end(msg, specs);
2187 	nla_nest_end(msg, sar_capa);
2188 
2189 	return 0;
2190 fail:
2191 	nla_nest_cancel(msg, sar_capa);
2192 	return -ENOBUFS;
2193 }
2194 
2195 struct nl80211_dump_wiphy_state {
2196 	s64 filter_wiphy;
2197 	long start;
2198 	long split_start, band_start, chan_start, capa_start;
2199 	bool split;
2200 };
2201 
2202 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2203 			      enum nl80211_commands cmd,
2204 			      struct sk_buff *msg, u32 portid, u32 seq,
2205 			      int flags, struct nl80211_dump_wiphy_state *state)
2206 {
2207 	void *hdr;
2208 	struct nlattr *nl_bands, *nl_band;
2209 	struct nlattr *nl_freqs, *nl_freq;
2210 	struct nlattr *nl_cmds;
2211 	enum nl80211_band band;
2212 	struct ieee80211_channel *chan;
2213 	int i;
2214 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2215 				rdev->wiphy.mgmt_stypes;
2216 	u32 features;
2217 
2218 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2219 	if (!hdr)
2220 		return -ENOBUFS;
2221 
2222 	if (WARN_ON(!state))
2223 		return -EINVAL;
2224 
2225 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2226 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2227 			   wiphy_name(&rdev->wiphy)) ||
2228 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2229 			cfg80211_rdev_list_generation))
2230 		goto nla_put_failure;
2231 
2232 	if (cmd != NL80211_CMD_NEW_WIPHY)
2233 		goto finish;
2234 
2235 	switch (state->split_start) {
2236 	case 0:
2237 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2238 			       rdev->wiphy.retry_short) ||
2239 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2240 			       rdev->wiphy.retry_long) ||
2241 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2242 				rdev->wiphy.frag_threshold) ||
2243 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2244 				rdev->wiphy.rts_threshold) ||
2245 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2246 			       rdev->wiphy.coverage_class) ||
2247 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2248 			       rdev->wiphy.max_scan_ssids) ||
2249 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2250 			       rdev->wiphy.max_sched_scan_ssids) ||
2251 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2252 				rdev->wiphy.max_scan_ie_len) ||
2253 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2254 				rdev->wiphy.max_sched_scan_ie_len) ||
2255 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2256 			       rdev->wiphy.max_match_sets))
2257 			goto nla_put_failure;
2258 
2259 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2260 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2261 			goto nla_put_failure;
2262 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2263 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2264 			goto nla_put_failure;
2265 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2266 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2267 			goto nla_put_failure;
2268 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2269 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2270 			goto nla_put_failure;
2271 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2272 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2273 			goto nla_put_failure;
2274 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2275 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2276 			goto nla_put_failure;
2277 		state->split_start++;
2278 		if (state->split)
2279 			break;
2280 		fallthrough;
2281 	case 1:
2282 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2283 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2284 			    rdev->wiphy.cipher_suites))
2285 			goto nla_put_failure;
2286 
2287 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2288 			       rdev->wiphy.max_num_pmkids))
2289 			goto nla_put_failure;
2290 
2291 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2292 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2293 			goto nla_put_failure;
2294 
2295 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2296 				rdev->wiphy.available_antennas_tx) ||
2297 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2298 				rdev->wiphy.available_antennas_rx))
2299 			goto nla_put_failure;
2300 
2301 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2302 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2303 				rdev->wiphy.probe_resp_offload))
2304 			goto nla_put_failure;
2305 
2306 		if ((rdev->wiphy.available_antennas_tx ||
2307 		     rdev->wiphy.available_antennas_rx) &&
2308 		    rdev->ops->get_antenna) {
2309 			u32 tx_ant = 0, rx_ant = 0;
2310 			int res;
2311 
2312 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2313 			if (!res) {
2314 				if (nla_put_u32(msg,
2315 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2316 						tx_ant) ||
2317 				    nla_put_u32(msg,
2318 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2319 						rx_ant))
2320 					goto nla_put_failure;
2321 			}
2322 		}
2323 
2324 		state->split_start++;
2325 		if (state->split)
2326 			break;
2327 		fallthrough;
2328 	case 2:
2329 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2330 					rdev->wiphy.interface_modes))
2331 				goto nla_put_failure;
2332 		state->split_start++;
2333 		if (state->split)
2334 			break;
2335 		fallthrough;
2336 	case 3:
2337 		nl_bands = nla_nest_start_noflag(msg,
2338 						 NL80211_ATTR_WIPHY_BANDS);
2339 		if (!nl_bands)
2340 			goto nla_put_failure;
2341 
2342 		for (band = state->band_start;
2343 		     band < NUM_NL80211_BANDS; band++) {
2344 			struct ieee80211_supported_band *sband;
2345 
2346 			/* omit higher bands for ancient software */
2347 			if (band > NL80211_BAND_5GHZ && !state->split)
2348 				break;
2349 
2350 			sband = rdev->wiphy.bands[band];
2351 
2352 			if (!sband)
2353 				continue;
2354 
2355 			nl_band = nla_nest_start_noflag(msg, band);
2356 			if (!nl_band)
2357 				goto nla_put_failure;
2358 
2359 			switch (state->chan_start) {
2360 			case 0:
2361 				if (nl80211_send_band_rateinfo(msg, sband,
2362 							       state->split))
2363 					goto nla_put_failure;
2364 				state->chan_start++;
2365 				if (state->split)
2366 					break;
2367 				fallthrough;
2368 			default:
2369 				/* add frequencies */
2370 				nl_freqs = nla_nest_start_noflag(msg,
2371 								 NL80211_BAND_ATTR_FREQS);
2372 				if (!nl_freqs)
2373 					goto nla_put_failure;
2374 
2375 				for (i = state->chan_start - 1;
2376 				     i < sband->n_channels;
2377 				     i++) {
2378 					nl_freq = nla_nest_start_noflag(msg,
2379 									i);
2380 					if (!nl_freq)
2381 						goto nla_put_failure;
2382 
2383 					chan = &sband->channels[i];
2384 
2385 					if (nl80211_msg_put_channel(
2386 							msg, &rdev->wiphy, chan,
2387 							state->split))
2388 						goto nla_put_failure;
2389 
2390 					nla_nest_end(msg, nl_freq);
2391 					if (state->split)
2392 						break;
2393 				}
2394 				if (i < sband->n_channels)
2395 					state->chan_start = i + 2;
2396 				else
2397 					state->chan_start = 0;
2398 				nla_nest_end(msg, nl_freqs);
2399 			}
2400 
2401 			nla_nest_end(msg, nl_band);
2402 
2403 			if (state->split) {
2404 				/* start again here */
2405 				if (state->chan_start)
2406 					band--;
2407 				break;
2408 			}
2409 		}
2410 		nla_nest_end(msg, nl_bands);
2411 
2412 		if (band < NUM_NL80211_BANDS)
2413 			state->band_start = band + 1;
2414 		else
2415 			state->band_start = 0;
2416 
2417 		/* if bands & channels are done, continue outside */
2418 		if (state->band_start == 0 && state->chan_start == 0)
2419 			state->split_start++;
2420 		if (state->split)
2421 			break;
2422 		fallthrough;
2423 	case 4:
2424 		nl_cmds = nla_nest_start_noflag(msg,
2425 						NL80211_ATTR_SUPPORTED_COMMANDS);
2426 		if (!nl_cmds)
2427 			goto nla_put_failure;
2428 
2429 		i = nl80211_add_commands_unsplit(rdev, msg);
2430 		if (i < 0)
2431 			goto nla_put_failure;
2432 		if (state->split) {
2433 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2434 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2435 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2436 				CMD(channel_switch, CHANNEL_SWITCH);
2437 			CMD(set_qos_map, SET_QOS_MAP);
2438 			if (rdev->wiphy.features &
2439 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2440 				CMD(add_tx_ts, ADD_TX_TS);
2441 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2442 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2443 			CMD(update_ft_ies, UPDATE_FT_IES);
2444 			if (rdev->wiphy.sar_capa)
2445 				CMD(set_sar_specs, SET_SAR_SPECS);
2446 		}
2447 #undef CMD
2448 
2449 		nla_nest_end(msg, nl_cmds);
2450 		state->split_start++;
2451 		if (state->split)
2452 			break;
2453 		fallthrough;
2454 	case 5:
2455 		if (rdev->ops->remain_on_channel &&
2456 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2457 		    nla_put_u32(msg,
2458 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2459 				rdev->wiphy.max_remain_on_channel_duration))
2460 			goto nla_put_failure;
2461 
2462 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2463 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2464 			goto nla_put_failure;
2465 
2466 		state->split_start++;
2467 		if (state->split)
2468 			break;
2469 		fallthrough;
2470 	case 6:
2471 #ifdef CONFIG_PM
2472 		if (nl80211_send_wowlan(msg, rdev, state->split))
2473 			goto nla_put_failure;
2474 		state->split_start++;
2475 		if (state->split)
2476 			break;
2477 #else
2478 		state->split_start++;
2479 #endif
2480 		fallthrough;
2481 	case 7:
2482 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2483 					rdev->wiphy.software_iftypes))
2484 			goto nla_put_failure;
2485 
2486 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2487 						   state->split))
2488 			goto nla_put_failure;
2489 
2490 		state->split_start++;
2491 		if (state->split)
2492 			break;
2493 		fallthrough;
2494 	case 8:
2495 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2496 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2497 				rdev->wiphy.ap_sme_capa))
2498 			goto nla_put_failure;
2499 
2500 		features = rdev->wiphy.features;
2501 		/*
2502 		 * We can only add the per-channel limit information if the
2503 		 * dump is split, otherwise it makes it too big. Therefore
2504 		 * only advertise it in that case.
2505 		 */
2506 		if (state->split)
2507 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2508 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2509 			goto nla_put_failure;
2510 
2511 		if (rdev->wiphy.ht_capa_mod_mask &&
2512 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2513 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2514 			    rdev->wiphy.ht_capa_mod_mask))
2515 			goto nla_put_failure;
2516 
2517 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2518 		    rdev->wiphy.max_acl_mac_addrs &&
2519 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2520 				rdev->wiphy.max_acl_mac_addrs))
2521 			goto nla_put_failure;
2522 
2523 		/*
2524 		 * Any information below this point is only available to
2525 		 * applications that can deal with it being split. This
2526 		 * helps ensure that newly added capabilities don't break
2527 		 * older tools by overrunning their buffers.
2528 		 *
2529 		 * We still increment split_start so that in the split
2530 		 * case we'll continue with more data in the next round,
2531 		 * but break unconditionally so unsplit data stops here.
2532 		 */
2533 		if (state->split)
2534 			state->split_start++;
2535 		else
2536 			state->split_start = 0;
2537 		break;
2538 	case 9:
2539 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2540 			goto nla_put_failure;
2541 
2542 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2543 				rdev->wiphy.max_sched_scan_plans) ||
2544 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2545 				rdev->wiphy.max_sched_scan_plan_interval) ||
2546 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2547 				rdev->wiphy.max_sched_scan_plan_iterations))
2548 			goto nla_put_failure;
2549 
2550 		if (rdev->wiphy.extended_capabilities &&
2551 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2552 			     rdev->wiphy.extended_capabilities_len,
2553 			     rdev->wiphy.extended_capabilities) ||
2554 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2555 			     rdev->wiphy.extended_capabilities_len,
2556 			     rdev->wiphy.extended_capabilities_mask)))
2557 			goto nla_put_failure;
2558 
2559 		if (rdev->wiphy.vht_capa_mod_mask &&
2560 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2561 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2562 			    rdev->wiphy.vht_capa_mod_mask))
2563 			goto nla_put_failure;
2564 
2565 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2566 			    rdev->wiphy.perm_addr))
2567 			goto nla_put_failure;
2568 
2569 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2570 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2571 			    rdev->wiphy.addr_mask))
2572 			goto nla_put_failure;
2573 
2574 		if (rdev->wiphy.n_addresses > 1) {
2575 			void *attr;
2576 
2577 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2578 			if (!attr)
2579 				goto nla_put_failure;
2580 
2581 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2582 				if (nla_put(msg, i + 1, ETH_ALEN,
2583 					    rdev->wiphy.addresses[i].addr))
2584 					goto nla_put_failure;
2585 
2586 			nla_nest_end(msg, attr);
2587 		}
2588 
2589 		state->split_start++;
2590 		break;
2591 	case 10:
2592 		if (nl80211_send_coalesce(msg, rdev))
2593 			goto nla_put_failure;
2594 
2595 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2596 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2597 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2598 			goto nla_put_failure;
2599 
2600 		if (rdev->wiphy.max_ap_assoc_sta &&
2601 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2602 				rdev->wiphy.max_ap_assoc_sta))
2603 			goto nla_put_failure;
2604 
2605 		state->split_start++;
2606 		break;
2607 	case 11:
2608 		if (rdev->wiphy.n_vendor_commands) {
2609 			const struct nl80211_vendor_cmd_info *info;
2610 			struct nlattr *nested;
2611 
2612 			nested = nla_nest_start_noflag(msg,
2613 						       NL80211_ATTR_VENDOR_DATA);
2614 			if (!nested)
2615 				goto nla_put_failure;
2616 
2617 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2618 				info = &rdev->wiphy.vendor_commands[i].info;
2619 				if (nla_put(msg, i + 1, sizeof(*info), info))
2620 					goto nla_put_failure;
2621 			}
2622 			nla_nest_end(msg, nested);
2623 		}
2624 
2625 		if (rdev->wiphy.n_vendor_events) {
2626 			const struct nl80211_vendor_cmd_info *info;
2627 			struct nlattr *nested;
2628 
2629 			nested = nla_nest_start_noflag(msg,
2630 						       NL80211_ATTR_VENDOR_EVENTS);
2631 			if (!nested)
2632 				goto nla_put_failure;
2633 
2634 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2635 				info = &rdev->wiphy.vendor_events[i];
2636 				if (nla_put(msg, i + 1, sizeof(*info), info))
2637 					goto nla_put_failure;
2638 			}
2639 			nla_nest_end(msg, nested);
2640 		}
2641 		state->split_start++;
2642 		break;
2643 	case 12:
2644 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2645 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2646 			       rdev->wiphy.max_num_csa_counters))
2647 			goto nla_put_failure;
2648 
2649 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2650 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2651 			goto nla_put_failure;
2652 
2653 		if (rdev->wiphy.max_sched_scan_reqs &&
2654 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2655 				rdev->wiphy.max_sched_scan_reqs))
2656 			goto nla_put_failure;
2657 
2658 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2659 			    sizeof(rdev->wiphy.ext_features),
2660 			    rdev->wiphy.ext_features))
2661 			goto nla_put_failure;
2662 
2663 		if (rdev->wiphy.bss_select_support) {
2664 			struct nlattr *nested;
2665 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2666 
2667 			nested = nla_nest_start_noflag(msg,
2668 						       NL80211_ATTR_BSS_SELECT);
2669 			if (!nested)
2670 				goto nla_put_failure;
2671 
2672 			i = 0;
2673 			while (bss_select_support) {
2674 				if ((bss_select_support & 1) &&
2675 				    nla_put_flag(msg, i))
2676 					goto nla_put_failure;
2677 				i++;
2678 				bss_select_support >>= 1;
2679 			}
2680 			nla_nest_end(msg, nested);
2681 		}
2682 
2683 		state->split_start++;
2684 		break;
2685 	case 13:
2686 		if (rdev->wiphy.num_iftype_ext_capab &&
2687 		    rdev->wiphy.iftype_ext_capab) {
2688 			struct nlattr *nested_ext_capab, *nested;
2689 
2690 			nested = nla_nest_start_noflag(msg,
2691 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2692 			if (!nested)
2693 				goto nla_put_failure;
2694 
2695 			for (i = state->capa_start;
2696 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2697 				const struct wiphy_iftype_ext_capab *capab;
2698 
2699 				capab = &rdev->wiphy.iftype_ext_capab[i];
2700 
2701 				nested_ext_capab = nla_nest_start_noflag(msg,
2702 									 i);
2703 				if (!nested_ext_capab ||
2704 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2705 						capab->iftype) ||
2706 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2707 					    capab->extended_capabilities_len,
2708 					    capab->extended_capabilities) ||
2709 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2710 					    capab->extended_capabilities_len,
2711 					    capab->extended_capabilities_mask))
2712 					goto nla_put_failure;
2713 
2714 				nla_nest_end(msg, nested_ext_capab);
2715 				if (state->split)
2716 					break;
2717 			}
2718 			nla_nest_end(msg, nested);
2719 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2720 				state->capa_start = i + 1;
2721 				break;
2722 			}
2723 		}
2724 
2725 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2726 				rdev->wiphy.nan_supported_bands))
2727 			goto nla_put_failure;
2728 
2729 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2730 					    NL80211_EXT_FEATURE_TXQS)) {
2731 			struct cfg80211_txq_stats txqstats = {};
2732 			int res;
2733 
2734 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2735 			if (!res &&
2736 			    !nl80211_put_txq_stats(msg, &txqstats,
2737 						   NL80211_ATTR_TXQ_STATS))
2738 				goto nla_put_failure;
2739 
2740 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2741 					rdev->wiphy.txq_limit))
2742 				goto nla_put_failure;
2743 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2744 					rdev->wiphy.txq_memory_limit))
2745 				goto nla_put_failure;
2746 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2747 					rdev->wiphy.txq_quantum))
2748 				goto nla_put_failure;
2749 		}
2750 
2751 		state->split_start++;
2752 		break;
2753 	case 14:
2754 		if (nl80211_send_pmsr_capa(rdev, msg))
2755 			goto nla_put_failure;
2756 
2757 		state->split_start++;
2758 		break;
2759 	case 15:
2760 		if (rdev->wiphy.akm_suites &&
2761 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2762 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2763 			    rdev->wiphy.akm_suites))
2764 			goto nla_put_failure;
2765 
2766 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2767 			goto nla_put_failure;
2768 
2769 		if (nl80211_put_tid_config_support(rdev, msg))
2770 			goto nla_put_failure;
2771 		state->split_start++;
2772 		break;
2773 	case 16:
2774 		if (nl80211_put_sar_specs(rdev, msg))
2775 			goto nla_put_failure;
2776 
2777 		/* done */
2778 		state->split_start = 0;
2779 		break;
2780 	}
2781  finish:
2782 	genlmsg_end(msg, hdr);
2783 	return 0;
2784 
2785  nla_put_failure:
2786 	genlmsg_cancel(msg, hdr);
2787 	return -EMSGSIZE;
2788 }
2789 
2790 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2791 				    struct netlink_callback *cb,
2792 				    struct nl80211_dump_wiphy_state *state)
2793 {
2794 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2795 	int ret;
2796 
2797 	if (!tb)
2798 		return -ENOMEM;
2799 
2800 	ret = nlmsg_parse_deprecated(cb->nlh,
2801 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2802 				     tb, nl80211_fam.maxattr,
2803 				     nl80211_policy, NULL);
2804 	/* ignore parse errors for backward compatibility */
2805 	if (ret) {
2806 		ret = 0;
2807 		goto out;
2808 	}
2809 
2810 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2811 	if (tb[NL80211_ATTR_WIPHY])
2812 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2813 	if (tb[NL80211_ATTR_WDEV])
2814 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2815 	if (tb[NL80211_ATTR_IFINDEX]) {
2816 		struct net_device *netdev;
2817 		struct cfg80211_registered_device *rdev;
2818 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2819 
2820 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2821 		if (!netdev) {
2822 			ret = -ENODEV;
2823 			goto out;
2824 		}
2825 		if (netdev->ieee80211_ptr) {
2826 			rdev = wiphy_to_rdev(
2827 				netdev->ieee80211_ptr->wiphy);
2828 			state->filter_wiphy = rdev->wiphy_idx;
2829 		}
2830 	}
2831 
2832 	ret = 0;
2833 out:
2834 	kfree(tb);
2835 	return ret;
2836 }
2837 
2838 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2839 {
2840 	int idx = 0, ret;
2841 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2842 	struct cfg80211_registered_device *rdev;
2843 
2844 	rtnl_lock();
2845 	if (!state) {
2846 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2847 		if (!state) {
2848 			rtnl_unlock();
2849 			return -ENOMEM;
2850 		}
2851 		state->filter_wiphy = -1;
2852 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2853 		if (ret) {
2854 			kfree(state);
2855 			rtnl_unlock();
2856 			return ret;
2857 		}
2858 		cb->args[0] = (long)state;
2859 	}
2860 
2861 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2862 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2863 			continue;
2864 		if (++idx <= state->start)
2865 			continue;
2866 		if (state->filter_wiphy != -1 &&
2867 		    state->filter_wiphy != rdev->wiphy_idx)
2868 			continue;
2869 		/* attempt to fit multiple wiphy data chunks into the skb */
2870 		do {
2871 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2872 						 skb,
2873 						 NETLINK_CB(cb->skb).portid,
2874 						 cb->nlh->nlmsg_seq,
2875 						 NLM_F_MULTI, state);
2876 			if (ret < 0) {
2877 				/*
2878 				 * If sending the wiphy data didn't fit (ENOBUFS
2879 				 * or EMSGSIZE returned), this SKB is still
2880 				 * empty (so it's not too big because another
2881 				 * wiphy dataset is already in the skb) and
2882 				 * we've not tried to adjust the dump allocation
2883 				 * yet ... then adjust the alloc size to be
2884 				 * bigger, and return 1 but with the empty skb.
2885 				 * This results in an empty message being RX'ed
2886 				 * in userspace, but that is ignored.
2887 				 *
2888 				 * We can then retry with the larger buffer.
2889 				 */
2890 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2891 				    !skb->len && !state->split &&
2892 				    cb->min_dump_alloc < 4096) {
2893 					cb->min_dump_alloc = 4096;
2894 					state->split_start = 0;
2895 					rtnl_unlock();
2896 					return 1;
2897 				}
2898 				idx--;
2899 				break;
2900 			}
2901 		} while (state->split_start > 0);
2902 		break;
2903 	}
2904 	rtnl_unlock();
2905 
2906 	state->start = idx;
2907 
2908 	return skb->len;
2909 }
2910 
2911 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2912 {
2913 	kfree((void *)cb->args[0]);
2914 	return 0;
2915 }
2916 
2917 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2918 {
2919 	struct sk_buff *msg;
2920 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2921 	struct nl80211_dump_wiphy_state state = {};
2922 
2923 	msg = nlmsg_new(4096, GFP_KERNEL);
2924 	if (!msg)
2925 		return -ENOMEM;
2926 
2927 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2928 			       info->snd_portid, info->snd_seq, 0,
2929 			       &state) < 0) {
2930 		nlmsg_free(msg);
2931 		return -ENOBUFS;
2932 	}
2933 
2934 	return genlmsg_reply(msg, info);
2935 }
2936 
2937 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2938 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2939 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2940 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2941 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2942 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2943 };
2944 
2945 static int parse_txq_params(struct nlattr *tb[],
2946 			    struct ieee80211_txq_params *txq_params)
2947 {
2948 	u8 ac;
2949 
2950 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2951 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2952 	    !tb[NL80211_TXQ_ATTR_AIFS])
2953 		return -EINVAL;
2954 
2955 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2956 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2957 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2958 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2959 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2960 
2961 	if (ac >= NL80211_NUM_ACS)
2962 		return -EINVAL;
2963 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2964 	return 0;
2965 }
2966 
2967 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2968 {
2969 	/*
2970 	 * You can only set the channel explicitly for some interfaces,
2971 	 * most have their channel managed via their respective
2972 	 * "establish a connection" command (connect, join, ...)
2973 	 *
2974 	 * For AP/GO and mesh mode, the channel can be set with the
2975 	 * channel userspace API, but is only stored and passed to the
2976 	 * low-level driver when the AP starts or the mesh is joined.
2977 	 * This is for backward compatibility, userspace can also give
2978 	 * the channel in the start-ap or join-mesh commands instead.
2979 	 *
2980 	 * Monitors are special as they are normally slaved to
2981 	 * whatever else is going on, so they have their own special
2982 	 * operation to set the monitor channel if possible.
2983 	 */
2984 	return !wdev ||
2985 		wdev->iftype == NL80211_IFTYPE_AP ||
2986 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2987 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2988 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2989 }
2990 
2991 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2992 			  struct genl_info *info,
2993 			  struct cfg80211_chan_def *chandef)
2994 {
2995 	struct netlink_ext_ack *extack = info->extack;
2996 	struct nlattr **attrs = info->attrs;
2997 	u32 control_freq;
2998 
2999 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
3000 		return -EINVAL;
3001 
3002 	control_freq = MHZ_TO_KHZ(
3003 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3004 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3005 		control_freq +=
3006 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3007 
3008 	memset(chandef, 0, sizeof(*chandef));
3009 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3010 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3011 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3012 	chandef->freq1_offset = control_freq % 1000;
3013 	chandef->center_freq2 = 0;
3014 
3015 	/* Primary channel not allowed */
3016 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3017 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3018 				    "Channel is disabled");
3019 		return -EINVAL;
3020 	}
3021 
3022 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3023 		enum nl80211_channel_type chantype;
3024 
3025 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3026 
3027 		switch (chantype) {
3028 		case NL80211_CHAN_NO_HT:
3029 		case NL80211_CHAN_HT20:
3030 		case NL80211_CHAN_HT40PLUS:
3031 		case NL80211_CHAN_HT40MINUS:
3032 			cfg80211_chandef_create(chandef, chandef->chan,
3033 						chantype);
3034 			/* user input for center_freq is incorrect */
3035 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3036 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3037 				NL_SET_ERR_MSG_ATTR(extack,
3038 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3039 						    "bad center frequency 1");
3040 				return -EINVAL;
3041 			}
3042 			/* center_freq2 must be zero */
3043 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3044 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3045 				NL_SET_ERR_MSG_ATTR(extack,
3046 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3047 						    "center frequency 2 can't be used");
3048 				return -EINVAL;
3049 			}
3050 			break;
3051 		default:
3052 			NL_SET_ERR_MSG_ATTR(extack,
3053 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3054 					    "invalid channel type");
3055 			return -EINVAL;
3056 		}
3057 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3058 		chandef->width =
3059 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3060 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3061 			chandef->center_freq1 =
3062 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3063 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3064 				chandef->freq1_offset = nla_get_u32(
3065 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3066 			else
3067 				chandef->freq1_offset = 0;
3068 		}
3069 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3070 			chandef->center_freq2 =
3071 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3072 	}
3073 
3074 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3075 		chandef->edmg.channels =
3076 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3077 
3078 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3079 			chandef->edmg.bw_config =
3080 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3081 	} else {
3082 		chandef->edmg.bw_config = 0;
3083 		chandef->edmg.channels = 0;
3084 	}
3085 
3086 	if (!cfg80211_chandef_valid(chandef)) {
3087 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3088 		return -EINVAL;
3089 	}
3090 
3091 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3092 				     IEEE80211_CHAN_DISABLED)) {
3093 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3094 		return -EINVAL;
3095 	}
3096 
3097 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3098 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3099 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3100 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3101 		return -EINVAL;
3102 	}
3103 
3104 	return 0;
3105 }
3106 
3107 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3108 				 struct net_device *dev,
3109 				 struct genl_info *info)
3110 {
3111 	struct cfg80211_chan_def chandef;
3112 	int result;
3113 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3114 	struct wireless_dev *wdev = NULL;
3115 
3116 	if (dev)
3117 		wdev = dev->ieee80211_ptr;
3118 	if (!nl80211_can_set_dev_channel(wdev))
3119 		return -EOPNOTSUPP;
3120 	if (wdev)
3121 		iftype = wdev->iftype;
3122 
3123 	result = nl80211_parse_chandef(rdev, info, &chandef);
3124 	if (result)
3125 		return result;
3126 
3127 	switch (iftype) {
3128 	case NL80211_IFTYPE_AP:
3129 	case NL80211_IFTYPE_P2P_GO:
3130 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3131 						   iftype)) {
3132 			result = -EINVAL;
3133 			break;
3134 		}
3135 		if (wdev->beacon_interval) {
3136 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3137 			    !(rdev->wiphy.features &
3138 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
3139 				result = -EBUSY;
3140 				break;
3141 			}
3142 
3143 			/* Only allow dynamic channel width changes */
3144 			if (chandef.chan != wdev->preset_chandef.chan) {
3145 				result = -EBUSY;
3146 				break;
3147 			}
3148 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
3149 			if (result)
3150 				break;
3151 		}
3152 		wdev->preset_chandef = chandef;
3153 		result = 0;
3154 		break;
3155 	case NL80211_IFTYPE_MESH_POINT:
3156 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3157 		break;
3158 	case NL80211_IFTYPE_MONITOR:
3159 		result = cfg80211_set_monitor_channel(rdev, &chandef);
3160 		break;
3161 	default:
3162 		result = -EINVAL;
3163 	}
3164 
3165 	return result;
3166 }
3167 
3168 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3169 {
3170 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3171 	struct net_device *netdev = info->user_ptr[1];
3172 
3173 	return __nl80211_set_channel(rdev, netdev, info);
3174 }
3175 
3176 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3177 {
3178 	struct cfg80211_registered_device *rdev = NULL;
3179 	struct net_device *netdev = NULL;
3180 	struct wireless_dev *wdev;
3181 	int result = 0, rem_txq_params = 0;
3182 	struct nlattr *nl_txq_params;
3183 	u32 changed;
3184 	u8 retry_short = 0, retry_long = 0;
3185 	u32 frag_threshold = 0, rts_threshold = 0;
3186 	u8 coverage_class = 0;
3187 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3188 
3189 	rtnl_lock();
3190 	/*
3191 	 * Try to find the wiphy and netdev. Normally this
3192 	 * function shouldn't need the netdev, but this is
3193 	 * done for backward compatibility -- previously
3194 	 * setting the channel was done per wiphy, but now
3195 	 * it is per netdev. Previous userland like hostapd
3196 	 * also passed a netdev to set_wiphy, so that it is
3197 	 * possible to let that go to the right netdev!
3198 	 */
3199 
3200 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3201 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3202 
3203 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3204 		if (netdev && netdev->ieee80211_ptr)
3205 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3206 		else
3207 			netdev = NULL;
3208 	}
3209 
3210 	if (!netdev) {
3211 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3212 						  info->attrs);
3213 		if (IS_ERR(rdev)) {
3214 			rtnl_unlock();
3215 			return PTR_ERR(rdev);
3216 		}
3217 		wdev = NULL;
3218 		netdev = NULL;
3219 		result = 0;
3220 	} else
3221 		wdev = netdev->ieee80211_ptr;
3222 
3223 	wiphy_lock(&rdev->wiphy);
3224 
3225 	/*
3226 	 * end workaround code, by now the rdev is available
3227 	 * and locked, and wdev may or may not be NULL.
3228 	 */
3229 
3230 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3231 		result = cfg80211_dev_rename(
3232 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3233 	rtnl_unlock();
3234 
3235 	if (result)
3236 		goto out;
3237 
3238 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3239 		struct ieee80211_txq_params txq_params;
3240 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3241 
3242 		if (!rdev->ops->set_txq_params) {
3243 			result = -EOPNOTSUPP;
3244 			goto out;
3245 		}
3246 
3247 		if (!netdev) {
3248 			result = -EINVAL;
3249 			goto out;
3250 		}
3251 
3252 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3253 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3254 			result = -EINVAL;
3255 			goto out;
3256 		}
3257 
3258 		if (!netif_running(netdev)) {
3259 			result = -ENETDOWN;
3260 			goto out;
3261 		}
3262 
3263 		nla_for_each_nested(nl_txq_params,
3264 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3265 				    rem_txq_params) {
3266 			result = nla_parse_nested_deprecated(tb,
3267 							     NL80211_TXQ_ATTR_MAX,
3268 							     nl_txq_params,
3269 							     txq_params_policy,
3270 							     info->extack);
3271 			if (result)
3272 				goto out;
3273 			result = parse_txq_params(tb, &txq_params);
3274 			if (result)
3275 				goto out;
3276 
3277 			result = rdev_set_txq_params(rdev, netdev,
3278 						     &txq_params);
3279 			if (result)
3280 				goto out;
3281 		}
3282 	}
3283 
3284 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3285 		result = __nl80211_set_channel(
3286 			rdev,
3287 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3288 			info);
3289 		if (result)
3290 			goto out;
3291 	}
3292 
3293 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3294 		struct wireless_dev *txp_wdev = wdev;
3295 		enum nl80211_tx_power_setting type;
3296 		int idx, mbm = 0;
3297 
3298 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3299 			txp_wdev = NULL;
3300 
3301 		if (!rdev->ops->set_tx_power) {
3302 			result = -EOPNOTSUPP;
3303 			goto out;
3304 		}
3305 
3306 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3307 		type = nla_get_u32(info->attrs[idx]);
3308 
3309 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3310 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3311 			result = -EINVAL;
3312 			goto out;
3313 		}
3314 
3315 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3316 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3317 			mbm = nla_get_u32(info->attrs[idx]);
3318 		}
3319 
3320 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3321 		if (result)
3322 			goto out;
3323 	}
3324 
3325 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3326 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3327 		u32 tx_ant, rx_ant;
3328 
3329 		if ((!rdev->wiphy.available_antennas_tx &&
3330 		     !rdev->wiphy.available_antennas_rx) ||
3331 		    !rdev->ops->set_antenna) {
3332 			result = -EOPNOTSUPP;
3333 			goto out;
3334 		}
3335 
3336 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3337 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3338 
3339 		/* reject antenna configurations which don't match the
3340 		 * available antenna masks, except for the "all" mask */
3341 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3342 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3343 			result = -EINVAL;
3344 			goto out;
3345 		}
3346 
3347 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3348 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3349 
3350 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3351 		if (result)
3352 			goto out;
3353 	}
3354 
3355 	changed = 0;
3356 
3357 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3358 		retry_short = nla_get_u8(
3359 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3360 
3361 		changed |= WIPHY_PARAM_RETRY_SHORT;
3362 	}
3363 
3364 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3365 		retry_long = nla_get_u8(
3366 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3367 
3368 		changed |= WIPHY_PARAM_RETRY_LONG;
3369 	}
3370 
3371 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3372 		frag_threshold = nla_get_u32(
3373 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3374 		if (frag_threshold < 256) {
3375 			result = -EINVAL;
3376 			goto out;
3377 		}
3378 
3379 		if (frag_threshold != (u32) -1) {
3380 			/*
3381 			 * Fragments (apart from the last one) are required to
3382 			 * have even length. Make the fragmentation code
3383 			 * simpler by stripping LSB should someone try to use
3384 			 * odd threshold value.
3385 			 */
3386 			frag_threshold &= ~0x1;
3387 		}
3388 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3389 	}
3390 
3391 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3392 		rts_threshold = nla_get_u32(
3393 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3394 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3395 	}
3396 
3397 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3398 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3399 			result = -EINVAL;
3400 			goto out;
3401 		}
3402 
3403 		coverage_class = nla_get_u8(
3404 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3405 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3406 	}
3407 
3408 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3409 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3410 			result = -EOPNOTSUPP;
3411 			goto out;
3412 		}
3413 
3414 		changed |= WIPHY_PARAM_DYN_ACK;
3415 	}
3416 
3417 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3418 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3419 					     NL80211_EXT_FEATURE_TXQS)) {
3420 			result = -EOPNOTSUPP;
3421 			goto out;
3422 		}
3423 		txq_limit = nla_get_u32(
3424 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3425 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3426 	}
3427 
3428 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3429 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3430 					     NL80211_EXT_FEATURE_TXQS)) {
3431 			result = -EOPNOTSUPP;
3432 			goto out;
3433 		}
3434 		txq_memory_limit = nla_get_u32(
3435 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3436 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3437 	}
3438 
3439 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3440 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3441 					     NL80211_EXT_FEATURE_TXQS)) {
3442 			result = -EOPNOTSUPP;
3443 			goto out;
3444 		}
3445 		txq_quantum = nla_get_u32(
3446 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3447 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3448 	}
3449 
3450 	if (changed) {
3451 		u8 old_retry_short, old_retry_long;
3452 		u32 old_frag_threshold, old_rts_threshold;
3453 		u8 old_coverage_class;
3454 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3455 
3456 		if (!rdev->ops->set_wiphy_params) {
3457 			result = -EOPNOTSUPP;
3458 			goto out;
3459 		}
3460 
3461 		old_retry_short = rdev->wiphy.retry_short;
3462 		old_retry_long = rdev->wiphy.retry_long;
3463 		old_frag_threshold = rdev->wiphy.frag_threshold;
3464 		old_rts_threshold = rdev->wiphy.rts_threshold;
3465 		old_coverage_class = rdev->wiphy.coverage_class;
3466 		old_txq_limit = rdev->wiphy.txq_limit;
3467 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3468 		old_txq_quantum = rdev->wiphy.txq_quantum;
3469 
3470 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3471 			rdev->wiphy.retry_short = retry_short;
3472 		if (changed & WIPHY_PARAM_RETRY_LONG)
3473 			rdev->wiphy.retry_long = retry_long;
3474 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3475 			rdev->wiphy.frag_threshold = frag_threshold;
3476 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3477 			rdev->wiphy.rts_threshold = rts_threshold;
3478 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3479 			rdev->wiphy.coverage_class = coverage_class;
3480 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3481 			rdev->wiphy.txq_limit = txq_limit;
3482 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3483 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3484 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3485 			rdev->wiphy.txq_quantum = txq_quantum;
3486 
3487 		result = rdev_set_wiphy_params(rdev, changed);
3488 		if (result) {
3489 			rdev->wiphy.retry_short = old_retry_short;
3490 			rdev->wiphy.retry_long = old_retry_long;
3491 			rdev->wiphy.frag_threshold = old_frag_threshold;
3492 			rdev->wiphy.rts_threshold = old_rts_threshold;
3493 			rdev->wiphy.coverage_class = old_coverage_class;
3494 			rdev->wiphy.txq_limit = old_txq_limit;
3495 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3496 			rdev->wiphy.txq_quantum = old_txq_quantum;
3497 			goto out;
3498 		}
3499 	}
3500 
3501 	result = 0;
3502 
3503 out:
3504 	wiphy_unlock(&rdev->wiphy);
3505 	return result;
3506 }
3507 
3508 static int nl80211_send_chandef(struct sk_buff *msg,
3509 				const struct cfg80211_chan_def *chandef)
3510 {
3511 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3512 		return -EINVAL;
3513 
3514 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3515 			chandef->chan->center_freq))
3516 		return -ENOBUFS;
3517 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3518 			chandef->chan->freq_offset))
3519 		return -ENOBUFS;
3520 	switch (chandef->width) {
3521 	case NL80211_CHAN_WIDTH_20_NOHT:
3522 	case NL80211_CHAN_WIDTH_20:
3523 	case NL80211_CHAN_WIDTH_40:
3524 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3525 				cfg80211_get_chandef_type(chandef)))
3526 			return -ENOBUFS;
3527 		break;
3528 	default:
3529 		break;
3530 	}
3531 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3532 		return -ENOBUFS;
3533 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3534 		return -ENOBUFS;
3535 	if (chandef->center_freq2 &&
3536 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3537 		return -ENOBUFS;
3538 	return 0;
3539 }
3540 
3541 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3542 			      struct cfg80211_registered_device *rdev,
3543 			      struct wireless_dev *wdev,
3544 			      enum nl80211_commands cmd)
3545 {
3546 	struct net_device *dev = wdev->netdev;
3547 	void *hdr;
3548 
3549 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3550 		cmd != NL80211_CMD_DEL_INTERFACE &&
3551 		cmd != NL80211_CMD_SET_INTERFACE);
3552 
3553 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3554 	if (!hdr)
3555 		return -1;
3556 
3557 	if (dev &&
3558 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3559 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3560 		goto nla_put_failure;
3561 
3562 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3563 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3564 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3565 			      NL80211_ATTR_PAD) ||
3566 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3567 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3568 			rdev->devlist_generation ^
3569 			(cfg80211_rdev_list_generation << 2)) ||
3570 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3571 		goto nla_put_failure;
3572 
3573 	if (rdev->ops->get_channel) {
3574 		int ret;
3575 		struct cfg80211_chan_def chandef = {};
3576 
3577 		ret = rdev_get_channel(rdev, wdev, &chandef);
3578 		if (ret == 0) {
3579 			if (nl80211_send_chandef(msg, &chandef))
3580 				goto nla_put_failure;
3581 		}
3582 	}
3583 
3584 	if (rdev->ops->get_tx_power) {
3585 		int dbm, ret;
3586 
3587 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3588 		if (ret == 0 &&
3589 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3590 				DBM_TO_MBM(dbm)))
3591 			goto nla_put_failure;
3592 	}
3593 
3594 	wdev_lock(wdev);
3595 	switch (wdev->iftype) {
3596 	case NL80211_IFTYPE_AP:
3597 		if (wdev->ssid_len &&
3598 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3599 			goto nla_put_failure_locked;
3600 		break;
3601 	case NL80211_IFTYPE_STATION:
3602 	case NL80211_IFTYPE_P2P_CLIENT:
3603 	case NL80211_IFTYPE_ADHOC: {
3604 		const u8 *ssid_ie;
3605 		if (!wdev->current_bss)
3606 			break;
3607 		rcu_read_lock();
3608 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3609 					       WLAN_EID_SSID);
3610 		if (ssid_ie &&
3611 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3612 			goto nla_put_failure_rcu_locked;
3613 		rcu_read_unlock();
3614 		break;
3615 		}
3616 	default:
3617 		/* nothing */
3618 		break;
3619 	}
3620 	wdev_unlock(wdev);
3621 
3622 	if (rdev->ops->get_txq_stats) {
3623 		struct cfg80211_txq_stats txqstats = {};
3624 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3625 
3626 		if (ret == 0 &&
3627 		    !nl80211_put_txq_stats(msg, &txqstats,
3628 					   NL80211_ATTR_TXQ_STATS))
3629 			goto nla_put_failure;
3630 	}
3631 
3632 	genlmsg_end(msg, hdr);
3633 	return 0;
3634 
3635  nla_put_failure_rcu_locked:
3636 	rcu_read_unlock();
3637  nla_put_failure_locked:
3638 	wdev_unlock(wdev);
3639  nla_put_failure:
3640 	genlmsg_cancel(msg, hdr);
3641 	return -EMSGSIZE;
3642 }
3643 
3644 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3645 {
3646 	int wp_idx = 0;
3647 	int if_idx = 0;
3648 	int wp_start = cb->args[0];
3649 	int if_start = cb->args[1];
3650 	int filter_wiphy = -1;
3651 	struct cfg80211_registered_device *rdev;
3652 	struct wireless_dev *wdev;
3653 	int ret;
3654 
3655 	rtnl_lock();
3656 	if (!cb->args[2]) {
3657 		struct nl80211_dump_wiphy_state state = {
3658 			.filter_wiphy = -1,
3659 		};
3660 
3661 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3662 		if (ret)
3663 			goto out_unlock;
3664 
3665 		filter_wiphy = state.filter_wiphy;
3666 
3667 		/*
3668 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3669 		 * value needed to determine that parsing is necessary.
3670 		 */
3671 		if (filter_wiphy >= 0)
3672 			cb->args[2] = filter_wiphy + 1;
3673 		else
3674 			cb->args[2] = -1;
3675 	} else if (cb->args[2] > 0) {
3676 		filter_wiphy = cb->args[2] - 1;
3677 	}
3678 
3679 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3680 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3681 			continue;
3682 		if (wp_idx < wp_start) {
3683 			wp_idx++;
3684 			continue;
3685 		}
3686 
3687 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3688 			continue;
3689 
3690 		if_idx = 0;
3691 
3692 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3693 			if (if_idx < if_start) {
3694 				if_idx++;
3695 				continue;
3696 			}
3697 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3698 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3699 					       rdev, wdev,
3700 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3701 				goto out;
3702 			}
3703 			if_idx++;
3704 		}
3705 
3706 		wp_idx++;
3707 	}
3708  out:
3709 	cb->args[0] = wp_idx;
3710 	cb->args[1] = if_idx;
3711 
3712 	ret = skb->len;
3713  out_unlock:
3714 	rtnl_unlock();
3715 
3716 	return ret;
3717 }
3718 
3719 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3720 {
3721 	struct sk_buff *msg;
3722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3723 	struct wireless_dev *wdev = info->user_ptr[1];
3724 
3725 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3726 	if (!msg)
3727 		return -ENOMEM;
3728 
3729 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3730 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3731 		nlmsg_free(msg);
3732 		return -ENOBUFS;
3733 	}
3734 
3735 	return genlmsg_reply(msg, info);
3736 }
3737 
3738 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3739 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3740 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3741 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3742 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3743 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3744 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3745 };
3746 
3747 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3748 {
3749 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3750 	int flag;
3751 
3752 	*mntrflags = 0;
3753 
3754 	if (!nla)
3755 		return -EINVAL;
3756 
3757 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3758 		return -EINVAL;
3759 
3760 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3761 		if (flags[flag])
3762 			*mntrflags |= (1<<flag);
3763 
3764 	*mntrflags |= MONITOR_FLAG_CHANGED;
3765 
3766 	return 0;
3767 }
3768 
3769 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3770 				     enum nl80211_iftype type,
3771 				     struct genl_info *info,
3772 				     struct vif_params *params)
3773 {
3774 	bool change = false;
3775 	int err;
3776 
3777 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3778 		if (type != NL80211_IFTYPE_MONITOR)
3779 			return -EINVAL;
3780 
3781 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3782 					  &params->flags);
3783 		if (err)
3784 			return err;
3785 
3786 		change = true;
3787 	}
3788 
3789 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3790 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3791 		return -EOPNOTSUPP;
3792 
3793 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3794 		const u8 *mumimo_groups;
3795 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3796 
3797 		if (type != NL80211_IFTYPE_MONITOR)
3798 			return -EINVAL;
3799 
3800 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3801 			return -EOPNOTSUPP;
3802 
3803 		mumimo_groups =
3804 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3805 
3806 		/* bits 0 and 63 are reserved and must be zero */
3807 		if ((mumimo_groups[0] & BIT(0)) ||
3808 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3809 			return -EINVAL;
3810 
3811 		params->vht_mumimo_groups = mumimo_groups;
3812 		change = true;
3813 	}
3814 
3815 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3816 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3817 
3818 		if (type != NL80211_IFTYPE_MONITOR)
3819 			return -EINVAL;
3820 
3821 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3822 			return -EOPNOTSUPP;
3823 
3824 		params->vht_mumimo_follow_addr =
3825 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3826 		change = true;
3827 	}
3828 
3829 	return change ? 1 : 0;
3830 }
3831 
3832 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3833 			       struct net_device *netdev, u8 use_4addr,
3834 			       enum nl80211_iftype iftype)
3835 {
3836 	if (!use_4addr) {
3837 		if (netdev && netif_is_bridge_port(netdev))
3838 			return -EBUSY;
3839 		return 0;
3840 	}
3841 
3842 	switch (iftype) {
3843 	case NL80211_IFTYPE_AP_VLAN:
3844 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3845 			return 0;
3846 		break;
3847 	case NL80211_IFTYPE_STATION:
3848 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3849 			return 0;
3850 		break;
3851 	default:
3852 		break;
3853 	}
3854 
3855 	return -EOPNOTSUPP;
3856 }
3857 
3858 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3859 {
3860 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3861 	struct vif_params params;
3862 	int err;
3863 	enum nl80211_iftype otype, ntype;
3864 	struct net_device *dev = info->user_ptr[1];
3865 	bool change = false;
3866 
3867 	memset(&params, 0, sizeof(params));
3868 
3869 	otype = ntype = dev->ieee80211_ptr->iftype;
3870 
3871 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3872 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3873 		if (otype != ntype)
3874 			change = true;
3875 	}
3876 
3877 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3878 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3879 
3880 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3881 			return -EINVAL;
3882 		if (netif_running(dev))
3883 			return -EBUSY;
3884 
3885 		wdev_lock(wdev);
3886 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3887 			     IEEE80211_MAX_MESH_ID_LEN);
3888 		wdev->mesh_id_up_len =
3889 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3890 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3891 		       wdev->mesh_id_up_len);
3892 		wdev_unlock(wdev);
3893 	}
3894 
3895 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3896 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3897 		change = true;
3898 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3899 		if (err)
3900 			return err;
3901 	} else {
3902 		params.use_4addr = -1;
3903 	}
3904 
3905 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3906 	if (err < 0)
3907 		return err;
3908 	if (err > 0)
3909 		change = true;
3910 
3911 	if (change)
3912 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3913 	else
3914 		err = 0;
3915 
3916 	if (!err && params.use_4addr != -1)
3917 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3918 
3919 	if (change && !err) {
3920 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3921 
3922 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3923 	}
3924 
3925 	return err;
3926 }
3927 
3928 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3929 {
3930 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3931 	struct vif_params params;
3932 	struct wireless_dev *wdev;
3933 	struct sk_buff *msg;
3934 	int err;
3935 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3936 
3937 	/* to avoid failing a new interface creation due to pending removal */
3938 	cfg80211_destroy_ifaces(rdev);
3939 
3940 	memset(&params, 0, sizeof(params));
3941 
3942 	if (!info->attrs[NL80211_ATTR_IFNAME])
3943 		return -EINVAL;
3944 
3945 	if (info->attrs[NL80211_ATTR_IFTYPE])
3946 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3947 
3948 	if (!rdev->ops->add_virtual_intf)
3949 		return -EOPNOTSUPP;
3950 
3951 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3952 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3953 	    info->attrs[NL80211_ATTR_MAC]) {
3954 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3955 			   ETH_ALEN);
3956 		if (!is_valid_ether_addr(params.macaddr))
3957 			return -EADDRNOTAVAIL;
3958 	}
3959 
3960 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3961 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3962 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3963 		if (err)
3964 			return err;
3965 	}
3966 
3967 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3968 		return -EOPNOTSUPP;
3969 
3970 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3971 	if (err < 0)
3972 		return err;
3973 
3974 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3975 	if (!msg)
3976 		return -ENOMEM;
3977 
3978 	wdev = rdev_add_virtual_intf(rdev,
3979 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3980 				NET_NAME_USER, type, &params);
3981 	if (WARN_ON(!wdev)) {
3982 		nlmsg_free(msg);
3983 		return -EPROTO;
3984 	} else if (IS_ERR(wdev)) {
3985 		nlmsg_free(msg);
3986 		return PTR_ERR(wdev);
3987 	}
3988 
3989 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3990 		wdev->owner_nlportid = info->snd_portid;
3991 
3992 	switch (type) {
3993 	case NL80211_IFTYPE_MESH_POINT:
3994 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3995 			break;
3996 		wdev_lock(wdev);
3997 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3998 			     IEEE80211_MAX_MESH_ID_LEN);
3999 		wdev->mesh_id_up_len =
4000 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4001 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4002 		       wdev->mesh_id_up_len);
4003 		wdev_unlock(wdev);
4004 		break;
4005 	case NL80211_IFTYPE_NAN:
4006 	case NL80211_IFTYPE_P2P_DEVICE:
4007 		/*
4008 		 * P2P Device and NAN do not have a netdev, so don't go
4009 		 * through the netdev notifier and must be added here
4010 		 */
4011 		cfg80211_init_wdev(wdev);
4012 		cfg80211_register_wdev(rdev, wdev);
4013 		break;
4014 	default:
4015 		break;
4016 	}
4017 
4018 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4019 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4020 		nlmsg_free(msg);
4021 		return -ENOBUFS;
4022 	}
4023 
4024 	return genlmsg_reply(msg, info);
4025 }
4026 
4027 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4028 {
4029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4030 	struct wireless_dev *wdev = info->user_ptr[1];
4031 
4032 	if (!rdev->ops->del_virtual_intf)
4033 		return -EOPNOTSUPP;
4034 
4035 	/*
4036 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4037 	 * reach 0, and thus the rdev cannot be deleted.
4038 	 *
4039 	 * We need to do it for the dev_close(), since that will call
4040 	 * the netdev notifiers, and we need to acquire the mutex there
4041 	 * but don't know if we get there from here or from some other
4042 	 * place (e.g. "ip link set ... down").
4043 	 */
4044 	mutex_unlock(&rdev->wiphy.mtx);
4045 
4046 	/*
4047 	 * If we remove a wireless device without a netdev then clear
4048 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4049 	 * to check if it needs to do dev_put(). Otherwise it crashes
4050 	 * since the wdev has been freed, unlike with a netdev where
4051 	 * we need the dev_put() for the netdev to really be freed.
4052 	 */
4053 	if (!wdev->netdev)
4054 		info->user_ptr[1] = NULL;
4055 	else
4056 		dev_close(wdev->netdev);
4057 
4058 	mutex_lock(&rdev->wiphy.mtx);
4059 
4060 	return rdev_del_virtual_intf(rdev, wdev);
4061 }
4062 
4063 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4064 {
4065 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4066 	struct net_device *dev = info->user_ptr[1];
4067 	u16 noack_map;
4068 
4069 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4070 		return -EINVAL;
4071 
4072 	if (!rdev->ops->set_noack_map)
4073 		return -EOPNOTSUPP;
4074 
4075 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4076 
4077 	return rdev_set_noack_map(rdev, dev, noack_map);
4078 }
4079 
4080 struct get_key_cookie {
4081 	struct sk_buff *msg;
4082 	int error;
4083 	int idx;
4084 };
4085 
4086 static void get_key_callback(void *c, struct key_params *params)
4087 {
4088 	struct nlattr *key;
4089 	struct get_key_cookie *cookie = c;
4090 
4091 	if ((params->key &&
4092 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4093 		     params->key_len, params->key)) ||
4094 	    (params->seq &&
4095 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4096 		     params->seq_len, params->seq)) ||
4097 	    (params->cipher &&
4098 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4099 			 params->cipher)))
4100 		goto nla_put_failure;
4101 
4102 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4103 	if (!key)
4104 		goto nla_put_failure;
4105 
4106 	if ((params->key &&
4107 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4108 		     params->key_len, params->key)) ||
4109 	    (params->seq &&
4110 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4111 		     params->seq_len, params->seq)) ||
4112 	    (params->cipher &&
4113 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4114 			 params->cipher)))
4115 		goto nla_put_failure;
4116 
4117 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4118 		goto nla_put_failure;
4119 
4120 	nla_nest_end(cookie->msg, key);
4121 
4122 	return;
4123  nla_put_failure:
4124 	cookie->error = 1;
4125 }
4126 
4127 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4128 {
4129 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4130 	int err;
4131 	struct net_device *dev = info->user_ptr[1];
4132 	u8 key_idx = 0;
4133 	const u8 *mac_addr = NULL;
4134 	bool pairwise;
4135 	struct get_key_cookie cookie = {
4136 		.error = 0,
4137 	};
4138 	void *hdr;
4139 	struct sk_buff *msg;
4140 	bool bigtk_support = false;
4141 
4142 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4143 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4144 		bigtk_support = true;
4145 
4146 	if ((dev->ieee80211_ptr->iftype == NL80211_IFTYPE_STATION ||
4147 	     dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4148 	    wiphy_ext_feature_isset(&rdev->wiphy,
4149 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4150 		bigtk_support = true;
4151 
4152 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4153 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4154 
4155 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4156 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4157 			return -EINVAL;
4158 		}
4159 	}
4160 
4161 	if (info->attrs[NL80211_ATTR_MAC])
4162 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4163 
4164 	pairwise = !!mac_addr;
4165 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4166 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4167 
4168 		if (kt != NL80211_KEYTYPE_GROUP &&
4169 		    kt != NL80211_KEYTYPE_PAIRWISE)
4170 			return -EINVAL;
4171 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4172 	}
4173 
4174 	if (!rdev->ops->get_key)
4175 		return -EOPNOTSUPP;
4176 
4177 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4178 		return -ENOENT;
4179 
4180 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4181 	if (!msg)
4182 		return -ENOMEM;
4183 
4184 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4185 			     NL80211_CMD_NEW_KEY);
4186 	if (!hdr)
4187 		goto nla_put_failure;
4188 
4189 	cookie.msg = msg;
4190 	cookie.idx = key_idx;
4191 
4192 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4193 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4194 		goto nla_put_failure;
4195 	if (mac_addr &&
4196 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4197 		goto nla_put_failure;
4198 
4199 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
4200 			   get_key_callback);
4201 
4202 	if (err)
4203 		goto free_msg;
4204 
4205 	if (cookie.error)
4206 		goto nla_put_failure;
4207 
4208 	genlmsg_end(msg, hdr);
4209 	return genlmsg_reply(msg, info);
4210 
4211  nla_put_failure:
4212 	err = -ENOBUFS;
4213  free_msg:
4214 	nlmsg_free(msg);
4215 	return err;
4216 }
4217 
4218 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4219 {
4220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4221 	struct key_parse key;
4222 	int err;
4223 	struct net_device *dev = info->user_ptr[1];
4224 
4225 	err = nl80211_parse_key(info, &key);
4226 	if (err)
4227 		return err;
4228 
4229 	if (key.idx < 0)
4230 		return -EINVAL;
4231 
4232 	/* Only support setting default key and
4233 	 * Extended Key ID action NL80211_KEY_SET_TX.
4234 	 */
4235 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4236 	    !(key.p.mode == NL80211_KEY_SET_TX))
4237 		return -EINVAL;
4238 
4239 	wdev_lock(dev->ieee80211_ptr);
4240 
4241 	if (key.def) {
4242 		if (!rdev->ops->set_default_key) {
4243 			err = -EOPNOTSUPP;
4244 			goto out;
4245 		}
4246 
4247 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4248 		if (err)
4249 			goto out;
4250 
4251 		err = rdev_set_default_key(rdev, dev, key.idx,
4252 						 key.def_uni, key.def_multi);
4253 
4254 		if (err)
4255 			goto out;
4256 
4257 #ifdef CONFIG_CFG80211_WEXT
4258 		dev->ieee80211_ptr->wext.default_key = key.idx;
4259 #endif
4260 	} else if (key.defmgmt) {
4261 		if (key.def_uni || !key.def_multi) {
4262 			err = -EINVAL;
4263 			goto out;
4264 		}
4265 
4266 		if (!rdev->ops->set_default_mgmt_key) {
4267 			err = -EOPNOTSUPP;
4268 			goto out;
4269 		}
4270 
4271 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4272 		if (err)
4273 			goto out;
4274 
4275 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4276 		if (err)
4277 			goto out;
4278 
4279 #ifdef CONFIG_CFG80211_WEXT
4280 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4281 #endif
4282 	} else if (key.defbeacon) {
4283 		if (key.def_uni || !key.def_multi) {
4284 			err = -EINVAL;
4285 			goto out;
4286 		}
4287 
4288 		if (!rdev->ops->set_default_beacon_key) {
4289 			err = -EOPNOTSUPP;
4290 			goto out;
4291 		}
4292 
4293 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4294 		if (err)
4295 			goto out;
4296 
4297 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4298 		if (err)
4299 			goto out;
4300 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4301 		   wiphy_ext_feature_isset(&rdev->wiphy,
4302 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4303 		u8 *mac_addr = NULL;
4304 
4305 		if (info->attrs[NL80211_ATTR_MAC])
4306 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4307 
4308 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4309 			err = -EINVAL;
4310 			goto out;
4311 		}
4312 
4313 		err = rdev_add_key(rdev, dev, key.idx,
4314 				   NL80211_KEYTYPE_PAIRWISE,
4315 				   mac_addr, &key.p);
4316 	} else {
4317 		err = -EINVAL;
4318 	}
4319  out:
4320 	wdev_unlock(dev->ieee80211_ptr);
4321 
4322 	return err;
4323 }
4324 
4325 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4326 {
4327 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4328 	int err;
4329 	struct net_device *dev = info->user_ptr[1];
4330 	struct key_parse key;
4331 	const u8 *mac_addr = NULL;
4332 
4333 	err = nl80211_parse_key(info, &key);
4334 	if (err)
4335 		return err;
4336 
4337 	if (!key.p.key) {
4338 		GENL_SET_ERR_MSG(info, "no key");
4339 		return -EINVAL;
4340 	}
4341 
4342 	if (info->attrs[NL80211_ATTR_MAC])
4343 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4344 
4345 	if (key.type == -1) {
4346 		if (mac_addr)
4347 			key.type = NL80211_KEYTYPE_PAIRWISE;
4348 		else
4349 			key.type = NL80211_KEYTYPE_GROUP;
4350 	}
4351 
4352 	/* for now */
4353 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4354 	    key.type != NL80211_KEYTYPE_GROUP) {
4355 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4356 		return -EINVAL;
4357 	}
4358 
4359 	if (key.type == NL80211_KEYTYPE_GROUP &&
4360 	    info->attrs[NL80211_ATTR_VLAN_ID])
4361 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4362 
4363 	if (!rdev->ops->add_key)
4364 		return -EOPNOTSUPP;
4365 
4366 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4367 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4368 					   mac_addr)) {
4369 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4370 		return -EINVAL;
4371 	}
4372 
4373 	wdev_lock(dev->ieee80211_ptr);
4374 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4375 	if (err)
4376 		GENL_SET_ERR_MSG(info, "key not allowed");
4377 	if (!err) {
4378 		err = rdev_add_key(rdev, dev, key.idx,
4379 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4380 				    mac_addr, &key.p);
4381 		if (err)
4382 			GENL_SET_ERR_MSG(info, "key addition failed");
4383 	}
4384 	wdev_unlock(dev->ieee80211_ptr);
4385 
4386 	return err;
4387 }
4388 
4389 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4390 {
4391 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4392 	int err;
4393 	struct net_device *dev = info->user_ptr[1];
4394 	u8 *mac_addr = NULL;
4395 	struct key_parse key;
4396 
4397 	err = nl80211_parse_key(info, &key);
4398 	if (err)
4399 		return err;
4400 
4401 	if (info->attrs[NL80211_ATTR_MAC])
4402 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4403 
4404 	if (key.type == -1) {
4405 		if (mac_addr)
4406 			key.type = NL80211_KEYTYPE_PAIRWISE;
4407 		else
4408 			key.type = NL80211_KEYTYPE_GROUP;
4409 	}
4410 
4411 	/* for now */
4412 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4413 	    key.type != NL80211_KEYTYPE_GROUP)
4414 		return -EINVAL;
4415 
4416 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4417 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4418 		return -EINVAL;
4419 
4420 	if (!rdev->ops->del_key)
4421 		return -EOPNOTSUPP;
4422 
4423 	wdev_lock(dev->ieee80211_ptr);
4424 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4425 
4426 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4427 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4428 		err = -ENOENT;
4429 
4430 	if (!err)
4431 		err = rdev_del_key(rdev, dev, key.idx,
4432 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4433 				   mac_addr);
4434 
4435 #ifdef CONFIG_CFG80211_WEXT
4436 	if (!err) {
4437 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4438 			dev->ieee80211_ptr->wext.default_key = -1;
4439 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4440 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4441 	}
4442 #endif
4443 	wdev_unlock(dev->ieee80211_ptr);
4444 
4445 	return err;
4446 }
4447 
4448 /* This function returns an error or the number of nested attributes */
4449 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4450 {
4451 	struct nlattr *attr;
4452 	int n_entries = 0, tmp;
4453 
4454 	nla_for_each_nested(attr, nl_attr, tmp) {
4455 		if (nla_len(attr) != ETH_ALEN)
4456 			return -EINVAL;
4457 
4458 		n_entries++;
4459 	}
4460 
4461 	return n_entries;
4462 }
4463 
4464 /*
4465  * This function parses ACL information and allocates memory for ACL data.
4466  * On successful return, the calling function is responsible to free the
4467  * ACL buffer returned by this function.
4468  */
4469 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4470 						struct genl_info *info)
4471 {
4472 	enum nl80211_acl_policy acl_policy;
4473 	struct nlattr *attr;
4474 	struct cfg80211_acl_data *acl;
4475 	int i = 0, n_entries, tmp;
4476 
4477 	if (!wiphy->max_acl_mac_addrs)
4478 		return ERR_PTR(-EOPNOTSUPP);
4479 
4480 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4481 		return ERR_PTR(-EINVAL);
4482 
4483 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4484 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4485 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4486 		return ERR_PTR(-EINVAL);
4487 
4488 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4489 		return ERR_PTR(-EINVAL);
4490 
4491 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4492 	if (n_entries < 0)
4493 		return ERR_PTR(n_entries);
4494 
4495 	if (n_entries > wiphy->max_acl_mac_addrs)
4496 		return ERR_PTR(-ENOTSUPP);
4497 
4498 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4499 	if (!acl)
4500 		return ERR_PTR(-ENOMEM);
4501 
4502 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4503 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4504 		i++;
4505 	}
4506 
4507 	acl->n_acl_entries = n_entries;
4508 	acl->acl_policy = acl_policy;
4509 
4510 	return acl;
4511 }
4512 
4513 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4514 {
4515 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4516 	struct net_device *dev = info->user_ptr[1];
4517 	struct cfg80211_acl_data *acl;
4518 	int err;
4519 
4520 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4521 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4522 		return -EOPNOTSUPP;
4523 
4524 	if (!dev->ieee80211_ptr->beacon_interval)
4525 		return -EINVAL;
4526 
4527 	acl = parse_acl_data(&rdev->wiphy, info);
4528 	if (IS_ERR(acl))
4529 		return PTR_ERR(acl);
4530 
4531 	err = rdev_set_mac_acl(rdev, dev, acl);
4532 
4533 	kfree(acl);
4534 
4535 	return err;
4536 }
4537 
4538 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4539 			   u8 *rates, u8 rates_len)
4540 {
4541 	u8 i;
4542 	u32 mask = 0;
4543 
4544 	for (i = 0; i < rates_len; i++) {
4545 		int rate = (rates[i] & 0x7f) * 5;
4546 		int ridx;
4547 
4548 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4549 			struct ieee80211_rate *srate =
4550 				&sband->bitrates[ridx];
4551 			if (rate == srate->bitrate) {
4552 				mask |= 1 << ridx;
4553 				break;
4554 			}
4555 		}
4556 		if (ridx == sband->n_bitrates)
4557 			return 0; /* rate not found */
4558 	}
4559 
4560 	return mask;
4561 }
4562 
4563 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4564 			       u8 *rates, u8 rates_len,
4565 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4566 {
4567 	u8 i;
4568 
4569 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4570 
4571 	for (i = 0; i < rates_len; i++) {
4572 		int ridx, rbit;
4573 
4574 		ridx = rates[i] / 8;
4575 		rbit = BIT(rates[i] % 8);
4576 
4577 		/* check validity */
4578 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4579 			return false;
4580 
4581 		/* check availability */
4582 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4583 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4584 			mcs[ridx] |= rbit;
4585 		else
4586 			return false;
4587 	}
4588 
4589 	return true;
4590 }
4591 
4592 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4593 {
4594 	u16 mcs_mask = 0;
4595 
4596 	switch (vht_mcs_map) {
4597 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4598 		break;
4599 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4600 		mcs_mask = 0x00FF;
4601 		break;
4602 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4603 		mcs_mask = 0x01FF;
4604 		break;
4605 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4606 		mcs_mask = 0x03FF;
4607 		break;
4608 	default:
4609 		break;
4610 	}
4611 
4612 	return mcs_mask;
4613 }
4614 
4615 static void vht_build_mcs_mask(u16 vht_mcs_map,
4616 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4617 {
4618 	u8 nss;
4619 
4620 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4621 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4622 		vht_mcs_map >>= 2;
4623 	}
4624 }
4625 
4626 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4627 			     struct nl80211_txrate_vht *txrate,
4628 			     u16 mcs[NL80211_VHT_NSS_MAX])
4629 {
4630 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4631 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4632 	u8 i;
4633 
4634 	if (!sband->vht_cap.vht_supported)
4635 		return false;
4636 
4637 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4638 
4639 	/* Build vht_mcs_mask from VHT capabilities */
4640 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4641 
4642 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4643 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4644 			mcs[i] = txrate->mcs[i];
4645 		else
4646 			return false;
4647 	}
4648 
4649 	return true;
4650 }
4651 
4652 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
4653 {
4654 	switch (he_mcs_map) {
4655 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
4656 		return 0;
4657 	case IEEE80211_HE_MCS_SUPPORT_0_7:
4658 		return 0x00FF;
4659 	case IEEE80211_HE_MCS_SUPPORT_0_9:
4660 		return 0x03FF;
4661 	case IEEE80211_HE_MCS_SUPPORT_0_11:
4662 		return 0xFFF;
4663 	default:
4664 		break;
4665 	}
4666 	return 0;
4667 }
4668 
4669 static void he_build_mcs_mask(u16 he_mcs_map,
4670 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
4671 {
4672 	u8 nss;
4673 
4674 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
4675 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
4676 		he_mcs_map >>= 2;
4677 	}
4678 }
4679 
4680 static u16 he_get_txmcsmap(struct genl_info *info,
4681 			   const struct ieee80211_sta_he_cap *he_cap)
4682 {
4683 	struct net_device *dev = info->user_ptr[1];
4684 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4685 	__le16	tx_mcs;
4686 
4687 	switch (wdev->chandef.width) {
4688 	case NL80211_CHAN_WIDTH_80P80:
4689 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
4690 		break;
4691 	case NL80211_CHAN_WIDTH_160:
4692 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
4693 		break;
4694 	default:
4695 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
4696 		break;
4697 	}
4698 	return le16_to_cpu(tx_mcs);
4699 }
4700 
4701 static bool he_set_mcs_mask(struct genl_info *info,
4702 			    struct wireless_dev *wdev,
4703 			    struct ieee80211_supported_band *sband,
4704 			    struct nl80211_txrate_he *txrate,
4705 			    u16 mcs[NL80211_HE_NSS_MAX])
4706 {
4707 	const struct ieee80211_sta_he_cap *he_cap;
4708 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
4709 	u16 tx_mcs_map = 0;
4710 	u8 i;
4711 
4712 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4713 	if (!he_cap)
4714 		return false;
4715 
4716 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
4717 
4718 	tx_mcs_map = he_get_txmcsmap(info, he_cap);
4719 
4720 	/* Build he_mcs_mask from HE capabilities */
4721 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4722 
4723 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4724 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4725 			mcs[i] = txrate->mcs[i];
4726 		else
4727 			return false;
4728 	}
4729 
4730 	return true;
4731 }
4732 
4733 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4734 					 struct nlattr *attrs[],
4735 					 enum nl80211_attrs attr,
4736 					 struct cfg80211_bitrate_mask *mask,
4737 					 struct net_device *dev,
4738 					 bool default_all_enabled)
4739 {
4740 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4741 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4742 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4743 	int rem, i;
4744 	struct nlattr *tx_rates;
4745 	struct ieee80211_supported_band *sband;
4746 	u16 vht_tx_mcs_map, he_tx_mcs_map;
4747 
4748 	memset(mask, 0, sizeof(*mask));
4749 	/* Default to all rates enabled */
4750 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4751 		const struct ieee80211_sta_he_cap *he_cap;
4752 
4753 		if (!default_all_enabled)
4754 			break;
4755 
4756 		sband = rdev->wiphy.bands[i];
4757 
4758 		if (!sband)
4759 			continue;
4760 
4761 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4762 		memcpy(mask->control[i].ht_mcs,
4763 		       sband->ht_cap.mcs.rx_mask,
4764 		       sizeof(mask->control[i].ht_mcs));
4765 
4766 		if (!sband->vht_cap.vht_supported)
4767 			continue;
4768 
4769 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4770 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4771 
4772 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
4773 		if (!he_cap)
4774 			continue;
4775 
4776 		he_tx_mcs_map = he_get_txmcsmap(info, he_cap);
4777 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
4778 
4779 		mask->control[i].he_gi = 0xFF;
4780 		mask->control[i].he_ltf = 0xFF;
4781 	}
4782 
4783 	/* if no rates are given set it back to the defaults */
4784 	if (!attrs[attr])
4785 		goto out;
4786 
4787 	/* The nested attribute uses enum nl80211_band as the index. This maps
4788 	 * directly to the enum nl80211_band values used in cfg80211.
4789 	 */
4790 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4791 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
4792 		enum nl80211_band band = nla_type(tx_rates);
4793 		int err;
4794 
4795 		if (band < 0 || band >= NUM_NL80211_BANDS)
4796 			return -EINVAL;
4797 		sband = rdev->wiphy.bands[band];
4798 		if (sband == NULL)
4799 			return -EINVAL;
4800 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4801 						  tx_rates,
4802 						  nl80211_txattr_policy,
4803 						  info->extack);
4804 		if (err)
4805 			return err;
4806 		if (tb[NL80211_TXRATE_LEGACY]) {
4807 			mask->control[band].legacy = rateset_to_mask(
4808 				sband,
4809 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4810 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4811 			if ((mask->control[band].legacy == 0) &&
4812 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4813 				return -EINVAL;
4814 		}
4815 		if (tb[NL80211_TXRATE_HT]) {
4816 			if (!ht_rateset_to_mask(
4817 					sband,
4818 					nla_data(tb[NL80211_TXRATE_HT]),
4819 					nla_len(tb[NL80211_TXRATE_HT]),
4820 					mask->control[band].ht_mcs))
4821 				return -EINVAL;
4822 		}
4823 
4824 		if (tb[NL80211_TXRATE_VHT]) {
4825 			if (!vht_set_mcs_mask(
4826 					sband,
4827 					nla_data(tb[NL80211_TXRATE_VHT]),
4828 					mask->control[band].vht_mcs))
4829 				return -EINVAL;
4830 		}
4831 
4832 		if (tb[NL80211_TXRATE_GI]) {
4833 			mask->control[band].gi =
4834 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4835 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4836 				return -EINVAL;
4837 		}
4838 		if (tb[NL80211_TXRATE_HE] &&
4839 		    !he_set_mcs_mask(info, wdev, sband,
4840 				     nla_data(tb[NL80211_TXRATE_HE]),
4841 				     mask->control[band].he_mcs))
4842 			return -EINVAL;
4843 
4844 		if (tb[NL80211_TXRATE_HE_GI])
4845 			mask->control[band].he_gi =
4846 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
4847 		if (tb[NL80211_TXRATE_HE_LTF])
4848 			mask->control[band].he_ltf =
4849 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
4850 
4851 		if (mask->control[band].legacy == 0) {
4852 			/* don't allow empty legacy rates if HT, VHT or HE
4853 			 * are not even supported.
4854 			 */
4855 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4856 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
4857 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
4858 				return -EINVAL;
4859 
4860 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4861 				if (mask->control[band].ht_mcs[i])
4862 					goto out;
4863 
4864 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4865 				if (mask->control[band].vht_mcs[i])
4866 					goto out;
4867 
4868 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
4869 				if (mask->control[band].he_mcs[i])
4870 					goto out;
4871 
4872 			/* legacy and mcs rates may not be both empty */
4873 			return -EINVAL;
4874 		}
4875 	}
4876 
4877 out:
4878 	return 0;
4879 }
4880 
4881 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4882 				   enum nl80211_band band,
4883 				   struct cfg80211_bitrate_mask *beacon_rate)
4884 {
4885 	u32 count_ht, count_vht, count_he, i;
4886 	u32 rate = beacon_rate->control[band].legacy;
4887 
4888 	/* Allow only one rate */
4889 	if (hweight32(rate) > 1)
4890 		return -EINVAL;
4891 
4892 	count_ht = 0;
4893 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4894 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4895 			return -EINVAL;
4896 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4897 			count_ht++;
4898 			if (count_ht > 1)
4899 				return -EINVAL;
4900 		}
4901 		if (count_ht && rate)
4902 			return -EINVAL;
4903 	}
4904 
4905 	count_vht = 0;
4906 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4907 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4908 			return -EINVAL;
4909 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4910 			count_vht++;
4911 			if (count_vht > 1)
4912 				return -EINVAL;
4913 		}
4914 		if (count_vht && rate)
4915 			return -EINVAL;
4916 	}
4917 
4918 	count_he = 0;
4919 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
4920 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
4921 			return -EINVAL;
4922 		} else if (beacon_rate->control[band].he_mcs[i]) {
4923 			count_he++;
4924 			if (count_he > 1)
4925 				return -EINVAL;
4926 		}
4927 		if (count_he && rate)
4928 			return -EINVAL;
4929 	}
4930 
4931 	if ((count_ht && count_vht && count_he) ||
4932 	    (!rate && !count_ht && !count_vht && !count_he))
4933 		return -EINVAL;
4934 
4935 	if (rate &&
4936 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4937 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4938 		return -EINVAL;
4939 	if (count_ht &&
4940 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4941 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4942 		return -EINVAL;
4943 	if (count_vht &&
4944 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4945 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4946 		return -EINVAL;
4947 	if (count_he &&
4948 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4949 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
4950 		return -EINVAL;
4951 
4952 	return 0;
4953 }
4954 
4955 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4956 				struct nlattr *attrs[],
4957 				struct cfg80211_beacon_data *bcn)
4958 {
4959 	bool haveinfo = false;
4960 	int err;
4961 
4962 	memset(bcn, 0, sizeof(*bcn));
4963 
4964 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4965 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4966 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4967 		if (!bcn->head_len)
4968 			return -EINVAL;
4969 		haveinfo = true;
4970 	}
4971 
4972 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4973 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4974 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4975 		haveinfo = true;
4976 	}
4977 
4978 	if (!haveinfo)
4979 		return -EINVAL;
4980 
4981 	if (attrs[NL80211_ATTR_IE]) {
4982 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4983 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4984 	}
4985 
4986 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4987 		bcn->proberesp_ies =
4988 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4989 		bcn->proberesp_ies_len =
4990 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4991 	}
4992 
4993 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4994 		bcn->assocresp_ies =
4995 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4996 		bcn->assocresp_ies_len =
4997 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4998 	}
4999 
5000 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5001 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5002 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5003 	}
5004 
5005 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5006 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5007 
5008 		err = nla_parse_nested_deprecated(tb,
5009 						  NL80211_FTM_RESP_ATTR_MAX,
5010 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5011 						  NULL, NULL);
5012 		if (err)
5013 			return err;
5014 
5015 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5016 		    wiphy_ext_feature_isset(&rdev->wiphy,
5017 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5018 			bcn->ftm_responder = 1;
5019 		else
5020 			return -EOPNOTSUPP;
5021 
5022 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5023 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5024 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5025 		}
5026 
5027 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5028 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5029 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5030 		}
5031 	} else {
5032 		bcn->ftm_responder = -1;
5033 	}
5034 
5035 	return 0;
5036 }
5037 
5038 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5039 				    struct ieee80211_he_obss_pd *he_obss_pd)
5040 {
5041 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5042 	int err;
5043 
5044 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5045 			       he_obss_pd_policy, NULL);
5046 	if (err)
5047 		return err;
5048 
5049 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5050 		return -EINVAL;
5051 
5052 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5053 
5054 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5055 		he_obss_pd->min_offset =
5056 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5057 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5058 		he_obss_pd->max_offset =
5059 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5060 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5061 		he_obss_pd->non_srg_max_offset =
5062 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5063 
5064 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5065 		return -EINVAL;
5066 
5067 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5068 		memcpy(he_obss_pd->bss_color_bitmap,
5069 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5070 		       sizeof(he_obss_pd->bss_color_bitmap));
5071 
5072 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5073 		memcpy(he_obss_pd->partial_bssid_bitmap,
5074 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5075 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5076 
5077 	he_obss_pd->enable = true;
5078 
5079 	return 0;
5080 }
5081 
5082 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5083 				      struct cfg80211_he_bss_color *he_bss_color)
5084 {
5085 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5086 	int err;
5087 
5088 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5089 			       he_bss_color_policy, NULL);
5090 	if (err)
5091 		return err;
5092 
5093 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5094 		return -EINVAL;
5095 
5096 	he_bss_color->color =
5097 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5098 	he_bss_color->enabled =
5099 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5100 	he_bss_color->partial =
5101 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5102 
5103 	return 0;
5104 }
5105 
5106 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5107 					struct nlattr *attrs,
5108 					struct cfg80211_ap_settings *params)
5109 {
5110 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5111 	int ret;
5112 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5113 
5114 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5115 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5116 		return -EINVAL;
5117 
5118 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5119 			       NULL, NULL);
5120 	if (ret)
5121 		return ret;
5122 
5123 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5124 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5125 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5126 		return -EINVAL;
5127 
5128 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5129 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5130 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5131 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5132 
5133 	return 0;
5134 }
5135 
5136 static int
5137 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5138 				     struct nlattr *attrs,
5139 				     struct cfg80211_ap_settings *params)
5140 {
5141 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5142 	int ret;
5143 	struct cfg80211_unsol_bcast_probe_resp *presp =
5144 					&params->unsol_bcast_probe_resp;
5145 
5146 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5147 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5148 		return -EINVAL;
5149 
5150 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5151 			       attrs, NULL, NULL);
5152 	if (ret)
5153 		return ret;
5154 
5155 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5156 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5157 		return -EINVAL;
5158 
5159 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5160 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5161 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5162 	return 0;
5163 }
5164 
5165 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5166 					    const u8 *rates)
5167 {
5168 	int i;
5169 
5170 	if (!rates)
5171 		return;
5172 
5173 	for (i = 0; i < rates[1]; i++) {
5174 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5175 			params->ht_required = true;
5176 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5177 			params->vht_required = true;
5178 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5179 			params->he_required = true;
5180 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5181 			params->sae_h2e_required = true;
5182 	}
5183 }
5184 
5185 /*
5186  * Since the nl80211 API didn't include, from the beginning, attributes about
5187  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5188  * benefit of drivers that rebuild IEs in the firmware.
5189  */
5190 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5191 {
5192 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5193 	size_t ies_len = bcn->tail_len;
5194 	const u8 *ies = bcn->tail;
5195 	const u8 *rates;
5196 	const u8 *cap;
5197 
5198 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
5199 	nl80211_check_ap_rate_selectors(params, rates);
5200 
5201 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5202 	nl80211_check_ap_rate_selectors(params, rates);
5203 
5204 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5205 	if (cap && cap[1] >= sizeof(*params->ht_cap))
5206 		params->ht_cap = (void *)(cap + 2);
5207 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5208 	if (cap && cap[1] >= sizeof(*params->vht_cap))
5209 		params->vht_cap = (void *)(cap + 2);
5210 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5211 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
5212 		params->he_cap = (void *)(cap + 3);
5213 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5214 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
5215 		params->he_oper = (void *)(cap + 3);
5216 }
5217 
5218 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5219 				   struct cfg80211_ap_settings *params)
5220 {
5221 	struct wireless_dev *wdev;
5222 	bool ret = false;
5223 
5224 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5225 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5226 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5227 			continue;
5228 
5229 		if (!wdev->preset_chandef.chan)
5230 			continue;
5231 
5232 		params->chandef = wdev->preset_chandef;
5233 		ret = true;
5234 		break;
5235 	}
5236 
5237 	return ret;
5238 }
5239 
5240 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5241 				    enum nl80211_auth_type auth_type,
5242 				    enum nl80211_commands cmd)
5243 {
5244 	if (auth_type > NL80211_AUTHTYPE_MAX)
5245 		return false;
5246 
5247 	switch (cmd) {
5248 	case NL80211_CMD_AUTHENTICATE:
5249 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5250 		    auth_type == NL80211_AUTHTYPE_SAE)
5251 			return false;
5252 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5253 					     NL80211_EXT_FEATURE_FILS_STA) &&
5254 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5255 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5256 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5257 			return false;
5258 		return true;
5259 	case NL80211_CMD_CONNECT:
5260 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5261 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5262 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5263 		    auth_type == NL80211_AUTHTYPE_SAE)
5264 			return false;
5265 
5266 		/* FILS with SK PFS or PK not supported yet */
5267 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5268 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5269 			return false;
5270 		if (!wiphy_ext_feature_isset(
5271 			    &rdev->wiphy,
5272 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5273 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5274 			return false;
5275 		return true;
5276 	case NL80211_CMD_START_AP:
5277 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5278 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5279 		    auth_type == NL80211_AUTHTYPE_SAE)
5280 			return false;
5281 		/* FILS not supported yet */
5282 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5283 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5284 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5285 			return false;
5286 		return true;
5287 	default:
5288 		return false;
5289 	}
5290 }
5291 
5292 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5293 {
5294 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5295 	struct net_device *dev = info->user_ptr[1];
5296 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5297 	struct cfg80211_ap_settings params;
5298 	int err;
5299 
5300 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5301 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5302 		return -EOPNOTSUPP;
5303 
5304 	if (!rdev->ops->start_ap)
5305 		return -EOPNOTSUPP;
5306 
5307 	if (wdev->beacon_interval)
5308 		return -EALREADY;
5309 
5310 	memset(&params, 0, sizeof(params));
5311 
5312 	/* these are required for START_AP */
5313 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5314 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5315 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5316 		return -EINVAL;
5317 
5318 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
5319 	if (err)
5320 		return err;
5321 
5322 	params.beacon_interval =
5323 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5324 	params.dtim_period =
5325 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5326 
5327 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5328 					   params.beacon_interval);
5329 	if (err)
5330 		return err;
5331 
5332 	/*
5333 	 * In theory, some of these attributes should be required here
5334 	 * but since they were not used when the command was originally
5335 	 * added, keep them optional for old user space programs to let
5336 	 * them continue to work with drivers that do not need the
5337 	 * additional information -- drivers must check!
5338 	 */
5339 	if (info->attrs[NL80211_ATTR_SSID]) {
5340 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5341 		params.ssid_len =
5342 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5343 		if (params.ssid_len == 0)
5344 			return -EINVAL;
5345 	}
5346 
5347 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5348 		params.hidden_ssid = nla_get_u32(
5349 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5350 
5351 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5352 
5353 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5354 		params.auth_type = nla_get_u32(
5355 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5356 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
5357 					     NL80211_CMD_START_AP))
5358 			return -EINVAL;
5359 	} else
5360 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5361 
5362 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
5363 				      NL80211_MAX_NR_CIPHER_SUITES);
5364 	if (err)
5365 		return err;
5366 
5367 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
5368 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
5369 			return -EOPNOTSUPP;
5370 		params.inactivity_timeout = nla_get_u16(
5371 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
5372 	}
5373 
5374 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
5375 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5376 			return -EINVAL;
5377 		params.p2p_ctwindow =
5378 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
5379 		if (params.p2p_ctwindow != 0 &&
5380 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
5381 			return -EINVAL;
5382 	}
5383 
5384 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
5385 		u8 tmp;
5386 
5387 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5388 			return -EINVAL;
5389 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
5390 		params.p2p_opp_ps = tmp;
5391 		if (params.p2p_opp_ps != 0 &&
5392 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
5393 			return -EINVAL;
5394 	}
5395 
5396 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
5397 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
5398 		if (err)
5399 			return err;
5400 	} else if (wdev->preset_chandef.chan) {
5401 		params.chandef = wdev->preset_chandef;
5402 	} else if (!nl80211_get_ap_channel(rdev, &params))
5403 		return -EINVAL;
5404 
5405 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
5406 					   wdev->iftype))
5407 		return -EINVAL;
5408 
5409 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
5410 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
5411 						    NL80211_ATTR_TX_RATES,
5412 						    &params.beacon_rate,
5413 						    dev, false);
5414 		if (err)
5415 			return err;
5416 
5417 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
5418 					      &params.beacon_rate);
5419 		if (err)
5420 			return err;
5421 	}
5422 
5423 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
5424 		params.smps_mode =
5425 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
5426 		switch (params.smps_mode) {
5427 		case NL80211_SMPS_OFF:
5428 			break;
5429 		case NL80211_SMPS_STATIC:
5430 			if (!(rdev->wiphy.features &
5431 			      NL80211_FEATURE_STATIC_SMPS))
5432 				return -EINVAL;
5433 			break;
5434 		case NL80211_SMPS_DYNAMIC:
5435 			if (!(rdev->wiphy.features &
5436 			      NL80211_FEATURE_DYNAMIC_SMPS))
5437 				return -EINVAL;
5438 			break;
5439 		default:
5440 			return -EINVAL;
5441 		}
5442 	} else {
5443 		params.smps_mode = NL80211_SMPS_OFF;
5444 	}
5445 
5446 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
5447 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
5448 		return -EOPNOTSUPP;
5449 
5450 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
5451 		params.acl = parse_acl_data(&rdev->wiphy, info);
5452 		if (IS_ERR(params.acl))
5453 			return PTR_ERR(params.acl);
5454 	}
5455 
5456 	params.twt_responder =
5457 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5458 
5459 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5460 		err = nl80211_parse_he_obss_pd(
5461 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5462 					&params.he_obss_pd);
5463 		if (err)
5464 			goto out;
5465 	}
5466 
5467 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5468 		err = nl80211_parse_he_bss_color(
5469 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5470 					&params.he_bss_color);
5471 		if (err)
5472 			goto out;
5473 	}
5474 
5475 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
5476 		err = nl80211_parse_fils_discovery(rdev,
5477 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
5478 						   &params);
5479 		if (err)
5480 			goto out;
5481 	}
5482 
5483 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
5484 		err = nl80211_parse_unsol_bcast_probe_resp(
5485 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
5486 			&params);
5487 		if (err)
5488 			return err;
5489 	}
5490 
5491 	nl80211_calculate_ap_params(&params);
5492 
5493 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5494 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5495 
5496 	wdev_lock(wdev);
5497 	err = rdev_start_ap(rdev, dev, &params);
5498 	if (!err) {
5499 		wdev->preset_chandef = params.chandef;
5500 		wdev->beacon_interval = params.beacon_interval;
5501 		wdev->chandef = params.chandef;
5502 		wdev->ssid_len = params.ssid_len;
5503 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5504 
5505 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5506 			wdev->conn_owner_nlportid = info->snd_portid;
5507 	}
5508 	wdev_unlock(wdev);
5509 
5510 out:
5511 	kfree(params.acl);
5512 
5513 	return err;
5514 }
5515 
5516 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5517 {
5518 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5519 	struct net_device *dev = info->user_ptr[1];
5520 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5521 	struct cfg80211_beacon_data params;
5522 	int err;
5523 
5524 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5525 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5526 		return -EOPNOTSUPP;
5527 
5528 	if (!rdev->ops->change_beacon)
5529 		return -EOPNOTSUPP;
5530 
5531 	if (!wdev->beacon_interval)
5532 		return -EINVAL;
5533 
5534 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5535 	if (err)
5536 		return err;
5537 
5538 	wdev_lock(wdev);
5539 	err = rdev_change_beacon(rdev, dev, &params);
5540 	wdev_unlock(wdev);
5541 
5542 	return err;
5543 }
5544 
5545 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5546 {
5547 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5548 	struct net_device *dev = info->user_ptr[1];
5549 
5550 	return cfg80211_stop_ap(rdev, dev, false);
5551 }
5552 
5553 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5554 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5555 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5556 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5557 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5558 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5559 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5560 };
5561 
5562 static int parse_station_flags(struct genl_info *info,
5563 			       enum nl80211_iftype iftype,
5564 			       struct station_parameters *params)
5565 {
5566 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5567 	struct nlattr *nla;
5568 	int flag;
5569 
5570 	/*
5571 	 * Try parsing the new attribute first so userspace
5572 	 * can specify both for older kernels.
5573 	 */
5574 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5575 	if (nla) {
5576 		struct nl80211_sta_flag_update *sta_flags;
5577 
5578 		sta_flags = nla_data(nla);
5579 		params->sta_flags_mask = sta_flags->mask;
5580 		params->sta_flags_set = sta_flags->set;
5581 		params->sta_flags_set &= params->sta_flags_mask;
5582 		if ((params->sta_flags_mask |
5583 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5584 			return -EINVAL;
5585 		return 0;
5586 	}
5587 
5588 	/* if present, parse the old attribute */
5589 
5590 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5591 	if (!nla)
5592 		return 0;
5593 
5594 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5595 		return -EINVAL;
5596 
5597 	/*
5598 	 * Only allow certain flags for interface types so that
5599 	 * other attributes are silently ignored. Remember that
5600 	 * this is backward compatibility code with old userspace
5601 	 * and shouldn't be hit in other cases anyway.
5602 	 */
5603 	switch (iftype) {
5604 	case NL80211_IFTYPE_AP:
5605 	case NL80211_IFTYPE_AP_VLAN:
5606 	case NL80211_IFTYPE_P2P_GO:
5607 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5608 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5609 					 BIT(NL80211_STA_FLAG_WME) |
5610 					 BIT(NL80211_STA_FLAG_MFP);
5611 		break;
5612 	case NL80211_IFTYPE_P2P_CLIENT:
5613 	case NL80211_IFTYPE_STATION:
5614 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5615 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5616 		break;
5617 	case NL80211_IFTYPE_MESH_POINT:
5618 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5619 					 BIT(NL80211_STA_FLAG_MFP) |
5620 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5621 		break;
5622 	default:
5623 		return -EINVAL;
5624 	}
5625 
5626 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5627 		if (flags[flag]) {
5628 			params->sta_flags_set |= (1<<flag);
5629 
5630 			/* no longer support new API additions in old API */
5631 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5632 				return -EINVAL;
5633 		}
5634 	}
5635 
5636 	return 0;
5637 }
5638 
5639 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5640 {
5641 	struct nlattr *rate;
5642 	u32 bitrate;
5643 	u16 bitrate_compat;
5644 	enum nl80211_rate_info rate_flg;
5645 
5646 	rate = nla_nest_start_noflag(msg, attr);
5647 	if (!rate)
5648 		return false;
5649 
5650 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5651 	bitrate = cfg80211_calculate_bitrate(info);
5652 	/* report 16-bit bitrate only if we can */
5653 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5654 	if (bitrate > 0 &&
5655 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5656 		return false;
5657 	if (bitrate_compat > 0 &&
5658 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5659 		return false;
5660 
5661 	switch (info->bw) {
5662 	case RATE_INFO_BW_5:
5663 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5664 		break;
5665 	case RATE_INFO_BW_10:
5666 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5667 		break;
5668 	default:
5669 		WARN_ON(1);
5670 		fallthrough;
5671 	case RATE_INFO_BW_20:
5672 		rate_flg = 0;
5673 		break;
5674 	case RATE_INFO_BW_40:
5675 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5676 		break;
5677 	case RATE_INFO_BW_80:
5678 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5679 		break;
5680 	case RATE_INFO_BW_160:
5681 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5682 		break;
5683 	case RATE_INFO_BW_HE_RU:
5684 		rate_flg = 0;
5685 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5686 	}
5687 
5688 	if (rate_flg && nla_put_flag(msg, rate_flg))
5689 		return false;
5690 
5691 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5692 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5693 			return false;
5694 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5695 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5696 			return false;
5697 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5698 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5699 			return false;
5700 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5701 			return false;
5702 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5703 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5704 			return false;
5705 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5706 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5707 			return false;
5708 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5709 			return false;
5710 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5711 			return false;
5712 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5713 			return false;
5714 		if (info->bw == RATE_INFO_BW_HE_RU &&
5715 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5716 			       info->he_ru_alloc))
5717 			return false;
5718 	}
5719 
5720 	nla_nest_end(msg, rate);
5721 	return true;
5722 }
5723 
5724 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5725 			       int id)
5726 {
5727 	void *attr;
5728 	int i = 0;
5729 
5730 	if (!mask)
5731 		return true;
5732 
5733 	attr = nla_nest_start_noflag(msg, id);
5734 	if (!attr)
5735 		return false;
5736 
5737 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5738 		if (!(mask & BIT(i)))
5739 			continue;
5740 
5741 		if (nla_put_u8(msg, i, signal[i]))
5742 			return false;
5743 	}
5744 
5745 	nla_nest_end(msg, attr);
5746 
5747 	return true;
5748 }
5749 
5750 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5751 				u32 seq, int flags,
5752 				struct cfg80211_registered_device *rdev,
5753 				struct net_device *dev,
5754 				const u8 *mac_addr, struct station_info *sinfo)
5755 {
5756 	void *hdr;
5757 	struct nlattr *sinfoattr, *bss_param;
5758 
5759 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5760 	if (!hdr) {
5761 		cfg80211_sinfo_release_content(sinfo);
5762 		return -1;
5763 	}
5764 
5765 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5766 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5767 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5768 		goto nla_put_failure;
5769 
5770 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5771 	if (!sinfoattr)
5772 		goto nla_put_failure;
5773 
5774 #define PUT_SINFO(attr, memb, type) do {				\
5775 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5776 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5777 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5778 			     sinfo->memb))				\
5779 		goto nla_put_failure;					\
5780 	} while (0)
5781 #define PUT_SINFO_U64(attr, memb) do {					\
5782 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5783 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5784 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5785 		goto nla_put_failure;					\
5786 	} while (0)
5787 
5788 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5789 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5790 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5791 
5792 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5793 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5794 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5795 			(u32)sinfo->rx_bytes))
5796 		goto nla_put_failure;
5797 
5798 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5799 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5800 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5801 			(u32)sinfo->tx_bytes))
5802 		goto nla_put_failure;
5803 
5804 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5805 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5806 	PUT_SINFO(LLID, llid, u16);
5807 	PUT_SINFO(PLID, plid, u16);
5808 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5809 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5810 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5811 
5812 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5813 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5814 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5815 
5816 	switch (rdev->wiphy.signal_type) {
5817 	case CFG80211_SIGNAL_TYPE_MBM:
5818 		PUT_SINFO(SIGNAL, signal, u8);
5819 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5820 		break;
5821 	default:
5822 		break;
5823 	}
5824 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5825 		if (!nl80211_put_signal(msg, sinfo->chains,
5826 					sinfo->chain_signal,
5827 					NL80211_STA_INFO_CHAIN_SIGNAL))
5828 			goto nla_put_failure;
5829 	}
5830 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5831 		if (!nl80211_put_signal(msg, sinfo->chains,
5832 					sinfo->chain_signal_avg,
5833 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5834 			goto nla_put_failure;
5835 	}
5836 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5837 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5838 					  NL80211_STA_INFO_TX_BITRATE))
5839 			goto nla_put_failure;
5840 	}
5841 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5842 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5843 					  NL80211_STA_INFO_RX_BITRATE))
5844 			goto nla_put_failure;
5845 	}
5846 
5847 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5848 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5849 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5850 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5851 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5852 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5853 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5854 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5855 	PUT_SINFO(PEER_PM, peer_pm, u32);
5856 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5857 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5858 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
5859 
5860 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5861 		bss_param = nla_nest_start_noflag(msg,
5862 						  NL80211_STA_INFO_BSS_PARAM);
5863 		if (!bss_param)
5864 			goto nla_put_failure;
5865 
5866 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5867 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5868 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5869 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5870 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5871 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5872 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5873 			       sinfo->bss_param.dtim_period) ||
5874 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5875 				sinfo->bss_param.beacon_interval))
5876 			goto nla_put_failure;
5877 
5878 		nla_nest_end(msg, bss_param);
5879 	}
5880 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5881 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5882 		    sizeof(struct nl80211_sta_flag_update),
5883 		    &sinfo->sta_flags))
5884 		goto nla_put_failure;
5885 
5886 	PUT_SINFO_U64(T_OFFSET, t_offset);
5887 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5888 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5889 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5890 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5891 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5892 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5893 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5894 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5895 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5896 	}
5897 
5898 #undef PUT_SINFO
5899 #undef PUT_SINFO_U64
5900 
5901 	if (sinfo->pertid) {
5902 		struct nlattr *tidsattr;
5903 		int tid;
5904 
5905 		tidsattr = nla_nest_start_noflag(msg,
5906 						 NL80211_STA_INFO_TID_STATS);
5907 		if (!tidsattr)
5908 			goto nla_put_failure;
5909 
5910 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5911 			struct cfg80211_tid_stats *tidstats;
5912 			struct nlattr *tidattr;
5913 
5914 			tidstats = &sinfo->pertid[tid];
5915 
5916 			if (!tidstats->filled)
5917 				continue;
5918 
5919 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5920 			if (!tidattr)
5921 				goto nla_put_failure;
5922 
5923 #define PUT_TIDVAL_U64(attr, memb) do {					\
5924 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5925 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5926 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5927 		goto nla_put_failure;					\
5928 	} while (0)
5929 
5930 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5931 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5932 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5933 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5934 
5935 #undef PUT_TIDVAL_U64
5936 			if ((tidstats->filled &
5937 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5938 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5939 						   NL80211_TID_STATS_TXQ_STATS))
5940 				goto nla_put_failure;
5941 
5942 			nla_nest_end(msg, tidattr);
5943 		}
5944 
5945 		nla_nest_end(msg, tidsattr);
5946 	}
5947 
5948 	nla_nest_end(msg, sinfoattr);
5949 
5950 	if (sinfo->assoc_req_ies_len &&
5951 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5952 		    sinfo->assoc_req_ies))
5953 		goto nla_put_failure;
5954 
5955 	cfg80211_sinfo_release_content(sinfo);
5956 	genlmsg_end(msg, hdr);
5957 	return 0;
5958 
5959  nla_put_failure:
5960 	cfg80211_sinfo_release_content(sinfo);
5961 	genlmsg_cancel(msg, hdr);
5962 	return -EMSGSIZE;
5963 }
5964 
5965 static int nl80211_dump_station(struct sk_buff *skb,
5966 				struct netlink_callback *cb)
5967 {
5968 	struct station_info sinfo;
5969 	struct cfg80211_registered_device *rdev;
5970 	struct wireless_dev *wdev;
5971 	u8 mac_addr[ETH_ALEN];
5972 	int sta_idx = cb->args[2];
5973 	int err;
5974 
5975 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5976 	if (err)
5977 		return err;
5978 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
5979 	__acquire(&rdev->wiphy.mtx);
5980 
5981 	if (!wdev->netdev) {
5982 		err = -EINVAL;
5983 		goto out_err;
5984 	}
5985 
5986 	if (!rdev->ops->dump_station) {
5987 		err = -EOPNOTSUPP;
5988 		goto out_err;
5989 	}
5990 
5991 	while (1) {
5992 		memset(&sinfo, 0, sizeof(sinfo));
5993 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5994 					mac_addr, &sinfo);
5995 		if (err == -ENOENT)
5996 			break;
5997 		if (err)
5998 			goto out_err;
5999 
6000 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6001 				NETLINK_CB(cb->skb).portid,
6002 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6003 				rdev, wdev->netdev, mac_addr,
6004 				&sinfo) < 0)
6005 			goto out;
6006 
6007 		sta_idx++;
6008 	}
6009 
6010  out:
6011 	cb->args[2] = sta_idx;
6012 	err = skb->len;
6013  out_err:
6014 	wiphy_unlock(&rdev->wiphy);
6015 
6016 	return err;
6017 }
6018 
6019 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6020 {
6021 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6022 	struct net_device *dev = info->user_ptr[1];
6023 	struct station_info sinfo;
6024 	struct sk_buff *msg;
6025 	u8 *mac_addr = NULL;
6026 	int err;
6027 
6028 	memset(&sinfo, 0, sizeof(sinfo));
6029 
6030 	if (!info->attrs[NL80211_ATTR_MAC])
6031 		return -EINVAL;
6032 
6033 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6034 
6035 	if (!rdev->ops->get_station)
6036 		return -EOPNOTSUPP;
6037 
6038 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6039 	if (err)
6040 		return err;
6041 
6042 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6043 	if (!msg) {
6044 		cfg80211_sinfo_release_content(&sinfo);
6045 		return -ENOMEM;
6046 	}
6047 
6048 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6049 				 info->snd_portid, info->snd_seq, 0,
6050 				 rdev, dev, mac_addr, &sinfo) < 0) {
6051 		nlmsg_free(msg);
6052 		return -ENOBUFS;
6053 	}
6054 
6055 	return genlmsg_reply(msg, info);
6056 }
6057 
6058 int cfg80211_check_station_change(struct wiphy *wiphy,
6059 				  struct station_parameters *params,
6060 				  enum cfg80211_station_type statype)
6061 {
6062 	if (params->listen_interval != -1 &&
6063 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6064 		return -EINVAL;
6065 
6066 	if (params->support_p2p_ps != -1 &&
6067 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6068 		return -EINVAL;
6069 
6070 	if (params->aid &&
6071 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6072 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6073 		return -EINVAL;
6074 
6075 	/* When you run into this, adjust the code below for the new flag */
6076 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6077 
6078 	switch (statype) {
6079 	case CFG80211_STA_MESH_PEER_KERNEL:
6080 	case CFG80211_STA_MESH_PEER_USER:
6081 		/*
6082 		 * No ignoring the TDLS flag here -- the userspace mesh
6083 		 * code doesn't have the bug of including TDLS in the
6084 		 * mask everywhere.
6085 		 */
6086 		if (params->sta_flags_mask &
6087 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6088 				  BIT(NL80211_STA_FLAG_MFP) |
6089 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6090 			return -EINVAL;
6091 		break;
6092 	case CFG80211_STA_TDLS_PEER_SETUP:
6093 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6094 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6095 			return -EINVAL;
6096 		/* ignore since it can't change */
6097 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6098 		break;
6099 	default:
6100 		/* disallow mesh-specific things */
6101 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6102 			return -EINVAL;
6103 		if (params->local_pm)
6104 			return -EINVAL;
6105 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6106 			return -EINVAL;
6107 	}
6108 
6109 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6110 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6111 		/* TDLS can't be set, ... */
6112 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6113 			return -EINVAL;
6114 		/*
6115 		 * ... but don't bother the driver with it. This works around
6116 		 * a hostapd/wpa_supplicant issue -- it always includes the
6117 		 * TLDS_PEER flag in the mask even for AP mode.
6118 		 */
6119 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6120 	}
6121 
6122 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6123 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6124 		/* reject other things that can't change */
6125 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6126 			return -EINVAL;
6127 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6128 			return -EINVAL;
6129 		if (params->supported_rates)
6130 			return -EINVAL;
6131 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
6132 		    params->he_capa)
6133 			return -EINVAL;
6134 	}
6135 
6136 	if (statype != CFG80211_STA_AP_CLIENT &&
6137 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6138 		if (params->vlan)
6139 			return -EINVAL;
6140 	}
6141 
6142 	switch (statype) {
6143 	case CFG80211_STA_AP_MLME_CLIENT:
6144 		/* Use this only for authorizing/unauthorizing a station */
6145 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6146 			return -EOPNOTSUPP;
6147 		break;
6148 	case CFG80211_STA_AP_CLIENT:
6149 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6150 		/* accept only the listed bits */
6151 		if (params->sta_flags_mask &
6152 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6153 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6154 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6155 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6156 				  BIT(NL80211_STA_FLAG_WME) |
6157 				  BIT(NL80211_STA_FLAG_MFP)))
6158 			return -EINVAL;
6159 
6160 		/* but authenticated/associated only if driver handles it */
6161 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6162 		    params->sta_flags_mask &
6163 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6164 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6165 			return -EINVAL;
6166 		break;
6167 	case CFG80211_STA_IBSS:
6168 	case CFG80211_STA_AP_STA:
6169 		/* reject any changes other than AUTHORIZED */
6170 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6171 			return -EINVAL;
6172 		break;
6173 	case CFG80211_STA_TDLS_PEER_SETUP:
6174 		/* reject any changes other than AUTHORIZED or WME */
6175 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6176 					       BIT(NL80211_STA_FLAG_WME)))
6177 			return -EINVAL;
6178 		/* force (at least) rates when authorizing */
6179 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6180 		    !params->supported_rates)
6181 			return -EINVAL;
6182 		break;
6183 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6184 		/* reject any changes */
6185 		return -EINVAL;
6186 	case CFG80211_STA_MESH_PEER_KERNEL:
6187 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6188 			return -EINVAL;
6189 		break;
6190 	case CFG80211_STA_MESH_PEER_USER:
6191 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6192 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6193 			return -EINVAL;
6194 		break;
6195 	}
6196 
6197 	/*
6198 	 * Older kernel versions ignored this attribute entirely, so don't
6199 	 * reject attempts to update it but mark it as unused instead so the
6200 	 * driver won't look at the data.
6201 	 */
6202 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6203 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6204 		params->opmode_notif_used = false;
6205 
6206 	return 0;
6207 }
6208 EXPORT_SYMBOL(cfg80211_check_station_change);
6209 
6210 /*
6211  * Get vlan interface making sure it is running and on the right wiphy.
6212  */
6213 static struct net_device *get_vlan(struct genl_info *info,
6214 				   struct cfg80211_registered_device *rdev)
6215 {
6216 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6217 	struct net_device *v;
6218 	int ret;
6219 
6220 	if (!vlanattr)
6221 		return NULL;
6222 
6223 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6224 	if (!v)
6225 		return ERR_PTR(-ENODEV);
6226 
6227 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6228 		ret = -EINVAL;
6229 		goto error;
6230 	}
6231 
6232 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
6233 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6234 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6235 		ret = -EINVAL;
6236 		goto error;
6237 	}
6238 
6239 	if (!netif_running(v)) {
6240 		ret = -ENETDOWN;
6241 		goto error;
6242 	}
6243 
6244 	return v;
6245  error:
6246 	dev_put(v);
6247 	return ERR_PTR(ret);
6248 }
6249 
6250 static const struct nla_policy
6251 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
6252 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
6253 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
6254 };
6255 
6256 static int nl80211_parse_sta_wme(struct genl_info *info,
6257 				 struct station_parameters *params)
6258 {
6259 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
6260 	struct nlattr *nla;
6261 	int err;
6262 
6263 	/* parse WME attributes if present */
6264 	if (!info->attrs[NL80211_ATTR_STA_WME])
6265 		return 0;
6266 
6267 	nla = info->attrs[NL80211_ATTR_STA_WME];
6268 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
6269 					  nl80211_sta_wme_policy,
6270 					  info->extack);
6271 	if (err)
6272 		return err;
6273 
6274 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
6275 		params->uapsd_queues = nla_get_u8(
6276 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
6277 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
6278 		return -EINVAL;
6279 
6280 	if (tb[NL80211_STA_WME_MAX_SP])
6281 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
6282 
6283 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
6284 		return -EINVAL;
6285 
6286 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
6287 
6288 	return 0;
6289 }
6290 
6291 static int nl80211_parse_sta_channel_info(struct genl_info *info,
6292 				      struct station_parameters *params)
6293 {
6294 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
6295 		params->supported_channels =
6296 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6297 		params->supported_channels_len =
6298 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
6299 		/*
6300 		 * Need to include at least one (first channel, number of
6301 		 * channels) tuple for each subband (checked in policy),
6302 		 * and must have proper tuples for the rest of the data as well.
6303 		 */
6304 		if (params->supported_channels_len % 2)
6305 			return -EINVAL;
6306 	}
6307 
6308 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
6309 		params->supported_oper_classes =
6310 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6311 		params->supported_oper_classes_len =
6312 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
6313 	}
6314 	return 0;
6315 }
6316 
6317 static int nl80211_set_station_tdls(struct genl_info *info,
6318 				    struct station_parameters *params)
6319 {
6320 	int err;
6321 	/* Dummy STA entry gets updated once the peer capabilities are known */
6322 	if (info->attrs[NL80211_ATTR_PEER_AID])
6323 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6324 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6325 		params->ht_capa =
6326 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6327 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6328 		params->vht_capa =
6329 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6330 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6331 		params->he_capa =
6332 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6333 		params->he_capa_len =
6334 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6335 	}
6336 
6337 	err = nl80211_parse_sta_channel_info(info, params);
6338 	if (err)
6339 		return err;
6340 
6341 	return nl80211_parse_sta_wme(info, params);
6342 }
6343 
6344 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
6345 					     struct station_parameters *params)
6346 {
6347 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6348 	int idx;
6349 
6350 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
6351 		if (!rdev->ops->set_tx_power ||
6352 		    !wiphy_ext_feature_isset(&rdev->wiphy,
6353 					 NL80211_EXT_FEATURE_STA_TX_PWR))
6354 			return -EOPNOTSUPP;
6355 
6356 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
6357 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
6358 
6359 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
6360 			idx = NL80211_ATTR_STA_TX_POWER;
6361 
6362 			if (info->attrs[idx])
6363 				params->txpwr.power =
6364 					nla_get_s16(info->attrs[idx]);
6365 			else
6366 				return -EINVAL;
6367 		}
6368 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
6369 	}
6370 
6371 	return 0;
6372 }
6373 
6374 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
6375 {
6376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6377 	struct net_device *dev = info->user_ptr[1];
6378 	struct station_parameters params;
6379 	u8 *mac_addr;
6380 	int err;
6381 
6382 	memset(&params, 0, sizeof(params));
6383 
6384 	if (!rdev->ops->change_station)
6385 		return -EOPNOTSUPP;
6386 
6387 	/*
6388 	 * AID and listen_interval properties can be set only for unassociated
6389 	 * station. Include these parameters here and will check them in
6390 	 * cfg80211_check_station_change().
6391 	 */
6392 	if (info->attrs[NL80211_ATTR_STA_AID])
6393 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6394 
6395 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6396 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6397 
6398 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6399 		params.listen_interval =
6400 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6401 	else
6402 		params.listen_interval = -1;
6403 
6404 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
6405 		params.support_p2p_ps =
6406 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6407 	else
6408 		params.support_p2p_ps = -1;
6409 
6410 	if (!info->attrs[NL80211_ATTR_MAC])
6411 		return -EINVAL;
6412 
6413 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6414 
6415 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
6416 		params.supported_rates =
6417 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6418 		params.supported_rates_len =
6419 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6420 	}
6421 
6422 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6423 		params.capability =
6424 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6425 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6426 	}
6427 
6428 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6429 		params.ext_capab =
6430 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6431 		params.ext_capab_len =
6432 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6433 	}
6434 
6435 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6436 		return -EINVAL;
6437 
6438 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6439 		params.plink_action =
6440 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6441 
6442 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
6443 		params.plink_state =
6444 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
6445 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
6446 			params.peer_aid = nla_get_u16(
6447 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
6448 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
6449 	}
6450 
6451 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
6452 		params.local_pm = nla_get_u32(
6453 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
6454 
6455 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6456 		params.opmode_notif_used = true;
6457 		params.opmode_notif =
6458 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6459 	}
6460 
6461 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6462 		params.he_6ghz_capa =
6463 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6464 
6465 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6466 		params.airtime_weight =
6467 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6468 
6469 	if (params.airtime_weight &&
6470 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6471 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6472 		return -EOPNOTSUPP;
6473 
6474 	err = nl80211_parse_sta_txpower_setting(info, &params);
6475 	if (err)
6476 		return err;
6477 
6478 	/* Include parameters for TDLS peer (will check later) */
6479 	err = nl80211_set_station_tdls(info, &params);
6480 	if (err)
6481 		return err;
6482 
6483 	params.vlan = get_vlan(info, rdev);
6484 	if (IS_ERR(params.vlan))
6485 		return PTR_ERR(params.vlan);
6486 
6487 	switch (dev->ieee80211_ptr->iftype) {
6488 	case NL80211_IFTYPE_AP:
6489 	case NL80211_IFTYPE_AP_VLAN:
6490 	case NL80211_IFTYPE_P2P_GO:
6491 	case NL80211_IFTYPE_P2P_CLIENT:
6492 	case NL80211_IFTYPE_STATION:
6493 	case NL80211_IFTYPE_ADHOC:
6494 	case NL80211_IFTYPE_MESH_POINT:
6495 		break;
6496 	default:
6497 		err = -EOPNOTSUPP;
6498 		goto out_put_vlan;
6499 	}
6500 
6501 	/* driver will call cfg80211_check_station_change() */
6502 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6503 
6504  out_put_vlan:
6505 	if (params.vlan)
6506 		dev_put(params.vlan);
6507 
6508 	return err;
6509 }
6510 
6511 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6512 {
6513 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6514 	int err;
6515 	struct net_device *dev = info->user_ptr[1];
6516 	struct station_parameters params;
6517 	u8 *mac_addr = NULL;
6518 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6519 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6520 
6521 	memset(&params, 0, sizeof(params));
6522 
6523 	if (!rdev->ops->add_station)
6524 		return -EOPNOTSUPP;
6525 
6526 	if (!info->attrs[NL80211_ATTR_MAC])
6527 		return -EINVAL;
6528 
6529 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6530 		return -EINVAL;
6531 
6532 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6533 		return -EINVAL;
6534 
6535 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6536 	    !info->attrs[NL80211_ATTR_PEER_AID])
6537 		return -EINVAL;
6538 
6539 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6540 	params.supported_rates =
6541 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6542 	params.supported_rates_len =
6543 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6544 	params.listen_interval =
6545 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6546 
6547 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6548 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6549 
6550 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6551 		params.support_p2p_ps =
6552 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6553 	} else {
6554 		/*
6555 		 * if not specified, assume it's supported for P2P GO interface,
6556 		 * and is NOT supported for AP interface
6557 		 */
6558 		params.support_p2p_ps =
6559 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6560 	}
6561 
6562 	if (info->attrs[NL80211_ATTR_PEER_AID])
6563 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6564 	else
6565 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6566 
6567 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6568 		params.capability =
6569 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6570 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6571 	}
6572 
6573 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6574 		params.ext_capab =
6575 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6576 		params.ext_capab_len =
6577 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6578 	}
6579 
6580 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6581 		params.ht_capa =
6582 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6583 
6584 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6585 		params.vht_capa =
6586 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6587 
6588 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6589 		params.he_capa =
6590 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6591 		params.he_capa_len =
6592 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6593 	}
6594 
6595 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
6596 		params.he_6ghz_capa =
6597 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
6598 
6599 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6600 		params.opmode_notif_used = true;
6601 		params.opmode_notif =
6602 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6603 	}
6604 
6605 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6606 		params.plink_action =
6607 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6608 
6609 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6610 		params.airtime_weight =
6611 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6612 
6613 	if (params.airtime_weight &&
6614 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6615 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6616 		return -EOPNOTSUPP;
6617 
6618 	err = nl80211_parse_sta_txpower_setting(info, &params);
6619 	if (err)
6620 		return err;
6621 
6622 	err = nl80211_parse_sta_channel_info(info, &params);
6623 	if (err)
6624 		return err;
6625 
6626 	err = nl80211_parse_sta_wme(info, &params);
6627 	if (err)
6628 		return err;
6629 
6630 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6631 		return -EINVAL;
6632 
6633 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6634 	 * as userspace might just pass through the capabilities from the IEs
6635 	 * directly, rather than enforcing this restriction and returning an
6636 	 * error in this case.
6637 	 */
6638 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6639 		params.ht_capa = NULL;
6640 		params.vht_capa = NULL;
6641 
6642 		/* HE requires WME */
6643 		if (params.he_capa_len || params.he_6ghz_capa)
6644 			return -EINVAL;
6645 	}
6646 
6647 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
6648 	if (params.he_6ghz_capa && (params.ht_capa || params.vht_capa))
6649 		return -EINVAL;
6650 
6651 	/* When you run into this, adjust the code below for the new flag */
6652 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6653 
6654 	switch (dev->ieee80211_ptr->iftype) {
6655 	case NL80211_IFTYPE_AP:
6656 	case NL80211_IFTYPE_AP_VLAN:
6657 	case NL80211_IFTYPE_P2P_GO:
6658 		/* ignore WME attributes if iface/sta is not capable */
6659 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6660 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6661 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6662 
6663 		/* TDLS peers cannot be added */
6664 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6665 		    info->attrs[NL80211_ATTR_PEER_AID])
6666 			return -EINVAL;
6667 		/* but don't bother the driver with it */
6668 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6669 
6670 		/* allow authenticated/associated only if driver handles it */
6671 		if (!(rdev->wiphy.features &
6672 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6673 		    params.sta_flags_mask & auth_assoc)
6674 			return -EINVAL;
6675 
6676 		/* Older userspace, or userspace wanting to be compatible with
6677 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6678 		 * and assoc flags in the mask, but assumes the station will be
6679 		 * added as associated anyway since this was the required driver
6680 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6681 		 * introduced.
6682 		 * In order to not bother drivers with this quirk in the API
6683 		 * set the flags in both the mask and set for new stations in
6684 		 * this case.
6685 		 */
6686 		if (!(params.sta_flags_mask & auth_assoc)) {
6687 			params.sta_flags_mask |= auth_assoc;
6688 			params.sta_flags_set |= auth_assoc;
6689 		}
6690 
6691 		/* must be last in here for error handling */
6692 		params.vlan = get_vlan(info, rdev);
6693 		if (IS_ERR(params.vlan))
6694 			return PTR_ERR(params.vlan);
6695 		break;
6696 	case NL80211_IFTYPE_MESH_POINT:
6697 		/* ignore uAPSD data */
6698 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6699 
6700 		/* associated is disallowed */
6701 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6702 			return -EINVAL;
6703 		/* TDLS peers cannot be added */
6704 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6705 		    info->attrs[NL80211_ATTR_PEER_AID])
6706 			return -EINVAL;
6707 		break;
6708 	case NL80211_IFTYPE_STATION:
6709 	case NL80211_IFTYPE_P2P_CLIENT:
6710 		/* ignore uAPSD data */
6711 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6712 
6713 		/* these are disallowed */
6714 		if (params.sta_flags_mask &
6715 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6716 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6717 			return -EINVAL;
6718 		/* Only TDLS peers can be added */
6719 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6720 			return -EINVAL;
6721 		/* Can only add if TDLS ... */
6722 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6723 			return -EOPNOTSUPP;
6724 		/* ... with external setup is supported */
6725 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6726 			return -EOPNOTSUPP;
6727 		/*
6728 		 * Older wpa_supplicant versions always mark the TDLS peer
6729 		 * as authorized, but it shouldn't yet be.
6730 		 */
6731 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6732 		break;
6733 	default:
6734 		return -EOPNOTSUPP;
6735 	}
6736 
6737 	/* be aware of params.vlan when changing code here */
6738 
6739 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6740 
6741 	if (params.vlan)
6742 		dev_put(params.vlan);
6743 	return err;
6744 }
6745 
6746 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6747 {
6748 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6749 	struct net_device *dev = info->user_ptr[1];
6750 	struct station_del_parameters params;
6751 
6752 	memset(&params, 0, sizeof(params));
6753 
6754 	if (info->attrs[NL80211_ATTR_MAC])
6755 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6756 
6757 	switch (dev->ieee80211_ptr->iftype) {
6758 	case NL80211_IFTYPE_AP:
6759 	case NL80211_IFTYPE_AP_VLAN:
6760 	case NL80211_IFTYPE_MESH_POINT:
6761 	case NL80211_IFTYPE_P2P_GO:
6762 		/* always accept these */
6763 		break;
6764 	case NL80211_IFTYPE_ADHOC:
6765 		/* conditionally accept */
6766 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6767 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6768 			break;
6769 		return -EINVAL;
6770 	default:
6771 		return -EINVAL;
6772 	}
6773 
6774 	if (!rdev->ops->del_station)
6775 		return -EOPNOTSUPP;
6776 
6777 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6778 		params.subtype =
6779 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6780 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6781 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6782 			return -EINVAL;
6783 	} else {
6784 		/* Default to Deauthentication frame */
6785 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6786 	}
6787 
6788 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6789 		params.reason_code =
6790 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6791 		if (params.reason_code == 0)
6792 			return -EINVAL; /* 0 is reserved */
6793 	} else {
6794 		/* Default to reason code 2 */
6795 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6796 	}
6797 
6798 	return rdev_del_station(rdev, dev, &params);
6799 }
6800 
6801 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6802 				int flags, struct net_device *dev,
6803 				u8 *dst, u8 *next_hop,
6804 				struct mpath_info *pinfo)
6805 {
6806 	void *hdr;
6807 	struct nlattr *pinfoattr;
6808 
6809 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6810 	if (!hdr)
6811 		return -1;
6812 
6813 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6814 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6815 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6816 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6817 		goto nla_put_failure;
6818 
6819 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6820 	if (!pinfoattr)
6821 		goto nla_put_failure;
6822 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6823 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6824 			pinfo->frame_qlen))
6825 		goto nla_put_failure;
6826 	if (((pinfo->filled & MPATH_INFO_SN) &&
6827 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6828 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6829 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6830 			 pinfo->metric)) ||
6831 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6832 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6833 			 pinfo->exptime)) ||
6834 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6835 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6836 			pinfo->flags)) ||
6837 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6838 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6839 			 pinfo->discovery_timeout)) ||
6840 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6841 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6842 			pinfo->discovery_retries)) ||
6843 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6844 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6845 			pinfo->hop_count)) ||
6846 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6847 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6848 			 pinfo->path_change_count)))
6849 		goto nla_put_failure;
6850 
6851 	nla_nest_end(msg, pinfoattr);
6852 
6853 	genlmsg_end(msg, hdr);
6854 	return 0;
6855 
6856  nla_put_failure:
6857 	genlmsg_cancel(msg, hdr);
6858 	return -EMSGSIZE;
6859 }
6860 
6861 static int nl80211_dump_mpath(struct sk_buff *skb,
6862 			      struct netlink_callback *cb)
6863 {
6864 	struct mpath_info pinfo;
6865 	struct cfg80211_registered_device *rdev;
6866 	struct wireless_dev *wdev;
6867 	u8 dst[ETH_ALEN];
6868 	u8 next_hop[ETH_ALEN];
6869 	int path_idx = cb->args[2];
6870 	int err;
6871 
6872 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6873 	if (err)
6874 		return err;
6875 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6876 	__acquire(&rdev->wiphy.mtx);
6877 
6878 	if (!rdev->ops->dump_mpath) {
6879 		err = -EOPNOTSUPP;
6880 		goto out_err;
6881 	}
6882 
6883 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6884 		err = -EOPNOTSUPP;
6885 		goto out_err;
6886 	}
6887 
6888 	while (1) {
6889 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6890 				      next_hop, &pinfo);
6891 		if (err == -ENOENT)
6892 			break;
6893 		if (err)
6894 			goto out_err;
6895 
6896 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6897 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6898 				       wdev->netdev, dst, next_hop,
6899 				       &pinfo) < 0)
6900 			goto out;
6901 
6902 		path_idx++;
6903 	}
6904 
6905  out:
6906 	cb->args[2] = path_idx;
6907 	err = skb->len;
6908  out_err:
6909 	wiphy_unlock(&rdev->wiphy);
6910 	return err;
6911 }
6912 
6913 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6914 {
6915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6916 	int err;
6917 	struct net_device *dev = info->user_ptr[1];
6918 	struct mpath_info pinfo;
6919 	struct sk_buff *msg;
6920 	u8 *dst = NULL;
6921 	u8 next_hop[ETH_ALEN];
6922 
6923 	memset(&pinfo, 0, sizeof(pinfo));
6924 
6925 	if (!info->attrs[NL80211_ATTR_MAC])
6926 		return -EINVAL;
6927 
6928 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6929 
6930 	if (!rdev->ops->get_mpath)
6931 		return -EOPNOTSUPP;
6932 
6933 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6934 		return -EOPNOTSUPP;
6935 
6936 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6937 	if (err)
6938 		return err;
6939 
6940 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6941 	if (!msg)
6942 		return -ENOMEM;
6943 
6944 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6945 				 dev, dst, next_hop, &pinfo) < 0) {
6946 		nlmsg_free(msg);
6947 		return -ENOBUFS;
6948 	}
6949 
6950 	return genlmsg_reply(msg, info);
6951 }
6952 
6953 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6954 {
6955 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6956 	struct net_device *dev = info->user_ptr[1];
6957 	u8 *dst = NULL;
6958 	u8 *next_hop = NULL;
6959 
6960 	if (!info->attrs[NL80211_ATTR_MAC])
6961 		return -EINVAL;
6962 
6963 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6964 		return -EINVAL;
6965 
6966 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6967 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6968 
6969 	if (!rdev->ops->change_mpath)
6970 		return -EOPNOTSUPP;
6971 
6972 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6973 		return -EOPNOTSUPP;
6974 
6975 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6976 }
6977 
6978 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6979 {
6980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6981 	struct net_device *dev = info->user_ptr[1];
6982 	u8 *dst = NULL;
6983 	u8 *next_hop = NULL;
6984 
6985 	if (!info->attrs[NL80211_ATTR_MAC])
6986 		return -EINVAL;
6987 
6988 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6989 		return -EINVAL;
6990 
6991 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6992 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6993 
6994 	if (!rdev->ops->add_mpath)
6995 		return -EOPNOTSUPP;
6996 
6997 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6998 		return -EOPNOTSUPP;
6999 
7000 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7001 }
7002 
7003 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7004 {
7005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7006 	struct net_device *dev = info->user_ptr[1];
7007 	u8 *dst = NULL;
7008 
7009 	if (info->attrs[NL80211_ATTR_MAC])
7010 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7011 
7012 	if (!rdev->ops->del_mpath)
7013 		return -EOPNOTSUPP;
7014 
7015 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7016 		return -EOPNOTSUPP;
7017 
7018 	return rdev_del_mpath(rdev, dev, dst);
7019 }
7020 
7021 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7022 {
7023 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7024 	int err;
7025 	struct net_device *dev = info->user_ptr[1];
7026 	struct mpath_info pinfo;
7027 	struct sk_buff *msg;
7028 	u8 *dst = NULL;
7029 	u8 mpp[ETH_ALEN];
7030 
7031 	memset(&pinfo, 0, sizeof(pinfo));
7032 
7033 	if (!info->attrs[NL80211_ATTR_MAC])
7034 		return -EINVAL;
7035 
7036 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7037 
7038 	if (!rdev->ops->get_mpp)
7039 		return -EOPNOTSUPP;
7040 
7041 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7042 		return -EOPNOTSUPP;
7043 
7044 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7045 	if (err)
7046 		return err;
7047 
7048 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7049 	if (!msg)
7050 		return -ENOMEM;
7051 
7052 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7053 			       dev, dst, mpp, &pinfo) < 0) {
7054 		nlmsg_free(msg);
7055 		return -ENOBUFS;
7056 	}
7057 
7058 	return genlmsg_reply(msg, info);
7059 }
7060 
7061 static int nl80211_dump_mpp(struct sk_buff *skb,
7062 			    struct netlink_callback *cb)
7063 {
7064 	struct mpath_info pinfo;
7065 	struct cfg80211_registered_device *rdev;
7066 	struct wireless_dev *wdev;
7067 	u8 dst[ETH_ALEN];
7068 	u8 mpp[ETH_ALEN];
7069 	int path_idx = cb->args[2];
7070 	int err;
7071 
7072 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
7073 	if (err)
7074 		return err;
7075 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7076 	__acquire(&rdev->wiphy.mtx);
7077 
7078 	if (!rdev->ops->dump_mpp) {
7079 		err = -EOPNOTSUPP;
7080 		goto out_err;
7081 	}
7082 
7083 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7084 		err = -EOPNOTSUPP;
7085 		goto out_err;
7086 	}
7087 
7088 	while (1) {
7089 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7090 				    mpp, &pinfo);
7091 		if (err == -ENOENT)
7092 			break;
7093 		if (err)
7094 			goto out_err;
7095 
7096 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7097 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7098 				       wdev->netdev, dst, mpp,
7099 				       &pinfo) < 0)
7100 			goto out;
7101 
7102 		path_idx++;
7103 	}
7104 
7105  out:
7106 	cb->args[2] = path_idx;
7107 	err = skb->len;
7108  out_err:
7109 	wiphy_unlock(&rdev->wiphy);
7110 	return err;
7111 }
7112 
7113 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7114 {
7115 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7116 	struct net_device *dev = info->user_ptr[1];
7117 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7118 	struct bss_parameters params;
7119 	int err;
7120 
7121 	memset(&params, 0, sizeof(params));
7122 	/* default to not changing parameters */
7123 	params.use_cts_prot = -1;
7124 	params.use_short_preamble = -1;
7125 	params.use_short_slot_time = -1;
7126 	params.ap_isolate = -1;
7127 	params.ht_opmode = -1;
7128 	params.p2p_ctwindow = -1;
7129 	params.p2p_opp_ps = -1;
7130 
7131 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7132 		params.use_cts_prot =
7133 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7134 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7135 		params.use_short_preamble =
7136 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7137 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7138 		params.use_short_slot_time =
7139 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7140 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7141 		params.basic_rates =
7142 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7143 		params.basic_rates_len =
7144 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
7145 	}
7146 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
7147 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
7148 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
7149 		params.ht_opmode =
7150 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
7151 
7152 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
7153 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7154 			return -EINVAL;
7155 		params.p2p_ctwindow =
7156 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
7157 		if (params.p2p_ctwindow != 0 &&
7158 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
7159 			return -EINVAL;
7160 	}
7161 
7162 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
7163 		u8 tmp;
7164 
7165 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7166 			return -EINVAL;
7167 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
7168 		params.p2p_opp_ps = tmp;
7169 		if (params.p2p_opp_ps &&
7170 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
7171 			return -EINVAL;
7172 	}
7173 
7174 	if (!rdev->ops->change_bss)
7175 		return -EOPNOTSUPP;
7176 
7177 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7178 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
7179 		return -EOPNOTSUPP;
7180 
7181 	wdev_lock(wdev);
7182 	err = rdev_change_bss(rdev, dev, &params);
7183 	wdev_unlock(wdev);
7184 
7185 	return err;
7186 }
7187 
7188 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
7189 {
7190 	char *data = NULL;
7191 	bool is_indoor;
7192 	enum nl80211_user_reg_hint_type user_reg_hint_type;
7193 	u32 owner_nlportid;
7194 
7195 	/*
7196 	 * You should only get this when cfg80211 hasn't yet initialized
7197 	 * completely when built-in to the kernel right between the time
7198 	 * window between nl80211_init() and regulatory_init(), if that is
7199 	 * even possible.
7200 	 */
7201 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
7202 		return -EINPROGRESS;
7203 
7204 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
7205 		user_reg_hint_type =
7206 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
7207 	else
7208 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
7209 
7210 	switch (user_reg_hint_type) {
7211 	case NL80211_USER_REG_HINT_USER:
7212 	case NL80211_USER_REG_HINT_CELL_BASE:
7213 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7214 			return -EINVAL;
7215 
7216 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7217 		return regulatory_hint_user(data, user_reg_hint_type);
7218 	case NL80211_USER_REG_HINT_INDOOR:
7219 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
7220 			owner_nlportid = info->snd_portid;
7221 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
7222 		} else {
7223 			owner_nlportid = 0;
7224 			is_indoor = true;
7225 		}
7226 
7227 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
7228 	default:
7229 		return -EINVAL;
7230 	}
7231 }
7232 
7233 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
7234 {
7235 	return reg_reload_regdb();
7236 }
7237 
7238 static int nl80211_get_mesh_config(struct sk_buff *skb,
7239 				   struct genl_info *info)
7240 {
7241 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7242 	struct net_device *dev = info->user_ptr[1];
7243 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7244 	struct mesh_config cur_params;
7245 	int err = 0;
7246 	void *hdr;
7247 	struct nlattr *pinfoattr;
7248 	struct sk_buff *msg;
7249 
7250 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7251 		return -EOPNOTSUPP;
7252 
7253 	if (!rdev->ops->get_mesh_config)
7254 		return -EOPNOTSUPP;
7255 
7256 	wdev_lock(wdev);
7257 	/* If not connected, get default parameters */
7258 	if (!wdev->mesh_id_len)
7259 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
7260 	else
7261 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
7262 	wdev_unlock(wdev);
7263 
7264 	if (err)
7265 		return err;
7266 
7267 	/* Draw up a netlink message to send back */
7268 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7269 	if (!msg)
7270 		return -ENOMEM;
7271 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7272 			     NL80211_CMD_GET_MESH_CONFIG);
7273 	if (!hdr)
7274 		goto out;
7275 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
7276 	if (!pinfoattr)
7277 		goto nla_put_failure;
7278 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7279 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
7280 			cur_params.dot11MeshRetryTimeout) ||
7281 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
7282 			cur_params.dot11MeshConfirmTimeout) ||
7283 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
7284 			cur_params.dot11MeshHoldingTimeout) ||
7285 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
7286 			cur_params.dot11MeshMaxPeerLinks) ||
7287 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
7288 		       cur_params.dot11MeshMaxRetries) ||
7289 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
7290 		       cur_params.dot11MeshTTL) ||
7291 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
7292 		       cur_params.element_ttl) ||
7293 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7294 		       cur_params.auto_open_plinks) ||
7295 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7296 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
7297 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7298 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
7299 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
7300 			cur_params.path_refresh_time) ||
7301 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7302 			cur_params.min_discovery_timeout) ||
7303 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7304 			cur_params.dot11MeshHWMPactivePathTimeout) ||
7305 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7306 			cur_params.dot11MeshHWMPpreqMinInterval) ||
7307 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7308 			cur_params.dot11MeshHWMPperrMinInterval) ||
7309 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7310 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
7311 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
7312 		       cur_params.dot11MeshHWMPRootMode) ||
7313 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7314 			cur_params.dot11MeshHWMPRannInterval) ||
7315 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7316 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
7317 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
7318 		       cur_params.dot11MeshForwarding) ||
7319 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
7320 			cur_params.rssi_threshold) ||
7321 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
7322 			cur_params.ht_opmode) ||
7323 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7324 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
7325 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7326 			cur_params.dot11MeshHWMProotInterval) ||
7327 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7328 			cur_params.dot11MeshHWMPconfirmationInterval) ||
7329 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
7330 			cur_params.power_mode) ||
7331 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
7332 			cur_params.dot11MeshAwakeWindowDuration) ||
7333 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
7334 			cur_params.plink_timeout) ||
7335 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
7336 		       cur_params.dot11MeshConnectedToMeshGate) ||
7337 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
7338 		       cur_params.dot11MeshNolearn) ||
7339 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
7340 		       cur_params.dot11MeshConnectedToAuthServer))
7341 		goto nla_put_failure;
7342 	nla_nest_end(msg, pinfoattr);
7343 	genlmsg_end(msg, hdr);
7344 	return genlmsg_reply(msg, info);
7345 
7346  nla_put_failure:
7347  out:
7348 	nlmsg_free(msg);
7349 	return -ENOBUFS;
7350 }
7351 
7352 static const struct nla_policy
7353 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
7354 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
7355 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7356 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
7357 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7358 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
7359 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
7360 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
7361 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
7362 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
7363 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7364 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
7365 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
7366 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
7367 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
7368 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
7369 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
7370 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
7371 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
7372 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
7373 		NLA_POLICY_MIN(NLA_U16, 1),
7374 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
7375 		NLA_POLICY_MIN(NLA_U16, 1),
7376 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
7377 		NLA_POLICY_MIN(NLA_U16, 1),
7378 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
7379 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
7380 		NLA_POLICY_MIN(NLA_U16, 1),
7381 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
7382 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
7383 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
7384 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
7385 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
7386 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
7387 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
7388 		NLA_POLICY_MIN(NLA_U16, 1),
7389 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
7390 		NLA_POLICY_MIN(NLA_U16, 1),
7391 	[NL80211_MESHCONF_POWER_MODE] =
7392 		NLA_POLICY_RANGE(NLA_U32,
7393 				 NL80211_MESH_POWER_ACTIVE,
7394 				 NL80211_MESH_POWER_MAX),
7395 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
7396 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
7397 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7398 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7399 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
7400 };
7401 
7402 static const struct nla_policy
7403 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
7404 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
7405 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
7406 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
7407 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
7408 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
7409 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
7410 	[NL80211_MESH_SETUP_IE] =
7411 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
7412 				       IEEE80211_MAX_DATA_LEN),
7413 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
7414 };
7415 
7416 static int nl80211_parse_mesh_config(struct genl_info *info,
7417 				     struct mesh_config *cfg,
7418 				     u32 *mask_out)
7419 {
7420 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
7421 	u32 mask = 0;
7422 	u16 ht_opmode;
7423 
7424 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
7425 do {									\
7426 	if (tb[attr]) {							\
7427 		cfg->param = fn(tb[attr]);				\
7428 		mask |= BIT((attr) - 1);				\
7429 	}								\
7430 } while (0)
7431 
7432 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
7433 		return -EINVAL;
7434 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
7435 		return -EINVAL;
7436 
7437 	/* This makes sure that there aren't more than 32 mesh config
7438 	 * parameters (otherwise our bitfield scheme would not work.) */
7439 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
7440 
7441 	/* Fill in the params struct */
7442 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
7443 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
7444 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
7445 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
7446 				  nla_get_u16);
7447 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
7448 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
7449 				  nla_get_u16);
7450 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
7451 				  NL80211_MESHCONF_MAX_PEER_LINKS,
7452 				  nla_get_u16);
7453 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
7454 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
7455 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
7456 				  NL80211_MESHCONF_TTL, nla_get_u8);
7457 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
7458 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
7459 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
7460 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
7461 				  nla_get_u8);
7462 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
7463 				  mask,
7464 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
7465 				  nla_get_u32);
7466 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
7467 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
7468 				  nla_get_u8);
7469 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
7470 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
7471 				  nla_get_u32);
7472 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
7473 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
7474 		return -EINVAL;
7475 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
7476 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7477 				  nla_get_u16);
7478 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7479 				  mask,
7480 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7481 				  nla_get_u32);
7482 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7483 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7484 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7485 		return -EINVAL;
7486 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7487 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7488 				  nla_get_u16);
7489 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7490 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7491 				  nla_get_u16);
7492 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7493 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7494 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7495 				  nla_get_u16);
7496 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7497 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7498 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7499 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7500 				  nla_get_u16);
7501 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7502 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7503 				  nla_get_u8);
7504 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7505 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7506 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7507 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7508 				  nla_get_s32);
7509 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7510 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7511 				  nla_get_u8);
7512 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
7513 				  NL80211_MESHCONF_CONNECTED_TO_AS,
7514 				  nla_get_u8);
7515 	/*
7516 	 * Check HT operation mode based on
7517 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7518 	 */
7519 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7520 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7521 
7522 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7523 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7524 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7525 			return -EINVAL;
7526 
7527 		/* NON_HT_STA bit is reserved, but some programs set it */
7528 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7529 
7530 		cfg->ht_opmode = ht_opmode;
7531 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7532 	}
7533 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7534 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7535 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7536 				  nla_get_u32);
7537 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7538 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7539 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7540 		return -EINVAL;
7541 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7542 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7543 				  nla_get_u16);
7544 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7545 				  mask,
7546 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7547 				  nla_get_u16);
7548 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7549 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7550 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7551 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7552 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7553 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7554 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
7555 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
7556 	if (mask_out)
7557 		*mask_out = mask;
7558 
7559 	return 0;
7560 
7561 #undef FILL_IN_MESH_PARAM_IF_SET
7562 }
7563 
7564 static int nl80211_parse_mesh_setup(struct genl_info *info,
7565 				     struct mesh_setup *setup)
7566 {
7567 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7568 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7569 
7570 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7571 		return -EINVAL;
7572 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7573 		return -EINVAL;
7574 
7575 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7576 		setup->sync_method =
7577 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7578 		 IEEE80211_SYNC_METHOD_VENDOR :
7579 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7580 
7581 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7582 		setup->path_sel_proto =
7583 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7584 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7585 		 IEEE80211_PATH_PROTOCOL_HWMP;
7586 
7587 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7588 		setup->path_metric =
7589 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7590 		 IEEE80211_PATH_METRIC_VENDOR :
7591 		 IEEE80211_PATH_METRIC_AIRTIME;
7592 
7593 	if (tb[NL80211_MESH_SETUP_IE]) {
7594 		struct nlattr *ieattr =
7595 			tb[NL80211_MESH_SETUP_IE];
7596 		setup->ie = nla_data(ieattr);
7597 		setup->ie_len = nla_len(ieattr);
7598 	}
7599 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7600 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7601 		return -EINVAL;
7602 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7603 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7604 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7605 	if (setup->is_secure)
7606 		setup->user_mpm = true;
7607 
7608 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7609 		if (!setup->user_mpm)
7610 			return -EINVAL;
7611 		setup->auth_id =
7612 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7613 	}
7614 
7615 	return 0;
7616 }
7617 
7618 static int nl80211_update_mesh_config(struct sk_buff *skb,
7619 				      struct genl_info *info)
7620 {
7621 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7622 	struct net_device *dev = info->user_ptr[1];
7623 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7624 	struct mesh_config cfg;
7625 	u32 mask;
7626 	int err;
7627 
7628 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7629 		return -EOPNOTSUPP;
7630 
7631 	if (!rdev->ops->update_mesh_config)
7632 		return -EOPNOTSUPP;
7633 
7634 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7635 	if (err)
7636 		return err;
7637 
7638 	wdev_lock(wdev);
7639 	if (!wdev->mesh_id_len)
7640 		err = -ENOLINK;
7641 
7642 	if (!err)
7643 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7644 
7645 	wdev_unlock(wdev);
7646 
7647 	return err;
7648 }
7649 
7650 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7651 			      struct sk_buff *msg)
7652 {
7653 	struct nlattr *nl_reg_rules;
7654 	unsigned int i;
7655 
7656 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7657 	    (regdom->dfs_region &&
7658 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7659 		goto nla_put_failure;
7660 
7661 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7662 	if (!nl_reg_rules)
7663 		goto nla_put_failure;
7664 
7665 	for (i = 0; i < regdom->n_reg_rules; i++) {
7666 		struct nlattr *nl_reg_rule;
7667 		const struct ieee80211_reg_rule *reg_rule;
7668 		const struct ieee80211_freq_range *freq_range;
7669 		const struct ieee80211_power_rule *power_rule;
7670 		unsigned int max_bandwidth_khz;
7671 
7672 		reg_rule = &regdom->reg_rules[i];
7673 		freq_range = &reg_rule->freq_range;
7674 		power_rule = &reg_rule->power_rule;
7675 
7676 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7677 		if (!nl_reg_rule)
7678 			goto nla_put_failure;
7679 
7680 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7681 		if (!max_bandwidth_khz)
7682 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7683 								  reg_rule);
7684 
7685 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7686 				reg_rule->flags) ||
7687 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7688 				freq_range->start_freq_khz) ||
7689 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7690 				freq_range->end_freq_khz) ||
7691 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7692 				max_bandwidth_khz) ||
7693 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7694 				power_rule->max_antenna_gain) ||
7695 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7696 				power_rule->max_eirp) ||
7697 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7698 				reg_rule->dfs_cac_ms))
7699 			goto nla_put_failure;
7700 
7701 		nla_nest_end(msg, nl_reg_rule);
7702 	}
7703 
7704 	nla_nest_end(msg, nl_reg_rules);
7705 	return 0;
7706 
7707 nla_put_failure:
7708 	return -EMSGSIZE;
7709 }
7710 
7711 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7712 {
7713 	const struct ieee80211_regdomain *regdom = NULL;
7714 	struct cfg80211_registered_device *rdev;
7715 	struct wiphy *wiphy = NULL;
7716 	struct sk_buff *msg;
7717 	void *hdr;
7718 
7719 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7720 	if (!msg)
7721 		return -ENOBUFS;
7722 
7723 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7724 			     NL80211_CMD_GET_REG);
7725 	if (!hdr)
7726 		goto put_failure;
7727 
7728 	rtnl_lock();
7729 
7730 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7731 		bool self_managed;
7732 
7733 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7734 		if (IS_ERR(rdev)) {
7735 			nlmsg_free(msg);
7736 			rtnl_unlock();
7737 			return PTR_ERR(rdev);
7738 		}
7739 
7740 		wiphy = &rdev->wiphy;
7741 		self_managed = wiphy->regulatory_flags &
7742 			       REGULATORY_WIPHY_SELF_MANAGED;
7743 		regdom = get_wiphy_regdom(wiphy);
7744 
7745 		/* a self-managed-reg device must have a private regdom */
7746 		if (WARN_ON(!regdom && self_managed)) {
7747 			nlmsg_free(msg);
7748 			rtnl_unlock();
7749 			return -EINVAL;
7750 		}
7751 
7752 		if (regdom &&
7753 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7754 			goto nla_put_failure;
7755 	}
7756 
7757 	if (!wiphy && reg_last_request_cell_base() &&
7758 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7759 			NL80211_USER_REG_HINT_CELL_BASE))
7760 		goto nla_put_failure;
7761 
7762 	rcu_read_lock();
7763 
7764 	if (!regdom)
7765 		regdom = rcu_dereference(cfg80211_regdomain);
7766 
7767 	if (nl80211_put_regdom(regdom, msg))
7768 		goto nla_put_failure_rcu;
7769 
7770 	rcu_read_unlock();
7771 
7772 	genlmsg_end(msg, hdr);
7773 	rtnl_unlock();
7774 	return genlmsg_reply(msg, info);
7775 
7776 nla_put_failure_rcu:
7777 	rcu_read_unlock();
7778 nla_put_failure:
7779 	rtnl_unlock();
7780 put_failure:
7781 	nlmsg_free(msg);
7782 	return -EMSGSIZE;
7783 }
7784 
7785 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7786 			       u32 seq, int flags, struct wiphy *wiphy,
7787 			       const struct ieee80211_regdomain *regdom)
7788 {
7789 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7790 				   NL80211_CMD_GET_REG);
7791 
7792 	if (!hdr)
7793 		return -1;
7794 
7795 	genl_dump_check_consistent(cb, hdr);
7796 
7797 	if (nl80211_put_regdom(regdom, msg))
7798 		goto nla_put_failure;
7799 
7800 	if (!wiphy && reg_last_request_cell_base() &&
7801 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7802 			NL80211_USER_REG_HINT_CELL_BASE))
7803 		goto nla_put_failure;
7804 
7805 	if (wiphy &&
7806 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7807 		goto nla_put_failure;
7808 
7809 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7810 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7811 		goto nla_put_failure;
7812 
7813 	genlmsg_end(msg, hdr);
7814 	return 0;
7815 
7816 nla_put_failure:
7817 	genlmsg_cancel(msg, hdr);
7818 	return -EMSGSIZE;
7819 }
7820 
7821 static int nl80211_get_reg_dump(struct sk_buff *skb,
7822 				struct netlink_callback *cb)
7823 {
7824 	const struct ieee80211_regdomain *regdom = NULL;
7825 	struct cfg80211_registered_device *rdev;
7826 	int err, reg_idx, start = cb->args[2];
7827 
7828 	rtnl_lock();
7829 
7830 	if (cfg80211_regdomain && start == 0) {
7831 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7832 					  NLM_F_MULTI, NULL,
7833 					  rtnl_dereference(cfg80211_regdomain));
7834 		if (err < 0)
7835 			goto out_err;
7836 	}
7837 
7838 	/* the global regdom is idx 0 */
7839 	reg_idx = 1;
7840 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7841 		regdom = get_wiphy_regdom(&rdev->wiphy);
7842 		if (!regdom)
7843 			continue;
7844 
7845 		if (++reg_idx <= start)
7846 			continue;
7847 
7848 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7849 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7850 		if (err < 0) {
7851 			reg_idx--;
7852 			break;
7853 		}
7854 	}
7855 
7856 	cb->args[2] = reg_idx;
7857 	err = skb->len;
7858 out_err:
7859 	rtnl_unlock();
7860 	return err;
7861 }
7862 
7863 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7864 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7865 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7866 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7867 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7868 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7869 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7870 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7871 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7872 };
7873 
7874 static int parse_reg_rule(struct nlattr *tb[],
7875 	struct ieee80211_reg_rule *reg_rule)
7876 {
7877 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7878 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7879 
7880 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7881 		return -EINVAL;
7882 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7883 		return -EINVAL;
7884 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7885 		return -EINVAL;
7886 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7887 		return -EINVAL;
7888 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7889 		return -EINVAL;
7890 
7891 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7892 
7893 	freq_range->start_freq_khz =
7894 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7895 	freq_range->end_freq_khz =
7896 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7897 	freq_range->max_bandwidth_khz =
7898 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7899 
7900 	power_rule->max_eirp =
7901 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7902 
7903 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7904 		power_rule->max_antenna_gain =
7905 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7906 
7907 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7908 		reg_rule->dfs_cac_ms =
7909 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7910 
7911 	return 0;
7912 }
7913 
7914 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7915 {
7916 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7917 	struct nlattr *nl_reg_rule;
7918 	char *alpha2;
7919 	int rem_reg_rules, r;
7920 	u32 num_rules = 0, rule_idx = 0;
7921 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7922 	struct ieee80211_regdomain *rd;
7923 
7924 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7925 		return -EINVAL;
7926 
7927 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7928 		return -EINVAL;
7929 
7930 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7931 
7932 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7933 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7934 
7935 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7936 			    rem_reg_rules) {
7937 		num_rules++;
7938 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7939 			return -EINVAL;
7940 	}
7941 
7942 	rtnl_lock();
7943 	if (!reg_is_valid_request(alpha2)) {
7944 		r = -EINVAL;
7945 		goto out;
7946 	}
7947 
7948 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7949 	if (!rd) {
7950 		r = -ENOMEM;
7951 		goto out;
7952 	}
7953 
7954 	rd->n_reg_rules = num_rules;
7955 	rd->alpha2[0] = alpha2[0];
7956 	rd->alpha2[1] = alpha2[1];
7957 
7958 	/*
7959 	 * Disable DFS master mode if the DFS region was
7960 	 * not supported or known on this kernel.
7961 	 */
7962 	if (reg_supported_dfs_region(dfs_region))
7963 		rd->dfs_region = dfs_region;
7964 
7965 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7966 			    rem_reg_rules) {
7967 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7968 						nl_reg_rule, reg_rule_policy,
7969 						info->extack);
7970 		if (r)
7971 			goto bad_reg;
7972 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7973 		if (r)
7974 			goto bad_reg;
7975 
7976 		rule_idx++;
7977 
7978 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7979 			r = -EINVAL;
7980 			goto bad_reg;
7981 		}
7982 	}
7983 
7984 	r = set_regdom(rd, REGD_SOURCE_CRDA);
7985 	/* set_regdom takes ownership of rd */
7986 	rd = NULL;
7987  bad_reg:
7988 	kfree(rd);
7989  out:
7990 	rtnl_unlock();
7991 	return r;
7992 }
7993 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7994 
7995 static int validate_scan_freqs(struct nlattr *freqs)
7996 {
7997 	struct nlattr *attr1, *attr2;
7998 	int n_channels = 0, tmp1, tmp2;
7999 
8000 	nla_for_each_nested(attr1, freqs, tmp1)
8001 		if (nla_len(attr1) != sizeof(u32))
8002 			return 0;
8003 
8004 	nla_for_each_nested(attr1, freqs, tmp1) {
8005 		n_channels++;
8006 		/*
8007 		 * Some hardware has a limited channel list for
8008 		 * scanning, and it is pretty much nonsensical
8009 		 * to scan for a channel twice, so disallow that
8010 		 * and don't require drivers to check that the
8011 		 * channel list they get isn't longer than what
8012 		 * they can scan, as long as they can scan all
8013 		 * the channels they registered at once.
8014 		 */
8015 		nla_for_each_nested(attr2, freqs, tmp2)
8016 			if (attr1 != attr2 &&
8017 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8018 				return 0;
8019 	}
8020 
8021 	return n_channels;
8022 }
8023 
8024 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8025 {
8026 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8027 }
8028 
8029 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8030 			    struct cfg80211_bss_selection *bss_select)
8031 {
8032 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8033 	struct nlattr *nest;
8034 	int err;
8035 	bool found = false;
8036 	int i;
8037 
8038 	/* only process one nested attribute */
8039 	nest = nla_data(nla);
8040 	if (!nla_ok(nest, nla_len(nest)))
8041 		return -EINVAL;
8042 
8043 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8044 					  nest, nl80211_bss_select_policy,
8045 					  NULL);
8046 	if (err)
8047 		return err;
8048 
8049 	/* only one attribute may be given */
8050 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8051 		if (attr[i]) {
8052 			if (found)
8053 				return -EINVAL;
8054 			found = true;
8055 		}
8056 	}
8057 
8058 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8059 
8060 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8061 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8062 
8063 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8064 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8065 		bss_select->param.band_pref =
8066 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8067 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8068 			return -EINVAL;
8069 	}
8070 
8071 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8072 		struct nl80211_bss_select_rssi_adjust *adj_param;
8073 
8074 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8075 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8076 		bss_select->param.adjust.band = adj_param->band;
8077 		bss_select->param.adjust.delta = adj_param->delta;
8078 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8079 			return -EINVAL;
8080 	}
8081 
8082 	/* user-space did not provide behaviour attribute */
8083 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8084 		return -EINVAL;
8085 
8086 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8087 		return -EINVAL;
8088 
8089 	return 0;
8090 }
8091 
8092 int nl80211_parse_random_mac(struct nlattr **attrs,
8093 			     u8 *mac_addr, u8 *mac_addr_mask)
8094 {
8095 	int i;
8096 
8097 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8098 		eth_zero_addr(mac_addr);
8099 		eth_zero_addr(mac_addr_mask);
8100 		mac_addr[0] = 0x2;
8101 		mac_addr_mask[0] = 0x3;
8102 
8103 		return 0;
8104 	}
8105 
8106 	/* need both or none */
8107 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8108 		return -EINVAL;
8109 
8110 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8111 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8112 
8113 	/* don't allow or configure an mcast address */
8114 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8115 	    is_multicast_ether_addr(mac_addr))
8116 		return -EINVAL;
8117 
8118 	/*
8119 	 * allow users to pass a MAC address that has bits set outside
8120 	 * of the mask, but don't bother drivers with having to deal
8121 	 * with such bits
8122 	 */
8123 	for (i = 0; i < ETH_ALEN; i++)
8124 		mac_addr[i] &= mac_addr_mask[i];
8125 
8126 	return 0;
8127 }
8128 
8129 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
8130 {
8131 	ASSERT_WDEV_LOCK(wdev);
8132 
8133 	if (!cfg80211_beaconing_iface_active(wdev))
8134 		return true;
8135 
8136 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
8137 		return true;
8138 
8139 	return regulatory_pre_cac_allowed(wdev->wiphy);
8140 }
8141 
8142 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
8143 				    enum nl80211_ext_feature_index feat)
8144 {
8145 	if (!(flags & flag))
8146 		return true;
8147 	if (wiphy_ext_feature_isset(wiphy, feat))
8148 		return true;
8149 	return false;
8150 }
8151 
8152 static int
8153 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
8154 			 void *request, struct nlattr **attrs,
8155 			 bool is_sched_scan)
8156 {
8157 	u8 *mac_addr, *mac_addr_mask;
8158 	u32 *flags;
8159 	enum nl80211_feature_flags randomness_flag;
8160 
8161 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
8162 		return 0;
8163 
8164 	if (is_sched_scan) {
8165 		struct cfg80211_sched_scan_request *req = request;
8166 
8167 		randomness_flag = wdev ?
8168 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
8169 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
8170 		flags = &req->flags;
8171 		mac_addr = req->mac_addr;
8172 		mac_addr_mask = req->mac_addr_mask;
8173 	} else {
8174 		struct cfg80211_scan_request *req = request;
8175 
8176 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
8177 		flags = &req->flags;
8178 		mac_addr = req->mac_addr;
8179 		mac_addr_mask = req->mac_addr_mask;
8180 	}
8181 
8182 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
8183 
8184 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
8185 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
8186 	    !nl80211_check_scan_feat(wiphy, *flags,
8187 				     NL80211_SCAN_FLAG_LOW_SPAN,
8188 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
8189 	    !nl80211_check_scan_feat(wiphy, *flags,
8190 				     NL80211_SCAN_FLAG_LOW_POWER,
8191 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
8192 	    !nl80211_check_scan_feat(wiphy, *flags,
8193 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
8194 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
8195 	    !nl80211_check_scan_feat(wiphy, *flags,
8196 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
8197 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
8198 	    !nl80211_check_scan_feat(wiphy, *flags,
8199 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
8200 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
8201 	    !nl80211_check_scan_feat(wiphy, *flags,
8202 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
8203 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
8204 	    !nl80211_check_scan_feat(wiphy, *flags,
8205 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
8206 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
8207 	    !nl80211_check_scan_feat(wiphy, *flags,
8208 				     NL80211_SCAN_FLAG_RANDOM_SN,
8209 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
8210 	    !nl80211_check_scan_feat(wiphy, *flags,
8211 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
8212 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
8213 		return -EOPNOTSUPP;
8214 
8215 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
8216 		int err;
8217 
8218 		if (!(wiphy->features & randomness_flag) ||
8219 		    (wdev && wdev->current_bss))
8220 			return -EOPNOTSUPP;
8221 
8222 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
8223 		if (err)
8224 			return err;
8225 	}
8226 
8227 	return 0;
8228 }
8229 
8230 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
8231 {
8232 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8233 	struct wireless_dev *wdev = info->user_ptr[1];
8234 	struct cfg80211_scan_request *request;
8235 	struct nlattr *scan_freqs = NULL;
8236 	bool scan_freqs_khz = false;
8237 	struct nlattr *attr;
8238 	struct wiphy *wiphy;
8239 	int err, tmp, n_ssids = 0, n_channels, i;
8240 	size_t ie_len;
8241 
8242 	wiphy = &rdev->wiphy;
8243 
8244 	if (wdev->iftype == NL80211_IFTYPE_NAN)
8245 		return -EOPNOTSUPP;
8246 
8247 	if (!rdev->ops->scan)
8248 		return -EOPNOTSUPP;
8249 
8250 	if (rdev->scan_req || rdev->scan_msg)
8251 		return -EBUSY;
8252 
8253 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
8254 		if (!wiphy_ext_feature_isset(wiphy,
8255 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
8256 			return -EOPNOTSUPP;
8257 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
8258 		scan_freqs_khz = true;
8259 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
8260 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
8261 
8262 	if (scan_freqs) {
8263 		n_channels = validate_scan_freqs(scan_freqs);
8264 		if (!n_channels)
8265 			return -EINVAL;
8266 	} else {
8267 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8268 	}
8269 
8270 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
8271 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
8272 			n_ssids++;
8273 
8274 	if (n_ssids > wiphy->max_scan_ssids)
8275 		return -EINVAL;
8276 
8277 	if (info->attrs[NL80211_ATTR_IE])
8278 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8279 	else
8280 		ie_len = 0;
8281 
8282 	if (ie_len > wiphy->max_scan_ie_len)
8283 		return -EINVAL;
8284 
8285 	request = kzalloc(sizeof(*request)
8286 			+ sizeof(*request->ssids) * n_ssids
8287 			+ sizeof(*request->channels) * n_channels
8288 			+ ie_len, GFP_KERNEL);
8289 	if (!request)
8290 		return -ENOMEM;
8291 
8292 	if (n_ssids)
8293 		request->ssids = (void *)&request->channels[n_channels];
8294 	request->n_ssids = n_ssids;
8295 	if (ie_len) {
8296 		if (n_ssids)
8297 			request->ie = (void *)(request->ssids + n_ssids);
8298 		else
8299 			request->ie = (void *)(request->channels + n_channels);
8300 	}
8301 
8302 	i = 0;
8303 	if (scan_freqs) {
8304 		/* user specified, bail out if channel not found */
8305 		nla_for_each_nested(attr, scan_freqs, tmp) {
8306 			struct ieee80211_channel *chan;
8307 			int freq = nla_get_u32(attr);
8308 
8309 			if (!scan_freqs_khz)
8310 				freq = MHZ_TO_KHZ(freq);
8311 
8312 			chan = ieee80211_get_channel_khz(wiphy, freq);
8313 			if (!chan) {
8314 				err = -EINVAL;
8315 				goto out_free;
8316 			}
8317 
8318 			/* ignore disabled channels */
8319 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8320 				continue;
8321 
8322 			request->channels[i] = chan;
8323 			i++;
8324 		}
8325 	} else {
8326 		enum nl80211_band band;
8327 
8328 		/* all channels */
8329 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8330 			int j;
8331 
8332 			if (!wiphy->bands[band])
8333 				continue;
8334 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8335 				struct ieee80211_channel *chan;
8336 
8337 				chan = &wiphy->bands[band]->channels[j];
8338 
8339 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8340 					continue;
8341 
8342 				request->channels[i] = chan;
8343 				i++;
8344 			}
8345 		}
8346 	}
8347 
8348 	if (!i) {
8349 		err = -EINVAL;
8350 		goto out_free;
8351 	}
8352 
8353 	request->n_channels = i;
8354 
8355 	wdev_lock(wdev);
8356 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
8357 		struct ieee80211_channel *chan;
8358 
8359 		if (request->n_channels != 1) {
8360 			wdev_unlock(wdev);
8361 			err = -EBUSY;
8362 			goto out_free;
8363 		}
8364 
8365 		chan = request->channels[0];
8366 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
8367 			wdev_unlock(wdev);
8368 			err = -EBUSY;
8369 			goto out_free;
8370 		}
8371 	}
8372 	wdev_unlock(wdev);
8373 
8374 	i = 0;
8375 	if (n_ssids) {
8376 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
8377 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8378 				err = -EINVAL;
8379 				goto out_free;
8380 			}
8381 			request->ssids[i].ssid_len = nla_len(attr);
8382 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
8383 			i++;
8384 		}
8385 	}
8386 
8387 	if (info->attrs[NL80211_ATTR_IE]) {
8388 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
8389 		memcpy((void *)request->ie,
8390 		       nla_data(info->attrs[NL80211_ATTR_IE]),
8391 		       request->ie_len);
8392 	}
8393 
8394 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8395 		if (wiphy->bands[i])
8396 			request->rates[i] =
8397 				(1 << wiphy->bands[i]->n_bitrates) - 1;
8398 
8399 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
8400 		nla_for_each_nested(attr,
8401 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
8402 				    tmp) {
8403 			enum nl80211_band band = nla_type(attr);
8404 
8405 			if (band < 0 || band >= NUM_NL80211_BANDS) {
8406 				err = -EINVAL;
8407 				goto out_free;
8408 			}
8409 
8410 			if (!wiphy->bands[band])
8411 				continue;
8412 
8413 			err = ieee80211_get_ratemask(wiphy->bands[band],
8414 						     nla_data(attr),
8415 						     nla_len(attr),
8416 						     &request->rates[band]);
8417 			if (err)
8418 				goto out_free;
8419 		}
8420 	}
8421 
8422 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
8423 		request->duration =
8424 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
8425 		request->duration_mandatory =
8426 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
8427 	}
8428 
8429 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
8430 				       false);
8431 	if (err)
8432 		goto out_free;
8433 
8434 	request->no_cck =
8435 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
8436 
8437 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
8438 	 * BSSID to scan for. This was problematic because that same attribute
8439 	 * was already used for another purpose (local random MAC address). The
8440 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
8441 	 * compatibility with older userspace components, also use the
8442 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
8443 	 * the specific BSSID use case instead of the random MAC address
8444 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
8445 	 */
8446 	if (info->attrs[NL80211_ATTR_BSSID])
8447 		memcpy(request->bssid,
8448 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
8449 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
8450 		 info->attrs[NL80211_ATTR_MAC])
8451 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
8452 		       ETH_ALEN);
8453 	else
8454 		eth_broadcast_addr(request->bssid);
8455 
8456 	request->wdev = wdev;
8457 	request->wiphy = &rdev->wiphy;
8458 	request->scan_start = jiffies;
8459 
8460 	rdev->scan_req = request;
8461 	err = cfg80211_scan(rdev);
8462 
8463 	if (err)
8464 		goto out_free;
8465 
8466 	nl80211_send_scan_start(rdev, wdev);
8467 	if (wdev->netdev)
8468 		dev_hold(wdev->netdev);
8469 
8470 	return 0;
8471 
8472  out_free:
8473 	rdev->scan_req = NULL;
8474 	kfree(request);
8475 
8476 	return err;
8477 }
8478 
8479 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
8480 {
8481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8482 	struct wireless_dev *wdev = info->user_ptr[1];
8483 
8484 	if (!rdev->ops->abort_scan)
8485 		return -EOPNOTSUPP;
8486 
8487 	if (rdev->scan_msg)
8488 		return 0;
8489 
8490 	if (!rdev->scan_req)
8491 		return -ENOENT;
8492 
8493 	rdev_abort_scan(rdev, wdev);
8494 	return 0;
8495 }
8496 
8497 static int
8498 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8499 			       struct cfg80211_sched_scan_request *request,
8500 			       struct nlattr **attrs)
8501 {
8502 	int tmp, err, i = 0;
8503 	struct nlattr *attr;
8504 
8505 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8506 		u32 interval;
8507 
8508 		/*
8509 		 * If scan plans are not specified,
8510 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8511 		 * case one scan plan will be set with the specified scan
8512 		 * interval and infinite number of iterations.
8513 		 */
8514 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8515 		if (!interval)
8516 			return -EINVAL;
8517 
8518 		request->scan_plans[0].interval =
8519 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8520 		if (!request->scan_plans[0].interval)
8521 			return -EINVAL;
8522 
8523 		if (request->scan_plans[0].interval >
8524 		    wiphy->max_sched_scan_plan_interval)
8525 			request->scan_plans[0].interval =
8526 				wiphy->max_sched_scan_plan_interval;
8527 
8528 		return 0;
8529 	}
8530 
8531 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8532 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8533 
8534 		if (WARN_ON(i >= n_plans))
8535 			return -EINVAL;
8536 
8537 		err = nla_parse_nested_deprecated(plan,
8538 						  NL80211_SCHED_SCAN_PLAN_MAX,
8539 						  attr, nl80211_plan_policy,
8540 						  NULL);
8541 		if (err)
8542 			return err;
8543 
8544 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8545 			return -EINVAL;
8546 
8547 		request->scan_plans[i].interval =
8548 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8549 		if (!request->scan_plans[i].interval ||
8550 		    request->scan_plans[i].interval >
8551 		    wiphy->max_sched_scan_plan_interval)
8552 			return -EINVAL;
8553 
8554 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8555 			request->scan_plans[i].iterations =
8556 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8557 			if (!request->scan_plans[i].iterations ||
8558 			    (request->scan_plans[i].iterations >
8559 			     wiphy->max_sched_scan_plan_iterations))
8560 				return -EINVAL;
8561 		} else if (i < n_plans - 1) {
8562 			/*
8563 			 * All scan plans but the last one must specify
8564 			 * a finite number of iterations
8565 			 */
8566 			return -EINVAL;
8567 		}
8568 
8569 		i++;
8570 	}
8571 
8572 	/*
8573 	 * The last scan plan must not specify the number of
8574 	 * iterations, it is supposed to run infinitely
8575 	 */
8576 	if (request->scan_plans[n_plans - 1].iterations)
8577 		return  -EINVAL;
8578 
8579 	return 0;
8580 }
8581 
8582 static int
8583 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8584 				       struct cfg80211_match_set *match_sets,
8585 				       struct nlattr *tb_band_rssi,
8586 				       s32 rssi_thold)
8587 {
8588 	struct nlattr *attr;
8589 	int i, tmp, ret = 0;
8590 
8591 	if (!wiphy_ext_feature_isset(wiphy,
8592 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8593 		if (tb_band_rssi)
8594 			ret = -EOPNOTSUPP;
8595 		else
8596 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8597 				match_sets->per_band_rssi_thold[i] =
8598 					NL80211_SCAN_RSSI_THOLD_OFF;
8599 		return ret;
8600 	}
8601 
8602 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8603 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8604 
8605 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8606 		enum nl80211_band band = nla_type(attr);
8607 
8608 		if (band < 0 || band >= NUM_NL80211_BANDS)
8609 			return -EINVAL;
8610 
8611 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8612 	}
8613 
8614 	return 0;
8615 }
8616 
8617 static struct cfg80211_sched_scan_request *
8618 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8619 			 struct nlattr **attrs, int max_match_sets)
8620 {
8621 	struct cfg80211_sched_scan_request *request;
8622 	struct nlattr *attr;
8623 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8624 	enum nl80211_band band;
8625 	size_t ie_len;
8626 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8627 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8628 
8629 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8630 		n_channels = validate_scan_freqs(
8631 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8632 		if (!n_channels)
8633 			return ERR_PTR(-EINVAL);
8634 	} else {
8635 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8636 	}
8637 
8638 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8639 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8640 				    tmp)
8641 			n_ssids++;
8642 
8643 	if (n_ssids > wiphy->max_sched_scan_ssids)
8644 		return ERR_PTR(-EINVAL);
8645 
8646 	/*
8647 	 * First, count the number of 'real' matchsets. Due to an issue with
8648 	 * the old implementation, matchsets containing only the RSSI attribute
8649 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8650 	 * RSSI for all matchsets, rather than their own matchset for reporting
8651 	 * all APs with a strong RSSI. This is needed to be compatible with
8652 	 * older userspace that treated a matchset with only the RSSI as the
8653 	 * global RSSI for all other matchsets - if there are other matchsets.
8654 	 */
8655 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8656 		nla_for_each_nested(attr,
8657 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8658 				    tmp) {
8659 			struct nlattr *rssi;
8660 
8661 			err = nla_parse_nested_deprecated(tb,
8662 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8663 							  attr,
8664 							  nl80211_match_policy,
8665 							  NULL);
8666 			if (err)
8667 				return ERR_PTR(err);
8668 
8669 			/* SSID and BSSID are mutually exclusive */
8670 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8671 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8672 				return ERR_PTR(-EINVAL);
8673 
8674 			/* add other standalone attributes here */
8675 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8676 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8677 				n_match_sets++;
8678 				continue;
8679 			}
8680 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8681 			if (rssi)
8682 				default_match_rssi = nla_get_s32(rssi);
8683 		}
8684 	}
8685 
8686 	/* However, if there's no other matchset, add the RSSI one */
8687 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8688 		n_match_sets = 1;
8689 
8690 	if (n_match_sets > max_match_sets)
8691 		return ERR_PTR(-EINVAL);
8692 
8693 	if (attrs[NL80211_ATTR_IE])
8694 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8695 	else
8696 		ie_len = 0;
8697 
8698 	if (ie_len > wiphy->max_sched_scan_ie_len)
8699 		return ERR_PTR(-EINVAL);
8700 
8701 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8702 		/*
8703 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8704 		 * each scan plan already specifies its own interval
8705 		 */
8706 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8707 			return ERR_PTR(-EINVAL);
8708 
8709 		nla_for_each_nested(attr,
8710 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8711 			n_plans++;
8712 	} else {
8713 		/*
8714 		 * The scan interval attribute is kept for backward
8715 		 * compatibility. If no scan plans are specified and sched scan
8716 		 * interval is specified, one scan plan will be set with this
8717 		 * scan interval and infinite number of iterations.
8718 		 */
8719 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8720 			return ERR_PTR(-EINVAL);
8721 
8722 		n_plans = 1;
8723 	}
8724 
8725 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8726 		return ERR_PTR(-EINVAL);
8727 
8728 	if (!wiphy_ext_feature_isset(
8729 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8730 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8731 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8732 		return ERR_PTR(-EINVAL);
8733 
8734 	request = kzalloc(sizeof(*request)
8735 			+ sizeof(*request->ssids) * n_ssids
8736 			+ sizeof(*request->match_sets) * n_match_sets
8737 			+ sizeof(*request->scan_plans) * n_plans
8738 			+ sizeof(*request->channels) * n_channels
8739 			+ ie_len, GFP_KERNEL);
8740 	if (!request)
8741 		return ERR_PTR(-ENOMEM);
8742 
8743 	if (n_ssids)
8744 		request->ssids = (void *)&request->channels[n_channels];
8745 	request->n_ssids = n_ssids;
8746 	if (ie_len) {
8747 		if (n_ssids)
8748 			request->ie = (void *)(request->ssids + n_ssids);
8749 		else
8750 			request->ie = (void *)(request->channels + n_channels);
8751 	}
8752 
8753 	if (n_match_sets) {
8754 		if (request->ie)
8755 			request->match_sets = (void *)(request->ie + ie_len);
8756 		else if (n_ssids)
8757 			request->match_sets =
8758 				(void *)(request->ssids + n_ssids);
8759 		else
8760 			request->match_sets =
8761 				(void *)(request->channels + n_channels);
8762 	}
8763 	request->n_match_sets = n_match_sets;
8764 
8765 	if (n_match_sets)
8766 		request->scan_plans = (void *)(request->match_sets +
8767 					       n_match_sets);
8768 	else if (request->ie)
8769 		request->scan_plans = (void *)(request->ie + ie_len);
8770 	else if (n_ssids)
8771 		request->scan_plans = (void *)(request->ssids + n_ssids);
8772 	else
8773 		request->scan_plans = (void *)(request->channels + n_channels);
8774 
8775 	request->n_scan_plans = n_plans;
8776 
8777 	i = 0;
8778 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8779 		/* user specified, bail out if channel not found */
8780 		nla_for_each_nested(attr,
8781 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8782 				    tmp) {
8783 			struct ieee80211_channel *chan;
8784 
8785 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8786 
8787 			if (!chan) {
8788 				err = -EINVAL;
8789 				goto out_free;
8790 			}
8791 
8792 			/* ignore disabled channels */
8793 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8794 				continue;
8795 
8796 			request->channels[i] = chan;
8797 			i++;
8798 		}
8799 	} else {
8800 		/* all channels */
8801 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8802 			int j;
8803 
8804 			if (!wiphy->bands[band])
8805 				continue;
8806 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8807 				struct ieee80211_channel *chan;
8808 
8809 				chan = &wiphy->bands[band]->channels[j];
8810 
8811 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8812 					continue;
8813 
8814 				request->channels[i] = chan;
8815 				i++;
8816 			}
8817 		}
8818 	}
8819 
8820 	if (!i) {
8821 		err = -EINVAL;
8822 		goto out_free;
8823 	}
8824 
8825 	request->n_channels = i;
8826 
8827 	i = 0;
8828 	if (n_ssids) {
8829 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8830 				    tmp) {
8831 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8832 				err = -EINVAL;
8833 				goto out_free;
8834 			}
8835 			request->ssids[i].ssid_len = nla_len(attr);
8836 			memcpy(request->ssids[i].ssid, nla_data(attr),
8837 			       nla_len(attr));
8838 			i++;
8839 		}
8840 	}
8841 
8842 	i = 0;
8843 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8844 		nla_for_each_nested(attr,
8845 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8846 				    tmp) {
8847 			struct nlattr *ssid, *bssid, *rssi;
8848 
8849 			err = nla_parse_nested_deprecated(tb,
8850 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8851 							  attr,
8852 							  nl80211_match_policy,
8853 							  NULL);
8854 			if (err)
8855 				goto out_free;
8856 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8857 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8858 
8859 			if (!ssid && !bssid) {
8860 				i++;
8861 				continue;
8862 			}
8863 
8864 			if (WARN_ON(i >= n_match_sets)) {
8865 				/* this indicates a programming error,
8866 				 * the loop above should have verified
8867 				 * things properly
8868 				 */
8869 				err = -EINVAL;
8870 				goto out_free;
8871 			}
8872 
8873 			if (ssid) {
8874 				memcpy(request->match_sets[i].ssid.ssid,
8875 				       nla_data(ssid), nla_len(ssid));
8876 				request->match_sets[i].ssid.ssid_len =
8877 					nla_len(ssid);
8878 			}
8879 			if (bssid)
8880 				memcpy(request->match_sets[i].bssid,
8881 				       nla_data(bssid), ETH_ALEN);
8882 
8883 			/* special attribute - old implementation w/a */
8884 			request->match_sets[i].rssi_thold = default_match_rssi;
8885 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8886 			if (rssi)
8887 				request->match_sets[i].rssi_thold =
8888 					nla_get_s32(rssi);
8889 
8890 			/* Parse per band RSSI attribute */
8891 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8892 				&request->match_sets[i],
8893 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8894 				request->match_sets[i].rssi_thold);
8895 			if (err)
8896 				goto out_free;
8897 
8898 			i++;
8899 		}
8900 
8901 		/* there was no other matchset, so the RSSI one is alone */
8902 		if (i == 0 && n_match_sets)
8903 			request->match_sets[0].rssi_thold = default_match_rssi;
8904 
8905 		request->min_rssi_thold = INT_MAX;
8906 		for (i = 0; i < n_match_sets; i++)
8907 			request->min_rssi_thold =
8908 				min(request->match_sets[i].rssi_thold,
8909 				    request->min_rssi_thold);
8910 	} else {
8911 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8912 	}
8913 
8914 	if (ie_len) {
8915 		request->ie_len = ie_len;
8916 		memcpy((void *)request->ie,
8917 		       nla_data(attrs[NL80211_ATTR_IE]),
8918 		       request->ie_len);
8919 	}
8920 
8921 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8922 	if (err)
8923 		goto out_free;
8924 
8925 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8926 		request->delay =
8927 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8928 
8929 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8930 		request->relative_rssi = nla_get_s8(
8931 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8932 		request->relative_rssi_set = true;
8933 	}
8934 
8935 	if (request->relative_rssi_set &&
8936 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8937 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8938 
8939 		rssi_adjust = nla_data(
8940 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8941 		request->rssi_adjust.band = rssi_adjust->band;
8942 		request->rssi_adjust.delta = rssi_adjust->delta;
8943 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8944 			err = -EINVAL;
8945 			goto out_free;
8946 		}
8947 	}
8948 
8949 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8950 	if (err)
8951 		goto out_free;
8952 
8953 	request->scan_start = jiffies;
8954 
8955 	return request;
8956 
8957 out_free:
8958 	kfree(request);
8959 	return ERR_PTR(err);
8960 }
8961 
8962 static int nl80211_start_sched_scan(struct sk_buff *skb,
8963 				    struct genl_info *info)
8964 {
8965 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8966 	struct net_device *dev = info->user_ptr[1];
8967 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8968 	struct cfg80211_sched_scan_request *sched_scan_req;
8969 	bool want_multi;
8970 	int err;
8971 
8972 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8973 		return -EOPNOTSUPP;
8974 
8975 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8976 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8977 	if (err)
8978 		return err;
8979 
8980 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8981 						  info->attrs,
8982 						  rdev->wiphy.max_match_sets);
8983 
8984 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8985 	if (err)
8986 		goto out_err;
8987 
8988 	/* leave request id zero for legacy request
8989 	 * or if driver does not support multi-scheduled scan
8990 	 */
8991 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8992 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8993 
8994 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8995 	if (err)
8996 		goto out_free;
8997 
8998 	sched_scan_req->dev = dev;
8999 	sched_scan_req->wiphy = &rdev->wiphy;
9000 
9001 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9002 		sched_scan_req->owner_nlportid = info->snd_portid;
9003 
9004 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9005 
9006 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9007 	return 0;
9008 
9009 out_free:
9010 	kfree(sched_scan_req);
9011 out_err:
9012 	return err;
9013 }
9014 
9015 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9016 				   struct genl_info *info)
9017 {
9018 	struct cfg80211_sched_scan_request *req;
9019 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9020 	u64 cookie;
9021 
9022 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9023 		return -EOPNOTSUPP;
9024 
9025 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9026 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9027 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9028 	}
9029 
9030 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9031 				     struct cfg80211_sched_scan_request,
9032 				     list);
9033 	if (!req || req->reqid ||
9034 	    (req->owner_nlportid &&
9035 	     req->owner_nlportid != info->snd_portid))
9036 		return -ENOENT;
9037 
9038 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9039 }
9040 
9041 static int nl80211_start_radar_detection(struct sk_buff *skb,
9042 					 struct genl_info *info)
9043 {
9044 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9045 	struct net_device *dev = info->user_ptr[1];
9046 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9047 	struct wiphy *wiphy = wdev->wiphy;
9048 	struct cfg80211_chan_def chandef;
9049 	enum nl80211_dfs_regions dfs_region;
9050 	unsigned int cac_time_ms;
9051 	int err;
9052 
9053 	dfs_region = reg_get_dfs_region(wiphy);
9054 	if (dfs_region == NL80211_DFS_UNSET)
9055 		return -EINVAL;
9056 
9057 	err = nl80211_parse_chandef(rdev, info, &chandef);
9058 	if (err)
9059 		return err;
9060 
9061 	if (netif_carrier_ok(dev))
9062 		return -EBUSY;
9063 
9064 	if (wdev->cac_started)
9065 		return -EBUSY;
9066 
9067 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9068 	if (err < 0)
9069 		return err;
9070 
9071 	if (err == 0)
9072 		return -EINVAL;
9073 
9074 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
9075 		return -EINVAL;
9076 
9077 	/* CAC start is offloaded to HW and can't be started manually */
9078 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
9079 		return -EOPNOTSUPP;
9080 
9081 	if (!rdev->ops->start_radar_detection)
9082 		return -EOPNOTSUPP;
9083 
9084 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9085 	if (WARN_ON(!cac_time_ms))
9086 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9087 
9088 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9089 	if (!err) {
9090 		wdev->chandef = chandef;
9091 		wdev->cac_started = true;
9092 		wdev->cac_start_time = jiffies;
9093 		wdev->cac_time_ms = cac_time_ms;
9094 	}
9095 	return err;
9096 }
9097 
9098 static int nl80211_notify_radar_detection(struct sk_buff *skb,
9099 					  struct genl_info *info)
9100 {
9101 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9102 	struct net_device *dev = info->user_ptr[1];
9103 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9104 	struct wiphy *wiphy = wdev->wiphy;
9105 	struct cfg80211_chan_def chandef;
9106 	enum nl80211_dfs_regions dfs_region;
9107 	int err;
9108 
9109 	dfs_region = reg_get_dfs_region(wiphy);
9110 	if (dfs_region == NL80211_DFS_UNSET) {
9111 		GENL_SET_ERR_MSG(info,
9112 				 "DFS Region is not set. Unexpected Radar indication");
9113 		return -EINVAL;
9114 	}
9115 
9116 	err = nl80211_parse_chandef(rdev, info, &chandef);
9117 	if (err) {
9118 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
9119 		return err;
9120 	}
9121 
9122 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9123 	if (err < 0) {
9124 		GENL_SET_ERR_MSG(info, "chandef is invalid");
9125 		return err;
9126 	}
9127 
9128 	if (err == 0) {
9129 		GENL_SET_ERR_MSG(info,
9130 				 "Unexpected Radar indication for chandef/iftype");
9131 		return -EINVAL;
9132 	}
9133 
9134 	/* Do not process this notification if radar is already detected
9135 	 * by kernel on this channel, and return success.
9136 	 */
9137 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
9138 		return 0;
9139 
9140 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
9141 
9142 	cfg80211_sched_dfs_chan_update(rdev);
9143 
9144 	rdev->radar_chandef = chandef;
9145 
9146 	/* Propagate this notification to other radios as well */
9147 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
9148 
9149 	return 0;
9150 }
9151 
9152 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
9153 {
9154 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9155 	struct net_device *dev = info->user_ptr[1];
9156 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9157 	struct cfg80211_csa_settings params;
9158 	struct nlattr **csa_attrs = NULL;
9159 	int err;
9160 	bool need_new_beacon = false;
9161 	bool need_handle_dfs_flag = true;
9162 	int len, i;
9163 	u32 cs_count;
9164 
9165 	if (!rdev->ops->channel_switch ||
9166 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
9167 		return -EOPNOTSUPP;
9168 
9169 	switch (dev->ieee80211_ptr->iftype) {
9170 	case NL80211_IFTYPE_AP:
9171 	case NL80211_IFTYPE_P2P_GO:
9172 		need_new_beacon = true;
9173 		/* For all modes except AP the handle_dfs flag needs to be
9174 		 * supplied to tell the kernel that userspace will handle radar
9175 		 * events when they happen. Otherwise a switch to a channel
9176 		 * requiring DFS will be rejected.
9177 		 */
9178 		need_handle_dfs_flag = false;
9179 
9180 		/* useless if AP is not running */
9181 		if (!wdev->beacon_interval)
9182 			return -ENOTCONN;
9183 		break;
9184 	case NL80211_IFTYPE_ADHOC:
9185 		if (!wdev->ssid_len)
9186 			return -ENOTCONN;
9187 		break;
9188 	case NL80211_IFTYPE_MESH_POINT:
9189 		if (!wdev->mesh_id_len)
9190 			return -ENOTCONN;
9191 		break;
9192 	default:
9193 		return -EOPNOTSUPP;
9194 	}
9195 
9196 	memset(&params, 0, sizeof(params));
9197 	params.beacon_csa.ftm_responder = -1;
9198 
9199 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
9200 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
9201 		return -EINVAL;
9202 
9203 	/* only important for AP, IBSS and mesh create IEs internally */
9204 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
9205 		return -EINVAL;
9206 
9207 	/* Even though the attribute is u32, the specification says
9208 	 * u8, so let's make sure we don't overflow.
9209 	 */
9210 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
9211 	if (cs_count > 255)
9212 		return -EINVAL;
9213 
9214 	params.count = cs_count;
9215 
9216 	if (!need_new_beacon)
9217 		goto skip_beacons;
9218 
9219 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
9220 	if (err)
9221 		return err;
9222 
9223 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
9224 			    GFP_KERNEL);
9225 	if (!csa_attrs)
9226 		return -ENOMEM;
9227 
9228 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
9229 					  info->attrs[NL80211_ATTR_CSA_IES],
9230 					  nl80211_policy, info->extack);
9231 	if (err)
9232 		goto free;
9233 
9234 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
9235 	if (err)
9236 		goto free;
9237 
9238 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
9239 		err = -EINVAL;
9240 		goto free;
9241 	}
9242 
9243 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9244 	if (!len || (len % sizeof(u16))) {
9245 		err = -EINVAL;
9246 		goto free;
9247 	}
9248 
9249 	params.n_counter_offsets_beacon = len / sizeof(u16);
9250 	if (rdev->wiphy.max_num_csa_counters &&
9251 	    (params.n_counter_offsets_beacon >
9252 	     rdev->wiphy.max_num_csa_counters)) {
9253 		err = -EINVAL;
9254 		goto free;
9255 	}
9256 
9257 	params.counter_offsets_beacon =
9258 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
9259 
9260 	/* sanity checks - counters should fit and be the same */
9261 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
9262 		u16 offset = params.counter_offsets_beacon[i];
9263 
9264 		if (offset >= params.beacon_csa.tail_len) {
9265 			err = -EINVAL;
9266 			goto free;
9267 		}
9268 
9269 		if (params.beacon_csa.tail[offset] != params.count) {
9270 			err = -EINVAL;
9271 			goto free;
9272 		}
9273 	}
9274 
9275 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
9276 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9277 		if (!len || (len % sizeof(u16))) {
9278 			err = -EINVAL;
9279 			goto free;
9280 		}
9281 
9282 		params.n_counter_offsets_presp = len / sizeof(u16);
9283 		if (rdev->wiphy.max_num_csa_counters &&
9284 		    (params.n_counter_offsets_presp >
9285 		     rdev->wiphy.max_num_csa_counters)) {
9286 			err = -EINVAL;
9287 			goto free;
9288 		}
9289 
9290 		params.counter_offsets_presp =
9291 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
9292 
9293 		/* sanity checks - counters should fit and be the same */
9294 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
9295 			u16 offset = params.counter_offsets_presp[i];
9296 
9297 			if (offset >= params.beacon_csa.probe_resp_len) {
9298 				err = -EINVAL;
9299 				goto free;
9300 			}
9301 
9302 			if (params.beacon_csa.probe_resp[offset] !=
9303 			    params.count) {
9304 				err = -EINVAL;
9305 				goto free;
9306 			}
9307 		}
9308 	}
9309 
9310 skip_beacons:
9311 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
9312 	if (err)
9313 		goto free;
9314 
9315 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
9316 					   wdev->iftype)) {
9317 		err = -EINVAL;
9318 		goto free;
9319 	}
9320 
9321 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
9322 					    &params.chandef,
9323 					    wdev->iftype);
9324 	if (err < 0)
9325 		goto free;
9326 
9327 	if (err > 0) {
9328 		params.radar_required = true;
9329 		if (need_handle_dfs_flag &&
9330 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
9331 			err = -EINVAL;
9332 			goto free;
9333 		}
9334 	}
9335 
9336 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
9337 		params.block_tx = true;
9338 
9339 	wdev_lock(wdev);
9340 	err = rdev_channel_switch(rdev, dev, &params);
9341 	wdev_unlock(wdev);
9342 
9343 free:
9344 	kfree(csa_attrs);
9345 	return err;
9346 }
9347 
9348 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
9349 			    u32 seq, int flags,
9350 			    struct cfg80211_registered_device *rdev,
9351 			    struct wireless_dev *wdev,
9352 			    struct cfg80211_internal_bss *intbss)
9353 {
9354 	struct cfg80211_bss *res = &intbss->pub;
9355 	const struct cfg80211_bss_ies *ies;
9356 	void *hdr;
9357 	struct nlattr *bss;
9358 
9359 	ASSERT_WDEV_LOCK(wdev);
9360 
9361 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
9362 			     NL80211_CMD_NEW_SCAN_RESULTS);
9363 	if (!hdr)
9364 		return -1;
9365 
9366 	genl_dump_check_consistent(cb, hdr);
9367 
9368 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
9369 		goto nla_put_failure;
9370 	if (wdev->netdev &&
9371 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
9372 		goto nla_put_failure;
9373 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
9374 			      NL80211_ATTR_PAD))
9375 		goto nla_put_failure;
9376 
9377 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
9378 	if (!bss)
9379 		goto nla_put_failure;
9380 	if ((!is_zero_ether_addr(res->bssid) &&
9381 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
9382 		goto nla_put_failure;
9383 
9384 	rcu_read_lock();
9385 	/* indicate whether we have probe response data or not */
9386 	if (rcu_access_pointer(res->proberesp_ies) &&
9387 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
9388 		goto fail_unlock_rcu;
9389 
9390 	/* this pointer prefers to be pointed to probe response data
9391 	 * but is always valid
9392 	 */
9393 	ies = rcu_dereference(res->ies);
9394 	if (ies) {
9395 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
9396 				      NL80211_BSS_PAD))
9397 			goto fail_unlock_rcu;
9398 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
9399 					ies->len, ies->data))
9400 			goto fail_unlock_rcu;
9401 	}
9402 
9403 	/* and this pointer is always (unless driver didn't know) beacon data */
9404 	ies = rcu_dereference(res->beacon_ies);
9405 	if (ies && ies->from_beacon) {
9406 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
9407 				      NL80211_BSS_PAD))
9408 			goto fail_unlock_rcu;
9409 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
9410 					ies->len, ies->data))
9411 			goto fail_unlock_rcu;
9412 	}
9413 	rcu_read_unlock();
9414 
9415 	if (res->beacon_interval &&
9416 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
9417 		goto nla_put_failure;
9418 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
9419 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
9420 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
9421 			res->channel->freq_offset) ||
9422 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
9423 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
9424 			jiffies_to_msecs(jiffies - intbss->ts)))
9425 		goto nla_put_failure;
9426 
9427 	if (intbss->parent_tsf &&
9428 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
9429 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
9430 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
9431 		     intbss->parent_bssid)))
9432 		goto nla_put_failure;
9433 
9434 	if (intbss->ts_boottime &&
9435 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
9436 			      intbss->ts_boottime, NL80211_BSS_PAD))
9437 		goto nla_put_failure;
9438 
9439 	if (!nl80211_put_signal(msg, intbss->pub.chains,
9440 				intbss->pub.chain_signal,
9441 				NL80211_BSS_CHAIN_SIGNAL))
9442 		goto nla_put_failure;
9443 
9444 	switch (rdev->wiphy.signal_type) {
9445 	case CFG80211_SIGNAL_TYPE_MBM:
9446 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
9447 			goto nla_put_failure;
9448 		break;
9449 	case CFG80211_SIGNAL_TYPE_UNSPEC:
9450 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
9451 			goto nla_put_failure;
9452 		break;
9453 	default:
9454 		break;
9455 	}
9456 
9457 	switch (wdev->iftype) {
9458 	case NL80211_IFTYPE_P2P_CLIENT:
9459 	case NL80211_IFTYPE_STATION:
9460 		if (intbss == wdev->current_bss &&
9461 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9462 				NL80211_BSS_STATUS_ASSOCIATED))
9463 			goto nla_put_failure;
9464 		break;
9465 	case NL80211_IFTYPE_ADHOC:
9466 		if (intbss == wdev->current_bss &&
9467 		    nla_put_u32(msg, NL80211_BSS_STATUS,
9468 				NL80211_BSS_STATUS_IBSS_JOINED))
9469 			goto nla_put_failure;
9470 		break;
9471 	default:
9472 		break;
9473 	}
9474 
9475 	nla_nest_end(msg, bss);
9476 
9477 	genlmsg_end(msg, hdr);
9478 	return 0;
9479 
9480  fail_unlock_rcu:
9481 	rcu_read_unlock();
9482  nla_put_failure:
9483 	genlmsg_cancel(msg, hdr);
9484 	return -EMSGSIZE;
9485 }
9486 
9487 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
9488 {
9489 	struct cfg80211_registered_device *rdev;
9490 	struct cfg80211_internal_bss *scan;
9491 	struct wireless_dev *wdev;
9492 	int start = cb->args[2], idx = 0;
9493 	int err;
9494 
9495 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9496 	if (err)
9497 		return err;
9498 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9499 	__acquire(&rdev->wiphy.mtx);
9500 
9501 	wdev_lock(wdev);
9502 	spin_lock_bh(&rdev->bss_lock);
9503 
9504 	/*
9505 	 * dump_scan will be called multiple times to break up the scan results
9506 	 * into multiple messages.  It is unlikely that any more bss-es will be
9507 	 * expired after the first call, so only call only call this on the
9508 	 * first dump_scan invocation.
9509 	 */
9510 	if (start == 0)
9511 		cfg80211_bss_expire(rdev);
9512 
9513 	cb->seq = rdev->bss_generation;
9514 
9515 	list_for_each_entry(scan, &rdev->bss_list, list) {
9516 		if (++idx <= start)
9517 			continue;
9518 		if (nl80211_send_bss(skb, cb,
9519 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9520 				rdev, wdev, scan) < 0) {
9521 			idx--;
9522 			break;
9523 		}
9524 	}
9525 
9526 	spin_unlock_bh(&rdev->bss_lock);
9527 	wdev_unlock(wdev);
9528 
9529 	cb->args[2] = idx;
9530 	wiphy_unlock(&rdev->wiphy);
9531 
9532 	return skb->len;
9533 }
9534 
9535 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9536 			       int flags, struct net_device *dev,
9537 			       bool allow_radio_stats,
9538 			       struct survey_info *survey)
9539 {
9540 	void *hdr;
9541 	struct nlattr *infoattr;
9542 
9543 	/* skip radio stats if userspace didn't request them */
9544 	if (!survey->channel && !allow_radio_stats)
9545 		return 0;
9546 
9547 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9548 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9549 	if (!hdr)
9550 		return -ENOMEM;
9551 
9552 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9553 		goto nla_put_failure;
9554 
9555 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9556 	if (!infoattr)
9557 		goto nla_put_failure;
9558 
9559 	if (survey->channel &&
9560 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9561 			survey->channel->center_freq))
9562 		goto nla_put_failure;
9563 
9564 	if (survey->channel && survey->channel->freq_offset &&
9565 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
9566 			survey->channel->freq_offset))
9567 		goto nla_put_failure;
9568 
9569 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9570 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9571 		goto nla_put_failure;
9572 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9573 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9574 		goto nla_put_failure;
9575 	if ((survey->filled & SURVEY_INFO_TIME) &&
9576 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9577 			survey->time, NL80211_SURVEY_INFO_PAD))
9578 		goto nla_put_failure;
9579 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9580 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9581 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9582 		goto nla_put_failure;
9583 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9584 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9585 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9586 		goto nla_put_failure;
9587 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9588 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9589 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9590 		goto nla_put_failure;
9591 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9592 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9593 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9594 		goto nla_put_failure;
9595 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9596 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9597 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9598 		goto nla_put_failure;
9599 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9600 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9601 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9602 		goto nla_put_failure;
9603 
9604 	nla_nest_end(msg, infoattr);
9605 
9606 	genlmsg_end(msg, hdr);
9607 	return 0;
9608 
9609  nla_put_failure:
9610 	genlmsg_cancel(msg, hdr);
9611 	return -EMSGSIZE;
9612 }
9613 
9614 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9615 {
9616 	struct nlattr **attrbuf;
9617 	struct survey_info survey;
9618 	struct cfg80211_registered_device *rdev;
9619 	struct wireless_dev *wdev;
9620 	int survey_idx = cb->args[2];
9621 	int res;
9622 	bool radio_stats;
9623 
9624 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9625 	if (!attrbuf)
9626 		return -ENOMEM;
9627 
9628 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9629 	if (res) {
9630 		kfree(attrbuf);
9631 		return res;
9632 	}
9633 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
9634 	__acquire(&rdev->wiphy.mtx);
9635 
9636 	/* prepare_wdev_dump parsed the attributes */
9637 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9638 
9639 	if (!wdev->netdev) {
9640 		res = -EINVAL;
9641 		goto out_err;
9642 	}
9643 
9644 	if (!rdev->ops->dump_survey) {
9645 		res = -EOPNOTSUPP;
9646 		goto out_err;
9647 	}
9648 
9649 	while (1) {
9650 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9651 		if (res == -ENOENT)
9652 			break;
9653 		if (res)
9654 			goto out_err;
9655 
9656 		/* don't send disabled channels, but do send non-channel data */
9657 		if (survey.channel &&
9658 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9659 			survey_idx++;
9660 			continue;
9661 		}
9662 
9663 		if (nl80211_send_survey(skb,
9664 				NETLINK_CB(cb->skb).portid,
9665 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9666 				wdev->netdev, radio_stats, &survey) < 0)
9667 			goto out;
9668 		survey_idx++;
9669 	}
9670 
9671  out:
9672 	cb->args[2] = survey_idx;
9673 	res = skb->len;
9674  out_err:
9675 	kfree(attrbuf);
9676 	wiphy_unlock(&rdev->wiphy);
9677 	return res;
9678 }
9679 
9680 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9681 {
9682 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9683 				  NL80211_WPA_VERSION_2 |
9684 				  NL80211_WPA_VERSION_3));
9685 }
9686 
9687 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9688 {
9689 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9690 	struct net_device *dev = info->user_ptr[1];
9691 	struct ieee80211_channel *chan;
9692 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9693 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9694 	enum nl80211_auth_type auth_type;
9695 	struct key_parse key;
9696 	bool local_state_change;
9697 	u32 freq;
9698 
9699 	if (!info->attrs[NL80211_ATTR_MAC])
9700 		return -EINVAL;
9701 
9702 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9703 		return -EINVAL;
9704 
9705 	if (!info->attrs[NL80211_ATTR_SSID])
9706 		return -EINVAL;
9707 
9708 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9709 		return -EINVAL;
9710 
9711 	err = nl80211_parse_key(info, &key);
9712 	if (err)
9713 		return err;
9714 
9715 	if (key.idx >= 0) {
9716 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9717 			return -EINVAL;
9718 		if (!key.p.key || !key.p.key_len)
9719 			return -EINVAL;
9720 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9721 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9722 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9723 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9724 			return -EINVAL;
9725 		if (key.idx > 3)
9726 			return -EINVAL;
9727 	} else {
9728 		key.p.key_len = 0;
9729 		key.p.key = NULL;
9730 	}
9731 
9732 	if (key.idx >= 0) {
9733 		int i;
9734 		bool ok = false;
9735 
9736 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9737 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9738 				ok = true;
9739 				break;
9740 			}
9741 		}
9742 		if (!ok)
9743 			return -EINVAL;
9744 	}
9745 
9746 	if (!rdev->ops->auth)
9747 		return -EOPNOTSUPP;
9748 
9749 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9750 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9751 		return -EOPNOTSUPP;
9752 
9753 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9754 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9755 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9756 		freq +=
9757 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9758 
9759 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9760 	if (!chan)
9761 		return -EINVAL;
9762 
9763 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9764 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9765 
9766 	if (info->attrs[NL80211_ATTR_IE]) {
9767 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9768 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9769 	}
9770 
9771 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9772 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9773 		return -EINVAL;
9774 
9775 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9776 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9777 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9778 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9779 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9780 		return -EINVAL;
9781 
9782 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9783 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9784 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9785 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9786 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9787 			return -EINVAL;
9788 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9789 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9790 	}
9791 
9792 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9793 
9794 	/*
9795 	 * Since we no longer track auth state, ignore
9796 	 * requests to only change local state.
9797 	 */
9798 	if (local_state_change)
9799 		return 0;
9800 
9801 	wdev_lock(dev->ieee80211_ptr);
9802 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9803 				 ssid, ssid_len, ie, ie_len,
9804 				 key.p.key, key.p.key_len, key.idx,
9805 				 auth_data, auth_data_len);
9806 	wdev_unlock(dev->ieee80211_ptr);
9807 	return err;
9808 }
9809 
9810 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9811 				     struct genl_info *info)
9812 {
9813 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9814 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9815 		return -EINVAL;
9816 	}
9817 
9818 	if (!rdev->ops->tx_control_port ||
9819 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9820 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9821 		return -EOPNOTSUPP;
9822 
9823 	return 0;
9824 }
9825 
9826 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9827 				   struct genl_info *info,
9828 				   struct cfg80211_crypto_settings *settings,
9829 				   int cipher_limit)
9830 {
9831 	memset(settings, 0, sizeof(*settings));
9832 
9833 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9834 
9835 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9836 		u16 proto;
9837 
9838 		proto = nla_get_u16(
9839 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9840 		settings->control_port_ethertype = cpu_to_be16(proto);
9841 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9842 		    proto != ETH_P_PAE)
9843 			return -EINVAL;
9844 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9845 			settings->control_port_no_encrypt = true;
9846 	} else
9847 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9848 
9849 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9850 		int r = validate_pae_over_nl80211(rdev, info);
9851 
9852 		if (r < 0)
9853 			return r;
9854 
9855 		settings->control_port_over_nl80211 = true;
9856 
9857 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9858 			settings->control_port_no_preauth = true;
9859 	}
9860 
9861 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9862 		void *data;
9863 		int len, i;
9864 
9865 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9866 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9867 		settings->n_ciphers_pairwise = len / sizeof(u32);
9868 
9869 		if (len % sizeof(u32))
9870 			return -EINVAL;
9871 
9872 		if (settings->n_ciphers_pairwise > cipher_limit)
9873 			return -EINVAL;
9874 
9875 		memcpy(settings->ciphers_pairwise, data, len);
9876 
9877 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9878 			if (!cfg80211_supported_cipher_suite(
9879 					&rdev->wiphy,
9880 					settings->ciphers_pairwise[i]))
9881 				return -EINVAL;
9882 	}
9883 
9884 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9885 		settings->cipher_group =
9886 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9887 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9888 						     settings->cipher_group))
9889 			return -EINVAL;
9890 	}
9891 
9892 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9893 		settings->wpa_versions =
9894 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9895 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9896 			return -EINVAL;
9897 	}
9898 
9899 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9900 		void *data;
9901 		int len;
9902 
9903 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9904 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9905 		settings->n_akm_suites = len / sizeof(u32);
9906 
9907 		if (len % sizeof(u32))
9908 			return -EINVAL;
9909 
9910 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9911 			return -EINVAL;
9912 
9913 		memcpy(settings->akm_suites, data, len);
9914 	}
9915 
9916 	if (info->attrs[NL80211_ATTR_PMK]) {
9917 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9918 			return -EINVAL;
9919 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9920 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
9921 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9922 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
9923 			return -EINVAL;
9924 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9925 	}
9926 
9927 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9928 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9929 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
9930 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9931 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
9932 			return -EINVAL;
9933 		settings->sae_pwd =
9934 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9935 		settings->sae_pwd_len =
9936 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9937 	}
9938 
9939 	if (info->attrs[NL80211_ATTR_SAE_PWE])
9940 		settings->sae_pwe =
9941 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
9942 	else
9943 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
9944 
9945 	return 0;
9946 }
9947 
9948 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9949 {
9950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9951 	struct net_device *dev = info->user_ptr[1];
9952 	struct ieee80211_channel *chan;
9953 	struct cfg80211_assoc_request req = {};
9954 	const u8 *bssid, *ssid;
9955 	int err, ssid_len = 0;
9956 	u32 freq;
9957 
9958 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9959 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9960 		return -EPERM;
9961 
9962 	if (!info->attrs[NL80211_ATTR_MAC] ||
9963 	    !info->attrs[NL80211_ATTR_SSID] ||
9964 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9965 		return -EINVAL;
9966 
9967 	if (!rdev->ops->assoc)
9968 		return -EOPNOTSUPP;
9969 
9970 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9971 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9972 		return -EOPNOTSUPP;
9973 
9974 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9975 
9976 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
9977 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
9978 		freq +=
9979 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
9980 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
9981 	if (!chan)
9982 		return -EINVAL;
9983 
9984 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9985 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9986 
9987 	if (info->attrs[NL80211_ATTR_IE]) {
9988 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9989 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9990 	}
9991 
9992 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9993 		enum nl80211_mfp mfp =
9994 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9995 		if (mfp == NL80211_MFP_REQUIRED)
9996 			req.use_mfp = true;
9997 		else if (mfp != NL80211_MFP_NO)
9998 			return -EINVAL;
9999 	}
10000 
10001 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10002 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10003 
10004 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10005 		req.flags |= ASSOC_REQ_DISABLE_HT;
10006 
10007 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10008 		memcpy(&req.ht_capa_mask,
10009 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10010 		       sizeof(req.ht_capa_mask));
10011 
10012 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10013 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10014 			return -EINVAL;
10015 		memcpy(&req.ht_capa,
10016 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10017 		       sizeof(req.ht_capa));
10018 	}
10019 
10020 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10021 		req.flags |= ASSOC_REQ_DISABLE_VHT;
10022 
10023 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10024 		req.flags |= ASSOC_REQ_DISABLE_HE;
10025 
10026 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10027 		memcpy(&req.vht_capa_mask,
10028 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10029 		       sizeof(req.vht_capa_mask));
10030 
10031 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10032 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10033 			return -EINVAL;
10034 		memcpy(&req.vht_capa,
10035 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10036 		       sizeof(req.vht_capa));
10037 	}
10038 
10039 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10040 		if (!((rdev->wiphy.features &
10041 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10042 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10043 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10044 					     NL80211_EXT_FEATURE_RRM))
10045 			return -EINVAL;
10046 		req.flags |= ASSOC_REQ_USE_RRM;
10047 	}
10048 
10049 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
10050 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
10051 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
10052 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
10053 			return -EINVAL;
10054 		req.fils_nonces =
10055 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
10056 	}
10057 
10058 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
10059 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
10060 			return -EINVAL;
10061 		memcpy(&req.s1g_capa_mask,
10062 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
10063 		       sizeof(req.s1g_capa_mask));
10064 	}
10065 
10066 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
10067 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
10068 			return -EINVAL;
10069 		memcpy(&req.s1g_capa,
10070 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
10071 		       sizeof(req.s1g_capa));
10072 	}
10073 
10074 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
10075 	if (!err) {
10076 		wdev_lock(dev->ieee80211_ptr);
10077 
10078 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
10079 					  ssid, ssid_len, &req);
10080 
10081 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10082 			dev->ieee80211_ptr->conn_owner_nlportid =
10083 				info->snd_portid;
10084 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10085 			       bssid, ETH_ALEN);
10086 		}
10087 
10088 		wdev_unlock(dev->ieee80211_ptr);
10089 	}
10090 
10091 	return err;
10092 }
10093 
10094 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
10095 {
10096 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10097 	struct net_device *dev = info->user_ptr[1];
10098 	const u8 *ie = NULL, *bssid;
10099 	int ie_len = 0, err;
10100 	u16 reason_code;
10101 	bool local_state_change;
10102 
10103 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10104 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10105 		return -EPERM;
10106 
10107 	if (!info->attrs[NL80211_ATTR_MAC])
10108 		return -EINVAL;
10109 
10110 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10111 		return -EINVAL;
10112 
10113 	if (!rdev->ops->deauth)
10114 		return -EOPNOTSUPP;
10115 
10116 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10117 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10118 		return -EOPNOTSUPP;
10119 
10120 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10121 
10122 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10123 	if (reason_code == 0) {
10124 		/* Reason Code 0 is reserved */
10125 		return -EINVAL;
10126 	}
10127 
10128 	if (info->attrs[NL80211_ATTR_IE]) {
10129 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10130 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10131 	}
10132 
10133 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10134 
10135 	wdev_lock(dev->ieee80211_ptr);
10136 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
10137 				   local_state_change);
10138 	wdev_unlock(dev->ieee80211_ptr);
10139 	return err;
10140 }
10141 
10142 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
10143 {
10144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10145 	struct net_device *dev = info->user_ptr[1];
10146 	const u8 *ie = NULL, *bssid;
10147 	int ie_len = 0, err;
10148 	u16 reason_code;
10149 	bool local_state_change;
10150 
10151 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10152 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10153 		return -EPERM;
10154 
10155 	if (!info->attrs[NL80211_ATTR_MAC])
10156 		return -EINVAL;
10157 
10158 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10159 		return -EINVAL;
10160 
10161 	if (!rdev->ops->disassoc)
10162 		return -EOPNOTSUPP;
10163 
10164 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10165 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10166 		return -EOPNOTSUPP;
10167 
10168 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10169 
10170 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10171 	if (reason_code == 0) {
10172 		/* Reason Code 0 is reserved */
10173 		return -EINVAL;
10174 	}
10175 
10176 	if (info->attrs[NL80211_ATTR_IE]) {
10177 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10178 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10179 	}
10180 
10181 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10182 
10183 	wdev_lock(dev->ieee80211_ptr);
10184 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
10185 				     local_state_change);
10186 	wdev_unlock(dev->ieee80211_ptr);
10187 	return err;
10188 }
10189 
10190 static bool
10191 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
10192 			 int mcast_rate[NUM_NL80211_BANDS],
10193 			 int rateval)
10194 {
10195 	struct wiphy *wiphy = &rdev->wiphy;
10196 	bool found = false;
10197 	int band, i;
10198 
10199 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
10200 		struct ieee80211_supported_band *sband;
10201 
10202 		sband = wiphy->bands[band];
10203 		if (!sband)
10204 			continue;
10205 
10206 		for (i = 0; i < sband->n_bitrates; i++) {
10207 			if (sband->bitrates[i].bitrate == rateval) {
10208 				mcast_rate[band] = i + 1;
10209 				found = true;
10210 				break;
10211 			}
10212 		}
10213 	}
10214 
10215 	return found;
10216 }
10217 
10218 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
10219 {
10220 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10221 	struct net_device *dev = info->user_ptr[1];
10222 	struct cfg80211_ibss_params ibss;
10223 	struct wiphy *wiphy;
10224 	struct cfg80211_cached_keys *connkeys = NULL;
10225 	int err;
10226 
10227 	memset(&ibss, 0, sizeof(ibss));
10228 
10229 	if (!info->attrs[NL80211_ATTR_SSID] ||
10230 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10231 		return -EINVAL;
10232 
10233 	ibss.beacon_interval = 100;
10234 
10235 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
10236 		ibss.beacon_interval =
10237 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
10238 
10239 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
10240 					   ibss.beacon_interval);
10241 	if (err)
10242 		return err;
10243 
10244 	if (!rdev->ops->join_ibss)
10245 		return -EOPNOTSUPP;
10246 
10247 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10248 		return -EOPNOTSUPP;
10249 
10250 	wiphy = &rdev->wiphy;
10251 
10252 	if (info->attrs[NL80211_ATTR_MAC]) {
10253 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10254 
10255 		if (!is_valid_ether_addr(ibss.bssid))
10256 			return -EINVAL;
10257 	}
10258 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10259 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10260 
10261 	if (info->attrs[NL80211_ATTR_IE]) {
10262 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10263 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10264 	}
10265 
10266 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
10267 	if (err)
10268 		return err;
10269 
10270 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
10271 				     NL80211_IFTYPE_ADHOC))
10272 		return -EINVAL;
10273 
10274 	switch (ibss.chandef.width) {
10275 	case NL80211_CHAN_WIDTH_5:
10276 	case NL80211_CHAN_WIDTH_10:
10277 	case NL80211_CHAN_WIDTH_20_NOHT:
10278 		break;
10279 	case NL80211_CHAN_WIDTH_20:
10280 	case NL80211_CHAN_WIDTH_40:
10281 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10282 			return -EINVAL;
10283 		break;
10284 	case NL80211_CHAN_WIDTH_80:
10285 	case NL80211_CHAN_WIDTH_80P80:
10286 	case NL80211_CHAN_WIDTH_160:
10287 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
10288 			return -EINVAL;
10289 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10290 					     NL80211_EXT_FEATURE_VHT_IBSS))
10291 			return -EINVAL;
10292 		break;
10293 	default:
10294 		return -EINVAL;
10295 	}
10296 
10297 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
10298 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
10299 
10300 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
10301 		u8 *rates =
10302 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10303 		int n_rates =
10304 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
10305 		struct ieee80211_supported_band *sband =
10306 			wiphy->bands[ibss.chandef.chan->band];
10307 
10308 		err = ieee80211_get_ratemask(sband, rates, n_rates,
10309 					     &ibss.basic_rates);
10310 		if (err)
10311 			return err;
10312 	}
10313 
10314 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10315 		memcpy(&ibss.ht_capa_mask,
10316 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10317 		       sizeof(ibss.ht_capa_mask));
10318 
10319 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10320 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10321 			return -EINVAL;
10322 		memcpy(&ibss.ht_capa,
10323 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10324 		       sizeof(ibss.ht_capa));
10325 	}
10326 
10327 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
10328 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
10329 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
10330 		return -EINVAL;
10331 
10332 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10333 		bool no_ht = false;
10334 
10335 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
10336 		if (IS_ERR(connkeys))
10337 			return PTR_ERR(connkeys);
10338 
10339 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
10340 		    no_ht) {
10341 			kfree_sensitive(connkeys);
10342 			return -EINVAL;
10343 		}
10344 	}
10345 
10346 	ibss.control_port =
10347 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
10348 
10349 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10350 		int r = validate_pae_over_nl80211(rdev, info);
10351 
10352 		if (r < 0) {
10353 			kfree_sensitive(connkeys);
10354 			return r;
10355 		}
10356 
10357 		ibss.control_port_over_nl80211 = true;
10358 	}
10359 
10360 	ibss.userspace_handles_dfs =
10361 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
10362 
10363 	wdev_lock(dev->ieee80211_ptr);
10364 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
10365 	if (err)
10366 		kfree_sensitive(connkeys);
10367 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
10368 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10369 	wdev_unlock(dev->ieee80211_ptr);
10370 
10371 	return err;
10372 }
10373 
10374 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
10375 {
10376 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10377 	struct net_device *dev = info->user_ptr[1];
10378 
10379 	if (!rdev->ops->leave_ibss)
10380 		return -EOPNOTSUPP;
10381 
10382 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
10383 		return -EOPNOTSUPP;
10384 
10385 	return cfg80211_leave_ibss(rdev, dev, false);
10386 }
10387 
10388 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
10389 {
10390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10391 	struct net_device *dev = info->user_ptr[1];
10392 	int mcast_rate[NUM_NL80211_BANDS];
10393 	u32 nla_rate;
10394 	int err;
10395 
10396 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
10397 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
10398 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
10399 		return -EOPNOTSUPP;
10400 
10401 	if (!rdev->ops->set_mcast_rate)
10402 		return -EOPNOTSUPP;
10403 
10404 	memset(mcast_rate, 0, sizeof(mcast_rate));
10405 
10406 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
10407 		return -EINVAL;
10408 
10409 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
10410 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
10411 		return -EINVAL;
10412 
10413 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
10414 
10415 	return err;
10416 }
10417 
10418 static struct sk_buff *
10419 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
10420 			    struct wireless_dev *wdev, int approxlen,
10421 			    u32 portid, u32 seq, enum nl80211_commands cmd,
10422 			    enum nl80211_attrs attr,
10423 			    const struct nl80211_vendor_cmd_info *info,
10424 			    gfp_t gfp)
10425 {
10426 	struct sk_buff *skb;
10427 	void *hdr;
10428 	struct nlattr *data;
10429 
10430 	skb = nlmsg_new(approxlen + 100, gfp);
10431 	if (!skb)
10432 		return NULL;
10433 
10434 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
10435 	if (!hdr) {
10436 		kfree_skb(skb);
10437 		return NULL;
10438 	}
10439 
10440 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
10441 		goto nla_put_failure;
10442 
10443 	if (info) {
10444 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
10445 				info->vendor_id))
10446 			goto nla_put_failure;
10447 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
10448 				info->subcmd))
10449 			goto nla_put_failure;
10450 	}
10451 
10452 	if (wdev) {
10453 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
10454 				      wdev_id(wdev), NL80211_ATTR_PAD))
10455 			goto nla_put_failure;
10456 		if (wdev->netdev &&
10457 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
10458 				wdev->netdev->ifindex))
10459 			goto nla_put_failure;
10460 	}
10461 
10462 	data = nla_nest_start_noflag(skb, attr);
10463 	if (!data)
10464 		goto nla_put_failure;
10465 
10466 	((void **)skb->cb)[0] = rdev;
10467 	((void **)skb->cb)[1] = hdr;
10468 	((void **)skb->cb)[2] = data;
10469 
10470 	return skb;
10471 
10472  nla_put_failure:
10473 	kfree_skb(skb);
10474 	return NULL;
10475 }
10476 
10477 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
10478 					   struct wireless_dev *wdev,
10479 					   enum nl80211_commands cmd,
10480 					   enum nl80211_attrs attr,
10481 					   unsigned int portid,
10482 					   int vendor_event_idx,
10483 					   int approxlen, gfp_t gfp)
10484 {
10485 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
10486 	const struct nl80211_vendor_cmd_info *info;
10487 
10488 	switch (cmd) {
10489 	case NL80211_CMD_TESTMODE:
10490 		if (WARN_ON(vendor_event_idx != -1))
10491 			return NULL;
10492 		info = NULL;
10493 		break;
10494 	case NL80211_CMD_VENDOR:
10495 		if (WARN_ON(vendor_event_idx < 0 ||
10496 			    vendor_event_idx >= wiphy->n_vendor_events))
10497 			return NULL;
10498 		info = &wiphy->vendor_events[vendor_event_idx];
10499 		break;
10500 	default:
10501 		WARN_ON(1);
10502 		return NULL;
10503 	}
10504 
10505 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
10506 					   cmd, attr, info, gfp);
10507 }
10508 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
10509 
10510 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
10511 {
10512 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
10513 	void *hdr = ((void **)skb->cb)[1];
10514 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
10515 	struct nlattr *data = ((void **)skb->cb)[2];
10516 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
10517 
10518 	/* clear CB data for netlink core to own from now on */
10519 	memset(skb->cb, 0, sizeof(skb->cb));
10520 
10521 	nla_nest_end(skb, data);
10522 	genlmsg_end(skb, hdr);
10523 
10524 	if (nlhdr->nlmsg_pid) {
10525 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
10526 				nlhdr->nlmsg_pid);
10527 	} else {
10528 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
10529 			mcgrp = NL80211_MCGRP_VENDOR;
10530 
10531 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
10532 					skb, 0, mcgrp, gfp);
10533 	}
10534 }
10535 EXPORT_SYMBOL(__cfg80211_send_event_skb);
10536 
10537 #ifdef CONFIG_NL80211_TESTMODE
10538 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
10539 {
10540 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10541 	struct wireless_dev *wdev;
10542 	int err;
10543 
10544 	lockdep_assert_held(&rdev->wiphy.mtx);
10545 
10546 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
10547 					  info->attrs);
10548 
10549 	if (!rdev->ops->testmode_cmd)
10550 		return -EOPNOTSUPP;
10551 
10552 	if (IS_ERR(wdev)) {
10553 		err = PTR_ERR(wdev);
10554 		if (err != -EINVAL)
10555 			return err;
10556 		wdev = NULL;
10557 	} else if (wdev->wiphy != &rdev->wiphy) {
10558 		return -EINVAL;
10559 	}
10560 
10561 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10562 		return -EINVAL;
10563 
10564 	rdev->cur_cmd_info = info;
10565 	err = rdev_testmode_cmd(rdev, wdev,
10566 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10567 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10568 	rdev->cur_cmd_info = NULL;
10569 
10570 	return err;
10571 }
10572 
10573 static int nl80211_testmode_dump(struct sk_buff *skb,
10574 				 struct netlink_callback *cb)
10575 {
10576 	struct cfg80211_registered_device *rdev;
10577 	struct nlattr **attrbuf = NULL;
10578 	int err;
10579 	long phy_idx;
10580 	void *data = NULL;
10581 	int data_len = 0;
10582 
10583 	rtnl_lock();
10584 
10585 	if (cb->args[0]) {
10586 		/*
10587 		 * 0 is a valid index, but not valid for args[0],
10588 		 * so we need to offset by 1.
10589 		 */
10590 		phy_idx = cb->args[0] - 1;
10591 
10592 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10593 		if (!rdev) {
10594 			err = -ENOENT;
10595 			goto out_err;
10596 		}
10597 	} else {
10598 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10599 				  GFP_KERNEL);
10600 		if (!attrbuf) {
10601 			err = -ENOMEM;
10602 			goto out_err;
10603 		}
10604 
10605 		err = nlmsg_parse_deprecated(cb->nlh,
10606 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10607 					     attrbuf, nl80211_fam.maxattr,
10608 					     nl80211_policy, NULL);
10609 		if (err)
10610 			goto out_err;
10611 
10612 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10613 		if (IS_ERR(rdev)) {
10614 			err = PTR_ERR(rdev);
10615 			goto out_err;
10616 		}
10617 		phy_idx = rdev->wiphy_idx;
10618 
10619 		if (attrbuf[NL80211_ATTR_TESTDATA])
10620 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10621 	}
10622 
10623 	if (cb->args[1]) {
10624 		data = nla_data((void *)cb->args[1]);
10625 		data_len = nla_len((void *)cb->args[1]);
10626 	}
10627 
10628 	if (!rdev->ops->testmode_dump) {
10629 		err = -EOPNOTSUPP;
10630 		goto out_err;
10631 	}
10632 
10633 	while (1) {
10634 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10635 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10636 					   NL80211_CMD_TESTMODE);
10637 		struct nlattr *tmdata;
10638 
10639 		if (!hdr)
10640 			break;
10641 
10642 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10643 			genlmsg_cancel(skb, hdr);
10644 			break;
10645 		}
10646 
10647 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10648 		if (!tmdata) {
10649 			genlmsg_cancel(skb, hdr);
10650 			break;
10651 		}
10652 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10653 		nla_nest_end(skb, tmdata);
10654 
10655 		if (err == -ENOBUFS || err == -ENOENT) {
10656 			genlmsg_cancel(skb, hdr);
10657 			break;
10658 		} else if (err) {
10659 			genlmsg_cancel(skb, hdr);
10660 			goto out_err;
10661 		}
10662 
10663 		genlmsg_end(skb, hdr);
10664 	}
10665 
10666 	err = skb->len;
10667 	/* see above */
10668 	cb->args[0] = phy_idx + 1;
10669  out_err:
10670 	kfree(attrbuf);
10671 	rtnl_unlock();
10672 	return err;
10673 }
10674 #endif
10675 
10676 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10677 {
10678 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10679 	struct net_device *dev = info->user_ptr[1];
10680 	struct cfg80211_connect_params connect;
10681 	struct wiphy *wiphy;
10682 	struct cfg80211_cached_keys *connkeys = NULL;
10683 	u32 freq = 0;
10684 	int err;
10685 
10686 	memset(&connect, 0, sizeof(connect));
10687 
10688 	if (!info->attrs[NL80211_ATTR_SSID] ||
10689 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10690 		return -EINVAL;
10691 
10692 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10693 		connect.auth_type =
10694 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10695 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10696 					     NL80211_CMD_CONNECT))
10697 			return -EINVAL;
10698 	} else
10699 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10700 
10701 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10702 
10703 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10704 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10705 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10706 		return -EINVAL;
10707 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10708 
10709 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10710 				      NL80211_MAX_NR_CIPHER_SUITES);
10711 	if (err)
10712 		return err;
10713 
10714 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10715 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10716 		return -EOPNOTSUPP;
10717 
10718 	wiphy = &rdev->wiphy;
10719 
10720 	connect.bg_scan_period = -1;
10721 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10722 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10723 		connect.bg_scan_period =
10724 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10725 	}
10726 
10727 	if (info->attrs[NL80211_ATTR_MAC])
10728 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10729 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10730 		connect.bssid_hint =
10731 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10732 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10733 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10734 
10735 	if (info->attrs[NL80211_ATTR_IE]) {
10736 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10737 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10738 	}
10739 
10740 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10741 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10742 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10743 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10744 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10745 			return -EOPNOTSUPP;
10746 	} else {
10747 		connect.mfp = NL80211_MFP_NO;
10748 	}
10749 
10750 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10751 		connect.prev_bssid =
10752 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10753 
10754 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
10755 		freq = MHZ_TO_KHZ(nla_get_u32(
10756 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10757 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10758 		freq +=
10759 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10760 
10761 	if (freq) {
10762 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
10763 		if (!connect.channel)
10764 			return -EINVAL;
10765 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10766 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10767 		freq = MHZ_TO_KHZ(freq);
10768 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
10769 		if (!connect.channel_hint)
10770 			return -EINVAL;
10771 	}
10772 
10773 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10774 		connect.edmg.channels =
10775 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10776 
10777 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10778 			connect.edmg.bw_config =
10779 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10780 	}
10781 
10782 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10783 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10784 		if (IS_ERR(connkeys))
10785 			return PTR_ERR(connkeys);
10786 	}
10787 
10788 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10789 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10790 
10791 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10792 		memcpy(&connect.ht_capa_mask,
10793 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10794 		       sizeof(connect.ht_capa_mask));
10795 
10796 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10797 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10798 			kfree_sensitive(connkeys);
10799 			return -EINVAL;
10800 		}
10801 		memcpy(&connect.ht_capa,
10802 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10803 		       sizeof(connect.ht_capa));
10804 	}
10805 
10806 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10807 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10808 
10809 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
10810 		connect.flags |= ASSOC_REQ_DISABLE_HE;
10811 
10812 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10813 		memcpy(&connect.vht_capa_mask,
10814 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10815 		       sizeof(connect.vht_capa_mask));
10816 
10817 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10818 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10819 			kfree_sensitive(connkeys);
10820 			return -EINVAL;
10821 		}
10822 		memcpy(&connect.vht_capa,
10823 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10824 		       sizeof(connect.vht_capa));
10825 	}
10826 
10827 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10828 		if (!((rdev->wiphy.features &
10829 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10830 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10831 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10832 					     NL80211_EXT_FEATURE_RRM)) {
10833 			kfree_sensitive(connkeys);
10834 			return -EINVAL;
10835 		}
10836 		connect.flags |= ASSOC_REQ_USE_RRM;
10837 	}
10838 
10839 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10840 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10841 		kfree_sensitive(connkeys);
10842 		return -EOPNOTSUPP;
10843 	}
10844 
10845 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10846 		/* bss selection makes no sense if bssid is set */
10847 		if (connect.bssid) {
10848 			kfree_sensitive(connkeys);
10849 			return -EINVAL;
10850 		}
10851 
10852 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10853 				       wiphy, &connect.bss_select);
10854 		if (err) {
10855 			kfree_sensitive(connkeys);
10856 			return err;
10857 		}
10858 	}
10859 
10860 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10861 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10862 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10863 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10864 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10865 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10866 		connect.fils_erp_username =
10867 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10868 		connect.fils_erp_username_len =
10869 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10870 		connect.fils_erp_realm =
10871 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10872 		connect.fils_erp_realm_len =
10873 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10874 		connect.fils_erp_next_seq_num =
10875 			nla_get_u16(
10876 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10877 		connect.fils_erp_rrk =
10878 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10879 		connect.fils_erp_rrk_len =
10880 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10881 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10882 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10883 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10884 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10885 		kfree_sensitive(connkeys);
10886 		return -EINVAL;
10887 	}
10888 
10889 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10890 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10891 			kfree_sensitive(connkeys);
10892 			GENL_SET_ERR_MSG(info,
10893 					 "external auth requires connection ownership");
10894 			return -EINVAL;
10895 		}
10896 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10897 	}
10898 
10899 	wdev_lock(dev->ieee80211_ptr);
10900 
10901 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10902 			       connect.prev_bssid);
10903 	if (err)
10904 		kfree_sensitive(connkeys);
10905 
10906 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10907 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10908 		if (connect.bssid)
10909 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10910 			       connect.bssid, ETH_ALEN);
10911 		else
10912 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
10913 	}
10914 
10915 	wdev_unlock(dev->ieee80211_ptr);
10916 
10917 	return err;
10918 }
10919 
10920 static int nl80211_update_connect_params(struct sk_buff *skb,
10921 					 struct genl_info *info)
10922 {
10923 	struct cfg80211_connect_params connect = {};
10924 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10925 	struct net_device *dev = info->user_ptr[1];
10926 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10927 	bool fils_sk_offload;
10928 	u32 auth_type;
10929 	u32 changed = 0;
10930 	int ret;
10931 
10932 	if (!rdev->ops->update_connect_params)
10933 		return -EOPNOTSUPP;
10934 
10935 	if (info->attrs[NL80211_ATTR_IE]) {
10936 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10937 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10938 		changed |= UPDATE_ASSOC_IES;
10939 	}
10940 
10941 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10942 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10943 
10944 	/*
10945 	 * when driver supports fils-sk offload all attributes must be
10946 	 * provided. So the else covers "fils-sk-not-all" and
10947 	 * "no-fils-sk-any".
10948 	 */
10949 	if (fils_sk_offload &&
10950 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10951 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10952 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10953 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10954 		connect.fils_erp_username =
10955 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10956 		connect.fils_erp_username_len =
10957 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10958 		connect.fils_erp_realm =
10959 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10960 		connect.fils_erp_realm_len =
10961 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10962 		connect.fils_erp_next_seq_num =
10963 			nla_get_u16(
10964 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10965 		connect.fils_erp_rrk =
10966 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10967 		connect.fils_erp_rrk_len =
10968 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10969 		changed |= UPDATE_FILS_ERP_INFO;
10970 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10971 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10972 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10973 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10974 		return -EINVAL;
10975 	}
10976 
10977 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10978 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10979 		if (!nl80211_valid_auth_type(rdev, auth_type,
10980 					     NL80211_CMD_CONNECT))
10981 			return -EINVAL;
10982 
10983 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10984 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10985 			return -EINVAL;
10986 
10987 		connect.auth_type = auth_type;
10988 		changed |= UPDATE_AUTH_TYPE;
10989 	}
10990 
10991 	wdev_lock(dev->ieee80211_ptr);
10992 	if (!wdev->current_bss)
10993 		ret = -ENOLINK;
10994 	else
10995 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10996 	wdev_unlock(dev->ieee80211_ptr);
10997 
10998 	return ret;
10999 }
11000 
11001 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
11002 {
11003 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11004 	struct net_device *dev = info->user_ptr[1];
11005 	u16 reason;
11006 	int ret;
11007 
11008 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11009 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11010 		return -EPERM;
11011 
11012 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11013 		reason = WLAN_REASON_DEAUTH_LEAVING;
11014 	else
11015 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11016 
11017 	if (reason == 0)
11018 		return -EINVAL;
11019 
11020 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11021 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11022 		return -EOPNOTSUPP;
11023 
11024 	wdev_lock(dev->ieee80211_ptr);
11025 	ret = cfg80211_disconnect(rdev, dev, reason, true);
11026 	wdev_unlock(dev->ieee80211_ptr);
11027 	return ret;
11028 }
11029 
11030 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
11031 {
11032 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11033 	struct net *net;
11034 	int err;
11035 
11036 	if (info->attrs[NL80211_ATTR_PID]) {
11037 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
11038 
11039 		net = get_net_ns_by_pid(pid);
11040 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
11041 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
11042 
11043 		net = get_net_ns_by_fd(fd);
11044 	} else {
11045 		return -EINVAL;
11046 	}
11047 
11048 	if (IS_ERR(net))
11049 		return PTR_ERR(net);
11050 
11051 	err = 0;
11052 
11053 	/* check if anything to do */
11054 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
11055 		err = cfg80211_switch_netns(rdev, net);
11056 
11057 	put_net(net);
11058 	return err;
11059 }
11060 
11061 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
11062 {
11063 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11064 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
11065 			struct cfg80211_pmksa *pmksa) = NULL;
11066 	struct net_device *dev = info->user_ptr[1];
11067 	struct cfg80211_pmksa pmksa;
11068 
11069 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
11070 
11071 	if (!info->attrs[NL80211_ATTR_PMKID])
11072 		return -EINVAL;
11073 
11074 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
11075 
11076 	if (info->attrs[NL80211_ATTR_MAC]) {
11077 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11078 	} else if (info->attrs[NL80211_ATTR_SSID] &&
11079 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
11080 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
11081 		    info->attrs[NL80211_ATTR_PMK])) {
11082 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11083 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11084 		pmksa.cache_id =
11085 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
11086 	} else {
11087 		return -EINVAL;
11088 	}
11089 	if (info->attrs[NL80211_ATTR_PMK]) {
11090 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
11091 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
11092 	}
11093 
11094 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
11095 		pmksa.pmk_lifetime =
11096 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
11097 
11098 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
11099 		pmksa.pmk_reauth_threshold =
11100 			nla_get_u8(
11101 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
11102 
11103 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11104 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
11105 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
11106 	      wiphy_ext_feature_isset(&rdev->wiphy,
11107 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
11108 		return -EOPNOTSUPP;
11109 
11110 	switch (info->genlhdr->cmd) {
11111 	case NL80211_CMD_SET_PMKSA:
11112 		rdev_ops = rdev->ops->set_pmksa;
11113 		break;
11114 	case NL80211_CMD_DEL_PMKSA:
11115 		rdev_ops = rdev->ops->del_pmksa;
11116 		break;
11117 	default:
11118 		WARN_ON(1);
11119 		break;
11120 	}
11121 
11122 	if (!rdev_ops)
11123 		return -EOPNOTSUPP;
11124 
11125 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
11126 }
11127 
11128 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
11129 {
11130 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11131 	struct net_device *dev = info->user_ptr[1];
11132 
11133 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11134 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11135 		return -EOPNOTSUPP;
11136 
11137 	if (!rdev->ops->flush_pmksa)
11138 		return -EOPNOTSUPP;
11139 
11140 	return rdev_flush_pmksa(rdev, dev);
11141 }
11142 
11143 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
11144 {
11145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11146 	struct net_device *dev = info->user_ptr[1];
11147 	u8 action_code, dialog_token;
11148 	u32 peer_capability = 0;
11149 	u16 status_code;
11150 	u8 *peer;
11151 	bool initiator;
11152 
11153 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11154 	    !rdev->ops->tdls_mgmt)
11155 		return -EOPNOTSUPP;
11156 
11157 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
11158 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
11159 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
11160 	    !info->attrs[NL80211_ATTR_IE] ||
11161 	    !info->attrs[NL80211_ATTR_MAC])
11162 		return -EINVAL;
11163 
11164 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11165 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
11166 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
11167 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
11168 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
11169 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
11170 		peer_capability =
11171 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
11172 
11173 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
11174 			      dialog_token, status_code, peer_capability,
11175 			      initiator,
11176 			      nla_data(info->attrs[NL80211_ATTR_IE]),
11177 			      nla_len(info->attrs[NL80211_ATTR_IE]));
11178 }
11179 
11180 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
11181 {
11182 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11183 	struct net_device *dev = info->user_ptr[1];
11184 	enum nl80211_tdls_operation operation;
11185 	u8 *peer;
11186 
11187 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
11188 	    !rdev->ops->tdls_oper)
11189 		return -EOPNOTSUPP;
11190 
11191 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
11192 	    !info->attrs[NL80211_ATTR_MAC])
11193 		return -EINVAL;
11194 
11195 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
11196 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
11197 
11198 	return rdev_tdls_oper(rdev, dev, peer, operation);
11199 }
11200 
11201 static int nl80211_remain_on_channel(struct sk_buff *skb,
11202 				     struct genl_info *info)
11203 {
11204 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11205 	struct wireless_dev *wdev = info->user_ptr[1];
11206 	struct cfg80211_chan_def chandef;
11207 	const struct cfg80211_chan_def *compat_chandef;
11208 	struct sk_buff *msg;
11209 	void *hdr;
11210 	u64 cookie;
11211 	u32 duration;
11212 	int err;
11213 
11214 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11215 	    !info->attrs[NL80211_ATTR_DURATION])
11216 		return -EINVAL;
11217 
11218 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11219 
11220 	if (!rdev->ops->remain_on_channel ||
11221 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
11222 		return -EOPNOTSUPP;
11223 
11224 	/*
11225 	 * We should be on that channel for at least a minimum amount of
11226 	 * time (10ms) but no longer than the driver supports.
11227 	 */
11228 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11229 	    duration > rdev->wiphy.max_remain_on_channel_duration)
11230 		return -EINVAL;
11231 
11232 	err = nl80211_parse_chandef(rdev, info, &chandef);
11233 	if (err)
11234 		return err;
11235 
11236 	wdev_lock(wdev);
11237 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
11238 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
11239 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
11240 							     &chandef);
11241 		if (compat_chandef != &chandef) {
11242 			wdev_unlock(wdev);
11243 			return -EBUSY;
11244 		}
11245 	}
11246 	wdev_unlock(wdev);
11247 
11248 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11249 	if (!msg)
11250 		return -ENOMEM;
11251 
11252 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11253 			     NL80211_CMD_REMAIN_ON_CHANNEL);
11254 	if (!hdr) {
11255 		err = -ENOBUFS;
11256 		goto free_msg;
11257 	}
11258 
11259 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
11260 				     duration, &cookie);
11261 
11262 	if (err)
11263 		goto free_msg;
11264 
11265 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11266 			      NL80211_ATTR_PAD))
11267 		goto nla_put_failure;
11268 
11269 	genlmsg_end(msg, hdr);
11270 
11271 	return genlmsg_reply(msg, info);
11272 
11273  nla_put_failure:
11274 	err = -ENOBUFS;
11275  free_msg:
11276 	nlmsg_free(msg);
11277 	return err;
11278 }
11279 
11280 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
11281 					    struct genl_info *info)
11282 {
11283 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11284 	struct wireless_dev *wdev = info->user_ptr[1];
11285 	u64 cookie;
11286 
11287 	if (!info->attrs[NL80211_ATTR_COOKIE])
11288 		return -EINVAL;
11289 
11290 	if (!rdev->ops->cancel_remain_on_channel)
11291 		return -EOPNOTSUPP;
11292 
11293 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11294 
11295 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
11296 }
11297 
11298 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
11299 				       struct genl_info *info)
11300 {
11301 	struct cfg80211_bitrate_mask mask;
11302 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11303 	struct net_device *dev = info->user_ptr[1];
11304 	int err;
11305 
11306 	if (!rdev->ops->set_bitrate_mask)
11307 		return -EOPNOTSUPP;
11308 
11309 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11310 					    NL80211_ATTR_TX_RATES, &mask,
11311 					    dev, true);
11312 	if (err)
11313 		return err;
11314 
11315 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
11316 }
11317 
11318 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
11319 {
11320 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11321 	struct wireless_dev *wdev = info->user_ptr[1];
11322 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
11323 
11324 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
11325 		return -EINVAL;
11326 
11327 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
11328 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
11329 
11330 	switch (wdev->iftype) {
11331 	case NL80211_IFTYPE_STATION:
11332 	case NL80211_IFTYPE_ADHOC:
11333 	case NL80211_IFTYPE_P2P_CLIENT:
11334 	case NL80211_IFTYPE_AP:
11335 	case NL80211_IFTYPE_AP_VLAN:
11336 	case NL80211_IFTYPE_MESH_POINT:
11337 	case NL80211_IFTYPE_P2P_GO:
11338 	case NL80211_IFTYPE_P2P_DEVICE:
11339 		break;
11340 	case NL80211_IFTYPE_NAN:
11341 	default:
11342 		return -EOPNOTSUPP;
11343 	}
11344 
11345 	/* not much point in registering if we can't reply */
11346 	if (!rdev->ops->mgmt_tx)
11347 		return -EOPNOTSUPP;
11348 
11349 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
11350 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11351 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
11352 		GENL_SET_ERR_MSG(info,
11353 				 "multicast RX registrations are not supported");
11354 		return -EOPNOTSUPP;
11355 	}
11356 
11357 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
11358 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11359 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
11360 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
11361 					   info->extack);
11362 }
11363 
11364 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
11365 {
11366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11367 	struct wireless_dev *wdev = info->user_ptr[1];
11368 	struct cfg80211_chan_def chandef;
11369 	int err;
11370 	void *hdr = NULL;
11371 	u64 cookie;
11372 	struct sk_buff *msg = NULL;
11373 	struct cfg80211_mgmt_tx_params params = {
11374 		.dont_wait_for_ack =
11375 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
11376 	};
11377 
11378 	if (!info->attrs[NL80211_ATTR_FRAME])
11379 		return -EINVAL;
11380 
11381 	if (!rdev->ops->mgmt_tx)
11382 		return -EOPNOTSUPP;
11383 
11384 	switch (wdev->iftype) {
11385 	case NL80211_IFTYPE_P2P_DEVICE:
11386 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
11387 			return -EINVAL;
11388 		break;
11389 	case NL80211_IFTYPE_STATION:
11390 	case NL80211_IFTYPE_ADHOC:
11391 	case NL80211_IFTYPE_P2P_CLIENT:
11392 	case NL80211_IFTYPE_AP:
11393 	case NL80211_IFTYPE_AP_VLAN:
11394 	case NL80211_IFTYPE_MESH_POINT:
11395 	case NL80211_IFTYPE_P2P_GO:
11396 		break;
11397 	case NL80211_IFTYPE_NAN:
11398 	default:
11399 		return -EOPNOTSUPP;
11400 	}
11401 
11402 	if (info->attrs[NL80211_ATTR_DURATION]) {
11403 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11404 			return -EINVAL;
11405 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
11406 
11407 		/*
11408 		 * We should wait on the channel for at least a minimum amount
11409 		 * of time (10ms) but no longer than the driver supports.
11410 		 */
11411 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
11412 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
11413 			return -EINVAL;
11414 	}
11415 
11416 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
11417 
11418 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
11419 		return -EINVAL;
11420 
11421 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
11422 
11423 	/* get the channel if any has been specified, otherwise pass NULL to
11424 	 * the driver. The latter will use the current one
11425 	 */
11426 	chandef.chan = NULL;
11427 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11428 		err = nl80211_parse_chandef(rdev, info, &chandef);
11429 		if (err)
11430 			return err;
11431 	}
11432 
11433 	if (!chandef.chan && params.offchan)
11434 		return -EINVAL;
11435 
11436 	wdev_lock(wdev);
11437 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
11438 		wdev_unlock(wdev);
11439 		return -EBUSY;
11440 	}
11441 	wdev_unlock(wdev);
11442 
11443 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
11444 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
11445 
11446 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
11447 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11448 		int i;
11449 
11450 		if (len % sizeof(u16))
11451 			return -EINVAL;
11452 
11453 		params.n_csa_offsets = len / sizeof(u16);
11454 		params.csa_offsets =
11455 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
11456 
11457 		/* check that all the offsets fit the frame */
11458 		for (i = 0; i < params.n_csa_offsets; i++) {
11459 			if (params.csa_offsets[i] >= params.len)
11460 				return -EINVAL;
11461 		}
11462 	}
11463 
11464 	if (!params.dont_wait_for_ack) {
11465 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11466 		if (!msg)
11467 			return -ENOMEM;
11468 
11469 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11470 				     NL80211_CMD_FRAME);
11471 		if (!hdr) {
11472 			err = -ENOBUFS;
11473 			goto free_msg;
11474 		}
11475 	}
11476 
11477 	params.chan = chandef.chan;
11478 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
11479 	if (err)
11480 		goto free_msg;
11481 
11482 	if (msg) {
11483 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
11484 				      NL80211_ATTR_PAD))
11485 			goto nla_put_failure;
11486 
11487 		genlmsg_end(msg, hdr);
11488 		return genlmsg_reply(msg, info);
11489 	}
11490 
11491 	return 0;
11492 
11493  nla_put_failure:
11494 	err = -ENOBUFS;
11495  free_msg:
11496 	nlmsg_free(msg);
11497 	return err;
11498 }
11499 
11500 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
11501 {
11502 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11503 	struct wireless_dev *wdev = info->user_ptr[1];
11504 	u64 cookie;
11505 
11506 	if (!info->attrs[NL80211_ATTR_COOKIE])
11507 		return -EINVAL;
11508 
11509 	if (!rdev->ops->mgmt_tx_cancel_wait)
11510 		return -EOPNOTSUPP;
11511 
11512 	switch (wdev->iftype) {
11513 	case NL80211_IFTYPE_STATION:
11514 	case NL80211_IFTYPE_ADHOC:
11515 	case NL80211_IFTYPE_P2P_CLIENT:
11516 	case NL80211_IFTYPE_AP:
11517 	case NL80211_IFTYPE_AP_VLAN:
11518 	case NL80211_IFTYPE_P2P_GO:
11519 	case NL80211_IFTYPE_P2P_DEVICE:
11520 		break;
11521 	case NL80211_IFTYPE_NAN:
11522 	default:
11523 		return -EOPNOTSUPP;
11524 	}
11525 
11526 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
11527 
11528 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
11529 }
11530 
11531 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
11532 {
11533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11534 	struct wireless_dev *wdev;
11535 	struct net_device *dev = info->user_ptr[1];
11536 	u8 ps_state;
11537 	bool state;
11538 	int err;
11539 
11540 	if (!info->attrs[NL80211_ATTR_PS_STATE])
11541 		return -EINVAL;
11542 
11543 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
11544 
11545 	wdev = dev->ieee80211_ptr;
11546 
11547 	if (!rdev->ops->set_power_mgmt)
11548 		return -EOPNOTSUPP;
11549 
11550 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
11551 
11552 	if (state == wdev->ps)
11553 		return 0;
11554 
11555 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
11556 	if (!err)
11557 		wdev->ps = state;
11558 	return err;
11559 }
11560 
11561 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
11562 {
11563 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11564 	enum nl80211_ps_state ps_state;
11565 	struct wireless_dev *wdev;
11566 	struct net_device *dev = info->user_ptr[1];
11567 	struct sk_buff *msg;
11568 	void *hdr;
11569 	int err;
11570 
11571 	wdev = dev->ieee80211_ptr;
11572 
11573 	if (!rdev->ops->set_power_mgmt)
11574 		return -EOPNOTSUPP;
11575 
11576 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
11577 	if (!msg)
11578 		return -ENOMEM;
11579 
11580 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11581 			     NL80211_CMD_GET_POWER_SAVE);
11582 	if (!hdr) {
11583 		err = -ENOBUFS;
11584 		goto free_msg;
11585 	}
11586 
11587 	if (wdev->ps)
11588 		ps_state = NL80211_PS_ENABLED;
11589 	else
11590 		ps_state = NL80211_PS_DISABLED;
11591 
11592 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11593 		goto nla_put_failure;
11594 
11595 	genlmsg_end(msg, hdr);
11596 	return genlmsg_reply(msg, info);
11597 
11598  nla_put_failure:
11599 	err = -ENOBUFS;
11600  free_msg:
11601 	nlmsg_free(msg);
11602 	return err;
11603 }
11604 
11605 static const struct nla_policy
11606 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11607 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11608 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11609 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11610 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11611 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11612 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11613 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11614 };
11615 
11616 static int nl80211_set_cqm_txe(struct genl_info *info,
11617 			       u32 rate, u32 pkts, u32 intvl)
11618 {
11619 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11620 	struct net_device *dev = info->user_ptr[1];
11621 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11622 
11623 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11624 		return -EINVAL;
11625 
11626 	if (!rdev->ops->set_cqm_txe_config)
11627 		return -EOPNOTSUPP;
11628 
11629 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11630 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11631 		return -EOPNOTSUPP;
11632 
11633 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11634 }
11635 
11636 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11637 				    struct net_device *dev)
11638 {
11639 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11640 	s32 last, low, high;
11641 	u32 hyst;
11642 	int i, n, low_index;
11643 	int err;
11644 
11645 	/* RSSI reporting disabled? */
11646 	if (!wdev->cqm_config)
11647 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11648 
11649 	/*
11650 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11651 	 * event has been received yet, we should receive an event after a
11652 	 * connection is established and enough beacons received to calculate
11653 	 * the average.
11654 	 */
11655 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11656 	    rdev->ops->get_station) {
11657 		struct station_info sinfo = {};
11658 		u8 *mac_addr;
11659 
11660 		mac_addr = wdev->current_bss->pub.bssid;
11661 
11662 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11663 		if (err)
11664 			return err;
11665 
11666 		cfg80211_sinfo_release_content(&sinfo);
11667 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11668 			wdev->cqm_config->last_rssi_event_value =
11669 				(s8) sinfo.rx_beacon_signal_avg;
11670 	}
11671 
11672 	last = wdev->cqm_config->last_rssi_event_value;
11673 	hyst = wdev->cqm_config->rssi_hyst;
11674 	n = wdev->cqm_config->n_rssi_thresholds;
11675 
11676 	for (i = 0; i < n; i++) {
11677 		i = array_index_nospec(i, n);
11678 		if (last < wdev->cqm_config->rssi_thresholds[i])
11679 			break;
11680 	}
11681 
11682 	low_index = i - 1;
11683 	if (low_index >= 0) {
11684 		low_index = array_index_nospec(low_index, n);
11685 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11686 	} else {
11687 		low = S32_MIN;
11688 	}
11689 	if (i < n) {
11690 		i = array_index_nospec(i, n);
11691 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11692 	} else {
11693 		high = S32_MAX;
11694 	}
11695 
11696 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11697 }
11698 
11699 static int nl80211_set_cqm_rssi(struct genl_info *info,
11700 				const s32 *thresholds, int n_thresholds,
11701 				u32 hysteresis)
11702 {
11703 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11704 	struct net_device *dev = info->user_ptr[1];
11705 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11706 	int i, err;
11707 	s32 prev = S32_MIN;
11708 
11709 	/* Check all values negative and sorted */
11710 	for (i = 0; i < n_thresholds; i++) {
11711 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11712 			return -EINVAL;
11713 
11714 		prev = thresholds[i];
11715 	}
11716 
11717 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11718 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11719 		return -EOPNOTSUPP;
11720 
11721 	wdev_lock(wdev);
11722 	cfg80211_cqm_config_free(wdev);
11723 	wdev_unlock(wdev);
11724 
11725 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11726 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11727 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11728 
11729 		return rdev_set_cqm_rssi_config(rdev, dev,
11730 						thresholds[0], hysteresis);
11731 	}
11732 
11733 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11734 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11735 		return -EOPNOTSUPP;
11736 
11737 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11738 		n_thresholds = 0;
11739 
11740 	wdev_lock(wdev);
11741 	if (n_thresholds) {
11742 		struct cfg80211_cqm_config *cqm_config;
11743 
11744 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11745 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11746 		if (!cqm_config) {
11747 			err = -ENOMEM;
11748 			goto unlock;
11749 		}
11750 
11751 		cqm_config->rssi_hyst = hysteresis;
11752 		cqm_config->n_rssi_thresholds = n_thresholds;
11753 		memcpy(cqm_config->rssi_thresholds, thresholds,
11754 		       n_thresholds * sizeof(s32));
11755 
11756 		wdev->cqm_config = cqm_config;
11757 	}
11758 
11759 	err = cfg80211_cqm_rssi_update(rdev, dev);
11760 
11761 unlock:
11762 	wdev_unlock(wdev);
11763 
11764 	return err;
11765 }
11766 
11767 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11768 {
11769 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11770 	struct nlattr *cqm;
11771 	int err;
11772 
11773 	cqm = info->attrs[NL80211_ATTR_CQM];
11774 	if (!cqm)
11775 		return -EINVAL;
11776 
11777 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11778 					  nl80211_attr_cqm_policy,
11779 					  info->extack);
11780 	if (err)
11781 		return err;
11782 
11783 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11784 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11785 		const s32 *thresholds =
11786 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11787 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11788 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11789 
11790 		if (len % 4)
11791 			return -EINVAL;
11792 
11793 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11794 					    hysteresis);
11795 	}
11796 
11797 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11798 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11799 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11800 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11801 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11802 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11803 
11804 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11805 	}
11806 
11807 	return -EINVAL;
11808 }
11809 
11810 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11811 {
11812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11813 	struct net_device *dev = info->user_ptr[1];
11814 	struct ocb_setup setup = {};
11815 	int err;
11816 
11817 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11818 	if (err)
11819 		return err;
11820 
11821 	return cfg80211_join_ocb(rdev, dev, &setup);
11822 }
11823 
11824 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11825 {
11826 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11827 	struct net_device *dev = info->user_ptr[1];
11828 
11829 	return cfg80211_leave_ocb(rdev, dev);
11830 }
11831 
11832 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11833 {
11834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11835 	struct net_device *dev = info->user_ptr[1];
11836 	struct mesh_config cfg;
11837 	struct mesh_setup setup;
11838 	int err;
11839 
11840 	/* start with default */
11841 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11842 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11843 
11844 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11845 		/* and parse parameters if given */
11846 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11847 		if (err)
11848 			return err;
11849 	}
11850 
11851 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11852 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11853 		return -EINVAL;
11854 
11855 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11856 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11857 
11858 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11859 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11860 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11861 			return -EINVAL;
11862 
11863 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11864 		setup.beacon_interval =
11865 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11866 
11867 		err = cfg80211_validate_beacon_int(rdev,
11868 						   NL80211_IFTYPE_MESH_POINT,
11869 						   setup.beacon_interval);
11870 		if (err)
11871 			return err;
11872 	}
11873 
11874 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11875 		setup.dtim_period =
11876 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11877 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11878 			return -EINVAL;
11879 	}
11880 
11881 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11882 		/* parse additional setup parameters if given */
11883 		err = nl80211_parse_mesh_setup(info, &setup);
11884 		if (err)
11885 			return err;
11886 	}
11887 
11888 	if (setup.user_mpm)
11889 		cfg.auto_open_plinks = false;
11890 
11891 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11892 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11893 		if (err)
11894 			return err;
11895 	} else {
11896 		/* __cfg80211_join_mesh() will sort it out */
11897 		setup.chandef.chan = NULL;
11898 	}
11899 
11900 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11901 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11902 		int n_rates =
11903 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11904 		struct ieee80211_supported_band *sband;
11905 
11906 		if (!setup.chandef.chan)
11907 			return -EINVAL;
11908 
11909 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11910 
11911 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11912 					     &setup.basic_rates);
11913 		if (err)
11914 			return err;
11915 	}
11916 
11917 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11918 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
11919 						    NL80211_ATTR_TX_RATES,
11920 						    &setup.beacon_rate,
11921 						    dev, false);
11922 		if (err)
11923 			return err;
11924 
11925 		if (!setup.chandef.chan)
11926 			return -EINVAL;
11927 
11928 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11929 					      &setup.beacon_rate);
11930 		if (err)
11931 			return err;
11932 	}
11933 
11934 	setup.userspace_handles_dfs =
11935 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11936 
11937 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11938 		int r = validate_pae_over_nl80211(rdev, info);
11939 
11940 		if (r < 0)
11941 			return r;
11942 
11943 		setup.control_port_over_nl80211 = true;
11944 	}
11945 
11946 	wdev_lock(dev->ieee80211_ptr);
11947 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11948 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11949 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11950 	wdev_unlock(dev->ieee80211_ptr);
11951 
11952 	return err;
11953 }
11954 
11955 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11956 {
11957 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11958 	struct net_device *dev = info->user_ptr[1];
11959 
11960 	return cfg80211_leave_mesh(rdev, dev);
11961 }
11962 
11963 #ifdef CONFIG_PM
11964 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11965 					struct cfg80211_registered_device *rdev)
11966 {
11967 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11968 	struct nlattr *nl_pats, *nl_pat;
11969 	int i, pat_len;
11970 
11971 	if (!wowlan->n_patterns)
11972 		return 0;
11973 
11974 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11975 	if (!nl_pats)
11976 		return -ENOBUFS;
11977 
11978 	for (i = 0; i < wowlan->n_patterns; i++) {
11979 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11980 		if (!nl_pat)
11981 			return -ENOBUFS;
11982 		pat_len = wowlan->patterns[i].pattern_len;
11983 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11984 			    wowlan->patterns[i].mask) ||
11985 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11986 			    wowlan->patterns[i].pattern) ||
11987 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11988 				wowlan->patterns[i].pkt_offset))
11989 			return -ENOBUFS;
11990 		nla_nest_end(msg, nl_pat);
11991 	}
11992 	nla_nest_end(msg, nl_pats);
11993 
11994 	return 0;
11995 }
11996 
11997 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11998 				   struct cfg80211_wowlan_tcp *tcp)
11999 {
12000 	struct nlattr *nl_tcp;
12001 
12002 	if (!tcp)
12003 		return 0;
12004 
12005 	nl_tcp = nla_nest_start_noflag(msg,
12006 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
12007 	if (!nl_tcp)
12008 		return -ENOBUFS;
12009 
12010 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
12011 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
12012 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
12013 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
12014 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
12015 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
12016 		    tcp->payload_len, tcp->payload) ||
12017 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
12018 			tcp->data_interval) ||
12019 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
12020 		    tcp->wake_len, tcp->wake_data) ||
12021 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
12022 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
12023 		return -ENOBUFS;
12024 
12025 	if (tcp->payload_seq.len &&
12026 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
12027 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
12028 		return -ENOBUFS;
12029 
12030 	if (tcp->payload_tok.len &&
12031 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
12032 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
12033 		    &tcp->payload_tok))
12034 		return -ENOBUFS;
12035 
12036 	nla_nest_end(msg, nl_tcp);
12037 
12038 	return 0;
12039 }
12040 
12041 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
12042 				  struct cfg80211_sched_scan_request *req)
12043 {
12044 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
12045 	int i;
12046 
12047 	if (!req)
12048 		return 0;
12049 
12050 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
12051 	if (!nd)
12052 		return -ENOBUFS;
12053 
12054 	if (req->n_scan_plans == 1 &&
12055 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
12056 			req->scan_plans[0].interval * 1000))
12057 		return -ENOBUFS;
12058 
12059 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
12060 		return -ENOBUFS;
12061 
12062 	if (req->relative_rssi_set) {
12063 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
12064 
12065 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
12066 			       req->relative_rssi))
12067 			return -ENOBUFS;
12068 
12069 		rssi_adjust.band = req->rssi_adjust.band;
12070 		rssi_adjust.delta = req->rssi_adjust.delta;
12071 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
12072 			    sizeof(rssi_adjust), &rssi_adjust))
12073 			return -ENOBUFS;
12074 	}
12075 
12076 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
12077 	if (!freqs)
12078 		return -ENOBUFS;
12079 
12080 	for (i = 0; i < req->n_channels; i++) {
12081 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
12082 			return -ENOBUFS;
12083 	}
12084 
12085 	nla_nest_end(msg, freqs);
12086 
12087 	if (req->n_match_sets) {
12088 		matches = nla_nest_start_noflag(msg,
12089 						NL80211_ATTR_SCHED_SCAN_MATCH);
12090 		if (!matches)
12091 			return -ENOBUFS;
12092 
12093 		for (i = 0; i < req->n_match_sets; i++) {
12094 			match = nla_nest_start_noflag(msg, i);
12095 			if (!match)
12096 				return -ENOBUFS;
12097 
12098 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
12099 				    req->match_sets[i].ssid.ssid_len,
12100 				    req->match_sets[i].ssid.ssid))
12101 				return -ENOBUFS;
12102 			nla_nest_end(msg, match);
12103 		}
12104 		nla_nest_end(msg, matches);
12105 	}
12106 
12107 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
12108 	if (!scan_plans)
12109 		return -ENOBUFS;
12110 
12111 	for (i = 0; i < req->n_scan_plans; i++) {
12112 		scan_plan = nla_nest_start_noflag(msg, i + 1);
12113 		if (!scan_plan)
12114 			return -ENOBUFS;
12115 
12116 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
12117 				req->scan_plans[i].interval) ||
12118 		    (req->scan_plans[i].iterations &&
12119 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
12120 				 req->scan_plans[i].iterations)))
12121 			return -ENOBUFS;
12122 		nla_nest_end(msg, scan_plan);
12123 	}
12124 	nla_nest_end(msg, scan_plans);
12125 
12126 	nla_nest_end(msg, nd);
12127 
12128 	return 0;
12129 }
12130 
12131 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
12132 {
12133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12134 	struct sk_buff *msg;
12135 	void *hdr;
12136 	u32 size = NLMSG_DEFAULT_SIZE;
12137 
12138 	if (!rdev->wiphy.wowlan)
12139 		return -EOPNOTSUPP;
12140 
12141 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
12142 		/* adjust size to have room for all the data */
12143 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
12144 			rdev->wiphy.wowlan_config->tcp->payload_len +
12145 			rdev->wiphy.wowlan_config->tcp->wake_len +
12146 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
12147 	}
12148 
12149 	msg = nlmsg_new(size, GFP_KERNEL);
12150 	if (!msg)
12151 		return -ENOMEM;
12152 
12153 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12154 			     NL80211_CMD_GET_WOWLAN);
12155 	if (!hdr)
12156 		goto nla_put_failure;
12157 
12158 	if (rdev->wiphy.wowlan_config) {
12159 		struct nlattr *nl_wowlan;
12160 
12161 		nl_wowlan = nla_nest_start_noflag(msg,
12162 						  NL80211_ATTR_WOWLAN_TRIGGERS);
12163 		if (!nl_wowlan)
12164 			goto nla_put_failure;
12165 
12166 		if ((rdev->wiphy.wowlan_config->any &&
12167 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
12168 		    (rdev->wiphy.wowlan_config->disconnect &&
12169 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
12170 		    (rdev->wiphy.wowlan_config->magic_pkt &&
12171 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
12172 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
12173 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
12174 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
12175 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
12176 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
12177 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
12178 		    (rdev->wiphy.wowlan_config->rfkill_release &&
12179 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
12180 			goto nla_put_failure;
12181 
12182 		if (nl80211_send_wowlan_patterns(msg, rdev))
12183 			goto nla_put_failure;
12184 
12185 		if (nl80211_send_wowlan_tcp(msg,
12186 					    rdev->wiphy.wowlan_config->tcp))
12187 			goto nla_put_failure;
12188 
12189 		if (nl80211_send_wowlan_nd(
12190 			    msg,
12191 			    rdev->wiphy.wowlan_config->nd_config))
12192 			goto nla_put_failure;
12193 
12194 		nla_nest_end(msg, nl_wowlan);
12195 	}
12196 
12197 	genlmsg_end(msg, hdr);
12198 	return genlmsg_reply(msg, info);
12199 
12200 nla_put_failure:
12201 	nlmsg_free(msg);
12202 	return -ENOBUFS;
12203 }
12204 
12205 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
12206 				    struct nlattr *attr,
12207 				    struct cfg80211_wowlan *trig)
12208 {
12209 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
12210 	struct cfg80211_wowlan_tcp *cfg;
12211 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
12212 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
12213 	u32 size;
12214 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
12215 	int err, port;
12216 
12217 	if (!rdev->wiphy.wowlan->tcp)
12218 		return -EINVAL;
12219 
12220 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
12221 					  nl80211_wowlan_tcp_policy, NULL);
12222 	if (err)
12223 		return err;
12224 
12225 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
12226 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
12227 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
12228 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
12229 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
12230 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
12231 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
12232 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
12233 		return -EINVAL;
12234 
12235 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
12236 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
12237 		return -EINVAL;
12238 
12239 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
12240 			rdev->wiphy.wowlan->tcp->data_interval_max ||
12241 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
12242 		return -EINVAL;
12243 
12244 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
12245 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
12246 		return -EINVAL;
12247 
12248 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
12249 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
12250 		return -EINVAL;
12251 
12252 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
12253 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12254 
12255 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
12256 		tokens_size = tokln - sizeof(*tok);
12257 
12258 		if (!tok->len || tokens_size % tok->len)
12259 			return -EINVAL;
12260 		if (!rdev->wiphy.wowlan->tcp->tok)
12261 			return -EINVAL;
12262 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
12263 			return -EINVAL;
12264 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
12265 			return -EINVAL;
12266 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
12267 			return -EINVAL;
12268 		if (tok->offset + tok->len > data_size)
12269 			return -EINVAL;
12270 	}
12271 
12272 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
12273 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
12274 		if (!rdev->wiphy.wowlan->tcp->seq)
12275 			return -EINVAL;
12276 		if (seq->len == 0 || seq->len > 4)
12277 			return -EINVAL;
12278 		if (seq->len + seq->offset > data_size)
12279 			return -EINVAL;
12280 	}
12281 
12282 	size = sizeof(*cfg);
12283 	size += data_size;
12284 	size += wake_size + wake_mask_size;
12285 	size += tokens_size;
12286 
12287 	cfg = kzalloc(size, GFP_KERNEL);
12288 	if (!cfg)
12289 		return -ENOMEM;
12290 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
12291 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
12292 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
12293 	       ETH_ALEN);
12294 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
12295 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
12296 	else
12297 		port = 0;
12298 #ifdef CONFIG_INET
12299 	/* allocate a socket and port for it and use it */
12300 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
12301 			    IPPROTO_TCP, &cfg->sock, 1);
12302 	if (err) {
12303 		kfree(cfg);
12304 		return err;
12305 	}
12306 	if (inet_csk_get_port(cfg->sock->sk, port)) {
12307 		sock_release(cfg->sock);
12308 		kfree(cfg);
12309 		return -EADDRINUSE;
12310 	}
12311 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
12312 #else
12313 	if (!port) {
12314 		kfree(cfg);
12315 		return -EINVAL;
12316 	}
12317 	cfg->src_port = port;
12318 #endif
12319 
12320 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
12321 	cfg->payload_len = data_size;
12322 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
12323 	memcpy((void *)cfg->payload,
12324 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
12325 	       data_size);
12326 	if (seq)
12327 		cfg->payload_seq = *seq;
12328 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
12329 	cfg->wake_len = wake_size;
12330 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
12331 	memcpy((void *)cfg->wake_data,
12332 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
12333 	       wake_size);
12334 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
12335 			 data_size + wake_size;
12336 	memcpy((void *)cfg->wake_mask,
12337 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
12338 	       wake_mask_size);
12339 	if (tok) {
12340 		cfg->tokens_size = tokens_size;
12341 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
12342 	}
12343 
12344 	trig->tcp = cfg;
12345 
12346 	return 0;
12347 }
12348 
12349 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
12350 				   const struct wiphy_wowlan_support *wowlan,
12351 				   struct nlattr *attr,
12352 				   struct cfg80211_wowlan *trig)
12353 {
12354 	struct nlattr **tb;
12355 	int err;
12356 
12357 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
12358 	if (!tb)
12359 		return -ENOMEM;
12360 
12361 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
12362 		err = -EOPNOTSUPP;
12363 		goto out;
12364 	}
12365 
12366 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
12367 					  nl80211_policy, NULL);
12368 	if (err)
12369 		goto out;
12370 
12371 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
12372 						   wowlan->max_nd_match_sets);
12373 	err = PTR_ERR_OR_ZERO(trig->nd_config);
12374 	if (err)
12375 		trig->nd_config = NULL;
12376 
12377 out:
12378 	kfree(tb);
12379 	return err;
12380 }
12381 
12382 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
12383 {
12384 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12385 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
12386 	struct cfg80211_wowlan new_triggers = {};
12387 	struct cfg80211_wowlan *ntrig;
12388 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
12389 	int err, i;
12390 	bool prev_enabled = rdev->wiphy.wowlan_config;
12391 	bool regular = false;
12392 
12393 	if (!wowlan)
12394 		return -EOPNOTSUPP;
12395 
12396 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
12397 		cfg80211_rdev_free_wowlan(rdev);
12398 		rdev->wiphy.wowlan_config = NULL;
12399 		goto set_wakeup;
12400 	}
12401 
12402 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
12403 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
12404 					  nl80211_wowlan_policy, info->extack);
12405 	if (err)
12406 		return err;
12407 
12408 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
12409 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
12410 			return -EINVAL;
12411 		new_triggers.any = true;
12412 	}
12413 
12414 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
12415 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
12416 			return -EINVAL;
12417 		new_triggers.disconnect = true;
12418 		regular = true;
12419 	}
12420 
12421 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
12422 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
12423 			return -EINVAL;
12424 		new_triggers.magic_pkt = true;
12425 		regular = true;
12426 	}
12427 
12428 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
12429 		return -EINVAL;
12430 
12431 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
12432 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
12433 			return -EINVAL;
12434 		new_triggers.gtk_rekey_failure = true;
12435 		regular = true;
12436 	}
12437 
12438 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
12439 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
12440 			return -EINVAL;
12441 		new_triggers.eap_identity_req = true;
12442 		regular = true;
12443 	}
12444 
12445 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
12446 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
12447 			return -EINVAL;
12448 		new_triggers.four_way_handshake = true;
12449 		regular = true;
12450 	}
12451 
12452 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
12453 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
12454 			return -EINVAL;
12455 		new_triggers.rfkill_release = true;
12456 		regular = true;
12457 	}
12458 
12459 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
12460 		struct nlattr *pat;
12461 		int n_patterns = 0;
12462 		int rem, pat_len, mask_len, pkt_offset;
12463 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12464 
12465 		regular = true;
12466 
12467 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12468 				    rem)
12469 			n_patterns++;
12470 		if (n_patterns > wowlan->n_patterns)
12471 			return -EINVAL;
12472 
12473 		new_triggers.patterns = kcalloc(n_patterns,
12474 						sizeof(new_triggers.patterns[0]),
12475 						GFP_KERNEL);
12476 		if (!new_triggers.patterns)
12477 			return -ENOMEM;
12478 
12479 		new_triggers.n_patterns = n_patterns;
12480 		i = 0;
12481 
12482 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
12483 				    rem) {
12484 			u8 *mask_pat;
12485 
12486 			err = nla_parse_nested_deprecated(pat_tb,
12487 							  MAX_NL80211_PKTPAT,
12488 							  pat,
12489 							  nl80211_packet_pattern_policy,
12490 							  info->extack);
12491 			if (err)
12492 				goto error;
12493 
12494 			err = -EINVAL;
12495 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
12496 			    !pat_tb[NL80211_PKTPAT_PATTERN])
12497 				goto error;
12498 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12499 			mask_len = DIV_ROUND_UP(pat_len, 8);
12500 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12501 				goto error;
12502 			if (pat_len > wowlan->pattern_max_len ||
12503 			    pat_len < wowlan->pattern_min_len)
12504 				goto error;
12505 
12506 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
12507 				pkt_offset = 0;
12508 			else
12509 				pkt_offset = nla_get_u32(
12510 					pat_tb[NL80211_PKTPAT_OFFSET]);
12511 			if (pkt_offset > wowlan->max_pkt_offset)
12512 				goto error;
12513 			new_triggers.patterns[i].pkt_offset = pkt_offset;
12514 
12515 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12516 			if (!mask_pat) {
12517 				err = -ENOMEM;
12518 				goto error;
12519 			}
12520 			new_triggers.patterns[i].mask = mask_pat;
12521 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12522 			       mask_len);
12523 			mask_pat += mask_len;
12524 			new_triggers.patterns[i].pattern = mask_pat;
12525 			new_triggers.patterns[i].pattern_len = pat_len;
12526 			memcpy(mask_pat,
12527 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12528 			       pat_len);
12529 			i++;
12530 		}
12531 	}
12532 
12533 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
12534 		regular = true;
12535 		err = nl80211_parse_wowlan_tcp(
12536 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
12537 			&new_triggers);
12538 		if (err)
12539 			goto error;
12540 	}
12541 
12542 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
12543 		regular = true;
12544 		err = nl80211_parse_wowlan_nd(
12545 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
12546 			&new_triggers);
12547 		if (err)
12548 			goto error;
12549 	}
12550 
12551 	/* The 'any' trigger means the device continues operating more or less
12552 	 * as in its normal operation mode and wakes up the host on most of the
12553 	 * normal interrupts (like packet RX, ...)
12554 	 * It therefore makes little sense to combine with the more constrained
12555 	 * wakeup trigger modes.
12556 	 */
12557 	if (new_triggers.any && regular) {
12558 		err = -EINVAL;
12559 		goto error;
12560 	}
12561 
12562 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
12563 	if (!ntrig) {
12564 		err = -ENOMEM;
12565 		goto error;
12566 	}
12567 	cfg80211_rdev_free_wowlan(rdev);
12568 	rdev->wiphy.wowlan_config = ntrig;
12569 
12570  set_wakeup:
12571 	if (rdev->ops->set_wakeup &&
12572 	    prev_enabled != !!rdev->wiphy.wowlan_config)
12573 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
12574 
12575 	return 0;
12576  error:
12577 	for (i = 0; i < new_triggers.n_patterns; i++)
12578 		kfree(new_triggers.patterns[i].mask);
12579 	kfree(new_triggers.patterns);
12580 	if (new_triggers.tcp && new_triggers.tcp->sock)
12581 		sock_release(new_triggers.tcp->sock);
12582 	kfree(new_triggers.tcp);
12583 	kfree(new_triggers.nd_config);
12584 	return err;
12585 }
12586 #endif
12587 
12588 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12589 				       struct cfg80211_registered_device *rdev)
12590 {
12591 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12592 	int i, j, pat_len;
12593 	struct cfg80211_coalesce_rules *rule;
12594 
12595 	if (!rdev->coalesce->n_rules)
12596 		return 0;
12597 
12598 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12599 	if (!nl_rules)
12600 		return -ENOBUFS;
12601 
12602 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12603 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12604 		if (!nl_rule)
12605 			return -ENOBUFS;
12606 
12607 		rule = &rdev->coalesce->rules[i];
12608 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12609 				rule->delay))
12610 			return -ENOBUFS;
12611 
12612 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12613 				rule->condition))
12614 			return -ENOBUFS;
12615 
12616 		nl_pats = nla_nest_start_noflag(msg,
12617 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12618 		if (!nl_pats)
12619 			return -ENOBUFS;
12620 
12621 		for (j = 0; j < rule->n_patterns; j++) {
12622 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12623 			if (!nl_pat)
12624 				return -ENOBUFS;
12625 			pat_len = rule->patterns[j].pattern_len;
12626 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12627 				    DIV_ROUND_UP(pat_len, 8),
12628 				    rule->patterns[j].mask) ||
12629 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12630 				    rule->patterns[j].pattern) ||
12631 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12632 					rule->patterns[j].pkt_offset))
12633 				return -ENOBUFS;
12634 			nla_nest_end(msg, nl_pat);
12635 		}
12636 		nla_nest_end(msg, nl_pats);
12637 		nla_nest_end(msg, nl_rule);
12638 	}
12639 	nla_nest_end(msg, nl_rules);
12640 
12641 	return 0;
12642 }
12643 
12644 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12645 {
12646 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12647 	struct sk_buff *msg;
12648 	void *hdr;
12649 
12650 	if (!rdev->wiphy.coalesce)
12651 		return -EOPNOTSUPP;
12652 
12653 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12654 	if (!msg)
12655 		return -ENOMEM;
12656 
12657 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12658 			     NL80211_CMD_GET_COALESCE);
12659 	if (!hdr)
12660 		goto nla_put_failure;
12661 
12662 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12663 		goto nla_put_failure;
12664 
12665 	genlmsg_end(msg, hdr);
12666 	return genlmsg_reply(msg, info);
12667 
12668 nla_put_failure:
12669 	nlmsg_free(msg);
12670 	return -ENOBUFS;
12671 }
12672 
12673 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12674 {
12675 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12676 	int i, j;
12677 	struct cfg80211_coalesce_rules *rule;
12678 
12679 	if (!coalesce)
12680 		return;
12681 
12682 	for (i = 0; i < coalesce->n_rules; i++) {
12683 		rule = &coalesce->rules[i];
12684 		for (j = 0; j < rule->n_patterns; j++)
12685 			kfree(rule->patterns[j].mask);
12686 		kfree(rule->patterns);
12687 	}
12688 	kfree(coalesce->rules);
12689 	kfree(coalesce);
12690 	rdev->coalesce = NULL;
12691 }
12692 
12693 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12694 				       struct nlattr *rule,
12695 				       struct cfg80211_coalesce_rules *new_rule)
12696 {
12697 	int err, i;
12698 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12699 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12700 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12701 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12702 
12703 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12704 					  rule, nl80211_coalesce_policy, NULL);
12705 	if (err)
12706 		return err;
12707 
12708 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12709 		new_rule->delay =
12710 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12711 	if (new_rule->delay > coalesce->max_delay)
12712 		return -EINVAL;
12713 
12714 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12715 		new_rule->condition =
12716 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12717 
12718 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12719 		return -EINVAL;
12720 
12721 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12722 			    rem)
12723 		n_patterns++;
12724 	if (n_patterns > coalesce->n_patterns)
12725 		return -EINVAL;
12726 
12727 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12728 				     GFP_KERNEL);
12729 	if (!new_rule->patterns)
12730 		return -ENOMEM;
12731 
12732 	new_rule->n_patterns = n_patterns;
12733 	i = 0;
12734 
12735 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12736 			    rem) {
12737 		u8 *mask_pat;
12738 
12739 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12740 						  pat,
12741 						  nl80211_packet_pattern_policy,
12742 						  NULL);
12743 		if (err)
12744 			return err;
12745 
12746 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12747 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12748 			return -EINVAL;
12749 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12750 		mask_len = DIV_ROUND_UP(pat_len, 8);
12751 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12752 			return -EINVAL;
12753 		if (pat_len > coalesce->pattern_max_len ||
12754 		    pat_len < coalesce->pattern_min_len)
12755 			return -EINVAL;
12756 
12757 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12758 			pkt_offset = 0;
12759 		else
12760 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12761 		if (pkt_offset > coalesce->max_pkt_offset)
12762 			return -EINVAL;
12763 		new_rule->patterns[i].pkt_offset = pkt_offset;
12764 
12765 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12766 		if (!mask_pat)
12767 			return -ENOMEM;
12768 
12769 		new_rule->patterns[i].mask = mask_pat;
12770 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12771 		       mask_len);
12772 
12773 		mask_pat += mask_len;
12774 		new_rule->patterns[i].pattern = mask_pat;
12775 		new_rule->patterns[i].pattern_len = pat_len;
12776 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12777 		       pat_len);
12778 		i++;
12779 	}
12780 
12781 	return 0;
12782 }
12783 
12784 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12785 {
12786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12787 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12788 	struct cfg80211_coalesce new_coalesce = {};
12789 	struct cfg80211_coalesce *n_coalesce;
12790 	int err, rem_rule, n_rules = 0, i, j;
12791 	struct nlattr *rule;
12792 	struct cfg80211_coalesce_rules *tmp_rule;
12793 
12794 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12795 		return -EOPNOTSUPP;
12796 
12797 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12798 		cfg80211_rdev_free_coalesce(rdev);
12799 		rdev_set_coalesce(rdev, NULL);
12800 		return 0;
12801 	}
12802 
12803 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12804 			    rem_rule)
12805 		n_rules++;
12806 	if (n_rules > coalesce->n_rules)
12807 		return -EINVAL;
12808 
12809 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12810 				     GFP_KERNEL);
12811 	if (!new_coalesce.rules)
12812 		return -ENOMEM;
12813 
12814 	new_coalesce.n_rules = n_rules;
12815 	i = 0;
12816 
12817 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12818 			    rem_rule) {
12819 		err = nl80211_parse_coalesce_rule(rdev, rule,
12820 						  &new_coalesce.rules[i]);
12821 		if (err)
12822 			goto error;
12823 
12824 		i++;
12825 	}
12826 
12827 	err = rdev_set_coalesce(rdev, &new_coalesce);
12828 	if (err)
12829 		goto error;
12830 
12831 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12832 	if (!n_coalesce) {
12833 		err = -ENOMEM;
12834 		goto error;
12835 	}
12836 	cfg80211_rdev_free_coalesce(rdev);
12837 	rdev->coalesce = n_coalesce;
12838 
12839 	return 0;
12840 error:
12841 	for (i = 0; i < new_coalesce.n_rules; i++) {
12842 		tmp_rule = &new_coalesce.rules[i];
12843 		for (j = 0; j < tmp_rule->n_patterns; j++)
12844 			kfree(tmp_rule->patterns[j].mask);
12845 		kfree(tmp_rule->patterns);
12846 	}
12847 	kfree(new_coalesce.rules);
12848 
12849 	return err;
12850 }
12851 
12852 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12853 {
12854 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12855 	struct net_device *dev = info->user_ptr[1];
12856 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12857 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12858 	struct cfg80211_gtk_rekey_data rekey_data = {};
12859 	int err;
12860 
12861 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12862 		return -EINVAL;
12863 
12864 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12865 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12866 					  nl80211_rekey_policy, info->extack);
12867 	if (err)
12868 		return err;
12869 
12870 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12871 	    !tb[NL80211_REKEY_DATA_KCK])
12872 		return -EINVAL;
12873 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
12874 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12875 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
12876 		return -ERANGE;
12877 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
12878 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
12879 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KCK_EXT_LEN))
12880 		return -ERANGE;
12881 
12882 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12883 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12884 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12885 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
12886 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
12887 	if (tb[NL80211_REKEY_DATA_AKM])
12888 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
12889 
12890 	wdev_lock(wdev);
12891 	if (!wdev->current_bss) {
12892 		err = -ENOTCONN;
12893 		goto out;
12894 	}
12895 
12896 	if (!rdev->ops->set_rekey_data) {
12897 		err = -EOPNOTSUPP;
12898 		goto out;
12899 	}
12900 
12901 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12902  out:
12903 	wdev_unlock(wdev);
12904 	return err;
12905 }
12906 
12907 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12908 					     struct genl_info *info)
12909 {
12910 	struct net_device *dev = info->user_ptr[1];
12911 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12912 
12913 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12914 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12915 		return -EINVAL;
12916 
12917 	if (wdev->ap_unexpected_nlportid)
12918 		return -EBUSY;
12919 
12920 	wdev->ap_unexpected_nlportid = info->snd_portid;
12921 	return 0;
12922 }
12923 
12924 static int nl80211_probe_client(struct sk_buff *skb,
12925 				struct genl_info *info)
12926 {
12927 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12928 	struct net_device *dev = info->user_ptr[1];
12929 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12930 	struct sk_buff *msg;
12931 	void *hdr;
12932 	const u8 *addr;
12933 	u64 cookie;
12934 	int err;
12935 
12936 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12937 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12938 		return -EOPNOTSUPP;
12939 
12940 	if (!info->attrs[NL80211_ATTR_MAC])
12941 		return -EINVAL;
12942 
12943 	if (!rdev->ops->probe_client)
12944 		return -EOPNOTSUPP;
12945 
12946 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12947 	if (!msg)
12948 		return -ENOMEM;
12949 
12950 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12951 			     NL80211_CMD_PROBE_CLIENT);
12952 	if (!hdr) {
12953 		err = -ENOBUFS;
12954 		goto free_msg;
12955 	}
12956 
12957 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12958 
12959 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12960 	if (err)
12961 		goto free_msg;
12962 
12963 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12964 			      NL80211_ATTR_PAD))
12965 		goto nla_put_failure;
12966 
12967 	genlmsg_end(msg, hdr);
12968 
12969 	return genlmsg_reply(msg, info);
12970 
12971  nla_put_failure:
12972 	err = -ENOBUFS;
12973  free_msg:
12974 	nlmsg_free(msg);
12975 	return err;
12976 }
12977 
12978 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12979 {
12980 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12981 	struct cfg80211_beacon_registration *reg, *nreg;
12982 	int rv;
12983 
12984 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12985 		return -EOPNOTSUPP;
12986 
12987 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12988 	if (!nreg)
12989 		return -ENOMEM;
12990 
12991 	/* First, check if already registered. */
12992 	spin_lock_bh(&rdev->beacon_registrations_lock);
12993 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12994 		if (reg->nlportid == info->snd_portid) {
12995 			rv = -EALREADY;
12996 			goto out_err;
12997 		}
12998 	}
12999 	/* Add it to the list */
13000 	nreg->nlportid = info->snd_portid;
13001 	list_add(&nreg->list, &rdev->beacon_registrations);
13002 
13003 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13004 
13005 	return 0;
13006 out_err:
13007 	spin_unlock_bh(&rdev->beacon_registrations_lock);
13008 	kfree(nreg);
13009 	return rv;
13010 }
13011 
13012 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
13013 {
13014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13015 	struct wireless_dev *wdev = info->user_ptr[1];
13016 	int err;
13017 
13018 	if (!rdev->ops->start_p2p_device)
13019 		return -EOPNOTSUPP;
13020 
13021 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13022 		return -EOPNOTSUPP;
13023 
13024 	if (wdev_running(wdev))
13025 		return 0;
13026 
13027 	if (rfkill_blocked(rdev->rfkill))
13028 		return -ERFKILL;
13029 
13030 	err = rdev_start_p2p_device(rdev, wdev);
13031 	if (err)
13032 		return err;
13033 
13034 	wdev->is_running = true;
13035 	rdev->opencount++;
13036 
13037 	return 0;
13038 }
13039 
13040 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
13041 {
13042 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13043 	struct wireless_dev *wdev = info->user_ptr[1];
13044 
13045 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
13046 		return -EOPNOTSUPP;
13047 
13048 	if (!rdev->ops->stop_p2p_device)
13049 		return -EOPNOTSUPP;
13050 
13051 	cfg80211_stop_p2p_device(rdev, wdev);
13052 
13053 	return 0;
13054 }
13055 
13056 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
13057 {
13058 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13059 	struct wireless_dev *wdev = info->user_ptr[1];
13060 	struct cfg80211_nan_conf conf = {};
13061 	int err;
13062 
13063 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13064 		return -EOPNOTSUPP;
13065 
13066 	if (wdev_running(wdev))
13067 		return -EEXIST;
13068 
13069 	if (rfkill_blocked(rdev->rfkill))
13070 		return -ERFKILL;
13071 
13072 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
13073 		return -EINVAL;
13074 
13075 	conf.master_pref =
13076 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13077 
13078 	if (info->attrs[NL80211_ATTR_BANDS]) {
13079 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13080 
13081 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13082 			return -EOPNOTSUPP;
13083 
13084 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13085 			return -EINVAL;
13086 
13087 		conf.bands = bands;
13088 	}
13089 
13090 	err = rdev_start_nan(rdev, wdev, &conf);
13091 	if (err)
13092 		return err;
13093 
13094 	wdev->is_running = true;
13095 	rdev->opencount++;
13096 
13097 	return 0;
13098 }
13099 
13100 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
13101 {
13102 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13103 	struct wireless_dev *wdev = info->user_ptr[1];
13104 
13105 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13106 		return -EOPNOTSUPP;
13107 
13108 	cfg80211_stop_nan(rdev, wdev);
13109 
13110 	return 0;
13111 }
13112 
13113 static int validate_nan_filter(struct nlattr *filter_attr)
13114 {
13115 	struct nlattr *attr;
13116 	int len = 0, n_entries = 0, rem;
13117 
13118 	nla_for_each_nested(attr, filter_attr, rem) {
13119 		len += nla_len(attr);
13120 		n_entries++;
13121 	}
13122 
13123 	if (len >= U8_MAX)
13124 		return -EINVAL;
13125 
13126 	return n_entries;
13127 }
13128 
13129 static int handle_nan_filter(struct nlattr *attr_filter,
13130 			     struct cfg80211_nan_func *func,
13131 			     bool tx)
13132 {
13133 	struct nlattr *attr;
13134 	int n_entries, rem, i;
13135 	struct cfg80211_nan_func_filter *filter;
13136 
13137 	n_entries = validate_nan_filter(attr_filter);
13138 	if (n_entries < 0)
13139 		return n_entries;
13140 
13141 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
13142 
13143 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
13144 	if (!filter)
13145 		return -ENOMEM;
13146 
13147 	i = 0;
13148 	nla_for_each_nested(attr, attr_filter, rem) {
13149 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
13150 		filter[i].len = nla_len(attr);
13151 		i++;
13152 	}
13153 	if (tx) {
13154 		func->num_tx_filters = n_entries;
13155 		func->tx_filters = filter;
13156 	} else {
13157 		func->num_rx_filters = n_entries;
13158 		func->rx_filters = filter;
13159 	}
13160 
13161 	return 0;
13162 }
13163 
13164 static int nl80211_nan_add_func(struct sk_buff *skb,
13165 				struct genl_info *info)
13166 {
13167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13168 	struct wireless_dev *wdev = info->user_ptr[1];
13169 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
13170 	struct cfg80211_nan_func *func;
13171 	struct sk_buff *msg = NULL;
13172 	void *hdr = NULL;
13173 	int err = 0;
13174 
13175 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13176 		return -EOPNOTSUPP;
13177 
13178 	if (!wdev_running(wdev))
13179 		return -ENOTCONN;
13180 
13181 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
13182 		return -EINVAL;
13183 
13184 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
13185 					  info->attrs[NL80211_ATTR_NAN_FUNC],
13186 					  nl80211_nan_func_policy,
13187 					  info->extack);
13188 	if (err)
13189 		return err;
13190 
13191 	func = kzalloc(sizeof(*func), GFP_KERNEL);
13192 	if (!func)
13193 		return -ENOMEM;
13194 
13195 	func->cookie = cfg80211_assign_cookie(rdev);
13196 
13197 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
13198 		err = -EINVAL;
13199 		goto out;
13200 	}
13201 
13202 
13203 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
13204 
13205 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
13206 		err = -EINVAL;
13207 		goto out;
13208 	}
13209 
13210 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
13211 	       sizeof(func->service_id));
13212 
13213 	func->close_range =
13214 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
13215 
13216 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
13217 		func->serv_spec_info_len =
13218 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
13219 		func->serv_spec_info =
13220 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
13221 				func->serv_spec_info_len,
13222 				GFP_KERNEL);
13223 		if (!func->serv_spec_info) {
13224 			err = -ENOMEM;
13225 			goto out;
13226 		}
13227 	}
13228 
13229 	if (tb[NL80211_NAN_FUNC_TTL])
13230 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
13231 
13232 	switch (func->type) {
13233 	case NL80211_NAN_FUNC_PUBLISH:
13234 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
13235 			err = -EINVAL;
13236 			goto out;
13237 		}
13238 
13239 		func->publish_type =
13240 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
13241 		func->publish_bcast =
13242 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
13243 
13244 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
13245 			func->publish_bcast) {
13246 			err = -EINVAL;
13247 			goto out;
13248 		}
13249 		break;
13250 	case NL80211_NAN_FUNC_SUBSCRIBE:
13251 		func->subscribe_active =
13252 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
13253 		break;
13254 	case NL80211_NAN_FUNC_FOLLOW_UP:
13255 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
13256 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
13257 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
13258 			err = -EINVAL;
13259 			goto out;
13260 		}
13261 
13262 		func->followup_id =
13263 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
13264 		func->followup_reqid =
13265 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
13266 		memcpy(func->followup_dest.addr,
13267 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
13268 		       sizeof(func->followup_dest.addr));
13269 		if (func->ttl) {
13270 			err = -EINVAL;
13271 			goto out;
13272 		}
13273 		break;
13274 	default:
13275 		err = -EINVAL;
13276 		goto out;
13277 	}
13278 
13279 	if (tb[NL80211_NAN_FUNC_SRF]) {
13280 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
13281 
13282 		err = nla_parse_nested_deprecated(srf_tb,
13283 						  NL80211_NAN_SRF_ATTR_MAX,
13284 						  tb[NL80211_NAN_FUNC_SRF],
13285 						  nl80211_nan_srf_policy,
13286 						  info->extack);
13287 		if (err)
13288 			goto out;
13289 
13290 		func->srf_include =
13291 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
13292 
13293 		if (srf_tb[NL80211_NAN_SRF_BF]) {
13294 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
13295 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
13296 				err = -EINVAL;
13297 				goto out;
13298 			}
13299 
13300 			func->srf_bf_len =
13301 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
13302 			func->srf_bf =
13303 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
13304 					func->srf_bf_len, GFP_KERNEL);
13305 			if (!func->srf_bf) {
13306 				err = -ENOMEM;
13307 				goto out;
13308 			}
13309 
13310 			func->srf_bf_idx =
13311 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
13312 		} else {
13313 			struct nlattr *attr, *mac_attr =
13314 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
13315 			int n_entries, rem, i = 0;
13316 
13317 			if (!mac_attr) {
13318 				err = -EINVAL;
13319 				goto out;
13320 			}
13321 
13322 			n_entries = validate_acl_mac_addrs(mac_attr);
13323 			if (n_entries <= 0) {
13324 				err = -EINVAL;
13325 				goto out;
13326 			}
13327 
13328 			func->srf_num_macs = n_entries;
13329 			func->srf_macs =
13330 				kcalloc(n_entries, sizeof(*func->srf_macs),
13331 					GFP_KERNEL);
13332 			if (!func->srf_macs) {
13333 				err = -ENOMEM;
13334 				goto out;
13335 			}
13336 
13337 			nla_for_each_nested(attr, mac_attr, rem)
13338 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
13339 				       sizeof(*func->srf_macs));
13340 		}
13341 	}
13342 
13343 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
13344 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
13345 					func, true);
13346 		if (err)
13347 			goto out;
13348 	}
13349 
13350 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
13351 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
13352 					func, false);
13353 		if (err)
13354 			goto out;
13355 	}
13356 
13357 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13358 	if (!msg) {
13359 		err = -ENOMEM;
13360 		goto out;
13361 	}
13362 
13363 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13364 			     NL80211_CMD_ADD_NAN_FUNCTION);
13365 	/* This can't really happen - we just allocated 4KB */
13366 	if (WARN_ON(!hdr)) {
13367 		err = -ENOMEM;
13368 		goto out;
13369 	}
13370 
13371 	err = rdev_add_nan_func(rdev, wdev, func);
13372 out:
13373 	if (err < 0) {
13374 		cfg80211_free_nan_func(func);
13375 		nlmsg_free(msg);
13376 		return err;
13377 	}
13378 
13379 	/* propagate the instance id and cookie to userspace  */
13380 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
13381 			      NL80211_ATTR_PAD))
13382 		goto nla_put_failure;
13383 
13384 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13385 	if (!func_attr)
13386 		goto nla_put_failure;
13387 
13388 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
13389 		       func->instance_id))
13390 		goto nla_put_failure;
13391 
13392 	nla_nest_end(msg, func_attr);
13393 
13394 	genlmsg_end(msg, hdr);
13395 	return genlmsg_reply(msg, info);
13396 
13397 nla_put_failure:
13398 	nlmsg_free(msg);
13399 	return -ENOBUFS;
13400 }
13401 
13402 static int nl80211_nan_del_func(struct sk_buff *skb,
13403 			       struct genl_info *info)
13404 {
13405 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13406 	struct wireless_dev *wdev = info->user_ptr[1];
13407 	u64 cookie;
13408 
13409 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13410 		return -EOPNOTSUPP;
13411 
13412 	if (!wdev_running(wdev))
13413 		return -ENOTCONN;
13414 
13415 	if (!info->attrs[NL80211_ATTR_COOKIE])
13416 		return -EINVAL;
13417 
13418 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
13419 
13420 	rdev_del_nan_func(rdev, wdev, cookie);
13421 
13422 	return 0;
13423 }
13424 
13425 static int nl80211_nan_change_config(struct sk_buff *skb,
13426 				     struct genl_info *info)
13427 {
13428 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13429 	struct wireless_dev *wdev = info->user_ptr[1];
13430 	struct cfg80211_nan_conf conf = {};
13431 	u32 changed = 0;
13432 
13433 	if (wdev->iftype != NL80211_IFTYPE_NAN)
13434 		return -EOPNOTSUPP;
13435 
13436 	if (!wdev_running(wdev))
13437 		return -ENOTCONN;
13438 
13439 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
13440 		conf.master_pref =
13441 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
13442 		if (conf.master_pref <= 1 || conf.master_pref == 255)
13443 			return -EINVAL;
13444 
13445 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
13446 	}
13447 
13448 	if (info->attrs[NL80211_ATTR_BANDS]) {
13449 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
13450 
13451 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
13452 			return -EOPNOTSUPP;
13453 
13454 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
13455 			return -EINVAL;
13456 
13457 		conf.bands = bands;
13458 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
13459 	}
13460 
13461 	if (!changed)
13462 		return -EINVAL;
13463 
13464 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
13465 }
13466 
13467 void cfg80211_nan_match(struct wireless_dev *wdev,
13468 			struct cfg80211_nan_match_params *match, gfp_t gfp)
13469 {
13470 	struct wiphy *wiphy = wdev->wiphy;
13471 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13472 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
13473 	struct sk_buff *msg;
13474 	void *hdr;
13475 
13476 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
13477 		return;
13478 
13479 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13480 	if (!msg)
13481 		return;
13482 
13483 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
13484 	if (!hdr) {
13485 		nlmsg_free(msg);
13486 		return;
13487 	}
13488 
13489 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13490 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13491 					 wdev->netdev->ifindex)) ||
13492 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13493 			      NL80211_ATTR_PAD))
13494 		goto nla_put_failure;
13495 
13496 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
13497 			      NL80211_ATTR_PAD) ||
13498 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
13499 		goto nla_put_failure;
13500 
13501 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
13502 	if (!match_attr)
13503 		goto nla_put_failure;
13504 
13505 	local_func_attr = nla_nest_start_noflag(msg,
13506 						NL80211_NAN_MATCH_FUNC_LOCAL);
13507 	if (!local_func_attr)
13508 		goto nla_put_failure;
13509 
13510 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
13511 		goto nla_put_failure;
13512 
13513 	nla_nest_end(msg, local_func_attr);
13514 
13515 	peer_func_attr = nla_nest_start_noflag(msg,
13516 					       NL80211_NAN_MATCH_FUNC_PEER);
13517 	if (!peer_func_attr)
13518 		goto nla_put_failure;
13519 
13520 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
13521 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
13522 		goto nla_put_failure;
13523 
13524 	if (match->info && match->info_len &&
13525 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
13526 		    match->info))
13527 		goto nla_put_failure;
13528 
13529 	nla_nest_end(msg, peer_func_attr);
13530 	nla_nest_end(msg, match_attr);
13531 	genlmsg_end(msg, hdr);
13532 
13533 	if (!wdev->owner_nlportid)
13534 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13535 					msg, 0, NL80211_MCGRP_NAN, gfp);
13536 	else
13537 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13538 				wdev->owner_nlportid);
13539 
13540 	return;
13541 
13542 nla_put_failure:
13543 	nlmsg_free(msg);
13544 }
13545 EXPORT_SYMBOL(cfg80211_nan_match);
13546 
13547 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
13548 				  u8 inst_id,
13549 				  enum nl80211_nan_func_term_reason reason,
13550 				  u64 cookie, gfp_t gfp)
13551 {
13552 	struct wiphy *wiphy = wdev->wiphy;
13553 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13554 	struct sk_buff *msg;
13555 	struct nlattr *func_attr;
13556 	void *hdr;
13557 
13558 	if (WARN_ON(!inst_id))
13559 		return;
13560 
13561 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
13562 	if (!msg)
13563 		return;
13564 
13565 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
13566 	if (!hdr) {
13567 		nlmsg_free(msg);
13568 		return;
13569 	}
13570 
13571 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13572 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
13573 					 wdev->netdev->ifindex)) ||
13574 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
13575 			      NL80211_ATTR_PAD))
13576 		goto nla_put_failure;
13577 
13578 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
13579 			      NL80211_ATTR_PAD))
13580 		goto nla_put_failure;
13581 
13582 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
13583 	if (!func_attr)
13584 		goto nla_put_failure;
13585 
13586 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
13587 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
13588 		goto nla_put_failure;
13589 
13590 	nla_nest_end(msg, func_attr);
13591 	genlmsg_end(msg, hdr);
13592 
13593 	if (!wdev->owner_nlportid)
13594 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13595 					msg, 0, NL80211_MCGRP_NAN, gfp);
13596 	else
13597 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13598 				wdev->owner_nlportid);
13599 
13600 	return;
13601 
13602 nla_put_failure:
13603 	nlmsg_free(msg);
13604 }
13605 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13606 
13607 static int nl80211_get_protocol_features(struct sk_buff *skb,
13608 					 struct genl_info *info)
13609 {
13610 	void *hdr;
13611 	struct sk_buff *msg;
13612 
13613 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13614 	if (!msg)
13615 		return -ENOMEM;
13616 
13617 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13618 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13619 	if (!hdr)
13620 		goto nla_put_failure;
13621 
13622 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13623 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13624 		goto nla_put_failure;
13625 
13626 	genlmsg_end(msg, hdr);
13627 	return genlmsg_reply(msg, info);
13628 
13629  nla_put_failure:
13630 	kfree_skb(msg);
13631 	return -ENOBUFS;
13632 }
13633 
13634 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13635 {
13636 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13637 	struct cfg80211_update_ft_ies_params ft_params;
13638 	struct net_device *dev = info->user_ptr[1];
13639 
13640 	if (!rdev->ops->update_ft_ies)
13641 		return -EOPNOTSUPP;
13642 
13643 	if (!info->attrs[NL80211_ATTR_MDID] ||
13644 	    !info->attrs[NL80211_ATTR_IE])
13645 		return -EINVAL;
13646 
13647 	memset(&ft_params, 0, sizeof(ft_params));
13648 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13649 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13650 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13651 
13652 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13653 }
13654 
13655 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13656 				       struct genl_info *info)
13657 {
13658 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13659 	struct wireless_dev *wdev = info->user_ptr[1];
13660 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13661 	u16 duration;
13662 	int ret;
13663 
13664 	if (!rdev->ops->crit_proto_start)
13665 		return -EOPNOTSUPP;
13666 
13667 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13668 		return -EINVAL;
13669 
13670 	if (rdev->crit_proto_nlportid)
13671 		return -EBUSY;
13672 
13673 	/* determine protocol if provided */
13674 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13675 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13676 
13677 	if (proto >= NUM_NL80211_CRIT_PROTO)
13678 		return -EINVAL;
13679 
13680 	/* timeout must be provided */
13681 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13682 		return -EINVAL;
13683 
13684 	duration =
13685 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13686 
13687 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13688 	if (!ret)
13689 		rdev->crit_proto_nlportid = info->snd_portid;
13690 
13691 	return ret;
13692 }
13693 
13694 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13695 				      struct genl_info *info)
13696 {
13697 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13698 	struct wireless_dev *wdev = info->user_ptr[1];
13699 
13700 	if (!rdev->ops->crit_proto_stop)
13701 		return -EOPNOTSUPP;
13702 
13703 	if (rdev->crit_proto_nlportid) {
13704 		rdev->crit_proto_nlportid = 0;
13705 		rdev_crit_proto_stop(rdev, wdev);
13706 	}
13707 	return 0;
13708 }
13709 
13710 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13711 				       struct nlattr *attr,
13712 				       struct netlink_ext_ack *extack)
13713 {
13714 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13715 		if (attr->nla_type & NLA_F_NESTED) {
13716 			NL_SET_ERR_MSG_ATTR(extack, attr,
13717 					    "unexpected nested data");
13718 			return -EINVAL;
13719 		}
13720 
13721 		return 0;
13722 	}
13723 
13724 	if (!(attr->nla_type & NLA_F_NESTED)) {
13725 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13726 		return -EINVAL;
13727 	}
13728 
13729 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13730 }
13731 
13732 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13733 {
13734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13735 	struct wireless_dev *wdev =
13736 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
13737 					   info->attrs);
13738 	int i, err;
13739 	u32 vid, subcmd;
13740 
13741 	if (!rdev->wiphy.vendor_commands)
13742 		return -EOPNOTSUPP;
13743 
13744 	if (IS_ERR(wdev)) {
13745 		err = PTR_ERR(wdev);
13746 		if (err != -EINVAL)
13747 			return err;
13748 		wdev = NULL;
13749 	} else if (wdev->wiphy != &rdev->wiphy) {
13750 		return -EINVAL;
13751 	}
13752 
13753 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13754 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13755 		return -EINVAL;
13756 
13757 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13758 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13759 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13760 		const struct wiphy_vendor_command *vcmd;
13761 		void *data = NULL;
13762 		int len = 0;
13763 
13764 		vcmd = &rdev->wiphy.vendor_commands[i];
13765 
13766 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13767 			continue;
13768 
13769 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13770 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13771 			if (!wdev)
13772 				return -EINVAL;
13773 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13774 			    !wdev->netdev)
13775 				return -EINVAL;
13776 
13777 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13778 				if (!wdev_running(wdev))
13779 					return -ENETDOWN;
13780 			}
13781 		} else {
13782 			wdev = NULL;
13783 		}
13784 
13785 		if (!vcmd->doit)
13786 			return -EOPNOTSUPP;
13787 
13788 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13789 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13790 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13791 
13792 			err = nl80211_vendor_check_policy(vcmd,
13793 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13794 					info->extack);
13795 			if (err)
13796 				return err;
13797 		}
13798 
13799 		rdev->cur_cmd_info = info;
13800 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13801 		rdev->cur_cmd_info = NULL;
13802 		return err;
13803 	}
13804 
13805 	return -EOPNOTSUPP;
13806 }
13807 
13808 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13809 				       struct netlink_callback *cb,
13810 				       struct cfg80211_registered_device **rdev,
13811 				       struct wireless_dev **wdev)
13812 {
13813 	struct nlattr **attrbuf;
13814 	u32 vid, subcmd;
13815 	unsigned int i;
13816 	int vcmd_idx = -1;
13817 	int err;
13818 	void *data = NULL;
13819 	unsigned int data_len = 0;
13820 
13821 	if (cb->args[0]) {
13822 		/* subtract the 1 again here */
13823 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13824 		struct wireless_dev *tmp;
13825 
13826 		if (!wiphy)
13827 			return -ENODEV;
13828 		*rdev = wiphy_to_rdev(wiphy);
13829 		*wdev = NULL;
13830 
13831 		if (cb->args[1]) {
13832 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13833 				if (tmp->identifier == cb->args[1] - 1) {
13834 					*wdev = tmp;
13835 					break;
13836 				}
13837 			}
13838 		}
13839 
13840 		/* keep rtnl locked in successful case */
13841 		return 0;
13842 	}
13843 
13844 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13845 	if (!attrbuf)
13846 		return -ENOMEM;
13847 
13848 	err = nlmsg_parse_deprecated(cb->nlh,
13849 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13850 				     attrbuf, nl80211_fam.maxattr,
13851 				     nl80211_policy, NULL);
13852 	if (err)
13853 		goto out;
13854 
13855 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13856 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13857 		err = -EINVAL;
13858 		goto out;
13859 	}
13860 
13861 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
13862 	if (IS_ERR(*wdev))
13863 		*wdev = NULL;
13864 
13865 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13866 	if (IS_ERR(*rdev)) {
13867 		err = PTR_ERR(*rdev);
13868 		goto out;
13869 	}
13870 
13871 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13872 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13873 
13874 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13875 		const struct wiphy_vendor_command *vcmd;
13876 
13877 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13878 
13879 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13880 			continue;
13881 
13882 		if (!vcmd->dumpit) {
13883 			err = -EOPNOTSUPP;
13884 			goto out;
13885 		}
13886 
13887 		vcmd_idx = i;
13888 		break;
13889 	}
13890 
13891 	if (vcmd_idx < 0) {
13892 		err = -EOPNOTSUPP;
13893 		goto out;
13894 	}
13895 
13896 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13897 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13898 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13899 
13900 		err = nl80211_vendor_check_policy(
13901 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13902 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13903 				cb->extack);
13904 		if (err)
13905 			goto out;
13906 	}
13907 
13908 	/* 0 is the first index - add 1 to parse only once */
13909 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13910 	/* add 1 to know if it was NULL */
13911 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13912 	cb->args[2] = vcmd_idx;
13913 	cb->args[3] = (unsigned long)data;
13914 	cb->args[4] = data_len;
13915 
13916 	/* keep rtnl locked in successful case */
13917 	err = 0;
13918 out:
13919 	kfree(attrbuf);
13920 	return err;
13921 }
13922 
13923 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13924 				   struct netlink_callback *cb)
13925 {
13926 	struct cfg80211_registered_device *rdev;
13927 	struct wireless_dev *wdev;
13928 	unsigned int vcmd_idx;
13929 	const struct wiphy_vendor_command *vcmd;
13930 	void *data;
13931 	int data_len;
13932 	int err;
13933 	struct nlattr *vendor_data;
13934 
13935 	rtnl_lock();
13936 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13937 	if (err)
13938 		goto out;
13939 
13940 	vcmd_idx = cb->args[2];
13941 	data = (void *)cb->args[3];
13942 	data_len = cb->args[4];
13943 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13944 
13945 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13946 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13947 		if (!wdev) {
13948 			err = -EINVAL;
13949 			goto out;
13950 		}
13951 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13952 		    !wdev->netdev) {
13953 			err = -EINVAL;
13954 			goto out;
13955 		}
13956 
13957 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13958 			if (!wdev_running(wdev)) {
13959 				err = -ENETDOWN;
13960 				goto out;
13961 			}
13962 		}
13963 	}
13964 
13965 	while (1) {
13966 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13967 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13968 					   NL80211_CMD_VENDOR);
13969 		if (!hdr)
13970 			break;
13971 
13972 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13973 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13974 					       wdev_id(wdev),
13975 					       NL80211_ATTR_PAD))) {
13976 			genlmsg_cancel(skb, hdr);
13977 			break;
13978 		}
13979 
13980 		vendor_data = nla_nest_start_noflag(skb,
13981 						    NL80211_ATTR_VENDOR_DATA);
13982 		if (!vendor_data) {
13983 			genlmsg_cancel(skb, hdr);
13984 			break;
13985 		}
13986 
13987 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13988 				   (unsigned long *)&cb->args[5]);
13989 		nla_nest_end(skb, vendor_data);
13990 
13991 		if (err == -ENOBUFS || err == -ENOENT) {
13992 			genlmsg_cancel(skb, hdr);
13993 			break;
13994 		} else if (err <= 0) {
13995 			genlmsg_cancel(skb, hdr);
13996 			goto out;
13997 		}
13998 
13999 		genlmsg_end(skb, hdr);
14000 	}
14001 
14002 	err = skb->len;
14003  out:
14004 	rtnl_unlock();
14005 	return err;
14006 }
14007 
14008 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
14009 					   enum nl80211_commands cmd,
14010 					   enum nl80211_attrs attr,
14011 					   int approxlen)
14012 {
14013 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14014 
14015 	if (WARN_ON(!rdev->cur_cmd_info))
14016 		return NULL;
14017 
14018 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
14019 					   rdev->cur_cmd_info->snd_portid,
14020 					   rdev->cur_cmd_info->snd_seq,
14021 					   cmd, attr, NULL, GFP_KERNEL);
14022 }
14023 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
14024 
14025 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
14026 {
14027 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
14028 	void *hdr = ((void **)skb->cb)[1];
14029 	struct nlattr *data = ((void **)skb->cb)[2];
14030 
14031 	/* clear CB data for netlink core to own from now on */
14032 	memset(skb->cb, 0, sizeof(skb->cb));
14033 
14034 	if (WARN_ON(!rdev->cur_cmd_info)) {
14035 		kfree_skb(skb);
14036 		return -EINVAL;
14037 	}
14038 
14039 	nla_nest_end(skb, data);
14040 	genlmsg_end(skb, hdr);
14041 	return genlmsg_reply(skb, rdev->cur_cmd_info);
14042 }
14043 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
14044 
14045 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
14046 {
14047 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14048 
14049 	if (WARN_ON(!rdev->cur_cmd_info))
14050 		return 0;
14051 
14052 	return rdev->cur_cmd_info->snd_portid;
14053 }
14054 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
14055 
14056 static int nl80211_set_qos_map(struct sk_buff *skb,
14057 			       struct genl_info *info)
14058 {
14059 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14060 	struct cfg80211_qos_map *qos_map = NULL;
14061 	struct net_device *dev = info->user_ptr[1];
14062 	u8 *pos, len, num_des, des_len, des;
14063 	int ret;
14064 
14065 	if (!rdev->ops->set_qos_map)
14066 		return -EOPNOTSUPP;
14067 
14068 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
14069 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
14070 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
14071 
14072 		if (len % 2)
14073 			return -EINVAL;
14074 
14075 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
14076 		if (!qos_map)
14077 			return -ENOMEM;
14078 
14079 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
14080 		if (num_des) {
14081 			des_len = num_des *
14082 				sizeof(struct cfg80211_dscp_exception);
14083 			memcpy(qos_map->dscp_exception, pos, des_len);
14084 			qos_map->num_des = num_des;
14085 			for (des = 0; des < num_des; des++) {
14086 				if (qos_map->dscp_exception[des].up > 7) {
14087 					kfree(qos_map);
14088 					return -EINVAL;
14089 				}
14090 			}
14091 			pos += des_len;
14092 		}
14093 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
14094 	}
14095 
14096 	wdev_lock(dev->ieee80211_ptr);
14097 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
14098 	if (!ret)
14099 		ret = rdev_set_qos_map(rdev, dev, qos_map);
14100 	wdev_unlock(dev->ieee80211_ptr);
14101 
14102 	kfree(qos_map);
14103 	return ret;
14104 }
14105 
14106 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
14107 {
14108 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14109 	struct net_device *dev = info->user_ptr[1];
14110 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14111 	const u8 *peer;
14112 	u8 tsid, up;
14113 	u16 admitted_time = 0;
14114 	int err;
14115 
14116 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
14117 		return -EOPNOTSUPP;
14118 
14119 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
14120 	    !info->attrs[NL80211_ATTR_USER_PRIO])
14121 		return -EINVAL;
14122 
14123 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14124 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
14125 
14126 	/* WMM uses TIDs 0-7 even for TSPEC */
14127 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
14128 		/* TODO: handle 802.11 TSPEC/admission control
14129 		 * need more attributes for that (e.g. BA session requirement);
14130 		 * change the WMM adminssion test above to allow both then
14131 		 */
14132 		return -EINVAL;
14133 	}
14134 
14135 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14136 
14137 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
14138 		admitted_time =
14139 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
14140 		if (!admitted_time)
14141 			return -EINVAL;
14142 	}
14143 
14144 	wdev_lock(wdev);
14145 	switch (wdev->iftype) {
14146 	case NL80211_IFTYPE_STATION:
14147 	case NL80211_IFTYPE_P2P_CLIENT:
14148 		if (wdev->current_bss)
14149 			break;
14150 		err = -ENOTCONN;
14151 		goto out;
14152 	default:
14153 		err = -EOPNOTSUPP;
14154 		goto out;
14155 	}
14156 
14157 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
14158 
14159  out:
14160 	wdev_unlock(wdev);
14161 	return err;
14162 }
14163 
14164 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
14165 {
14166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14167 	struct net_device *dev = info->user_ptr[1];
14168 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14169 	const u8 *peer;
14170 	u8 tsid;
14171 	int err;
14172 
14173 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
14174 		return -EINVAL;
14175 
14176 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
14177 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14178 
14179 	wdev_lock(wdev);
14180 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
14181 	wdev_unlock(wdev);
14182 
14183 	return err;
14184 }
14185 
14186 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
14187 				       struct genl_info *info)
14188 {
14189 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14190 	struct net_device *dev = info->user_ptr[1];
14191 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14192 	struct cfg80211_chan_def chandef = {};
14193 	const u8 *addr;
14194 	u8 oper_class;
14195 	int err;
14196 
14197 	if (!rdev->ops->tdls_channel_switch ||
14198 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14199 		return -EOPNOTSUPP;
14200 
14201 	switch (dev->ieee80211_ptr->iftype) {
14202 	case NL80211_IFTYPE_STATION:
14203 	case NL80211_IFTYPE_P2P_CLIENT:
14204 		break;
14205 	default:
14206 		return -EOPNOTSUPP;
14207 	}
14208 
14209 	if (!info->attrs[NL80211_ATTR_MAC] ||
14210 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
14211 		return -EINVAL;
14212 
14213 	err = nl80211_parse_chandef(rdev, info, &chandef);
14214 	if (err)
14215 		return err;
14216 
14217 	/*
14218 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
14219 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
14220 	 * specification is not defined for them.
14221 	 */
14222 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
14223 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
14224 	    chandef.width != NL80211_CHAN_WIDTH_20)
14225 		return -EINVAL;
14226 
14227 	/* we will be active on the TDLS link */
14228 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
14229 					   wdev->iftype))
14230 		return -EINVAL;
14231 
14232 	/* don't allow switching to DFS channels */
14233 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
14234 		return -EINVAL;
14235 
14236 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14237 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
14238 
14239 	wdev_lock(wdev);
14240 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
14241 	wdev_unlock(wdev);
14242 
14243 	return err;
14244 }
14245 
14246 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
14247 					      struct genl_info *info)
14248 {
14249 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14250 	struct net_device *dev = info->user_ptr[1];
14251 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14252 	const u8 *addr;
14253 
14254 	if (!rdev->ops->tdls_channel_switch ||
14255 	    !rdev->ops->tdls_cancel_channel_switch ||
14256 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
14257 		return -EOPNOTSUPP;
14258 
14259 	switch (dev->ieee80211_ptr->iftype) {
14260 	case NL80211_IFTYPE_STATION:
14261 	case NL80211_IFTYPE_P2P_CLIENT:
14262 		break;
14263 	default:
14264 		return -EOPNOTSUPP;
14265 	}
14266 
14267 	if (!info->attrs[NL80211_ATTR_MAC])
14268 		return -EINVAL;
14269 
14270 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14271 
14272 	wdev_lock(wdev);
14273 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
14274 	wdev_unlock(wdev);
14275 
14276 	return 0;
14277 }
14278 
14279 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
14280 					    struct genl_info *info)
14281 {
14282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14283 	struct net_device *dev = info->user_ptr[1];
14284 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14285 	const struct nlattr *nla;
14286 	bool enabled;
14287 
14288 	if (!rdev->ops->set_multicast_to_unicast)
14289 		return -EOPNOTSUPP;
14290 
14291 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14292 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14293 		return -EOPNOTSUPP;
14294 
14295 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
14296 	enabled = nla_get_flag(nla);
14297 
14298 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
14299 }
14300 
14301 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
14302 {
14303 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14304 	struct net_device *dev = info->user_ptr[1];
14305 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14306 	struct cfg80211_pmk_conf pmk_conf = {};
14307 	int ret;
14308 
14309 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14310 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14311 		return -EOPNOTSUPP;
14312 
14313 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14314 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14315 		return -EOPNOTSUPP;
14316 
14317 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
14318 		return -EINVAL;
14319 
14320 	wdev_lock(wdev);
14321 	if (!wdev->current_bss) {
14322 		ret = -ENOTCONN;
14323 		goto out;
14324 	}
14325 
14326 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14327 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
14328 		ret = -EINVAL;
14329 		goto out;
14330 	}
14331 
14332 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
14333 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
14334 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
14335 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
14336 		ret = -EINVAL;
14337 		goto out;
14338 	}
14339 
14340 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
14341 		pmk_conf.pmk_r0_name =
14342 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
14343 
14344 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
14345 out:
14346 	wdev_unlock(wdev);
14347 	return ret;
14348 }
14349 
14350 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
14351 {
14352 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14353 	struct net_device *dev = info->user_ptr[1];
14354 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14355 	const u8 *aa;
14356 	int ret;
14357 
14358 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
14359 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
14360 		return -EOPNOTSUPP;
14361 
14362 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14363 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
14364 		return -EOPNOTSUPP;
14365 
14366 	if (!info->attrs[NL80211_ATTR_MAC])
14367 		return -EINVAL;
14368 
14369 	wdev_lock(wdev);
14370 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
14371 	ret = rdev_del_pmk(rdev, dev, aa);
14372 	wdev_unlock(wdev);
14373 
14374 	return ret;
14375 }
14376 
14377 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
14378 {
14379 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14380 	struct net_device *dev = info->user_ptr[1];
14381 	struct cfg80211_external_auth_params params;
14382 
14383 	if (!rdev->ops->external_auth)
14384 		return -EOPNOTSUPP;
14385 
14386 	if (!info->attrs[NL80211_ATTR_SSID] &&
14387 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
14388 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
14389 		return -EINVAL;
14390 
14391 	if (!info->attrs[NL80211_ATTR_BSSID])
14392 		return -EINVAL;
14393 
14394 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
14395 		return -EINVAL;
14396 
14397 	memset(&params, 0, sizeof(params));
14398 
14399 	if (info->attrs[NL80211_ATTR_SSID]) {
14400 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
14401 		if (params.ssid.ssid_len == 0)
14402 			return -EINVAL;
14403 		memcpy(params.ssid.ssid,
14404 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
14405 		       params.ssid.ssid_len);
14406 	}
14407 
14408 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
14409 	       ETH_ALEN);
14410 
14411 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14412 
14413 	if (info->attrs[NL80211_ATTR_PMKID])
14414 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
14415 
14416 	return rdev_external_auth(rdev, dev, &params);
14417 }
14418 
14419 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
14420 {
14421 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
14422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14423 	struct net_device *dev = info->user_ptr[1];
14424 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14425 	const u8 *buf;
14426 	size_t len;
14427 	u8 *dest;
14428 	u16 proto;
14429 	bool noencrypt;
14430 	u64 cookie = 0;
14431 	int err;
14432 
14433 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
14434 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
14435 		return -EOPNOTSUPP;
14436 
14437 	if (!rdev->ops->tx_control_port)
14438 		return -EOPNOTSUPP;
14439 
14440 	if (!info->attrs[NL80211_ATTR_FRAME] ||
14441 	    !info->attrs[NL80211_ATTR_MAC] ||
14442 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
14443 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
14444 		return -EINVAL;
14445 	}
14446 
14447 	wdev_lock(wdev);
14448 
14449 	switch (wdev->iftype) {
14450 	case NL80211_IFTYPE_AP:
14451 	case NL80211_IFTYPE_P2P_GO:
14452 	case NL80211_IFTYPE_MESH_POINT:
14453 		break;
14454 	case NL80211_IFTYPE_ADHOC:
14455 	case NL80211_IFTYPE_STATION:
14456 	case NL80211_IFTYPE_P2P_CLIENT:
14457 		if (wdev->current_bss)
14458 			break;
14459 		err = -ENOTCONN;
14460 		goto out;
14461 	default:
14462 		err = -EOPNOTSUPP;
14463 		goto out;
14464 	}
14465 
14466 	wdev_unlock(wdev);
14467 
14468 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14469 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14470 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14471 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
14472 	noencrypt =
14473 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
14474 
14475 	err = rdev_tx_control_port(rdev, dev, buf, len,
14476 				   dest, cpu_to_be16(proto), noencrypt,
14477 				   dont_wait_for_ack ? NULL : &cookie);
14478 	if (!err && !dont_wait_for_ack)
14479 		nl_set_extack_cookie_u64(info->extack, cookie);
14480 	return err;
14481  out:
14482 	wdev_unlock(wdev);
14483 	return err;
14484 }
14485 
14486 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
14487 					   struct genl_info *info)
14488 {
14489 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14490 	struct net_device *dev = info->user_ptr[1];
14491 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14492 	struct cfg80211_ftm_responder_stats ftm_stats = {};
14493 	struct sk_buff *msg;
14494 	void *hdr;
14495 	struct nlattr *ftm_stats_attr;
14496 	int err;
14497 
14498 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
14499 		return -EOPNOTSUPP;
14500 
14501 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
14502 	if (err)
14503 		return err;
14504 
14505 	if (!ftm_stats.filled)
14506 		return -ENODATA;
14507 
14508 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14509 	if (!msg)
14510 		return -ENOMEM;
14511 
14512 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14513 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
14514 	if (!hdr)
14515 		goto nla_put_failure;
14516 
14517 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
14518 		goto nla_put_failure;
14519 
14520 	ftm_stats_attr = nla_nest_start_noflag(msg,
14521 					       NL80211_ATTR_FTM_RESPONDER_STATS);
14522 	if (!ftm_stats_attr)
14523 		goto nla_put_failure;
14524 
14525 #define SET_FTM(field, name, type)					 \
14526 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14527 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
14528 			     ftm_stats.field))				 \
14529 		goto nla_put_failure; } while (0)
14530 #define SET_FTM_U64(field, name)					 \
14531 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
14532 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
14533 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
14534 		goto nla_put_failure; } while (0)
14535 
14536 	SET_FTM(success_num, SUCCESS_NUM, u32);
14537 	SET_FTM(partial_num, PARTIAL_NUM, u32);
14538 	SET_FTM(failed_num, FAILED_NUM, u32);
14539 	SET_FTM(asap_num, ASAP_NUM, u32);
14540 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
14541 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
14542 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
14543 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
14544 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
14545 #undef SET_FTM
14546 
14547 	nla_nest_end(msg, ftm_stats_attr);
14548 
14549 	genlmsg_end(msg, hdr);
14550 	return genlmsg_reply(msg, info);
14551 
14552 nla_put_failure:
14553 	nlmsg_free(msg);
14554 	return -ENOBUFS;
14555 }
14556 
14557 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
14558 {
14559 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14560 	struct cfg80211_update_owe_info owe_info;
14561 	struct net_device *dev = info->user_ptr[1];
14562 
14563 	if (!rdev->ops->update_owe_info)
14564 		return -EOPNOTSUPP;
14565 
14566 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
14567 	    !info->attrs[NL80211_ATTR_MAC])
14568 		return -EINVAL;
14569 
14570 	memset(&owe_info, 0, sizeof(owe_info));
14571 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
14572 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
14573 
14574 	if (info->attrs[NL80211_ATTR_IE]) {
14575 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14576 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14577 	}
14578 
14579 	return rdev_update_owe_info(rdev, dev, &owe_info);
14580 }
14581 
14582 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14583 {
14584 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14585 	struct net_device *dev = info->user_ptr[1];
14586 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14587 	struct station_info sinfo = {};
14588 	const u8 *buf;
14589 	size_t len;
14590 	u8 *dest;
14591 	int err;
14592 
14593 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14594 		return -EOPNOTSUPP;
14595 
14596 	if (!info->attrs[NL80211_ATTR_MAC] ||
14597 	    !info->attrs[NL80211_ATTR_FRAME]) {
14598 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14599 		return -EINVAL;
14600 	}
14601 
14602 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14603 		return -EOPNOTSUPP;
14604 
14605 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14606 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14607 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14608 
14609 	if (len < sizeof(struct ethhdr))
14610 		return -EINVAL;
14611 
14612 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14613 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14614 		return -EINVAL;
14615 
14616 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14617 	if (err)
14618 		return err;
14619 
14620 	cfg80211_sinfo_release_content(&sinfo);
14621 
14622 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14623 }
14624 
14625 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14626 			  struct nlattr *attrs[], struct net_device *dev,
14627 			  struct cfg80211_tid_cfg *tid_conf,
14628 			  struct genl_info *info, const u8 *peer)
14629 {
14630 	struct netlink_ext_ack *extack = info->extack;
14631 	u64 mask;
14632 	int err;
14633 
14634 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14635 		return -EINVAL;
14636 
14637 	tid_conf->config_override =
14638 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14639 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14640 
14641 	if (tid_conf->config_override) {
14642 		if (rdev->ops->reset_tid_config) {
14643 			err = rdev_reset_tid_config(rdev, dev, peer,
14644 						    tid_conf->tids);
14645 			if (err)
14646 				return err;
14647 		} else {
14648 			return -EINVAL;
14649 		}
14650 	}
14651 
14652 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14653 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14654 		tid_conf->noack =
14655 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14656 	}
14657 
14658 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14659 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14660 		tid_conf->retry_short =
14661 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14662 
14663 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14664 			return -EINVAL;
14665 	}
14666 
14667 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14668 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14669 		tid_conf->retry_long =
14670 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14671 
14672 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14673 			return -EINVAL;
14674 	}
14675 
14676 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14677 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14678 		tid_conf->ampdu =
14679 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14680 	}
14681 
14682 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14683 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14684 		tid_conf->rtscts =
14685 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14686 	}
14687 
14688 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
14689 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
14690 		tid_conf->amsdu =
14691 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
14692 	}
14693 
14694 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
14695 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
14696 
14697 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
14698 
14699 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
14700 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
14701 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
14702 						    &tid_conf->txrate_mask, dev,
14703 						    true);
14704 			if (err)
14705 				return err;
14706 
14707 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
14708 		}
14709 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
14710 	}
14711 
14712 	if (peer)
14713 		mask = rdev->wiphy.tid_config_support.peer;
14714 	else
14715 		mask = rdev->wiphy.tid_config_support.vif;
14716 
14717 	if (tid_conf->mask & ~mask) {
14718 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14719 		return -ENOTSUPP;
14720 	}
14721 
14722 	return 0;
14723 }
14724 
14725 static int nl80211_set_tid_config(struct sk_buff *skb,
14726 				  struct genl_info *info)
14727 {
14728 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14729 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14730 	struct net_device *dev = info->user_ptr[1];
14731 	struct cfg80211_tid_config *tid_config;
14732 	struct nlattr *tid;
14733 	int conf_idx = 0, rem_conf;
14734 	int ret = -EINVAL;
14735 	u32 num_conf = 0;
14736 
14737 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14738 		return -EINVAL;
14739 
14740 	if (!rdev->ops->set_tid_config)
14741 		return -EOPNOTSUPP;
14742 
14743 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14744 			    rem_conf)
14745 		num_conf++;
14746 
14747 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14748 			     GFP_KERNEL);
14749 	if (!tid_config)
14750 		return -ENOMEM;
14751 
14752 	tid_config->n_tid_conf = num_conf;
14753 
14754 	if (info->attrs[NL80211_ATTR_MAC])
14755 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14756 
14757 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14758 			    rem_conf) {
14759 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14760 				       tid, NULL, NULL);
14761 
14762 		if (ret)
14763 			goto bad_tid_conf;
14764 
14765 		ret = parse_tid_conf(rdev, attrs, dev,
14766 				     &tid_config->tid_conf[conf_idx],
14767 				     info, tid_config->peer);
14768 		if (ret)
14769 			goto bad_tid_conf;
14770 
14771 		conf_idx++;
14772 	}
14773 
14774 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14775 
14776 bad_tid_conf:
14777 	kfree(tid_config);
14778 	return ret;
14779 }
14780 
14781 #define NL80211_FLAG_NEED_WIPHY		0x01
14782 #define NL80211_FLAG_NEED_NETDEV	0x02
14783 #define NL80211_FLAG_NEED_RTNL		0x04
14784 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14785 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14786 					 NL80211_FLAG_CHECK_NETDEV_UP)
14787 #define NL80211_FLAG_NEED_WDEV		0x10
14788 /* If a netdev is associated, it must be UP, P2P must be started */
14789 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14790 					 NL80211_FLAG_CHECK_NETDEV_UP)
14791 #define NL80211_FLAG_CLEAR_SKB		0x20
14792 
14793 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14794 			    struct genl_info *info)
14795 {
14796 	struct cfg80211_registered_device *rdev = NULL;
14797 	struct wireless_dev *wdev;
14798 	struct net_device *dev;
14799 
14800 	rtnl_lock();
14801 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14802 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14803 		if (IS_ERR(rdev)) {
14804 			rtnl_unlock();
14805 			return PTR_ERR(rdev);
14806 		}
14807 		info->user_ptr[0] = rdev;
14808 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14809 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14810 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
14811 						  info->attrs);
14812 		if (IS_ERR(wdev)) {
14813 			rtnl_unlock();
14814 			return PTR_ERR(wdev);
14815 		}
14816 
14817 		dev = wdev->netdev;
14818 		rdev = wiphy_to_rdev(wdev->wiphy);
14819 
14820 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14821 			if (!dev) {
14822 				rtnl_unlock();
14823 				return -EINVAL;
14824 			}
14825 
14826 			info->user_ptr[1] = dev;
14827 		} else {
14828 			info->user_ptr[1] = wdev;
14829 		}
14830 
14831 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14832 		    !wdev_running(wdev)) {
14833 			rtnl_unlock();
14834 			return -ENETDOWN;
14835 		}
14836 
14837 		if (dev)
14838 			dev_hold(dev);
14839 
14840 		info->user_ptr[0] = rdev;
14841 	}
14842 
14843 	if (rdev) {
14844 		wiphy_lock(&rdev->wiphy);
14845 		/* we keep the mutex locked until post_doit */
14846 		__release(&rdev->wiphy.mtx);
14847 	}
14848 	if (!(ops->internal_flags & NL80211_FLAG_NEED_RTNL))
14849 		rtnl_unlock();
14850 
14851 	return 0;
14852 }
14853 
14854 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14855 			      struct genl_info *info)
14856 {
14857 	if (info->user_ptr[1]) {
14858 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14859 			struct wireless_dev *wdev = info->user_ptr[1];
14860 
14861 			if (wdev->netdev)
14862 				dev_put(wdev->netdev);
14863 		} else {
14864 			dev_put(info->user_ptr[1]);
14865 		}
14866 	}
14867 
14868 	if (info->user_ptr[0]) {
14869 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
14870 
14871 		/* we kept the mutex locked since pre_doit */
14872 		__acquire(&rdev->wiphy.mtx);
14873 		wiphy_unlock(&rdev->wiphy);
14874 	}
14875 
14876 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14877 		rtnl_unlock();
14878 
14879 	/* If needed, clear the netlink message payload from the SKB
14880 	 * as it might contain key data that shouldn't stick around on
14881 	 * the heap after the SKB is freed. The netlink message header
14882 	 * is still needed for further processing, so leave it intact.
14883 	 */
14884 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14885 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14886 
14887 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14888 	}
14889 }
14890 
14891 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
14892 				     struct cfg80211_sar_specs *sar_specs,
14893 				     struct nlattr *spec[], int index)
14894 {
14895 	u32 range_index, i;
14896 
14897 	if (!sar_specs || !spec)
14898 		return -EINVAL;
14899 
14900 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
14901 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
14902 		return -EINVAL;
14903 
14904 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
14905 
14906 	/* check if range_index exceeds num_freq_ranges */
14907 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
14908 		return -EINVAL;
14909 
14910 	/* check if range_index duplicates */
14911 	for (i = 0; i < index; i++) {
14912 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
14913 			return -EINVAL;
14914 	}
14915 
14916 	sar_specs->sub_specs[index].power =
14917 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
14918 
14919 	sar_specs->sub_specs[index].freq_range_index = range_index;
14920 
14921 	return 0;
14922 }
14923 
14924 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
14925 {
14926 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14927 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
14928 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
14929 	struct cfg80211_sar_specs *sar_spec;
14930 	enum nl80211_sar_type type;
14931 	struct nlattr *spec_list;
14932 	u32 specs;
14933 	int rem, err;
14934 
14935 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
14936 		return -EOPNOTSUPP;
14937 
14938 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
14939 		return -EINVAL;
14940 
14941 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
14942 			 info->attrs[NL80211_ATTR_SAR_SPEC],
14943 			 NULL, NULL);
14944 
14945 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
14946 		return -EINVAL;
14947 
14948 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
14949 	if (type != rdev->wiphy.sar_capa->type)
14950 		return -EINVAL;
14951 
14952 	specs = 0;
14953 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
14954 		specs++;
14955 
14956 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
14957 		return -EINVAL;
14958 
14959 	sar_spec = kzalloc(sizeof(*sar_spec) +
14960 			   specs * sizeof(struct cfg80211_sar_sub_specs),
14961 			   GFP_KERNEL);
14962 	if (!sar_spec)
14963 		return -ENOMEM;
14964 
14965 	sar_spec->type = type;
14966 	specs = 0;
14967 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
14968 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
14969 				 spec_list, NULL, NULL);
14970 
14971 		switch (type) {
14972 		case NL80211_SAR_TYPE_POWER:
14973 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
14974 						      spec, specs)) {
14975 				err = -EINVAL;
14976 				goto error;
14977 			}
14978 			break;
14979 		default:
14980 			err = -EINVAL;
14981 			goto error;
14982 		}
14983 		specs++;
14984 	}
14985 
14986 	sar_spec->num_sub_specs = specs;
14987 
14988 	rdev->cur_cmd_info = info;
14989 	err = rdev_set_sar_specs(rdev, sar_spec);
14990 	rdev->cur_cmd_info = NULL;
14991 error:
14992 	kfree(sar_spec);
14993 	return err;
14994 }
14995 
14996 static const struct genl_ops nl80211_ops[] = {
14997 	{
14998 		.cmd = NL80211_CMD_GET_WIPHY,
14999 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15000 		.doit = nl80211_get_wiphy,
15001 		.dumpit = nl80211_dump_wiphy,
15002 		.done = nl80211_dump_wiphy_done,
15003 		/* can be retrieved by unprivileged users */
15004 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15005 	},
15006 };
15007 
15008 static const struct genl_small_ops nl80211_small_ops[] = {
15009 	{
15010 		.cmd = NL80211_CMD_SET_WIPHY,
15011 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15012 		.doit = nl80211_set_wiphy,
15013 		.flags = GENL_UNS_ADMIN_PERM,
15014 	},
15015 	{
15016 		.cmd = NL80211_CMD_GET_INTERFACE,
15017 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15018 		.doit = nl80211_get_interface,
15019 		.dumpit = nl80211_dump_interface,
15020 		/* can be retrieved by unprivileged users */
15021 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15022 	},
15023 	{
15024 		.cmd = NL80211_CMD_SET_INTERFACE,
15025 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15026 		.doit = nl80211_set_interface,
15027 		.flags = GENL_UNS_ADMIN_PERM,
15028 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15029 				  NL80211_FLAG_NEED_RTNL,
15030 	},
15031 	{
15032 		.cmd = NL80211_CMD_NEW_INTERFACE,
15033 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15034 		.doit = nl80211_new_interface,
15035 		.flags = GENL_UNS_ADMIN_PERM,
15036 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15037 				  NL80211_FLAG_NEED_RTNL,
15038 	},
15039 	{
15040 		.cmd = NL80211_CMD_DEL_INTERFACE,
15041 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15042 		.doit = nl80211_del_interface,
15043 		.flags = GENL_UNS_ADMIN_PERM,
15044 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15045 				  NL80211_FLAG_NEED_RTNL,
15046 	},
15047 	{
15048 		.cmd = NL80211_CMD_GET_KEY,
15049 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15050 		.doit = nl80211_get_key,
15051 		.flags = GENL_UNS_ADMIN_PERM,
15052 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15053 	},
15054 	{
15055 		.cmd = NL80211_CMD_SET_KEY,
15056 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15057 		.doit = nl80211_set_key,
15058 		.flags = GENL_UNS_ADMIN_PERM,
15059 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15060 				  NL80211_FLAG_CLEAR_SKB,
15061 	},
15062 	{
15063 		.cmd = NL80211_CMD_NEW_KEY,
15064 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15065 		.doit = nl80211_new_key,
15066 		.flags = GENL_UNS_ADMIN_PERM,
15067 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15068 				  NL80211_FLAG_CLEAR_SKB,
15069 	},
15070 	{
15071 		.cmd = NL80211_CMD_DEL_KEY,
15072 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15073 		.doit = nl80211_del_key,
15074 		.flags = GENL_UNS_ADMIN_PERM,
15075 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15076 	},
15077 	{
15078 		.cmd = NL80211_CMD_SET_BEACON,
15079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15080 		.flags = GENL_UNS_ADMIN_PERM,
15081 		.doit = nl80211_set_beacon,
15082 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15083 	},
15084 	{
15085 		.cmd = NL80211_CMD_START_AP,
15086 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15087 		.flags = GENL_UNS_ADMIN_PERM,
15088 		.doit = nl80211_start_ap,
15089 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15090 	},
15091 	{
15092 		.cmd = NL80211_CMD_STOP_AP,
15093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15094 		.flags = GENL_UNS_ADMIN_PERM,
15095 		.doit = nl80211_stop_ap,
15096 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15097 	},
15098 	{
15099 		.cmd = NL80211_CMD_GET_STATION,
15100 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15101 		.doit = nl80211_get_station,
15102 		.dumpit = nl80211_dump_station,
15103 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15104 	},
15105 	{
15106 		.cmd = NL80211_CMD_SET_STATION,
15107 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15108 		.doit = nl80211_set_station,
15109 		.flags = GENL_UNS_ADMIN_PERM,
15110 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15111 	},
15112 	{
15113 		.cmd = NL80211_CMD_NEW_STATION,
15114 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15115 		.doit = nl80211_new_station,
15116 		.flags = GENL_UNS_ADMIN_PERM,
15117 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15118 	},
15119 	{
15120 		.cmd = NL80211_CMD_DEL_STATION,
15121 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15122 		.doit = nl80211_del_station,
15123 		.flags = GENL_UNS_ADMIN_PERM,
15124 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15125 	},
15126 	{
15127 		.cmd = NL80211_CMD_GET_MPATH,
15128 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15129 		.doit = nl80211_get_mpath,
15130 		.dumpit = nl80211_dump_mpath,
15131 		.flags = GENL_UNS_ADMIN_PERM,
15132 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15133 	},
15134 	{
15135 		.cmd = NL80211_CMD_GET_MPP,
15136 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15137 		.doit = nl80211_get_mpp,
15138 		.dumpit = nl80211_dump_mpp,
15139 		.flags = GENL_UNS_ADMIN_PERM,
15140 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15141 	},
15142 	{
15143 		.cmd = NL80211_CMD_SET_MPATH,
15144 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15145 		.doit = nl80211_set_mpath,
15146 		.flags = GENL_UNS_ADMIN_PERM,
15147 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15148 	},
15149 	{
15150 		.cmd = NL80211_CMD_NEW_MPATH,
15151 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15152 		.doit = nl80211_new_mpath,
15153 		.flags = GENL_UNS_ADMIN_PERM,
15154 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15155 	},
15156 	{
15157 		.cmd = NL80211_CMD_DEL_MPATH,
15158 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15159 		.doit = nl80211_del_mpath,
15160 		.flags = GENL_UNS_ADMIN_PERM,
15161 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15162 	},
15163 	{
15164 		.cmd = NL80211_CMD_SET_BSS,
15165 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15166 		.doit = nl80211_set_bss,
15167 		.flags = GENL_UNS_ADMIN_PERM,
15168 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15169 	},
15170 	{
15171 		.cmd = NL80211_CMD_GET_REG,
15172 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15173 		.doit = nl80211_get_reg_do,
15174 		.dumpit = nl80211_get_reg_dump,
15175 		.internal_flags = 0,
15176 		/* can be retrieved by unprivileged users */
15177 	},
15178 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
15179 	{
15180 		.cmd = NL80211_CMD_SET_REG,
15181 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15182 		.doit = nl80211_set_reg,
15183 		.flags = GENL_ADMIN_PERM,
15184 		.internal_flags = 0,
15185 	},
15186 #endif
15187 	{
15188 		.cmd = NL80211_CMD_REQ_SET_REG,
15189 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15190 		.doit = nl80211_req_set_reg,
15191 		.flags = GENL_ADMIN_PERM,
15192 	},
15193 	{
15194 		.cmd = NL80211_CMD_RELOAD_REGDB,
15195 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15196 		.doit = nl80211_reload_regdb,
15197 		.flags = GENL_ADMIN_PERM,
15198 	},
15199 	{
15200 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
15201 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15202 		.doit = nl80211_get_mesh_config,
15203 		/* can be retrieved by unprivileged users */
15204 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15205 	},
15206 	{
15207 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
15208 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15209 		.doit = nl80211_update_mesh_config,
15210 		.flags = GENL_UNS_ADMIN_PERM,
15211 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15212 	},
15213 	{
15214 		.cmd = NL80211_CMD_TRIGGER_SCAN,
15215 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15216 		.doit = nl80211_trigger_scan,
15217 		.flags = GENL_UNS_ADMIN_PERM,
15218 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15219 	},
15220 	{
15221 		.cmd = NL80211_CMD_ABORT_SCAN,
15222 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15223 		.doit = nl80211_abort_scan,
15224 		.flags = GENL_UNS_ADMIN_PERM,
15225 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15226 	},
15227 	{
15228 		.cmd = NL80211_CMD_GET_SCAN,
15229 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15230 		.dumpit = nl80211_dump_scan,
15231 	},
15232 	{
15233 		.cmd = NL80211_CMD_START_SCHED_SCAN,
15234 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15235 		.doit = nl80211_start_sched_scan,
15236 		.flags = GENL_UNS_ADMIN_PERM,
15237 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15238 	},
15239 	{
15240 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
15241 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15242 		.doit = nl80211_stop_sched_scan,
15243 		.flags = GENL_UNS_ADMIN_PERM,
15244 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15245 	},
15246 	{
15247 		.cmd = NL80211_CMD_AUTHENTICATE,
15248 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15249 		.doit = nl80211_authenticate,
15250 		.flags = GENL_UNS_ADMIN_PERM,
15251 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15252 				  0 |
15253 				  NL80211_FLAG_CLEAR_SKB,
15254 	},
15255 	{
15256 		.cmd = NL80211_CMD_ASSOCIATE,
15257 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15258 		.doit = nl80211_associate,
15259 		.flags = GENL_UNS_ADMIN_PERM,
15260 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15261 				  0 |
15262 				  NL80211_FLAG_CLEAR_SKB,
15263 	},
15264 	{
15265 		.cmd = NL80211_CMD_DEAUTHENTICATE,
15266 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15267 		.doit = nl80211_deauthenticate,
15268 		.flags = GENL_UNS_ADMIN_PERM,
15269 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15270 	},
15271 	{
15272 		.cmd = NL80211_CMD_DISASSOCIATE,
15273 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15274 		.doit = nl80211_disassociate,
15275 		.flags = GENL_UNS_ADMIN_PERM,
15276 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15277 	},
15278 	{
15279 		.cmd = NL80211_CMD_JOIN_IBSS,
15280 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15281 		.doit = nl80211_join_ibss,
15282 		.flags = GENL_UNS_ADMIN_PERM,
15283 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15284 	},
15285 	{
15286 		.cmd = NL80211_CMD_LEAVE_IBSS,
15287 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15288 		.doit = nl80211_leave_ibss,
15289 		.flags = GENL_UNS_ADMIN_PERM,
15290 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15291 	},
15292 #ifdef CONFIG_NL80211_TESTMODE
15293 	{
15294 		.cmd = NL80211_CMD_TESTMODE,
15295 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15296 		.doit = nl80211_testmode_do,
15297 		.dumpit = nl80211_testmode_dump,
15298 		.flags = GENL_UNS_ADMIN_PERM,
15299 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15300 	},
15301 #endif
15302 	{
15303 		.cmd = NL80211_CMD_CONNECT,
15304 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15305 		.doit = nl80211_connect,
15306 		.flags = GENL_UNS_ADMIN_PERM,
15307 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15308 				  0 |
15309 				  NL80211_FLAG_CLEAR_SKB,
15310 	},
15311 	{
15312 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
15313 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15314 		.doit = nl80211_update_connect_params,
15315 		.flags = GENL_ADMIN_PERM,
15316 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15317 				  0 |
15318 				  NL80211_FLAG_CLEAR_SKB,
15319 	},
15320 	{
15321 		.cmd = NL80211_CMD_DISCONNECT,
15322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15323 		.doit = nl80211_disconnect,
15324 		.flags = GENL_UNS_ADMIN_PERM,
15325 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15326 	},
15327 	{
15328 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
15329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15330 		.doit = nl80211_wiphy_netns,
15331 		.flags = GENL_UNS_ADMIN_PERM,
15332 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15333 	},
15334 	{
15335 		.cmd = NL80211_CMD_GET_SURVEY,
15336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15337 		.dumpit = nl80211_dump_survey,
15338 	},
15339 	{
15340 		.cmd = NL80211_CMD_SET_PMKSA,
15341 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15342 		.doit = nl80211_setdel_pmksa,
15343 		.flags = GENL_UNS_ADMIN_PERM,
15344 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15345 				  0 |
15346 				  NL80211_FLAG_CLEAR_SKB,
15347 	},
15348 	{
15349 		.cmd = NL80211_CMD_DEL_PMKSA,
15350 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15351 		.doit = nl80211_setdel_pmksa,
15352 		.flags = GENL_UNS_ADMIN_PERM,
15353 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15354 	},
15355 	{
15356 		.cmd = NL80211_CMD_FLUSH_PMKSA,
15357 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15358 		.doit = nl80211_flush_pmksa,
15359 		.flags = GENL_UNS_ADMIN_PERM,
15360 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15361 	},
15362 	{
15363 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
15364 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15365 		.doit = nl80211_remain_on_channel,
15366 		.flags = GENL_UNS_ADMIN_PERM,
15367 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15368 	},
15369 	{
15370 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
15371 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15372 		.doit = nl80211_cancel_remain_on_channel,
15373 		.flags = GENL_UNS_ADMIN_PERM,
15374 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15375 	},
15376 	{
15377 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
15378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15379 		.doit = nl80211_set_tx_bitrate_mask,
15380 		.flags = GENL_UNS_ADMIN_PERM,
15381 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15382 	},
15383 	{
15384 		.cmd = NL80211_CMD_REGISTER_FRAME,
15385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15386 		.doit = nl80211_register_mgmt,
15387 		.flags = GENL_UNS_ADMIN_PERM,
15388 		.internal_flags = NL80211_FLAG_NEED_WDEV,
15389 	},
15390 	{
15391 		.cmd = NL80211_CMD_FRAME,
15392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15393 		.doit = nl80211_tx_mgmt,
15394 		.flags = GENL_UNS_ADMIN_PERM,
15395 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15396 	},
15397 	{
15398 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
15399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15400 		.doit = nl80211_tx_mgmt_cancel_wait,
15401 		.flags = GENL_UNS_ADMIN_PERM,
15402 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15403 	},
15404 	{
15405 		.cmd = NL80211_CMD_SET_POWER_SAVE,
15406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15407 		.doit = nl80211_set_power_save,
15408 		.flags = GENL_UNS_ADMIN_PERM,
15409 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15410 	},
15411 	{
15412 		.cmd = NL80211_CMD_GET_POWER_SAVE,
15413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15414 		.doit = nl80211_get_power_save,
15415 		/* can be retrieved by unprivileged users */
15416 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15417 	},
15418 	{
15419 		.cmd = NL80211_CMD_SET_CQM,
15420 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15421 		.doit = nl80211_set_cqm,
15422 		.flags = GENL_UNS_ADMIN_PERM,
15423 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15424 	},
15425 	{
15426 		.cmd = NL80211_CMD_SET_CHANNEL,
15427 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15428 		.doit = nl80211_set_channel,
15429 		.flags = GENL_UNS_ADMIN_PERM,
15430 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15431 	},
15432 	{
15433 		.cmd = NL80211_CMD_JOIN_MESH,
15434 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15435 		.doit = nl80211_join_mesh,
15436 		.flags = GENL_UNS_ADMIN_PERM,
15437 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15438 	},
15439 	{
15440 		.cmd = NL80211_CMD_LEAVE_MESH,
15441 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15442 		.doit = nl80211_leave_mesh,
15443 		.flags = GENL_UNS_ADMIN_PERM,
15444 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15445 	},
15446 	{
15447 		.cmd = NL80211_CMD_JOIN_OCB,
15448 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15449 		.doit = nl80211_join_ocb,
15450 		.flags = GENL_UNS_ADMIN_PERM,
15451 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15452 	},
15453 	{
15454 		.cmd = NL80211_CMD_LEAVE_OCB,
15455 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15456 		.doit = nl80211_leave_ocb,
15457 		.flags = GENL_UNS_ADMIN_PERM,
15458 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15459 	},
15460 #ifdef CONFIG_PM
15461 	{
15462 		.cmd = NL80211_CMD_GET_WOWLAN,
15463 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15464 		.doit = nl80211_get_wowlan,
15465 		/* can be retrieved by unprivileged users */
15466 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15467 	},
15468 	{
15469 		.cmd = NL80211_CMD_SET_WOWLAN,
15470 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15471 		.doit = nl80211_set_wowlan,
15472 		.flags = GENL_UNS_ADMIN_PERM,
15473 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15474 	},
15475 #endif
15476 	{
15477 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
15478 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15479 		.doit = nl80211_set_rekey_data,
15480 		.flags = GENL_UNS_ADMIN_PERM,
15481 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15482 				  0 |
15483 				  NL80211_FLAG_CLEAR_SKB,
15484 	},
15485 	{
15486 		.cmd = NL80211_CMD_TDLS_MGMT,
15487 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15488 		.doit = nl80211_tdls_mgmt,
15489 		.flags = GENL_UNS_ADMIN_PERM,
15490 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15491 	},
15492 	{
15493 		.cmd = NL80211_CMD_TDLS_OPER,
15494 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15495 		.doit = nl80211_tdls_oper,
15496 		.flags = GENL_UNS_ADMIN_PERM,
15497 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15498 	},
15499 	{
15500 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
15501 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15502 		.doit = nl80211_register_unexpected_frame,
15503 		.flags = GENL_UNS_ADMIN_PERM,
15504 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15505 	},
15506 	{
15507 		.cmd = NL80211_CMD_PROBE_CLIENT,
15508 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15509 		.doit = nl80211_probe_client,
15510 		.flags = GENL_UNS_ADMIN_PERM,
15511 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15512 	},
15513 	{
15514 		.cmd = NL80211_CMD_REGISTER_BEACONS,
15515 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15516 		.doit = nl80211_register_beacons,
15517 		.flags = GENL_UNS_ADMIN_PERM,
15518 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15519 	},
15520 	{
15521 		.cmd = NL80211_CMD_SET_NOACK_MAP,
15522 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15523 		.doit = nl80211_set_noack_map,
15524 		.flags = GENL_UNS_ADMIN_PERM,
15525 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15526 	},
15527 	{
15528 		.cmd = NL80211_CMD_START_P2P_DEVICE,
15529 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15530 		.doit = nl80211_start_p2p_device,
15531 		.flags = GENL_UNS_ADMIN_PERM,
15532 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15533 				  NL80211_FLAG_NEED_RTNL,
15534 	},
15535 	{
15536 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
15537 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15538 		.doit = nl80211_stop_p2p_device,
15539 		.flags = GENL_UNS_ADMIN_PERM,
15540 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15541 				  NL80211_FLAG_NEED_RTNL,
15542 	},
15543 	{
15544 		.cmd = NL80211_CMD_START_NAN,
15545 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15546 		.doit = nl80211_start_nan,
15547 		.flags = GENL_ADMIN_PERM,
15548 		.internal_flags = NL80211_FLAG_NEED_WDEV |
15549 				  NL80211_FLAG_NEED_RTNL,
15550 	},
15551 	{
15552 		.cmd = NL80211_CMD_STOP_NAN,
15553 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15554 		.doit = nl80211_stop_nan,
15555 		.flags = GENL_ADMIN_PERM,
15556 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15557 				  NL80211_FLAG_NEED_RTNL,
15558 	},
15559 	{
15560 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
15561 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15562 		.doit = nl80211_nan_add_func,
15563 		.flags = GENL_ADMIN_PERM,
15564 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15565 	},
15566 	{
15567 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
15568 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15569 		.doit = nl80211_nan_del_func,
15570 		.flags = GENL_ADMIN_PERM,
15571 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15572 	},
15573 	{
15574 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
15575 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15576 		.doit = nl80211_nan_change_config,
15577 		.flags = GENL_ADMIN_PERM,
15578 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15579 	},
15580 	{
15581 		.cmd = NL80211_CMD_SET_MCAST_RATE,
15582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15583 		.doit = nl80211_set_mcast_rate,
15584 		.flags = GENL_UNS_ADMIN_PERM,
15585 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15586 	},
15587 	{
15588 		.cmd = NL80211_CMD_SET_MAC_ACL,
15589 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15590 		.doit = nl80211_set_mac_acl,
15591 		.flags = GENL_UNS_ADMIN_PERM,
15592 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15593 	},
15594 	{
15595 		.cmd = NL80211_CMD_RADAR_DETECT,
15596 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15597 		.doit = nl80211_start_radar_detection,
15598 		.flags = GENL_UNS_ADMIN_PERM,
15599 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15600 	},
15601 	{
15602 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
15603 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15604 		.doit = nl80211_get_protocol_features,
15605 	},
15606 	{
15607 		.cmd = NL80211_CMD_UPDATE_FT_IES,
15608 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15609 		.doit = nl80211_update_ft_ies,
15610 		.flags = GENL_UNS_ADMIN_PERM,
15611 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15612 	},
15613 	{
15614 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
15615 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15616 		.doit = nl80211_crit_protocol_start,
15617 		.flags = GENL_UNS_ADMIN_PERM,
15618 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15619 	},
15620 	{
15621 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
15622 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15623 		.doit = nl80211_crit_protocol_stop,
15624 		.flags = GENL_UNS_ADMIN_PERM,
15625 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15626 	},
15627 	{
15628 		.cmd = NL80211_CMD_GET_COALESCE,
15629 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15630 		.doit = nl80211_get_coalesce,
15631 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15632 	},
15633 	{
15634 		.cmd = NL80211_CMD_SET_COALESCE,
15635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15636 		.doit = nl80211_set_coalesce,
15637 		.flags = GENL_UNS_ADMIN_PERM,
15638 		.internal_flags = NL80211_FLAG_NEED_WIPHY,
15639 	},
15640 	{
15641 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15642 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15643 		.doit = nl80211_channel_switch,
15644 		.flags = GENL_UNS_ADMIN_PERM,
15645 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15646 	},
15647 	{
15648 		.cmd = NL80211_CMD_VENDOR,
15649 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15650 		.doit = nl80211_vendor_cmd,
15651 		.dumpit = nl80211_vendor_cmd_dump,
15652 		.flags = GENL_UNS_ADMIN_PERM,
15653 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15654 				  0 |
15655 				  NL80211_FLAG_CLEAR_SKB,
15656 	},
15657 	{
15658 		.cmd = NL80211_CMD_SET_QOS_MAP,
15659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15660 		.doit = nl80211_set_qos_map,
15661 		.flags = GENL_UNS_ADMIN_PERM,
15662 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15663 	},
15664 	{
15665 		.cmd = NL80211_CMD_ADD_TX_TS,
15666 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15667 		.doit = nl80211_add_tx_ts,
15668 		.flags = GENL_UNS_ADMIN_PERM,
15669 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15670 	},
15671 	{
15672 		.cmd = NL80211_CMD_DEL_TX_TS,
15673 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15674 		.doit = nl80211_del_tx_ts,
15675 		.flags = GENL_UNS_ADMIN_PERM,
15676 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15677 	},
15678 	{
15679 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15680 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15681 		.doit = nl80211_tdls_channel_switch,
15682 		.flags = GENL_UNS_ADMIN_PERM,
15683 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15684 	},
15685 	{
15686 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15687 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15688 		.doit = nl80211_tdls_cancel_channel_switch,
15689 		.flags = GENL_UNS_ADMIN_PERM,
15690 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15691 	},
15692 	{
15693 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15694 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15695 		.doit = nl80211_set_multicast_to_unicast,
15696 		.flags = GENL_UNS_ADMIN_PERM,
15697 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15698 	},
15699 	{
15700 		.cmd = NL80211_CMD_SET_PMK,
15701 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15702 		.doit = nl80211_set_pmk,
15703 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15704 				  0 |
15705 				  NL80211_FLAG_CLEAR_SKB,
15706 	},
15707 	{
15708 		.cmd = NL80211_CMD_DEL_PMK,
15709 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15710 		.doit = nl80211_del_pmk,
15711 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15712 	},
15713 	{
15714 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15716 		.doit = nl80211_external_auth,
15717 		.flags = GENL_ADMIN_PERM,
15718 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15719 	},
15720 	{
15721 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15722 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15723 		.doit = nl80211_tx_control_port,
15724 		.flags = GENL_UNS_ADMIN_PERM,
15725 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15726 	},
15727 	{
15728 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15730 		.doit = nl80211_get_ftm_responder_stats,
15731 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15732 	},
15733 	{
15734 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15735 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15736 		.doit = nl80211_pmsr_start,
15737 		.flags = GENL_UNS_ADMIN_PERM,
15738 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP,
15739 	},
15740 	{
15741 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15742 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15743 		.doit = nl80211_notify_radar_detection,
15744 		.flags = GENL_UNS_ADMIN_PERM,
15745 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15746 	},
15747 	{
15748 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15749 		.doit = nl80211_update_owe_info,
15750 		.flags = GENL_ADMIN_PERM,
15751 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15752 	},
15753 	{
15754 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15755 		.doit = nl80211_probe_mesh_link,
15756 		.flags = GENL_UNS_ADMIN_PERM,
15757 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP,
15758 	},
15759 	{
15760 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15761 		.doit = nl80211_set_tid_config,
15762 		.flags = GENL_UNS_ADMIN_PERM,
15763 		.internal_flags = NL80211_FLAG_NEED_NETDEV,
15764 	},
15765 	{
15766 		.cmd = NL80211_CMD_SET_SAR_SPECS,
15767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15768 		.doit = nl80211_set_sar_specs,
15769 		.flags = GENL_UNS_ADMIN_PERM,
15770 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15771 				  NL80211_FLAG_NEED_RTNL,
15772 	},
15773 };
15774 
15775 static struct genl_family nl80211_fam __ro_after_init = {
15776 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15777 	.hdrsize = 0,			/* no private header */
15778 	.version = 1,			/* no particular meaning now */
15779 	.maxattr = NL80211_ATTR_MAX,
15780 	.policy = nl80211_policy,
15781 	.netnsok = true,
15782 	.pre_doit = nl80211_pre_doit,
15783 	.post_doit = nl80211_post_doit,
15784 	.module = THIS_MODULE,
15785 	.ops = nl80211_ops,
15786 	.n_ops = ARRAY_SIZE(nl80211_ops),
15787 	.small_ops = nl80211_small_ops,
15788 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
15789 	.mcgrps = nl80211_mcgrps,
15790 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15791 	.parallel_ops = true,
15792 };
15793 
15794 /* notification functions */
15795 
15796 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15797 			  enum nl80211_commands cmd)
15798 {
15799 	struct sk_buff *msg;
15800 	struct nl80211_dump_wiphy_state state = {};
15801 
15802 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15803 		cmd != NL80211_CMD_DEL_WIPHY);
15804 
15805 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15806 	if (!msg)
15807 		return;
15808 
15809 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15810 		nlmsg_free(msg);
15811 		return;
15812 	}
15813 
15814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15815 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15816 }
15817 
15818 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15819 				struct wireless_dev *wdev,
15820 				enum nl80211_commands cmd)
15821 {
15822 	struct sk_buff *msg;
15823 
15824 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15825 	if (!msg)
15826 		return;
15827 
15828 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15829 		nlmsg_free(msg);
15830 		return;
15831 	}
15832 
15833 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15834 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15835 }
15836 
15837 static int nl80211_add_scan_req(struct sk_buff *msg,
15838 				struct cfg80211_registered_device *rdev)
15839 {
15840 	struct cfg80211_scan_request *req = rdev->scan_req;
15841 	struct nlattr *nest;
15842 	int i;
15843 	struct cfg80211_scan_info *info;
15844 
15845 	if (WARN_ON(!req))
15846 		return 0;
15847 
15848 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15849 	if (!nest)
15850 		goto nla_put_failure;
15851 	for (i = 0; i < req->n_ssids; i++) {
15852 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15853 			goto nla_put_failure;
15854 	}
15855 	nla_nest_end(msg, nest);
15856 
15857 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
15858 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
15859 		if (!nest)
15860 			goto nla_put_failure;
15861 		for (i = 0; i < req->n_channels; i++) {
15862 			if (nla_put_u32(msg, i,
15863 				   ieee80211_channel_to_khz(req->channels[i])))
15864 				goto nla_put_failure;
15865 		}
15866 		nla_nest_end(msg, nest);
15867 	} else {
15868 		nest = nla_nest_start_noflag(msg,
15869 					     NL80211_ATTR_SCAN_FREQUENCIES);
15870 		if (!nest)
15871 			goto nla_put_failure;
15872 		for (i = 0; i < req->n_channels; i++) {
15873 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15874 				goto nla_put_failure;
15875 		}
15876 		nla_nest_end(msg, nest);
15877 	}
15878 
15879 	if (req->ie &&
15880 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15881 		goto nla_put_failure;
15882 
15883 	if (req->flags &&
15884 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15885 		goto nla_put_failure;
15886 
15887 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
15888 		&rdev->scan_req->info;
15889 	if (info->scan_start_tsf &&
15890 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15891 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
15892 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15893 		     info->tsf_bssid)))
15894 		goto nla_put_failure;
15895 
15896 	return 0;
15897  nla_put_failure:
15898 	return -ENOBUFS;
15899 }
15900 
15901 static int nl80211_prep_scan_msg(struct sk_buff *msg,
15902 				 struct cfg80211_registered_device *rdev,
15903 				 struct wireless_dev *wdev,
15904 				 u32 portid, u32 seq, int flags,
15905 				 u32 cmd)
15906 {
15907 	void *hdr;
15908 
15909 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15910 	if (!hdr)
15911 		return -1;
15912 
15913 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15914 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15915 					 wdev->netdev->ifindex)) ||
15916 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15917 			      NL80211_ATTR_PAD))
15918 		goto nla_put_failure;
15919 
15920 	/* ignore errors and send incomplete event anyway */
15921 	nl80211_add_scan_req(msg, rdev);
15922 
15923 	genlmsg_end(msg, hdr);
15924 	return 0;
15925 
15926  nla_put_failure:
15927 	genlmsg_cancel(msg, hdr);
15928 	return -EMSGSIZE;
15929 }
15930 
15931 static int
15932 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15933 			    struct cfg80211_sched_scan_request *req, u32 cmd)
15934 {
15935 	void *hdr;
15936 
15937 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15938 	if (!hdr)
15939 		return -1;
15940 
15941 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15942 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15943 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15944 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15945 			      NL80211_ATTR_PAD))
15946 		goto nla_put_failure;
15947 
15948 	genlmsg_end(msg, hdr);
15949 	return 0;
15950 
15951  nla_put_failure:
15952 	genlmsg_cancel(msg, hdr);
15953 	return -EMSGSIZE;
15954 }
15955 
15956 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15957 			     struct wireless_dev *wdev)
15958 {
15959 	struct sk_buff *msg;
15960 
15961 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15962 	if (!msg)
15963 		return;
15964 
15965 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15966 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15967 		nlmsg_free(msg);
15968 		return;
15969 	}
15970 
15971 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15972 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15973 }
15974 
15975 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15976 				       struct wireless_dev *wdev, bool aborted)
15977 {
15978 	struct sk_buff *msg;
15979 
15980 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15981 	if (!msg)
15982 		return NULL;
15983 
15984 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15985 				  aborted ? NL80211_CMD_SCAN_ABORTED :
15986 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15987 		nlmsg_free(msg);
15988 		return NULL;
15989 	}
15990 
15991 	return msg;
15992 }
15993 
15994 /* send message created by nl80211_build_scan_msg() */
15995 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15996 			   struct sk_buff *msg)
15997 {
15998 	if (!msg)
15999 		return;
16000 
16001 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16002 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16003 }
16004 
16005 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
16006 {
16007 	struct sk_buff *msg;
16008 
16009 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16010 	if (!msg)
16011 		return;
16012 
16013 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
16014 		nlmsg_free(msg);
16015 		return;
16016 	}
16017 
16018 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
16019 				NL80211_MCGRP_SCAN, GFP_KERNEL);
16020 }
16021 
16022 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
16023 					  struct regulatory_request *request)
16024 {
16025 	/* Userspace can always count this one always being set */
16026 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
16027 		goto nla_put_failure;
16028 
16029 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
16030 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16031 			       NL80211_REGDOM_TYPE_WORLD))
16032 			goto nla_put_failure;
16033 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
16034 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16035 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
16036 			goto nla_put_failure;
16037 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
16038 		   request->intersect) {
16039 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16040 			       NL80211_REGDOM_TYPE_INTERSECTION))
16041 			goto nla_put_failure;
16042 	} else {
16043 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
16044 			       NL80211_REGDOM_TYPE_COUNTRY) ||
16045 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
16046 				   request->alpha2))
16047 			goto nla_put_failure;
16048 	}
16049 
16050 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
16051 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
16052 
16053 		if (wiphy &&
16054 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
16055 			goto nla_put_failure;
16056 
16057 		if (wiphy &&
16058 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
16059 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
16060 			goto nla_put_failure;
16061 	}
16062 
16063 	return true;
16064 
16065 nla_put_failure:
16066 	return false;
16067 }
16068 
16069 /*
16070  * This can happen on global regulatory changes or device specific settings
16071  * based on custom regulatory domains.
16072  */
16073 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
16074 				     struct regulatory_request *request)
16075 {
16076 	struct sk_buff *msg;
16077 	void *hdr;
16078 
16079 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16080 	if (!msg)
16081 		return;
16082 
16083 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
16084 	if (!hdr)
16085 		goto nla_put_failure;
16086 
16087 	if (!nl80211_reg_change_event_fill(msg, request))
16088 		goto nla_put_failure;
16089 
16090 	genlmsg_end(msg, hdr);
16091 
16092 	rcu_read_lock();
16093 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16094 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16095 	rcu_read_unlock();
16096 
16097 	return;
16098 
16099 nla_put_failure:
16100 	nlmsg_free(msg);
16101 }
16102 
16103 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
16104 				    struct net_device *netdev,
16105 				    const u8 *buf, size_t len,
16106 				    enum nl80211_commands cmd, gfp_t gfp,
16107 				    int uapsd_queues, const u8 *req_ies,
16108 				    size_t req_ies_len, bool reconnect)
16109 {
16110 	struct sk_buff *msg;
16111 	void *hdr;
16112 
16113 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
16114 	if (!msg)
16115 		return;
16116 
16117 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16118 	if (!hdr) {
16119 		nlmsg_free(msg);
16120 		return;
16121 	}
16122 
16123 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16124 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16125 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16126 	    (req_ies &&
16127 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
16128 		goto nla_put_failure;
16129 
16130 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
16131 		goto nla_put_failure;
16132 
16133 	if (uapsd_queues >= 0) {
16134 		struct nlattr *nla_wmm =
16135 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
16136 		if (!nla_wmm)
16137 			goto nla_put_failure;
16138 
16139 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
16140 			       uapsd_queues))
16141 			goto nla_put_failure;
16142 
16143 		nla_nest_end(msg, nla_wmm);
16144 	}
16145 
16146 	genlmsg_end(msg, hdr);
16147 
16148 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16149 				NL80211_MCGRP_MLME, gfp);
16150 	return;
16151 
16152  nla_put_failure:
16153 	nlmsg_free(msg);
16154 }
16155 
16156 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
16157 			  struct net_device *netdev, const u8 *buf,
16158 			  size_t len, gfp_t gfp)
16159 {
16160 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16161 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
16162 				false);
16163 }
16164 
16165 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
16166 			   struct net_device *netdev, const u8 *buf,
16167 			   size_t len, gfp_t gfp, int uapsd_queues,
16168 			   const u8 *req_ies, size_t req_ies_len)
16169 {
16170 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16171 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
16172 				req_ies, req_ies_len, false);
16173 }
16174 
16175 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
16176 			 struct net_device *netdev, const u8 *buf,
16177 			 size_t len, bool reconnect, gfp_t gfp)
16178 {
16179 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16180 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
16181 				reconnect);
16182 }
16183 
16184 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
16185 			   struct net_device *netdev, const u8 *buf,
16186 			   size_t len, bool reconnect, gfp_t gfp)
16187 {
16188 	nl80211_send_mlme_event(rdev, netdev, buf, len,
16189 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
16190 				reconnect);
16191 }
16192 
16193 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
16194 				  size_t len)
16195 {
16196 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16197 	struct wiphy *wiphy = wdev->wiphy;
16198 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16199 	const struct ieee80211_mgmt *mgmt = (void *)buf;
16200 	u32 cmd;
16201 
16202 	if (WARN_ON(len < 2))
16203 		return;
16204 
16205 	if (ieee80211_is_deauth(mgmt->frame_control)) {
16206 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
16207 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
16208 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
16209 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
16210 		if (wdev->unprot_beacon_reported &&
16211 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
16212 			return;
16213 		cmd = NL80211_CMD_UNPROT_BEACON;
16214 		wdev->unprot_beacon_reported = jiffies;
16215 	} else {
16216 		return;
16217 	}
16218 
16219 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
16220 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
16221 				NULL, 0, false);
16222 }
16223 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
16224 
16225 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
16226 				      struct net_device *netdev, int cmd,
16227 				      const u8 *addr, gfp_t gfp)
16228 {
16229 	struct sk_buff *msg;
16230 	void *hdr;
16231 
16232 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16233 	if (!msg)
16234 		return;
16235 
16236 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16237 	if (!hdr) {
16238 		nlmsg_free(msg);
16239 		return;
16240 	}
16241 
16242 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16243 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16244 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16245 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16246 		goto nla_put_failure;
16247 
16248 	genlmsg_end(msg, hdr);
16249 
16250 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16251 				NL80211_MCGRP_MLME, gfp);
16252 	return;
16253 
16254  nla_put_failure:
16255 	nlmsg_free(msg);
16256 }
16257 
16258 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
16259 			       struct net_device *netdev, const u8 *addr,
16260 			       gfp_t gfp)
16261 {
16262 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
16263 				  addr, gfp);
16264 }
16265 
16266 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
16267 				struct net_device *netdev, const u8 *addr,
16268 				gfp_t gfp)
16269 {
16270 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
16271 				  addr, gfp);
16272 }
16273 
16274 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
16275 				 struct net_device *netdev,
16276 				 struct cfg80211_connect_resp_params *cr,
16277 				 gfp_t gfp)
16278 {
16279 	struct sk_buff *msg;
16280 	void *hdr;
16281 
16282 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
16283 			cr->fils.kek_len + cr->fils.pmk_len +
16284 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16285 	if (!msg)
16286 		return;
16287 
16288 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
16289 	if (!hdr) {
16290 		nlmsg_free(msg);
16291 		return;
16292 	}
16293 
16294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16295 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16296 	    (cr->bssid &&
16297 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
16298 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
16299 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
16300 			cr->status) ||
16301 	    (cr->status < 0 &&
16302 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
16303 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
16304 			  cr->timeout_reason))) ||
16305 	    (cr->req_ie &&
16306 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
16307 	    (cr->resp_ie &&
16308 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
16309 		     cr->resp_ie)) ||
16310 	    (cr->fils.update_erp_next_seq_num &&
16311 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16312 			 cr->fils.erp_next_seq_num)) ||
16313 	    (cr->status == WLAN_STATUS_SUCCESS &&
16314 	     ((cr->fils.kek &&
16315 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
16316 		       cr->fils.kek)) ||
16317 	      (cr->fils.pmk &&
16318 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
16319 	      (cr->fils.pmkid &&
16320 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
16321 		goto nla_put_failure;
16322 
16323 	genlmsg_end(msg, hdr);
16324 
16325 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16326 				NL80211_MCGRP_MLME, gfp);
16327 	return;
16328 
16329  nla_put_failure:
16330 	nlmsg_free(msg);
16331 }
16332 
16333 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
16334 			 struct net_device *netdev,
16335 			 struct cfg80211_roam_info *info, gfp_t gfp)
16336 {
16337 	struct sk_buff *msg;
16338 	void *hdr;
16339 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
16340 
16341 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
16342 			info->fils.kek_len + info->fils.pmk_len +
16343 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
16344 	if (!msg)
16345 		return;
16346 
16347 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
16348 	if (!hdr) {
16349 		nlmsg_free(msg);
16350 		return;
16351 	}
16352 
16353 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16354 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16355 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
16356 	    (info->req_ie &&
16357 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
16358 		     info->req_ie)) ||
16359 	    (info->resp_ie &&
16360 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
16361 		     info->resp_ie)) ||
16362 	    (info->fils.update_erp_next_seq_num &&
16363 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
16364 			 info->fils.erp_next_seq_num)) ||
16365 	    (info->fils.kek &&
16366 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
16367 		     info->fils.kek)) ||
16368 	    (info->fils.pmk &&
16369 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
16370 	    (info->fils.pmkid &&
16371 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
16372 		goto nla_put_failure;
16373 
16374 	genlmsg_end(msg, hdr);
16375 
16376 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16377 				NL80211_MCGRP_MLME, gfp);
16378 	return;
16379 
16380  nla_put_failure:
16381 	nlmsg_free(msg);
16382 }
16383 
16384 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
16385 				  struct net_device *netdev, const u8 *bssid)
16386 {
16387 	struct sk_buff *msg;
16388 	void *hdr;
16389 
16390 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
16391 	if (!msg)
16392 		return;
16393 
16394 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
16395 	if (!hdr) {
16396 		nlmsg_free(msg);
16397 		return;
16398 	}
16399 
16400 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16401 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16402 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16403 		goto nla_put_failure;
16404 
16405 	genlmsg_end(msg, hdr);
16406 
16407 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16408 				NL80211_MCGRP_MLME, GFP_KERNEL);
16409 	return;
16410 
16411  nla_put_failure:
16412 	nlmsg_free(msg);
16413 }
16414 
16415 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
16416 			       struct net_device *netdev, u16 reason,
16417 			       const u8 *ie, size_t ie_len, bool from_ap)
16418 {
16419 	struct sk_buff *msg;
16420 	void *hdr;
16421 
16422 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
16423 	if (!msg)
16424 		return;
16425 
16426 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
16427 	if (!hdr) {
16428 		nlmsg_free(msg);
16429 		return;
16430 	}
16431 
16432 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16433 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16434 	    (reason &&
16435 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
16436 	    (from_ap &&
16437 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
16438 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
16439 		goto nla_put_failure;
16440 
16441 	genlmsg_end(msg, hdr);
16442 
16443 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16444 				NL80211_MCGRP_MLME, GFP_KERNEL);
16445 	return;
16446 
16447  nla_put_failure:
16448 	nlmsg_free(msg);
16449 }
16450 
16451 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
16452 			     struct net_device *netdev, const u8 *bssid,
16453 			     gfp_t gfp)
16454 {
16455 	struct sk_buff *msg;
16456 	void *hdr;
16457 
16458 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16459 	if (!msg)
16460 		return;
16461 
16462 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
16463 	if (!hdr) {
16464 		nlmsg_free(msg);
16465 		return;
16466 	}
16467 
16468 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16469 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16470 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16471 		goto nla_put_failure;
16472 
16473 	genlmsg_end(msg, hdr);
16474 
16475 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16476 				NL80211_MCGRP_MLME, gfp);
16477 	return;
16478 
16479  nla_put_failure:
16480 	nlmsg_free(msg);
16481 }
16482 
16483 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
16484 					const u8 *ie, u8 ie_len,
16485 					int sig_dbm, gfp_t gfp)
16486 {
16487 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16488 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16489 	struct sk_buff *msg;
16490 	void *hdr;
16491 
16492 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
16493 		return;
16494 
16495 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
16496 
16497 	msg = nlmsg_new(100 + ie_len, gfp);
16498 	if (!msg)
16499 		return;
16500 
16501 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
16502 	if (!hdr) {
16503 		nlmsg_free(msg);
16504 		return;
16505 	}
16506 
16507 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16508 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16509 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16510 	    (ie_len && ie &&
16511 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
16512 	    (sig_dbm &&
16513 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
16514 		goto nla_put_failure;
16515 
16516 	genlmsg_end(msg, hdr);
16517 
16518 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16519 				NL80211_MCGRP_MLME, gfp);
16520 	return;
16521 
16522  nla_put_failure:
16523 	nlmsg_free(msg);
16524 }
16525 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
16526 
16527 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
16528 				 struct net_device *netdev, const u8 *addr,
16529 				 enum nl80211_key_type key_type, int key_id,
16530 				 const u8 *tsc, gfp_t gfp)
16531 {
16532 	struct sk_buff *msg;
16533 	void *hdr;
16534 
16535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16536 	if (!msg)
16537 		return;
16538 
16539 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
16540 	if (!hdr) {
16541 		nlmsg_free(msg);
16542 		return;
16543 	}
16544 
16545 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16546 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16547 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
16548 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
16549 	    (key_id != -1 &&
16550 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
16551 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
16552 		goto nla_put_failure;
16553 
16554 	genlmsg_end(msg, hdr);
16555 
16556 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16557 				NL80211_MCGRP_MLME, gfp);
16558 	return;
16559 
16560  nla_put_failure:
16561 	nlmsg_free(msg);
16562 }
16563 
16564 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
16565 				    struct ieee80211_channel *channel_before,
16566 				    struct ieee80211_channel *channel_after)
16567 {
16568 	struct sk_buff *msg;
16569 	void *hdr;
16570 	struct nlattr *nl_freq;
16571 
16572 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
16573 	if (!msg)
16574 		return;
16575 
16576 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
16577 	if (!hdr) {
16578 		nlmsg_free(msg);
16579 		return;
16580 	}
16581 
16582 	/*
16583 	 * Since we are applying the beacon hint to a wiphy we know its
16584 	 * wiphy_idx is valid
16585 	 */
16586 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
16587 		goto nla_put_failure;
16588 
16589 	/* Before */
16590 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
16591 	if (!nl_freq)
16592 		goto nla_put_failure;
16593 
16594 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
16595 		goto nla_put_failure;
16596 	nla_nest_end(msg, nl_freq);
16597 
16598 	/* After */
16599 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
16600 	if (!nl_freq)
16601 		goto nla_put_failure;
16602 
16603 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
16604 		goto nla_put_failure;
16605 	nla_nest_end(msg, nl_freq);
16606 
16607 	genlmsg_end(msg, hdr);
16608 
16609 	rcu_read_lock();
16610 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
16611 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
16612 	rcu_read_unlock();
16613 
16614 	return;
16615 
16616 nla_put_failure:
16617 	nlmsg_free(msg);
16618 }
16619 
16620 static void nl80211_send_remain_on_chan_event(
16621 	int cmd, struct cfg80211_registered_device *rdev,
16622 	struct wireless_dev *wdev, u64 cookie,
16623 	struct ieee80211_channel *chan,
16624 	unsigned int duration, gfp_t gfp)
16625 {
16626 	struct sk_buff *msg;
16627 	void *hdr;
16628 
16629 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16630 	if (!msg)
16631 		return;
16632 
16633 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16634 	if (!hdr) {
16635 		nlmsg_free(msg);
16636 		return;
16637 	}
16638 
16639 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16640 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16641 					 wdev->netdev->ifindex)) ||
16642 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16643 			      NL80211_ATTR_PAD) ||
16644 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
16645 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
16646 			NL80211_CHAN_NO_HT) ||
16647 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16648 			      NL80211_ATTR_PAD))
16649 		goto nla_put_failure;
16650 
16651 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
16652 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
16653 		goto nla_put_failure;
16654 
16655 	genlmsg_end(msg, hdr);
16656 
16657 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16658 				NL80211_MCGRP_MLME, gfp);
16659 	return;
16660 
16661  nla_put_failure:
16662 	nlmsg_free(msg);
16663 }
16664 
16665 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
16666 			       struct ieee80211_channel *chan,
16667 			       unsigned int duration, gfp_t gfp)
16668 {
16669 	struct wiphy *wiphy = wdev->wiphy;
16670 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16671 
16672 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16673 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16674 					  rdev, wdev, cookie, chan,
16675 					  duration, gfp);
16676 }
16677 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16678 
16679 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16680 					struct ieee80211_channel *chan,
16681 					gfp_t gfp)
16682 {
16683 	struct wiphy *wiphy = wdev->wiphy;
16684 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16685 
16686 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16687 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16688 					  rdev, wdev, cookie, chan, 0, gfp);
16689 }
16690 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16691 
16692 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16693 					struct ieee80211_channel *chan,
16694 					gfp_t gfp)
16695 {
16696 	struct wiphy *wiphy = wdev->wiphy;
16697 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16698 
16699 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16700 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16701 					  rdev, wdev, cookie, chan, 0, gfp);
16702 }
16703 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16704 
16705 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16706 		      struct station_info *sinfo, gfp_t gfp)
16707 {
16708 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16709 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16710 	struct sk_buff *msg;
16711 
16712 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16713 
16714 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16715 	if (!msg)
16716 		return;
16717 
16718 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16719 				 rdev, dev, mac_addr, sinfo) < 0) {
16720 		nlmsg_free(msg);
16721 		return;
16722 	}
16723 
16724 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16725 				NL80211_MCGRP_MLME, gfp);
16726 }
16727 EXPORT_SYMBOL(cfg80211_new_sta);
16728 
16729 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16730 			    struct station_info *sinfo, gfp_t gfp)
16731 {
16732 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16733 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16734 	struct sk_buff *msg;
16735 	struct station_info empty_sinfo = {};
16736 
16737 	if (!sinfo)
16738 		sinfo = &empty_sinfo;
16739 
16740 	trace_cfg80211_del_sta(dev, mac_addr);
16741 
16742 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16743 	if (!msg) {
16744 		cfg80211_sinfo_release_content(sinfo);
16745 		return;
16746 	}
16747 
16748 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16749 				 rdev, dev, mac_addr, sinfo) < 0) {
16750 		nlmsg_free(msg);
16751 		return;
16752 	}
16753 
16754 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16755 				NL80211_MCGRP_MLME, gfp);
16756 }
16757 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16758 
16759 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16760 			  enum nl80211_connect_failed_reason reason,
16761 			  gfp_t gfp)
16762 {
16763 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16764 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16765 	struct sk_buff *msg;
16766 	void *hdr;
16767 
16768 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16769 	if (!msg)
16770 		return;
16771 
16772 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16773 	if (!hdr) {
16774 		nlmsg_free(msg);
16775 		return;
16776 	}
16777 
16778 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16779 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16780 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16781 		goto nla_put_failure;
16782 
16783 	genlmsg_end(msg, hdr);
16784 
16785 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16786 				NL80211_MCGRP_MLME, gfp);
16787 	return;
16788 
16789  nla_put_failure:
16790 	nlmsg_free(msg);
16791 }
16792 EXPORT_SYMBOL(cfg80211_conn_failed);
16793 
16794 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16795 				       const u8 *addr, gfp_t gfp)
16796 {
16797 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16798 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16799 	struct sk_buff *msg;
16800 	void *hdr;
16801 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16802 
16803 	if (!nlportid)
16804 		return false;
16805 
16806 	msg = nlmsg_new(100, gfp);
16807 	if (!msg)
16808 		return true;
16809 
16810 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16811 	if (!hdr) {
16812 		nlmsg_free(msg);
16813 		return true;
16814 	}
16815 
16816 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16817 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16818 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16819 		goto nla_put_failure;
16820 
16821 	genlmsg_end(msg, hdr);
16822 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16823 	return true;
16824 
16825  nla_put_failure:
16826 	nlmsg_free(msg);
16827 	return true;
16828 }
16829 
16830 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16831 				const u8 *addr, gfp_t gfp)
16832 {
16833 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16834 	bool ret;
16835 
16836 	trace_cfg80211_rx_spurious_frame(dev, addr);
16837 
16838 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16839 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16840 		trace_cfg80211_return_bool(false);
16841 		return false;
16842 	}
16843 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16844 					 addr, gfp);
16845 	trace_cfg80211_return_bool(ret);
16846 	return ret;
16847 }
16848 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16849 
16850 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16851 					const u8 *addr, gfp_t gfp)
16852 {
16853 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16854 	bool ret;
16855 
16856 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16857 
16858 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16859 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16860 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16861 		trace_cfg80211_return_bool(false);
16862 		return false;
16863 	}
16864 	ret = __nl80211_unexpected_frame(dev,
16865 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16866 					 addr, gfp);
16867 	trace_cfg80211_return_bool(ret);
16868 	return ret;
16869 }
16870 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16871 
16872 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16873 		      struct wireless_dev *wdev, u32 nlportid,
16874 		      int freq, int sig_dbm,
16875 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16876 {
16877 	struct net_device *netdev = wdev->netdev;
16878 	struct sk_buff *msg;
16879 	void *hdr;
16880 
16881 	msg = nlmsg_new(100 + len, gfp);
16882 	if (!msg)
16883 		return -ENOMEM;
16884 
16885 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16886 	if (!hdr) {
16887 		nlmsg_free(msg);
16888 		return -ENOMEM;
16889 	}
16890 
16891 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16892 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16893 					netdev->ifindex)) ||
16894 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16895 			      NL80211_ATTR_PAD) ||
16896 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(freq)) ||
16897 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, freq % 1000) ||
16898 	    (sig_dbm &&
16899 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16900 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16901 	    (flags &&
16902 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16903 		goto nla_put_failure;
16904 
16905 	genlmsg_end(msg, hdr);
16906 
16907 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16908 
16909  nla_put_failure:
16910 	nlmsg_free(msg);
16911 	return -ENOBUFS;
16912 }
16913 
16914 static void nl80211_frame_tx_status(struct wireless_dev *wdev, u64 cookie,
16915 				    const u8 *buf, size_t len, bool ack,
16916 				    gfp_t gfp, enum nl80211_commands command)
16917 {
16918 	struct wiphy *wiphy = wdev->wiphy;
16919 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16920 	struct net_device *netdev = wdev->netdev;
16921 	struct sk_buff *msg;
16922 	void *hdr;
16923 
16924 	if (command == NL80211_CMD_FRAME_TX_STATUS)
16925 		trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16926 	else
16927 		trace_cfg80211_control_port_tx_status(wdev, cookie, ack);
16928 
16929 	msg = nlmsg_new(100 + len, gfp);
16930 	if (!msg)
16931 		return;
16932 
16933 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
16934 	if (!hdr) {
16935 		nlmsg_free(msg);
16936 		return;
16937 	}
16938 
16939 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16940 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16941 				   netdev->ifindex)) ||
16942 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16943 			      NL80211_ATTR_PAD) ||
16944 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16945 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16946 			      NL80211_ATTR_PAD) ||
16947 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16948 		goto nla_put_failure;
16949 
16950 	genlmsg_end(msg, hdr);
16951 
16952 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16953 				NL80211_MCGRP_MLME, gfp);
16954 	return;
16955 
16956 nla_put_failure:
16957 	nlmsg_free(msg);
16958 }
16959 
16960 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
16961 				     const u8 *buf, size_t len, bool ack,
16962 				     gfp_t gfp)
16963 {
16964 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16965 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
16966 }
16967 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
16968 
16969 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16970 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16971 {
16972 	nl80211_frame_tx_status(wdev, cookie, buf, len, ack, gfp,
16973 				NL80211_CMD_FRAME_TX_STATUS);
16974 }
16975 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16976 
16977 static int __nl80211_rx_control_port(struct net_device *dev,
16978 				     struct sk_buff *skb,
16979 				     bool unencrypted, gfp_t gfp)
16980 {
16981 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16982 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16983 	struct ethhdr *ehdr = eth_hdr(skb);
16984 	const u8 *addr = ehdr->h_source;
16985 	u16 proto = be16_to_cpu(skb->protocol);
16986 	struct sk_buff *msg;
16987 	void *hdr;
16988 	struct nlattr *frame;
16989 
16990 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16991 
16992 	if (!nlportid)
16993 		return -ENOENT;
16994 
16995 	msg = nlmsg_new(100 + skb->len, gfp);
16996 	if (!msg)
16997 		return -ENOMEM;
16998 
16999 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
17000 	if (!hdr) {
17001 		nlmsg_free(msg);
17002 		return -ENOBUFS;
17003 	}
17004 
17005 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17006 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17007 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17008 			      NL80211_ATTR_PAD) ||
17009 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17010 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
17011 	    (unencrypted && nla_put_flag(msg,
17012 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
17013 		goto nla_put_failure;
17014 
17015 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
17016 	if (!frame)
17017 		goto nla_put_failure;
17018 
17019 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
17020 	genlmsg_end(msg, hdr);
17021 
17022 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17023 
17024  nla_put_failure:
17025 	nlmsg_free(msg);
17026 	return -ENOBUFS;
17027 }
17028 
17029 bool cfg80211_rx_control_port(struct net_device *dev,
17030 			      struct sk_buff *skb, bool unencrypted)
17031 {
17032 	int ret;
17033 
17034 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
17035 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
17036 	trace_cfg80211_return_bool(ret == 0);
17037 	return ret == 0;
17038 }
17039 EXPORT_SYMBOL(cfg80211_rx_control_port);
17040 
17041 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
17042 					    const char *mac, gfp_t gfp)
17043 {
17044 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17045 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17046 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17047 	void **cb;
17048 
17049 	if (!msg)
17050 		return NULL;
17051 
17052 	cb = (void **)msg->cb;
17053 
17054 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
17055 	if (!cb[0]) {
17056 		nlmsg_free(msg);
17057 		return NULL;
17058 	}
17059 
17060 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17061 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17062 		goto nla_put_failure;
17063 
17064 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17065 		goto nla_put_failure;
17066 
17067 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
17068 	if (!cb[1])
17069 		goto nla_put_failure;
17070 
17071 	cb[2] = rdev;
17072 
17073 	return msg;
17074  nla_put_failure:
17075 	nlmsg_free(msg);
17076 	return NULL;
17077 }
17078 
17079 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
17080 {
17081 	void **cb = (void **)msg->cb;
17082 	struct cfg80211_registered_device *rdev = cb[2];
17083 
17084 	nla_nest_end(msg, cb[1]);
17085 	genlmsg_end(msg, cb[0]);
17086 
17087 	memset(msg->cb, 0, sizeof(msg->cb));
17088 
17089 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17090 				NL80211_MCGRP_MLME, gfp);
17091 }
17092 
17093 void cfg80211_cqm_rssi_notify(struct net_device *dev,
17094 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
17095 			      s32 rssi_level, gfp_t gfp)
17096 {
17097 	struct sk_buff *msg;
17098 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17099 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17100 
17101 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
17102 
17103 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
17104 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
17105 		return;
17106 
17107 	if (wdev->cqm_config) {
17108 		wdev->cqm_config->last_rssi_event_value = rssi_level;
17109 
17110 		cfg80211_cqm_rssi_update(rdev, dev);
17111 
17112 		if (rssi_level == 0)
17113 			rssi_level = wdev->cqm_config->last_rssi_event_value;
17114 	}
17115 
17116 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17117 	if (!msg)
17118 		return;
17119 
17120 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
17121 			rssi_event))
17122 		goto nla_put_failure;
17123 
17124 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
17125 				      rssi_level))
17126 		goto nla_put_failure;
17127 
17128 	cfg80211_send_cqm(msg, gfp);
17129 
17130 	return;
17131 
17132  nla_put_failure:
17133 	nlmsg_free(msg);
17134 }
17135 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
17136 
17137 void cfg80211_cqm_txe_notify(struct net_device *dev,
17138 			     const u8 *peer, u32 num_packets,
17139 			     u32 rate, u32 intvl, gfp_t gfp)
17140 {
17141 	struct sk_buff *msg;
17142 
17143 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17144 	if (!msg)
17145 		return;
17146 
17147 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
17148 		goto nla_put_failure;
17149 
17150 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
17151 		goto nla_put_failure;
17152 
17153 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
17154 		goto nla_put_failure;
17155 
17156 	cfg80211_send_cqm(msg, gfp);
17157 	return;
17158 
17159  nla_put_failure:
17160 	nlmsg_free(msg);
17161 }
17162 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
17163 
17164 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
17165 				 const u8 *peer, u32 num_packets, gfp_t gfp)
17166 {
17167 	struct sk_buff *msg;
17168 
17169 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
17170 
17171 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
17172 	if (!msg)
17173 		return;
17174 
17175 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
17176 		goto nla_put_failure;
17177 
17178 	cfg80211_send_cqm(msg, gfp);
17179 	return;
17180 
17181  nla_put_failure:
17182 	nlmsg_free(msg);
17183 }
17184 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
17185 
17186 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
17187 {
17188 	struct sk_buff *msg;
17189 
17190 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
17191 	if (!msg)
17192 		return;
17193 
17194 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
17195 		goto nla_put_failure;
17196 
17197 	cfg80211_send_cqm(msg, gfp);
17198 	return;
17199 
17200  nla_put_failure:
17201 	nlmsg_free(msg);
17202 }
17203 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
17204 
17205 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
17206 				     struct net_device *netdev, const u8 *bssid,
17207 				     const u8 *replay_ctr, gfp_t gfp)
17208 {
17209 	struct sk_buff *msg;
17210 	struct nlattr *rekey_attr;
17211 	void *hdr;
17212 
17213 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17214 	if (!msg)
17215 		return;
17216 
17217 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
17218 	if (!hdr) {
17219 		nlmsg_free(msg);
17220 		return;
17221 	}
17222 
17223 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17224 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17225 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
17226 		goto nla_put_failure;
17227 
17228 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
17229 	if (!rekey_attr)
17230 		goto nla_put_failure;
17231 
17232 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
17233 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
17234 		goto nla_put_failure;
17235 
17236 	nla_nest_end(msg, rekey_attr);
17237 
17238 	genlmsg_end(msg, hdr);
17239 
17240 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17241 				NL80211_MCGRP_MLME, gfp);
17242 	return;
17243 
17244  nla_put_failure:
17245 	nlmsg_free(msg);
17246 }
17247 
17248 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
17249 			       const u8 *replay_ctr, gfp_t gfp)
17250 {
17251 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17252 	struct wiphy *wiphy = wdev->wiphy;
17253 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17254 
17255 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
17256 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
17257 }
17258 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
17259 
17260 static void
17261 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
17262 			       struct net_device *netdev, int index,
17263 			       const u8 *bssid, bool preauth, gfp_t gfp)
17264 {
17265 	struct sk_buff *msg;
17266 	struct nlattr *attr;
17267 	void *hdr;
17268 
17269 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17270 	if (!msg)
17271 		return;
17272 
17273 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
17274 	if (!hdr) {
17275 		nlmsg_free(msg);
17276 		return;
17277 	}
17278 
17279 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17280 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17281 		goto nla_put_failure;
17282 
17283 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
17284 	if (!attr)
17285 		goto nla_put_failure;
17286 
17287 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
17288 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
17289 	    (preauth &&
17290 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
17291 		goto nla_put_failure;
17292 
17293 	nla_nest_end(msg, attr);
17294 
17295 	genlmsg_end(msg, hdr);
17296 
17297 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17298 				NL80211_MCGRP_MLME, gfp);
17299 	return;
17300 
17301  nla_put_failure:
17302 	nlmsg_free(msg);
17303 }
17304 
17305 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
17306 				     const u8 *bssid, bool preauth, gfp_t gfp)
17307 {
17308 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17309 	struct wiphy *wiphy = wdev->wiphy;
17310 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17311 
17312 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
17313 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
17314 }
17315 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
17316 
17317 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
17318 				     struct net_device *netdev,
17319 				     struct cfg80211_chan_def *chandef,
17320 				     gfp_t gfp,
17321 				     enum nl80211_commands notif,
17322 				     u8 count, bool quiet)
17323 {
17324 	struct sk_buff *msg;
17325 	void *hdr;
17326 
17327 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17328 	if (!msg)
17329 		return;
17330 
17331 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
17332 	if (!hdr) {
17333 		nlmsg_free(msg);
17334 		return;
17335 	}
17336 
17337 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
17338 		goto nla_put_failure;
17339 
17340 	if (nl80211_send_chandef(msg, chandef))
17341 		goto nla_put_failure;
17342 
17343 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
17344 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
17345 			goto nla_put_failure;
17346 		if (quiet &&
17347 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
17348 			goto nla_put_failure;
17349 	}
17350 
17351 	genlmsg_end(msg, hdr);
17352 
17353 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17354 				NL80211_MCGRP_MLME, gfp);
17355 	return;
17356 
17357  nla_put_failure:
17358 	nlmsg_free(msg);
17359 }
17360 
17361 void cfg80211_ch_switch_notify(struct net_device *dev,
17362 			       struct cfg80211_chan_def *chandef)
17363 {
17364 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17365 	struct wiphy *wiphy = wdev->wiphy;
17366 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17367 
17368 	ASSERT_WDEV_LOCK(wdev);
17369 
17370 	trace_cfg80211_ch_switch_notify(dev, chandef);
17371 
17372 	wdev->chandef = *chandef;
17373 	wdev->preset_chandef = *chandef;
17374 
17375 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
17376 	    !WARN_ON(!wdev->current_bss))
17377 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
17378 
17379 	cfg80211_sched_dfs_chan_update(rdev);
17380 
17381 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17382 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false);
17383 }
17384 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
17385 
17386 void cfg80211_ch_switch_started_notify(struct net_device *dev,
17387 				       struct cfg80211_chan_def *chandef,
17388 				       u8 count, bool quiet)
17389 {
17390 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17391 	struct wiphy *wiphy = wdev->wiphy;
17392 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17393 
17394 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
17395 
17396 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
17397 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
17398 				 count, quiet);
17399 }
17400 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
17401 
17402 void
17403 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
17404 		     const struct cfg80211_chan_def *chandef,
17405 		     enum nl80211_radar_event event,
17406 		     struct net_device *netdev, gfp_t gfp)
17407 {
17408 	struct sk_buff *msg;
17409 	void *hdr;
17410 
17411 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17412 	if (!msg)
17413 		return;
17414 
17415 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
17416 	if (!hdr) {
17417 		nlmsg_free(msg);
17418 		return;
17419 	}
17420 
17421 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17422 		goto nla_put_failure;
17423 
17424 	/* NOP and radar events don't need a netdev parameter */
17425 	if (netdev) {
17426 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
17427 
17428 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17429 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17430 				      NL80211_ATTR_PAD))
17431 			goto nla_put_failure;
17432 	}
17433 
17434 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
17435 		goto nla_put_failure;
17436 
17437 	if (nl80211_send_chandef(msg, chandef))
17438 		goto nla_put_failure;
17439 
17440 	genlmsg_end(msg, hdr);
17441 
17442 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17443 				NL80211_MCGRP_MLME, gfp);
17444 	return;
17445 
17446  nla_put_failure:
17447 	nlmsg_free(msg);
17448 }
17449 
17450 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
17451 				       struct sta_opmode_info *sta_opmode,
17452 				       gfp_t gfp)
17453 {
17454 	struct sk_buff *msg;
17455 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17456 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17457 	void *hdr;
17458 
17459 	if (WARN_ON(!mac))
17460 		return;
17461 
17462 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17463 	if (!msg)
17464 		return;
17465 
17466 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
17467 	if (!hdr) {
17468 		nlmsg_free(msg);
17469 		return;
17470 	}
17471 
17472 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
17473 		goto nla_put_failure;
17474 
17475 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
17476 		goto nla_put_failure;
17477 
17478 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
17479 		goto nla_put_failure;
17480 
17481 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
17482 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
17483 		goto nla_put_failure;
17484 
17485 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
17486 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
17487 		goto nla_put_failure;
17488 
17489 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
17490 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
17491 		goto nla_put_failure;
17492 
17493 	genlmsg_end(msg, hdr);
17494 
17495 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17496 				NL80211_MCGRP_MLME, gfp);
17497 
17498 	return;
17499 
17500 nla_put_failure:
17501 	nlmsg_free(msg);
17502 }
17503 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
17504 
17505 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
17506 			   u64 cookie, bool acked, s32 ack_signal,
17507 			   bool is_valid_ack_signal, gfp_t gfp)
17508 {
17509 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17510 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17511 	struct sk_buff *msg;
17512 	void *hdr;
17513 
17514 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
17515 
17516 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17517 
17518 	if (!msg)
17519 		return;
17520 
17521 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
17522 	if (!hdr) {
17523 		nlmsg_free(msg);
17524 		return;
17525 	}
17526 
17527 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17528 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17529 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
17530 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
17531 			      NL80211_ATTR_PAD) ||
17532 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
17533 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
17534 						ack_signal)))
17535 		goto nla_put_failure;
17536 
17537 	genlmsg_end(msg, hdr);
17538 
17539 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17540 				NL80211_MCGRP_MLME, gfp);
17541 	return;
17542 
17543  nla_put_failure:
17544 	nlmsg_free(msg);
17545 }
17546 EXPORT_SYMBOL(cfg80211_probe_status);
17547 
17548 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
17549 				     size_t len, int freq, int sig_dbm)
17550 {
17551 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17552 	struct sk_buff *msg;
17553 	void *hdr;
17554 	struct cfg80211_beacon_registration *reg;
17555 
17556 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
17557 
17558 	spin_lock_bh(&rdev->beacon_registrations_lock);
17559 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
17560 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
17561 		if (!msg) {
17562 			spin_unlock_bh(&rdev->beacon_registrations_lock);
17563 			return;
17564 		}
17565 
17566 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
17567 		if (!hdr)
17568 			goto nla_put_failure;
17569 
17570 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17571 		    (freq &&
17572 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
17573 				  KHZ_TO_MHZ(freq)) ||
17574 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
17575 				  freq % 1000))) ||
17576 		    (sig_dbm &&
17577 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
17578 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
17579 			goto nla_put_failure;
17580 
17581 		genlmsg_end(msg, hdr);
17582 
17583 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
17584 	}
17585 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17586 	return;
17587 
17588  nla_put_failure:
17589 	spin_unlock_bh(&rdev->beacon_registrations_lock);
17590 	nlmsg_free(msg);
17591 }
17592 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
17593 
17594 #ifdef CONFIG_PM
17595 static int cfg80211_net_detect_results(struct sk_buff *msg,
17596 				       struct cfg80211_wowlan_wakeup *wakeup)
17597 {
17598 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
17599 	struct nlattr *nl_results, *nl_match, *nl_freqs;
17600 	int i, j;
17601 
17602 	nl_results = nla_nest_start_noflag(msg,
17603 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
17604 	if (!nl_results)
17605 		return -EMSGSIZE;
17606 
17607 	for (i = 0; i < nd->n_matches; i++) {
17608 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
17609 
17610 		nl_match = nla_nest_start_noflag(msg, i);
17611 		if (!nl_match)
17612 			break;
17613 
17614 		/* The SSID attribute is optional in nl80211, but for
17615 		 * simplicity reasons it's always present in the
17616 		 * cfg80211 structure.  If a driver can't pass the
17617 		 * SSID, that needs to be changed.  A zero length SSID
17618 		 * is still a valid SSID (wildcard), so it cannot be
17619 		 * used for this purpose.
17620 		 */
17621 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
17622 			    match->ssid.ssid)) {
17623 			nla_nest_cancel(msg, nl_match);
17624 			goto out;
17625 		}
17626 
17627 		if (match->n_channels) {
17628 			nl_freqs = nla_nest_start_noflag(msg,
17629 							 NL80211_ATTR_SCAN_FREQUENCIES);
17630 			if (!nl_freqs) {
17631 				nla_nest_cancel(msg, nl_match);
17632 				goto out;
17633 			}
17634 
17635 			for (j = 0; j < match->n_channels; j++) {
17636 				if (nla_put_u32(msg, j, match->channels[j])) {
17637 					nla_nest_cancel(msg, nl_freqs);
17638 					nla_nest_cancel(msg, nl_match);
17639 					goto out;
17640 				}
17641 			}
17642 
17643 			nla_nest_end(msg, nl_freqs);
17644 		}
17645 
17646 		nla_nest_end(msg, nl_match);
17647 	}
17648 
17649 out:
17650 	nla_nest_end(msg, nl_results);
17651 	return 0;
17652 }
17653 
17654 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
17655 				   struct cfg80211_wowlan_wakeup *wakeup,
17656 				   gfp_t gfp)
17657 {
17658 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17659 	struct sk_buff *msg;
17660 	void *hdr;
17661 	int size = 200;
17662 
17663 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
17664 
17665 	if (wakeup)
17666 		size += wakeup->packet_present_len;
17667 
17668 	msg = nlmsg_new(size, gfp);
17669 	if (!msg)
17670 		return;
17671 
17672 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
17673 	if (!hdr)
17674 		goto free_msg;
17675 
17676 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17677 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17678 			      NL80211_ATTR_PAD))
17679 		goto free_msg;
17680 
17681 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17682 					wdev->netdev->ifindex))
17683 		goto free_msg;
17684 
17685 	if (wakeup) {
17686 		struct nlattr *reasons;
17687 
17688 		reasons = nla_nest_start_noflag(msg,
17689 						NL80211_ATTR_WOWLAN_TRIGGERS);
17690 		if (!reasons)
17691 			goto free_msg;
17692 
17693 		if (wakeup->disconnect &&
17694 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17695 			goto free_msg;
17696 		if (wakeup->magic_pkt &&
17697 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17698 			goto free_msg;
17699 		if (wakeup->gtk_rekey_failure &&
17700 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17701 			goto free_msg;
17702 		if (wakeup->eap_identity_req &&
17703 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17704 			goto free_msg;
17705 		if (wakeup->four_way_handshake &&
17706 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17707 			goto free_msg;
17708 		if (wakeup->rfkill_release &&
17709 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17710 			goto free_msg;
17711 
17712 		if (wakeup->pattern_idx >= 0 &&
17713 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17714 				wakeup->pattern_idx))
17715 			goto free_msg;
17716 
17717 		if (wakeup->tcp_match &&
17718 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17719 			goto free_msg;
17720 
17721 		if (wakeup->tcp_connlost &&
17722 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17723 			goto free_msg;
17724 
17725 		if (wakeup->tcp_nomoretokens &&
17726 		    nla_put_flag(msg,
17727 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17728 			goto free_msg;
17729 
17730 		if (wakeup->packet) {
17731 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17732 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17733 
17734 			if (!wakeup->packet_80211) {
17735 				pkt_attr =
17736 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17737 				len_attr =
17738 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17739 			}
17740 
17741 			if (wakeup->packet_len &&
17742 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17743 				goto free_msg;
17744 
17745 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17746 				    wakeup->packet))
17747 				goto free_msg;
17748 		}
17749 
17750 		if (wakeup->net_detect &&
17751 		    cfg80211_net_detect_results(msg, wakeup))
17752 				goto free_msg;
17753 
17754 		nla_nest_end(msg, reasons);
17755 	}
17756 
17757 	genlmsg_end(msg, hdr);
17758 
17759 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17760 				NL80211_MCGRP_MLME, gfp);
17761 	return;
17762 
17763  free_msg:
17764 	nlmsg_free(msg);
17765 }
17766 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17767 #endif
17768 
17769 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17770 				enum nl80211_tdls_operation oper,
17771 				u16 reason_code, gfp_t gfp)
17772 {
17773 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17774 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17775 	struct sk_buff *msg;
17776 	void *hdr;
17777 
17778 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17779 					 reason_code);
17780 
17781 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17782 	if (!msg)
17783 		return;
17784 
17785 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17786 	if (!hdr) {
17787 		nlmsg_free(msg);
17788 		return;
17789 	}
17790 
17791 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17792 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17793 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17794 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17795 	    (reason_code > 0 &&
17796 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17797 		goto nla_put_failure;
17798 
17799 	genlmsg_end(msg, hdr);
17800 
17801 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17802 				NL80211_MCGRP_MLME, gfp);
17803 	return;
17804 
17805  nla_put_failure:
17806 	nlmsg_free(msg);
17807 }
17808 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17809 
17810 static int nl80211_netlink_notify(struct notifier_block * nb,
17811 				  unsigned long state,
17812 				  void *_notify)
17813 {
17814 	struct netlink_notify *notify = _notify;
17815 	struct cfg80211_registered_device *rdev;
17816 	struct wireless_dev *wdev;
17817 	struct cfg80211_beacon_registration *reg, *tmp;
17818 
17819 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17820 		return NOTIFY_DONE;
17821 
17822 	rcu_read_lock();
17823 
17824 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17825 		struct cfg80211_sched_scan_request *sched_scan_req;
17826 
17827 		list_for_each_entry_rcu(sched_scan_req,
17828 					&rdev->sched_scan_req_list,
17829 					list) {
17830 			if (sched_scan_req->owner_nlportid == notify->portid) {
17831 				sched_scan_req->nl_owner_dead = true;
17832 				schedule_work(&rdev->sched_scan_stop_wk);
17833 			}
17834 		}
17835 
17836 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17837 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17838 
17839 			if (wdev->owner_nlportid == notify->portid) {
17840 				wdev->nl_owner_dead = true;
17841 				schedule_work(&rdev->destroy_work);
17842 			} else if (wdev->conn_owner_nlportid == notify->portid) {
17843 				schedule_work(&wdev->disconnect_wk);
17844 			}
17845 
17846 			cfg80211_release_pmsr(wdev, notify->portid);
17847 		}
17848 
17849 		spin_lock_bh(&rdev->beacon_registrations_lock);
17850 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17851 					 list) {
17852 			if (reg->nlportid == notify->portid) {
17853 				list_del(&reg->list);
17854 				kfree(reg);
17855 				break;
17856 			}
17857 		}
17858 		spin_unlock_bh(&rdev->beacon_registrations_lock);
17859 	}
17860 
17861 	rcu_read_unlock();
17862 
17863 	/*
17864 	 * It is possible that the user space process that is controlling the
17865 	 * indoor setting disappeared, so notify the regulatory core.
17866 	 */
17867 	regulatory_netlink_notify(notify->portid);
17868 	return NOTIFY_OK;
17869 }
17870 
17871 static struct notifier_block nl80211_netlink_notifier = {
17872 	.notifier_call = nl80211_netlink_notify,
17873 };
17874 
17875 void cfg80211_ft_event(struct net_device *netdev,
17876 		       struct cfg80211_ft_event_params *ft_event)
17877 {
17878 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17879 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17880 	struct sk_buff *msg;
17881 	void *hdr;
17882 
17883 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17884 
17885 	if (!ft_event->target_ap)
17886 		return;
17887 
17888 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17889 			GFP_KERNEL);
17890 	if (!msg)
17891 		return;
17892 
17893 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17894 	if (!hdr)
17895 		goto out;
17896 
17897 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17898 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17899 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17900 		goto out;
17901 
17902 	if (ft_event->ies &&
17903 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17904 		goto out;
17905 	if (ft_event->ric_ies &&
17906 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17907 		    ft_event->ric_ies))
17908 		goto out;
17909 
17910 	genlmsg_end(msg, hdr);
17911 
17912 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17913 				NL80211_MCGRP_MLME, GFP_KERNEL);
17914 	return;
17915  out:
17916 	nlmsg_free(msg);
17917 }
17918 EXPORT_SYMBOL(cfg80211_ft_event);
17919 
17920 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17921 {
17922 	struct cfg80211_registered_device *rdev;
17923 	struct sk_buff *msg;
17924 	void *hdr;
17925 	u32 nlportid;
17926 
17927 	rdev = wiphy_to_rdev(wdev->wiphy);
17928 	if (!rdev->crit_proto_nlportid)
17929 		return;
17930 
17931 	nlportid = rdev->crit_proto_nlportid;
17932 	rdev->crit_proto_nlportid = 0;
17933 
17934 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17935 	if (!msg)
17936 		return;
17937 
17938 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17939 	if (!hdr)
17940 		goto nla_put_failure;
17941 
17942 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17943 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17944 			      NL80211_ATTR_PAD))
17945 		goto nla_put_failure;
17946 
17947 	genlmsg_end(msg, hdr);
17948 
17949 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17950 	return;
17951 
17952  nla_put_failure:
17953 	nlmsg_free(msg);
17954 }
17955 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17956 
17957 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17958 {
17959 	struct wiphy *wiphy = wdev->wiphy;
17960 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17961 	struct sk_buff *msg;
17962 	void *hdr;
17963 
17964 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17965 	if (!msg)
17966 		return;
17967 
17968 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17969 	if (!hdr)
17970 		goto out;
17971 
17972 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17973 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17974 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17975 			      NL80211_ATTR_PAD))
17976 		goto out;
17977 
17978 	genlmsg_end(msg, hdr);
17979 
17980 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17981 				NL80211_MCGRP_MLME, GFP_KERNEL);
17982 	return;
17983  out:
17984 	nlmsg_free(msg);
17985 }
17986 
17987 int cfg80211_external_auth_request(struct net_device *dev,
17988 				   struct cfg80211_external_auth_params *params,
17989 				   gfp_t gfp)
17990 {
17991 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17992 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17993 	struct sk_buff *msg;
17994 	void *hdr;
17995 
17996 	if (!wdev->conn_owner_nlportid)
17997 		return -EINVAL;
17998 
17999 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18000 	if (!msg)
18001 		return -ENOMEM;
18002 
18003 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
18004 	if (!hdr)
18005 		goto nla_put_failure;
18006 
18007 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18008 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18009 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
18010 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
18011 			params->action) ||
18012 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
18013 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
18014 		    params->ssid.ssid))
18015 		goto nla_put_failure;
18016 
18017 	genlmsg_end(msg, hdr);
18018 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
18019 			wdev->conn_owner_nlportid);
18020 	return 0;
18021 
18022  nla_put_failure:
18023 	nlmsg_free(msg);
18024 	return -ENOBUFS;
18025 }
18026 EXPORT_SYMBOL(cfg80211_external_auth_request);
18027 
18028 void cfg80211_update_owe_info_event(struct net_device *netdev,
18029 				    struct cfg80211_update_owe_info *owe_info,
18030 				    gfp_t gfp)
18031 {
18032 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
18033 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18034 	struct sk_buff *msg;
18035 	void *hdr;
18036 
18037 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
18038 
18039 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18040 	if (!msg)
18041 		return;
18042 
18043 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
18044 	if (!hdr)
18045 		goto nla_put_failure;
18046 
18047 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18048 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18049 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
18050 		goto nla_put_failure;
18051 
18052 	if (!owe_info->ie_len ||
18053 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
18054 		goto nla_put_failure;
18055 
18056 	genlmsg_end(msg, hdr);
18057 
18058 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18059 				NL80211_MCGRP_MLME, gfp);
18060 	return;
18061 
18062 nla_put_failure:
18063 	genlmsg_cancel(msg, hdr);
18064 	nlmsg_free(msg);
18065 }
18066 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
18067 
18068 /* initialisation/exit functions */
18069 
18070 int __init nl80211_init(void)
18071 {
18072 	int err;
18073 
18074 	err = genl_register_family(&nl80211_fam);
18075 	if (err)
18076 		return err;
18077 
18078 	err = netlink_register_notifier(&nl80211_netlink_notifier);
18079 	if (err)
18080 		goto err_out;
18081 
18082 	return 0;
18083  err_out:
18084 	genl_unregister_family(&nl80211_fam);
18085 	return err;
18086 }
18087 
18088 void nl80211_exit(void)
18089 {
18090 	netlink_unregister_notifier(&nl80211_netlink_notifier);
18091 	genl_unregister_family(&nl80211_fam);
18092 }
18093