xref: /openbmc/linux/net/wireless/nl80211.c (revision 2ad66fcb) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2022 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
471 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
472 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
474 				      .len = 20-1 },
475 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
476 
477 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
478 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
479 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
480 						NL80211_EDMG_CHANNELS_MIN,
481 						NL80211_EDMG_CHANNELS_MAX),
482 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
483 						NL80211_EDMG_BW_CONFIG_MIN,
484 						NL80211_EDMG_BW_CONFIG_MAX),
485 
486 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
487 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
488 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
489 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
490 
491 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
492 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
493 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
494 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
495 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
496 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
497 
498 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
499 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
500 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
501 
502 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
503 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504 
505 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
506 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
507 				    .len = WLAN_MAX_KEY_LEN },
508 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
509 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
510 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
511 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
512 	[NL80211_ATTR_KEY_TYPE] =
513 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
514 
515 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
516 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
517 	[NL80211_ATTR_BEACON_HEAD] =
518 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
519 				       IEEE80211_MAX_DATA_LEN),
520 	[NL80211_ATTR_BEACON_TAIL] =
521 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
522 				       IEEE80211_MAX_DATA_LEN),
523 	[NL80211_ATTR_STA_AID] =
524 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
525 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
526 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
527 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
528 					       .len = NL80211_MAX_SUPP_RATES },
529 	[NL80211_ATTR_STA_PLINK_ACTION] =
530 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
531 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
532 		NLA_POLICY_RANGE(NLA_U8,
533 				 NL80211_TX_POWER_AUTOMATIC,
534 				 NL80211_TX_POWER_FIXED),
535 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
536 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
537 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
538 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
539 				   .len = IEEE80211_MAX_MESH_ID_LEN },
540 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
541 
542 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
543 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
544 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
545 
546 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
547 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
549 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
550 					   .len = NL80211_MAX_SUPP_RATES },
551 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
552 
553 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
554 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
555 
556 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
557 
558 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
559 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
560 						   validate_ie_attr,
561 						   IEEE80211_MAX_DATA_LEN),
562 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
563 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
566 				.len = IEEE80211_MAX_SSID_LEN },
567 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
568 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
569 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
572 						  NL80211_MFP_NO,
573 						  NL80211_MFP_OPTIONAL),
574 	[NL80211_ATTR_STA_FLAGS2] =
575 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
576 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
577 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
578 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
579 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
584 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
585 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
586 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
587 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
588 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
589 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
590 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
591 				 .len = IEEE80211_MAX_DATA_LEN },
592 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
593 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
594 						   NL80211_PS_DISABLED,
595 						   NL80211_PS_ENABLED),
596 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
597 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
599 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
600 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
601 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
602 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
603 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
604 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
605 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
608 	[NL80211_ATTR_STA_PLINK_STATE] =
609 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
610 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
611 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
612 	[NL80211_ATTR_MESH_PEER_AID] =
613 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
614 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
615 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
617 	[NL80211_ATTR_HIDDEN_SSID] =
618 		NLA_POLICY_RANGE(NLA_U32,
619 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
620 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
621 	[NL80211_ATTR_IE_PROBE_RESP] =
622 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
623 				       IEEE80211_MAX_DATA_LEN),
624 	[NL80211_ATTR_IE_ASSOC_RESP] =
625 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
626 				       IEEE80211_MAX_DATA_LEN),
627 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
628 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
629 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
630 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
632 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
633 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
634 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
638 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
639 				      .len = IEEE80211_MAX_DATA_LEN },
640 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
641 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
642 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
643 		.len = NL80211_HT_CAPABILITY_LEN
644 	},
645 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
646 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
647 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
648 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
649 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
650 
651 	/* need to include at least Auth Transaction and Status Code */
652 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
653 
654 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
655 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
656 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
657 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
658 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
659 		NLA_POLICY_RANGE(NLA_U32,
660 				 NL80211_MESH_POWER_UNKNOWN + 1,
661 				 NL80211_MESH_POWER_MAX),
662 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
663 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
664 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
665 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
666 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
667 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
668 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
669 		.len = NL80211_VHT_CAPABILITY_LEN,
670 	},
671 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
672 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
673 				  .len = IEEE80211_MAX_DATA_LEN },
674 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
675 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
676 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
677 	[NL80211_ATTR_PEER_AID] =
678 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
679 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
680 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
682 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
683 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
684 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
685 	/*
686 	 * The value of the Length field of the Supported Operating
687 	 * Classes element is between 2 and 253.
688 	 */
689 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
690 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
691 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
693 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
694 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
695 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
696 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
697 						  IEEE80211_QOS_MAP_LEN_MIN,
698 						  IEEE80211_QOS_MAP_LEN_MAX),
699 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
700 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
701 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
702 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
703 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
706 	[NL80211_ATTR_USER_PRIO] =
707 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
708 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
709 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
710 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
711 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
712 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
714 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
715 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
716 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
718 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
719 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
720 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
721 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
722 	},
723 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
724 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
725 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
726 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
727 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
728 				    .len = FILS_MAX_KEK_LEN },
729 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
730 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
731 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
733 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
734 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
735 	},
736 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
737 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
738 					     .len = FILS_ERP_MAX_USERNAME_LEN },
739 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
740 					  .len = FILS_ERP_MAX_REALM_LEN },
741 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
742 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
743 					.len = FILS_ERP_MAX_RRK_LEN },
744 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
745 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
746 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
747 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
748 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
749 
750 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
751 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
752 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
753 	[NL80211_ATTR_HE_CAPABILITY] =
754 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
755 				       NL80211_HE_MAX_CAPABILITY_LEN),
756 	[NL80211_ATTR_FTM_RESPONDER] =
757 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
758 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
759 	[NL80211_ATTR_PEER_MEASUREMENTS] =
760 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
761 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
762 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
763 					.len = SAE_PASSWORD_MAX_LEN },
764 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
765 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
766 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
767 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
768 	[NL80211_ATTR_TID_CONFIG] =
769 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
770 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
771 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
772 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
773 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
774 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
775 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
776 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
777 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
778 	[NL80211_ATTR_FILS_DISCOVERY] =
779 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
780 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
781 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
782 	[NL80211_ATTR_S1G_CAPABILITY] =
783 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
784 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
785 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
786 	[NL80211_ATTR_SAE_PWE] =
787 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
788 				 NL80211_SAE_PWE_BOTH),
789 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
790 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
791 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
792 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
793 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
794 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
795 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
796 	[NL80211_ATTR_MBSSID_CONFIG] =
797 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
798 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
799 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
801 	[NL80211_ATTR_EHT_CAPABILITY] =
802 		NLA_POLICY_RANGE(NLA_BINARY,
803 				 NL80211_EHT_MIN_CAPABILITY_LEN,
804 				 NL80211_EHT_MAX_CAPABILITY_LEN),
805 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
806 	[NL80211_ATTR_MLO_LINKS] =
807 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
808 	[NL80211_ATTR_MLO_LINK_ID] =
809 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
810 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
811 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
812 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
813 	[NL80211_ATTR_PUNCT_BITMAP] =
814 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
815 
816 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
817 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
818 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
819 };
820 
821 /* policy for the key attributes */
822 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
823 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
824 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
825 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
826 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
827 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
828 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
829 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
830 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
831 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
832 };
833 
834 /* policy for the key default flags */
835 static const struct nla_policy
836 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
837 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
838 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
839 };
840 
841 #ifdef CONFIG_PM
842 /* policy for WoWLAN attributes */
843 static const struct nla_policy
844 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
845 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
846 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
847 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
848 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
849 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
850 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
851 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
852 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
853 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
854 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
855 };
856 
857 static const struct nla_policy
858 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
859 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
860 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
861 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
862 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
863 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
864 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
865 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
866 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
867 	},
868 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
869 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
870 	},
871 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
872 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
873 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
874 };
875 #endif /* CONFIG_PM */
876 
877 /* policy for coalesce rule attributes */
878 static const struct nla_policy
879 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
880 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
881 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
882 		NLA_POLICY_RANGE(NLA_U32,
883 				 NL80211_COALESCE_CONDITION_MATCH,
884 				 NL80211_COALESCE_CONDITION_NO_MATCH),
885 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
886 };
887 
888 /* policy for GTK rekey offload attributes */
889 static const struct nla_policy
890 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
891 	[NL80211_REKEY_DATA_KEK] = {
892 		.type = NLA_BINARY,
893 		.len = NL80211_KEK_EXT_LEN
894 	},
895 	[NL80211_REKEY_DATA_KCK] = {
896 		.type = NLA_BINARY,
897 		.len = NL80211_KCK_EXT_LEN_32
898 	},
899 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
900 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
901 };
902 
903 static const struct nla_policy
904 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
905 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
906 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
907 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
908 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
909 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
910 };
911 
912 static const struct nla_policy
913 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
914 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
915 						 .len = IEEE80211_MAX_SSID_LEN },
916 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
917 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
918 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
919 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
920 };
921 
922 static const struct nla_policy
923 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
924 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
925 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
926 };
927 
928 static const struct nla_policy
929 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
930 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
931 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
932 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
933 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
934 	},
935 };
936 
937 /* policy for NAN function attributes */
938 static const struct nla_policy
939 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
940 	[NL80211_NAN_FUNC_TYPE] =
941 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
942 	[NL80211_NAN_FUNC_SERVICE_ID] = {
943 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
944 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
945 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
946 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
947 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
948 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
950 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
951 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
952 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
953 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
954 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
955 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
956 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
958 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
959 };
960 
961 /* policy for Service Response Filter attributes */
962 static const struct nla_policy
963 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
964 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
965 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
966 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
967 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
968 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
969 };
970 
971 /* policy for packet pattern attributes */
972 static const struct nla_policy
973 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
974 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
975 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
976 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
977 };
978 
979 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
980 				     struct cfg80211_registered_device **rdev,
981 				     struct wireless_dev **wdev,
982 				     struct nlattr **attrbuf)
983 {
984 	int err;
985 
986 	if (!cb->args[0]) {
987 		struct nlattr **attrbuf_free = NULL;
988 
989 		if (!attrbuf) {
990 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
991 					  GFP_KERNEL);
992 			if (!attrbuf)
993 				return -ENOMEM;
994 			attrbuf_free = attrbuf;
995 		}
996 
997 		err = nlmsg_parse_deprecated(cb->nlh,
998 					     GENL_HDRLEN + nl80211_fam.hdrsize,
999 					     attrbuf, nl80211_fam.maxattr,
1000 					     nl80211_policy, NULL);
1001 		if (err) {
1002 			kfree(attrbuf_free);
1003 			return err;
1004 		}
1005 
1006 		rtnl_lock();
1007 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1008 						   attrbuf);
1009 		kfree(attrbuf_free);
1010 		if (IS_ERR(*wdev)) {
1011 			rtnl_unlock();
1012 			return PTR_ERR(*wdev);
1013 		}
1014 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1015 		mutex_lock(&(*rdev)->wiphy.mtx);
1016 		rtnl_unlock();
1017 		/* 0 is the first index - add 1 to parse only once */
1018 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1019 		cb->args[1] = (*wdev)->identifier;
1020 	} else {
1021 		/* subtract the 1 again here */
1022 		struct wiphy *wiphy;
1023 		struct wireless_dev *tmp;
1024 
1025 		rtnl_lock();
1026 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1027 		if (!wiphy) {
1028 			rtnl_unlock();
1029 			return -ENODEV;
1030 		}
1031 		*rdev = wiphy_to_rdev(wiphy);
1032 		*wdev = NULL;
1033 
1034 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1035 			if (tmp->identifier == cb->args[1]) {
1036 				*wdev = tmp;
1037 				break;
1038 			}
1039 		}
1040 
1041 		if (!*wdev) {
1042 			rtnl_unlock();
1043 			return -ENODEV;
1044 		}
1045 		mutex_lock(&(*rdev)->wiphy.mtx);
1046 		rtnl_unlock();
1047 	}
1048 
1049 	return 0;
1050 }
1051 
1052 /* message building helper */
1053 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1054 		     int flags, u8 cmd)
1055 {
1056 	/* since there is no private header just add the generic one */
1057 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1058 }
1059 
1060 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1061 				     const struct ieee80211_reg_rule *rule)
1062 {
1063 	int j;
1064 	struct nlattr *nl_wmm_rules =
1065 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1066 
1067 	if (!nl_wmm_rules)
1068 		goto nla_put_failure;
1069 
1070 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1071 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1072 
1073 		if (!nl_wmm_rule)
1074 			goto nla_put_failure;
1075 
1076 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1077 				rule->wmm_rule.client[j].cw_min) ||
1078 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1079 				rule->wmm_rule.client[j].cw_max) ||
1080 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1081 			       rule->wmm_rule.client[j].aifsn) ||
1082 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1083 			        rule->wmm_rule.client[j].cot))
1084 			goto nla_put_failure;
1085 
1086 		nla_nest_end(msg, nl_wmm_rule);
1087 	}
1088 	nla_nest_end(msg, nl_wmm_rules);
1089 
1090 	return 0;
1091 
1092 nla_put_failure:
1093 	return -ENOBUFS;
1094 }
1095 
1096 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1097 				   struct ieee80211_channel *chan,
1098 				   bool large)
1099 {
1100 	/* Some channels must be completely excluded from the
1101 	 * list to protect old user-space tools from breaking
1102 	 */
1103 	if (!large && chan->flags &
1104 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1105 		return 0;
1106 	if (!large && chan->freq_offset)
1107 		return 0;
1108 
1109 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1110 			chan->center_freq))
1111 		goto nla_put_failure;
1112 
1113 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1114 		goto nla_put_failure;
1115 
1116 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1117 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1118 		goto nla_put_failure;
1119 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1120 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1121 			goto nla_put_failure;
1122 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1123 			goto nla_put_failure;
1124 	}
1125 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1126 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1127 			goto nla_put_failure;
1128 		if (large) {
1129 			u32 time;
1130 
1131 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1132 
1133 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1134 					chan->dfs_state))
1135 				goto nla_put_failure;
1136 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1137 					time))
1138 				goto nla_put_failure;
1139 			if (nla_put_u32(msg,
1140 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1141 					chan->dfs_cac_ms))
1142 				goto nla_put_failure;
1143 		}
1144 	}
1145 
1146 	if (large) {
1147 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1148 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1149 			goto nla_put_failure;
1150 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1151 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1152 			goto nla_put_failure;
1153 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1154 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1155 			goto nla_put_failure;
1156 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1157 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1158 			goto nla_put_failure;
1159 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1160 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1161 			goto nla_put_failure;
1162 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1163 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1164 			goto nla_put_failure;
1165 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1166 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1167 			goto nla_put_failure;
1168 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1169 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1170 			goto nla_put_failure;
1171 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1172 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1173 			goto nla_put_failure;
1174 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1175 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1176 			goto nla_put_failure;
1177 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1178 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1179 			goto nla_put_failure;
1180 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1181 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1182 			goto nla_put_failure;
1183 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1184 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1185 			goto nla_put_failure;
1186 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1187 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1188 			goto nla_put_failure;
1189 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1190 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1191 			goto nla_put_failure;
1192 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1193 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1194 			goto nla_put_failure;
1195 	}
1196 
1197 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1198 			DBM_TO_MBM(chan->max_power)))
1199 		goto nla_put_failure;
1200 
1201 	if (large) {
1202 		const struct ieee80211_reg_rule *rule =
1203 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1204 
1205 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1206 			if (nl80211_msg_put_wmm_rules(msg, rule))
1207 				goto nla_put_failure;
1208 		}
1209 	}
1210 
1211 	return 0;
1212 
1213  nla_put_failure:
1214 	return -ENOBUFS;
1215 }
1216 
1217 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1218 				  struct cfg80211_txq_stats *txqstats,
1219 				  int attrtype)
1220 {
1221 	struct nlattr *txqattr;
1222 
1223 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1224 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1225 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1226 		return false;						  \
1227 	} while (0)
1228 
1229 	txqattr = nla_nest_start_noflag(msg, attrtype);
1230 	if (!txqattr)
1231 		return false;
1232 
1233 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1234 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1235 	PUT_TXQVAL_U32(FLOWS, flows);
1236 	PUT_TXQVAL_U32(DROPS, drops);
1237 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1238 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1239 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1240 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1241 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1242 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1243 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1244 	nla_nest_end(msg, txqattr);
1245 
1246 #undef PUT_TXQVAL_U32
1247 	return true;
1248 }
1249 
1250 /* netlink command implementations */
1251 
1252 /**
1253  * nl80211_link_id - return link ID
1254  * @attrs: attributes to look at
1255  *
1256  * Returns: the link ID or 0 if not given
1257  *
1258  * Note this function doesn't do any validation of the link
1259  * ID validity wrt. links that were actually added, so it must
1260  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1261  * or if additional validation is done.
1262  */
1263 static unsigned int nl80211_link_id(struct nlattr **attrs)
1264 {
1265 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1266 
1267 	if (!linkid)
1268 		return 0;
1269 
1270 	return nla_get_u8(linkid);
1271 }
1272 
1273 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1274 {
1275 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1276 
1277 	if (!linkid)
1278 		return -1;
1279 
1280 	return nla_get_u8(linkid);
1281 }
1282 
1283 struct key_parse {
1284 	struct key_params p;
1285 	int idx;
1286 	int type;
1287 	bool def, defmgmt, defbeacon;
1288 	bool def_uni, def_multi;
1289 };
1290 
1291 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1292 				 struct key_parse *k)
1293 {
1294 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1295 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1296 					      nl80211_key_policy,
1297 					      info->extack);
1298 	if (err)
1299 		return err;
1300 
1301 	k->def = !!tb[NL80211_KEY_DEFAULT];
1302 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1303 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1304 
1305 	if (k->def) {
1306 		k->def_uni = true;
1307 		k->def_multi = true;
1308 	}
1309 	if (k->defmgmt || k->defbeacon)
1310 		k->def_multi = true;
1311 
1312 	if (tb[NL80211_KEY_IDX])
1313 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1314 
1315 	if (tb[NL80211_KEY_DATA]) {
1316 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1317 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1318 	}
1319 
1320 	if (tb[NL80211_KEY_SEQ]) {
1321 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1322 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1323 	}
1324 
1325 	if (tb[NL80211_KEY_CIPHER])
1326 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1327 
1328 	if (tb[NL80211_KEY_TYPE])
1329 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1330 
1331 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1332 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1333 
1334 		err = nla_parse_nested_deprecated(kdt,
1335 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1336 						  tb[NL80211_KEY_DEFAULT_TYPES],
1337 						  nl80211_key_default_policy,
1338 						  info->extack);
1339 		if (err)
1340 			return err;
1341 
1342 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1343 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1344 	}
1345 
1346 	if (tb[NL80211_KEY_MODE])
1347 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1348 
1349 	return 0;
1350 }
1351 
1352 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1353 {
1354 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1355 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1356 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1357 	}
1358 
1359 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1360 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1361 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1362 	}
1363 
1364 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1365 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1366 
1367 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1368 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1369 
1370 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1371 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1372 
1373 	if (k->def) {
1374 		k->def_uni = true;
1375 		k->def_multi = true;
1376 	}
1377 	if (k->defmgmt)
1378 		k->def_multi = true;
1379 
1380 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1381 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1382 
1383 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1384 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1385 		int err = nla_parse_nested_deprecated(kdt,
1386 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1387 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1388 						      nl80211_key_default_policy,
1389 						      info->extack);
1390 		if (err)
1391 			return err;
1392 
1393 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1394 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1395 	}
1396 
1397 	return 0;
1398 }
1399 
1400 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1401 {
1402 	int err;
1403 
1404 	memset(k, 0, sizeof(*k));
1405 	k->idx = -1;
1406 	k->type = -1;
1407 
1408 	if (info->attrs[NL80211_ATTR_KEY])
1409 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1410 	else
1411 		err = nl80211_parse_key_old(info, k);
1412 
1413 	if (err)
1414 		return err;
1415 
1416 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1417 	    (k->defbeacon ? 1 : 0) > 1) {
1418 		GENL_SET_ERR_MSG(info,
1419 				 "key with multiple default flags is invalid");
1420 		return -EINVAL;
1421 	}
1422 
1423 	if (k->defmgmt || k->defbeacon) {
1424 		if (k->def_uni || !k->def_multi) {
1425 			GENL_SET_ERR_MSG(info,
1426 					 "defmgmt/defbeacon key must be mcast");
1427 			return -EINVAL;
1428 		}
1429 	}
1430 
1431 	if (k->idx != -1) {
1432 		if (k->defmgmt) {
1433 			if (k->idx < 4 || k->idx > 5) {
1434 				GENL_SET_ERR_MSG(info,
1435 						 "defmgmt key idx not 4 or 5");
1436 				return -EINVAL;
1437 			}
1438 		} else if (k->defbeacon) {
1439 			if (k->idx < 6 || k->idx > 7) {
1440 				GENL_SET_ERR_MSG(info,
1441 						 "defbeacon key idx not 6 or 7");
1442 				return -EINVAL;
1443 			}
1444 		} else if (k->def) {
1445 			if (k->idx < 0 || k->idx > 3) {
1446 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1447 				return -EINVAL;
1448 			}
1449 		} else {
1450 			if (k->idx < 0 || k->idx > 7) {
1451 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1452 				return -EINVAL;
1453 			}
1454 		}
1455 	}
1456 
1457 	return 0;
1458 }
1459 
1460 static struct cfg80211_cached_keys *
1461 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1462 		       struct genl_info *info, bool *no_ht)
1463 {
1464 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1465 	struct key_parse parse;
1466 	struct nlattr *key;
1467 	struct cfg80211_cached_keys *result;
1468 	int rem, err, def = 0;
1469 	bool have_key = false;
1470 
1471 	nla_for_each_nested(key, keys, rem) {
1472 		have_key = true;
1473 		break;
1474 	}
1475 
1476 	if (!have_key)
1477 		return NULL;
1478 
1479 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1480 	if (!result)
1481 		return ERR_PTR(-ENOMEM);
1482 
1483 	result->def = -1;
1484 
1485 	nla_for_each_nested(key, keys, rem) {
1486 		memset(&parse, 0, sizeof(parse));
1487 		parse.idx = -1;
1488 
1489 		err = nl80211_parse_key_new(info, key, &parse);
1490 		if (err)
1491 			goto error;
1492 		err = -EINVAL;
1493 		if (!parse.p.key)
1494 			goto error;
1495 		if (parse.idx < 0 || parse.idx > 3) {
1496 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1497 			goto error;
1498 		}
1499 		if (parse.def) {
1500 			if (def) {
1501 				GENL_SET_ERR_MSG(info,
1502 						 "only one key can be default");
1503 				goto error;
1504 			}
1505 			def = 1;
1506 			result->def = parse.idx;
1507 			if (!parse.def_uni || !parse.def_multi)
1508 				goto error;
1509 		} else if (parse.defmgmt)
1510 			goto error;
1511 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1512 						     parse.idx, false, NULL);
1513 		if (err)
1514 			goto error;
1515 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1516 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1517 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1518 			err = -EINVAL;
1519 			goto error;
1520 		}
1521 		result->params[parse.idx].cipher = parse.p.cipher;
1522 		result->params[parse.idx].key_len = parse.p.key_len;
1523 		result->params[parse.idx].key = result->data[parse.idx];
1524 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1525 
1526 		/* must be WEP key if we got here */
1527 		if (no_ht)
1528 			*no_ht = true;
1529 	}
1530 
1531 	if (result->def < 0) {
1532 		err = -EINVAL;
1533 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1534 		goto error;
1535 	}
1536 
1537 	return result;
1538  error:
1539 	kfree(result);
1540 	return ERR_PTR(err);
1541 }
1542 
1543 static int nl80211_key_allowed(struct wireless_dev *wdev)
1544 {
1545 	ASSERT_WDEV_LOCK(wdev);
1546 
1547 	switch (wdev->iftype) {
1548 	case NL80211_IFTYPE_AP:
1549 	case NL80211_IFTYPE_AP_VLAN:
1550 	case NL80211_IFTYPE_P2P_GO:
1551 	case NL80211_IFTYPE_MESH_POINT:
1552 		break;
1553 	case NL80211_IFTYPE_ADHOC:
1554 		if (wdev->u.ibss.current_bss)
1555 			return 0;
1556 		return -ENOLINK;
1557 	case NL80211_IFTYPE_STATION:
1558 	case NL80211_IFTYPE_P2P_CLIENT:
1559 		if (wdev->connected)
1560 			return 0;
1561 		return -ENOLINK;
1562 	case NL80211_IFTYPE_NAN:
1563 		if (wiphy_ext_feature_isset(wdev->wiphy,
1564 					    NL80211_EXT_FEATURE_SECURE_NAN))
1565 			return 0;
1566 		return -EINVAL;
1567 	case NL80211_IFTYPE_UNSPECIFIED:
1568 	case NL80211_IFTYPE_OCB:
1569 	case NL80211_IFTYPE_MONITOR:
1570 	case NL80211_IFTYPE_P2P_DEVICE:
1571 	case NL80211_IFTYPE_WDS:
1572 	case NUM_NL80211_IFTYPES:
1573 		return -EINVAL;
1574 	}
1575 
1576 	return 0;
1577 }
1578 
1579 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1580 							u32 freq)
1581 {
1582 	struct ieee80211_channel *chan;
1583 
1584 	chan = ieee80211_get_channel_khz(wiphy, freq);
1585 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1586 		return NULL;
1587 	return chan;
1588 }
1589 
1590 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1591 {
1592 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1593 	int i;
1594 
1595 	if (!nl_modes)
1596 		goto nla_put_failure;
1597 
1598 	i = 0;
1599 	while (ifmodes) {
1600 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1601 			goto nla_put_failure;
1602 		ifmodes >>= 1;
1603 		i++;
1604 	}
1605 
1606 	nla_nest_end(msg, nl_modes);
1607 	return 0;
1608 
1609 nla_put_failure:
1610 	return -ENOBUFS;
1611 }
1612 
1613 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1614 					  struct sk_buff *msg,
1615 					  bool large)
1616 {
1617 	struct nlattr *nl_combis;
1618 	int i, j;
1619 
1620 	nl_combis = nla_nest_start_noflag(msg,
1621 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1622 	if (!nl_combis)
1623 		goto nla_put_failure;
1624 
1625 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1626 		const struct ieee80211_iface_combination *c;
1627 		struct nlattr *nl_combi, *nl_limits;
1628 
1629 		c = &wiphy->iface_combinations[i];
1630 
1631 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1632 		if (!nl_combi)
1633 			goto nla_put_failure;
1634 
1635 		nl_limits = nla_nest_start_noflag(msg,
1636 						  NL80211_IFACE_COMB_LIMITS);
1637 		if (!nl_limits)
1638 			goto nla_put_failure;
1639 
1640 		for (j = 0; j < c->n_limits; j++) {
1641 			struct nlattr *nl_limit;
1642 
1643 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1644 			if (!nl_limit)
1645 				goto nla_put_failure;
1646 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1647 					c->limits[j].max))
1648 				goto nla_put_failure;
1649 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1650 						c->limits[j].types))
1651 				goto nla_put_failure;
1652 			nla_nest_end(msg, nl_limit);
1653 		}
1654 
1655 		nla_nest_end(msg, nl_limits);
1656 
1657 		if (c->beacon_int_infra_match &&
1658 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1659 			goto nla_put_failure;
1660 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1661 				c->num_different_channels) ||
1662 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1663 				c->max_interfaces))
1664 			goto nla_put_failure;
1665 		if (large &&
1666 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1667 				c->radar_detect_widths) ||
1668 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1669 				c->radar_detect_regions)))
1670 			goto nla_put_failure;
1671 		if (c->beacon_int_min_gcd &&
1672 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1673 				c->beacon_int_min_gcd))
1674 			goto nla_put_failure;
1675 
1676 		nla_nest_end(msg, nl_combi);
1677 	}
1678 
1679 	nla_nest_end(msg, nl_combis);
1680 
1681 	return 0;
1682 nla_put_failure:
1683 	return -ENOBUFS;
1684 }
1685 
1686 #ifdef CONFIG_PM
1687 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1688 					struct sk_buff *msg)
1689 {
1690 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1691 	struct nlattr *nl_tcp;
1692 
1693 	if (!tcp)
1694 		return 0;
1695 
1696 	nl_tcp = nla_nest_start_noflag(msg,
1697 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1698 	if (!nl_tcp)
1699 		return -ENOBUFS;
1700 
1701 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1702 			tcp->data_payload_max))
1703 		return -ENOBUFS;
1704 
1705 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1706 			tcp->data_payload_max))
1707 		return -ENOBUFS;
1708 
1709 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1710 		return -ENOBUFS;
1711 
1712 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1713 				sizeof(*tcp->tok), tcp->tok))
1714 		return -ENOBUFS;
1715 
1716 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1717 			tcp->data_interval_max))
1718 		return -ENOBUFS;
1719 
1720 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1721 			tcp->wake_payload_max))
1722 		return -ENOBUFS;
1723 
1724 	nla_nest_end(msg, nl_tcp);
1725 	return 0;
1726 }
1727 
1728 static int nl80211_send_wowlan(struct sk_buff *msg,
1729 			       struct cfg80211_registered_device *rdev,
1730 			       bool large)
1731 {
1732 	struct nlattr *nl_wowlan;
1733 
1734 	if (!rdev->wiphy.wowlan)
1735 		return 0;
1736 
1737 	nl_wowlan = nla_nest_start_noflag(msg,
1738 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1739 	if (!nl_wowlan)
1740 		return -ENOBUFS;
1741 
1742 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1743 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1744 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1745 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1746 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1747 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1748 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1749 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1750 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1751 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1752 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1753 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1754 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1755 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1756 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1757 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1758 		return -ENOBUFS;
1759 
1760 	if (rdev->wiphy.wowlan->n_patterns) {
1761 		struct nl80211_pattern_support pat = {
1762 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1763 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1764 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1765 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1766 		};
1767 
1768 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1769 			    sizeof(pat), &pat))
1770 			return -ENOBUFS;
1771 	}
1772 
1773 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1774 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1775 			rdev->wiphy.wowlan->max_nd_match_sets))
1776 		return -ENOBUFS;
1777 
1778 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1779 		return -ENOBUFS;
1780 
1781 	nla_nest_end(msg, nl_wowlan);
1782 
1783 	return 0;
1784 }
1785 #endif
1786 
1787 static int nl80211_send_coalesce(struct sk_buff *msg,
1788 				 struct cfg80211_registered_device *rdev)
1789 {
1790 	struct nl80211_coalesce_rule_support rule;
1791 
1792 	if (!rdev->wiphy.coalesce)
1793 		return 0;
1794 
1795 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1796 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1797 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1798 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1799 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1800 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1801 
1802 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1803 		return -ENOBUFS;
1804 
1805 	return 0;
1806 }
1807 
1808 static int
1809 nl80211_send_iftype_data(struct sk_buff *msg,
1810 			 const struct ieee80211_supported_band *sband,
1811 			 const struct ieee80211_sband_iftype_data *iftdata)
1812 {
1813 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1814 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1815 
1816 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1817 				iftdata->types_mask))
1818 		return -ENOBUFS;
1819 
1820 	if (he_cap->has_he) {
1821 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1822 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1823 			    he_cap->he_cap_elem.mac_cap_info) ||
1824 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1825 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1826 			    he_cap->he_cap_elem.phy_cap_info) ||
1827 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1828 			    sizeof(he_cap->he_mcs_nss_supp),
1829 			    &he_cap->he_mcs_nss_supp) ||
1830 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1831 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1832 			return -ENOBUFS;
1833 	}
1834 
1835 	if (eht_cap->has_eht && he_cap->has_he) {
1836 		u8 mcs_nss_size, ppe_thresh_size;
1837 		u16 ppe_thres_hdr;
1838 		bool is_ap;
1839 
1840 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1841 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1842 
1843 		mcs_nss_size =
1844 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1845 						   &eht_cap->eht_cap_elem,
1846 						   is_ap);
1847 
1848 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1849 		ppe_thresh_size =
1850 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1851 					       eht_cap->eht_cap_elem.phy_cap_info);
1852 
1853 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1854 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1855 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1856 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1857 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1858 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1859 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1860 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1861 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1862 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1863 			return -ENOBUFS;
1864 	}
1865 
1866 	if (sband->band == NL80211_BAND_6GHZ &&
1867 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1868 		    sizeof(iftdata->he_6ghz_capa),
1869 		    &iftdata->he_6ghz_capa))
1870 		return -ENOBUFS;
1871 
1872 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1873 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1874 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1875 		return -ENOBUFS;
1876 
1877 	return 0;
1878 }
1879 
1880 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1881 				      struct ieee80211_supported_band *sband,
1882 				      bool large)
1883 {
1884 	struct nlattr *nl_rates, *nl_rate;
1885 	struct ieee80211_rate *rate;
1886 	int i;
1887 
1888 	/* add HT info */
1889 	if (sband->ht_cap.ht_supported &&
1890 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1891 		     sizeof(sband->ht_cap.mcs),
1892 		     &sband->ht_cap.mcs) ||
1893 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1894 			 sband->ht_cap.cap) ||
1895 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1896 			sband->ht_cap.ampdu_factor) ||
1897 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1898 			sband->ht_cap.ampdu_density)))
1899 		return -ENOBUFS;
1900 
1901 	/* add VHT info */
1902 	if (sband->vht_cap.vht_supported &&
1903 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1904 		     sizeof(sband->vht_cap.vht_mcs),
1905 		     &sband->vht_cap.vht_mcs) ||
1906 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1907 			 sband->vht_cap.cap)))
1908 		return -ENOBUFS;
1909 
1910 	if (large && sband->n_iftype_data) {
1911 		struct nlattr *nl_iftype_data =
1912 			nla_nest_start_noflag(msg,
1913 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1914 		int err;
1915 
1916 		if (!nl_iftype_data)
1917 			return -ENOBUFS;
1918 
1919 		for (i = 0; i < sband->n_iftype_data; i++) {
1920 			struct nlattr *iftdata;
1921 
1922 			iftdata = nla_nest_start_noflag(msg, i + 1);
1923 			if (!iftdata)
1924 				return -ENOBUFS;
1925 
1926 			err = nl80211_send_iftype_data(msg, sband,
1927 						       &sband->iftype_data[i]);
1928 			if (err)
1929 				return err;
1930 
1931 			nla_nest_end(msg, iftdata);
1932 		}
1933 
1934 		nla_nest_end(msg, nl_iftype_data);
1935 	}
1936 
1937 	/* add EDMG info */
1938 	if (large && sband->edmg_cap.channels &&
1939 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1940 		       sband->edmg_cap.channels) ||
1941 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1942 		       sband->edmg_cap.bw_config)))
1943 
1944 		return -ENOBUFS;
1945 
1946 	/* add bitrates */
1947 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1948 	if (!nl_rates)
1949 		return -ENOBUFS;
1950 
1951 	for (i = 0; i < sband->n_bitrates; i++) {
1952 		nl_rate = nla_nest_start_noflag(msg, i);
1953 		if (!nl_rate)
1954 			return -ENOBUFS;
1955 
1956 		rate = &sband->bitrates[i];
1957 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1958 				rate->bitrate))
1959 			return -ENOBUFS;
1960 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1961 		    nla_put_flag(msg,
1962 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1963 			return -ENOBUFS;
1964 
1965 		nla_nest_end(msg, nl_rate);
1966 	}
1967 
1968 	nla_nest_end(msg, nl_rates);
1969 
1970 	/* S1G capabilities */
1971 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1972 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1973 		     sizeof(sband->s1g_cap.cap),
1974 		     sband->s1g_cap.cap) ||
1975 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1976 		     sizeof(sband->s1g_cap.nss_mcs),
1977 		     sband->s1g_cap.nss_mcs)))
1978 		return -ENOBUFS;
1979 
1980 	return 0;
1981 }
1982 
1983 static int
1984 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1985 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1986 {
1987 	u16 stypes;
1988 	struct nlattr *nl_ftypes, *nl_ifs;
1989 	enum nl80211_iftype ift;
1990 	int i;
1991 
1992 	if (!mgmt_stypes)
1993 		return 0;
1994 
1995 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1996 	if (!nl_ifs)
1997 		return -ENOBUFS;
1998 
1999 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2000 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2001 		if (!nl_ftypes)
2002 			return -ENOBUFS;
2003 		i = 0;
2004 		stypes = mgmt_stypes[ift].tx;
2005 		while (stypes) {
2006 			if ((stypes & 1) &&
2007 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2008 					(i << 4) | IEEE80211_FTYPE_MGMT))
2009 				return -ENOBUFS;
2010 			stypes >>= 1;
2011 			i++;
2012 		}
2013 		nla_nest_end(msg, nl_ftypes);
2014 	}
2015 
2016 	nla_nest_end(msg, nl_ifs);
2017 
2018 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2019 	if (!nl_ifs)
2020 		return -ENOBUFS;
2021 
2022 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2023 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2024 		if (!nl_ftypes)
2025 			return -ENOBUFS;
2026 		i = 0;
2027 		stypes = mgmt_stypes[ift].rx;
2028 		while (stypes) {
2029 			if ((stypes & 1) &&
2030 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2031 					(i << 4) | IEEE80211_FTYPE_MGMT))
2032 				return -ENOBUFS;
2033 			stypes >>= 1;
2034 			i++;
2035 		}
2036 		nla_nest_end(msg, nl_ftypes);
2037 	}
2038 	nla_nest_end(msg, nl_ifs);
2039 
2040 	return 0;
2041 }
2042 
2043 #define CMD(op, n)							\
2044 	 do {								\
2045 		if (rdev->ops->op) {					\
2046 			i++;						\
2047 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2048 				goto nla_put_failure;			\
2049 		}							\
2050 	} while (0)
2051 
2052 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2053 					struct sk_buff *msg)
2054 {
2055 	int i = 0;
2056 
2057 	/*
2058 	 * do *NOT* add anything into this function, new things need to be
2059 	 * advertised only to new versions of userspace that can deal with
2060 	 * the split (and they can't possibly care about new features...
2061 	 */
2062 	CMD(add_virtual_intf, NEW_INTERFACE);
2063 	CMD(change_virtual_intf, SET_INTERFACE);
2064 	CMD(add_key, NEW_KEY);
2065 	CMD(start_ap, START_AP);
2066 	CMD(add_station, NEW_STATION);
2067 	CMD(add_mpath, NEW_MPATH);
2068 	CMD(update_mesh_config, SET_MESH_CONFIG);
2069 	CMD(change_bss, SET_BSS);
2070 	CMD(auth, AUTHENTICATE);
2071 	CMD(assoc, ASSOCIATE);
2072 	CMD(deauth, DEAUTHENTICATE);
2073 	CMD(disassoc, DISASSOCIATE);
2074 	CMD(join_ibss, JOIN_IBSS);
2075 	CMD(join_mesh, JOIN_MESH);
2076 	CMD(set_pmksa, SET_PMKSA);
2077 	CMD(del_pmksa, DEL_PMKSA);
2078 	CMD(flush_pmksa, FLUSH_PMKSA);
2079 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2080 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2081 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2082 	CMD(mgmt_tx, FRAME);
2083 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2084 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2085 		i++;
2086 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2087 			goto nla_put_failure;
2088 	}
2089 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2090 	    rdev->ops->join_mesh) {
2091 		i++;
2092 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2093 			goto nla_put_failure;
2094 	}
2095 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2096 		CMD(tdls_mgmt, TDLS_MGMT);
2097 		CMD(tdls_oper, TDLS_OPER);
2098 	}
2099 	if (rdev->wiphy.max_sched_scan_reqs)
2100 		CMD(sched_scan_start, START_SCHED_SCAN);
2101 	CMD(probe_client, PROBE_CLIENT);
2102 	CMD(set_noack_map, SET_NOACK_MAP);
2103 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2104 		i++;
2105 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2106 			goto nla_put_failure;
2107 	}
2108 	CMD(start_p2p_device, START_P2P_DEVICE);
2109 	CMD(set_mcast_rate, SET_MCAST_RATE);
2110 #ifdef CONFIG_NL80211_TESTMODE
2111 	CMD(testmode_cmd, TESTMODE);
2112 #endif
2113 
2114 	if (rdev->ops->connect || rdev->ops->auth) {
2115 		i++;
2116 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2117 			goto nla_put_failure;
2118 	}
2119 
2120 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2121 		i++;
2122 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2123 			goto nla_put_failure;
2124 	}
2125 
2126 	return i;
2127  nla_put_failure:
2128 	return -ENOBUFS;
2129 }
2130 
2131 static int
2132 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2133 			   struct sk_buff *msg)
2134 {
2135 	struct nlattr *ftm;
2136 
2137 	if (!cap->ftm.supported)
2138 		return 0;
2139 
2140 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2141 	if (!ftm)
2142 		return -ENOBUFS;
2143 
2144 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2145 		return -ENOBUFS;
2146 	if (cap->ftm.non_asap &&
2147 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2148 		return -ENOBUFS;
2149 	if (cap->ftm.request_lci &&
2150 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2151 		return -ENOBUFS;
2152 	if (cap->ftm.request_civicloc &&
2153 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2154 		return -ENOBUFS;
2155 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2156 			cap->ftm.preambles))
2157 		return -ENOBUFS;
2158 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2159 			cap->ftm.bandwidths))
2160 		return -ENOBUFS;
2161 	if (cap->ftm.max_bursts_exponent >= 0 &&
2162 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2163 			cap->ftm.max_bursts_exponent))
2164 		return -ENOBUFS;
2165 	if (cap->ftm.max_ftms_per_burst &&
2166 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2167 			cap->ftm.max_ftms_per_burst))
2168 		return -ENOBUFS;
2169 	if (cap->ftm.trigger_based &&
2170 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2171 		return -ENOBUFS;
2172 	if (cap->ftm.non_trigger_based &&
2173 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2174 		return -ENOBUFS;
2175 
2176 	nla_nest_end(msg, ftm);
2177 	return 0;
2178 }
2179 
2180 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2181 				  struct sk_buff *msg)
2182 {
2183 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2184 	struct nlattr *pmsr, *caps;
2185 
2186 	if (!cap)
2187 		return 0;
2188 
2189 	/*
2190 	 * we don't need to clean up anything here since the caller
2191 	 * will genlmsg_cancel() if we fail
2192 	 */
2193 
2194 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2195 	if (!pmsr)
2196 		return -ENOBUFS;
2197 
2198 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2199 		return -ENOBUFS;
2200 
2201 	if (cap->report_ap_tsf &&
2202 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2203 		return -ENOBUFS;
2204 
2205 	if (cap->randomize_mac_addr &&
2206 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2207 		return -ENOBUFS;
2208 
2209 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2210 	if (!caps)
2211 		return -ENOBUFS;
2212 
2213 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2214 		return -ENOBUFS;
2215 
2216 	nla_nest_end(msg, caps);
2217 	nla_nest_end(msg, pmsr);
2218 
2219 	return 0;
2220 }
2221 
2222 static int
2223 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2224 			      struct sk_buff *msg)
2225 {
2226 	int i;
2227 	struct nlattr *nested, *nested_akms;
2228 	const struct wiphy_iftype_akm_suites *iftype_akms;
2229 
2230 	if (!rdev->wiphy.num_iftype_akm_suites ||
2231 	    !rdev->wiphy.iftype_akm_suites)
2232 		return 0;
2233 
2234 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2235 	if (!nested)
2236 		return -ENOBUFS;
2237 
2238 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2239 		nested_akms = nla_nest_start(msg, i + 1);
2240 		if (!nested_akms)
2241 			return -ENOBUFS;
2242 
2243 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2244 
2245 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2246 					iftype_akms->iftypes_mask))
2247 			return -ENOBUFS;
2248 
2249 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2250 			    sizeof(u32) * iftype_akms->n_akm_suites,
2251 			    iftype_akms->akm_suites)) {
2252 			return -ENOBUFS;
2253 		}
2254 		nla_nest_end(msg, nested_akms);
2255 	}
2256 
2257 	nla_nest_end(msg, nested);
2258 
2259 	return 0;
2260 }
2261 
2262 static int
2263 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2264 			       struct sk_buff *msg)
2265 {
2266 	struct nlattr *supp;
2267 
2268 	if (!rdev->wiphy.tid_config_support.vif &&
2269 	    !rdev->wiphy.tid_config_support.peer)
2270 		return 0;
2271 
2272 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2273 	if (!supp)
2274 		return -ENOSPC;
2275 
2276 	if (rdev->wiphy.tid_config_support.vif &&
2277 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2278 			      rdev->wiphy.tid_config_support.vif,
2279 			      NL80211_TID_CONFIG_ATTR_PAD))
2280 		goto fail;
2281 
2282 	if (rdev->wiphy.tid_config_support.peer &&
2283 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2284 			      rdev->wiphy.tid_config_support.peer,
2285 			      NL80211_TID_CONFIG_ATTR_PAD))
2286 		goto fail;
2287 
2288 	/* for now we just use the same value ... makes more sense */
2289 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2290 		       rdev->wiphy.tid_config_support.max_retry))
2291 		goto fail;
2292 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2293 		       rdev->wiphy.tid_config_support.max_retry))
2294 		goto fail;
2295 
2296 	nla_nest_end(msg, supp);
2297 
2298 	return 0;
2299 fail:
2300 	nla_nest_cancel(msg, supp);
2301 	return -ENOBUFS;
2302 }
2303 
2304 static int
2305 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2306 		      struct sk_buff *msg)
2307 {
2308 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2309 	u8 num_freq_ranges;
2310 	int i;
2311 
2312 	if (!rdev->wiphy.sar_capa)
2313 		return 0;
2314 
2315 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2316 
2317 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2318 	if (!sar_capa)
2319 		return -ENOSPC;
2320 
2321 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2322 		goto fail;
2323 
2324 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2325 	if (!specs)
2326 		goto fail;
2327 
2328 	/* report supported freq_ranges */
2329 	for (i = 0; i < num_freq_ranges; i++) {
2330 		sub_freq_range = nla_nest_start(msg, i + 1);
2331 		if (!sub_freq_range)
2332 			goto fail;
2333 
2334 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2335 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2336 			goto fail;
2337 
2338 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2339 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2340 			goto fail;
2341 
2342 		nla_nest_end(msg, sub_freq_range);
2343 	}
2344 
2345 	nla_nest_end(msg, specs);
2346 	nla_nest_end(msg, sar_capa);
2347 
2348 	return 0;
2349 fail:
2350 	nla_nest_cancel(msg, sar_capa);
2351 	return -ENOBUFS;
2352 }
2353 
2354 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2355 {
2356 	struct nlattr *config;
2357 
2358 	if (!wiphy->mbssid_max_interfaces)
2359 		return 0;
2360 
2361 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2362 	if (!config)
2363 		return -ENOBUFS;
2364 
2365 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2366 		       wiphy->mbssid_max_interfaces))
2367 		goto fail;
2368 
2369 	if (wiphy->ema_max_profile_periodicity &&
2370 	    nla_put_u8(msg,
2371 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2372 		       wiphy->ema_max_profile_periodicity))
2373 		goto fail;
2374 
2375 	nla_nest_end(msg, config);
2376 	return 0;
2377 
2378 fail:
2379 	nla_nest_cancel(msg, config);
2380 	return -ENOBUFS;
2381 }
2382 
2383 struct nl80211_dump_wiphy_state {
2384 	s64 filter_wiphy;
2385 	long start;
2386 	long split_start, band_start, chan_start, capa_start;
2387 	bool split;
2388 };
2389 
2390 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2391 			      enum nl80211_commands cmd,
2392 			      struct sk_buff *msg, u32 portid, u32 seq,
2393 			      int flags, struct nl80211_dump_wiphy_state *state)
2394 {
2395 	void *hdr;
2396 	struct nlattr *nl_bands, *nl_band;
2397 	struct nlattr *nl_freqs, *nl_freq;
2398 	struct nlattr *nl_cmds;
2399 	enum nl80211_band band;
2400 	struct ieee80211_channel *chan;
2401 	int i;
2402 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2403 				rdev->wiphy.mgmt_stypes;
2404 	u32 features;
2405 
2406 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2407 	if (!hdr)
2408 		return -ENOBUFS;
2409 
2410 	if (WARN_ON(!state))
2411 		return -EINVAL;
2412 
2413 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2414 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2415 			   wiphy_name(&rdev->wiphy)) ||
2416 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2417 			cfg80211_rdev_list_generation))
2418 		goto nla_put_failure;
2419 
2420 	if (cmd != NL80211_CMD_NEW_WIPHY)
2421 		goto finish;
2422 
2423 	switch (state->split_start) {
2424 	case 0:
2425 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2426 			       rdev->wiphy.retry_short) ||
2427 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2428 			       rdev->wiphy.retry_long) ||
2429 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2430 				rdev->wiphy.frag_threshold) ||
2431 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2432 				rdev->wiphy.rts_threshold) ||
2433 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2434 			       rdev->wiphy.coverage_class) ||
2435 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2436 			       rdev->wiphy.max_scan_ssids) ||
2437 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2438 			       rdev->wiphy.max_sched_scan_ssids) ||
2439 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2440 				rdev->wiphy.max_scan_ie_len) ||
2441 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2442 				rdev->wiphy.max_sched_scan_ie_len) ||
2443 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2444 			       rdev->wiphy.max_match_sets))
2445 			goto nla_put_failure;
2446 
2447 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2448 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2449 			goto nla_put_failure;
2450 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2451 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2452 			goto nla_put_failure;
2453 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2454 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2455 			goto nla_put_failure;
2456 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2457 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2458 			goto nla_put_failure;
2459 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2460 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2461 			goto nla_put_failure;
2462 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2463 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2464 			goto nla_put_failure;
2465 		state->split_start++;
2466 		if (state->split)
2467 			break;
2468 		fallthrough;
2469 	case 1:
2470 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2471 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2472 			    rdev->wiphy.cipher_suites))
2473 			goto nla_put_failure;
2474 
2475 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2476 			       rdev->wiphy.max_num_pmkids))
2477 			goto nla_put_failure;
2478 
2479 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2480 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2481 			goto nla_put_failure;
2482 
2483 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2484 				rdev->wiphy.available_antennas_tx) ||
2485 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2486 				rdev->wiphy.available_antennas_rx))
2487 			goto nla_put_failure;
2488 
2489 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2490 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2491 				rdev->wiphy.probe_resp_offload))
2492 			goto nla_put_failure;
2493 
2494 		if ((rdev->wiphy.available_antennas_tx ||
2495 		     rdev->wiphy.available_antennas_rx) &&
2496 		    rdev->ops->get_antenna) {
2497 			u32 tx_ant = 0, rx_ant = 0;
2498 			int res;
2499 
2500 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2501 			if (!res) {
2502 				if (nla_put_u32(msg,
2503 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2504 						tx_ant) ||
2505 				    nla_put_u32(msg,
2506 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2507 						rx_ant))
2508 					goto nla_put_failure;
2509 			}
2510 		}
2511 
2512 		state->split_start++;
2513 		if (state->split)
2514 			break;
2515 		fallthrough;
2516 	case 2:
2517 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2518 					rdev->wiphy.interface_modes))
2519 				goto nla_put_failure;
2520 		state->split_start++;
2521 		if (state->split)
2522 			break;
2523 		fallthrough;
2524 	case 3:
2525 		nl_bands = nla_nest_start_noflag(msg,
2526 						 NL80211_ATTR_WIPHY_BANDS);
2527 		if (!nl_bands)
2528 			goto nla_put_failure;
2529 
2530 		for (band = state->band_start;
2531 		     band < (state->split ?
2532 				NUM_NL80211_BANDS :
2533 				NL80211_BAND_60GHZ + 1);
2534 		     band++) {
2535 			struct ieee80211_supported_band *sband;
2536 
2537 			/* omit higher bands for ancient software */
2538 			if (band > NL80211_BAND_5GHZ && !state->split)
2539 				break;
2540 
2541 			sband = rdev->wiphy.bands[band];
2542 
2543 			if (!sband)
2544 				continue;
2545 
2546 			nl_band = nla_nest_start_noflag(msg, band);
2547 			if (!nl_band)
2548 				goto nla_put_failure;
2549 
2550 			switch (state->chan_start) {
2551 			case 0:
2552 				if (nl80211_send_band_rateinfo(msg, sband,
2553 							       state->split))
2554 					goto nla_put_failure;
2555 				state->chan_start++;
2556 				if (state->split)
2557 					break;
2558 				fallthrough;
2559 			default:
2560 				/* add frequencies */
2561 				nl_freqs = nla_nest_start_noflag(msg,
2562 								 NL80211_BAND_ATTR_FREQS);
2563 				if (!nl_freqs)
2564 					goto nla_put_failure;
2565 
2566 				for (i = state->chan_start - 1;
2567 				     i < sband->n_channels;
2568 				     i++) {
2569 					nl_freq = nla_nest_start_noflag(msg,
2570 									i);
2571 					if (!nl_freq)
2572 						goto nla_put_failure;
2573 
2574 					chan = &sband->channels[i];
2575 
2576 					if (nl80211_msg_put_channel(
2577 							msg, &rdev->wiphy, chan,
2578 							state->split))
2579 						goto nla_put_failure;
2580 
2581 					nla_nest_end(msg, nl_freq);
2582 					if (state->split)
2583 						break;
2584 				}
2585 				if (i < sband->n_channels)
2586 					state->chan_start = i + 2;
2587 				else
2588 					state->chan_start = 0;
2589 				nla_nest_end(msg, nl_freqs);
2590 			}
2591 
2592 			nla_nest_end(msg, nl_band);
2593 
2594 			if (state->split) {
2595 				/* start again here */
2596 				if (state->chan_start)
2597 					band--;
2598 				break;
2599 			}
2600 		}
2601 		nla_nest_end(msg, nl_bands);
2602 
2603 		if (band < NUM_NL80211_BANDS)
2604 			state->band_start = band + 1;
2605 		else
2606 			state->band_start = 0;
2607 
2608 		/* if bands & channels are done, continue outside */
2609 		if (state->band_start == 0 && state->chan_start == 0)
2610 			state->split_start++;
2611 		if (state->split)
2612 			break;
2613 		fallthrough;
2614 	case 4:
2615 		nl_cmds = nla_nest_start_noflag(msg,
2616 						NL80211_ATTR_SUPPORTED_COMMANDS);
2617 		if (!nl_cmds)
2618 			goto nla_put_failure;
2619 
2620 		i = nl80211_add_commands_unsplit(rdev, msg);
2621 		if (i < 0)
2622 			goto nla_put_failure;
2623 		if (state->split) {
2624 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2625 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2626 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2627 				CMD(channel_switch, CHANNEL_SWITCH);
2628 			CMD(set_qos_map, SET_QOS_MAP);
2629 			if (rdev->wiphy.features &
2630 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2631 				CMD(add_tx_ts, ADD_TX_TS);
2632 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2633 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2634 			CMD(update_ft_ies, UPDATE_FT_IES);
2635 			if (rdev->wiphy.sar_capa)
2636 				CMD(set_sar_specs, SET_SAR_SPECS);
2637 		}
2638 #undef CMD
2639 
2640 		nla_nest_end(msg, nl_cmds);
2641 		state->split_start++;
2642 		if (state->split)
2643 			break;
2644 		fallthrough;
2645 	case 5:
2646 		if (rdev->ops->remain_on_channel &&
2647 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2648 		    nla_put_u32(msg,
2649 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2650 				rdev->wiphy.max_remain_on_channel_duration))
2651 			goto nla_put_failure;
2652 
2653 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2654 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2655 			goto nla_put_failure;
2656 
2657 		state->split_start++;
2658 		if (state->split)
2659 			break;
2660 		fallthrough;
2661 	case 6:
2662 #ifdef CONFIG_PM
2663 		if (nl80211_send_wowlan(msg, rdev, state->split))
2664 			goto nla_put_failure;
2665 		state->split_start++;
2666 		if (state->split)
2667 			break;
2668 #else
2669 		state->split_start++;
2670 #endif
2671 		fallthrough;
2672 	case 7:
2673 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2674 					rdev->wiphy.software_iftypes))
2675 			goto nla_put_failure;
2676 
2677 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2678 						   state->split))
2679 			goto nla_put_failure;
2680 
2681 		state->split_start++;
2682 		if (state->split)
2683 			break;
2684 		fallthrough;
2685 	case 8:
2686 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2687 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2688 				rdev->wiphy.ap_sme_capa))
2689 			goto nla_put_failure;
2690 
2691 		features = rdev->wiphy.features;
2692 		/*
2693 		 * We can only add the per-channel limit information if the
2694 		 * dump is split, otherwise it makes it too big. Therefore
2695 		 * only advertise it in that case.
2696 		 */
2697 		if (state->split)
2698 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2699 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2700 			goto nla_put_failure;
2701 
2702 		if (rdev->wiphy.ht_capa_mod_mask &&
2703 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2704 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2705 			    rdev->wiphy.ht_capa_mod_mask))
2706 			goto nla_put_failure;
2707 
2708 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2709 		    rdev->wiphy.max_acl_mac_addrs &&
2710 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2711 				rdev->wiphy.max_acl_mac_addrs))
2712 			goto nla_put_failure;
2713 
2714 		/*
2715 		 * Any information below this point is only available to
2716 		 * applications that can deal with it being split. This
2717 		 * helps ensure that newly added capabilities don't break
2718 		 * older tools by overrunning their buffers.
2719 		 *
2720 		 * We still increment split_start so that in the split
2721 		 * case we'll continue with more data in the next round,
2722 		 * but break unconditionally so unsplit data stops here.
2723 		 */
2724 		if (state->split)
2725 			state->split_start++;
2726 		else
2727 			state->split_start = 0;
2728 		break;
2729 	case 9:
2730 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2731 			goto nla_put_failure;
2732 
2733 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2734 				rdev->wiphy.max_sched_scan_plans) ||
2735 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2736 				rdev->wiphy.max_sched_scan_plan_interval) ||
2737 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2738 				rdev->wiphy.max_sched_scan_plan_iterations))
2739 			goto nla_put_failure;
2740 
2741 		if (rdev->wiphy.extended_capabilities &&
2742 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2743 			     rdev->wiphy.extended_capabilities_len,
2744 			     rdev->wiphy.extended_capabilities) ||
2745 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2746 			     rdev->wiphy.extended_capabilities_len,
2747 			     rdev->wiphy.extended_capabilities_mask)))
2748 			goto nla_put_failure;
2749 
2750 		if (rdev->wiphy.vht_capa_mod_mask &&
2751 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2752 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2753 			    rdev->wiphy.vht_capa_mod_mask))
2754 			goto nla_put_failure;
2755 
2756 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2757 			    rdev->wiphy.perm_addr))
2758 			goto nla_put_failure;
2759 
2760 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2761 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2762 			    rdev->wiphy.addr_mask))
2763 			goto nla_put_failure;
2764 
2765 		if (rdev->wiphy.n_addresses > 1) {
2766 			void *attr;
2767 
2768 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2769 			if (!attr)
2770 				goto nla_put_failure;
2771 
2772 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2773 				if (nla_put(msg, i + 1, ETH_ALEN,
2774 					    rdev->wiphy.addresses[i].addr))
2775 					goto nla_put_failure;
2776 
2777 			nla_nest_end(msg, attr);
2778 		}
2779 
2780 		state->split_start++;
2781 		break;
2782 	case 10:
2783 		if (nl80211_send_coalesce(msg, rdev))
2784 			goto nla_put_failure;
2785 
2786 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2787 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2788 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2789 			goto nla_put_failure;
2790 
2791 		if (rdev->wiphy.max_ap_assoc_sta &&
2792 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2793 				rdev->wiphy.max_ap_assoc_sta))
2794 			goto nla_put_failure;
2795 
2796 		state->split_start++;
2797 		break;
2798 	case 11:
2799 		if (rdev->wiphy.n_vendor_commands) {
2800 			const struct nl80211_vendor_cmd_info *info;
2801 			struct nlattr *nested;
2802 
2803 			nested = nla_nest_start_noflag(msg,
2804 						       NL80211_ATTR_VENDOR_DATA);
2805 			if (!nested)
2806 				goto nla_put_failure;
2807 
2808 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2809 				info = &rdev->wiphy.vendor_commands[i].info;
2810 				if (nla_put(msg, i + 1, sizeof(*info), info))
2811 					goto nla_put_failure;
2812 			}
2813 			nla_nest_end(msg, nested);
2814 		}
2815 
2816 		if (rdev->wiphy.n_vendor_events) {
2817 			const struct nl80211_vendor_cmd_info *info;
2818 			struct nlattr *nested;
2819 
2820 			nested = nla_nest_start_noflag(msg,
2821 						       NL80211_ATTR_VENDOR_EVENTS);
2822 			if (!nested)
2823 				goto nla_put_failure;
2824 
2825 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2826 				info = &rdev->wiphy.vendor_events[i];
2827 				if (nla_put(msg, i + 1, sizeof(*info), info))
2828 					goto nla_put_failure;
2829 			}
2830 			nla_nest_end(msg, nested);
2831 		}
2832 		state->split_start++;
2833 		break;
2834 	case 12:
2835 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2836 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2837 			       rdev->wiphy.max_num_csa_counters))
2838 			goto nla_put_failure;
2839 
2840 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2841 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2842 			goto nla_put_failure;
2843 
2844 		if (rdev->wiphy.max_sched_scan_reqs &&
2845 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2846 				rdev->wiphy.max_sched_scan_reqs))
2847 			goto nla_put_failure;
2848 
2849 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2850 			    sizeof(rdev->wiphy.ext_features),
2851 			    rdev->wiphy.ext_features))
2852 			goto nla_put_failure;
2853 
2854 		if (rdev->wiphy.bss_select_support) {
2855 			struct nlattr *nested;
2856 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2857 
2858 			nested = nla_nest_start_noflag(msg,
2859 						       NL80211_ATTR_BSS_SELECT);
2860 			if (!nested)
2861 				goto nla_put_failure;
2862 
2863 			i = 0;
2864 			while (bss_select_support) {
2865 				if ((bss_select_support & 1) &&
2866 				    nla_put_flag(msg, i))
2867 					goto nla_put_failure;
2868 				i++;
2869 				bss_select_support >>= 1;
2870 			}
2871 			nla_nest_end(msg, nested);
2872 		}
2873 
2874 		state->split_start++;
2875 		break;
2876 	case 13:
2877 		if (rdev->wiphy.num_iftype_ext_capab &&
2878 		    rdev->wiphy.iftype_ext_capab) {
2879 			struct nlattr *nested_ext_capab, *nested;
2880 
2881 			nested = nla_nest_start_noflag(msg,
2882 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2883 			if (!nested)
2884 				goto nla_put_failure;
2885 
2886 			for (i = state->capa_start;
2887 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2888 				const struct wiphy_iftype_ext_capab *capab;
2889 
2890 				capab = &rdev->wiphy.iftype_ext_capab[i];
2891 
2892 				nested_ext_capab = nla_nest_start_noflag(msg,
2893 									 i);
2894 				if (!nested_ext_capab ||
2895 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2896 						capab->iftype) ||
2897 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2898 					    capab->extended_capabilities_len,
2899 					    capab->extended_capabilities) ||
2900 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2901 					    capab->extended_capabilities_len,
2902 					    capab->extended_capabilities_mask))
2903 					goto nla_put_failure;
2904 
2905 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2906 				    (nla_put_u16(msg,
2907 						 NL80211_ATTR_EML_CAPABILITY,
2908 						 capab->eml_capabilities) ||
2909 				     nla_put_u16(msg,
2910 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2911 						 capab->mld_capa_and_ops)))
2912 					goto nla_put_failure;
2913 
2914 				nla_nest_end(msg, nested_ext_capab);
2915 				if (state->split)
2916 					break;
2917 			}
2918 			nla_nest_end(msg, nested);
2919 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2920 				state->capa_start = i + 1;
2921 				break;
2922 			}
2923 		}
2924 
2925 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2926 				rdev->wiphy.nan_supported_bands))
2927 			goto nla_put_failure;
2928 
2929 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2930 					    NL80211_EXT_FEATURE_TXQS)) {
2931 			struct cfg80211_txq_stats txqstats = {};
2932 			int res;
2933 
2934 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2935 			if (!res &&
2936 			    !nl80211_put_txq_stats(msg, &txqstats,
2937 						   NL80211_ATTR_TXQ_STATS))
2938 				goto nla_put_failure;
2939 
2940 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2941 					rdev->wiphy.txq_limit))
2942 				goto nla_put_failure;
2943 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2944 					rdev->wiphy.txq_memory_limit))
2945 				goto nla_put_failure;
2946 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2947 					rdev->wiphy.txq_quantum))
2948 				goto nla_put_failure;
2949 		}
2950 
2951 		state->split_start++;
2952 		break;
2953 	case 14:
2954 		if (nl80211_send_pmsr_capa(rdev, msg))
2955 			goto nla_put_failure;
2956 
2957 		state->split_start++;
2958 		break;
2959 	case 15:
2960 		if (rdev->wiphy.akm_suites &&
2961 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2962 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2963 			    rdev->wiphy.akm_suites))
2964 			goto nla_put_failure;
2965 
2966 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2967 			goto nla_put_failure;
2968 
2969 		if (nl80211_put_tid_config_support(rdev, msg))
2970 			goto nla_put_failure;
2971 		state->split_start++;
2972 		break;
2973 	case 16:
2974 		if (nl80211_put_sar_specs(rdev, msg))
2975 			goto nla_put_failure;
2976 
2977 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2978 			goto nla_put_failure;
2979 
2980 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2981 				rdev->wiphy.max_num_akm_suites))
2982 			goto nla_put_failure;
2983 
2984 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2985 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2986 
2987 		if (rdev->wiphy.hw_timestamp_max_peers &&
2988 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
2989 				rdev->wiphy.hw_timestamp_max_peers))
2990 			goto nla_put_failure;
2991 
2992 		/* done */
2993 		state->split_start = 0;
2994 		break;
2995 	}
2996  finish:
2997 	genlmsg_end(msg, hdr);
2998 	return 0;
2999 
3000  nla_put_failure:
3001 	genlmsg_cancel(msg, hdr);
3002 	return -EMSGSIZE;
3003 }
3004 
3005 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3006 				    struct netlink_callback *cb,
3007 				    struct nl80211_dump_wiphy_state *state)
3008 {
3009 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3010 	int ret;
3011 
3012 	if (!tb)
3013 		return -ENOMEM;
3014 
3015 	ret = nlmsg_parse_deprecated(cb->nlh,
3016 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3017 				     tb, nl80211_fam.maxattr,
3018 				     nl80211_policy, NULL);
3019 	/* ignore parse errors for backward compatibility */
3020 	if (ret) {
3021 		ret = 0;
3022 		goto out;
3023 	}
3024 
3025 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3026 	if (tb[NL80211_ATTR_WIPHY])
3027 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3028 	if (tb[NL80211_ATTR_WDEV])
3029 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3030 	if (tb[NL80211_ATTR_IFINDEX]) {
3031 		struct net_device *netdev;
3032 		struct cfg80211_registered_device *rdev;
3033 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3034 
3035 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3036 		if (!netdev) {
3037 			ret = -ENODEV;
3038 			goto out;
3039 		}
3040 		if (netdev->ieee80211_ptr) {
3041 			rdev = wiphy_to_rdev(
3042 				netdev->ieee80211_ptr->wiphy);
3043 			state->filter_wiphy = rdev->wiphy_idx;
3044 		}
3045 	}
3046 
3047 	ret = 0;
3048 out:
3049 	kfree(tb);
3050 	return ret;
3051 }
3052 
3053 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3054 {
3055 	int idx = 0, ret;
3056 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3057 	struct cfg80211_registered_device *rdev;
3058 
3059 	rtnl_lock();
3060 	if (!state) {
3061 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3062 		if (!state) {
3063 			rtnl_unlock();
3064 			return -ENOMEM;
3065 		}
3066 		state->filter_wiphy = -1;
3067 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3068 		if (ret) {
3069 			kfree(state);
3070 			rtnl_unlock();
3071 			return ret;
3072 		}
3073 		cb->args[0] = (long)state;
3074 	}
3075 
3076 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3077 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3078 			continue;
3079 		if (++idx <= state->start)
3080 			continue;
3081 		if (state->filter_wiphy != -1 &&
3082 		    state->filter_wiphy != rdev->wiphy_idx)
3083 			continue;
3084 		wiphy_lock(&rdev->wiphy);
3085 		/* attempt to fit multiple wiphy data chunks into the skb */
3086 		do {
3087 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3088 						 skb,
3089 						 NETLINK_CB(cb->skb).portid,
3090 						 cb->nlh->nlmsg_seq,
3091 						 NLM_F_MULTI, state);
3092 			if (ret < 0) {
3093 				/*
3094 				 * If sending the wiphy data didn't fit (ENOBUFS
3095 				 * or EMSGSIZE returned), this SKB is still
3096 				 * empty (so it's not too big because another
3097 				 * wiphy dataset is already in the skb) and
3098 				 * we've not tried to adjust the dump allocation
3099 				 * yet ... then adjust the alloc size to be
3100 				 * bigger, and return 1 but with the empty skb.
3101 				 * This results in an empty message being RX'ed
3102 				 * in userspace, but that is ignored.
3103 				 *
3104 				 * We can then retry with the larger buffer.
3105 				 */
3106 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3107 				    !skb->len && !state->split &&
3108 				    cb->min_dump_alloc < 4096) {
3109 					cb->min_dump_alloc = 4096;
3110 					state->split_start = 0;
3111 					wiphy_unlock(&rdev->wiphy);
3112 					rtnl_unlock();
3113 					return 1;
3114 				}
3115 				idx--;
3116 				break;
3117 			}
3118 		} while (state->split_start > 0);
3119 		wiphy_unlock(&rdev->wiphy);
3120 		break;
3121 	}
3122 	rtnl_unlock();
3123 
3124 	state->start = idx;
3125 
3126 	return skb->len;
3127 }
3128 
3129 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3130 {
3131 	kfree((void *)cb->args[0]);
3132 	return 0;
3133 }
3134 
3135 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3136 {
3137 	struct sk_buff *msg;
3138 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3139 	struct nl80211_dump_wiphy_state state = {};
3140 
3141 	msg = nlmsg_new(4096, GFP_KERNEL);
3142 	if (!msg)
3143 		return -ENOMEM;
3144 
3145 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3146 			       info->snd_portid, info->snd_seq, 0,
3147 			       &state) < 0) {
3148 		nlmsg_free(msg);
3149 		return -ENOBUFS;
3150 	}
3151 
3152 	return genlmsg_reply(msg, info);
3153 }
3154 
3155 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3156 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3157 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3158 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3159 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3160 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3161 };
3162 
3163 static int parse_txq_params(struct nlattr *tb[],
3164 			    struct ieee80211_txq_params *txq_params)
3165 {
3166 	u8 ac;
3167 
3168 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3169 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3170 	    !tb[NL80211_TXQ_ATTR_AIFS])
3171 		return -EINVAL;
3172 
3173 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3174 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3175 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3176 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3177 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3178 
3179 	if (ac >= NL80211_NUM_ACS)
3180 		return -EINVAL;
3181 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3182 	return 0;
3183 }
3184 
3185 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3186 {
3187 	/*
3188 	 * You can only set the channel explicitly for some interfaces,
3189 	 * most have their channel managed via their respective
3190 	 * "establish a connection" command (connect, join, ...)
3191 	 *
3192 	 * For AP/GO and mesh mode, the channel can be set with the
3193 	 * channel userspace API, but is only stored and passed to the
3194 	 * low-level driver when the AP starts or the mesh is joined.
3195 	 * This is for backward compatibility, userspace can also give
3196 	 * the channel in the start-ap or join-mesh commands instead.
3197 	 *
3198 	 * Monitors are special as they are normally slaved to
3199 	 * whatever else is going on, so they have their own special
3200 	 * operation to set the monitor channel if possible.
3201 	 */
3202 	return !wdev ||
3203 		wdev->iftype == NL80211_IFTYPE_AP ||
3204 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3205 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3206 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3207 }
3208 
3209 static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3210 				      struct genl_info *info,
3211 				      const struct cfg80211_chan_def *chandef,
3212 				      u16 *punct_bitmap)
3213 {
3214 	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3215 		return -EINVAL;
3216 
3217 	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3218 	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3219 		return -EINVAL;
3220 
3221 	return 0;
3222 }
3223 
3224 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3225 			  struct genl_info *info,
3226 			  struct cfg80211_chan_def *chandef)
3227 {
3228 	struct netlink_ext_ack *extack = info->extack;
3229 	struct nlattr **attrs = info->attrs;
3230 	u32 control_freq;
3231 
3232 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3233 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3234 				    "Frequency is missing");
3235 		return -EINVAL;
3236 	}
3237 
3238 	control_freq = MHZ_TO_KHZ(
3239 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3240 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3241 		control_freq +=
3242 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3243 
3244 	memset(chandef, 0, sizeof(*chandef));
3245 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3246 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3247 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3248 	chandef->freq1_offset = control_freq % 1000;
3249 	chandef->center_freq2 = 0;
3250 
3251 	/* Primary channel not allowed */
3252 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3253 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3254 				    "Channel is disabled");
3255 		return -EINVAL;
3256 	}
3257 
3258 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3259 		enum nl80211_channel_type chantype;
3260 
3261 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3262 
3263 		switch (chantype) {
3264 		case NL80211_CHAN_NO_HT:
3265 		case NL80211_CHAN_HT20:
3266 		case NL80211_CHAN_HT40PLUS:
3267 		case NL80211_CHAN_HT40MINUS:
3268 			cfg80211_chandef_create(chandef, chandef->chan,
3269 						chantype);
3270 			/* user input for center_freq is incorrect */
3271 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3272 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3273 				NL_SET_ERR_MSG_ATTR(extack,
3274 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3275 						    "bad center frequency 1");
3276 				return -EINVAL;
3277 			}
3278 			/* center_freq2 must be zero */
3279 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3280 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3281 				NL_SET_ERR_MSG_ATTR(extack,
3282 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3283 						    "center frequency 2 can't be used");
3284 				return -EINVAL;
3285 			}
3286 			break;
3287 		default:
3288 			NL_SET_ERR_MSG_ATTR(extack,
3289 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3290 					    "invalid channel type");
3291 			return -EINVAL;
3292 		}
3293 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3294 		chandef->width =
3295 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3296 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3297 			/* User input error for channel width doesn't match channel  */
3298 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3299 				NL_SET_ERR_MSG_ATTR(extack,
3300 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3301 						    "bad channel width");
3302 				return -EINVAL;
3303 			}
3304 		}
3305 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3306 			chandef->center_freq1 =
3307 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3308 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3309 				chandef->freq1_offset = nla_get_u32(
3310 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3311 			else
3312 				chandef->freq1_offset = 0;
3313 		}
3314 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3315 			chandef->center_freq2 =
3316 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3317 	}
3318 
3319 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3320 		chandef->edmg.channels =
3321 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3322 
3323 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3324 			chandef->edmg.bw_config =
3325 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3326 	} else {
3327 		chandef->edmg.bw_config = 0;
3328 		chandef->edmg.channels = 0;
3329 	}
3330 
3331 	if (!cfg80211_chandef_valid(chandef)) {
3332 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3333 		return -EINVAL;
3334 	}
3335 
3336 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3337 				     IEEE80211_CHAN_DISABLED)) {
3338 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3339 		return -EINVAL;
3340 	}
3341 
3342 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3343 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3344 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3345 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3346 		return -EINVAL;
3347 	}
3348 
3349 	return 0;
3350 }
3351 
3352 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3353 				 struct net_device *dev,
3354 				 struct genl_info *info,
3355 				 int _link_id)
3356 {
3357 	struct cfg80211_chan_def chandef;
3358 	int result;
3359 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3360 	struct wireless_dev *wdev = NULL;
3361 	int link_id = _link_id;
3362 
3363 	if (dev)
3364 		wdev = dev->ieee80211_ptr;
3365 	if (!nl80211_can_set_dev_channel(wdev))
3366 		return -EOPNOTSUPP;
3367 	if (wdev)
3368 		iftype = wdev->iftype;
3369 
3370 	if (link_id < 0) {
3371 		if (wdev && wdev->valid_links)
3372 			return -EINVAL;
3373 		link_id = 0;
3374 	}
3375 
3376 	result = nl80211_parse_chandef(rdev, info, &chandef);
3377 	if (result)
3378 		return result;
3379 
3380 	switch (iftype) {
3381 	case NL80211_IFTYPE_AP:
3382 	case NL80211_IFTYPE_P2P_GO:
3383 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3384 						   iftype))
3385 			return -EINVAL;
3386 		if (wdev->links[link_id].ap.beacon_interval) {
3387 			struct ieee80211_channel *cur_chan;
3388 
3389 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3390 			    !(rdev->wiphy.features &
3391 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3392 				return -EBUSY;
3393 
3394 			/* Only allow dynamic channel width changes */
3395 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3396 			if (chandef.chan != cur_chan)
3397 				return -EBUSY;
3398 
3399 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3400 						       &chandef);
3401 			if (result)
3402 				return result;
3403 			wdev->links[link_id].ap.chandef = chandef;
3404 		} else {
3405 			wdev->u.ap.preset_chandef = chandef;
3406 		}
3407 		return 0;
3408 	case NL80211_IFTYPE_MESH_POINT:
3409 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3410 	case NL80211_IFTYPE_MONITOR:
3411 		return cfg80211_set_monitor_channel(rdev, &chandef);
3412 	default:
3413 		break;
3414 	}
3415 
3416 	return -EINVAL;
3417 }
3418 
3419 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3420 {
3421 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3422 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3423 	struct net_device *netdev = info->user_ptr[1];
3424 	int ret;
3425 
3426 	wdev_lock(netdev->ieee80211_ptr);
3427 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3428 	wdev_unlock(netdev->ieee80211_ptr);
3429 
3430 	return ret;
3431 }
3432 
3433 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3434 {
3435 	struct cfg80211_registered_device *rdev = NULL;
3436 	struct net_device *netdev = NULL;
3437 	struct wireless_dev *wdev;
3438 	int result = 0, rem_txq_params = 0;
3439 	struct nlattr *nl_txq_params;
3440 	u32 changed;
3441 	u8 retry_short = 0, retry_long = 0;
3442 	u32 frag_threshold = 0, rts_threshold = 0;
3443 	u8 coverage_class = 0;
3444 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3445 
3446 	rtnl_lock();
3447 	/*
3448 	 * Try to find the wiphy and netdev. Normally this
3449 	 * function shouldn't need the netdev, but this is
3450 	 * done for backward compatibility -- previously
3451 	 * setting the channel was done per wiphy, but now
3452 	 * it is per netdev. Previous userland like hostapd
3453 	 * also passed a netdev to set_wiphy, so that it is
3454 	 * possible to let that go to the right netdev!
3455 	 */
3456 
3457 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3458 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3459 
3460 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3461 		if (netdev && netdev->ieee80211_ptr)
3462 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3463 		else
3464 			netdev = NULL;
3465 	}
3466 
3467 	if (!netdev) {
3468 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3469 						  info->attrs);
3470 		if (IS_ERR(rdev)) {
3471 			rtnl_unlock();
3472 			return PTR_ERR(rdev);
3473 		}
3474 		wdev = NULL;
3475 		netdev = NULL;
3476 		result = 0;
3477 	} else
3478 		wdev = netdev->ieee80211_ptr;
3479 
3480 	wiphy_lock(&rdev->wiphy);
3481 
3482 	/*
3483 	 * end workaround code, by now the rdev is available
3484 	 * and locked, and wdev may or may not be NULL.
3485 	 */
3486 
3487 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3488 		result = cfg80211_dev_rename(
3489 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3490 	rtnl_unlock();
3491 
3492 	if (result)
3493 		goto out;
3494 
3495 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3496 		struct ieee80211_txq_params txq_params;
3497 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3498 
3499 		if (!rdev->ops->set_txq_params) {
3500 			result = -EOPNOTSUPP;
3501 			goto out;
3502 		}
3503 
3504 		if (!netdev) {
3505 			result = -EINVAL;
3506 			goto out;
3507 		}
3508 
3509 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3510 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3511 			result = -EINVAL;
3512 			goto out;
3513 		}
3514 
3515 		if (!netif_running(netdev)) {
3516 			result = -ENETDOWN;
3517 			goto out;
3518 		}
3519 
3520 		nla_for_each_nested(nl_txq_params,
3521 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3522 				    rem_txq_params) {
3523 			result = nla_parse_nested_deprecated(tb,
3524 							     NL80211_TXQ_ATTR_MAX,
3525 							     nl_txq_params,
3526 							     txq_params_policy,
3527 							     info->extack);
3528 			if (result)
3529 				goto out;
3530 			result = parse_txq_params(tb, &txq_params);
3531 			if (result)
3532 				goto out;
3533 
3534 			txq_params.link_id =
3535 				nl80211_link_id_or_invalid(info->attrs);
3536 
3537 			wdev_lock(netdev->ieee80211_ptr);
3538 			if (txq_params.link_id >= 0 &&
3539 			    !(netdev->ieee80211_ptr->valid_links &
3540 			      BIT(txq_params.link_id)))
3541 				result = -ENOLINK;
3542 			else if (txq_params.link_id >= 0 &&
3543 				 !netdev->ieee80211_ptr->valid_links)
3544 				result = -EINVAL;
3545 			else
3546 				result = rdev_set_txq_params(rdev, netdev,
3547 							     &txq_params);
3548 			wdev_unlock(netdev->ieee80211_ptr);
3549 			if (result)
3550 				goto out;
3551 		}
3552 	}
3553 
3554 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3555 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3556 
3557 		if (wdev) {
3558 			wdev_lock(wdev);
3559 			result = __nl80211_set_channel(
3560 				rdev,
3561 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3562 				info, link_id);
3563 			wdev_unlock(wdev);
3564 		} else {
3565 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3566 		}
3567 
3568 		if (result)
3569 			goto out;
3570 	}
3571 
3572 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3573 		struct wireless_dev *txp_wdev = wdev;
3574 		enum nl80211_tx_power_setting type;
3575 		int idx, mbm = 0;
3576 
3577 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3578 			txp_wdev = NULL;
3579 
3580 		if (!rdev->ops->set_tx_power) {
3581 			result = -EOPNOTSUPP;
3582 			goto out;
3583 		}
3584 
3585 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3586 		type = nla_get_u32(info->attrs[idx]);
3587 
3588 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3589 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3590 			result = -EINVAL;
3591 			goto out;
3592 		}
3593 
3594 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3595 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3596 			mbm = nla_get_u32(info->attrs[idx]);
3597 		}
3598 
3599 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3600 		if (result)
3601 			goto out;
3602 	}
3603 
3604 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3605 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3606 		u32 tx_ant, rx_ant;
3607 
3608 		if ((!rdev->wiphy.available_antennas_tx &&
3609 		     !rdev->wiphy.available_antennas_rx) ||
3610 		    !rdev->ops->set_antenna) {
3611 			result = -EOPNOTSUPP;
3612 			goto out;
3613 		}
3614 
3615 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3616 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3617 
3618 		/* reject antenna configurations which don't match the
3619 		 * available antenna masks, except for the "all" mask */
3620 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3621 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3622 			result = -EINVAL;
3623 			goto out;
3624 		}
3625 
3626 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3627 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3628 
3629 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3630 		if (result)
3631 			goto out;
3632 	}
3633 
3634 	changed = 0;
3635 
3636 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3637 		retry_short = nla_get_u8(
3638 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3639 
3640 		changed |= WIPHY_PARAM_RETRY_SHORT;
3641 	}
3642 
3643 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3644 		retry_long = nla_get_u8(
3645 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3646 
3647 		changed |= WIPHY_PARAM_RETRY_LONG;
3648 	}
3649 
3650 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3651 		frag_threshold = nla_get_u32(
3652 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3653 		if (frag_threshold < 256) {
3654 			result = -EINVAL;
3655 			goto out;
3656 		}
3657 
3658 		if (frag_threshold != (u32) -1) {
3659 			/*
3660 			 * Fragments (apart from the last one) are required to
3661 			 * have even length. Make the fragmentation code
3662 			 * simpler by stripping LSB should someone try to use
3663 			 * odd threshold value.
3664 			 */
3665 			frag_threshold &= ~0x1;
3666 		}
3667 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3668 	}
3669 
3670 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3671 		rts_threshold = nla_get_u32(
3672 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3673 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3674 	}
3675 
3676 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3677 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3678 			result = -EINVAL;
3679 			goto out;
3680 		}
3681 
3682 		coverage_class = nla_get_u8(
3683 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3684 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3685 	}
3686 
3687 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3688 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3689 			result = -EOPNOTSUPP;
3690 			goto out;
3691 		}
3692 
3693 		changed |= WIPHY_PARAM_DYN_ACK;
3694 	}
3695 
3696 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3697 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3698 					     NL80211_EXT_FEATURE_TXQS)) {
3699 			result = -EOPNOTSUPP;
3700 			goto out;
3701 		}
3702 		txq_limit = nla_get_u32(
3703 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3704 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3705 	}
3706 
3707 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3708 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3709 					     NL80211_EXT_FEATURE_TXQS)) {
3710 			result = -EOPNOTSUPP;
3711 			goto out;
3712 		}
3713 		txq_memory_limit = nla_get_u32(
3714 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3715 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3716 	}
3717 
3718 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3719 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3720 					     NL80211_EXT_FEATURE_TXQS)) {
3721 			result = -EOPNOTSUPP;
3722 			goto out;
3723 		}
3724 		txq_quantum = nla_get_u32(
3725 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3726 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3727 	}
3728 
3729 	if (changed) {
3730 		u8 old_retry_short, old_retry_long;
3731 		u32 old_frag_threshold, old_rts_threshold;
3732 		u8 old_coverage_class;
3733 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3734 
3735 		if (!rdev->ops->set_wiphy_params) {
3736 			result = -EOPNOTSUPP;
3737 			goto out;
3738 		}
3739 
3740 		old_retry_short = rdev->wiphy.retry_short;
3741 		old_retry_long = rdev->wiphy.retry_long;
3742 		old_frag_threshold = rdev->wiphy.frag_threshold;
3743 		old_rts_threshold = rdev->wiphy.rts_threshold;
3744 		old_coverage_class = rdev->wiphy.coverage_class;
3745 		old_txq_limit = rdev->wiphy.txq_limit;
3746 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3747 		old_txq_quantum = rdev->wiphy.txq_quantum;
3748 
3749 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3750 			rdev->wiphy.retry_short = retry_short;
3751 		if (changed & WIPHY_PARAM_RETRY_LONG)
3752 			rdev->wiphy.retry_long = retry_long;
3753 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3754 			rdev->wiphy.frag_threshold = frag_threshold;
3755 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3756 			rdev->wiphy.rts_threshold = rts_threshold;
3757 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3758 			rdev->wiphy.coverage_class = coverage_class;
3759 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3760 			rdev->wiphy.txq_limit = txq_limit;
3761 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3762 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3763 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3764 			rdev->wiphy.txq_quantum = txq_quantum;
3765 
3766 		result = rdev_set_wiphy_params(rdev, changed);
3767 		if (result) {
3768 			rdev->wiphy.retry_short = old_retry_short;
3769 			rdev->wiphy.retry_long = old_retry_long;
3770 			rdev->wiphy.frag_threshold = old_frag_threshold;
3771 			rdev->wiphy.rts_threshold = old_rts_threshold;
3772 			rdev->wiphy.coverage_class = old_coverage_class;
3773 			rdev->wiphy.txq_limit = old_txq_limit;
3774 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3775 			rdev->wiphy.txq_quantum = old_txq_quantum;
3776 			goto out;
3777 		}
3778 	}
3779 
3780 	result = 0;
3781 
3782 out:
3783 	wiphy_unlock(&rdev->wiphy);
3784 	return result;
3785 }
3786 
3787 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3788 {
3789 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3790 		return -EINVAL;
3791 
3792 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3793 			chandef->chan->center_freq))
3794 		return -ENOBUFS;
3795 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3796 			chandef->chan->freq_offset))
3797 		return -ENOBUFS;
3798 	switch (chandef->width) {
3799 	case NL80211_CHAN_WIDTH_20_NOHT:
3800 	case NL80211_CHAN_WIDTH_20:
3801 	case NL80211_CHAN_WIDTH_40:
3802 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3803 				cfg80211_get_chandef_type(chandef)))
3804 			return -ENOBUFS;
3805 		break;
3806 	default:
3807 		break;
3808 	}
3809 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3810 		return -ENOBUFS;
3811 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3812 		return -ENOBUFS;
3813 	if (chandef->center_freq2 &&
3814 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3815 		return -ENOBUFS;
3816 	return 0;
3817 }
3818 EXPORT_SYMBOL(nl80211_send_chandef);
3819 
3820 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3821 			      struct cfg80211_registered_device *rdev,
3822 			      struct wireless_dev *wdev,
3823 			      enum nl80211_commands cmd)
3824 {
3825 	struct net_device *dev = wdev->netdev;
3826 	void *hdr;
3827 
3828 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3829 		cmd != NL80211_CMD_DEL_INTERFACE &&
3830 		cmd != NL80211_CMD_SET_INTERFACE);
3831 
3832 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3833 	if (!hdr)
3834 		return -1;
3835 
3836 	if (dev &&
3837 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3838 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3839 		goto nla_put_failure;
3840 
3841 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3842 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3843 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3844 			      NL80211_ATTR_PAD) ||
3845 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3846 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3847 			rdev->devlist_generation ^
3848 			(cfg80211_rdev_list_generation << 2)) ||
3849 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3850 		goto nla_put_failure;
3851 
3852 	if (rdev->ops->get_channel && !wdev->valid_links) {
3853 		struct cfg80211_chan_def chandef = {};
3854 		int ret;
3855 
3856 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3857 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3858 			goto nla_put_failure;
3859 	}
3860 
3861 	if (rdev->ops->get_tx_power) {
3862 		int dbm, ret;
3863 
3864 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3865 		if (ret == 0 &&
3866 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3867 				DBM_TO_MBM(dbm)))
3868 			goto nla_put_failure;
3869 	}
3870 
3871 	wdev_lock(wdev);
3872 	switch (wdev->iftype) {
3873 	case NL80211_IFTYPE_AP:
3874 	case NL80211_IFTYPE_P2P_GO:
3875 		if (wdev->u.ap.ssid_len &&
3876 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3877 			    wdev->u.ap.ssid))
3878 			goto nla_put_failure_locked;
3879 		break;
3880 	case NL80211_IFTYPE_STATION:
3881 	case NL80211_IFTYPE_P2P_CLIENT:
3882 		if (wdev->u.client.ssid_len &&
3883 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3884 			    wdev->u.client.ssid))
3885 			goto nla_put_failure_locked;
3886 		break;
3887 	case NL80211_IFTYPE_ADHOC:
3888 		if (wdev->u.ibss.ssid_len &&
3889 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3890 			    wdev->u.ibss.ssid))
3891 			goto nla_put_failure_locked;
3892 		break;
3893 	default:
3894 		/* nothing */
3895 		break;
3896 	}
3897 	wdev_unlock(wdev);
3898 
3899 	if (rdev->ops->get_txq_stats) {
3900 		struct cfg80211_txq_stats txqstats = {};
3901 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3902 
3903 		if (ret == 0 &&
3904 		    !nl80211_put_txq_stats(msg, &txqstats,
3905 					   NL80211_ATTR_TXQ_STATS))
3906 			goto nla_put_failure;
3907 	}
3908 
3909 	if (wdev->valid_links) {
3910 		unsigned int link_id;
3911 		struct nlattr *links = nla_nest_start(msg,
3912 						      NL80211_ATTR_MLO_LINKS);
3913 
3914 		if (!links)
3915 			goto nla_put_failure;
3916 
3917 		for_each_valid_link(wdev, link_id) {
3918 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3919 			struct cfg80211_chan_def chandef = {};
3920 			int ret;
3921 
3922 			if (!link)
3923 				goto nla_put_failure;
3924 
3925 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3926 				goto nla_put_failure;
3927 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3928 				    wdev->links[link_id].addr))
3929 				goto nla_put_failure;
3930 
3931 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3932 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3933 				goto nla_put_failure;
3934 
3935 			nla_nest_end(msg, link);
3936 		}
3937 
3938 		nla_nest_end(msg, links);
3939 	}
3940 
3941 	genlmsg_end(msg, hdr);
3942 	return 0;
3943 
3944  nla_put_failure_locked:
3945 	wdev_unlock(wdev);
3946  nla_put_failure:
3947 	genlmsg_cancel(msg, hdr);
3948 	return -EMSGSIZE;
3949 }
3950 
3951 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3952 {
3953 	int wp_idx = 0;
3954 	int if_idx = 0;
3955 	int wp_start = cb->args[0];
3956 	int if_start = cb->args[1];
3957 	int filter_wiphy = -1;
3958 	struct cfg80211_registered_device *rdev;
3959 	struct wireless_dev *wdev;
3960 	int ret;
3961 
3962 	rtnl_lock();
3963 	if (!cb->args[2]) {
3964 		struct nl80211_dump_wiphy_state state = {
3965 			.filter_wiphy = -1,
3966 		};
3967 
3968 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3969 		if (ret)
3970 			goto out_unlock;
3971 
3972 		filter_wiphy = state.filter_wiphy;
3973 
3974 		/*
3975 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3976 		 * value needed to determine that parsing is necessary.
3977 		 */
3978 		if (filter_wiphy >= 0)
3979 			cb->args[2] = filter_wiphy + 1;
3980 		else
3981 			cb->args[2] = -1;
3982 	} else if (cb->args[2] > 0) {
3983 		filter_wiphy = cb->args[2] - 1;
3984 	}
3985 
3986 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3987 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3988 			continue;
3989 		if (wp_idx < wp_start) {
3990 			wp_idx++;
3991 			continue;
3992 		}
3993 
3994 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3995 			continue;
3996 
3997 		if_idx = 0;
3998 
3999 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4000 			if (if_idx < if_start) {
4001 				if_idx++;
4002 				continue;
4003 			}
4004 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4005 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4006 					       rdev, wdev,
4007 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4008 				goto out;
4009 			}
4010 			if_idx++;
4011 		}
4012 
4013 		wp_idx++;
4014 	}
4015  out:
4016 	cb->args[0] = wp_idx;
4017 	cb->args[1] = if_idx;
4018 
4019 	ret = skb->len;
4020  out_unlock:
4021 	rtnl_unlock();
4022 
4023 	return ret;
4024 }
4025 
4026 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4027 {
4028 	struct sk_buff *msg;
4029 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4030 	struct wireless_dev *wdev = info->user_ptr[1];
4031 
4032 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4033 	if (!msg)
4034 		return -ENOMEM;
4035 
4036 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4037 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4038 		nlmsg_free(msg);
4039 		return -ENOBUFS;
4040 	}
4041 
4042 	return genlmsg_reply(msg, info);
4043 }
4044 
4045 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4046 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4047 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4048 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4049 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4050 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4051 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4052 };
4053 
4054 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4055 {
4056 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4057 	int flag;
4058 
4059 	*mntrflags = 0;
4060 
4061 	if (!nla)
4062 		return -EINVAL;
4063 
4064 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4065 		return -EINVAL;
4066 
4067 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4068 		if (flags[flag])
4069 			*mntrflags |= (1<<flag);
4070 
4071 	*mntrflags |= MONITOR_FLAG_CHANGED;
4072 
4073 	return 0;
4074 }
4075 
4076 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4077 				     enum nl80211_iftype type,
4078 				     struct genl_info *info,
4079 				     struct vif_params *params)
4080 {
4081 	bool change = false;
4082 	int err;
4083 
4084 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4085 		if (type != NL80211_IFTYPE_MONITOR)
4086 			return -EINVAL;
4087 
4088 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4089 					  &params->flags);
4090 		if (err)
4091 			return err;
4092 
4093 		change = true;
4094 	}
4095 
4096 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4097 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4098 		return -EOPNOTSUPP;
4099 
4100 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4101 		const u8 *mumimo_groups;
4102 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4103 
4104 		if (type != NL80211_IFTYPE_MONITOR)
4105 			return -EINVAL;
4106 
4107 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4108 			return -EOPNOTSUPP;
4109 
4110 		mumimo_groups =
4111 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4112 
4113 		/* bits 0 and 63 are reserved and must be zero */
4114 		if ((mumimo_groups[0] & BIT(0)) ||
4115 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4116 			return -EINVAL;
4117 
4118 		params->vht_mumimo_groups = mumimo_groups;
4119 		change = true;
4120 	}
4121 
4122 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4123 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4124 
4125 		if (type != NL80211_IFTYPE_MONITOR)
4126 			return -EINVAL;
4127 
4128 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4129 			return -EOPNOTSUPP;
4130 
4131 		params->vht_mumimo_follow_addr =
4132 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4133 		change = true;
4134 	}
4135 
4136 	return change ? 1 : 0;
4137 }
4138 
4139 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4140 			       struct net_device *netdev, u8 use_4addr,
4141 			       enum nl80211_iftype iftype)
4142 {
4143 	if (!use_4addr) {
4144 		if (netdev && netif_is_bridge_port(netdev))
4145 			return -EBUSY;
4146 		return 0;
4147 	}
4148 
4149 	switch (iftype) {
4150 	case NL80211_IFTYPE_AP_VLAN:
4151 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4152 			return 0;
4153 		break;
4154 	case NL80211_IFTYPE_STATION:
4155 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4156 			return 0;
4157 		break;
4158 	default:
4159 		break;
4160 	}
4161 
4162 	return -EOPNOTSUPP;
4163 }
4164 
4165 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4166 {
4167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4168 	struct vif_params params;
4169 	int err;
4170 	enum nl80211_iftype otype, ntype;
4171 	struct net_device *dev = info->user_ptr[1];
4172 	bool change = false;
4173 
4174 	memset(&params, 0, sizeof(params));
4175 
4176 	otype = ntype = dev->ieee80211_ptr->iftype;
4177 
4178 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4179 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4180 		if (otype != ntype)
4181 			change = true;
4182 	}
4183 
4184 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4185 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4186 
4187 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4188 			return -EINVAL;
4189 		if (netif_running(dev))
4190 			return -EBUSY;
4191 
4192 		wdev_lock(wdev);
4193 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4194 			     IEEE80211_MAX_MESH_ID_LEN);
4195 		wdev->u.mesh.id_up_len =
4196 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4197 		memcpy(wdev->u.mesh.id,
4198 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4199 		       wdev->u.mesh.id_up_len);
4200 		wdev_unlock(wdev);
4201 	}
4202 
4203 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4204 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4205 		change = true;
4206 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4207 		if (err)
4208 			return err;
4209 	} else {
4210 		params.use_4addr = -1;
4211 	}
4212 
4213 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4214 	if (err < 0)
4215 		return err;
4216 	if (err > 0)
4217 		change = true;
4218 
4219 	if (change)
4220 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4221 	else
4222 		err = 0;
4223 
4224 	if (!err && params.use_4addr != -1)
4225 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4226 
4227 	if (change && !err) {
4228 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4229 
4230 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4231 	}
4232 
4233 	return err;
4234 }
4235 
4236 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4237 {
4238 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4239 	struct vif_params params;
4240 	struct wireless_dev *wdev;
4241 	struct sk_buff *msg;
4242 	int err;
4243 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4244 
4245 	memset(&params, 0, sizeof(params));
4246 
4247 	if (!info->attrs[NL80211_ATTR_IFNAME])
4248 		return -EINVAL;
4249 
4250 	if (info->attrs[NL80211_ATTR_IFTYPE])
4251 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4252 
4253 	if (!rdev->ops->add_virtual_intf)
4254 		return -EOPNOTSUPP;
4255 
4256 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4257 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4258 	    info->attrs[NL80211_ATTR_MAC]) {
4259 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4260 			   ETH_ALEN);
4261 		if (!is_valid_ether_addr(params.macaddr))
4262 			return -EADDRNOTAVAIL;
4263 	}
4264 
4265 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4266 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4267 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4268 		if (err)
4269 			return err;
4270 	}
4271 
4272 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4273 		return -EOPNOTSUPP;
4274 
4275 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4276 	if (err < 0)
4277 		return err;
4278 
4279 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4280 	if (!msg)
4281 		return -ENOMEM;
4282 
4283 	wdev = rdev_add_virtual_intf(rdev,
4284 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4285 				NET_NAME_USER, type, &params);
4286 	if (WARN_ON(!wdev)) {
4287 		nlmsg_free(msg);
4288 		return -EPROTO;
4289 	} else if (IS_ERR(wdev)) {
4290 		nlmsg_free(msg);
4291 		return PTR_ERR(wdev);
4292 	}
4293 
4294 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4295 		wdev->owner_nlportid = info->snd_portid;
4296 
4297 	switch (type) {
4298 	case NL80211_IFTYPE_MESH_POINT:
4299 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4300 			break;
4301 		wdev_lock(wdev);
4302 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4303 			     IEEE80211_MAX_MESH_ID_LEN);
4304 		wdev->u.mesh.id_up_len =
4305 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4306 		memcpy(wdev->u.mesh.id,
4307 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4308 		       wdev->u.mesh.id_up_len);
4309 		wdev_unlock(wdev);
4310 		break;
4311 	case NL80211_IFTYPE_NAN:
4312 	case NL80211_IFTYPE_P2P_DEVICE:
4313 		/*
4314 		 * P2P Device and NAN do not have a netdev, so don't go
4315 		 * through the netdev notifier and must be added here
4316 		 */
4317 		cfg80211_init_wdev(wdev);
4318 		cfg80211_register_wdev(rdev, wdev);
4319 		break;
4320 	default:
4321 		break;
4322 	}
4323 
4324 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4325 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4326 		nlmsg_free(msg);
4327 		return -ENOBUFS;
4328 	}
4329 
4330 	return genlmsg_reply(msg, info);
4331 }
4332 
4333 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4334 {
4335 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4336 	int ret;
4337 
4338 	/* to avoid failing a new interface creation due to pending removal */
4339 	cfg80211_destroy_ifaces(rdev);
4340 
4341 	wiphy_lock(&rdev->wiphy);
4342 	ret = _nl80211_new_interface(skb, info);
4343 	wiphy_unlock(&rdev->wiphy);
4344 
4345 	return ret;
4346 }
4347 
4348 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4349 {
4350 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4351 	struct wireless_dev *wdev = info->user_ptr[1];
4352 
4353 	if (!rdev->ops->del_virtual_intf)
4354 		return -EOPNOTSUPP;
4355 
4356 	/*
4357 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4358 	 * reach 0, and thus the rdev cannot be deleted.
4359 	 *
4360 	 * We need to do it for the dev_close(), since that will call
4361 	 * the netdev notifiers, and we need to acquire the mutex there
4362 	 * but don't know if we get there from here or from some other
4363 	 * place (e.g. "ip link set ... down").
4364 	 */
4365 	mutex_unlock(&rdev->wiphy.mtx);
4366 
4367 	/*
4368 	 * If we remove a wireless device without a netdev then clear
4369 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4370 	 * to check if it needs to do dev_put(). Otherwise it crashes
4371 	 * since the wdev has been freed, unlike with a netdev where
4372 	 * we need the dev_put() for the netdev to really be freed.
4373 	 */
4374 	if (!wdev->netdev)
4375 		info->user_ptr[1] = NULL;
4376 	else
4377 		dev_close(wdev->netdev);
4378 
4379 	mutex_lock(&rdev->wiphy.mtx);
4380 
4381 	return cfg80211_remove_virtual_intf(rdev, wdev);
4382 }
4383 
4384 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4385 {
4386 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4387 	struct net_device *dev = info->user_ptr[1];
4388 	u16 noack_map;
4389 
4390 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4391 		return -EINVAL;
4392 
4393 	if (!rdev->ops->set_noack_map)
4394 		return -EOPNOTSUPP;
4395 
4396 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4397 
4398 	return rdev_set_noack_map(rdev, dev, noack_map);
4399 }
4400 
4401 static int nl80211_validate_key_link_id(struct genl_info *info,
4402 					struct wireless_dev *wdev,
4403 					int link_id, bool pairwise)
4404 {
4405 	if (pairwise) {
4406 		if (link_id != -1) {
4407 			GENL_SET_ERR_MSG(info,
4408 					 "link ID not allowed for pairwise key");
4409 			return -EINVAL;
4410 		}
4411 
4412 		return 0;
4413 	}
4414 
4415 	if (wdev->valid_links) {
4416 		if (link_id == -1) {
4417 			GENL_SET_ERR_MSG(info,
4418 					 "link ID must for MLO group key");
4419 			return -EINVAL;
4420 		}
4421 		if (!(wdev->valid_links & BIT(link_id))) {
4422 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4423 			return -EINVAL;
4424 		}
4425 	} else if (link_id != -1) {
4426 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4427 		return -EINVAL;
4428 	}
4429 
4430 	return 0;
4431 }
4432 
4433 struct get_key_cookie {
4434 	struct sk_buff *msg;
4435 	int error;
4436 	int idx;
4437 };
4438 
4439 static void get_key_callback(void *c, struct key_params *params)
4440 {
4441 	struct nlattr *key;
4442 	struct get_key_cookie *cookie = c;
4443 
4444 	if ((params->key &&
4445 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4446 		     params->key_len, params->key)) ||
4447 	    (params->seq &&
4448 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4449 		     params->seq_len, params->seq)) ||
4450 	    (params->cipher &&
4451 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4452 			 params->cipher)))
4453 		goto nla_put_failure;
4454 
4455 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4456 	if (!key)
4457 		goto nla_put_failure;
4458 
4459 	if ((params->key &&
4460 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4461 		     params->key_len, params->key)) ||
4462 	    (params->seq &&
4463 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4464 		     params->seq_len, params->seq)) ||
4465 	    (params->cipher &&
4466 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4467 			 params->cipher)))
4468 		goto nla_put_failure;
4469 
4470 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4471 		goto nla_put_failure;
4472 
4473 	nla_nest_end(cookie->msg, key);
4474 
4475 	return;
4476  nla_put_failure:
4477 	cookie->error = 1;
4478 }
4479 
4480 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4481 {
4482 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4483 	int err;
4484 	struct net_device *dev = info->user_ptr[1];
4485 	u8 key_idx = 0;
4486 	const u8 *mac_addr = NULL;
4487 	bool pairwise;
4488 	struct get_key_cookie cookie = {
4489 		.error = 0,
4490 	};
4491 	void *hdr;
4492 	struct sk_buff *msg;
4493 	bool bigtk_support = false;
4494 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4495 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4496 
4497 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4498 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4499 		bigtk_support = true;
4500 
4501 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4502 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4503 	    wiphy_ext_feature_isset(&rdev->wiphy,
4504 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4505 		bigtk_support = true;
4506 
4507 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4508 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4509 
4510 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4511 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4512 			return -EINVAL;
4513 		}
4514 	}
4515 
4516 	if (info->attrs[NL80211_ATTR_MAC])
4517 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4518 
4519 	pairwise = !!mac_addr;
4520 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4521 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4522 
4523 		if (kt != NL80211_KEYTYPE_GROUP &&
4524 		    kt != NL80211_KEYTYPE_PAIRWISE)
4525 			return -EINVAL;
4526 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4527 	}
4528 
4529 	if (!rdev->ops->get_key)
4530 		return -EOPNOTSUPP;
4531 
4532 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4533 		return -ENOENT;
4534 
4535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4536 	if (!msg)
4537 		return -ENOMEM;
4538 
4539 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4540 			     NL80211_CMD_NEW_KEY);
4541 	if (!hdr)
4542 		goto nla_put_failure;
4543 
4544 	cookie.msg = msg;
4545 	cookie.idx = key_idx;
4546 
4547 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4548 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4549 		goto nla_put_failure;
4550 	if (mac_addr &&
4551 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4552 		goto nla_put_failure;
4553 
4554 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4555 	if (err)
4556 		goto free_msg;
4557 
4558 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4559 			   &cookie, get_key_callback);
4560 
4561 	if (err)
4562 		goto free_msg;
4563 
4564 	if (cookie.error)
4565 		goto nla_put_failure;
4566 
4567 	genlmsg_end(msg, hdr);
4568 	return genlmsg_reply(msg, info);
4569 
4570  nla_put_failure:
4571 	err = -ENOBUFS;
4572  free_msg:
4573 	nlmsg_free(msg);
4574 	return err;
4575 }
4576 
4577 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4578 {
4579 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4580 	struct key_parse key;
4581 	int err;
4582 	struct net_device *dev = info->user_ptr[1];
4583 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4584 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4585 
4586 	err = nl80211_parse_key(info, &key);
4587 	if (err)
4588 		return err;
4589 
4590 	if (key.idx < 0)
4591 		return -EINVAL;
4592 
4593 	/* Only support setting default key and
4594 	 * Extended Key ID action NL80211_KEY_SET_TX.
4595 	 */
4596 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4597 	    !(key.p.mode == NL80211_KEY_SET_TX))
4598 		return -EINVAL;
4599 
4600 	wdev_lock(wdev);
4601 
4602 	if (key.def) {
4603 		if (!rdev->ops->set_default_key) {
4604 			err = -EOPNOTSUPP;
4605 			goto out;
4606 		}
4607 
4608 		err = nl80211_key_allowed(wdev);
4609 		if (err)
4610 			goto out;
4611 
4612 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4613 		if (err)
4614 			goto out;
4615 
4616 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4617 					   key.def_uni, key.def_multi);
4618 
4619 		if (err)
4620 			goto out;
4621 
4622 #ifdef CONFIG_CFG80211_WEXT
4623 		wdev->wext.default_key = key.idx;
4624 #endif
4625 	} else if (key.defmgmt) {
4626 		if (key.def_uni || !key.def_multi) {
4627 			err = -EINVAL;
4628 			goto out;
4629 		}
4630 
4631 		if (!rdev->ops->set_default_mgmt_key) {
4632 			err = -EOPNOTSUPP;
4633 			goto out;
4634 		}
4635 
4636 		err = nl80211_key_allowed(wdev);
4637 		if (err)
4638 			goto out;
4639 
4640 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4641 		if (err)
4642 			goto out;
4643 
4644 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4645 		if (err)
4646 			goto out;
4647 
4648 #ifdef CONFIG_CFG80211_WEXT
4649 		wdev->wext.default_mgmt_key = key.idx;
4650 #endif
4651 	} else if (key.defbeacon) {
4652 		if (key.def_uni || !key.def_multi) {
4653 			err = -EINVAL;
4654 			goto out;
4655 		}
4656 
4657 		if (!rdev->ops->set_default_beacon_key) {
4658 			err = -EOPNOTSUPP;
4659 			goto out;
4660 		}
4661 
4662 		err = nl80211_key_allowed(wdev);
4663 		if (err)
4664 			goto out;
4665 
4666 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4667 		if (err)
4668 			goto out;
4669 
4670 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4671 		if (err)
4672 			goto out;
4673 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4674 		   wiphy_ext_feature_isset(&rdev->wiphy,
4675 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4676 		u8 *mac_addr = NULL;
4677 
4678 		if (info->attrs[NL80211_ATTR_MAC])
4679 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4680 
4681 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4682 			err = -EINVAL;
4683 			goto out;
4684 		}
4685 
4686 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4687 		if (err)
4688 			goto out;
4689 
4690 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4691 				   NL80211_KEYTYPE_PAIRWISE,
4692 				   mac_addr, &key.p);
4693 	} else {
4694 		err = -EINVAL;
4695 	}
4696  out:
4697 	wdev_unlock(wdev);
4698 
4699 	return err;
4700 }
4701 
4702 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4703 {
4704 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4705 	int err;
4706 	struct net_device *dev = info->user_ptr[1];
4707 	struct key_parse key;
4708 	const u8 *mac_addr = NULL;
4709 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4710 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4711 
4712 	err = nl80211_parse_key(info, &key);
4713 	if (err)
4714 		return err;
4715 
4716 	if (!key.p.key) {
4717 		GENL_SET_ERR_MSG(info, "no key");
4718 		return -EINVAL;
4719 	}
4720 
4721 	if (info->attrs[NL80211_ATTR_MAC])
4722 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4723 
4724 	if (key.type == -1) {
4725 		if (mac_addr)
4726 			key.type = NL80211_KEYTYPE_PAIRWISE;
4727 		else
4728 			key.type = NL80211_KEYTYPE_GROUP;
4729 	}
4730 
4731 	/* for now */
4732 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4733 	    key.type != NL80211_KEYTYPE_GROUP) {
4734 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4735 		return -EINVAL;
4736 	}
4737 
4738 	if (key.type == NL80211_KEYTYPE_GROUP &&
4739 	    info->attrs[NL80211_ATTR_VLAN_ID])
4740 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4741 
4742 	if (!rdev->ops->add_key)
4743 		return -EOPNOTSUPP;
4744 
4745 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4746 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4747 					   mac_addr)) {
4748 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4749 		return -EINVAL;
4750 	}
4751 
4752 	wdev_lock(wdev);
4753 	err = nl80211_key_allowed(wdev);
4754 	if (err)
4755 		GENL_SET_ERR_MSG(info, "key not allowed");
4756 
4757 	if (!err)
4758 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4759 				key.type == NL80211_KEYTYPE_PAIRWISE);
4760 
4761 	if (!err) {
4762 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4763 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4764 				    mac_addr, &key.p);
4765 		if (err)
4766 			GENL_SET_ERR_MSG(info, "key addition failed");
4767 	}
4768 	wdev_unlock(wdev);
4769 
4770 	return err;
4771 }
4772 
4773 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4774 {
4775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4776 	int err;
4777 	struct net_device *dev = info->user_ptr[1];
4778 	u8 *mac_addr = NULL;
4779 	struct key_parse key;
4780 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4781 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4782 
4783 	err = nl80211_parse_key(info, &key);
4784 	if (err)
4785 		return err;
4786 
4787 	if (info->attrs[NL80211_ATTR_MAC])
4788 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4789 
4790 	if (key.type == -1) {
4791 		if (mac_addr)
4792 			key.type = NL80211_KEYTYPE_PAIRWISE;
4793 		else
4794 			key.type = NL80211_KEYTYPE_GROUP;
4795 	}
4796 
4797 	/* for now */
4798 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4799 	    key.type != NL80211_KEYTYPE_GROUP)
4800 		return -EINVAL;
4801 
4802 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4803 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4804 		return -EINVAL;
4805 
4806 	if (!rdev->ops->del_key)
4807 		return -EOPNOTSUPP;
4808 
4809 	wdev_lock(wdev);
4810 	err = nl80211_key_allowed(wdev);
4811 
4812 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4813 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4814 		err = -ENOENT;
4815 
4816 	if (!err)
4817 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4818 				key.type == NL80211_KEYTYPE_PAIRWISE);
4819 
4820 	if (!err)
4821 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4822 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4823 				   mac_addr);
4824 
4825 #ifdef CONFIG_CFG80211_WEXT
4826 	if (!err) {
4827 		if (key.idx == wdev->wext.default_key)
4828 			wdev->wext.default_key = -1;
4829 		else if (key.idx == wdev->wext.default_mgmt_key)
4830 			wdev->wext.default_mgmt_key = -1;
4831 	}
4832 #endif
4833 	wdev_unlock(wdev);
4834 
4835 	return err;
4836 }
4837 
4838 /* This function returns an error or the number of nested attributes */
4839 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4840 {
4841 	struct nlattr *attr;
4842 	int n_entries = 0, tmp;
4843 
4844 	nla_for_each_nested(attr, nl_attr, tmp) {
4845 		if (nla_len(attr) != ETH_ALEN)
4846 			return -EINVAL;
4847 
4848 		n_entries++;
4849 	}
4850 
4851 	return n_entries;
4852 }
4853 
4854 /*
4855  * This function parses ACL information and allocates memory for ACL data.
4856  * On successful return, the calling function is responsible to free the
4857  * ACL buffer returned by this function.
4858  */
4859 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4860 						struct genl_info *info)
4861 {
4862 	enum nl80211_acl_policy acl_policy;
4863 	struct nlattr *attr;
4864 	struct cfg80211_acl_data *acl;
4865 	int i = 0, n_entries, tmp;
4866 
4867 	if (!wiphy->max_acl_mac_addrs)
4868 		return ERR_PTR(-EOPNOTSUPP);
4869 
4870 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4871 		return ERR_PTR(-EINVAL);
4872 
4873 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4874 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4875 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4876 		return ERR_PTR(-EINVAL);
4877 
4878 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4879 		return ERR_PTR(-EINVAL);
4880 
4881 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4882 	if (n_entries < 0)
4883 		return ERR_PTR(n_entries);
4884 
4885 	if (n_entries > wiphy->max_acl_mac_addrs)
4886 		return ERR_PTR(-ENOTSUPP);
4887 
4888 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4889 	if (!acl)
4890 		return ERR_PTR(-ENOMEM);
4891 
4892 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4893 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4894 		i++;
4895 	}
4896 
4897 	acl->n_acl_entries = n_entries;
4898 	acl->acl_policy = acl_policy;
4899 
4900 	return acl;
4901 }
4902 
4903 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4904 {
4905 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4906 	struct net_device *dev = info->user_ptr[1];
4907 	struct cfg80211_acl_data *acl;
4908 	int err;
4909 
4910 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4911 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4912 		return -EOPNOTSUPP;
4913 
4914 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4915 		return -EINVAL;
4916 
4917 	acl = parse_acl_data(&rdev->wiphy, info);
4918 	if (IS_ERR(acl))
4919 		return PTR_ERR(acl);
4920 
4921 	err = rdev_set_mac_acl(rdev, dev, acl);
4922 
4923 	kfree(acl);
4924 
4925 	return err;
4926 }
4927 
4928 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4929 			   u8 *rates, u8 rates_len)
4930 {
4931 	u8 i;
4932 	u32 mask = 0;
4933 
4934 	for (i = 0; i < rates_len; i++) {
4935 		int rate = (rates[i] & 0x7f) * 5;
4936 		int ridx;
4937 
4938 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4939 			struct ieee80211_rate *srate =
4940 				&sband->bitrates[ridx];
4941 			if (rate == srate->bitrate) {
4942 				mask |= 1 << ridx;
4943 				break;
4944 			}
4945 		}
4946 		if (ridx == sband->n_bitrates)
4947 			return 0; /* rate not found */
4948 	}
4949 
4950 	return mask;
4951 }
4952 
4953 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4954 			       u8 *rates, u8 rates_len,
4955 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4956 {
4957 	u8 i;
4958 
4959 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4960 
4961 	for (i = 0; i < rates_len; i++) {
4962 		int ridx, rbit;
4963 
4964 		ridx = rates[i] / 8;
4965 		rbit = BIT(rates[i] % 8);
4966 
4967 		/* check validity */
4968 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4969 			return false;
4970 
4971 		/* check availability */
4972 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4973 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4974 			mcs[ridx] |= rbit;
4975 		else
4976 			return false;
4977 	}
4978 
4979 	return true;
4980 }
4981 
4982 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4983 {
4984 	u16 mcs_mask = 0;
4985 
4986 	switch (vht_mcs_map) {
4987 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4988 		break;
4989 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4990 		mcs_mask = 0x00FF;
4991 		break;
4992 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4993 		mcs_mask = 0x01FF;
4994 		break;
4995 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4996 		mcs_mask = 0x03FF;
4997 		break;
4998 	default:
4999 		break;
5000 	}
5001 
5002 	return mcs_mask;
5003 }
5004 
5005 static void vht_build_mcs_mask(u16 vht_mcs_map,
5006 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5007 {
5008 	u8 nss;
5009 
5010 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5011 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5012 		vht_mcs_map >>= 2;
5013 	}
5014 }
5015 
5016 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5017 			     struct nl80211_txrate_vht *txrate,
5018 			     u16 mcs[NL80211_VHT_NSS_MAX])
5019 {
5020 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5021 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5022 	u8 i;
5023 
5024 	if (!sband->vht_cap.vht_supported)
5025 		return false;
5026 
5027 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5028 
5029 	/* Build vht_mcs_mask from VHT capabilities */
5030 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5031 
5032 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5033 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5034 			mcs[i] = txrate->mcs[i];
5035 		else
5036 			return false;
5037 	}
5038 
5039 	return true;
5040 }
5041 
5042 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5043 {
5044 	switch (he_mcs_map) {
5045 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5046 		return 0;
5047 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5048 		return 0x00FF;
5049 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5050 		return 0x03FF;
5051 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5052 		return 0xFFF;
5053 	default:
5054 		break;
5055 	}
5056 	return 0;
5057 }
5058 
5059 static void he_build_mcs_mask(u16 he_mcs_map,
5060 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5061 {
5062 	u8 nss;
5063 
5064 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5065 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5066 		he_mcs_map >>= 2;
5067 	}
5068 }
5069 
5070 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5071 			   const struct ieee80211_sta_he_cap *he_cap)
5072 {
5073 	struct net_device *dev = info->user_ptr[1];
5074 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5075 	struct cfg80211_chan_def *chandef;
5076 	__le16 tx_mcs;
5077 
5078 	chandef = wdev_chandef(wdev, link_id);
5079 	if (!chandef) {
5080 		/*
5081 		 * This is probably broken, but we never maintained
5082 		 * a chandef in these cases, so it always was.
5083 		 */
5084 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5085 	}
5086 
5087 	switch (chandef->width) {
5088 	case NL80211_CHAN_WIDTH_80P80:
5089 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5090 		break;
5091 	case NL80211_CHAN_WIDTH_160:
5092 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5093 		break;
5094 	default:
5095 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5096 		break;
5097 	}
5098 
5099 	return le16_to_cpu(tx_mcs);
5100 }
5101 
5102 static bool he_set_mcs_mask(struct genl_info *info,
5103 			    struct wireless_dev *wdev,
5104 			    struct ieee80211_supported_band *sband,
5105 			    struct nl80211_txrate_he *txrate,
5106 			    u16 mcs[NL80211_HE_NSS_MAX],
5107 			    unsigned int link_id)
5108 {
5109 	const struct ieee80211_sta_he_cap *he_cap;
5110 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5111 	u16 tx_mcs_map = 0;
5112 	u8 i;
5113 
5114 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5115 	if (!he_cap)
5116 		return false;
5117 
5118 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5119 
5120 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5121 
5122 	/* Build he_mcs_mask from HE capabilities */
5123 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5124 
5125 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5126 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5127 			mcs[i] = txrate->mcs[i];
5128 		else
5129 			return false;
5130 	}
5131 
5132 	return true;
5133 }
5134 
5135 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5136 					 struct nlattr *attrs[],
5137 					 enum nl80211_attrs attr,
5138 					 struct cfg80211_bitrate_mask *mask,
5139 					 struct net_device *dev,
5140 					 bool default_all_enabled,
5141 					 unsigned int link_id)
5142 {
5143 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5144 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5145 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5146 	int rem, i;
5147 	struct nlattr *tx_rates;
5148 	struct ieee80211_supported_band *sband;
5149 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5150 
5151 	memset(mask, 0, sizeof(*mask));
5152 	/* Default to all rates enabled */
5153 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5154 		const struct ieee80211_sta_he_cap *he_cap;
5155 
5156 		if (!default_all_enabled)
5157 			break;
5158 
5159 		sband = rdev->wiphy.bands[i];
5160 
5161 		if (!sband)
5162 			continue;
5163 
5164 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5165 		memcpy(mask->control[i].ht_mcs,
5166 		       sband->ht_cap.mcs.rx_mask,
5167 		       sizeof(mask->control[i].ht_mcs));
5168 
5169 		if (sband->vht_cap.vht_supported) {
5170 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5171 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5172 		}
5173 
5174 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5175 		if (!he_cap)
5176 			continue;
5177 
5178 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5179 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5180 
5181 		mask->control[i].he_gi = 0xFF;
5182 		mask->control[i].he_ltf = 0xFF;
5183 	}
5184 
5185 	/* if no rates are given set it back to the defaults */
5186 	if (!attrs[attr])
5187 		goto out;
5188 
5189 	/* The nested attribute uses enum nl80211_band as the index. This maps
5190 	 * directly to the enum nl80211_band values used in cfg80211.
5191 	 */
5192 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5193 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5194 		enum nl80211_band band = nla_type(tx_rates);
5195 		int err;
5196 
5197 		if (band < 0 || band >= NUM_NL80211_BANDS)
5198 			return -EINVAL;
5199 		sband = rdev->wiphy.bands[band];
5200 		if (sband == NULL)
5201 			return -EINVAL;
5202 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5203 						  tx_rates,
5204 						  nl80211_txattr_policy,
5205 						  info->extack);
5206 		if (err)
5207 			return err;
5208 		if (tb[NL80211_TXRATE_LEGACY]) {
5209 			mask->control[band].legacy = rateset_to_mask(
5210 				sband,
5211 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5212 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5213 			if ((mask->control[band].legacy == 0) &&
5214 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5215 				return -EINVAL;
5216 		}
5217 		if (tb[NL80211_TXRATE_HT]) {
5218 			if (!ht_rateset_to_mask(
5219 					sband,
5220 					nla_data(tb[NL80211_TXRATE_HT]),
5221 					nla_len(tb[NL80211_TXRATE_HT]),
5222 					mask->control[band].ht_mcs))
5223 				return -EINVAL;
5224 		}
5225 
5226 		if (tb[NL80211_TXRATE_VHT]) {
5227 			if (!vht_set_mcs_mask(
5228 					sband,
5229 					nla_data(tb[NL80211_TXRATE_VHT]),
5230 					mask->control[band].vht_mcs))
5231 				return -EINVAL;
5232 		}
5233 
5234 		if (tb[NL80211_TXRATE_GI]) {
5235 			mask->control[band].gi =
5236 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5237 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5238 				return -EINVAL;
5239 		}
5240 		if (tb[NL80211_TXRATE_HE] &&
5241 		    !he_set_mcs_mask(info, wdev, sband,
5242 				     nla_data(tb[NL80211_TXRATE_HE]),
5243 				     mask->control[band].he_mcs,
5244 				     link_id))
5245 			return -EINVAL;
5246 
5247 		if (tb[NL80211_TXRATE_HE_GI])
5248 			mask->control[band].he_gi =
5249 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5250 		if (tb[NL80211_TXRATE_HE_LTF])
5251 			mask->control[band].he_ltf =
5252 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5253 
5254 		if (mask->control[band].legacy == 0) {
5255 			/* don't allow empty legacy rates if HT, VHT or HE
5256 			 * are not even supported.
5257 			 */
5258 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5259 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5260 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5261 				return -EINVAL;
5262 
5263 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5264 				if (mask->control[band].ht_mcs[i])
5265 					goto out;
5266 
5267 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5268 				if (mask->control[band].vht_mcs[i])
5269 					goto out;
5270 
5271 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5272 				if (mask->control[band].he_mcs[i])
5273 					goto out;
5274 
5275 			/* legacy and mcs rates may not be both empty */
5276 			return -EINVAL;
5277 		}
5278 	}
5279 
5280 out:
5281 	return 0;
5282 }
5283 
5284 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5285 				   enum nl80211_band band,
5286 				   struct cfg80211_bitrate_mask *beacon_rate)
5287 {
5288 	u32 count_ht, count_vht, count_he, i;
5289 	u32 rate = beacon_rate->control[band].legacy;
5290 
5291 	/* Allow only one rate */
5292 	if (hweight32(rate) > 1)
5293 		return -EINVAL;
5294 
5295 	count_ht = 0;
5296 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5297 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5298 			return -EINVAL;
5299 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5300 			count_ht++;
5301 			if (count_ht > 1)
5302 				return -EINVAL;
5303 		}
5304 		if (count_ht && rate)
5305 			return -EINVAL;
5306 	}
5307 
5308 	count_vht = 0;
5309 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5310 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5311 			return -EINVAL;
5312 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5313 			count_vht++;
5314 			if (count_vht > 1)
5315 				return -EINVAL;
5316 		}
5317 		if (count_vht && rate)
5318 			return -EINVAL;
5319 	}
5320 
5321 	count_he = 0;
5322 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5323 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5324 			return -EINVAL;
5325 		} else if (beacon_rate->control[band].he_mcs[i]) {
5326 			count_he++;
5327 			if (count_he > 1)
5328 				return -EINVAL;
5329 		}
5330 		if (count_he && rate)
5331 			return -EINVAL;
5332 	}
5333 
5334 	if ((count_ht && count_vht && count_he) ||
5335 	    (!rate && !count_ht && !count_vht && !count_he))
5336 		return -EINVAL;
5337 
5338 	if (rate &&
5339 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5340 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5341 		return -EINVAL;
5342 	if (count_ht &&
5343 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5344 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5345 		return -EINVAL;
5346 	if (count_vht &&
5347 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5348 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5349 		return -EINVAL;
5350 	if (count_he &&
5351 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5352 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5353 		return -EINVAL;
5354 
5355 	return 0;
5356 }
5357 
5358 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5359 				       struct net_device *dev,
5360 				       struct nlattr *attrs,
5361 				       struct cfg80211_mbssid_config *config,
5362 				       u8 num_elems)
5363 {
5364 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5365 
5366 	if (!wiphy->mbssid_max_interfaces)
5367 		return -EOPNOTSUPP;
5368 
5369 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5370 			     NULL) ||
5371 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5372 		return -EINVAL;
5373 
5374 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5375 	if (config->ema) {
5376 		if (!wiphy->ema_max_profile_periodicity)
5377 			return -EOPNOTSUPP;
5378 
5379 		if (num_elems > wiphy->ema_max_profile_periodicity)
5380 			return -EINVAL;
5381 	}
5382 
5383 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5384 	if (config->index >= wiphy->mbssid_max_interfaces ||
5385 	    (!config->index && !num_elems))
5386 		return -EINVAL;
5387 
5388 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5389 		u32 tx_ifindex =
5390 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5391 
5392 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5393 		    (config->index && tx_ifindex == dev->ifindex))
5394 			return -EINVAL;
5395 
5396 		if (tx_ifindex != dev->ifindex) {
5397 			struct net_device *tx_netdev =
5398 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5399 
5400 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5401 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5402 			    tx_netdev->ieee80211_ptr->iftype !=
5403 							NL80211_IFTYPE_AP) {
5404 				dev_put(tx_netdev);
5405 				return -EINVAL;
5406 			}
5407 
5408 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5409 		} else {
5410 			config->tx_wdev = dev->ieee80211_ptr;
5411 		}
5412 	} else if (!config->index) {
5413 		config->tx_wdev = dev->ieee80211_ptr;
5414 	} else {
5415 		return -EINVAL;
5416 	}
5417 
5418 	return 0;
5419 }
5420 
5421 static struct cfg80211_mbssid_elems *
5422 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5423 {
5424 	struct nlattr *nl_elems;
5425 	struct cfg80211_mbssid_elems *elems;
5426 	int rem_elems;
5427 	u8 i = 0, num_elems = 0;
5428 
5429 	if (!wiphy->mbssid_max_interfaces)
5430 		return ERR_PTR(-EINVAL);
5431 
5432 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5433 		num_elems++;
5434 
5435 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5436 	if (!elems)
5437 		return ERR_PTR(-ENOMEM);
5438 
5439 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5440 		elems->elem[i].data = nla_data(nl_elems);
5441 		elems->elem[i].len = nla_len(nl_elems);
5442 		i++;
5443 	}
5444 	elems->cnt = num_elems;
5445 	return elems;
5446 }
5447 
5448 static struct cfg80211_rnr_elems *
5449 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5450 			struct netlink_ext_ack *extack)
5451 {
5452 	struct nlattr *nl_elems;
5453 	struct cfg80211_rnr_elems *elems;
5454 	int rem_elems;
5455 	u8 i = 0, num_elems = 0;
5456 
5457 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5458 		int ret;
5459 
5460 		ret = validate_ie_attr(nl_elems, extack);
5461 		if (ret)
5462 			return ERR_PTR(ret);
5463 
5464 		num_elems++;
5465 	}
5466 
5467 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5468 	if (!elems)
5469 		return ERR_PTR(-ENOMEM);
5470 
5471 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5472 		elems->elem[i].data = nla_data(nl_elems);
5473 		elems->elem[i].len = nla_len(nl_elems);
5474 		i++;
5475 	}
5476 	elems->cnt = num_elems;
5477 	return elems;
5478 }
5479 
5480 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5481 				      struct cfg80211_he_bss_color *he_bss_color)
5482 {
5483 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5484 	int err;
5485 
5486 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5487 			       he_bss_color_policy, NULL);
5488 	if (err)
5489 		return err;
5490 
5491 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5492 		return -EINVAL;
5493 
5494 	he_bss_color->color =
5495 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5496 	he_bss_color->enabled =
5497 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5498 	he_bss_color->partial =
5499 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5500 
5501 	return 0;
5502 }
5503 
5504 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5505 				struct nlattr *attrs[],
5506 				struct cfg80211_beacon_data *bcn,
5507 				struct netlink_ext_ack *extack)
5508 {
5509 	bool haveinfo = false;
5510 	int err;
5511 
5512 	memset(bcn, 0, sizeof(*bcn));
5513 
5514 	bcn->link_id = nl80211_link_id(attrs);
5515 
5516 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5517 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5518 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5519 		if (!bcn->head_len)
5520 			return -EINVAL;
5521 		haveinfo = true;
5522 	}
5523 
5524 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5525 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5526 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5527 		haveinfo = true;
5528 	}
5529 
5530 	if (!haveinfo)
5531 		return -EINVAL;
5532 
5533 	if (attrs[NL80211_ATTR_IE]) {
5534 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5535 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5536 	}
5537 
5538 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5539 		bcn->proberesp_ies =
5540 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5541 		bcn->proberesp_ies_len =
5542 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5543 	}
5544 
5545 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5546 		bcn->assocresp_ies =
5547 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5548 		bcn->assocresp_ies_len =
5549 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5550 	}
5551 
5552 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5553 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5554 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5555 	}
5556 
5557 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5558 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5559 
5560 		err = nla_parse_nested_deprecated(tb,
5561 						  NL80211_FTM_RESP_ATTR_MAX,
5562 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5563 						  NULL, NULL);
5564 		if (err)
5565 			return err;
5566 
5567 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5568 		    wiphy_ext_feature_isset(&rdev->wiphy,
5569 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5570 			bcn->ftm_responder = 1;
5571 		else
5572 			return -EOPNOTSUPP;
5573 
5574 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5575 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5576 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5577 		}
5578 
5579 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5580 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5581 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5582 		}
5583 	} else {
5584 		bcn->ftm_responder = -1;
5585 	}
5586 
5587 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5588 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5589 						 &bcn->he_bss_color);
5590 		if (err)
5591 			return err;
5592 		bcn->he_bss_color_valid = true;
5593 	}
5594 
5595 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5596 		struct cfg80211_mbssid_elems *mbssid =
5597 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5598 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5599 
5600 		if (IS_ERR(mbssid))
5601 			return PTR_ERR(mbssid);
5602 
5603 		bcn->mbssid_ies = mbssid;
5604 
5605 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5606 			struct cfg80211_rnr_elems *rnr =
5607 				nl80211_parse_rnr_elems(&rdev->wiphy,
5608 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5609 							extack);
5610 
5611 			if (IS_ERR(rnr))
5612 				return PTR_ERR(rnr);
5613 
5614 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5615 				return -EINVAL;
5616 
5617 			bcn->rnr_ies = rnr;
5618 		}
5619 	}
5620 
5621 	return 0;
5622 }
5623 
5624 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5625 				    struct ieee80211_he_obss_pd *he_obss_pd)
5626 {
5627 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5628 	int err;
5629 
5630 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5631 			       he_obss_pd_policy, NULL);
5632 	if (err)
5633 		return err;
5634 
5635 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5636 		return -EINVAL;
5637 
5638 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5639 
5640 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5641 		he_obss_pd->min_offset =
5642 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5643 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5644 		he_obss_pd->max_offset =
5645 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5646 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5647 		he_obss_pd->non_srg_max_offset =
5648 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5649 
5650 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5651 		return -EINVAL;
5652 
5653 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5654 		memcpy(he_obss_pd->bss_color_bitmap,
5655 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5656 		       sizeof(he_obss_pd->bss_color_bitmap));
5657 
5658 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5659 		memcpy(he_obss_pd->partial_bssid_bitmap,
5660 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5661 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5662 
5663 	he_obss_pd->enable = true;
5664 
5665 	return 0;
5666 }
5667 
5668 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5669 					struct nlattr *attrs,
5670 					struct cfg80211_ap_settings *params)
5671 {
5672 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5673 	int ret;
5674 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5675 
5676 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5677 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5678 		return -EINVAL;
5679 
5680 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5681 			       NULL, NULL);
5682 	if (ret)
5683 		return ret;
5684 
5685 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5686 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5687 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5688 		return -EINVAL;
5689 
5690 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5691 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5692 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5693 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5694 
5695 	return 0;
5696 }
5697 
5698 static int
5699 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5700 				     struct nlattr *attrs,
5701 				     struct cfg80211_ap_settings *params)
5702 {
5703 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5704 	int ret;
5705 	struct cfg80211_unsol_bcast_probe_resp *presp =
5706 					&params->unsol_bcast_probe_resp;
5707 
5708 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5709 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5710 		return -EINVAL;
5711 
5712 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5713 			       attrs, NULL, NULL);
5714 	if (ret)
5715 		return ret;
5716 
5717 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5718 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5719 		return -EINVAL;
5720 
5721 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5722 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5723 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5724 	return 0;
5725 }
5726 
5727 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5728 					    const struct element *rates)
5729 {
5730 	int i;
5731 
5732 	if (!rates)
5733 		return;
5734 
5735 	for (i = 0; i < rates->datalen; i++) {
5736 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5737 			params->ht_required = true;
5738 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5739 			params->vht_required = true;
5740 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5741 			params->he_required = true;
5742 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5743 			params->sae_h2e_required = true;
5744 	}
5745 }
5746 
5747 /*
5748  * Since the nl80211 API didn't include, from the beginning, attributes about
5749  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5750  * benefit of drivers that rebuild IEs in the firmware.
5751  */
5752 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5753 {
5754 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5755 	size_t ies_len = bcn->tail_len;
5756 	const u8 *ies = bcn->tail;
5757 	const struct element *rates;
5758 	const struct element *cap;
5759 
5760 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5761 	nl80211_check_ap_rate_selectors(params, rates);
5762 
5763 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5764 	nl80211_check_ap_rate_selectors(params, rates);
5765 
5766 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5767 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5768 		params->ht_cap = (void *)cap->data;
5769 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5770 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5771 		params->vht_cap = (void *)cap->data;
5772 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5773 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5774 		params->he_cap = (void *)(cap->data + 1);
5775 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5776 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5777 		params->he_oper = (void *)(cap->data + 1);
5778 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5779 	if (cap) {
5780 		if (!cap->datalen)
5781 			return -EINVAL;
5782 		params->eht_cap = (void *)(cap->data + 1);
5783 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5784 						(const u8 *)params->eht_cap,
5785 						cap->datalen - 1, true))
5786 			return -EINVAL;
5787 	}
5788 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5789 	if (cap) {
5790 		if (!cap->datalen)
5791 			return -EINVAL;
5792 		params->eht_oper = (void *)(cap->data + 1);
5793 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5794 						cap->datalen - 1))
5795 			return -EINVAL;
5796 	}
5797 	return 0;
5798 }
5799 
5800 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5801 				   struct cfg80211_ap_settings *params)
5802 {
5803 	struct wireless_dev *wdev;
5804 
5805 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5806 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5807 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5808 			continue;
5809 
5810 		if (!wdev->u.ap.preset_chandef.chan)
5811 			continue;
5812 
5813 		params->chandef = wdev->u.ap.preset_chandef;
5814 		return true;
5815 	}
5816 
5817 	return false;
5818 }
5819 
5820 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5821 				    enum nl80211_auth_type auth_type,
5822 				    enum nl80211_commands cmd)
5823 {
5824 	if (auth_type > NL80211_AUTHTYPE_MAX)
5825 		return false;
5826 
5827 	switch (cmd) {
5828 	case NL80211_CMD_AUTHENTICATE:
5829 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5830 		    auth_type == NL80211_AUTHTYPE_SAE)
5831 			return false;
5832 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5833 					     NL80211_EXT_FEATURE_FILS_STA) &&
5834 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5835 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5836 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5837 			return false;
5838 		return true;
5839 	case NL80211_CMD_CONNECT:
5840 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5841 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5842 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5843 		    auth_type == NL80211_AUTHTYPE_SAE)
5844 			return false;
5845 
5846 		/* FILS with SK PFS or PK not supported yet */
5847 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5848 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5849 			return false;
5850 		if (!wiphy_ext_feature_isset(
5851 			    &rdev->wiphy,
5852 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5853 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5854 			return false;
5855 		return true;
5856 	case NL80211_CMD_START_AP:
5857 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5858 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5859 		    auth_type == NL80211_AUTHTYPE_SAE)
5860 			return false;
5861 		/* FILS not supported yet */
5862 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5863 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5864 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5865 			return false;
5866 		return true;
5867 	default:
5868 		return false;
5869 	}
5870 }
5871 
5872 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5873 				    unsigned int link_id)
5874 {
5875 	struct wiphy *wiphy = wdev->wiphy;
5876 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5877 	struct sk_buff *msg;
5878 	void *hdr;
5879 
5880 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5881 	if (!msg)
5882 		return;
5883 
5884 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5885 	if (!hdr)
5886 		goto out;
5887 
5888 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5889 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5890 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5891 			      NL80211_ATTR_PAD) ||
5892 	    (wdev->u.ap.ssid_len &&
5893 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5894 		     wdev->u.ap.ssid)) ||
5895 	    (wdev->valid_links &&
5896 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5897 		goto out;
5898 
5899 	genlmsg_end(msg, hdr);
5900 
5901 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5902 				NL80211_MCGRP_MLME, GFP_KERNEL);
5903 	return;
5904 out:
5905 	nlmsg_free(msg);
5906 }
5907 
5908 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5909 {
5910 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5911 	unsigned int link_id = nl80211_link_id(info->attrs);
5912 	struct net_device *dev = info->user_ptr[1];
5913 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5914 	struct cfg80211_ap_settings *params;
5915 	int err;
5916 
5917 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5918 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5919 		return -EOPNOTSUPP;
5920 
5921 	if (!rdev->ops->start_ap)
5922 		return -EOPNOTSUPP;
5923 
5924 	if (wdev->links[link_id].ap.beacon_interval)
5925 		return -EALREADY;
5926 
5927 	/* these are required for START_AP */
5928 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5929 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5930 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5931 		return -EINVAL;
5932 
5933 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5934 	if (!params)
5935 		return -ENOMEM;
5936 
5937 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5938 				   info->extack);
5939 	if (err)
5940 		goto out;
5941 
5942 	params->beacon_interval =
5943 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5944 	params->dtim_period =
5945 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5946 
5947 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5948 					   params->beacon_interval);
5949 	if (err)
5950 		goto out;
5951 
5952 	/*
5953 	 * In theory, some of these attributes should be required here
5954 	 * but since they were not used when the command was originally
5955 	 * added, keep them optional for old user space programs to let
5956 	 * them continue to work with drivers that do not need the
5957 	 * additional information -- drivers must check!
5958 	 */
5959 	if (info->attrs[NL80211_ATTR_SSID]) {
5960 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5961 		params->ssid_len =
5962 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5963 		if (params->ssid_len == 0) {
5964 			err = -EINVAL;
5965 			goto out;
5966 		}
5967 
5968 		if (wdev->u.ap.ssid_len &&
5969 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5970 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5971 			/* require identical SSID for MLO */
5972 			err = -EINVAL;
5973 			goto out;
5974 		}
5975 	} else if (wdev->valid_links) {
5976 		/* require SSID for MLO */
5977 		err = -EINVAL;
5978 		goto out;
5979 	}
5980 
5981 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5982 		params->hidden_ssid = nla_get_u32(
5983 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5984 
5985 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5986 
5987 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5988 		params->auth_type = nla_get_u32(
5989 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5990 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5991 					     NL80211_CMD_START_AP)) {
5992 			err = -EINVAL;
5993 			goto out;
5994 		}
5995 	} else
5996 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5997 
5998 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
5999 				      NL80211_MAX_NR_CIPHER_SUITES);
6000 	if (err)
6001 		goto out;
6002 
6003 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6004 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6005 			err = -EOPNOTSUPP;
6006 			goto out;
6007 		}
6008 		params->inactivity_timeout = nla_get_u16(
6009 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6010 	}
6011 
6012 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6013 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6014 			err = -EINVAL;
6015 			goto out;
6016 		}
6017 		params->p2p_ctwindow =
6018 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6019 		if (params->p2p_ctwindow != 0 &&
6020 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6021 			err = -EINVAL;
6022 			goto out;
6023 		}
6024 	}
6025 
6026 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6027 		u8 tmp;
6028 
6029 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6030 			err = -EINVAL;
6031 			goto out;
6032 		}
6033 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6034 		params->p2p_opp_ps = tmp;
6035 		if (params->p2p_opp_ps != 0 &&
6036 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6037 			err = -EINVAL;
6038 			goto out;
6039 		}
6040 	}
6041 
6042 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6043 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6044 		if (err)
6045 			goto out;
6046 	} else if (wdev->valid_links) {
6047 		/* with MLD need to specify the channel configuration */
6048 		err = -EINVAL;
6049 		goto out;
6050 	} else if (wdev->u.ap.preset_chandef.chan) {
6051 		params->chandef = wdev->u.ap.preset_chandef;
6052 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6053 		err = -EINVAL;
6054 		goto out;
6055 	}
6056 
6057 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
6058 		err = nl80211_parse_punct_bitmap(rdev, info,
6059 						 &params->chandef,
6060 						 &params->punct_bitmap);
6061 		if (err)
6062 			goto out;
6063 	}
6064 
6065 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
6066 					   wdev->iftype)) {
6067 		err = -EINVAL;
6068 		goto out;
6069 	}
6070 
6071 	wdev_lock(wdev);
6072 
6073 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6074 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6075 						    NL80211_ATTR_TX_RATES,
6076 						    &params->beacon_rate,
6077 						    dev, false, link_id);
6078 		if (err)
6079 			goto out_unlock;
6080 
6081 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6082 					      &params->beacon_rate);
6083 		if (err)
6084 			goto out_unlock;
6085 	}
6086 
6087 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6088 		params->smps_mode =
6089 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6090 		switch (params->smps_mode) {
6091 		case NL80211_SMPS_OFF:
6092 			break;
6093 		case NL80211_SMPS_STATIC:
6094 			if (!(rdev->wiphy.features &
6095 			      NL80211_FEATURE_STATIC_SMPS)) {
6096 				err = -EINVAL;
6097 				goto out_unlock;
6098 			}
6099 			break;
6100 		case NL80211_SMPS_DYNAMIC:
6101 			if (!(rdev->wiphy.features &
6102 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6103 				err = -EINVAL;
6104 				goto out_unlock;
6105 			}
6106 			break;
6107 		default:
6108 			err = -EINVAL;
6109 			goto out_unlock;
6110 		}
6111 	} else {
6112 		params->smps_mode = NL80211_SMPS_OFF;
6113 	}
6114 
6115 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6116 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6117 		err = -EOPNOTSUPP;
6118 		goto out_unlock;
6119 	}
6120 
6121 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6122 		params->acl = parse_acl_data(&rdev->wiphy, info);
6123 		if (IS_ERR(params->acl)) {
6124 			err = PTR_ERR(params->acl);
6125 			params->acl = NULL;
6126 			goto out_unlock;
6127 		}
6128 	}
6129 
6130 	params->twt_responder =
6131 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6132 
6133 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6134 		err = nl80211_parse_he_obss_pd(
6135 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6136 					&params->he_obss_pd);
6137 		if (err)
6138 			goto out_unlock;
6139 	}
6140 
6141 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6142 		err = nl80211_parse_fils_discovery(rdev,
6143 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6144 						   params);
6145 		if (err)
6146 			goto out_unlock;
6147 	}
6148 
6149 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6150 		err = nl80211_parse_unsol_bcast_probe_resp(
6151 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6152 			params);
6153 		if (err)
6154 			goto out_unlock;
6155 	}
6156 
6157 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6158 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6159 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6160 						  &params->mbssid_config,
6161 						  params->beacon.mbssid_ies ?
6162 							params->beacon.mbssid_ies->cnt :
6163 							0);
6164 		if (err)
6165 			goto out_unlock;
6166 	}
6167 
6168 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6169 		err = -EINVAL;
6170 		goto out_unlock;
6171 	}
6172 
6173 	err = nl80211_calculate_ap_params(params);
6174 	if (err)
6175 		goto out_unlock;
6176 
6177 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6178 		params->flags = nla_get_u32(
6179 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6180 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6181 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6182 
6183 	if (wdev->conn_owner_nlportid &&
6184 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6185 	    wdev->conn_owner_nlportid != info->snd_portid) {
6186 		err = -EINVAL;
6187 		goto out_unlock;
6188 	}
6189 
6190 	/* FIXME: validate MLO/link-id against driver capabilities */
6191 
6192 	err = rdev_start_ap(rdev, dev, params);
6193 	if (!err) {
6194 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6195 		wdev->links[link_id].ap.chandef = params->chandef;
6196 		wdev->u.ap.ssid_len = params->ssid_len;
6197 		memcpy(wdev->u.ap.ssid, params->ssid,
6198 		       params->ssid_len);
6199 
6200 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6201 			wdev->conn_owner_nlportid = info->snd_portid;
6202 
6203 		nl80211_send_ap_started(wdev, link_id);
6204 	}
6205 out_unlock:
6206 	wdev_unlock(wdev);
6207 out:
6208 	kfree(params->acl);
6209 	kfree(params->beacon.mbssid_ies);
6210 	if (params->mbssid_config.tx_wdev &&
6211 	    params->mbssid_config.tx_wdev->netdev &&
6212 	    params->mbssid_config.tx_wdev->netdev != dev)
6213 		dev_put(params->mbssid_config.tx_wdev->netdev);
6214 	kfree(params->beacon.rnr_ies);
6215 	kfree(params);
6216 
6217 	return err;
6218 }
6219 
6220 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6221 {
6222 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6223 	unsigned int link_id = nl80211_link_id(info->attrs);
6224 	struct net_device *dev = info->user_ptr[1];
6225 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6226 	struct cfg80211_beacon_data params;
6227 	int err;
6228 
6229 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6230 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6231 		return -EOPNOTSUPP;
6232 
6233 	if (!rdev->ops->change_beacon)
6234 		return -EOPNOTSUPP;
6235 
6236 	if (!wdev->links[link_id].ap.beacon_interval)
6237 		return -EINVAL;
6238 
6239 	err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
6240 	if (err)
6241 		goto out;
6242 
6243 	wdev_lock(wdev);
6244 	err = rdev_change_beacon(rdev, dev, &params);
6245 	wdev_unlock(wdev);
6246 
6247 out:
6248 	kfree(params.mbssid_ies);
6249 	kfree(params.rnr_ies);
6250 	return err;
6251 }
6252 
6253 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6254 {
6255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6256 	unsigned int link_id = nl80211_link_id(info->attrs);
6257 	struct net_device *dev = info->user_ptr[1];
6258 
6259 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6260 }
6261 
6262 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6263 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6264 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6265 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6266 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6267 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6268 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6269 };
6270 
6271 static int parse_station_flags(struct genl_info *info,
6272 			       enum nl80211_iftype iftype,
6273 			       struct station_parameters *params)
6274 {
6275 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6276 	struct nlattr *nla;
6277 	int flag;
6278 
6279 	/*
6280 	 * Try parsing the new attribute first so userspace
6281 	 * can specify both for older kernels.
6282 	 */
6283 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6284 	if (nla) {
6285 		struct nl80211_sta_flag_update *sta_flags;
6286 
6287 		sta_flags = nla_data(nla);
6288 		params->sta_flags_mask = sta_flags->mask;
6289 		params->sta_flags_set = sta_flags->set;
6290 		params->sta_flags_set &= params->sta_flags_mask;
6291 		if ((params->sta_flags_mask |
6292 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6293 			return -EINVAL;
6294 		return 0;
6295 	}
6296 
6297 	/* if present, parse the old attribute */
6298 
6299 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6300 	if (!nla)
6301 		return 0;
6302 
6303 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6304 		return -EINVAL;
6305 
6306 	/*
6307 	 * Only allow certain flags for interface types so that
6308 	 * other attributes are silently ignored. Remember that
6309 	 * this is backward compatibility code with old userspace
6310 	 * and shouldn't be hit in other cases anyway.
6311 	 */
6312 	switch (iftype) {
6313 	case NL80211_IFTYPE_AP:
6314 	case NL80211_IFTYPE_AP_VLAN:
6315 	case NL80211_IFTYPE_P2P_GO:
6316 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6317 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6318 					 BIT(NL80211_STA_FLAG_WME) |
6319 					 BIT(NL80211_STA_FLAG_MFP);
6320 		break;
6321 	case NL80211_IFTYPE_P2P_CLIENT:
6322 	case NL80211_IFTYPE_STATION:
6323 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6324 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6325 		break;
6326 	case NL80211_IFTYPE_MESH_POINT:
6327 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6328 					 BIT(NL80211_STA_FLAG_MFP) |
6329 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6330 		break;
6331 	default:
6332 		return -EINVAL;
6333 	}
6334 
6335 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6336 		if (flags[flag]) {
6337 			params->sta_flags_set |= (1<<flag);
6338 
6339 			/* no longer support new API additions in old API */
6340 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6341 				return -EINVAL;
6342 		}
6343 	}
6344 
6345 	return 0;
6346 }
6347 
6348 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6349 {
6350 	struct nlattr *rate;
6351 	u32 bitrate;
6352 	u16 bitrate_compat;
6353 	enum nl80211_rate_info rate_flg;
6354 
6355 	rate = nla_nest_start_noflag(msg, attr);
6356 	if (!rate)
6357 		return false;
6358 
6359 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6360 	bitrate = cfg80211_calculate_bitrate(info);
6361 	/* report 16-bit bitrate only if we can */
6362 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6363 	if (bitrate > 0 &&
6364 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6365 		return false;
6366 	if (bitrate_compat > 0 &&
6367 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6368 		return false;
6369 
6370 	switch (info->bw) {
6371 	case RATE_INFO_BW_1:
6372 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6373 		break;
6374 	case RATE_INFO_BW_2:
6375 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6376 		break;
6377 	case RATE_INFO_BW_4:
6378 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6379 		break;
6380 	case RATE_INFO_BW_5:
6381 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6382 		break;
6383 	case RATE_INFO_BW_8:
6384 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6385 		break;
6386 	case RATE_INFO_BW_10:
6387 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6388 		break;
6389 	case RATE_INFO_BW_16:
6390 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6391 		break;
6392 	default:
6393 		WARN_ON(1);
6394 		fallthrough;
6395 	case RATE_INFO_BW_20:
6396 		rate_flg = 0;
6397 		break;
6398 	case RATE_INFO_BW_40:
6399 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6400 		break;
6401 	case RATE_INFO_BW_80:
6402 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6403 		break;
6404 	case RATE_INFO_BW_160:
6405 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6406 		break;
6407 	case RATE_INFO_BW_HE_RU:
6408 		rate_flg = 0;
6409 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6410 		break;
6411 	case RATE_INFO_BW_320:
6412 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6413 		break;
6414 	case RATE_INFO_BW_EHT_RU:
6415 		rate_flg = 0;
6416 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6417 		break;
6418 	}
6419 
6420 	if (rate_flg && nla_put_flag(msg, rate_flg))
6421 		return false;
6422 
6423 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6424 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6425 			return false;
6426 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6427 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6428 			return false;
6429 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6430 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6431 			return false;
6432 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6433 			return false;
6434 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6435 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6436 			return false;
6437 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6438 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6439 			return false;
6440 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6441 			return false;
6442 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6443 			return false;
6444 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6445 			return false;
6446 		if (info->bw == RATE_INFO_BW_HE_RU &&
6447 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6448 			       info->he_ru_alloc))
6449 			return false;
6450 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6451 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6452 			return false;
6453 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6454 			return false;
6455 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6456 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6457 			return false;
6458 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6459 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6460 			return false;
6461 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6462 			return false;
6463 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6464 			return false;
6465 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6466 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6467 			       info->eht_ru_alloc))
6468 			return false;
6469 	}
6470 
6471 	nla_nest_end(msg, rate);
6472 	return true;
6473 }
6474 
6475 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6476 			       int id)
6477 {
6478 	void *attr;
6479 	int i = 0;
6480 
6481 	if (!mask)
6482 		return true;
6483 
6484 	attr = nla_nest_start_noflag(msg, id);
6485 	if (!attr)
6486 		return false;
6487 
6488 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6489 		if (!(mask & BIT(i)))
6490 			continue;
6491 
6492 		if (nla_put_u8(msg, i, signal[i]))
6493 			return false;
6494 	}
6495 
6496 	nla_nest_end(msg, attr);
6497 
6498 	return true;
6499 }
6500 
6501 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6502 				u32 seq, int flags,
6503 				struct cfg80211_registered_device *rdev,
6504 				struct net_device *dev,
6505 				const u8 *mac_addr, struct station_info *sinfo)
6506 {
6507 	void *hdr;
6508 	struct nlattr *sinfoattr, *bss_param;
6509 
6510 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6511 	if (!hdr) {
6512 		cfg80211_sinfo_release_content(sinfo);
6513 		return -1;
6514 	}
6515 
6516 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6517 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6518 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6519 		goto nla_put_failure;
6520 
6521 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6522 	if (!sinfoattr)
6523 		goto nla_put_failure;
6524 
6525 #define PUT_SINFO(attr, memb, type) do {				\
6526 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6527 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6528 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6529 			     sinfo->memb))				\
6530 		goto nla_put_failure;					\
6531 	} while (0)
6532 #define PUT_SINFO_U64(attr, memb) do {					\
6533 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6534 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6535 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6536 		goto nla_put_failure;					\
6537 	} while (0)
6538 
6539 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6540 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6541 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6542 
6543 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6544 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6545 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6546 			(u32)sinfo->rx_bytes))
6547 		goto nla_put_failure;
6548 
6549 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6550 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6551 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6552 			(u32)sinfo->tx_bytes))
6553 		goto nla_put_failure;
6554 
6555 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6556 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6557 	PUT_SINFO(LLID, llid, u16);
6558 	PUT_SINFO(PLID, plid, u16);
6559 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6560 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6561 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6562 
6563 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6564 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6565 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6566 
6567 	switch (rdev->wiphy.signal_type) {
6568 	case CFG80211_SIGNAL_TYPE_MBM:
6569 		PUT_SINFO(SIGNAL, signal, u8);
6570 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6571 		break;
6572 	default:
6573 		break;
6574 	}
6575 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6576 		if (!nl80211_put_signal(msg, sinfo->chains,
6577 					sinfo->chain_signal,
6578 					NL80211_STA_INFO_CHAIN_SIGNAL))
6579 			goto nla_put_failure;
6580 	}
6581 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6582 		if (!nl80211_put_signal(msg, sinfo->chains,
6583 					sinfo->chain_signal_avg,
6584 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6585 			goto nla_put_failure;
6586 	}
6587 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6588 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6589 					  NL80211_STA_INFO_TX_BITRATE))
6590 			goto nla_put_failure;
6591 	}
6592 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6593 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6594 					  NL80211_STA_INFO_RX_BITRATE))
6595 			goto nla_put_failure;
6596 	}
6597 
6598 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6599 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6600 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6601 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6602 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6603 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6604 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6605 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6606 	PUT_SINFO(PEER_PM, peer_pm, u32);
6607 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6608 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6609 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6610 
6611 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6612 		bss_param = nla_nest_start_noflag(msg,
6613 						  NL80211_STA_INFO_BSS_PARAM);
6614 		if (!bss_param)
6615 			goto nla_put_failure;
6616 
6617 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6618 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6619 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6620 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6621 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6622 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6623 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6624 			       sinfo->bss_param.dtim_period) ||
6625 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6626 				sinfo->bss_param.beacon_interval))
6627 			goto nla_put_failure;
6628 
6629 		nla_nest_end(msg, bss_param);
6630 	}
6631 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6632 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6633 		    sizeof(struct nl80211_sta_flag_update),
6634 		    &sinfo->sta_flags))
6635 		goto nla_put_failure;
6636 
6637 	PUT_SINFO_U64(T_OFFSET, t_offset);
6638 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6639 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6640 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6641 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6642 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6643 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6644 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6645 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6646 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6647 	}
6648 
6649 #undef PUT_SINFO
6650 #undef PUT_SINFO_U64
6651 
6652 	if (sinfo->pertid) {
6653 		struct nlattr *tidsattr;
6654 		int tid;
6655 
6656 		tidsattr = nla_nest_start_noflag(msg,
6657 						 NL80211_STA_INFO_TID_STATS);
6658 		if (!tidsattr)
6659 			goto nla_put_failure;
6660 
6661 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6662 			struct cfg80211_tid_stats *tidstats;
6663 			struct nlattr *tidattr;
6664 
6665 			tidstats = &sinfo->pertid[tid];
6666 
6667 			if (!tidstats->filled)
6668 				continue;
6669 
6670 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6671 			if (!tidattr)
6672 				goto nla_put_failure;
6673 
6674 #define PUT_TIDVAL_U64(attr, memb) do {					\
6675 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6676 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6677 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6678 		goto nla_put_failure;					\
6679 	} while (0)
6680 
6681 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6682 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6683 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6684 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6685 
6686 #undef PUT_TIDVAL_U64
6687 			if ((tidstats->filled &
6688 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6689 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6690 						   NL80211_TID_STATS_TXQ_STATS))
6691 				goto nla_put_failure;
6692 
6693 			nla_nest_end(msg, tidattr);
6694 		}
6695 
6696 		nla_nest_end(msg, tidsattr);
6697 	}
6698 
6699 	nla_nest_end(msg, sinfoattr);
6700 
6701 	if (sinfo->assoc_req_ies_len &&
6702 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6703 		    sinfo->assoc_req_ies))
6704 		goto nla_put_failure;
6705 
6706 	if (sinfo->assoc_resp_ies_len &&
6707 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6708 		    sinfo->assoc_resp_ies))
6709 		goto nla_put_failure;
6710 
6711 	if (sinfo->mlo_params_valid) {
6712 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6713 			       sinfo->assoc_link_id))
6714 			goto nla_put_failure;
6715 
6716 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6717 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6718 			    sinfo->mld_addr))
6719 			goto nla_put_failure;
6720 	}
6721 
6722 	cfg80211_sinfo_release_content(sinfo);
6723 	genlmsg_end(msg, hdr);
6724 	return 0;
6725 
6726  nla_put_failure:
6727 	cfg80211_sinfo_release_content(sinfo);
6728 	genlmsg_cancel(msg, hdr);
6729 	return -EMSGSIZE;
6730 }
6731 
6732 static int nl80211_dump_station(struct sk_buff *skb,
6733 				struct netlink_callback *cb)
6734 {
6735 	struct station_info sinfo;
6736 	struct cfg80211_registered_device *rdev;
6737 	struct wireless_dev *wdev;
6738 	u8 mac_addr[ETH_ALEN];
6739 	int sta_idx = cb->args[2];
6740 	int err;
6741 
6742 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6743 	if (err)
6744 		return err;
6745 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6746 	__acquire(&rdev->wiphy.mtx);
6747 
6748 	if (!wdev->netdev) {
6749 		err = -EINVAL;
6750 		goto out_err;
6751 	}
6752 
6753 	if (!rdev->ops->dump_station) {
6754 		err = -EOPNOTSUPP;
6755 		goto out_err;
6756 	}
6757 
6758 	while (1) {
6759 		memset(&sinfo, 0, sizeof(sinfo));
6760 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6761 					mac_addr, &sinfo);
6762 		if (err == -ENOENT)
6763 			break;
6764 		if (err)
6765 			goto out_err;
6766 
6767 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6768 				NETLINK_CB(cb->skb).portid,
6769 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6770 				rdev, wdev->netdev, mac_addr,
6771 				&sinfo) < 0)
6772 			goto out;
6773 
6774 		sta_idx++;
6775 	}
6776 
6777  out:
6778 	cb->args[2] = sta_idx;
6779 	err = skb->len;
6780  out_err:
6781 	wiphy_unlock(&rdev->wiphy);
6782 
6783 	return err;
6784 }
6785 
6786 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6787 {
6788 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6789 	struct net_device *dev = info->user_ptr[1];
6790 	struct station_info sinfo;
6791 	struct sk_buff *msg;
6792 	u8 *mac_addr = NULL;
6793 	int err;
6794 
6795 	memset(&sinfo, 0, sizeof(sinfo));
6796 
6797 	if (!info->attrs[NL80211_ATTR_MAC])
6798 		return -EINVAL;
6799 
6800 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6801 
6802 	if (!rdev->ops->get_station)
6803 		return -EOPNOTSUPP;
6804 
6805 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6806 	if (err)
6807 		return err;
6808 
6809 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6810 	if (!msg) {
6811 		cfg80211_sinfo_release_content(&sinfo);
6812 		return -ENOMEM;
6813 	}
6814 
6815 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6816 				 info->snd_portid, info->snd_seq, 0,
6817 				 rdev, dev, mac_addr, &sinfo) < 0) {
6818 		nlmsg_free(msg);
6819 		return -ENOBUFS;
6820 	}
6821 
6822 	return genlmsg_reply(msg, info);
6823 }
6824 
6825 int cfg80211_check_station_change(struct wiphy *wiphy,
6826 				  struct station_parameters *params,
6827 				  enum cfg80211_station_type statype)
6828 {
6829 	if (params->listen_interval != -1 &&
6830 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6831 		return -EINVAL;
6832 
6833 	if (params->support_p2p_ps != -1 &&
6834 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6835 		return -EINVAL;
6836 
6837 	if (params->aid &&
6838 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6839 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6840 		return -EINVAL;
6841 
6842 	/* When you run into this, adjust the code below for the new flag */
6843 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6844 
6845 	switch (statype) {
6846 	case CFG80211_STA_MESH_PEER_KERNEL:
6847 	case CFG80211_STA_MESH_PEER_USER:
6848 		/*
6849 		 * No ignoring the TDLS flag here -- the userspace mesh
6850 		 * code doesn't have the bug of including TDLS in the
6851 		 * mask everywhere.
6852 		 */
6853 		if (params->sta_flags_mask &
6854 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6855 				  BIT(NL80211_STA_FLAG_MFP) |
6856 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6857 			return -EINVAL;
6858 		break;
6859 	case CFG80211_STA_TDLS_PEER_SETUP:
6860 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6861 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6862 			return -EINVAL;
6863 		/* ignore since it can't change */
6864 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6865 		break;
6866 	default:
6867 		/* disallow mesh-specific things */
6868 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6869 			return -EINVAL;
6870 		if (params->local_pm)
6871 			return -EINVAL;
6872 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6873 			return -EINVAL;
6874 	}
6875 
6876 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6877 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6878 		/* TDLS can't be set, ... */
6879 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6880 			return -EINVAL;
6881 		/*
6882 		 * ... but don't bother the driver with it. This works around
6883 		 * a hostapd/wpa_supplicant issue -- it always includes the
6884 		 * TLDS_PEER flag in the mask even for AP mode.
6885 		 */
6886 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6887 	}
6888 
6889 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6890 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6891 		/* reject other things that can't change */
6892 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6893 			return -EINVAL;
6894 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6895 			return -EINVAL;
6896 		if (params->link_sta_params.supported_rates)
6897 			return -EINVAL;
6898 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6899 		    params->link_sta_params.vht_capa ||
6900 		    params->link_sta_params.he_capa ||
6901 		    params->link_sta_params.eht_capa)
6902 			return -EINVAL;
6903 	}
6904 
6905 	if (statype != CFG80211_STA_AP_CLIENT &&
6906 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6907 		if (params->vlan)
6908 			return -EINVAL;
6909 	}
6910 
6911 	switch (statype) {
6912 	case CFG80211_STA_AP_MLME_CLIENT:
6913 		/* Use this only for authorizing/unauthorizing a station */
6914 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6915 			return -EOPNOTSUPP;
6916 		break;
6917 	case CFG80211_STA_AP_CLIENT:
6918 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6919 		/* accept only the listed bits */
6920 		if (params->sta_flags_mask &
6921 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6922 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6923 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6924 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6925 				  BIT(NL80211_STA_FLAG_WME) |
6926 				  BIT(NL80211_STA_FLAG_MFP)))
6927 			return -EINVAL;
6928 
6929 		/* but authenticated/associated only if driver handles it */
6930 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6931 		    params->sta_flags_mask &
6932 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6933 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6934 			return -EINVAL;
6935 		break;
6936 	case CFG80211_STA_IBSS:
6937 	case CFG80211_STA_AP_STA:
6938 		/* reject any changes other than AUTHORIZED */
6939 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6940 			return -EINVAL;
6941 		break;
6942 	case CFG80211_STA_TDLS_PEER_SETUP:
6943 		/* reject any changes other than AUTHORIZED or WME */
6944 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6945 					       BIT(NL80211_STA_FLAG_WME)))
6946 			return -EINVAL;
6947 		/* force (at least) rates when authorizing */
6948 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6949 		    !params->link_sta_params.supported_rates)
6950 			return -EINVAL;
6951 		break;
6952 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6953 		/* reject any changes */
6954 		return -EINVAL;
6955 	case CFG80211_STA_MESH_PEER_KERNEL:
6956 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6957 			return -EINVAL;
6958 		break;
6959 	case CFG80211_STA_MESH_PEER_USER:
6960 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6961 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6962 			return -EINVAL;
6963 		break;
6964 	}
6965 
6966 	/*
6967 	 * Older kernel versions ignored this attribute entirely, so don't
6968 	 * reject attempts to update it but mark it as unused instead so the
6969 	 * driver won't look at the data.
6970 	 */
6971 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6972 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6973 		params->link_sta_params.opmode_notif_used = false;
6974 
6975 	return 0;
6976 }
6977 EXPORT_SYMBOL(cfg80211_check_station_change);
6978 
6979 /*
6980  * Get vlan interface making sure it is running and on the right wiphy.
6981  */
6982 static struct net_device *get_vlan(struct genl_info *info,
6983 				   struct cfg80211_registered_device *rdev)
6984 {
6985 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6986 	struct net_device *v;
6987 	int ret;
6988 
6989 	if (!vlanattr)
6990 		return NULL;
6991 
6992 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6993 	if (!v)
6994 		return ERR_PTR(-ENODEV);
6995 
6996 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6997 		ret = -EINVAL;
6998 		goto error;
6999 	}
7000 
7001 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7002 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7003 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7004 		ret = -EINVAL;
7005 		goto error;
7006 	}
7007 
7008 	if (!netif_running(v)) {
7009 		ret = -ENETDOWN;
7010 		goto error;
7011 	}
7012 
7013 	return v;
7014  error:
7015 	dev_put(v);
7016 	return ERR_PTR(ret);
7017 }
7018 
7019 static int nl80211_parse_sta_wme(struct genl_info *info,
7020 				 struct station_parameters *params)
7021 {
7022 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7023 	struct nlattr *nla;
7024 	int err;
7025 
7026 	/* parse WME attributes if present */
7027 	if (!info->attrs[NL80211_ATTR_STA_WME])
7028 		return 0;
7029 
7030 	nla = info->attrs[NL80211_ATTR_STA_WME];
7031 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7032 					  nl80211_sta_wme_policy,
7033 					  info->extack);
7034 	if (err)
7035 		return err;
7036 
7037 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7038 		params->uapsd_queues = nla_get_u8(
7039 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7040 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7041 		return -EINVAL;
7042 
7043 	if (tb[NL80211_STA_WME_MAX_SP])
7044 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7045 
7046 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7047 		return -EINVAL;
7048 
7049 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7050 
7051 	return 0;
7052 }
7053 
7054 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7055 				      struct station_parameters *params)
7056 {
7057 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7058 		params->supported_channels =
7059 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7060 		params->supported_channels_len =
7061 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7062 		/*
7063 		 * Need to include at least one (first channel, number of
7064 		 * channels) tuple for each subband (checked in policy),
7065 		 * and must have proper tuples for the rest of the data as well.
7066 		 */
7067 		if (params->supported_channels_len % 2)
7068 			return -EINVAL;
7069 	}
7070 
7071 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7072 		params->supported_oper_classes =
7073 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7074 		params->supported_oper_classes_len =
7075 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7076 	}
7077 	return 0;
7078 }
7079 
7080 static int nl80211_set_station_tdls(struct genl_info *info,
7081 				    struct station_parameters *params)
7082 {
7083 	int err;
7084 	/* Dummy STA entry gets updated once the peer capabilities are known */
7085 	if (info->attrs[NL80211_ATTR_PEER_AID])
7086 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7087 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7088 		params->link_sta_params.ht_capa =
7089 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7090 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7091 		params->link_sta_params.vht_capa =
7092 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7093 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7094 		params->link_sta_params.he_capa =
7095 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7096 		params->link_sta_params.he_capa_len =
7097 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7098 
7099 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7100 			params->link_sta_params.eht_capa =
7101 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7102 			params->link_sta_params.eht_capa_len =
7103 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7104 
7105 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7106 							(const u8 *)params->link_sta_params.eht_capa,
7107 							params->link_sta_params.eht_capa_len,
7108 							false))
7109 				return -EINVAL;
7110 		}
7111 	}
7112 
7113 	err = nl80211_parse_sta_channel_info(info, params);
7114 	if (err)
7115 		return err;
7116 
7117 	return nl80211_parse_sta_wme(info, params);
7118 }
7119 
7120 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7121 					     struct sta_txpwr *txpwr,
7122 					     bool *txpwr_set)
7123 {
7124 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7125 	int idx;
7126 
7127 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7128 		if (!rdev->ops->set_tx_power ||
7129 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7130 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7131 			return -EOPNOTSUPP;
7132 
7133 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7134 		txpwr->type = nla_get_u8(info->attrs[idx]);
7135 
7136 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7137 			idx = NL80211_ATTR_STA_TX_POWER;
7138 
7139 			if (info->attrs[idx])
7140 				txpwr->power = nla_get_s16(info->attrs[idx]);
7141 			else
7142 				return -EINVAL;
7143 		}
7144 
7145 		*txpwr_set = true;
7146 	} else {
7147 		*txpwr_set = false;
7148 	}
7149 
7150 	return 0;
7151 }
7152 
7153 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7154 {
7155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7156 	struct net_device *dev = info->user_ptr[1];
7157 	struct station_parameters params;
7158 	u8 *mac_addr;
7159 	int err;
7160 
7161 	memset(&params, 0, sizeof(params));
7162 
7163 	if (!rdev->ops->change_station)
7164 		return -EOPNOTSUPP;
7165 
7166 	/*
7167 	 * AID and listen_interval properties can be set only for unassociated
7168 	 * station. Include these parameters here and will check them in
7169 	 * cfg80211_check_station_change().
7170 	 */
7171 	if (info->attrs[NL80211_ATTR_STA_AID])
7172 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7173 
7174 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7175 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7176 
7177 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7178 		params.listen_interval =
7179 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7180 	else
7181 		params.listen_interval = -1;
7182 
7183 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7184 		params.support_p2p_ps =
7185 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7186 	else
7187 		params.support_p2p_ps = -1;
7188 
7189 	if (!info->attrs[NL80211_ATTR_MAC])
7190 		return -EINVAL;
7191 
7192 	params.link_sta_params.link_id =
7193 		nl80211_link_id_or_invalid(info->attrs);
7194 
7195 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7196 		/* If MLD_ADDR attribute is set then this is an MLD station
7197 		 * and the MLD_ADDR attribute holds the MLD address and the
7198 		 * MAC attribute holds for the LINK address.
7199 		 * In that case, the link_id is also expected to be valid.
7200 		 */
7201 		if (params.link_sta_params.link_id < 0)
7202 			return -EINVAL;
7203 
7204 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7205 		params.link_sta_params.mld_mac = mac_addr;
7206 		params.link_sta_params.link_mac =
7207 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7208 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7209 			return -EINVAL;
7210 	} else {
7211 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7212 	}
7213 
7214 
7215 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7216 		params.link_sta_params.supported_rates =
7217 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7218 		params.link_sta_params.supported_rates_len =
7219 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7220 	}
7221 
7222 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7223 		params.capability =
7224 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7225 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7226 	}
7227 
7228 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7229 		params.ext_capab =
7230 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7231 		params.ext_capab_len =
7232 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7233 	}
7234 
7235 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7236 		return -EINVAL;
7237 
7238 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7239 		params.plink_action =
7240 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7241 
7242 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7243 		params.plink_state =
7244 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7245 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7246 			params.peer_aid = nla_get_u16(
7247 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7248 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7249 	}
7250 
7251 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7252 		params.local_pm = nla_get_u32(
7253 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7254 
7255 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7256 		params.link_sta_params.opmode_notif_used = true;
7257 		params.link_sta_params.opmode_notif =
7258 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7259 	}
7260 
7261 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7262 		params.link_sta_params.he_6ghz_capa =
7263 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7264 
7265 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7266 		params.airtime_weight =
7267 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7268 
7269 	if (params.airtime_weight &&
7270 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7271 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7272 		return -EOPNOTSUPP;
7273 
7274 	err = nl80211_parse_sta_txpower_setting(info,
7275 						&params.link_sta_params.txpwr,
7276 						&params.link_sta_params.txpwr_set);
7277 	if (err)
7278 		return err;
7279 
7280 	/* Include parameters for TDLS peer (will check later) */
7281 	err = nl80211_set_station_tdls(info, &params);
7282 	if (err)
7283 		return err;
7284 
7285 	params.vlan = get_vlan(info, rdev);
7286 	if (IS_ERR(params.vlan))
7287 		return PTR_ERR(params.vlan);
7288 
7289 	switch (dev->ieee80211_ptr->iftype) {
7290 	case NL80211_IFTYPE_AP:
7291 	case NL80211_IFTYPE_AP_VLAN:
7292 	case NL80211_IFTYPE_P2P_GO:
7293 	case NL80211_IFTYPE_P2P_CLIENT:
7294 	case NL80211_IFTYPE_STATION:
7295 	case NL80211_IFTYPE_ADHOC:
7296 	case NL80211_IFTYPE_MESH_POINT:
7297 		break;
7298 	default:
7299 		err = -EOPNOTSUPP;
7300 		goto out_put_vlan;
7301 	}
7302 
7303 	/* driver will call cfg80211_check_station_change() */
7304 	wdev_lock(dev->ieee80211_ptr);
7305 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7306 	wdev_unlock(dev->ieee80211_ptr);
7307 
7308  out_put_vlan:
7309 	dev_put(params.vlan);
7310 
7311 	return err;
7312 }
7313 
7314 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7315 {
7316 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7317 	int err;
7318 	struct net_device *dev = info->user_ptr[1];
7319 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7320 	struct station_parameters params;
7321 	u8 *mac_addr = NULL;
7322 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7323 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7324 
7325 	memset(&params, 0, sizeof(params));
7326 
7327 	if (!rdev->ops->add_station)
7328 		return -EOPNOTSUPP;
7329 
7330 	if (!info->attrs[NL80211_ATTR_MAC])
7331 		return -EINVAL;
7332 
7333 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7334 		return -EINVAL;
7335 
7336 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7337 		return -EINVAL;
7338 
7339 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7340 	    !info->attrs[NL80211_ATTR_PEER_AID])
7341 		return -EINVAL;
7342 
7343 	params.link_sta_params.link_id =
7344 		nl80211_link_id_or_invalid(info->attrs);
7345 
7346 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7347 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7348 		params.link_sta_params.mld_mac = mac_addr;
7349 		params.link_sta_params.link_mac =
7350 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7351 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7352 			return -EINVAL;
7353 	} else {
7354 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7355 	}
7356 
7357 	params.link_sta_params.supported_rates =
7358 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7359 	params.link_sta_params.supported_rates_len =
7360 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7361 	params.listen_interval =
7362 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7363 
7364 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7365 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7366 
7367 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7368 		params.support_p2p_ps =
7369 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7370 	} else {
7371 		/*
7372 		 * if not specified, assume it's supported for P2P GO interface,
7373 		 * and is NOT supported for AP interface
7374 		 */
7375 		params.support_p2p_ps =
7376 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7377 	}
7378 
7379 	if (info->attrs[NL80211_ATTR_PEER_AID])
7380 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7381 	else
7382 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7383 
7384 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7385 		params.capability =
7386 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7387 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7388 	}
7389 
7390 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7391 		params.ext_capab =
7392 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7393 		params.ext_capab_len =
7394 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7395 	}
7396 
7397 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7398 		params.link_sta_params.ht_capa =
7399 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7400 
7401 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7402 		params.link_sta_params.vht_capa =
7403 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7404 
7405 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7406 		params.link_sta_params.he_capa =
7407 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7408 		params.link_sta_params.he_capa_len =
7409 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7410 
7411 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7412 			params.link_sta_params.eht_capa =
7413 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7414 			params.link_sta_params.eht_capa_len =
7415 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7416 
7417 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7418 							(const u8 *)params.link_sta_params.eht_capa,
7419 							params.link_sta_params.eht_capa_len,
7420 							false))
7421 				return -EINVAL;
7422 		}
7423 	}
7424 
7425 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7426 		params.link_sta_params.he_6ghz_capa =
7427 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7428 
7429 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7430 		params.link_sta_params.opmode_notif_used = true;
7431 		params.link_sta_params.opmode_notif =
7432 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7433 	}
7434 
7435 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7436 		params.plink_action =
7437 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7438 
7439 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7440 		params.airtime_weight =
7441 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7442 
7443 	if (params.airtime_weight &&
7444 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7445 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7446 		return -EOPNOTSUPP;
7447 
7448 	err = nl80211_parse_sta_txpower_setting(info,
7449 						&params.link_sta_params.txpwr,
7450 						&params.link_sta_params.txpwr_set);
7451 	if (err)
7452 		return err;
7453 
7454 	err = nl80211_parse_sta_channel_info(info, &params);
7455 	if (err)
7456 		return err;
7457 
7458 	err = nl80211_parse_sta_wme(info, &params);
7459 	if (err)
7460 		return err;
7461 
7462 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7463 		return -EINVAL;
7464 
7465 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7466 	 * as userspace might just pass through the capabilities from the IEs
7467 	 * directly, rather than enforcing this restriction and returning an
7468 	 * error in this case.
7469 	 */
7470 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7471 		params.link_sta_params.ht_capa = NULL;
7472 		params.link_sta_params.vht_capa = NULL;
7473 
7474 		/* HE and EHT require WME */
7475 		if (params.link_sta_params.he_capa_len ||
7476 		    params.link_sta_params.he_6ghz_capa ||
7477 		    params.link_sta_params.eht_capa_len)
7478 			return -EINVAL;
7479 	}
7480 
7481 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7482 	if (params.link_sta_params.he_6ghz_capa &&
7483 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7484 		return -EINVAL;
7485 
7486 	/* When you run into this, adjust the code below for the new flag */
7487 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7488 
7489 	switch (dev->ieee80211_ptr->iftype) {
7490 	case NL80211_IFTYPE_AP:
7491 	case NL80211_IFTYPE_AP_VLAN:
7492 	case NL80211_IFTYPE_P2P_GO:
7493 		/* ignore WME attributes if iface/sta is not capable */
7494 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7495 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7496 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7497 
7498 		/* TDLS peers cannot be added */
7499 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7500 		    info->attrs[NL80211_ATTR_PEER_AID])
7501 			return -EINVAL;
7502 		/* but don't bother the driver with it */
7503 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7504 
7505 		/* allow authenticated/associated only if driver handles it */
7506 		if (!(rdev->wiphy.features &
7507 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7508 		    params.sta_flags_mask & auth_assoc)
7509 			return -EINVAL;
7510 
7511 		/* Older userspace, or userspace wanting to be compatible with
7512 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7513 		 * and assoc flags in the mask, but assumes the station will be
7514 		 * added as associated anyway since this was the required driver
7515 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7516 		 * introduced.
7517 		 * In order to not bother drivers with this quirk in the API
7518 		 * set the flags in both the mask and set for new stations in
7519 		 * this case.
7520 		 */
7521 		if (!(params.sta_flags_mask & auth_assoc)) {
7522 			params.sta_flags_mask |= auth_assoc;
7523 			params.sta_flags_set |= auth_assoc;
7524 		}
7525 
7526 		/* must be last in here for error handling */
7527 		params.vlan = get_vlan(info, rdev);
7528 		if (IS_ERR(params.vlan))
7529 			return PTR_ERR(params.vlan);
7530 		break;
7531 	case NL80211_IFTYPE_MESH_POINT:
7532 		/* ignore uAPSD data */
7533 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7534 
7535 		/* associated is disallowed */
7536 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7537 			return -EINVAL;
7538 		/* TDLS peers cannot be added */
7539 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7540 		    info->attrs[NL80211_ATTR_PEER_AID])
7541 			return -EINVAL;
7542 		break;
7543 	case NL80211_IFTYPE_STATION:
7544 	case NL80211_IFTYPE_P2P_CLIENT:
7545 		/* ignore uAPSD data */
7546 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7547 
7548 		/* these are disallowed */
7549 		if (params.sta_flags_mask &
7550 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7551 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7552 			return -EINVAL;
7553 		/* Only TDLS peers can be added */
7554 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7555 			return -EINVAL;
7556 		/* Can only add if TDLS ... */
7557 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7558 			return -EOPNOTSUPP;
7559 		/* ... with external setup is supported */
7560 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7561 			return -EOPNOTSUPP;
7562 		/*
7563 		 * Older wpa_supplicant versions always mark the TDLS peer
7564 		 * as authorized, but it shouldn't yet be.
7565 		 */
7566 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7567 		break;
7568 	default:
7569 		return -EOPNOTSUPP;
7570 	}
7571 
7572 	/* be aware of params.vlan when changing code here */
7573 
7574 	wdev_lock(dev->ieee80211_ptr);
7575 	if (wdev->valid_links) {
7576 		if (params.link_sta_params.link_id < 0) {
7577 			err = -EINVAL;
7578 			goto out;
7579 		}
7580 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7581 			err = -ENOLINK;
7582 			goto out;
7583 		}
7584 	} else {
7585 		if (params.link_sta_params.link_id >= 0) {
7586 			err = -EINVAL;
7587 			goto out;
7588 		}
7589 	}
7590 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7591 out:
7592 	wdev_unlock(dev->ieee80211_ptr);
7593 	dev_put(params.vlan);
7594 	return err;
7595 }
7596 
7597 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7598 {
7599 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7600 	struct net_device *dev = info->user_ptr[1];
7601 	struct station_del_parameters params;
7602 	int ret;
7603 
7604 	memset(&params, 0, sizeof(params));
7605 
7606 	if (info->attrs[NL80211_ATTR_MAC])
7607 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7608 
7609 	switch (dev->ieee80211_ptr->iftype) {
7610 	case NL80211_IFTYPE_AP:
7611 	case NL80211_IFTYPE_AP_VLAN:
7612 	case NL80211_IFTYPE_MESH_POINT:
7613 	case NL80211_IFTYPE_P2P_GO:
7614 		/* always accept these */
7615 		break;
7616 	case NL80211_IFTYPE_ADHOC:
7617 		/* conditionally accept */
7618 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7619 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7620 			break;
7621 		return -EINVAL;
7622 	default:
7623 		return -EINVAL;
7624 	}
7625 
7626 	if (!rdev->ops->del_station)
7627 		return -EOPNOTSUPP;
7628 
7629 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7630 		params.subtype =
7631 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7632 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7633 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7634 			return -EINVAL;
7635 	} else {
7636 		/* Default to Deauthentication frame */
7637 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7638 	}
7639 
7640 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7641 		params.reason_code =
7642 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7643 		if (params.reason_code == 0)
7644 			return -EINVAL; /* 0 is reserved */
7645 	} else {
7646 		/* Default to reason code 2 */
7647 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7648 	}
7649 
7650 	wdev_lock(dev->ieee80211_ptr);
7651 	ret = rdev_del_station(rdev, dev, &params);
7652 	wdev_unlock(dev->ieee80211_ptr);
7653 
7654 	return ret;
7655 }
7656 
7657 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7658 				int flags, struct net_device *dev,
7659 				u8 *dst, u8 *next_hop,
7660 				struct mpath_info *pinfo)
7661 {
7662 	void *hdr;
7663 	struct nlattr *pinfoattr;
7664 
7665 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7666 	if (!hdr)
7667 		return -1;
7668 
7669 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7670 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7671 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7672 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7673 		goto nla_put_failure;
7674 
7675 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7676 	if (!pinfoattr)
7677 		goto nla_put_failure;
7678 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7679 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7680 			pinfo->frame_qlen))
7681 		goto nla_put_failure;
7682 	if (((pinfo->filled & MPATH_INFO_SN) &&
7683 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7684 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7685 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7686 			 pinfo->metric)) ||
7687 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7688 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7689 			 pinfo->exptime)) ||
7690 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7691 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7692 			pinfo->flags)) ||
7693 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7694 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7695 			 pinfo->discovery_timeout)) ||
7696 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7697 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7698 			pinfo->discovery_retries)) ||
7699 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7700 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7701 			pinfo->hop_count)) ||
7702 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7703 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7704 			 pinfo->path_change_count)))
7705 		goto nla_put_failure;
7706 
7707 	nla_nest_end(msg, pinfoattr);
7708 
7709 	genlmsg_end(msg, hdr);
7710 	return 0;
7711 
7712  nla_put_failure:
7713 	genlmsg_cancel(msg, hdr);
7714 	return -EMSGSIZE;
7715 }
7716 
7717 static int nl80211_dump_mpath(struct sk_buff *skb,
7718 			      struct netlink_callback *cb)
7719 {
7720 	struct mpath_info pinfo;
7721 	struct cfg80211_registered_device *rdev;
7722 	struct wireless_dev *wdev;
7723 	u8 dst[ETH_ALEN];
7724 	u8 next_hop[ETH_ALEN];
7725 	int path_idx = cb->args[2];
7726 	int err;
7727 
7728 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7729 	if (err)
7730 		return err;
7731 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7732 	__acquire(&rdev->wiphy.mtx);
7733 
7734 	if (!rdev->ops->dump_mpath) {
7735 		err = -EOPNOTSUPP;
7736 		goto out_err;
7737 	}
7738 
7739 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7740 		err = -EOPNOTSUPP;
7741 		goto out_err;
7742 	}
7743 
7744 	while (1) {
7745 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7746 				      next_hop, &pinfo);
7747 		if (err == -ENOENT)
7748 			break;
7749 		if (err)
7750 			goto out_err;
7751 
7752 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7753 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7754 				       wdev->netdev, dst, next_hop,
7755 				       &pinfo) < 0)
7756 			goto out;
7757 
7758 		path_idx++;
7759 	}
7760 
7761  out:
7762 	cb->args[2] = path_idx;
7763 	err = skb->len;
7764  out_err:
7765 	wiphy_unlock(&rdev->wiphy);
7766 	return err;
7767 }
7768 
7769 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7770 {
7771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7772 	int err;
7773 	struct net_device *dev = info->user_ptr[1];
7774 	struct mpath_info pinfo;
7775 	struct sk_buff *msg;
7776 	u8 *dst = NULL;
7777 	u8 next_hop[ETH_ALEN];
7778 
7779 	memset(&pinfo, 0, sizeof(pinfo));
7780 
7781 	if (!info->attrs[NL80211_ATTR_MAC])
7782 		return -EINVAL;
7783 
7784 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7785 
7786 	if (!rdev->ops->get_mpath)
7787 		return -EOPNOTSUPP;
7788 
7789 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7790 		return -EOPNOTSUPP;
7791 
7792 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7793 	if (err)
7794 		return err;
7795 
7796 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7797 	if (!msg)
7798 		return -ENOMEM;
7799 
7800 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7801 				 dev, dst, next_hop, &pinfo) < 0) {
7802 		nlmsg_free(msg);
7803 		return -ENOBUFS;
7804 	}
7805 
7806 	return genlmsg_reply(msg, info);
7807 }
7808 
7809 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7810 {
7811 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7812 	struct net_device *dev = info->user_ptr[1];
7813 	u8 *dst = NULL;
7814 	u8 *next_hop = NULL;
7815 
7816 	if (!info->attrs[NL80211_ATTR_MAC])
7817 		return -EINVAL;
7818 
7819 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7820 		return -EINVAL;
7821 
7822 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7823 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7824 
7825 	if (!rdev->ops->change_mpath)
7826 		return -EOPNOTSUPP;
7827 
7828 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7829 		return -EOPNOTSUPP;
7830 
7831 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7832 }
7833 
7834 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7835 {
7836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7837 	struct net_device *dev = info->user_ptr[1];
7838 	u8 *dst = NULL;
7839 	u8 *next_hop = NULL;
7840 
7841 	if (!info->attrs[NL80211_ATTR_MAC])
7842 		return -EINVAL;
7843 
7844 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7845 		return -EINVAL;
7846 
7847 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7848 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7849 
7850 	if (!rdev->ops->add_mpath)
7851 		return -EOPNOTSUPP;
7852 
7853 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7854 		return -EOPNOTSUPP;
7855 
7856 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7857 }
7858 
7859 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7860 {
7861 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7862 	struct net_device *dev = info->user_ptr[1];
7863 	u8 *dst = NULL;
7864 
7865 	if (info->attrs[NL80211_ATTR_MAC])
7866 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7867 
7868 	if (!rdev->ops->del_mpath)
7869 		return -EOPNOTSUPP;
7870 
7871 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7872 		return -EOPNOTSUPP;
7873 
7874 	return rdev_del_mpath(rdev, dev, dst);
7875 }
7876 
7877 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7878 {
7879 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7880 	int err;
7881 	struct net_device *dev = info->user_ptr[1];
7882 	struct mpath_info pinfo;
7883 	struct sk_buff *msg;
7884 	u8 *dst = NULL;
7885 	u8 mpp[ETH_ALEN];
7886 
7887 	memset(&pinfo, 0, sizeof(pinfo));
7888 
7889 	if (!info->attrs[NL80211_ATTR_MAC])
7890 		return -EINVAL;
7891 
7892 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7893 
7894 	if (!rdev->ops->get_mpp)
7895 		return -EOPNOTSUPP;
7896 
7897 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7898 		return -EOPNOTSUPP;
7899 
7900 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7901 	if (err)
7902 		return err;
7903 
7904 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7905 	if (!msg)
7906 		return -ENOMEM;
7907 
7908 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7909 			       dev, dst, mpp, &pinfo) < 0) {
7910 		nlmsg_free(msg);
7911 		return -ENOBUFS;
7912 	}
7913 
7914 	return genlmsg_reply(msg, info);
7915 }
7916 
7917 static int nl80211_dump_mpp(struct sk_buff *skb,
7918 			    struct netlink_callback *cb)
7919 {
7920 	struct mpath_info pinfo;
7921 	struct cfg80211_registered_device *rdev;
7922 	struct wireless_dev *wdev;
7923 	u8 dst[ETH_ALEN];
7924 	u8 mpp[ETH_ALEN];
7925 	int path_idx = cb->args[2];
7926 	int err;
7927 
7928 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7929 	if (err)
7930 		return err;
7931 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7932 	__acquire(&rdev->wiphy.mtx);
7933 
7934 	if (!rdev->ops->dump_mpp) {
7935 		err = -EOPNOTSUPP;
7936 		goto out_err;
7937 	}
7938 
7939 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7940 		err = -EOPNOTSUPP;
7941 		goto out_err;
7942 	}
7943 
7944 	while (1) {
7945 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7946 				    mpp, &pinfo);
7947 		if (err == -ENOENT)
7948 			break;
7949 		if (err)
7950 			goto out_err;
7951 
7952 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7953 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7954 				       wdev->netdev, dst, mpp,
7955 				       &pinfo) < 0)
7956 			goto out;
7957 
7958 		path_idx++;
7959 	}
7960 
7961  out:
7962 	cb->args[2] = path_idx;
7963 	err = skb->len;
7964  out_err:
7965 	wiphy_unlock(&rdev->wiphy);
7966 	return err;
7967 }
7968 
7969 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7970 {
7971 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7972 	struct net_device *dev = info->user_ptr[1];
7973 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7974 	struct bss_parameters params;
7975 	int err;
7976 
7977 	memset(&params, 0, sizeof(params));
7978 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
7979 	/* default to not changing parameters */
7980 	params.use_cts_prot = -1;
7981 	params.use_short_preamble = -1;
7982 	params.use_short_slot_time = -1;
7983 	params.ap_isolate = -1;
7984 	params.ht_opmode = -1;
7985 	params.p2p_ctwindow = -1;
7986 	params.p2p_opp_ps = -1;
7987 
7988 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7989 		params.use_cts_prot =
7990 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7991 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7992 		params.use_short_preamble =
7993 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7994 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7995 		params.use_short_slot_time =
7996 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7997 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7998 		params.basic_rates =
7999 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8000 		params.basic_rates_len =
8001 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8002 	}
8003 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8004 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8005 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8006 		params.ht_opmode =
8007 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8008 
8009 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8010 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8011 			return -EINVAL;
8012 		params.p2p_ctwindow =
8013 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8014 		if (params.p2p_ctwindow != 0 &&
8015 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8016 			return -EINVAL;
8017 	}
8018 
8019 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8020 		u8 tmp;
8021 
8022 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8023 			return -EINVAL;
8024 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8025 		params.p2p_opp_ps = tmp;
8026 		if (params.p2p_opp_ps &&
8027 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8028 			return -EINVAL;
8029 	}
8030 
8031 	if (!rdev->ops->change_bss)
8032 		return -EOPNOTSUPP;
8033 
8034 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8035 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8036 		return -EOPNOTSUPP;
8037 
8038 	wdev_lock(wdev);
8039 	err = rdev_change_bss(rdev, dev, &params);
8040 	wdev_unlock(wdev);
8041 
8042 	return err;
8043 }
8044 
8045 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8046 {
8047 	char *data = NULL;
8048 	bool is_indoor;
8049 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8050 	u32 owner_nlportid;
8051 
8052 	/*
8053 	 * You should only get this when cfg80211 hasn't yet initialized
8054 	 * completely when built-in to the kernel right between the time
8055 	 * window between nl80211_init() and regulatory_init(), if that is
8056 	 * even possible.
8057 	 */
8058 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8059 		return -EINPROGRESS;
8060 
8061 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8062 		user_reg_hint_type =
8063 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8064 	else
8065 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8066 
8067 	switch (user_reg_hint_type) {
8068 	case NL80211_USER_REG_HINT_USER:
8069 	case NL80211_USER_REG_HINT_CELL_BASE:
8070 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8071 			return -EINVAL;
8072 
8073 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8074 		return regulatory_hint_user(data, user_reg_hint_type);
8075 	case NL80211_USER_REG_HINT_INDOOR:
8076 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8077 			owner_nlportid = info->snd_portid;
8078 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8079 		} else {
8080 			owner_nlportid = 0;
8081 			is_indoor = true;
8082 		}
8083 
8084 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
8085 	default:
8086 		return -EINVAL;
8087 	}
8088 }
8089 
8090 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8091 {
8092 	return reg_reload_regdb();
8093 }
8094 
8095 static int nl80211_get_mesh_config(struct sk_buff *skb,
8096 				   struct genl_info *info)
8097 {
8098 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8099 	struct net_device *dev = info->user_ptr[1];
8100 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8101 	struct mesh_config cur_params;
8102 	int err = 0;
8103 	void *hdr;
8104 	struct nlattr *pinfoattr;
8105 	struct sk_buff *msg;
8106 
8107 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8108 		return -EOPNOTSUPP;
8109 
8110 	if (!rdev->ops->get_mesh_config)
8111 		return -EOPNOTSUPP;
8112 
8113 	wdev_lock(wdev);
8114 	/* If not connected, get default parameters */
8115 	if (!wdev->u.mesh.id_len)
8116 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8117 	else
8118 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8119 	wdev_unlock(wdev);
8120 
8121 	if (err)
8122 		return err;
8123 
8124 	/* Draw up a netlink message to send back */
8125 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8126 	if (!msg)
8127 		return -ENOMEM;
8128 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8129 			     NL80211_CMD_GET_MESH_CONFIG);
8130 	if (!hdr)
8131 		goto out;
8132 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8133 	if (!pinfoattr)
8134 		goto nla_put_failure;
8135 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8136 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8137 			cur_params.dot11MeshRetryTimeout) ||
8138 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8139 			cur_params.dot11MeshConfirmTimeout) ||
8140 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8141 			cur_params.dot11MeshHoldingTimeout) ||
8142 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8143 			cur_params.dot11MeshMaxPeerLinks) ||
8144 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8145 		       cur_params.dot11MeshMaxRetries) ||
8146 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8147 		       cur_params.dot11MeshTTL) ||
8148 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8149 		       cur_params.element_ttl) ||
8150 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8151 		       cur_params.auto_open_plinks) ||
8152 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8153 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8154 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8155 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8156 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8157 			cur_params.path_refresh_time) ||
8158 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8159 			cur_params.min_discovery_timeout) ||
8160 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8161 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8162 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8163 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8164 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8165 			cur_params.dot11MeshHWMPperrMinInterval) ||
8166 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8167 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8168 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8169 		       cur_params.dot11MeshHWMPRootMode) ||
8170 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8171 			cur_params.dot11MeshHWMPRannInterval) ||
8172 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8173 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8174 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8175 		       cur_params.dot11MeshForwarding) ||
8176 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8177 			cur_params.rssi_threshold) ||
8178 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8179 			cur_params.ht_opmode) ||
8180 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8181 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8182 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8183 			cur_params.dot11MeshHWMProotInterval) ||
8184 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8185 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8186 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8187 			cur_params.power_mode) ||
8188 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8189 			cur_params.dot11MeshAwakeWindowDuration) ||
8190 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8191 			cur_params.plink_timeout) ||
8192 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8193 		       cur_params.dot11MeshConnectedToMeshGate) ||
8194 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8195 		       cur_params.dot11MeshNolearn) ||
8196 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8197 		       cur_params.dot11MeshConnectedToAuthServer))
8198 		goto nla_put_failure;
8199 	nla_nest_end(msg, pinfoattr);
8200 	genlmsg_end(msg, hdr);
8201 	return genlmsg_reply(msg, info);
8202 
8203  nla_put_failure:
8204  out:
8205 	nlmsg_free(msg);
8206 	return -ENOBUFS;
8207 }
8208 
8209 static const struct nla_policy
8210 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8211 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8212 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8213 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8214 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8215 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8216 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8217 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8218 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8219 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8220 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8221 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8222 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8223 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8224 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8225 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8226 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8227 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8228 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8229 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8230 		NLA_POLICY_MIN(NLA_U16, 1),
8231 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8232 		NLA_POLICY_MIN(NLA_U16, 1),
8233 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8234 		NLA_POLICY_MIN(NLA_U16, 1),
8235 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8236 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8237 		NLA_POLICY_MIN(NLA_U16, 1),
8238 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8239 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8240 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8241 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8242 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8243 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8244 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8245 		NLA_POLICY_MIN(NLA_U16, 1),
8246 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8247 		NLA_POLICY_MIN(NLA_U16, 1),
8248 	[NL80211_MESHCONF_POWER_MODE] =
8249 		NLA_POLICY_RANGE(NLA_U32,
8250 				 NL80211_MESH_POWER_ACTIVE,
8251 				 NL80211_MESH_POWER_MAX),
8252 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8253 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8254 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8255 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8256 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8257 };
8258 
8259 static const struct nla_policy
8260 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8261 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8262 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8263 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8264 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8265 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8266 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8267 	[NL80211_MESH_SETUP_IE] =
8268 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8269 				       IEEE80211_MAX_DATA_LEN),
8270 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8271 };
8272 
8273 static int nl80211_parse_mesh_config(struct genl_info *info,
8274 				     struct mesh_config *cfg,
8275 				     u32 *mask_out)
8276 {
8277 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8278 	u32 mask = 0;
8279 	u16 ht_opmode;
8280 
8281 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8282 do {									\
8283 	if (tb[attr]) {							\
8284 		cfg->param = fn(tb[attr]);				\
8285 		mask |= BIT((attr) - 1);				\
8286 	}								\
8287 } while (0)
8288 
8289 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8290 		return -EINVAL;
8291 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8292 		return -EINVAL;
8293 
8294 	/* This makes sure that there aren't more than 32 mesh config
8295 	 * parameters (otherwise our bitfield scheme would not work.) */
8296 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8297 
8298 	/* Fill in the params struct */
8299 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8300 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8301 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8302 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8303 				  nla_get_u16);
8304 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8305 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8306 				  nla_get_u16);
8307 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8308 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8309 				  nla_get_u16);
8310 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8311 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8312 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8313 				  NL80211_MESHCONF_TTL, nla_get_u8);
8314 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8315 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8316 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8317 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8318 				  nla_get_u8);
8319 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8320 				  mask,
8321 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8322 				  nla_get_u32);
8323 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8324 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8325 				  nla_get_u8);
8326 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8327 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8328 				  nla_get_u32);
8329 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8330 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8331 		return -EINVAL;
8332 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8333 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8334 				  nla_get_u16);
8335 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8336 				  mask,
8337 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8338 				  nla_get_u32);
8339 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8340 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8341 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8342 		return -EINVAL;
8343 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8344 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8345 				  nla_get_u16);
8346 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8347 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8348 				  nla_get_u16);
8349 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8350 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8351 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8352 				  nla_get_u16);
8353 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8354 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8355 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8356 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8357 				  nla_get_u16);
8358 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8359 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8360 				  nla_get_u8);
8361 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8362 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8363 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8364 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8365 				  nla_get_s32);
8366 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8367 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8368 				  nla_get_u8);
8369 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8370 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8371 				  nla_get_u8);
8372 	/*
8373 	 * Check HT operation mode based on
8374 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8375 	 */
8376 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8377 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8378 
8379 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8380 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8381 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8382 			return -EINVAL;
8383 
8384 		/* NON_HT_STA bit is reserved, but some programs set it */
8385 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8386 
8387 		cfg->ht_opmode = ht_opmode;
8388 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8389 	}
8390 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8391 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8392 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8393 				  nla_get_u32);
8394 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8395 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8396 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8397 		return -EINVAL;
8398 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8399 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8400 				  nla_get_u16);
8401 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8402 				  mask,
8403 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8404 				  nla_get_u16);
8405 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8406 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8407 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8408 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8409 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8410 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8411 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8412 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8413 	if (mask_out)
8414 		*mask_out = mask;
8415 
8416 	return 0;
8417 
8418 #undef FILL_IN_MESH_PARAM_IF_SET
8419 }
8420 
8421 static int nl80211_parse_mesh_setup(struct genl_info *info,
8422 				     struct mesh_setup *setup)
8423 {
8424 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8425 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8426 
8427 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8428 		return -EINVAL;
8429 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8430 		return -EINVAL;
8431 
8432 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8433 		setup->sync_method =
8434 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8435 		 IEEE80211_SYNC_METHOD_VENDOR :
8436 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8437 
8438 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8439 		setup->path_sel_proto =
8440 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8441 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8442 		 IEEE80211_PATH_PROTOCOL_HWMP;
8443 
8444 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8445 		setup->path_metric =
8446 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8447 		 IEEE80211_PATH_METRIC_VENDOR :
8448 		 IEEE80211_PATH_METRIC_AIRTIME;
8449 
8450 	if (tb[NL80211_MESH_SETUP_IE]) {
8451 		struct nlattr *ieattr =
8452 			tb[NL80211_MESH_SETUP_IE];
8453 		setup->ie = nla_data(ieattr);
8454 		setup->ie_len = nla_len(ieattr);
8455 	}
8456 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8457 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8458 		return -EINVAL;
8459 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8460 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8461 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8462 	if (setup->is_secure)
8463 		setup->user_mpm = true;
8464 
8465 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8466 		if (!setup->user_mpm)
8467 			return -EINVAL;
8468 		setup->auth_id =
8469 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8470 	}
8471 
8472 	return 0;
8473 }
8474 
8475 static int nl80211_update_mesh_config(struct sk_buff *skb,
8476 				      struct genl_info *info)
8477 {
8478 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8479 	struct net_device *dev = info->user_ptr[1];
8480 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8481 	struct mesh_config cfg;
8482 	u32 mask;
8483 	int err;
8484 
8485 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8486 		return -EOPNOTSUPP;
8487 
8488 	if (!rdev->ops->update_mesh_config)
8489 		return -EOPNOTSUPP;
8490 
8491 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8492 	if (err)
8493 		return err;
8494 
8495 	wdev_lock(wdev);
8496 	if (!wdev->u.mesh.id_len)
8497 		err = -ENOLINK;
8498 
8499 	if (!err)
8500 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8501 
8502 	wdev_unlock(wdev);
8503 
8504 	return err;
8505 }
8506 
8507 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8508 			      struct sk_buff *msg)
8509 {
8510 	struct nlattr *nl_reg_rules;
8511 	unsigned int i;
8512 
8513 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8514 	    (regdom->dfs_region &&
8515 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8516 		goto nla_put_failure;
8517 
8518 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8519 	if (!nl_reg_rules)
8520 		goto nla_put_failure;
8521 
8522 	for (i = 0; i < regdom->n_reg_rules; i++) {
8523 		struct nlattr *nl_reg_rule;
8524 		const struct ieee80211_reg_rule *reg_rule;
8525 		const struct ieee80211_freq_range *freq_range;
8526 		const struct ieee80211_power_rule *power_rule;
8527 		unsigned int max_bandwidth_khz;
8528 
8529 		reg_rule = &regdom->reg_rules[i];
8530 		freq_range = &reg_rule->freq_range;
8531 		power_rule = &reg_rule->power_rule;
8532 
8533 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8534 		if (!nl_reg_rule)
8535 			goto nla_put_failure;
8536 
8537 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8538 		if (!max_bandwidth_khz)
8539 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8540 								  reg_rule);
8541 
8542 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8543 				reg_rule->flags) ||
8544 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8545 				freq_range->start_freq_khz) ||
8546 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8547 				freq_range->end_freq_khz) ||
8548 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8549 				max_bandwidth_khz) ||
8550 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8551 				power_rule->max_antenna_gain) ||
8552 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8553 				power_rule->max_eirp) ||
8554 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8555 				reg_rule->dfs_cac_ms))
8556 			goto nla_put_failure;
8557 
8558 		nla_nest_end(msg, nl_reg_rule);
8559 	}
8560 
8561 	nla_nest_end(msg, nl_reg_rules);
8562 	return 0;
8563 
8564 nla_put_failure:
8565 	return -EMSGSIZE;
8566 }
8567 
8568 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8569 {
8570 	const struct ieee80211_regdomain *regdom = NULL;
8571 	struct cfg80211_registered_device *rdev;
8572 	struct wiphy *wiphy = NULL;
8573 	struct sk_buff *msg;
8574 	int err = -EMSGSIZE;
8575 	void *hdr;
8576 
8577 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8578 	if (!msg)
8579 		return -ENOBUFS;
8580 
8581 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8582 			     NL80211_CMD_GET_REG);
8583 	if (!hdr)
8584 		goto put_failure;
8585 
8586 	rtnl_lock();
8587 
8588 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8589 		bool self_managed;
8590 
8591 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8592 		if (IS_ERR(rdev)) {
8593 			err = PTR_ERR(rdev);
8594 			goto nla_put_failure;
8595 		}
8596 
8597 		wiphy = &rdev->wiphy;
8598 		self_managed = wiphy->regulatory_flags &
8599 			       REGULATORY_WIPHY_SELF_MANAGED;
8600 
8601 		rcu_read_lock();
8602 
8603 		regdom = get_wiphy_regdom(wiphy);
8604 
8605 		/* a self-managed-reg device must have a private regdom */
8606 		if (WARN_ON(!regdom && self_managed)) {
8607 			err = -EINVAL;
8608 			goto nla_put_failure_rcu;
8609 		}
8610 
8611 		if (regdom &&
8612 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8613 			goto nla_put_failure_rcu;
8614 	} else {
8615 		rcu_read_lock();
8616 	}
8617 
8618 	if (!wiphy && reg_last_request_cell_base() &&
8619 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8620 			NL80211_USER_REG_HINT_CELL_BASE))
8621 		goto nla_put_failure_rcu;
8622 
8623 	if (!regdom)
8624 		regdom = rcu_dereference(cfg80211_regdomain);
8625 
8626 	if (nl80211_put_regdom(regdom, msg))
8627 		goto nla_put_failure_rcu;
8628 
8629 	rcu_read_unlock();
8630 
8631 	genlmsg_end(msg, hdr);
8632 	rtnl_unlock();
8633 	return genlmsg_reply(msg, info);
8634 
8635 nla_put_failure_rcu:
8636 	rcu_read_unlock();
8637 nla_put_failure:
8638 	rtnl_unlock();
8639 put_failure:
8640 	nlmsg_free(msg);
8641 	return err;
8642 }
8643 
8644 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8645 			       u32 seq, int flags, struct wiphy *wiphy,
8646 			       const struct ieee80211_regdomain *regdom)
8647 {
8648 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8649 				   NL80211_CMD_GET_REG);
8650 
8651 	if (!hdr)
8652 		return -1;
8653 
8654 	genl_dump_check_consistent(cb, hdr);
8655 
8656 	if (nl80211_put_regdom(regdom, msg))
8657 		goto nla_put_failure;
8658 
8659 	if (!wiphy && reg_last_request_cell_base() &&
8660 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8661 			NL80211_USER_REG_HINT_CELL_BASE))
8662 		goto nla_put_failure;
8663 
8664 	if (wiphy &&
8665 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8666 		goto nla_put_failure;
8667 
8668 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8669 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8670 		goto nla_put_failure;
8671 
8672 	genlmsg_end(msg, hdr);
8673 	return 0;
8674 
8675 nla_put_failure:
8676 	genlmsg_cancel(msg, hdr);
8677 	return -EMSGSIZE;
8678 }
8679 
8680 static int nl80211_get_reg_dump(struct sk_buff *skb,
8681 				struct netlink_callback *cb)
8682 {
8683 	const struct ieee80211_regdomain *regdom = NULL;
8684 	struct cfg80211_registered_device *rdev;
8685 	int err, reg_idx, start = cb->args[2];
8686 
8687 	rcu_read_lock();
8688 
8689 	if (cfg80211_regdomain && start == 0) {
8690 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8691 					  NLM_F_MULTI, NULL,
8692 					  rcu_dereference(cfg80211_regdomain));
8693 		if (err < 0)
8694 			goto out_err;
8695 	}
8696 
8697 	/* the global regdom is idx 0 */
8698 	reg_idx = 1;
8699 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8700 		regdom = get_wiphy_regdom(&rdev->wiphy);
8701 		if (!regdom)
8702 			continue;
8703 
8704 		if (++reg_idx <= start)
8705 			continue;
8706 
8707 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8708 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8709 		if (err < 0) {
8710 			reg_idx--;
8711 			break;
8712 		}
8713 	}
8714 
8715 	cb->args[2] = reg_idx;
8716 	err = skb->len;
8717 out_err:
8718 	rcu_read_unlock();
8719 	return err;
8720 }
8721 
8722 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8723 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8724 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8725 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8726 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8727 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8728 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8729 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8730 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8731 };
8732 
8733 static int parse_reg_rule(struct nlattr *tb[],
8734 	struct ieee80211_reg_rule *reg_rule)
8735 {
8736 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8737 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8738 
8739 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8740 		return -EINVAL;
8741 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8742 		return -EINVAL;
8743 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8744 		return -EINVAL;
8745 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8746 		return -EINVAL;
8747 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8748 		return -EINVAL;
8749 
8750 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8751 
8752 	freq_range->start_freq_khz =
8753 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8754 	freq_range->end_freq_khz =
8755 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8756 	freq_range->max_bandwidth_khz =
8757 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8758 
8759 	power_rule->max_eirp =
8760 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8761 
8762 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8763 		power_rule->max_antenna_gain =
8764 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8765 
8766 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8767 		reg_rule->dfs_cac_ms =
8768 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8769 
8770 	return 0;
8771 }
8772 
8773 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8774 {
8775 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8776 	struct nlattr *nl_reg_rule;
8777 	char *alpha2;
8778 	int rem_reg_rules, r;
8779 	u32 num_rules = 0, rule_idx = 0;
8780 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8781 	struct ieee80211_regdomain *rd;
8782 
8783 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8784 		return -EINVAL;
8785 
8786 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8787 		return -EINVAL;
8788 
8789 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8790 
8791 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8792 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8793 
8794 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8795 			    rem_reg_rules) {
8796 		num_rules++;
8797 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8798 			return -EINVAL;
8799 	}
8800 
8801 	rtnl_lock();
8802 	if (!reg_is_valid_request(alpha2)) {
8803 		r = -EINVAL;
8804 		goto out;
8805 	}
8806 
8807 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8808 	if (!rd) {
8809 		r = -ENOMEM;
8810 		goto out;
8811 	}
8812 
8813 	rd->n_reg_rules = num_rules;
8814 	rd->alpha2[0] = alpha2[0];
8815 	rd->alpha2[1] = alpha2[1];
8816 
8817 	/*
8818 	 * Disable DFS master mode if the DFS region was
8819 	 * not supported or known on this kernel.
8820 	 */
8821 	if (reg_supported_dfs_region(dfs_region))
8822 		rd->dfs_region = dfs_region;
8823 
8824 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8825 			    rem_reg_rules) {
8826 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8827 						nl_reg_rule, reg_rule_policy,
8828 						info->extack);
8829 		if (r)
8830 			goto bad_reg;
8831 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8832 		if (r)
8833 			goto bad_reg;
8834 
8835 		rule_idx++;
8836 
8837 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8838 			r = -EINVAL;
8839 			goto bad_reg;
8840 		}
8841 	}
8842 
8843 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8844 	/* set_regdom takes ownership of rd */
8845 	rd = NULL;
8846  bad_reg:
8847 	kfree(rd);
8848  out:
8849 	rtnl_unlock();
8850 	return r;
8851 }
8852 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8853 
8854 static int validate_scan_freqs(struct nlattr *freqs)
8855 {
8856 	struct nlattr *attr1, *attr2;
8857 	int n_channels = 0, tmp1, tmp2;
8858 
8859 	nla_for_each_nested(attr1, freqs, tmp1)
8860 		if (nla_len(attr1) != sizeof(u32))
8861 			return 0;
8862 
8863 	nla_for_each_nested(attr1, freqs, tmp1) {
8864 		n_channels++;
8865 		/*
8866 		 * Some hardware has a limited channel list for
8867 		 * scanning, and it is pretty much nonsensical
8868 		 * to scan for a channel twice, so disallow that
8869 		 * and don't require drivers to check that the
8870 		 * channel list they get isn't longer than what
8871 		 * they can scan, as long as they can scan all
8872 		 * the channels they registered at once.
8873 		 */
8874 		nla_for_each_nested(attr2, freqs, tmp2)
8875 			if (attr1 != attr2 &&
8876 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8877 				return 0;
8878 	}
8879 
8880 	return n_channels;
8881 }
8882 
8883 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8884 {
8885 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8886 }
8887 
8888 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8889 			    struct cfg80211_bss_selection *bss_select)
8890 {
8891 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8892 	struct nlattr *nest;
8893 	int err;
8894 	bool found = false;
8895 	int i;
8896 
8897 	/* only process one nested attribute */
8898 	nest = nla_data(nla);
8899 	if (!nla_ok(nest, nla_len(nest)))
8900 		return -EINVAL;
8901 
8902 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8903 					  nest, nl80211_bss_select_policy,
8904 					  NULL);
8905 	if (err)
8906 		return err;
8907 
8908 	/* only one attribute may be given */
8909 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8910 		if (attr[i]) {
8911 			if (found)
8912 				return -EINVAL;
8913 			found = true;
8914 		}
8915 	}
8916 
8917 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8918 
8919 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8920 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8921 
8922 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8923 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8924 		bss_select->param.band_pref =
8925 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8926 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8927 			return -EINVAL;
8928 	}
8929 
8930 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8931 		struct nl80211_bss_select_rssi_adjust *adj_param;
8932 
8933 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8934 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8935 		bss_select->param.adjust.band = adj_param->band;
8936 		bss_select->param.adjust.delta = adj_param->delta;
8937 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8938 			return -EINVAL;
8939 	}
8940 
8941 	/* user-space did not provide behaviour attribute */
8942 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8943 		return -EINVAL;
8944 
8945 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8946 		return -EINVAL;
8947 
8948 	return 0;
8949 }
8950 
8951 int nl80211_parse_random_mac(struct nlattr **attrs,
8952 			     u8 *mac_addr, u8 *mac_addr_mask)
8953 {
8954 	int i;
8955 
8956 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8957 		eth_zero_addr(mac_addr);
8958 		eth_zero_addr(mac_addr_mask);
8959 		mac_addr[0] = 0x2;
8960 		mac_addr_mask[0] = 0x3;
8961 
8962 		return 0;
8963 	}
8964 
8965 	/* need both or none */
8966 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8967 		return -EINVAL;
8968 
8969 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8970 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8971 
8972 	/* don't allow or configure an mcast address */
8973 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8974 	    is_multicast_ether_addr(mac_addr))
8975 		return -EINVAL;
8976 
8977 	/*
8978 	 * allow users to pass a MAC address that has bits set outside
8979 	 * of the mask, but don't bother drivers with having to deal
8980 	 * with such bits
8981 	 */
8982 	for (i = 0; i < ETH_ALEN; i++)
8983 		mac_addr[i] &= mac_addr_mask[i];
8984 
8985 	return 0;
8986 }
8987 
8988 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8989 					      struct ieee80211_channel *chan)
8990 {
8991 	unsigned int link_id;
8992 	bool all_ok = true;
8993 
8994 	ASSERT_WDEV_LOCK(wdev);
8995 
8996 	if (!cfg80211_beaconing_iface_active(wdev))
8997 		return true;
8998 
8999 	/*
9000 	 * FIXME: check if we have a free HW resource/link for chan
9001 	 *
9002 	 * This, as well as the FIXME below, requires knowing the link
9003 	 * capabilities of the hardware.
9004 	 */
9005 
9006 	/* we cannot leave radar channels */
9007 	for_each_valid_link(wdev, link_id) {
9008 		struct cfg80211_chan_def *chandef;
9009 
9010 		chandef = wdev_chandef(wdev, link_id);
9011 		if (!chandef || !chandef->chan)
9012 			continue;
9013 
9014 		/*
9015 		 * FIXME: don't require all_ok, but rather check only the
9016 		 *	  correct HW resource/link onto which 'chan' falls,
9017 		 *	  as only that link leaves the channel for doing
9018 		 *	  the off-channel operation.
9019 		 */
9020 
9021 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9022 			all_ok = false;
9023 	}
9024 
9025 	if (all_ok)
9026 		return true;
9027 
9028 	return regulatory_pre_cac_allowed(wdev->wiphy);
9029 }
9030 
9031 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9032 				    enum nl80211_ext_feature_index feat)
9033 {
9034 	if (!(flags & flag))
9035 		return true;
9036 	if (wiphy_ext_feature_isset(wiphy, feat))
9037 		return true;
9038 	return false;
9039 }
9040 
9041 static int
9042 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9043 			 void *request, struct nlattr **attrs,
9044 			 bool is_sched_scan)
9045 {
9046 	u8 *mac_addr, *mac_addr_mask;
9047 	u32 *flags;
9048 	enum nl80211_feature_flags randomness_flag;
9049 
9050 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9051 		return 0;
9052 
9053 	if (is_sched_scan) {
9054 		struct cfg80211_sched_scan_request *req = request;
9055 
9056 		randomness_flag = wdev ?
9057 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9058 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9059 		flags = &req->flags;
9060 		mac_addr = req->mac_addr;
9061 		mac_addr_mask = req->mac_addr_mask;
9062 	} else {
9063 		struct cfg80211_scan_request *req = request;
9064 
9065 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9066 		flags = &req->flags;
9067 		mac_addr = req->mac_addr;
9068 		mac_addr_mask = req->mac_addr_mask;
9069 	}
9070 
9071 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9072 
9073 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9074 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9075 	    !nl80211_check_scan_feat(wiphy, *flags,
9076 				     NL80211_SCAN_FLAG_LOW_SPAN,
9077 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9078 	    !nl80211_check_scan_feat(wiphy, *flags,
9079 				     NL80211_SCAN_FLAG_LOW_POWER,
9080 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9081 	    !nl80211_check_scan_feat(wiphy, *flags,
9082 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9083 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9084 	    !nl80211_check_scan_feat(wiphy, *flags,
9085 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9086 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9087 	    !nl80211_check_scan_feat(wiphy, *flags,
9088 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9089 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9090 	    !nl80211_check_scan_feat(wiphy, *flags,
9091 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9092 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9093 	    !nl80211_check_scan_feat(wiphy, *flags,
9094 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9095 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9096 	    !nl80211_check_scan_feat(wiphy, *flags,
9097 				     NL80211_SCAN_FLAG_RANDOM_SN,
9098 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9099 	    !nl80211_check_scan_feat(wiphy, *flags,
9100 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9101 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9102 		return -EOPNOTSUPP;
9103 
9104 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9105 		int err;
9106 
9107 		if (!(wiphy->features & randomness_flag) ||
9108 		    (wdev && wdev->connected))
9109 			return -EOPNOTSUPP;
9110 
9111 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9112 		if (err)
9113 			return err;
9114 	}
9115 
9116 	return 0;
9117 }
9118 
9119 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9120 {
9121 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9122 	struct wireless_dev *wdev = info->user_ptr[1];
9123 	struct cfg80211_scan_request *request;
9124 	struct nlattr *scan_freqs = NULL;
9125 	bool scan_freqs_khz = false;
9126 	struct nlattr *attr;
9127 	struct wiphy *wiphy;
9128 	int err, tmp, n_ssids = 0, n_channels, i;
9129 	size_t ie_len, size;
9130 
9131 	wiphy = &rdev->wiphy;
9132 
9133 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9134 		return -EOPNOTSUPP;
9135 
9136 	if (!rdev->ops->scan)
9137 		return -EOPNOTSUPP;
9138 
9139 	if (rdev->scan_req || rdev->scan_msg)
9140 		return -EBUSY;
9141 
9142 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9143 		if (!wiphy_ext_feature_isset(wiphy,
9144 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9145 			return -EOPNOTSUPP;
9146 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9147 		scan_freqs_khz = true;
9148 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9149 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9150 
9151 	if (scan_freqs) {
9152 		n_channels = validate_scan_freqs(scan_freqs);
9153 		if (!n_channels)
9154 			return -EINVAL;
9155 	} else {
9156 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9157 	}
9158 
9159 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9160 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9161 			n_ssids++;
9162 
9163 	if (n_ssids > wiphy->max_scan_ssids)
9164 		return -EINVAL;
9165 
9166 	if (info->attrs[NL80211_ATTR_IE])
9167 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9168 	else
9169 		ie_len = 0;
9170 
9171 	if (ie_len > wiphy->max_scan_ie_len)
9172 		return -EINVAL;
9173 
9174 	size = struct_size(request, channels, n_channels);
9175 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9176 	size = size_add(size, ie_len);
9177 	request = kzalloc(size, GFP_KERNEL);
9178 	if (!request)
9179 		return -ENOMEM;
9180 
9181 	if (n_ssids)
9182 		request->ssids = (void *)&request->channels[n_channels];
9183 	request->n_ssids = n_ssids;
9184 	if (ie_len) {
9185 		if (n_ssids)
9186 			request->ie = (void *)(request->ssids + n_ssids);
9187 		else
9188 			request->ie = (void *)(request->channels + n_channels);
9189 	}
9190 
9191 	i = 0;
9192 	if (scan_freqs) {
9193 		/* user specified, bail out if channel not found */
9194 		nla_for_each_nested(attr, scan_freqs, tmp) {
9195 			struct ieee80211_channel *chan;
9196 			int freq = nla_get_u32(attr);
9197 
9198 			if (!scan_freqs_khz)
9199 				freq = MHZ_TO_KHZ(freq);
9200 
9201 			chan = ieee80211_get_channel_khz(wiphy, freq);
9202 			if (!chan) {
9203 				err = -EINVAL;
9204 				goto out_free;
9205 			}
9206 
9207 			/* ignore disabled channels */
9208 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9209 				continue;
9210 
9211 			request->channels[i] = chan;
9212 			i++;
9213 		}
9214 	} else {
9215 		enum nl80211_band band;
9216 
9217 		/* all channels */
9218 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9219 			int j;
9220 
9221 			if (!wiphy->bands[band])
9222 				continue;
9223 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9224 				struct ieee80211_channel *chan;
9225 
9226 				chan = &wiphy->bands[band]->channels[j];
9227 
9228 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9229 					continue;
9230 
9231 				request->channels[i] = chan;
9232 				i++;
9233 			}
9234 		}
9235 	}
9236 
9237 	if (!i) {
9238 		err = -EINVAL;
9239 		goto out_free;
9240 	}
9241 
9242 	request->n_channels = i;
9243 
9244 	wdev_lock(wdev);
9245 	for (i = 0; i < request->n_channels; i++) {
9246 		struct ieee80211_channel *chan = request->channels[i];
9247 
9248 		/* if we can go off-channel to the target channel we're good */
9249 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9250 			continue;
9251 
9252 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9253 			wdev_unlock(wdev);
9254 			err = -EBUSY;
9255 			goto out_free;
9256 		}
9257 	}
9258 	wdev_unlock(wdev);
9259 
9260 	i = 0;
9261 	if (n_ssids) {
9262 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9263 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9264 				err = -EINVAL;
9265 				goto out_free;
9266 			}
9267 			request->ssids[i].ssid_len = nla_len(attr);
9268 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9269 			i++;
9270 		}
9271 	}
9272 
9273 	if (info->attrs[NL80211_ATTR_IE]) {
9274 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9275 		memcpy((void *)request->ie,
9276 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9277 		       request->ie_len);
9278 	}
9279 
9280 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9281 		if (wiphy->bands[i])
9282 			request->rates[i] =
9283 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9284 
9285 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9286 		nla_for_each_nested(attr,
9287 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9288 				    tmp) {
9289 			enum nl80211_band band = nla_type(attr);
9290 
9291 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9292 				err = -EINVAL;
9293 				goto out_free;
9294 			}
9295 
9296 			if (!wiphy->bands[band])
9297 				continue;
9298 
9299 			err = ieee80211_get_ratemask(wiphy->bands[band],
9300 						     nla_data(attr),
9301 						     nla_len(attr),
9302 						     &request->rates[band]);
9303 			if (err)
9304 				goto out_free;
9305 		}
9306 	}
9307 
9308 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9309 		request->duration =
9310 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9311 		request->duration_mandatory =
9312 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9313 	}
9314 
9315 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9316 				       false);
9317 	if (err)
9318 		goto out_free;
9319 
9320 	request->no_cck =
9321 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9322 
9323 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9324 	 * BSSID to scan for. This was problematic because that same attribute
9325 	 * was already used for another purpose (local random MAC address). The
9326 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9327 	 * compatibility with older userspace components, also use the
9328 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9329 	 * the specific BSSID use case instead of the random MAC address
9330 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9331 	 */
9332 	if (info->attrs[NL80211_ATTR_BSSID])
9333 		memcpy(request->bssid,
9334 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9335 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9336 		 info->attrs[NL80211_ATTR_MAC])
9337 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9338 		       ETH_ALEN);
9339 	else
9340 		eth_broadcast_addr(request->bssid);
9341 
9342 	request->wdev = wdev;
9343 	request->wiphy = &rdev->wiphy;
9344 	request->scan_start = jiffies;
9345 
9346 	rdev->scan_req = request;
9347 	err = cfg80211_scan(rdev);
9348 
9349 	if (err)
9350 		goto out_free;
9351 
9352 	nl80211_send_scan_start(rdev, wdev);
9353 	dev_hold(wdev->netdev);
9354 
9355 	return 0;
9356 
9357  out_free:
9358 	rdev->scan_req = NULL;
9359 	kfree(request);
9360 
9361 	return err;
9362 }
9363 
9364 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9365 {
9366 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9367 	struct wireless_dev *wdev = info->user_ptr[1];
9368 
9369 	if (!rdev->ops->abort_scan)
9370 		return -EOPNOTSUPP;
9371 
9372 	if (rdev->scan_msg)
9373 		return 0;
9374 
9375 	if (!rdev->scan_req)
9376 		return -ENOENT;
9377 
9378 	rdev_abort_scan(rdev, wdev);
9379 	return 0;
9380 }
9381 
9382 static int
9383 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9384 			       struct cfg80211_sched_scan_request *request,
9385 			       struct nlattr **attrs)
9386 {
9387 	int tmp, err, i = 0;
9388 	struct nlattr *attr;
9389 
9390 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9391 		u32 interval;
9392 
9393 		/*
9394 		 * If scan plans are not specified,
9395 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9396 		 * case one scan plan will be set with the specified scan
9397 		 * interval and infinite number of iterations.
9398 		 */
9399 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9400 		if (!interval)
9401 			return -EINVAL;
9402 
9403 		request->scan_plans[0].interval =
9404 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9405 		if (!request->scan_plans[0].interval)
9406 			return -EINVAL;
9407 
9408 		if (request->scan_plans[0].interval >
9409 		    wiphy->max_sched_scan_plan_interval)
9410 			request->scan_plans[0].interval =
9411 				wiphy->max_sched_scan_plan_interval;
9412 
9413 		return 0;
9414 	}
9415 
9416 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9417 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9418 
9419 		if (WARN_ON(i >= n_plans))
9420 			return -EINVAL;
9421 
9422 		err = nla_parse_nested_deprecated(plan,
9423 						  NL80211_SCHED_SCAN_PLAN_MAX,
9424 						  attr, nl80211_plan_policy,
9425 						  NULL);
9426 		if (err)
9427 			return err;
9428 
9429 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9430 			return -EINVAL;
9431 
9432 		request->scan_plans[i].interval =
9433 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9434 		if (!request->scan_plans[i].interval ||
9435 		    request->scan_plans[i].interval >
9436 		    wiphy->max_sched_scan_plan_interval)
9437 			return -EINVAL;
9438 
9439 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9440 			request->scan_plans[i].iterations =
9441 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9442 			if (!request->scan_plans[i].iterations ||
9443 			    (request->scan_plans[i].iterations >
9444 			     wiphy->max_sched_scan_plan_iterations))
9445 				return -EINVAL;
9446 		} else if (i < n_plans - 1) {
9447 			/*
9448 			 * All scan plans but the last one must specify
9449 			 * a finite number of iterations
9450 			 */
9451 			return -EINVAL;
9452 		}
9453 
9454 		i++;
9455 	}
9456 
9457 	/*
9458 	 * The last scan plan must not specify the number of
9459 	 * iterations, it is supposed to run infinitely
9460 	 */
9461 	if (request->scan_plans[n_plans - 1].iterations)
9462 		return  -EINVAL;
9463 
9464 	return 0;
9465 }
9466 
9467 static int
9468 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9469 				       struct cfg80211_match_set *match_sets,
9470 				       struct nlattr *tb_band_rssi,
9471 				       s32 rssi_thold)
9472 {
9473 	struct nlattr *attr;
9474 	int i, tmp, ret = 0;
9475 
9476 	if (!wiphy_ext_feature_isset(wiphy,
9477 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9478 		if (tb_band_rssi)
9479 			ret = -EOPNOTSUPP;
9480 		else
9481 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9482 				match_sets->per_band_rssi_thold[i] =
9483 					NL80211_SCAN_RSSI_THOLD_OFF;
9484 		return ret;
9485 	}
9486 
9487 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9488 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9489 
9490 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9491 		enum nl80211_band band = nla_type(attr);
9492 
9493 		if (band < 0 || band >= NUM_NL80211_BANDS)
9494 			return -EINVAL;
9495 
9496 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9497 	}
9498 
9499 	return 0;
9500 }
9501 
9502 static struct cfg80211_sched_scan_request *
9503 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9504 			 struct nlattr **attrs, int max_match_sets)
9505 {
9506 	struct cfg80211_sched_scan_request *request;
9507 	struct nlattr *attr;
9508 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9509 	enum nl80211_band band;
9510 	size_t ie_len, size;
9511 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9512 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9513 
9514 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9515 		n_channels = validate_scan_freqs(
9516 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9517 		if (!n_channels)
9518 			return ERR_PTR(-EINVAL);
9519 	} else {
9520 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9521 	}
9522 
9523 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9524 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9525 				    tmp)
9526 			n_ssids++;
9527 
9528 	if (n_ssids > wiphy->max_sched_scan_ssids)
9529 		return ERR_PTR(-EINVAL);
9530 
9531 	/*
9532 	 * First, count the number of 'real' matchsets. Due to an issue with
9533 	 * the old implementation, matchsets containing only the RSSI attribute
9534 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9535 	 * RSSI for all matchsets, rather than their own matchset for reporting
9536 	 * all APs with a strong RSSI. This is needed to be compatible with
9537 	 * older userspace that treated a matchset with only the RSSI as the
9538 	 * global RSSI for all other matchsets - if there are other matchsets.
9539 	 */
9540 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9541 		nla_for_each_nested(attr,
9542 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9543 				    tmp) {
9544 			struct nlattr *rssi;
9545 
9546 			err = nla_parse_nested_deprecated(tb,
9547 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9548 							  attr,
9549 							  nl80211_match_policy,
9550 							  NULL);
9551 			if (err)
9552 				return ERR_PTR(err);
9553 
9554 			/* SSID and BSSID are mutually exclusive */
9555 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9556 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9557 				return ERR_PTR(-EINVAL);
9558 
9559 			/* add other standalone attributes here */
9560 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9561 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9562 				n_match_sets++;
9563 				continue;
9564 			}
9565 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9566 			if (rssi)
9567 				default_match_rssi = nla_get_s32(rssi);
9568 		}
9569 	}
9570 
9571 	/* However, if there's no other matchset, add the RSSI one */
9572 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9573 		n_match_sets = 1;
9574 
9575 	if (n_match_sets > max_match_sets)
9576 		return ERR_PTR(-EINVAL);
9577 
9578 	if (attrs[NL80211_ATTR_IE])
9579 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9580 	else
9581 		ie_len = 0;
9582 
9583 	if (ie_len > wiphy->max_sched_scan_ie_len)
9584 		return ERR_PTR(-EINVAL);
9585 
9586 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9587 		/*
9588 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9589 		 * each scan plan already specifies its own interval
9590 		 */
9591 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9592 			return ERR_PTR(-EINVAL);
9593 
9594 		nla_for_each_nested(attr,
9595 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9596 			n_plans++;
9597 	} else {
9598 		/*
9599 		 * The scan interval attribute is kept for backward
9600 		 * compatibility. If no scan plans are specified and sched scan
9601 		 * interval is specified, one scan plan will be set with this
9602 		 * scan interval and infinite number of iterations.
9603 		 */
9604 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9605 			return ERR_PTR(-EINVAL);
9606 
9607 		n_plans = 1;
9608 	}
9609 
9610 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9611 		return ERR_PTR(-EINVAL);
9612 
9613 	if (!wiphy_ext_feature_isset(
9614 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9615 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9616 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9617 		return ERR_PTR(-EINVAL);
9618 
9619 	size = struct_size(request, channels, n_channels);
9620 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9621 	size = size_add(size, array_size(sizeof(*request->match_sets),
9622 					 n_match_sets));
9623 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9624 					 n_plans));
9625 	size = size_add(size, ie_len);
9626 	request = kzalloc(size, GFP_KERNEL);
9627 	if (!request)
9628 		return ERR_PTR(-ENOMEM);
9629 
9630 	if (n_ssids)
9631 		request->ssids = (void *)&request->channels[n_channels];
9632 	request->n_ssids = n_ssids;
9633 	if (ie_len) {
9634 		if (n_ssids)
9635 			request->ie = (void *)(request->ssids + n_ssids);
9636 		else
9637 			request->ie = (void *)(request->channels + n_channels);
9638 	}
9639 
9640 	if (n_match_sets) {
9641 		if (request->ie)
9642 			request->match_sets = (void *)(request->ie + ie_len);
9643 		else if (n_ssids)
9644 			request->match_sets =
9645 				(void *)(request->ssids + n_ssids);
9646 		else
9647 			request->match_sets =
9648 				(void *)(request->channels + n_channels);
9649 	}
9650 	request->n_match_sets = n_match_sets;
9651 
9652 	if (n_match_sets)
9653 		request->scan_plans = (void *)(request->match_sets +
9654 					       n_match_sets);
9655 	else if (request->ie)
9656 		request->scan_plans = (void *)(request->ie + ie_len);
9657 	else if (n_ssids)
9658 		request->scan_plans = (void *)(request->ssids + n_ssids);
9659 	else
9660 		request->scan_plans = (void *)(request->channels + n_channels);
9661 
9662 	request->n_scan_plans = n_plans;
9663 
9664 	i = 0;
9665 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9666 		/* user specified, bail out if channel not found */
9667 		nla_for_each_nested(attr,
9668 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9669 				    tmp) {
9670 			struct ieee80211_channel *chan;
9671 
9672 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9673 
9674 			if (!chan) {
9675 				err = -EINVAL;
9676 				goto out_free;
9677 			}
9678 
9679 			/* ignore disabled channels */
9680 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9681 				continue;
9682 
9683 			request->channels[i] = chan;
9684 			i++;
9685 		}
9686 	} else {
9687 		/* all channels */
9688 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9689 			int j;
9690 
9691 			if (!wiphy->bands[band])
9692 				continue;
9693 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9694 				struct ieee80211_channel *chan;
9695 
9696 				chan = &wiphy->bands[band]->channels[j];
9697 
9698 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9699 					continue;
9700 
9701 				request->channels[i] = chan;
9702 				i++;
9703 			}
9704 		}
9705 	}
9706 
9707 	if (!i) {
9708 		err = -EINVAL;
9709 		goto out_free;
9710 	}
9711 
9712 	request->n_channels = i;
9713 
9714 	i = 0;
9715 	if (n_ssids) {
9716 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9717 				    tmp) {
9718 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9719 				err = -EINVAL;
9720 				goto out_free;
9721 			}
9722 			request->ssids[i].ssid_len = nla_len(attr);
9723 			memcpy(request->ssids[i].ssid, nla_data(attr),
9724 			       nla_len(attr));
9725 			i++;
9726 		}
9727 	}
9728 
9729 	i = 0;
9730 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9731 		nla_for_each_nested(attr,
9732 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9733 				    tmp) {
9734 			struct nlattr *ssid, *bssid, *rssi;
9735 
9736 			err = nla_parse_nested_deprecated(tb,
9737 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9738 							  attr,
9739 							  nl80211_match_policy,
9740 							  NULL);
9741 			if (err)
9742 				goto out_free;
9743 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9744 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9745 
9746 			if (!ssid && !bssid) {
9747 				i++;
9748 				continue;
9749 			}
9750 
9751 			if (WARN_ON(i >= n_match_sets)) {
9752 				/* this indicates a programming error,
9753 				 * the loop above should have verified
9754 				 * things properly
9755 				 */
9756 				err = -EINVAL;
9757 				goto out_free;
9758 			}
9759 
9760 			if (ssid) {
9761 				memcpy(request->match_sets[i].ssid.ssid,
9762 				       nla_data(ssid), nla_len(ssid));
9763 				request->match_sets[i].ssid.ssid_len =
9764 					nla_len(ssid);
9765 			}
9766 			if (bssid)
9767 				memcpy(request->match_sets[i].bssid,
9768 				       nla_data(bssid), ETH_ALEN);
9769 
9770 			/* special attribute - old implementation w/a */
9771 			request->match_sets[i].rssi_thold = default_match_rssi;
9772 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9773 			if (rssi)
9774 				request->match_sets[i].rssi_thold =
9775 					nla_get_s32(rssi);
9776 
9777 			/* Parse per band RSSI attribute */
9778 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9779 				&request->match_sets[i],
9780 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9781 				request->match_sets[i].rssi_thold);
9782 			if (err)
9783 				goto out_free;
9784 
9785 			i++;
9786 		}
9787 
9788 		/* there was no other matchset, so the RSSI one is alone */
9789 		if (i == 0 && n_match_sets)
9790 			request->match_sets[0].rssi_thold = default_match_rssi;
9791 
9792 		request->min_rssi_thold = INT_MAX;
9793 		for (i = 0; i < n_match_sets; i++)
9794 			request->min_rssi_thold =
9795 				min(request->match_sets[i].rssi_thold,
9796 				    request->min_rssi_thold);
9797 	} else {
9798 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9799 	}
9800 
9801 	if (ie_len) {
9802 		request->ie_len = ie_len;
9803 		memcpy((void *)request->ie,
9804 		       nla_data(attrs[NL80211_ATTR_IE]),
9805 		       request->ie_len);
9806 	}
9807 
9808 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9809 	if (err)
9810 		goto out_free;
9811 
9812 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9813 		request->delay =
9814 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9815 
9816 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9817 		request->relative_rssi = nla_get_s8(
9818 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9819 		request->relative_rssi_set = true;
9820 	}
9821 
9822 	if (request->relative_rssi_set &&
9823 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9824 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9825 
9826 		rssi_adjust = nla_data(
9827 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9828 		request->rssi_adjust.band = rssi_adjust->band;
9829 		request->rssi_adjust.delta = rssi_adjust->delta;
9830 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9831 			err = -EINVAL;
9832 			goto out_free;
9833 		}
9834 	}
9835 
9836 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9837 	if (err)
9838 		goto out_free;
9839 
9840 	request->scan_start = jiffies;
9841 
9842 	return request;
9843 
9844 out_free:
9845 	kfree(request);
9846 	return ERR_PTR(err);
9847 }
9848 
9849 static int nl80211_start_sched_scan(struct sk_buff *skb,
9850 				    struct genl_info *info)
9851 {
9852 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9853 	struct net_device *dev = info->user_ptr[1];
9854 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9855 	struct cfg80211_sched_scan_request *sched_scan_req;
9856 	bool want_multi;
9857 	int err;
9858 
9859 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9860 		return -EOPNOTSUPP;
9861 
9862 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9863 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9864 	if (err)
9865 		return err;
9866 
9867 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9868 						  info->attrs,
9869 						  rdev->wiphy.max_match_sets);
9870 
9871 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9872 	if (err)
9873 		goto out_err;
9874 
9875 	/* leave request id zero for legacy request
9876 	 * or if driver does not support multi-scheduled scan
9877 	 */
9878 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9879 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9880 
9881 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9882 	if (err)
9883 		goto out_free;
9884 
9885 	sched_scan_req->dev = dev;
9886 	sched_scan_req->wiphy = &rdev->wiphy;
9887 
9888 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9889 		sched_scan_req->owner_nlportid = info->snd_portid;
9890 
9891 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9892 
9893 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9894 	return 0;
9895 
9896 out_free:
9897 	kfree(sched_scan_req);
9898 out_err:
9899 	return err;
9900 }
9901 
9902 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9903 				   struct genl_info *info)
9904 {
9905 	struct cfg80211_sched_scan_request *req;
9906 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9907 	u64 cookie;
9908 
9909 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9910 		return -EOPNOTSUPP;
9911 
9912 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9913 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9914 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9915 	}
9916 
9917 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9918 				     struct cfg80211_sched_scan_request,
9919 				     list);
9920 	if (!req || req->reqid ||
9921 	    (req->owner_nlportid &&
9922 	     req->owner_nlportid != info->snd_portid))
9923 		return -ENOENT;
9924 
9925 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9926 }
9927 
9928 static int nl80211_start_radar_detection(struct sk_buff *skb,
9929 					 struct genl_info *info)
9930 {
9931 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9932 	struct net_device *dev = info->user_ptr[1];
9933 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9934 	struct wiphy *wiphy = wdev->wiphy;
9935 	struct cfg80211_chan_def chandef;
9936 	enum nl80211_dfs_regions dfs_region;
9937 	unsigned int cac_time_ms;
9938 	int err = -EINVAL;
9939 
9940 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9941 
9942 	wiphy_lock(wiphy);
9943 
9944 	dfs_region = reg_get_dfs_region(wiphy);
9945 	if (dfs_region == NL80211_DFS_UNSET)
9946 		goto unlock;
9947 
9948 	err = nl80211_parse_chandef(rdev, info, &chandef);
9949 	if (err)
9950 		goto unlock;
9951 
9952 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9953 	if (err < 0)
9954 		goto unlock;
9955 
9956 	if (err == 0) {
9957 		err = -EINVAL;
9958 		goto unlock;
9959 	}
9960 
9961 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9962 		err = -EINVAL;
9963 		goto unlock;
9964 	}
9965 
9966 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9967 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9968 								&chandef);
9969 		goto unlock;
9970 	}
9971 
9972 	if (netif_carrier_ok(dev)) {
9973 		err = -EBUSY;
9974 		goto unlock;
9975 	}
9976 
9977 	if (wdev->cac_started) {
9978 		err = -EBUSY;
9979 		goto unlock;
9980 	}
9981 
9982 	/* CAC start is offloaded to HW and can't be started manually */
9983 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9984 		err = -EOPNOTSUPP;
9985 		goto unlock;
9986 	}
9987 
9988 	if (!rdev->ops->start_radar_detection) {
9989 		err = -EOPNOTSUPP;
9990 		goto unlock;
9991 	}
9992 
9993 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9994 	if (WARN_ON(!cac_time_ms))
9995 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9996 
9997 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9998 	if (!err) {
9999 		wdev->links[0].ap.chandef = chandef;
10000 		wdev->cac_started = true;
10001 		wdev->cac_start_time = jiffies;
10002 		wdev->cac_time_ms = cac_time_ms;
10003 	}
10004 unlock:
10005 	wiphy_unlock(wiphy);
10006 
10007 	return err;
10008 }
10009 
10010 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10011 					  struct genl_info *info)
10012 {
10013 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10014 	struct net_device *dev = info->user_ptr[1];
10015 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10016 	struct wiphy *wiphy = wdev->wiphy;
10017 	struct cfg80211_chan_def chandef;
10018 	enum nl80211_dfs_regions dfs_region;
10019 	int err;
10020 
10021 	dfs_region = reg_get_dfs_region(wiphy);
10022 	if (dfs_region == NL80211_DFS_UNSET) {
10023 		GENL_SET_ERR_MSG(info,
10024 				 "DFS Region is not set. Unexpected Radar indication");
10025 		return -EINVAL;
10026 	}
10027 
10028 	err = nl80211_parse_chandef(rdev, info, &chandef);
10029 	if (err) {
10030 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10031 		return err;
10032 	}
10033 
10034 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10035 	if (err < 0) {
10036 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10037 		return err;
10038 	}
10039 
10040 	if (err == 0) {
10041 		GENL_SET_ERR_MSG(info,
10042 				 "Unexpected Radar indication for chandef/iftype");
10043 		return -EINVAL;
10044 	}
10045 
10046 	/* Do not process this notification if radar is already detected
10047 	 * by kernel on this channel, and return success.
10048 	 */
10049 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10050 		return 0;
10051 
10052 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10053 
10054 	cfg80211_sched_dfs_chan_update(rdev);
10055 
10056 	rdev->radar_chandef = chandef;
10057 
10058 	/* Propagate this notification to other radios as well */
10059 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10060 
10061 	return 0;
10062 }
10063 
10064 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10065 {
10066 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10067 	unsigned int link_id = nl80211_link_id(info->attrs);
10068 	struct net_device *dev = info->user_ptr[1];
10069 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10070 	struct cfg80211_csa_settings params;
10071 	struct nlattr **csa_attrs = NULL;
10072 	int err;
10073 	bool need_new_beacon = false;
10074 	bool need_handle_dfs_flag = true;
10075 	int len, i;
10076 	u32 cs_count;
10077 
10078 	if (!rdev->ops->channel_switch ||
10079 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10080 		return -EOPNOTSUPP;
10081 
10082 	switch (dev->ieee80211_ptr->iftype) {
10083 	case NL80211_IFTYPE_AP:
10084 	case NL80211_IFTYPE_P2P_GO:
10085 		need_new_beacon = true;
10086 		/* For all modes except AP the handle_dfs flag needs to be
10087 		 * supplied to tell the kernel that userspace will handle radar
10088 		 * events when they happen. Otherwise a switch to a channel
10089 		 * requiring DFS will be rejected.
10090 		 */
10091 		need_handle_dfs_flag = false;
10092 
10093 		/* useless if AP is not running */
10094 		if (!wdev->links[link_id].ap.beacon_interval)
10095 			return -ENOTCONN;
10096 		break;
10097 	case NL80211_IFTYPE_ADHOC:
10098 		if (!wdev->u.ibss.ssid_len)
10099 			return -ENOTCONN;
10100 		break;
10101 	case NL80211_IFTYPE_MESH_POINT:
10102 		if (!wdev->u.mesh.id_len)
10103 			return -ENOTCONN;
10104 		break;
10105 	default:
10106 		return -EOPNOTSUPP;
10107 	}
10108 
10109 	memset(&params, 0, sizeof(params));
10110 	params.beacon_csa.ftm_responder = -1;
10111 
10112 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10113 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10114 		return -EINVAL;
10115 
10116 	/* only important for AP, IBSS and mesh create IEs internally */
10117 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10118 		return -EINVAL;
10119 
10120 	/* Even though the attribute is u32, the specification says
10121 	 * u8, so let's make sure we don't overflow.
10122 	 */
10123 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10124 	if (cs_count > 255)
10125 		return -EINVAL;
10126 
10127 	params.count = cs_count;
10128 
10129 	if (!need_new_beacon)
10130 		goto skip_beacons;
10131 
10132 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10133 				   info->extack);
10134 	if (err)
10135 		goto free;
10136 
10137 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10138 			    GFP_KERNEL);
10139 	if (!csa_attrs) {
10140 		err = -ENOMEM;
10141 		goto free;
10142 	}
10143 
10144 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10145 					  info->attrs[NL80211_ATTR_CSA_IES],
10146 					  nl80211_policy, info->extack);
10147 	if (err)
10148 		goto free;
10149 
10150 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10151 				   info->extack);
10152 	if (err)
10153 		goto free;
10154 
10155 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10156 		err = -EINVAL;
10157 		goto free;
10158 	}
10159 
10160 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10161 	if (!len || (len % sizeof(u16))) {
10162 		err = -EINVAL;
10163 		goto free;
10164 	}
10165 
10166 	params.n_counter_offsets_beacon = len / sizeof(u16);
10167 	if (rdev->wiphy.max_num_csa_counters &&
10168 	    (params.n_counter_offsets_beacon >
10169 	     rdev->wiphy.max_num_csa_counters)) {
10170 		err = -EINVAL;
10171 		goto free;
10172 	}
10173 
10174 	params.counter_offsets_beacon =
10175 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10176 
10177 	/* sanity checks - counters should fit and be the same */
10178 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10179 		u16 offset = params.counter_offsets_beacon[i];
10180 
10181 		if (offset >= params.beacon_csa.tail_len) {
10182 			err = -EINVAL;
10183 			goto free;
10184 		}
10185 
10186 		if (params.beacon_csa.tail[offset] != params.count) {
10187 			err = -EINVAL;
10188 			goto free;
10189 		}
10190 	}
10191 
10192 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10193 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10194 		if (!len || (len % sizeof(u16))) {
10195 			err = -EINVAL;
10196 			goto free;
10197 		}
10198 
10199 		params.n_counter_offsets_presp = len / sizeof(u16);
10200 		if (rdev->wiphy.max_num_csa_counters &&
10201 		    (params.n_counter_offsets_presp >
10202 		     rdev->wiphy.max_num_csa_counters)) {
10203 			err = -EINVAL;
10204 			goto free;
10205 		}
10206 
10207 		params.counter_offsets_presp =
10208 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10209 
10210 		/* sanity checks - counters should fit and be the same */
10211 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10212 			u16 offset = params.counter_offsets_presp[i];
10213 
10214 			if (offset >= params.beacon_csa.probe_resp_len) {
10215 				err = -EINVAL;
10216 				goto free;
10217 			}
10218 
10219 			if (params.beacon_csa.probe_resp[offset] !=
10220 			    params.count) {
10221 				err = -EINVAL;
10222 				goto free;
10223 			}
10224 		}
10225 	}
10226 
10227 skip_beacons:
10228 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10229 	if (err)
10230 		goto free;
10231 
10232 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10233 					   wdev->iftype)) {
10234 		err = -EINVAL;
10235 		goto free;
10236 	}
10237 
10238 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10239 					    &params.chandef,
10240 					    wdev->iftype);
10241 	if (err < 0)
10242 		goto free;
10243 
10244 	if (err > 0) {
10245 		params.radar_required = true;
10246 		if (need_handle_dfs_flag &&
10247 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10248 			err = -EINVAL;
10249 			goto free;
10250 		}
10251 	}
10252 
10253 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10254 		params.block_tx = true;
10255 
10256 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10257 		err = nl80211_parse_punct_bitmap(rdev, info,
10258 						 &params.chandef,
10259 						 &params.punct_bitmap);
10260 		if (err)
10261 			goto free;
10262 	}
10263 
10264 	wdev_lock(wdev);
10265 	err = rdev_channel_switch(rdev, dev, &params);
10266 	wdev_unlock(wdev);
10267 
10268 free:
10269 	kfree(params.beacon_after.mbssid_ies);
10270 	kfree(params.beacon_csa.mbssid_ies);
10271 	kfree(params.beacon_after.rnr_ies);
10272 	kfree(params.beacon_csa.rnr_ies);
10273 	kfree(csa_attrs);
10274 	return err;
10275 }
10276 
10277 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10278 			    u32 seq, int flags,
10279 			    struct cfg80211_registered_device *rdev,
10280 			    struct wireless_dev *wdev,
10281 			    struct cfg80211_internal_bss *intbss)
10282 {
10283 	struct cfg80211_bss *res = &intbss->pub;
10284 	const struct cfg80211_bss_ies *ies;
10285 	unsigned int link_id;
10286 	void *hdr;
10287 	struct nlattr *bss;
10288 
10289 	ASSERT_WDEV_LOCK(wdev);
10290 
10291 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10292 			     NL80211_CMD_NEW_SCAN_RESULTS);
10293 	if (!hdr)
10294 		return -1;
10295 
10296 	genl_dump_check_consistent(cb, hdr);
10297 
10298 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10299 		goto nla_put_failure;
10300 	if (wdev->netdev &&
10301 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10302 		goto nla_put_failure;
10303 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10304 			      NL80211_ATTR_PAD))
10305 		goto nla_put_failure;
10306 
10307 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10308 	if (!bss)
10309 		goto nla_put_failure;
10310 	if ((!is_zero_ether_addr(res->bssid) &&
10311 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10312 		goto nla_put_failure;
10313 
10314 	rcu_read_lock();
10315 	/* indicate whether we have probe response data or not */
10316 	if (rcu_access_pointer(res->proberesp_ies) &&
10317 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10318 		goto fail_unlock_rcu;
10319 
10320 	/* this pointer prefers to be pointed to probe response data
10321 	 * but is always valid
10322 	 */
10323 	ies = rcu_dereference(res->ies);
10324 	if (ies) {
10325 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10326 				      NL80211_BSS_PAD))
10327 			goto fail_unlock_rcu;
10328 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10329 					ies->len, ies->data))
10330 			goto fail_unlock_rcu;
10331 	}
10332 
10333 	/* and this pointer is always (unless driver didn't know) beacon data */
10334 	ies = rcu_dereference(res->beacon_ies);
10335 	if (ies && ies->from_beacon) {
10336 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10337 				      NL80211_BSS_PAD))
10338 			goto fail_unlock_rcu;
10339 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10340 					ies->len, ies->data))
10341 			goto fail_unlock_rcu;
10342 	}
10343 	rcu_read_unlock();
10344 
10345 	if (res->beacon_interval &&
10346 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10347 		goto nla_put_failure;
10348 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10349 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10350 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10351 			res->channel->freq_offset) ||
10352 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10353 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10354 			jiffies_to_msecs(jiffies - intbss->ts)))
10355 		goto nla_put_failure;
10356 
10357 	if (intbss->parent_tsf &&
10358 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10359 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10360 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10361 		     intbss->parent_bssid)))
10362 		goto nla_put_failure;
10363 
10364 	if (intbss->ts_boottime &&
10365 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10366 			      intbss->ts_boottime, NL80211_BSS_PAD))
10367 		goto nla_put_failure;
10368 
10369 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10370 				intbss->pub.chain_signal,
10371 				NL80211_BSS_CHAIN_SIGNAL))
10372 		goto nla_put_failure;
10373 
10374 	switch (rdev->wiphy.signal_type) {
10375 	case CFG80211_SIGNAL_TYPE_MBM:
10376 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10377 			goto nla_put_failure;
10378 		break;
10379 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10380 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10381 			goto nla_put_failure;
10382 		break;
10383 	default:
10384 		break;
10385 	}
10386 
10387 	switch (wdev->iftype) {
10388 	case NL80211_IFTYPE_P2P_CLIENT:
10389 	case NL80211_IFTYPE_STATION:
10390 		for_each_valid_link(wdev, link_id) {
10391 			if (intbss == wdev->links[link_id].client.current_bss &&
10392 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10393 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10394 			     (wdev->valid_links &&
10395 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10396 					  link_id) ||
10397 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10398 				       wdev->u.client.connected_addr)))))
10399 				goto nla_put_failure;
10400 		}
10401 		break;
10402 	case NL80211_IFTYPE_ADHOC:
10403 		if (intbss == wdev->u.ibss.current_bss &&
10404 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10405 				NL80211_BSS_STATUS_IBSS_JOINED))
10406 			goto nla_put_failure;
10407 		break;
10408 	default:
10409 		break;
10410 	}
10411 
10412 	nla_nest_end(msg, bss);
10413 
10414 	genlmsg_end(msg, hdr);
10415 	return 0;
10416 
10417  fail_unlock_rcu:
10418 	rcu_read_unlock();
10419  nla_put_failure:
10420 	genlmsg_cancel(msg, hdr);
10421 	return -EMSGSIZE;
10422 }
10423 
10424 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10425 {
10426 	struct cfg80211_registered_device *rdev;
10427 	struct cfg80211_internal_bss *scan;
10428 	struct wireless_dev *wdev;
10429 	int start = cb->args[2], idx = 0;
10430 	int err;
10431 
10432 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10433 	if (err)
10434 		return err;
10435 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10436 	__acquire(&rdev->wiphy.mtx);
10437 
10438 	wdev_lock(wdev);
10439 	spin_lock_bh(&rdev->bss_lock);
10440 
10441 	/*
10442 	 * dump_scan will be called multiple times to break up the scan results
10443 	 * into multiple messages.  It is unlikely that any more bss-es will be
10444 	 * expired after the first call, so only call only call this on the
10445 	 * first dump_scan invocation.
10446 	 */
10447 	if (start == 0)
10448 		cfg80211_bss_expire(rdev);
10449 
10450 	cb->seq = rdev->bss_generation;
10451 
10452 	list_for_each_entry(scan, &rdev->bss_list, list) {
10453 		if (++idx <= start)
10454 			continue;
10455 		if (nl80211_send_bss(skb, cb,
10456 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10457 				rdev, wdev, scan) < 0) {
10458 			idx--;
10459 			break;
10460 		}
10461 	}
10462 
10463 	spin_unlock_bh(&rdev->bss_lock);
10464 	wdev_unlock(wdev);
10465 
10466 	cb->args[2] = idx;
10467 	wiphy_unlock(&rdev->wiphy);
10468 
10469 	return skb->len;
10470 }
10471 
10472 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10473 			       int flags, struct net_device *dev,
10474 			       bool allow_radio_stats,
10475 			       struct survey_info *survey)
10476 {
10477 	void *hdr;
10478 	struct nlattr *infoattr;
10479 
10480 	/* skip radio stats if userspace didn't request them */
10481 	if (!survey->channel && !allow_radio_stats)
10482 		return 0;
10483 
10484 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10485 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10486 	if (!hdr)
10487 		return -ENOMEM;
10488 
10489 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10490 		goto nla_put_failure;
10491 
10492 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10493 	if (!infoattr)
10494 		goto nla_put_failure;
10495 
10496 	if (survey->channel &&
10497 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10498 			survey->channel->center_freq))
10499 		goto nla_put_failure;
10500 
10501 	if (survey->channel && survey->channel->freq_offset &&
10502 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10503 			survey->channel->freq_offset))
10504 		goto nla_put_failure;
10505 
10506 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10507 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10508 		goto nla_put_failure;
10509 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10510 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10511 		goto nla_put_failure;
10512 	if ((survey->filled & SURVEY_INFO_TIME) &&
10513 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10514 			survey->time, NL80211_SURVEY_INFO_PAD))
10515 		goto nla_put_failure;
10516 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10517 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10518 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10519 		goto nla_put_failure;
10520 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10521 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10522 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10523 		goto nla_put_failure;
10524 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10525 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10526 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10527 		goto nla_put_failure;
10528 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10529 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10530 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10531 		goto nla_put_failure;
10532 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10533 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10534 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10535 		goto nla_put_failure;
10536 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10537 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10538 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10539 		goto nla_put_failure;
10540 
10541 	nla_nest_end(msg, infoattr);
10542 
10543 	genlmsg_end(msg, hdr);
10544 	return 0;
10545 
10546  nla_put_failure:
10547 	genlmsg_cancel(msg, hdr);
10548 	return -EMSGSIZE;
10549 }
10550 
10551 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10552 {
10553 	struct nlattr **attrbuf;
10554 	struct survey_info survey;
10555 	struct cfg80211_registered_device *rdev;
10556 	struct wireless_dev *wdev;
10557 	int survey_idx = cb->args[2];
10558 	int res;
10559 	bool radio_stats;
10560 
10561 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10562 	if (!attrbuf)
10563 		return -ENOMEM;
10564 
10565 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10566 	if (res) {
10567 		kfree(attrbuf);
10568 		return res;
10569 	}
10570 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10571 	__acquire(&rdev->wiphy.mtx);
10572 
10573 	/* prepare_wdev_dump parsed the attributes */
10574 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10575 
10576 	if (!wdev->netdev) {
10577 		res = -EINVAL;
10578 		goto out_err;
10579 	}
10580 
10581 	if (!rdev->ops->dump_survey) {
10582 		res = -EOPNOTSUPP;
10583 		goto out_err;
10584 	}
10585 
10586 	while (1) {
10587 		wdev_lock(wdev);
10588 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10589 		wdev_unlock(wdev);
10590 		if (res == -ENOENT)
10591 			break;
10592 		if (res)
10593 			goto out_err;
10594 
10595 		/* don't send disabled channels, but do send non-channel data */
10596 		if (survey.channel &&
10597 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10598 			survey_idx++;
10599 			continue;
10600 		}
10601 
10602 		if (nl80211_send_survey(skb,
10603 				NETLINK_CB(cb->skb).portid,
10604 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10605 				wdev->netdev, radio_stats, &survey) < 0)
10606 			goto out;
10607 		survey_idx++;
10608 	}
10609 
10610  out:
10611 	cb->args[2] = survey_idx;
10612 	res = skb->len;
10613  out_err:
10614 	kfree(attrbuf);
10615 	wiphy_unlock(&rdev->wiphy);
10616 	return res;
10617 }
10618 
10619 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10620 {
10621 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10622 				  NL80211_WPA_VERSION_2 |
10623 				  NL80211_WPA_VERSION_3));
10624 }
10625 
10626 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10627 {
10628 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10629 	struct net_device *dev = info->user_ptr[1];
10630 	struct ieee80211_channel *chan;
10631 	const u8 *bssid, *ssid;
10632 	int err, ssid_len;
10633 	enum nl80211_auth_type auth_type;
10634 	struct key_parse key;
10635 	bool local_state_change;
10636 	struct cfg80211_auth_request req = {};
10637 	u32 freq;
10638 
10639 	if (!info->attrs[NL80211_ATTR_MAC])
10640 		return -EINVAL;
10641 
10642 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10643 		return -EINVAL;
10644 
10645 	if (!info->attrs[NL80211_ATTR_SSID])
10646 		return -EINVAL;
10647 
10648 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10649 		return -EINVAL;
10650 
10651 	err = nl80211_parse_key(info, &key);
10652 	if (err)
10653 		return err;
10654 
10655 	if (key.idx >= 0) {
10656 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10657 			return -EINVAL;
10658 		if (!key.p.key || !key.p.key_len)
10659 			return -EINVAL;
10660 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10661 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10662 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10663 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10664 			return -EINVAL;
10665 		if (key.idx > 3)
10666 			return -EINVAL;
10667 	} else {
10668 		key.p.key_len = 0;
10669 		key.p.key = NULL;
10670 	}
10671 
10672 	if (key.idx >= 0) {
10673 		int i;
10674 		bool ok = false;
10675 
10676 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10677 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10678 				ok = true;
10679 				break;
10680 			}
10681 		}
10682 		if (!ok)
10683 			return -EINVAL;
10684 	}
10685 
10686 	if (!rdev->ops->auth)
10687 		return -EOPNOTSUPP;
10688 
10689 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10690 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10691 		return -EOPNOTSUPP;
10692 
10693 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10694 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10695 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10696 		freq +=
10697 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10698 
10699 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10700 	if (!chan)
10701 		return -EINVAL;
10702 
10703 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10704 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10705 
10706 	if (info->attrs[NL80211_ATTR_IE]) {
10707 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10708 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10709 	}
10710 
10711 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10712 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10713 		return -EINVAL;
10714 
10715 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10716 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10717 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10718 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10719 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10720 		return -EINVAL;
10721 
10722 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10723 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10724 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10725 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10726 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10727 			return -EINVAL;
10728 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10729 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10730 	}
10731 
10732 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10733 
10734 	/*
10735 	 * Since we no longer track auth state, ignore
10736 	 * requests to only change local state.
10737 	 */
10738 	if (local_state_change)
10739 		return 0;
10740 
10741 	req.auth_type = auth_type;
10742 	req.key = key.p.key;
10743 	req.key_len = key.p.key_len;
10744 	req.key_idx = key.idx;
10745 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10746 	if (req.link_id >= 0) {
10747 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10748 			return -EINVAL;
10749 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10750 			return -EINVAL;
10751 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10752 		if (!is_valid_ether_addr(req.ap_mld_addr))
10753 			return -EINVAL;
10754 	}
10755 
10756 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10757 				   IEEE80211_BSS_TYPE_ESS,
10758 				   IEEE80211_PRIVACY_ANY);
10759 	if (!req.bss)
10760 		return -ENOENT;
10761 
10762 	wdev_lock(dev->ieee80211_ptr);
10763 	err = cfg80211_mlme_auth(rdev, dev, &req);
10764 	wdev_unlock(dev->ieee80211_ptr);
10765 
10766 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10767 
10768 	return err;
10769 }
10770 
10771 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10772 				     struct genl_info *info)
10773 {
10774 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10775 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10776 		return -EINVAL;
10777 	}
10778 
10779 	if (!rdev->ops->tx_control_port ||
10780 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10781 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10782 		return -EOPNOTSUPP;
10783 
10784 	return 0;
10785 }
10786 
10787 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10788 				   struct genl_info *info,
10789 				   struct cfg80211_crypto_settings *settings,
10790 				   int cipher_limit)
10791 {
10792 	memset(settings, 0, sizeof(*settings));
10793 
10794 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10795 
10796 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10797 		u16 proto;
10798 
10799 		proto = nla_get_u16(
10800 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10801 		settings->control_port_ethertype = cpu_to_be16(proto);
10802 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10803 		    proto != ETH_P_PAE)
10804 			return -EINVAL;
10805 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10806 			settings->control_port_no_encrypt = true;
10807 	} else
10808 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10809 
10810 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10811 		int r = validate_pae_over_nl80211(rdev, info);
10812 
10813 		if (r < 0)
10814 			return r;
10815 
10816 		settings->control_port_over_nl80211 = true;
10817 
10818 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10819 			settings->control_port_no_preauth = true;
10820 	}
10821 
10822 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10823 		void *data;
10824 		int len, i;
10825 
10826 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10827 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10828 		settings->n_ciphers_pairwise = len / sizeof(u32);
10829 
10830 		if (len % sizeof(u32))
10831 			return -EINVAL;
10832 
10833 		if (settings->n_ciphers_pairwise > cipher_limit)
10834 			return -EINVAL;
10835 
10836 		memcpy(settings->ciphers_pairwise, data, len);
10837 
10838 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10839 			if (!cfg80211_supported_cipher_suite(
10840 					&rdev->wiphy,
10841 					settings->ciphers_pairwise[i]))
10842 				return -EINVAL;
10843 	}
10844 
10845 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10846 		settings->cipher_group =
10847 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10848 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10849 						     settings->cipher_group))
10850 			return -EINVAL;
10851 	}
10852 
10853 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10854 		settings->wpa_versions =
10855 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10856 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10857 			return -EINVAL;
10858 	}
10859 
10860 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10861 		void *data;
10862 		int len;
10863 
10864 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10865 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10866 		settings->n_akm_suites = len / sizeof(u32);
10867 
10868 		if (len % sizeof(u32))
10869 			return -EINVAL;
10870 
10871 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10872 			return -EINVAL;
10873 
10874 		memcpy(settings->akm_suites, data, len);
10875 	}
10876 
10877 	if (info->attrs[NL80211_ATTR_PMK]) {
10878 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10879 			return -EINVAL;
10880 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10881 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10882 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10883 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10884 			return -EINVAL;
10885 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10886 	}
10887 
10888 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10889 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10890 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10891 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10892 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10893 			return -EINVAL;
10894 		settings->sae_pwd =
10895 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10896 		settings->sae_pwd_len =
10897 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10898 	}
10899 
10900 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10901 		settings->sae_pwe =
10902 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10903 	else
10904 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10905 
10906 	return 0;
10907 }
10908 
10909 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10910 					      const u8 *ssid, int ssid_len,
10911 					      struct nlattr **attrs)
10912 {
10913 	struct ieee80211_channel *chan;
10914 	struct cfg80211_bss *bss;
10915 	const u8 *bssid;
10916 	u32 freq;
10917 
10918 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10919 		return ERR_PTR(-EINVAL);
10920 
10921 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10922 
10923 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10924 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10925 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10926 
10927 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10928 	if (!chan)
10929 		return ERR_PTR(-EINVAL);
10930 
10931 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10932 			       ssid, ssid_len,
10933 			       IEEE80211_BSS_TYPE_ESS,
10934 			       IEEE80211_PRIVACY_ANY);
10935 	if (!bss)
10936 		return ERR_PTR(-ENOENT);
10937 
10938 	return bss;
10939 }
10940 
10941 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10942 {
10943 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10944 	struct net_device *dev = info->user_ptr[1];
10945 	struct cfg80211_assoc_request req = {};
10946 	struct nlattr **attrs = NULL;
10947 	const u8 *ap_addr, *ssid;
10948 	unsigned int link_id;
10949 	int err, ssid_len;
10950 
10951 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10952 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10953 		return -EPERM;
10954 
10955 	if (!info->attrs[NL80211_ATTR_SSID])
10956 		return -EINVAL;
10957 
10958 	if (!rdev->ops->assoc)
10959 		return -EOPNOTSUPP;
10960 
10961 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10962 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10963 		return -EOPNOTSUPP;
10964 
10965 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10966 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10967 
10968 	if (info->attrs[NL80211_ATTR_IE]) {
10969 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10970 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10971 
10972 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10973 					   req.ie, req.ie_len)) {
10974 			GENL_SET_ERR_MSG(info,
10975 					 "non-inheritance makes no sense");
10976 			return -EINVAL;
10977 		}
10978 	}
10979 
10980 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10981 		enum nl80211_mfp mfp =
10982 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10983 		if (mfp == NL80211_MFP_REQUIRED)
10984 			req.use_mfp = true;
10985 		else if (mfp != NL80211_MFP_NO)
10986 			return -EINVAL;
10987 	}
10988 
10989 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10990 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10991 
10992 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10993 		req.flags |= ASSOC_REQ_DISABLE_HT;
10994 
10995 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10996 		memcpy(&req.ht_capa_mask,
10997 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10998 		       sizeof(req.ht_capa_mask));
10999 
11000 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11001 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11002 			return -EINVAL;
11003 		memcpy(&req.ht_capa,
11004 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11005 		       sizeof(req.ht_capa));
11006 	}
11007 
11008 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11009 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11010 
11011 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11012 		req.flags |= ASSOC_REQ_DISABLE_HE;
11013 
11014 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11015 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11016 
11017 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11018 		memcpy(&req.vht_capa_mask,
11019 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11020 		       sizeof(req.vht_capa_mask));
11021 
11022 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11023 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11024 			return -EINVAL;
11025 		memcpy(&req.vht_capa,
11026 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11027 		       sizeof(req.vht_capa));
11028 	}
11029 
11030 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11031 		if (!((rdev->wiphy.features &
11032 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11033 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11034 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11035 					     NL80211_EXT_FEATURE_RRM))
11036 			return -EINVAL;
11037 		req.flags |= ASSOC_REQ_USE_RRM;
11038 	}
11039 
11040 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11041 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11042 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11043 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11044 			return -EINVAL;
11045 		req.fils_nonces =
11046 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11047 	}
11048 
11049 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11050 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11051 			return -EINVAL;
11052 		memcpy(&req.s1g_capa_mask,
11053 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11054 		       sizeof(req.s1g_capa_mask));
11055 	}
11056 
11057 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11058 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11059 			return -EINVAL;
11060 		memcpy(&req.s1g_capa,
11061 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11062 		       sizeof(req.s1g_capa));
11063 	}
11064 
11065 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11066 
11067 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11068 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11069 		struct nlattr *link;
11070 		int rem = 0;
11071 
11072 		if (req.link_id < 0)
11073 			return -EINVAL;
11074 
11075 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11076 			return -EINVAL;
11077 
11078 		if (info->attrs[NL80211_ATTR_MAC] ||
11079 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11080 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11081 			return -EINVAL;
11082 
11083 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11084 		ap_addr = req.ap_mld_addr;
11085 
11086 		attrs = kzalloc(attrsize, GFP_KERNEL);
11087 		if (!attrs)
11088 			return -ENOMEM;
11089 
11090 		nla_for_each_nested(link,
11091 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11092 				    rem) {
11093 			memset(attrs, 0, attrsize);
11094 
11095 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11096 					 link, NULL, NULL);
11097 
11098 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11099 				err = -EINVAL;
11100 				goto free;
11101 			}
11102 
11103 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11104 			/* cannot use the same link ID again */
11105 			if (req.links[link_id].bss) {
11106 				err = -EINVAL;
11107 				goto free;
11108 			}
11109 			req.links[link_id].bss =
11110 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
11111 			if (IS_ERR(req.links[link_id].bss)) {
11112 				err = PTR_ERR(req.links[link_id].bss);
11113 				req.links[link_id].bss = NULL;
11114 				goto free;
11115 			}
11116 
11117 			if (attrs[NL80211_ATTR_IE]) {
11118 				req.links[link_id].elems =
11119 					nla_data(attrs[NL80211_ATTR_IE]);
11120 				req.links[link_id].elems_len =
11121 					nla_len(attrs[NL80211_ATTR_IE]);
11122 
11123 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11124 						       req.links[link_id].elems,
11125 						       req.links[link_id].elems_len)) {
11126 					GENL_SET_ERR_MSG(info,
11127 							 "cannot deal with fragmentation");
11128 					err = -EINVAL;
11129 					goto free;
11130 				}
11131 
11132 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11133 							   req.links[link_id].elems,
11134 							   req.links[link_id].elems_len)) {
11135 					GENL_SET_ERR_MSG(info,
11136 							 "cannot deal with non-inheritance");
11137 					err = -EINVAL;
11138 					goto free;
11139 				}
11140 			}
11141 		}
11142 
11143 		if (!req.links[req.link_id].bss) {
11144 			err = -EINVAL;
11145 			goto free;
11146 		}
11147 
11148 		if (req.links[req.link_id].elems_len) {
11149 			GENL_SET_ERR_MSG(info,
11150 					 "cannot have per-link elems on assoc link");
11151 			err = -EINVAL;
11152 			goto free;
11153 		}
11154 
11155 		kfree(attrs);
11156 		attrs = NULL;
11157 	} else {
11158 		if (req.link_id >= 0)
11159 			return -EINVAL;
11160 
11161 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
11162 		if (IS_ERR(req.bss))
11163 			return PTR_ERR(req.bss);
11164 		ap_addr = req.bss->bssid;
11165 	}
11166 
11167 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11168 	if (!err) {
11169 		wdev_lock(dev->ieee80211_ptr);
11170 
11171 		err = cfg80211_mlme_assoc(rdev, dev, &req);
11172 
11173 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11174 			dev->ieee80211_ptr->conn_owner_nlportid =
11175 				info->snd_portid;
11176 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11177 			       ap_addr, ETH_ALEN);
11178 		}
11179 
11180 		wdev_unlock(dev->ieee80211_ptr);
11181 	}
11182 
11183 free:
11184 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11185 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11186 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11187 	kfree(attrs);
11188 
11189 	return err;
11190 }
11191 
11192 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11193 {
11194 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11195 	struct net_device *dev = info->user_ptr[1];
11196 	const u8 *ie = NULL, *bssid;
11197 	int ie_len = 0, err;
11198 	u16 reason_code;
11199 	bool local_state_change;
11200 
11201 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11202 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11203 		return -EPERM;
11204 
11205 	if (!info->attrs[NL80211_ATTR_MAC])
11206 		return -EINVAL;
11207 
11208 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11209 		return -EINVAL;
11210 
11211 	if (!rdev->ops->deauth)
11212 		return -EOPNOTSUPP;
11213 
11214 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11215 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11216 		return -EOPNOTSUPP;
11217 
11218 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11219 
11220 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11221 	if (reason_code == 0) {
11222 		/* Reason Code 0 is reserved */
11223 		return -EINVAL;
11224 	}
11225 
11226 	if (info->attrs[NL80211_ATTR_IE]) {
11227 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11228 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11229 	}
11230 
11231 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11232 
11233 	wdev_lock(dev->ieee80211_ptr);
11234 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11235 				   local_state_change);
11236 	wdev_unlock(dev->ieee80211_ptr);
11237 	return err;
11238 }
11239 
11240 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11241 {
11242 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11243 	struct net_device *dev = info->user_ptr[1];
11244 	const u8 *ie = NULL, *bssid;
11245 	int ie_len = 0, err;
11246 	u16 reason_code;
11247 	bool local_state_change;
11248 
11249 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11250 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11251 		return -EPERM;
11252 
11253 	if (!info->attrs[NL80211_ATTR_MAC])
11254 		return -EINVAL;
11255 
11256 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11257 		return -EINVAL;
11258 
11259 	if (!rdev->ops->disassoc)
11260 		return -EOPNOTSUPP;
11261 
11262 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11263 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11264 		return -EOPNOTSUPP;
11265 
11266 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11267 
11268 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11269 	if (reason_code == 0) {
11270 		/* Reason Code 0 is reserved */
11271 		return -EINVAL;
11272 	}
11273 
11274 	if (info->attrs[NL80211_ATTR_IE]) {
11275 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11276 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11277 	}
11278 
11279 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11280 
11281 	wdev_lock(dev->ieee80211_ptr);
11282 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11283 				     local_state_change);
11284 	wdev_unlock(dev->ieee80211_ptr);
11285 	return err;
11286 }
11287 
11288 static bool
11289 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11290 			 int mcast_rate[NUM_NL80211_BANDS],
11291 			 int rateval)
11292 {
11293 	struct wiphy *wiphy = &rdev->wiphy;
11294 	bool found = false;
11295 	int band, i;
11296 
11297 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11298 		struct ieee80211_supported_band *sband;
11299 
11300 		sband = wiphy->bands[band];
11301 		if (!sband)
11302 			continue;
11303 
11304 		for (i = 0; i < sband->n_bitrates; i++) {
11305 			if (sband->bitrates[i].bitrate == rateval) {
11306 				mcast_rate[band] = i + 1;
11307 				found = true;
11308 				break;
11309 			}
11310 		}
11311 	}
11312 
11313 	return found;
11314 }
11315 
11316 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11317 {
11318 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11319 	struct net_device *dev = info->user_ptr[1];
11320 	struct cfg80211_ibss_params ibss;
11321 	struct wiphy *wiphy;
11322 	struct cfg80211_cached_keys *connkeys = NULL;
11323 	int err;
11324 
11325 	memset(&ibss, 0, sizeof(ibss));
11326 
11327 	if (!info->attrs[NL80211_ATTR_SSID] ||
11328 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11329 		return -EINVAL;
11330 
11331 	ibss.beacon_interval = 100;
11332 
11333 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11334 		ibss.beacon_interval =
11335 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11336 
11337 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11338 					   ibss.beacon_interval);
11339 	if (err)
11340 		return err;
11341 
11342 	if (!rdev->ops->join_ibss)
11343 		return -EOPNOTSUPP;
11344 
11345 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11346 		return -EOPNOTSUPP;
11347 
11348 	wiphy = &rdev->wiphy;
11349 
11350 	if (info->attrs[NL80211_ATTR_MAC]) {
11351 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11352 
11353 		if (!is_valid_ether_addr(ibss.bssid))
11354 			return -EINVAL;
11355 	}
11356 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11357 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11358 
11359 	if (info->attrs[NL80211_ATTR_IE]) {
11360 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11361 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11362 	}
11363 
11364 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11365 	if (err)
11366 		return err;
11367 
11368 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11369 				     NL80211_IFTYPE_ADHOC))
11370 		return -EINVAL;
11371 
11372 	switch (ibss.chandef.width) {
11373 	case NL80211_CHAN_WIDTH_5:
11374 	case NL80211_CHAN_WIDTH_10:
11375 	case NL80211_CHAN_WIDTH_20_NOHT:
11376 		break;
11377 	case NL80211_CHAN_WIDTH_20:
11378 	case NL80211_CHAN_WIDTH_40:
11379 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11380 			return -EINVAL;
11381 		break;
11382 	case NL80211_CHAN_WIDTH_80:
11383 	case NL80211_CHAN_WIDTH_80P80:
11384 	case NL80211_CHAN_WIDTH_160:
11385 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11386 			return -EINVAL;
11387 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11388 					     NL80211_EXT_FEATURE_VHT_IBSS))
11389 			return -EINVAL;
11390 		break;
11391 	case NL80211_CHAN_WIDTH_320:
11392 		return -EINVAL;
11393 	default:
11394 		return -EINVAL;
11395 	}
11396 
11397 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11398 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11399 
11400 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11401 		u8 *rates =
11402 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11403 		int n_rates =
11404 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11405 		struct ieee80211_supported_band *sband =
11406 			wiphy->bands[ibss.chandef.chan->band];
11407 
11408 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11409 					     &ibss.basic_rates);
11410 		if (err)
11411 			return err;
11412 	}
11413 
11414 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11415 		memcpy(&ibss.ht_capa_mask,
11416 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11417 		       sizeof(ibss.ht_capa_mask));
11418 
11419 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11420 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11421 			return -EINVAL;
11422 		memcpy(&ibss.ht_capa,
11423 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11424 		       sizeof(ibss.ht_capa));
11425 	}
11426 
11427 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11428 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11429 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11430 		return -EINVAL;
11431 
11432 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11433 		bool no_ht = false;
11434 
11435 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11436 		if (IS_ERR(connkeys))
11437 			return PTR_ERR(connkeys);
11438 
11439 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11440 		    no_ht) {
11441 			kfree_sensitive(connkeys);
11442 			return -EINVAL;
11443 		}
11444 	}
11445 
11446 	ibss.control_port =
11447 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11448 
11449 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11450 		int r = validate_pae_over_nl80211(rdev, info);
11451 
11452 		if (r < 0) {
11453 			kfree_sensitive(connkeys);
11454 			return r;
11455 		}
11456 
11457 		ibss.control_port_over_nl80211 = true;
11458 	}
11459 
11460 	ibss.userspace_handles_dfs =
11461 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11462 
11463 	wdev_lock(dev->ieee80211_ptr);
11464 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11465 	if (err)
11466 		kfree_sensitive(connkeys);
11467 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11468 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11469 	wdev_unlock(dev->ieee80211_ptr);
11470 
11471 	return err;
11472 }
11473 
11474 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11475 {
11476 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11477 	struct net_device *dev = info->user_ptr[1];
11478 
11479 	if (!rdev->ops->leave_ibss)
11480 		return -EOPNOTSUPP;
11481 
11482 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11483 		return -EOPNOTSUPP;
11484 
11485 	return cfg80211_leave_ibss(rdev, dev, false);
11486 }
11487 
11488 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11489 {
11490 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11491 	struct net_device *dev = info->user_ptr[1];
11492 	int mcast_rate[NUM_NL80211_BANDS];
11493 	u32 nla_rate;
11494 
11495 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11496 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11497 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11498 		return -EOPNOTSUPP;
11499 
11500 	if (!rdev->ops->set_mcast_rate)
11501 		return -EOPNOTSUPP;
11502 
11503 	memset(mcast_rate, 0, sizeof(mcast_rate));
11504 
11505 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11506 		return -EINVAL;
11507 
11508 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11509 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11510 		return -EINVAL;
11511 
11512 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11513 }
11514 
11515 static struct sk_buff *
11516 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11517 			    struct wireless_dev *wdev, int approxlen,
11518 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11519 			    enum nl80211_attrs attr,
11520 			    const struct nl80211_vendor_cmd_info *info,
11521 			    gfp_t gfp)
11522 {
11523 	struct sk_buff *skb;
11524 	void *hdr;
11525 	struct nlattr *data;
11526 
11527 	skb = nlmsg_new(approxlen + 100, gfp);
11528 	if (!skb)
11529 		return NULL;
11530 
11531 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11532 	if (!hdr) {
11533 		kfree_skb(skb);
11534 		return NULL;
11535 	}
11536 
11537 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11538 		goto nla_put_failure;
11539 
11540 	if (info) {
11541 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11542 				info->vendor_id))
11543 			goto nla_put_failure;
11544 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11545 				info->subcmd))
11546 			goto nla_put_failure;
11547 	}
11548 
11549 	if (wdev) {
11550 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11551 				      wdev_id(wdev), NL80211_ATTR_PAD))
11552 			goto nla_put_failure;
11553 		if (wdev->netdev &&
11554 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11555 				wdev->netdev->ifindex))
11556 			goto nla_put_failure;
11557 	}
11558 
11559 	data = nla_nest_start_noflag(skb, attr);
11560 	if (!data)
11561 		goto nla_put_failure;
11562 
11563 	((void **)skb->cb)[0] = rdev;
11564 	((void **)skb->cb)[1] = hdr;
11565 	((void **)skb->cb)[2] = data;
11566 
11567 	return skb;
11568 
11569  nla_put_failure:
11570 	kfree_skb(skb);
11571 	return NULL;
11572 }
11573 
11574 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11575 					   struct wireless_dev *wdev,
11576 					   enum nl80211_commands cmd,
11577 					   enum nl80211_attrs attr,
11578 					   unsigned int portid,
11579 					   int vendor_event_idx,
11580 					   int approxlen, gfp_t gfp)
11581 {
11582 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11583 	const struct nl80211_vendor_cmd_info *info;
11584 
11585 	switch (cmd) {
11586 	case NL80211_CMD_TESTMODE:
11587 		if (WARN_ON(vendor_event_idx != -1))
11588 			return NULL;
11589 		info = NULL;
11590 		break;
11591 	case NL80211_CMD_VENDOR:
11592 		if (WARN_ON(vendor_event_idx < 0 ||
11593 			    vendor_event_idx >= wiphy->n_vendor_events))
11594 			return NULL;
11595 		info = &wiphy->vendor_events[vendor_event_idx];
11596 		break;
11597 	default:
11598 		WARN_ON(1);
11599 		return NULL;
11600 	}
11601 
11602 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11603 					   cmd, attr, info, gfp);
11604 }
11605 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11606 
11607 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11608 {
11609 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11610 	void *hdr = ((void **)skb->cb)[1];
11611 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11612 	struct nlattr *data = ((void **)skb->cb)[2];
11613 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11614 
11615 	/* clear CB data for netlink core to own from now on */
11616 	memset(skb->cb, 0, sizeof(skb->cb));
11617 
11618 	nla_nest_end(skb, data);
11619 	genlmsg_end(skb, hdr);
11620 
11621 	if (nlhdr->nlmsg_pid) {
11622 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11623 				nlhdr->nlmsg_pid);
11624 	} else {
11625 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11626 			mcgrp = NL80211_MCGRP_VENDOR;
11627 
11628 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11629 					skb, 0, mcgrp, gfp);
11630 	}
11631 }
11632 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11633 
11634 #ifdef CONFIG_NL80211_TESTMODE
11635 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11636 {
11637 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11638 	struct wireless_dev *wdev;
11639 	int err;
11640 
11641 	lockdep_assert_held(&rdev->wiphy.mtx);
11642 
11643 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11644 					  info->attrs);
11645 
11646 	if (!rdev->ops->testmode_cmd)
11647 		return -EOPNOTSUPP;
11648 
11649 	if (IS_ERR(wdev)) {
11650 		err = PTR_ERR(wdev);
11651 		if (err != -EINVAL)
11652 			return err;
11653 		wdev = NULL;
11654 	} else if (wdev->wiphy != &rdev->wiphy) {
11655 		return -EINVAL;
11656 	}
11657 
11658 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11659 		return -EINVAL;
11660 
11661 	rdev->cur_cmd_info = info;
11662 	err = rdev_testmode_cmd(rdev, wdev,
11663 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11664 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11665 	rdev->cur_cmd_info = NULL;
11666 
11667 	return err;
11668 }
11669 
11670 static int nl80211_testmode_dump(struct sk_buff *skb,
11671 				 struct netlink_callback *cb)
11672 {
11673 	struct cfg80211_registered_device *rdev;
11674 	struct nlattr **attrbuf = NULL;
11675 	int err;
11676 	long phy_idx;
11677 	void *data = NULL;
11678 	int data_len = 0;
11679 
11680 	rtnl_lock();
11681 
11682 	if (cb->args[0]) {
11683 		/*
11684 		 * 0 is a valid index, but not valid for args[0],
11685 		 * so we need to offset by 1.
11686 		 */
11687 		phy_idx = cb->args[0] - 1;
11688 
11689 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11690 		if (!rdev) {
11691 			err = -ENOENT;
11692 			goto out_err;
11693 		}
11694 	} else {
11695 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11696 				  GFP_KERNEL);
11697 		if (!attrbuf) {
11698 			err = -ENOMEM;
11699 			goto out_err;
11700 		}
11701 
11702 		err = nlmsg_parse_deprecated(cb->nlh,
11703 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11704 					     attrbuf, nl80211_fam.maxattr,
11705 					     nl80211_policy, NULL);
11706 		if (err)
11707 			goto out_err;
11708 
11709 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11710 		if (IS_ERR(rdev)) {
11711 			err = PTR_ERR(rdev);
11712 			goto out_err;
11713 		}
11714 		phy_idx = rdev->wiphy_idx;
11715 
11716 		if (attrbuf[NL80211_ATTR_TESTDATA])
11717 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11718 	}
11719 
11720 	if (cb->args[1]) {
11721 		data = nla_data((void *)cb->args[1]);
11722 		data_len = nla_len((void *)cb->args[1]);
11723 	}
11724 
11725 	if (!rdev->ops->testmode_dump) {
11726 		err = -EOPNOTSUPP;
11727 		goto out_err;
11728 	}
11729 
11730 	while (1) {
11731 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11732 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11733 					   NL80211_CMD_TESTMODE);
11734 		struct nlattr *tmdata;
11735 
11736 		if (!hdr)
11737 			break;
11738 
11739 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11740 			genlmsg_cancel(skb, hdr);
11741 			break;
11742 		}
11743 
11744 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11745 		if (!tmdata) {
11746 			genlmsg_cancel(skb, hdr);
11747 			break;
11748 		}
11749 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11750 		nla_nest_end(skb, tmdata);
11751 
11752 		if (err == -ENOBUFS || err == -ENOENT) {
11753 			genlmsg_cancel(skb, hdr);
11754 			break;
11755 		} else if (err) {
11756 			genlmsg_cancel(skb, hdr);
11757 			goto out_err;
11758 		}
11759 
11760 		genlmsg_end(skb, hdr);
11761 	}
11762 
11763 	err = skb->len;
11764 	/* see above */
11765 	cb->args[0] = phy_idx + 1;
11766  out_err:
11767 	kfree(attrbuf);
11768 	rtnl_unlock();
11769 	return err;
11770 }
11771 #endif
11772 
11773 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11774 {
11775 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11776 	struct net_device *dev = info->user_ptr[1];
11777 	struct cfg80211_connect_params connect;
11778 	struct wiphy *wiphy;
11779 	struct cfg80211_cached_keys *connkeys = NULL;
11780 	u32 freq = 0;
11781 	int err;
11782 
11783 	memset(&connect, 0, sizeof(connect));
11784 
11785 	if (!info->attrs[NL80211_ATTR_SSID] ||
11786 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11787 		return -EINVAL;
11788 
11789 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11790 		connect.auth_type =
11791 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11792 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11793 					     NL80211_CMD_CONNECT))
11794 			return -EINVAL;
11795 	} else
11796 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11797 
11798 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11799 
11800 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11801 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11802 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11803 		return -EINVAL;
11804 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11805 
11806 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11807 				      NL80211_MAX_NR_CIPHER_SUITES);
11808 	if (err)
11809 		return err;
11810 
11811 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11812 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11813 		return -EOPNOTSUPP;
11814 
11815 	wiphy = &rdev->wiphy;
11816 
11817 	connect.bg_scan_period = -1;
11818 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11819 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11820 		connect.bg_scan_period =
11821 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11822 	}
11823 
11824 	if (info->attrs[NL80211_ATTR_MAC])
11825 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11826 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11827 		connect.bssid_hint =
11828 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11829 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11830 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11831 
11832 	if (info->attrs[NL80211_ATTR_IE]) {
11833 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11834 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11835 	}
11836 
11837 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11838 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11839 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11840 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11841 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11842 			return -EOPNOTSUPP;
11843 	} else {
11844 		connect.mfp = NL80211_MFP_NO;
11845 	}
11846 
11847 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11848 		connect.prev_bssid =
11849 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11850 
11851 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11852 		freq = MHZ_TO_KHZ(nla_get_u32(
11853 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11854 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11855 		freq +=
11856 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11857 
11858 	if (freq) {
11859 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11860 		if (!connect.channel)
11861 			return -EINVAL;
11862 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11863 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11864 		freq = MHZ_TO_KHZ(freq);
11865 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11866 		if (!connect.channel_hint)
11867 			return -EINVAL;
11868 	}
11869 
11870 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11871 		connect.edmg.channels =
11872 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11873 
11874 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11875 			connect.edmg.bw_config =
11876 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11877 	}
11878 
11879 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11880 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11881 		if (IS_ERR(connkeys))
11882 			return PTR_ERR(connkeys);
11883 	}
11884 
11885 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11886 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11887 
11888 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11889 		memcpy(&connect.ht_capa_mask,
11890 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11891 		       sizeof(connect.ht_capa_mask));
11892 
11893 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11894 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11895 			kfree_sensitive(connkeys);
11896 			return -EINVAL;
11897 		}
11898 		memcpy(&connect.ht_capa,
11899 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11900 		       sizeof(connect.ht_capa));
11901 	}
11902 
11903 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11904 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11905 
11906 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11907 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11908 
11909 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11910 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11911 
11912 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11913 		memcpy(&connect.vht_capa_mask,
11914 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11915 		       sizeof(connect.vht_capa_mask));
11916 
11917 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11918 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11919 			kfree_sensitive(connkeys);
11920 			return -EINVAL;
11921 		}
11922 		memcpy(&connect.vht_capa,
11923 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11924 		       sizeof(connect.vht_capa));
11925 	}
11926 
11927 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11928 		if (!((rdev->wiphy.features &
11929 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11930 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11931 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11932 					     NL80211_EXT_FEATURE_RRM)) {
11933 			kfree_sensitive(connkeys);
11934 			return -EINVAL;
11935 		}
11936 		connect.flags |= ASSOC_REQ_USE_RRM;
11937 	}
11938 
11939 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11940 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11941 		kfree_sensitive(connkeys);
11942 		return -EOPNOTSUPP;
11943 	}
11944 
11945 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11946 		/* bss selection makes no sense if bssid is set */
11947 		if (connect.bssid) {
11948 			kfree_sensitive(connkeys);
11949 			return -EINVAL;
11950 		}
11951 
11952 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11953 				       wiphy, &connect.bss_select);
11954 		if (err) {
11955 			kfree_sensitive(connkeys);
11956 			return err;
11957 		}
11958 	}
11959 
11960 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11961 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11962 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11963 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11964 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11965 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11966 		connect.fils_erp_username =
11967 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11968 		connect.fils_erp_username_len =
11969 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11970 		connect.fils_erp_realm =
11971 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11972 		connect.fils_erp_realm_len =
11973 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11974 		connect.fils_erp_next_seq_num =
11975 			nla_get_u16(
11976 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11977 		connect.fils_erp_rrk =
11978 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11979 		connect.fils_erp_rrk_len =
11980 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11981 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11982 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11983 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11984 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11985 		kfree_sensitive(connkeys);
11986 		return -EINVAL;
11987 	}
11988 
11989 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
11990 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11991 			kfree_sensitive(connkeys);
11992 			GENL_SET_ERR_MSG(info,
11993 					 "external auth requires connection ownership");
11994 			return -EINVAL;
11995 		}
11996 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
11997 	}
11998 
11999 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12000 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12001 
12002 	wdev_lock(dev->ieee80211_ptr);
12003 
12004 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12005 			       connect.prev_bssid);
12006 	if (err)
12007 		kfree_sensitive(connkeys);
12008 
12009 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12010 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12011 		if (connect.bssid)
12012 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12013 			       connect.bssid, ETH_ALEN);
12014 		else
12015 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12016 	}
12017 
12018 	wdev_unlock(dev->ieee80211_ptr);
12019 
12020 	return err;
12021 }
12022 
12023 static int nl80211_update_connect_params(struct sk_buff *skb,
12024 					 struct genl_info *info)
12025 {
12026 	struct cfg80211_connect_params connect = {};
12027 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12028 	struct net_device *dev = info->user_ptr[1];
12029 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12030 	bool fils_sk_offload;
12031 	u32 auth_type;
12032 	u32 changed = 0;
12033 	int ret;
12034 
12035 	if (!rdev->ops->update_connect_params)
12036 		return -EOPNOTSUPP;
12037 
12038 	if (info->attrs[NL80211_ATTR_IE]) {
12039 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12040 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12041 		changed |= UPDATE_ASSOC_IES;
12042 	}
12043 
12044 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12045 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12046 
12047 	/*
12048 	 * when driver supports fils-sk offload all attributes must be
12049 	 * provided. So the else covers "fils-sk-not-all" and
12050 	 * "no-fils-sk-any".
12051 	 */
12052 	if (fils_sk_offload &&
12053 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12054 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12055 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12056 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12057 		connect.fils_erp_username =
12058 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12059 		connect.fils_erp_username_len =
12060 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12061 		connect.fils_erp_realm =
12062 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12063 		connect.fils_erp_realm_len =
12064 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12065 		connect.fils_erp_next_seq_num =
12066 			nla_get_u16(
12067 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12068 		connect.fils_erp_rrk =
12069 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12070 		connect.fils_erp_rrk_len =
12071 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12072 		changed |= UPDATE_FILS_ERP_INFO;
12073 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12074 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12075 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12076 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12077 		return -EINVAL;
12078 	}
12079 
12080 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12081 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12082 		if (!nl80211_valid_auth_type(rdev, auth_type,
12083 					     NL80211_CMD_CONNECT))
12084 			return -EINVAL;
12085 
12086 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12087 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12088 			return -EINVAL;
12089 
12090 		connect.auth_type = auth_type;
12091 		changed |= UPDATE_AUTH_TYPE;
12092 	}
12093 
12094 	wdev_lock(dev->ieee80211_ptr);
12095 	if (!wdev->connected)
12096 		ret = -ENOLINK;
12097 	else
12098 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
12099 	wdev_unlock(dev->ieee80211_ptr);
12100 
12101 	return ret;
12102 }
12103 
12104 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12105 {
12106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12107 	struct net_device *dev = info->user_ptr[1];
12108 	u16 reason;
12109 	int ret;
12110 
12111 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12112 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12113 		return -EPERM;
12114 
12115 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12116 		reason = WLAN_REASON_DEAUTH_LEAVING;
12117 	else
12118 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12119 
12120 	if (reason == 0)
12121 		return -EINVAL;
12122 
12123 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12124 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12125 		return -EOPNOTSUPP;
12126 
12127 	wdev_lock(dev->ieee80211_ptr);
12128 	ret = cfg80211_disconnect(rdev, dev, reason, true);
12129 	wdev_unlock(dev->ieee80211_ptr);
12130 	return ret;
12131 }
12132 
12133 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12134 {
12135 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12136 	struct net *net;
12137 	int err;
12138 
12139 	if (info->attrs[NL80211_ATTR_PID]) {
12140 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12141 
12142 		net = get_net_ns_by_pid(pid);
12143 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12144 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12145 
12146 		net = get_net_ns_by_fd(fd);
12147 	} else {
12148 		return -EINVAL;
12149 	}
12150 
12151 	if (IS_ERR(net))
12152 		return PTR_ERR(net);
12153 
12154 	err = 0;
12155 
12156 	/* check if anything to do */
12157 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12158 		err = cfg80211_switch_netns(rdev, net);
12159 
12160 	put_net(net);
12161 	return err;
12162 }
12163 
12164 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12165 {
12166 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12167 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12168 			struct cfg80211_pmksa *pmksa) = NULL;
12169 	struct net_device *dev = info->user_ptr[1];
12170 	struct cfg80211_pmksa pmksa;
12171 
12172 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12173 
12174 	if (!info->attrs[NL80211_ATTR_PMKID])
12175 		return -EINVAL;
12176 
12177 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12178 
12179 	if (info->attrs[NL80211_ATTR_MAC]) {
12180 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12181 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12182 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12183 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12184 		    info->attrs[NL80211_ATTR_PMK])) {
12185 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12186 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12187 		pmksa.cache_id =
12188 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12189 	} else {
12190 		return -EINVAL;
12191 	}
12192 	if (info->attrs[NL80211_ATTR_PMK]) {
12193 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12194 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12195 	}
12196 
12197 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12198 		pmksa.pmk_lifetime =
12199 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12200 
12201 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12202 		pmksa.pmk_reauth_threshold =
12203 			nla_get_u8(
12204 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12205 
12206 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12207 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12208 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12209 	      wiphy_ext_feature_isset(&rdev->wiphy,
12210 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12211 		return -EOPNOTSUPP;
12212 
12213 	switch (info->genlhdr->cmd) {
12214 	case NL80211_CMD_SET_PMKSA:
12215 		rdev_ops = rdev->ops->set_pmksa;
12216 		break;
12217 	case NL80211_CMD_DEL_PMKSA:
12218 		rdev_ops = rdev->ops->del_pmksa;
12219 		break;
12220 	default:
12221 		WARN_ON(1);
12222 		break;
12223 	}
12224 
12225 	if (!rdev_ops)
12226 		return -EOPNOTSUPP;
12227 
12228 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12229 }
12230 
12231 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12232 {
12233 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12234 	struct net_device *dev = info->user_ptr[1];
12235 
12236 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12237 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12238 		return -EOPNOTSUPP;
12239 
12240 	if (!rdev->ops->flush_pmksa)
12241 		return -EOPNOTSUPP;
12242 
12243 	return rdev_flush_pmksa(rdev, dev);
12244 }
12245 
12246 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12247 {
12248 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12249 	struct net_device *dev = info->user_ptr[1];
12250 	u8 action_code, dialog_token;
12251 	u32 peer_capability = 0;
12252 	u16 status_code;
12253 	u8 *peer;
12254 	bool initiator;
12255 
12256 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12257 	    !rdev->ops->tdls_mgmt)
12258 		return -EOPNOTSUPP;
12259 
12260 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12261 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12262 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12263 	    !info->attrs[NL80211_ATTR_IE] ||
12264 	    !info->attrs[NL80211_ATTR_MAC])
12265 		return -EINVAL;
12266 
12267 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12268 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12269 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12270 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12271 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12272 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12273 		peer_capability =
12274 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12275 
12276 	return rdev_tdls_mgmt(rdev, dev, peer, action_code,
12277 			      dialog_token, status_code, peer_capability,
12278 			      initiator,
12279 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12280 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12281 }
12282 
12283 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12284 {
12285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12286 	struct net_device *dev = info->user_ptr[1];
12287 	enum nl80211_tdls_operation operation;
12288 	u8 *peer;
12289 
12290 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12291 	    !rdev->ops->tdls_oper)
12292 		return -EOPNOTSUPP;
12293 
12294 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12295 	    !info->attrs[NL80211_ATTR_MAC])
12296 		return -EINVAL;
12297 
12298 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12299 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12300 
12301 	return rdev_tdls_oper(rdev, dev, peer, operation);
12302 }
12303 
12304 static int nl80211_remain_on_channel(struct sk_buff *skb,
12305 				     struct genl_info *info)
12306 {
12307 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12308 	unsigned int link_id = nl80211_link_id(info->attrs);
12309 	struct wireless_dev *wdev = info->user_ptr[1];
12310 	struct cfg80211_chan_def chandef;
12311 	struct sk_buff *msg;
12312 	void *hdr;
12313 	u64 cookie;
12314 	u32 duration;
12315 	int err;
12316 
12317 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12318 	    !info->attrs[NL80211_ATTR_DURATION])
12319 		return -EINVAL;
12320 
12321 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12322 
12323 	if (!rdev->ops->remain_on_channel ||
12324 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12325 		return -EOPNOTSUPP;
12326 
12327 	/*
12328 	 * We should be on that channel for at least a minimum amount of
12329 	 * time (10ms) but no longer than the driver supports.
12330 	 */
12331 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12332 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12333 		return -EINVAL;
12334 
12335 	err = nl80211_parse_chandef(rdev, info, &chandef);
12336 	if (err)
12337 		return err;
12338 
12339 	wdev_lock(wdev);
12340 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12341 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12342 
12343 		oper_chandef = wdev_chandef(wdev, link_id);
12344 
12345 		if (WARN_ON(!oper_chandef)) {
12346 			/* cannot happen since we must beacon to get here */
12347 			WARN_ON(1);
12348 			wdev_unlock(wdev);
12349 			return -EBUSY;
12350 		}
12351 
12352 		/* note: returns first one if identical chandefs */
12353 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12354 							     oper_chandef);
12355 
12356 		if (compat_chandef != &chandef) {
12357 			wdev_unlock(wdev);
12358 			return -EBUSY;
12359 		}
12360 	}
12361 	wdev_unlock(wdev);
12362 
12363 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12364 	if (!msg)
12365 		return -ENOMEM;
12366 
12367 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12368 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12369 	if (!hdr) {
12370 		err = -ENOBUFS;
12371 		goto free_msg;
12372 	}
12373 
12374 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12375 				     duration, &cookie);
12376 
12377 	if (err)
12378 		goto free_msg;
12379 
12380 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12381 			      NL80211_ATTR_PAD))
12382 		goto nla_put_failure;
12383 
12384 	genlmsg_end(msg, hdr);
12385 
12386 	return genlmsg_reply(msg, info);
12387 
12388  nla_put_failure:
12389 	err = -ENOBUFS;
12390  free_msg:
12391 	nlmsg_free(msg);
12392 	return err;
12393 }
12394 
12395 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12396 					    struct genl_info *info)
12397 {
12398 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12399 	struct wireless_dev *wdev = info->user_ptr[1];
12400 	u64 cookie;
12401 
12402 	if (!info->attrs[NL80211_ATTR_COOKIE])
12403 		return -EINVAL;
12404 
12405 	if (!rdev->ops->cancel_remain_on_channel)
12406 		return -EOPNOTSUPP;
12407 
12408 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12409 
12410 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12411 }
12412 
12413 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12414 				       struct genl_info *info)
12415 {
12416 	struct cfg80211_bitrate_mask mask;
12417 	unsigned int link_id = nl80211_link_id(info->attrs);
12418 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12419 	struct net_device *dev = info->user_ptr[1];
12420 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12421 	int err;
12422 
12423 	if (!rdev->ops->set_bitrate_mask)
12424 		return -EOPNOTSUPP;
12425 
12426 	wdev_lock(wdev);
12427 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12428 					    NL80211_ATTR_TX_RATES, &mask,
12429 					    dev, true, link_id);
12430 	if (err)
12431 		goto out;
12432 
12433 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12434 out:
12435 	wdev_unlock(wdev);
12436 	return err;
12437 }
12438 
12439 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12440 {
12441 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12442 	struct wireless_dev *wdev = info->user_ptr[1];
12443 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12444 
12445 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12446 		return -EINVAL;
12447 
12448 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12449 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12450 
12451 	switch (wdev->iftype) {
12452 	case NL80211_IFTYPE_STATION:
12453 	case NL80211_IFTYPE_ADHOC:
12454 	case NL80211_IFTYPE_P2P_CLIENT:
12455 	case NL80211_IFTYPE_AP:
12456 	case NL80211_IFTYPE_AP_VLAN:
12457 	case NL80211_IFTYPE_MESH_POINT:
12458 	case NL80211_IFTYPE_P2P_GO:
12459 	case NL80211_IFTYPE_P2P_DEVICE:
12460 		break;
12461 	case NL80211_IFTYPE_NAN:
12462 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12463 					     NL80211_EXT_FEATURE_SECURE_NAN))
12464 			return -EOPNOTSUPP;
12465 		break;
12466 	default:
12467 		return -EOPNOTSUPP;
12468 	}
12469 
12470 	/* not much point in registering if we can't reply */
12471 	if (!rdev->ops->mgmt_tx)
12472 		return -EOPNOTSUPP;
12473 
12474 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12475 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12476 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12477 		GENL_SET_ERR_MSG(info,
12478 				 "multicast RX registrations are not supported");
12479 		return -EOPNOTSUPP;
12480 	}
12481 
12482 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12483 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12484 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12485 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12486 					   info->extack);
12487 }
12488 
12489 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12490 {
12491 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12492 	struct wireless_dev *wdev = info->user_ptr[1];
12493 	struct cfg80211_chan_def chandef;
12494 	int err;
12495 	void *hdr = NULL;
12496 	u64 cookie;
12497 	struct sk_buff *msg = NULL;
12498 	struct cfg80211_mgmt_tx_params params = {
12499 		.dont_wait_for_ack =
12500 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12501 	};
12502 
12503 	if (!info->attrs[NL80211_ATTR_FRAME])
12504 		return -EINVAL;
12505 
12506 	if (!rdev->ops->mgmt_tx)
12507 		return -EOPNOTSUPP;
12508 
12509 	switch (wdev->iftype) {
12510 	case NL80211_IFTYPE_P2P_DEVICE:
12511 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12512 			return -EINVAL;
12513 		break;
12514 	case NL80211_IFTYPE_STATION:
12515 	case NL80211_IFTYPE_ADHOC:
12516 	case NL80211_IFTYPE_P2P_CLIENT:
12517 	case NL80211_IFTYPE_AP:
12518 	case NL80211_IFTYPE_AP_VLAN:
12519 	case NL80211_IFTYPE_MESH_POINT:
12520 	case NL80211_IFTYPE_P2P_GO:
12521 		break;
12522 	case NL80211_IFTYPE_NAN:
12523 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12524 					     NL80211_EXT_FEATURE_SECURE_NAN))
12525 			return -EOPNOTSUPP;
12526 		break;
12527 	default:
12528 		return -EOPNOTSUPP;
12529 	}
12530 
12531 	if (info->attrs[NL80211_ATTR_DURATION]) {
12532 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12533 			return -EINVAL;
12534 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12535 
12536 		/*
12537 		 * We should wait on the channel for at least a minimum amount
12538 		 * of time (10ms) but no longer than the driver supports.
12539 		 */
12540 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12541 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12542 			return -EINVAL;
12543 	}
12544 
12545 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12546 
12547 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12548 		return -EINVAL;
12549 
12550 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12551 
12552 	/* get the channel if any has been specified, otherwise pass NULL to
12553 	 * the driver. The latter will use the current one
12554 	 */
12555 	chandef.chan = NULL;
12556 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12557 		err = nl80211_parse_chandef(rdev, info, &chandef);
12558 		if (err)
12559 			return err;
12560 	}
12561 
12562 	if (!chandef.chan && params.offchan)
12563 		return -EINVAL;
12564 
12565 	wdev_lock(wdev);
12566 	if (params.offchan &&
12567 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12568 		wdev_unlock(wdev);
12569 		return -EBUSY;
12570 	}
12571 
12572 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12573 	/*
12574 	 * This now races due to the unlock, but we cannot check
12575 	 * the valid links for the _station_ anyway, so that's up
12576 	 * to the driver.
12577 	 */
12578 	if (params.link_id >= 0 &&
12579 	    !(wdev->valid_links & BIT(params.link_id))) {
12580 		wdev_unlock(wdev);
12581 		return -EINVAL;
12582 	}
12583 	wdev_unlock(wdev);
12584 
12585 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12586 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12587 
12588 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12589 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12590 		int i;
12591 
12592 		if (len % sizeof(u16))
12593 			return -EINVAL;
12594 
12595 		params.n_csa_offsets = len / sizeof(u16);
12596 		params.csa_offsets =
12597 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12598 
12599 		/* check that all the offsets fit the frame */
12600 		for (i = 0; i < params.n_csa_offsets; i++) {
12601 			if (params.csa_offsets[i] >= params.len)
12602 				return -EINVAL;
12603 		}
12604 	}
12605 
12606 	if (!params.dont_wait_for_ack) {
12607 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12608 		if (!msg)
12609 			return -ENOMEM;
12610 
12611 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12612 				     NL80211_CMD_FRAME);
12613 		if (!hdr) {
12614 			err = -ENOBUFS;
12615 			goto free_msg;
12616 		}
12617 	}
12618 
12619 	params.chan = chandef.chan;
12620 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12621 	if (err)
12622 		goto free_msg;
12623 
12624 	if (msg) {
12625 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12626 				      NL80211_ATTR_PAD))
12627 			goto nla_put_failure;
12628 
12629 		genlmsg_end(msg, hdr);
12630 		return genlmsg_reply(msg, info);
12631 	}
12632 
12633 	return 0;
12634 
12635  nla_put_failure:
12636 	err = -ENOBUFS;
12637  free_msg:
12638 	nlmsg_free(msg);
12639 	return err;
12640 }
12641 
12642 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12643 {
12644 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12645 	struct wireless_dev *wdev = info->user_ptr[1];
12646 	u64 cookie;
12647 
12648 	if (!info->attrs[NL80211_ATTR_COOKIE])
12649 		return -EINVAL;
12650 
12651 	if (!rdev->ops->mgmt_tx_cancel_wait)
12652 		return -EOPNOTSUPP;
12653 
12654 	switch (wdev->iftype) {
12655 	case NL80211_IFTYPE_STATION:
12656 	case NL80211_IFTYPE_ADHOC:
12657 	case NL80211_IFTYPE_P2P_CLIENT:
12658 	case NL80211_IFTYPE_AP:
12659 	case NL80211_IFTYPE_AP_VLAN:
12660 	case NL80211_IFTYPE_P2P_GO:
12661 	case NL80211_IFTYPE_P2P_DEVICE:
12662 		break;
12663 	case NL80211_IFTYPE_NAN:
12664 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12665 					     NL80211_EXT_FEATURE_SECURE_NAN))
12666 			return -EOPNOTSUPP;
12667 		break;
12668 	default:
12669 		return -EOPNOTSUPP;
12670 	}
12671 
12672 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12673 
12674 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12675 }
12676 
12677 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12678 {
12679 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12680 	struct wireless_dev *wdev;
12681 	struct net_device *dev = info->user_ptr[1];
12682 	u8 ps_state;
12683 	bool state;
12684 	int err;
12685 
12686 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12687 		return -EINVAL;
12688 
12689 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12690 
12691 	wdev = dev->ieee80211_ptr;
12692 
12693 	if (!rdev->ops->set_power_mgmt)
12694 		return -EOPNOTSUPP;
12695 
12696 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12697 
12698 	if (state == wdev->ps)
12699 		return 0;
12700 
12701 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12702 	if (!err)
12703 		wdev->ps = state;
12704 	return err;
12705 }
12706 
12707 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12708 {
12709 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12710 	enum nl80211_ps_state ps_state;
12711 	struct wireless_dev *wdev;
12712 	struct net_device *dev = info->user_ptr[1];
12713 	struct sk_buff *msg;
12714 	void *hdr;
12715 	int err;
12716 
12717 	wdev = dev->ieee80211_ptr;
12718 
12719 	if (!rdev->ops->set_power_mgmt)
12720 		return -EOPNOTSUPP;
12721 
12722 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12723 	if (!msg)
12724 		return -ENOMEM;
12725 
12726 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12727 			     NL80211_CMD_GET_POWER_SAVE);
12728 	if (!hdr) {
12729 		err = -ENOBUFS;
12730 		goto free_msg;
12731 	}
12732 
12733 	if (wdev->ps)
12734 		ps_state = NL80211_PS_ENABLED;
12735 	else
12736 		ps_state = NL80211_PS_DISABLED;
12737 
12738 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12739 		goto nla_put_failure;
12740 
12741 	genlmsg_end(msg, hdr);
12742 	return genlmsg_reply(msg, info);
12743 
12744  nla_put_failure:
12745 	err = -ENOBUFS;
12746  free_msg:
12747 	nlmsg_free(msg);
12748 	return err;
12749 }
12750 
12751 static const struct nla_policy
12752 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12753 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12754 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12755 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12756 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12757 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12758 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12759 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12760 };
12761 
12762 static int nl80211_set_cqm_txe(struct genl_info *info,
12763 			       u32 rate, u32 pkts, u32 intvl)
12764 {
12765 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12766 	struct net_device *dev = info->user_ptr[1];
12767 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12768 
12769 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12770 		return -EINVAL;
12771 
12772 	if (!rdev->ops->set_cqm_txe_config)
12773 		return -EOPNOTSUPP;
12774 
12775 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12776 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12777 		return -EOPNOTSUPP;
12778 
12779 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12780 }
12781 
12782 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12783 				    struct net_device *dev)
12784 {
12785 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12786 	s32 last, low, high;
12787 	u32 hyst;
12788 	int i, n, low_index;
12789 	int err;
12790 
12791 	/* RSSI reporting disabled? */
12792 	if (!wdev->cqm_config)
12793 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12794 
12795 	/*
12796 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12797 	 * event has been received yet, we should receive an event after a
12798 	 * connection is established and enough beacons received to calculate
12799 	 * the average.
12800 	 */
12801 	if (!wdev->cqm_config->last_rssi_event_value &&
12802 	    wdev->links[0].client.current_bss &&
12803 	    rdev->ops->get_station) {
12804 		struct station_info sinfo = {};
12805 		u8 *mac_addr;
12806 
12807 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12808 
12809 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12810 		if (err)
12811 			return err;
12812 
12813 		cfg80211_sinfo_release_content(&sinfo);
12814 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12815 			wdev->cqm_config->last_rssi_event_value =
12816 				(s8) sinfo.rx_beacon_signal_avg;
12817 	}
12818 
12819 	last = wdev->cqm_config->last_rssi_event_value;
12820 	hyst = wdev->cqm_config->rssi_hyst;
12821 	n = wdev->cqm_config->n_rssi_thresholds;
12822 
12823 	for (i = 0; i < n; i++) {
12824 		i = array_index_nospec(i, n);
12825 		if (last < wdev->cqm_config->rssi_thresholds[i])
12826 			break;
12827 	}
12828 
12829 	low_index = i - 1;
12830 	if (low_index >= 0) {
12831 		low_index = array_index_nospec(low_index, n);
12832 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12833 	} else {
12834 		low = S32_MIN;
12835 	}
12836 	if (i < n) {
12837 		i = array_index_nospec(i, n);
12838 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12839 	} else {
12840 		high = S32_MAX;
12841 	}
12842 
12843 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12844 }
12845 
12846 static int nl80211_set_cqm_rssi(struct genl_info *info,
12847 				const s32 *thresholds, int n_thresholds,
12848 				u32 hysteresis)
12849 {
12850 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12851 	struct net_device *dev = info->user_ptr[1];
12852 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12853 	int i, err;
12854 	s32 prev = S32_MIN;
12855 
12856 	/* Check all values negative and sorted */
12857 	for (i = 0; i < n_thresholds; i++) {
12858 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12859 			return -EINVAL;
12860 
12861 		prev = thresholds[i];
12862 	}
12863 
12864 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12865 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12866 		return -EOPNOTSUPP;
12867 
12868 	wdev_lock(wdev);
12869 	cfg80211_cqm_config_free(wdev);
12870 	wdev_unlock(wdev);
12871 
12872 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12873 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12874 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12875 
12876 		return rdev_set_cqm_rssi_config(rdev, dev,
12877 						thresholds[0], hysteresis);
12878 	}
12879 
12880 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12881 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12882 		return -EOPNOTSUPP;
12883 
12884 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12885 		n_thresholds = 0;
12886 
12887 	wdev_lock(wdev);
12888 	if (n_thresholds) {
12889 		struct cfg80211_cqm_config *cqm_config;
12890 
12891 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12892 						 n_thresholds),
12893 				     GFP_KERNEL);
12894 		if (!cqm_config) {
12895 			err = -ENOMEM;
12896 			goto unlock;
12897 		}
12898 
12899 		cqm_config->rssi_hyst = hysteresis;
12900 		cqm_config->n_rssi_thresholds = n_thresholds;
12901 		memcpy(cqm_config->rssi_thresholds, thresholds,
12902 		       flex_array_size(cqm_config, rssi_thresholds,
12903 				       n_thresholds));
12904 
12905 		wdev->cqm_config = cqm_config;
12906 	}
12907 
12908 	err = cfg80211_cqm_rssi_update(rdev, dev);
12909 
12910 unlock:
12911 	wdev_unlock(wdev);
12912 
12913 	return err;
12914 }
12915 
12916 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12917 {
12918 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12919 	struct nlattr *cqm;
12920 	int err;
12921 
12922 	cqm = info->attrs[NL80211_ATTR_CQM];
12923 	if (!cqm)
12924 		return -EINVAL;
12925 
12926 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12927 					  nl80211_attr_cqm_policy,
12928 					  info->extack);
12929 	if (err)
12930 		return err;
12931 
12932 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12933 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12934 		const s32 *thresholds =
12935 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12936 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12937 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12938 
12939 		if (len % 4)
12940 			return -EINVAL;
12941 
12942 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12943 					    hysteresis);
12944 	}
12945 
12946 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12947 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12948 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12949 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12950 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12951 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12952 
12953 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12954 	}
12955 
12956 	return -EINVAL;
12957 }
12958 
12959 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12960 {
12961 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12962 	struct net_device *dev = info->user_ptr[1];
12963 	struct ocb_setup setup = {};
12964 	int err;
12965 
12966 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12967 	if (err)
12968 		return err;
12969 
12970 	return cfg80211_join_ocb(rdev, dev, &setup);
12971 }
12972 
12973 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12974 {
12975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12976 	struct net_device *dev = info->user_ptr[1];
12977 
12978 	return cfg80211_leave_ocb(rdev, dev);
12979 }
12980 
12981 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12982 {
12983 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12984 	struct net_device *dev = info->user_ptr[1];
12985 	struct mesh_config cfg;
12986 	struct mesh_setup setup;
12987 	int err;
12988 
12989 	/* start with default */
12990 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
12991 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
12992 
12993 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
12994 		/* and parse parameters if given */
12995 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
12996 		if (err)
12997 			return err;
12998 	}
12999 
13000 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13001 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13002 		return -EINVAL;
13003 
13004 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13005 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13006 
13007 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13008 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13009 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13010 			return -EINVAL;
13011 
13012 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13013 		setup.beacon_interval =
13014 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13015 
13016 		err = cfg80211_validate_beacon_int(rdev,
13017 						   NL80211_IFTYPE_MESH_POINT,
13018 						   setup.beacon_interval);
13019 		if (err)
13020 			return err;
13021 	}
13022 
13023 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13024 		setup.dtim_period =
13025 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13026 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13027 			return -EINVAL;
13028 	}
13029 
13030 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13031 		/* parse additional setup parameters if given */
13032 		err = nl80211_parse_mesh_setup(info, &setup);
13033 		if (err)
13034 			return err;
13035 	}
13036 
13037 	if (setup.user_mpm)
13038 		cfg.auto_open_plinks = false;
13039 
13040 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13041 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13042 		if (err)
13043 			return err;
13044 	} else {
13045 		/* __cfg80211_join_mesh() will sort it out */
13046 		setup.chandef.chan = NULL;
13047 	}
13048 
13049 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13050 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13051 		int n_rates =
13052 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13053 		struct ieee80211_supported_band *sband;
13054 
13055 		if (!setup.chandef.chan)
13056 			return -EINVAL;
13057 
13058 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13059 
13060 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13061 					     &setup.basic_rates);
13062 		if (err)
13063 			return err;
13064 	}
13065 
13066 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13067 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13068 						    NL80211_ATTR_TX_RATES,
13069 						    &setup.beacon_rate,
13070 						    dev, false, 0);
13071 		if (err)
13072 			return err;
13073 
13074 		if (!setup.chandef.chan)
13075 			return -EINVAL;
13076 
13077 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13078 					      &setup.beacon_rate);
13079 		if (err)
13080 			return err;
13081 	}
13082 
13083 	setup.userspace_handles_dfs =
13084 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13085 
13086 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13087 		int r = validate_pae_over_nl80211(rdev, info);
13088 
13089 		if (r < 0)
13090 			return r;
13091 
13092 		setup.control_port_over_nl80211 = true;
13093 	}
13094 
13095 	wdev_lock(dev->ieee80211_ptr);
13096 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13097 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13098 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13099 	wdev_unlock(dev->ieee80211_ptr);
13100 
13101 	return err;
13102 }
13103 
13104 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13105 {
13106 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13107 	struct net_device *dev = info->user_ptr[1];
13108 
13109 	return cfg80211_leave_mesh(rdev, dev);
13110 }
13111 
13112 #ifdef CONFIG_PM
13113 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13114 					struct cfg80211_registered_device *rdev)
13115 {
13116 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13117 	struct nlattr *nl_pats, *nl_pat;
13118 	int i, pat_len;
13119 
13120 	if (!wowlan->n_patterns)
13121 		return 0;
13122 
13123 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13124 	if (!nl_pats)
13125 		return -ENOBUFS;
13126 
13127 	for (i = 0; i < wowlan->n_patterns; i++) {
13128 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13129 		if (!nl_pat)
13130 			return -ENOBUFS;
13131 		pat_len = wowlan->patterns[i].pattern_len;
13132 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13133 			    wowlan->patterns[i].mask) ||
13134 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13135 			    wowlan->patterns[i].pattern) ||
13136 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13137 				wowlan->patterns[i].pkt_offset))
13138 			return -ENOBUFS;
13139 		nla_nest_end(msg, nl_pat);
13140 	}
13141 	nla_nest_end(msg, nl_pats);
13142 
13143 	return 0;
13144 }
13145 
13146 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13147 				   struct cfg80211_wowlan_tcp *tcp)
13148 {
13149 	struct nlattr *nl_tcp;
13150 
13151 	if (!tcp)
13152 		return 0;
13153 
13154 	nl_tcp = nla_nest_start_noflag(msg,
13155 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13156 	if (!nl_tcp)
13157 		return -ENOBUFS;
13158 
13159 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13160 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13161 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13162 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13163 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13164 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13165 		    tcp->payload_len, tcp->payload) ||
13166 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13167 			tcp->data_interval) ||
13168 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13169 		    tcp->wake_len, tcp->wake_data) ||
13170 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13171 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13172 		return -ENOBUFS;
13173 
13174 	if (tcp->payload_seq.len &&
13175 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13176 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13177 		return -ENOBUFS;
13178 
13179 	if (tcp->payload_tok.len &&
13180 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13181 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13182 		    &tcp->payload_tok))
13183 		return -ENOBUFS;
13184 
13185 	nla_nest_end(msg, nl_tcp);
13186 
13187 	return 0;
13188 }
13189 
13190 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13191 				  struct cfg80211_sched_scan_request *req)
13192 {
13193 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13194 	int i;
13195 
13196 	if (!req)
13197 		return 0;
13198 
13199 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13200 	if (!nd)
13201 		return -ENOBUFS;
13202 
13203 	if (req->n_scan_plans == 1 &&
13204 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13205 			req->scan_plans[0].interval * 1000))
13206 		return -ENOBUFS;
13207 
13208 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13209 		return -ENOBUFS;
13210 
13211 	if (req->relative_rssi_set) {
13212 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13213 
13214 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13215 			       req->relative_rssi))
13216 			return -ENOBUFS;
13217 
13218 		rssi_adjust.band = req->rssi_adjust.band;
13219 		rssi_adjust.delta = req->rssi_adjust.delta;
13220 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13221 			    sizeof(rssi_adjust), &rssi_adjust))
13222 			return -ENOBUFS;
13223 	}
13224 
13225 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13226 	if (!freqs)
13227 		return -ENOBUFS;
13228 
13229 	for (i = 0; i < req->n_channels; i++) {
13230 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13231 			return -ENOBUFS;
13232 	}
13233 
13234 	nla_nest_end(msg, freqs);
13235 
13236 	if (req->n_match_sets) {
13237 		matches = nla_nest_start_noflag(msg,
13238 						NL80211_ATTR_SCHED_SCAN_MATCH);
13239 		if (!matches)
13240 			return -ENOBUFS;
13241 
13242 		for (i = 0; i < req->n_match_sets; i++) {
13243 			match = nla_nest_start_noflag(msg, i);
13244 			if (!match)
13245 				return -ENOBUFS;
13246 
13247 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13248 				    req->match_sets[i].ssid.ssid_len,
13249 				    req->match_sets[i].ssid.ssid))
13250 				return -ENOBUFS;
13251 			nla_nest_end(msg, match);
13252 		}
13253 		nla_nest_end(msg, matches);
13254 	}
13255 
13256 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13257 	if (!scan_plans)
13258 		return -ENOBUFS;
13259 
13260 	for (i = 0; i < req->n_scan_plans; i++) {
13261 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13262 		if (!scan_plan)
13263 			return -ENOBUFS;
13264 
13265 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13266 				req->scan_plans[i].interval) ||
13267 		    (req->scan_plans[i].iterations &&
13268 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13269 				 req->scan_plans[i].iterations)))
13270 			return -ENOBUFS;
13271 		nla_nest_end(msg, scan_plan);
13272 	}
13273 	nla_nest_end(msg, scan_plans);
13274 
13275 	nla_nest_end(msg, nd);
13276 
13277 	return 0;
13278 }
13279 
13280 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13281 {
13282 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13283 	struct sk_buff *msg;
13284 	void *hdr;
13285 	u32 size = NLMSG_DEFAULT_SIZE;
13286 
13287 	if (!rdev->wiphy.wowlan)
13288 		return -EOPNOTSUPP;
13289 
13290 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13291 		/* adjust size to have room for all the data */
13292 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13293 			rdev->wiphy.wowlan_config->tcp->payload_len +
13294 			rdev->wiphy.wowlan_config->tcp->wake_len +
13295 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13296 	}
13297 
13298 	msg = nlmsg_new(size, GFP_KERNEL);
13299 	if (!msg)
13300 		return -ENOMEM;
13301 
13302 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13303 			     NL80211_CMD_GET_WOWLAN);
13304 	if (!hdr)
13305 		goto nla_put_failure;
13306 
13307 	if (rdev->wiphy.wowlan_config) {
13308 		struct nlattr *nl_wowlan;
13309 
13310 		nl_wowlan = nla_nest_start_noflag(msg,
13311 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13312 		if (!nl_wowlan)
13313 			goto nla_put_failure;
13314 
13315 		if ((rdev->wiphy.wowlan_config->any &&
13316 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13317 		    (rdev->wiphy.wowlan_config->disconnect &&
13318 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13319 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13320 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13321 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13322 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13323 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13324 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13325 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13326 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13327 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13328 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13329 			goto nla_put_failure;
13330 
13331 		if (nl80211_send_wowlan_patterns(msg, rdev))
13332 			goto nla_put_failure;
13333 
13334 		if (nl80211_send_wowlan_tcp(msg,
13335 					    rdev->wiphy.wowlan_config->tcp))
13336 			goto nla_put_failure;
13337 
13338 		if (nl80211_send_wowlan_nd(
13339 			    msg,
13340 			    rdev->wiphy.wowlan_config->nd_config))
13341 			goto nla_put_failure;
13342 
13343 		nla_nest_end(msg, nl_wowlan);
13344 	}
13345 
13346 	genlmsg_end(msg, hdr);
13347 	return genlmsg_reply(msg, info);
13348 
13349 nla_put_failure:
13350 	nlmsg_free(msg);
13351 	return -ENOBUFS;
13352 }
13353 
13354 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13355 				    struct nlattr *attr,
13356 				    struct cfg80211_wowlan *trig)
13357 {
13358 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13359 	struct cfg80211_wowlan_tcp *cfg;
13360 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13361 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13362 	u32 size;
13363 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13364 	int err, port;
13365 
13366 	if (!rdev->wiphy.wowlan->tcp)
13367 		return -EINVAL;
13368 
13369 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13370 					  nl80211_wowlan_tcp_policy, NULL);
13371 	if (err)
13372 		return err;
13373 
13374 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13375 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13376 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13377 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13378 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13379 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13380 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13381 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13382 		return -EINVAL;
13383 
13384 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13385 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13386 		return -EINVAL;
13387 
13388 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13389 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13390 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13391 		return -EINVAL;
13392 
13393 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13394 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13395 		return -EINVAL;
13396 
13397 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13398 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13399 		return -EINVAL;
13400 
13401 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13402 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13403 
13404 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13405 		tokens_size = tokln - sizeof(*tok);
13406 
13407 		if (!tok->len || tokens_size % tok->len)
13408 			return -EINVAL;
13409 		if (!rdev->wiphy.wowlan->tcp->tok)
13410 			return -EINVAL;
13411 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13412 			return -EINVAL;
13413 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13414 			return -EINVAL;
13415 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13416 			return -EINVAL;
13417 		if (tok->offset + tok->len > data_size)
13418 			return -EINVAL;
13419 	}
13420 
13421 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13422 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13423 		if (!rdev->wiphy.wowlan->tcp->seq)
13424 			return -EINVAL;
13425 		if (seq->len == 0 || seq->len > 4)
13426 			return -EINVAL;
13427 		if (seq->len + seq->offset > data_size)
13428 			return -EINVAL;
13429 	}
13430 
13431 	size = sizeof(*cfg);
13432 	size += data_size;
13433 	size += wake_size + wake_mask_size;
13434 	size += tokens_size;
13435 
13436 	cfg = kzalloc(size, GFP_KERNEL);
13437 	if (!cfg)
13438 		return -ENOMEM;
13439 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13440 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13441 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13442 	       ETH_ALEN);
13443 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13444 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13445 	else
13446 		port = 0;
13447 #ifdef CONFIG_INET
13448 	/* allocate a socket and port for it and use it */
13449 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13450 			    IPPROTO_TCP, &cfg->sock, 1);
13451 	if (err) {
13452 		kfree(cfg);
13453 		return err;
13454 	}
13455 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13456 		sock_release(cfg->sock);
13457 		kfree(cfg);
13458 		return -EADDRINUSE;
13459 	}
13460 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13461 #else
13462 	if (!port) {
13463 		kfree(cfg);
13464 		return -EINVAL;
13465 	}
13466 	cfg->src_port = port;
13467 #endif
13468 
13469 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13470 	cfg->payload_len = data_size;
13471 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13472 	memcpy((void *)cfg->payload,
13473 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13474 	       data_size);
13475 	if (seq)
13476 		cfg->payload_seq = *seq;
13477 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13478 	cfg->wake_len = wake_size;
13479 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13480 	memcpy((void *)cfg->wake_data,
13481 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13482 	       wake_size);
13483 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13484 			 data_size + wake_size;
13485 	memcpy((void *)cfg->wake_mask,
13486 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13487 	       wake_mask_size);
13488 	if (tok) {
13489 		cfg->tokens_size = tokens_size;
13490 		cfg->payload_tok = *tok;
13491 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13492 		       tokens_size);
13493 	}
13494 
13495 	trig->tcp = cfg;
13496 
13497 	return 0;
13498 }
13499 
13500 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13501 				   const struct wiphy_wowlan_support *wowlan,
13502 				   struct nlattr *attr,
13503 				   struct cfg80211_wowlan *trig)
13504 {
13505 	struct nlattr **tb;
13506 	int err;
13507 
13508 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13509 	if (!tb)
13510 		return -ENOMEM;
13511 
13512 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13513 		err = -EOPNOTSUPP;
13514 		goto out;
13515 	}
13516 
13517 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13518 					  nl80211_policy, NULL);
13519 	if (err)
13520 		goto out;
13521 
13522 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13523 						   wowlan->max_nd_match_sets);
13524 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13525 	if (err)
13526 		trig->nd_config = NULL;
13527 
13528 out:
13529 	kfree(tb);
13530 	return err;
13531 }
13532 
13533 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13534 {
13535 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13536 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13537 	struct cfg80211_wowlan new_triggers = {};
13538 	struct cfg80211_wowlan *ntrig;
13539 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13540 	int err, i;
13541 	bool prev_enabled = rdev->wiphy.wowlan_config;
13542 	bool regular = false;
13543 
13544 	if (!wowlan)
13545 		return -EOPNOTSUPP;
13546 
13547 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13548 		cfg80211_rdev_free_wowlan(rdev);
13549 		rdev->wiphy.wowlan_config = NULL;
13550 		goto set_wakeup;
13551 	}
13552 
13553 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13554 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13555 					  nl80211_wowlan_policy, info->extack);
13556 	if (err)
13557 		return err;
13558 
13559 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13560 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13561 			return -EINVAL;
13562 		new_triggers.any = true;
13563 	}
13564 
13565 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13566 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13567 			return -EINVAL;
13568 		new_triggers.disconnect = true;
13569 		regular = true;
13570 	}
13571 
13572 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13573 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13574 			return -EINVAL;
13575 		new_triggers.magic_pkt = true;
13576 		regular = true;
13577 	}
13578 
13579 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13580 		return -EINVAL;
13581 
13582 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13583 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13584 			return -EINVAL;
13585 		new_triggers.gtk_rekey_failure = true;
13586 		regular = true;
13587 	}
13588 
13589 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13590 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13591 			return -EINVAL;
13592 		new_triggers.eap_identity_req = true;
13593 		regular = true;
13594 	}
13595 
13596 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13597 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13598 			return -EINVAL;
13599 		new_triggers.four_way_handshake = true;
13600 		regular = true;
13601 	}
13602 
13603 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13604 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13605 			return -EINVAL;
13606 		new_triggers.rfkill_release = true;
13607 		regular = true;
13608 	}
13609 
13610 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13611 		struct nlattr *pat;
13612 		int n_patterns = 0;
13613 		int rem, pat_len, mask_len, pkt_offset;
13614 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13615 
13616 		regular = true;
13617 
13618 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13619 				    rem)
13620 			n_patterns++;
13621 		if (n_patterns > wowlan->n_patterns)
13622 			return -EINVAL;
13623 
13624 		new_triggers.patterns = kcalloc(n_patterns,
13625 						sizeof(new_triggers.patterns[0]),
13626 						GFP_KERNEL);
13627 		if (!new_triggers.patterns)
13628 			return -ENOMEM;
13629 
13630 		new_triggers.n_patterns = n_patterns;
13631 		i = 0;
13632 
13633 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13634 				    rem) {
13635 			u8 *mask_pat;
13636 
13637 			err = nla_parse_nested_deprecated(pat_tb,
13638 							  MAX_NL80211_PKTPAT,
13639 							  pat,
13640 							  nl80211_packet_pattern_policy,
13641 							  info->extack);
13642 			if (err)
13643 				goto error;
13644 
13645 			err = -EINVAL;
13646 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13647 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13648 				goto error;
13649 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13650 			mask_len = DIV_ROUND_UP(pat_len, 8);
13651 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13652 				goto error;
13653 			if (pat_len > wowlan->pattern_max_len ||
13654 			    pat_len < wowlan->pattern_min_len)
13655 				goto error;
13656 
13657 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13658 				pkt_offset = 0;
13659 			else
13660 				pkt_offset = nla_get_u32(
13661 					pat_tb[NL80211_PKTPAT_OFFSET]);
13662 			if (pkt_offset > wowlan->max_pkt_offset)
13663 				goto error;
13664 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13665 
13666 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13667 			if (!mask_pat) {
13668 				err = -ENOMEM;
13669 				goto error;
13670 			}
13671 			new_triggers.patterns[i].mask = mask_pat;
13672 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13673 			       mask_len);
13674 			mask_pat += mask_len;
13675 			new_triggers.patterns[i].pattern = mask_pat;
13676 			new_triggers.patterns[i].pattern_len = pat_len;
13677 			memcpy(mask_pat,
13678 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13679 			       pat_len);
13680 			i++;
13681 		}
13682 	}
13683 
13684 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13685 		regular = true;
13686 		err = nl80211_parse_wowlan_tcp(
13687 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13688 			&new_triggers);
13689 		if (err)
13690 			goto error;
13691 	}
13692 
13693 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13694 		regular = true;
13695 		err = nl80211_parse_wowlan_nd(
13696 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13697 			&new_triggers);
13698 		if (err)
13699 			goto error;
13700 	}
13701 
13702 	/* The 'any' trigger means the device continues operating more or less
13703 	 * as in its normal operation mode and wakes up the host on most of the
13704 	 * normal interrupts (like packet RX, ...)
13705 	 * It therefore makes little sense to combine with the more constrained
13706 	 * wakeup trigger modes.
13707 	 */
13708 	if (new_triggers.any && regular) {
13709 		err = -EINVAL;
13710 		goto error;
13711 	}
13712 
13713 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13714 	if (!ntrig) {
13715 		err = -ENOMEM;
13716 		goto error;
13717 	}
13718 	cfg80211_rdev_free_wowlan(rdev);
13719 	rdev->wiphy.wowlan_config = ntrig;
13720 
13721  set_wakeup:
13722 	if (rdev->ops->set_wakeup &&
13723 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13724 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13725 
13726 	return 0;
13727  error:
13728 	for (i = 0; i < new_triggers.n_patterns; i++)
13729 		kfree(new_triggers.patterns[i].mask);
13730 	kfree(new_triggers.patterns);
13731 	if (new_triggers.tcp && new_triggers.tcp->sock)
13732 		sock_release(new_triggers.tcp->sock);
13733 	kfree(new_triggers.tcp);
13734 	kfree(new_triggers.nd_config);
13735 	return err;
13736 }
13737 #endif
13738 
13739 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13740 				       struct cfg80211_registered_device *rdev)
13741 {
13742 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13743 	int i, j, pat_len;
13744 	struct cfg80211_coalesce_rules *rule;
13745 
13746 	if (!rdev->coalesce->n_rules)
13747 		return 0;
13748 
13749 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13750 	if (!nl_rules)
13751 		return -ENOBUFS;
13752 
13753 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13754 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13755 		if (!nl_rule)
13756 			return -ENOBUFS;
13757 
13758 		rule = &rdev->coalesce->rules[i];
13759 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13760 				rule->delay))
13761 			return -ENOBUFS;
13762 
13763 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13764 				rule->condition))
13765 			return -ENOBUFS;
13766 
13767 		nl_pats = nla_nest_start_noflag(msg,
13768 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13769 		if (!nl_pats)
13770 			return -ENOBUFS;
13771 
13772 		for (j = 0; j < rule->n_patterns; j++) {
13773 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13774 			if (!nl_pat)
13775 				return -ENOBUFS;
13776 			pat_len = rule->patterns[j].pattern_len;
13777 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13778 				    DIV_ROUND_UP(pat_len, 8),
13779 				    rule->patterns[j].mask) ||
13780 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13781 				    rule->patterns[j].pattern) ||
13782 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13783 					rule->patterns[j].pkt_offset))
13784 				return -ENOBUFS;
13785 			nla_nest_end(msg, nl_pat);
13786 		}
13787 		nla_nest_end(msg, nl_pats);
13788 		nla_nest_end(msg, nl_rule);
13789 	}
13790 	nla_nest_end(msg, nl_rules);
13791 
13792 	return 0;
13793 }
13794 
13795 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13796 {
13797 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13798 	struct sk_buff *msg;
13799 	void *hdr;
13800 
13801 	if (!rdev->wiphy.coalesce)
13802 		return -EOPNOTSUPP;
13803 
13804 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13805 	if (!msg)
13806 		return -ENOMEM;
13807 
13808 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13809 			     NL80211_CMD_GET_COALESCE);
13810 	if (!hdr)
13811 		goto nla_put_failure;
13812 
13813 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13814 		goto nla_put_failure;
13815 
13816 	genlmsg_end(msg, hdr);
13817 	return genlmsg_reply(msg, info);
13818 
13819 nla_put_failure:
13820 	nlmsg_free(msg);
13821 	return -ENOBUFS;
13822 }
13823 
13824 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13825 {
13826 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13827 	int i, j;
13828 	struct cfg80211_coalesce_rules *rule;
13829 
13830 	if (!coalesce)
13831 		return;
13832 
13833 	for (i = 0; i < coalesce->n_rules; i++) {
13834 		rule = &coalesce->rules[i];
13835 		for (j = 0; j < rule->n_patterns; j++)
13836 			kfree(rule->patterns[j].mask);
13837 		kfree(rule->patterns);
13838 	}
13839 	kfree(coalesce->rules);
13840 	kfree(coalesce);
13841 	rdev->coalesce = NULL;
13842 }
13843 
13844 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13845 				       struct nlattr *rule,
13846 				       struct cfg80211_coalesce_rules *new_rule)
13847 {
13848 	int err, i;
13849 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13850 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13851 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13852 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13853 
13854 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13855 					  rule, nl80211_coalesce_policy, NULL);
13856 	if (err)
13857 		return err;
13858 
13859 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13860 		new_rule->delay =
13861 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13862 	if (new_rule->delay > coalesce->max_delay)
13863 		return -EINVAL;
13864 
13865 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13866 		new_rule->condition =
13867 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13868 
13869 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13870 		return -EINVAL;
13871 
13872 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13873 			    rem)
13874 		n_patterns++;
13875 	if (n_patterns > coalesce->n_patterns)
13876 		return -EINVAL;
13877 
13878 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13879 				     GFP_KERNEL);
13880 	if (!new_rule->patterns)
13881 		return -ENOMEM;
13882 
13883 	new_rule->n_patterns = n_patterns;
13884 	i = 0;
13885 
13886 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13887 			    rem) {
13888 		u8 *mask_pat;
13889 
13890 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13891 						  pat,
13892 						  nl80211_packet_pattern_policy,
13893 						  NULL);
13894 		if (err)
13895 			return err;
13896 
13897 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13898 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13899 			return -EINVAL;
13900 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13901 		mask_len = DIV_ROUND_UP(pat_len, 8);
13902 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13903 			return -EINVAL;
13904 		if (pat_len > coalesce->pattern_max_len ||
13905 		    pat_len < coalesce->pattern_min_len)
13906 			return -EINVAL;
13907 
13908 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13909 			pkt_offset = 0;
13910 		else
13911 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13912 		if (pkt_offset > coalesce->max_pkt_offset)
13913 			return -EINVAL;
13914 		new_rule->patterns[i].pkt_offset = pkt_offset;
13915 
13916 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13917 		if (!mask_pat)
13918 			return -ENOMEM;
13919 
13920 		new_rule->patterns[i].mask = mask_pat;
13921 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13922 		       mask_len);
13923 
13924 		mask_pat += mask_len;
13925 		new_rule->patterns[i].pattern = mask_pat;
13926 		new_rule->patterns[i].pattern_len = pat_len;
13927 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13928 		       pat_len);
13929 		i++;
13930 	}
13931 
13932 	return 0;
13933 }
13934 
13935 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13936 {
13937 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13938 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13939 	struct cfg80211_coalesce new_coalesce = {};
13940 	struct cfg80211_coalesce *n_coalesce;
13941 	int err, rem_rule, n_rules = 0, i, j;
13942 	struct nlattr *rule;
13943 	struct cfg80211_coalesce_rules *tmp_rule;
13944 
13945 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13946 		return -EOPNOTSUPP;
13947 
13948 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13949 		cfg80211_rdev_free_coalesce(rdev);
13950 		rdev_set_coalesce(rdev, NULL);
13951 		return 0;
13952 	}
13953 
13954 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13955 			    rem_rule)
13956 		n_rules++;
13957 	if (n_rules > coalesce->n_rules)
13958 		return -EINVAL;
13959 
13960 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13961 				     GFP_KERNEL);
13962 	if (!new_coalesce.rules)
13963 		return -ENOMEM;
13964 
13965 	new_coalesce.n_rules = n_rules;
13966 	i = 0;
13967 
13968 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13969 			    rem_rule) {
13970 		err = nl80211_parse_coalesce_rule(rdev, rule,
13971 						  &new_coalesce.rules[i]);
13972 		if (err)
13973 			goto error;
13974 
13975 		i++;
13976 	}
13977 
13978 	err = rdev_set_coalesce(rdev, &new_coalesce);
13979 	if (err)
13980 		goto error;
13981 
13982 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13983 	if (!n_coalesce) {
13984 		err = -ENOMEM;
13985 		goto error;
13986 	}
13987 	cfg80211_rdev_free_coalesce(rdev);
13988 	rdev->coalesce = n_coalesce;
13989 
13990 	return 0;
13991 error:
13992 	for (i = 0; i < new_coalesce.n_rules; i++) {
13993 		tmp_rule = &new_coalesce.rules[i];
13994 		for (j = 0; j < tmp_rule->n_patterns; j++)
13995 			kfree(tmp_rule->patterns[j].mask);
13996 		kfree(tmp_rule->patterns);
13997 	}
13998 	kfree(new_coalesce.rules);
13999 
14000 	return err;
14001 }
14002 
14003 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14004 {
14005 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14006 	struct net_device *dev = info->user_ptr[1];
14007 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14008 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14009 	struct cfg80211_gtk_rekey_data rekey_data = {};
14010 	int err;
14011 
14012 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14013 		return -EINVAL;
14014 
14015 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14016 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14017 					  nl80211_rekey_policy, info->extack);
14018 	if (err)
14019 		return err;
14020 
14021 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14022 	    !tb[NL80211_REKEY_DATA_KCK])
14023 		return -EINVAL;
14024 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14025 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14026 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14027 		return -ERANGE;
14028 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14029 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14030 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14031 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14032 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14033 		return -ERANGE;
14034 
14035 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14036 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14037 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14038 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14039 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14040 	if (tb[NL80211_REKEY_DATA_AKM])
14041 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14042 
14043 	wdev_lock(wdev);
14044 	if (!wdev->connected) {
14045 		err = -ENOTCONN;
14046 		goto out;
14047 	}
14048 
14049 	if (!rdev->ops->set_rekey_data) {
14050 		err = -EOPNOTSUPP;
14051 		goto out;
14052 	}
14053 
14054 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
14055  out:
14056 	wdev_unlock(wdev);
14057 	return err;
14058 }
14059 
14060 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14061 					     struct genl_info *info)
14062 {
14063 	struct net_device *dev = info->user_ptr[1];
14064 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14065 
14066 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14067 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14068 		return -EINVAL;
14069 
14070 	if (wdev->ap_unexpected_nlportid)
14071 		return -EBUSY;
14072 
14073 	wdev->ap_unexpected_nlportid = info->snd_portid;
14074 	return 0;
14075 }
14076 
14077 static int nl80211_probe_client(struct sk_buff *skb,
14078 				struct genl_info *info)
14079 {
14080 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14081 	struct net_device *dev = info->user_ptr[1];
14082 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14083 	struct sk_buff *msg;
14084 	void *hdr;
14085 	const u8 *addr;
14086 	u64 cookie;
14087 	int err;
14088 
14089 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14090 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14091 		return -EOPNOTSUPP;
14092 
14093 	if (!info->attrs[NL80211_ATTR_MAC])
14094 		return -EINVAL;
14095 
14096 	if (!rdev->ops->probe_client)
14097 		return -EOPNOTSUPP;
14098 
14099 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14100 	if (!msg)
14101 		return -ENOMEM;
14102 
14103 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14104 			     NL80211_CMD_PROBE_CLIENT);
14105 	if (!hdr) {
14106 		err = -ENOBUFS;
14107 		goto free_msg;
14108 	}
14109 
14110 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14111 
14112 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14113 	if (err)
14114 		goto free_msg;
14115 
14116 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14117 			      NL80211_ATTR_PAD))
14118 		goto nla_put_failure;
14119 
14120 	genlmsg_end(msg, hdr);
14121 
14122 	return genlmsg_reply(msg, info);
14123 
14124  nla_put_failure:
14125 	err = -ENOBUFS;
14126  free_msg:
14127 	nlmsg_free(msg);
14128 	return err;
14129 }
14130 
14131 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14132 {
14133 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14134 	struct cfg80211_beacon_registration *reg, *nreg;
14135 	int rv;
14136 
14137 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14138 		return -EOPNOTSUPP;
14139 
14140 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14141 	if (!nreg)
14142 		return -ENOMEM;
14143 
14144 	/* First, check if already registered. */
14145 	spin_lock_bh(&rdev->beacon_registrations_lock);
14146 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14147 		if (reg->nlportid == info->snd_portid) {
14148 			rv = -EALREADY;
14149 			goto out_err;
14150 		}
14151 	}
14152 	/* Add it to the list */
14153 	nreg->nlportid = info->snd_portid;
14154 	list_add(&nreg->list, &rdev->beacon_registrations);
14155 
14156 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14157 
14158 	return 0;
14159 out_err:
14160 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14161 	kfree(nreg);
14162 	return rv;
14163 }
14164 
14165 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14166 {
14167 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14168 	struct wireless_dev *wdev = info->user_ptr[1];
14169 	int err;
14170 
14171 	if (!rdev->ops->start_p2p_device)
14172 		return -EOPNOTSUPP;
14173 
14174 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14175 		return -EOPNOTSUPP;
14176 
14177 	if (wdev_running(wdev))
14178 		return 0;
14179 
14180 	if (rfkill_blocked(rdev->wiphy.rfkill))
14181 		return -ERFKILL;
14182 
14183 	err = rdev_start_p2p_device(rdev, wdev);
14184 	if (err)
14185 		return err;
14186 
14187 	wdev->is_running = true;
14188 	rdev->opencount++;
14189 
14190 	return 0;
14191 }
14192 
14193 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14194 {
14195 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14196 	struct wireless_dev *wdev = info->user_ptr[1];
14197 
14198 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14199 		return -EOPNOTSUPP;
14200 
14201 	if (!rdev->ops->stop_p2p_device)
14202 		return -EOPNOTSUPP;
14203 
14204 	cfg80211_stop_p2p_device(rdev, wdev);
14205 
14206 	return 0;
14207 }
14208 
14209 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14210 {
14211 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14212 	struct wireless_dev *wdev = info->user_ptr[1];
14213 	struct cfg80211_nan_conf conf = {};
14214 	int err;
14215 
14216 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14217 		return -EOPNOTSUPP;
14218 
14219 	if (wdev_running(wdev))
14220 		return -EEXIST;
14221 
14222 	if (rfkill_blocked(rdev->wiphy.rfkill))
14223 		return -ERFKILL;
14224 
14225 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14226 		return -EINVAL;
14227 
14228 	conf.master_pref =
14229 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14230 
14231 	if (info->attrs[NL80211_ATTR_BANDS]) {
14232 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14233 
14234 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14235 			return -EOPNOTSUPP;
14236 
14237 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14238 			return -EINVAL;
14239 
14240 		conf.bands = bands;
14241 	}
14242 
14243 	err = rdev_start_nan(rdev, wdev, &conf);
14244 	if (err)
14245 		return err;
14246 
14247 	wdev->is_running = true;
14248 	rdev->opencount++;
14249 
14250 	return 0;
14251 }
14252 
14253 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14254 {
14255 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14256 	struct wireless_dev *wdev = info->user_ptr[1];
14257 
14258 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14259 		return -EOPNOTSUPP;
14260 
14261 	cfg80211_stop_nan(rdev, wdev);
14262 
14263 	return 0;
14264 }
14265 
14266 static int validate_nan_filter(struct nlattr *filter_attr)
14267 {
14268 	struct nlattr *attr;
14269 	int len = 0, n_entries = 0, rem;
14270 
14271 	nla_for_each_nested(attr, filter_attr, rem) {
14272 		len += nla_len(attr);
14273 		n_entries++;
14274 	}
14275 
14276 	if (len >= U8_MAX)
14277 		return -EINVAL;
14278 
14279 	return n_entries;
14280 }
14281 
14282 static int handle_nan_filter(struct nlattr *attr_filter,
14283 			     struct cfg80211_nan_func *func,
14284 			     bool tx)
14285 {
14286 	struct nlattr *attr;
14287 	int n_entries, rem, i;
14288 	struct cfg80211_nan_func_filter *filter;
14289 
14290 	n_entries = validate_nan_filter(attr_filter);
14291 	if (n_entries < 0)
14292 		return n_entries;
14293 
14294 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14295 
14296 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14297 	if (!filter)
14298 		return -ENOMEM;
14299 
14300 	i = 0;
14301 	nla_for_each_nested(attr, attr_filter, rem) {
14302 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14303 		if (!filter[i].filter)
14304 			goto err;
14305 
14306 		filter[i].len = nla_len(attr);
14307 		i++;
14308 	}
14309 	if (tx) {
14310 		func->num_tx_filters = n_entries;
14311 		func->tx_filters = filter;
14312 	} else {
14313 		func->num_rx_filters = n_entries;
14314 		func->rx_filters = filter;
14315 	}
14316 
14317 	return 0;
14318 
14319 err:
14320 	i = 0;
14321 	nla_for_each_nested(attr, attr_filter, rem) {
14322 		kfree(filter[i].filter);
14323 		i++;
14324 	}
14325 	kfree(filter);
14326 	return -ENOMEM;
14327 }
14328 
14329 static int nl80211_nan_add_func(struct sk_buff *skb,
14330 				struct genl_info *info)
14331 {
14332 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14333 	struct wireless_dev *wdev = info->user_ptr[1];
14334 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14335 	struct cfg80211_nan_func *func;
14336 	struct sk_buff *msg = NULL;
14337 	void *hdr = NULL;
14338 	int err = 0;
14339 
14340 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14341 		return -EOPNOTSUPP;
14342 
14343 	if (!wdev_running(wdev))
14344 		return -ENOTCONN;
14345 
14346 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14347 		return -EINVAL;
14348 
14349 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14350 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14351 					  nl80211_nan_func_policy,
14352 					  info->extack);
14353 	if (err)
14354 		return err;
14355 
14356 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14357 	if (!func)
14358 		return -ENOMEM;
14359 
14360 	func->cookie = cfg80211_assign_cookie(rdev);
14361 
14362 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14363 		err = -EINVAL;
14364 		goto out;
14365 	}
14366 
14367 
14368 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14369 
14370 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14371 		err = -EINVAL;
14372 		goto out;
14373 	}
14374 
14375 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14376 	       sizeof(func->service_id));
14377 
14378 	func->close_range =
14379 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14380 
14381 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14382 		func->serv_spec_info_len =
14383 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14384 		func->serv_spec_info =
14385 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14386 				func->serv_spec_info_len,
14387 				GFP_KERNEL);
14388 		if (!func->serv_spec_info) {
14389 			err = -ENOMEM;
14390 			goto out;
14391 		}
14392 	}
14393 
14394 	if (tb[NL80211_NAN_FUNC_TTL])
14395 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14396 
14397 	switch (func->type) {
14398 	case NL80211_NAN_FUNC_PUBLISH:
14399 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14400 			err = -EINVAL;
14401 			goto out;
14402 		}
14403 
14404 		func->publish_type =
14405 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14406 		func->publish_bcast =
14407 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14408 
14409 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14410 			func->publish_bcast) {
14411 			err = -EINVAL;
14412 			goto out;
14413 		}
14414 		break;
14415 	case NL80211_NAN_FUNC_SUBSCRIBE:
14416 		func->subscribe_active =
14417 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14418 		break;
14419 	case NL80211_NAN_FUNC_FOLLOW_UP:
14420 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14421 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14422 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14423 			err = -EINVAL;
14424 			goto out;
14425 		}
14426 
14427 		func->followup_id =
14428 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14429 		func->followup_reqid =
14430 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14431 		memcpy(func->followup_dest.addr,
14432 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14433 		       sizeof(func->followup_dest.addr));
14434 		if (func->ttl) {
14435 			err = -EINVAL;
14436 			goto out;
14437 		}
14438 		break;
14439 	default:
14440 		err = -EINVAL;
14441 		goto out;
14442 	}
14443 
14444 	if (tb[NL80211_NAN_FUNC_SRF]) {
14445 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14446 
14447 		err = nla_parse_nested_deprecated(srf_tb,
14448 						  NL80211_NAN_SRF_ATTR_MAX,
14449 						  tb[NL80211_NAN_FUNC_SRF],
14450 						  nl80211_nan_srf_policy,
14451 						  info->extack);
14452 		if (err)
14453 			goto out;
14454 
14455 		func->srf_include =
14456 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14457 
14458 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14459 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14460 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14461 				err = -EINVAL;
14462 				goto out;
14463 			}
14464 
14465 			func->srf_bf_len =
14466 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14467 			func->srf_bf =
14468 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14469 					func->srf_bf_len, GFP_KERNEL);
14470 			if (!func->srf_bf) {
14471 				err = -ENOMEM;
14472 				goto out;
14473 			}
14474 
14475 			func->srf_bf_idx =
14476 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14477 		} else {
14478 			struct nlattr *attr, *mac_attr =
14479 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14480 			int n_entries, rem, i = 0;
14481 
14482 			if (!mac_attr) {
14483 				err = -EINVAL;
14484 				goto out;
14485 			}
14486 
14487 			n_entries = validate_acl_mac_addrs(mac_attr);
14488 			if (n_entries <= 0) {
14489 				err = -EINVAL;
14490 				goto out;
14491 			}
14492 
14493 			func->srf_num_macs = n_entries;
14494 			func->srf_macs =
14495 				kcalloc(n_entries, sizeof(*func->srf_macs),
14496 					GFP_KERNEL);
14497 			if (!func->srf_macs) {
14498 				err = -ENOMEM;
14499 				goto out;
14500 			}
14501 
14502 			nla_for_each_nested(attr, mac_attr, rem)
14503 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14504 				       sizeof(*func->srf_macs));
14505 		}
14506 	}
14507 
14508 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14509 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14510 					func, true);
14511 		if (err)
14512 			goto out;
14513 	}
14514 
14515 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14516 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14517 					func, false);
14518 		if (err)
14519 			goto out;
14520 	}
14521 
14522 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14523 	if (!msg) {
14524 		err = -ENOMEM;
14525 		goto out;
14526 	}
14527 
14528 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14529 			     NL80211_CMD_ADD_NAN_FUNCTION);
14530 	/* This can't really happen - we just allocated 4KB */
14531 	if (WARN_ON(!hdr)) {
14532 		err = -ENOMEM;
14533 		goto out;
14534 	}
14535 
14536 	err = rdev_add_nan_func(rdev, wdev, func);
14537 out:
14538 	if (err < 0) {
14539 		cfg80211_free_nan_func(func);
14540 		nlmsg_free(msg);
14541 		return err;
14542 	}
14543 
14544 	/* propagate the instance id and cookie to userspace  */
14545 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14546 			      NL80211_ATTR_PAD))
14547 		goto nla_put_failure;
14548 
14549 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14550 	if (!func_attr)
14551 		goto nla_put_failure;
14552 
14553 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14554 		       func->instance_id))
14555 		goto nla_put_failure;
14556 
14557 	nla_nest_end(msg, func_attr);
14558 
14559 	genlmsg_end(msg, hdr);
14560 	return genlmsg_reply(msg, info);
14561 
14562 nla_put_failure:
14563 	nlmsg_free(msg);
14564 	return -ENOBUFS;
14565 }
14566 
14567 static int nl80211_nan_del_func(struct sk_buff *skb,
14568 			       struct genl_info *info)
14569 {
14570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14571 	struct wireless_dev *wdev = info->user_ptr[1];
14572 	u64 cookie;
14573 
14574 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14575 		return -EOPNOTSUPP;
14576 
14577 	if (!wdev_running(wdev))
14578 		return -ENOTCONN;
14579 
14580 	if (!info->attrs[NL80211_ATTR_COOKIE])
14581 		return -EINVAL;
14582 
14583 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14584 
14585 	rdev_del_nan_func(rdev, wdev, cookie);
14586 
14587 	return 0;
14588 }
14589 
14590 static int nl80211_nan_change_config(struct sk_buff *skb,
14591 				     struct genl_info *info)
14592 {
14593 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14594 	struct wireless_dev *wdev = info->user_ptr[1];
14595 	struct cfg80211_nan_conf conf = {};
14596 	u32 changed = 0;
14597 
14598 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14599 		return -EOPNOTSUPP;
14600 
14601 	if (!wdev_running(wdev))
14602 		return -ENOTCONN;
14603 
14604 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14605 		conf.master_pref =
14606 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14607 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14608 			return -EINVAL;
14609 
14610 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14611 	}
14612 
14613 	if (info->attrs[NL80211_ATTR_BANDS]) {
14614 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14615 
14616 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14617 			return -EOPNOTSUPP;
14618 
14619 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14620 			return -EINVAL;
14621 
14622 		conf.bands = bands;
14623 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14624 	}
14625 
14626 	if (!changed)
14627 		return -EINVAL;
14628 
14629 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14630 }
14631 
14632 void cfg80211_nan_match(struct wireless_dev *wdev,
14633 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14634 {
14635 	struct wiphy *wiphy = wdev->wiphy;
14636 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14637 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14638 	struct sk_buff *msg;
14639 	void *hdr;
14640 
14641 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14642 		return;
14643 
14644 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14645 	if (!msg)
14646 		return;
14647 
14648 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14649 	if (!hdr) {
14650 		nlmsg_free(msg);
14651 		return;
14652 	}
14653 
14654 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14655 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14656 					 wdev->netdev->ifindex)) ||
14657 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14658 			      NL80211_ATTR_PAD))
14659 		goto nla_put_failure;
14660 
14661 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14662 			      NL80211_ATTR_PAD) ||
14663 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14664 		goto nla_put_failure;
14665 
14666 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14667 	if (!match_attr)
14668 		goto nla_put_failure;
14669 
14670 	local_func_attr = nla_nest_start_noflag(msg,
14671 						NL80211_NAN_MATCH_FUNC_LOCAL);
14672 	if (!local_func_attr)
14673 		goto nla_put_failure;
14674 
14675 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14676 		goto nla_put_failure;
14677 
14678 	nla_nest_end(msg, local_func_attr);
14679 
14680 	peer_func_attr = nla_nest_start_noflag(msg,
14681 					       NL80211_NAN_MATCH_FUNC_PEER);
14682 	if (!peer_func_attr)
14683 		goto nla_put_failure;
14684 
14685 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14686 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14687 		goto nla_put_failure;
14688 
14689 	if (match->info && match->info_len &&
14690 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14691 		    match->info))
14692 		goto nla_put_failure;
14693 
14694 	nla_nest_end(msg, peer_func_attr);
14695 	nla_nest_end(msg, match_attr);
14696 	genlmsg_end(msg, hdr);
14697 
14698 	if (!wdev->owner_nlportid)
14699 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14700 					msg, 0, NL80211_MCGRP_NAN, gfp);
14701 	else
14702 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14703 				wdev->owner_nlportid);
14704 
14705 	return;
14706 
14707 nla_put_failure:
14708 	nlmsg_free(msg);
14709 }
14710 EXPORT_SYMBOL(cfg80211_nan_match);
14711 
14712 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14713 				  u8 inst_id,
14714 				  enum nl80211_nan_func_term_reason reason,
14715 				  u64 cookie, gfp_t gfp)
14716 {
14717 	struct wiphy *wiphy = wdev->wiphy;
14718 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14719 	struct sk_buff *msg;
14720 	struct nlattr *func_attr;
14721 	void *hdr;
14722 
14723 	if (WARN_ON(!inst_id))
14724 		return;
14725 
14726 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14727 	if (!msg)
14728 		return;
14729 
14730 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14731 	if (!hdr) {
14732 		nlmsg_free(msg);
14733 		return;
14734 	}
14735 
14736 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14737 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14738 					 wdev->netdev->ifindex)) ||
14739 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14740 			      NL80211_ATTR_PAD))
14741 		goto nla_put_failure;
14742 
14743 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14744 			      NL80211_ATTR_PAD))
14745 		goto nla_put_failure;
14746 
14747 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14748 	if (!func_attr)
14749 		goto nla_put_failure;
14750 
14751 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14752 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14753 		goto nla_put_failure;
14754 
14755 	nla_nest_end(msg, func_attr);
14756 	genlmsg_end(msg, hdr);
14757 
14758 	if (!wdev->owner_nlportid)
14759 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14760 					msg, 0, NL80211_MCGRP_NAN, gfp);
14761 	else
14762 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14763 				wdev->owner_nlportid);
14764 
14765 	return;
14766 
14767 nla_put_failure:
14768 	nlmsg_free(msg);
14769 }
14770 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14771 
14772 static int nl80211_get_protocol_features(struct sk_buff *skb,
14773 					 struct genl_info *info)
14774 {
14775 	void *hdr;
14776 	struct sk_buff *msg;
14777 
14778 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14779 	if (!msg)
14780 		return -ENOMEM;
14781 
14782 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14783 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14784 	if (!hdr)
14785 		goto nla_put_failure;
14786 
14787 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14788 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14789 		goto nla_put_failure;
14790 
14791 	genlmsg_end(msg, hdr);
14792 	return genlmsg_reply(msg, info);
14793 
14794  nla_put_failure:
14795 	kfree_skb(msg);
14796 	return -ENOBUFS;
14797 }
14798 
14799 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14800 {
14801 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14802 	struct cfg80211_update_ft_ies_params ft_params;
14803 	struct net_device *dev = info->user_ptr[1];
14804 
14805 	if (!rdev->ops->update_ft_ies)
14806 		return -EOPNOTSUPP;
14807 
14808 	if (!info->attrs[NL80211_ATTR_MDID] ||
14809 	    !info->attrs[NL80211_ATTR_IE])
14810 		return -EINVAL;
14811 
14812 	memset(&ft_params, 0, sizeof(ft_params));
14813 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14814 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14815 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14816 
14817 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14818 }
14819 
14820 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14821 				       struct genl_info *info)
14822 {
14823 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14824 	struct wireless_dev *wdev = info->user_ptr[1];
14825 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14826 	u16 duration;
14827 	int ret;
14828 
14829 	if (!rdev->ops->crit_proto_start)
14830 		return -EOPNOTSUPP;
14831 
14832 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14833 		return -EINVAL;
14834 
14835 	if (rdev->crit_proto_nlportid)
14836 		return -EBUSY;
14837 
14838 	/* determine protocol if provided */
14839 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14840 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14841 
14842 	if (proto >= NUM_NL80211_CRIT_PROTO)
14843 		return -EINVAL;
14844 
14845 	/* timeout must be provided */
14846 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14847 		return -EINVAL;
14848 
14849 	duration =
14850 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14851 
14852 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14853 	if (!ret)
14854 		rdev->crit_proto_nlportid = info->snd_portid;
14855 
14856 	return ret;
14857 }
14858 
14859 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14860 				      struct genl_info *info)
14861 {
14862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14863 	struct wireless_dev *wdev = info->user_ptr[1];
14864 
14865 	if (!rdev->ops->crit_proto_stop)
14866 		return -EOPNOTSUPP;
14867 
14868 	if (rdev->crit_proto_nlportid) {
14869 		rdev->crit_proto_nlportid = 0;
14870 		rdev_crit_proto_stop(rdev, wdev);
14871 	}
14872 	return 0;
14873 }
14874 
14875 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14876 				       struct nlattr *attr,
14877 				       struct netlink_ext_ack *extack)
14878 {
14879 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14880 		if (attr->nla_type & NLA_F_NESTED) {
14881 			NL_SET_ERR_MSG_ATTR(extack, attr,
14882 					    "unexpected nested data");
14883 			return -EINVAL;
14884 		}
14885 
14886 		return 0;
14887 	}
14888 
14889 	if (!(attr->nla_type & NLA_F_NESTED)) {
14890 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14891 		return -EINVAL;
14892 	}
14893 
14894 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14895 }
14896 
14897 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14898 {
14899 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14900 	struct wireless_dev *wdev =
14901 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14902 					   info->attrs);
14903 	int i, err;
14904 	u32 vid, subcmd;
14905 
14906 	if (!rdev->wiphy.vendor_commands)
14907 		return -EOPNOTSUPP;
14908 
14909 	if (IS_ERR(wdev)) {
14910 		err = PTR_ERR(wdev);
14911 		if (err != -EINVAL)
14912 			return err;
14913 		wdev = NULL;
14914 	} else if (wdev->wiphy != &rdev->wiphy) {
14915 		return -EINVAL;
14916 	}
14917 
14918 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14919 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14920 		return -EINVAL;
14921 
14922 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14923 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14924 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14925 		const struct wiphy_vendor_command *vcmd;
14926 		void *data = NULL;
14927 		int len = 0;
14928 
14929 		vcmd = &rdev->wiphy.vendor_commands[i];
14930 
14931 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14932 			continue;
14933 
14934 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14935 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14936 			if (!wdev)
14937 				return -EINVAL;
14938 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14939 			    !wdev->netdev)
14940 				return -EINVAL;
14941 
14942 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14943 				if (!wdev_running(wdev))
14944 					return -ENETDOWN;
14945 			}
14946 		} else {
14947 			wdev = NULL;
14948 		}
14949 
14950 		if (!vcmd->doit)
14951 			return -EOPNOTSUPP;
14952 
14953 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14954 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14955 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14956 
14957 			err = nl80211_vendor_check_policy(vcmd,
14958 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14959 					info->extack);
14960 			if (err)
14961 				return err;
14962 		}
14963 
14964 		rdev->cur_cmd_info = info;
14965 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14966 		rdev->cur_cmd_info = NULL;
14967 		return err;
14968 	}
14969 
14970 	return -EOPNOTSUPP;
14971 }
14972 
14973 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14974 				       struct netlink_callback *cb,
14975 				       struct cfg80211_registered_device **rdev,
14976 				       struct wireless_dev **wdev)
14977 {
14978 	struct nlattr **attrbuf;
14979 	u32 vid, subcmd;
14980 	unsigned int i;
14981 	int vcmd_idx = -1;
14982 	int err;
14983 	void *data = NULL;
14984 	unsigned int data_len = 0;
14985 
14986 	if (cb->args[0]) {
14987 		/* subtract the 1 again here */
14988 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
14989 		struct wireless_dev *tmp;
14990 
14991 		if (!wiphy)
14992 			return -ENODEV;
14993 		*rdev = wiphy_to_rdev(wiphy);
14994 		*wdev = NULL;
14995 
14996 		if (cb->args[1]) {
14997 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
14998 				if (tmp->identifier == cb->args[1] - 1) {
14999 					*wdev = tmp;
15000 					break;
15001 				}
15002 			}
15003 		}
15004 
15005 		/* keep rtnl locked in successful case */
15006 		return 0;
15007 	}
15008 
15009 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15010 	if (!attrbuf)
15011 		return -ENOMEM;
15012 
15013 	err = nlmsg_parse_deprecated(cb->nlh,
15014 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15015 				     attrbuf, nl80211_fam.maxattr,
15016 				     nl80211_policy, NULL);
15017 	if (err)
15018 		goto out;
15019 
15020 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15021 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15022 		err = -EINVAL;
15023 		goto out;
15024 	}
15025 
15026 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15027 	if (IS_ERR(*wdev))
15028 		*wdev = NULL;
15029 
15030 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15031 	if (IS_ERR(*rdev)) {
15032 		err = PTR_ERR(*rdev);
15033 		goto out;
15034 	}
15035 
15036 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15037 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15038 
15039 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15040 		const struct wiphy_vendor_command *vcmd;
15041 
15042 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15043 
15044 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15045 			continue;
15046 
15047 		if (!vcmd->dumpit) {
15048 			err = -EOPNOTSUPP;
15049 			goto out;
15050 		}
15051 
15052 		vcmd_idx = i;
15053 		break;
15054 	}
15055 
15056 	if (vcmd_idx < 0) {
15057 		err = -EOPNOTSUPP;
15058 		goto out;
15059 	}
15060 
15061 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15062 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15063 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15064 
15065 		err = nl80211_vendor_check_policy(
15066 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15067 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15068 				cb->extack);
15069 		if (err)
15070 			goto out;
15071 	}
15072 
15073 	/* 0 is the first index - add 1 to parse only once */
15074 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15075 	/* add 1 to know if it was NULL */
15076 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15077 	cb->args[2] = vcmd_idx;
15078 	cb->args[3] = (unsigned long)data;
15079 	cb->args[4] = data_len;
15080 
15081 	/* keep rtnl locked in successful case */
15082 	err = 0;
15083 out:
15084 	kfree(attrbuf);
15085 	return err;
15086 }
15087 
15088 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15089 				   struct netlink_callback *cb)
15090 {
15091 	struct cfg80211_registered_device *rdev;
15092 	struct wireless_dev *wdev;
15093 	unsigned int vcmd_idx;
15094 	const struct wiphy_vendor_command *vcmd;
15095 	void *data;
15096 	int data_len;
15097 	int err;
15098 	struct nlattr *vendor_data;
15099 
15100 	rtnl_lock();
15101 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15102 	if (err)
15103 		goto out;
15104 
15105 	vcmd_idx = cb->args[2];
15106 	data = (void *)cb->args[3];
15107 	data_len = cb->args[4];
15108 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15109 
15110 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15111 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15112 		if (!wdev) {
15113 			err = -EINVAL;
15114 			goto out;
15115 		}
15116 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15117 		    !wdev->netdev) {
15118 			err = -EINVAL;
15119 			goto out;
15120 		}
15121 
15122 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15123 			if (!wdev_running(wdev)) {
15124 				err = -ENETDOWN;
15125 				goto out;
15126 			}
15127 		}
15128 	}
15129 
15130 	while (1) {
15131 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15132 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15133 					   NL80211_CMD_VENDOR);
15134 		if (!hdr)
15135 			break;
15136 
15137 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15138 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15139 					       wdev_id(wdev),
15140 					       NL80211_ATTR_PAD))) {
15141 			genlmsg_cancel(skb, hdr);
15142 			break;
15143 		}
15144 
15145 		vendor_data = nla_nest_start_noflag(skb,
15146 						    NL80211_ATTR_VENDOR_DATA);
15147 		if (!vendor_data) {
15148 			genlmsg_cancel(skb, hdr);
15149 			break;
15150 		}
15151 
15152 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15153 				   (unsigned long *)&cb->args[5]);
15154 		nla_nest_end(skb, vendor_data);
15155 
15156 		if (err == -ENOBUFS || err == -ENOENT) {
15157 			genlmsg_cancel(skb, hdr);
15158 			break;
15159 		} else if (err <= 0) {
15160 			genlmsg_cancel(skb, hdr);
15161 			goto out;
15162 		}
15163 
15164 		genlmsg_end(skb, hdr);
15165 	}
15166 
15167 	err = skb->len;
15168  out:
15169 	rtnl_unlock();
15170 	return err;
15171 }
15172 
15173 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15174 					   enum nl80211_commands cmd,
15175 					   enum nl80211_attrs attr,
15176 					   int approxlen)
15177 {
15178 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15179 
15180 	if (WARN_ON(!rdev->cur_cmd_info))
15181 		return NULL;
15182 
15183 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15184 					   rdev->cur_cmd_info->snd_portid,
15185 					   rdev->cur_cmd_info->snd_seq,
15186 					   cmd, attr, NULL, GFP_KERNEL);
15187 }
15188 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15189 
15190 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15191 {
15192 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15193 	void *hdr = ((void **)skb->cb)[1];
15194 	struct nlattr *data = ((void **)skb->cb)[2];
15195 
15196 	/* clear CB data for netlink core to own from now on */
15197 	memset(skb->cb, 0, sizeof(skb->cb));
15198 
15199 	if (WARN_ON(!rdev->cur_cmd_info)) {
15200 		kfree_skb(skb);
15201 		return -EINVAL;
15202 	}
15203 
15204 	nla_nest_end(skb, data);
15205 	genlmsg_end(skb, hdr);
15206 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15207 }
15208 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15209 
15210 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15211 {
15212 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15213 
15214 	if (WARN_ON(!rdev->cur_cmd_info))
15215 		return 0;
15216 
15217 	return rdev->cur_cmd_info->snd_portid;
15218 }
15219 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15220 
15221 static int nl80211_set_qos_map(struct sk_buff *skb,
15222 			       struct genl_info *info)
15223 {
15224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15225 	struct cfg80211_qos_map *qos_map = NULL;
15226 	struct net_device *dev = info->user_ptr[1];
15227 	u8 *pos, len, num_des, des_len, des;
15228 	int ret;
15229 
15230 	if (!rdev->ops->set_qos_map)
15231 		return -EOPNOTSUPP;
15232 
15233 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15234 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15235 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15236 
15237 		if (len % 2)
15238 			return -EINVAL;
15239 
15240 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15241 		if (!qos_map)
15242 			return -ENOMEM;
15243 
15244 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15245 		if (num_des) {
15246 			des_len = num_des *
15247 				sizeof(struct cfg80211_dscp_exception);
15248 			memcpy(qos_map->dscp_exception, pos, des_len);
15249 			qos_map->num_des = num_des;
15250 			for (des = 0; des < num_des; des++) {
15251 				if (qos_map->dscp_exception[des].up > 7) {
15252 					kfree(qos_map);
15253 					return -EINVAL;
15254 				}
15255 			}
15256 			pos += des_len;
15257 		}
15258 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15259 	}
15260 
15261 	wdev_lock(dev->ieee80211_ptr);
15262 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15263 	if (!ret)
15264 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15265 	wdev_unlock(dev->ieee80211_ptr);
15266 
15267 	kfree(qos_map);
15268 	return ret;
15269 }
15270 
15271 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15272 {
15273 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15274 	struct net_device *dev = info->user_ptr[1];
15275 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15276 	const u8 *peer;
15277 	u8 tsid, up;
15278 	u16 admitted_time = 0;
15279 	int err;
15280 
15281 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15282 		return -EOPNOTSUPP;
15283 
15284 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15285 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15286 		return -EINVAL;
15287 
15288 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15289 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15290 
15291 	/* WMM uses TIDs 0-7 even for TSPEC */
15292 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15293 		/* TODO: handle 802.11 TSPEC/admission control
15294 		 * need more attributes for that (e.g. BA session requirement);
15295 		 * change the WMM adminssion test above to allow both then
15296 		 */
15297 		return -EINVAL;
15298 	}
15299 
15300 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15301 
15302 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15303 		admitted_time =
15304 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15305 		if (!admitted_time)
15306 			return -EINVAL;
15307 	}
15308 
15309 	wdev_lock(wdev);
15310 	switch (wdev->iftype) {
15311 	case NL80211_IFTYPE_STATION:
15312 	case NL80211_IFTYPE_P2P_CLIENT:
15313 		if (wdev->connected)
15314 			break;
15315 		err = -ENOTCONN;
15316 		goto out;
15317 	default:
15318 		err = -EOPNOTSUPP;
15319 		goto out;
15320 	}
15321 
15322 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15323 
15324  out:
15325 	wdev_unlock(wdev);
15326 	return err;
15327 }
15328 
15329 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15330 {
15331 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15332 	struct net_device *dev = info->user_ptr[1];
15333 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15334 	const u8 *peer;
15335 	u8 tsid;
15336 	int err;
15337 
15338 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15339 		return -EINVAL;
15340 
15341 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15342 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15343 
15344 	wdev_lock(wdev);
15345 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15346 	wdev_unlock(wdev);
15347 
15348 	return err;
15349 }
15350 
15351 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15352 				       struct genl_info *info)
15353 {
15354 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15355 	struct net_device *dev = info->user_ptr[1];
15356 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15357 	struct cfg80211_chan_def chandef = {};
15358 	const u8 *addr;
15359 	u8 oper_class;
15360 	int err;
15361 
15362 	if (!rdev->ops->tdls_channel_switch ||
15363 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15364 		return -EOPNOTSUPP;
15365 
15366 	switch (dev->ieee80211_ptr->iftype) {
15367 	case NL80211_IFTYPE_STATION:
15368 	case NL80211_IFTYPE_P2P_CLIENT:
15369 		break;
15370 	default:
15371 		return -EOPNOTSUPP;
15372 	}
15373 
15374 	if (!info->attrs[NL80211_ATTR_MAC] ||
15375 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15376 		return -EINVAL;
15377 
15378 	err = nl80211_parse_chandef(rdev, info, &chandef);
15379 	if (err)
15380 		return err;
15381 
15382 	/*
15383 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15384 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15385 	 * specification is not defined for them.
15386 	 */
15387 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15388 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15389 	    chandef.width != NL80211_CHAN_WIDTH_20)
15390 		return -EINVAL;
15391 
15392 	/* we will be active on the TDLS link */
15393 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15394 					   wdev->iftype))
15395 		return -EINVAL;
15396 
15397 	/* don't allow switching to DFS channels */
15398 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15399 		return -EINVAL;
15400 
15401 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15402 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15403 
15404 	wdev_lock(wdev);
15405 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15406 	wdev_unlock(wdev);
15407 
15408 	return err;
15409 }
15410 
15411 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15412 					      struct genl_info *info)
15413 {
15414 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15415 	struct net_device *dev = info->user_ptr[1];
15416 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15417 	const u8 *addr;
15418 
15419 	if (!rdev->ops->tdls_channel_switch ||
15420 	    !rdev->ops->tdls_cancel_channel_switch ||
15421 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15422 		return -EOPNOTSUPP;
15423 
15424 	switch (dev->ieee80211_ptr->iftype) {
15425 	case NL80211_IFTYPE_STATION:
15426 	case NL80211_IFTYPE_P2P_CLIENT:
15427 		break;
15428 	default:
15429 		return -EOPNOTSUPP;
15430 	}
15431 
15432 	if (!info->attrs[NL80211_ATTR_MAC])
15433 		return -EINVAL;
15434 
15435 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15436 
15437 	wdev_lock(wdev);
15438 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15439 	wdev_unlock(wdev);
15440 
15441 	return 0;
15442 }
15443 
15444 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15445 					    struct genl_info *info)
15446 {
15447 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15448 	struct net_device *dev = info->user_ptr[1];
15449 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15450 	const struct nlattr *nla;
15451 	bool enabled;
15452 
15453 	if (!rdev->ops->set_multicast_to_unicast)
15454 		return -EOPNOTSUPP;
15455 
15456 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15457 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15458 		return -EOPNOTSUPP;
15459 
15460 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15461 	enabled = nla_get_flag(nla);
15462 
15463 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15464 }
15465 
15466 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15467 {
15468 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15469 	struct net_device *dev = info->user_ptr[1];
15470 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15471 	struct cfg80211_pmk_conf pmk_conf = {};
15472 	int ret;
15473 
15474 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15475 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15476 		return -EOPNOTSUPP;
15477 
15478 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15479 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15480 		return -EOPNOTSUPP;
15481 
15482 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15483 		return -EINVAL;
15484 
15485 	wdev_lock(wdev);
15486 	if (!wdev->connected) {
15487 		ret = -ENOTCONN;
15488 		goto out;
15489 	}
15490 
15491 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15492 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15493 		ret = -EINVAL;
15494 		goto out;
15495 	}
15496 
15497 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15498 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15499 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15500 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15501 		ret = -EINVAL;
15502 		goto out;
15503 	}
15504 
15505 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15506 		pmk_conf.pmk_r0_name =
15507 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15508 
15509 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15510 out:
15511 	wdev_unlock(wdev);
15512 	return ret;
15513 }
15514 
15515 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15516 {
15517 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15518 	struct net_device *dev = info->user_ptr[1];
15519 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15520 	const u8 *aa;
15521 	int ret;
15522 
15523 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15524 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15525 		return -EOPNOTSUPP;
15526 
15527 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15528 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15529 		return -EOPNOTSUPP;
15530 
15531 	if (!info->attrs[NL80211_ATTR_MAC])
15532 		return -EINVAL;
15533 
15534 	wdev_lock(wdev);
15535 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15536 	ret = rdev_del_pmk(rdev, dev, aa);
15537 	wdev_unlock(wdev);
15538 
15539 	return ret;
15540 }
15541 
15542 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15543 {
15544 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15545 	struct net_device *dev = info->user_ptr[1];
15546 	struct cfg80211_external_auth_params params;
15547 
15548 	if (!rdev->ops->external_auth)
15549 		return -EOPNOTSUPP;
15550 
15551 	if (!info->attrs[NL80211_ATTR_SSID] &&
15552 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15553 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15554 		return -EINVAL;
15555 
15556 	if (!info->attrs[NL80211_ATTR_BSSID])
15557 		return -EINVAL;
15558 
15559 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15560 		return -EINVAL;
15561 
15562 	memset(&params, 0, sizeof(params));
15563 
15564 	if (info->attrs[NL80211_ATTR_SSID]) {
15565 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15566 		if (params.ssid.ssid_len == 0)
15567 			return -EINVAL;
15568 		memcpy(params.ssid.ssid,
15569 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15570 		       params.ssid.ssid_len);
15571 	}
15572 
15573 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15574 	       ETH_ALEN);
15575 
15576 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15577 
15578 	if (info->attrs[NL80211_ATTR_PMKID])
15579 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15580 
15581 	return rdev_external_auth(rdev, dev, &params);
15582 }
15583 
15584 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15585 {
15586 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15587 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15588 	struct net_device *dev = info->user_ptr[1];
15589 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15590 	const u8 *buf;
15591 	size_t len;
15592 	u8 *dest;
15593 	u16 proto;
15594 	bool noencrypt;
15595 	u64 cookie = 0;
15596 	int link_id;
15597 	int err;
15598 
15599 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15600 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15601 		return -EOPNOTSUPP;
15602 
15603 	if (!rdev->ops->tx_control_port)
15604 		return -EOPNOTSUPP;
15605 
15606 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15607 	    !info->attrs[NL80211_ATTR_MAC] ||
15608 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15609 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15610 		return -EINVAL;
15611 	}
15612 
15613 	wdev_lock(wdev);
15614 
15615 	switch (wdev->iftype) {
15616 	case NL80211_IFTYPE_AP:
15617 	case NL80211_IFTYPE_P2P_GO:
15618 	case NL80211_IFTYPE_MESH_POINT:
15619 		break;
15620 	case NL80211_IFTYPE_ADHOC:
15621 		if (wdev->u.ibss.current_bss)
15622 			break;
15623 		err = -ENOTCONN;
15624 		goto out;
15625 	case NL80211_IFTYPE_STATION:
15626 	case NL80211_IFTYPE_P2P_CLIENT:
15627 		if (wdev->connected)
15628 			break;
15629 		err = -ENOTCONN;
15630 		goto out;
15631 	default:
15632 		err = -EOPNOTSUPP;
15633 		goto out;
15634 	}
15635 
15636 	wdev_unlock(wdev);
15637 
15638 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15639 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15640 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15641 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15642 	noencrypt =
15643 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15644 
15645 	link_id = nl80211_link_id_or_invalid(info->attrs);
15646 
15647 	err = rdev_tx_control_port(rdev, dev, buf, len,
15648 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15649 				   dont_wait_for_ack ? NULL : &cookie);
15650 	if (!err && !dont_wait_for_ack)
15651 		nl_set_extack_cookie_u64(info->extack, cookie);
15652 	return err;
15653  out:
15654 	wdev_unlock(wdev);
15655 	return err;
15656 }
15657 
15658 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15659 					   struct genl_info *info)
15660 {
15661 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15662 	struct net_device *dev = info->user_ptr[1];
15663 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15664 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15665 	unsigned int link_id = nl80211_link_id(info->attrs);
15666 	struct sk_buff *msg;
15667 	void *hdr;
15668 	struct nlattr *ftm_stats_attr;
15669 	int err;
15670 
15671 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15672 	    !wdev->links[link_id].ap.beacon_interval)
15673 		return -EOPNOTSUPP;
15674 
15675 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15676 	if (err)
15677 		return err;
15678 
15679 	if (!ftm_stats.filled)
15680 		return -ENODATA;
15681 
15682 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15683 	if (!msg)
15684 		return -ENOMEM;
15685 
15686 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15687 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15688 	if (!hdr)
15689 		goto nla_put_failure;
15690 
15691 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15692 		goto nla_put_failure;
15693 
15694 	ftm_stats_attr = nla_nest_start_noflag(msg,
15695 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15696 	if (!ftm_stats_attr)
15697 		goto nla_put_failure;
15698 
15699 #define SET_FTM(field, name, type)					 \
15700 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15701 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15702 			     ftm_stats.field))				 \
15703 		goto nla_put_failure; } while (0)
15704 #define SET_FTM_U64(field, name)					 \
15705 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15706 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15707 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15708 		goto nla_put_failure; } while (0)
15709 
15710 	SET_FTM(success_num, SUCCESS_NUM, u32);
15711 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15712 	SET_FTM(failed_num, FAILED_NUM, u32);
15713 	SET_FTM(asap_num, ASAP_NUM, u32);
15714 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15715 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15716 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15717 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15718 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15719 #undef SET_FTM
15720 
15721 	nla_nest_end(msg, ftm_stats_attr);
15722 
15723 	genlmsg_end(msg, hdr);
15724 	return genlmsg_reply(msg, info);
15725 
15726 nla_put_failure:
15727 	nlmsg_free(msg);
15728 	return -ENOBUFS;
15729 }
15730 
15731 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15732 {
15733 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15734 	struct cfg80211_update_owe_info owe_info;
15735 	struct net_device *dev = info->user_ptr[1];
15736 
15737 	if (!rdev->ops->update_owe_info)
15738 		return -EOPNOTSUPP;
15739 
15740 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15741 	    !info->attrs[NL80211_ATTR_MAC])
15742 		return -EINVAL;
15743 
15744 	memset(&owe_info, 0, sizeof(owe_info));
15745 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15746 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15747 
15748 	if (info->attrs[NL80211_ATTR_IE]) {
15749 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15750 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15751 	}
15752 
15753 	return rdev_update_owe_info(rdev, dev, &owe_info);
15754 }
15755 
15756 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15757 {
15758 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15759 	struct net_device *dev = info->user_ptr[1];
15760 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15761 	struct station_info sinfo = {};
15762 	const u8 *buf;
15763 	size_t len;
15764 	u8 *dest;
15765 	int err;
15766 
15767 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15768 		return -EOPNOTSUPP;
15769 
15770 	if (!info->attrs[NL80211_ATTR_MAC] ||
15771 	    !info->attrs[NL80211_ATTR_FRAME]) {
15772 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15773 		return -EINVAL;
15774 	}
15775 
15776 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15777 		return -EOPNOTSUPP;
15778 
15779 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15780 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15781 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15782 
15783 	if (len < sizeof(struct ethhdr))
15784 		return -EINVAL;
15785 
15786 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15787 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15788 		return -EINVAL;
15789 
15790 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15791 	if (err)
15792 		return err;
15793 
15794 	cfg80211_sinfo_release_content(&sinfo);
15795 
15796 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15797 }
15798 
15799 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15800 			  struct nlattr *attrs[], struct net_device *dev,
15801 			  struct cfg80211_tid_cfg *tid_conf,
15802 			  struct genl_info *info, const u8 *peer,
15803 			  unsigned int link_id)
15804 {
15805 	struct netlink_ext_ack *extack = info->extack;
15806 	u64 mask;
15807 	int err;
15808 
15809 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15810 		return -EINVAL;
15811 
15812 	tid_conf->config_override =
15813 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15814 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15815 
15816 	if (tid_conf->config_override) {
15817 		if (rdev->ops->reset_tid_config) {
15818 			err = rdev_reset_tid_config(rdev, dev, peer,
15819 						    tid_conf->tids);
15820 			if (err)
15821 				return err;
15822 		} else {
15823 			return -EINVAL;
15824 		}
15825 	}
15826 
15827 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15828 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15829 		tid_conf->noack =
15830 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15831 	}
15832 
15833 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15834 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15835 		tid_conf->retry_short =
15836 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15837 
15838 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15839 			return -EINVAL;
15840 	}
15841 
15842 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15843 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15844 		tid_conf->retry_long =
15845 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15846 
15847 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15848 			return -EINVAL;
15849 	}
15850 
15851 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15852 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15853 		tid_conf->ampdu =
15854 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15855 	}
15856 
15857 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15858 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15859 		tid_conf->rtscts =
15860 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15861 	}
15862 
15863 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15864 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15865 		tid_conf->amsdu =
15866 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15867 	}
15868 
15869 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15870 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15871 
15872 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15873 
15874 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15875 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15876 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15877 						    &tid_conf->txrate_mask, dev,
15878 						    true, link_id);
15879 			if (err)
15880 				return err;
15881 
15882 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15883 		}
15884 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15885 	}
15886 
15887 	if (peer)
15888 		mask = rdev->wiphy.tid_config_support.peer;
15889 	else
15890 		mask = rdev->wiphy.tid_config_support.vif;
15891 
15892 	if (tid_conf->mask & ~mask) {
15893 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15894 		return -ENOTSUPP;
15895 	}
15896 
15897 	return 0;
15898 }
15899 
15900 static int nl80211_set_tid_config(struct sk_buff *skb,
15901 				  struct genl_info *info)
15902 {
15903 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15904 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15905 	unsigned int link_id = nl80211_link_id(info->attrs);
15906 	struct net_device *dev = info->user_ptr[1];
15907 	struct cfg80211_tid_config *tid_config;
15908 	struct nlattr *tid;
15909 	int conf_idx = 0, rem_conf;
15910 	int ret = -EINVAL;
15911 	u32 num_conf = 0;
15912 
15913 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15914 		return -EINVAL;
15915 
15916 	if (!rdev->ops->set_tid_config)
15917 		return -EOPNOTSUPP;
15918 
15919 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15920 			    rem_conf)
15921 		num_conf++;
15922 
15923 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15924 			     GFP_KERNEL);
15925 	if (!tid_config)
15926 		return -ENOMEM;
15927 
15928 	tid_config->n_tid_conf = num_conf;
15929 
15930 	if (info->attrs[NL80211_ATTR_MAC])
15931 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15932 
15933 	wdev_lock(dev->ieee80211_ptr);
15934 
15935 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15936 			    rem_conf) {
15937 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15938 				       tid, NULL, NULL);
15939 
15940 		if (ret)
15941 			goto bad_tid_conf;
15942 
15943 		ret = parse_tid_conf(rdev, attrs, dev,
15944 				     &tid_config->tid_conf[conf_idx],
15945 				     info, tid_config->peer, link_id);
15946 		if (ret)
15947 			goto bad_tid_conf;
15948 
15949 		conf_idx++;
15950 	}
15951 
15952 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15953 
15954 bad_tid_conf:
15955 	kfree(tid_config);
15956 	wdev_unlock(dev->ieee80211_ptr);
15957 	return ret;
15958 }
15959 
15960 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15961 {
15962 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15963 	struct cfg80211_color_change_settings params = {};
15964 	struct net_device *dev = info->user_ptr[1];
15965 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15966 	struct nlattr **tb;
15967 	u16 offset;
15968 	int err;
15969 
15970 	if (!rdev->ops->color_change)
15971 		return -EOPNOTSUPP;
15972 
15973 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15974 				     NL80211_EXT_FEATURE_BSS_COLOR))
15975 		return -EOPNOTSUPP;
15976 
15977 	if (wdev->iftype != NL80211_IFTYPE_AP)
15978 		return -EOPNOTSUPP;
15979 
15980 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15981 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15982 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15983 		return -EINVAL;
15984 
15985 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15986 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
15987 
15988 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
15989 				   info->extack);
15990 	if (err)
15991 		return err;
15992 
15993 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
15994 	if (!tb)
15995 		return -ENOMEM;
15996 
15997 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
15998 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
15999 			       nl80211_policy, info->extack);
16000 	if (err)
16001 		goto out;
16002 
16003 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16004 				   info->extack);
16005 	if (err)
16006 		goto out;
16007 
16008 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16009 		err = -EINVAL;
16010 		goto out;
16011 	}
16012 
16013 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16014 		err = -EINVAL;
16015 		goto out;
16016 	}
16017 
16018 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16019 	if (offset >= params.beacon_color_change.tail_len) {
16020 		err = -EINVAL;
16021 		goto out;
16022 	}
16023 
16024 	if (params.beacon_color_change.tail[offset] != params.count) {
16025 		err = -EINVAL;
16026 		goto out;
16027 	}
16028 
16029 	params.counter_offset_beacon = offset;
16030 
16031 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16032 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16033 		    sizeof(u16)) {
16034 			err = -EINVAL;
16035 			goto out;
16036 		}
16037 
16038 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16039 		if (offset >= params.beacon_color_change.probe_resp_len) {
16040 			err = -EINVAL;
16041 			goto out;
16042 		}
16043 
16044 		if (params.beacon_color_change.probe_resp[offset] !=
16045 		    params.count) {
16046 			err = -EINVAL;
16047 			goto out;
16048 		}
16049 
16050 		params.counter_offset_presp = offset;
16051 	}
16052 
16053 	wdev_lock(wdev);
16054 	err = rdev_color_change(rdev, dev, &params);
16055 	wdev_unlock(wdev);
16056 
16057 out:
16058 	kfree(params.beacon_next.mbssid_ies);
16059 	kfree(params.beacon_color_change.mbssid_ies);
16060 	kfree(params.beacon_next.rnr_ies);
16061 	kfree(params.beacon_color_change.rnr_ies);
16062 	kfree(tb);
16063 	return err;
16064 }
16065 
16066 static int nl80211_set_fils_aad(struct sk_buff *skb,
16067 				struct genl_info *info)
16068 {
16069 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16070 	struct net_device *dev = info->user_ptr[1];
16071 	struct cfg80211_fils_aad fils_aad = {};
16072 	u8 *nonces;
16073 
16074 	if (!info->attrs[NL80211_ATTR_MAC] ||
16075 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16076 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16077 		return -EINVAL;
16078 
16079 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16080 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16081 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16082 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16083 	fils_aad.snonce = nonces;
16084 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16085 
16086 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16087 }
16088 
16089 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16090 {
16091 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16092 	unsigned int link_id = nl80211_link_id(info->attrs);
16093 	struct net_device *dev = info->user_ptr[1];
16094 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16095 	int ret;
16096 
16097 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16098 		return -EINVAL;
16099 
16100 	switch (wdev->iftype) {
16101 	case NL80211_IFTYPE_AP:
16102 		break;
16103 	default:
16104 		return -EINVAL;
16105 	}
16106 
16107 	if (!info->attrs[NL80211_ATTR_MAC] ||
16108 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16109 		return -EINVAL;
16110 
16111 	wdev_lock(wdev);
16112 	wdev->valid_links |= BIT(link_id);
16113 	ether_addr_copy(wdev->links[link_id].addr,
16114 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16115 
16116 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16117 	if (ret) {
16118 		wdev->valid_links &= ~BIT(link_id);
16119 		eth_zero_addr(wdev->links[link_id].addr);
16120 	}
16121 	wdev_unlock(wdev);
16122 
16123 	return ret;
16124 }
16125 
16126 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16127 {
16128 	unsigned int link_id = nl80211_link_id(info->attrs);
16129 	struct net_device *dev = info->user_ptr[1];
16130 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16131 
16132 	/* cannot remove if there's no link */
16133 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16134 		return -EINVAL;
16135 
16136 	switch (wdev->iftype) {
16137 	case NL80211_IFTYPE_AP:
16138 		break;
16139 	default:
16140 		return -EINVAL;
16141 	}
16142 
16143 	wdev_lock(wdev);
16144 	cfg80211_remove_link(wdev, link_id);
16145 	wdev_unlock(wdev);
16146 
16147 	return 0;
16148 }
16149 
16150 static int
16151 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16152 			     bool add)
16153 {
16154 	struct link_station_parameters params = {};
16155 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16156 	struct net_device *dev = info->user_ptr[1];
16157 	int err;
16158 
16159 	if ((add && !rdev->ops->add_link_station) ||
16160 	    (!add && !rdev->ops->mod_link_station))
16161 		return -EOPNOTSUPP;
16162 
16163 	if (add && !info->attrs[NL80211_ATTR_MAC])
16164 		return -EINVAL;
16165 
16166 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16167 		return -EINVAL;
16168 
16169 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16170 		return -EINVAL;
16171 
16172 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16173 
16174 	if (info->attrs[NL80211_ATTR_MAC]) {
16175 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16176 		if (!is_valid_ether_addr(params.link_mac))
16177 			return -EINVAL;
16178 	}
16179 
16180 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16181 		return -EINVAL;
16182 
16183 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16184 
16185 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16186 		params.supported_rates =
16187 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16188 		params.supported_rates_len =
16189 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16190 	}
16191 
16192 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16193 		params.ht_capa =
16194 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16195 
16196 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16197 		params.vht_capa =
16198 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16199 
16200 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16201 		params.he_capa =
16202 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16203 		params.he_capa_len =
16204 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16205 
16206 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16207 			params.eht_capa =
16208 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16209 			params.eht_capa_len =
16210 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16211 
16212 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16213 							(const u8 *)params.eht_capa,
16214 							params.eht_capa_len,
16215 							false))
16216 				return -EINVAL;
16217 		}
16218 	}
16219 
16220 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16221 		params.he_6ghz_capa =
16222 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16223 
16224 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16225 		params.opmode_notif_used = true;
16226 		params.opmode_notif =
16227 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16228 	}
16229 
16230 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16231 						&params.txpwr_set);
16232 	if (err)
16233 		return err;
16234 
16235 	wdev_lock(dev->ieee80211_ptr);
16236 	if (add)
16237 		err = rdev_add_link_station(rdev, dev, &params);
16238 	else
16239 		err = rdev_mod_link_station(rdev, dev, &params);
16240 	wdev_unlock(dev->ieee80211_ptr);
16241 
16242 	return err;
16243 }
16244 
16245 static int
16246 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16247 {
16248 	return nl80211_add_mod_link_station(skb, info, true);
16249 }
16250 
16251 static int
16252 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16253 {
16254 	return nl80211_add_mod_link_station(skb, info, false);
16255 }
16256 
16257 static int
16258 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16259 {
16260 	struct link_station_del_parameters params = {};
16261 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16262 	struct net_device *dev = info->user_ptr[1];
16263 	int ret;
16264 
16265 	if (!rdev->ops->del_link_station)
16266 		return -EOPNOTSUPP;
16267 
16268 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16269 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16270 		return -EINVAL;
16271 
16272 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16273 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16274 
16275 	wdev_lock(dev->ieee80211_ptr);
16276 	ret = rdev_del_link_station(rdev, dev, &params);
16277 	wdev_unlock(dev->ieee80211_ptr);
16278 
16279 	return ret;
16280 }
16281 
16282 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16283 				    struct genl_info *info)
16284 {
16285 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16286 	struct net_device *dev = info->user_ptr[1];
16287 	struct cfg80211_set_hw_timestamp hwts = {};
16288 
16289 	if (!rdev->wiphy.hw_timestamp_max_peers)
16290 		return -EOPNOTSUPP;
16291 
16292 	if (!info->attrs[NL80211_ATTR_MAC] &&
16293 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16294 		return -EOPNOTSUPP;
16295 
16296 	if (info->attrs[NL80211_ATTR_MAC])
16297 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16298 
16299 	hwts.enable =
16300 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16301 
16302 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16303 }
16304 
16305 #define NL80211_FLAG_NEED_WIPHY		0x01
16306 #define NL80211_FLAG_NEED_NETDEV	0x02
16307 #define NL80211_FLAG_NEED_RTNL		0x04
16308 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16309 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16310 					 NL80211_FLAG_CHECK_NETDEV_UP)
16311 #define NL80211_FLAG_NEED_WDEV		0x10
16312 /* If a netdev is associated, it must be UP, P2P must be started */
16313 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16314 					 NL80211_FLAG_CHECK_NETDEV_UP)
16315 #define NL80211_FLAG_CLEAR_SKB		0x20
16316 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16317 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16318 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16319 
16320 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16321 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16322 	SELECTOR(__sel, WIPHY,				\
16323 		 NL80211_FLAG_NEED_WIPHY)		\
16324 	SELECTOR(__sel, WDEV,				\
16325 		 NL80211_FLAG_NEED_WDEV)		\
16326 	SELECTOR(__sel, NETDEV,				\
16327 		 NL80211_FLAG_NEED_NETDEV)		\
16328 	SELECTOR(__sel, NETDEV_LINK,			\
16329 		 NL80211_FLAG_NEED_NETDEV |		\
16330 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16331 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16332 		 NL80211_FLAG_NEED_NETDEV |		\
16333 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16334 	SELECTOR(__sel, WIPHY_RTNL,			\
16335 		 NL80211_FLAG_NEED_WIPHY |		\
16336 		 NL80211_FLAG_NEED_RTNL)		\
16337 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16338 		 NL80211_FLAG_NEED_WIPHY |		\
16339 		 NL80211_FLAG_NEED_RTNL |		\
16340 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16341 	SELECTOR(__sel, WDEV_RTNL,			\
16342 		 NL80211_FLAG_NEED_WDEV |		\
16343 		 NL80211_FLAG_NEED_RTNL)		\
16344 	SELECTOR(__sel, NETDEV_RTNL,			\
16345 		 NL80211_FLAG_NEED_NETDEV |		\
16346 		 NL80211_FLAG_NEED_RTNL)		\
16347 	SELECTOR(__sel, NETDEV_UP,			\
16348 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16349 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16350 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16351 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16352 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16353 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16354 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16355 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16356 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16357 		 NL80211_FLAG_CLEAR_SKB |		\
16358 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16359 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16360 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16361 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16362 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16363 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16364 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16365 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16366 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16367 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16368 		 NL80211_FLAG_CLEAR_SKB)		\
16369 	SELECTOR(__sel, WDEV_UP,			\
16370 		 NL80211_FLAG_NEED_WDEV_UP)		\
16371 	SELECTOR(__sel, WDEV_UP_LINK,			\
16372 		 NL80211_FLAG_NEED_WDEV_UP |		\
16373 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16374 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16375 		 NL80211_FLAG_NEED_WDEV_UP |		\
16376 		 NL80211_FLAG_NEED_RTNL)		\
16377 	SELECTOR(__sel, WIPHY_CLEAR,			\
16378 		 NL80211_FLAG_NEED_WIPHY |		\
16379 		 NL80211_FLAG_CLEAR_SKB)
16380 
16381 enum nl80211_internal_flags_selector {
16382 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16383 	INTERNAL_FLAG_SELECTORS(_)
16384 #undef SELECTOR
16385 };
16386 
16387 static u32 nl80211_internal_flags[] = {
16388 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16389 	INTERNAL_FLAG_SELECTORS(_)
16390 #undef SELECTOR
16391 };
16392 
16393 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16394 			    struct sk_buff *skb,
16395 			    struct genl_info *info)
16396 {
16397 	struct cfg80211_registered_device *rdev = NULL;
16398 	struct wireless_dev *wdev = NULL;
16399 	struct net_device *dev = NULL;
16400 	u32 internal_flags;
16401 	int err;
16402 
16403 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16404 		return -EINVAL;
16405 
16406 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16407 
16408 	rtnl_lock();
16409 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16410 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16411 		if (IS_ERR(rdev)) {
16412 			err = PTR_ERR(rdev);
16413 			goto out_unlock;
16414 		}
16415 		info->user_ptr[0] = rdev;
16416 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16417 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16418 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16419 						  info->attrs);
16420 		if (IS_ERR(wdev)) {
16421 			err = PTR_ERR(wdev);
16422 			goto out_unlock;
16423 		}
16424 
16425 		dev = wdev->netdev;
16426 		dev_hold(dev);
16427 		rdev = wiphy_to_rdev(wdev->wiphy);
16428 
16429 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16430 			if (!dev) {
16431 				err = -EINVAL;
16432 				goto out_unlock;
16433 			}
16434 
16435 			info->user_ptr[1] = dev;
16436 		} else {
16437 			info->user_ptr[1] = wdev;
16438 		}
16439 
16440 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16441 		    !wdev_running(wdev)) {
16442 			err = -ENETDOWN;
16443 			goto out_unlock;
16444 		}
16445 
16446 		info->user_ptr[0] = rdev;
16447 	}
16448 
16449 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16450 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16451 
16452 		if (!wdev) {
16453 			err = -EINVAL;
16454 			goto out_unlock;
16455 		}
16456 
16457 		/* MLO -> require valid link ID */
16458 		if (wdev->valid_links &&
16459 		    (!link_id ||
16460 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16461 			err = -EINVAL;
16462 			goto out_unlock;
16463 		}
16464 
16465 		/* non-MLO -> no link ID attribute accepted */
16466 		if (!wdev->valid_links && link_id) {
16467 			err = -EINVAL;
16468 			goto out_unlock;
16469 		}
16470 	}
16471 
16472 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16473 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16474 		    (wdev && wdev->valid_links)) {
16475 			err = -EINVAL;
16476 			goto out_unlock;
16477 		}
16478 	}
16479 
16480 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16481 		wiphy_lock(&rdev->wiphy);
16482 		/* we keep the mutex locked until post_doit */
16483 		__release(&rdev->wiphy.mtx);
16484 	}
16485 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16486 		rtnl_unlock();
16487 
16488 	return 0;
16489 out_unlock:
16490 	rtnl_unlock();
16491 	dev_put(dev);
16492 	return err;
16493 }
16494 
16495 static void nl80211_post_doit(const struct genl_split_ops *ops,
16496 			      struct sk_buff *skb,
16497 			      struct genl_info *info)
16498 {
16499 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16500 
16501 	if (info->user_ptr[1]) {
16502 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16503 			struct wireless_dev *wdev = info->user_ptr[1];
16504 
16505 			dev_put(wdev->netdev);
16506 		} else {
16507 			dev_put(info->user_ptr[1]);
16508 		}
16509 	}
16510 
16511 	if (info->user_ptr[0] &&
16512 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16513 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16514 
16515 		/* we kept the mutex locked since pre_doit */
16516 		__acquire(&rdev->wiphy.mtx);
16517 		wiphy_unlock(&rdev->wiphy);
16518 	}
16519 
16520 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16521 		rtnl_unlock();
16522 
16523 	/* If needed, clear the netlink message payload from the SKB
16524 	 * as it might contain key data that shouldn't stick around on
16525 	 * the heap after the SKB is freed. The netlink message header
16526 	 * is still needed for further processing, so leave it intact.
16527 	 */
16528 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16529 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16530 
16531 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16532 	}
16533 }
16534 
16535 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16536 				     struct cfg80211_sar_specs *sar_specs,
16537 				     struct nlattr *spec[], int index)
16538 {
16539 	u32 range_index, i;
16540 
16541 	if (!sar_specs || !spec)
16542 		return -EINVAL;
16543 
16544 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16545 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16546 		return -EINVAL;
16547 
16548 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16549 
16550 	/* check if range_index exceeds num_freq_ranges */
16551 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16552 		return -EINVAL;
16553 
16554 	/* check if range_index duplicates */
16555 	for (i = 0; i < index; i++) {
16556 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16557 			return -EINVAL;
16558 	}
16559 
16560 	sar_specs->sub_specs[index].power =
16561 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16562 
16563 	sar_specs->sub_specs[index].freq_range_index = range_index;
16564 
16565 	return 0;
16566 }
16567 
16568 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16569 {
16570 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16571 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16572 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16573 	struct cfg80211_sar_specs *sar_spec;
16574 	enum nl80211_sar_type type;
16575 	struct nlattr *spec_list;
16576 	u32 specs;
16577 	int rem, err;
16578 
16579 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16580 		return -EOPNOTSUPP;
16581 
16582 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16583 		return -EINVAL;
16584 
16585 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16586 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16587 			 NULL, NULL);
16588 
16589 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16590 		return -EINVAL;
16591 
16592 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16593 	if (type != rdev->wiphy.sar_capa->type)
16594 		return -EINVAL;
16595 
16596 	specs = 0;
16597 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16598 		specs++;
16599 
16600 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16601 		return -EINVAL;
16602 
16603 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16604 	if (!sar_spec)
16605 		return -ENOMEM;
16606 
16607 	sar_spec->type = type;
16608 	specs = 0;
16609 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16610 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16611 				 spec_list, NULL, NULL);
16612 
16613 		switch (type) {
16614 		case NL80211_SAR_TYPE_POWER:
16615 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16616 						      spec, specs)) {
16617 				err = -EINVAL;
16618 				goto error;
16619 			}
16620 			break;
16621 		default:
16622 			err = -EINVAL;
16623 			goto error;
16624 		}
16625 		specs++;
16626 	}
16627 
16628 	sar_spec->num_sub_specs = specs;
16629 
16630 	rdev->cur_cmd_info = info;
16631 	err = rdev_set_sar_specs(rdev, sar_spec);
16632 	rdev->cur_cmd_info = NULL;
16633 error:
16634 	kfree(sar_spec);
16635 	return err;
16636 }
16637 
16638 #define SELECTOR(__sel, name, value) \
16639 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16640 int __missing_selector(void);
16641 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16642 
16643 static const struct genl_ops nl80211_ops[] = {
16644 	{
16645 		.cmd = NL80211_CMD_GET_WIPHY,
16646 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16647 		.doit = nl80211_get_wiphy,
16648 		.dumpit = nl80211_dump_wiphy,
16649 		.done = nl80211_dump_wiphy_done,
16650 		/* can be retrieved by unprivileged users */
16651 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16652 	},
16653 };
16654 
16655 static const struct genl_small_ops nl80211_small_ops[] = {
16656 	{
16657 		.cmd = NL80211_CMD_SET_WIPHY,
16658 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16659 		.doit = nl80211_set_wiphy,
16660 		.flags = GENL_UNS_ADMIN_PERM,
16661 	},
16662 	{
16663 		.cmd = NL80211_CMD_GET_INTERFACE,
16664 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16665 		.doit = nl80211_get_interface,
16666 		.dumpit = nl80211_dump_interface,
16667 		/* can be retrieved by unprivileged users */
16668 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16669 	},
16670 	{
16671 		.cmd = NL80211_CMD_SET_INTERFACE,
16672 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16673 		.doit = nl80211_set_interface,
16674 		.flags = GENL_UNS_ADMIN_PERM,
16675 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16676 					 NL80211_FLAG_NEED_RTNL),
16677 	},
16678 	{
16679 		.cmd = NL80211_CMD_NEW_INTERFACE,
16680 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16681 		.doit = nl80211_new_interface,
16682 		.flags = GENL_UNS_ADMIN_PERM,
16683 		.internal_flags =
16684 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16685 			       NL80211_FLAG_NEED_RTNL |
16686 			       /* we take the wiphy mutex later ourselves */
16687 			       NL80211_FLAG_NO_WIPHY_MTX),
16688 	},
16689 	{
16690 		.cmd = NL80211_CMD_DEL_INTERFACE,
16691 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16692 		.doit = nl80211_del_interface,
16693 		.flags = GENL_UNS_ADMIN_PERM,
16694 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16695 					 NL80211_FLAG_NEED_RTNL),
16696 	},
16697 	{
16698 		.cmd = NL80211_CMD_GET_KEY,
16699 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16700 		.doit = nl80211_get_key,
16701 		.flags = GENL_UNS_ADMIN_PERM,
16702 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16703 	},
16704 	{
16705 		.cmd = NL80211_CMD_SET_KEY,
16706 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16707 		.doit = nl80211_set_key,
16708 		.flags = GENL_UNS_ADMIN_PERM,
16709 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16710 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16711 					 NL80211_FLAG_CLEAR_SKB),
16712 	},
16713 	{
16714 		.cmd = NL80211_CMD_NEW_KEY,
16715 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16716 		.doit = nl80211_new_key,
16717 		.flags = GENL_UNS_ADMIN_PERM,
16718 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16719 					 NL80211_FLAG_CLEAR_SKB),
16720 	},
16721 	{
16722 		.cmd = NL80211_CMD_DEL_KEY,
16723 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16724 		.doit = nl80211_del_key,
16725 		.flags = GENL_UNS_ADMIN_PERM,
16726 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16727 	},
16728 	{
16729 		.cmd = NL80211_CMD_SET_BEACON,
16730 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16731 		.flags = GENL_UNS_ADMIN_PERM,
16732 		.doit = nl80211_set_beacon,
16733 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16734 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16735 	},
16736 	{
16737 		.cmd = NL80211_CMD_START_AP,
16738 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16739 		.flags = GENL_UNS_ADMIN_PERM,
16740 		.doit = nl80211_start_ap,
16741 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16742 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16743 	},
16744 	{
16745 		.cmd = NL80211_CMD_STOP_AP,
16746 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16747 		.flags = GENL_UNS_ADMIN_PERM,
16748 		.doit = nl80211_stop_ap,
16749 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16750 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16751 	},
16752 	{
16753 		.cmd = NL80211_CMD_GET_STATION,
16754 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16755 		.doit = nl80211_get_station,
16756 		.dumpit = nl80211_dump_station,
16757 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16758 	},
16759 	{
16760 		.cmd = NL80211_CMD_SET_STATION,
16761 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16762 		.doit = nl80211_set_station,
16763 		.flags = GENL_UNS_ADMIN_PERM,
16764 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16765 	},
16766 	{
16767 		.cmd = NL80211_CMD_NEW_STATION,
16768 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16769 		.doit = nl80211_new_station,
16770 		.flags = GENL_UNS_ADMIN_PERM,
16771 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16772 	},
16773 	{
16774 		.cmd = NL80211_CMD_DEL_STATION,
16775 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16776 		.doit = nl80211_del_station,
16777 		.flags = GENL_UNS_ADMIN_PERM,
16778 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16779 	},
16780 	{
16781 		.cmd = NL80211_CMD_GET_MPATH,
16782 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16783 		.doit = nl80211_get_mpath,
16784 		.dumpit = nl80211_dump_mpath,
16785 		.flags = GENL_UNS_ADMIN_PERM,
16786 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16787 	},
16788 	{
16789 		.cmd = NL80211_CMD_GET_MPP,
16790 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16791 		.doit = nl80211_get_mpp,
16792 		.dumpit = nl80211_dump_mpp,
16793 		.flags = GENL_UNS_ADMIN_PERM,
16794 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16795 	},
16796 	{
16797 		.cmd = NL80211_CMD_SET_MPATH,
16798 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16799 		.doit = nl80211_set_mpath,
16800 		.flags = GENL_UNS_ADMIN_PERM,
16801 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16802 	},
16803 	{
16804 		.cmd = NL80211_CMD_NEW_MPATH,
16805 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16806 		.doit = nl80211_new_mpath,
16807 		.flags = GENL_UNS_ADMIN_PERM,
16808 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16809 	},
16810 	{
16811 		.cmd = NL80211_CMD_DEL_MPATH,
16812 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16813 		.doit = nl80211_del_mpath,
16814 		.flags = GENL_UNS_ADMIN_PERM,
16815 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16816 	},
16817 	{
16818 		.cmd = NL80211_CMD_SET_BSS,
16819 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16820 		.doit = nl80211_set_bss,
16821 		.flags = GENL_UNS_ADMIN_PERM,
16822 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16823 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16824 	},
16825 	{
16826 		.cmd = NL80211_CMD_GET_REG,
16827 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16828 		.doit = nl80211_get_reg_do,
16829 		.dumpit = nl80211_get_reg_dump,
16830 		/* can be retrieved by unprivileged users */
16831 	},
16832 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16833 	{
16834 		.cmd = NL80211_CMD_SET_REG,
16835 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16836 		.doit = nl80211_set_reg,
16837 		.flags = GENL_ADMIN_PERM,
16838 	},
16839 #endif
16840 	{
16841 		.cmd = NL80211_CMD_REQ_SET_REG,
16842 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16843 		.doit = nl80211_req_set_reg,
16844 		.flags = GENL_ADMIN_PERM,
16845 	},
16846 	{
16847 		.cmd = NL80211_CMD_RELOAD_REGDB,
16848 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16849 		.doit = nl80211_reload_regdb,
16850 		.flags = GENL_ADMIN_PERM,
16851 	},
16852 	{
16853 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16854 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16855 		.doit = nl80211_get_mesh_config,
16856 		/* can be retrieved by unprivileged users */
16857 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16858 	},
16859 	{
16860 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16861 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16862 		.doit = nl80211_update_mesh_config,
16863 		.flags = GENL_UNS_ADMIN_PERM,
16864 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16865 	},
16866 	{
16867 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16868 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16869 		.doit = nl80211_trigger_scan,
16870 		.flags = GENL_UNS_ADMIN_PERM,
16871 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16872 	},
16873 	{
16874 		.cmd = NL80211_CMD_ABORT_SCAN,
16875 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16876 		.doit = nl80211_abort_scan,
16877 		.flags = GENL_UNS_ADMIN_PERM,
16878 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16879 	},
16880 	{
16881 		.cmd = NL80211_CMD_GET_SCAN,
16882 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16883 		.dumpit = nl80211_dump_scan,
16884 	},
16885 	{
16886 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16887 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16888 		.doit = nl80211_start_sched_scan,
16889 		.flags = GENL_UNS_ADMIN_PERM,
16890 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16891 	},
16892 	{
16893 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16894 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16895 		.doit = nl80211_stop_sched_scan,
16896 		.flags = GENL_UNS_ADMIN_PERM,
16897 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16898 	},
16899 	{
16900 		.cmd = NL80211_CMD_AUTHENTICATE,
16901 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16902 		.doit = nl80211_authenticate,
16903 		.flags = GENL_UNS_ADMIN_PERM,
16904 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16905 					 NL80211_FLAG_CLEAR_SKB),
16906 	},
16907 	{
16908 		.cmd = NL80211_CMD_ASSOCIATE,
16909 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16910 		.doit = nl80211_associate,
16911 		.flags = GENL_UNS_ADMIN_PERM,
16912 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16913 					 NL80211_FLAG_CLEAR_SKB),
16914 	},
16915 	{
16916 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16917 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16918 		.doit = nl80211_deauthenticate,
16919 		.flags = GENL_UNS_ADMIN_PERM,
16920 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16921 	},
16922 	{
16923 		.cmd = NL80211_CMD_DISASSOCIATE,
16924 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16925 		.doit = nl80211_disassociate,
16926 		.flags = GENL_UNS_ADMIN_PERM,
16927 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16928 	},
16929 	{
16930 		.cmd = NL80211_CMD_JOIN_IBSS,
16931 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16932 		.doit = nl80211_join_ibss,
16933 		.flags = GENL_UNS_ADMIN_PERM,
16934 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16935 	},
16936 	{
16937 		.cmd = NL80211_CMD_LEAVE_IBSS,
16938 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16939 		.doit = nl80211_leave_ibss,
16940 		.flags = GENL_UNS_ADMIN_PERM,
16941 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16942 	},
16943 #ifdef CONFIG_NL80211_TESTMODE
16944 	{
16945 		.cmd = NL80211_CMD_TESTMODE,
16946 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16947 		.doit = nl80211_testmode_do,
16948 		.dumpit = nl80211_testmode_dump,
16949 		.flags = GENL_UNS_ADMIN_PERM,
16950 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16951 	},
16952 #endif
16953 	{
16954 		.cmd = NL80211_CMD_CONNECT,
16955 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16956 		.doit = nl80211_connect,
16957 		.flags = GENL_UNS_ADMIN_PERM,
16958 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16959 					 NL80211_FLAG_CLEAR_SKB),
16960 	},
16961 	{
16962 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16963 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16964 		.doit = nl80211_update_connect_params,
16965 		.flags = GENL_ADMIN_PERM,
16966 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16967 					 NL80211_FLAG_CLEAR_SKB),
16968 	},
16969 	{
16970 		.cmd = NL80211_CMD_DISCONNECT,
16971 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16972 		.doit = nl80211_disconnect,
16973 		.flags = GENL_UNS_ADMIN_PERM,
16974 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16975 	},
16976 	{
16977 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16978 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16979 		.doit = nl80211_wiphy_netns,
16980 		.flags = GENL_UNS_ADMIN_PERM,
16981 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16982 					 NL80211_FLAG_NEED_RTNL |
16983 					 NL80211_FLAG_NO_WIPHY_MTX),
16984 	},
16985 	{
16986 		.cmd = NL80211_CMD_GET_SURVEY,
16987 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16988 		.dumpit = nl80211_dump_survey,
16989 	},
16990 	{
16991 		.cmd = NL80211_CMD_SET_PMKSA,
16992 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16993 		.doit = nl80211_setdel_pmksa,
16994 		.flags = GENL_UNS_ADMIN_PERM,
16995 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16996 					 NL80211_FLAG_CLEAR_SKB),
16997 	},
16998 	{
16999 		.cmd = NL80211_CMD_DEL_PMKSA,
17000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17001 		.doit = nl80211_setdel_pmksa,
17002 		.flags = GENL_UNS_ADMIN_PERM,
17003 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17004 	},
17005 	{
17006 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17007 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17008 		.doit = nl80211_flush_pmksa,
17009 		.flags = GENL_UNS_ADMIN_PERM,
17010 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17011 	},
17012 	{
17013 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17014 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17015 		.doit = nl80211_remain_on_channel,
17016 		.flags = GENL_UNS_ADMIN_PERM,
17017 		/* FIXME: requiring a link ID here is probably not good */
17018 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17019 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17020 	},
17021 	{
17022 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17023 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17024 		.doit = nl80211_cancel_remain_on_channel,
17025 		.flags = GENL_UNS_ADMIN_PERM,
17026 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17027 	},
17028 	{
17029 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17030 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17031 		.doit = nl80211_set_tx_bitrate_mask,
17032 		.flags = GENL_UNS_ADMIN_PERM,
17033 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17034 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17035 	},
17036 	{
17037 		.cmd = NL80211_CMD_REGISTER_FRAME,
17038 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17039 		.doit = nl80211_register_mgmt,
17040 		.flags = GENL_UNS_ADMIN_PERM,
17041 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17042 	},
17043 	{
17044 		.cmd = NL80211_CMD_FRAME,
17045 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17046 		.doit = nl80211_tx_mgmt,
17047 		.flags = GENL_UNS_ADMIN_PERM,
17048 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17049 	},
17050 	{
17051 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17052 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17053 		.doit = nl80211_tx_mgmt_cancel_wait,
17054 		.flags = GENL_UNS_ADMIN_PERM,
17055 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17056 	},
17057 	{
17058 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17059 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17060 		.doit = nl80211_set_power_save,
17061 		.flags = GENL_UNS_ADMIN_PERM,
17062 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17063 	},
17064 	{
17065 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17066 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17067 		.doit = nl80211_get_power_save,
17068 		/* can be retrieved by unprivileged users */
17069 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17070 	},
17071 	{
17072 		.cmd = NL80211_CMD_SET_CQM,
17073 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17074 		.doit = nl80211_set_cqm,
17075 		.flags = GENL_UNS_ADMIN_PERM,
17076 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17077 	},
17078 	{
17079 		.cmd = NL80211_CMD_SET_CHANNEL,
17080 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17081 		.doit = nl80211_set_channel,
17082 		.flags = GENL_UNS_ADMIN_PERM,
17083 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17084 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17085 	},
17086 	{
17087 		.cmd = NL80211_CMD_JOIN_MESH,
17088 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17089 		.doit = nl80211_join_mesh,
17090 		.flags = GENL_UNS_ADMIN_PERM,
17091 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17092 	},
17093 	{
17094 		.cmd = NL80211_CMD_LEAVE_MESH,
17095 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17096 		.doit = nl80211_leave_mesh,
17097 		.flags = GENL_UNS_ADMIN_PERM,
17098 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17099 	},
17100 	{
17101 		.cmd = NL80211_CMD_JOIN_OCB,
17102 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17103 		.doit = nl80211_join_ocb,
17104 		.flags = GENL_UNS_ADMIN_PERM,
17105 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17106 	},
17107 	{
17108 		.cmd = NL80211_CMD_LEAVE_OCB,
17109 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17110 		.doit = nl80211_leave_ocb,
17111 		.flags = GENL_UNS_ADMIN_PERM,
17112 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17113 	},
17114 #ifdef CONFIG_PM
17115 	{
17116 		.cmd = NL80211_CMD_GET_WOWLAN,
17117 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17118 		.doit = nl80211_get_wowlan,
17119 		/* can be retrieved by unprivileged users */
17120 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17121 	},
17122 	{
17123 		.cmd = NL80211_CMD_SET_WOWLAN,
17124 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17125 		.doit = nl80211_set_wowlan,
17126 		.flags = GENL_UNS_ADMIN_PERM,
17127 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17128 	},
17129 #endif
17130 	{
17131 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17132 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17133 		.doit = nl80211_set_rekey_data,
17134 		.flags = GENL_UNS_ADMIN_PERM,
17135 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17136 					 NL80211_FLAG_CLEAR_SKB),
17137 	},
17138 	{
17139 		.cmd = NL80211_CMD_TDLS_MGMT,
17140 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17141 		.doit = nl80211_tdls_mgmt,
17142 		.flags = GENL_UNS_ADMIN_PERM,
17143 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17144 	},
17145 	{
17146 		.cmd = NL80211_CMD_TDLS_OPER,
17147 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17148 		.doit = nl80211_tdls_oper,
17149 		.flags = GENL_UNS_ADMIN_PERM,
17150 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17151 	},
17152 	{
17153 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17154 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17155 		.doit = nl80211_register_unexpected_frame,
17156 		.flags = GENL_UNS_ADMIN_PERM,
17157 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17158 	},
17159 	{
17160 		.cmd = NL80211_CMD_PROBE_CLIENT,
17161 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17162 		.doit = nl80211_probe_client,
17163 		.flags = GENL_UNS_ADMIN_PERM,
17164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17165 	},
17166 	{
17167 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17169 		.doit = nl80211_register_beacons,
17170 		.flags = GENL_UNS_ADMIN_PERM,
17171 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17172 	},
17173 	{
17174 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17175 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17176 		.doit = nl80211_set_noack_map,
17177 		.flags = GENL_UNS_ADMIN_PERM,
17178 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17179 	},
17180 	{
17181 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17182 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17183 		.doit = nl80211_start_p2p_device,
17184 		.flags = GENL_UNS_ADMIN_PERM,
17185 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17186 					 NL80211_FLAG_NEED_RTNL),
17187 	},
17188 	{
17189 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17190 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17191 		.doit = nl80211_stop_p2p_device,
17192 		.flags = GENL_UNS_ADMIN_PERM,
17193 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17194 					 NL80211_FLAG_NEED_RTNL),
17195 	},
17196 	{
17197 		.cmd = NL80211_CMD_START_NAN,
17198 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17199 		.doit = nl80211_start_nan,
17200 		.flags = GENL_ADMIN_PERM,
17201 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17202 					 NL80211_FLAG_NEED_RTNL),
17203 	},
17204 	{
17205 		.cmd = NL80211_CMD_STOP_NAN,
17206 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17207 		.doit = nl80211_stop_nan,
17208 		.flags = GENL_ADMIN_PERM,
17209 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17210 					 NL80211_FLAG_NEED_RTNL),
17211 	},
17212 	{
17213 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17214 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17215 		.doit = nl80211_nan_add_func,
17216 		.flags = GENL_ADMIN_PERM,
17217 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17218 	},
17219 	{
17220 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17221 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17222 		.doit = nl80211_nan_del_func,
17223 		.flags = GENL_ADMIN_PERM,
17224 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17225 	},
17226 	{
17227 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17229 		.doit = nl80211_nan_change_config,
17230 		.flags = GENL_ADMIN_PERM,
17231 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17232 	},
17233 	{
17234 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17235 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17236 		.doit = nl80211_set_mcast_rate,
17237 		.flags = GENL_UNS_ADMIN_PERM,
17238 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17239 	},
17240 	{
17241 		.cmd = NL80211_CMD_SET_MAC_ACL,
17242 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17243 		.doit = nl80211_set_mac_acl,
17244 		.flags = GENL_UNS_ADMIN_PERM,
17245 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17246 					 NL80211_FLAG_MLO_UNSUPPORTED),
17247 	},
17248 	{
17249 		.cmd = NL80211_CMD_RADAR_DETECT,
17250 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17251 		.doit = nl80211_start_radar_detection,
17252 		.flags = GENL_UNS_ADMIN_PERM,
17253 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17254 					 NL80211_FLAG_NO_WIPHY_MTX |
17255 					 NL80211_FLAG_MLO_UNSUPPORTED),
17256 	},
17257 	{
17258 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17259 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17260 		.doit = nl80211_get_protocol_features,
17261 	},
17262 	{
17263 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17264 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17265 		.doit = nl80211_update_ft_ies,
17266 		.flags = GENL_UNS_ADMIN_PERM,
17267 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17268 	},
17269 	{
17270 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17271 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17272 		.doit = nl80211_crit_protocol_start,
17273 		.flags = GENL_UNS_ADMIN_PERM,
17274 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17275 	},
17276 	{
17277 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17278 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17279 		.doit = nl80211_crit_protocol_stop,
17280 		.flags = GENL_UNS_ADMIN_PERM,
17281 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17282 	},
17283 	{
17284 		.cmd = NL80211_CMD_GET_COALESCE,
17285 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17286 		.doit = nl80211_get_coalesce,
17287 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17288 	},
17289 	{
17290 		.cmd = NL80211_CMD_SET_COALESCE,
17291 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17292 		.doit = nl80211_set_coalesce,
17293 		.flags = GENL_UNS_ADMIN_PERM,
17294 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17295 	},
17296 	{
17297 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17298 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17299 		.doit = nl80211_channel_switch,
17300 		.flags = GENL_UNS_ADMIN_PERM,
17301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17302 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17303 	},
17304 	{
17305 		.cmd = NL80211_CMD_VENDOR,
17306 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17307 		.doit = nl80211_vendor_cmd,
17308 		.dumpit = nl80211_vendor_cmd_dump,
17309 		.flags = GENL_UNS_ADMIN_PERM,
17310 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17311 					 NL80211_FLAG_CLEAR_SKB),
17312 	},
17313 	{
17314 		.cmd = NL80211_CMD_SET_QOS_MAP,
17315 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17316 		.doit = nl80211_set_qos_map,
17317 		.flags = GENL_UNS_ADMIN_PERM,
17318 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17319 	},
17320 	{
17321 		.cmd = NL80211_CMD_ADD_TX_TS,
17322 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17323 		.doit = nl80211_add_tx_ts,
17324 		.flags = GENL_UNS_ADMIN_PERM,
17325 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17326 					 NL80211_FLAG_MLO_UNSUPPORTED),
17327 	},
17328 	{
17329 		.cmd = NL80211_CMD_DEL_TX_TS,
17330 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17331 		.doit = nl80211_del_tx_ts,
17332 		.flags = GENL_UNS_ADMIN_PERM,
17333 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17334 	},
17335 	{
17336 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17337 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17338 		.doit = nl80211_tdls_channel_switch,
17339 		.flags = GENL_UNS_ADMIN_PERM,
17340 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17341 	},
17342 	{
17343 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17344 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17345 		.doit = nl80211_tdls_cancel_channel_switch,
17346 		.flags = GENL_UNS_ADMIN_PERM,
17347 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17348 	},
17349 	{
17350 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17351 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17352 		.doit = nl80211_set_multicast_to_unicast,
17353 		.flags = GENL_UNS_ADMIN_PERM,
17354 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17355 	},
17356 	{
17357 		.cmd = NL80211_CMD_SET_PMK,
17358 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17359 		.doit = nl80211_set_pmk,
17360 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17361 					 NL80211_FLAG_CLEAR_SKB),
17362 	},
17363 	{
17364 		.cmd = NL80211_CMD_DEL_PMK,
17365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17366 		.doit = nl80211_del_pmk,
17367 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17368 	},
17369 	{
17370 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17371 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17372 		.doit = nl80211_external_auth,
17373 		.flags = GENL_ADMIN_PERM,
17374 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17375 	},
17376 	{
17377 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17378 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17379 		.doit = nl80211_tx_control_port,
17380 		.flags = GENL_UNS_ADMIN_PERM,
17381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17382 	},
17383 	{
17384 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17386 		.doit = nl80211_get_ftm_responder_stats,
17387 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17388 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17389 	},
17390 	{
17391 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393 		.doit = nl80211_pmsr_start,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_notify_radar_detection,
17401 		.flags = GENL_UNS_ADMIN_PERM,
17402 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17403 	},
17404 	{
17405 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17406 		.doit = nl80211_update_owe_info,
17407 		.flags = GENL_ADMIN_PERM,
17408 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17409 	},
17410 	{
17411 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17412 		.doit = nl80211_probe_mesh_link,
17413 		.flags = GENL_UNS_ADMIN_PERM,
17414 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17415 	},
17416 	{
17417 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17418 		.doit = nl80211_set_tid_config,
17419 		.flags = GENL_UNS_ADMIN_PERM,
17420 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17421 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17422 	},
17423 	{
17424 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17425 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17426 		.doit = nl80211_set_sar_specs,
17427 		.flags = GENL_UNS_ADMIN_PERM,
17428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17429 					 NL80211_FLAG_NEED_RTNL),
17430 	},
17431 	{
17432 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17433 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17434 		.doit = nl80211_color_change,
17435 		.flags = GENL_UNS_ADMIN_PERM,
17436 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17437 	},
17438 	{
17439 		.cmd = NL80211_CMD_SET_FILS_AAD,
17440 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17441 		.doit = nl80211_set_fils_aad,
17442 		.flags = GENL_UNS_ADMIN_PERM,
17443 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17444 	},
17445 	{
17446 		.cmd = NL80211_CMD_ADD_LINK,
17447 		.doit = nl80211_add_link,
17448 		.flags = GENL_UNS_ADMIN_PERM,
17449 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17450 	},
17451 	{
17452 		.cmd = NL80211_CMD_REMOVE_LINK,
17453 		.doit = nl80211_remove_link,
17454 		.flags = GENL_UNS_ADMIN_PERM,
17455 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17456 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17457 	},
17458 	{
17459 		.cmd = NL80211_CMD_ADD_LINK_STA,
17460 		.doit = nl80211_add_link_station,
17461 		.flags = GENL_UNS_ADMIN_PERM,
17462 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17463 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17464 	},
17465 	{
17466 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17467 		.doit = nl80211_modify_link_station,
17468 		.flags = GENL_UNS_ADMIN_PERM,
17469 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17470 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17471 	},
17472 	{
17473 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17474 		.doit = nl80211_remove_link_station,
17475 		.flags = GENL_UNS_ADMIN_PERM,
17476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17477 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17478 	},
17479 	{
17480 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17481 		.doit = nl80211_set_hw_timestamp,
17482 		.flags = GENL_UNS_ADMIN_PERM,
17483 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17484 	},
17485 };
17486 
17487 static struct genl_family nl80211_fam __ro_after_init = {
17488 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17489 	.hdrsize = 0,			/* no private header */
17490 	.version = 1,			/* no particular meaning now */
17491 	.maxattr = NL80211_ATTR_MAX,
17492 	.policy = nl80211_policy,
17493 	.netnsok = true,
17494 	.pre_doit = nl80211_pre_doit,
17495 	.post_doit = nl80211_post_doit,
17496 	.module = THIS_MODULE,
17497 	.ops = nl80211_ops,
17498 	.n_ops = ARRAY_SIZE(nl80211_ops),
17499 	.small_ops = nl80211_small_ops,
17500 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17501 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17502 	.mcgrps = nl80211_mcgrps,
17503 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17504 	.parallel_ops = true,
17505 };
17506 
17507 /* notification functions */
17508 
17509 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17510 			  enum nl80211_commands cmd)
17511 {
17512 	struct sk_buff *msg;
17513 	struct nl80211_dump_wiphy_state state = {};
17514 
17515 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17516 		cmd != NL80211_CMD_DEL_WIPHY);
17517 
17518 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17519 	if (!msg)
17520 		return;
17521 
17522 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17523 		nlmsg_free(msg);
17524 		return;
17525 	}
17526 
17527 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17528 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17529 }
17530 
17531 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17532 				struct wireless_dev *wdev,
17533 				enum nl80211_commands cmd)
17534 {
17535 	struct sk_buff *msg;
17536 
17537 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17538 	if (!msg)
17539 		return;
17540 
17541 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17542 		nlmsg_free(msg);
17543 		return;
17544 	}
17545 
17546 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17547 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17548 }
17549 
17550 static int nl80211_add_scan_req(struct sk_buff *msg,
17551 				struct cfg80211_registered_device *rdev)
17552 {
17553 	struct cfg80211_scan_request *req = rdev->scan_req;
17554 	struct nlattr *nest;
17555 	int i;
17556 	struct cfg80211_scan_info *info;
17557 
17558 	if (WARN_ON(!req))
17559 		return 0;
17560 
17561 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17562 	if (!nest)
17563 		goto nla_put_failure;
17564 	for (i = 0; i < req->n_ssids; i++) {
17565 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17566 			goto nla_put_failure;
17567 	}
17568 	nla_nest_end(msg, nest);
17569 
17570 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17571 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17572 		if (!nest)
17573 			goto nla_put_failure;
17574 		for (i = 0; i < req->n_channels; i++) {
17575 			if (nla_put_u32(msg, i,
17576 				   ieee80211_channel_to_khz(req->channels[i])))
17577 				goto nla_put_failure;
17578 		}
17579 		nla_nest_end(msg, nest);
17580 	} else {
17581 		nest = nla_nest_start_noflag(msg,
17582 					     NL80211_ATTR_SCAN_FREQUENCIES);
17583 		if (!nest)
17584 			goto nla_put_failure;
17585 		for (i = 0; i < req->n_channels; i++) {
17586 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17587 				goto nla_put_failure;
17588 		}
17589 		nla_nest_end(msg, nest);
17590 	}
17591 
17592 	if (req->ie &&
17593 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17594 		goto nla_put_failure;
17595 
17596 	if (req->flags &&
17597 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17598 		goto nla_put_failure;
17599 
17600 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17601 		&rdev->scan_req->info;
17602 	if (info->scan_start_tsf &&
17603 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17604 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17605 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17606 		     info->tsf_bssid)))
17607 		goto nla_put_failure;
17608 
17609 	return 0;
17610  nla_put_failure:
17611 	return -ENOBUFS;
17612 }
17613 
17614 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17615 				 struct cfg80211_registered_device *rdev,
17616 				 struct wireless_dev *wdev,
17617 				 u32 portid, u32 seq, int flags,
17618 				 u32 cmd)
17619 {
17620 	void *hdr;
17621 
17622 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17623 	if (!hdr)
17624 		return -1;
17625 
17626 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17627 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17628 					 wdev->netdev->ifindex)) ||
17629 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17630 			      NL80211_ATTR_PAD))
17631 		goto nla_put_failure;
17632 
17633 	/* ignore errors and send incomplete event anyway */
17634 	nl80211_add_scan_req(msg, rdev);
17635 
17636 	genlmsg_end(msg, hdr);
17637 	return 0;
17638 
17639  nla_put_failure:
17640 	genlmsg_cancel(msg, hdr);
17641 	return -EMSGSIZE;
17642 }
17643 
17644 static int
17645 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17646 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17647 {
17648 	void *hdr;
17649 
17650 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17651 	if (!hdr)
17652 		return -1;
17653 
17654 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17655 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17656 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17657 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17658 			      NL80211_ATTR_PAD))
17659 		goto nla_put_failure;
17660 
17661 	genlmsg_end(msg, hdr);
17662 	return 0;
17663 
17664  nla_put_failure:
17665 	genlmsg_cancel(msg, hdr);
17666 	return -EMSGSIZE;
17667 }
17668 
17669 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17670 			     struct wireless_dev *wdev)
17671 {
17672 	struct sk_buff *msg;
17673 
17674 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17675 	if (!msg)
17676 		return;
17677 
17678 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17679 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17680 		nlmsg_free(msg);
17681 		return;
17682 	}
17683 
17684 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17685 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17686 }
17687 
17688 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17689 				       struct wireless_dev *wdev, bool aborted)
17690 {
17691 	struct sk_buff *msg;
17692 
17693 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17694 	if (!msg)
17695 		return NULL;
17696 
17697 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17698 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17699 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17700 		nlmsg_free(msg);
17701 		return NULL;
17702 	}
17703 
17704 	return msg;
17705 }
17706 
17707 /* send message created by nl80211_build_scan_msg() */
17708 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17709 			   struct sk_buff *msg)
17710 {
17711 	if (!msg)
17712 		return;
17713 
17714 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17715 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17716 }
17717 
17718 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17719 {
17720 	struct sk_buff *msg;
17721 
17722 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17723 	if (!msg)
17724 		return;
17725 
17726 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17727 		nlmsg_free(msg);
17728 		return;
17729 	}
17730 
17731 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17732 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17733 }
17734 
17735 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17736 					  struct regulatory_request *request)
17737 {
17738 	/* Userspace can always count this one always being set */
17739 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17740 		goto nla_put_failure;
17741 
17742 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17743 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17744 			       NL80211_REGDOM_TYPE_WORLD))
17745 			goto nla_put_failure;
17746 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17747 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17748 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17749 			goto nla_put_failure;
17750 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17751 		   request->intersect) {
17752 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17753 			       NL80211_REGDOM_TYPE_INTERSECTION))
17754 			goto nla_put_failure;
17755 	} else {
17756 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17757 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17758 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17759 				   request->alpha2))
17760 			goto nla_put_failure;
17761 	}
17762 
17763 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17764 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17765 
17766 		if (wiphy &&
17767 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17768 			goto nla_put_failure;
17769 
17770 		if (wiphy &&
17771 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17772 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17773 			goto nla_put_failure;
17774 	}
17775 
17776 	return true;
17777 
17778 nla_put_failure:
17779 	return false;
17780 }
17781 
17782 /*
17783  * This can happen on global regulatory changes or device specific settings
17784  * based on custom regulatory domains.
17785  */
17786 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17787 				     struct regulatory_request *request)
17788 {
17789 	struct sk_buff *msg;
17790 	void *hdr;
17791 
17792 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17793 	if (!msg)
17794 		return;
17795 
17796 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17797 	if (!hdr)
17798 		goto nla_put_failure;
17799 
17800 	if (!nl80211_reg_change_event_fill(msg, request))
17801 		goto nla_put_failure;
17802 
17803 	genlmsg_end(msg, hdr);
17804 
17805 	rcu_read_lock();
17806 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17807 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17808 	rcu_read_unlock();
17809 
17810 	return;
17811 
17812 nla_put_failure:
17813 	nlmsg_free(msg);
17814 }
17815 
17816 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17817 				    struct net_device *netdev,
17818 				    const u8 *buf, size_t len,
17819 				    enum nl80211_commands cmd, gfp_t gfp,
17820 				    int uapsd_queues, const u8 *req_ies,
17821 				    size_t req_ies_len, bool reconnect)
17822 {
17823 	struct sk_buff *msg;
17824 	void *hdr;
17825 
17826 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17827 	if (!msg)
17828 		return;
17829 
17830 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17831 	if (!hdr) {
17832 		nlmsg_free(msg);
17833 		return;
17834 	}
17835 
17836 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17837 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17838 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17839 	    (req_ies &&
17840 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17841 		goto nla_put_failure;
17842 
17843 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17844 		goto nla_put_failure;
17845 
17846 	if (uapsd_queues >= 0) {
17847 		struct nlattr *nla_wmm =
17848 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17849 		if (!nla_wmm)
17850 			goto nla_put_failure;
17851 
17852 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17853 			       uapsd_queues))
17854 			goto nla_put_failure;
17855 
17856 		nla_nest_end(msg, nla_wmm);
17857 	}
17858 
17859 	genlmsg_end(msg, hdr);
17860 
17861 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17862 				NL80211_MCGRP_MLME, gfp);
17863 	return;
17864 
17865  nla_put_failure:
17866 	nlmsg_free(msg);
17867 }
17868 
17869 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17870 			  struct net_device *netdev, const u8 *buf,
17871 			  size_t len, gfp_t gfp)
17872 {
17873 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17874 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17875 				false);
17876 }
17877 
17878 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17879 			   struct net_device *netdev,
17880 			   struct cfg80211_rx_assoc_resp *data)
17881 {
17882 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17883 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17884 				data->uapsd_queues,
17885 				data->req_ies, data->req_ies_len, false);
17886 }
17887 
17888 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17889 			 struct net_device *netdev, const u8 *buf,
17890 			 size_t len, bool reconnect, gfp_t gfp)
17891 {
17892 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17893 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17894 				reconnect);
17895 }
17896 
17897 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17898 			   struct net_device *netdev, const u8 *buf,
17899 			   size_t len, bool reconnect, gfp_t gfp)
17900 {
17901 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17902 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17903 				reconnect);
17904 }
17905 
17906 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17907 				  size_t len)
17908 {
17909 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17910 	struct wiphy *wiphy = wdev->wiphy;
17911 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17912 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17913 	u32 cmd;
17914 
17915 	if (WARN_ON(len < 2))
17916 		return;
17917 
17918 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17919 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17920 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17921 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17922 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17923 		if (wdev->unprot_beacon_reported &&
17924 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17925 			return;
17926 		cmd = NL80211_CMD_UNPROT_BEACON;
17927 		wdev->unprot_beacon_reported = jiffies;
17928 	} else {
17929 		return;
17930 	}
17931 
17932 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17933 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17934 				NULL, 0, false);
17935 }
17936 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17937 
17938 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17939 				      struct net_device *netdev, int cmd,
17940 				      const u8 *addr, gfp_t gfp)
17941 {
17942 	struct sk_buff *msg;
17943 	void *hdr;
17944 
17945 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17946 	if (!msg)
17947 		return;
17948 
17949 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17950 	if (!hdr) {
17951 		nlmsg_free(msg);
17952 		return;
17953 	}
17954 
17955 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17956 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17957 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17958 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17959 		goto nla_put_failure;
17960 
17961 	genlmsg_end(msg, hdr);
17962 
17963 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17964 				NL80211_MCGRP_MLME, gfp);
17965 	return;
17966 
17967  nla_put_failure:
17968 	nlmsg_free(msg);
17969 }
17970 
17971 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17972 			       struct net_device *netdev, const u8 *addr,
17973 			       gfp_t gfp)
17974 {
17975 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17976 				  addr, gfp);
17977 }
17978 
17979 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17980 				struct net_device *netdev, const u8 *addr,
17981 				gfp_t gfp)
17982 {
17983 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17984 				  addr, gfp);
17985 }
17986 
17987 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
17988 				 struct net_device *netdev,
17989 				 struct cfg80211_connect_resp_params *cr,
17990 				 gfp_t gfp)
17991 {
17992 	struct sk_buff *msg;
17993 	void *hdr;
17994 	unsigned int link;
17995 	size_t link_info_size = 0;
17996 	const u8 *connected_addr = cr->valid_links ?
17997 				   cr->ap_mld_addr : cr->links[0].bssid;
17998 
17999 	if (cr->valid_links) {
18000 		for_each_valid_link(cr, link) {
18001 			/* Nested attribute header */
18002 			link_info_size += NLA_HDRLEN;
18003 			/* Link ID */
18004 			link_info_size += nla_total_size(sizeof(u8));
18005 			link_info_size += cr->links[link].addr ?
18006 					  nla_total_size(ETH_ALEN) : 0;
18007 			link_info_size += (cr->links[link].bssid ||
18008 					   cr->links[link].bss) ?
18009 					  nla_total_size(ETH_ALEN) : 0;
18010 			link_info_size += nla_total_size(sizeof(u16));
18011 		}
18012 	}
18013 
18014 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18015 			cr->fils.kek_len + cr->fils.pmk_len +
18016 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18017 			gfp);
18018 	if (!msg)
18019 		return;
18020 
18021 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18022 	if (!hdr) {
18023 		nlmsg_free(msg);
18024 		return;
18025 	}
18026 
18027 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18028 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18029 	    (connected_addr &&
18030 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18031 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18032 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18033 			cr->status) ||
18034 	    (cr->status < 0 &&
18035 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18036 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18037 			  cr->timeout_reason))) ||
18038 	    (cr->req_ie &&
18039 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18040 	    (cr->resp_ie &&
18041 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18042 		     cr->resp_ie)) ||
18043 	    (cr->fils.update_erp_next_seq_num &&
18044 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18045 			 cr->fils.erp_next_seq_num)) ||
18046 	    (cr->status == WLAN_STATUS_SUCCESS &&
18047 	     ((cr->fils.kek &&
18048 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18049 		       cr->fils.kek)) ||
18050 	      (cr->fils.pmk &&
18051 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18052 	      (cr->fils.pmkid &&
18053 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18054 		goto nla_put_failure;
18055 
18056 	if (cr->valid_links) {
18057 		int i = 1;
18058 		struct nlattr *nested;
18059 
18060 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18061 		if (!nested)
18062 			goto nla_put_failure;
18063 
18064 		for_each_valid_link(cr, link) {
18065 			struct nlattr *nested_mlo_links;
18066 			const u8 *bssid = cr->links[link].bss ?
18067 					  cr->links[link].bss->bssid :
18068 					  cr->links[link].bssid;
18069 
18070 			nested_mlo_links = nla_nest_start(msg, i);
18071 			if (!nested_mlo_links)
18072 				goto nla_put_failure;
18073 
18074 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18075 			    (bssid &&
18076 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18077 			    (cr->links[link].addr &&
18078 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18079 				     cr->links[link].addr)) ||
18080 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18081 					cr->links[link].status))
18082 				goto nla_put_failure;
18083 
18084 			nla_nest_end(msg, nested_mlo_links);
18085 			i++;
18086 		}
18087 		nla_nest_end(msg, nested);
18088 	}
18089 
18090 	genlmsg_end(msg, hdr);
18091 
18092 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18093 				NL80211_MCGRP_MLME, gfp);
18094 	return;
18095 
18096  nla_put_failure:
18097 	nlmsg_free(msg);
18098 }
18099 
18100 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18101 			 struct net_device *netdev,
18102 			 struct cfg80211_roam_info *info, gfp_t gfp)
18103 {
18104 	struct sk_buff *msg;
18105 	void *hdr;
18106 	size_t link_info_size = 0;
18107 	unsigned int link;
18108 	const u8 *connected_addr = info->ap_mld_addr ?
18109 				   info->ap_mld_addr :
18110 				   (info->links[0].bss ?
18111 				    info->links[0].bss->bssid :
18112 				    info->links[0].bssid);
18113 
18114 	if (info->valid_links) {
18115 		for_each_valid_link(info, link) {
18116 			/* Nested attribute header */
18117 			link_info_size += NLA_HDRLEN;
18118 			/* Link ID */
18119 			link_info_size += nla_total_size(sizeof(u8));
18120 			link_info_size += info->links[link].addr ?
18121 					  nla_total_size(ETH_ALEN) : 0;
18122 			link_info_size += (info->links[link].bssid ||
18123 					   info->links[link].bss) ?
18124 					  nla_total_size(ETH_ALEN) : 0;
18125 		}
18126 	}
18127 
18128 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18129 			info->fils.kek_len + info->fils.pmk_len +
18130 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18131 			link_info_size, gfp);
18132 	if (!msg)
18133 		return;
18134 
18135 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18136 	if (!hdr) {
18137 		nlmsg_free(msg);
18138 		return;
18139 	}
18140 
18141 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18142 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18143 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18144 	    (info->req_ie &&
18145 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18146 		     info->req_ie)) ||
18147 	    (info->resp_ie &&
18148 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18149 		     info->resp_ie)) ||
18150 	    (info->fils.update_erp_next_seq_num &&
18151 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18152 			 info->fils.erp_next_seq_num)) ||
18153 	    (info->fils.kek &&
18154 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18155 		     info->fils.kek)) ||
18156 	    (info->fils.pmk &&
18157 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18158 	    (info->fils.pmkid &&
18159 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18160 		goto nla_put_failure;
18161 
18162 	if (info->valid_links) {
18163 		int i = 1;
18164 		struct nlattr *nested;
18165 
18166 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18167 		if (!nested)
18168 			goto nla_put_failure;
18169 
18170 		for_each_valid_link(info, link) {
18171 			struct nlattr *nested_mlo_links;
18172 			const u8 *bssid = info->links[link].bss ?
18173 					  info->links[link].bss->bssid :
18174 					  info->links[link].bssid;
18175 
18176 			nested_mlo_links = nla_nest_start(msg, i);
18177 			if (!nested_mlo_links)
18178 				goto nla_put_failure;
18179 
18180 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18181 			    (bssid &&
18182 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18183 			    (info->links[link].addr &&
18184 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18185 				     info->links[link].addr)))
18186 				goto nla_put_failure;
18187 
18188 			nla_nest_end(msg, nested_mlo_links);
18189 			i++;
18190 		}
18191 		nla_nest_end(msg, nested);
18192 	}
18193 
18194 	genlmsg_end(msg, hdr);
18195 
18196 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18197 				NL80211_MCGRP_MLME, gfp);
18198 	return;
18199 
18200  nla_put_failure:
18201 	nlmsg_free(msg);
18202 }
18203 
18204 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18205 				  struct net_device *netdev, const u8 *bssid,
18206 				  const u8 *td_bitmap, u8 td_bitmap_len)
18207 {
18208 	struct sk_buff *msg;
18209 	void *hdr;
18210 
18211 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18212 	if (!msg)
18213 		return;
18214 
18215 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18216 	if (!hdr) {
18217 		nlmsg_free(msg);
18218 		return;
18219 	}
18220 
18221 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18222 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18223 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18224 		goto nla_put_failure;
18225 
18226 	if ((td_bitmap_len > 0) && td_bitmap)
18227 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18228 			    td_bitmap_len, td_bitmap))
18229 			goto nla_put_failure;
18230 
18231 	genlmsg_end(msg, hdr);
18232 
18233 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18234 				NL80211_MCGRP_MLME, GFP_KERNEL);
18235 	return;
18236 
18237  nla_put_failure:
18238 	nlmsg_free(msg);
18239 }
18240 
18241 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18242 			       struct net_device *netdev, u16 reason,
18243 			       const u8 *ie, size_t ie_len, bool from_ap)
18244 {
18245 	struct sk_buff *msg;
18246 	void *hdr;
18247 
18248 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18249 	if (!msg)
18250 		return;
18251 
18252 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18253 	if (!hdr) {
18254 		nlmsg_free(msg);
18255 		return;
18256 	}
18257 
18258 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18259 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18260 	    (reason &&
18261 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18262 	    (from_ap &&
18263 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18264 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18265 		goto nla_put_failure;
18266 
18267 	genlmsg_end(msg, hdr);
18268 
18269 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18270 				NL80211_MCGRP_MLME, GFP_KERNEL);
18271 	return;
18272 
18273  nla_put_failure:
18274 	nlmsg_free(msg);
18275 }
18276 
18277 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18278 			     struct net_device *netdev, const u8 *bssid,
18279 			     gfp_t gfp)
18280 {
18281 	struct sk_buff *msg;
18282 	void *hdr;
18283 
18284 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18285 	if (!msg)
18286 		return;
18287 
18288 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18289 	if (!hdr) {
18290 		nlmsg_free(msg);
18291 		return;
18292 	}
18293 
18294 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18295 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18296 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18297 		goto nla_put_failure;
18298 
18299 	genlmsg_end(msg, hdr);
18300 
18301 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18302 				NL80211_MCGRP_MLME, gfp);
18303 	return;
18304 
18305  nla_put_failure:
18306 	nlmsg_free(msg);
18307 }
18308 
18309 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18310 					const u8 *ie, u8 ie_len,
18311 					int sig_dbm, gfp_t gfp)
18312 {
18313 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18314 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18315 	struct sk_buff *msg;
18316 	void *hdr;
18317 
18318 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18319 		return;
18320 
18321 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18322 
18323 	msg = nlmsg_new(100 + ie_len, gfp);
18324 	if (!msg)
18325 		return;
18326 
18327 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18328 	if (!hdr) {
18329 		nlmsg_free(msg);
18330 		return;
18331 	}
18332 
18333 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18334 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18335 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18336 	    (ie_len && ie &&
18337 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18338 	    (sig_dbm &&
18339 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18340 		goto nla_put_failure;
18341 
18342 	genlmsg_end(msg, hdr);
18343 
18344 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18345 				NL80211_MCGRP_MLME, gfp);
18346 	return;
18347 
18348  nla_put_failure:
18349 	nlmsg_free(msg);
18350 }
18351 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18352 
18353 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18354 				 struct net_device *netdev, const u8 *addr,
18355 				 enum nl80211_key_type key_type, int key_id,
18356 				 const u8 *tsc, gfp_t gfp)
18357 {
18358 	struct sk_buff *msg;
18359 	void *hdr;
18360 
18361 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18362 	if (!msg)
18363 		return;
18364 
18365 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18366 	if (!hdr) {
18367 		nlmsg_free(msg);
18368 		return;
18369 	}
18370 
18371 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18372 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18373 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18374 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18375 	    (key_id != -1 &&
18376 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18377 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18378 		goto nla_put_failure;
18379 
18380 	genlmsg_end(msg, hdr);
18381 
18382 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18383 				NL80211_MCGRP_MLME, gfp);
18384 	return;
18385 
18386  nla_put_failure:
18387 	nlmsg_free(msg);
18388 }
18389 
18390 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18391 				    struct ieee80211_channel *channel_before,
18392 				    struct ieee80211_channel *channel_after)
18393 {
18394 	struct sk_buff *msg;
18395 	void *hdr;
18396 	struct nlattr *nl_freq;
18397 
18398 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18399 	if (!msg)
18400 		return;
18401 
18402 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18403 	if (!hdr) {
18404 		nlmsg_free(msg);
18405 		return;
18406 	}
18407 
18408 	/*
18409 	 * Since we are applying the beacon hint to a wiphy we know its
18410 	 * wiphy_idx is valid
18411 	 */
18412 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18413 		goto nla_put_failure;
18414 
18415 	/* Before */
18416 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18417 	if (!nl_freq)
18418 		goto nla_put_failure;
18419 
18420 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18421 		goto nla_put_failure;
18422 	nla_nest_end(msg, nl_freq);
18423 
18424 	/* After */
18425 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18426 	if (!nl_freq)
18427 		goto nla_put_failure;
18428 
18429 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18430 		goto nla_put_failure;
18431 	nla_nest_end(msg, nl_freq);
18432 
18433 	genlmsg_end(msg, hdr);
18434 
18435 	rcu_read_lock();
18436 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18437 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18438 	rcu_read_unlock();
18439 
18440 	return;
18441 
18442 nla_put_failure:
18443 	nlmsg_free(msg);
18444 }
18445 
18446 static void nl80211_send_remain_on_chan_event(
18447 	int cmd, struct cfg80211_registered_device *rdev,
18448 	struct wireless_dev *wdev, u64 cookie,
18449 	struct ieee80211_channel *chan,
18450 	unsigned int duration, gfp_t gfp)
18451 {
18452 	struct sk_buff *msg;
18453 	void *hdr;
18454 
18455 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18456 	if (!msg)
18457 		return;
18458 
18459 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18460 	if (!hdr) {
18461 		nlmsg_free(msg);
18462 		return;
18463 	}
18464 
18465 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18466 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18467 					 wdev->netdev->ifindex)) ||
18468 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18469 			      NL80211_ATTR_PAD) ||
18470 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18471 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18472 			NL80211_CHAN_NO_HT) ||
18473 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18474 			      NL80211_ATTR_PAD))
18475 		goto nla_put_failure;
18476 
18477 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18478 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18479 		goto nla_put_failure;
18480 
18481 	genlmsg_end(msg, hdr);
18482 
18483 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18484 				NL80211_MCGRP_MLME, gfp);
18485 	return;
18486 
18487  nla_put_failure:
18488 	nlmsg_free(msg);
18489 }
18490 
18491 void cfg80211_assoc_comeback(struct net_device *netdev,
18492 			     const u8 *ap_addr, u32 timeout)
18493 {
18494 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18495 	struct wiphy *wiphy = wdev->wiphy;
18496 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18497 	struct sk_buff *msg;
18498 	void *hdr;
18499 
18500 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18501 
18502 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18503 	if (!msg)
18504 		return;
18505 
18506 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18507 	if (!hdr) {
18508 		nlmsg_free(msg);
18509 		return;
18510 	}
18511 
18512 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18513 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18514 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18515 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18516 		goto nla_put_failure;
18517 
18518 	genlmsg_end(msg, hdr);
18519 
18520 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18521 				NL80211_MCGRP_MLME, GFP_KERNEL);
18522 	return;
18523 
18524  nla_put_failure:
18525 	nlmsg_free(msg);
18526 }
18527 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18528 
18529 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18530 			       struct ieee80211_channel *chan,
18531 			       unsigned int duration, gfp_t gfp)
18532 {
18533 	struct wiphy *wiphy = wdev->wiphy;
18534 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18535 
18536 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18537 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18538 					  rdev, wdev, cookie, chan,
18539 					  duration, gfp);
18540 }
18541 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18542 
18543 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18544 					struct ieee80211_channel *chan,
18545 					gfp_t gfp)
18546 {
18547 	struct wiphy *wiphy = wdev->wiphy;
18548 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18549 
18550 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18551 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18552 					  rdev, wdev, cookie, chan, 0, gfp);
18553 }
18554 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18555 
18556 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18557 					struct ieee80211_channel *chan,
18558 					gfp_t gfp)
18559 {
18560 	struct wiphy *wiphy = wdev->wiphy;
18561 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18562 
18563 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18564 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18565 					  rdev, wdev, cookie, chan, 0, gfp);
18566 }
18567 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18568 
18569 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18570 		      struct station_info *sinfo, gfp_t gfp)
18571 {
18572 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18573 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18574 	struct sk_buff *msg;
18575 
18576 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18577 
18578 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18579 	if (!msg)
18580 		return;
18581 
18582 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18583 				 rdev, dev, mac_addr, sinfo) < 0) {
18584 		nlmsg_free(msg);
18585 		return;
18586 	}
18587 
18588 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18589 				NL80211_MCGRP_MLME, gfp);
18590 }
18591 EXPORT_SYMBOL(cfg80211_new_sta);
18592 
18593 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18594 			    struct station_info *sinfo, gfp_t gfp)
18595 {
18596 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18597 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18598 	struct sk_buff *msg;
18599 	struct station_info empty_sinfo = {};
18600 
18601 	if (!sinfo)
18602 		sinfo = &empty_sinfo;
18603 
18604 	trace_cfg80211_del_sta(dev, mac_addr);
18605 
18606 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18607 	if (!msg) {
18608 		cfg80211_sinfo_release_content(sinfo);
18609 		return;
18610 	}
18611 
18612 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18613 				 rdev, dev, mac_addr, sinfo) < 0) {
18614 		nlmsg_free(msg);
18615 		return;
18616 	}
18617 
18618 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18619 				NL80211_MCGRP_MLME, gfp);
18620 }
18621 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18622 
18623 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18624 			  enum nl80211_connect_failed_reason reason,
18625 			  gfp_t gfp)
18626 {
18627 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18628 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18629 	struct sk_buff *msg;
18630 	void *hdr;
18631 
18632 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18633 	if (!msg)
18634 		return;
18635 
18636 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18637 	if (!hdr) {
18638 		nlmsg_free(msg);
18639 		return;
18640 	}
18641 
18642 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18643 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18644 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18645 		goto nla_put_failure;
18646 
18647 	genlmsg_end(msg, hdr);
18648 
18649 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18650 				NL80211_MCGRP_MLME, gfp);
18651 	return;
18652 
18653  nla_put_failure:
18654 	nlmsg_free(msg);
18655 }
18656 EXPORT_SYMBOL(cfg80211_conn_failed);
18657 
18658 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18659 				       const u8 *addr, gfp_t gfp)
18660 {
18661 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18662 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18663 	struct sk_buff *msg;
18664 	void *hdr;
18665 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18666 
18667 	if (!nlportid)
18668 		return false;
18669 
18670 	msg = nlmsg_new(100, gfp);
18671 	if (!msg)
18672 		return true;
18673 
18674 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18675 	if (!hdr) {
18676 		nlmsg_free(msg);
18677 		return true;
18678 	}
18679 
18680 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18681 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18682 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18683 		goto nla_put_failure;
18684 
18685 	genlmsg_end(msg, hdr);
18686 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18687 	return true;
18688 
18689  nla_put_failure:
18690 	nlmsg_free(msg);
18691 	return true;
18692 }
18693 
18694 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18695 				const u8 *addr, gfp_t gfp)
18696 {
18697 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18698 	bool ret;
18699 
18700 	trace_cfg80211_rx_spurious_frame(dev, addr);
18701 
18702 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18703 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18704 		trace_cfg80211_return_bool(false);
18705 		return false;
18706 	}
18707 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18708 					 addr, gfp);
18709 	trace_cfg80211_return_bool(ret);
18710 	return ret;
18711 }
18712 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18713 
18714 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18715 					const u8 *addr, gfp_t gfp)
18716 {
18717 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18718 	bool ret;
18719 
18720 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18721 
18722 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18723 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18724 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18725 		trace_cfg80211_return_bool(false);
18726 		return false;
18727 	}
18728 	ret = __nl80211_unexpected_frame(dev,
18729 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18730 					 addr, gfp);
18731 	trace_cfg80211_return_bool(ret);
18732 	return ret;
18733 }
18734 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18735 
18736 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18737 		      struct wireless_dev *wdev, u32 nlportid,
18738 		      struct cfg80211_rx_info *info, gfp_t gfp)
18739 {
18740 	struct net_device *netdev = wdev->netdev;
18741 	struct sk_buff *msg;
18742 	void *hdr;
18743 
18744 	msg = nlmsg_new(100 + info->len, gfp);
18745 	if (!msg)
18746 		return -ENOMEM;
18747 
18748 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18749 	if (!hdr) {
18750 		nlmsg_free(msg);
18751 		return -ENOMEM;
18752 	}
18753 
18754 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18755 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18756 					netdev->ifindex)) ||
18757 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18758 			      NL80211_ATTR_PAD) ||
18759 	    (info->have_link_id &&
18760 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18761 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18762 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18763 	    (info->sig_dbm &&
18764 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18765 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18766 	    (info->flags &&
18767 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18768 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18769 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18770 						  info->rx_tstamp,
18771 						  NL80211_ATTR_PAD)) ||
18772 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18773 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18774 						   info->ack_tstamp,
18775 						   NL80211_ATTR_PAD)))
18776 		goto nla_put_failure;
18777 
18778 	genlmsg_end(msg, hdr);
18779 
18780 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18781 
18782  nla_put_failure:
18783 	nlmsg_free(msg);
18784 	return -ENOBUFS;
18785 }
18786 
18787 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18788 				    struct cfg80211_tx_status *status,
18789 				    gfp_t gfp, enum nl80211_commands command)
18790 {
18791 	struct wiphy *wiphy = wdev->wiphy;
18792 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18793 	struct net_device *netdev = wdev->netdev;
18794 	struct sk_buff *msg;
18795 	void *hdr;
18796 
18797 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18798 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18799 					      status->ack);
18800 	else
18801 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18802 						      status->ack);
18803 
18804 	msg = nlmsg_new(100 + status->len, gfp);
18805 	if (!msg)
18806 		return;
18807 
18808 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18809 	if (!hdr) {
18810 		nlmsg_free(msg);
18811 		return;
18812 	}
18813 
18814 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18815 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18816 				   netdev->ifindex)) ||
18817 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18818 			      NL80211_ATTR_PAD) ||
18819 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18820 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18821 			      NL80211_ATTR_PAD) ||
18822 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18823 	    (status->tx_tstamp &&
18824 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18825 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18826 	    (status->ack_tstamp &&
18827 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18828 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18829 		goto nla_put_failure;
18830 
18831 	genlmsg_end(msg, hdr);
18832 
18833 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18834 				NL80211_MCGRP_MLME, gfp);
18835 	return;
18836 
18837 nla_put_failure:
18838 	nlmsg_free(msg);
18839 }
18840 
18841 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18842 				     const u8 *buf, size_t len, bool ack,
18843 				     gfp_t gfp)
18844 {
18845 	struct cfg80211_tx_status status = {
18846 		.cookie = cookie,
18847 		.buf = buf,
18848 		.len = len,
18849 		.ack = ack
18850 	};
18851 
18852 	nl80211_frame_tx_status(wdev, &status, gfp,
18853 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18854 }
18855 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18856 
18857 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18858 				 struct cfg80211_tx_status *status, gfp_t gfp)
18859 {
18860 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18861 }
18862 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18863 
18864 static int __nl80211_rx_control_port(struct net_device *dev,
18865 				     struct sk_buff *skb,
18866 				     bool unencrypted,
18867 				     int link_id,
18868 				     gfp_t gfp)
18869 {
18870 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18871 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18872 	struct ethhdr *ehdr = eth_hdr(skb);
18873 	const u8 *addr = ehdr->h_source;
18874 	u16 proto = be16_to_cpu(skb->protocol);
18875 	struct sk_buff *msg;
18876 	void *hdr;
18877 	struct nlattr *frame;
18878 
18879 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18880 
18881 	if (!nlportid)
18882 		return -ENOENT;
18883 
18884 	msg = nlmsg_new(100 + skb->len, gfp);
18885 	if (!msg)
18886 		return -ENOMEM;
18887 
18888 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18889 	if (!hdr) {
18890 		nlmsg_free(msg);
18891 		return -ENOBUFS;
18892 	}
18893 
18894 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18895 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18896 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18897 			      NL80211_ATTR_PAD) ||
18898 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18899 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18900 	    (link_id >= 0 &&
18901 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
18902 	    (unencrypted && nla_put_flag(msg,
18903 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18904 		goto nla_put_failure;
18905 
18906 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18907 	if (!frame)
18908 		goto nla_put_failure;
18909 
18910 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18911 	genlmsg_end(msg, hdr);
18912 
18913 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18914 
18915  nla_put_failure:
18916 	nlmsg_free(msg);
18917 	return -ENOBUFS;
18918 }
18919 
18920 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
18921 			      bool unencrypted, int link_id)
18922 {
18923 	int ret;
18924 
18925 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
18926 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
18927 					GFP_ATOMIC);
18928 	trace_cfg80211_return_bool(ret == 0);
18929 	return ret == 0;
18930 }
18931 EXPORT_SYMBOL(cfg80211_rx_control_port);
18932 
18933 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
18934 					    const char *mac, gfp_t gfp)
18935 {
18936 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18937 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18938 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18939 	void **cb;
18940 
18941 	if (!msg)
18942 		return NULL;
18943 
18944 	cb = (void **)msg->cb;
18945 
18946 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
18947 	if (!cb[0]) {
18948 		nlmsg_free(msg);
18949 		return NULL;
18950 	}
18951 
18952 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18953 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18954 		goto nla_put_failure;
18955 
18956 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
18957 		goto nla_put_failure;
18958 
18959 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
18960 	if (!cb[1])
18961 		goto nla_put_failure;
18962 
18963 	cb[2] = rdev;
18964 
18965 	return msg;
18966  nla_put_failure:
18967 	nlmsg_free(msg);
18968 	return NULL;
18969 }
18970 
18971 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
18972 {
18973 	void **cb = (void **)msg->cb;
18974 	struct cfg80211_registered_device *rdev = cb[2];
18975 
18976 	nla_nest_end(msg, cb[1]);
18977 	genlmsg_end(msg, cb[0]);
18978 
18979 	memset(msg->cb, 0, sizeof(msg->cb));
18980 
18981 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18982 				NL80211_MCGRP_MLME, gfp);
18983 }
18984 
18985 void cfg80211_cqm_rssi_notify(struct net_device *dev,
18986 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
18987 			      s32 rssi_level, gfp_t gfp)
18988 {
18989 	struct sk_buff *msg;
18990 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18991 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18992 
18993 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
18994 
18995 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
18996 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
18997 		return;
18998 
18999 	if (wdev->cqm_config) {
19000 		wdev->cqm_config->last_rssi_event_value = rssi_level;
19001 
19002 		cfg80211_cqm_rssi_update(rdev, dev);
19003 
19004 		if (rssi_level == 0)
19005 			rssi_level = wdev->cqm_config->last_rssi_event_value;
19006 	}
19007 
19008 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19009 	if (!msg)
19010 		return;
19011 
19012 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19013 			rssi_event))
19014 		goto nla_put_failure;
19015 
19016 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19017 				      rssi_level))
19018 		goto nla_put_failure;
19019 
19020 	cfg80211_send_cqm(msg, gfp);
19021 
19022 	return;
19023 
19024  nla_put_failure:
19025 	nlmsg_free(msg);
19026 }
19027 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19028 
19029 void cfg80211_cqm_txe_notify(struct net_device *dev,
19030 			     const u8 *peer, u32 num_packets,
19031 			     u32 rate, u32 intvl, gfp_t gfp)
19032 {
19033 	struct sk_buff *msg;
19034 
19035 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19036 	if (!msg)
19037 		return;
19038 
19039 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19040 		goto nla_put_failure;
19041 
19042 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19043 		goto nla_put_failure;
19044 
19045 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19046 		goto nla_put_failure;
19047 
19048 	cfg80211_send_cqm(msg, gfp);
19049 	return;
19050 
19051  nla_put_failure:
19052 	nlmsg_free(msg);
19053 }
19054 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19055 
19056 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19057 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19058 {
19059 	struct sk_buff *msg;
19060 
19061 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19062 
19063 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19064 	if (!msg)
19065 		return;
19066 
19067 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19068 		goto nla_put_failure;
19069 
19070 	cfg80211_send_cqm(msg, gfp);
19071 	return;
19072 
19073  nla_put_failure:
19074 	nlmsg_free(msg);
19075 }
19076 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19077 
19078 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19079 {
19080 	struct sk_buff *msg;
19081 
19082 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19083 	if (!msg)
19084 		return;
19085 
19086 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19087 		goto nla_put_failure;
19088 
19089 	cfg80211_send_cqm(msg, gfp);
19090 	return;
19091 
19092  nla_put_failure:
19093 	nlmsg_free(msg);
19094 }
19095 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19096 
19097 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19098 				     struct net_device *netdev, const u8 *bssid,
19099 				     const u8 *replay_ctr, gfp_t gfp)
19100 {
19101 	struct sk_buff *msg;
19102 	struct nlattr *rekey_attr;
19103 	void *hdr;
19104 
19105 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19106 	if (!msg)
19107 		return;
19108 
19109 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19110 	if (!hdr) {
19111 		nlmsg_free(msg);
19112 		return;
19113 	}
19114 
19115 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19116 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19117 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19118 		goto nla_put_failure;
19119 
19120 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19121 	if (!rekey_attr)
19122 		goto nla_put_failure;
19123 
19124 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19125 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19126 		goto nla_put_failure;
19127 
19128 	nla_nest_end(msg, rekey_attr);
19129 
19130 	genlmsg_end(msg, hdr);
19131 
19132 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19133 				NL80211_MCGRP_MLME, gfp);
19134 	return;
19135 
19136  nla_put_failure:
19137 	nlmsg_free(msg);
19138 }
19139 
19140 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19141 			       const u8 *replay_ctr, gfp_t gfp)
19142 {
19143 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19144 	struct wiphy *wiphy = wdev->wiphy;
19145 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19146 
19147 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19148 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19149 }
19150 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19151 
19152 static void
19153 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19154 			       struct net_device *netdev, int index,
19155 			       const u8 *bssid, bool preauth, gfp_t gfp)
19156 {
19157 	struct sk_buff *msg;
19158 	struct nlattr *attr;
19159 	void *hdr;
19160 
19161 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19162 	if (!msg)
19163 		return;
19164 
19165 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19166 	if (!hdr) {
19167 		nlmsg_free(msg);
19168 		return;
19169 	}
19170 
19171 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19172 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19173 		goto nla_put_failure;
19174 
19175 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19176 	if (!attr)
19177 		goto nla_put_failure;
19178 
19179 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19180 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19181 	    (preauth &&
19182 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19183 		goto nla_put_failure;
19184 
19185 	nla_nest_end(msg, attr);
19186 
19187 	genlmsg_end(msg, hdr);
19188 
19189 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19190 				NL80211_MCGRP_MLME, gfp);
19191 	return;
19192 
19193  nla_put_failure:
19194 	nlmsg_free(msg);
19195 }
19196 
19197 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19198 				     const u8 *bssid, bool preauth, gfp_t gfp)
19199 {
19200 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19201 	struct wiphy *wiphy = wdev->wiphy;
19202 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19203 
19204 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19205 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19206 }
19207 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19208 
19209 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19210 				     struct net_device *netdev,
19211 				     unsigned int link_id,
19212 				     struct cfg80211_chan_def *chandef,
19213 				     gfp_t gfp,
19214 				     enum nl80211_commands notif,
19215 				     u8 count, bool quiet, u16 punct_bitmap)
19216 {
19217 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19218 	struct sk_buff *msg;
19219 	void *hdr;
19220 
19221 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19222 	if (!msg)
19223 		return;
19224 
19225 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19226 	if (!hdr) {
19227 		nlmsg_free(msg);
19228 		return;
19229 	}
19230 
19231 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19232 		goto nla_put_failure;
19233 
19234 	if (wdev->valid_links &&
19235 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19236 		goto nla_put_failure;
19237 
19238 	if (nl80211_send_chandef(msg, chandef))
19239 		goto nla_put_failure;
19240 
19241 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19242 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19243 			goto nla_put_failure;
19244 		if (quiet &&
19245 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19246 			goto nla_put_failure;
19247 	}
19248 
19249 	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19250 		goto nla_put_failure;
19251 
19252 	genlmsg_end(msg, hdr);
19253 
19254 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19255 				NL80211_MCGRP_MLME, gfp);
19256 	return;
19257 
19258  nla_put_failure:
19259 	nlmsg_free(msg);
19260 }
19261 
19262 void cfg80211_ch_switch_notify(struct net_device *dev,
19263 			       struct cfg80211_chan_def *chandef,
19264 			       unsigned int link_id, u16 punct_bitmap)
19265 {
19266 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19267 	struct wiphy *wiphy = wdev->wiphy;
19268 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19269 
19270 	ASSERT_WDEV_LOCK(wdev);
19271 	WARN_INVALID_LINK_ID(wdev, link_id);
19272 
19273 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19274 
19275 	switch (wdev->iftype) {
19276 	case NL80211_IFTYPE_STATION:
19277 	case NL80211_IFTYPE_P2P_CLIENT:
19278 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19279 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19280 							chandef->chan);
19281 		break;
19282 	case NL80211_IFTYPE_MESH_POINT:
19283 		wdev->u.mesh.chandef = *chandef;
19284 		wdev->u.mesh.preset_chandef = *chandef;
19285 		break;
19286 	case NL80211_IFTYPE_AP:
19287 	case NL80211_IFTYPE_P2P_GO:
19288 		wdev->links[link_id].ap.chandef = *chandef;
19289 		break;
19290 	case NL80211_IFTYPE_ADHOC:
19291 		wdev->u.ibss.chandef = *chandef;
19292 		break;
19293 	default:
19294 		WARN_ON(1);
19295 		break;
19296 	}
19297 
19298 	cfg80211_sched_dfs_chan_update(rdev);
19299 
19300 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19301 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19302 				 punct_bitmap);
19303 }
19304 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19305 
19306 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19307 				       struct cfg80211_chan_def *chandef,
19308 				       unsigned int link_id, u8 count,
19309 				       bool quiet, u16 punct_bitmap)
19310 {
19311 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19312 	struct wiphy *wiphy = wdev->wiphy;
19313 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19314 
19315 	ASSERT_WDEV_LOCK(wdev);
19316 	WARN_INVALID_LINK_ID(wdev, link_id);
19317 
19318 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19319 						punct_bitmap);
19320 
19321 
19322 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19323 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19324 				 count, quiet, punct_bitmap);
19325 }
19326 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19327 
19328 int cfg80211_bss_color_notify(struct net_device *dev,
19329 			      enum nl80211_commands cmd, u8 count,
19330 			      u64 color_bitmap)
19331 {
19332 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19333 	struct wiphy *wiphy = wdev->wiphy;
19334 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19335 	struct sk_buff *msg;
19336 	void *hdr;
19337 
19338 	ASSERT_WDEV_LOCK(wdev);
19339 
19340 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19341 
19342 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19343 	if (!msg)
19344 		return -ENOMEM;
19345 
19346 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19347 	if (!hdr)
19348 		goto nla_put_failure;
19349 
19350 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19351 		goto nla_put_failure;
19352 
19353 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19354 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19355 		goto nla_put_failure;
19356 
19357 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19358 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19359 			      color_bitmap, NL80211_ATTR_PAD))
19360 		goto nla_put_failure;
19361 
19362 	genlmsg_end(msg, hdr);
19363 
19364 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19365 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19366 
19367 nla_put_failure:
19368 	nlmsg_free(msg);
19369 	return -EINVAL;
19370 }
19371 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19372 
19373 void
19374 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19375 		     const struct cfg80211_chan_def *chandef,
19376 		     enum nl80211_radar_event event,
19377 		     struct net_device *netdev, gfp_t gfp)
19378 {
19379 	struct sk_buff *msg;
19380 	void *hdr;
19381 
19382 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19383 	if (!msg)
19384 		return;
19385 
19386 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19387 	if (!hdr) {
19388 		nlmsg_free(msg);
19389 		return;
19390 	}
19391 
19392 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19393 		goto nla_put_failure;
19394 
19395 	/* NOP and radar events don't need a netdev parameter */
19396 	if (netdev) {
19397 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19398 
19399 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19400 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19401 				      NL80211_ATTR_PAD))
19402 			goto nla_put_failure;
19403 	}
19404 
19405 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19406 		goto nla_put_failure;
19407 
19408 	if (nl80211_send_chandef(msg, chandef))
19409 		goto nla_put_failure;
19410 
19411 	genlmsg_end(msg, hdr);
19412 
19413 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19414 				NL80211_MCGRP_MLME, gfp);
19415 	return;
19416 
19417  nla_put_failure:
19418 	nlmsg_free(msg);
19419 }
19420 
19421 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19422 				       struct sta_opmode_info *sta_opmode,
19423 				       gfp_t gfp)
19424 {
19425 	struct sk_buff *msg;
19426 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19427 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19428 	void *hdr;
19429 
19430 	if (WARN_ON(!mac))
19431 		return;
19432 
19433 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19434 	if (!msg)
19435 		return;
19436 
19437 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19438 	if (!hdr) {
19439 		nlmsg_free(msg);
19440 		return;
19441 	}
19442 
19443 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19444 		goto nla_put_failure;
19445 
19446 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19447 		goto nla_put_failure;
19448 
19449 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19450 		goto nla_put_failure;
19451 
19452 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19453 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19454 		goto nla_put_failure;
19455 
19456 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19457 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19458 		goto nla_put_failure;
19459 
19460 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19461 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19462 		goto nla_put_failure;
19463 
19464 	genlmsg_end(msg, hdr);
19465 
19466 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19467 				NL80211_MCGRP_MLME, gfp);
19468 
19469 	return;
19470 
19471 nla_put_failure:
19472 	nlmsg_free(msg);
19473 }
19474 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19475 
19476 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19477 			   u64 cookie, bool acked, s32 ack_signal,
19478 			   bool is_valid_ack_signal, gfp_t gfp)
19479 {
19480 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19481 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19482 	struct sk_buff *msg;
19483 	void *hdr;
19484 
19485 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19486 
19487 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19488 
19489 	if (!msg)
19490 		return;
19491 
19492 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19493 	if (!hdr) {
19494 		nlmsg_free(msg);
19495 		return;
19496 	}
19497 
19498 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19499 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19500 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19501 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19502 			      NL80211_ATTR_PAD) ||
19503 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19504 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19505 						ack_signal)))
19506 		goto nla_put_failure;
19507 
19508 	genlmsg_end(msg, hdr);
19509 
19510 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19511 				NL80211_MCGRP_MLME, gfp);
19512 	return;
19513 
19514  nla_put_failure:
19515 	nlmsg_free(msg);
19516 }
19517 EXPORT_SYMBOL(cfg80211_probe_status);
19518 
19519 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19520 				     size_t len, int freq, int sig_dbm)
19521 {
19522 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19523 	struct sk_buff *msg;
19524 	void *hdr;
19525 	struct cfg80211_beacon_registration *reg;
19526 
19527 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19528 
19529 	spin_lock_bh(&rdev->beacon_registrations_lock);
19530 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19531 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19532 		if (!msg) {
19533 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19534 			return;
19535 		}
19536 
19537 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19538 		if (!hdr)
19539 			goto nla_put_failure;
19540 
19541 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19542 		    (freq &&
19543 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19544 				  KHZ_TO_MHZ(freq)) ||
19545 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19546 				  freq % 1000))) ||
19547 		    (sig_dbm &&
19548 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19549 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19550 			goto nla_put_failure;
19551 
19552 		genlmsg_end(msg, hdr);
19553 
19554 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19555 	}
19556 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19557 	return;
19558 
19559  nla_put_failure:
19560 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19561 	nlmsg_free(msg);
19562 }
19563 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19564 
19565 #ifdef CONFIG_PM
19566 static int cfg80211_net_detect_results(struct sk_buff *msg,
19567 				       struct cfg80211_wowlan_wakeup *wakeup)
19568 {
19569 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19570 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19571 	int i, j;
19572 
19573 	nl_results = nla_nest_start_noflag(msg,
19574 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19575 	if (!nl_results)
19576 		return -EMSGSIZE;
19577 
19578 	for (i = 0; i < nd->n_matches; i++) {
19579 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19580 
19581 		nl_match = nla_nest_start_noflag(msg, i);
19582 		if (!nl_match)
19583 			break;
19584 
19585 		/* The SSID attribute is optional in nl80211, but for
19586 		 * simplicity reasons it's always present in the
19587 		 * cfg80211 structure.  If a driver can't pass the
19588 		 * SSID, that needs to be changed.  A zero length SSID
19589 		 * is still a valid SSID (wildcard), so it cannot be
19590 		 * used for this purpose.
19591 		 */
19592 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19593 			    match->ssid.ssid)) {
19594 			nla_nest_cancel(msg, nl_match);
19595 			goto out;
19596 		}
19597 
19598 		if (match->n_channels) {
19599 			nl_freqs = nla_nest_start_noflag(msg,
19600 							 NL80211_ATTR_SCAN_FREQUENCIES);
19601 			if (!nl_freqs) {
19602 				nla_nest_cancel(msg, nl_match);
19603 				goto out;
19604 			}
19605 
19606 			for (j = 0; j < match->n_channels; j++) {
19607 				if (nla_put_u32(msg, j, match->channels[j])) {
19608 					nla_nest_cancel(msg, nl_freqs);
19609 					nla_nest_cancel(msg, nl_match);
19610 					goto out;
19611 				}
19612 			}
19613 
19614 			nla_nest_end(msg, nl_freqs);
19615 		}
19616 
19617 		nla_nest_end(msg, nl_match);
19618 	}
19619 
19620 out:
19621 	nla_nest_end(msg, nl_results);
19622 	return 0;
19623 }
19624 
19625 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19626 				   struct cfg80211_wowlan_wakeup *wakeup,
19627 				   gfp_t gfp)
19628 {
19629 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19630 	struct sk_buff *msg;
19631 	void *hdr;
19632 	int size = 200;
19633 
19634 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19635 
19636 	if (wakeup)
19637 		size += wakeup->packet_present_len;
19638 
19639 	msg = nlmsg_new(size, gfp);
19640 	if (!msg)
19641 		return;
19642 
19643 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19644 	if (!hdr)
19645 		goto free_msg;
19646 
19647 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19648 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19649 			      NL80211_ATTR_PAD))
19650 		goto free_msg;
19651 
19652 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19653 					wdev->netdev->ifindex))
19654 		goto free_msg;
19655 
19656 	if (wakeup) {
19657 		struct nlattr *reasons;
19658 
19659 		reasons = nla_nest_start_noflag(msg,
19660 						NL80211_ATTR_WOWLAN_TRIGGERS);
19661 		if (!reasons)
19662 			goto free_msg;
19663 
19664 		if (wakeup->disconnect &&
19665 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19666 			goto free_msg;
19667 		if (wakeup->magic_pkt &&
19668 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19669 			goto free_msg;
19670 		if (wakeup->gtk_rekey_failure &&
19671 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19672 			goto free_msg;
19673 		if (wakeup->eap_identity_req &&
19674 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19675 			goto free_msg;
19676 		if (wakeup->four_way_handshake &&
19677 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19678 			goto free_msg;
19679 		if (wakeup->rfkill_release &&
19680 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19681 			goto free_msg;
19682 
19683 		if (wakeup->pattern_idx >= 0 &&
19684 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19685 				wakeup->pattern_idx))
19686 			goto free_msg;
19687 
19688 		if (wakeup->tcp_match &&
19689 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19690 			goto free_msg;
19691 
19692 		if (wakeup->tcp_connlost &&
19693 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19694 			goto free_msg;
19695 
19696 		if (wakeup->tcp_nomoretokens &&
19697 		    nla_put_flag(msg,
19698 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19699 			goto free_msg;
19700 
19701 		if (wakeup->packet) {
19702 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19703 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19704 
19705 			if (!wakeup->packet_80211) {
19706 				pkt_attr =
19707 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19708 				len_attr =
19709 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19710 			}
19711 
19712 			if (wakeup->packet_len &&
19713 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19714 				goto free_msg;
19715 
19716 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19717 				    wakeup->packet))
19718 				goto free_msg;
19719 		}
19720 
19721 		if (wakeup->net_detect &&
19722 		    cfg80211_net_detect_results(msg, wakeup))
19723 				goto free_msg;
19724 
19725 		nla_nest_end(msg, reasons);
19726 	}
19727 
19728 	genlmsg_end(msg, hdr);
19729 
19730 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19731 				NL80211_MCGRP_MLME, gfp);
19732 	return;
19733 
19734  free_msg:
19735 	nlmsg_free(msg);
19736 }
19737 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19738 #endif
19739 
19740 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19741 				enum nl80211_tdls_operation oper,
19742 				u16 reason_code, gfp_t gfp)
19743 {
19744 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19745 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19746 	struct sk_buff *msg;
19747 	void *hdr;
19748 
19749 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19750 					 reason_code);
19751 
19752 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19753 	if (!msg)
19754 		return;
19755 
19756 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19757 	if (!hdr) {
19758 		nlmsg_free(msg);
19759 		return;
19760 	}
19761 
19762 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19763 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19764 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19765 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19766 	    (reason_code > 0 &&
19767 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19768 		goto nla_put_failure;
19769 
19770 	genlmsg_end(msg, hdr);
19771 
19772 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19773 				NL80211_MCGRP_MLME, gfp);
19774 	return;
19775 
19776  nla_put_failure:
19777 	nlmsg_free(msg);
19778 }
19779 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19780 
19781 static int nl80211_netlink_notify(struct notifier_block * nb,
19782 				  unsigned long state,
19783 				  void *_notify)
19784 {
19785 	struct netlink_notify *notify = _notify;
19786 	struct cfg80211_registered_device *rdev;
19787 	struct wireless_dev *wdev;
19788 	struct cfg80211_beacon_registration *reg, *tmp;
19789 
19790 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19791 		return NOTIFY_DONE;
19792 
19793 	rcu_read_lock();
19794 
19795 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19796 		struct cfg80211_sched_scan_request *sched_scan_req;
19797 
19798 		list_for_each_entry_rcu(sched_scan_req,
19799 					&rdev->sched_scan_req_list,
19800 					list) {
19801 			if (sched_scan_req->owner_nlportid == notify->portid) {
19802 				sched_scan_req->nl_owner_dead = true;
19803 				wiphy_work_queue(&rdev->wiphy,
19804 						 &rdev->sched_scan_stop_wk);
19805 			}
19806 		}
19807 
19808 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19809 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19810 
19811 			if (wdev->owner_nlportid == notify->portid) {
19812 				wdev->nl_owner_dead = true;
19813 				schedule_work(&rdev->destroy_work);
19814 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19815 				schedule_work(&wdev->disconnect_wk);
19816 			}
19817 
19818 			cfg80211_release_pmsr(wdev, notify->portid);
19819 		}
19820 
19821 		spin_lock_bh(&rdev->beacon_registrations_lock);
19822 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19823 					 list) {
19824 			if (reg->nlportid == notify->portid) {
19825 				list_del(&reg->list);
19826 				kfree(reg);
19827 				break;
19828 			}
19829 		}
19830 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19831 	}
19832 
19833 	rcu_read_unlock();
19834 
19835 	/*
19836 	 * It is possible that the user space process that is controlling the
19837 	 * indoor setting disappeared, so notify the regulatory core.
19838 	 */
19839 	regulatory_netlink_notify(notify->portid);
19840 	return NOTIFY_OK;
19841 }
19842 
19843 static struct notifier_block nl80211_netlink_notifier = {
19844 	.notifier_call = nl80211_netlink_notify,
19845 };
19846 
19847 void cfg80211_ft_event(struct net_device *netdev,
19848 		       struct cfg80211_ft_event_params *ft_event)
19849 {
19850 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19851 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19852 	struct sk_buff *msg;
19853 	void *hdr;
19854 
19855 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19856 
19857 	if (!ft_event->target_ap)
19858 		return;
19859 
19860 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19861 			GFP_KERNEL);
19862 	if (!msg)
19863 		return;
19864 
19865 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19866 	if (!hdr)
19867 		goto out;
19868 
19869 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19870 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19871 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19872 		goto out;
19873 
19874 	if (ft_event->ies &&
19875 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19876 		goto out;
19877 	if (ft_event->ric_ies &&
19878 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19879 		    ft_event->ric_ies))
19880 		goto out;
19881 
19882 	genlmsg_end(msg, hdr);
19883 
19884 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19885 				NL80211_MCGRP_MLME, GFP_KERNEL);
19886 	return;
19887  out:
19888 	nlmsg_free(msg);
19889 }
19890 EXPORT_SYMBOL(cfg80211_ft_event);
19891 
19892 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19893 {
19894 	struct cfg80211_registered_device *rdev;
19895 	struct sk_buff *msg;
19896 	void *hdr;
19897 	u32 nlportid;
19898 
19899 	rdev = wiphy_to_rdev(wdev->wiphy);
19900 	if (!rdev->crit_proto_nlportid)
19901 		return;
19902 
19903 	nlportid = rdev->crit_proto_nlportid;
19904 	rdev->crit_proto_nlportid = 0;
19905 
19906 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19907 	if (!msg)
19908 		return;
19909 
19910 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19911 	if (!hdr)
19912 		goto nla_put_failure;
19913 
19914 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19915 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19916 			      NL80211_ATTR_PAD))
19917 		goto nla_put_failure;
19918 
19919 	genlmsg_end(msg, hdr);
19920 
19921 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
19922 	return;
19923 
19924  nla_put_failure:
19925 	nlmsg_free(msg);
19926 }
19927 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
19928 
19929 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
19930 {
19931 	struct wiphy *wiphy = wdev->wiphy;
19932 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19933 	struct sk_buff *msg;
19934 	void *hdr;
19935 
19936 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19937 	if (!msg)
19938 		return;
19939 
19940 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
19941 	if (!hdr)
19942 		goto out;
19943 
19944 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19945 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
19946 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19947 			      NL80211_ATTR_PAD) ||
19948 	    (wdev->valid_links &&
19949 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
19950 		goto out;
19951 
19952 	genlmsg_end(msg, hdr);
19953 
19954 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
19955 				NL80211_MCGRP_MLME, GFP_KERNEL);
19956 	return;
19957  out:
19958 	nlmsg_free(msg);
19959 }
19960 
19961 int cfg80211_external_auth_request(struct net_device *dev,
19962 				   struct cfg80211_external_auth_params *params,
19963 				   gfp_t gfp)
19964 {
19965 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19966 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19967 	struct sk_buff *msg;
19968 	void *hdr;
19969 
19970 	if (!wdev->conn_owner_nlportid)
19971 		return -EINVAL;
19972 
19973 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19974 	if (!msg)
19975 		return -ENOMEM;
19976 
19977 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
19978 	if (!hdr)
19979 		goto nla_put_failure;
19980 
19981 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19982 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19983 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
19984 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
19985 			params->action) ||
19986 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
19987 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
19988 		    params->ssid.ssid) ||
19989 	    (!is_zero_ether_addr(params->mld_addr) &&
19990 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
19991 		goto nla_put_failure;
19992 
19993 	genlmsg_end(msg, hdr);
19994 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
19995 			wdev->conn_owner_nlportid);
19996 	return 0;
19997 
19998  nla_put_failure:
19999 	nlmsg_free(msg);
20000 	return -ENOBUFS;
20001 }
20002 EXPORT_SYMBOL(cfg80211_external_auth_request);
20003 
20004 void cfg80211_update_owe_info_event(struct net_device *netdev,
20005 				    struct cfg80211_update_owe_info *owe_info,
20006 				    gfp_t gfp)
20007 {
20008 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20009 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20010 	struct sk_buff *msg;
20011 	void *hdr;
20012 
20013 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20014 
20015 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20016 	if (!msg)
20017 		return;
20018 
20019 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20020 	if (!hdr)
20021 		goto nla_put_failure;
20022 
20023 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20024 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20025 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20026 		goto nla_put_failure;
20027 
20028 	if (!owe_info->ie_len ||
20029 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20030 		goto nla_put_failure;
20031 
20032 	if (owe_info->assoc_link_id != -1) {
20033 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20034 			       owe_info->assoc_link_id))
20035 			goto nla_put_failure;
20036 
20037 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20038 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20039 			    owe_info->peer_mld_addr))
20040 			goto nla_put_failure;
20041 	}
20042 
20043 	genlmsg_end(msg, hdr);
20044 
20045 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20046 				NL80211_MCGRP_MLME, gfp);
20047 	return;
20048 
20049 nla_put_failure:
20050 	genlmsg_cancel(msg, hdr);
20051 	nlmsg_free(msg);
20052 }
20053 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20054 
20055 /* initialisation/exit functions */
20056 
20057 int __init nl80211_init(void)
20058 {
20059 	int err;
20060 
20061 	err = genl_register_family(&nl80211_fam);
20062 	if (err)
20063 		return err;
20064 
20065 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20066 	if (err)
20067 		goto err_out;
20068 
20069 	return 0;
20070  err_out:
20071 	genl_unregister_family(&nl80211_fam);
20072 	return err;
20073 }
20074 
20075 void nl80211_exit(void)
20076 {
20077 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20078 	genl_unregister_family(&nl80211_fam);
20079 }
20080