xref: /openbmc/linux/net/wireless/nl80211.c (revision 15e3ae36) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2020 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct net *netns, struct nlattr **attrs)
68 {
69 	struct cfg80211_registered_device *rdev;
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	ASSERT_RTNL();
78 
79 	if (!have_ifidx && !have_wdev_id)
80 		return ERR_PTR(-EINVAL);
81 
82 	if (have_ifidx)
83 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
84 	if (have_wdev_id) {
85 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
86 		wiphy_idx = wdev_id >> 32;
87 	}
88 
89 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
90 		struct wireless_dev *wdev;
91 
92 		if (wiphy_net(&rdev->wiphy) != netns)
93 			continue;
94 
95 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
96 			continue;
97 
98 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
99 			if (have_ifidx && wdev->netdev &&
100 			    wdev->netdev->ifindex == ifidx) {
101 				result = wdev;
102 				break;
103 			}
104 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
105 				result = wdev;
106 				break;
107 			}
108 		}
109 
110 		if (result)
111 			break;
112 	}
113 
114 	if (result)
115 		return result;
116 	return ERR_PTR(-ENODEV);
117 }
118 
119 static struct cfg80211_registered_device *
120 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
121 {
122 	struct cfg80211_registered_device *rdev = NULL, *tmp;
123 	struct net_device *netdev;
124 
125 	ASSERT_RTNL();
126 
127 	if (!attrs[NL80211_ATTR_WIPHY] &&
128 	    !attrs[NL80211_ATTR_IFINDEX] &&
129 	    !attrs[NL80211_ATTR_WDEV])
130 		return ERR_PTR(-EINVAL);
131 
132 	if (attrs[NL80211_ATTR_WIPHY])
133 		rdev = cfg80211_rdev_by_wiphy_idx(
134 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
135 
136 	if (attrs[NL80211_ATTR_WDEV]) {
137 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
138 		struct wireless_dev *wdev;
139 		bool found = false;
140 
141 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
142 		if (tmp) {
143 			/* make sure wdev exists */
144 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
145 				if (wdev->identifier != (u32)wdev_id)
146 					continue;
147 				found = true;
148 				break;
149 			}
150 
151 			if (!found)
152 				tmp = NULL;
153 
154 			if (rdev && tmp != rdev)
155 				return ERR_PTR(-EINVAL);
156 			rdev = tmp;
157 		}
158 	}
159 
160 	if (attrs[NL80211_ATTR_IFINDEX]) {
161 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
162 
163 		netdev = __dev_get_by_index(netns, ifindex);
164 		if (netdev) {
165 			if (netdev->ieee80211_ptr)
166 				tmp = wiphy_to_rdev(
167 					netdev->ieee80211_ptr->wiphy);
168 			else
169 				tmp = NULL;
170 
171 			/* not wireless device -- return error */
172 			if (!tmp)
173 				return ERR_PTR(-EINVAL);
174 
175 			/* mismatch -- return error */
176 			if (rdev && tmp != rdev)
177 				return ERR_PTR(-EINVAL);
178 
179 			rdev = tmp;
180 		}
181 	}
182 
183 	if (!rdev)
184 		return ERR_PTR(-ENODEV);
185 
186 	if (netns != wiphy_net(&rdev->wiphy))
187 		return ERR_PTR(-ENODEV);
188 
189 	return rdev;
190 }
191 
192 /*
193  * This function returns a pointer to the driver
194  * that the genl_info item that is passed refers to.
195  *
196  * The result of this can be a PTR_ERR and hence must
197  * be checked with IS_ERR() for errors.
198  */
199 static struct cfg80211_registered_device *
200 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
201 {
202 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
203 }
204 
205 static int validate_beacon_head(const struct nlattr *attr,
206 				struct netlink_ext_ack *extack)
207 {
208 	const u8 *data = nla_data(attr);
209 	unsigned int len = nla_len(attr);
210 	const struct element *elem;
211 	const struct ieee80211_mgmt *mgmt = (void *)data;
212 	unsigned int fixedlen = offsetof(struct ieee80211_mgmt,
213 					 u.beacon.variable);
214 
215 	if (len < fixedlen)
216 		goto err;
217 
218 	if (ieee80211_hdrlen(mgmt->frame_control) !=
219 	    offsetof(struct ieee80211_mgmt, u.beacon))
220 		goto err;
221 
222 	data += fixedlen;
223 	len -= fixedlen;
224 
225 	for_each_element(elem, data, len) {
226 		/* nothing */
227 	}
228 
229 	if (for_each_element_completed(elem, data, len))
230 		return 0;
231 
232 err:
233 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
234 	return -EINVAL;
235 }
236 
237 static int validate_ie_attr(const struct nlattr *attr,
238 			    struct netlink_ext_ack *extack)
239 {
240 	const u8 *data = nla_data(attr);
241 	unsigned int len = nla_len(attr);
242 	const struct element *elem;
243 
244 	for_each_element(elem, data, len) {
245 		/* nothing */
246 	}
247 
248 	if (for_each_element_completed(elem, data, len))
249 		return 0;
250 
251 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
252 	return -EINVAL;
253 }
254 
255 /* policy for the attributes */
256 static const struct nla_policy
257 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
258 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
259 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
260 					.len = U8_MAX },
261 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
262 					     .len = U8_MAX },
263 };
264 
265 static const struct nla_policy
266 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
267 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
268 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
269 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
270 		NLA_POLICY_MAX(NLA_U8, 15),
271 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
272 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
273 		NLA_POLICY_MAX(NLA_U8, 15),
274 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
275 		NLA_POLICY_MAX(NLA_U8, 31),
276 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
277 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
278 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
279 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
280 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
281 };
282 
283 static const struct nla_policy
284 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
285 	[NL80211_PMSR_TYPE_FTM] =
286 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
287 };
288 
289 static const struct nla_policy
290 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
291 	[NL80211_PMSR_REQ_ATTR_DATA] =
292 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
293 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
294 };
295 
296 static const struct nla_policy
297 nl80211_psmr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
298 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
299 	/*
300 	 * we could specify this again to be the top-level policy,
301 	 * but that would open us up to recursion problems ...
302 	 */
303 	[NL80211_PMSR_PEER_ATTR_CHAN] = { .type = NLA_NESTED },
304 	[NL80211_PMSR_PEER_ATTR_REQ] =
305 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
306 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
312 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
313 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
314 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
315 	[NL80211_PMSR_ATTR_PEERS] =
316 		NLA_POLICY_NESTED_ARRAY(nl80211_psmr_peer_attr_policy),
317 };
318 
319 static const struct nla_policy
320 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
321 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
322 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
323 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
324 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
325 };
326 
327 static const struct nla_policy
328 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
329 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
330 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
331 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
332 };
333 
334 static const struct nla_policy
335 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
336 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
337 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
338 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
339 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
340 	[NL80211_TID_CONFIG_ATTR_NOACK] =
341 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
342 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
343 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
344 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
345 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
346 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
347 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
348 };
349 
350 const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
351 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
352 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
353 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
354 				      .len = 20-1 },
355 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
356 
357 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
358 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
359 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
360 						NL80211_EDMG_CHANNELS_MIN,
361 						NL80211_EDMG_CHANNELS_MAX),
362 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
363 						NL80211_EDMG_BW_CONFIG_MIN,
364 						NL80211_EDMG_BW_CONFIG_MAX),
365 
366 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
367 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
368 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
369 
370 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
371 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
372 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
373 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
374 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
375 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
376 
377 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
378 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
379 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
380 
381 	[NL80211_ATTR_MAC] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
382 	[NL80211_ATTR_PREV_BSSID] = {
383 		.type = NLA_EXACT_LEN_WARN,
384 		.len = ETH_ALEN
385 	},
386 
387 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
388 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
389 				    .len = WLAN_MAX_KEY_LEN },
390 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
391 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
392 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
393 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
394 	[NL80211_ATTR_KEY_TYPE] =
395 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
396 
397 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
398 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
399 	[NL80211_ATTR_BEACON_HEAD] =
400 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
401 				       IEEE80211_MAX_DATA_LEN),
402 	[NL80211_ATTR_BEACON_TAIL] =
403 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
404 				       IEEE80211_MAX_DATA_LEN),
405 	[NL80211_ATTR_STA_AID] =
406 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
407 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
408 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
409 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
410 					       .len = NL80211_MAX_SUPP_RATES },
411 	[NL80211_ATTR_STA_PLINK_ACTION] =
412 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
413 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
414 		NLA_POLICY_RANGE(NLA_U8,
415 				 NL80211_TX_POWER_AUTOMATIC,
416 				 NL80211_TX_POWER_FIXED),
417 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
418 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
419 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
420 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
421 				   .len = IEEE80211_MAX_MESH_ID_LEN },
422 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
423 
424 	[NL80211_ATTR_REG_ALPHA2] = { .type = NLA_STRING, .len = 2 },
425 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
426 
427 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
428 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
429 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
430 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
431 					   .len = NL80211_MAX_SUPP_RATES },
432 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
433 
434 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
435 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
436 
437 	[NL80211_ATTR_HT_CAPABILITY] = {
438 		.type = NLA_EXACT_LEN_WARN,
439 		.len = NL80211_HT_CAPABILITY_LEN
440 	},
441 
442 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
443 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
444 						   validate_ie_attr,
445 						   IEEE80211_MAX_DATA_LEN),
446 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
447 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
448 
449 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
450 				.len = IEEE80211_MAX_SSID_LEN },
451 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
452 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
453 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
454 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
455 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
456 						  NL80211_MFP_NO,
457 						  NL80211_MFP_OPTIONAL),
458 	[NL80211_ATTR_STA_FLAGS2] = {
459 		.len = sizeof(struct nl80211_sta_flag_update),
460 	},
461 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
462 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
463 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
464 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
465 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
466 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
467 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
468 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
469 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
470 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
471 	[NL80211_ATTR_PMKID] = {
472 		.type = NLA_EXACT_LEN_WARN,
473 		.len = WLAN_PMKID_LEN
474 	},
475 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
476 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
477 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
478 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
479 				 .len = IEEE80211_MAX_DATA_LEN },
480 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
481 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
482 						   NL80211_PS_DISABLED,
483 						   NL80211_PS_ENABLED),
484 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
485 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
486 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
487 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
488 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
489 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
490 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
491 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
492 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
493 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
494 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
495 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
496 	[NL80211_ATTR_STA_PLINK_STATE] =
497 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
498 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
499 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
500 	[NL80211_ATTR_MESH_PEER_AID] =
501 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
502 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
503 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
504 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
505 	[NL80211_ATTR_HIDDEN_SSID] =
506 		NLA_POLICY_RANGE(NLA_U32,
507 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
508 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
509 	[NL80211_ATTR_IE_PROBE_RESP] =
510 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
511 				       IEEE80211_MAX_DATA_LEN),
512 	[NL80211_ATTR_IE_ASSOC_RESP] =
513 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
514 				       IEEE80211_MAX_DATA_LEN),
515 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
516 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
517 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
518 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
519 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
520 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
521 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
522 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
523 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
524 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
525 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
526 				      .len = IEEE80211_MAX_DATA_LEN },
527 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
528 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
529 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
530 		.len = NL80211_HT_CAPABILITY_LEN
531 	},
532 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
533 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
534 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
535 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
536 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
537 	[NL80211_ATTR_AUTH_DATA] = { .type = NLA_BINARY, },
538 	[NL80211_ATTR_VHT_CAPABILITY] = {
539 		.type = NLA_EXACT_LEN_WARN,
540 		.len = NL80211_VHT_CAPABILITY_LEN
541 	},
542 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
543 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
544 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
545 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
546 		NLA_POLICY_RANGE(NLA_U32,
547 				 NL80211_MESH_POWER_UNKNOWN + 1,
548 				 NL80211_MESH_POWER_MAX),
549 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
550 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
551 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
552 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
553 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
554 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
555 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
556 		.len = NL80211_VHT_CAPABILITY_LEN,
557 	},
558 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
559 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
560 				  .len = IEEE80211_MAX_DATA_LEN },
561 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
562 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] = { .type = NLA_U16 },
563 	[NL80211_ATTR_PEER_AID] =
564 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
565 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
566 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
567 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
568 	[NL80211_ATTR_CSA_C_OFF_BEACON] = { .type = NLA_BINARY },
569 	[NL80211_ATTR_CSA_C_OFF_PRESP] = { .type = NLA_BINARY },
570 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = { .type = NLA_BINARY },
571 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] = { .type = NLA_BINARY },
572 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
573 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
574 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
575 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
576 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
577 	[NL80211_ATTR_QOS_MAP] = { .type = NLA_BINARY,
578 				   .len = IEEE80211_QOS_MAP_LEN_MAX },
579 	[NL80211_ATTR_MAC_HINT] = {
580 		.type = NLA_EXACT_LEN_WARN,
581 		.len = ETH_ALEN
582 	},
583 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
584 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
585 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
586 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
587 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
588 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
589 	[NL80211_ATTR_USER_PRIO] =
590 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
591 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
592 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
593 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
594 	[NL80211_ATTR_MAC_MASK] = {
595 		.type = NLA_EXACT_LEN_WARN,
596 		.len = ETH_ALEN
597 	},
598 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
599 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
600 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
601 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
602 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
603 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
604 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
605 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
606 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
607 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
608 	},
609 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = {
610 		.type = NLA_EXACT_LEN_WARN,
611 		.len = ETH_ALEN
612 	},
613 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
614 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
615 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
617 				    .len = FILS_MAX_KEK_LEN },
618 	[NL80211_ATTR_FILS_NONCES] = {
619 		.type = NLA_EXACT_LEN_WARN,
620 		.len = 2 * FILS_NONCE_LEN
621 	},
622 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
623 	[NL80211_ATTR_BSSID] = { .type = NLA_EXACT_LEN_WARN, .len = ETH_ALEN },
624 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
625 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
626 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
627 	},
628 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
629 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
630 					     .len = FILS_ERP_MAX_USERNAME_LEN },
631 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
632 					  .len = FILS_ERP_MAX_REALM_LEN },
633 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
634 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
635 					.len = FILS_ERP_MAX_RRK_LEN },
636 	[NL80211_ATTR_FILS_CACHE_ID] = { .type = NLA_EXACT_LEN_WARN, .len = 2 },
637 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
638 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
639 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
640 
641 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
642 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
643 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
644 	[NL80211_ATTR_HE_CAPABILITY] = { .type = NLA_BINARY,
645 					 .len = NL80211_HE_MAX_CAPABILITY_LEN },
646 
647 	[NL80211_ATTR_FTM_RESPONDER] = {
648 		.type = NLA_NESTED,
649 		.validation_data = nl80211_ftm_responder_policy,
650 	},
651 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
652 	[NL80211_ATTR_PEER_MEASUREMENTS] =
653 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
654 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
655 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
656 					.len = SAE_PASSWORD_MAX_LEN },
657 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
658 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
659 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
660 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
661 	[NL80211_ATTR_TID_CONFIG] =
662 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
663 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
664 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
665 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
666 };
667 
668 /* policy for the key attributes */
669 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
670 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
671 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
672 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
673 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
674 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
675 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
676 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
677 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
678 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
679 };
680 
681 /* policy for the key default flags */
682 static const struct nla_policy
683 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
684 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
685 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
686 };
687 
688 #ifdef CONFIG_PM
689 /* policy for WoWLAN attributes */
690 static const struct nla_policy
691 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
692 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
693 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
694 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
695 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
696 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
697 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
698 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
699 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
700 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
701 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
702 };
703 
704 static const struct nla_policy
705 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
706 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
707 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
708 	[NL80211_WOWLAN_TCP_DST_MAC] = {
709 		.type = NLA_EXACT_LEN_WARN,
710 		.len = ETH_ALEN
711 	},
712 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
713 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
714 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
715 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
716 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
717 	},
718 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
719 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
720 	},
721 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
722 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = { .type = NLA_MIN_LEN, .len = 1 },
723 	[NL80211_WOWLAN_TCP_WAKE_MASK] = { .type = NLA_MIN_LEN, .len = 1 },
724 };
725 #endif /* CONFIG_PM */
726 
727 /* policy for coalesce rule attributes */
728 static const struct nla_policy
729 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
730 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
731 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
732 		NLA_POLICY_RANGE(NLA_U32,
733 				 NL80211_COALESCE_CONDITION_MATCH,
734 				 NL80211_COALESCE_CONDITION_NO_MATCH),
735 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
736 };
737 
738 /* policy for GTK rekey offload attributes */
739 static const struct nla_policy
740 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
741 	[NL80211_REKEY_DATA_KEK] = {
742 		.type = NLA_EXACT_LEN_WARN,
743 		.len = NL80211_KEK_LEN,
744 	},
745 	[NL80211_REKEY_DATA_KCK] = {
746 		.type = NLA_EXACT_LEN_WARN,
747 		.len = NL80211_KCK_LEN,
748 	},
749 	[NL80211_REKEY_DATA_REPLAY_CTR] = {
750 		.type = NLA_EXACT_LEN_WARN,
751 		.len = NL80211_REPLAY_CTR_LEN
752 	},
753 };
754 
755 static const struct nla_policy
756 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
757 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
758 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
759 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
760 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
761 };
762 
763 static const struct nla_policy
764 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
765 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
766 						 .len = IEEE80211_MAX_SSID_LEN },
767 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = {
768 		.type = NLA_EXACT_LEN_WARN,
769 		.len = ETH_ALEN
770 	},
771 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
772 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
773 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
774 };
775 
776 static const struct nla_policy
777 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
778 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
779 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
780 };
781 
782 static const struct nla_policy
783 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
784 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
785 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
786 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
787 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
788 	},
789 };
790 
791 /* policy for NAN function attributes */
792 static const struct nla_policy
793 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
794 	[NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
795 	[NL80211_NAN_FUNC_SERVICE_ID] = {
796 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
797 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
798 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
799 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
800 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
801 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
802 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = {
803 		.type = NLA_EXACT_LEN_WARN,
804 		.len = ETH_ALEN
805 	},
806 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
807 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
808 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
809 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
810 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
811 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
812 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
813 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
814 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
815 };
816 
817 /* policy for Service Response Filter attributes */
818 static const struct nla_policy
819 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
820 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
821 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
822 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
823 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
824 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
825 };
826 
827 /* policy for packet pattern attributes */
828 static const struct nla_policy
829 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
830 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
831 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
832 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
833 };
834 
835 int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
836 			      struct cfg80211_registered_device **rdev,
837 			      struct wireless_dev **wdev)
838 {
839 	int err;
840 
841 	if (!cb->args[0]) {
842 		struct nlattr **attrbuf;
843 
844 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
845 				  GFP_KERNEL);
846 		if (!attrbuf)
847 			return -ENOMEM;
848 
849 		err = nlmsg_parse_deprecated(cb->nlh,
850 					     GENL_HDRLEN + nl80211_fam.hdrsize,
851 					     attrbuf, nl80211_fam.maxattr,
852 					     nl80211_policy, NULL);
853 		if (err) {
854 			kfree(attrbuf);
855 			return err;
856 		}
857 
858 		*wdev = __cfg80211_wdev_from_attrs(sock_net(cb->skb->sk),
859 						   attrbuf);
860 		kfree(attrbuf);
861 		if (IS_ERR(*wdev))
862 			return PTR_ERR(*wdev);
863 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
864 		/* 0 is the first index - add 1 to parse only once */
865 		cb->args[0] = (*rdev)->wiphy_idx + 1;
866 		cb->args[1] = (*wdev)->identifier;
867 	} else {
868 		/* subtract the 1 again here */
869 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
870 		struct wireless_dev *tmp;
871 
872 		if (!wiphy)
873 			return -ENODEV;
874 		*rdev = wiphy_to_rdev(wiphy);
875 		*wdev = NULL;
876 
877 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
878 			if (tmp->identifier == cb->args[1]) {
879 				*wdev = tmp;
880 				break;
881 			}
882 		}
883 
884 		if (!*wdev)
885 			return -ENODEV;
886 	}
887 
888 	return 0;
889 }
890 
891 /* message building helper */
892 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
893 		     int flags, u8 cmd)
894 {
895 	/* since there is no private header just add the generic one */
896 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
897 }
898 
899 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
900 				     const struct ieee80211_reg_rule *rule)
901 {
902 	int j;
903 	struct nlattr *nl_wmm_rules =
904 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
905 
906 	if (!nl_wmm_rules)
907 		goto nla_put_failure;
908 
909 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
910 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
911 
912 		if (!nl_wmm_rule)
913 			goto nla_put_failure;
914 
915 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
916 				rule->wmm_rule.client[j].cw_min) ||
917 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
918 				rule->wmm_rule.client[j].cw_max) ||
919 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
920 			       rule->wmm_rule.client[j].aifsn) ||
921 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
922 			        rule->wmm_rule.client[j].cot))
923 			goto nla_put_failure;
924 
925 		nla_nest_end(msg, nl_wmm_rule);
926 	}
927 	nla_nest_end(msg, nl_wmm_rules);
928 
929 	return 0;
930 
931 nla_put_failure:
932 	return -ENOBUFS;
933 }
934 
935 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
936 				   struct ieee80211_channel *chan,
937 				   bool large)
938 {
939 	/* Some channels must be completely excluded from the
940 	 * list to protect old user-space tools from breaking
941 	 */
942 	if (!large && chan->flags &
943 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
944 		return 0;
945 
946 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
947 			chan->center_freq))
948 		goto nla_put_failure;
949 
950 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
951 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
952 		goto nla_put_failure;
953 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
954 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
955 			goto nla_put_failure;
956 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
957 			goto nla_put_failure;
958 	}
959 	if (chan->flags & IEEE80211_CHAN_RADAR) {
960 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
961 			goto nla_put_failure;
962 		if (large) {
963 			u32 time;
964 
965 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
966 
967 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
968 					chan->dfs_state))
969 				goto nla_put_failure;
970 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
971 					time))
972 				goto nla_put_failure;
973 			if (nla_put_u32(msg,
974 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
975 					chan->dfs_cac_ms))
976 				goto nla_put_failure;
977 		}
978 	}
979 
980 	if (large) {
981 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
982 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
983 			goto nla_put_failure;
984 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
985 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
986 			goto nla_put_failure;
987 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
988 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
989 			goto nla_put_failure;
990 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
991 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
992 			goto nla_put_failure;
993 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
994 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
995 			goto nla_put_failure;
996 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
997 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
998 			goto nla_put_failure;
999 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1000 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1001 			goto nla_put_failure;
1002 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1003 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1004 			goto nla_put_failure;
1005 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1006 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1007 			goto nla_put_failure;
1008 	}
1009 
1010 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1011 			DBM_TO_MBM(chan->max_power)))
1012 		goto nla_put_failure;
1013 
1014 	if (large) {
1015 		const struct ieee80211_reg_rule *rule =
1016 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1017 
1018 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1019 			if (nl80211_msg_put_wmm_rules(msg, rule))
1020 				goto nla_put_failure;
1021 		}
1022 	}
1023 
1024 	return 0;
1025 
1026  nla_put_failure:
1027 	return -ENOBUFS;
1028 }
1029 
1030 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1031 				  struct cfg80211_txq_stats *txqstats,
1032 				  int attrtype)
1033 {
1034 	struct nlattr *txqattr;
1035 
1036 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1037 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1038 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1039 		return false;						  \
1040 	} while (0)
1041 
1042 	txqattr = nla_nest_start_noflag(msg, attrtype);
1043 	if (!txqattr)
1044 		return false;
1045 
1046 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1047 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1048 	PUT_TXQVAL_U32(FLOWS, flows);
1049 	PUT_TXQVAL_U32(DROPS, drops);
1050 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1051 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1052 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1053 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1054 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1055 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1056 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1057 	nla_nest_end(msg, txqattr);
1058 
1059 #undef PUT_TXQVAL_U32
1060 	return true;
1061 }
1062 
1063 /* netlink command implementations */
1064 
1065 struct key_parse {
1066 	struct key_params p;
1067 	int idx;
1068 	int type;
1069 	bool def, defmgmt, defbeacon;
1070 	bool def_uni, def_multi;
1071 };
1072 
1073 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1074 				 struct key_parse *k)
1075 {
1076 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1077 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1078 					      nl80211_key_policy,
1079 					      info->extack);
1080 	if (err)
1081 		return err;
1082 
1083 	k->def = !!tb[NL80211_KEY_DEFAULT];
1084 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1085 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1086 
1087 	if (k->def) {
1088 		k->def_uni = true;
1089 		k->def_multi = true;
1090 	}
1091 	if (k->defmgmt || k->defbeacon)
1092 		k->def_multi = true;
1093 
1094 	if (tb[NL80211_KEY_IDX])
1095 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1096 
1097 	if (tb[NL80211_KEY_DATA]) {
1098 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1099 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1100 	}
1101 
1102 	if (tb[NL80211_KEY_SEQ]) {
1103 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1104 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1105 	}
1106 
1107 	if (tb[NL80211_KEY_CIPHER])
1108 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1109 
1110 	if (tb[NL80211_KEY_TYPE])
1111 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1112 
1113 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1114 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1115 
1116 		err = nla_parse_nested_deprecated(kdt,
1117 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1118 						  tb[NL80211_KEY_DEFAULT_TYPES],
1119 						  nl80211_key_default_policy,
1120 						  info->extack);
1121 		if (err)
1122 			return err;
1123 
1124 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1125 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1126 	}
1127 
1128 	if (tb[NL80211_KEY_MODE])
1129 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1130 
1131 	return 0;
1132 }
1133 
1134 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1135 {
1136 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1137 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1138 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1139 	}
1140 
1141 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1142 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1143 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1144 	}
1145 
1146 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1147 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1148 
1149 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1150 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1151 
1152 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1153 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1154 
1155 	if (k->def) {
1156 		k->def_uni = true;
1157 		k->def_multi = true;
1158 	}
1159 	if (k->defmgmt)
1160 		k->def_multi = true;
1161 
1162 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1163 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1164 
1165 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1166 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1167 		int err = nla_parse_nested_deprecated(kdt,
1168 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1169 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1170 						      nl80211_key_default_policy,
1171 						      info->extack);
1172 		if (err)
1173 			return err;
1174 
1175 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1176 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1177 	}
1178 
1179 	return 0;
1180 }
1181 
1182 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1183 {
1184 	int err;
1185 
1186 	memset(k, 0, sizeof(*k));
1187 	k->idx = -1;
1188 	k->type = -1;
1189 
1190 	if (info->attrs[NL80211_ATTR_KEY])
1191 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1192 	else
1193 		err = nl80211_parse_key_old(info, k);
1194 
1195 	if (err)
1196 		return err;
1197 
1198 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1199 	    (k->defbeacon ? 1 : 0) > 1) {
1200 		GENL_SET_ERR_MSG(info,
1201 				 "key with multiple default flags is invalid");
1202 		return -EINVAL;
1203 	}
1204 
1205 	if (k->defmgmt || k->defbeacon) {
1206 		if (k->def_uni || !k->def_multi) {
1207 			GENL_SET_ERR_MSG(info,
1208 					 "defmgmt/defbeacon key must be mcast");
1209 			return -EINVAL;
1210 		}
1211 	}
1212 
1213 	if (k->idx != -1) {
1214 		if (k->defmgmt) {
1215 			if (k->idx < 4 || k->idx > 5) {
1216 				GENL_SET_ERR_MSG(info,
1217 						 "defmgmt key idx not 4 or 5");
1218 				return -EINVAL;
1219 			}
1220 		} else if (k->defbeacon) {
1221 			if (k->idx < 6 || k->idx > 7) {
1222 				GENL_SET_ERR_MSG(info,
1223 						 "defbeacon key idx not 6 or 7");
1224 				return -EINVAL;
1225 			}
1226 		} else if (k->def) {
1227 			if (k->idx < 0 || k->idx > 3) {
1228 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1229 				return -EINVAL;
1230 			}
1231 		} else {
1232 			if (k->idx < 0 || k->idx > 7) {
1233 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1234 				return -EINVAL;
1235 			}
1236 		}
1237 	}
1238 
1239 	return 0;
1240 }
1241 
1242 static struct cfg80211_cached_keys *
1243 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1244 		       struct genl_info *info, bool *no_ht)
1245 {
1246 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1247 	struct key_parse parse;
1248 	struct nlattr *key;
1249 	struct cfg80211_cached_keys *result;
1250 	int rem, err, def = 0;
1251 	bool have_key = false;
1252 
1253 	nla_for_each_nested(key, keys, rem) {
1254 		have_key = true;
1255 		break;
1256 	}
1257 
1258 	if (!have_key)
1259 		return NULL;
1260 
1261 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1262 	if (!result)
1263 		return ERR_PTR(-ENOMEM);
1264 
1265 	result->def = -1;
1266 
1267 	nla_for_each_nested(key, keys, rem) {
1268 		memset(&parse, 0, sizeof(parse));
1269 		parse.idx = -1;
1270 
1271 		err = nl80211_parse_key_new(info, key, &parse);
1272 		if (err)
1273 			goto error;
1274 		err = -EINVAL;
1275 		if (!parse.p.key)
1276 			goto error;
1277 		if (parse.idx < 0 || parse.idx > 3) {
1278 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1279 			goto error;
1280 		}
1281 		if (parse.def) {
1282 			if (def) {
1283 				GENL_SET_ERR_MSG(info,
1284 						 "only one key can be default");
1285 				goto error;
1286 			}
1287 			def = 1;
1288 			result->def = parse.idx;
1289 			if (!parse.def_uni || !parse.def_multi)
1290 				goto error;
1291 		} else if (parse.defmgmt)
1292 			goto error;
1293 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1294 						     parse.idx, false, NULL);
1295 		if (err)
1296 			goto error;
1297 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1298 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1299 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1300 			err = -EINVAL;
1301 			goto error;
1302 		}
1303 		result->params[parse.idx].cipher = parse.p.cipher;
1304 		result->params[parse.idx].key_len = parse.p.key_len;
1305 		result->params[parse.idx].key = result->data[parse.idx];
1306 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1307 
1308 		/* must be WEP key if we got here */
1309 		if (no_ht)
1310 			*no_ht = true;
1311 	}
1312 
1313 	if (result->def < 0) {
1314 		err = -EINVAL;
1315 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1316 		goto error;
1317 	}
1318 
1319 	return result;
1320  error:
1321 	kfree(result);
1322 	return ERR_PTR(err);
1323 }
1324 
1325 static int nl80211_key_allowed(struct wireless_dev *wdev)
1326 {
1327 	ASSERT_WDEV_LOCK(wdev);
1328 
1329 	switch (wdev->iftype) {
1330 	case NL80211_IFTYPE_AP:
1331 	case NL80211_IFTYPE_AP_VLAN:
1332 	case NL80211_IFTYPE_P2P_GO:
1333 	case NL80211_IFTYPE_MESH_POINT:
1334 		break;
1335 	case NL80211_IFTYPE_ADHOC:
1336 	case NL80211_IFTYPE_STATION:
1337 	case NL80211_IFTYPE_P2P_CLIENT:
1338 		if (!wdev->current_bss)
1339 			return -ENOLINK;
1340 		break;
1341 	case NL80211_IFTYPE_UNSPECIFIED:
1342 	case NL80211_IFTYPE_OCB:
1343 	case NL80211_IFTYPE_MONITOR:
1344 	case NL80211_IFTYPE_NAN:
1345 	case NL80211_IFTYPE_P2P_DEVICE:
1346 	case NL80211_IFTYPE_WDS:
1347 	case NUM_NL80211_IFTYPES:
1348 		return -EINVAL;
1349 	}
1350 
1351 	return 0;
1352 }
1353 
1354 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1355 							struct nlattr *tb)
1356 {
1357 	struct ieee80211_channel *chan;
1358 
1359 	if (tb == NULL)
1360 		return NULL;
1361 	chan = ieee80211_get_channel(wiphy, nla_get_u32(tb));
1362 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1363 		return NULL;
1364 	return chan;
1365 }
1366 
1367 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1368 {
1369 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1370 	int i;
1371 
1372 	if (!nl_modes)
1373 		goto nla_put_failure;
1374 
1375 	i = 0;
1376 	while (ifmodes) {
1377 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1378 			goto nla_put_failure;
1379 		ifmodes >>= 1;
1380 		i++;
1381 	}
1382 
1383 	nla_nest_end(msg, nl_modes);
1384 	return 0;
1385 
1386 nla_put_failure:
1387 	return -ENOBUFS;
1388 }
1389 
1390 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1391 					  struct sk_buff *msg,
1392 					  bool large)
1393 {
1394 	struct nlattr *nl_combis;
1395 	int i, j;
1396 
1397 	nl_combis = nla_nest_start_noflag(msg,
1398 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1399 	if (!nl_combis)
1400 		goto nla_put_failure;
1401 
1402 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1403 		const struct ieee80211_iface_combination *c;
1404 		struct nlattr *nl_combi, *nl_limits;
1405 
1406 		c = &wiphy->iface_combinations[i];
1407 
1408 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1409 		if (!nl_combi)
1410 			goto nla_put_failure;
1411 
1412 		nl_limits = nla_nest_start_noflag(msg,
1413 						  NL80211_IFACE_COMB_LIMITS);
1414 		if (!nl_limits)
1415 			goto nla_put_failure;
1416 
1417 		for (j = 0; j < c->n_limits; j++) {
1418 			struct nlattr *nl_limit;
1419 
1420 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1421 			if (!nl_limit)
1422 				goto nla_put_failure;
1423 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1424 					c->limits[j].max))
1425 				goto nla_put_failure;
1426 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1427 						c->limits[j].types))
1428 				goto nla_put_failure;
1429 			nla_nest_end(msg, nl_limit);
1430 		}
1431 
1432 		nla_nest_end(msg, nl_limits);
1433 
1434 		if (c->beacon_int_infra_match &&
1435 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1436 			goto nla_put_failure;
1437 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1438 				c->num_different_channels) ||
1439 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1440 				c->max_interfaces))
1441 			goto nla_put_failure;
1442 		if (large &&
1443 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1444 				c->radar_detect_widths) ||
1445 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1446 				c->radar_detect_regions)))
1447 			goto nla_put_failure;
1448 		if (c->beacon_int_min_gcd &&
1449 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1450 				c->beacon_int_min_gcd))
1451 			goto nla_put_failure;
1452 
1453 		nla_nest_end(msg, nl_combi);
1454 	}
1455 
1456 	nla_nest_end(msg, nl_combis);
1457 
1458 	return 0;
1459 nla_put_failure:
1460 	return -ENOBUFS;
1461 }
1462 
1463 #ifdef CONFIG_PM
1464 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1465 					struct sk_buff *msg)
1466 {
1467 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1468 	struct nlattr *nl_tcp;
1469 
1470 	if (!tcp)
1471 		return 0;
1472 
1473 	nl_tcp = nla_nest_start_noflag(msg,
1474 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1475 	if (!nl_tcp)
1476 		return -ENOBUFS;
1477 
1478 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1479 			tcp->data_payload_max))
1480 		return -ENOBUFS;
1481 
1482 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1483 			tcp->data_payload_max))
1484 		return -ENOBUFS;
1485 
1486 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1487 		return -ENOBUFS;
1488 
1489 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1490 				sizeof(*tcp->tok), tcp->tok))
1491 		return -ENOBUFS;
1492 
1493 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1494 			tcp->data_interval_max))
1495 		return -ENOBUFS;
1496 
1497 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1498 			tcp->wake_payload_max))
1499 		return -ENOBUFS;
1500 
1501 	nla_nest_end(msg, nl_tcp);
1502 	return 0;
1503 }
1504 
1505 static int nl80211_send_wowlan(struct sk_buff *msg,
1506 			       struct cfg80211_registered_device *rdev,
1507 			       bool large)
1508 {
1509 	struct nlattr *nl_wowlan;
1510 
1511 	if (!rdev->wiphy.wowlan)
1512 		return 0;
1513 
1514 	nl_wowlan = nla_nest_start_noflag(msg,
1515 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1516 	if (!nl_wowlan)
1517 		return -ENOBUFS;
1518 
1519 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1520 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1521 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1522 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1523 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1524 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1525 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1526 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1527 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1528 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1529 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1530 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1531 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1532 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1533 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1534 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1535 		return -ENOBUFS;
1536 
1537 	if (rdev->wiphy.wowlan->n_patterns) {
1538 		struct nl80211_pattern_support pat = {
1539 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1540 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1541 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1542 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1543 		};
1544 
1545 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1546 			    sizeof(pat), &pat))
1547 			return -ENOBUFS;
1548 	}
1549 
1550 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1551 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1552 			rdev->wiphy.wowlan->max_nd_match_sets))
1553 		return -ENOBUFS;
1554 
1555 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1556 		return -ENOBUFS;
1557 
1558 	nla_nest_end(msg, nl_wowlan);
1559 
1560 	return 0;
1561 }
1562 #endif
1563 
1564 static int nl80211_send_coalesce(struct sk_buff *msg,
1565 				 struct cfg80211_registered_device *rdev)
1566 {
1567 	struct nl80211_coalesce_rule_support rule;
1568 
1569 	if (!rdev->wiphy.coalesce)
1570 		return 0;
1571 
1572 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1573 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1574 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1575 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1576 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1577 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1578 
1579 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1580 		return -ENOBUFS;
1581 
1582 	return 0;
1583 }
1584 
1585 static int
1586 nl80211_send_iftype_data(struct sk_buff *msg,
1587 			 const struct ieee80211_sband_iftype_data *iftdata)
1588 {
1589 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1590 
1591 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1592 				iftdata->types_mask))
1593 		return -ENOBUFS;
1594 
1595 	if (he_cap->has_he) {
1596 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1597 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1598 			    he_cap->he_cap_elem.mac_cap_info) ||
1599 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1600 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1601 			    he_cap->he_cap_elem.phy_cap_info) ||
1602 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1603 			    sizeof(he_cap->he_mcs_nss_supp),
1604 			    &he_cap->he_mcs_nss_supp) ||
1605 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1606 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1607 			return -ENOBUFS;
1608 	}
1609 
1610 	return 0;
1611 }
1612 
1613 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1614 				      struct ieee80211_supported_band *sband)
1615 {
1616 	struct nlattr *nl_rates, *nl_rate;
1617 	struct ieee80211_rate *rate;
1618 	int i;
1619 
1620 	/* add HT info */
1621 	if (sband->ht_cap.ht_supported &&
1622 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1623 		     sizeof(sband->ht_cap.mcs),
1624 		     &sband->ht_cap.mcs) ||
1625 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1626 			 sband->ht_cap.cap) ||
1627 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1628 			sband->ht_cap.ampdu_factor) ||
1629 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1630 			sband->ht_cap.ampdu_density)))
1631 		return -ENOBUFS;
1632 
1633 	/* add VHT info */
1634 	if (sband->vht_cap.vht_supported &&
1635 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1636 		     sizeof(sband->vht_cap.vht_mcs),
1637 		     &sband->vht_cap.vht_mcs) ||
1638 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1639 			 sband->vht_cap.cap)))
1640 		return -ENOBUFS;
1641 
1642 	if (sband->n_iftype_data) {
1643 		struct nlattr *nl_iftype_data =
1644 			nla_nest_start_noflag(msg,
1645 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1646 		int err;
1647 
1648 		if (!nl_iftype_data)
1649 			return -ENOBUFS;
1650 
1651 		for (i = 0; i < sband->n_iftype_data; i++) {
1652 			struct nlattr *iftdata;
1653 
1654 			iftdata = nla_nest_start_noflag(msg, i + 1);
1655 			if (!iftdata)
1656 				return -ENOBUFS;
1657 
1658 			err = nl80211_send_iftype_data(msg,
1659 						       &sband->iftype_data[i]);
1660 			if (err)
1661 				return err;
1662 
1663 			nla_nest_end(msg, iftdata);
1664 		}
1665 
1666 		nla_nest_end(msg, nl_iftype_data);
1667 	}
1668 
1669 	/* add EDMG info */
1670 	if (sband->edmg_cap.channels &&
1671 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1672 		       sband->edmg_cap.channels) ||
1673 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1674 		       sband->edmg_cap.bw_config)))
1675 
1676 		return -ENOBUFS;
1677 
1678 	/* add bitrates */
1679 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1680 	if (!nl_rates)
1681 		return -ENOBUFS;
1682 
1683 	for (i = 0; i < sband->n_bitrates; i++) {
1684 		nl_rate = nla_nest_start_noflag(msg, i);
1685 		if (!nl_rate)
1686 			return -ENOBUFS;
1687 
1688 		rate = &sband->bitrates[i];
1689 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1690 				rate->bitrate))
1691 			return -ENOBUFS;
1692 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1693 		    nla_put_flag(msg,
1694 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1695 			return -ENOBUFS;
1696 
1697 		nla_nest_end(msg, nl_rate);
1698 	}
1699 
1700 	nla_nest_end(msg, nl_rates);
1701 
1702 	return 0;
1703 }
1704 
1705 static int
1706 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1707 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1708 {
1709 	u16 stypes;
1710 	struct nlattr *nl_ftypes, *nl_ifs;
1711 	enum nl80211_iftype ift;
1712 	int i;
1713 
1714 	if (!mgmt_stypes)
1715 		return 0;
1716 
1717 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1718 	if (!nl_ifs)
1719 		return -ENOBUFS;
1720 
1721 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1722 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1723 		if (!nl_ftypes)
1724 			return -ENOBUFS;
1725 		i = 0;
1726 		stypes = mgmt_stypes[ift].tx;
1727 		while (stypes) {
1728 			if ((stypes & 1) &&
1729 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1730 					(i << 4) | IEEE80211_FTYPE_MGMT))
1731 				return -ENOBUFS;
1732 			stypes >>= 1;
1733 			i++;
1734 		}
1735 		nla_nest_end(msg, nl_ftypes);
1736 	}
1737 
1738 	nla_nest_end(msg, nl_ifs);
1739 
1740 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
1741 	if (!nl_ifs)
1742 		return -ENOBUFS;
1743 
1744 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
1745 		nl_ftypes = nla_nest_start_noflag(msg, ift);
1746 		if (!nl_ftypes)
1747 			return -ENOBUFS;
1748 		i = 0;
1749 		stypes = mgmt_stypes[ift].rx;
1750 		while (stypes) {
1751 			if ((stypes & 1) &&
1752 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
1753 					(i << 4) | IEEE80211_FTYPE_MGMT))
1754 				return -ENOBUFS;
1755 			stypes >>= 1;
1756 			i++;
1757 		}
1758 		nla_nest_end(msg, nl_ftypes);
1759 	}
1760 	nla_nest_end(msg, nl_ifs);
1761 
1762 	return 0;
1763 }
1764 
1765 #define CMD(op, n)							\
1766 	 do {								\
1767 		if (rdev->ops->op) {					\
1768 			i++;						\
1769 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
1770 				goto nla_put_failure;			\
1771 		}							\
1772 	} while (0)
1773 
1774 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
1775 					struct sk_buff *msg)
1776 {
1777 	int i = 0;
1778 
1779 	/*
1780 	 * do *NOT* add anything into this function, new things need to be
1781 	 * advertised only to new versions of userspace that can deal with
1782 	 * the split (and they can't possibly care about new features...
1783 	 */
1784 	CMD(add_virtual_intf, NEW_INTERFACE);
1785 	CMD(change_virtual_intf, SET_INTERFACE);
1786 	CMD(add_key, NEW_KEY);
1787 	CMD(start_ap, START_AP);
1788 	CMD(add_station, NEW_STATION);
1789 	CMD(add_mpath, NEW_MPATH);
1790 	CMD(update_mesh_config, SET_MESH_CONFIG);
1791 	CMD(change_bss, SET_BSS);
1792 	CMD(auth, AUTHENTICATE);
1793 	CMD(assoc, ASSOCIATE);
1794 	CMD(deauth, DEAUTHENTICATE);
1795 	CMD(disassoc, DISASSOCIATE);
1796 	CMD(join_ibss, JOIN_IBSS);
1797 	CMD(join_mesh, JOIN_MESH);
1798 	CMD(set_pmksa, SET_PMKSA);
1799 	CMD(del_pmksa, DEL_PMKSA);
1800 	CMD(flush_pmksa, FLUSH_PMKSA);
1801 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
1802 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
1803 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
1804 	CMD(mgmt_tx, FRAME);
1805 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
1806 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
1807 		i++;
1808 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
1809 			goto nla_put_failure;
1810 	}
1811 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
1812 	    rdev->ops->join_mesh) {
1813 		i++;
1814 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
1815 			goto nla_put_failure;
1816 	}
1817 	CMD(set_wds_peer, SET_WDS_PEER);
1818 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
1819 		CMD(tdls_mgmt, TDLS_MGMT);
1820 		CMD(tdls_oper, TDLS_OPER);
1821 	}
1822 	if (rdev->wiphy.max_sched_scan_reqs)
1823 		CMD(sched_scan_start, START_SCHED_SCAN);
1824 	CMD(probe_client, PROBE_CLIENT);
1825 	CMD(set_noack_map, SET_NOACK_MAP);
1826 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
1827 		i++;
1828 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
1829 			goto nla_put_failure;
1830 	}
1831 	CMD(start_p2p_device, START_P2P_DEVICE);
1832 	CMD(set_mcast_rate, SET_MCAST_RATE);
1833 #ifdef CONFIG_NL80211_TESTMODE
1834 	CMD(testmode_cmd, TESTMODE);
1835 #endif
1836 
1837 	if (rdev->ops->connect || rdev->ops->auth) {
1838 		i++;
1839 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
1840 			goto nla_put_failure;
1841 	}
1842 
1843 	if (rdev->ops->disconnect || rdev->ops->deauth) {
1844 		i++;
1845 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
1846 			goto nla_put_failure;
1847 	}
1848 
1849 	return i;
1850  nla_put_failure:
1851 	return -ENOBUFS;
1852 }
1853 
1854 static int
1855 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
1856 			   struct sk_buff *msg)
1857 {
1858 	struct nlattr *ftm;
1859 
1860 	if (!cap->ftm.supported)
1861 		return 0;
1862 
1863 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
1864 	if (!ftm)
1865 		return -ENOBUFS;
1866 
1867 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
1868 		return -ENOBUFS;
1869 	if (cap->ftm.non_asap &&
1870 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
1871 		return -ENOBUFS;
1872 	if (cap->ftm.request_lci &&
1873 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
1874 		return -ENOBUFS;
1875 	if (cap->ftm.request_civicloc &&
1876 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
1877 		return -ENOBUFS;
1878 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
1879 			cap->ftm.preambles))
1880 		return -ENOBUFS;
1881 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
1882 			cap->ftm.bandwidths))
1883 		return -ENOBUFS;
1884 	if (cap->ftm.max_bursts_exponent >= 0 &&
1885 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
1886 			cap->ftm.max_bursts_exponent))
1887 		return -ENOBUFS;
1888 	if (cap->ftm.max_ftms_per_burst &&
1889 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
1890 			cap->ftm.max_ftms_per_burst))
1891 		return -ENOBUFS;
1892 	if (cap->ftm.trigger_based &&
1893 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
1894 		return -ENOBUFS;
1895 	if (cap->ftm.non_trigger_based &&
1896 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
1897 		return -ENOBUFS;
1898 
1899 	nla_nest_end(msg, ftm);
1900 	return 0;
1901 }
1902 
1903 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
1904 				  struct sk_buff *msg)
1905 {
1906 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
1907 	struct nlattr *pmsr, *caps;
1908 
1909 	if (!cap)
1910 		return 0;
1911 
1912 	/*
1913 	 * we don't need to clean up anything here since the caller
1914 	 * will genlmsg_cancel() if we fail
1915 	 */
1916 
1917 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
1918 	if (!pmsr)
1919 		return -ENOBUFS;
1920 
1921 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
1922 		return -ENOBUFS;
1923 
1924 	if (cap->report_ap_tsf &&
1925 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
1926 		return -ENOBUFS;
1927 
1928 	if (cap->randomize_mac_addr &&
1929 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
1930 		return -ENOBUFS;
1931 
1932 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
1933 	if (!caps)
1934 		return -ENOBUFS;
1935 
1936 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
1937 		return -ENOBUFS;
1938 
1939 	nla_nest_end(msg, caps);
1940 	nla_nest_end(msg, pmsr);
1941 
1942 	return 0;
1943 }
1944 
1945 static int
1946 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
1947 			      struct sk_buff *msg)
1948 {
1949 	int i;
1950 	struct nlattr *nested, *nested_akms;
1951 	const struct wiphy_iftype_akm_suites *iftype_akms;
1952 
1953 	if (!rdev->wiphy.num_iftype_akm_suites ||
1954 	    !rdev->wiphy.iftype_akm_suites)
1955 		return 0;
1956 
1957 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
1958 	if (!nested)
1959 		return -ENOBUFS;
1960 
1961 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
1962 		nested_akms = nla_nest_start(msg, i + 1);
1963 		if (!nested_akms)
1964 			return -ENOBUFS;
1965 
1966 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
1967 
1968 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
1969 					iftype_akms->iftypes_mask))
1970 			return -ENOBUFS;
1971 
1972 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
1973 			    sizeof(u32) * iftype_akms->n_akm_suites,
1974 			    iftype_akms->akm_suites)) {
1975 			return -ENOBUFS;
1976 		}
1977 		nla_nest_end(msg, nested_akms);
1978 	}
1979 
1980 	nla_nest_end(msg, nested);
1981 
1982 	return 0;
1983 }
1984 
1985 static int
1986 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
1987 			       struct sk_buff *msg)
1988 {
1989 	struct nlattr *supp;
1990 
1991 	if (!rdev->wiphy.tid_config_support.vif &&
1992 	    !rdev->wiphy.tid_config_support.peer)
1993 		return 0;
1994 
1995 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
1996 	if (!supp)
1997 		return -ENOSPC;
1998 
1999 	if (rdev->wiphy.tid_config_support.vif &&
2000 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2001 			      rdev->wiphy.tid_config_support.vif,
2002 			      NL80211_TID_CONFIG_ATTR_PAD))
2003 		goto fail;
2004 
2005 	if (rdev->wiphy.tid_config_support.peer &&
2006 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2007 			      rdev->wiphy.tid_config_support.peer,
2008 			      NL80211_TID_CONFIG_ATTR_PAD))
2009 		goto fail;
2010 
2011 	/* for now we just use the same value ... makes more sense */
2012 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2013 		       rdev->wiphy.tid_config_support.max_retry))
2014 		goto fail;
2015 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2016 		       rdev->wiphy.tid_config_support.max_retry))
2017 		goto fail;
2018 
2019 	nla_nest_end(msg, supp);
2020 
2021 	return 0;
2022 fail:
2023 	nla_nest_cancel(msg, supp);
2024 	return -ENOBUFS;
2025 }
2026 
2027 struct nl80211_dump_wiphy_state {
2028 	s64 filter_wiphy;
2029 	long start;
2030 	long split_start, band_start, chan_start, capa_start;
2031 	bool split;
2032 };
2033 
2034 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2035 			      enum nl80211_commands cmd,
2036 			      struct sk_buff *msg, u32 portid, u32 seq,
2037 			      int flags, struct nl80211_dump_wiphy_state *state)
2038 {
2039 	void *hdr;
2040 	struct nlattr *nl_bands, *nl_band;
2041 	struct nlattr *nl_freqs, *nl_freq;
2042 	struct nlattr *nl_cmds;
2043 	enum nl80211_band band;
2044 	struct ieee80211_channel *chan;
2045 	int i;
2046 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2047 				rdev->wiphy.mgmt_stypes;
2048 	u32 features;
2049 
2050 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2051 	if (!hdr)
2052 		return -ENOBUFS;
2053 
2054 	if (WARN_ON(!state))
2055 		return -EINVAL;
2056 
2057 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2058 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2059 			   wiphy_name(&rdev->wiphy)) ||
2060 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2061 			cfg80211_rdev_list_generation))
2062 		goto nla_put_failure;
2063 
2064 	if (cmd != NL80211_CMD_NEW_WIPHY)
2065 		goto finish;
2066 
2067 	switch (state->split_start) {
2068 	case 0:
2069 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2070 			       rdev->wiphy.retry_short) ||
2071 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2072 			       rdev->wiphy.retry_long) ||
2073 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2074 				rdev->wiphy.frag_threshold) ||
2075 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2076 				rdev->wiphy.rts_threshold) ||
2077 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2078 			       rdev->wiphy.coverage_class) ||
2079 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2080 			       rdev->wiphy.max_scan_ssids) ||
2081 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2082 			       rdev->wiphy.max_sched_scan_ssids) ||
2083 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2084 				rdev->wiphy.max_scan_ie_len) ||
2085 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2086 				rdev->wiphy.max_sched_scan_ie_len) ||
2087 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2088 			       rdev->wiphy.max_match_sets) ||
2089 		    nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2090 				rdev->wiphy.max_sched_scan_plans) ||
2091 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2092 				rdev->wiphy.max_sched_scan_plan_interval) ||
2093 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2094 				rdev->wiphy.max_sched_scan_plan_iterations))
2095 			goto nla_put_failure;
2096 
2097 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2098 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2099 			goto nla_put_failure;
2100 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2101 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2102 			goto nla_put_failure;
2103 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2104 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2105 			goto nla_put_failure;
2106 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2107 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2108 			goto nla_put_failure;
2109 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2110 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2111 			goto nla_put_failure;
2112 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2113 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2114 			goto nla_put_failure;
2115 		state->split_start++;
2116 		if (state->split)
2117 			break;
2118 		/* fall through */
2119 	case 1:
2120 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2121 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2122 			    rdev->wiphy.cipher_suites))
2123 			goto nla_put_failure;
2124 
2125 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2126 			       rdev->wiphy.max_num_pmkids))
2127 			goto nla_put_failure;
2128 
2129 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2130 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2131 			goto nla_put_failure;
2132 
2133 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2134 				rdev->wiphy.available_antennas_tx) ||
2135 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2136 				rdev->wiphy.available_antennas_rx))
2137 			goto nla_put_failure;
2138 
2139 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2140 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2141 				rdev->wiphy.probe_resp_offload))
2142 			goto nla_put_failure;
2143 
2144 		if ((rdev->wiphy.available_antennas_tx ||
2145 		     rdev->wiphy.available_antennas_rx) &&
2146 		    rdev->ops->get_antenna) {
2147 			u32 tx_ant = 0, rx_ant = 0;
2148 			int res;
2149 
2150 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2151 			if (!res) {
2152 				if (nla_put_u32(msg,
2153 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2154 						tx_ant) ||
2155 				    nla_put_u32(msg,
2156 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2157 						rx_ant))
2158 					goto nla_put_failure;
2159 			}
2160 		}
2161 
2162 		state->split_start++;
2163 		if (state->split)
2164 			break;
2165 		/* fall through */
2166 	case 2:
2167 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2168 					rdev->wiphy.interface_modes))
2169 				goto nla_put_failure;
2170 		state->split_start++;
2171 		if (state->split)
2172 			break;
2173 		/* fall through */
2174 	case 3:
2175 		nl_bands = nla_nest_start_noflag(msg,
2176 						 NL80211_ATTR_WIPHY_BANDS);
2177 		if (!nl_bands)
2178 			goto nla_put_failure;
2179 
2180 		for (band = state->band_start;
2181 		     band < NUM_NL80211_BANDS; band++) {
2182 			struct ieee80211_supported_band *sband;
2183 
2184 			sband = rdev->wiphy.bands[band];
2185 
2186 			if (!sband)
2187 				continue;
2188 
2189 			nl_band = nla_nest_start_noflag(msg, band);
2190 			if (!nl_band)
2191 				goto nla_put_failure;
2192 
2193 			switch (state->chan_start) {
2194 			case 0:
2195 				if (nl80211_send_band_rateinfo(msg, sband))
2196 					goto nla_put_failure;
2197 				state->chan_start++;
2198 				if (state->split)
2199 					break;
2200 				/* fall through */
2201 			default:
2202 				/* add frequencies */
2203 				nl_freqs = nla_nest_start_noflag(msg,
2204 								 NL80211_BAND_ATTR_FREQS);
2205 				if (!nl_freqs)
2206 					goto nla_put_failure;
2207 
2208 				for (i = state->chan_start - 1;
2209 				     i < sband->n_channels;
2210 				     i++) {
2211 					nl_freq = nla_nest_start_noflag(msg,
2212 									i);
2213 					if (!nl_freq)
2214 						goto nla_put_failure;
2215 
2216 					chan = &sband->channels[i];
2217 
2218 					if (nl80211_msg_put_channel(
2219 							msg, &rdev->wiphy, chan,
2220 							state->split))
2221 						goto nla_put_failure;
2222 
2223 					nla_nest_end(msg, nl_freq);
2224 					if (state->split)
2225 						break;
2226 				}
2227 				if (i < sband->n_channels)
2228 					state->chan_start = i + 2;
2229 				else
2230 					state->chan_start = 0;
2231 				nla_nest_end(msg, nl_freqs);
2232 			}
2233 
2234 			nla_nest_end(msg, nl_band);
2235 
2236 			if (state->split) {
2237 				/* start again here */
2238 				if (state->chan_start)
2239 					band--;
2240 				break;
2241 			}
2242 		}
2243 		nla_nest_end(msg, nl_bands);
2244 
2245 		if (band < NUM_NL80211_BANDS)
2246 			state->band_start = band + 1;
2247 		else
2248 			state->band_start = 0;
2249 
2250 		/* if bands & channels are done, continue outside */
2251 		if (state->band_start == 0 && state->chan_start == 0)
2252 			state->split_start++;
2253 		if (state->split)
2254 			break;
2255 		/* fall through */
2256 	case 4:
2257 		nl_cmds = nla_nest_start_noflag(msg,
2258 						NL80211_ATTR_SUPPORTED_COMMANDS);
2259 		if (!nl_cmds)
2260 			goto nla_put_failure;
2261 
2262 		i = nl80211_add_commands_unsplit(rdev, msg);
2263 		if (i < 0)
2264 			goto nla_put_failure;
2265 		if (state->split) {
2266 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2267 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2268 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2269 				CMD(channel_switch, CHANNEL_SWITCH);
2270 			CMD(set_qos_map, SET_QOS_MAP);
2271 			if (rdev->wiphy.features &
2272 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2273 				CMD(add_tx_ts, ADD_TX_TS);
2274 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2275 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2276 			CMD(update_ft_ies, UPDATE_FT_IES);
2277 		}
2278 #undef CMD
2279 
2280 		nla_nest_end(msg, nl_cmds);
2281 		state->split_start++;
2282 		if (state->split)
2283 			break;
2284 		/* fall through */
2285 	case 5:
2286 		if (rdev->ops->remain_on_channel &&
2287 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2288 		    nla_put_u32(msg,
2289 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2290 				rdev->wiphy.max_remain_on_channel_duration))
2291 			goto nla_put_failure;
2292 
2293 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2294 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2295 			goto nla_put_failure;
2296 
2297 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2298 			goto nla_put_failure;
2299 		state->split_start++;
2300 		if (state->split)
2301 			break;
2302 		/* fall through */
2303 	case 6:
2304 #ifdef CONFIG_PM
2305 		if (nl80211_send_wowlan(msg, rdev, state->split))
2306 			goto nla_put_failure;
2307 		state->split_start++;
2308 		if (state->split)
2309 			break;
2310 #else
2311 		state->split_start++;
2312 #endif
2313 		/* fall through */
2314 	case 7:
2315 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2316 					rdev->wiphy.software_iftypes))
2317 			goto nla_put_failure;
2318 
2319 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2320 						   state->split))
2321 			goto nla_put_failure;
2322 
2323 		state->split_start++;
2324 		if (state->split)
2325 			break;
2326 		/* fall through */
2327 	case 8:
2328 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2329 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2330 				rdev->wiphy.ap_sme_capa))
2331 			goto nla_put_failure;
2332 
2333 		features = rdev->wiphy.features;
2334 		/*
2335 		 * We can only add the per-channel limit information if the
2336 		 * dump is split, otherwise it makes it too big. Therefore
2337 		 * only advertise it in that case.
2338 		 */
2339 		if (state->split)
2340 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2341 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2342 			goto nla_put_failure;
2343 
2344 		if (rdev->wiphy.ht_capa_mod_mask &&
2345 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2346 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2347 			    rdev->wiphy.ht_capa_mod_mask))
2348 			goto nla_put_failure;
2349 
2350 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2351 		    rdev->wiphy.max_acl_mac_addrs &&
2352 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2353 				rdev->wiphy.max_acl_mac_addrs))
2354 			goto nla_put_failure;
2355 
2356 		/*
2357 		 * Any information below this point is only available to
2358 		 * applications that can deal with it being split. This
2359 		 * helps ensure that newly added capabilities don't break
2360 		 * older tools by overrunning their buffers.
2361 		 *
2362 		 * We still increment split_start so that in the split
2363 		 * case we'll continue with more data in the next round,
2364 		 * but break unconditionally so unsplit data stops here.
2365 		 */
2366 		state->split_start++;
2367 		break;
2368 	case 9:
2369 		if (rdev->wiphy.extended_capabilities &&
2370 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2371 			     rdev->wiphy.extended_capabilities_len,
2372 			     rdev->wiphy.extended_capabilities) ||
2373 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2374 			     rdev->wiphy.extended_capabilities_len,
2375 			     rdev->wiphy.extended_capabilities_mask)))
2376 			goto nla_put_failure;
2377 
2378 		if (rdev->wiphy.vht_capa_mod_mask &&
2379 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2380 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2381 			    rdev->wiphy.vht_capa_mod_mask))
2382 			goto nla_put_failure;
2383 
2384 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2385 			    rdev->wiphy.perm_addr))
2386 			goto nla_put_failure;
2387 
2388 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2389 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2390 			    rdev->wiphy.addr_mask))
2391 			goto nla_put_failure;
2392 
2393 		if (rdev->wiphy.n_addresses > 1) {
2394 			void *attr;
2395 
2396 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2397 			if (!attr)
2398 				goto nla_put_failure;
2399 
2400 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2401 				if (nla_put(msg, i + 1, ETH_ALEN,
2402 					    rdev->wiphy.addresses[i].addr))
2403 					goto nla_put_failure;
2404 
2405 			nla_nest_end(msg, attr);
2406 		}
2407 
2408 		state->split_start++;
2409 		break;
2410 	case 10:
2411 		if (nl80211_send_coalesce(msg, rdev))
2412 			goto nla_put_failure;
2413 
2414 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2415 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2416 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2417 			goto nla_put_failure;
2418 
2419 		if (rdev->wiphy.max_ap_assoc_sta &&
2420 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2421 				rdev->wiphy.max_ap_assoc_sta))
2422 			goto nla_put_failure;
2423 
2424 		state->split_start++;
2425 		break;
2426 	case 11:
2427 		if (rdev->wiphy.n_vendor_commands) {
2428 			const struct nl80211_vendor_cmd_info *info;
2429 			struct nlattr *nested;
2430 
2431 			nested = nla_nest_start_noflag(msg,
2432 						       NL80211_ATTR_VENDOR_DATA);
2433 			if (!nested)
2434 				goto nla_put_failure;
2435 
2436 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2437 				info = &rdev->wiphy.vendor_commands[i].info;
2438 				if (nla_put(msg, i + 1, sizeof(*info), info))
2439 					goto nla_put_failure;
2440 			}
2441 			nla_nest_end(msg, nested);
2442 		}
2443 
2444 		if (rdev->wiphy.n_vendor_events) {
2445 			const struct nl80211_vendor_cmd_info *info;
2446 			struct nlattr *nested;
2447 
2448 			nested = nla_nest_start_noflag(msg,
2449 						       NL80211_ATTR_VENDOR_EVENTS);
2450 			if (!nested)
2451 				goto nla_put_failure;
2452 
2453 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2454 				info = &rdev->wiphy.vendor_events[i];
2455 				if (nla_put(msg, i + 1, sizeof(*info), info))
2456 					goto nla_put_failure;
2457 			}
2458 			nla_nest_end(msg, nested);
2459 		}
2460 		state->split_start++;
2461 		break;
2462 	case 12:
2463 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2464 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2465 			       rdev->wiphy.max_num_csa_counters))
2466 			goto nla_put_failure;
2467 
2468 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2469 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2470 			goto nla_put_failure;
2471 
2472 		if (rdev->wiphy.max_sched_scan_reqs &&
2473 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2474 				rdev->wiphy.max_sched_scan_reqs))
2475 			goto nla_put_failure;
2476 
2477 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2478 			    sizeof(rdev->wiphy.ext_features),
2479 			    rdev->wiphy.ext_features))
2480 			goto nla_put_failure;
2481 
2482 		if (rdev->wiphy.bss_select_support) {
2483 			struct nlattr *nested;
2484 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2485 
2486 			nested = nla_nest_start_noflag(msg,
2487 						       NL80211_ATTR_BSS_SELECT);
2488 			if (!nested)
2489 				goto nla_put_failure;
2490 
2491 			i = 0;
2492 			while (bss_select_support) {
2493 				if ((bss_select_support & 1) &&
2494 				    nla_put_flag(msg, i))
2495 					goto nla_put_failure;
2496 				i++;
2497 				bss_select_support >>= 1;
2498 			}
2499 			nla_nest_end(msg, nested);
2500 		}
2501 
2502 		state->split_start++;
2503 		break;
2504 	case 13:
2505 		if (rdev->wiphy.num_iftype_ext_capab &&
2506 		    rdev->wiphy.iftype_ext_capab) {
2507 			struct nlattr *nested_ext_capab, *nested;
2508 
2509 			nested = nla_nest_start_noflag(msg,
2510 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2511 			if (!nested)
2512 				goto nla_put_failure;
2513 
2514 			for (i = state->capa_start;
2515 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2516 				const struct wiphy_iftype_ext_capab *capab;
2517 
2518 				capab = &rdev->wiphy.iftype_ext_capab[i];
2519 
2520 				nested_ext_capab = nla_nest_start_noflag(msg,
2521 									 i);
2522 				if (!nested_ext_capab ||
2523 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2524 						capab->iftype) ||
2525 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2526 					    capab->extended_capabilities_len,
2527 					    capab->extended_capabilities) ||
2528 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2529 					    capab->extended_capabilities_len,
2530 					    capab->extended_capabilities_mask))
2531 					goto nla_put_failure;
2532 
2533 				nla_nest_end(msg, nested_ext_capab);
2534 				if (state->split)
2535 					break;
2536 			}
2537 			nla_nest_end(msg, nested);
2538 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2539 				state->capa_start = i + 1;
2540 				break;
2541 			}
2542 		}
2543 
2544 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2545 				rdev->wiphy.nan_supported_bands))
2546 			goto nla_put_failure;
2547 
2548 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2549 					    NL80211_EXT_FEATURE_TXQS)) {
2550 			struct cfg80211_txq_stats txqstats = {};
2551 			int res;
2552 
2553 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2554 			if (!res &&
2555 			    !nl80211_put_txq_stats(msg, &txqstats,
2556 						   NL80211_ATTR_TXQ_STATS))
2557 				goto nla_put_failure;
2558 
2559 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2560 					rdev->wiphy.txq_limit))
2561 				goto nla_put_failure;
2562 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2563 					rdev->wiphy.txq_memory_limit))
2564 				goto nla_put_failure;
2565 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2566 					rdev->wiphy.txq_quantum))
2567 				goto nla_put_failure;
2568 		}
2569 
2570 		state->split_start++;
2571 		break;
2572 	case 14:
2573 		if (nl80211_send_pmsr_capa(rdev, msg))
2574 			goto nla_put_failure;
2575 
2576 		state->split_start++;
2577 		break;
2578 	case 15:
2579 		if (rdev->wiphy.akm_suites &&
2580 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2581 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2582 			    rdev->wiphy.akm_suites))
2583 			goto nla_put_failure;
2584 
2585 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2586 			goto nla_put_failure;
2587 
2588 		if (nl80211_put_tid_config_support(rdev, msg))
2589 			goto nla_put_failure;
2590 
2591 		/* done */
2592 		state->split_start = 0;
2593 		break;
2594 	}
2595  finish:
2596 	genlmsg_end(msg, hdr);
2597 	return 0;
2598 
2599  nla_put_failure:
2600 	genlmsg_cancel(msg, hdr);
2601 	return -EMSGSIZE;
2602 }
2603 
2604 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
2605 				    struct netlink_callback *cb,
2606 				    struct nl80211_dump_wiphy_state *state)
2607 {
2608 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
2609 	int ret;
2610 
2611 	if (!tb)
2612 		return -ENOMEM;
2613 
2614 	ret = nlmsg_parse_deprecated(cb->nlh,
2615 				     GENL_HDRLEN + nl80211_fam.hdrsize,
2616 				     tb, nl80211_fam.maxattr,
2617 				     nl80211_policy, NULL);
2618 	/* ignore parse errors for backward compatibility */
2619 	if (ret) {
2620 		ret = 0;
2621 		goto out;
2622 	}
2623 
2624 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
2625 	if (tb[NL80211_ATTR_WIPHY])
2626 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
2627 	if (tb[NL80211_ATTR_WDEV])
2628 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
2629 	if (tb[NL80211_ATTR_IFINDEX]) {
2630 		struct net_device *netdev;
2631 		struct cfg80211_registered_device *rdev;
2632 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
2633 
2634 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
2635 		if (!netdev) {
2636 			ret = -ENODEV;
2637 			goto out;
2638 		}
2639 		if (netdev->ieee80211_ptr) {
2640 			rdev = wiphy_to_rdev(
2641 				netdev->ieee80211_ptr->wiphy);
2642 			state->filter_wiphy = rdev->wiphy_idx;
2643 		}
2644 	}
2645 
2646 	ret = 0;
2647 out:
2648 	kfree(tb);
2649 	return ret;
2650 }
2651 
2652 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
2653 {
2654 	int idx = 0, ret;
2655 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
2656 	struct cfg80211_registered_device *rdev;
2657 
2658 	rtnl_lock();
2659 	if (!state) {
2660 		state = kzalloc(sizeof(*state), GFP_KERNEL);
2661 		if (!state) {
2662 			rtnl_unlock();
2663 			return -ENOMEM;
2664 		}
2665 		state->filter_wiphy = -1;
2666 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
2667 		if (ret) {
2668 			kfree(state);
2669 			rtnl_unlock();
2670 			return ret;
2671 		}
2672 		cb->args[0] = (long)state;
2673 	}
2674 
2675 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
2676 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
2677 			continue;
2678 		if (++idx <= state->start)
2679 			continue;
2680 		if (state->filter_wiphy != -1 &&
2681 		    state->filter_wiphy != rdev->wiphy_idx)
2682 			continue;
2683 		/* attempt to fit multiple wiphy data chunks into the skb */
2684 		do {
2685 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
2686 						 skb,
2687 						 NETLINK_CB(cb->skb).portid,
2688 						 cb->nlh->nlmsg_seq,
2689 						 NLM_F_MULTI, state);
2690 			if (ret < 0) {
2691 				/*
2692 				 * If sending the wiphy data didn't fit (ENOBUFS
2693 				 * or EMSGSIZE returned), this SKB is still
2694 				 * empty (so it's not too big because another
2695 				 * wiphy dataset is already in the skb) and
2696 				 * we've not tried to adjust the dump allocation
2697 				 * yet ... then adjust the alloc size to be
2698 				 * bigger, and return 1 but with the empty skb.
2699 				 * This results in an empty message being RX'ed
2700 				 * in userspace, but that is ignored.
2701 				 *
2702 				 * We can then retry with the larger buffer.
2703 				 */
2704 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2705 				    !skb->len && !state->split &&
2706 				    cb->min_dump_alloc < 4096) {
2707 					cb->min_dump_alloc = 4096;
2708 					state->split_start = 0;
2709 					rtnl_unlock();
2710 					return 1;
2711 				}
2712 				idx--;
2713 				break;
2714 			}
2715 		} while (state->split_start > 0);
2716 		break;
2717 	}
2718 	rtnl_unlock();
2719 
2720 	state->start = idx;
2721 
2722 	return skb->len;
2723 }
2724 
2725 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
2726 {
2727 	kfree((void *)cb->args[0]);
2728 	return 0;
2729 }
2730 
2731 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
2732 {
2733 	struct sk_buff *msg;
2734 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2735 	struct nl80211_dump_wiphy_state state = {};
2736 
2737 	msg = nlmsg_new(4096, GFP_KERNEL);
2738 	if (!msg)
2739 		return -ENOMEM;
2740 
2741 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
2742 			       info->snd_portid, info->snd_seq, 0,
2743 			       &state) < 0) {
2744 		nlmsg_free(msg);
2745 		return -ENOBUFS;
2746 	}
2747 
2748 	return genlmsg_reply(msg, info);
2749 }
2750 
2751 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
2752 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
2753 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
2754 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
2755 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
2756 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
2757 };
2758 
2759 static int parse_txq_params(struct nlattr *tb[],
2760 			    struct ieee80211_txq_params *txq_params)
2761 {
2762 	u8 ac;
2763 
2764 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
2765 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
2766 	    !tb[NL80211_TXQ_ATTR_AIFS])
2767 		return -EINVAL;
2768 
2769 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
2770 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
2771 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
2772 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
2773 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
2774 
2775 	if (ac >= NL80211_NUM_ACS)
2776 		return -EINVAL;
2777 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
2778 	return 0;
2779 }
2780 
2781 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
2782 {
2783 	/*
2784 	 * You can only set the channel explicitly for WDS interfaces,
2785 	 * all others have their channel managed via their respective
2786 	 * "establish a connection" command (connect, join, ...)
2787 	 *
2788 	 * For AP/GO and mesh mode, the channel can be set with the
2789 	 * channel userspace API, but is only stored and passed to the
2790 	 * low-level driver when the AP starts or the mesh is joined.
2791 	 * This is for backward compatibility, userspace can also give
2792 	 * the channel in the start-ap or join-mesh commands instead.
2793 	 *
2794 	 * Monitors are special as they are normally slaved to
2795 	 * whatever else is going on, so they have their own special
2796 	 * operation to set the monitor channel if possible.
2797 	 */
2798 	return !wdev ||
2799 		wdev->iftype == NL80211_IFTYPE_AP ||
2800 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
2801 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
2802 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
2803 }
2804 
2805 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
2806 			  struct genl_info *info,
2807 			  struct cfg80211_chan_def *chandef)
2808 {
2809 	struct netlink_ext_ack *extack = info->extack;
2810 	struct nlattr **attrs = info->attrs;
2811 	u32 control_freq;
2812 
2813 	if (!attrs[NL80211_ATTR_WIPHY_FREQ])
2814 		return -EINVAL;
2815 
2816 	control_freq = nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]);
2817 
2818 	memset(chandef, 0, sizeof(*chandef));
2819 
2820 	chandef->chan = ieee80211_get_channel(&rdev->wiphy, control_freq);
2821 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
2822 	chandef->center_freq1 = control_freq;
2823 	chandef->center_freq2 = 0;
2824 
2825 	/* Primary channel not allowed */
2826 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
2827 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
2828 				    "Channel is disabled");
2829 		return -EINVAL;
2830 	}
2831 
2832 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
2833 		enum nl80211_channel_type chantype;
2834 
2835 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
2836 
2837 		switch (chantype) {
2838 		case NL80211_CHAN_NO_HT:
2839 		case NL80211_CHAN_HT20:
2840 		case NL80211_CHAN_HT40PLUS:
2841 		case NL80211_CHAN_HT40MINUS:
2842 			cfg80211_chandef_create(chandef, chandef->chan,
2843 						chantype);
2844 			/* user input for center_freq is incorrect */
2845 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
2846 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
2847 				NL_SET_ERR_MSG_ATTR(extack,
2848 						    attrs[NL80211_ATTR_CENTER_FREQ1],
2849 						    "bad center frequency 1");
2850 				return -EINVAL;
2851 			}
2852 			/* center_freq2 must be zero */
2853 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
2854 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
2855 				NL_SET_ERR_MSG_ATTR(extack,
2856 						    attrs[NL80211_ATTR_CENTER_FREQ2],
2857 						    "center frequency 2 can't be used");
2858 				return -EINVAL;
2859 			}
2860 			break;
2861 		default:
2862 			NL_SET_ERR_MSG_ATTR(extack,
2863 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
2864 					    "invalid channel type");
2865 			return -EINVAL;
2866 		}
2867 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
2868 		chandef->width =
2869 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
2870 		if (attrs[NL80211_ATTR_CENTER_FREQ1])
2871 			chandef->center_freq1 =
2872 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
2873 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
2874 			chandef->center_freq2 =
2875 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
2876 	}
2877 
2878 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
2879 		chandef->edmg.channels =
2880 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
2881 
2882 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
2883 			chandef->edmg.bw_config =
2884 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
2885 	} else {
2886 		chandef->edmg.bw_config = 0;
2887 		chandef->edmg.channels = 0;
2888 	}
2889 
2890 	if (!cfg80211_chandef_valid(chandef)) {
2891 		NL_SET_ERR_MSG(extack, "invalid channel definition");
2892 		return -EINVAL;
2893 	}
2894 
2895 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
2896 				     IEEE80211_CHAN_DISABLED)) {
2897 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
2898 		return -EINVAL;
2899 	}
2900 
2901 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
2902 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
2903 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
2904 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
2905 		return -EINVAL;
2906 	}
2907 
2908 	return 0;
2909 }
2910 
2911 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
2912 				 struct net_device *dev,
2913 				 struct genl_info *info)
2914 {
2915 	struct cfg80211_chan_def chandef;
2916 	int result;
2917 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
2918 	struct wireless_dev *wdev = NULL;
2919 
2920 	if (dev)
2921 		wdev = dev->ieee80211_ptr;
2922 	if (!nl80211_can_set_dev_channel(wdev))
2923 		return -EOPNOTSUPP;
2924 	if (wdev)
2925 		iftype = wdev->iftype;
2926 
2927 	result = nl80211_parse_chandef(rdev, info, &chandef);
2928 	if (result)
2929 		return result;
2930 
2931 	switch (iftype) {
2932 	case NL80211_IFTYPE_AP:
2933 	case NL80211_IFTYPE_P2P_GO:
2934 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
2935 						   iftype)) {
2936 			result = -EINVAL;
2937 			break;
2938 		}
2939 		if (wdev->beacon_interval) {
2940 			if (!dev || !rdev->ops->set_ap_chanwidth ||
2941 			    !(rdev->wiphy.features &
2942 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE)) {
2943 				result = -EBUSY;
2944 				break;
2945 			}
2946 
2947 			/* Only allow dynamic channel width changes */
2948 			if (chandef.chan != wdev->preset_chandef.chan) {
2949 				result = -EBUSY;
2950 				break;
2951 			}
2952 			result = rdev_set_ap_chanwidth(rdev, dev, &chandef);
2953 			if (result)
2954 				break;
2955 		}
2956 		wdev->preset_chandef = chandef;
2957 		result = 0;
2958 		break;
2959 	case NL80211_IFTYPE_MESH_POINT:
2960 		result = cfg80211_set_mesh_channel(rdev, wdev, &chandef);
2961 		break;
2962 	case NL80211_IFTYPE_MONITOR:
2963 		result = cfg80211_set_monitor_channel(rdev, &chandef);
2964 		break;
2965 	default:
2966 		result = -EINVAL;
2967 	}
2968 
2969 	return result;
2970 }
2971 
2972 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
2973 {
2974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2975 	struct net_device *netdev = info->user_ptr[1];
2976 
2977 	return __nl80211_set_channel(rdev, netdev, info);
2978 }
2979 
2980 static int nl80211_set_wds_peer(struct sk_buff *skb, struct genl_info *info)
2981 {
2982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
2983 	struct net_device *dev = info->user_ptr[1];
2984 	struct wireless_dev *wdev = dev->ieee80211_ptr;
2985 	const u8 *bssid;
2986 
2987 	if (!info->attrs[NL80211_ATTR_MAC])
2988 		return -EINVAL;
2989 
2990 	if (netif_running(dev))
2991 		return -EBUSY;
2992 
2993 	if (!rdev->ops->set_wds_peer)
2994 		return -EOPNOTSUPP;
2995 
2996 	if (wdev->iftype != NL80211_IFTYPE_WDS)
2997 		return -EOPNOTSUPP;
2998 
2999 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
3000 	return rdev_set_wds_peer(rdev, dev, bssid);
3001 }
3002 
3003 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3004 {
3005 	struct cfg80211_registered_device *rdev;
3006 	struct net_device *netdev = NULL;
3007 	struct wireless_dev *wdev;
3008 	int result = 0, rem_txq_params = 0;
3009 	struct nlattr *nl_txq_params;
3010 	u32 changed;
3011 	u8 retry_short = 0, retry_long = 0;
3012 	u32 frag_threshold = 0, rts_threshold = 0;
3013 	u8 coverage_class = 0;
3014 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3015 
3016 	ASSERT_RTNL();
3017 
3018 	/*
3019 	 * Try to find the wiphy and netdev. Normally this
3020 	 * function shouldn't need the netdev, but this is
3021 	 * done for backward compatibility -- previously
3022 	 * setting the channel was done per wiphy, but now
3023 	 * it is per netdev. Previous userland like hostapd
3024 	 * also passed a netdev to set_wiphy, so that it is
3025 	 * possible to let that go to the right netdev!
3026 	 */
3027 
3028 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3029 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3030 
3031 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3032 		if (netdev && netdev->ieee80211_ptr)
3033 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3034 		else
3035 			netdev = NULL;
3036 	}
3037 
3038 	if (!netdev) {
3039 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3040 						  info->attrs);
3041 		if (IS_ERR(rdev))
3042 			return PTR_ERR(rdev);
3043 		wdev = NULL;
3044 		netdev = NULL;
3045 		result = 0;
3046 	} else
3047 		wdev = netdev->ieee80211_ptr;
3048 
3049 	/*
3050 	 * end workaround code, by now the rdev is available
3051 	 * and locked, and wdev may or may not be NULL.
3052 	 */
3053 
3054 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3055 		result = cfg80211_dev_rename(
3056 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3057 
3058 	if (result)
3059 		return result;
3060 
3061 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3062 		struct ieee80211_txq_params txq_params;
3063 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3064 
3065 		if (!rdev->ops->set_txq_params)
3066 			return -EOPNOTSUPP;
3067 
3068 		if (!netdev)
3069 			return -EINVAL;
3070 
3071 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3072 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
3073 			return -EINVAL;
3074 
3075 		if (!netif_running(netdev))
3076 			return -ENETDOWN;
3077 
3078 		nla_for_each_nested(nl_txq_params,
3079 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3080 				    rem_txq_params) {
3081 			result = nla_parse_nested_deprecated(tb,
3082 							     NL80211_TXQ_ATTR_MAX,
3083 							     nl_txq_params,
3084 							     txq_params_policy,
3085 							     info->extack);
3086 			if (result)
3087 				return result;
3088 			result = parse_txq_params(tb, &txq_params);
3089 			if (result)
3090 				return result;
3091 
3092 			result = rdev_set_txq_params(rdev, netdev,
3093 						     &txq_params);
3094 			if (result)
3095 				return result;
3096 		}
3097 	}
3098 
3099 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3100 		result = __nl80211_set_channel(
3101 			rdev,
3102 			nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3103 			info);
3104 		if (result)
3105 			return result;
3106 	}
3107 
3108 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3109 		struct wireless_dev *txp_wdev = wdev;
3110 		enum nl80211_tx_power_setting type;
3111 		int idx, mbm = 0;
3112 
3113 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3114 			txp_wdev = NULL;
3115 
3116 		if (!rdev->ops->set_tx_power)
3117 			return -EOPNOTSUPP;
3118 
3119 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3120 		type = nla_get_u32(info->attrs[idx]);
3121 
3122 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3123 		    (type != NL80211_TX_POWER_AUTOMATIC))
3124 			return -EINVAL;
3125 
3126 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3127 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3128 			mbm = nla_get_u32(info->attrs[idx]);
3129 		}
3130 
3131 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3132 		if (result)
3133 			return result;
3134 	}
3135 
3136 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3137 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3138 		u32 tx_ant, rx_ant;
3139 
3140 		if ((!rdev->wiphy.available_antennas_tx &&
3141 		     !rdev->wiphy.available_antennas_rx) ||
3142 		    !rdev->ops->set_antenna)
3143 			return -EOPNOTSUPP;
3144 
3145 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3146 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3147 
3148 		/* reject antenna configurations which don't match the
3149 		 * available antenna masks, except for the "all" mask */
3150 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3151 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx)))
3152 			return -EINVAL;
3153 
3154 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3155 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3156 
3157 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3158 		if (result)
3159 			return result;
3160 	}
3161 
3162 	changed = 0;
3163 
3164 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3165 		retry_short = nla_get_u8(
3166 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3167 
3168 		changed |= WIPHY_PARAM_RETRY_SHORT;
3169 	}
3170 
3171 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3172 		retry_long = nla_get_u8(
3173 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3174 
3175 		changed |= WIPHY_PARAM_RETRY_LONG;
3176 	}
3177 
3178 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3179 		frag_threshold = nla_get_u32(
3180 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3181 		if (frag_threshold < 256)
3182 			return -EINVAL;
3183 
3184 		if (frag_threshold != (u32) -1) {
3185 			/*
3186 			 * Fragments (apart from the last one) are required to
3187 			 * have even length. Make the fragmentation code
3188 			 * simpler by stripping LSB should someone try to use
3189 			 * odd threshold value.
3190 			 */
3191 			frag_threshold &= ~0x1;
3192 		}
3193 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3194 	}
3195 
3196 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3197 		rts_threshold = nla_get_u32(
3198 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3199 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3200 	}
3201 
3202 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3203 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK])
3204 			return -EINVAL;
3205 
3206 		coverage_class = nla_get_u8(
3207 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3208 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3209 	}
3210 
3211 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3212 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION))
3213 			return -EOPNOTSUPP;
3214 
3215 		changed |= WIPHY_PARAM_DYN_ACK;
3216 	}
3217 
3218 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3219 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3220 					     NL80211_EXT_FEATURE_TXQS))
3221 			return -EOPNOTSUPP;
3222 		txq_limit = nla_get_u32(
3223 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3224 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3225 	}
3226 
3227 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3228 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3229 					     NL80211_EXT_FEATURE_TXQS))
3230 			return -EOPNOTSUPP;
3231 		txq_memory_limit = nla_get_u32(
3232 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3233 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3234 	}
3235 
3236 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3237 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3238 					     NL80211_EXT_FEATURE_TXQS))
3239 			return -EOPNOTSUPP;
3240 		txq_quantum = nla_get_u32(
3241 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3242 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3243 	}
3244 
3245 	if (changed) {
3246 		u8 old_retry_short, old_retry_long;
3247 		u32 old_frag_threshold, old_rts_threshold;
3248 		u8 old_coverage_class;
3249 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3250 
3251 		if (!rdev->ops->set_wiphy_params)
3252 			return -EOPNOTSUPP;
3253 
3254 		old_retry_short = rdev->wiphy.retry_short;
3255 		old_retry_long = rdev->wiphy.retry_long;
3256 		old_frag_threshold = rdev->wiphy.frag_threshold;
3257 		old_rts_threshold = rdev->wiphy.rts_threshold;
3258 		old_coverage_class = rdev->wiphy.coverage_class;
3259 		old_txq_limit = rdev->wiphy.txq_limit;
3260 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3261 		old_txq_quantum = rdev->wiphy.txq_quantum;
3262 
3263 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3264 			rdev->wiphy.retry_short = retry_short;
3265 		if (changed & WIPHY_PARAM_RETRY_LONG)
3266 			rdev->wiphy.retry_long = retry_long;
3267 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3268 			rdev->wiphy.frag_threshold = frag_threshold;
3269 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3270 			rdev->wiphy.rts_threshold = rts_threshold;
3271 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3272 			rdev->wiphy.coverage_class = coverage_class;
3273 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3274 			rdev->wiphy.txq_limit = txq_limit;
3275 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3276 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3277 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3278 			rdev->wiphy.txq_quantum = txq_quantum;
3279 
3280 		result = rdev_set_wiphy_params(rdev, changed);
3281 		if (result) {
3282 			rdev->wiphy.retry_short = old_retry_short;
3283 			rdev->wiphy.retry_long = old_retry_long;
3284 			rdev->wiphy.frag_threshold = old_frag_threshold;
3285 			rdev->wiphy.rts_threshold = old_rts_threshold;
3286 			rdev->wiphy.coverage_class = old_coverage_class;
3287 			rdev->wiphy.txq_limit = old_txq_limit;
3288 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3289 			rdev->wiphy.txq_quantum = old_txq_quantum;
3290 			return result;
3291 		}
3292 	}
3293 	return 0;
3294 }
3295 
3296 static int nl80211_send_chandef(struct sk_buff *msg,
3297 				const struct cfg80211_chan_def *chandef)
3298 {
3299 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3300 		return -EINVAL;
3301 
3302 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3303 			chandef->chan->center_freq))
3304 		return -ENOBUFS;
3305 	switch (chandef->width) {
3306 	case NL80211_CHAN_WIDTH_20_NOHT:
3307 	case NL80211_CHAN_WIDTH_20:
3308 	case NL80211_CHAN_WIDTH_40:
3309 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3310 				cfg80211_get_chandef_type(chandef)))
3311 			return -ENOBUFS;
3312 		break;
3313 	default:
3314 		break;
3315 	}
3316 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3317 		return -ENOBUFS;
3318 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3319 		return -ENOBUFS;
3320 	if (chandef->center_freq2 &&
3321 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3322 		return -ENOBUFS;
3323 	return 0;
3324 }
3325 
3326 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3327 			      struct cfg80211_registered_device *rdev,
3328 			      struct wireless_dev *wdev,
3329 			      enum nl80211_commands cmd)
3330 {
3331 	struct net_device *dev = wdev->netdev;
3332 	void *hdr;
3333 
3334 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3335 		cmd != NL80211_CMD_DEL_INTERFACE &&
3336 		cmd != NL80211_CMD_SET_INTERFACE);
3337 
3338 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3339 	if (!hdr)
3340 		return -1;
3341 
3342 	if (dev &&
3343 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3344 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3345 		goto nla_put_failure;
3346 
3347 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3348 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3349 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3350 			      NL80211_ATTR_PAD) ||
3351 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3352 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3353 			rdev->devlist_generation ^
3354 			(cfg80211_rdev_list_generation << 2)) ||
3355 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3356 		goto nla_put_failure;
3357 
3358 	if (rdev->ops->get_channel) {
3359 		int ret;
3360 		struct cfg80211_chan_def chandef = {};
3361 
3362 		ret = rdev_get_channel(rdev, wdev, &chandef);
3363 		if (ret == 0) {
3364 			if (nl80211_send_chandef(msg, &chandef))
3365 				goto nla_put_failure;
3366 		}
3367 	}
3368 
3369 	if (rdev->ops->get_tx_power) {
3370 		int dbm, ret;
3371 
3372 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3373 		if (ret == 0 &&
3374 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3375 				DBM_TO_MBM(dbm)))
3376 			goto nla_put_failure;
3377 	}
3378 
3379 	wdev_lock(wdev);
3380 	switch (wdev->iftype) {
3381 	case NL80211_IFTYPE_AP:
3382 		if (wdev->ssid_len &&
3383 		    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
3384 			goto nla_put_failure_locked;
3385 		break;
3386 	case NL80211_IFTYPE_STATION:
3387 	case NL80211_IFTYPE_P2P_CLIENT:
3388 	case NL80211_IFTYPE_ADHOC: {
3389 		const u8 *ssid_ie;
3390 		if (!wdev->current_bss)
3391 			break;
3392 		rcu_read_lock();
3393 		ssid_ie = ieee80211_bss_get_ie(&wdev->current_bss->pub,
3394 					       WLAN_EID_SSID);
3395 		if (ssid_ie &&
3396 		    nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
3397 			goto nla_put_failure_rcu_locked;
3398 		rcu_read_unlock();
3399 		break;
3400 		}
3401 	default:
3402 		/* nothing */
3403 		break;
3404 	}
3405 	wdev_unlock(wdev);
3406 
3407 	if (rdev->ops->get_txq_stats) {
3408 		struct cfg80211_txq_stats txqstats = {};
3409 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3410 
3411 		if (ret == 0 &&
3412 		    !nl80211_put_txq_stats(msg, &txqstats,
3413 					   NL80211_ATTR_TXQ_STATS))
3414 			goto nla_put_failure;
3415 	}
3416 
3417 	genlmsg_end(msg, hdr);
3418 	return 0;
3419 
3420  nla_put_failure_rcu_locked:
3421 	rcu_read_unlock();
3422  nla_put_failure_locked:
3423 	wdev_unlock(wdev);
3424  nla_put_failure:
3425 	genlmsg_cancel(msg, hdr);
3426 	return -EMSGSIZE;
3427 }
3428 
3429 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3430 {
3431 	int wp_idx = 0;
3432 	int if_idx = 0;
3433 	int wp_start = cb->args[0];
3434 	int if_start = cb->args[1];
3435 	int filter_wiphy = -1;
3436 	struct cfg80211_registered_device *rdev;
3437 	struct wireless_dev *wdev;
3438 	int ret;
3439 
3440 	rtnl_lock();
3441 	if (!cb->args[2]) {
3442 		struct nl80211_dump_wiphy_state state = {
3443 			.filter_wiphy = -1,
3444 		};
3445 
3446 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3447 		if (ret)
3448 			goto out_unlock;
3449 
3450 		filter_wiphy = state.filter_wiphy;
3451 
3452 		/*
3453 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3454 		 * value needed to determine that parsing is necessary.
3455 		 */
3456 		if (filter_wiphy >= 0)
3457 			cb->args[2] = filter_wiphy + 1;
3458 		else
3459 			cb->args[2] = -1;
3460 	} else if (cb->args[2] > 0) {
3461 		filter_wiphy = cb->args[2] - 1;
3462 	}
3463 
3464 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3465 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3466 			continue;
3467 		if (wp_idx < wp_start) {
3468 			wp_idx++;
3469 			continue;
3470 		}
3471 
3472 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3473 			continue;
3474 
3475 		if_idx = 0;
3476 
3477 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
3478 			if (if_idx < if_start) {
3479 				if_idx++;
3480 				continue;
3481 			}
3482 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
3483 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
3484 					       rdev, wdev,
3485 					       NL80211_CMD_NEW_INTERFACE) < 0) {
3486 				goto out;
3487 			}
3488 			if_idx++;
3489 		}
3490 
3491 		wp_idx++;
3492 	}
3493  out:
3494 	cb->args[0] = wp_idx;
3495 	cb->args[1] = if_idx;
3496 
3497 	ret = skb->len;
3498  out_unlock:
3499 	rtnl_unlock();
3500 
3501 	return ret;
3502 }
3503 
3504 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
3505 {
3506 	struct sk_buff *msg;
3507 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3508 	struct wireless_dev *wdev = info->user_ptr[1];
3509 
3510 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3511 	if (!msg)
3512 		return -ENOMEM;
3513 
3514 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3515 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3516 		nlmsg_free(msg);
3517 		return -ENOBUFS;
3518 	}
3519 
3520 	return genlmsg_reply(msg, info);
3521 }
3522 
3523 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
3524 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
3525 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
3526 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
3527 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
3528 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
3529 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
3530 };
3531 
3532 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
3533 {
3534 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
3535 	int flag;
3536 
3537 	*mntrflags = 0;
3538 
3539 	if (!nla)
3540 		return -EINVAL;
3541 
3542 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
3543 		return -EINVAL;
3544 
3545 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
3546 		if (flags[flag])
3547 			*mntrflags |= (1<<flag);
3548 
3549 	*mntrflags |= MONITOR_FLAG_CHANGED;
3550 
3551 	return 0;
3552 }
3553 
3554 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
3555 				     enum nl80211_iftype type,
3556 				     struct genl_info *info,
3557 				     struct vif_params *params)
3558 {
3559 	bool change = false;
3560 	int err;
3561 
3562 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
3563 		if (type != NL80211_IFTYPE_MONITOR)
3564 			return -EINVAL;
3565 
3566 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
3567 					  &params->flags);
3568 		if (err)
3569 			return err;
3570 
3571 		change = true;
3572 	}
3573 
3574 	if (params->flags & MONITOR_FLAG_ACTIVE &&
3575 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
3576 		return -EOPNOTSUPP;
3577 
3578 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
3579 		const u8 *mumimo_groups;
3580 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3581 
3582 		if (type != NL80211_IFTYPE_MONITOR)
3583 			return -EINVAL;
3584 
3585 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3586 			return -EOPNOTSUPP;
3587 
3588 		mumimo_groups =
3589 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
3590 
3591 		/* bits 0 and 63 are reserved and must be zero */
3592 		if ((mumimo_groups[0] & BIT(0)) ||
3593 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
3594 			return -EINVAL;
3595 
3596 		params->vht_mumimo_groups = mumimo_groups;
3597 		change = true;
3598 	}
3599 
3600 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
3601 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
3602 
3603 		if (type != NL80211_IFTYPE_MONITOR)
3604 			return -EINVAL;
3605 
3606 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
3607 			return -EOPNOTSUPP;
3608 
3609 		params->vht_mumimo_follow_addr =
3610 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
3611 		change = true;
3612 	}
3613 
3614 	return change ? 1 : 0;
3615 }
3616 
3617 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
3618 			       struct net_device *netdev, u8 use_4addr,
3619 			       enum nl80211_iftype iftype)
3620 {
3621 	if (!use_4addr) {
3622 		if (netdev && netif_is_bridge_port(netdev))
3623 			return -EBUSY;
3624 		return 0;
3625 	}
3626 
3627 	switch (iftype) {
3628 	case NL80211_IFTYPE_AP_VLAN:
3629 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
3630 			return 0;
3631 		break;
3632 	case NL80211_IFTYPE_STATION:
3633 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
3634 			return 0;
3635 		break;
3636 	default:
3637 		break;
3638 	}
3639 
3640 	return -EOPNOTSUPP;
3641 }
3642 
3643 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
3644 {
3645 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3646 	struct vif_params params;
3647 	int err;
3648 	enum nl80211_iftype otype, ntype;
3649 	struct net_device *dev = info->user_ptr[1];
3650 	bool change = false;
3651 
3652 	memset(&params, 0, sizeof(params));
3653 
3654 	otype = ntype = dev->ieee80211_ptr->iftype;
3655 
3656 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
3657 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3658 		if (otype != ntype)
3659 			change = true;
3660 	}
3661 
3662 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
3663 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3664 
3665 		if (ntype != NL80211_IFTYPE_MESH_POINT)
3666 			return -EINVAL;
3667 		if (netif_running(dev))
3668 			return -EBUSY;
3669 
3670 		wdev_lock(wdev);
3671 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3672 			     IEEE80211_MAX_MESH_ID_LEN);
3673 		wdev->mesh_id_up_len =
3674 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3675 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3676 		       wdev->mesh_id_up_len);
3677 		wdev_unlock(wdev);
3678 	}
3679 
3680 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3681 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3682 		change = true;
3683 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
3684 		if (err)
3685 			return err;
3686 	} else {
3687 		params.use_4addr = -1;
3688 	}
3689 
3690 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
3691 	if (err < 0)
3692 		return err;
3693 	if (err > 0)
3694 		change = true;
3695 
3696 	if (change)
3697 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
3698 	else
3699 		err = 0;
3700 
3701 	if (!err && params.use_4addr != -1)
3702 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
3703 
3704 	if (change && !err) {
3705 		struct wireless_dev *wdev = dev->ieee80211_ptr;
3706 
3707 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
3708 	}
3709 
3710 	return err;
3711 }
3712 
3713 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
3714 {
3715 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3716 	struct vif_params params;
3717 	struct wireless_dev *wdev;
3718 	struct sk_buff *msg;
3719 	int err;
3720 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
3721 
3722 	/* to avoid failing a new interface creation due to pending removal */
3723 	cfg80211_destroy_ifaces(rdev);
3724 
3725 	memset(&params, 0, sizeof(params));
3726 
3727 	if (!info->attrs[NL80211_ATTR_IFNAME])
3728 		return -EINVAL;
3729 
3730 	if (info->attrs[NL80211_ATTR_IFTYPE])
3731 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
3732 
3733 	if (!rdev->ops->add_virtual_intf)
3734 		return -EOPNOTSUPP;
3735 
3736 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
3737 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
3738 	    info->attrs[NL80211_ATTR_MAC]) {
3739 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
3740 			   ETH_ALEN);
3741 		if (!is_valid_ether_addr(params.macaddr))
3742 			return -EADDRNOTAVAIL;
3743 	}
3744 
3745 	if (info->attrs[NL80211_ATTR_4ADDR]) {
3746 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
3747 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
3748 		if (err)
3749 			return err;
3750 	}
3751 
3752 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
3753 		return -EOPNOTSUPP;
3754 
3755 	err = nl80211_parse_mon_options(rdev, type, info, &params);
3756 	if (err < 0)
3757 		return err;
3758 
3759 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3760 	if (!msg)
3761 		return -ENOMEM;
3762 
3763 	wdev = rdev_add_virtual_intf(rdev,
3764 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
3765 				NET_NAME_USER, type, &params);
3766 	if (WARN_ON(!wdev)) {
3767 		nlmsg_free(msg);
3768 		return -EPROTO;
3769 	} else if (IS_ERR(wdev)) {
3770 		nlmsg_free(msg);
3771 		return PTR_ERR(wdev);
3772 	}
3773 
3774 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
3775 		wdev->owner_nlportid = info->snd_portid;
3776 
3777 	switch (type) {
3778 	case NL80211_IFTYPE_MESH_POINT:
3779 		if (!info->attrs[NL80211_ATTR_MESH_ID])
3780 			break;
3781 		wdev_lock(wdev);
3782 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
3783 			     IEEE80211_MAX_MESH_ID_LEN);
3784 		wdev->mesh_id_up_len =
3785 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
3786 		memcpy(wdev->ssid, nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
3787 		       wdev->mesh_id_up_len);
3788 		wdev_unlock(wdev);
3789 		break;
3790 	case NL80211_IFTYPE_NAN:
3791 	case NL80211_IFTYPE_P2P_DEVICE:
3792 		/*
3793 		 * P2P Device and NAN do not have a netdev, so don't go
3794 		 * through the netdev notifier and must be added here
3795 		 */
3796 		cfg80211_init_wdev(rdev, wdev);
3797 		break;
3798 	default:
3799 		break;
3800 	}
3801 
3802 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
3803 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
3804 		nlmsg_free(msg);
3805 		return -ENOBUFS;
3806 	}
3807 
3808 	return genlmsg_reply(msg, info);
3809 }
3810 
3811 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
3812 {
3813 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3814 	struct wireless_dev *wdev = info->user_ptr[1];
3815 
3816 	if (!rdev->ops->del_virtual_intf)
3817 		return -EOPNOTSUPP;
3818 
3819 	/*
3820 	 * If we remove a wireless device without a netdev then clear
3821 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
3822 	 * to check if it needs to do dev_put(). Otherwise it crashes
3823 	 * since the wdev has been freed, unlike with a netdev where
3824 	 * we need the dev_put() for the netdev to really be freed.
3825 	 */
3826 	if (!wdev->netdev)
3827 		info->user_ptr[1] = NULL;
3828 
3829 	return rdev_del_virtual_intf(rdev, wdev);
3830 }
3831 
3832 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
3833 {
3834 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3835 	struct net_device *dev = info->user_ptr[1];
3836 	u16 noack_map;
3837 
3838 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
3839 		return -EINVAL;
3840 
3841 	if (!rdev->ops->set_noack_map)
3842 		return -EOPNOTSUPP;
3843 
3844 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
3845 
3846 	return rdev_set_noack_map(rdev, dev, noack_map);
3847 }
3848 
3849 struct get_key_cookie {
3850 	struct sk_buff *msg;
3851 	int error;
3852 	int idx;
3853 };
3854 
3855 static void get_key_callback(void *c, struct key_params *params)
3856 {
3857 	struct nlattr *key;
3858 	struct get_key_cookie *cookie = c;
3859 
3860 	if ((params->key &&
3861 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
3862 		     params->key_len, params->key)) ||
3863 	    (params->seq &&
3864 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
3865 		     params->seq_len, params->seq)) ||
3866 	    (params->cipher &&
3867 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
3868 			 params->cipher)))
3869 		goto nla_put_failure;
3870 
3871 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
3872 	if (!key)
3873 		goto nla_put_failure;
3874 
3875 	if ((params->key &&
3876 	     nla_put(cookie->msg, NL80211_KEY_DATA,
3877 		     params->key_len, params->key)) ||
3878 	    (params->seq &&
3879 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
3880 		     params->seq_len, params->seq)) ||
3881 	    (params->cipher &&
3882 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
3883 			 params->cipher)))
3884 		goto nla_put_failure;
3885 
3886 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
3887 		goto nla_put_failure;
3888 
3889 	nla_nest_end(cookie->msg, key);
3890 
3891 	return;
3892  nla_put_failure:
3893 	cookie->error = 1;
3894 }
3895 
3896 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
3897 {
3898 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3899 	int err;
3900 	struct net_device *dev = info->user_ptr[1];
3901 	u8 key_idx = 0;
3902 	const u8 *mac_addr = NULL;
3903 	bool pairwise;
3904 	struct get_key_cookie cookie = {
3905 		.error = 0,
3906 	};
3907 	void *hdr;
3908 	struct sk_buff *msg;
3909 
3910 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
3911 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
3912 		if (key_idx > 5 &&
3913 		    !wiphy_ext_feature_isset(
3914 			    &rdev->wiphy,
3915 			    NL80211_EXT_FEATURE_BEACON_PROTECTION))
3916 			return -EINVAL;
3917 	}
3918 
3919 	if (info->attrs[NL80211_ATTR_MAC])
3920 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
3921 
3922 	pairwise = !!mac_addr;
3923 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
3924 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
3925 
3926 		if (kt != NL80211_KEYTYPE_GROUP &&
3927 		    kt != NL80211_KEYTYPE_PAIRWISE)
3928 			return -EINVAL;
3929 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
3930 	}
3931 
3932 	if (!rdev->ops->get_key)
3933 		return -EOPNOTSUPP;
3934 
3935 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
3936 		return -ENOENT;
3937 
3938 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3939 	if (!msg)
3940 		return -ENOMEM;
3941 
3942 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
3943 			     NL80211_CMD_NEW_KEY);
3944 	if (!hdr)
3945 		goto nla_put_failure;
3946 
3947 	cookie.msg = msg;
3948 	cookie.idx = key_idx;
3949 
3950 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3951 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
3952 		goto nla_put_failure;
3953 	if (mac_addr &&
3954 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
3955 		goto nla_put_failure;
3956 
3957 	err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
3958 			   get_key_callback);
3959 
3960 	if (err)
3961 		goto free_msg;
3962 
3963 	if (cookie.error)
3964 		goto nla_put_failure;
3965 
3966 	genlmsg_end(msg, hdr);
3967 	return genlmsg_reply(msg, info);
3968 
3969  nla_put_failure:
3970 	err = -ENOBUFS;
3971  free_msg:
3972 	nlmsg_free(msg);
3973 	return err;
3974 }
3975 
3976 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
3977 {
3978 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3979 	struct key_parse key;
3980 	int err;
3981 	struct net_device *dev = info->user_ptr[1];
3982 
3983 	err = nl80211_parse_key(info, &key);
3984 	if (err)
3985 		return err;
3986 
3987 	if (key.idx < 0)
3988 		return -EINVAL;
3989 
3990 	/* Only support setting default key and
3991 	 * Extended Key ID action NL80211_KEY_SET_TX.
3992 	 */
3993 	if (!key.def && !key.defmgmt && !key.defbeacon &&
3994 	    !(key.p.mode == NL80211_KEY_SET_TX))
3995 		return -EINVAL;
3996 
3997 	wdev_lock(dev->ieee80211_ptr);
3998 
3999 	if (key.def) {
4000 		if (!rdev->ops->set_default_key) {
4001 			err = -EOPNOTSUPP;
4002 			goto out;
4003 		}
4004 
4005 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4006 		if (err)
4007 			goto out;
4008 
4009 		err = rdev_set_default_key(rdev, dev, key.idx,
4010 						 key.def_uni, key.def_multi);
4011 
4012 		if (err)
4013 			goto out;
4014 
4015 #ifdef CONFIG_CFG80211_WEXT
4016 		dev->ieee80211_ptr->wext.default_key = key.idx;
4017 #endif
4018 	} else if (key.defmgmt) {
4019 		if (key.def_uni || !key.def_multi) {
4020 			err = -EINVAL;
4021 			goto out;
4022 		}
4023 
4024 		if (!rdev->ops->set_default_mgmt_key) {
4025 			err = -EOPNOTSUPP;
4026 			goto out;
4027 		}
4028 
4029 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4030 		if (err)
4031 			goto out;
4032 
4033 		err = rdev_set_default_mgmt_key(rdev, dev, key.idx);
4034 		if (err)
4035 			goto out;
4036 
4037 #ifdef CONFIG_CFG80211_WEXT
4038 		dev->ieee80211_ptr->wext.default_mgmt_key = key.idx;
4039 #endif
4040 	} else if (key.defbeacon) {
4041 		if (key.def_uni || !key.def_multi) {
4042 			err = -EINVAL;
4043 			goto out;
4044 		}
4045 
4046 		if (!rdev->ops->set_default_beacon_key) {
4047 			err = -EOPNOTSUPP;
4048 			goto out;
4049 		}
4050 
4051 		err = nl80211_key_allowed(dev->ieee80211_ptr);
4052 		if (err)
4053 			goto out;
4054 
4055 		err = rdev_set_default_beacon_key(rdev, dev, key.idx);
4056 		if (err)
4057 			goto out;
4058 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4059 		   wiphy_ext_feature_isset(&rdev->wiphy,
4060 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4061 		u8 *mac_addr = NULL;
4062 
4063 		if (info->attrs[NL80211_ATTR_MAC])
4064 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4065 
4066 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4067 			err = -EINVAL;
4068 			goto out;
4069 		}
4070 
4071 		err = rdev_add_key(rdev, dev, key.idx,
4072 				   NL80211_KEYTYPE_PAIRWISE,
4073 				   mac_addr, &key.p);
4074 	} else {
4075 		err = -EINVAL;
4076 	}
4077  out:
4078 	wdev_unlock(dev->ieee80211_ptr);
4079 
4080 	return err;
4081 }
4082 
4083 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4084 {
4085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4086 	int err;
4087 	struct net_device *dev = info->user_ptr[1];
4088 	struct key_parse key;
4089 	const u8 *mac_addr = NULL;
4090 
4091 	err = nl80211_parse_key(info, &key);
4092 	if (err)
4093 		return err;
4094 
4095 	if (!key.p.key) {
4096 		GENL_SET_ERR_MSG(info, "no key");
4097 		return -EINVAL;
4098 	}
4099 
4100 	if (info->attrs[NL80211_ATTR_MAC])
4101 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4102 
4103 	if (key.type == -1) {
4104 		if (mac_addr)
4105 			key.type = NL80211_KEYTYPE_PAIRWISE;
4106 		else
4107 			key.type = NL80211_KEYTYPE_GROUP;
4108 	}
4109 
4110 	/* for now */
4111 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4112 	    key.type != NL80211_KEYTYPE_GROUP) {
4113 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4114 		return -EINVAL;
4115 	}
4116 
4117 	if (key.type == NL80211_KEYTYPE_GROUP &&
4118 	    info->attrs[NL80211_ATTR_VLAN_ID])
4119 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4120 
4121 	if (!rdev->ops->add_key)
4122 		return -EOPNOTSUPP;
4123 
4124 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4125 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4126 					   mac_addr)) {
4127 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4128 		return -EINVAL;
4129 	}
4130 
4131 	wdev_lock(dev->ieee80211_ptr);
4132 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4133 	if (err)
4134 		GENL_SET_ERR_MSG(info, "key not allowed");
4135 	if (!err) {
4136 		err = rdev_add_key(rdev, dev, key.idx,
4137 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4138 				    mac_addr, &key.p);
4139 		if (err)
4140 			GENL_SET_ERR_MSG(info, "key addition failed");
4141 	}
4142 	wdev_unlock(dev->ieee80211_ptr);
4143 
4144 	return err;
4145 }
4146 
4147 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4148 {
4149 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4150 	int err;
4151 	struct net_device *dev = info->user_ptr[1];
4152 	u8 *mac_addr = NULL;
4153 	struct key_parse key;
4154 
4155 	err = nl80211_parse_key(info, &key);
4156 	if (err)
4157 		return err;
4158 
4159 	if (info->attrs[NL80211_ATTR_MAC])
4160 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4161 
4162 	if (key.type == -1) {
4163 		if (mac_addr)
4164 			key.type = NL80211_KEYTYPE_PAIRWISE;
4165 		else
4166 			key.type = NL80211_KEYTYPE_GROUP;
4167 	}
4168 
4169 	/* for now */
4170 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4171 	    key.type != NL80211_KEYTYPE_GROUP)
4172 		return -EINVAL;
4173 
4174 	if (!rdev->ops->del_key)
4175 		return -EOPNOTSUPP;
4176 
4177 	wdev_lock(dev->ieee80211_ptr);
4178 	err = nl80211_key_allowed(dev->ieee80211_ptr);
4179 
4180 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4181 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4182 		err = -ENOENT;
4183 
4184 	if (!err)
4185 		err = rdev_del_key(rdev, dev, key.idx,
4186 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4187 				   mac_addr);
4188 
4189 #ifdef CONFIG_CFG80211_WEXT
4190 	if (!err) {
4191 		if (key.idx == dev->ieee80211_ptr->wext.default_key)
4192 			dev->ieee80211_ptr->wext.default_key = -1;
4193 		else if (key.idx == dev->ieee80211_ptr->wext.default_mgmt_key)
4194 			dev->ieee80211_ptr->wext.default_mgmt_key = -1;
4195 	}
4196 #endif
4197 	wdev_unlock(dev->ieee80211_ptr);
4198 
4199 	return err;
4200 }
4201 
4202 /* This function returns an error or the number of nested attributes */
4203 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4204 {
4205 	struct nlattr *attr;
4206 	int n_entries = 0, tmp;
4207 
4208 	nla_for_each_nested(attr, nl_attr, tmp) {
4209 		if (nla_len(attr) != ETH_ALEN)
4210 			return -EINVAL;
4211 
4212 		n_entries++;
4213 	}
4214 
4215 	return n_entries;
4216 }
4217 
4218 /*
4219  * This function parses ACL information and allocates memory for ACL data.
4220  * On successful return, the calling function is responsible to free the
4221  * ACL buffer returned by this function.
4222  */
4223 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4224 						struct genl_info *info)
4225 {
4226 	enum nl80211_acl_policy acl_policy;
4227 	struct nlattr *attr;
4228 	struct cfg80211_acl_data *acl;
4229 	int i = 0, n_entries, tmp;
4230 
4231 	if (!wiphy->max_acl_mac_addrs)
4232 		return ERR_PTR(-EOPNOTSUPP);
4233 
4234 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4235 		return ERR_PTR(-EINVAL);
4236 
4237 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4238 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4239 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4240 		return ERR_PTR(-EINVAL);
4241 
4242 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4243 		return ERR_PTR(-EINVAL);
4244 
4245 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4246 	if (n_entries < 0)
4247 		return ERR_PTR(n_entries);
4248 
4249 	if (n_entries > wiphy->max_acl_mac_addrs)
4250 		return ERR_PTR(-ENOTSUPP);
4251 
4252 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4253 	if (!acl)
4254 		return ERR_PTR(-ENOMEM);
4255 
4256 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4257 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4258 		i++;
4259 	}
4260 
4261 	acl->n_acl_entries = n_entries;
4262 	acl->acl_policy = acl_policy;
4263 
4264 	return acl;
4265 }
4266 
4267 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4268 {
4269 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4270 	struct net_device *dev = info->user_ptr[1];
4271 	struct cfg80211_acl_data *acl;
4272 	int err;
4273 
4274 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4275 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4276 		return -EOPNOTSUPP;
4277 
4278 	if (!dev->ieee80211_ptr->beacon_interval)
4279 		return -EINVAL;
4280 
4281 	acl = parse_acl_data(&rdev->wiphy, info);
4282 	if (IS_ERR(acl))
4283 		return PTR_ERR(acl);
4284 
4285 	err = rdev_set_mac_acl(rdev, dev, acl);
4286 
4287 	kfree(acl);
4288 
4289 	return err;
4290 }
4291 
4292 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4293 			   u8 *rates, u8 rates_len)
4294 {
4295 	u8 i;
4296 	u32 mask = 0;
4297 
4298 	for (i = 0; i < rates_len; i++) {
4299 		int rate = (rates[i] & 0x7f) * 5;
4300 		int ridx;
4301 
4302 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4303 			struct ieee80211_rate *srate =
4304 				&sband->bitrates[ridx];
4305 			if (rate == srate->bitrate) {
4306 				mask |= 1 << ridx;
4307 				break;
4308 			}
4309 		}
4310 		if (ridx == sband->n_bitrates)
4311 			return 0; /* rate not found */
4312 	}
4313 
4314 	return mask;
4315 }
4316 
4317 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4318 			       u8 *rates, u8 rates_len,
4319 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4320 {
4321 	u8 i;
4322 
4323 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4324 
4325 	for (i = 0; i < rates_len; i++) {
4326 		int ridx, rbit;
4327 
4328 		ridx = rates[i] / 8;
4329 		rbit = BIT(rates[i] % 8);
4330 
4331 		/* check validity */
4332 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4333 			return false;
4334 
4335 		/* check availability */
4336 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4337 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4338 			mcs[ridx] |= rbit;
4339 		else
4340 			return false;
4341 	}
4342 
4343 	return true;
4344 }
4345 
4346 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4347 {
4348 	u16 mcs_mask = 0;
4349 
4350 	switch (vht_mcs_map) {
4351 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4352 		break;
4353 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4354 		mcs_mask = 0x00FF;
4355 		break;
4356 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4357 		mcs_mask = 0x01FF;
4358 		break;
4359 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4360 		mcs_mask = 0x03FF;
4361 		break;
4362 	default:
4363 		break;
4364 	}
4365 
4366 	return mcs_mask;
4367 }
4368 
4369 static void vht_build_mcs_mask(u16 vht_mcs_map,
4370 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
4371 {
4372 	u8 nss;
4373 
4374 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
4375 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
4376 		vht_mcs_map >>= 2;
4377 	}
4378 }
4379 
4380 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
4381 			     struct nl80211_txrate_vht *txrate,
4382 			     u16 mcs[NL80211_VHT_NSS_MAX])
4383 {
4384 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4385 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
4386 	u8 i;
4387 
4388 	if (!sband->vht_cap.vht_supported)
4389 		return false;
4390 
4391 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
4392 
4393 	/* Build vht_mcs_mask from VHT capabilities */
4394 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
4395 
4396 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4397 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
4398 			mcs[i] = txrate->mcs[i];
4399 		else
4400 			return false;
4401 	}
4402 
4403 	return true;
4404 }
4405 
4406 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
4407 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
4408 				    .len = NL80211_MAX_SUPP_RATES },
4409 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
4410 				.len = NL80211_MAX_SUPP_HT_RATES },
4411 	[NL80211_TXRATE_VHT] = {
4412 		.type = NLA_EXACT_LEN_WARN,
4413 		.len = sizeof(struct nl80211_txrate_vht),
4414 	},
4415 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
4416 };
4417 
4418 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
4419 					 struct cfg80211_bitrate_mask *mask)
4420 {
4421 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
4422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4423 	int rem, i;
4424 	struct nlattr *tx_rates;
4425 	struct ieee80211_supported_band *sband;
4426 	u16 vht_tx_mcs_map;
4427 
4428 	memset(mask, 0, sizeof(*mask));
4429 	/* Default to all rates enabled */
4430 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
4431 		sband = rdev->wiphy.bands[i];
4432 
4433 		if (!sband)
4434 			continue;
4435 
4436 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
4437 		memcpy(mask->control[i].ht_mcs,
4438 		       sband->ht_cap.mcs.rx_mask,
4439 		       sizeof(mask->control[i].ht_mcs));
4440 
4441 		if (!sband->vht_cap.vht_supported)
4442 			continue;
4443 
4444 		vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
4445 		vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
4446 	}
4447 
4448 	/* if no rates are given set it back to the defaults */
4449 	if (!info->attrs[NL80211_ATTR_TX_RATES])
4450 		goto out;
4451 
4452 	/* The nested attribute uses enum nl80211_band as the index. This maps
4453 	 * directly to the enum nl80211_band values used in cfg80211.
4454 	 */
4455 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
4456 	nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
4457 		enum nl80211_band band = nla_type(tx_rates);
4458 		int err;
4459 
4460 		if (band < 0 || band >= NUM_NL80211_BANDS)
4461 			return -EINVAL;
4462 		sband = rdev->wiphy.bands[band];
4463 		if (sband == NULL)
4464 			return -EINVAL;
4465 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
4466 						  tx_rates,
4467 						  nl80211_txattr_policy,
4468 						  info->extack);
4469 		if (err)
4470 			return err;
4471 		if (tb[NL80211_TXRATE_LEGACY]) {
4472 			mask->control[band].legacy = rateset_to_mask(
4473 				sband,
4474 				nla_data(tb[NL80211_TXRATE_LEGACY]),
4475 				nla_len(tb[NL80211_TXRATE_LEGACY]));
4476 			if ((mask->control[band].legacy == 0) &&
4477 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
4478 				return -EINVAL;
4479 		}
4480 		if (tb[NL80211_TXRATE_HT]) {
4481 			if (!ht_rateset_to_mask(
4482 					sband,
4483 					nla_data(tb[NL80211_TXRATE_HT]),
4484 					nla_len(tb[NL80211_TXRATE_HT]),
4485 					mask->control[band].ht_mcs))
4486 				return -EINVAL;
4487 		}
4488 		if (tb[NL80211_TXRATE_VHT]) {
4489 			if (!vht_set_mcs_mask(
4490 					sband,
4491 					nla_data(tb[NL80211_TXRATE_VHT]),
4492 					mask->control[band].vht_mcs))
4493 				return -EINVAL;
4494 		}
4495 		if (tb[NL80211_TXRATE_GI]) {
4496 			mask->control[band].gi =
4497 				nla_get_u8(tb[NL80211_TXRATE_GI]);
4498 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
4499 				return -EINVAL;
4500 		}
4501 
4502 		if (mask->control[band].legacy == 0) {
4503 			/* don't allow empty legacy rates if HT or VHT
4504 			 * are not even supported.
4505 			 */
4506 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
4507 			      rdev->wiphy.bands[band]->vht_cap.vht_supported))
4508 				return -EINVAL;
4509 
4510 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
4511 				if (mask->control[band].ht_mcs[i])
4512 					goto out;
4513 
4514 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
4515 				if (mask->control[band].vht_mcs[i])
4516 					goto out;
4517 
4518 			/* legacy and mcs rates may not be both empty */
4519 			return -EINVAL;
4520 		}
4521 	}
4522 
4523 out:
4524 	return 0;
4525 }
4526 
4527 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
4528 				   enum nl80211_band band,
4529 				   struct cfg80211_bitrate_mask *beacon_rate)
4530 {
4531 	u32 count_ht, count_vht, i;
4532 	u32 rate = beacon_rate->control[band].legacy;
4533 
4534 	/* Allow only one rate */
4535 	if (hweight32(rate) > 1)
4536 		return -EINVAL;
4537 
4538 	count_ht = 0;
4539 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
4540 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
4541 			return -EINVAL;
4542 		} else if (beacon_rate->control[band].ht_mcs[i]) {
4543 			count_ht++;
4544 			if (count_ht > 1)
4545 				return -EINVAL;
4546 		}
4547 		if (count_ht && rate)
4548 			return -EINVAL;
4549 	}
4550 
4551 	count_vht = 0;
4552 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
4553 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
4554 			return -EINVAL;
4555 		} else if (beacon_rate->control[band].vht_mcs[i]) {
4556 			count_vht++;
4557 			if (count_vht > 1)
4558 				return -EINVAL;
4559 		}
4560 		if (count_vht && rate)
4561 			return -EINVAL;
4562 	}
4563 
4564 	if ((count_ht && count_vht) || (!rate && !count_ht && !count_vht))
4565 		return -EINVAL;
4566 
4567 	if (rate &&
4568 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4569 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
4570 		return -EINVAL;
4571 	if (count_ht &&
4572 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4573 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
4574 		return -EINVAL;
4575 	if (count_vht &&
4576 	    !wiphy_ext_feature_isset(&rdev->wiphy,
4577 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
4578 		return -EINVAL;
4579 
4580 	return 0;
4581 }
4582 
4583 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
4584 				struct nlattr *attrs[],
4585 				struct cfg80211_beacon_data *bcn)
4586 {
4587 	bool haveinfo = false;
4588 	int err;
4589 
4590 	memset(bcn, 0, sizeof(*bcn));
4591 
4592 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
4593 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
4594 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
4595 		if (!bcn->head_len)
4596 			return -EINVAL;
4597 		haveinfo = true;
4598 	}
4599 
4600 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
4601 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
4602 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
4603 		haveinfo = true;
4604 	}
4605 
4606 	if (!haveinfo)
4607 		return -EINVAL;
4608 
4609 	if (attrs[NL80211_ATTR_IE]) {
4610 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
4611 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
4612 	}
4613 
4614 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
4615 		bcn->proberesp_ies =
4616 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4617 		bcn->proberesp_ies_len =
4618 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
4619 	}
4620 
4621 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
4622 		bcn->assocresp_ies =
4623 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4624 		bcn->assocresp_ies_len =
4625 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
4626 	}
4627 
4628 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
4629 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
4630 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
4631 	}
4632 
4633 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
4634 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
4635 
4636 		err = nla_parse_nested_deprecated(tb,
4637 						  NL80211_FTM_RESP_ATTR_MAX,
4638 						  attrs[NL80211_ATTR_FTM_RESPONDER],
4639 						  NULL, NULL);
4640 		if (err)
4641 			return err;
4642 
4643 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
4644 		    wiphy_ext_feature_isset(&rdev->wiphy,
4645 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
4646 			bcn->ftm_responder = 1;
4647 		else
4648 			return -EOPNOTSUPP;
4649 
4650 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
4651 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
4652 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
4653 		}
4654 
4655 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
4656 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4657 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
4658 		}
4659 	} else {
4660 		bcn->ftm_responder = -1;
4661 	}
4662 
4663 	return 0;
4664 }
4665 
4666 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
4667 				    struct ieee80211_he_obss_pd *he_obss_pd)
4668 {
4669 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
4670 	int err;
4671 
4672 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
4673 			       he_obss_pd_policy, NULL);
4674 	if (err)
4675 		return err;
4676 
4677 	if (!tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] ||
4678 	    !tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
4679 		return -EINVAL;
4680 
4681 	he_obss_pd->min_offset =
4682 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
4683 	he_obss_pd->max_offset =
4684 		nla_get_u32(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
4685 
4686 	if (he_obss_pd->min_offset >= he_obss_pd->max_offset)
4687 		return -EINVAL;
4688 
4689 	he_obss_pd->enable = true;
4690 
4691 	return 0;
4692 }
4693 
4694 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
4695 				      struct cfg80211_he_bss_color *he_bss_color)
4696 {
4697 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
4698 	int err;
4699 
4700 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
4701 			       he_bss_color_policy, NULL);
4702 	if (err)
4703 		return err;
4704 
4705 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
4706 		return -EINVAL;
4707 
4708 	he_bss_color->color =
4709 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
4710 	he_bss_color->disabled =
4711 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
4712 	he_bss_color->partial =
4713 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
4714 
4715 	return 0;
4716 }
4717 
4718 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
4719 					    const u8 *rates)
4720 {
4721 	int i;
4722 
4723 	if (!rates)
4724 		return;
4725 
4726 	for (i = 0; i < rates[1]; i++) {
4727 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
4728 			params->ht_required = true;
4729 		if (rates[2 + i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
4730 			params->vht_required = true;
4731 	}
4732 }
4733 
4734 /*
4735  * Since the nl80211 API didn't include, from the beginning, attributes about
4736  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
4737  * benefit of drivers that rebuild IEs in the firmware.
4738  */
4739 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
4740 {
4741 	const struct cfg80211_beacon_data *bcn = &params->beacon;
4742 	size_t ies_len = bcn->tail_len;
4743 	const u8 *ies = bcn->tail;
4744 	const u8 *rates;
4745 	const u8 *cap;
4746 
4747 	rates = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies, ies_len);
4748 	nl80211_check_ap_rate_selectors(params, rates);
4749 
4750 	rates = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
4751 	nl80211_check_ap_rate_selectors(params, rates);
4752 
4753 	cap = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies, ies_len);
4754 	if (cap && cap[1] >= sizeof(*params->ht_cap))
4755 		params->ht_cap = (void *)(cap + 2);
4756 	cap = cfg80211_find_ie(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
4757 	if (cap && cap[1] >= sizeof(*params->vht_cap))
4758 		params->vht_cap = (void *)(cap + 2);
4759 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
4760 	if (cap && cap[1] >= sizeof(*params->he_cap) + 1)
4761 		params->he_cap = (void *)(cap + 3);
4762 	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
4763 	if (cap && cap[1] >= sizeof(*params->he_oper) + 1)
4764 		params->he_oper = (void *)(cap + 3);
4765 }
4766 
4767 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
4768 				   struct cfg80211_ap_settings *params)
4769 {
4770 	struct wireless_dev *wdev;
4771 	bool ret = false;
4772 
4773 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4774 		if (wdev->iftype != NL80211_IFTYPE_AP &&
4775 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
4776 			continue;
4777 
4778 		if (!wdev->preset_chandef.chan)
4779 			continue;
4780 
4781 		params->chandef = wdev->preset_chandef;
4782 		ret = true;
4783 		break;
4784 	}
4785 
4786 	return ret;
4787 }
4788 
4789 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
4790 				    enum nl80211_auth_type auth_type,
4791 				    enum nl80211_commands cmd)
4792 {
4793 	if (auth_type > NL80211_AUTHTYPE_MAX)
4794 		return false;
4795 
4796 	switch (cmd) {
4797 	case NL80211_CMD_AUTHENTICATE:
4798 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4799 		    auth_type == NL80211_AUTHTYPE_SAE)
4800 			return false;
4801 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
4802 					     NL80211_EXT_FEATURE_FILS_STA) &&
4803 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4804 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4805 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
4806 			return false;
4807 		return true;
4808 	case NL80211_CMD_CONNECT:
4809 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
4810 		    !wiphy_ext_feature_isset(&rdev->wiphy,
4811 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
4812 		    auth_type == NL80211_AUTHTYPE_SAE)
4813 			return false;
4814 
4815 		/* FILS with SK PFS or PK not supported yet */
4816 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4817 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4818 			return false;
4819 		if (!wiphy_ext_feature_isset(
4820 			    &rdev->wiphy,
4821 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
4822 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
4823 			return false;
4824 		return true;
4825 	case NL80211_CMD_START_AP:
4826 		/* SAE not supported yet */
4827 		if (auth_type == NL80211_AUTHTYPE_SAE)
4828 			return false;
4829 		/* FILS not supported yet */
4830 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
4831 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
4832 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
4833 			return false;
4834 		return true;
4835 	default:
4836 		return false;
4837 	}
4838 }
4839 
4840 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
4841 {
4842 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4843 	struct net_device *dev = info->user_ptr[1];
4844 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4845 	struct cfg80211_ap_settings params;
4846 	int err;
4847 
4848 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4849 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4850 		return -EOPNOTSUPP;
4851 
4852 	if (!rdev->ops->start_ap)
4853 		return -EOPNOTSUPP;
4854 
4855 	if (wdev->beacon_interval)
4856 		return -EALREADY;
4857 
4858 	memset(&params, 0, sizeof(params));
4859 
4860 	/* these are required for START_AP */
4861 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
4862 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
4863 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
4864 		return -EINVAL;
4865 
4866 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon);
4867 	if (err)
4868 		return err;
4869 
4870 	params.beacon_interval =
4871 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
4872 	params.dtim_period =
4873 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
4874 
4875 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
4876 					   params.beacon_interval);
4877 	if (err)
4878 		return err;
4879 
4880 	/*
4881 	 * In theory, some of these attributes should be required here
4882 	 * but since they were not used when the command was originally
4883 	 * added, keep them optional for old user space programs to let
4884 	 * them continue to work with drivers that do not need the
4885 	 * additional information -- drivers must check!
4886 	 */
4887 	if (info->attrs[NL80211_ATTR_SSID]) {
4888 		params.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
4889 		params.ssid_len =
4890 			nla_len(info->attrs[NL80211_ATTR_SSID]);
4891 		if (params.ssid_len == 0 ||
4892 		    params.ssid_len > IEEE80211_MAX_SSID_LEN)
4893 			return -EINVAL;
4894 	}
4895 
4896 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
4897 		params.hidden_ssid = nla_get_u32(
4898 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
4899 
4900 	params.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
4901 
4902 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
4903 		params.auth_type = nla_get_u32(
4904 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
4905 		if (!nl80211_valid_auth_type(rdev, params.auth_type,
4906 					     NL80211_CMD_START_AP))
4907 			return -EINVAL;
4908 	} else
4909 		params.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
4910 
4911 	err = nl80211_crypto_settings(rdev, info, &params.crypto,
4912 				      NL80211_MAX_NR_CIPHER_SUITES);
4913 	if (err)
4914 		return err;
4915 
4916 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
4917 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER))
4918 			return -EOPNOTSUPP;
4919 		params.inactivity_timeout = nla_get_u16(
4920 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
4921 	}
4922 
4923 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
4924 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4925 			return -EINVAL;
4926 		params.p2p_ctwindow =
4927 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
4928 		if (params.p2p_ctwindow != 0 &&
4929 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
4930 			return -EINVAL;
4931 	}
4932 
4933 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
4934 		u8 tmp;
4935 
4936 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4937 			return -EINVAL;
4938 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
4939 		params.p2p_opp_ps = tmp;
4940 		if (params.p2p_opp_ps != 0 &&
4941 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
4942 			return -EINVAL;
4943 	}
4944 
4945 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
4946 		err = nl80211_parse_chandef(rdev, info, &params.chandef);
4947 		if (err)
4948 			return err;
4949 	} else if (wdev->preset_chandef.chan) {
4950 		params.chandef = wdev->preset_chandef;
4951 	} else if (!nl80211_get_ap_channel(rdev, &params))
4952 		return -EINVAL;
4953 
4954 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
4955 					   wdev->iftype))
4956 		return -EINVAL;
4957 
4958 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
4959 		err = nl80211_parse_tx_bitrate_mask(info, &params.beacon_rate);
4960 		if (err)
4961 			return err;
4962 
4963 		err = validate_beacon_tx_rate(rdev, params.chandef.chan->band,
4964 					      &params.beacon_rate);
4965 		if (err)
4966 			return err;
4967 	}
4968 
4969 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
4970 		params.smps_mode =
4971 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
4972 		switch (params.smps_mode) {
4973 		case NL80211_SMPS_OFF:
4974 			break;
4975 		case NL80211_SMPS_STATIC:
4976 			if (!(rdev->wiphy.features &
4977 			      NL80211_FEATURE_STATIC_SMPS))
4978 				return -EINVAL;
4979 			break;
4980 		case NL80211_SMPS_DYNAMIC:
4981 			if (!(rdev->wiphy.features &
4982 			      NL80211_FEATURE_DYNAMIC_SMPS))
4983 				return -EINVAL;
4984 			break;
4985 		default:
4986 			return -EINVAL;
4987 		}
4988 	} else {
4989 		params.smps_mode = NL80211_SMPS_OFF;
4990 	}
4991 
4992 	params.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
4993 	if (params.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ])
4994 		return -EOPNOTSUPP;
4995 
4996 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
4997 		params.acl = parse_acl_data(&rdev->wiphy, info);
4998 		if (IS_ERR(params.acl))
4999 			return PTR_ERR(params.acl);
5000 	}
5001 
5002 	params.twt_responder =
5003 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
5004 
5005 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
5006 		err = nl80211_parse_he_obss_pd(
5007 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
5008 					&params.he_obss_pd);
5009 		goto out;
5010 	}
5011 
5012 	if (info->attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5013 		err = nl80211_parse_he_bss_color(
5014 					info->attrs[NL80211_ATTR_HE_BSS_COLOR],
5015 					&params.he_bss_color);
5016 		if (err)
5017 			return err;
5018 	}
5019 
5020 	nl80211_calculate_ap_params(&params);
5021 
5022 	if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
5023 		params.flags |= AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
5024 
5025 	wdev_lock(wdev);
5026 	err = rdev_start_ap(rdev, dev, &params);
5027 	if (!err) {
5028 		wdev->preset_chandef = params.chandef;
5029 		wdev->beacon_interval = params.beacon_interval;
5030 		wdev->chandef = params.chandef;
5031 		wdev->ssid_len = params.ssid_len;
5032 		memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
5033 
5034 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
5035 			wdev->conn_owner_nlportid = info->snd_portid;
5036 	}
5037 	wdev_unlock(wdev);
5038 
5039 out:
5040 	kfree(params.acl);
5041 
5042 	return err;
5043 }
5044 
5045 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
5046 {
5047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5048 	struct net_device *dev = info->user_ptr[1];
5049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5050 	struct cfg80211_beacon_data params;
5051 	int err;
5052 
5053 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5054 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5055 		return -EOPNOTSUPP;
5056 
5057 	if (!rdev->ops->change_beacon)
5058 		return -EOPNOTSUPP;
5059 
5060 	if (!wdev->beacon_interval)
5061 		return -EINVAL;
5062 
5063 	err = nl80211_parse_beacon(rdev, info->attrs, &params);
5064 	if (err)
5065 		return err;
5066 
5067 	wdev_lock(wdev);
5068 	err = rdev_change_beacon(rdev, dev, &params);
5069 	wdev_unlock(wdev);
5070 
5071 	return err;
5072 }
5073 
5074 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
5075 {
5076 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5077 	struct net_device *dev = info->user_ptr[1];
5078 
5079 	return cfg80211_stop_ap(rdev, dev, false);
5080 }
5081 
5082 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
5083 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
5084 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
5085 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
5086 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
5087 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
5088 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
5089 };
5090 
5091 static int parse_station_flags(struct genl_info *info,
5092 			       enum nl80211_iftype iftype,
5093 			       struct station_parameters *params)
5094 {
5095 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
5096 	struct nlattr *nla;
5097 	int flag;
5098 
5099 	/*
5100 	 * Try parsing the new attribute first so userspace
5101 	 * can specify both for older kernels.
5102 	 */
5103 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
5104 	if (nla) {
5105 		struct nl80211_sta_flag_update *sta_flags;
5106 
5107 		sta_flags = nla_data(nla);
5108 		params->sta_flags_mask = sta_flags->mask;
5109 		params->sta_flags_set = sta_flags->set;
5110 		params->sta_flags_set &= params->sta_flags_mask;
5111 		if ((params->sta_flags_mask |
5112 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
5113 			return -EINVAL;
5114 		return 0;
5115 	}
5116 
5117 	/* if present, parse the old attribute */
5118 
5119 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
5120 	if (!nla)
5121 		return 0;
5122 
5123 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
5124 		return -EINVAL;
5125 
5126 	/*
5127 	 * Only allow certain flags for interface types so that
5128 	 * other attributes are silently ignored. Remember that
5129 	 * this is backward compatibility code with old userspace
5130 	 * and shouldn't be hit in other cases anyway.
5131 	 */
5132 	switch (iftype) {
5133 	case NL80211_IFTYPE_AP:
5134 	case NL80211_IFTYPE_AP_VLAN:
5135 	case NL80211_IFTYPE_P2P_GO:
5136 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5137 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5138 					 BIT(NL80211_STA_FLAG_WME) |
5139 					 BIT(NL80211_STA_FLAG_MFP);
5140 		break;
5141 	case NL80211_IFTYPE_P2P_CLIENT:
5142 	case NL80211_IFTYPE_STATION:
5143 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
5144 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
5145 		break;
5146 	case NL80211_IFTYPE_MESH_POINT:
5147 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5148 					 BIT(NL80211_STA_FLAG_MFP) |
5149 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
5150 		break;
5151 	default:
5152 		return -EINVAL;
5153 	}
5154 
5155 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
5156 		if (flags[flag]) {
5157 			params->sta_flags_set |= (1<<flag);
5158 
5159 			/* no longer support new API additions in old API */
5160 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
5161 				return -EINVAL;
5162 		}
5163 	}
5164 
5165 	return 0;
5166 }
5167 
5168 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
5169 {
5170 	struct nlattr *rate;
5171 	u32 bitrate;
5172 	u16 bitrate_compat;
5173 	enum nl80211_rate_info rate_flg;
5174 
5175 	rate = nla_nest_start_noflag(msg, attr);
5176 	if (!rate)
5177 		return false;
5178 
5179 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
5180 	bitrate = cfg80211_calculate_bitrate(info);
5181 	/* report 16-bit bitrate only if we can */
5182 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
5183 	if (bitrate > 0 &&
5184 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
5185 		return false;
5186 	if (bitrate_compat > 0 &&
5187 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
5188 		return false;
5189 
5190 	switch (info->bw) {
5191 	case RATE_INFO_BW_5:
5192 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
5193 		break;
5194 	case RATE_INFO_BW_10:
5195 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
5196 		break;
5197 	default:
5198 		WARN_ON(1);
5199 		/* fall through */
5200 	case RATE_INFO_BW_20:
5201 		rate_flg = 0;
5202 		break;
5203 	case RATE_INFO_BW_40:
5204 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
5205 		break;
5206 	case RATE_INFO_BW_80:
5207 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
5208 		break;
5209 	case RATE_INFO_BW_160:
5210 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
5211 		break;
5212 	case RATE_INFO_BW_HE_RU:
5213 		rate_flg = 0;
5214 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
5215 	}
5216 
5217 	if (rate_flg && nla_put_flag(msg, rate_flg))
5218 		return false;
5219 
5220 	if (info->flags & RATE_INFO_FLAGS_MCS) {
5221 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
5222 			return false;
5223 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5224 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5225 			return false;
5226 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
5227 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
5228 			return false;
5229 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
5230 			return false;
5231 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
5232 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
5233 			return false;
5234 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
5235 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
5236 			return false;
5237 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
5238 			return false;
5239 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
5240 			return false;
5241 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
5242 			return false;
5243 		if (info->bw == RATE_INFO_BW_HE_RU &&
5244 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
5245 			       info->he_ru_alloc))
5246 			return false;
5247 	}
5248 
5249 	nla_nest_end(msg, rate);
5250 	return true;
5251 }
5252 
5253 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
5254 			       int id)
5255 {
5256 	void *attr;
5257 	int i = 0;
5258 
5259 	if (!mask)
5260 		return true;
5261 
5262 	attr = nla_nest_start_noflag(msg, id);
5263 	if (!attr)
5264 		return false;
5265 
5266 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
5267 		if (!(mask & BIT(i)))
5268 			continue;
5269 
5270 		if (nla_put_u8(msg, i, signal[i]))
5271 			return false;
5272 	}
5273 
5274 	nla_nest_end(msg, attr);
5275 
5276 	return true;
5277 }
5278 
5279 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
5280 				u32 seq, int flags,
5281 				struct cfg80211_registered_device *rdev,
5282 				struct net_device *dev,
5283 				const u8 *mac_addr, struct station_info *sinfo)
5284 {
5285 	void *hdr;
5286 	struct nlattr *sinfoattr, *bss_param;
5287 
5288 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
5289 	if (!hdr) {
5290 		cfg80211_sinfo_release_content(sinfo);
5291 		return -1;
5292 	}
5293 
5294 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
5295 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
5296 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
5297 		goto nla_put_failure;
5298 
5299 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
5300 	if (!sinfoattr)
5301 		goto nla_put_failure;
5302 
5303 #define PUT_SINFO(attr, memb, type) do {				\
5304 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
5305 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5306 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
5307 			     sinfo->memb))				\
5308 		goto nla_put_failure;					\
5309 	} while (0)
5310 #define PUT_SINFO_U64(attr, memb) do {					\
5311 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
5312 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
5313 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
5314 		goto nla_put_failure;					\
5315 	} while (0)
5316 
5317 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
5318 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
5319 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
5320 
5321 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
5322 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
5323 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
5324 			(u32)sinfo->rx_bytes))
5325 		goto nla_put_failure;
5326 
5327 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
5328 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
5329 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
5330 			(u32)sinfo->tx_bytes))
5331 		goto nla_put_failure;
5332 
5333 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
5334 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
5335 	PUT_SINFO(LLID, llid, u16);
5336 	PUT_SINFO(PLID, plid, u16);
5337 	PUT_SINFO(PLINK_STATE, plink_state, u8);
5338 	PUT_SINFO_U64(RX_DURATION, rx_duration);
5339 	PUT_SINFO_U64(TX_DURATION, tx_duration);
5340 
5341 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5342 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
5343 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
5344 
5345 	switch (rdev->wiphy.signal_type) {
5346 	case CFG80211_SIGNAL_TYPE_MBM:
5347 		PUT_SINFO(SIGNAL, signal, u8);
5348 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
5349 		break;
5350 	default:
5351 		break;
5352 	}
5353 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
5354 		if (!nl80211_put_signal(msg, sinfo->chains,
5355 					sinfo->chain_signal,
5356 					NL80211_STA_INFO_CHAIN_SIGNAL))
5357 			goto nla_put_failure;
5358 	}
5359 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
5360 		if (!nl80211_put_signal(msg, sinfo->chains,
5361 					sinfo->chain_signal_avg,
5362 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
5363 			goto nla_put_failure;
5364 	}
5365 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
5366 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
5367 					  NL80211_STA_INFO_TX_BITRATE))
5368 			goto nla_put_failure;
5369 	}
5370 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
5371 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
5372 					  NL80211_STA_INFO_RX_BITRATE))
5373 			goto nla_put_failure;
5374 	}
5375 
5376 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
5377 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
5378 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
5379 	PUT_SINFO(TX_FAILED, tx_failed, u32);
5380 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
5381 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
5382 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
5383 	PUT_SINFO(LOCAL_PM, local_pm, u32);
5384 	PUT_SINFO(PEER_PM, peer_pm, u32);
5385 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
5386 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
5387 
5388 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
5389 		bss_param = nla_nest_start_noflag(msg,
5390 						  NL80211_STA_INFO_BSS_PARAM);
5391 		if (!bss_param)
5392 			goto nla_put_failure;
5393 
5394 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
5395 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
5396 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
5397 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
5398 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
5399 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
5400 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
5401 			       sinfo->bss_param.dtim_period) ||
5402 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
5403 				sinfo->bss_param.beacon_interval))
5404 			goto nla_put_failure;
5405 
5406 		nla_nest_end(msg, bss_param);
5407 	}
5408 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
5409 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
5410 		    sizeof(struct nl80211_sta_flag_update),
5411 		    &sinfo->sta_flags))
5412 		goto nla_put_failure;
5413 
5414 	PUT_SINFO_U64(T_OFFSET, t_offset);
5415 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
5416 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
5417 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
5418 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
5419 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
5420 	if (wiphy_ext_feature_isset(&rdev->wiphy,
5421 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
5422 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
5423 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
5424 	}
5425 
5426 #undef PUT_SINFO
5427 #undef PUT_SINFO_U64
5428 
5429 	if (sinfo->pertid) {
5430 		struct nlattr *tidsattr;
5431 		int tid;
5432 
5433 		tidsattr = nla_nest_start_noflag(msg,
5434 						 NL80211_STA_INFO_TID_STATS);
5435 		if (!tidsattr)
5436 			goto nla_put_failure;
5437 
5438 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
5439 			struct cfg80211_tid_stats *tidstats;
5440 			struct nlattr *tidattr;
5441 
5442 			tidstats = &sinfo->pertid[tid];
5443 
5444 			if (!tidstats->filled)
5445 				continue;
5446 
5447 			tidattr = nla_nest_start_noflag(msg, tid + 1);
5448 			if (!tidattr)
5449 				goto nla_put_failure;
5450 
5451 #define PUT_TIDVAL_U64(attr, memb) do {					\
5452 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
5453 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
5454 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
5455 		goto nla_put_failure;					\
5456 	} while (0)
5457 
5458 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
5459 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
5460 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
5461 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
5462 
5463 #undef PUT_TIDVAL_U64
5464 			if ((tidstats->filled &
5465 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
5466 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
5467 						   NL80211_TID_STATS_TXQ_STATS))
5468 				goto nla_put_failure;
5469 
5470 			nla_nest_end(msg, tidattr);
5471 		}
5472 
5473 		nla_nest_end(msg, tidsattr);
5474 	}
5475 
5476 	nla_nest_end(msg, sinfoattr);
5477 
5478 	if (sinfo->assoc_req_ies_len &&
5479 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
5480 		    sinfo->assoc_req_ies))
5481 		goto nla_put_failure;
5482 
5483 	cfg80211_sinfo_release_content(sinfo);
5484 	genlmsg_end(msg, hdr);
5485 	return 0;
5486 
5487  nla_put_failure:
5488 	cfg80211_sinfo_release_content(sinfo);
5489 	genlmsg_cancel(msg, hdr);
5490 	return -EMSGSIZE;
5491 }
5492 
5493 static int nl80211_dump_station(struct sk_buff *skb,
5494 				struct netlink_callback *cb)
5495 {
5496 	struct station_info sinfo;
5497 	struct cfg80211_registered_device *rdev;
5498 	struct wireless_dev *wdev;
5499 	u8 mac_addr[ETH_ALEN];
5500 	int sta_idx = cb->args[2];
5501 	int err;
5502 
5503 	rtnl_lock();
5504 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
5505 	if (err)
5506 		goto out_err;
5507 
5508 	if (!wdev->netdev) {
5509 		err = -EINVAL;
5510 		goto out_err;
5511 	}
5512 
5513 	if (!rdev->ops->dump_station) {
5514 		err = -EOPNOTSUPP;
5515 		goto out_err;
5516 	}
5517 
5518 	while (1) {
5519 		memset(&sinfo, 0, sizeof(sinfo));
5520 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
5521 					mac_addr, &sinfo);
5522 		if (err == -ENOENT)
5523 			break;
5524 		if (err)
5525 			goto out_err;
5526 
5527 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
5528 				NETLINK_CB(cb->skb).portid,
5529 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
5530 				rdev, wdev->netdev, mac_addr,
5531 				&sinfo) < 0)
5532 			goto out;
5533 
5534 		sta_idx++;
5535 	}
5536 
5537  out:
5538 	cb->args[2] = sta_idx;
5539 	err = skb->len;
5540  out_err:
5541 	rtnl_unlock();
5542 
5543 	return err;
5544 }
5545 
5546 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
5547 {
5548 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5549 	struct net_device *dev = info->user_ptr[1];
5550 	struct station_info sinfo;
5551 	struct sk_buff *msg;
5552 	u8 *mac_addr = NULL;
5553 	int err;
5554 
5555 	memset(&sinfo, 0, sizeof(sinfo));
5556 
5557 	if (!info->attrs[NL80211_ATTR_MAC])
5558 		return -EINVAL;
5559 
5560 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5561 
5562 	if (!rdev->ops->get_station)
5563 		return -EOPNOTSUPP;
5564 
5565 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
5566 	if (err)
5567 		return err;
5568 
5569 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5570 	if (!msg) {
5571 		cfg80211_sinfo_release_content(&sinfo);
5572 		return -ENOMEM;
5573 	}
5574 
5575 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
5576 				 info->snd_portid, info->snd_seq, 0,
5577 				 rdev, dev, mac_addr, &sinfo) < 0) {
5578 		nlmsg_free(msg);
5579 		return -ENOBUFS;
5580 	}
5581 
5582 	return genlmsg_reply(msg, info);
5583 }
5584 
5585 int cfg80211_check_station_change(struct wiphy *wiphy,
5586 				  struct station_parameters *params,
5587 				  enum cfg80211_station_type statype)
5588 {
5589 	if (params->listen_interval != -1 &&
5590 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5591 		return -EINVAL;
5592 
5593 	if (params->support_p2p_ps != -1 &&
5594 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5595 		return -EINVAL;
5596 
5597 	if (params->aid &&
5598 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
5599 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
5600 		return -EINVAL;
5601 
5602 	/* When you run into this, adjust the code below for the new flag */
5603 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
5604 
5605 	switch (statype) {
5606 	case CFG80211_STA_MESH_PEER_KERNEL:
5607 	case CFG80211_STA_MESH_PEER_USER:
5608 		/*
5609 		 * No ignoring the TDLS flag here -- the userspace mesh
5610 		 * code doesn't have the bug of including TDLS in the
5611 		 * mask everywhere.
5612 		 */
5613 		if (params->sta_flags_mask &
5614 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5615 				  BIT(NL80211_STA_FLAG_MFP) |
5616 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
5617 			return -EINVAL;
5618 		break;
5619 	case CFG80211_STA_TDLS_PEER_SETUP:
5620 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5621 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
5622 			return -EINVAL;
5623 		/* ignore since it can't change */
5624 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5625 		break;
5626 	default:
5627 		/* disallow mesh-specific things */
5628 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
5629 			return -EINVAL;
5630 		if (params->local_pm)
5631 			return -EINVAL;
5632 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5633 			return -EINVAL;
5634 	}
5635 
5636 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5637 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
5638 		/* TDLS can't be set, ... */
5639 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
5640 			return -EINVAL;
5641 		/*
5642 		 * ... but don't bother the driver with it. This works around
5643 		 * a hostapd/wpa_supplicant issue -- it always includes the
5644 		 * TLDS_PEER flag in the mask even for AP mode.
5645 		 */
5646 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
5647 	}
5648 
5649 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
5650 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5651 		/* reject other things that can't change */
5652 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
5653 			return -EINVAL;
5654 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
5655 			return -EINVAL;
5656 		if (params->supported_rates)
5657 			return -EINVAL;
5658 		if (params->ext_capab || params->ht_capa || params->vht_capa ||
5659 		    params->he_capa)
5660 			return -EINVAL;
5661 	}
5662 
5663 	if (statype != CFG80211_STA_AP_CLIENT &&
5664 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
5665 		if (params->vlan)
5666 			return -EINVAL;
5667 	}
5668 
5669 	switch (statype) {
5670 	case CFG80211_STA_AP_MLME_CLIENT:
5671 		/* Use this only for authorizing/unauthorizing a station */
5672 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
5673 			return -EOPNOTSUPP;
5674 		break;
5675 	case CFG80211_STA_AP_CLIENT:
5676 	case CFG80211_STA_AP_CLIENT_UNASSOC:
5677 		/* accept only the listed bits */
5678 		if (params->sta_flags_mask &
5679 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5680 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5681 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
5682 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
5683 				  BIT(NL80211_STA_FLAG_WME) |
5684 				  BIT(NL80211_STA_FLAG_MFP)))
5685 			return -EINVAL;
5686 
5687 		/* but authenticated/associated only if driver handles it */
5688 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
5689 		    params->sta_flags_mask &
5690 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
5691 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
5692 			return -EINVAL;
5693 		break;
5694 	case CFG80211_STA_IBSS:
5695 	case CFG80211_STA_AP_STA:
5696 		/* reject any changes other than AUTHORIZED */
5697 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
5698 			return -EINVAL;
5699 		break;
5700 	case CFG80211_STA_TDLS_PEER_SETUP:
5701 		/* reject any changes other than AUTHORIZED or WME */
5702 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
5703 					       BIT(NL80211_STA_FLAG_WME)))
5704 			return -EINVAL;
5705 		/* force (at least) rates when authorizing */
5706 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
5707 		    !params->supported_rates)
5708 			return -EINVAL;
5709 		break;
5710 	case CFG80211_STA_TDLS_PEER_ACTIVE:
5711 		/* reject any changes */
5712 		return -EINVAL;
5713 	case CFG80211_STA_MESH_PEER_KERNEL:
5714 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
5715 			return -EINVAL;
5716 		break;
5717 	case CFG80211_STA_MESH_PEER_USER:
5718 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
5719 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
5720 			return -EINVAL;
5721 		break;
5722 	}
5723 
5724 	/*
5725 	 * Older kernel versions ignored this attribute entirely, so don't
5726 	 * reject attempts to update it but mark it as unused instead so the
5727 	 * driver won't look at the data.
5728 	 */
5729 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
5730 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
5731 		params->opmode_notif_used = false;
5732 
5733 	return 0;
5734 }
5735 EXPORT_SYMBOL(cfg80211_check_station_change);
5736 
5737 /*
5738  * Get vlan interface making sure it is running and on the right wiphy.
5739  */
5740 static struct net_device *get_vlan(struct genl_info *info,
5741 				   struct cfg80211_registered_device *rdev)
5742 {
5743 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
5744 	struct net_device *v;
5745 	int ret;
5746 
5747 	if (!vlanattr)
5748 		return NULL;
5749 
5750 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
5751 	if (!v)
5752 		return ERR_PTR(-ENODEV);
5753 
5754 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
5755 		ret = -EINVAL;
5756 		goto error;
5757 	}
5758 
5759 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
5760 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5761 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
5762 		ret = -EINVAL;
5763 		goto error;
5764 	}
5765 
5766 	if (!netif_running(v)) {
5767 		ret = -ENETDOWN;
5768 		goto error;
5769 	}
5770 
5771 	return v;
5772  error:
5773 	dev_put(v);
5774 	return ERR_PTR(ret);
5775 }
5776 
5777 static const struct nla_policy
5778 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
5779 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
5780 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
5781 };
5782 
5783 static int nl80211_parse_sta_wme(struct genl_info *info,
5784 				 struct station_parameters *params)
5785 {
5786 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
5787 	struct nlattr *nla;
5788 	int err;
5789 
5790 	/* parse WME attributes if present */
5791 	if (!info->attrs[NL80211_ATTR_STA_WME])
5792 		return 0;
5793 
5794 	nla = info->attrs[NL80211_ATTR_STA_WME];
5795 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
5796 					  nl80211_sta_wme_policy,
5797 					  info->extack);
5798 	if (err)
5799 		return err;
5800 
5801 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
5802 		params->uapsd_queues = nla_get_u8(
5803 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
5804 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
5805 		return -EINVAL;
5806 
5807 	if (tb[NL80211_STA_WME_MAX_SP])
5808 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
5809 
5810 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
5811 		return -EINVAL;
5812 
5813 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
5814 
5815 	return 0;
5816 }
5817 
5818 static int nl80211_parse_sta_channel_info(struct genl_info *info,
5819 				      struct station_parameters *params)
5820 {
5821 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
5822 		params->supported_channels =
5823 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5824 		params->supported_channels_len =
5825 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
5826 		/*
5827 		 * Need to include at least one (first channel, number of
5828 		 * channels) tuple for each subband, and must have proper
5829 		 * tuples for the rest of the data as well.
5830 		 */
5831 		if (params->supported_channels_len < 2)
5832 			return -EINVAL;
5833 		if (params->supported_channels_len % 2)
5834 			return -EINVAL;
5835 	}
5836 
5837 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
5838 		params->supported_oper_classes =
5839 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5840 		params->supported_oper_classes_len =
5841 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
5842 		/*
5843 		 * The value of the Length field of the Supported Operating
5844 		 * Classes element is between 2 and 253.
5845 		 */
5846 		if (params->supported_oper_classes_len < 2 ||
5847 		    params->supported_oper_classes_len > 253)
5848 			return -EINVAL;
5849 	}
5850 	return 0;
5851 }
5852 
5853 static int nl80211_set_station_tdls(struct genl_info *info,
5854 				    struct station_parameters *params)
5855 {
5856 	int err;
5857 	/* Dummy STA entry gets updated once the peer capabilities are known */
5858 	if (info->attrs[NL80211_ATTR_PEER_AID])
5859 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
5860 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
5861 		params->ht_capa =
5862 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
5863 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
5864 		params->vht_capa =
5865 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
5866 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
5867 		params->he_capa =
5868 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5869 		params->he_capa_len =
5870 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
5871 
5872 		if (params->he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
5873 			return -EINVAL;
5874 	}
5875 
5876 	err = nl80211_parse_sta_channel_info(info, params);
5877 	if (err)
5878 		return err;
5879 
5880 	return nl80211_parse_sta_wme(info, params);
5881 }
5882 
5883 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
5884 					     struct station_parameters *params)
5885 {
5886 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5887 	int idx;
5888 
5889 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
5890 		if (!rdev->ops->set_tx_power ||
5891 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5892 					 NL80211_EXT_FEATURE_STA_TX_PWR))
5893 			return -EOPNOTSUPP;
5894 
5895 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
5896 		params->txpwr.type = nla_get_u8(info->attrs[idx]);
5897 
5898 		if (params->txpwr.type == NL80211_TX_POWER_LIMITED) {
5899 			idx = NL80211_ATTR_STA_TX_POWER;
5900 
5901 			if (info->attrs[idx])
5902 				params->txpwr.power =
5903 					nla_get_s16(info->attrs[idx]);
5904 			else
5905 				return -EINVAL;
5906 		}
5907 		params->sta_modify_mask |= STATION_PARAM_APPLY_STA_TXPOWER;
5908 	}
5909 
5910 	return 0;
5911 }
5912 
5913 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
5914 {
5915 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5916 	struct net_device *dev = info->user_ptr[1];
5917 	struct station_parameters params;
5918 	u8 *mac_addr;
5919 	int err;
5920 
5921 	memset(&params, 0, sizeof(params));
5922 
5923 	if (!rdev->ops->change_station)
5924 		return -EOPNOTSUPP;
5925 
5926 	/*
5927 	 * AID and listen_interval properties can be set only for unassociated
5928 	 * station. Include these parameters here and will check them in
5929 	 * cfg80211_check_station_change().
5930 	 */
5931 	if (info->attrs[NL80211_ATTR_STA_AID])
5932 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
5933 
5934 	if (info->attrs[NL80211_ATTR_VLAN_ID])
5935 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
5936 
5937 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
5938 		params.listen_interval =
5939 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
5940 	else
5941 		params.listen_interval = -1;
5942 
5943 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
5944 		params.support_p2p_ps =
5945 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
5946 	else
5947 		params.support_p2p_ps = -1;
5948 
5949 	if (!info->attrs[NL80211_ATTR_MAC])
5950 		return -EINVAL;
5951 
5952 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
5953 
5954 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
5955 		params.supported_rates =
5956 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5957 		params.supported_rates_len =
5958 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
5959 	}
5960 
5961 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
5962 		params.capability =
5963 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
5964 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
5965 	}
5966 
5967 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
5968 		params.ext_capab =
5969 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5970 		params.ext_capab_len =
5971 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
5972 	}
5973 
5974 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
5975 		return -EINVAL;
5976 
5977 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
5978 		params.plink_action =
5979 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
5980 
5981 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
5982 		params.plink_state =
5983 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
5984 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
5985 			params.peer_aid = nla_get_u16(
5986 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
5987 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
5988 	}
5989 
5990 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
5991 		params.local_pm = nla_get_u32(
5992 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
5993 
5994 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
5995 		params.opmode_notif_used = true;
5996 		params.opmode_notif =
5997 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
5998 	}
5999 
6000 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6001 		params.airtime_weight =
6002 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6003 
6004 	if (params.airtime_weight &&
6005 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6006 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6007 		return -EOPNOTSUPP;
6008 
6009 	err = nl80211_parse_sta_txpower_setting(info, &params);
6010 	if (err)
6011 		return err;
6012 
6013 	/* Include parameters for TDLS peer (will check later) */
6014 	err = nl80211_set_station_tdls(info, &params);
6015 	if (err)
6016 		return err;
6017 
6018 	params.vlan = get_vlan(info, rdev);
6019 	if (IS_ERR(params.vlan))
6020 		return PTR_ERR(params.vlan);
6021 
6022 	switch (dev->ieee80211_ptr->iftype) {
6023 	case NL80211_IFTYPE_AP:
6024 	case NL80211_IFTYPE_AP_VLAN:
6025 	case NL80211_IFTYPE_P2P_GO:
6026 	case NL80211_IFTYPE_P2P_CLIENT:
6027 	case NL80211_IFTYPE_STATION:
6028 	case NL80211_IFTYPE_ADHOC:
6029 	case NL80211_IFTYPE_MESH_POINT:
6030 		break;
6031 	default:
6032 		err = -EOPNOTSUPP;
6033 		goto out_put_vlan;
6034 	}
6035 
6036 	/* driver will call cfg80211_check_station_change() */
6037 	err = rdev_change_station(rdev, dev, mac_addr, &params);
6038 
6039  out_put_vlan:
6040 	if (params.vlan)
6041 		dev_put(params.vlan);
6042 
6043 	return err;
6044 }
6045 
6046 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
6047 {
6048 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6049 	int err;
6050 	struct net_device *dev = info->user_ptr[1];
6051 	struct station_parameters params;
6052 	u8 *mac_addr = NULL;
6053 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6054 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
6055 
6056 	memset(&params, 0, sizeof(params));
6057 
6058 	if (!rdev->ops->add_station)
6059 		return -EOPNOTSUPP;
6060 
6061 	if (!info->attrs[NL80211_ATTR_MAC])
6062 		return -EINVAL;
6063 
6064 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
6065 		return -EINVAL;
6066 
6067 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
6068 		return -EINVAL;
6069 
6070 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
6071 	    !info->attrs[NL80211_ATTR_PEER_AID])
6072 		return -EINVAL;
6073 
6074 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6075 	params.supported_rates =
6076 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6077 	params.supported_rates_len =
6078 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
6079 	params.listen_interval =
6080 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
6081 
6082 	if (info->attrs[NL80211_ATTR_VLAN_ID])
6083 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
6084 
6085 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
6086 		params.support_p2p_ps =
6087 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
6088 	} else {
6089 		/*
6090 		 * if not specified, assume it's supported for P2P GO interface,
6091 		 * and is NOT supported for AP interface
6092 		 */
6093 		params.support_p2p_ps =
6094 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
6095 	}
6096 
6097 	if (info->attrs[NL80211_ATTR_PEER_AID])
6098 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
6099 	else
6100 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
6101 
6102 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
6103 		params.capability =
6104 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
6105 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
6106 	}
6107 
6108 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
6109 		params.ext_capab =
6110 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6111 		params.ext_capab_len =
6112 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
6113 	}
6114 
6115 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
6116 		params.ht_capa =
6117 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
6118 
6119 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
6120 		params.vht_capa =
6121 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
6122 
6123 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
6124 		params.he_capa =
6125 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6126 		params.he_capa_len =
6127 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
6128 
6129 		/* max len is validated in nla policy */
6130 		if (params.he_capa_len < NL80211_HE_MIN_CAPABILITY_LEN)
6131 			return -EINVAL;
6132 	}
6133 
6134 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
6135 		params.opmode_notif_used = true;
6136 		params.opmode_notif =
6137 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
6138 	}
6139 
6140 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
6141 		params.plink_action =
6142 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
6143 
6144 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
6145 		params.airtime_weight =
6146 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
6147 
6148 	if (params.airtime_weight &&
6149 	    !wiphy_ext_feature_isset(&rdev->wiphy,
6150 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6151 		return -EOPNOTSUPP;
6152 
6153 	err = nl80211_parse_sta_txpower_setting(info, &params);
6154 	if (err)
6155 		return err;
6156 
6157 	err = nl80211_parse_sta_channel_info(info, &params);
6158 	if (err)
6159 		return err;
6160 
6161 	err = nl80211_parse_sta_wme(info, &params);
6162 	if (err)
6163 		return err;
6164 
6165 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
6166 		return -EINVAL;
6167 
6168 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
6169 	 * as userspace might just pass through the capabilities from the IEs
6170 	 * directly, rather than enforcing this restriction and returning an
6171 	 * error in this case.
6172 	 */
6173 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
6174 		params.ht_capa = NULL;
6175 		params.vht_capa = NULL;
6176 
6177 		/* HE requires WME */
6178 		if (params.he_capa_len)
6179 			return -EINVAL;
6180 	}
6181 
6182 	/* When you run into this, adjust the code below for the new flag */
6183 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6184 
6185 	switch (dev->ieee80211_ptr->iftype) {
6186 	case NL80211_IFTYPE_AP:
6187 	case NL80211_IFTYPE_AP_VLAN:
6188 	case NL80211_IFTYPE_P2P_GO:
6189 		/* ignore WME attributes if iface/sta is not capable */
6190 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
6191 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
6192 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6193 
6194 		/* TDLS peers cannot be added */
6195 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6196 		    info->attrs[NL80211_ATTR_PEER_AID])
6197 			return -EINVAL;
6198 		/* but don't bother the driver with it */
6199 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6200 
6201 		/* allow authenticated/associated only if driver handles it */
6202 		if (!(rdev->wiphy.features &
6203 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6204 		    params.sta_flags_mask & auth_assoc)
6205 			return -EINVAL;
6206 
6207 		/* Older userspace, or userspace wanting to be compatible with
6208 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
6209 		 * and assoc flags in the mask, but assumes the station will be
6210 		 * added as associated anyway since this was the required driver
6211 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
6212 		 * introduced.
6213 		 * In order to not bother drivers with this quirk in the API
6214 		 * set the flags in both the mask and set for new stations in
6215 		 * this case.
6216 		 */
6217 		if (!(params.sta_flags_mask & auth_assoc)) {
6218 			params.sta_flags_mask |= auth_assoc;
6219 			params.sta_flags_set |= auth_assoc;
6220 		}
6221 
6222 		/* must be last in here for error handling */
6223 		params.vlan = get_vlan(info, rdev);
6224 		if (IS_ERR(params.vlan))
6225 			return PTR_ERR(params.vlan);
6226 		break;
6227 	case NL80211_IFTYPE_MESH_POINT:
6228 		/* ignore uAPSD data */
6229 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6230 
6231 		/* associated is disallowed */
6232 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
6233 			return -EINVAL;
6234 		/* TDLS peers cannot be added */
6235 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
6236 		    info->attrs[NL80211_ATTR_PEER_AID])
6237 			return -EINVAL;
6238 		break;
6239 	case NL80211_IFTYPE_STATION:
6240 	case NL80211_IFTYPE_P2P_CLIENT:
6241 		/* ignore uAPSD data */
6242 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
6243 
6244 		/* these are disallowed */
6245 		if (params.sta_flags_mask &
6246 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
6247 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
6248 			return -EINVAL;
6249 		/* Only TDLS peers can be added */
6250 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6251 			return -EINVAL;
6252 		/* Can only add if TDLS ... */
6253 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
6254 			return -EOPNOTSUPP;
6255 		/* ... with external setup is supported */
6256 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
6257 			return -EOPNOTSUPP;
6258 		/*
6259 		 * Older wpa_supplicant versions always mark the TDLS peer
6260 		 * as authorized, but it shouldn't yet be.
6261 		 */
6262 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
6263 		break;
6264 	default:
6265 		return -EOPNOTSUPP;
6266 	}
6267 
6268 	/* be aware of params.vlan when changing code here */
6269 
6270 	err = rdev_add_station(rdev, dev, mac_addr, &params);
6271 
6272 	if (params.vlan)
6273 		dev_put(params.vlan);
6274 	return err;
6275 }
6276 
6277 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
6278 {
6279 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6280 	struct net_device *dev = info->user_ptr[1];
6281 	struct station_del_parameters params;
6282 
6283 	memset(&params, 0, sizeof(params));
6284 
6285 	if (info->attrs[NL80211_ATTR_MAC])
6286 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
6287 
6288 	switch (dev->ieee80211_ptr->iftype) {
6289 	case NL80211_IFTYPE_AP:
6290 	case NL80211_IFTYPE_AP_VLAN:
6291 	case NL80211_IFTYPE_MESH_POINT:
6292 	case NL80211_IFTYPE_P2P_GO:
6293 		/* always accept these */
6294 		break;
6295 	case NL80211_IFTYPE_ADHOC:
6296 		/* conditionally accept */
6297 		if (wiphy_ext_feature_isset(&rdev->wiphy,
6298 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
6299 			break;
6300 		return -EINVAL;
6301 	default:
6302 		return -EINVAL;
6303 	}
6304 
6305 	if (!rdev->ops->del_station)
6306 		return -EOPNOTSUPP;
6307 
6308 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
6309 		params.subtype =
6310 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
6311 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
6312 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
6313 			return -EINVAL;
6314 	} else {
6315 		/* Default to Deauthentication frame */
6316 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
6317 	}
6318 
6319 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
6320 		params.reason_code =
6321 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
6322 		if (params.reason_code == 0)
6323 			return -EINVAL; /* 0 is reserved */
6324 	} else {
6325 		/* Default to reason code 2 */
6326 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
6327 	}
6328 
6329 	return rdev_del_station(rdev, dev, &params);
6330 }
6331 
6332 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
6333 				int flags, struct net_device *dev,
6334 				u8 *dst, u8 *next_hop,
6335 				struct mpath_info *pinfo)
6336 {
6337 	void *hdr;
6338 	struct nlattr *pinfoattr;
6339 
6340 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
6341 	if (!hdr)
6342 		return -1;
6343 
6344 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6345 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
6346 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
6347 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
6348 		goto nla_put_failure;
6349 
6350 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
6351 	if (!pinfoattr)
6352 		goto nla_put_failure;
6353 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
6354 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
6355 			pinfo->frame_qlen))
6356 		goto nla_put_failure;
6357 	if (((pinfo->filled & MPATH_INFO_SN) &&
6358 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
6359 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
6360 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
6361 			 pinfo->metric)) ||
6362 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
6363 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
6364 			 pinfo->exptime)) ||
6365 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
6366 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
6367 			pinfo->flags)) ||
6368 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
6369 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
6370 			 pinfo->discovery_timeout)) ||
6371 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
6372 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
6373 			pinfo->discovery_retries)) ||
6374 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
6375 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
6376 			pinfo->hop_count)) ||
6377 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
6378 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
6379 			 pinfo->path_change_count)))
6380 		goto nla_put_failure;
6381 
6382 	nla_nest_end(msg, pinfoattr);
6383 
6384 	genlmsg_end(msg, hdr);
6385 	return 0;
6386 
6387  nla_put_failure:
6388 	genlmsg_cancel(msg, hdr);
6389 	return -EMSGSIZE;
6390 }
6391 
6392 static int nl80211_dump_mpath(struct sk_buff *skb,
6393 			      struct netlink_callback *cb)
6394 {
6395 	struct mpath_info pinfo;
6396 	struct cfg80211_registered_device *rdev;
6397 	struct wireless_dev *wdev;
6398 	u8 dst[ETH_ALEN];
6399 	u8 next_hop[ETH_ALEN];
6400 	int path_idx = cb->args[2];
6401 	int err;
6402 
6403 	rtnl_lock();
6404 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6405 	if (err)
6406 		goto out_err;
6407 
6408 	if (!rdev->ops->dump_mpath) {
6409 		err = -EOPNOTSUPP;
6410 		goto out_err;
6411 	}
6412 
6413 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6414 		err = -EOPNOTSUPP;
6415 		goto out_err;
6416 	}
6417 
6418 	while (1) {
6419 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
6420 				      next_hop, &pinfo);
6421 		if (err == -ENOENT)
6422 			break;
6423 		if (err)
6424 			goto out_err;
6425 
6426 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6427 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6428 				       wdev->netdev, dst, next_hop,
6429 				       &pinfo) < 0)
6430 			goto out;
6431 
6432 		path_idx++;
6433 	}
6434 
6435  out:
6436 	cb->args[2] = path_idx;
6437 	err = skb->len;
6438  out_err:
6439 	rtnl_unlock();
6440 	return err;
6441 }
6442 
6443 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
6444 {
6445 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6446 	int err;
6447 	struct net_device *dev = info->user_ptr[1];
6448 	struct mpath_info pinfo;
6449 	struct sk_buff *msg;
6450 	u8 *dst = NULL;
6451 	u8 next_hop[ETH_ALEN];
6452 
6453 	memset(&pinfo, 0, sizeof(pinfo));
6454 
6455 	if (!info->attrs[NL80211_ATTR_MAC])
6456 		return -EINVAL;
6457 
6458 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6459 
6460 	if (!rdev->ops->get_mpath)
6461 		return -EOPNOTSUPP;
6462 
6463 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6464 		return -EOPNOTSUPP;
6465 
6466 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
6467 	if (err)
6468 		return err;
6469 
6470 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6471 	if (!msg)
6472 		return -ENOMEM;
6473 
6474 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6475 				 dev, dst, next_hop, &pinfo) < 0) {
6476 		nlmsg_free(msg);
6477 		return -ENOBUFS;
6478 	}
6479 
6480 	return genlmsg_reply(msg, info);
6481 }
6482 
6483 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
6484 {
6485 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6486 	struct net_device *dev = info->user_ptr[1];
6487 	u8 *dst = NULL;
6488 	u8 *next_hop = NULL;
6489 
6490 	if (!info->attrs[NL80211_ATTR_MAC])
6491 		return -EINVAL;
6492 
6493 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6494 		return -EINVAL;
6495 
6496 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6497 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6498 
6499 	if (!rdev->ops->change_mpath)
6500 		return -EOPNOTSUPP;
6501 
6502 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6503 		return -EOPNOTSUPP;
6504 
6505 	return rdev_change_mpath(rdev, dev, dst, next_hop);
6506 }
6507 
6508 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
6509 {
6510 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6511 	struct net_device *dev = info->user_ptr[1];
6512 	u8 *dst = NULL;
6513 	u8 *next_hop = NULL;
6514 
6515 	if (!info->attrs[NL80211_ATTR_MAC])
6516 		return -EINVAL;
6517 
6518 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
6519 		return -EINVAL;
6520 
6521 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6522 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
6523 
6524 	if (!rdev->ops->add_mpath)
6525 		return -EOPNOTSUPP;
6526 
6527 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6528 		return -EOPNOTSUPP;
6529 
6530 	return rdev_add_mpath(rdev, dev, dst, next_hop);
6531 }
6532 
6533 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
6534 {
6535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6536 	struct net_device *dev = info->user_ptr[1];
6537 	u8 *dst = NULL;
6538 
6539 	if (info->attrs[NL80211_ATTR_MAC])
6540 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6541 
6542 	if (!rdev->ops->del_mpath)
6543 		return -EOPNOTSUPP;
6544 
6545 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6546 		return -EOPNOTSUPP;
6547 
6548 	return rdev_del_mpath(rdev, dev, dst);
6549 }
6550 
6551 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
6552 {
6553 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6554 	int err;
6555 	struct net_device *dev = info->user_ptr[1];
6556 	struct mpath_info pinfo;
6557 	struct sk_buff *msg;
6558 	u8 *dst = NULL;
6559 	u8 mpp[ETH_ALEN];
6560 
6561 	memset(&pinfo, 0, sizeof(pinfo));
6562 
6563 	if (!info->attrs[NL80211_ATTR_MAC])
6564 		return -EINVAL;
6565 
6566 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
6567 
6568 	if (!rdev->ops->get_mpp)
6569 		return -EOPNOTSUPP;
6570 
6571 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
6572 		return -EOPNOTSUPP;
6573 
6574 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
6575 	if (err)
6576 		return err;
6577 
6578 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6579 	if (!msg)
6580 		return -ENOMEM;
6581 
6582 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
6583 			       dev, dst, mpp, &pinfo) < 0) {
6584 		nlmsg_free(msg);
6585 		return -ENOBUFS;
6586 	}
6587 
6588 	return genlmsg_reply(msg, info);
6589 }
6590 
6591 static int nl80211_dump_mpp(struct sk_buff *skb,
6592 			    struct netlink_callback *cb)
6593 {
6594 	struct mpath_info pinfo;
6595 	struct cfg80211_registered_device *rdev;
6596 	struct wireless_dev *wdev;
6597 	u8 dst[ETH_ALEN];
6598 	u8 mpp[ETH_ALEN];
6599 	int path_idx = cb->args[2];
6600 	int err;
6601 
6602 	rtnl_lock();
6603 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
6604 	if (err)
6605 		goto out_err;
6606 
6607 	if (!rdev->ops->dump_mpp) {
6608 		err = -EOPNOTSUPP;
6609 		goto out_err;
6610 	}
6611 
6612 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
6613 		err = -EOPNOTSUPP;
6614 		goto out_err;
6615 	}
6616 
6617 	while (1) {
6618 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
6619 				    mpp, &pinfo);
6620 		if (err == -ENOENT)
6621 			break;
6622 		if (err)
6623 			goto out_err;
6624 
6625 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
6626 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
6627 				       wdev->netdev, dst, mpp,
6628 				       &pinfo) < 0)
6629 			goto out;
6630 
6631 		path_idx++;
6632 	}
6633 
6634  out:
6635 	cb->args[2] = path_idx;
6636 	err = skb->len;
6637  out_err:
6638 	rtnl_unlock();
6639 	return err;
6640 }
6641 
6642 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
6643 {
6644 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6645 	struct net_device *dev = info->user_ptr[1];
6646 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6647 	struct bss_parameters params;
6648 	int err;
6649 
6650 	memset(&params, 0, sizeof(params));
6651 	/* default to not changing parameters */
6652 	params.use_cts_prot = -1;
6653 	params.use_short_preamble = -1;
6654 	params.use_short_slot_time = -1;
6655 	params.ap_isolate = -1;
6656 	params.ht_opmode = -1;
6657 	params.p2p_ctwindow = -1;
6658 	params.p2p_opp_ps = -1;
6659 
6660 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
6661 		params.use_cts_prot =
6662 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
6663 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
6664 		params.use_short_preamble =
6665 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
6666 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
6667 		params.use_short_slot_time =
6668 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
6669 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
6670 		params.basic_rates =
6671 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6672 		params.basic_rates_len =
6673 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
6674 	}
6675 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
6676 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
6677 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
6678 		params.ht_opmode =
6679 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
6680 
6681 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6682 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6683 			return -EINVAL;
6684 		params.p2p_ctwindow =
6685 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6686 		if (params.p2p_ctwindow != 0 &&
6687 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
6688 			return -EINVAL;
6689 	}
6690 
6691 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6692 		u8 tmp;
6693 
6694 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6695 			return -EINVAL;
6696 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6697 		params.p2p_opp_ps = tmp;
6698 		if (params.p2p_opp_ps &&
6699 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
6700 			return -EINVAL;
6701 	}
6702 
6703 	if (!rdev->ops->change_bss)
6704 		return -EOPNOTSUPP;
6705 
6706 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6707 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6708 		return -EOPNOTSUPP;
6709 
6710 	wdev_lock(wdev);
6711 	err = rdev_change_bss(rdev, dev, &params);
6712 	wdev_unlock(wdev);
6713 
6714 	return err;
6715 }
6716 
6717 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
6718 {
6719 	char *data = NULL;
6720 	bool is_indoor;
6721 	enum nl80211_user_reg_hint_type user_reg_hint_type;
6722 	u32 owner_nlportid;
6723 
6724 	/*
6725 	 * You should only get this when cfg80211 hasn't yet initialized
6726 	 * completely when built-in to the kernel right between the time
6727 	 * window between nl80211_init() and regulatory_init(), if that is
6728 	 * even possible.
6729 	 */
6730 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
6731 		return -EINPROGRESS;
6732 
6733 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
6734 		user_reg_hint_type =
6735 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
6736 	else
6737 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
6738 
6739 	switch (user_reg_hint_type) {
6740 	case NL80211_USER_REG_HINT_USER:
6741 	case NL80211_USER_REG_HINT_CELL_BASE:
6742 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
6743 			return -EINVAL;
6744 
6745 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
6746 		return regulatory_hint_user(data, user_reg_hint_type);
6747 	case NL80211_USER_REG_HINT_INDOOR:
6748 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
6749 			owner_nlportid = info->snd_portid;
6750 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
6751 		} else {
6752 			owner_nlportid = 0;
6753 			is_indoor = true;
6754 		}
6755 
6756 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
6757 	default:
6758 		return -EINVAL;
6759 	}
6760 }
6761 
6762 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
6763 {
6764 	return reg_reload_regdb();
6765 }
6766 
6767 static int nl80211_get_mesh_config(struct sk_buff *skb,
6768 				   struct genl_info *info)
6769 {
6770 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6771 	struct net_device *dev = info->user_ptr[1];
6772 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6773 	struct mesh_config cur_params;
6774 	int err = 0;
6775 	void *hdr;
6776 	struct nlattr *pinfoattr;
6777 	struct sk_buff *msg;
6778 
6779 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
6780 		return -EOPNOTSUPP;
6781 
6782 	if (!rdev->ops->get_mesh_config)
6783 		return -EOPNOTSUPP;
6784 
6785 	wdev_lock(wdev);
6786 	/* If not connected, get default parameters */
6787 	if (!wdev->mesh_id_len)
6788 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
6789 	else
6790 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
6791 	wdev_unlock(wdev);
6792 
6793 	if (err)
6794 		return err;
6795 
6796 	/* Draw up a netlink message to send back */
6797 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6798 	if (!msg)
6799 		return -ENOMEM;
6800 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
6801 			     NL80211_CMD_GET_MESH_CONFIG);
6802 	if (!hdr)
6803 		goto out;
6804 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
6805 	if (!pinfoattr)
6806 		goto nla_put_failure;
6807 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6808 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
6809 			cur_params.dot11MeshRetryTimeout) ||
6810 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
6811 			cur_params.dot11MeshConfirmTimeout) ||
6812 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
6813 			cur_params.dot11MeshHoldingTimeout) ||
6814 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
6815 			cur_params.dot11MeshMaxPeerLinks) ||
6816 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
6817 		       cur_params.dot11MeshMaxRetries) ||
6818 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
6819 		       cur_params.dot11MeshTTL) ||
6820 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
6821 		       cur_params.element_ttl) ||
6822 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6823 		       cur_params.auto_open_plinks) ||
6824 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6825 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
6826 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6827 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
6828 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
6829 			cur_params.path_refresh_time) ||
6830 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
6831 			cur_params.min_discovery_timeout) ||
6832 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
6833 			cur_params.dot11MeshHWMPactivePathTimeout) ||
6834 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
6835 			cur_params.dot11MeshHWMPpreqMinInterval) ||
6836 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
6837 			cur_params.dot11MeshHWMPperrMinInterval) ||
6838 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
6839 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
6840 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
6841 		       cur_params.dot11MeshHWMPRootMode) ||
6842 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
6843 			cur_params.dot11MeshHWMPRannInterval) ||
6844 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
6845 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
6846 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
6847 		       cur_params.dot11MeshForwarding) ||
6848 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
6849 			cur_params.rssi_threshold) ||
6850 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
6851 			cur_params.ht_opmode) ||
6852 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
6853 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
6854 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
6855 			cur_params.dot11MeshHWMProotInterval) ||
6856 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
6857 			cur_params.dot11MeshHWMPconfirmationInterval) ||
6858 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
6859 			cur_params.power_mode) ||
6860 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
6861 			cur_params.dot11MeshAwakeWindowDuration) ||
6862 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
6863 			cur_params.plink_timeout) ||
6864 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
6865 		       cur_params.dot11MeshConnectedToMeshGate))
6866 		goto nla_put_failure;
6867 	nla_nest_end(msg, pinfoattr);
6868 	genlmsg_end(msg, hdr);
6869 	return genlmsg_reply(msg, info);
6870 
6871  nla_put_failure:
6872  out:
6873 	nlmsg_free(msg);
6874 	return -ENOBUFS;
6875 }
6876 
6877 static const struct nla_policy
6878 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
6879 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
6880 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6881 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
6882 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6883 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
6884 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
6885 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
6886 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
6887 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
6888 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6889 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
6890 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
6891 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
6892 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
6893 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
6894 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
6895 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
6896 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
6897 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
6898 		NLA_POLICY_MIN(NLA_U16, 1),
6899 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
6900 		NLA_POLICY_MIN(NLA_U16, 1),
6901 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
6902 		NLA_POLICY_MIN(NLA_U16, 1),
6903 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
6904 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
6905 		NLA_POLICY_MIN(NLA_U16, 1),
6906 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
6907 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
6908 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
6909 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
6910 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
6911 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
6912 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
6913 		NLA_POLICY_MIN(NLA_U16, 1),
6914 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
6915 		NLA_POLICY_MIN(NLA_U16, 1),
6916 	[NL80211_MESHCONF_POWER_MODE] =
6917 		NLA_POLICY_RANGE(NLA_U32,
6918 				 NL80211_MESH_POWER_ACTIVE,
6919 				 NL80211_MESH_POWER_MAX),
6920 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
6921 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
6922 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
6923 };
6924 
6925 static const struct nla_policy
6926 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
6927 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
6928 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
6929 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
6930 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
6931 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
6932 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
6933 	[NL80211_MESH_SETUP_IE] =
6934 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
6935 				       IEEE80211_MAX_DATA_LEN),
6936 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
6937 };
6938 
6939 static int nl80211_parse_mesh_config(struct genl_info *info,
6940 				     struct mesh_config *cfg,
6941 				     u32 *mask_out)
6942 {
6943 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
6944 	u32 mask = 0;
6945 	u16 ht_opmode;
6946 
6947 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
6948 do {									\
6949 	if (tb[attr]) {							\
6950 		cfg->param = fn(tb[attr]);				\
6951 		mask |= BIT((attr) - 1);				\
6952 	}								\
6953 } while (0)
6954 
6955 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
6956 		return -EINVAL;
6957 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
6958 		return -EINVAL;
6959 
6960 	/* This makes sure that there aren't more than 32 mesh config
6961 	 * parameters (otherwise our bitfield scheme would not work.) */
6962 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
6963 
6964 	/* Fill in the params struct */
6965 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
6966 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
6967 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
6968 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
6969 				  nla_get_u16);
6970 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
6971 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
6972 				  nla_get_u16);
6973 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
6974 				  NL80211_MESHCONF_MAX_PEER_LINKS,
6975 				  nla_get_u16);
6976 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
6977 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
6978 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
6979 				  NL80211_MESHCONF_TTL, nla_get_u8);
6980 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
6981 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
6982 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
6983 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
6984 				  nla_get_u8);
6985 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
6986 				  mask,
6987 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
6988 				  nla_get_u32);
6989 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
6990 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
6991 				  nla_get_u8);
6992 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
6993 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
6994 				  nla_get_u32);
6995 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
6996 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
6997 		return -EINVAL;
6998 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
6999 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
7000 				  nla_get_u16);
7001 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
7002 				  mask,
7003 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
7004 				  nla_get_u32);
7005 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
7006 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
7007 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
7008 		return -EINVAL;
7009 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
7010 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
7011 				  nla_get_u16);
7012 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
7013 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
7014 				  nla_get_u16);
7015 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7016 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
7017 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
7018 				  nla_get_u16);
7019 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
7020 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
7021 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
7022 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
7023 				  nla_get_u16);
7024 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
7025 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
7026 				  nla_get_u8);
7027 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
7028 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
7029 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
7030 				  NL80211_MESHCONF_RSSI_THRESHOLD,
7031 				  nla_get_s32);
7032 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
7033 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
7034 				  nla_get_u8);
7035 	/*
7036 	 * Check HT operation mode based on
7037 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
7038 	 */
7039 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
7040 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
7041 
7042 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
7043 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
7044 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
7045 			return -EINVAL;
7046 
7047 		/* NON_HT_STA bit is reserved, but some programs set it */
7048 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
7049 
7050 		cfg->ht_opmode = ht_opmode;
7051 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
7052 	}
7053 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
7054 				  dot11MeshHWMPactivePathToRootTimeout, mask,
7055 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
7056 				  nla_get_u32);
7057 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
7058 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
7059 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
7060 		return -EINVAL;
7061 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
7062 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
7063 				  nla_get_u16);
7064 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
7065 				  mask,
7066 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
7067 				  nla_get_u16);
7068 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
7069 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
7070 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
7071 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
7072 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
7073 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
7074 	if (mask_out)
7075 		*mask_out = mask;
7076 
7077 	return 0;
7078 
7079 #undef FILL_IN_MESH_PARAM_IF_SET
7080 }
7081 
7082 static int nl80211_parse_mesh_setup(struct genl_info *info,
7083 				     struct mesh_setup *setup)
7084 {
7085 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7086 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
7087 
7088 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
7089 		return -EINVAL;
7090 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
7091 		return -EINVAL;
7092 
7093 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
7094 		setup->sync_method =
7095 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
7096 		 IEEE80211_SYNC_METHOD_VENDOR :
7097 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
7098 
7099 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
7100 		setup->path_sel_proto =
7101 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
7102 		 IEEE80211_PATH_PROTOCOL_VENDOR :
7103 		 IEEE80211_PATH_PROTOCOL_HWMP;
7104 
7105 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
7106 		setup->path_metric =
7107 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
7108 		 IEEE80211_PATH_METRIC_VENDOR :
7109 		 IEEE80211_PATH_METRIC_AIRTIME;
7110 
7111 	if (tb[NL80211_MESH_SETUP_IE]) {
7112 		struct nlattr *ieattr =
7113 			tb[NL80211_MESH_SETUP_IE];
7114 		setup->ie = nla_data(ieattr);
7115 		setup->ie_len = nla_len(ieattr);
7116 	}
7117 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
7118 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
7119 		return -EINVAL;
7120 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
7121 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
7122 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
7123 	if (setup->is_secure)
7124 		setup->user_mpm = true;
7125 
7126 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
7127 		if (!setup->user_mpm)
7128 			return -EINVAL;
7129 		setup->auth_id =
7130 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
7131 	}
7132 
7133 	return 0;
7134 }
7135 
7136 static int nl80211_update_mesh_config(struct sk_buff *skb,
7137 				      struct genl_info *info)
7138 {
7139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7140 	struct net_device *dev = info->user_ptr[1];
7141 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7142 	struct mesh_config cfg;
7143 	u32 mask;
7144 	int err;
7145 
7146 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
7147 		return -EOPNOTSUPP;
7148 
7149 	if (!rdev->ops->update_mesh_config)
7150 		return -EOPNOTSUPP;
7151 
7152 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
7153 	if (err)
7154 		return err;
7155 
7156 	wdev_lock(wdev);
7157 	if (!wdev->mesh_id_len)
7158 		err = -ENOLINK;
7159 
7160 	if (!err)
7161 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
7162 
7163 	wdev_unlock(wdev);
7164 
7165 	return err;
7166 }
7167 
7168 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
7169 			      struct sk_buff *msg)
7170 {
7171 	struct nlattr *nl_reg_rules;
7172 	unsigned int i;
7173 
7174 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
7175 	    (regdom->dfs_region &&
7176 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
7177 		goto nla_put_failure;
7178 
7179 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
7180 	if (!nl_reg_rules)
7181 		goto nla_put_failure;
7182 
7183 	for (i = 0; i < regdom->n_reg_rules; i++) {
7184 		struct nlattr *nl_reg_rule;
7185 		const struct ieee80211_reg_rule *reg_rule;
7186 		const struct ieee80211_freq_range *freq_range;
7187 		const struct ieee80211_power_rule *power_rule;
7188 		unsigned int max_bandwidth_khz;
7189 
7190 		reg_rule = &regdom->reg_rules[i];
7191 		freq_range = &reg_rule->freq_range;
7192 		power_rule = &reg_rule->power_rule;
7193 
7194 		nl_reg_rule = nla_nest_start_noflag(msg, i);
7195 		if (!nl_reg_rule)
7196 			goto nla_put_failure;
7197 
7198 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
7199 		if (!max_bandwidth_khz)
7200 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
7201 								  reg_rule);
7202 
7203 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
7204 				reg_rule->flags) ||
7205 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
7206 				freq_range->start_freq_khz) ||
7207 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
7208 				freq_range->end_freq_khz) ||
7209 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
7210 				max_bandwidth_khz) ||
7211 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
7212 				power_rule->max_antenna_gain) ||
7213 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
7214 				power_rule->max_eirp) ||
7215 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
7216 				reg_rule->dfs_cac_ms))
7217 			goto nla_put_failure;
7218 
7219 		nla_nest_end(msg, nl_reg_rule);
7220 	}
7221 
7222 	nla_nest_end(msg, nl_reg_rules);
7223 	return 0;
7224 
7225 nla_put_failure:
7226 	return -EMSGSIZE;
7227 }
7228 
7229 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
7230 {
7231 	const struct ieee80211_regdomain *regdom = NULL;
7232 	struct cfg80211_registered_device *rdev;
7233 	struct wiphy *wiphy = NULL;
7234 	struct sk_buff *msg;
7235 	void *hdr;
7236 
7237 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7238 	if (!msg)
7239 		return -ENOBUFS;
7240 
7241 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
7242 			     NL80211_CMD_GET_REG);
7243 	if (!hdr)
7244 		goto put_failure;
7245 
7246 	if (info->attrs[NL80211_ATTR_WIPHY]) {
7247 		bool self_managed;
7248 
7249 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
7250 		if (IS_ERR(rdev)) {
7251 			nlmsg_free(msg);
7252 			return PTR_ERR(rdev);
7253 		}
7254 
7255 		wiphy = &rdev->wiphy;
7256 		self_managed = wiphy->regulatory_flags &
7257 			       REGULATORY_WIPHY_SELF_MANAGED;
7258 		regdom = get_wiphy_regdom(wiphy);
7259 
7260 		/* a self-managed-reg device must have a private regdom */
7261 		if (WARN_ON(!regdom && self_managed)) {
7262 			nlmsg_free(msg);
7263 			return -EINVAL;
7264 		}
7265 
7266 		if (regdom &&
7267 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7268 			goto nla_put_failure;
7269 	}
7270 
7271 	if (!wiphy && reg_last_request_cell_base() &&
7272 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7273 			NL80211_USER_REG_HINT_CELL_BASE))
7274 		goto nla_put_failure;
7275 
7276 	rcu_read_lock();
7277 
7278 	if (!regdom)
7279 		regdom = rcu_dereference(cfg80211_regdomain);
7280 
7281 	if (nl80211_put_regdom(regdom, msg))
7282 		goto nla_put_failure_rcu;
7283 
7284 	rcu_read_unlock();
7285 
7286 	genlmsg_end(msg, hdr);
7287 	return genlmsg_reply(msg, info);
7288 
7289 nla_put_failure_rcu:
7290 	rcu_read_unlock();
7291 nla_put_failure:
7292 put_failure:
7293 	nlmsg_free(msg);
7294 	return -EMSGSIZE;
7295 }
7296 
7297 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
7298 			       u32 seq, int flags, struct wiphy *wiphy,
7299 			       const struct ieee80211_regdomain *regdom)
7300 {
7301 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
7302 				   NL80211_CMD_GET_REG);
7303 
7304 	if (!hdr)
7305 		return -1;
7306 
7307 	genl_dump_check_consistent(cb, hdr);
7308 
7309 	if (nl80211_put_regdom(regdom, msg))
7310 		goto nla_put_failure;
7311 
7312 	if (!wiphy && reg_last_request_cell_base() &&
7313 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
7314 			NL80211_USER_REG_HINT_CELL_BASE))
7315 		goto nla_put_failure;
7316 
7317 	if (wiphy &&
7318 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
7319 		goto nla_put_failure;
7320 
7321 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
7322 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
7323 		goto nla_put_failure;
7324 
7325 	genlmsg_end(msg, hdr);
7326 	return 0;
7327 
7328 nla_put_failure:
7329 	genlmsg_cancel(msg, hdr);
7330 	return -EMSGSIZE;
7331 }
7332 
7333 static int nl80211_get_reg_dump(struct sk_buff *skb,
7334 				struct netlink_callback *cb)
7335 {
7336 	const struct ieee80211_regdomain *regdom = NULL;
7337 	struct cfg80211_registered_device *rdev;
7338 	int err, reg_idx, start = cb->args[2];
7339 
7340 	rtnl_lock();
7341 
7342 	if (cfg80211_regdomain && start == 0) {
7343 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7344 					  NLM_F_MULTI, NULL,
7345 					  rtnl_dereference(cfg80211_regdomain));
7346 		if (err < 0)
7347 			goto out_err;
7348 	}
7349 
7350 	/* the global regdom is idx 0 */
7351 	reg_idx = 1;
7352 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
7353 		regdom = get_wiphy_regdom(&rdev->wiphy);
7354 		if (!regdom)
7355 			continue;
7356 
7357 		if (++reg_idx <= start)
7358 			continue;
7359 
7360 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
7361 					  NLM_F_MULTI, &rdev->wiphy, regdom);
7362 		if (err < 0) {
7363 			reg_idx--;
7364 			break;
7365 		}
7366 	}
7367 
7368 	cb->args[2] = reg_idx;
7369 	err = skb->len;
7370 out_err:
7371 	rtnl_unlock();
7372 	return err;
7373 }
7374 
7375 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
7376 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
7377 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
7378 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
7379 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
7380 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
7381 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
7382 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
7383 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
7384 };
7385 
7386 static int parse_reg_rule(struct nlattr *tb[],
7387 	struct ieee80211_reg_rule *reg_rule)
7388 {
7389 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
7390 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
7391 
7392 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
7393 		return -EINVAL;
7394 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
7395 		return -EINVAL;
7396 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
7397 		return -EINVAL;
7398 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
7399 		return -EINVAL;
7400 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
7401 		return -EINVAL;
7402 
7403 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
7404 
7405 	freq_range->start_freq_khz =
7406 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
7407 	freq_range->end_freq_khz =
7408 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
7409 	freq_range->max_bandwidth_khz =
7410 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
7411 
7412 	power_rule->max_eirp =
7413 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
7414 
7415 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
7416 		power_rule->max_antenna_gain =
7417 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
7418 
7419 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
7420 		reg_rule->dfs_cac_ms =
7421 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
7422 
7423 	return 0;
7424 }
7425 
7426 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
7427 {
7428 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
7429 	struct nlattr *nl_reg_rule;
7430 	char *alpha2;
7431 	int rem_reg_rules, r;
7432 	u32 num_rules = 0, rule_idx = 0;
7433 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
7434 	struct ieee80211_regdomain *rd;
7435 
7436 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
7437 		return -EINVAL;
7438 
7439 	if (!info->attrs[NL80211_ATTR_REG_RULES])
7440 		return -EINVAL;
7441 
7442 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
7443 
7444 	if (info->attrs[NL80211_ATTR_DFS_REGION])
7445 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
7446 
7447 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7448 			    rem_reg_rules) {
7449 		num_rules++;
7450 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
7451 			return -EINVAL;
7452 	}
7453 
7454 	if (!reg_is_valid_request(alpha2))
7455 		return -EINVAL;
7456 
7457 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
7458 	if (!rd)
7459 		return -ENOMEM;
7460 
7461 	rd->n_reg_rules = num_rules;
7462 	rd->alpha2[0] = alpha2[0];
7463 	rd->alpha2[1] = alpha2[1];
7464 
7465 	/*
7466 	 * Disable DFS master mode if the DFS region was
7467 	 * not supported or known on this kernel.
7468 	 */
7469 	if (reg_supported_dfs_region(dfs_region))
7470 		rd->dfs_region = dfs_region;
7471 
7472 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
7473 			    rem_reg_rules) {
7474 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
7475 						nl_reg_rule, reg_rule_policy,
7476 						info->extack);
7477 		if (r)
7478 			goto bad_reg;
7479 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
7480 		if (r)
7481 			goto bad_reg;
7482 
7483 		rule_idx++;
7484 
7485 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
7486 			r = -EINVAL;
7487 			goto bad_reg;
7488 		}
7489 	}
7490 
7491 	/* set_regdom takes ownership of rd */
7492 	return set_regdom(rd, REGD_SOURCE_CRDA);
7493  bad_reg:
7494 	kfree(rd);
7495 	return r;
7496 }
7497 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
7498 
7499 static int validate_scan_freqs(struct nlattr *freqs)
7500 {
7501 	struct nlattr *attr1, *attr2;
7502 	int n_channels = 0, tmp1, tmp2;
7503 
7504 	nla_for_each_nested(attr1, freqs, tmp1)
7505 		if (nla_len(attr1) != sizeof(u32))
7506 			return 0;
7507 
7508 	nla_for_each_nested(attr1, freqs, tmp1) {
7509 		n_channels++;
7510 		/*
7511 		 * Some hardware has a limited channel list for
7512 		 * scanning, and it is pretty much nonsensical
7513 		 * to scan for a channel twice, so disallow that
7514 		 * and don't require drivers to check that the
7515 		 * channel list they get isn't longer than what
7516 		 * they can scan, as long as they can scan all
7517 		 * the channels they registered at once.
7518 		 */
7519 		nla_for_each_nested(attr2, freqs, tmp2)
7520 			if (attr1 != attr2 &&
7521 			    nla_get_u32(attr1) == nla_get_u32(attr2))
7522 				return 0;
7523 	}
7524 
7525 	return n_channels;
7526 }
7527 
7528 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
7529 {
7530 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
7531 }
7532 
7533 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
7534 			    struct cfg80211_bss_selection *bss_select)
7535 {
7536 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
7537 	struct nlattr *nest;
7538 	int err;
7539 	bool found = false;
7540 	int i;
7541 
7542 	/* only process one nested attribute */
7543 	nest = nla_data(nla);
7544 	if (!nla_ok(nest, nla_len(nest)))
7545 		return -EINVAL;
7546 
7547 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
7548 					  nest, nl80211_bss_select_policy,
7549 					  NULL);
7550 	if (err)
7551 		return err;
7552 
7553 	/* only one attribute may be given */
7554 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
7555 		if (attr[i]) {
7556 			if (found)
7557 				return -EINVAL;
7558 			found = true;
7559 		}
7560 	}
7561 
7562 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
7563 
7564 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
7565 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
7566 
7567 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
7568 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
7569 		bss_select->param.band_pref =
7570 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
7571 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
7572 			return -EINVAL;
7573 	}
7574 
7575 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
7576 		struct nl80211_bss_select_rssi_adjust *adj_param;
7577 
7578 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
7579 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
7580 		bss_select->param.adjust.band = adj_param->band;
7581 		bss_select->param.adjust.delta = adj_param->delta;
7582 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
7583 			return -EINVAL;
7584 	}
7585 
7586 	/* user-space did not provide behaviour attribute */
7587 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
7588 		return -EINVAL;
7589 
7590 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
7591 		return -EINVAL;
7592 
7593 	return 0;
7594 }
7595 
7596 int nl80211_parse_random_mac(struct nlattr **attrs,
7597 			     u8 *mac_addr, u8 *mac_addr_mask)
7598 {
7599 	int i;
7600 
7601 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
7602 		eth_zero_addr(mac_addr);
7603 		eth_zero_addr(mac_addr_mask);
7604 		mac_addr[0] = 0x2;
7605 		mac_addr_mask[0] = 0x3;
7606 
7607 		return 0;
7608 	}
7609 
7610 	/* need both or none */
7611 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
7612 		return -EINVAL;
7613 
7614 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
7615 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
7616 
7617 	/* don't allow or configure an mcast address */
7618 	if (!is_multicast_ether_addr(mac_addr_mask) ||
7619 	    is_multicast_ether_addr(mac_addr))
7620 		return -EINVAL;
7621 
7622 	/*
7623 	 * allow users to pass a MAC address that has bits set outside
7624 	 * of the mask, but don't bother drivers with having to deal
7625 	 * with such bits
7626 	 */
7627 	for (i = 0; i < ETH_ALEN; i++)
7628 		mac_addr[i] &= mac_addr_mask[i];
7629 
7630 	return 0;
7631 }
7632 
7633 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev)
7634 {
7635 	ASSERT_WDEV_LOCK(wdev);
7636 
7637 	if (!cfg80211_beaconing_iface_active(wdev))
7638 		return true;
7639 
7640 	if (!(wdev->chandef.chan->flags & IEEE80211_CHAN_RADAR))
7641 		return true;
7642 
7643 	return regulatory_pre_cac_allowed(wdev->wiphy);
7644 }
7645 
7646 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
7647 				    enum nl80211_ext_feature_index feat)
7648 {
7649 	if (!(flags & flag))
7650 		return true;
7651 	if (wiphy_ext_feature_isset(wiphy, feat))
7652 		return true;
7653 	return false;
7654 }
7655 
7656 static int
7657 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
7658 			 void *request, struct nlattr **attrs,
7659 			 bool is_sched_scan)
7660 {
7661 	u8 *mac_addr, *mac_addr_mask;
7662 	u32 *flags;
7663 	enum nl80211_feature_flags randomness_flag;
7664 
7665 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
7666 		return 0;
7667 
7668 	if (is_sched_scan) {
7669 		struct cfg80211_sched_scan_request *req = request;
7670 
7671 		randomness_flag = wdev ?
7672 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
7673 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
7674 		flags = &req->flags;
7675 		mac_addr = req->mac_addr;
7676 		mac_addr_mask = req->mac_addr_mask;
7677 	} else {
7678 		struct cfg80211_scan_request *req = request;
7679 
7680 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
7681 		flags = &req->flags;
7682 		mac_addr = req->mac_addr;
7683 		mac_addr_mask = req->mac_addr_mask;
7684 	}
7685 
7686 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
7687 
7688 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
7689 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
7690 	    !nl80211_check_scan_feat(wiphy, *flags,
7691 				     NL80211_SCAN_FLAG_LOW_SPAN,
7692 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
7693 	    !nl80211_check_scan_feat(wiphy, *flags,
7694 				     NL80211_SCAN_FLAG_LOW_POWER,
7695 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
7696 	    !nl80211_check_scan_feat(wiphy, *flags,
7697 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
7698 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
7699 	    !nl80211_check_scan_feat(wiphy, *flags,
7700 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
7701 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
7702 	    !nl80211_check_scan_feat(wiphy, *flags,
7703 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
7704 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
7705 	    !nl80211_check_scan_feat(wiphy, *flags,
7706 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
7707 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
7708 	    !nl80211_check_scan_feat(wiphy, *flags,
7709 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
7710 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
7711 	    !nl80211_check_scan_feat(wiphy, *flags,
7712 				     NL80211_SCAN_FLAG_RANDOM_SN,
7713 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
7714 	    !nl80211_check_scan_feat(wiphy, *flags,
7715 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
7716 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
7717 		return -EOPNOTSUPP;
7718 
7719 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
7720 		int err;
7721 
7722 		if (!(wiphy->features & randomness_flag) ||
7723 		    (wdev && wdev->current_bss))
7724 			return -EOPNOTSUPP;
7725 
7726 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
7727 		if (err)
7728 			return err;
7729 	}
7730 
7731 	return 0;
7732 }
7733 
7734 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
7735 {
7736 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7737 	struct wireless_dev *wdev = info->user_ptr[1];
7738 	struct cfg80211_scan_request *request;
7739 	struct nlattr *attr;
7740 	struct wiphy *wiphy;
7741 	int err, tmp, n_ssids = 0, n_channels, i;
7742 	size_t ie_len;
7743 
7744 	wiphy = &rdev->wiphy;
7745 
7746 	if (wdev->iftype == NL80211_IFTYPE_NAN)
7747 		return -EOPNOTSUPP;
7748 
7749 	if (!rdev->ops->scan)
7750 		return -EOPNOTSUPP;
7751 
7752 	if (rdev->scan_req || rdev->scan_msg) {
7753 		err = -EBUSY;
7754 		goto unlock;
7755 	}
7756 
7757 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7758 		n_channels = validate_scan_freqs(
7759 				info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
7760 		if (!n_channels) {
7761 			err = -EINVAL;
7762 			goto unlock;
7763 		}
7764 	} else {
7765 		n_channels = ieee80211_get_num_supported_channels(wiphy);
7766 	}
7767 
7768 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
7769 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
7770 			n_ssids++;
7771 
7772 	if (n_ssids > wiphy->max_scan_ssids) {
7773 		err = -EINVAL;
7774 		goto unlock;
7775 	}
7776 
7777 	if (info->attrs[NL80211_ATTR_IE])
7778 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7779 	else
7780 		ie_len = 0;
7781 
7782 	if (ie_len > wiphy->max_scan_ie_len) {
7783 		err = -EINVAL;
7784 		goto unlock;
7785 	}
7786 
7787 	request = kzalloc(sizeof(*request)
7788 			+ sizeof(*request->ssids) * n_ssids
7789 			+ sizeof(*request->channels) * n_channels
7790 			+ ie_len, GFP_KERNEL);
7791 	if (!request) {
7792 		err = -ENOMEM;
7793 		goto unlock;
7794 	}
7795 
7796 	if (n_ssids)
7797 		request->ssids = (void *)&request->channels[n_channels];
7798 	request->n_ssids = n_ssids;
7799 	if (ie_len) {
7800 		if (n_ssids)
7801 			request->ie = (void *)(request->ssids + n_ssids);
7802 		else
7803 			request->ie = (void *)(request->channels + n_channels);
7804 	}
7805 
7806 	i = 0;
7807 	if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
7808 		/* user specified, bail out if channel not found */
7809 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_FREQUENCIES], tmp) {
7810 			struct ieee80211_channel *chan;
7811 
7812 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
7813 
7814 			if (!chan) {
7815 				err = -EINVAL;
7816 				goto out_free;
7817 			}
7818 
7819 			/* ignore disabled channels */
7820 			if (chan->flags & IEEE80211_CHAN_DISABLED)
7821 				continue;
7822 
7823 			request->channels[i] = chan;
7824 			i++;
7825 		}
7826 	} else {
7827 		enum nl80211_band band;
7828 
7829 		/* all channels */
7830 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
7831 			int j;
7832 
7833 			if (!wiphy->bands[band])
7834 				continue;
7835 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
7836 				struct ieee80211_channel *chan;
7837 
7838 				chan = &wiphy->bands[band]->channels[j];
7839 
7840 				if (chan->flags & IEEE80211_CHAN_DISABLED)
7841 					continue;
7842 
7843 				request->channels[i] = chan;
7844 				i++;
7845 			}
7846 		}
7847 	}
7848 
7849 	if (!i) {
7850 		err = -EINVAL;
7851 		goto out_free;
7852 	}
7853 
7854 	request->n_channels = i;
7855 
7856 	wdev_lock(wdev);
7857 	if (!cfg80211_off_channel_oper_allowed(wdev)) {
7858 		struct ieee80211_channel *chan;
7859 
7860 		if (request->n_channels != 1) {
7861 			wdev_unlock(wdev);
7862 			err = -EBUSY;
7863 			goto out_free;
7864 		}
7865 
7866 		chan = request->channels[0];
7867 		if (chan->center_freq != wdev->chandef.chan->center_freq) {
7868 			wdev_unlock(wdev);
7869 			err = -EBUSY;
7870 			goto out_free;
7871 		}
7872 	}
7873 	wdev_unlock(wdev);
7874 
7875 	i = 0;
7876 	if (n_ssids) {
7877 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
7878 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
7879 				err = -EINVAL;
7880 				goto out_free;
7881 			}
7882 			request->ssids[i].ssid_len = nla_len(attr);
7883 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
7884 			i++;
7885 		}
7886 	}
7887 
7888 	if (info->attrs[NL80211_ATTR_IE]) {
7889 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
7890 		memcpy((void *)request->ie,
7891 		       nla_data(info->attrs[NL80211_ATTR_IE]),
7892 		       request->ie_len);
7893 	}
7894 
7895 	for (i = 0; i < NUM_NL80211_BANDS; i++)
7896 		if (wiphy->bands[i])
7897 			request->rates[i] =
7898 				(1 << wiphy->bands[i]->n_bitrates) - 1;
7899 
7900 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
7901 		nla_for_each_nested(attr,
7902 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
7903 				    tmp) {
7904 			enum nl80211_band band = nla_type(attr);
7905 
7906 			if (band < 0 || band >= NUM_NL80211_BANDS) {
7907 				err = -EINVAL;
7908 				goto out_free;
7909 			}
7910 
7911 			if (!wiphy->bands[band])
7912 				continue;
7913 
7914 			err = ieee80211_get_ratemask(wiphy->bands[band],
7915 						     nla_data(attr),
7916 						     nla_len(attr),
7917 						     &request->rates[band]);
7918 			if (err)
7919 				goto out_free;
7920 		}
7921 	}
7922 
7923 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
7924 		if (!wiphy_ext_feature_isset(wiphy,
7925 					NL80211_EXT_FEATURE_SET_SCAN_DWELL)) {
7926 			err = -EOPNOTSUPP;
7927 			goto out_free;
7928 		}
7929 
7930 		request->duration =
7931 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
7932 		request->duration_mandatory =
7933 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
7934 	}
7935 
7936 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
7937 				       false);
7938 	if (err)
7939 		goto out_free;
7940 
7941 	request->no_cck =
7942 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
7943 
7944 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
7945 	 * BSSID to scan for. This was problematic because that same attribute
7946 	 * was already used for another purpose (local random MAC address). The
7947 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
7948 	 * compatibility with older userspace components, also use the
7949 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
7950 	 * the specific BSSID use case instead of the random MAC address
7951 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
7952 	 */
7953 	if (info->attrs[NL80211_ATTR_BSSID])
7954 		memcpy(request->bssid,
7955 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
7956 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
7957 		 info->attrs[NL80211_ATTR_MAC])
7958 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
7959 		       ETH_ALEN);
7960 	else
7961 		eth_broadcast_addr(request->bssid);
7962 
7963 	request->wdev = wdev;
7964 	request->wiphy = &rdev->wiphy;
7965 	request->scan_start = jiffies;
7966 
7967 	rdev->scan_req = request;
7968 	err = rdev_scan(rdev, request);
7969 
7970 	if (!err) {
7971 		nl80211_send_scan_start(rdev, wdev);
7972 		if (wdev->netdev)
7973 			dev_hold(wdev->netdev);
7974 	} else {
7975  out_free:
7976 		rdev->scan_req = NULL;
7977 		kfree(request);
7978 	}
7979 
7980  unlock:
7981 	return err;
7982 }
7983 
7984 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
7985 {
7986 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7987 	struct wireless_dev *wdev = info->user_ptr[1];
7988 
7989 	if (!rdev->ops->abort_scan)
7990 		return -EOPNOTSUPP;
7991 
7992 	if (rdev->scan_msg)
7993 		return 0;
7994 
7995 	if (!rdev->scan_req)
7996 		return -ENOENT;
7997 
7998 	rdev_abort_scan(rdev, wdev);
7999 	return 0;
8000 }
8001 
8002 static int
8003 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
8004 			       struct cfg80211_sched_scan_request *request,
8005 			       struct nlattr **attrs)
8006 {
8007 	int tmp, err, i = 0;
8008 	struct nlattr *attr;
8009 
8010 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8011 		u32 interval;
8012 
8013 		/*
8014 		 * If scan plans are not specified,
8015 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
8016 		 * case one scan plan will be set with the specified scan
8017 		 * interval and infinite number of iterations.
8018 		 */
8019 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
8020 		if (!interval)
8021 			return -EINVAL;
8022 
8023 		request->scan_plans[0].interval =
8024 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
8025 		if (!request->scan_plans[0].interval)
8026 			return -EINVAL;
8027 
8028 		if (request->scan_plans[0].interval >
8029 		    wiphy->max_sched_scan_plan_interval)
8030 			request->scan_plans[0].interval =
8031 				wiphy->max_sched_scan_plan_interval;
8032 
8033 		return 0;
8034 	}
8035 
8036 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
8037 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
8038 
8039 		if (WARN_ON(i >= n_plans))
8040 			return -EINVAL;
8041 
8042 		err = nla_parse_nested_deprecated(plan,
8043 						  NL80211_SCHED_SCAN_PLAN_MAX,
8044 						  attr, nl80211_plan_policy,
8045 						  NULL);
8046 		if (err)
8047 			return err;
8048 
8049 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
8050 			return -EINVAL;
8051 
8052 		request->scan_plans[i].interval =
8053 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
8054 		if (!request->scan_plans[i].interval ||
8055 		    request->scan_plans[i].interval >
8056 		    wiphy->max_sched_scan_plan_interval)
8057 			return -EINVAL;
8058 
8059 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
8060 			request->scan_plans[i].iterations =
8061 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
8062 			if (!request->scan_plans[i].iterations ||
8063 			    (request->scan_plans[i].iterations >
8064 			     wiphy->max_sched_scan_plan_iterations))
8065 				return -EINVAL;
8066 		} else if (i < n_plans - 1) {
8067 			/*
8068 			 * All scan plans but the last one must specify
8069 			 * a finite number of iterations
8070 			 */
8071 			return -EINVAL;
8072 		}
8073 
8074 		i++;
8075 	}
8076 
8077 	/*
8078 	 * The last scan plan must not specify the number of
8079 	 * iterations, it is supposed to run infinitely
8080 	 */
8081 	if (request->scan_plans[n_plans - 1].iterations)
8082 		return  -EINVAL;
8083 
8084 	return 0;
8085 }
8086 
8087 static int
8088 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
8089 				       struct cfg80211_match_set *match_sets,
8090 				       struct nlattr *tb_band_rssi,
8091 				       s32 rssi_thold)
8092 {
8093 	struct nlattr *attr;
8094 	int i, tmp, ret = 0;
8095 
8096 	if (!wiphy_ext_feature_isset(wiphy,
8097 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
8098 		if (tb_band_rssi)
8099 			ret = -EOPNOTSUPP;
8100 		else
8101 			for (i = 0; i < NUM_NL80211_BANDS; i++)
8102 				match_sets->per_band_rssi_thold[i] =
8103 					NL80211_SCAN_RSSI_THOLD_OFF;
8104 		return ret;
8105 	}
8106 
8107 	for (i = 0; i < NUM_NL80211_BANDS; i++)
8108 		match_sets->per_band_rssi_thold[i] = rssi_thold;
8109 
8110 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
8111 		enum nl80211_band band = nla_type(attr);
8112 
8113 		if (band < 0 || band >= NUM_NL80211_BANDS)
8114 			return -EINVAL;
8115 
8116 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
8117 	}
8118 
8119 	return 0;
8120 }
8121 
8122 static struct cfg80211_sched_scan_request *
8123 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
8124 			 struct nlattr **attrs, int max_match_sets)
8125 {
8126 	struct cfg80211_sched_scan_request *request;
8127 	struct nlattr *attr;
8128 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
8129 	enum nl80211_band band;
8130 	size_t ie_len;
8131 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
8132 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
8133 
8134 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8135 		n_channels = validate_scan_freqs(
8136 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
8137 		if (!n_channels)
8138 			return ERR_PTR(-EINVAL);
8139 	} else {
8140 		n_channels = ieee80211_get_num_supported_channels(wiphy);
8141 	}
8142 
8143 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
8144 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8145 				    tmp)
8146 			n_ssids++;
8147 
8148 	if (n_ssids > wiphy->max_sched_scan_ssids)
8149 		return ERR_PTR(-EINVAL);
8150 
8151 	/*
8152 	 * First, count the number of 'real' matchsets. Due to an issue with
8153 	 * the old implementation, matchsets containing only the RSSI attribute
8154 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
8155 	 * RSSI for all matchsets, rather than their own matchset for reporting
8156 	 * all APs with a strong RSSI. This is needed to be compatible with
8157 	 * older userspace that treated a matchset with only the RSSI as the
8158 	 * global RSSI for all other matchsets - if there are other matchsets.
8159 	 */
8160 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8161 		nla_for_each_nested(attr,
8162 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8163 				    tmp) {
8164 			struct nlattr *rssi;
8165 
8166 			err = nla_parse_nested_deprecated(tb,
8167 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8168 							  attr,
8169 							  nl80211_match_policy,
8170 							  NULL);
8171 			if (err)
8172 				return ERR_PTR(err);
8173 
8174 			/* SSID and BSSID are mutually exclusive */
8175 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
8176 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
8177 				return ERR_PTR(-EINVAL);
8178 
8179 			/* add other standalone attributes here */
8180 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
8181 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
8182 				n_match_sets++;
8183 				continue;
8184 			}
8185 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8186 			if (rssi)
8187 				default_match_rssi = nla_get_s32(rssi);
8188 		}
8189 	}
8190 
8191 	/* However, if there's no other matchset, add the RSSI one */
8192 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
8193 		n_match_sets = 1;
8194 
8195 	if (n_match_sets > max_match_sets)
8196 		return ERR_PTR(-EINVAL);
8197 
8198 	if (attrs[NL80211_ATTR_IE])
8199 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
8200 	else
8201 		ie_len = 0;
8202 
8203 	if (ie_len > wiphy->max_sched_scan_ie_len)
8204 		return ERR_PTR(-EINVAL);
8205 
8206 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
8207 		/*
8208 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
8209 		 * each scan plan already specifies its own interval
8210 		 */
8211 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8212 			return ERR_PTR(-EINVAL);
8213 
8214 		nla_for_each_nested(attr,
8215 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
8216 			n_plans++;
8217 	} else {
8218 		/*
8219 		 * The scan interval attribute is kept for backward
8220 		 * compatibility. If no scan plans are specified and sched scan
8221 		 * interval is specified, one scan plan will be set with this
8222 		 * scan interval and infinite number of iterations.
8223 		 */
8224 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
8225 			return ERR_PTR(-EINVAL);
8226 
8227 		n_plans = 1;
8228 	}
8229 
8230 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
8231 		return ERR_PTR(-EINVAL);
8232 
8233 	if (!wiphy_ext_feature_isset(
8234 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
8235 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
8236 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
8237 		return ERR_PTR(-EINVAL);
8238 
8239 	request = kzalloc(sizeof(*request)
8240 			+ sizeof(*request->ssids) * n_ssids
8241 			+ sizeof(*request->match_sets) * n_match_sets
8242 			+ sizeof(*request->scan_plans) * n_plans
8243 			+ sizeof(*request->channels) * n_channels
8244 			+ ie_len, GFP_KERNEL);
8245 	if (!request)
8246 		return ERR_PTR(-ENOMEM);
8247 
8248 	if (n_ssids)
8249 		request->ssids = (void *)&request->channels[n_channels];
8250 	request->n_ssids = n_ssids;
8251 	if (ie_len) {
8252 		if (n_ssids)
8253 			request->ie = (void *)(request->ssids + n_ssids);
8254 		else
8255 			request->ie = (void *)(request->channels + n_channels);
8256 	}
8257 
8258 	if (n_match_sets) {
8259 		if (request->ie)
8260 			request->match_sets = (void *)(request->ie + ie_len);
8261 		else if (n_ssids)
8262 			request->match_sets =
8263 				(void *)(request->ssids + n_ssids);
8264 		else
8265 			request->match_sets =
8266 				(void *)(request->channels + n_channels);
8267 	}
8268 	request->n_match_sets = n_match_sets;
8269 
8270 	if (n_match_sets)
8271 		request->scan_plans = (void *)(request->match_sets +
8272 					       n_match_sets);
8273 	else if (request->ie)
8274 		request->scan_plans = (void *)(request->ie + ie_len);
8275 	else if (n_ssids)
8276 		request->scan_plans = (void *)(request->ssids + n_ssids);
8277 	else
8278 		request->scan_plans = (void *)(request->channels + n_channels);
8279 
8280 	request->n_scan_plans = n_plans;
8281 
8282 	i = 0;
8283 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
8284 		/* user specified, bail out if channel not found */
8285 		nla_for_each_nested(attr,
8286 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
8287 				    tmp) {
8288 			struct ieee80211_channel *chan;
8289 
8290 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
8291 
8292 			if (!chan) {
8293 				err = -EINVAL;
8294 				goto out_free;
8295 			}
8296 
8297 			/* ignore disabled channels */
8298 			if (chan->flags & IEEE80211_CHAN_DISABLED)
8299 				continue;
8300 
8301 			request->channels[i] = chan;
8302 			i++;
8303 		}
8304 	} else {
8305 		/* all channels */
8306 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
8307 			int j;
8308 
8309 			if (!wiphy->bands[band])
8310 				continue;
8311 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
8312 				struct ieee80211_channel *chan;
8313 
8314 				chan = &wiphy->bands[band]->channels[j];
8315 
8316 				if (chan->flags & IEEE80211_CHAN_DISABLED)
8317 					continue;
8318 
8319 				request->channels[i] = chan;
8320 				i++;
8321 			}
8322 		}
8323 	}
8324 
8325 	if (!i) {
8326 		err = -EINVAL;
8327 		goto out_free;
8328 	}
8329 
8330 	request->n_channels = i;
8331 
8332 	i = 0;
8333 	if (n_ssids) {
8334 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
8335 				    tmp) {
8336 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
8337 				err = -EINVAL;
8338 				goto out_free;
8339 			}
8340 			request->ssids[i].ssid_len = nla_len(attr);
8341 			memcpy(request->ssids[i].ssid, nla_data(attr),
8342 			       nla_len(attr));
8343 			i++;
8344 		}
8345 	}
8346 
8347 	i = 0;
8348 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
8349 		nla_for_each_nested(attr,
8350 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
8351 				    tmp) {
8352 			struct nlattr *ssid, *bssid, *rssi;
8353 
8354 			err = nla_parse_nested_deprecated(tb,
8355 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
8356 							  attr,
8357 							  nl80211_match_policy,
8358 							  NULL);
8359 			if (err)
8360 				goto out_free;
8361 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
8362 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
8363 
8364 			if (!ssid && !bssid) {
8365 				i++;
8366 				continue;
8367 			}
8368 
8369 			if (WARN_ON(i >= n_match_sets)) {
8370 				/* this indicates a programming error,
8371 				 * the loop above should have verified
8372 				 * things properly
8373 				 */
8374 				err = -EINVAL;
8375 				goto out_free;
8376 			}
8377 
8378 			if (ssid) {
8379 				if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
8380 					err = -EINVAL;
8381 					goto out_free;
8382 				}
8383 				memcpy(request->match_sets[i].ssid.ssid,
8384 				       nla_data(ssid), nla_len(ssid));
8385 				request->match_sets[i].ssid.ssid_len =
8386 					nla_len(ssid);
8387 			}
8388 			if (bssid) {
8389 				if (nla_len(bssid) != ETH_ALEN) {
8390 					err = -EINVAL;
8391 					goto out_free;
8392 				}
8393 				memcpy(request->match_sets[i].bssid,
8394 				       nla_data(bssid), ETH_ALEN);
8395 			}
8396 
8397 			/* special attribute - old implementation w/a */
8398 			request->match_sets[i].rssi_thold = default_match_rssi;
8399 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
8400 			if (rssi)
8401 				request->match_sets[i].rssi_thold =
8402 					nla_get_s32(rssi);
8403 
8404 			/* Parse per band RSSI attribute */
8405 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
8406 				&request->match_sets[i],
8407 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
8408 				request->match_sets[i].rssi_thold);
8409 			if (err)
8410 				goto out_free;
8411 
8412 			i++;
8413 		}
8414 
8415 		/* there was no other matchset, so the RSSI one is alone */
8416 		if (i == 0 && n_match_sets)
8417 			request->match_sets[0].rssi_thold = default_match_rssi;
8418 
8419 		request->min_rssi_thold = INT_MAX;
8420 		for (i = 0; i < n_match_sets; i++)
8421 			request->min_rssi_thold =
8422 				min(request->match_sets[i].rssi_thold,
8423 				    request->min_rssi_thold);
8424 	} else {
8425 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
8426 	}
8427 
8428 	if (ie_len) {
8429 		request->ie_len = ie_len;
8430 		memcpy((void *)request->ie,
8431 		       nla_data(attrs[NL80211_ATTR_IE]),
8432 		       request->ie_len);
8433 	}
8434 
8435 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
8436 	if (err)
8437 		goto out_free;
8438 
8439 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
8440 		request->delay =
8441 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
8442 
8443 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
8444 		request->relative_rssi = nla_get_s8(
8445 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
8446 		request->relative_rssi_set = true;
8447 	}
8448 
8449 	if (request->relative_rssi_set &&
8450 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
8451 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
8452 
8453 		rssi_adjust = nla_data(
8454 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
8455 		request->rssi_adjust.band = rssi_adjust->band;
8456 		request->rssi_adjust.delta = rssi_adjust->delta;
8457 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
8458 			err = -EINVAL;
8459 			goto out_free;
8460 		}
8461 	}
8462 
8463 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
8464 	if (err)
8465 		goto out_free;
8466 
8467 	request->scan_start = jiffies;
8468 
8469 	return request;
8470 
8471 out_free:
8472 	kfree(request);
8473 	return ERR_PTR(err);
8474 }
8475 
8476 static int nl80211_start_sched_scan(struct sk_buff *skb,
8477 				    struct genl_info *info)
8478 {
8479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8480 	struct net_device *dev = info->user_ptr[1];
8481 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8482 	struct cfg80211_sched_scan_request *sched_scan_req;
8483 	bool want_multi;
8484 	int err;
8485 
8486 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
8487 		return -EOPNOTSUPP;
8488 
8489 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
8490 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
8491 	if (err)
8492 		return err;
8493 
8494 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
8495 						  info->attrs,
8496 						  rdev->wiphy.max_match_sets);
8497 
8498 	err = PTR_ERR_OR_ZERO(sched_scan_req);
8499 	if (err)
8500 		goto out_err;
8501 
8502 	/* leave request id zero for legacy request
8503 	 * or if driver does not support multi-scheduled scan
8504 	 */
8505 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
8506 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
8507 
8508 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
8509 	if (err)
8510 		goto out_free;
8511 
8512 	sched_scan_req->dev = dev;
8513 	sched_scan_req->wiphy = &rdev->wiphy;
8514 
8515 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
8516 		sched_scan_req->owner_nlportid = info->snd_portid;
8517 
8518 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
8519 
8520 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
8521 	return 0;
8522 
8523 out_free:
8524 	kfree(sched_scan_req);
8525 out_err:
8526 	return err;
8527 }
8528 
8529 static int nl80211_stop_sched_scan(struct sk_buff *skb,
8530 				   struct genl_info *info)
8531 {
8532 	struct cfg80211_sched_scan_request *req;
8533 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8534 	u64 cookie;
8535 
8536 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
8537 		return -EOPNOTSUPP;
8538 
8539 	if (info->attrs[NL80211_ATTR_COOKIE]) {
8540 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
8541 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
8542 	}
8543 
8544 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
8545 				     struct cfg80211_sched_scan_request,
8546 				     list);
8547 	if (!req || req->reqid ||
8548 	    (req->owner_nlportid &&
8549 	     req->owner_nlportid != info->snd_portid))
8550 		return -ENOENT;
8551 
8552 	return cfg80211_stop_sched_scan_req(rdev, req, false);
8553 }
8554 
8555 static int nl80211_start_radar_detection(struct sk_buff *skb,
8556 					 struct genl_info *info)
8557 {
8558 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8559 	struct net_device *dev = info->user_ptr[1];
8560 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8561 	struct wiphy *wiphy = wdev->wiphy;
8562 	struct cfg80211_chan_def chandef;
8563 	enum nl80211_dfs_regions dfs_region;
8564 	unsigned int cac_time_ms;
8565 	int err;
8566 
8567 	dfs_region = reg_get_dfs_region(wiphy);
8568 	if (dfs_region == NL80211_DFS_UNSET)
8569 		return -EINVAL;
8570 
8571 	err = nl80211_parse_chandef(rdev, info, &chandef);
8572 	if (err)
8573 		return err;
8574 
8575 	if (netif_carrier_ok(dev))
8576 		return -EBUSY;
8577 
8578 	if (wdev->cac_started)
8579 		return -EBUSY;
8580 
8581 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8582 	if (err < 0)
8583 		return err;
8584 
8585 	if (err == 0)
8586 		return -EINVAL;
8587 
8588 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef))
8589 		return -EINVAL;
8590 
8591 	/* CAC start is offloaded to HW and can't be started manually */
8592 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD))
8593 		return -EOPNOTSUPP;
8594 
8595 	if (!rdev->ops->start_radar_detection)
8596 		return -EOPNOTSUPP;
8597 
8598 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
8599 	if (WARN_ON(!cac_time_ms))
8600 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
8601 
8602 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
8603 	if (!err) {
8604 		wdev->chandef = chandef;
8605 		wdev->cac_started = true;
8606 		wdev->cac_start_time = jiffies;
8607 		wdev->cac_time_ms = cac_time_ms;
8608 	}
8609 	return err;
8610 }
8611 
8612 static int nl80211_notify_radar_detection(struct sk_buff *skb,
8613 					  struct genl_info *info)
8614 {
8615 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8616 	struct net_device *dev = info->user_ptr[1];
8617 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8618 	struct wiphy *wiphy = wdev->wiphy;
8619 	struct cfg80211_chan_def chandef;
8620 	enum nl80211_dfs_regions dfs_region;
8621 	int err;
8622 
8623 	dfs_region = reg_get_dfs_region(wiphy);
8624 	if (dfs_region == NL80211_DFS_UNSET) {
8625 		GENL_SET_ERR_MSG(info,
8626 				 "DFS Region is not set. Unexpected Radar indication");
8627 		return -EINVAL;
8628 	}
8629 
8630 	err = nl80211_parse_chandef(rdev, info, &chandef);
8631 	if (err) {
8632 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
8633 		return err;
8634 	}
8635 
8636 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
8637 	if (err < 0) {
8638 		GENL_SET_ERR_MSG(info, "chandef is invalid");
8639 		return err;
8640 	}
8641 
8642 	if (err == 0) {
8643 		GENL_SET_ERR_MSG(info,
8644 				 "Unexpected Radar indication for chandef/iftype");
8645 		return -EINVAL;
8646 	}
8647 
8648 	/* Do not process this notification if radar is already detected
8649 	 * by kernel on this channel, and return success.
8650 	 */
8651 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
8652 		return 0;
8653 
8654 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
8655 
8656 	cfg80211_sched_dfs_chan_update(rdev);
8657 
8658 	rdev->radar_chandef = chandef;
8659 
8660 	/* Propagate this notification to other radios as well */
8661 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
8662 
8663 	return 0;
8664 }
8665 
8666 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
8667 {
8668 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8669 	struct net_device *dev = info->user_ptr[1];
8670 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8671 	struct cfg80211_csa_settings params;
8672 	/* csa_attrs is defined static to avoid waste of stack size - this
8673 	 * function is called under RTNL lock, so this should not be a problem.
8674 	 */
8675 	static struct nlattr *csa_attrs[NL80211_ATTR_MAX+1];
8676 	int err;
8677 	bool need_new_beacon = false;
8678 	bool need_handle_dfs_flag = true;
8679 	int len, i;
8680 	u32 cs_count;
8681 
8682 	if (!rdev->ops->channel_switch ||
8683 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
8684 		return -EOPNOTSUPP;
8685 
8686 	switch (dev->ieee80211_ptr->iftype) {
8687 	case NL80211_IFTYPE_AP:
8688 	case NL80211_IFTYPE_P2P_GO:
8689 		need_new_beacon = true;
8690 		/* For all modes except AP the handle_dfs flag needs to be
8691 		 * supplied to tell the kernel that userspace will handle radar
8692 		 * events when they happen. Otherwise a switch to a channel
8693 		 * requiring DFS will be rejected.
8694 		 */
8695 		need_handle_dfs_flag = false;
8696 
8697 		/* useless if AP is not running */
8698 		if (!wdev->beacon_interval)
8699 			return -ENOTCONN;
8700 		break;
8701 	case NL80211_IFTYPE_ADHOC:
8702 		if (!wdev->ssid_len)
8703 			return -ENOTCONN;
8704 		break;
8705 	case NL80211_IFTYPE_MESH_POINT:
8706 		if (!wdev->mesh_id_len)
8707 			return -ENOTCONN;
8708 		break;
8709 	default:
8710 		return -EOPNOTSUPP;
8711 	}
8712 
8713 	memset(&params, 0, sizeof(params));
8714 	params.beacon_csa.ftm_responder = -1;
8715 
8716 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
8717 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
8718 		return -EINVAL;
8719 
8720 	/* only important for AP, IBSS and mesh create IEs internally */
8721 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
8722 		return -EINVAL;
8723 
8724 	/* Even though the attribute is u32, the specification says
8725 	 * u8, so let's make sure we don't overflow.
8726 	 */
8727 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
8728 	if (cs_count > 255)
8729 		return -EINVAL;
8730 
8731 	params.count = cs_count;
8732 
8733 	if (!need_new_beacon)
8734 		goto skip_beacons;
8735 
8736 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after);
8737 	if (err)
8738 		return err;
8739 
8740 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
8741 					  info->attrs[NL80211_ATTR_CSA_IES],
8742 					  nl80211_policy, info->extack);
8743 	if (err)
8744 		return err;
8745 
8746 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa);
8747 	if (err)
8748 		return err;
8749 
8750 	if (!csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON])
8751 		return -EINVAL;
8752 
8753 	len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8754 	if (!len || (len % sizeof(u16)))
8755 		return -EINVAL;
8756 
8757 	params.n_counter_offsets_beacon = len / sizeof(u16);
8758 	if (rdev->wiphy.max_num_csa_counters &&
8759 	    (params.n_counter_offsets_beacon >
8760 	     rdev->wiphy.max_num_csa_counters))
8761 		return -EINVAL;
8762 
8763 	params.counter_offsets_beacon =
8764 		nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_BEACON]);
8765 
8766 	/* sanity checks - counters should fit and be the same */
8767 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
8768 		u16 offset = params.counter_offsets_beacon[i];
8769 
8770 		if (offset >= params.beacon_csa.tail_len)
8771 			return -EINVAL;
8772 
8773 		if (params.beacon_csa.tail[offset] != params.count)
8774 			return -EINVAL;
8775 	}
8776 
8777 	if (csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]) {
8778 		len = nla_len(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8779 		if (!len || (len % sizeof(u16)))
8780 			return -EINVAL;
8781 
8782 		params.n_counter_offsets_presp = len / sizeof(u16);
8783 		if (rdev->wiphy.max_num_csa_counters &&
8784 		    (params.n_counter_offsets_presp >
8785 		     rdev->wiphy.max_num_csa_counters))
8786 			return -EINVAL;
8787 
8788 		params.counter_offsets_presp =
8789 			nla_data(csa_attrs[NL80211_ATTR_CSA_C_OFF_PRESP]);
8790 
8791 		/* sanity checks - counters should fit and be the same */
8792 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
8793 			u16 offset = params.counter_offsets_presp[i];
8794 
8795 			if (offset >= params.beacon_csa.probe_resp_len)
8796 				return -EINVAL;
8797 
8798 			if (params.beacon_csa.probe_resp[offset] !=
8799 			    params.count)
8800 				return -EINVAL;
8801 		}
8802 	}
8803 
8804 skip_beacons:
8805 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
8806 	if (err)
8807 		return err;
8808 
8809 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
8810 					   wdev->iftype))
8811 		return -EINVAL;
8812 
8813 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
8814 					    &params.chandef,
8815 					    wdev->iftype);
8816 	if (err < 0)
8817 		return err;
8818 
8819 	if (err > 0) {
8820 		params.radar_required = true;
8821 		if (need_handle_dfs_flag &&
8822 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
8823 			return -EINVAL;
8824 		}
8825 	}
8826 
8827 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
8828 		params.block_tx = true;
8829 
8830 	wdev_lock(wdev);
8831 	err = rdev_channel_switch(rdev, dev, &params);
8832 	wdev_unlock(wdev);
8833 
8834 	return err;
8835 }
8836 
8837 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
8838 			    u32 seq, int flags,
8839 			    struct cfg80211_registered_device *rdev,
8840 			    struct wireless_dev *wdev,
8841 			    struct cfg80211_internal_bss *intbss)
8842 {
8843 	struct cfg80211_bss *res = &intbss->pub;
8844 	const struct cfg80211_bss_ies *ies;
8845 	void *hdr;
8846 	struct nlattr *bss;
8847 
8848 	ASSERT_WDEV_LOCK(wdev);
8849 
8850 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8851 			     NL80211_CMD_NEW_SCAN_RESULTS);
8852 	if (!hdr)
8853 		return -1;
8854 
8855 	genl_dump_check_consistent(cb, hdr);
8856 
8857 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
8858 		goto nla_put_failure;
8859 	if (wdev->netdev &&
8860 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
8861 		goto nla_put_failure;
8862 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
8863 			      NL80211_ATTR_PAD))
8864 		goto nla_put_failure;
8865 
8866 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
8867 	if (!bss)
8868 		goto nla_put_failure;
8869 	if ((!is_zero_ether_addr(res->bssid) &&
8870 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
8871 		goto nla_put_failure;
8872 
8873 	rcu_read_lock();
8874 	/* indicate whether we have probe response data or not */
8875 	if (rcu_access_pointer(res->proberesp_ies) &&
8876 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
8877 		goto fail_unlock_rcu;
8878 
8879 	/* this pointer prefers to be pointed to probe response data
8880 	 * but is always valid
8881 	 */
8882 	ies = rcu_dereference(res->ies);
8883 	if (ies) {
8884 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
8885 				      NL80211_BSS_PAD))
8886 			goto fail_unlock_rcu;
8887 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
8888 					ies->len, ies->data))
8889 			goto fail_unlock_rcu;
8890 	}
8891 
8892 	/* and this pointer is always (unless driver didn't know) beacon data */
8893 	ies = rcu_dereference(res->beacon_ies);
8894 	if (ies && ies->from_beacon) {
8895 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
8896 				      NL80211_BSS_PAD))
8897 			goto fail_unlock_rcu;
8898 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
8899 					ies->len, ies->data))
8900 			goto fail_unlock_rcu;
8901 	}
8902 	rcu_read_unlock();
8903 
8904 	if (res->beacon_interval &&
8905 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
8906 		goto nla_put_failure;
8907 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
8908 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
8909 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
8910 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
8911 			jiffies_to_msecs(jiffies - intbss->ts)))
8912 		goto nla_put_failure;
8913 
8914 	if (intbss->parent_tsf &&
8915 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
8916 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
8917 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
8918 		     intbss->parent_bssid)))
8919 		goto nla_put_failure;
8920 
8921 	if (intbss->ts_boottime &&
8922 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
8923 			      intbss->ts_boottime, NL80211_BSS_PAD))
8924 		goto nla_put_failure;
8925 
8926 	if (!nl80211_put_signal(msg, intbss->pub.chains,
8927 				intbss->pub.chain_signal,
8928 				NL80211_BSS_CHAIN_SIGNAL))
8929 		goto nla_put_failure;
8930 
8931 	switch (rdev->wiphy.signal_type) {
8932 	case CFG80211_SIGNAL_TYPE_MBM:
8933 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
8934 			goto nla_put_failure;
8935 		break;
8936 	case CFG80211_SIGNAL_TYPE_UNSPEC:
8937 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
8938 			goto nla_put_failure;
8939 		break;
8940 	default:
8941 		break;
8942 	}
8943 
8944 	switch (wdev->iftype) {
8945 	case NL80211_IFTYPE_P2P_CLIENT:
8946 	case NL80211_IFTYPE_STATION:
8947 		if (intbss == wdev->current_bss &&
8948 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8949 				NL80211_BSS_STATUS_ASSOCIATED))
8950 			goto nla_put_failure;
8951 		break;
8952 	case NL80211_IFTYPE_ADHOC:
8953 		if (intbss == wdev->current_bss &&
8954 		    nla_put_u32(msg, NL80211_BSS_STATUS,
8955 				NL80211_BSS_STATUS_IBSS_JOINED))
8956 			goto nla_put_failure;
8957 		break;
8958 	default:
8959 		break;
8960 	}
8961 
8962 	nla_nest_end(msg, bss);
8963 
8964 	genlmsg_end(msg, hdr);
8965 	return 0;
8966 
8967  fail_unlock_rcu:
8968 	rcu_read_unlock();
8969  nla_put_failure:
8970 	genlmsg_cancel(msg, hdr);
8971 	return -EMSGSIZE;
8972 }
8973 
8974 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
8975 {
8976 	struct cfg80211_registered_device *rdev;
8977 	struct cfg80211_internal_bss *scan;
8978 	struct wireless_dev *wdev;
8979 	int start = cb->args[2], idx = 0;
8980 	int err;
8981 
8982 	rtnl_lock();
8983 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
8984 	if (err) {
8985 		rtnl_unlock();
8986 		return err;
8987 	}
8988 
8989 	wdev_lock(wdev);
8990 	spin_lock_bh(&rdev->bss_lock);
8991 
8992 	/*
8993 	 * dump_scan will be called multiple times to break up the scan results
8994 	 * into multiple messages.  It is unlikely that any more bss-es will be
8995 	 * expired after the first call, so only call only call this on the
8996 	 * first dump_scan invocation.
8997 	 */
8998 	if (start == 0)
8999 		cfg80211_bss_expire(rdev);
9000 
9001 	cb->seq = rdev->bss_generation;
9002 
9003 	list_for_each_entry(scan, &rdev->bss_list, list) {
9004 		if (++idx <= start)
9005 			continue;
9006 		if (nl80211_send_bss(skb, cb,
9007 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9008 				rdev, wdev, scan) < 0) {
9009 			idx--;
9010 			break;
9011 		}
9012 	}
9013 
9014 	spin_unlock_bh(&rdev->bss_lock);
9015 	wdev_unlock(wdev);
9016 
9017 	cb->args[2] = idx;
9018 	rtnl_unlock();
9019 
9020 	return skb->len;
9021 }
9022 
9023 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
9024 			       int flags, struct net_device *dev,
9025 			       bool allow_radio_stats,
9026 			       struct survey_info *survey)
9027 {
9028 	void *hdr;
9029 	struct nlattr *infoattr;
9030 
9031 	/* skip radio stats if userspace didn't request them */
9032 	if (!survey->channel && !allow_radio_stats)
9033 		return 0;
9034 
9035 	hdr = nl80211hdr_put(msg, portid, seq, flags,
9036 			     NL80211_CMD_NEW_SURVEY_RESULTS);
9037 	if (!hdr)
9038 		return -ENOMEM;
9039 
9040 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
9041 		goto nla_put_failure;
9042 
9043 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
9044 	if (!infoattr)
9045 		goto nla_put_failure;
9046 
9047 	if (survey->channel &&
9048 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
9049 			survey->channel->center_freq))
9050 		goto nla_put_failure;
9051 
9052 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
9053 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
9054 		goto nla_put_failure;
9055 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
9056 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
9057 		goto nla_put_failure;
9058 	if ((survey->filled & SURVEY_INFO_TIME) &&
9059 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
9060 			survey->time, NL80211_SURVEY_INFO_PAD))
9061 		goto nla_put_failure;
9062 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
9063 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
9064 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
9065 		goto nla_put_failure;
9066 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
9067 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
9068 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
9069 		goto nla_put_failure;
9070 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
9071 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
9072 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
9073 		goto nla_put_failure;
9074 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
9075 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
9076 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
9077 		goto nla_put_failure;
9078 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
9079 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
9080 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
9081 		goto nla_put_failure;
9082 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
9083 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
9084 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
9085 		goto nla_put_failure;
9086 
9087 	nla_nest_end(msg, infoattr);
9088 
9089 	genlmsg_end(msg, hdr);
9090 	return 0;
9091 
9092  nla_put_failure:
9093 	genlmsg_cancel(msg, hdr);
9094 	return -EMSGSIZE;
9095 }
9096 
9097 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
9098 {
9099 	struct nlattr **attrbuf;
9100 	struct survey_info survey;
9101 	struct cfg80211_registered_device *rdev;
9102 	struct wireless_dev *wdev;
9103 	int survey_idx = cb->args[2];
9104 	int res;
9105 	bool radio_stats;
9106 
9107 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
9108 	if (!attrbuf)
9109 		return -ENOMEM;
9110 
9111 	rtnl_lock();
9112 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev);
9113 	if (res)
9114 		goto out_err;
9115 
9116 	/* prepare_wdev_dump parsed the attributes */
9117 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
9118 
9119 	if (!wdev->netdev) {
9120 		res = -EINVAL;
9121 		goto out_err;
9122 	}
9123 
9124 	if (!rdev->ops->dump_survey) {
9125 		res = -EOPNOTSUPP;
9126 		goto out_err;
9127 	}
9128 
9129 	while (1) {
9130 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
9131 		if (res == -ENOENT)
9132 			break;
9133 		if (res)
9134 			goto out_err;
9135 
9136 		/* don't send disabled channels, but do send non-channel data */
9137 		if (survey.channel &&
9138 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
9139 			survey_idx++;
9140 			continue;
9141 		}
9142 
9143 		if (nl80211_send_survey(skb,
9144 				NETLINK_CB(cb->skb).portid,
9145 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
9146 				wdev->netdev, radio_stats, &survey) < 0)
9147 			goto out;
9148 		survey_idx++;
9149 	}
9150 
9151  out:
9152 	cb->args[2] = survey_idx;
9153 	res = skb->len;
9154  out_err:
9155 	kfree(attrbuf);
9156 	rtnl_unlock();
9157 	return res;
9158 }
9159 
9160 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
9161 {
9162 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
9163 				  NL80211_WPA_VERSION_2 |
9164 				  NL80211_WPA_VERSION_3));
9165 }
9166 
9167 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
9168 {
9169 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9170 	struct net_device *dev = info->user_ptr[1];
9171 	struct ieee80211_channel *chan;
9172 	const u8 *bssid, *ssid, *ie = NULL, *auth_data = NULL;
9173 	int err, ssid_len, ie_len = 0, auth_data_len = 0;
9174 	enum nl80211_auth_type auth_type;
9175 	struct key_parse key;
9176 	bool local_state_change;
9177 
9178 	if (!info->attrs[NL80211_ATTR_MAC])
9179 		return -EINVAL;
9180 
9181 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
9182 		return -EINVAL;
9183 
9184 	if (!info->attrs[NL80211_ATTR_SSID])
9185 		return -EINVAL;
9186 
9187 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
9188 		return -EINVAL;
9189 
9190 	err = nl80211_parse_key(info, &key);
9191 	if (err)
9192 		return err;
9193 
9194 	if (key.idx >= 0) {
9195 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
9196 			return -EINVAL;
9197 		if (!key.p.key || !key.p.key_len)
9198 			return -EINVAL;
9199 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
9200 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
9201 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
9202 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
9203 			return -EINVAL;
9204 		if (key.idx > 3)
9205 			return -EINVAL;
9206 	} else {
9207 		key.p.key_len = 0;
9208 		key.p.key = NULL;
9209 	}
9210 
9211 	if (key.idx >= 0) {
9212 		int i;
9213 		bool ok = false;
9214 
9215 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
9216 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
9217 				ok = true;
9218 				break;
9219 			}
9220 		}
9221 		if (!ok)
9222 			return -EINVAL;
9223 	}
9224 
9225 	if (!rdev->ops->auth)
9226 		return -EOPNOTSUPP;
9227 
9228 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9229 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9230 		return -EOPNOTSUPP;
9231 
9232 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9233 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9234 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9235 	if (!chan)
9236 		return -EINVAL;
9237 
9238 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9239 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9240 
9241 	if (info->attrs[NL80211_ATTR_IE]) {
9242 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9243 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9244 	}
9245 
9246 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
9247 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
9248 		return -EINVAL;
9249 
9250 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
9251 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
9252 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
9253 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
9254 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
9255 		return -EINVAL;
9256 
9257 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
9258 		if (auth_type != NL80211_AUTHTYPE_SAE &&
9259 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
9260 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
9261 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
9262 			return -EINVAL;
9263 		auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
9264 		auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
9265 		/* need to include at least Auth Transaction and Status Code */
9266 		if (auth_data_len < 4)
9267 			return -EINVAL;
9268 	}
9269 
9270 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9271 
9272 	/*
9273 	 * Since we no longer track auth state, ignore
9274 	 * requests to only change local state.
9275 	 */
9276 	if (local_state_change)
9277 		return 0;
9278 
9279 	wdev_lock(dev->ieee80211_ptr);
9280 	err = cfg80211_mlme_auth(rdev, dev, chan, auth_type, bssid,
9281 				 ssid, ssid_len, ie, ie_len,
9282 				 key.p.key, key.p.key_len, key.idx,
9283 				 auth_data, auth_data_len);
9284 	wdev_unlock(dev->ieee80211_ptr);
9285 	return err;
9286 }
9287 
9288 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
9289 				     struct genl_info *info)
9290 {
9291 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9292 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
9293 		return -EINVAL;
9294 	}
9295 
9296 	if (!rdev->ops->tx_control_port ||
9297 	    !wiphy_ext_feature_isset(&rdev->wiphy,
9298 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
9299 		return -EOPNOTSUPP;
9300 
9301 	return 0;
9302 }
9303 
9304 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
9305 				   struct genl_info *info,
9306 				   struct cfg80211_crypto_settings *settings,
9307 				   int cipher_limit)
9308 {
9309 	memset(settings, 0, sizeof(*settings));
9310 
9311 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
9312 
9313 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
9314 		u16 proto;
9315 
9316 		proto = nla_get_u16(
9317 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
9318 		settings->control_port_ethertype = cpu_to_be16(proto);
9319 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
9320 		    proto != ETH_P_PAE)
9321 			return -EINVAL;
9322 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
9323 			settings->control_port_no_encrypt = true;
9324 	} else
9325 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
9326 
9327 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9328 		int r = validate_pae_over_nl80211(rdev, info);
9329 
9330 		if (r < 0)
9331 			return r;
9332 
9333 		settings->control_port_over_nl80211 = true;
9334 
9335 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
9336 			settings->control_port_no_preauth = true;
9337 	}
9338 
9339 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
9340 		void *data;
9341 		int len, i;
9342 
9343 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9344 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
9345 		settings->n_ciphers_pairwise = len / sizeof(u32);
9346 
9347 		if (len % sizeof(u32))
9348 			return -EINVAL;
9349 
9350 		if (settings->n_ciphers_pairwise > cipher_limit)
9351 			return -EINVAL;
9352 
9353 		memcpy(settings->ciphers_pairwise, data, len);
9354 
9355 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
9356 			if (!cfg80211_supported_cipher_suite(
9357 					&rdev->wiphy,
9358 					settings->ciphers_pairwise[i]))
9359 				return -EINVAL;
9360 	}
9361 
9362 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
9363 		settings->cipher_group =
9364 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
9365 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
9366 						     settings->cipher_group))
9367 			return -EINVAL;
9368 	}
9369 
9370 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
9371 		settings->wpa_versions =
9372 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
9373 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
9374 			return -EINVAL;
9375 	}
9376 
9377 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
9378 		void *data;
9379 		int len;
9380 
9381 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
9382 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
9383 		settings->n_akm_suites = len / sizeof(u32);
9384 
9385 		if (len % sizeof(u32))
9386 			return -EINVAL;
9387 
9388 		if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES)
9389 			return -EINVAL;
9390 
9391 		memcpy(settings->akm_suites, data, len);
9392 	}
9393 
9394 	if (info->attrs[NL80211_ATTR_PMK]) {
9395 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
9396 			return -EINVAL;
9397 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9398 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK))
9399 			return -EINVAL;
9400 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
9401 	}
9402 
9403 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
9404 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9405 					     NL80211_EXT_FEATURE_SAE_OFFLOAD))
9406 			return -EINVAL;
9407 		settings->sae_pwd =
9408 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9409 		settings->sae_pwd_len =
9410 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
9411 	}
9412 
9413 	return 0;
9414 }
9415 
9416 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
9417 {
9418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9419 	struct net_device *dev = info->user_ptr[1];
9420 	struct ieee80211_channel *chan;
9421 	struct cfg80211_assoc_request req = {};
9422 	const u8 *bssid, *ssid;
9423 	int err, ssid_len = 0;
9424 
9425 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9426 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9427 		return -EPERM;
9428 
9429 	if (!info->attrs[NL80211_ATTR_MAC] ||
9430 	    !info->attrs[NL80211_ATTR_SSID] ||
9431 	    !info->attrs[NL80211_ATTR_WIPHY_FREQ])
9432 		return -EINVAL;
9433 
9434 	if (!rdev->ops->assoc)
9435 		return -EOPNOTSUPP;
9436 
9437 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9438 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9439 		return -EOPNOTSUPP;
9440 
9441 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9442 
9443 	chan = nl80211_get_valid_chan(&rdev->wiphy,
9444 				      info->attrs[NL80211_ATTR_WIPHY_FREQ]);
9445 	if (!chan)
9446 		return -EINVAL;
9447 
9448 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9449 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9450 
9451 	if (info->attrs[NL80211_ATTR_IE]) {
9452 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9453 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9454 	}
9455 
9456 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
9457 		enum nl80211_mfp mfp =
9458 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
9459 		if (mfp == NL80211_MFP_REQUIRED)
9460 			req.use_mfp = true;
9461 		else if (mfp != NL80211_MFP_NO)
9462 			return -EINVAL;
9463 	}
9464 
9465 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
9466 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
9467 
9468 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
9469 		req.flags |= ASSOC_REQ_DISABLE_HT;
9470 
9471 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9472 		memcpy(&req.ht_capa_mask,
9473 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9474 		       sizeof(req.ht_capa_mask));
9475 
9476 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9477 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9478 			return -EINVAL;
9479 		memcpy(&req.ht_capa,
9480 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9481 		       sizeof(req.ht_capa));
9482 	}
9483 
9484 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
9485 		req.flags |= ASSOC_REQ_DISABLE_VHT;
9486 
9487 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9488 		memcpy(&req.vht_capa_mask,
9489 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
9490 		       sizeof(req.vht_capa_mask));
9491 
9492 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
9493 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
9494 			return -EINVAL;
9495 		memcpy(&req.vht_capa,
9496 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
9497 		       sizeof(req.vht_capa));
9498 	}
9499 
9500 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
9501 		if (!((rdev->wiphy.features &
9502 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
9503 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
9504 		    !wiphy_ext_feature_isset(&rdev->wiphy,
9505 					     NL80211_EXT_FEATURE_RRM))
9506 			return -EINVAL;
9507 		req.flags |= ASSOC_REQ_USE_RRM;
9508 	}
9509 
9510 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
9511 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
9512 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
9513 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
9514 			return -EINVAL;
9515 		req.fils_nonces =
9516 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
9517 	}
9518 
9519 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
9520 	if (!err) {
9521 		wdev_lock(dev->ieee80211_ptr);
9522 
9523 		err = cfg80211_mlme_assoc(rdev, dev, chan, bssid,
9524 					  ssid, ssid_len, &req);
9525 
9526 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
9527 			dev->ieee80211_ptr->conn_owner_nlportid =
9528 				info->snd_portid;
9529 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
9530 			       bssid, ETH_ALEN);
9531 		}
9532 
9533 		wdev_unlock(dev->ieee80211_ptr);
9534 	}
9535 
9536 	return err;
9537 }
9538 
9539 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
9540 {
9541 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9542 	struct net_device *dev = info->user_ptr[1];
9543 	const u8 *ie = NULL, *bssid;
9544 	int ie_len = 0, err;
9545 	u16 reason_code;
9546 	bool local_state_change;
9547 
9548 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9549 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9550 		return -EPERM;
9551 
9552 	if (!info->attrs[NL80211_ATTR_MAC])
9553 		return -EINVAL;
9554 
9555 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9556 		return -EINVAL;
9557 
9558 	if (!rdev->ops->deauth)
9559 		return -EOPNOTSUPP;
9560 
9561 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9562 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9563 		return -EOPNOTSUPP;
9564 
9565 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9566 
9567 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9568 	if (reason_code == 0) {
9569 		/* Reason Code 0 is reserved */
9570 		return -EINVAL;
9571 	}
9572 
9573 	if (info->attrs[NL80211_ATTR_IE]) {
9574 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9575 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9576 	}
9577 
9578 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9579 
9580 	wdev_lock(dev->ieee80211_ptr);
9581 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
9582 				   local_state_change);
9583 	wdev_unlock(dev->ieee80211_ptr);
9584 	return err;
9585 }
9586 
9587 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
9588 {
9589 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9590 	struct net_device *dev = info->user_ptr[1];
9591 	const u8 *ie = NULL, *bssid;
9592 	int ie_len = 0, err;
9593 	u16 reason_code;
9594 	bool local_state_change;
9595 
9596 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
9597 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
9598 		return -EPERM;
9599 
9600 	if (!info->attrs[NL80211_ATTR_MAC])
9601 		return -EINVAL;
9602 
9603 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
9604 		return -EINVAL;
9605 
9606 	if (!rdev->ops->disassoc)
9607 		return -EOPNOTSUPP;
9608 
9609 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
9610 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
9611 		return -EOPNOTSUPP;
9612 
9613 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9614 
9615 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
9616 	if (reason_code == 0) {
9617 		/* Reason Code 0 is reserved */
9618 		return -EINVAL;
9619 	}
9620 
9621 	if (info->attrs[NL80211_ATTR_IE]) {
9622 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9623 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9624 	}
9625 
9626 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
9627 
9628 	wdev_lock(dev->ieee80211_ptr);
9629 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
9630 				     local_state_change);
9631 	wdev_unlock(dev->ieee80211_ptr);
9632 	return err;
9633 }
9634 
9635 static bool
9636 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
9637 			 int mcast_rate[NUM_NL80211_BANDS],
9638 			 int rateval)
9639 {
9640 	struct wiphy *wiphy = &rdev->wiphy;
9641 	bool found = false;
9642 	int band, i;
9643 
9644 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
9645 		struct ieee80211_supported_band *sband;
9646 
9647 		sband = wiphy->bands[band];
9648 		if (!sband)
9649 			continue;
9650 
9651 		for (i = 0; i < sband->n_bitrates; i++) {
9652 			if (sband->bitrates[i].bitrate == rateval) {
9653 				mcast_rate[band] = i + 1;
9654 				found = true;
9655 				break;
9656 			}
9657 		}
9658 	}
9659 
9660 	return found;
9661 }
9662 
9663 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
9664 {
9665 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9666 	struct net_device *dev = info->user_ptr[1];
9667 	struct cfg80211_ibss_params ibss;
9668 	struct wiphy *wiphy;
9669 	struct cfg80211_cached_keys *connkeys = NULL;
9670 	int err;
9671 
9672 	memset(&ibss, 0, sizeof(ibss));
9673 
9674 	if (!info->attrs[NL80211_ATTR_SSID] ||
9675 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
9676 		return -EINVAL;
9677 
9678 	ibss.beacon_interval = 100;
9679 
9680 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
9681 		ibss.beacon_interval =
9682 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
9683 
9684 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
9685 					   ibss.beacon_interval);
9686 	if (err)
9687 		return err;
9688 
9689 	if (!rdev->ops->join_ibss)
9690 		return -EOPNOTSUPP;
9691 
9692 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9693 		return -EOPNOTSUPP;
9694 
9695 	wiphy = &rdev->wiphy;
9696 
9697 	if (info->attrs[NL80211_ATTR_MAC]) {
9698 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
9699 
9700 		if (!is_valid_ether_addr(ibss.bssid))
9701 			return -EINVAL;
9702 	}
9703 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
9704 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
9705 
9706 	if (info->attrs[NL80211_ATTR_IE]) {
9707 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
9708 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9709 	}
9710 
9711 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
9712 	if (err)
9713 		return err;
9714 
9715 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
9716 				     NL80211_IFTYPE_ADHOC))
9717 		return -EINVAL;
9718 
9719 	switch (ibss.chandef.width) {
9720 	case NL80211_CHAN_WIDTH_5:
9721 	case NL80211_CHAN_WIDTH_10:
9722 	case NL80211_CHAN_WIDTH_20_NOHT:
9723 		break;
9724 	case NL80211_CHAN_WIDTH_20:
9725 	case NL80211_CHAN_WIDTH_40:
9726 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9727 			return -EINVAL;
9728 		break;
9729 	case NL80211_CHAN_WIDTH_80:
9730 	case NL80211_CHAN_WIDTH_80P80:
9731 	case NL80211_CHAN_WIDTH_160:
9732 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
9733 			return -EINVAL;
9734 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
9735 					     NL80211_EXT_FEATURE_VHT_IBSS))
9736 			return -EINVAL;
9737 		break;
9738 	default:
9739 		return -EINVAL;
9740 	}
9741 
9742 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
9743 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
9744 
9745 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
9746 		u8 *rates =
9747 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9748 		int n_rates =
9749 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
9750 		struct ieee80211_supported_band *sband =
9751 			wiphy->bands[ibss.chandef.chan->band];
9752 
9753 		err = ieee80211_get_ratemask(sband, rates, n_rates,
9754 					     &ibss.basic_rates);
9755 		if (err)
9756 			return err;
9757 	}
9758 
9759 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9760 		memcpy(&ibss.ht_capa_mask,
9761 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
9762 		       sizeof(ibss.ht_capa_mask));
9763 
9764 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
9765 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
9766 			return -EINVAL;
9767 		memcpy(&ibss.ht_capa,
9768 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
9769 		       sizeof(ibss.ht_capa));
9770 	}
9771 
9772 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
9773 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
9774 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
9775 		return -EINVAL;
9776 
9777 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
9778 		bool no_ht = false;
9779 
9780 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
9781 		if (IS_ERR(connkeys))
9782 			return PTR_ERR(connkeys);
9783 
9784 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
9785 		    no_ht) {
9786 			kzfree(connkeys);
9787 			return -EINVAL;
9788 		}
9789 	}
9790 
9791 	ibss.control_port =
9792 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
9793 
9794 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
9795 		int r = validate_pae_over_nl80211(rdev, info);
9796 
9797 		if (r < 0) {
9798 			kzfree(connkeys);
9799 			return r;
9800 		}
9801 
9802 		ibss.control_port_over_nl80211 = true;
9803 	}
9804 
9805 	ibss.userspace_handles_dfs =
9806 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
9807 
9808 	wdev_lock(dev->ieee80211_ptr);
9809 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
9810 	if (err)
9811 		kzfree(connkeys);
9812 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9813 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
9814 	wdev_unlock(dev->ieee80211_ptr);
9815 
9816 	return err;
9817 }
9818 
9819 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
9820 {
9821 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9822 	struct net_device *dev = info->user_ptr[1];
9823 
9824 	if (!rdev->ops->leave_ibss)
9825 		return -EOPNOTSUPP;
9826 
9827 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
9828 		return -EOPNOTSUPP;
9829 
9830 	return cfg80211_leave_ibss(rdev, dev, false);
9831 }
9832 
9833 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
9834 {
9835 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9836 	struct net_device *dev = info->user_ptr[1];
9837 	int mcast_rate[NUM_NL80211_BANDS];
9838 	u32 nla_rate;
9839 	int err;
9840 
9841 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
9842 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
9843 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
9844 		return -EOPNOTSUPP;
9845 
9846 	if (!rdev->ops->set_mcast_rate)
9847 		return -EOPNOTSUPP;
9848 
9849 	memset(mcast_rate, 0, sizeof(mcast_rate));
9850 
9851 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
9852 		return -EINVAL;
9853 
9854 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
9855 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
9856 		return -EINVAL;
9857 
9858 	err = rdev_set_mcast_rate(rdev, dev, mcast_rate);
9859 
9860 	return err;
9861 }
9862 
9863 static struct sk_buff *
9864 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
9865 			    struct wireless_dev *wdev, int approxlen,
9866 			    u32 portid, u32 seq, enum nl80211_commands cmd,
9867 			    enum nl80211_attrs attr,
9868 			    const struct nl80211_vendor_cmd_info *info,
9869 			    gfp_t gfp)
9870 {
9871 	struct sk_buff *skb;
9872 	void *hdr;
9873 	struct nlattr *data;
9874 
9875 	skb = nlmsg_new(approxlen + 100, gfp);
9876 	if (!skb)
9877 		return NULL;
9878 
9879 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
9880 	if (!hdr) {
9881 		kfree_skb(skb);
9882 		return NULL;
9883 	}
9884 
9885 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
9886 		goto nla_put_failure;
9887 
9888 	if (info) {
9889 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
9890 				info->vendor_id))
9891 			goto nla_put_failure;
9892 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
9893 				info->subcmd))
9894 			goto nla_put_failure;
9895 	}
9896 
9897 	if (wdev) {
9898 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
9899 				      wdev_id(wdev), NL80211_ATTR_PAD))
9900 			goto nla_put_failure;
9901 		if (wdev->netdev &&
9902 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
9903 				wdev->netdev->ifindex))
9904 			goto nla_put_failure;
9905 	}
9906 
9907 	data = nla_nest_start_noflag(skb, attr);
9908 	if (!data)
9909 		goto nla_put_failure;
9910 
9911 	((void **)skb->cb)[0] = rdev;
9912 	((void **)skb->cb)[1] = hdr;
9913 	((void **)skb->cb)[2] = data;
9914 
9915 	return skb;
9916 
9917  nla_put_failure:
9918 	kfree_skb(skb);
9919 	return NULL;
9920 }
9921 
9922 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
9923 					   struct wireless_dev *wdev,
9924 					   enum nl80211_commands cmd,
9925 					   enum nl80211_attrs attr,
9926 					   unsigned int portid,
9927 					   int vendor_event_idx,
9928 					   int approxlen, gfp_t gfp)
9929 {
9930 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
9931 	const struct nl80211_vendor_cmd_info *info;
9932 
9933 	switch (cmd) {
9934 	case NL80211_CMD_TESTMODE:
9935 		if (WARN_ON(vendor_event_idx != -1))
9936 			return NULL;
9937 		info = NULL;
9938 		break;
9939 	case NL80211_CMD_VENDOR:
9940 		if (WARN_ON(vendor_event_idx < 0 ||
9941 			    vendor_event_idx >= wiphy->n_vendor_events))
9942 			return NULL;
9943 		info = &wiphy->vendor_events[vendor_event_idx];
9944 		break;
9945 	default:
9946 		WARN_ON(1);
9947 		return NULL;
9948 	}
9949 
9950 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
9951 					   cmd, attr, info, gfp);
9952 }
9953 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
9954 
9955 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
9956 {
9957 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
9958 	void *hdr = ((void **)skb->cb)[1];
9959 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
9960 	struct nlattr *data = ((void **)skb->cb)[2];
9961 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
9962 
9963 	/* clear CB data for netlink core to own from now on */
9964 	memset(skb->cb, 0, sizeof(skb->cb));
9965 
9966 	nla_nest_end(skb, data);
9967 	genlmsg_end(skb, hdr);
9968 
9969 	if (nlhdr->nlmsg_pid) {
9970 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
9971 				nlhdr->nlmsg_pid);
9972 	} else {
9973 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
9974 			mcgrp = NL80211_MCGRP_VENDOR;
9975 
9976 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
9977 					skb, 0, mcgrp, gfp);
9978 	}
9979 }
9980 EXPORT_SYMBOL(__cfg80211_send_event_skb);
9981 
9982 #ifdef CONFIG_NL80211_TESTMODE
9983 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
9984 {
9985 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9986 	struct wireless_dev *wdev =
9987 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
9988 	int err;
9989 
9990 	if (!rdev->ops->testmode_cmd)
9991 		return -EOPNOTSUPP;
9992 
9993 	if (IS_ERR(wdev)) {
9994 		err = PTR_ERR(wdev);
9995 		if (err != -EINVAL)
9996 			return err;
9997 		wdev = NULL;
9998 	} else if (wdev->wiphy != &rdev->wiphy) {
9999 		return -EINVAL;
10000 	}
10001 
10002 	if (!info->attrs[NL80211_ATTR_TESTDATA])
10003 		return -EINVAL;
10004 
10005 	rdev->cur_cmd_info = info;
10006 	err = rdev_testmode_cmd(rdev, wdev,
10007 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
10008 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
10009 	rdev->cur_cmd_info = NULL;
10010 
10011 	return err;
10012 }
10013 
10014 static int nl80211_testmode_dump(struct sk_buff *skb,
10015 				 struct netlink_callback *cb)
10016 {
10017 	struct cfg80211_registered_device *rdev;
10018 	struct nlattr **attrbuf = NULL;
10019 	int err;
10020 	long phy_idx;
10021 	void *data = NULL;
10022 	int data_len = 0;
10023 
10024 	rtnl_lock();
10025 
10026 	if (cb->args[0]) {
10027 		/*
10028 		 * 0 is a valid index, but not valid for args[0],
10029 		 * so we need to offset by 1.
10030 		 */
10031 		phy_idx = cb->args[0] - 1;
10032 
10033 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
10034 		if (!rdev) {
10035 			err = -ENOENT;
10036 			goto out_err;
10037 		}
10038 	} else {
10039 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
10040 				  GFP_KERNEL);
10041 		if (!attrbuf) {
10042 			err = -ENOMEM;
10043 			goto out_err;
10044 		}
10045 
10046 		err = nlmsg_parse_deprecated(cb->nlh,
10047 					     GENL_HDRLEN + nl80211_fam.hdrsize,
10048 					     attrbuf, nl80211_fam.maxattr,
10049 					     nl80211_policy, NULL);
10050 		if (err)
10051 			goto out_err;
10052 
10053 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
10054 		if (IS_ERR(rdev)) {
10055 			err = PTR_ERR(rdev);
10056 			goto out_err;
10057 		}
10058 		phy_idx = rdev->wiphy_idx;
10059 
10060 		if (attrbuf[NL80211_ATTR_TESTDATA])
10061 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
10062 	}
10063 
10064 	if (cb->args[1]) {
10065 		data = nla_data((void *)cb->args[1]);
10066 		data_len = nla_len((void *)cb->args[1]);
10067 	}
10068 
10069 	if (!rdev->ops->testmode_dump) {
10070 		err = -EOPNOTSUPP;
10071 		goto out_err;
10072 	}
10073 
10074 	while (1) {
10075 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
10076 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
10077 					   NL80211_CMD_TESTMODE);
10078 		struct nlattr *tmdata;
10079 
10080 		if (!hdr)
10081 			break;
10082 
10083 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
10084 			genlmsg_cancel(skb, hdr);
10085 			break;
10086 		}
10087 
10088 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
10089 		if (!tmdata) {
10090 			genlmsg_cancel(skb, hdr);
10091 			break;
10092 		}
10093 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
10094 		nla_nest_end(skb, tmdata);
10095 
10096 		if (err == -ENOBUFS || err == -ENOENT) {
10097 			genlmsg_cancel(skb, hdr);
10098 			break;
10099 		} else if (err) {
10100 			genlmsg_cancel(skb, hdr);
10101 			goto out_err;
10102 		}
10103 
10104 		genlmsg_end(skb, hdr);
10105 	}
10106 
10107 	err = skb->len;
10108 	/* see above */
10109 	cb->args[0] = phy_idx + 1;
10110  out_err:
10111 	kfree(attrbuf);
10112 	rtnl_unlock();
10113 	return err;
10114 }
10115 #endif
10116 
10117 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
10118 {
10119 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10120 	struct net_device *dev = info->user_ptr[1];
10121 	struct cfg80211_connect_params connect;
10122 	struct wiphy *wiphy;
10123 	struct cfg80211_cached_keys *connkeys = NULL;
10124 	int err;
10125 
10126 	memset(&connect, 0, sizeof(connect));
10127 
10128 	if (!info->attrs[NL80211_ATTR_SSID] ||
10129 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
10130 		return -EINVAL;
10131 
10132 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10133 		connect.auth_type =
10134 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10135 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
10136 					     NL80211_CMD_CONNECT))
10137 			return -EINVAL;
10138 	} else
10139 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
10140 
10141 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
10142 
10143 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
10144 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10145 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
10146 		return -EINVAL;
10147 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
10148 
10149 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
10150 				      NL80211_MAX_NR_CIPHER_SUITES);
10151 	if (err)
10152 		return err;
10153 
10154 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10155 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10156 		return -EOPNOTSUPP;
10157 
10158 	wiphy = &rdev->wiphy;
10159 
10160 	connect.bg_scan_period = -1;
10161 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
10162 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
10163 		connect.bg_scan_period =
10164 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
10165 	}
10166 
10167 	if (info->attrs[NL80211_ATTR_MAC])
10168 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10169 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
10170 		connect.bssid_hint =
10171 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
10172 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10173 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10174 
10175 	if (info->attrs[NL80211_ATTR_IE]) {
10176 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10177 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10178 	}
10179 
10180 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10181 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10182 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
10183 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10184 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
10185 			return -EOPNOTSUPP;
10186 	} else {
10187 		connect.mfp = NL80211_MFP_NO;
10188 	}
10189 
10190 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10191 		connect.prev_bssid =
10192 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10193 
10194 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10195 		connect.channel = nl80211_get_valid_chan(
10196 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ]);
10197 		if (!connect.channel)
10198 			return -EINVAL;
10199 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
10200 		connect.channel_hint = nl80211_get_valid_chan(
10201 			wiphy, info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
10202 		if (!connect.channel_hint)
10203 			return -EINVAL;
10204 	}
10205 
10206 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
10207 		connect.edmg.channels =
10208 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
10209 
10210 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
10211 			connect.edmg.bw_config =
10212 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
10213 	}
10214 
10215 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
10216 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
10217 		if (IS_ERR(connkeys))
10218 			return PTR_ERR(connkeys);
10219 	}
10220 
10221 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10222 		connect.flags |= ASSOC_REQ_DISABLE_HT;
10223 
10224 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10225 		memcpy(&connect.ht_capa_mask,
10226 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10227 		       sizeof(connect.ht_capa_mask));
10228 
10229 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
10230 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
10231 			kzfree(connkeys);
10232 			return -EINVAL;
10233 		}
10234 		memcpy(&connect.ht_capa,
10235 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
10236 		       sizeof(connect.ht_capa));
10237 	}
10238 
10239 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
10240 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
10241 
10242 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
10243 		memcpy(&connect.vht_capa_mask,
10244 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
10245 		       sizeof(connect.vht_capa_mask));
10246 
10247 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
10248 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
10249 			kzfree(connkeys);
10250 			return -EINVAL;
10251 		}
10252 		memcpy(&connect.vht_capa,
10253 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
10254 		       sizeof(connect.vht_capa));
10255 	}
10256 
10257 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
10258 		if (!((rdev->wiphy.features &
10259 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
10260 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
10261 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10262 					     NL80211_EXT_FEATURE_RRM)) {
10263 			kzfree(connkeys);
10264 			return -EINVAL;
10265 		}
10266 		connect.flags |= ASSOC_REQ_USE_RRM;
10267 	}
10268 
10269 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
10270 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
10271 		kzfree(connkeys);
10272 		return -EOPNOTSUPP;
10273 	}
10274 
10275 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
10276 		/* bss selection makes no sense if bssid is set */
10277 		if (connect.bssid) {
10278 			kzfree(connkeys);
10279 			return -EINVAL;
10280 		}
10281 
10282 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
10283 				       wiphy, &connect.bss_select);
10284 		if (err) {
10285 			kzfree(connkeys);
10286 			return err;
10287 		}
10288 	}
10289 
10290 	if (wiphy_ext_feature_isset(&rdev->wiphy,
10291 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
10292 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10293 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10294 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10295 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10296 		connect.fils_erp_username =
10297 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10298 		connect.fils_erp_username_len =
10299 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10300 		connect.fils_erp_realm =
10301 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10302 		connect.fils_erp_realm_len =
10303 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10304 		connect.fils_erp_next_seq_num =
10305 			nla_get_u16(
10306 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10307 		connect.fils_erp_rrk =
10308 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10309 		connect.fils_erp_rrk_len =
10310 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10311 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10312 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10313 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10314 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10315 		kzfree(connkeys);
10316 		return -EINVAL;
10317 	}
10318 
10319 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
10320 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10321 			kzfree(connkeys);
10322 			GENL_SET_ERR_MSG(info,
10323 					 "external auth requires connection ownership");
10324 			return -EINVAL;
10325 		}
10326 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
10327 	}
10328 
10329 	wdev_lock(dev->ieee80211_ptr);
10330 
10331 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
10332 			       connect.prev_bssid);
10333 	if (err)
10334 		kzfree(connkeys);
10335 
10336 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10337 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
10338 		if (connect.bssid)
10339 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
10340 			       connect.bssid, ETH_ALEN);
10341 		else
10342 			memset(dev->ieee80211_ptr->disconnect_bssid,
10343 			       0, ETH_ALEN);
10344 	}
10345 
10346 	wdev_unlock(dev->ieee80211_ptr);
10347 
10348 	return err;
10349 }
10350 
10351 static int nl80211_update_connect_params(struct sk_buff *skb,
10352 					 struct genl_info *info)
10353 {
10354 	struct cfg80211_connect_params connect = {};
10355 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10356 	struct net_device *dev = info->user_ptr[1];
10357 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10358 	bool fils_sk_offload;
10359 	u32 auth_type;
10360 	u32 changed = 0;
10361 	int ret;
10362 
10363 	if (!rdev->ops->update_connect_params)
10364 		return -EOPNOTSUPP;
10365 
10366 	if (info->attrs[NL80211_ATTR_IE]) {
10367 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10368 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10369 		changed |= UPDATE_ASSOC_IES;
10370 	}
10371 
10372 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
10373 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
10374 
10375 	/*
10376 	 * when driver supports fils-sk offload all attributes must be
10377 	 * provided. So the else covers "fils-sk-not-all" and
10378 	 * "no-fils-sk-any".
10379 	 */
10380 	if (fils_sk_offload &&
10381 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
10382 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
10383 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
10384 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10385 		connect.fils_erp_username =
10386 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10387 		connect.fils_erp_username_len =
10388 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
10389 		connect.fils_erp_realm =
10390 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10391 		connect.fils_erp_realm_len =
10392 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
10393 		connect.fils_erp_next_seq_num =
10394 			nla_get_u16(
10395 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
10396 		connect.fils_erp_rrk =
10397 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10398 		connect.fils_erp_rrk_len =
10399 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
10400 		changed |= UPDATE_FILS_ERP_INFO;
10401 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
10402 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
10403 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
10404 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
10405 		return -EINVAL;
10406 	}
10407 
10408 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
10409 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10410 		if (!nl80211_valid_auth_type(rdev, auth_type,
10411 					     NL80211_CMD_CONNECT))
10412 			return -EINVAL;
10413 
10414 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
10415 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
10416 			return -EINVAL;
10417 
10418 		connect.auth_type = auth_type;
10419 		changed |= UPDATE_AUTH_TYPE;
10420 	}
10421 
10422 	wdev_lock(dev->ieee80211_ptr);
10423 	if (!wdev->current_bss)
10424 		ret = -ENOLINK;
10425 	else
10426 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
10427 	wdev_unlock(dev->ieee80211_ptr);
10428 
10429 	return ret;
10430 }
10431 
10432 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
10433 {
10434 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10435 	struct net_device *dev = info->user_ptr[1];
10436 	u16 reason;
10437 	int ret;
10438 
10439 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10440 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10441 		return -EPERM;
10442 
10443 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
10444 		reason = WLAN_REASON_DEAUTH_LEAVING;
10445 	else
10446 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
10447 
10448 	if (reason == 0)
10449 		return -EINVAL;
10450 
10451 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10452 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10453 		return -EOPNOTSUPP;
10454 
10455 	wdev_lock(dev->ieee80211_ptr);
10456 	ret = cfg80211_disconnect(rdev, dev, reason, true);
10457 	wdev_unlock(dev->ieee80211_ptr);
10458 	return ret;
10459 }
10460 
10461 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
10462 {
10463 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10464 	struct net *net;
10465 	int err;
10466 
10467 	if (info->attrs[NL80211_ATTR_PID]) {
10468 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
10469 
10470 		net = get_net_ns_by_pid(pid);
10471 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
10472 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
10473 
10474 		net = get_net_ns_by_fd(fd);
10475 	} else {
10476 		return -EINVAL;
10477 	}
10478 
10479 	if (IS_ERR(net))
10480 		return PTR_ERR(net);
10481 
10482 	err = 0;
10483 
10484 	/* check if anything to do */
10485 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
10486 		err = cfg80211_switch_netns(rdev, net);
10487 
10488 	put_net(net);
10489 	return err;
10490 }
10491 
10492 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
10493 {
10494 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10495 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
10496 			struct cfg80211_pmksa *pmksa) = NULL;
10497 	struct net_device *dev = info->user_ptr[1];
10498 	struct cfg80211_pmksa pmksa;
10499 
10500 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
10501 
10502 	if (!info->attrs[NL80211_ATTR_PMKID])
10503 		return -EINVAL;
10504 
10505 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
10506 
10507 	if (info->attrs[NL80211_ATTR_MAC]) {
10508 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10509 	} else if (info->attrs[NL80211_ATTR_SSID] &&
10510 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
10511 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
10512 		    info->attrs[NL80211_ATTR_PMK])) {
10513 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10514 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10515 		pmksa.cache_id =
10516 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
10517 	} else {
10518 		return -EINVAL;
10519 	}
10520 	if (info->attrs[NL80211_ATTR_PMK]) {
10521 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10522 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
10523 	}
10524 
10525 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
10526 		pmksa.pmk_lifetime =
10527 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
10528 
10529 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
10530 		pmksa.pmk_reauth_threshold =
10531 			nla_get_u8(
10532 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
10533 
10534 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10535 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
10536 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
10537 	      wiphy_ext_feature_isset(&rdev->wiphy,
10538 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
10539 		return -EOPNOTSUPP;
10540 
10541 	switch (info->genlhdr->cmd) {
10542 	case NL80211_CMD_SET_PMKSA:
10543 		rdev_ops = rdev->ops->set_pmksa;
10544 		break;
10545 	case NL80211_CMD_DEL_PMKSA:
10546 		rdev_ops = rdev->ops->del_pmksa;
10547 		break;
10548 	default:
10549 		WARN_ON(1);
10550 		break;
10551 	}
10552 
10553 	if (!rdev_ops)
10554 		return -EOPNOTSUPP;
10555 
10556 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
10557 }
10558 
10559 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
10560 {
10561 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10562 	struct net_device *dev = info->user_ptr[1];
10563 
10564 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10565 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10566 		return -EOPNOTSUPP;
10567 
10568 	if (!rdev->ops->flush_pmksa)
10569 		return -EOPNOTSUPP;
10570 
10571 	return rdev_flush_pmksa(rdev, dev);
10572 }
10573 
10574 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
10575 {
10576 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10577 	struct net_device *dev = info->user_ptr[1];
10578 	u8 action_code, dialog_token;
10579 	u32 peer_capability = 0;
10580 	u16 status_code;
10581 	u8 *peer;
10582 	bool initiator;
10583 
10584 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10585 	    !rdev->ops->tdls_mgmt)
10586 		return -EOPNOTSUPP;
10587 
10588 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
10589 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
10590 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
10591 	    !info->attrs[NL80211_ATTR_IE] ||
10592 	    !info->attrs[NL80211_ATTR_MAC])
10593 		return -EINVAL;
10594 
10595 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10596 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
10597 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
10598 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
10599 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
10600 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
10601 		peer_capability =
10602 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
10603 
10604 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
10605 			      dialog_token, status_code, peer_capability,
10606 			      initiator,
10607 			      nla_data(info->attrs[NL80211_ATTR_IE]),
10608 			      nla_len(info->attrs[NL80211_ATTR_IE]));
10609 }
10610 
10611 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
10612 {
10613 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10614 	struct net_device *dev = info->user_ptr[1];
10615 	enum nl80211_tdls_operation operation;
10616 	u8 *peer;
10617 
10618 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
10619 	    !rdev->ops->tdls_oper)
10620 		return -EOPNOTSUPP;
10621 
10622 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
10623 	    !info->attrs[NL80211_ATTR_MAC])
10624 		return -EINVAL;
10625 
10626 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
10627 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
10628 
10629 	return rdev_tdls_oper(rdev, dev, peer, operation);
10630 }
10631 
10632 static int nl80211_remain_on_channel(struct sk_buff *skb,
10633 				     struct genl_info *info)
10634 {
10635 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10636 	struct wireless_dev *wdev = info->user_ptr[1];
10637 	struct cfg80211_chan_def chandef;
10638 	const struct cfg80211_chan_def *compat_chandef;
10639 	struct sk_buff *msg;
10640 	void *hdr;
10641 	u64 cookie;
10642 	u32 duration;
10643 	int err;
10644 
10645 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10646 	    !info->attrs[NL80211_ATTR_DURATION])
10647 		return -EINVAL;
10648 
10649 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10650 
10651 	if (!rdev->ops->remain_on_channel ||
10652 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
10653 		return -EOPNOTSUPP;
10654 
10655 	/*
10656 	 * We should be on that channel for at least a minimum amount of
10657 	 * time (10ms) but no longer than the driver supports.
10658 	 */
10659 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10660 	    duration > rdev->wiphy.max_remain_on_channel_duration)
10661 		return -EINVAL;
10662 
10663 	err = nl80211_parse_chandef(rdev, info, &chandef);
10664 	if (err)
10665 		return err;
10666 
10667 	wdev_lock(wdev);
10668 	if (!cfg80211_off_channel_oper_allowed(wdev) &&
10669 	    !cfg80211_chandef_identical(&wdev->chandef, &chandef)) {
10670 		compat_chandef = cfg80211_chandef_compatible(&wdev->chandef,
10671 							     &chandef);
10672 		if (compat_chandef != &chandef) {
10673 			wdev_unlock(wdev);
10674 			return -EBUSY;
10675 		}
10676 	}
10677 	wdev_unlock(wdev);
10678 
10679 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10680 	if (!msg)
10681 		return -ENOMEM;
10682 
10683 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10684 			     NL80211_CMD_REMAIN_ON_CHANNEL);
10685 	if (!hdr) {
10686 		err = -ENOBUFS;
10687 		goto free_msg;
10688 	}
10689 
10690 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
10691 				     duration, &cookie);
10692 
10693 	if (err)
10694 		goto free_msg;
10695 
10696 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10697 			      NL80211_ATTR_PAD))
10698 		goto nla_put_failure;
10699 
10700 	genlmsg_end(msg, hdr);
10701 
10702 	return genlmsg_reply(msg, info);
10703 
10704  nla_put_failure:
10705 	err = -ENOBUFS;
10706  free_msg:
10707 	nlmsg_free(msg);
10708 	return err;
10709 }
10710 
10711 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
10712 					    struct genl_info *info)
10713 {
10714 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10715 	struct wireless_dev *wdev = info->user_ptr[1];
10716 	u64 cookie;
10717 
10718 	if (!info->attrs[NL80211_ATTR_COOKIE])
10719 		return -EINVAL;
10720 
10721 	if (!rdev->ops->cancel_remain_on_channel)
10722 		return -EOPNOTSUPP;
10723 
10724 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10725 
10726 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
10727 }
10728 
10729 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
10730 				       struct genl_info *info)
10731 {
10732 	struct cfg80211_bitrate_mask mask;
10733 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10734 	struct net_device *dev = info->user_ptr[1];
10735 	int err;
10736 
10737 	if (!rdev->ops->set_bitrate_mask)
10738 		return -EOPNOTSUPP;
10739 
10740 	err = nl80211_parse_tx_bitrate_mask(info, &mask);
10741 	if (err)
10742 		return err;
10743 
10744 	return rdev_set_bitrate_mask(rdev, dev, NULL, &mask);
10745 }
10746 
10747 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
10748 {
10749 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10750 	struct wireless_dev *wdev = info->user_ptr[1];
10751 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
10752 
10753 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
10754 		return -EINVAL;
10755 
10756 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
10757 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
10758 
10759 	switch (wdev->iftype) {
10760 	case NL80211_IFTYPE_STATION:
10761 	case NL80211_IFTYPE_ADHOC:
10762 	case NL80211_IFTYPE_P2P_CLIENT:
10763 	case NL80211_IFTYPE_AP:
10764 	case NL80211_IFTYPE_AP_VLAN:
10765 	case NL80211_IFTYPE_MESH_POINT:
10766 	case NL80211_IFTYPE_P2P_GO:
10767 	case NL80211_IFTYPE_P2P_DEVICE:
10768 		break;
10769 	case NL80211_IFTYPE_NAN:
10770 	default:
10771 		return -EOPNOTSUPP;
10772 	}
10773 
10774 	/* not much point in registering if we can't reply */
10775 	if (!rdev->ops->mgmt_tx)
10776 		return -EOPNOTSUPP;
10777 
10778 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
10779 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10780 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
10781 					   info->extack);
10782 }
10783 
10784 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
10785 {
10786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10787 	struct wireless_dev *wdev = info->user_ptr[1];
10788 	struct cfg80211_chan_def chandef;
10789 	int err;
10790 	void *hdr = NULL;
10791 	u64 cookie;
10792 	struct sk_buff *msg = NULL;
10793 	struct cfg80211_mgmt_tx_params params = {
10794 		.dont_wait_for_ack =
10795 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
10796 	};
10797 
10798 	if (!info->attrs[NL80211_ATTR_FRAME])
10799 		return -EINVAL;
10800 
10801 	if (!rdev->ops->mgmt_tx)
10802 		return -EOPNOTSUPP;
10803 
10804 	switch (wdev->iftype) {
10805 	case NL80211_IFTYPE_P2P_DEVICE:
10806 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10807 			return -EINVAL;
10808 	case NL80211_IFTYPE_STATION:
10809 	case NL80211_IFTYPE_ADHOC:
10810 	case NL80211_IFTYPE_P2P_CLIENT:
10811 	case NL80211_IFTYPE_AP:
10812 	case NL80211_IFTYPE_AP_VLAN:
10813 	case NL80211_IFTYPE_MESH_POINT:
10814 	case NL80211_IFTYPE_P2P_GO:
10815 		break;
10816 	case NL80211_IFTYPE_NAN:
10817 	default:
10818 		return -EOPNOTSUPP;
10819 	}
10820 
10821 	if (info->attrs[NL80211_ATTR_DURATION]) {
10822 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10823 			return -EINVAL;
10824 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
10825 
10826 		/*
10827 		 * We should wait on the channel for at least a minimum amount
10828 		 * of time (10ms) but no longer than the driver supports.
10829 		 */
10830 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
10831 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
10832 			return -EINVAL;
10833 	}
10834 
10835 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
10836 
10837 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
10838 		return -EINVAL;
10839 
10840 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
10841 
10842 	/* get the channel if any has been specified, otherwise pass NULL to
10843 	 * the driver. The latter will use the current one
10844 	 */
10845 	chandef.chan = NULL;
10846 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
10847 		err = nl80211_parse_chandef(rdev, info, &chandef);
10848 		if (err)
10849 			return err;
10850 	}
10851 
10852 	if (!chandef.chan && params.offchan)
10853 		return -EINVAL;
10854 
10855 	wdev_lock(wdev);
10856 	if (params.offchan && !cfg80211_off_channel_oper_allowed(wdev)) {
10857 		wdev_unlock(wdev);
10858 		return -EBUSY;
10859 	}
10860 	wdev_unlock(wdev);
10861 
10862 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
10863 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
10864 
10865 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
10866 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10867 		int i;
10868 
10869 		if (len % sizeof(u16))
10870 			return -EINVAL;
10871 
10872 		params.n_csa_offsets = len / sizeof(u16);
10873 		params.csa_offsets =
10874 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
10875 
10876 		/* check that all the offsets fit the frame */
10877 		for (i = 0; i < params.n_csa_offsets; i++) {
10878 			if (params.csa_offsets[i] >= params.len)
10879 				return -EINVAL;
10880 		}
10881 	}
10882 
10883 	if (!params.dont_wait_for_ack) {
10884 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10885 		if (!msg)
10886 			return -ENOMEM;
10887 
10888 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
10889 				     NL80211_CMD_FRAME);
10890 		if (!hdr) {
10891 			err = -ENOBUFS;
10892 			goto free_msg;
10893 		}
10894 	}
10895 
10896 	params.chan = chandef.chan;
10897 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
10898 	if (err)
10899 		goto free_msg;
10900 
10901 	if (msg) {
10902 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
10903 				      NL80211_ATTR_PAD))
10904 			goto nla_put_failure;
10905 
10906 		genlmsg_end(msg, hdr);
10907 		return genlmsg_reply(msg, info);
10908 	}
10909 
10910 	return 0;
10911 
10912  nla_put_failure:
10913 	err = -ENOBUFS;
10914  free_msg:
10915 	nlmsg_free(msg);
10916 	return err;
10917 }
10918 
10919 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
10920 {
10921 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10922 	struct wireless_dev *wdev = info->user_ptr[1];
10923 	u64 cookie;
10924 
10925 	if (!info->attrs[NL80211_ATTR_COOKIE])
10926 		return -EINVAL;
10927 
10928 	if (!rdev->ops->mgmt_tx_cancel_wait)
10929 		return -EOPNOTSUPP;
10930 
10931 	switch (wdev->iftype) {
10932 	case NL80211_IFTYPE_STATION:
10933 	case NL80211_IFTYPE_ADHOC:
10934 	case NL80211_IFTYPE_P2P_CLIENT:
10935 	case NL80211_IFTYPE_AP:
10936 	case NL80211_IFTYPE_AP_VLAN:
10937 	case NL80211_IFTYPE_P2P_GO:
10938 	case NL80211_IFTYPE_P2P_DEVICE:
10939 		break;
10940 	case NL80211_IFTYPE_NAN:
10941 	default:
10942 		return -EOPNOTSUPP;
10943 	}
10944 
10945 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
10946 
10947 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
10948 }
10949 
10950 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
10951 {
10952 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10953 	struct wireless_dev *wdev;
10954 	struct net_device *dev = info->user_ptr[1];
10955 	u8 ps_state;
10956 	bool state;
10957 	int err;
10958 
10959 	if (!info->attrs[NL80211_ATTR_PS_STATE])
10960 		return -EINVAL;
10961 
10962 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
10963 
10964 	wdev = dev->ieee80211_ptr;
10965 
10966 	if (!rdev->ops->set_power_mgmt)
10967 		return -EOPNOTSUPP;
10968 
10969 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
10970 
10971 	if (state == wdev->ps)
10972 		return 0;
10973 
10974 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
10975 	if (!err)
10976 		wdev->ps = state;
10977 	return err;
10978 }
10979 
10980 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
10981 {
10982 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10983 	enum nl80211_ps_state ps_state;
10984 	struct wireless_dev *wdev;
10985 	struct net_device *dev = info->user_ptr[1];
10986 	struct sk_buff *msg;
10987 	void *hdr;
10988 	int err;
10989 
10990 	wdev = dev->ieee80211_ptr;
10991 
10992 	if (!rdev->ops->set_power_mgmt)
10993 		return -EOPNOTSUPP;
10994 
10995 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
10996 	if (!msg)
10997 		return -ENOMEM;
10998 
10999 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11000 			     NL80211_CMD_GET_POWER_SAVE);
11001 	if (!hdr) {
11002 		err = -ENOBUFS;
11003 		goto free_msg;
11004 	}
11005 
11006 	if (wdev->ps)
11007 		ps_state = NL80211_PS_ENABLED;
11008 	else
11009 		ps_state = NL80211_PS_DISABLED;
11010 
11011 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
11012 		goto nla_put_failure;
11013 
11014 	genlmsg_end(msg, hdr);
11015 	return genlmsg_reply(msg, info);
11016 
11017  nla_put_failure:
11018 	err = -ENOBUFS;
11019  free_msg:
11020 	nlmsg_free(msg);
11021 	return err;
11022 }
11023 
11024 static const struct nla_policy
11025 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
11026 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
11027 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
11028 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
11029 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
11030 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
11031 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
11032 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
11033 };
11034 
11035 static int nl80211_set_cqm_txe(struct genl_info *info,
11036 			       u32 rate, u32 pkts, u32 intvl)
11037 {
11038 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11039 	struct net_device *dev = info->user_ptr[1];
11040 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11041 
11042 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
11043 		return -EINVAL;
11044 
11045 	if (!rdev->ops->set_cqm_txe_config)
11046 		return -EOPNOTSUPP;
11047 
11048 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11049 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11050 		return -EOPNOTSUPP;
11051 
11052 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
11053 }
11054 
11055 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
11056 				    struct net_device *dev)
11057 {
11058 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11059 	s32 last, low, high;
11060 	u32 hyst;
11061 	int i, n, low_index;
11062 	int err;
11063 
11064 	/* RSSI reporting disabled? */
11065 	if (!wdev->cqm_config)
11066 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
11067 
11068 	/*
11069 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
11070 	 * event has been received yet, we should receive an event after a
11071 	 * connection is established and enough beacons received to calculate
11072 	 * the average.
11073 	 */
11074 	if (!wdev->cqm_config->last_rssi_event_value && wdev->current_bss &&
11075 	    rdev->ops->get_station) {
11076 		struct station_info sinfo = {};
11077 		u8 *mac_addr;
11078 
11079 		mac_addr = wdev->current_bss->pub.bssid;
11080 
11081 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
11082 		if (err)
11083 			return err;
11084 
11085 		cfg80211_sinfo_release_content(&sinfo);
11086 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
11087 			wdev->cqm_config->last_rssi_event_value =
11088 				(s8) sinfo.rx_beacon_signal_avg;
11089 	}
11090 
11091 	last = wdev->cqm_config->last_rssi_event_value;
11092 	hyst = wdev->cqm_config->rssi_hyst;
11093 	n = wdev->cqm_config->n_rssi_thresholds;
11094 
11095 	for (i = 0; i < n; i++) {
11096 		i = array_index_nospec(i, n);
11097 		if (last < wdev->cqm_config->rssi_thresholds[i])
11098 			break;
11099 	}
11100 
11101 	low_index = i - 1;
11102 	if (low_index >= 0) {
11103 		low_index = array_index_nospec(low_index, n);
11104 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
11105 	} else {
11106 		low = S32_MIN;
11107 	}
11108 	if (i < n) {
11109 		i = array_index_nospec(i, n);
11110 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
11111 	} else {
11112 		high = S32_MAX;
11113 	}
11114 
11115 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
11116 }
11117 
11118 static int nl80211_set_cqm_rssi(struct genl_info *info,
11119 				const s32 *thresholds, int n_thresholds,
11120 				u32 hysteresis)
11121 {
11122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11123 	struct net_device *dev = info->user_ptr[1];
11124 	struct wireless_dev *wdev = dev->ieee80211_ptr;
11125 	int i, err;
11126 	s32 prev = S32_MIN;
11127 
11128 	/* Check all values negative and sorted */
11129 	for (i = 0; i < n_thresholds; i++) {
11130 		if (thresholds[i] > 0 || thresholds[i] <= prev)
11131 			return -EINVAL;
11132 
11133 		prev = thresholds[i];
11134 	}
11135 
11136 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
11137 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
11138 		return -EOPNOTSUPP;
11139 
11140 	wdev_lock(wdev);
11141 	cfg80211_cqm_config_free(wdev);
11142 	wdev_unlock(wdev);
11143 
11144 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
11145 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
11146 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
11147 
11148 		return rdev_set_cqm_rssi_config(rdev, dev,
11149 						thresholds[0], hysteresis);
11150 	}
11151 
11152 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
11153 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
11154 		return -EOPNOTSUPP;
11155 
11156 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
11157 		n_thresholds = 0;
11158 
11159 	wdev_lock(wdev);
11160 	if (n_thresholds) {
11161 		struct cfg80211_cqm_config *cqm_config;
11162 
11163 		cqm_config = kzalloc(sizeof(struct cfg80211_cqm_config) +
11164 				     n_thresholds * sizeof(s32), GFP_KERNEL);
11165 		if (!cqm_config) {
11166 			err = -ENOMEM;
11167 			goto unlock;
11168 		}
11169 
11170 		cqm_config->rssi_hyst = hysteresis;
11171 		cqm_config->n_rssi_thresholds = n_thresholds;
11172 		memcpy(cqm_config->rssi_thresholds, thresholds,
11173 		       n_thresholds * sizeof(s32));
11174 
11175 		wdev->cqm_config = cqm_config;
11176 	}
11177 
11178 	err = cfg80211_cqm_rssi_update(rdev, dev);
11179 
11180 unlock:
11181 	wdev_unlock(wdev);
11182 
11183 	return err;
11184 }
11185 
11186 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
11187 {
11188 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
11189 	struct nlattr *cqm;
11190 	int err;
11191 
11192 	cqm = info->attrs[NL80211_ATTR_CQM];
11193 	if (!cqm)
11194 		return -EINVAL;
11195 
11196 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
11197 					  nl80211_attr_cqm_policy,
11198 					  info->extack);
11199 	if (err)
11200 		return err;
11201 
11202 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
11203 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
11204 		const s32 *thresholds =
11205 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11206 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
11207 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
11208 
11209 		if (len % 4)
11210 			return -EINVAL;
11211 
11212 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
11213 					    hysteresis);
11214 	}
11215 
11216 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
11217 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
11218 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
11219 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
11220 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
11221 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
11222 
11223 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
11224 	}
11225 
11226 	return -EINVAL;
11227 }
11228 
11229 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
11230 {
11231 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11232 	struct net_device *dev = info->user_ptr[1];
11233 	struct ocb_setup setup = {};
11234 	int err;
11235 
11236 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11237 	if (err)
11238 		return err;
11239 
11240 	return cfg80211_join_ocb(rdev, dev, &setup);
11241 }
11242 
11243 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
11244 {
11245 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11246 	struct net_device *dev = info->user_ptr[1];
11247 
11248 	return cfg80211_leave_ocb(rdev, dev);
11249 }
11250 
11251 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
11252 {
11253 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11254 	struct net_device *dev = info->user_ptr[1];
11255 	struct mesh_config cfg;
11256 	struct mesh_setup setup;
11257 	int err;
11258 
11259 	/* start with default */
11260 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
11261 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
11262 
11263 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
11264 		/* and parse parameters if given */
11265 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
11266 		if (err)
11267 			return err;
11268 	}
11269 
11270 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
11271 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
11272 		return -EINVAL;
11273 
11274 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
11275 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
11276 
11277 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11278 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
11279 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11280 			return -EINVAL;
11281 
11282 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
11283 		setup.beacon_interval =
11284 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11285 
11286 		err = cfg80211_validate_beacon_int(rdev,
11287 						   NL80211_IFTYPE_MESH_POINT,
11288 						   setup.beacon_interval);
11289 		if (err)
11290 			return err;
11291 	}
11292 
11293 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
11294 		setup.dtim_period =
11295 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
11296 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
11297 			return -EINVAL;
11298 	}
11299 
11300 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
11301 		/* parse additional setup parameters if given */
11302 		err = nl80211_parse_mesh_setup(info, &setup);
11303 		if (err)
11304 			return err;
11305 	}
11306 
11307 	if (setup.user_mpm)
11308 		cfg.auto_open_plinks = false;
11309 
11310 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
11311 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
11312 		if (err)
11313 			return err;
11314 	} else {
11315 		/* __cfg80211_join_mesh() will sort it out */
11316 		setup.chandef.chan = NULL;
11317 	}
11318 
11319 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11320 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11321 		int n_rates =
11322 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11323 		struct ieee80211_supported_band *sband;
11324 
11325 		if (!setup.chandef.chan)
11326 			return -EINVAL;
11327 
11328 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
11329 
11330 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11331 					     &setup.basic_rates);
11332 		if (err)
11333 			return err;
11334 	}
11335 
11336 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
11337 		err = nl80211_parse_tx_bitrate_mask(info, &setup.beacon_rate);
11338 		if (err)
11339 			return err;
11340 
11341 		if (!setup.chandef.chan)
11342 			return -EINVAL;
11343 
11344 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
11345 					      &setup.beacon_rate);
11346 		if (err)
11347 			return err;
11348 	}
11349 
11350 	setup.userspace_handles_dfs =
11351 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11352 
11353 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11354 		int r = validate_pae_over_nl80211(rdev, info);
11355 
11356 		if (r < 0)
11357 			return r;
11358 
11359 		setup.control_port_over_nl80211 = true;
11360 	}
11361 
11362 	wdev_lock(dev->ieee80211_ptr);
11363 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
11364 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
11365 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11366 	wdev_unlock(dev->ieee80211_ptr);
11367 
11368 	return err;
11369 }
11370 
11371 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
11372 {
11373 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11374 	struct net_device *dev = info->user_ptr[1];
11375 
11376 	return cfg80211_leave_mesh(rdev, dev);
11377 }
11378 
11379 #ifdef CONFIG_PM
11380 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
11381 					struct cfg80211_registered_device *rdev)
11382 {
11383 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
11384 	struct nlattr *nl_pats, *nl_pat;
11385 	int i, pat_len;
11386 
11387 	if (!wowlan->n_patterns)
11388 		return 0;
11389 
11390 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
11391 	if (!nl_pats)
11392 		return -ENOBUFS;
11393 
11394 	for (i = 0; i < wowlan->n_patterns; i++) {
11395 		nl_pat = nla_nest_start_noflag(msg, i + 1);
11396 		if (!nl_pat)
11397 			return -ENOBUFS;
11398 		pat_len = wowlan->patterns[i].pattern_len;
11399 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
11400 			    wowlan->patterns[i].mask) ||
11401 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
11402 			    wowlan->patterns[i].pattern) ||
11403 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
11404 				wowlan->patterns[i].pkt_offset))
11405 			return -ENOBUFS;
11406 		nla_nest_end(msg, nl_pat);
11407 	}
11408 	nla_nest_end(msg, nl_pats);
11409 
11410 	return 0;
11411 }
11412 
11413 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
11414 				   struct cfg80211_wowlan_tcp *tcp)
11415 {
11416 	struct nlattr *nl_tcp;
11417 
11418 	if (!tcp)
11419 		return 0;
11420 
11421 	nl_tcp = nla_nest_start_noflag(msg,
11422 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
11423 	if (!nl_tcp)
11424 		return -ENOBUFS;
11425 
11426 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
11427 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
11428 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
11429 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
11430 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
11431 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
11432 		    tcp->payload_len, tcp->payload) ||
11433 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
11434 			tcp->data_interval) ||
11435 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
11436 		    tcp->wake_len, tcp->wake_data) ||
11437 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
11438 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
11439 		return -ENOBUFS;
11440 
11441 	if (tcp->payload_seq.len &&
11442 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
11443 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
11444 		return -ENOBUFS;
11445 
11446 	if (tcp->payload_tok.len &&
11447 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
11448 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
11449 		    &tcp->payload_tok))
11450 		return -ENOBUFS;
11451 
11452 	nla_nest_end(msg, nl_tcp);
11453 
11454 	return 0;
11455 }
11456 
11457 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
11458 				  struct cfg80211_sched_scan_request *req)
11459 {
11460 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
11461 	int i;
11462 
11463 	if (!req)
11464 		return 0;
11465 
11466 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
11467 	if (!nd)
11468 		return -ENOBUFS;
11469 
11470 	if (req->n_scan_plans == 1 &&
11471 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
11472 			req->scan_plans[0].interval * 1000))
11473 		return -ENOBUFS;
11474 
11475 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
11476 		return -ENOBUFS;
11477 
11478 	if (req->relative_rssi_set) {
11479 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
11480 
11481 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
11482 			       req->relative_rssi))
11483 			return -ENOBUFS;
11484 
11485 		rssi_adjust.band = req->rssi_adjust.band;
11486 		rssi_adjust.delta = req->rssi_adjust.delta;
11487 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
11488 			    sizeof(rssi_adjust), &rssi_adjust))
11489 			return -ENOBUFS;
11490 	}
11491 
11492 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
11493 	if (!freqs)
11494 		return -ENOBUFS;
11495 
11496 	for (i = 0; i < req->n_channels; i++) {
11497 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
11498 			return -ENOBUFS;
11499 	}
11500 
11501 	nla_nest_end(msg, freqs);
11502 
11503 	if (req->n_match_sets) {
11504 		matches = nla_nest_start_noflag(msg,
11505 						NL80211_ATTR_SCHED_SCAN_MATCH);
11506 		if (!matches)
11507 			return -ENOBUFS;
11508 
11509 		for (i = 0; i < req->n_match_sets; i++) {
11510 			match = nla_nest_start_noflag(msg, i);
11511 			if (!match)
11512 				return -ENOBUFS;
11513 
11514 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
11515 				    req->match_sets[i].ssid.ssid_len,
11516 				    req->match_sets[i].ssid.ssid))
11517 				return -ENOBUFS;
11518 			nla_nest_end(msg, match);
11519 		}
11520 		nla_nest_end(msg, matches);
11521 	}
11522 
11523 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
11524 	if (!scan_plans)
11525 		return -ENOBUFS;
11526 
11527 	for (i = 0; i < req->n_scan_plans; i++) {
11528 		scan_plan = nla_nest_start_noflag(msg, i + 1);
11529 		if (!scan_plan)
11530 			return -ENOBUFS;
11531 
11532 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
11533 				req->scan_plans[i].interval) ||
11534 		    (req->scan_plans[i].iterations &&
11535 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
11536 				 req->scan_plans[i].iterations)))
11537 			return -ENOBUFS;
11538 		nla_nest_end(msg, scan_plan);
11539 	}
11540 	nla_nest_end(msg, scan_plans);
11541 
11542 	nla_nest_end(msg, nd);
11543 
11544 	return 0;
11545 }
11546 
11547 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
11548 {
11549 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11550 	struct sk_buff *msg;
11551 	void *hdr;
11552 	u32 size = NLMSG_DEFAULT_SIZE;
11553 
11554 	if (!rdev->wiphy.wowlan)
11555 		return -EOPNOTSUPP;
11556 
11557 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
11558 		/* adjust size to have room for all the data */
11559 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
11560 			rdev->wiphy.wowlan_config->tcp->payload_len +
11561 			rdev->wiphy.wowlan_config->tcp->wake_len +
11562 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
11563 	}
11564 
11565 	msg = nlmsg_new(size, GFP_KERNEL);
11566 	if (!msg)
11567 		return -ENOMEM;
11568 
11569 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
11570 			     NL80211_CMD_GET_WOWLAN);
11571 	if (!hdr)
11572 		goto nla_put_failure;
11573 
11574 	if (rdev->wiphy.wowlan_config) {
11575 		struct nlattr *nl_wowlan;
11576 
11577 		nl_wowlan = nla_nest_start_noflag(msg,
11578 						  NL80211_ATTR_WOWLAN_TRIGGERS);
11579 		if (!nl_wowlan)
11580 			goto nla_put_failure;
11581 
11582 		if ((rdev->wiphy.wowlan_config->any &&
11583 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
11584 		    (rdev->wiphy.wowlan_config->disconnect &&
11585 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
11586 		    (rdev->wiphy.wowlan_config->magic_pkt &&
11587 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
11588 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
11589 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
11590 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
11591 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
11592 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
11593 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
11594 		    (rdev->wiphy.wowlan_config->rfkill_release &&
11595 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
11596 			goto nla_put_failure;
11597 
11598 		if (nl80211_send_wowlan_patterns(msg, rdev))
11599 			goto nla_put_failure;
11600 
11601 		if (nl80211_send_wowlan_tcp(msg,
11602 					    rdev->wiphy.wowlan_config->tcp))
11603 			goto nla_put_failure;
11604 
11605 		if (nl80211_send_wowlan_nd(
11606 			    msg,
11607 			    rdev->wiphy.wowlan_config->nd_config))
11608 			goto nla_put_failure;
11609 
11610 		nla_nest_end(msg, nl_wowlan);
11611 	}
11612 
11613 	genlmsg_end(msg, hdr);
11614 	return genlmsg_reply(msg, info);
11615 
11616 nla_put_failure:
11617 	nlmsg_free(msg);
11618 	return -ENOBUFS;
11619 }
11620 
11621 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
11622 				    struct nlattr *attr,
11623 				    struct cfg80211_wowlan *trig)
11624 {
11625 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
11626 	struct cfg80211_wowlan_tcp *cfg;
11627 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
11628 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
11629 	u32 size;
11630 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
11631 	int err, port;
11632 
11633 	if (!rdev->wiphy.wowlan->tcp)
11634 		return -EINVAL;
11635 
11636 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
11637 					  nl80211_wowlan_tcp_policy, NULL);
11638 	if (err)
11639 		return err;
11640 
11641 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
11642 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
11643 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
11644 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
11645 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
11646 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
11647 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
11648 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
11649 		return -EINVAL;
11650 
11651 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
11652 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
11653 		return -EINVAL;
11654 
11655 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
11656 			rdev->wiphy.wowlan->tcp->data_interval_max ||
11657 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
11658 		return -EINVAL;
11659 
11660 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
11661 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
11662 		return -EINVAL;
11663 
11664 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
11665 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
11666 		return -EINVAL;
11667 
11668 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
11669 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11670 
11671 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
11672 		tokens_size = tokln - sizeof(*tok);
11673 
11674 		if (!tok->len || tokens_size % tok->len)
11675 			return -EINVAL;
11676 		if (!rdev->wiphy.wowlan->tcp->tok)
11677 			return -EINVAL;
11678 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
11679 			return -EINVAL;
11680 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
11681 			return -EINVAL;
11682 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
11683 			return -EINVAL;
11684 		if (tok->offset + tok->len > data_size)
11685 			return -EINVAL;
11686 	}
11687 
11688 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
11689 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
11690 		if (!rdev->wiphy.wowlan->tcp->seq)
11691 			return -EINVAL;
11692 		if (seq->len == 0 || seq->len > 4)
11693 			return -EINVAL;
11694 		if (seq->len + seq->offset > data_size)
11695 			return -EINVAL;
11696 	}
11697 
11698 	size = sizeof(*cfg);
11699 	size += data_size;
11700 	size += wake_size + wake_mask_size;
11701 	size += tokens_size;
11702 
11703 	cfg = kzalloc(size, GFP_KERNEL);
11704 	if (!cfg)
11705 		return -ENOMEM;
11706 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
11707 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
11708 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
11709 	       ETH_ALEN);
11710 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
11711 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
11712 	else
11713 		port = 0;
11714 #ifdef CONFIG_INET
11715 	/* allocate a socket and port for it and use it */
11716 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
11717 			    IPPROTO_TCP, &cfg->sock, 1);
11718 	if (err) {
11719 		kfree(cfg);
11720 		return err;
11721 	}
11722 	if (inet_csk_get_port(cfg->sock->sk, port)) {
11723 		sock_release(cfg->sock);
11724 		kfree(cfg);
11725 		return -EADDRINUSE;
11726 	}
11727 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
11728 #else
11729 	if (!port) {
11730 		kfree(cfg);
11731 		return -EINVAL;
11732 	}
11733 	cfg->src_port = port;
11734 #endif
11735 
11736 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
11737 	cfg->payload_len = data_size;
11738 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
11739 	memcpy((void *)cfg->payload,
11740 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
11741 	       data_size);
11742 	if (seq)
11743 		cfg->payload_seq = *seq;
11744 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
11745 	cfg->wake_len = wake_size;
11746 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
11747 	memcpy((void *)cfg->wake_data,
11748 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
11749 	       wake_size);
11750 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
11751 			 data_size + wake_size;
11752 	memcpy((void *)cfg->wake_mask,
11753 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
11754 	       wake_mask_size);
11755 	if (tok) {
11756 		cfg->tokens_size = tokens_size;
11757 		memcpy(&cfg->payload_tok, tok, sizeof(*tok) + tokens_size);
11758 	}
11759 
11760 	trig->tcp = cfg;
11761 
11762 	return 0;
11763 }
11764 
11765 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
11766 				   const struct wiphy_wowlan_support *wowlan,
11767 				   struct nlattr *attr,
11768 				   struct cfg80211_wowlan *trig)
11769 {
11770 	struct nlattr **tb;
11771 	int err;
11772 
11773 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
11774 	if (!tb)
11775 		return -ENOMEM;
11776 
11777 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
11778 		err = -EOPNOTSUPP;
11779 		goto out;
11780 	}
11781 
11782 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
11783 					  nl80211_policy, NULL);
11784 	if (err)
11785 		goto out;
11786 
11787 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
11788 						   wowlan->max_nd_match_sets);
11789 	err = PTR_ERR_OR_ZERO(trig->nd_config);
11790 	if (err)
11791 		trig->nd_config = NULL;
11792 
11793 out:
11794 	kfree(tb);
11795 	return err;
11796 }
11797 
11798 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
11799 {
11800 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11801 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
11802 	struct cfg80211_wowlan new_triggers = {};
11803 	struct cfg80211_wowlan *ntrig;
11804 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
11805 	int err, i;
11806 	bool prev_enabled = rdev->wiphy.wowlan_config;
11807 	bool regular = false;
11808 
11809 	if (!wowlan)
11810 		return -EOPNOTSUPP;
11811 
11812 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
11813 		cfg80211_rdev_free_wowlan(rdev);
11814 		rdev->wiphy.wowlan_config = NULL;
11815 		goto set_wakeup;
11816 	}
11817 
11818 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
11819 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
11820 					  nl80211_wowlan_policy, info->extack);
11821 	if (err)
11822 		return err;
11823 
11824 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
11825 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
11826 			return -EINVAL;
11827 		new_triggers.any = true;
11828 	}
11829 
11830 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
11831 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
11832 			return -EINVAL;
11833 		new_triggers.disconnect = true;
11834 		regular = true;
11835 	}
11836 
11837 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
11838 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
11839 			return -EINVAL;
11840 		new_triggers.magic_pkt = true;
11841 		regular = true;
11842 	}
11843 
11844 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
11845 		return -EINVAL;
11846 
11847 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
11848 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
11849 			return -EINVAL;
11850 		new_triggers.gtk_rekey_failure = true;
11851 		regular = true;
11852 	}
11853 
11854 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
11855 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
11856 			return -EINVAL;
11857 		new_triggers.eap_identity_req = true;
11858 		regular = true;
11859 	}
11860 
11861 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
11862 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
11863 			return -EINVAL;
11864 		new_triggers.four_way_handshake = true;
11865 		regular = true;
11866 	}
11867 
11868 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
11869 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
11870 			return -EINVAL;
11871 		new_triggers.rfkill_release = true;
11872 		regular = true;
11873 	}
11874 
11875 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
11876 		struct nlattr *pat;
11877 		int n_patterns = 0;
11878 		int rem, pat_len, mask_len, pkt_offset;
11879 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
11880 
11881 		regular = true;
11882 
11883 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11884 				    rem)
11885 			n_patterns++;
11886 		if (n_patterns > wowlan->n_patterns)
11887 			return -EINVAL;
11888 
11889 		new_triggers.patterns = kcalloc(n_patterns,
11890 						sizeof(new_triggers.patterns[0]),
11891 						GFP_KERNEL);
11892 		if (!new_triggers.patterns)
11893 			return -ENOMEM;
11894 
11895 		new_triggers.n_patterns = n_patterns;
11896 		i = 0;
11897 
11898 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
11899 				    rem) {
11900 			u8 *mask_pat;
11901 
11902 			err = nla_parse_nested_deprecated(pat_tb,
11903 							  MAX_NL80211_PKTPAT,
11904 							  pat,
11905 							  nl80211_packet_pattern_policy,
11906 							  info->extack);
11907 			if (err)
11908 				goto error;
11909 
11910 			err = -EINVAL;
11911 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
11912 			    !pat_tb[NL80211_PKTPAT_PATTERN])
11913 				goto error;
11914 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
11915 			mask_len = DIV_ROUND_UP(pat_len, 8);
11916 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
11917 				goto error;
11918 			if (pat_len > wowlan->pattern_max_len ||
11919 			    pat_len < wowlan->pattern_min_len)
11920 				goto error;
11921 
11922 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
11923 				pkt_offset = 0;
11924 			else
11925 				pkt_offset = nla_get_u32(
11926 					pat_tb[NL80211_PKTPAT_OFFSET]);
11927 			if (pkt_offset > wowlan->max_pkt_offset)
11928 				goto error;
11929 			new_triggers.patterns[i].pkt_offset = pkt_offset;
11930 
11931 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
11932 			if (!mask_pat) {
11933 				err = -ENOMEM;
11934 				goto error;
11935 			}
11936 			new_triggers.patterns[i].mask = mask_pat;
11937 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
11938 			       mask_len);
11939 			mask_pat += mask_len;
11940 			new_triggers.patterns[i].pattern = mask_pat;
11941 			new_triggers.patterns[i].pattern_len = pat_len;
11942 			memcpy(mask_pat,
11943 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
11944 			       pat_len);
11945 			i++;
11946 		}
11947 	}
11948 
11949 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
11950 		regular = true;
11951 		err = nl80211_parse_wowlan_tcp(
11952 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
11953 			&new_triggers);
11954 		if (err)
11955 			goto error;
11956 	}
11957 
11958 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
11959 		regular = true;
11960 		err = nl80211_parse_wowlan_nd(
11961 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
11962 			&new_triggers);
11963 		if (err)
11964 			goto error;
11965 	}
11966 
11967 	/* The 'any' trigger means the device continues operating more or less
11968 	 * as in its normal operation mode and wakes up the host on most of the
11969 	 * normal interrupts (like packet RX, ...)
11970 	 * It therefore makes little sense to combine with the more constrained
11971 	 * wakeup trigger modes.
11972 	 */
11973 	if (new_triggers.any && regular) {
11974 		err = -EINVAL;
11975 		goto error;
11976 	}
11977 
11978 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
11979 	if (!ntrig) {
11980 		err = -ENOMEM;
11981 		goto error;
11982 	}
11983 	cfg80211_rdev_free_wowlan(rdev);
11984 	rdev->wiphy.wowlan_config = ntrig;
11985 
11986  set_wakeup:
11987 	if (rdev->ops->set_wakeup &&
11988 	    prev_enabled != !!rdev->wiphy.wowlan_config)
11989 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
11990 
11991 	return 0;
11992  error:
11993 	for (i = 0; i < new_triggers.n_patterns; i++)
11994 		kfree(new_triggers.patterns[i].mask);
11995 	kfree(new_triggers.patterns);
11996 	if (new_triggers.tcp && new_triggers.tcp->sock)
11997 		sock_release(new_triggers.tcp->sock);
11998 	kfree(new_triggers.tcp);
11999 	kfree(new_triggers.nd_config);
12000 	return err;
12001 }
12002 #endif
12003 
12004 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
12005 				       struct cfg80211_registered_device *rdev)
12006 {
12007 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
12008 	int i, j, pat_len;
12009 	struct cfg80211_coalesce_rules *rule;
12010 
12011 	if (!rdev->coalesce->n_rules)
12012 		return 0;
12013 
12014 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
12015 	if (!nl_rules)
12016 		return -ENOBUFS;
12017 
12018 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
12019 		nl_rule = nla_nest_start_noflag(msg, i + 1);
12020 		if (!nl_rule)
12021 			return -ENOBUFS;
12022 
12023 		rule = &rdev->coalesce->rules[i];
12024 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
12025 				rule->delay))
12026 			return -ENOBUFS;
12027 
12028 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
12029 				rule->condition))
12030 			return -ENOBUFS;
12031 
12032 		nl_pats = nla_nest_start_noflag(msg,
12033 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
12034 		if (!nl_pats)
12035 			return -ENOBUFS;
12036 
12037 		for (j = 0; j < rule->n_patterns; j++) {
12038 			nl_pat = nla_nest_start_noflag(msg, j + 1);
12039 			if (!nl_pat)
12040 				return -ENOBUFS;
12041 			pat_len = rule->patterns[j].pattern_len;
12042 			if (nla_put(msg, NL80211_PKTPAT_MASK,
12043 				    DIV_ROUND_UP(pat_len, 8),
12044 				    rule->patterns[j].mask) ||
12045 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
12046 				    rule->patterns[j].pattern) ||
12047 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
12048 					rule->patterns[j].pkt_offset))
12049 				return -ENOBUFS;
12050 			nla_nest_end(msg, nl_pat);
12051 		}
12052 		nla_nest_end(msg, nl_pats);
12053 		nla_nest_end(msg, nl_rule);
12054 	}
12055 	nla_nest_end(msg, nl_rules);
12056 
12057 	return 0;
12058 }
12059 
12060 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
12061 {
12062 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12063 	struct sk_buff *msg;
12064 	void *hdr;
12065 
12066 	if (!rdev->wiphy.coalesce)
12067 		return -EOPNOTSUPP;
12068 
12069 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12070 	if (!msg)
12071 		return -ENOMEM;
12072 
12073 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12074 			     NL80211_CMD_GET_COALESCE);
12075 	if (!hdr)
12076 		goto nla_put_failure;
12077 
12078 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
12079 		goto nla_put_failure;
12080 
12081 	genlmsg_end(msg, hdr);
12082 	return genlmsg_reply(msg, info);
12083 
12084 nla_put_failure:
12085 	nlmsg_free(msg);
12086 	return -ENOBUFS;
12087 }
12088 
12089 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
12090 {
12091 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
12092 	int i, j;
12093 	struct cfg80211_coalesce_rules *rule;
12094 
12095 	if (!coalesce)
12096 		return;
12097 
12098 	for (i = 0; i < coalesce->n_rules; i++) {
12099 		rule = &coalesce->rules[i];
12100 		for (j = 0; j < rule->n_patterns; j++)
12101 			kfree(rule->patterns[j].mask);
12102 		kfree(rule->patterns);
12103 	}
12104 	kfree(coalesce->rules);
12105 	kfree(coalesce);
12106 	rdev->coalesce = NULL;
12107 }
12108 
12109 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
12110 				       struct nlattr *rule,
12111 				       struct cfg80211_coalesce_rules *new_rule)
12112 {
12113 	int err, i;
12114 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12115 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
12116 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
12117 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
12118 
12119 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
12120 					  rule, nl80211_coalesce_policy, NULL);
12121 	if (err)
12122 		return err;
12123 
12124 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
12125 		new_rule->delay =
12126 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
12127 	if (new_rule->delay > coalesce->max_delay)
12128 		return -EINVAL;
12129 
12130 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
12131 		new_rule->condition =
12132 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
12133 
12134 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
12135 		return -EINVAL;
12136 
12137 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12138 			    rem)
12139 		n_patterns++;
12140 	if (n_patterns > coalesce->n_patterns)
12141 		return -EINVAL;
12142 
12143 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
12144 				     GFP_KERNEL);
12145 	if (!new_rule->patterns)
12146 		return -ENOMEM;
12147 
12148 	new_rule->n_patterns = n_patterns;
12149 	i = 0;
12150 
12151 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
12152 			    rem) {
12153 		u8 *mask_pat;
12154 
12155 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
12156 						  pat,
12157 						  nl80211_packet_pattern_policy,
12158 						  NULL);
12159 		if (err)
12160 			return err;
12161 
12162 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
12163 		    !pat_tb[NL80211_PKTPAT_PATTERN])
12164 			return -EINVAL;
12165 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
12166 		mask_len = DIV_ROUND_UP(pat_len, 8);
12167 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
12168 			return -EINVAL;
12169 		if (pat_len > coalesce->pattern_max_len ||
12170 		    pat_len < coalesce->pattern_min_len)
12171 			return -EINVAL;
12172 
12173 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
12174 			pkt_offset = 0;
12175 		else
12176 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
12177 		if (pkt_offset > coalesce->max_pkt_offset)
12178 			return -EINVAL;
12179 		new_rule->patterns[i].pkt_offset = pkt_offset;
12180 
12181 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
12182 		if (!mask_pat)
12183 			return -ENOMEM;
12184 
12185 		new_rule->patterns[i].mask = mask_pat;
12186 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
12187 		       mask_len);
12188 
12189 		mask_pat += mask_len;
12190 		new_rule->patterns[i].pattern = mask_pat;
12191 		new_rule->patterns[i].pattern_len = pat_len;
12192 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
12193 		       pat_len);
12194 		i++;
12195 	}
12196 
12197 	return 0;
12198 }
12199 
12200 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
12201 {
12202 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12203 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
12204 	struct cfg80211_coalesce new_coalesce = {};
12205 	struct cfg80211_coalesce *n_coalesce;
12206 	int err, rem_rule, n_rules = 0, i, j;
12207 	struct nlattr *rule;
12208 	struct cfg80211_coalesce_rules *tmp_rule;
12209 
12210 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
12211 		return -EOPNOTSUPP;
12212 
12213 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
12214 		cfg80211_rdev_free_coalesce(rdev);
12215 		rdev_set_coalesce(rdev, NULL);
12216 		return 0;
12217 	}
12218 
12219 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12220 			    rem_rule)
12221 		n_rules++;
12222 	if (n_rules > coalesce->n_rules)
12223 		return -EINVAL;
12224 
12225 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
12226 				     GFP_KERNEL);
12227 	if (!new_coalesce.rules)
12228 		return -ENOMEM;
12229 
12230 	new_coalesce.n_rules = n_rules;
12231 	i = 0;
12232 
12233 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
12234 			    rem_rule) {
12235 		err = nl80211_parse_coalesce_rule(rdev, rule,
12236 						  &new_coalesce.rules[i]);
12237 		if (err)
12238 			goto error;
12239 
12240 		i++;
12241 	}
12242 
12243 	err = rdev_set_coalesce(rdev, &new_coalesce);
12244 	if (err)
12245 		goto error;
12246 
12247 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
12248 	if (!n_coalesce) {
12249 		err = -ENOMEM;
12250 		goto error;
12251 	}
12252 	cfg80211_rdev_free_coalesce(rdev);
12253 	rdev->coalesce = n_coalesce;
12254 
12255 	return 0;
12256 error:
12257 	for (i = 0; i < new_coalesce.n_rules; i++) {
12258 		tmp_rule = &new_coalesce.rules[i];
12259 		for (j = 0; j < tmp_rule->n_patterns; j++)
12260 			kfree(tmp_rule->patterns[j].mask);
12261 		kfree(tmp_rule->patterns);
12262 	}
12263 	kfree(new_coalesce.rules);
12264 
12265 	return err;
12266 }
12267 
12268 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
12269 {
12270 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12271 	struct net_device *dev = info->user_ptr[1];
12272 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12273 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
12274 	struct cfg80211_gtk_rekey_data rekey_data;
12275 	int err;
12276 
12277 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
12278 		return -EINVAL;
12279 
12280 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
12281 					  info->attrs[NL80211_ATTR_REKEY_DATA],
12282 					  nl80211_rekey_policy, info->extack);
12283 	if (err)
12284 		return err;
12285 
12286 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
12287 	    !tb[NL80211_REKEY_DATA_KCK])
12288 		return -EINVAL;
12289 	if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
12290 		return -ERANGE;
12291 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
12292 		return -ERANGE;
12293 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN)
12294 		return -ERANGE;
12295 
12296 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
12297 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
12298 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
12299 
12300 	wdev_lock(wdev);
12301 	if (!wdev->current_bss) {
12302 		err = -ENOTCONN;
12303 		goto out;
12304 	}
12305 
12306 	if (!rdev->ops->set_rekey_data) {
12307 		err = -EOPNOTSUPP;
12308 		goto out;
12309 	}
12310 
12311 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
12312  out:
12313 	wdev_unlock(wdev);
12314 	return err;
12315 }
12316 
12317 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
12318 					     struct genl_info *info)
12319 {
12320 	struct net_device *dev = info->user_ptr[1];
12321 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12322 
12323 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12324 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12325 		return -EINVAL;
12326 
12327 	if (wdev->ap_unexpected_nlportid)
12328 		return -EBUSY;
12329 
12330 	wdev->ap_unexpected_nlportid = info->snd_portid;
12331 	return 0;
12332 }
12333 
12334 static int nl80211_probe_client(struct sk_buff *skb,
12335 				struct genl_info *info)
12336 {
12337 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12338 	struct net_device *dev = info->user_ptr[1];
12339 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12340 	struct sk_buff *msg;
12341 	void *hdr;
12342 	const u8 *addr;
12343 	u64 cookie;
12344 	int err;
12345 
12346 	if (wdev->iftype != NL80211_IFTYPE_AP &&
12347 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
12348 		return -EOPNOTSUPP;
12349 
12350 	if (!info->attrs[NL80211_ATTR_MAC])
12351 		return -EINVAL;
12352 
12353 	if (!rdev->ops->probe_client)
12354 		return -EOPNOTSUPP;
12355 
12356 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12357 	if (!msg)
12358 		return -ENOMEM;
12359 
12360 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12361 			     NL80211_CMD_PROBE_CLIENT);
12362 	if (!hdr) {
12363 		err = -ENOBUFS;
12364 		goto free_msg;
12365 	}
12366 
12367 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
12368 
12369 	err = rdev_probe_client(rdev, dev, addr, &cookie);
12370 	if (err)
12371 		goto free_msg;
12372 
12373 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12374 			      NL80211_ATTR_PAD))
12375 		goto nla_put_failure;
12376 
12377 	genlmsg_end(msg, hdr);
12378 
12379 	return genlmsg_reply(msg, info);
12380 
12381  nla_put_failure:
12382 	err = -ENOBUFS;
12383  free_msg:
12384 	nlmsg_free(msg);
12385 	return err;
12386 }
12387 
12388 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
12389 {
12390 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12391 	struct cfg80211_beacon_registration *reg, *nreg;
12392 	int rv;
12393 
12394 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
12395 		return -EOPNOTSUPP;
12396 
12397 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
12398 	if (!nreg)
12399 		return -ENOMEM;
12400 
12401 	/* First, check if already registered. */
12402 	spin_lock_bh(&rdev->beacon_registrations_lock);
12403 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
12404 		if (reg->nlportid == info->snd_portid) {
12405 			rv = -EALREADY;
12406 			goto out_err;
12407 		}
12408 	}
12409 	/* Add it to the list */
12410 	nreg->nlportid = info->snd_portid;
12411 	list_add(&nreg->list, &rdev->beacon_registrations);
12412 
12413 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12414 
12415 	return 0;
12416 out_err:
12417 	spin_unlock_bh(&rdev->beacon_registrations_lock);
12418 	kfree(nreg);
12419 	return rv;
12420 }
12421 
12422 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
12423 {
12424 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12425 	struct wireless_dev *wdev = info->user_ptr[1];
12426 	int err;
12427 
12428 	if (!rdev->ops->start_p2p_device)
12429 		return -EOPNOTSUPP;
12430 
12431 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12432 		return -EOPNOTSUPP;
12433 
12434 	if (wdev_running(wdev))
12435 		return 0;
12436 
12437 	if (rfkill_blocked(rdev->rfkill))
12438 		return -ERFKILL;
12439 
12440 	err = rdev_start_p2p_device(rdev, wdev);
12441 	if (err)
12442 		return err;
12443 
12444 	wdev->is_running = true;
12445 	rdev->opencount++;
12446 
12447 	return 0;
12448 }
12449 
12450 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
12451 {
12452 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12453 	struct wireless_dev *wdev = info->user_ptr[1];
12454 
12455 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
12456 		return -EOPNOTSUPP;
12457 
12458 	if (!rdev->ops->stop_p2p_device)
12459 		return -EOPNOTSUPP;
12460 
12461 	cfg80211_stop_p2p_device(rdev, wdev);
12462 
12463 	return 0;
12464 }
12465 
12466 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
12467 {
12468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12469 	struct wireless_dev *wdev = info->user_ptr[1];
12470 	struct cfg80211_nan_conf conf = {};
12471 	int err;
12472 
12473 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12474 		return -EOPNOTSUPP;
12475 
12476 	if (wdev_running(wdev))
12477 		return -EEXIST;
12478 
12479 	if (rfkill_blocked(rdev->rfkill))
12480 		return -ERFKILL;
12481 
12482 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
12483 		return -EINVAL;
12484 
12485 	conf.master_pref =
12486 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12487 
12488 	if (info->attrs[NL80211_ATTR_BANDS]) {
12489 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12490 
12491 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12492 			return -EOPNOTSUPP;
12493 
12494 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12495 			return -EINVAL;
12496 
12497 		conf.bands = bands;
12498 	}
12499 
12500 	err = rdev_start_nan(rdev, wdev, &conf);
12501 	if (err)
12502 		return err;
12503 
12504 	wdev->is_running = true;
12505 	rdev->opencount++;
12506 
12507 	return 0;
12508 }
12509 
12510 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
12511 {
12512 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12513 	struct wireless_dev *wdev = info->user_ptr[1];
12514 
12515 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12516 		return -EOPNOTSUPP;
12517 
12518 	cfg80211_stop_nan(rdev, wdev);
12519 
12520 	return 0;
12521 }
12522 
12523 static int validate_nan_filter(struct nlattr *filter_attr)
12524 {
12525 	struct nlattr *attr;
12526 	int len = 0, n_entries = 0, rem;
12527 
12528 	nla_for_each_nested(attr, filter_attr, rem) {
12529 		len += nla_len(attr);
12530 		n_entries++;
12531 	}
12532 
12533 	if (len >= U8_MAX)
12534 		return -EINVAL;
12535 
12536 	return n_entries;
12537 }
12538 
12539 static int handle_nan_filter(struct nlattr *attr_filter,
12540 			     struct cfg80211_nan_func *func,
12541 			     bool tx)
12542 {
12543 	struct nlattr *attr;
12544 	int n_entries, rem, i;
12545 	struct cfg80211_nan_func_filter *filter;
12546 
12547 	n_entries = validate_nan_filter(attr_filter);
12548 	if (n_entries < 0)
12549 		return n_entries;
12550 
12551 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
12552 
12553 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
12554 	if (!filter)
12555 		return -ENOMEM;
12556 
12557 	i = 0;
12558 	nla_for_each_nested(attr, attr_filter, rem) {
12559 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
12560 		filter[i].len = nla_len(attr);
12561 		i++;
12562 	}
12563 	if (tx) {
12564 		func->num_tx_filters = n_entries;
12565 		func->tx_filters = filter;
12566 	} else {
12567 		func->num_rx_filters = n_entries;
12568 		func->rx_filters = filter;
12569 	}
12570 
12571 	return 0;
12572 }
12573 
12574 static int nl80211_nan_add_func(struct sk_buff *skb,
12575 				struct genl_info *info)
12576 {
12577 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12578 	struct wireless_dev *wdev = info->user_ptr[1];
12579 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
12580 	struct cfg80211_nan_func *func;
12581 	struct sk_buff *msg = NULL;
12582 	void *hdr = NULL;
12583 	int err = 0;
12584 
12585 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12586 		return -EOPNOTSUPP;
12587 
12588 	if (!wdev_running(wdev))
12589 		return -ENOTCONN;
12590 
12591 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
12592 		return -EINVAL;
12593 
12594 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
12595 					  info->attrs[NL80211_ATTR_NAN_FUNC],
12596 					  nl80211_nan_func_policy,
12597 					  info->extack);
12598 	if (err)
12599 		return err;
12600 
12601 	func = kzalloc(sizeof(*func), GFP_KERNEL);
12602 	if (!func)
12603 		return -ENOMEM;
12604 
12605 	func->cookie = cfg80211_assign_cookie(rdev);
12606 
12607 	if (!tb[NL80211_NAN_FUNC_TYPE] ||
12608 	    nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]) > NL80211_NAN_FUNC_MAX_TYPE) {
12609 		err = -EINVAL;
12610 		goto out;
12611 	}
12612 
12613 
12614 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
12615 
12616 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
12617 		err = -EINVAL;
12618 		goto out;
12619 	}
12620 
12621 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
12622 	       sizeof(func->service_id));
12623 
12624 	func->close_range =
12625 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
12626 
12627 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
12628 		func->serv_spec_info_len =
12629 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
12630 		func->serv_spec_info =
12631 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
12632 				func->serv_spec_info_len,
12633 				GFP_KERNEL);
12634 		if (!func->serv_spec_info) {
12635 			err = -ENOMEM;
12636 			goto out;
12637 		}
12638 	}
12639 
12640 	if (tb[NL80211_NAN_FUNC_TTL])
12641 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
12642 
12643 	switch (func->type) {
12644 	case NL80211_NAN_FUNC_PUBLISH:
12645 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
12646 			err = -EINVAL;
12647 			goto out;
12648 		}
12649 
12650 		func->publish_type =
12651 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
12652 		func->publish_bcast =
12653 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
12654 
12655 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
12656 			func->publish_bcast) {
12657 			err = -EINVAL;
12658 			goto out;
12659 		}
12660 		break;
12661 	case NL80211_NAN_FUNC_SUBSCRIBE:
12662 		func->subscribe_active =
12663 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
12664 		break;
12665 	case NL80211_NAN_FUNC_FOLLOW_UP:
12666 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
12667 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
12668 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
12669 			err = -EINVAL;
12670 			goto out;
12671 		}
12672 
12673 		func->followup_id =
12674 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
12675 		func->followup_reqid =
12676 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
12677 		memcpy(func->followup_dest.addr,
12678 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
12679 		       sizeof(func->followup_dest.addr));
12680 		if (func->ttl) {
12681 			err = -EINVAL;
12682 			goto out;
12683 		}
12684 		break;
12685 	default:
12686 		err = -EINVAL;
12687 		goto out;
12688 	}
12689 
12690 	if (tb[NL80211_NAN_FUNC_SRF]) {
12691 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
12692 
12693 		err = nla_parse_nested_deprecated(srf_tb,
12694 						  NL80211_NAN_SRF_ATTR_MAX,
12695 						  tb[NL80211_NAN_FUNC_SRF],
12696 						  nl80211_nan_srf_policy,
12697 						  info->extack);
12698 		if (err)
12699 			goto out;
12700 
12701 		func->srf_include =
12702 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
12703 
12704 		if (srf_tb[NL80211_NAN_SRF_BF]) {
12705 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
12706 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
12707 				err = -EINVAL;
12708 				goto out;
12709 			}
12710 
12711 			func->srf_bf_len =
12712 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
12713 			func->srf_bf =
12714 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
12715 					func->srf_bf_len, GFP_KERNEL);
12716 			if (!func->srf_bf) {
12717 				err = -ENOMEM;
12718 				goto out;
12719 			}
12720 
12721 			func->srf_bf_idx =
12722 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
12723 		} else {
12724 			struct nlattr *attr, *mac_attr =
12725 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
12726 			int n_entries, rem, i = 0;
12727 
12728 			if (!mac_attr) {
12729 				err = -EINVAL;
12730 				goto out;
12731 			}
12732 
12733 			n_entries = validate_acl_mac_addrs(mac_attr);
12734 			if (n_entries <= 0) {
12735 				err = -EINVAL;
12736 				goto out;
12737 			}
12738 
12739 			func->srf_num_macs = n_entries;
12740 			func->srf_macs =
12741 				kcalloc(n_entries, sizeof(*func->srf_macs),
12742 					GFP_KERNEL);
12743 			if (!func->srf_macs) {
12744 				err = -ENOMEM;
12745 				goto out;
12746 			}
12747 
12748 			nla_for_each_nested(attr, mac_attr, rem)
12749 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
12750 				       sizeof(*func->srf_macs));
12751 		}
12752 	}
12753 
12754 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
12755 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
12756 					func, true);
12757 		if (err)
12758 			goto out;
12759 	}
12760 
12761 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
12762 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
12763 					func, false);
12764 		if (err)
12765 			goto out;
12766 	}
12767 
12768 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12769 	if (!msg) {
12770 		err = -ENOMEM;
12771 		goto out;
12772 	}
12773 
12774 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12775 			     NL80211_CMD_ADD_NAN_FUNCTION);
12776 	/* This can't really happen - we just allocated 4KB */
12777 	if (WARN_ON(!hdr)) {
12778 		err = -ENOMEM;
12779 		goto out;
12780 	}
12781 
12782 	err = rdev_add_nan_func(rdev, wdev, func);
12783 out:
12784 	if (err < 0) {
12785 		cfg80211_free_nan_func(func);
12786 		nlmsg_free(msg);
12787 		return err;
12788 	}
12789 
12790 	/* propagate the instance id and cookie to userspace  */
12791 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
12792 			      NL80211_ATTR_PAD))
12793 		goto nla_put_failure;
12794 
12795 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12796 	if (!func_attr)
12797 		goto nla_put_failure;
12798 
12799 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
12800 		       func->instance_id))
12801 		goto nla_put_failure;
12802 
12803 	nla_nest_end(msg, func_attr);
12804 
12805 	genlmsg_end(msg, hdr);
12806 	return genlmsg_reply(msg, info);
12807 
12808 nla_put_failure:
12809 	nlmsg_free(msg);
12810 	return -ENOBUFS;
12811 }
12812 
12813 static int nl80211_nan_del_func(struct sk_buff *skb,
12814 			       struct genl_info *info)
12815 {
12816 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12817 	struct wireless_dev *wdev = info->user_ptr[1];
12818 	u64 cookie;
12819 
12820 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12821 		return -EOPNOTSUPP;
12822 
12823 	if (!wdev_running(wdev))
12824 		return -ENOTCONN;
12825 
12826 	if (!info->attrs[NL80211_ATTR_COOKIE])
12827 		return -EINVAL;
12828 
12829 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12830 
12831 	rdev_del_nan_func(rdev, wdev, cookie);
12832 
12833 	return 0;
12834 }
12835 
12836 static int nl80211_nan_change_config(struct sk_buff *skb,
12837 				     struct genl_info *info)
12838 {
12839 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12840 	struct wireless_dev *wdev = info->user_ptr[1];
12841 	struct cfg80211_nan_conf conf = {};
12842 	u32 changed = 0;
12843 
12844 	if (wdev->iftype != NL80211_IFTYPE_NAN)
12845 		return -EOPNOTSUPP;
12846 
12847 	if (!wdev_running(wdev))
12848 		return -ENOTCONN;
12849 
12850 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
12851 		conf.master_pref =
12852 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
12853 		if (conf.master_pref <= 1 || conf.master_pref == 255)
12854 			return -EINVAL;
12855 
12856 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
12857 	}
12858 
12859 	if (info->attrs[NL80211_ATTR_BANDS]) {
12860 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
12861 
12862 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
12863 			return -EOPNOTSUPP;
12864 
12865 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
12866 			return -EINVAL;
12867 
12868 		conf.bands = bands;
12869 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
12870 	}
12871 
12872 	if (!changed)
12873 		return -EINVAL;
12874 
12875 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
12876 }
12877 
12878 void cfg80211_nan_match(struct wireless_dev *wdev,
12879 			struct cfg80211_nan_match_params *match, gfp_t gfp)
12880 {
12881 	struct wiphy *wiphy = wdev->wiphy;
12882 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12883 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
12884 	struct sk_buff *msg;
12885 	void *hdr;
12886 
12887 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
12888 		return;
12889 
12890 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12891 	if (!msg)
12892 		return;
12893 
12894 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
12895 	if (!hdr) {
12896 		nlmsg_free(msg);
12897 		return;
12898 	}
12899 
12900 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12901 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12902 					 wdev->netdev->ifindex)) ||
12903 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12904 			      NL80211_ATTR_PAD))
12905 		goto nla_put_failure;
12906 
12907 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
12908 			      NL80211_ATTR_PAD) ||
12909 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
12910 		goto nla_put_failure;
12911 
12912 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
12913 	if (!match_attr)
12914 		goto nla_put_failure;
12915 
12916 	local_func_attr = nla_nest_start_noflag(msg,
12917 						NL80211_NAN_MATCH_FUNC_LOCAL);
12918 	if (!local_func_attr)
12919 		goto nla_put_failure;
12920 
12921 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
12922 		goto nla_put_failure;
12923 
12924 	nla_nest_end(msg, local_func_attr);
12925 
12926 	peer_func_attr = nla_nest_start_noflag(msg,
12927 					       NL80211_NAN_MATCH_FUNC_PEER);
12928 	if (!peer_func_attr)
12929 		goto nla_put_failure;
12930 
12931 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
12932 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
12933 		goto nla_put_failure;
12934 
12935 	if (match->info && match->info_len &&
12936 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
12937 		    match->info))
12938 		goto nla_put_failure;
12939 
12940 	nla_nest_end(msg, peer_func_attr);
12941 	nla_nest_end(msg, match_attr);
12942 	genlmsg_end(msg, hdr);
12943 
12944 	if (!wdev->owner_nlportid)
12945 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
12946 					msg, 0, NL80211_MCGRP_NAN, gfp);
12947 	else
12948 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
12949 				wdev->owner_nlportid);
12950 
12951 	return;
12952 
12953 nla_put_failure:
12954 	nlmsg_free(msg);
12955 }
12956 EXPORT_SYMBOL(cfg80211_nan_match);
12957 
12958 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
12959 				  u8 inst_id,
12960 				  enum nl80211_nan_func_term_reason reason,
12961 				  u64 cookie, gfp_t gfp)
12962 {
12963 	struct wiphy *wiphy = wdev->wiphy;
12964 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
12965 	struct sk_buff *msg;
12966 	struct nlattr *func_attr;
12967 	void *hdr;
12968 
12969 	if (WARN_ON(!inst_id))
12970 		return;
12971 
12972 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
12973 	if (!msg)
12974 		return;
12975 
12976 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
12977 	if (!hdr) {
12978 		nlmsg_free(msg);
12979 		return;
12980 	}
12981 
12982 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
12983 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
12984 					 wdev->netdev->ifindex)) ||
12985 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
12986 			      NL80211_ATTR_PAD))
12987 		goto nla_put_failure;
12988 
12989 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12990 			      NL80211_ATTR_PAD))
12991 		goto nla_put_failure;
12992 
12993 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
12994 	if (!func_attr)
12995 		goto nla_put_failure;
12996 
12997 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
12998 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
12999 		goto nla_put_failure;
13000 
13001 	nla_nest_end(msg, func_attr);
13002 	genlmsg_end(msg, hdr);
13003 
13004 	if (!wdev->owner_nlportid)
13005 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
13006 					msg, 0, NL80211_MCGRP_NAN, gfp);
13007 	else
13008 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
13009 				wdev->owner_nlportid);
13010 
13011 	return;
13012 
13013 nla_put_failure:
13014 	nlmsg_free(msg);
13015 }
13016 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
13017 
13018 static int nl80211_get_protocol_features(struct sk_buff *skb,
13019 					 struct genl_info *info)
13020 {
13021 	void *hdr;
13022 	struct sk_buff *msg;
13023 
13024 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13025 	if (!msg)
13026 		return -ENOMEM;
13027 
13028 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13029 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
13030 	if (!hdr)
13031 		goto nla_put_failure;
13032 
13033 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
13034 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
13035 		goto nla_put_failure;
13036 
13037 	genlmsg_end(msg, hdr);
13038 	return genlmsg_reply(msg, info);
13039 
13040  nla_put_failure:
13041 	kfree_skb(msg);
13042 	return -ENOBUFS;
13043 }
13044 
13045 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
13046 {
13047 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13048 	struct cfg80211_update_ft_ies_params ft_params;
13049 	struct net_device *dev = info->user_ptr[1];
13050 
13051 	if (!rdev->ops->update_ft_ies)
13052 		return -EOPNOTSUPP;
13053 
13054 	if (!info->attrs[NL80211_ATTR_MDID] ||
13055 	    !info->attrs[NL80211_ATTR_IE])
13056 		return -EINVAL;
13057 
13058 	memset(&ft_params, 0, sizeof(ft_params));
13059 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
13060 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13061 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13062 
13063 	return rdev_update_ft_ies(rdev, dev, &ft_params);
13064 }
13065 
13066 static int nl80211_crit_protocol_start(struct sk_buff *skb,
13067 				       struct genl_info *info)
13068 {
13069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13070 	struct wireless_dev *wdev = info->user_ptr[1];
13071 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
13072 	u16 duration;
13073 	int ret;
13074 
13075 	if (!rdev->ops->crit_proto_start)
13076 		return -EOPNOTSUPP;
13077 
13078 	if (WARN_ON(!rdev->ops->crit_proto_stop))
13079 		return -EINVAL;
13080 
13081 	if (rdev->crit_proto_nlportid)
13082 		return -EBUSY;
13083 
13084 	/* determine protocol if provided */
13085 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
13086 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
13087 
13088 	if (proto >= NUM_NL80211_CRIT_PROTO)
13089 		return -EINVAL;
13090 
13091 	/* timeout must be provided */
13092 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
13093 		return -EINVAL;
13094 
13095 	duration =
13096 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
13097 
13098 	if (duration > NL80211_CRIT_PROTO_MAX_DURATION)
13099 		return -ERANGE;
13100 
13101 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
13102 	if (!ret)
13103 		rdev->crit_proto_nlportid = info->snd_portid;
13104 
13105 	return ret;
13106 }
13107 
13108 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
13109 				      struct genl_info *info)
13110 {
13111 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13112 	struct wireless_dev *wdev = info->user_ptr[1];
13113 
13114 	if (!rdev->ops->crit_proto_stop)
13115 		return -EOPNOTSUPP;
13116 
13117 	if (rdev->crit_proto_nlportid) {
13118 		rdev->crit_proto_nlportid = 0;
13119 		rdev_crit_proto_stop(rdev, wdev);
13120 	}
13121 	return 0;
13122 }
13123 
13124 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
13125 				       struct nlattr *attr,
13126 				       struct netlink_ext_ack *extack)
13127 {
13128 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
13129 		if (attr->nla_type & NLA_F_NESTED) {
13130 			NL_SET_ERR_MSG_ATTR(extack, attr,
13131 					    "unexpected nested data");
13132 			return -EINVAL;
13133 		}
13134 
13135 		return 0;
13136 	}
13137 
13138 	if (!(attr->nla_type & NLA_F_NESTED)) {
13139 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
13140 		return -EINVAL;
13141 	}
13142 
13143 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
13144 }
13145 
13146 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
13147 {
13148 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13149 	struct wireless_dev *wdev =
13150 		__cfg80211_wdev_from_attrs(genl_info_net(info), info->attrs);
13151 	int i, err;
13152 	u32 vid, subcmd;
13153 
13154 	if (!rdev->wiphy.vendor_commands)
13155 		return -EOPNOTSUPP;
13156 
13157 	if (IS_ERR(wdev)) {
13158 		err = PTR_ERR(wdev);
13159 		if (err != -EINVAL)
13160 			return err;
13161 		wdev = NULL;
13162 	} else if (wdev->wiphy != &rdev->wiphy) {
13163 		return -EINVAL;
13164 	}
13165 
13166 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
13167 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
13168 		return -EINVAL;
13169 
13170 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
13171 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
13172 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
13173 		const struct wiphy_vendor_command *vcmd;
13174 		void *data = NULL;
13175 		int len = 0;
13176 
13177 		vcmd = &rdev->wiphy.vendor_commands[i];
13178 
13179 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13180 			continue;
13181 
13182 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13183 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13184 			if (!wdev)
13185 				return -EINVAL;
13186 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13187 			    !wdev->netdev)
13188 				return -EINVAL;
13189 
13190 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13191 				if (!wdev_running(wdev))
13192 					return -ENETDOWN;
13193 			}
13194 
13195 			if (!vcmd->doit)
13196 				return -EOPNOTSUPP;
13197 		} else {
13198 			wdev = NULL;
13199 		}
13200 
13201 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
13202 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13203 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
13204 
13205 			err = nl80211_vendor_check_policy(vcmd,
13206 					info->attrs[NL80211_ATTR_VENDOR_DATA],
13207 					info->extack);
13208 			if (err)
13209 				return err;
13210 		}
13211 
13212 		rdev->cur_cmd_info = info;
13213 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
13214 		rdev->cur_cmd_info = NULL;
13215 		return err;
13216 	}
13217 
13218 	return -EOPNOTSUPP;
13219 }
13220 
13221 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
13222 				       struct netlink_callback *cb,
13223 				       struct cfg80211_registered_device **rdev,
13224 				       struct wireless_dev **wdev)
13225 {
13226 	struct nlattr **attrbuf;
13227 	u32 vid, subcmd;
13228 	unsigned int i;
13229 	int vcmd_idx = -1;
13230 	int err;
13231 	void *data = NULL;
13232 	unsigned int data_len = 0;
13233 
13234 	if (cb->args[0]) {
13235 		/* subtract the 1 again here */
13236 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
13237 		struct wireless_dev *tmp;
13238 
13239 		if (!wiphy)
13240 			return -ENODEV;
13241 		*rdev = wiphy_to_rdev(wiphy);
13242 		*wdev = NULL;
13243 
13244 		if (cb->args[1]) {
13245 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
13246 				if (tmp->identifier == cb->args[1] - 1) {
13247 					*wdev = tmp;
13248 					break;
13249 				}
13250 			}
13251 		}
13252 
13253 		/* keep rtnl locked in successful case */
13254 		return 0;
13255 	}
13256 
13257 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
13258 	if (!attrbuf)
13259 		return -ENOMEM;
13260 
13261 	err = nlmsg_parse_deprecated(cb->nlh,
13262 				     GENL_HDRLEN + nl80211_fam.hdrsize,
13263 				     attrbuf, nl80211_fam.maxattr,
13264 				     nl80211_policy, NULL);
13265 	if (err)
13266 		goto out;
13267 
13268 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
13269 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
13270 		err = -EINVAL;
13271 		goto out;
13272 	}
13273 
13274 	*wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
13275 	if (IS_ERR(*wdev))
13276 		*wdev = NULL;
13277 
13278 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
13279 	if (IS_ERR(*rdev)) {
13280 		err = PTR_ERR(*rdev);
13281 		goto out;
13282 	}
13283 
13284 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
13285 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
13286 
13287 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
13288 		const struct wiphy_vendor_command *vcmd;
13289 
13290 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
13291 
13292 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
13293 			continue;
13294 
13295 		if (!vcmd->dumpit) {
13296 			err = -EOPNOTSUPP;
13297 			goto out;
13298 		}
13299 
13300 		vcmd_idx = i;
13301 		break;
13302 	}
13303 
13304 	if (vcmd_idx < 0) {
13305 		err = -EOPNOTSUPP;
13306 		goto out;
13307 	}
13308 
13309 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
13310 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13311 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
13312 
13313 		err = nl80211_vendor_check_policy(
13314 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
13315 				attrbuf[NL80211_ATTR_VENDOR_DATA],
13316 				cb->extack);
13317 		if (err)
13318 			goto out;
13319 	}
13320 
13321 	/* 0 is the first index - add 1 to parse only once */
13322 	cb->args[0] = (*rdev)->wiphy_idx + 1;
13323 	/* add 1 to know if it was NULL */
13324 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
13325 	cb->args[2] = vcmd_idx;
13326 	cb->args[3] = (unsigned long)data;
13327 	cb->args[4] = data_len;
13328 
13329 	/* keep rtnl locked in successful case */
13330 	err = 0;
13331 out:
13332 	kfree(attrbuf);
13333 	return err;
13334 }
13335 
13336 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
13337 				   struct netlink_callback *cb)
13338 {
13339 	struct cfg80211_registered_device *rdev;
13340 	struct wireless_dev *wdev;
13341 	unsigned int vcmd_idx;
13342 	const struct wiphy_vendor_command *vcmd;
13343 	void *data;
13344 	int data_len;
13345 	int err;
13346 	struct nlattr *vendor_data;
13347 
13348 	rtnl_lock();
13349 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
13350 	if (err)
13351 		goto out;
13352 
13353 	vcmd_idx = cb->args[2];
13354 	data = (void *)cb->args[3];
13355 	data_len = cb->args[4];
13356 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
13357 
13358 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
13359 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
13360 		if (!wdev) {
13361 			err = -EINVAL;
13362 			goto out;
13363 		}
13364 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
13365 		    !wdev->netdev) {
13366 			err = -EINVAL;
13367 			goto out;
13368 		}
13369 
13370 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
13371 			if (!wdev_running(wdev)) {
13372 				err = -ENETDOWN;
13373 				goto out;
13374 			}
13375 		}
13376 	}
13377 
13378 	while (1) {
13379 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
13380 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
13381 					   NL80211_CMD_VENDOR);
13382 		if (!hdr)
13383 			break;
13384 
13385 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
13386 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
13387 					       wdev_id(wdev),
13388 					       NL80211_ATTR_PAD))) {
13389 			genlmsg_cancel(skb, hdr);
13390 			break;
13391 		}
13392 
13393 		vendor_data = nla_nest_start_noflag(skb,
13394 						    NL80211_ATTR_VENDOR_DATA);
13395 		if (!vendor_data) {
13396 			genlmsg_cancel(skb, hdr);
13397 			break;
13398 		}
13399 
13400 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
13401 				   (unsigned long *)&cb->args[5]);
13402 		nla_nest_end(skb, vendor_data);
13403 
13404 		if (err == -ENOBUFS || err == -ENOENT) {
13405 			genlmsg_cancel(skb, hdr);
13406 			break;
13407 		} else if (err) {
13408 			genlmsg_cancel(skb, hdr);
13409 			goto out;
13410 		}
13411 
13412 		genlmsg_end(skb, hdr);
13413 	}
13414 
13415 	err = skb->len;
13416  out:
13417 	rtnl_unlock();
13418 	return err;
13419 }
13420 
13421 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
13422 					   enum nl80211_commands cmd,
13423 					   enum nl80211_attrs attr,
13424 					   int approxlen)
13425 {
13426 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13427 
13428 	if (WARN_ON(!rdev->cur_cmd_info))
13429 		return NULL;
13430 
13431 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
13432 					   rdev->cur_cmd_info->snd_portid,
13433 					   rdev->cur_cmd_info->snd_seq,
13434 					   cmd, attr, NULL, GFP_KERNEL);
13435 }
13436 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
13437 
13438 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
13439 {
13440 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
13441 	void *hdr = ((void **)skb->cb)[1];
13442 	struct nlattr *data = ((void **)skb->cb)[2];
13443 
13444 	/* clear CB data for netlink core to own from now on */
13445 	memset(skb->cb, 0, sizeof(skb->cb));
13446 
13447 	if (WARN_ON(!rdev->cur_cmd_info)) {
13448 		kfree_skb(skb);
13449 		return -EINVAL;
13450 	}
13451 
13452 	nla_nest_end(skb, data);
13453 	genlmsg_end(skb, hdr);
13454 	return genlmsg_reply(skb, rdev->cur_cmd_info);
13455 }
13456 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
13457 
13458 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
13459 {
13460 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
13461 
13462 	if (WARN_ON(!rdev->cur_cmd_info))
13463 		return 0;
13464 
13465 	return rdev->cur_cmd_info->snd_portid;
13466 }
13467 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
13468 
13469 static int nl80211_set_qos_map(struct sk_buff *skb,
13470 			       struct genl_info *info)
13471 {
13472 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13473 	struct cfg80211_qos_map *qos_map = NULL;
13474 	struct net_device *dev = info->user_ptr[1];
13475 	u8 *pos, len, num_des, des_len, des;
13476 	int ret;
13477 
13478 	if (!rdev->ops->set_qos_map)
13479 		return -EOPNOTSUPP;
13480 
13481 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
13482 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
13483 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
13484 
13485 		if (len % 2 || len < IEEE80211_QOS_MAP_LEN_MIN ||
13486 		    len > IEEE80211_QOS_MAP_LEN_MAX)
13487 			return -EINVAL;
13488 
13489 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
13490 		if (!qos_map)
13491 			return -ENOMEM;
13492 
13493 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
13494 		if (num_des) {
13495 			des_len = num_des *
13496 				sizeof(struct cfg80211_dscp_exception);
13497 			memcpy(qos_map->dscp_exception, pos, des_len);
13498 			qos_map->num_des = num_des;
13499 			for (des = 0; des < num_des; des++) {
13500 				if (qos_map->dscp_exception[des].up > 7) {
13501 					kfree(qos_map);
13502 					return -EINVAL;
13503 				}
13504 			}
13505 			pos += des_len;
13506 		}
13507 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
13508 	}
13509 
13510 	wdev_lock(dev->ieee80211_ptr);
13511 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
13512 	if (!ret)
13513 		ret = rdev_set_qos_map(rdev, dev, qos_map);
13514 	wdev_unlock(dev->ieee80211_ptr);
13515 
13516 	kfree(qos_map);
13517 	return ret;
13518 }
13519 
13520 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
13521 {
13522 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13523 	struct net_device *dev = info->user_ptr[1];
13524 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13525 	const u8 *peer;
13526 	u8 tsid, up;
13527 	u16 admitted_time = 0;
13528 	int err;
13529 
13530 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
13531 		return -EOPNOTSUPP;
13532 
13533 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
13534 	    !info->attrs[NL80211_ATTR_USER_PRIO])
13535 		return -EINVAL;
13536 
13537 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13538 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
13539 
13540 	/* WMM uses TIDs 0-7 even for TSPEC */
13541 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
13542 		/* TODO: handle 802.11 TSPEC/admission control
13543 		 * need more attributes for that (e.g. BA session requirement);
13544 		 * change the WMM adminssion test above to allow both then
13545 		 */
13546 		return -EINVAL;
13547 	}
13548 
13549 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13550 
13551 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
13552 		admitted_time =
13553 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
13554 		if (!admitted_time)
13555 			return -EINVAL;
13556 	}
13557 
13558 	wdev_lock(wdev);
13559 	switch (wdev->iftype) {
13560 	case NL80211_IFTYPE_STATION:
13561 	case NL80211_IFTYPE_P2P_CLIENT:
13562 		if (wdev->current_bss)
13563 			break;
13564 		err = -ENOTCONN;
13565 		goto out;
13566 	default:
13567 		err = -EOPNOTSUPP;
13568 		goto out;
13569 	}
13570 
13571 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
13572 
13573  out:
13574 	wdev_unlock(wdev);
13575 	return err;
13576 }
13577 
13578 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
13579 {
13580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13581 	struct net_device *dev = info->user_ptr[1];
13582 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13583 	const u8 *peer;
13584 	u8 tsid;
13585 	int err;
13586 
13587 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
13588 		return -EINVAL;
13589 
13590 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
13591 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
13592 
13593 	wdev_lock(wdev);
13594 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
13595 	wdev_unlock(wdev);
13596 
13597 	return err;
13598 }
13599 
13600 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
13601 				       struct genl_info *info)
13602 {
13603 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13604 	struct net_device *dev = info->user_ptr[1];
13605 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13606 	struct cfg80211_chan_def chandef = {};
13607 	const u8 *addr;
13608 	u8 oper_class;
13609 	int err;
13610 
13611 	if (!rdev->ops->tdls_channel_switch ||
13612 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13613 		return -EOPNOTSUPP;
13614 
13615 	switch (dev->ieee80211_ptr->iftype) {
13616 	case NL80211_IFTYPE_STATION:
13617 	case NL80211_IFTYPE_P2P_CLIENT:
13618 		break;
13619 	default:
13620 		return -EOPNOTSUPP;
13621 	}
13622 
13623 	if (!info->attrs[NL80211_ATTR_MAC] ||
13624 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
13625 		return -EINVAL;
13626 
13627 	err = nl80211_parse_chandef(rdev, info, &chandef);
13628 	if (err)
13629 		return err;
13630 
13631 	/*
13632 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
13633 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
13634 	 * specification is not defined for them.
13635 	 */
13636 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
13637 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
13638 	    chandef.width != NL80211_CHAN_WIDTH_20)
13639 		return -EINVAL;
13640 
13641 	/* we will be active on the TDLS link */
13642 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
13643 					   wdev->iftype))
13644 		return -EINVAL;
13645 
13646 	/* don't allow switching to DFS channels */
13647 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
13648 		return -EINVAL;
13649 
13650 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13651 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
13652 
13653 	wdev_lock(wdev);
13654 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
13655 	wdev_unlock(wdev);
13656 
13657 	return err;
13658 }
13659 
13660 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
13661 					      struct genl_info *info)
13662 {
13663 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13664 	struct net_device *dev = info->user_ptr[1];
13665 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13666 	const u8 *addr;
13667 
13668 	if (!rdev->ops->tdls_channel_switch ||
13669 	    !rdev->ops->tdls_cancel_channel_switch ||
13670 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
13671 		return -EOPNOTSUPP;
13672 
13673 	switch (dev->ieee80211_ptr->iftype) {
13674 	case NL80211_IFTYPE_STATION:
13675 	case NL80211_IFTYPE_P2P_CLIENT:
13676 		break;
13677 	default:
13678 		return -EOPNOTSUPP;
13679 	}
13680 
13681 	if (!info->attrs[NL80211_ATTR_MAC])
13682 		return -EINVAL;
13683 
13684 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
13685 
13686 	wdev_lock(wdev);
13687 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
13688 	wdev_unlock(wdev);
13689 
13690 	return 0;
13691 }
13692 
13693 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
13694 					    struct genl_info *info)
13695 {
13696 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13697 	struct net_device *dev = info->user_ptr[1];
13698 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13699 	const struct nlattr *nla;
13700 	bool enabled;
13701 
13702 	if (!rdev->ops->set_multicast_to_unicast)
13703 		return -EOPNOTSUPP;
13704 
13705 	if (wdev->iftype != NL80211_IFTYPE_AP &&
13706 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
13707 		return -EOPNOTSUPP;
13708 
13709 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
13710 	enabled = nla_get_flag(nla);
13711 
13712 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
13713 }
13714 
13715 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
13716 {
13717 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13718 	struct net_device *dev = info->user_ptr[1];
13719 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13720 	struct cfg80211_pmk_conf pmk_conf = {};
13721 	int ret;
13722 
13723 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13724 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13725 		return -EOPNOTSUPP;
13726 
13727 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13728 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13729 		return -EOPNOTSUPP;
13730 
13731 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
13732 		return -EINVAL;
13733 
13734 	wdev_lock(wdev);
13735 	if (!wdev->current_bss) {
13736 		ret = -ENOTCONN;
13737 		goto out;
13738 	}
13739 
13740 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13741 	if (memcmp(pmk_conf.aa, wdev->current_bss->pub.bssid, ETH_ALEN)) {
13742 		ret = -EINVAL;
13743 		goto out;
13744 	}
13745 
13746 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
13747 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
13748 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
13749 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
13750 		ret = -EINVAL;
13751 		goto out;
13752 	}
13753 
13754 	if (info->attrs[NL80211_ATTR_PMKR0_NAME]) {
13755 		int r0_name_len = nla_len(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13756 
13757 		if (r0_name_len != WLAN_PMK_NAME_LEN) {
13758 			ret = -EINVAL;
13759 			goto out;
13760 		}
13761 
13762 		pmk_conf.pmk_r0_name =
13763 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
13764 	}
13765 
13766 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
13767 out:
13768 	wdev_unlock(wdev);
13769 	return ret;
13770 }
13771 
13772 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
13773 {
13774 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13775 	struct net_device *dev = info->user_ptr[1];
13776 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13777 	const u8 *aa;
13778 	int ret;
13779 
13780 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
13781 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
13782 		return -EOPNOTSUPP;
13783 
13784 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13785 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
13786 		return -EOPNOTSUPP;
13787 
13788 	if (!info->attrs[NL80211_ATTR_MAC])
13789 		return -EINVAL;
13790 
13791 	wdev_lock(wdev);
13792 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
13793 	ret = rdev_del_pmk(rdev, dev, aa);
13794 	wdev_unlock(wdev);
13795 
13796 	return ret;
13797 }
13798 
13799 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
13800 {
13801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13802 	struct net_device *dev = info->user_ptr[1];
13803 	struct cfg80211_external_auth_params params;
13804 
13805 	if (!rdev->ops->external_auth)
13806 		return -EOPNOTSUPP;
13807 
13808 	if (!info->attrs[NL80211_ATTR_SSID] &&
13809 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
13810 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
13811 		return -EINVAL;
13812 
13813 	if (!info->attrs[NL80211_ATTR_BSSID])
13814 		return -EINVAL;
13815 
13816 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
13817 		return -EINVAL;
13818 
13819 	memset(&params, 0, sizeof(params));
13820 
13821 	if (info->attrs[NL80211_ATTR_SSID]) {
13822 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
13823 		if (params.ssid.ssid_len == 0 ||
13824 		    params.ssid.ssid_len > IEEE80211_MAX_SSID_LEN)
13825 			return -EINVAL;
13826 		memcpy(params.ssid.ssid,
13827 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
13828 		       params.ssid.ssid_len);
13829 	}
13830 
13831 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
13832 	       ETH_ALEN);
13833 
13834 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13835 
13836 	if (info->attrs[NL80211_ATTR_PMKID])
13837 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
13838 
13839 	return rdev_external_auth(rdev, dev, &params);
13840 }
13841 
13842 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
13843 {
13844 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13845 	struct net_device *dev = info->user_ptr[1];
13846 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13847 	const u8 *buf;
13848 	size_t len;
13849 	u8 *dest;
13850 	u16 proto;
13851 	bool noencrypt;
13852 	int err;
13853 
13854 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
13855 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
13856 		return -EOPNOTSUPP;
13857 
13858 	if (!rdev->ops->tx_control_port)
13859 		return -EOPNOTSUPP;
13860 
13861 	if (!info->attrs[NL80211_ATTR_FRAME] ||
13862 	    !info->attrs[NL80211_ATTR_MAC] ||
13863 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
13864 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
13865 		return -EINVAL;
13866 	}
13867 
13868 	wdev_lock(wdev);
13869 
13870 	switch (wdev->iftype) {
13871 	case NL80211_IFTYPE_AP:
13872 	case NL80211_IFTYPE_P2P_GO:
13873 	case NL80211_IFTYPE_MESH_POINT:
13874 		break;
13875 	case NL80211_IFTYPE_ADHOC:
13876 	case NL80211_IFTYPE_STATION:
13877 	case NL80211_IFTYPE_P2P_CLIENT:
13878 		if (wdev->current_bss)
13879 			break;
13880 		err = -ENOTCONN;
13881 		goto out;
13882 	default:
13883 		err = -EOPNOTSUPP;
13884 		goto out;
13885 	}
13886 
13887 	wdev_unlock(wdev);
13888 
13889 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
13890 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
13891 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
13892 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
13893 	noencrypt =
13894 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
13895 
13896 	return rdev_tx_control_port(rdev, dev, buf, len,
13897 				    dest, cpu_to_be16(proto), noencrypt);
13898 
13899  out:
13900 	wdev_unlock(wdev);
13901 	return err;
13902 }
13903 
13904 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
13905 					   struct genl_info *info)
13906 {
13907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13908 	struct net_device *dev = info->user_ptr[1];
13909 	struct wireless_dev *wdev = dev->ieee80211_ptr;
13910 	struct cfg80211_ftm_responder_stats ftm_stats = {};
13911 	struct sk_buff *msg;
13912 	void *hdr;
13913 	struct nlattr *ftm_stats_attr;
13914 	int err;
13915 
13916 	if (wdev->iftype != NL80211_IFTYPE_AP || !wdev->beacon_interval)
13917 		return -EOPNOTSUPP;
13918 
13919 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
13920 	if (err)
13921 		return err;
13922 
13923 	if (!ftm_stats.filled)
13924 		return -ENODATA;
13925 
13926 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13927 	if (!msg)
13928 		return -ENOMEM;
13929 
13930 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13931 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
13932 	if (!hdr)
13933 		goto nla_put_failure;
13934 
13935 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
13936 		goto nla_put_failure;
13937 
13938 	ftm_stats_attr = nla_nest_start_noflag(msg,
13939 					       NL80211_ATTR_FTM_RESPONDER_STATS);
13940 	if (!ftm_stats_attr)
13941 		goto nla_put_failure;
13942 
13943 #define SET_FTM(field, name, type)					 \
13944 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13945 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
13946 			     ftm_stats.field))				 \
13947 		goto nla_put_failure; } while (0)
13948 #define SET_FTM_U64(field, name)					 \
13949 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
13950 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
13951 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
13952 		goto nla_put_failure; } while (0)
13953 
13954 	SET_FTM(success_num, SUCCESS_NUM, u32);
13955 	SET_FTM(partial_num, PARTIAL_NUM, u32);
13956 	SET_FTM(failed_num, FAILED_NUM, u32);
13957 	SET_FTM(asap_num, ASAP_NUM, u32);
13958 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
13959 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
13960 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
13961 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
13962 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
13963 #undef SET_FTM
13964 
13965 	nla_nest_end(msg, ftm_stats_attr);
13966 
13967 	genlmsg_end(msg, hdr);
13968 	return genlmsg_reply(msg, info);
13969 
13970 nla_put_failure:
13971 	nlmsg_free(msg);
13972 	return -ENOBUFS;
13973 }
13974 
13975 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
13976 {
13977 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13978 	struct cfg80211_update_owe_info owe_info;
13979 	struct net_device *dev = info->user_ptr[1];
13980 
13981 	if (!rdev->ops->update_owe_info)
13982 		return -EOPNOTSUPP;
13983 
13984 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
13985 	    !info->attrs[NL80211_ATTR_MAC])
13986 		return -EINVAL;
13987 
13988 	memset(&owe_info, 0, sizeof(owe_info));
13989 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
13990 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
13991 
13992 	if (info->attrs[NL80211_ATTR_IE]) {
13993 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
13994 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
13995 	}
13996 
13997 	return rdev_update_owe_info(rdev, dev, &owe_info);
13998 }
13999 
14000 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
14001 {
14002 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14003 	struct net_device *dev = info->user_ptr[1];
14004 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14005 	struct station_info sinfo = {};
14006 	const u8 *buf;
14007 	size_t len;
14008 	u8 *dest;
14009 	int err;
14010 
14011 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
14012 		return -EOPNOTSUPP;
14013 
14014 	if (!info->attrs[NL80211_ATTR_MAC] ||
14015 	    !info->attrs[NL80211_ATTR_FRAME]) {
14016 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
14017 		return -EINVAL;
14018 	}
14019 
14020 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
14021 		return -EOPNOTSUPP;
14022 
14023 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
14024 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
14025 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
14026 
14027 	if (len < sizeof(struct ethhdr))
14028 		return -EINVAL;
14029 
14030 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
14031 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
14032 		return -EINVAL;
14033 
14034 	err = rdev_get_station(rdev, dev, dest, &sinfo);
14035 	if (err)
14036 		return err;
14037 
14038 	cfg80211_sinfo_release_content(&sinfo);
14039 
14040 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
14041 }
14042 
14043 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
14044 			  struct nlattr *attrs[], struct net_device *dev,
14045 			  struct cfg80211_tid_cfg *tid_conf,
14046 			  struct genl_info *info, const u8 *peer)
14047 {
14048 	struct netlink_ext_ack *extack = info->extack;
14049 	u64 mask;
14050 	int err;
14051 
14052 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
14053 		return -EINVAL;
14054 
14055 	tid_conf->config_override =
14056 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
14057 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
14058 
14059 	if (tid_conf->config_override) {
14060 		if (rdev->ops->reset_tid_config) {
14061 			err = rdev_reset_tid_config(rdev, dev, peer,
14062 						    tid_conf->tids);
14063 			/* If peer is there no other configuration will be
14064 			 * allowed
14065 			 */
14066 			if (err || peer)
14067 				return err;
14068 		} else {
14069 			return -EINVAL;
14070 		}
14071 	}
14072 
14073 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
14074 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
14075 		tid_conf->noack =
14076 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
14077 	}
14078 
14079 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
14080 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
14081 		tid_conf->retry_short =
14082 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
14083 
14084 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
14085 			return -EINVAL;
14086 	}
14087 
14088 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
14089 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
14090 		tid_conf->retry_long =
14091 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
14092 
14093 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
14094 			return -EINVAL;
14095 	}
14096 
14097 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
14098 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
14099 		tid_conf->ampdu =
14100 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
14101 	}
14102 
14103 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
14104 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
14105 		tid_conf->rtscts =
14106 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
14107 	}
14108 
14109 	if (peer)
14110 		mask = rdev->wiphy.tid_config_support.peer;
14111 	else
14112 		mask = rdev->wiphy.tid_config_support.vif;
14113 
14114 	if (tid_conf->mask & ~mask) {
14115 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
14116 		return -ENOTSUPP;
14117 	}
14118 
14119 	return 0;
14120 }
14121 
14122 static int nl80211_set_tid_config(struct sk_buff *skb,
14123 				  struct genl_info *info)
14124 {
14125 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14126 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
14127 	struct net_device *dev = info->user_ptr[1];
14128 	struct cfg80211_tid_config *tid_config;
14129 	struct nlattr *tid;
14130 	int conf_idx = 0, rem_conf;
14131 	int ret = -EINVAL;
14132 	u32 num_conf = 0;
14133 
14134 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
14135 		return -EINVAL;
14136 
14137 	if (!rdev->ops->set_tid_config)
14138 		return -EOPNOTSUPP;
14139 
14140 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14141 			    rem_conf)
14142 		num_conf++;
14143 
14144 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
14145 			     GFP_KERNEL);
14146 	if (!tid_config)
14147 		return -ENOMEM;
14148 
14149 	tid_config->n_tid_conf = num_conf;
14150 
14151 	if (info->attrs[NL80211_ATTR_MAC])
14152 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
14153 
14154 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
14155 			    rem_conf) {
14156 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
14157 				       tid, NULL, NULL);
14158 
14159 		if (ret)
14160 			goto bad_tid_conf;
14161 
14162 		ret = parse_tid_conf(rdev, attrs, dev,
14163 				     &tid_config->tid_conf[conf_idx],
14164 				     info, tid_config->peer);
14165 		if (ret)
14166 			goto bad_tid_conf;
14167 
14168 		conf_idx++;
14169 	}
14170 
14171 	ret = rdev_set_tid_config(rdev, dev, tid_config);
14172 
14173 bad_tid_conf:
14174 	kfree(tid_config);
14175 	return ret;
14176 }
14177 
14178 #define NL80211_FLAG_NEED_WIPHY		0x01
14179 #define NL80211_FLAG_NEED_NETDEV	0x02
14180 #define NL80211_FLAG_NEED_RTNL		0x04
14181 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
14182 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
14183 					 NL80211_FLAG_CHECK_NETDEV_UP)
14184 #define NL80211_FLAG_NEED_WDEV		0x10
14185 /* If a netdev is associated, it must be UP, P2P must be started */
14186 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
14187 					 NL80211_FLAG_CHECK_NETDEV_UP)
14188 #define NL80211_FLAG_CLEAR_SKB		0x20
14189 
14190 static int nl80211_pre_doit(const struct genl_ops *ops, struct sk_buff *skb,
14191 			    struct genl_info *info)
14192 {
14193 	struct cfg80211_registered_device *rdev;
14194 	struct wireless_dev *wdev;
14195 	struct net_device *dev;
14196 	bool rtnl = ops->internal_flags & NL80211_FLAG_NEED_RTNL;
14197 
14198 	if (rtnl)
14199 		rtnl_lock();
14200 
14201 	if (ops->internal_flags & NL80211_FLAG_NEED_WIPHY) {
14202 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
14203 		if (IS_ERR(rdev)) {
14204 			if (rtnl)
14205 				rtnl_unlock();
14206 			return PTR_ERR(rdev);
14207 		}
14208 		info->user_ptr[0] = rdev;
14209 	} else if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV ||
14210 		   ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14211 		ASSERT_RTNL();
14212 
14213 		wdev = __cfg80211_wdev_from_attrs(genl_info_net(info),
14214 						  info->attrs);
14215 		if (IS_ERR(wdev)) {
14216 			if (rtnl)
14217 				rtnl_unlock();
14218 			return PTR_ERR(wdev);
14219 		}
14220 
14221 		dev = wdev->netdev;
14222 		rdev = wiphy_to_rdev(wdev->wiphy);
14223 
14224 		if (ops->internal_flags & NL80211_FLAG_NEED_NETDEV) {
14225 			if (!dev) {
14226 				if (rtnl)
14227 					rtnl_unlock();
14228 				return -EINVAL;
14229 			}
14230 
14231 			info->user_ptr[1] = dev;
14232 		} else {
14233 			info->user_ptr[1] = wdev;
14234 		}
14235 
14236 		if (ops->internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
14237 		    !wdev_running(wdev)) {
14238 			if (rtnl)
14239 				rtnl_unlock();
14240 			return -ENETDOWN;
14241 		}
14242 
14243 		if (dev)
14244 			dev_hold(dev);
14245 
14246 		info->user_ptr[0] = rdev;
14247 	}
14248 
14249 	return 0;
14250 }
14251 
14252 static void nl80211_post_doit(const struct genl_ops *ops, struct sk_buff *skb,
14253 			      struct genl_info *info)
14254 {
14255 	if (info->user_ptr[1]) {
14256 		if (ops->internal_flags & NL80211_FLAG_NEED_WDEV) {
14257 			struct wireless_dev *wdev = info->user_ptr[1];
14258 
14259 			if (wdev->netdev)
14260 				dev_put(wdev->netdev);
14261 		} else {
14262 			dev_put(info->user_ptr[1]);
14263 		}
14264 	}
14265 
14266 	if (ops->internal_flags & NL80211_FLAG_NEED_RTNL)
14267 		rtnl_unlock();
14268 
14269 	/* If needed, clear the netlink message payload from the SKB
14270 	 * as it might contain key data that shouldn't stick around on
14271 	 * the heap after the SKB is freed. The netlink message header
14272 	 * is still needed for further processing, so leave it intact.
14273 	 */
14274 	if (ops->internal_flags & NL80211_FLAG_CLEAR_SKB) {
14275 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
14276 
14277 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
14278 	}
14279 }
14280 
14281 static const struct genl_ops nl80211_ops[] = {
14282 	{
14283 		.cmd = NL80211_CMD_GET_WIPHY,
14284 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14285 		.doit = nl80211_get_wiphy,
14286 		.dumpit = nl80211_dump_wiphy,
14287 		.done = nl80211_dump_wiphy_done,
14288 		/* can be retrieved by unprivileged users */
14289 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14290 				  NL80211_FLAG_NEED_RTNL,
14291 	},
14292 	{
14293 		.cmd = NL80211_CMD_SET_WIPHY,
14294 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14295 		.doit = nl80211_set_wiphy,
14296 		.flags = GENL_UNS_ADMIN_PERM,
14297 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14298 	},
14299 	{
14300 		.cmd = NL80211_CMD_GET_INTERFACE,
14301 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14302 		.doit = nl80211_get_interface,
14303 		.dumpit = nl80211_dump_interface,
14304 		/* can be retrieved by unprivileged users */
14305 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14306 				  NL80211_FLAG_NEED_RTNL,
14307 	},
14308 	{
14309 		.cmd = NL80211_CMD_SET_INTERFACE,
14310 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14311 		.doit = nl80211_set_interface,
14312 		.flags = GENL_UNS_ADMIN_PERM,
14313 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14314 				  NL80211_FLAG_NEED_RTNL,
14315 	},
14316 	{
14317 		.cmd = NL80211_CMD_NEW_INTERFACE,
14318 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14319 		.doit = nl80211_new_interface,
14320 		.flags = GENL_UNS_ADMIN_PERM,
14321 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14322 				  NL80211_FLAG_NEED_RTNL,
14323 	},
14324 	{
14325 		.cmd = NL80211_CMD_DEL_INTERFACE,
14326 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14327 		.doit = nl80211_del_interface,
14328 		.flags = GENL_UNS_ADMIN_PERM,
14329 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14330 				  NL80211_FLAG_NEED_RTNL,
14331 	},
14332 	{
14333 		.cmd = NL80211_CMD_GET_KEY,
14334 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14335 		.doit = nl80211_get_key,
14336 		.flags = GENL_UNS_ADMIN_PERM,
14337 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14338 				  NL80211_FLAG_NEED_RTNL,
14339 	},
14340 	{
14341 		.cmd = NL80211_CMD_SET_KEY,
14342 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14343 		.doit = nl80211_set_key,
14344 		.flags = GENL_UNS_ADMIN_PERM,
14345 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14346 				  NL80211_FLAG_NEED_RTNL |
14347 				  NL80211_FLAG_CLEAR_SKB,
14348 	},
14349 	{
14350 		.cmd = NL80211_CMD_NEW_KEY,
14351 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14352 		.doit = nl80211_new_key,
14353 		.flags = GENL_UNS_ADMIN_PERM,
14354 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14355 				  NL80211_FLAG_NEED_RTNL |
14356 				  NL80211_FLAG_CLEAR_SKB,
14357 	},
14358 	{
14359 		.cmd = NL80211_CMD_DEL_KEY,
14360 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14361 		.doit = nl80211_del_key,
14362 		.flags = GENL_UNS_ADMIN_PERM,
14363 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14364 				  NL80211_FLAG_NEED_RTNL,
14365 	},
14366 	{
14367 		.cmd = NL80211_CMD_SET_BEACON,
14368 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14369 		.flags = GENL_UNS_ADMIN_PERM,
14370 		.doit = nl80211_set_beacon,
14371 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14372 				  NL80211_FLAG_NEED_RTNL,
14373 	},
14374 	{
14375 		.cmd = NL80211_CMD_START_AP,
14376 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14377 		.flags = GENL_UNS_ADMIN_PERM,
14378 		.doit = nl80211_start_ap,
14379 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14380 				  NL80211_FLAG_NEED_RTNL,
14381 	},
14382 	{
14383 		.cmd = NL80211_CMD_STOP_AP,
14384 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14385 		.flags = GENL_UNS_ADMIN_PERM,
14386 		.doit = nl80211_stop_ap,
14387 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14388 				  NL80211_FLAG_NEED_RTNL,
14389 	},
14390 	{
14391 		.cmd = NL80211_CMD_GET_STATION,
14392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14393 		.doit = nl80211_get_station,
14394 		.dumpit = nl80211_dump_station,
14395 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14396 				  NL80211_FLAG_NEED_RTNL,
14397 	},
14398 	{
14399 		.cmd = NL80211_CMD_SET_STATION,
14400 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14401 		.doit = nl80211_set_station,
14402 		.flags = GENL_UNS_ADMIN_PERM,
14403 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14404 				  NL80211_FLAG_NEED_RTNL,
14405 	},
14406 	{
14407 		.cmd = NL80211_CMD_NEW_STATION,
14408 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14409 		.doit = nl80211_new_station,
14410 		.flags = GENL_UNS_ADMIN_PERM,
14411 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14412 				  NL80211_FLAG_NEED_RTNL,
14413 	},
14414 	{
14415 		.cmd = NL80211_CMD_DEL_STATION,
14416 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14417 		.doit = nl80211_del_station,
14418 		.flags = GENL_UNS_ADMIN_PERM,
14419 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14420 				  NL80211_FLAG_NEED_RTNL,
14421 	},
14422 	{
14423 		.cmd = NL80211_CMD_GET_MPATH,
14424 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14425 		.doit = nl80211_get_mpath,
14426 		.dumpit = nl80211_dump_mpath,
14427 		.flags = GENL_UNS_ADMIN_PERM,
14428 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14429 				  NL80211_FLAG_NEED_RTNL,
14430 	},
14431 	{
14432 		.cmd = NL80211_CMD_GET_MPP,
14433 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14434 		.doit = nl80211_get_mpp,
14435 		.dumpit = nl80211_dump_mpp,
14436 		.flags = GENL_UNS_ADMIN_PERM,
14437 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14438 				  NL80211_FLAG_NEED_RTNL,
14439 	},
14440 	{
14441 		.cmd = NL80211_CMD_SET_MPATH,
14442 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14443 		.doit = nl80211_set_mpath,
14444 		.flags = GENL_UNS_ADMIN_PERM,
14445 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14446 				  NL80211_FLAG_NEED_RTNL,
14447 	},
14448 	{
14449 		.cmd = NL80211_CMD_NEW_MPATH,
14450 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14451 		.doit = nl80211_new_mpath,
14452 		.flags = GENL_UNS_ADMIN_PERM,
14453 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14454 				  NL80211_FLAG_NEED_RTNL,
14455 	},
14456 	{
14457 		.cmd = NL80211_CMD_DEL_MPATH,
14458 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14459 		.doit = nl80211_del_mpath,
14460 		.flags = GENL_UNS_ADMIN_PERM,
14461 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14462 				  NL80211_FLAG_NEED_RTNL,
14463 	},
14464 	{
14465 		.cmd = NL80211_CMD_SET_BSS,
14466 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14467 		.doit = nl80211_set_bss,
14468 		.flags = GENL_UNS_ADMIN_PERM,
14469 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14470 				  NL80211_FLAG_NEED_RTNL,
14471 	},
14472 	{
14473 		.cmd = NL80211_CMD_GET_REG,
14474 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14475 		.doit = nl80211_get_reg_do,
14476 		.dumpit = nl80211_get_reg_dump,
14477 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14478 		/* can be retrieved by unprivileged users */
14479 	},
14480 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
14481 	{
14482 		.cmd = NL80211_CMD_SET_REG,
14483 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14484 		.doit = nl80211_set_reg,
14485 		.flags = GENL_ADMIN_PERM,
14486 		.internal_flags = NL80211_FLAG_NEED_RTNL,
14487 	},
14488 #endif
14489 	{
14490 		.cmd = NL80211_CMD_REQ_SET_REG,
14491 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14492 		.doit = nl80211_req_set_reg,
14493 		.flags = GENL_ADMIN_PERM,
14494 	},
14495 	{
14496 		.cmd = NL80211_CMD_RELOAD_REGDB,
14497 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14498 		.doit = nl80211_reload_regdb,
14499 		.flags = GENL_ADMIN_PERM,
14500 	},
14501 	{
14502 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
14503 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14504 		.doit = nl80211_get_mesh_config,
14505 		/* can be retrieved by unprivileged users */
14506 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14507 				  NL80211_FLAG_NEED_RTNL,
14508 	},
14509 	{
14510 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
14511 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14512 		.doit = nl80211_update_mesh_config,
14513 		.flags = GENL_UNS_ADMIN_PERM,
14514 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14515 				  NL80211_FLAG_NEED_RTNL,
14516 	},
14517 	{
14518 		.cmd = NL80211_CMD_TRIGGER_SCAN,
14519 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14520 		.doit = nl80211_trigger_scan,
14521 		.flags = GENL_UNS_ADMIN_PERM,
14522 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14523 				  NL80211_FLAG_NEED_RTNL,
14524 	},
14525 	{
14526 		.cmd = NL80211_CMD_ABORT_SCAN,
14527 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14528 		.doit = nl80211_abort_scan,
14529 		.flags = GENL_UNS_ADMIN_PERM,
14530 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14531 				  NL80211_FLAG_NEED_RTNL,
14532 	},
14533 	{
14534 		.cmd = NL80211_CMD_GET_SCAN,
14535 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14536 		.dumpit = nl80211_dump_scan,
14537 	},
14538 	{
14539 		.cmd = NL80211_CMD_START_SCHED_SCAN,
14540 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14541 		.doit = nl80211_start_sched_scan,
14542 		.flags = GENL_UNS_ADMIN_PERM,
14543 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14544 				  NL80211_FLAG_NEED_RTNL,
14545 	},
14546 	{
14547 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
14548 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14549 		.doit = nl80211_stop_sched_scan,
14550 		.flags = GENL_UNS_ADMIN_PERM,
14551 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14552 				  NL80211_FLAG_NEED_RTNL,
14553 	},
14554 	{
14555 		.cmd = NL80211_CMD_AUTHENTICATE,
14556 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14557 		.doit = nl80211_authenticate,
14558 		.flags = GENL_UNS_ADMIN_PERM,
14559 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14560 				  NL80211_FLAG_NEED_RTNL |
14561 				  NL80211_FLAG_CLEAR_SKB,
14562 	},
14563 	{
14564 		.cmd = NL80211_CMD_ASSOCIATE,
14565 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14566 		.doit = nl80211_associate,
14567 		.flags = GENL_UNS_ADMIN_PERM,
14568 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14569 				  NL80211_FLAG_NEED_RTNL |
14570 				  NL80211_FLAG_CLEAR_SKB,
14571 	},
14572 	{
14573 		.cmd = NL80211_CMD_DEAUTHENTICATE,
14574 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14575 		.doit = nl80211_deauthenticate,
14576 		.flags = GENL_UNS_ADMIN_PERM,
14577 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14578 				  NL80211_FLAG_NEED_RTNL,
14579 	},
14580 	{
14581 		.cmd = NL80211_CMD_DISASSOCIATE,
14582 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14583 		.doit = nl80211_disassociate,
14584 		.flags = GENL_UNS_ADMIN_PERM,
14585 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14586 				  NL80211_FLAG_NEED_RTNL,
14587 	},
14588 	{
14589 		.cmd = NL80211_CMD_JOIN_IBSS,
14590 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14591 		.doit = nl80211_join_ibss,
14592 		.flags = GENL_UNS_ADMIN_PERM,
14593 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14594 				  NL80211_FLAG_NEED_RTNL,
14595 	},
14596 	{
14597 		.cmd = NL80211_CMD_LEAVE_IBSS,
14598 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14599 		.doit = nl80211_leave_ibss,
14600 		.flags = GENL_UNS_ADMIN_PERM,
14601 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14602 				  NL80211_FLAG_NEED_RTNL,
14603 	},
14604 #ifdef CONFIG_NL80211_TESTMODE
14605 	{
14606 		.cmd = NL80211_CMD_TESTMODE,
14607 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14608 		.doit = nl80211_testmode_do,
14609 		.dumpit = nl80211_testmode_dump,
14610 		.flags = GENL_UNS_ADMIN_PERM,
14611 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14612 				  NL80211_FLAG_NEED_RTNL,
14613 	},
14614 #endif
14615 	{
14616 		.cmd = NL80211_CMD_CONNECT,
14617 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14618 		.doit = nl80211_connect,
14619 		.flags = GENL_UNS_ADMIN_PERM,
14620 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14621 				  NL80211_FLAG_NEED_RTNL |
14622 				  NL80211_FLAG_CLEAR_SKB,
14623 	},
14624 	{
14625 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
14626 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14627 		.doit = nl80211_update_connect_params,
14628 		.flags = GENL_ADMIN_PERM,
14629 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14630 				  NL80211_FLAG_NEED_RTNL |
14631 				  NL80211_FLAG_CLEAR_SKB,
14632 	},
14633 	{
14634 		.cmd = NL80211_CMD_DISCONNECT,
14635 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14636 		.doit = nl80211_disconnect,
14637 		.flags = GENL_UNS_ADMIN_PERM,
14638 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14639 				  NL80211_FLAG_NEED_RTNL,
14640 	},
14641 	{
14642 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
14643 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14644 		.doit = nl80211_wiphy_netns,
14645 		.flags = GENL_UNS_ADMIN_PERM,
14646 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14647 				  NL80211_FLAG_NEED_RTNL,
14648 	},
14649 	{
14650 		.cmd = NL80211_CMD_GET_SURVEY,
14651 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14652 		.dumpit = nl80211_dump_survey,
14653 	},
14654 	{
14655 		.cmd = NL80211_CMD_SET_PMKSA,
14656 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14657 		.doit = nl80211_setdel_pmksa,
14658 		.flags = GENL_UNS_ADMIN_PERM,
14659 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14660 				  NL80211_FLAG_NEED_RTNL |
14661 				  NL80211_FLAG_CLEAR_SKB,
14662 	},
14663 	{
14664 		.cmd = NL80211_CMD_DEL_PMKSA,
14665 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14666 		.doit = nl80211_setdel_pmksa,
14667 		.flags = GENL_UNS_ADMIN_PERM,
14668 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14669 				  NL80211_FLAG_NEED_RTNL,
14670 	},
14671 	{
14672 		.cmd = NL80211_CMD_FLUSH_PMKSA,
14673 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14674 		.doit = nl80211_flush_pmksa,
14675 		.flags = GENL_UNS_ADMIN_PERM,
14676 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14677 				  NL80211_FLAG_NEED_RTNL,
14678 	},
14679 	{
14680 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
14681 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14682 		.doit = nl80211_remain_on_channel,
14683 		.flags = GENL_UNS_ADMIN_PERM,
14684 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14685 				  NL80211_FLAG_NEED_RTNL,
14686 	},
14687 	{
14688 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
14689 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14690 		.doit = nl80211_cancel_remain_on_channel,
14691 		.flags = GENL_UNS_ADMIN_PERM,
14692 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14693 				  NL80211_FLAG_NEED_RTNL,
14694 	},
14695 	{
14696 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
14697 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14698 		.doit = nl80211_set_tx_bitrate_mask,
14699 		.flags = GENL_UNS_ADMIN_PERM,
14700 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14701 				  NL80211_FLAG_NEED_RTNL,
14702 	},
14703 	{
14704 		.cmd = NL80211_CMD_REGISTER_FRAME,
14705 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14706 		.doit = nl80211_register_mgmt,
14707 		.flags = GENL_UNS_ADMIN_PERM,
14708 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14709 				  NL80211_FLAG_NEED_RTNL,
14710 	},
14711 	{
14712 		.cmd = NL80211_CMD_FRAME,
14713 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14714 		.doit = nl80211_tx_mgmt,
14715 		.flags = GENL_UNS_ADMIN_PERM,
14716 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14717 				  NL80211_FLAG_NEED_RTNL,
14718 	},
14719 	{
14720 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
14721 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14722 		.doit = nl80211_tx_mgmt_cancel_wait,
14723 		.flags = GENL_UNS_ADMIN_PERM,
14724 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14725 				  NL80211_FLAG_NEED_RTNL,
14726 	},
14727 	{
14728 		.cmd = NL80211_CMD_SET_POWER_SAVE,
14729 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14730 		.doit = nl80211_set_power_save,
14731 		.flags = GENL_UNS_ADMIN_PERM,
14732 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14733 				  NL80211_FLAG_NEED_RTNL,
14734 	},
14735 	{
14736 		.cmd = NL80211_CMD_GET_POWER_SAVE,
14737 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14738 		.doit = nl80211_get_power_save,
14739 		/* can be retrieved by unprivileged users */
14740 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14741 				  NL80211_FLAG_NEED_RTNL,
14742 	},
14743 	{
14744 		.cmd = NL80211_CMD_SET_CQM,
14745 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14746 		.doit = nl80211_set_cqm,
14747 		.flags = GENL_UNS_ADMIN_PERM,
14748 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14749 				  NL80211_FLAG_NEED_RTNL,
14750 	},
14751 	{
14752 		.cmd = NL80211_CMD_SET_CHANNEL,
14753 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14754 		.doit = nl80211_set_channel,
14755 		.flags = GENL_UNS_ADMIN_PERM,
14756 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14757 				  NL80211_FLAG_NEED_RTNL,
14758 	},
14759 	{
14760 		.cmd = NL80211_CMD_SET_WDS_PEER,
14761 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14762 		.doit = nl80211_set_wds_peer,
14763 		.flags = GENL_UNS_ADMIN_PERM,
14764 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14765 				  NL80211_FLAG_NEED_RTNL,
14766 	},
14767 	{
14768 		.cmd = NL80211_CMD_JOIN_MESH,
14769 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14770 		.doit = nl80211_join_mesh,
14771 		.flags = GENL_UNS_ADMIN_PERM,
14772 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14773 				  NL80211_FLAG_NEED_RTNL,
14774 	},
14775 	{
14776 		.cmd = NL80211_CMD_LEAVE_MESH,
14777 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14778 		.doit = nl80211_leave_mesh,
14779 		.flags = GENL_UNS_ADMIN_PERM,
14780 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14781 				  NL80211_FLAG_NEED_RTNL,
14782 	},
14783 	{
14784 		.cmd = NL80211_CMD_JOIN_OCB,
14785 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14786 		.doit = nl80211_join_ocb,
14787 		.flags = GENL_UNS_ADMIN_PERM,
14788 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14789 				  NL80211_FLAG_NEED_RTNL,
14790 	},
14791 	{
14792 		.cmd = NL80211_CMD_LEAVE_OCB,
14793 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14794 		.doit = nl80211_leave_ocb,
14795 		.flags = GENL_UNS_ADMIN_PERM,
14796 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14797 				  NL80211_FLAG_NEED_RTNL,
14798 	},
14799 #ifdef CONFIG_PM
14800 	{
14801 		.cmd = NL80211_CMD_GET_WOWLAN,
14802 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14803 		.doit = nl80211_get_wowlan,
14804 		/* can be retrieved by unprivileged users */
14805 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14806 				  NL80211_FLAG_NEED_RTNL,
14807 	},
14808 	{
14809 		.cmd = NL80211_CMD_SET_WOWLAN,
14810 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14811 		.doit = nl80211_set_wowlan,
14812 		.flags = GENL_UNS_ADMIN_PERM,
14813 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14814 				  NL80211_FLAG_NEED_RTNL,
14815 	},
14816 #endif
14817 	{
14818 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
14819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14820 		.doit = nl80211_set_rekey_data,
14821 		.flags = GENL_UNS_ADMIN_PERM,
14822 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14823 				  NL80211_FLAG_NEED_RTNL |
14824 				  NL80211_FLAG_CLEAR_SKB,
14825 	},
14826 	{
14827 		.cmd = NL80211_CMD_TDLS_MGMT,
14828 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14829 		.doit = nl80211_tdls_mgmt,
14830 		.flags = GENL_UNS_ADMIN_PERM,
14831 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14832 				  NL80211_FLAG_NEED_RTNL,
14833 	},
14834 	{
14835 		.cmd = NL80211_CMD_TDLS_OPER,
14836 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14837 		.doit = nl80211_tdls_oper,
14838 		.flags = GENL_UNS_ADMIN_PERM,
14839 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14840 				  NL80211_FLAG_NEED_RTNL,
14841 	},
14842 	{
14843 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
14844 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14845 		.doit = nl80211_register_unexpected_frame,
14846 		.flags = GENL_UNS_ADMIN_PERM,
14847 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14848 				  NL80211_FLAG_NEED_RTNL,
14849 	},
14850 	{
14851 		.cmd = NL80211_CMD_PROBE_CLIENT,
14852 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14853 		.doit = nl80211_probe_client,
14854 		.flags = GENL_UNS_ADMIN_PERM,
14855 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14856 				  NL80211_FLAG_NEED_RTNL,
14857 	},
14858 	{
14859 		.cmd = NL80211_CMD_REGISTER_BEACONS,
14860 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14861 		.doit = nl80211_register_beacons,
14862 		.flags = GENL_UNS_ADMIN_PERM,
14863 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14864 				  NL80211_FLAG_NEED_RTNL,
14865 	},
14866 	{
14867 		.cmd = NL80211_CMD_SET_NOACK_MAP,
14868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14869 		.doit = nl80211_set_noack_map,
14870 		.flags = GENL_UNS_ADMIN_PERM,
14871 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14872 				  NL80211_FLAG_NEED_RTNL,
14873 	},
14874 	{
14875 		.cmd = NL80211_CMD_START_P2P_DEVICE,
14876 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14877 		.doit = nl80211_start_p2p_device,
14878 		.flags = GENL_UNS_ADMIN_PERM,
14879 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14880 				  NL80211_FLAG_NEED_RTNL,
14881 	},
14882 	{
14883 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
14884 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14885 		.doit = nl80211_stop_p2p_device,
14886 		.flags = GENL_UNS_ADMIN_PERM,
14887 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14888 				  NL80211_FLAG_NEED_RTNL,
14889 	},
14890 	{
14891 		.cmd = NL80211_CMD_START_NAN,
14892 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14893 		.doit = nl80211_start_nan,
14894 		.flags = GENL_ADMIN_PERM,
14895 		.internal_flags = NL80211_FLAG_NEED_WDEV |
14896 				  NL80211_FLAG_NEED_RTNL,
14897 	},
14898 	{
14899 		.cmd = NL80211_CMD_STOP_NAN,
14900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14901 		.doit = nl80211_stop_nan,
14902 		.flags = GENL_ADMIN_PERM,
14903 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14904 				  NL80211_FLAG_NEED_RTNL,
14905 	},
14906 	{
14907 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
14908 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14909 		.doit = nl80211_nan_add_func,
14910 		.flags = GENL_ADMIN_PERM,
14911 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14912 				  NL80211_FLAG_NEED_RTNL,
14913 	},
14914 	{
14915 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
14916 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14917 		.doit = nl80211_nan_del_func,
14918 		.flags = GENL_ADMIN_PERM,
14919 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14920 				  NL80211_FLAG_NEED_RTNL,
14921 	},
14922 	{
14923 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
14924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14925 		.doit = nl80211_nan_change_config,
14926 		.flags = GENL_ADMIN_PERM,
14927 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14928 				  NL80211_FLAG_NEED_RTNL,
14929 	},
14930 	{
14931 		.cmd = NL80211_CMD_SET_MCAST_RATE,
14932 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14933 		.doit = nl80211_set_mcast_rate,
14934 		.flags = GENL_UNS_ADMIN_PERM,
14935 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14936 				  NL80211_FLAG_NEED_RTNL,
14937 	},
14938 	{
14939 		.cmd = NL80211_CMD_SET_MAC_ACL,
14940 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14941 		.doit = nl80211_set_mac_acl,
14942 		.flags = GENL_UNS_ADMIN_PERM,
14943 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
14944 				  NL80211_FLAG_NEED_RTNL,
14945 	},
14946 	{
14947 		.cmd = NL80211_CMD_RADAR_DETECT,
14948 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14949 		.doit = nl80211_start_radar_detection,
14950 		.flags = GENL_UNS_ADMIN_PERM,
14951 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14952 				  NL80211_FLAG_NEED_RTNL,
14953 	},
14954 	{
14955 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
14956 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14957 		.doit = nl80211_get_protocol_features,
14958 	},
14959 	{
14960 		.cmd = NL80211_CMD_UPDATE_FT_IES,
14961 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14962 		.doit = nl80211_update_ft_ies,
14963 		.flags = GENL_UNS_ADMIN_PERM,
14964 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
14965 				  NL80211_FLAG_NEED_RTNL,
14966 	},
14967 	{
14968 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
14969 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14970 		.doit = nl80211_crit_protocol_start,
14971 		.flags = GENL_UNS_ADMIN_PERM,
14972 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14973 				  NL80211_FLAG_NEED_RTNL,
14974 	},
14975 	{
14976 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
14977 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14978 		.doit = nl80211_crit_protocol_stop,
14979 		.flags = GENL_UNS_ADMIN_PERM,
14980 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
14981 				  NL80211_FLAG_NEED_RTNL,
14982 	},
14983 	{
14984 		.cmd = NL80211_CMD_GET_COALESCE,
14985 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14986 		.doit = nl80211_get_coalesce,
14987 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14988 				  NL80211_FLAG_NEED_RTNL,
14989 	},
14990 	{
14991 		.cmd = NL80211_CMD_SET_COALESCE,
14992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
14993 		.doit = nl80211_set_coalesce,
14994 		.flags = GENL_UNS_ADMIN_PERM,
14995 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
14996 				  NL80211_FLAG_NEED_RTNL,
14997 	},
14998 	{
14999 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
15000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15001 		.doit = nl80211_channel_switch,
15002 		.flags = GENL_UNS_ADMIN_PERM,
15003 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15004 				  NL80211_FLAG_NEED_RTNL,
15005 	},
15006 	{
15007 		.cmd = NL80211_CMD_VENDOR,
15008 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15009 		.doit = nl80211_vendor_cmd,
15010 		.dumpit = nl80211_vendor_cmd_dump,
15011 		.flags = GENL_UNS_ADMIN_PERM,
15012 		.internal_flags = NL80211_FLAG_NEED_WIPHY |
15013 				  NL80211_FLAG_NEED_RTNL |
15014 				  NL80211_FLAG_CLEAR_SKB,
15015 	},
15016 	{
15017 		.cmd = NL80211_CMD_SET_QOS_MAP,
15018 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15019 		.doit = nl80211_set_qos_map,
15020 		.flags = GENL_UNS_ADMIN_PERM,
15021 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15022 				  NL80211_FLAG_NEED_RTNL,
15023 	},
15024 	{
15025 		.cmd = NL80211_CMD_ADD_TX_TS,
15026 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15027 		.doit = nl80211_add_tx_ts,
15028 		.flags = GENL_UNS_ADMIN_PERM,
15029 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15030 				  NL80211_FLAG_NEED_RTNL,
15031 	},
15032 	{
15033 		.cmd = NL80211_CMD_DEL_TX_TS,
15034 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15035 		.doit = nl80211_del_tx_ts,
15036 		.flags = GENL_UNS_ADMIN_PERM,
15037 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15038 				  NL80211_FLAG_NEED_RTNL,
15039 	},
15040 	{
15041 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
15042 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15043 		.doit = nl80211_tdls_channel_switch,
15044 		.flags = GENL_UNS_ADMIN_PERM,
15045 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15046 				  NL80211_FLAG_NEED_RTNL,
15047 	},
15048 	{
15049 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
15050 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15051 		.doit = nl80211_tdls_cancel_channel_switch,
15052 		.flags = GENL_UNS_ADMIN_PERM,
15053 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15054 				  NL80211_FLAG_NEED_RTNL,
15055 	},
15056 	{
15057 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
15058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15059 		.doit = nl80211_set_multicast_to_unicast,
15060 		.flags = GENL_UNS_ADMIN_PERM,
15061 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15062 				  NL80211_FLAG_NEED_RTNL,
15063 	},
15064 	{
15065 		.cmd = NL80211_CMD_SET_PMK,
15066 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15067 		.doit = nl80211_set_pmk,
15068 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15069 				  NL80211_FLAG_NEED_RTNL |
15070 				  NL80211_FLAG_CLEAR_SKB,
15071 	},
15072 	{
15073 		.cmd = NL80211_CMD_DEL_PMK,
15074 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15075 		.doit = nl80211_del_pmk,
15076 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15077 				  NL80211_FLAG_NEED_RTNL,
15078 	},
15079 	{
15080 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
15081 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15082 		.doit = nl80211_external_auth,
15083 		.flags = GENL_ADMIN_PERM,
15084 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15085 				  NL80211_FLAG_NEED_RTNL,
15086 	},
15087 	{
15088 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
15089 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15090 		.doit = nl80211_tx_control_port,
15091 		.flags = GENL_UNS_ADMIN_PERM,
15092 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15093 				  NL80211_FLAG_NEED_RTNL,
15094 	},
15095 	{
15096 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
15097 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15098 		.doit = nl80211_get_ftm_responder_stats,
15099 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15100 				  NL80211_FLAG_NEED_RTNL,
15101 	},
15102 	{
15103 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
15104 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15105 		.doit = nl80211_pmsr_start,
15106 		.flags = GENL_UNS_ADMIN_PERM,
15107 		.internal_flags = NL80211_FLAG_NEED_WDEV_UP |
15108 				  NL80211_FLAG_NEED_RTNL,
15109 	},
15110 	{
15111 		.cmd = NL80211_CMD_NOTIFY_RADAR,
15112 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
15113 		.doit = nl80211_notify_radar_detection,
15114 		.flags = GENL_UNS_ADMIN_PERM,
15115 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15116 				  NL80211_FLAG_NEED_RTNL,
15117 	},
15118 	{
15119 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
15120 		.doit = nl80211_update_owe_info,
15121 		.flags = GENL_ADMIN_PERM,
15122 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15123 				  NL80211_FLAG_NEED_RTNL,
15124 	},
15125 	{
15126 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
15127 		.doit = nl80211_probe_mesh_link,
15128 		.flags = GENL_UNS_ADMIN_PERM,
15129 		.internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
15130 				  NL80211_FLAG_NEED_RTNL,
15131 	},
15132 	{
15133 		.cmd = NL80211_CMD_SET_TID_CONFIG,
15134 		.doit = nl80211_set_tid_config,
15135 		.flags = GENL_UNS_ADMIN_PERM,
15136 		.internal_flags = NL80211_FLAG_NEED_NETDEV |
15137 				  NL80211_FLAG_NEED_RTNL,
15138 	},
15139 };
15140 
15141 static struct genl_family nl80211_fam __ro_after_init = {
15142 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
15143 	.hdrsize = 0,			/* no private header */
15144 	.version = 1,			/* no particular meaning now */
15145 	.maxattr = NL80211_ATTR_MAX,
15146 	.policy = nl80211_policy,
15147 	.netnsok = true,
15148 	.pre_doit = nl80211_pre_doit,
15149 	.post_doit = nl80211_post_doit,
15150 	.module = THIS_MODULE,
15151 	.ops = nl80211_ops,
15152 	.n_ops = ARRAY_SIZE(nl80211_ops),
15153 	.mcgrps = nl80211_mcgrps,
15154 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
15155 	.parallel_ops = true,
15156 };
15157 
15158 /* notification functions */
15159 
15160 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
15161 			  enum nl80211_commands cmd)
15162 {
15163 	struct sk_buff *msg;
15164 	struct nl80211_dump_wiphy_state state = {};
15165 
15166 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
15167 		cmd != NL80211_CMD_DEL_WIPHY);
15168 
15169 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15170 	if (!msg)
15171 		return;
15172 
15173 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
15174 		nlmsg_free(msg);
15175 		return;
15176 	}
15177 
15178 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15179 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15180 }
15181 
15182 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
15183 				struct wireless_dev *wdev,
15184 				enum nl80211_commands cmd)
15185 {
15186 	struct sk_buff *msg;
15187 
15188 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15189 	if (!msg)
15190 		return;
15191 
15192 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
15193 		nlmsg_free(msg);
15194 		return;
15195 	}
15196 
15197 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15198 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
15199 }
15200 
15201 static int nl80211_add_scan_req(struct sk_buff *msg,
15202 				struct cfg80211_registered_device *rdev)
15203 {
15204 	struct cfg80211_scan_request *req = rdev->scan_req;
15205 	struct nlattr *nest;
15206 	int i;
15207 
15208 	if (WARN_ON(!req))
15209 		return 0;
15210 
15211 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
15212 	if (!nest)
15213 		goto nla_put_failure;
15214 	for (i = 0; i < req->n_ssids; i++) {
15215 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
15216 			goto nla_put_failure;
15217 	}
15218 	nla_nest_end(msg, nest);
15219 
15220 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
15221 	if (!nest)
15222 		goto nla_put_failure;
15223 	for (i = 0; i < req->n_channels; i++) {
15224 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
15225 			goto nla_put_failure;
15226 	}
15227 	nla_nest_end(msg, nest);
15228 
15229 	if (req->ie &&
15230 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
15231 		goto nla_put_failure;
15232 
15233 	if (req->flags &&
15234 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
15235 		goto nla_put_failure;
15236 
15237 	if (req->info.scan_start_tsf &&
15238 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
15239 			       req->info.scan_start_tsf, NL80211_BSS_PAD) ||
15240 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
15241 		     req->info.tsf_bssid)))
15242 		goto nla_put_failure;
15243 
15244 	return 0;
15245  nla_put_failure:
15246 	return -ENOBUFS;
15247 }
15248 
15249 static int nl80211_prep_scan_msg(struct sk_buff *msg,
15250 				 struct cfg80211_registered_device *rdev,
15251 				 struct wireless_dev *wdev,
15252 				 u32 portid, u32 seq, int flags,
15253 				 u32 cmd)
15254 {
15255 	void *hdr;
15256 
15257 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
15258 	if (!hdr)
15259 		return -1;
15260 
15261 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15262 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15263 					 wdev->netdev->ifindex)) ||
15264 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15265 			      NL80211_ATTR_PAD))
15266 		goto nla_put_failure;
15267 
15268 	/* ignore errors and send incomplete event anyway */
15269 	nl80211_add_scan_req(msg, rdev);
15270 
15271 	genlmsg_end(msg, hdr);
15272 	return 0;
15273 
15274  nla_put_failure:
15275 	genlmsg_cancel(msg, hdr);
15276 	return -EMSGSIZE;
15277 }
15278 
15279 static int
15280 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
15281 			    struct cfg80211_sched_scan_request *req, u32 cmd)
15282 {
15283 	void *hdr;
15284 
15285 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15286 	if (!hdr)
15287 		return -1;
15288 
15289 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
15290 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
15291 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
15292 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
15293 			      NL80211_ATTR_PAD))
15294 		goto nla_put_failure;
15295 
15296 	genlmsg_end(msg, hdr);
15297 	return 0;
15298 
15299  nla_put_failure:
15300 	genlmsg_cancel(msg, hdr);
15301 	return -EMSGSIZE;
15302 }
15303 
15304 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
15305 			     struct wireless_dev *wdev)
15306 {
15307 	struct sk_buff *msg;
15308 
15309 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15310 	if (!msg)
15311 		return;
15312 
15313 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15314 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
15315 		nlmsg_free(msg);
15316 		return;
15317 	}
15318 
15319 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15320 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15321 }
15322 
15323 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
15324 				       struct wireless_dev *wdev, bool aborted)
15325 {
15326 	struct sk_buff *msg;
15327 
15328 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15329 	if (!msg)
15330 		return NULL;
15331 
15332 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
15333 				  aborted ? NL80211_CMD_SCAN_ABORTED :
15334 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
15335 		nlmsg_free(msg);
15336 		return NULL;
15337 	}
15338 
15339 	return msg;
15340 }
15341 
15342 /* send message created by nl80211_build_scan_msg() */
15343 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
15344 			   struct sk_buff *msg)
15345 {
15346 	if (!msg)
15347 		return;
15348 
15349 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15350 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15351 }
15352 
15353 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
15354 {
15355 	struct sk_buff *msg;
15356 
15357 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15358 	if (!msg)
15359 		return;
15360 
15361 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
15362 		nlmsg_free(msg);
15363 		return;
15364 	}
15365 
15366 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
15367 				NL80211_MCGRP_SCAN, GFP_KERNEL);
15368 }
15369 
15370 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
15371 					  struct regulatory_request *request)
15372 {
15373 	/* Userspace can always count this one always being set */
15374 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
15375 		goto nla_put_failure;
15376 
15377 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
15378 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15379 			       NL80211_REGDOM_TYPE_WORLD))
15380 			goto nla_put_failure;
15381 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
15382 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15383 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
15384 			goto nla_put_failure;
15385 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
15386 		   request->intersect) {
15387 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15388 			       NL80211_REGDOM_TYPE_INTERSECTION))
15389 			goto nla_put_failure;
15390 	} else {
15391 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
15392 			       NL80211_REGDOM_TYPE_COUNTRY) ||
15393 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
15394 				   request->alpha2))
15395 			goto nla_put_failure;
15396 	}
15397 
15398 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
15399 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
15400 
15401 		if (wiphy &&
15402 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
15403 			goto nla_put_failure;
15404 
15405 		if (wiphy &&
15406 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
15407 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
15408 			goto nla_put_failure;
15409 	}
15410 
15411 	return true;
15412 
15413 nla_put_failure:
15414 	return false;
15415 }
15416 
15417 /*
15418  * This can happen on global regulatory changes or device specific settings
15419  * based on custom regulatory domains.
15420  */
15421 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
15422 				     struct regulatory_request *request)
15423 {
15424 	struct sk_buff *msg;
15425 	void *hdr;
15426 
15427 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15428 	if (!msg)
15429 		return;
15430 
15431 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
15432 	if (!hdr)
15433 		goto nla_put_failure;
15434 
15435 	if (!nl80211_reg_change_event_fill(msg, request))
15436 		goto nla_put_failure;
15437 
15438 	genlmsg_end(msg, hdr);
15439 
15440 	rcu_read_lock();
15441 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15442 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15443 	rcu_read_unlock();
15444 
15445 	return;
15446 
15447 nla_put_failure:
15448 	nlmsg_free(msg);
15449 }
15450 
15451 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
15452 				    struct net_device *netdev,
15453 				    const u8 *buf, size_t len,
15454 				    enum nl80211_commands cmd, gfp_t gfp,
15455 				    int uapsd_queues, const u8 *req_ies,
15456 				    size_t req_ies_len)
15457 {
15458 	struct sk_buff *msg;
15459 	void *hdr;
15460 
15461 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
15462 	if (!msg)
15463 		return;
15464 
15465 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15466 	if (!hdr) {
15467 		nlmsg_free(msg);
15468 		return;
15469 	}
15470 
15471 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15472 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15473 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
15474 	    (req_ies &&
15475 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
15476 		goto nla_put_failure;
15477 
15478 	if (uapsd_queues >= 0) {
15479 		struct nlattr *nla_wmm =
15480 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
15481 		if (!nla_wmm)
15482 			goto nla_put_failure;
15483 
15484 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
15485 			       uapsd_queues))
15486 			goto nla_put_failure;
15487 
15488 		nla_nest_end(msg, nla_wmm);
15489 	}
15490 
15491 	genlmsg_end(msg, hdr);
15492 
15493 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15494 				NL80211_MCGRP_MLME, gfp);
15495 	return;
15496 
15497  nla_put_failure:
15498 	nlmsg_free(msg);
15499 }
15500 
15501 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
15502 			  struct net_device *netdev, const u8 *buf,
15503 			  size_t len, gfp_t gfp)
15504 {
15505 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15506 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0);
15507 }
15508 
15509 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
15510 			   struct net_device *netdev, const u8 *buf,
15511 			   size_t len, gfp_t gfp, int uapsd_queues,
15512 			   const u8 *req_ies, size_t req_ies_len)
15513 {
15514 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15515 				NL80211_CMD_ASSOCIATE, gfp, uapsd_queues,
15516 				req_ies, req_ies_len);
15517 }
15518 
15519 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
15520 			 struct net_device *netdev, const u8 *buf,
15521 			 size_t len, gfp_t gfp)
15522 {
15523 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15524 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0);
15525 }
15526 
15527 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
15528 			   struct net_device *netdev, const u8 *buf,
15529 			   size_t len, gfp_t gfp)
15530 {
15531 	nl80211_send_mlme_event(rdev, netdev, buf, len,
15532 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0);
15533 }
15534 
15535 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
15536 				  size_t len)
15537 {
15538 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15539 	struct wiphy *wiphy = wdev->wiphy;
15540 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15541 	const struct ieee80211_mgmt *mgmt = (void *)buf;
15542 	u32 cmd;
15543 
15544 	if (WARN_ON(len < 2))
15545 		return;
15546 
15547 	if (ieee80211_is_deauth(mgmt->frame_control))
15548 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
15549 	else
15550 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
15551 
15552 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
15553 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
15554 				NULL, 0);
15555 }
15556 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
15557 
15558 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
15559 				      struct net_device *netdev, int cmd,
15560 				      const u8 *addr, gfp_t gfp)
15561 {
15562 	struct sk_buff *msg;
15563 	void *hdr;
15564 
15565 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15566 	if (!msg)
15567 		return;
15568 
15569 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15570 	if (!hdr) {
15571 		nlmsg_free(msg);
15572 		return;
15573 	}
15574 
15575 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15576 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15577 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15578 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
15579 		goto nla_put_failure;
15580 
15581 	genlmsg_end(msg, hdr);
15582 
15583 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15584 				NL80211_MCGRP_MLME, gfp);
15585 	return;
15586 
15587  nla_put_failure:
15588 	nlmsg_free(msg);
15589 }
15590 
15591 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
15592 			       struct net_device *netdev, const u8 *addr,
15593 			       gfp_t gfp)
15594 {
15595 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
15596 				  addr, gfp);
15597 }
15598 
15599 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
15600 				struct net_device *netdev, const u8 *addr,
15601 				gfp_t gfp)
15602 {
15603 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
15604 				  addr, gfp);
15605 }
15606 
15607 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
15608 				 struct net_device *netdev,
15609 				 struct cfg80211_connect_resp_params *cr,
15610 				 gfp_t gfp)
15611 {
15612 	struct sk_buff *msg;
15613 	void *hdr;
15614 
15615 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
15616 			cr->fils.kek_len + cr->fils.pmk_len +
15617 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15618 	if (!msg)
15619 		return;
15620 
15621 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
15622 	if (!hdr) {
15623 		nlmsg_free(msg);
15624 		return;
15625 	}
15626 
15627 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15628 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15629 	    (cr->bssid &&
15630 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, cr->bssid)) ||
15631 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
15632 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
15633 			cr->status) ||
15634 	    (cr->status < 0 &&
15635 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
15636 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
15637 			  cr->timeout_reason))) ||
15638 	    (cr->req_ie &&
15639 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
15640 	    (cr->resp_ie &&
15641 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
15642 		     cr->resp_ie)) ||
15643 	    (cr->fils.update_erp_next_seq_num &&
15644 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15645 			 cr->fils.erp_next_seq_num)) ||
15646 	    (cr->status == WLAN_STATUS_SUCCESS &&
15647 	     ((cr->fils.kek &&
15648 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
15649 		       cr->fils.kek)) ||
15650 	      (cr->fils.pmk &&
15651 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
15652 	      (cr->fils.pmkid &&
15653 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
15654 		goto nla_put_failure;
15655 
15656 	genlmsg_end(msg, hdr);
15657 
15658 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15659 				NL80211_MCGRP_MLME, gfp);
15660 	return;
15661 
15662  nla_put_failure:
15663 	nlmsg_free(msg);
15664 }
15665 
15666 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
15667 			 struct net_device *netdev,
15668 			 struct cfg80211_roam_info *info, gfp_t gfp)
15669 {
15670 	struct sk_buff *msg;
15671 	void *hdr;
15672 	const u8 *bssid = info->bss ? info->bss->bssid : info->bssid;
15673 
15674 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
15675 			info->fils.kek_len + info->fils.pmk_len +
15676 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0), gfp);
15677 	if (!msg)
15678 		return;
15679 
15680 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
15681 	if (!hdr) {
15682 		nlmsg_free(msg);
15683 		return;
15684 	}
15685 
15686 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15687 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15688 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid) ||
15689 	    (info->req_ie &&
15690 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
15691 		     info->req_ie)) ||
15692 	    (info->resp_ie &&
15693 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
15694 		     info->resp_ie)) ||
15695 	    (info->fils.update_erp_next_seq_num &&
15696 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
15697 			 info->fils.erp_next_seq_num)) ||
15698 	    (info->fils.kek &&
15699 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
15700 		     info->fils.kek)) ||
15701 	    (info->fils.pmk &&
15702 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
15703 	    (info->fils.pmkid &&
15704 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
15705 		goto nla_put_failure;
15706 
15707 	genlmsg_end(msg, hdr);
15708 
15709 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15710 				NL80211_MCGRP_MLME, gfp);
15711 	return;
15712 
15713  nla_put_failure:
15714 	nlmsg_free(msg);
15715 }
15716 
15717 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
15718 				  struct net_device *netdev, const u8 *bssid)
15719 {
15720 	struct sk_buff *msg;
15721 	void *hdr;
15722 
15723 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15724 	if (!msg)
15725 		return;
15726 
15727 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
15728 	if (!hdr) {
15729 		nlmsg_free(msg);
15730 		return;
15731 	}
15732 
15733 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15734 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15735 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15736 		goto nla_put_failure;
15737 
15738 	genlmsg_end(msg, hdr);
15739 
15740 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15741 				NL80211_MCGRP_MLME, GFP_KERNEL);
15742 	return;
15743 
15744  nla_put_failure:
15745 	nlmsg_free(msg);
15746 }
15747 
15748 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
15749 			       struct net_device *netdev, u16 reason,
15750 			       const u8 *ie, size_t ie_len, bool from_ap)
15751 {
15752 	struct sk_buff *msg;
15753 	void *hdr;
15754 
15755 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
15756 	if (!msg)
15757 		return;
15758 
15759 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
15760 	if (!hdr) {
15761 		nlmsg_free(msg);
15762 		return;
15763 	}
15764 
15765 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15766 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15767 	    (reason &&
15768 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
15769 	    (from_ap &&
15770 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
15771 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
15772 		goto nla_put_failure;
15773 
15774 	genlmsg_end(msg, hdr);
15775 
15776 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15777 				NL80211_MCGRP_MLME, GFP_KERNEL);
15778 	return;
15779 
15780  nla_put_failure:
15781 	nlmsg_free(msg);
15782 }
15783 
15784 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
15785 			     struct net_device *netdev, const u8 *bssid,
15786 			     gfp_t gfp)
15787 {
15788 	struct sk_buff *msg;
15789 	void *hdr;
15790 
15791 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15792 	if (!msg)
15793 		return;
15794 
15795 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
15796 	if (!hdr) {
15797 		nlmsg_free(msg);
15798 		return;
15799 	}
15800 
15801 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15802 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15803 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
15804 		goto nla_put_failure;
15805 
15806 	genlmsg_end(msg, hdr);
15807 
15808 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15809 				NL80211_MCGRP_MLME, gfp);
15810 	return;
15811 
15812  nla_put_failure:
15813 	nlmsg_free(msg);
15814 }
15815 
15816 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
15817 					const u8 *ie, u8 ie_len,
15818 					int sig_dbm, gfp_t gfp)
15819 {
15820 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15821 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
15822 	struct sk_buff *msg;
15823 	void *hdr;
15824 
15825 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
15826 		return;
15827 
15828 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
15829 
15830 	msg = nlmsg_new(100 + ie_len, gfp);
15831 	if (!msg)
15832 		return;
15833 
15834 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
15835 	if (!hdr) {
15836 		nlmsg_free(msg);
15837 		return;
15838 	}
15839 
15840 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15841 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
15842 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
15843 	    (ie_len && ie &&
15844 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
15845 	    (sig_dbm &&
15846 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
15847 		goto nla_put_failure;
15848 
15849 	genlmsg_end(msg, hdr);
15850 
15851 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15852 				NL80211_MCGRP_MLME, gfp);
15853 	return;
15854 
15855  nla_put_failure:
15856 	nlmsg_free(msg);
15857 }
15858 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
15859 
15860 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
15861 				 struct net_device *netdev, const u8 *addr,
15862 				 enum nl80211_key_type key_type, int key_id,
15863 				 const u8 *tsc, gfp_t gfp)
15864 {
15865 	struct sk_buff *msg;
15866 	void *hdr;
15867 
15868 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15869 	if (!msg)
15870 		return;
15871 
15872 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
15873 	if (!hdr) {
15874 		nlmsg_free(msg);
15875 		return;
15876 	}
15877 
15878 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15879 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
15880 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
15881 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
15882 	    (key_id != -1 &&
15883 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
15884 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
15885 		goto nla_put_failure;
15886 
15887 	genlmsg_end(msg, hdr);
15888 
15889 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15890 				NL80211_MCGRP_MLME, gfp);
15891 	return;
15892 
15893  nla_put_failure:
15894 	nlmsg_free(msg);
15895 }
15896 
15897 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
15898 				    struct ieee80211_channel *channel_before,
15899 				    struct ieee80211_channel *channel_after)
15900 {
15901 	struct sk_buff *msg;
15902 	void *hdr;
15903 	struct nlattr *nl_freq;
15904 
15905 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
15906 	if (!msg)
15907 		return;
15908 
15909 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
15910 	if (!hdr) {
15911 		nlmsg_free(msg);
15912 		return;
15913 	}
15914 
15915 	/*
15916 	 * Since we are applying the beacon hint to a wiphy we know its
15917 	 * wiphy_idx is valid
15918 	 */
15919 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
15920 		goto nla_put_failure;
15921 
15922 	/* Before */
15923 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
15924 	if (!nl_freq)
15925 		goto nla_put_failure;
15926 
15927 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
15928 		goto nla_put_failure;
15929 	nla_nest_end(msg, nl_freq);
15930 
15931 	/* After */
15932 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
15933 	if (!nl_freq)
15934 		goto nla_put_failure;
15935 
15936 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
15937 		goto nla_put_failure;
15938 	nla_nest_end(msg, nl_freq);
15939 
15940 	genlmsg_end(msg, hdr);
15941 
15942 	rcu_read_lock();
15943 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
15944 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
15945 	rcu_read_unlock();
15946 
15947 	return;
15948 
15949 nla_put_failure:
15950 	nlmsg_free(msg);
15951 }
15952 
15953 static void nl80211_send_remain_on_chan_event(
15954 	int cmd, struct cfg80211_registered_device *rdev,
15955 	struct wireless_dev *wdev, u64 cookie,
15956 	struct ieee80211_channel *chan,
15957 	unsigned int duration, gfp_t gfp)
15958 {
15959 	struct sk_buff *msg;
15960 	void *hdr;
15961 
15962 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
15963 	if (!msg)
15964 		return;
15965 
15966 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
15967 	if (!hdr) {
15968 		nlmsg_free(msg);
15969 		return;
15970 	}
15971 
15972 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15973 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
15974 					 wdev->netdev->ifindex)) ||
15975 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
15976 			      NL80211_ATTR_PAD) ||
15977 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
15978 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
15979 			NL80211_CHAN_NO_HT) ||
15980 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
15981 			      NL80211_ATTR_PAD))
15982 		goto nla_put_failure;
15983 
15984 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
15985 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
15986 		goto nla_put_failure;
15987 
15988 	genlmsg_end(msg, hdr);
15989 
15990 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
15991 				NL80211_MCGRP_MLME, gfp);
15992 	return;
15993 
15994  nla_put_failure:
15995 	nlmsg_free(msg);
15996 }
15997 
15998 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
15999 			       struct ieee80211_channel *chan,
16000 			       unsigned int duration, gfp_t gfp)
16001 {
16002 	struct wiphy *wiphy = wdev->wiphy;
16003 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16004 
16005 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
16006 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
16007 					  rdev, wdev, cookie, chan,
16008 					  duration, gfp);
16009 }
16010 EXPORT_SYMBOL(cfg80211_ready_on_channel);
16011 
16012 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
16013 					struct ieee80211_channel *chan,
16014 					gfp_t gfp)
16015 {
16016 	struct wiphy *wiphy = wdev->wiphy;
16017 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16018 
16019 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
16020 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
16021 					  rdev, wdev, cookie, chan, 0, gfp);
16022 }
16023 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
16024 
16025 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
16026 					struct ieee80211_channel *chan,
16027 					gfp_t gfp)
16028 {
16029 	struct wiphy *wiphy = wdev->wiphy;
16030 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16031 
16032 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
16033 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
16034 					  rdev, wdev, cookie, chan, 0, gfp);
16035 }
16036 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
16037 
16038 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
16039 		      struct station_info *sinfo, gfp_t gfp)
16040 {
16041 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16042 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16043 	struct sk_buff *msg;
16044 
16045 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
16046 
16047 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16048 	if (!msg)
16049 		return;
16050 
16051 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
16052 				 rdev, dev, mac_addr, sinfo) < 0) {
16053 		nlmsg_free(msg);
16054 		return;
16055 	}
16056 
16057 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16058 				NL80211_MCGRP_MLME, gfp);
16059 }
16060 EXPORT_SYMBOL(cfg80211_new_sta);
16061 
16062 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
16063 			    struct station_info *sinfo, gfp_t gfp)
16064 {
16065 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16066 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16067 	struct sk_buff *msg;
16068 	struct station_info empty_sinfo = {};
16069 
16070 	if (!sinfo)
16071 		sinfo = &empty_sinfo;
16072 
16073 	trace_cfg80211_del_sta(dev, mac_addr);
16074 
16075 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16076 	if (!msg) {
16077 		cfg80211_sinfo_release_content(sinfo);
16078 		return;
16079 	}
16080 
16081 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
16082 				 rdev, dev, mac_addr, sinfo) < 0) {
16083 		nlmsg_free(msg);
16084 		return;
16085 	}
16086 
16087 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16088 				NL80211_MCGRP_MLME, gfp);
16089 }
16090 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
16091 
16092 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
16093 			  enum nl80211_connect_failed_reason reason,
16094 			  gfp_t gfp)
16095 {
16096 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
16097 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16098 	struct sk_buff *msg;
16099 	void *hdr;
16100 
16101 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
16102 	if (!msg)
16103 		return;
16104 
16105 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
16106 	if (!hdr) {
16107 		nlmsg_free(msg);
16108 		return;
16109 	}
16110 
16111 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16112 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
16113 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
16114 		goto nla_put_failure;
16115 
16116 	genlmsg_end(msg, hdr);
16117 
16118 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16119 				NL80211_MCGRP_MLME, gfp);
16120 	return;
16121 
16122  nla_put_failure:
16123 	nlmsg_free(msg);
16124 }
16125 EXPORT_SYMBOL(cfg80211_conn_failed);
16126 
16127 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
16128 				       const u8 *addr, gfp_t gfp)
16129 {
16130 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16131 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16132 	struct sk_buff *msg;
16133 	void *hdr;
16134 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
16135 
16136 	if (!nlportid)
16137 		return false;
16138 
16139 	msg = nlmsg_new(100, gfp);
16140 	if (!msg)
16141 		return true;
16142 
16143 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
16144 	if (!hdr) {
16145 		nlmsg_free(msg);
16146 		return true;
16147 	}
16148 
16149 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16150 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16151 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
16152 		goto nla_put_failure;
16153 
16154 	genlmsg_end(msg, hdr);
16155 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16156 	return true;
16157 
16158  nla_put_failure:
16159 	nlmsg_free(msg);
16160 	return true;
16161 }
16162 
16163 bool cfg80211_rx_spurious_frame(struct net_device *dev,
16164 				const u8 *addr, gfp_t gfp)
16165 {
16166 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16167 	bool ret;
16168 
16169 	trace_cfg80211_rx_spurious_frame(dev, addr);
16170 
16171 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16172 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
16173 		trace_cfg80211_return_bool(false);
16174 		return false;
16175 	}
16176 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
16177 					 addr, gfp);
16178 	trace_cfg80211_return_bool(ret);
16179 	return ret;
16180 }
16181 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
16182 
16183 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
16184 					const u8 *addr, gfp_t gfp)
16185 {
16186 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16187 	bool ret;
16188 
16189 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
16190 
16191 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
16192 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
16193 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
16194 		trace_cfg80211_return_bool(false);
16195 		return false;
16196 	}
16197 	ret = __nl80211_unexpected_frame(dev,
16198 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
16199 					 addr, gfp);
16200 	trace_cfg80211_return_bool(ret);
16201 	return ret;
16202 }
16203 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
16204 
16205 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
16206 		      struct wireless_dev *wdev, u32 nlportid,
16207 		      int freq, int sig_dbm,
16208 		      const u8 *buf, size_t len, u32 flags, gfp_t gfp)
16209 {
16210 	struct net_device *netdev = wdev->netdev;
16211 	struct sk_buff *msg;
16212 	void *hdr;
16213 
16214 	msg = nlmsg_new(100 + len, gfp);
16215 	if (!msg)
16216 		return -ENOMEM;
16217 
16218 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16219 	if (!hdr) {
16220 		nlmsg_free(msg);
16221 		return -ENOMEM;
16222 	}
16223 
16224 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16225 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16226 					netdev->ifindex)) ||
16227 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16228 			      NL80211_ATTR_PAD) ||
16229 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq) ||
16230 	    (sig_dbm &&
16231 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16232 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16233 	    (flags &&
16234 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, flags)))
16235 		goto nla_put_failure;
16236 
16237 	genlmsg_end(msg, hdr);
16238 
16239 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16240 
16241  nla_put_failure:
16242 	nlmsg_free(msg);
16243 	return -ENOBUFS;
16244 }
16245 
16246 void cfg80211_mgmt_tx_status(struct wireless_dev *wdev, u64 cookie,
16247 			     const u8 *buf, size_t len, bool ack, gfp_t gfp)
16248 {
16249 	struct wiphy *wiphy = wdev->wiphy;
16250 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16251 	struct net_device *netdev = wdev->netdev;
16252 	struct sk_buff *msg;
16253 	void *hdr;
16254 
16255 	trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
16256 
16257 	msg = nlmsg_new(100 + len, gfp);
16258 	if (!msg)
16259 		return;
16260 
16261 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME_TX_STATUS);
16262 	if (!hdr) {
16263 		nlmsg_free(msg);
16264 		return;
16265 	}
16266 
16267 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16268 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16269 				   netdev->ifindex)) ||
16270 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16271 			      NL80211_ATTR_PAD) ||
16272 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
16273 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16274 			      NL80211_ATTR_PAD) ||
16275 	    (ack && nla_put_flag(msg, NL80211_ATTR_ACK)))
16276 		goto nla_put_failure;
16277 
16278 	genlmsg_end(msg, hdr);
16279 
16280 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16281 				NL80211_MCGRP_MLME, gfp);
16282 	return;
16283 
16284  nla_put_failure:
16285 	nlmsg_free(msg);
16286 }
16287 EXPORT_SYMBOL(cfg80211_mgmt_tx_status);
16288 
16289 static int __nl80211_rx_control_port(struct net_device *dev,
16290 				     struct sk_buff *skb,
16291 				     bool unencrypted, gfp_t gfp)
16292 {
16293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16294 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16295 	struct ethhdr *ehdr = eth_hdr(skb);
16296 	const u8 *addr = ehdr->h_source;
16297 	u16 proto = be16_to_cpu(skb->protocol);
16298 	struct sk_buff *msg;
16299 	void *hdr;
16300 	struct nlattr *frame;
16301 
16302 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
16303 
16304 	if (!nlportid)
16305 		return -ENOENT;
16306 
16307 	msg = nlmsg_new(100 + skb->len, gfp);
16308 	if (!msg)
16309 		return -ENOMEM;
16310 
16311 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
16312 	if (!hdr) {
16313 		nlmsg_free(msg);
16314 		return -ENOBUFS;
16315 	}
16316 
16317 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16318 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16319 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16320 			      NL80211_ATTR_PAD) ||
16321 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16322 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
16323 	    (unencrypted && nla_put_flag(msg,
16324 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
16325 		goto nla_put_failure;
16326 
16327 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
16328 	if (!frame)
16329 		goto nla_put_failure;
16330 
16331 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
16332 	genlmsg_end(msg, hdr);
16333 
16334 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
16335 
16336  nla_put_failure:
16337 	nlmsg_free(msg);
16338 	return -ENOBUFS;
16339 }
16340 
16341 bool cfg80211_rx_control_port(struct net_device *dev,
16342 			      struct sk_buff *skb, bool unencrypted)
16343 {
16344 	int ret;
16345 
16346 	trace_cfg80211_rx_control_port(dev, skb, unencrypted);
16347 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, GFP_ATOMIC);
16348 	trace_cfg80211_return_bool(ret == 0);
16349 	return ret == 0;
16350 }
16351 EXPORT_SYMBOL(cfg80211_rx_control_port);
16352 
16353 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
16354 					    const char *mac, gfp_t gfp)
16355 {
16356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16357 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16358 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16359 	void **cb;
16360 
16361 	if (!msg)
16362 		return NULL;
16363 
16364 	cb = (void **)msg->cb;
16365 
16366 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
16367 	if (!cb[0]) {
16368 		nlmsg_free(msg);
16369 		return NULL;
16370 	}
16371 
16372 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16373 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16374 		goto nla_put_failure;
16375 
16376 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16377 		goto nla_put_failure;
16378 
16379 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
16380 	if (!cb[1])
16381 		goto nla_put_failure;
16382 
16383 	cb[2] = rdev;
16384 
16385 	return msg;
16386  nla_put_failure:
16387 	nlmsg_free(msg);
16388 	return NULL;
16389 }
16390 
16391 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
16392 {
16393 	void **cb = (void **)msg->cb;
16394 	struct cfg80211_registered_device *rdev = cb[2];
16395 
16396 	nla_nest_end(msg, cb[1]);
16397 	genlmsg_end(msg, cb[0]);
16398 
16399 	memset(msg->cb, 0, sizeof(msg->cb));
16400 
16401 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16402 				NL80211_MCGRP_MLME, gfp);
16403 }
16404 
16405 void cfg80211_cqm_rssi_notify(struct net_device *dev,
16406 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
16407 			      s32 rssi_level, gfp_t gfp)
16408 {
16409 	struct sk_buff *msg;
16410 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16411 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16412 
16413 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
16414 
16415 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
16416 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
16417 		return;
16418 
16419 	if (wdev->cqm_config) {
16420 		wdev->cqm_config->last_rssi_event_value = rssi_level;
16421 
16422 		cfg80211_cqm_rssi_update(rdev, dev);
16423 
16424 		if (rssi_level == 0)
16425 			rssi_level = wdev->cqm_config->last_rssi_event_value;
16426 	}
16427 
16428 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16429 	if (!msg)
16430 		return;
16431 
16432 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
16433 			rssi_event))
16434 		goto nla_put_failure;
16435 
16436 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
16437 				      rssi_level))
16438 		goto nla_put_failure;
16439 
16440 	cfg80211_send_cqm(msg, gfp);
16441 
16442 	return;
16443 
16444  nla_put_failure:
16445 	nlmsg_free(msg);
16446 }
16447 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
16448 
16449 void cfg80211_cqm_txe_notify(struct net_device *dev,
16450 			     const u8 *peer, u32 num_packets,
16451 			     u32 rate, u32 intvl, gfp_t gfp)
16452 {
16453 	struct sk_buff *msg;
16454 
16455 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16456 	if (!msg)
16457 		return;
16458 
16459 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
16460 		goto nla_put_failure;
16461 
16462 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
16463 		goto nla_put_failure;
16464 
16465 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
16466 		goto nla_put_failure;
16467 
16468 	cfg80211_send_cqm(msg, gfp);
16469 	return;
16470 
16471  nla_put_failure:
16472 	nlmsg_free(msg);
16473 }
16474 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
16475 
16476 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
16477 				 const u8 *peer, u32 num_packets, gfp_t gfp)
16478 {
16479 	struct sk_buff *msg;
16480 
16481 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
16482 
16483 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
16484 	if (!msg)
16485 		return;
16486 
16487 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
16488 		goto nla_put_failure;
16489 
16490 	cfg80211_send_cqm(msg, gfp);
16491 	return;
16492 
16493  nla_put_failure:
16494 	nlmsg_free(msg);
16495 }
16496 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
16497 
16498 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
16499 {
16500 	struct sk_buff *msg;
16501 
16502 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
16503 	if (!msg)
16504 		return;
16505 
16506 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
16507 		goto nla_put_failure;
16508 
16509 	cfg80211_send_cqm(msg, gfp);
16510 	return;
16511 
16512  nla_put_failure:
16513 	nlmsg_free(msg);
16514 }
16515 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
16516 
16517 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
16518 				     struct net_device *netdev, const u8 *bssid,
16519 				     const u8 *replay_ctr, gfp_t gfp)
16520 {
16521 	struct sk_buff *msg;
16522 	struct nlattr *rekey_attr;
16523 	void *hdr;
16524 
16525 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16526 	if (!msg)
16527 		return;
16528 
16529 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
16530 	if (!hdr) {
16531 		nlmsg_free(msg);
16532 		return;
16533 	}
16534 
16535 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16536 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16537 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
16538 		goto nla_put_failure;
16539 
16540 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
16541 	if (!rekey_attr)
16542 		goto nla_put_failure;
16543 
16544 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
16545 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
16546 		goto nla_put_failure;
16547 
16548 	nla_nest_end(msg, rekey_attr);
16549 
16550 	genlmsg_end(msg, hdr);
16551 
16552 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16553 				NL80211_MCGRP_MLME, gfp);
16554 	return;
16555 
16556  nla_put_failure:
16557 	nlmsg_free(msg);
16558 }
16559 
16560 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
16561 			       const u8 *replay_ctr, gfp_t gfp)
16562 {
16563 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16564 	struct wiphy *wiphy = wdev->wiphy;
16565 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16566 
16567 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
16568 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
16569 }
16570 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
16571 
16572 static void
16573 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
16574 			       struct net_device *netdev, int index,
16575 			       const u8 *bssid, bool preauth, gfp_t gfp)
16576 {
16577 	struct sk_buff *msg;
16578 	struct nlattr *attr;
16579 	void *hdr;
16580 
16581 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16582 	if (!msg)
16583 		return;
16584 
16585 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
16586 	if (!hdr) {
16587 		nlmsg_free(msg);
16588 		return;
16589 	}
16590 
16591 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16592 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16593 		goto nla_put_failure;
16594 
16595 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
16596 	if (!attr)
16597 		goto nla_put_failure;
16598 
16599 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
16600 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
16601 	    (preauth &&
16602 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
16603 		goto nla_put_failure;
16604 
16605 	nla_nest_end(msg, attr);
16606 
16607 	genlmsg_end(msg, hdr);
16608 
16609 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16610 				NL80211_MCGRP_MLME, gfp);
16611 	return;
16612 
16613  nla_put_failure:
16614 	nlmsg_free(msg);
16615 }
16616 
16617 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
16618 				     const u8 *bssid, bool preauth, gfp_t gfp)
16619 {
16620 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16621 	struct wiphy *wiphy = wdev->wiphy;
16622 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16623 
16624 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
16625 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
16626 }
16627 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
16628 
16629 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
16630 				     struct net_device *netdev,
16631 				     struct cfg80211_chan_def *chandef,
16632 				     gfp_t gfp,
16633 				     enum nl80211_commands notif,
16634 				     u8 count)
16635 {
16636 	struct sk_buff *msg;
16637 	void *hdr;
16638 
16639 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16640 	if (!msg)
16641 		return;
16642 
16643 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
16644 	if (!hdr) {
16645 		nlmsg_free(msg);
16646 		return;
16647 	}
16648 
16649 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
16650 		goto nla_put_failure;
16651 
16652 	if (nl80211_send_chandef(msg, chandef))
16653 		goto nla_put_failure;
16654 
16655 	if ((notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) &&
16656 	    (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count)))
16657 			goto nla_put_failure;
16658 
16659 	genlmsg_end(msg, hdr);
16660 
16661 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16662 				NL80211_MCGRP_MLME, gfp);
16663 	return;
16664 
16665  nla_put_failure:
16666 	nlmsg_free(msg);
16667 }
16668 
16669 void cfg80211_ch_switch_notify(struct net_device *dev,
16670 			       struct cfg80211_chan_def *chandef)
16671 {
16672 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16673 	struct wiphy *wiphy = wdev->wiphy;
16674 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16675 
16676 	ASSERT_WDEV_LOCK(wdev);
16677 
16678 	trace_cfg80211_ch_switch_notify(dev, chandef);
16679 
16680 	wdev->chandef = *chandef;
16681 	wdev->preset_chandef = *chandef;
16682 
16683 	if (wdev->iftype == NL80211_IFTYPE_STATION &&
16684 	    !WARN_ON(!wdev->current_bss))
16685 		cfg80211_update_assoc_bss_entry(wdev, chandef->chan);
16686 
16687 	cfg80211_sched_dfs_chan_update(rdev);
16688 
16689 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16690 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
16691 }
16692 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
16693 
16694 void cfg80211_ch_switch_started_notify(struct net_device *dev,
16695 				       struct cfg80211_chan_def *chandef,
16696 				       u8 count)
16697 {
16698 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16699 	struct wiphy *wiphy = wdev->wiphy;
16700 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16701 
16702 	trace_cfg80211_ch_switch_started_notify(dev, chandef);
16703 
16704 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
16705 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY, count);
16706 }
16707 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
16708 
16709 void
16710 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
16711 		     const struct cfg80211_chan_def *chandef,
16712 		     enum nl80211_radar_event event,
16713 		     struct net_device *netdev, gfp_t gfp)
16714 {
16715 	struct sk_buff *msg;
16716 	void *hdr;
16717 
16718 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16719 	if (!msg)
16720 		return;
16721 
16722 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
16723 	if (!hdr) {
16724 		nlmsg_free(msg);
16725 		return;
16726 	}
16727 
16728 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16729 		goto nla_put_failure;
16730 
16731 	/* NOP and radar events don't need a netdev parameter */
16732 	if (netdev) {
16733 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
16734 
16735 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
16736 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16737 				      NL80211_ATTR_PAD))
16738 			goto nla_put_failure;
16739 	}
16740 
16741 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
16742 		goto nla_put_failure;
16743 
16744 	if (nl80211_send_chandef(msg, chandef))
16745 		goto nla_put_failure;
16746 
16747 	genlmsg_end(msg, hdr);
16748 
16749 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16750 				NL80211_MCGRP_MLME, gfp);
16751 	return;
16752 
16753  nla_put_failure:
16754 	nlmsg_free(msg);
16755 }
16756 
16757 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
16758 				       struct sta_opmode_info *sta_opmode,
16759 				       gfp_t gfp)
16760 {
16761 	struct sk_buff *msg;
16762 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16763 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16764 	void *hdr;
16765 
16766 	if (WARN_ON(!mac))
16767 		return;
16768 
16769 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16770 	if (!msg)
16771 		return;
16772 
16773 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
16774 	if (!hdr) {
16775 		nlmsg_free(msg);
16776 		return;
16777 	}
16778 
16779 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
16780 		goto nla_put_failure;
16781 
16782 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
16783 		goto nla_put_failure;
16784 
16785 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
16786 		goto nla_put_failure;
16787 
16788 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
16789 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
16790 		goto nla_put_failure;
16791 
16792 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
16793 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
16794 		goto nla_put_failure;
16795 
16796 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
16797 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
16798 		goto nla_put_failure;
16799 
16800 	genlmsg_end(msg, hdr);
16801 
16802 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16803 				NL80211_MCGRP_MLME, gfp);
16804 
16805 	return;
16806 
16807 nla_put_failure:
16808 	nlmsg_free(msg);
16809 }
16810 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
16811 
16812 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
16813 			   u64 cookie, bool acked, s32 ack_signal,
16814 			   bool is_valid_ack_signal, gfp_t gfp)
16815 {
16816 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16817 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16818 	struct sk_buff *msg;
16819 	void *hdr;
16820 
16821 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
16822 
16823 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
16824 
16825 	if (!msg)
16826 		return;
16827 
16828 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
16829 	if (!hdr) {
16830 		nlmsg_free(msg);
16831 		return;
16832 	}
16833 
16834 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16835 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
16836 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
16837 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
16838 			      NL80211_ATTR_PAD) ||
16839 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
16840 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
16841 						ack_signal)))
16842 		goto nla_put_failure;
16843 
16844 	genlmsg_end(msg, hdr);
16845 
16846 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
16847 				NL80211_MCGRP_MLME, gfp);
16848 	return;
16849 
16850  nla_put_failure:
16851 	nlmsg_free(msg);
16852 }
16853 EXPORT_SYMBOL(cfg80211_probe_status);
16854 
16855 void cfg80211_report_obss_beacon(struct wiphy *wiphy,
16856 				 const u8 *frame, size_t len,
16857 				 int freq, int sig_dbm)
16858 {
16859 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
16860 	struct sk_buff *msg;
16861 	void *hdr;
16862 	struct cfg80211_beacon_registration *reg;
16863 
16864 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
16865 
16866 	spin_lock_bh(&rdev->beacon_registrations_lock);
16867 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
16868 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
16869 		if (!msg) {
16870 			spin_unlock_bh(&rdev->beacon_registrations_lock);
16871 			return;
16872 		}
16873 
16874 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
16875 		if (!hdr)
16876 			goto nla_put_failure;
16877 
16878 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16879 		    (freq &&
16880 		     nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, freq)) ||
16881 		    (sig_dbm &&
16882 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
16883 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
16884 			goto nla_put_failure;
16885 
16886 		genlmsg_end(msg, hdr);
16887 
16888 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
16889 	}
16890 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16891 	return;
16892 
16893  nla_put_failure:
16894 	spin_unlock_bh(&rdev->beacon_registrations_lock);
16895 	nlmsg_free(msg);
16896 }
16897 EXPORT_SYMBOL(cfg80211_report_obss_beacon);
16898 
16899 #ifdef CONFIG_PM
16900 static int cfg80211_net_detect_results(struct sk_buff *msg,
16901 				       struct cfg80211_wowlan_wakeup *wakeup)
16902 {
16903 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
16904 	struct nlattr *nl_results, *nl_match, *nl_freqs;
16905 	int i, j;
16906 
16907 	nl_results = nla_nest_start_noflag(msg,
16908 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
16909 	if (!nl_results)
16910 		return -EMSGSIZE;
16911 
16912 	for (i = 0; i < nd->n_matches; i++) {
16913 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
16914 
16915 		nl_match = nla_nest_start_noflag(msg, i);
16916 		if (!nl_match)
16917 			break;
16918 
16919 		/* The SSID attribute is optional in nl80211, but for
16920 		 * simplicity reasons it's always present in the
16921 		 * cfg80211 structure.  If a driver can't pass the
16922 		 * SSID, that needs to be changed.  A zero length SSID
16923 		 * is still a valid SSID (wildcard), so it cannot be
16924 		 * used for this purpose.
16925 		 */
16926 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
16927 			    match->ssid.ssid)) {
16928 			nla_nest_cancel(msg, nl_match);
16929 			goto out;
16930 		}
16931 
16932 		if (match->n_channels) {
16933 			nl_freqs = nla_nest_start_noflag(msg,
16934 							 NL80211_ATTR_SCAN_FREQUENCIES);
16935 			if (!nl_freqs) {
16936 				nla_nest_cancel(msg, nl_match);
16937 				goto out;
16938 			}
16939 
16940 			for (j = 0; j < match->n_channels; j++) {
16941 				if (nla_put_u32(msg, j, match->channels[j])) {
16942 					nla_nest_cancel(msg, nl_freqs);
16943 					nla_nest_cancel(msg, nl_match);
16944 					goto out;
16945 				}
16946 			}
16947 
16948 			nla_nest_end(msg, nl_freqs);
16949 		}
16950 
16951 		nla_nest_end(msg, nl_match);
16952 	}
16953 
16954 out:
16955 	nla_nest_end(msg, nl_results);
16956 	return 0;
16957 }
16958 
16959 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
16960 				   struct cfg80211_wowlan_wakeup *wakeup,
16961 				   gfp_t gfp)
16962 {
16963 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
16964 	struct sk_buff *msg;
16965 	void *hdr;
16966 	int size = 200;
16967 
16968 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
16969 
16970 	if (wakeup)
16971 		size += wakeup->packet_present_len;
16972 
16973 	msg = nlmsg_new(size, gfp);
16974 	if (!msg)
16975 		return;
16976 
16977 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
16978 	if (!hdr)
16979 		goto free_msg;
16980 
16981 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
16982 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
16983 			      NL80211_ATTR_PAD))
16984 		goto free_msg;
16985 
16986 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
16987 					wdev->netdev->ifindex))
16988 		goto free_msg;
16989 
16990 	if (wakeup) {
16991 		struct nlattr *reasons;
16992 
16993 		reasons = nla_nest_start_noflag(msg,
16994 						NL80211_ATTR_WOWLAN_TRIGGERS);
16995 		if (!reasons)
16996 			goto free_msg;
16997 
16998 		if (wakeup->disconnect &&
16999 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
17000 			goto free_msg;
17001 		if (wakeup->magic_pkt &&
17002 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
17003 			goto free_msg;
17004 		if (wakeup->gtk_rekey_failure &&
17005 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
17006 			goto free_msg;
17007 		if (wakeup->eap_identity_req &&
17008 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
17009 			goto free_msg;
17010 		if (wakeup->four_way_handshake &&
17011 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
17012 			goto free_msg;
17013 		if (wakeup->rfkill_release &&
17014 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
17015 			goto free_msg;
17016 
17017 		if (wakeup->pattern_idx >= 0 &&
17018 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
17019 				wakeup->pattern_idx))
17020 			goto free_msg;
17021 
17022 		if (wakeup->tcp_match &&
17023 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
17024 			goto free_msg;
17025 
17026 		if (wakeup->tcp_connlost &&
17027 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
17028 			goto free_msg;
17029 
17030 		if (wakeup->tcp_nomoretokens &&
17031 		    nla_put_flag(msg,
17032 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
17033 			goto free_msg;
17034 
17035 		if (wakeup->packet) {
17036 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
17037 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
17038 
17039 			if (!wakeup->packet_80211) {
17040 				pkt_attr =
17041 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
17042 				len_attr =
17043 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
17044 			}
17045 
17046 			if (wakeup->packet_len &&
17047 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
17048 				goto free_msg;
17049 
17050 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
17051 				    wakeup->packet))
17052 				goto free_msg;
17053 		}
17054 
17055 		if (wakeup->net_detect &&
17056 		    cfg80211_net_detect_results(msg, wakeup))
17057 				goto free_msg;
17058 
17059 		nla_nest_end(msg, reasons);
17060 	}
17061 
17062 	genlmsg_end(msg, hdr);
17063 
17064 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17065 				NL80211_MCGRP_MLME, gfp);
17066 	return;
17067 
17068  free_msg:
17069 	nlmsg_free(msg);
17070 }
17071 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
17072 #endif
17073 
17074 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
17075 				enum nl80211_tdls_operation oper,
17076 				u16 reason_code, gfp_t gfp)
17077 {
17078 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17079 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17080 	struct sk_buff *msg;
17081 	void *hdr;
17082 
17083 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
17084 					 reason_code);
17085 
17086 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17087 	if (!msg)
17088 		return;
17089 
17090 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
17091 	if (!hdr) {
17092 		nlmsg_free(msg);
17093 		return;
17094 	}
17095 
17096 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17097 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17098 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
17099 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
17100 	    (reason_code > 0 &&
17101 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
17102 		goto nla_put_failure;
17103 
17104 	genlmsg_end(msg, hdr);
17105 
17106 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17107 				NL80211_MCGRP_MLME, gfp);
17108 	return;
17109 
17110  nla_put_failure:
17111 	nlmsg_free(msg);
17112 }
17113 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
17114 
17115 static int nl80211_netlink_notify(struct notifier_block * nb,
17116 				  unsigned long state,
17117 				  void *_notify)
17118 {
17119 	struct netlink_notify *notify = _notify;
17120 	struct cfg80211_registered_device *rdev;
17121 	struct wireless_dev *wdev;
17122 	struct cfg80211_beacon_registration *reg, *tmp;
17123 
17124 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
17125 		return NOTIFY_DONE;
17126 
17127 	rcu_read_lock();
17128 
17129 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
17130 		struct cfg80211_sched_scan_request *sched_scan_req;
17131 
17132 		list_for_each_entry_rcu(sched_scan_req,
17133 					&rdev->sched_scan_req_list,
17134 					list) {
17135 			if (sched_scan_req->owner_nlportid == notify->portid) {
17136 				sched_scan_req->nl_owner_dead = true;
17137 				schedule_work(&rdev->sched_scan_stop_wk);
17138 			}
17139 		}
17140 
17141 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
17142 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
17143 
17144 			if (wdev->owner_nlportid == notify->portid) {
17145 				wdev->nl_owner_dead = true;
17146 				schedule_work(&rdev->destroy_work);
17147 			} else if (wdev->conn_owner_nlportid == notify->portid) {
17148 				schedule_work(&wdev->disconnect_wk);
17149 			}
17150 
17151 			cfg80211_release_pmsr(wdev, notify->portid);
17152 		}
17153 
17154 		spin_lock_bh(&rdev->beacon_registrations_lock);
17155 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
17156 					 list) {
17157 			if (reg->nlportid == notify->portid) {
17158 				list_del(&reg->list);
17159 				kfree(reg);
17160 				break;
17161 			}
17162 		}
17163 		spin_unlock_bh(&rdev->beacon_registrations_lock);
17164 	}
17165 
17166 	rcu_read_unlock();
17167 
17168 	/*
17169 	 * It is possible that the user space process that is controlling the
17170 	 * indoor setting disappeared, so notify the regulatory core.
17171 	 */
17172 	regulatory_netlink_notify(notify->portid);
17173 	return NOTIFY_OK;
17174 }
17175 
17176 static struct notifier_block nl80211_netlink_notifier = {
17177 	.notifier_call = nl80211_netlink_notify,
17178 };
17179 
17180 void cfg80211_ft_event(struct net_device *netdev,
17181 		       struct cfg80211_ft_event_params *ft_event)
17182 {
17183 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17184 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17185 	struct sk_buff *msg;
17186 	void *hdr;
17187 
17188 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
17189 
17190 	if (!ft_event->target_ap)
17191 		return;
17192 
17193 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
17194 			GFP_KERNEL);
17195 	if (!msg)
17196 		return;
17197 
17198 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
17199 	if (!hdr)
17200 		goto out;
17201 
17202 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17203 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17204 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
17205 		goto out;
17206 
17207 	if (ft_event->ies &&
17208 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
17209 		goto out;
17210 	if (ft_event->ric_ies &&
17211 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
17212 		    ft_event->ric_ies))
17213 		goto out;
17214 
17215 	genlmsg_end(msg, hdr);
17216 
17217 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17218 				NL80211_MCGRP_MLME, GFP_KERNEL);
17219 	return;
17220  out:
17221 	nlmsg_free(msg);
17222 }
17223 EXPORT_SYMBOL(cfg80211_ft_event);
17224 
17225 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
17226 {
17227 	struct cfg80211_registered_device *rdev;
17228 	struct sk_buff *msg;
17229 	void *hdr;
17230 	u32 nlportid;
17231 
17232 	rdev = wiphy_to_rdev(wdev->wiphy);
17233 	if (!rdev->crit_proto_nlportid)
17234 		return;
17235 
17236 	nlportid = rdev->crit_proto_nlportid;
17237 	rdev->crit_proto_nlportid = 0;
17238 
17239 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17240 	if (!msg)
17241 		return;
17242 
17243 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
17244 	if (!hdr)
17245 		goto nla_put_failure;
17246 
17247 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17248 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17249 			      NL80211_ATTR_PAD))
17250 		goto nla_put_failure;
17251 
17252 	genlmsg_end(msg, hdr);
17253 
17254 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
17255 	return;
17256 
17257  nla_put_failure:
17258 	nlmsg_free(msg);
17259 }
17260 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
17261 
17262 void nl80211_send_ap_stopped(struct wireless_dev *wdev)
17263 {
17264 	struct wiphy *wiphy = wdev->wiphy;
17265 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17266 	struct sk_buff *msg;
17267 	void *hdr;
17268 
17269 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17270 	if (!msg)
17271 		return;
17272 
17273 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
17274 	if (!hdr)
17275 		goto out;
17276 
17277 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17278 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
17279 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17280 			      NL80211_ATTR_PAD))
17281 		goto out;
17282 
17283 	genlmsg_end(msg, hdr);
17284 
17285 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
17286 				NL80211_MCGRP_MLME, GFP_KERNEL);
17287 	return;
17288  out:
17289 	nlmsg_free(msg);
17290 }
17291 
17292 int cfg80211_external_auth_request(struct net_device *dev,
17293 				   struct cfg80211_external_auth_params *params,
17294 				   gfp_t gfp)
17295 {
17296 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17297 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
17298 	struct sk_buff *msg;
17299 	void *hdr;
17300 
17301 	if (!wdev->conn_owner_nlportid)
17302 		return -EINVAL;
17303 
17304 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17305 	if (!msg)
17306 		return -ENOMEM;
17307 
17308 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
17309 	if (!hdr)
17310 		goto nla_put_failure;
17311 
17312 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17313 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
17314 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
17315 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
17316 			params->action) ||
17317 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
17318 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
17319 		    params->ssid.ssid))
17320 		goto nla_put_failure;
17321 
17322 	genlmsg_end(msg, hdr);
17323 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
17324 			wdev->conn_owner_nlportid);
17325 	return 0;
17326 
17327  nla_put_failure:
17328 	nlmsg_free(msg);
17329 	return -ENOBUFS;
17330 }
17331 EXPORT_SYMBOL(cfg80211_external_auth_request);
17332 
17333 void cfg80211_update_owe_info_event(struct net_device *netdev,
17334 				    struct cfg80211_update_owe_info *owe_info,
17335 				    gfp_t gfp)
17336 {
17337 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
17338 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17339 	struct sk_buff *msg;
17340 	void *hdr;
17341 
17342 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
17343 
17344 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17345 	if (!msg)
17346 		return;
17347 
17348 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
17349 	if (!hdr)
17350 		goto nla_put_failure;
17351 
17352 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17353 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17354 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
17355 		goto nla_put_failure;
17356 
17357 	if (!owe_info->ie_len ||
17358 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
17359 		goto nla_put_failure;
17360 
17361 	genlmsg_end(msg, hdr);
17362 
17363 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17364 				NL80211_MCGRP_MLME, gfp);
17365 	return;
17366 
17367 nla_put_failure:
17368 	genlmsg_cancel(msg, hdr);
17369 	nlmsg_free(msg);
17370 }
17371 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
17372 
17373 /* initialisation/exit functions */
17374 
17375 int __init nl80211_init(void)
17376 {
17377 	int err;
17378 
17379 	err = genl_register_family(&nl80211_fam);
17380 	if (err)
17381 		return err;
17382 
17383 	err = netlink_register_notifier(&nl80211_netlink_notifier);
17384 	if (err)
17385 		goto err_out;
17386 
17387 	return 0;
17388  err_out:
17389 	genl_unregister_family(&nl80211_fam);
17390 	return err;
17391 }
17392 
17393 void nl80211_exit(void)
17394 {
17395 	netlink_unregister_notifier(&nl80211_netlink_notifier);
17396 	genl_unregister_family(&nl80211_fam);
17397 }
17398