xref: /openbmc/linux/net/wireless/nl80211.c (revision 31d49ba0)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * This is the new netlink-based wireless configuration interface.
4  *
5  * Copyright 2006-2010	Johannes Berg <johannes@sipsolutions.net>
6  * Copyright 2013-2014  Intel Mobile Communications GmbH
7  * Copyright 2015-2017	Intel Deutschland GmbH
8  * Copyright (C) 2018-2023 Intel Corporation
9  */
10 
11 #include <linux/if.h>
12 #include <linux/module.h>
13 #include <linux/err.h>
14 #include <linux/slab.h>
15 #include <linux/list.h>
16 #include <linux/if_ether.h>
17 #include <linux/ieee80211.h>
18 #include <linux/nl80211.h>
19 #include <linux/rtnetlink.h>
20 #include <linux/netlink.h>
21 #include <linux/nospec.h>
22 #include <linux/etherdevice.h>
23 #include <linux/if_vlan.h>
24 #include <net/net_namespace.h>
25 #include <net/genetlink.h>
26 #include <net/cfg80211.h>
27 #include <net/sock.h>
28 #include <net/inet_connection_sock.h>
29 #include "core.h"
30 #include "nl80211.h"
31 #include "reg.h"
32 #include "rdev-ops.h"
33 
34 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
35 				   struct genl_info *info,
36 				   struct cfg80211_crypto_settings *settings,
37 				   int cipher_limit);
38 
39 /* the netlink family */
40 static struct genl_family nl80211_fam;
41 
42 /* multicast groups */
43 enum nl80211_multicast_groups {
44 	NL80211_MCGRP_CONFIG,
45 	NL80211_MCGRP_SCAN,
46 	NL80211_MCGRP_REGULATORY,
47 	NL80211_MCGRP_MLME,
48 	NL80211_MCGRP_VENDOR,
49 	NL80211_MCGRP_NAN,
50 	NL80211_MCGRP_TESTMODE /* keep last - ifdef! */
51 };
52 
53 static const struct genl_multicast_group nl80211_mcgrps[] = {
54 	[NL80211_MCGRP_CONFIG] = { .name = NL80211_MULTICAST_GROUP_CONFIG },
55 	[NL80211_MCGRP_SCAN] = { .name = NL80211_MULTICAST_GROUP_SCAN },
56 	[NL80211_MCGRP_REGULATORY] = { .name = NL80211_MULTICAST_GROUP_REG },
57 	[NL80211_MCGRP_MLME] = { .name = NL80211_MULTICAST_GROUP_MLME },
58 	[NL80211_MCGRP_VENDOR] = { .name = NL80211_MULTICAST_GROUP_VENDOR },
59 	[NL80211_MCGRP_NAN] = { .name = NL80211_MULTICAST_GROUP_NAN },
60 #ifdef CONFIG_NL80211_TESTMODE
61 	[NL80211_MCGRP_TESTMODE] = { .name = NL80211_MULTICAST_GROUP_TESTMODE }
62 #endif
63 };
64 
65 /* returns ERR_PTR values */
66 static struct wireless_dev *
67 __cfg80211_wdev_from_attrs(struct cfg80211_registered_device *rdev,
68 			   struct net *netns, struct nlattr **attrs)
69 {
70 	struct wireless_dev *result = NULL;
71 	bool have_ifidx = attrs[NL80211_ATTR_IFINDEX];
72 	bool have_wdev_id = attrs[NL80211_ATTR_WDEV];
73 	u64 wdev_id = 0;
74 	int wiphy_idx = -1;
75 	int ifidx = -1;
76 
77 	if (!have_ifidx && !have_wdev_id)
78 		return ERR_PTR(-EINVAL);
79 
80 	if (have_ifidx)
81 		ifidx = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
82 	if (have_wdev_id) {
83 		wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
84 		wiphy_idx = wdev_id >> 32;
85 	}
86 
87 	if (rdev) {
88 		struct wireless_dev *wdev;
89 
90 		lockdep_assert_held(&rdev->wiphy.mtx);
91 
92 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
93 			if (have_ifidx && wdev->netdev &&
94 			    wdev->netdev->ifindex == ifidx) {
95 				result = wdev;
96 				break;
97 			}
98 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
99 				result = wdev;
100 				break;
101 			}
102 		}
103 
104 		return result ?: ERR_PTR(-ENODEV);
105 	}
106 
107 	ASSERT_RTNL();
108 
109 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
110 		struct wireless_dev *wdev;
111 
112 		if (wiphy_net(&rdev->wiphy) != netns)
113 			continue;
114 
115 		if (have_wdev_id && rdev->wiphy_idx != wiphy_idx)
116 			continue;
117 
118 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
119 			if (have_ifidx && wdev->netdev &&
120 			    wdev->netdev->ifindex == ifidx) {
121 				result = wdev;
122 				break;
123 			}
124 			if (have_wdev_id && wdev->identifier == (u32)wdev_id) {
125 				result = wdev;
126 				break;
127 			}
128 		}
129 
130 		if (result)
131 			break;
132 	}
133 
134 	if (result)
135 		return result;
136 	return ERR_PTR(-ENODEV);
137 }
138 
139 static struct cfg80211_registered_device *
140 __cfg80211_rdev_from_attrs(struct net *netns, struct nlattr **attrs)
141 {
142 	struct cfg80211_registered_device *rdev = NULL, *tmp;
143 	struct net_device *netdev;
144 
145 	ASSERT_RTNL();
146 
147 	if (!attrs[NL80211_ATTR_WIPHY] &&
148 	    !attrs[NL80211_ATTR_IFINDEX] &&
149 	    !attrs[NL80211_ATTR_WDEV])
150 		return ERR_PTR(-EINVAL);
151 
152 	if (attrs[NL80211_ATTR_WIPHY])
153 		rdev = cfg80211_rdev_by_wiphy_idx(
154 				nla_get_u32(attrs[NL80211_ATTR_WIPHY]));
155 
156 	if (attrs[NL80211_ATTR_WDEV]) {
157 		u64 wdev_id = nla_get_u64(attrs[NL80211_ATTR_WDEV]);
158 		struct wireless_dev *wdev;
159 		bool found = false;
160 
161 		tmp = cfg80211_rdev_by_wiphy_idx(wdev_id >> 32);
162 		if (tmp) {
163 			/* make sure wdev exists */
164 			list_for_each_entry(wdev, &tmp->wiphy.wdev_list, list) {
165 				if (wdev->identifier != (u32)wdev_id)
166 					continue;
167 				found = true;
168 				break;
169 			}
170 
171 			if (!found)
172 				tmp = NULL;
173 
174 			if (rdev && tmp != rdev)
175 				return ERR_PTR(-EINVAL);
176 			rdev = tmp;
177 		}
178 	}
179 
180 	if (attrs[NL80211_ATTR_IFINDEX]) {
181 		int ifindex = nla_get_u32(attrs[NL80211_ATTR_IFINDEX]);
182 
183 		netdev = __dev_get_by_index(netns, ifindex);
184 		if (netdev) {
185 			if (netdev->ieee80211_ptr)
186 				tmp = wiphy_to_rdev(
187 					netdev->ieee80211_ptr->wiphy);
188 			else
189 				tmp = NULL;
190 
191 			/* not wireless device -- return error */
192 			if (!tmp)
193 				return ERR_PTR(-EINVAL);
194 
195 			/* mismatch -- return error */
196 			if (rdev && tmp != rdev)
197 				return ERR_PTR(-EINVAL);
198 
199 			rdev = tmp;
200 		}
201 	}
202 
203 	if (!rdev)
204 		return ERR_PTR(-ENODEV);
205 
206 	if (netns != wiphy_net(&rdev->wiphy))
207 		return ERR_PTR(-ENODEV);
208 
209 	return rdev;
210 }
211 
212 /*
213  * This function returns a pointer to the driver
214  * that the genl_info item that is passed refers to.
215  *
216  * The result of this can be a PTR_ERR and hence must
217  * be checked with IS_ERR() for errors.
218  */
219 static struct cfg80211_registered_device *
220 cfg80211_get_dev_from_info(struct net *netns, struct genl_info *info)
221 {
222 	return __cfg80211_rdev_from_attrs(netns, info->attrs);
223 }
224 
225 static int validate_beacon_head(const struct nlattr *attr,
226 				struct netlink_ext_ack *extack)
227 {
228 	const u8 *data = nla_data(attr);
229 	unsigned int len = nla_len(attr);
230 	const struct element *elem;
231 	const struct ieee80211_mgmt *mgmt = (void *)data;
232 	unsigned int fixedlen, hdrlen;
233 	bool s1g_bcn;
234 
235 	if (len < offsetofend(typeof(*mgmt), frame_control))
236 		goto err;
237 
238 	s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
239 	if (s1g_bcn) {
240 		fixedlen = offsetof(struct ieee80211_ext,
241 				    u.s1g_beacon.variable);
242 		hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
243 	} else {
244 		fixedlen = offsetof(struct ieee80211_mgmt,
245 				    u.beacon.variable);
246 		hdrlen = offsetof(struct ieee80211_mgmt, u.beacon);
247 	}
248 
249 	if (len < fixedlen)
250 		goto err;
251 
252 	if (ieee80211_hdrlen(mgmt->frame_control) != hdrlen)
253 		goto err;
254 
255 	data += fixedlen;
256 	len -= fixedlen;
257 
258 	for_each_element(elem, data, len) {
259 		/* nothing */
260 	}
261 
262 	if (for_each_element_completed(elem, data, len))
263 		return 0;
264 
265 err:
266 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed beacon head");
267 	return -EINVAL;
268 }
269 
270 static int validate_ie_attr(const struct nlattr *attr,
271 			    struct netlink_ext_ack *extack)
272 {
273 	const u8 *data = nla_data(attr);
274 	unsigned int len = nla_len(attr);
275 	const struct element *elem;
276 
277 	for_each_element(elem, data, len) {
278 		/* nothing */
279 	}
280 
281 	if (for_each_element_completed(elem, data, len))
282 		return 0;
283 
284 	NL_SET_ERR_MSG_ATTR(extack, attr, "malformed information elements");
285 	return -EINVAL;
286 }
287 
288 static int validate_he_capa(const struct nlattr *attr,
289 			    struct netlink_ext_ack *extack)
290 {
291 	if (!ieee80211_he_capa_size_ok(nla_data(attr), nla_len(attr)))
292 		return -EINVAL;
293 
294 	return 0;
295 }
296 
297 /* policy for the attributes */
298 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR];
299 
300 static const struct nla_policy
301 nl80211_ftm_responder_policy[NL80211_FTM_RESP_ATTR_MAX + 1] = {
302 	[NL80211_FTM_RESP_ATTR_ENABLED] = { .type = NLA_FLAG, },
303 	[NL80211_FTM_RESP_ATTR_LCI] = { .type = NLA_BINARY,
304 					.len = U8_MAX },
305 	[NL80211_FTM_RESP_ATTR_CIVICLOC] = { .type = NLA_BINARY,
306 					     .len = U8_MAX },
307 };
308 
309 static const struct nla_policy
310 nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
311 	[NL80211_PMSR_FTM_REQ_ATTR_ASAP] = { .type = NLA_FLAG },
312 	[NL80211_PMSR_FTM_REQ_ATTR_PREAMBLE] = { .type = NLA_U32 },
313 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
314 		NLA_POLICY_MAX(NLA_U8, 15),
315 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
316 	[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
317 		NLA_POLICY_MAX(NLA_U8, 15),
318 	[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
319 		NLA_POLICY_MAX(NLA_U8, 31),
320 	[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
321 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
322 	[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
323 	[NL80211_PMSR_FTM_REQ_ATTR_TRIGGER_BASED] = { .type = NLA_FLAG },
324 	[NL80211_PMSR_FTM_REQ_ATTR_NON_TRIGGER_BASED] = { .type = NLA_FLAG },
325 	[NL80211_PMSR_FTM_REQ_ATTR_LMR_FEEDBACK] = { .type = NLA_FLAG },
326 };
327 
328 static const struct nla_policy
329 nl80211_pmsr_req_data_policy[NL80211_PMSR_TYPE_MAX + 1] = {
330 	[NL80211_PMSR_TYPE_FTM] =
331 		NLA_POLICY_NESTED(nl80211_pmsr_ftm_req_attr_policy),
332 };
333 
334 static const struct nla_policy
335 nl80211_pmsr_req_attr_policy[NL80211_PMSR_REQ_ATTR_MAX + 1] = {
336 	[NL80211_PMSR_REQ_ATTR_DATA] =
337 		NLA_POLICY_NESTED(nl80211_pmsr_req_data_policy),
338 	[NL80211_PMSR_REQ_ATTR_GET_AP_TSF] = { .type = NLA_FLAG },
339 };
340 
341 static const struct nla_policy
342 nl80211_pmsr_peer_attr_policy[NL80211_PMSR_PEER_ATTR_MAX + 1] = {
343 	[NL80211_PMSR_PEER_ATTR_ADDR] = NLA_POLICY_ETH_ADDR,
344 	[NL80211_PMSR_PEER_ATTR_CHAN] = NLA_POLICY_NESTED(nl80211_policy),
345 	[NL80211_PMSR_PEER_ATTR_REQ] =
346 		NLA_POLICY_NESTED(nl80211_pmsr_req_attr_policy),
347 	[NL80211_PMSR_PEER_ATTR_RESP] = { .type = NLA_REJECT },
348 };
349 
350 static const struct nla_policy
351 nl80211_pmsr_attr_policy[NL80211_PMSR_ATTR_MAX + 1] = {
352 	[NL80211_PMSR_ATTR_MAX_PEERS] = { .type = NLA_REJECT },
353 	[NL80211_PMSR_ATTR_REPORT_AP_TSF] = { .type = NLA_REJECT },
354 	[NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR] = { .type = NLA_REJECT },
355 	[NL80211_PMSR_ATTR_TYPE_CAPA] = { .type = NLA_REJECT },
356 	[NL80211_PMSR_ATTR_PEERS] =
357 		NLA_POLICY_NESTED_ARRAY(nl80211_pmsr_peer_attr_policy),
358 };
359 
360 static const struct nla_policy
361 he_obss_pd_policy[NL80211_HE_OBSS_PD_ATTR_MAX + 1] = {
362 	[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET] =
363 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
364 	[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET] =
365 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
366 	[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET] =
367 		NLA_POLICY_RANGE(NLA_U8, 1, 20),
368 	[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP] =
369 		NLA_POLICY_EXACT_LEN(8),
370 	[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP] =
371 		NLA_POLICY_EXACT_LEN(8),
372 	[NL80211_HE_OBSS_PD_ATTR_SR_CTRL] = { .type = NLA_U8 },
373 };
374 
375 static const struct nla_policy
376 he_bss_color_policy[NL80211_HE_BSS_COLOR_ATTR_MAX + 1] = {
377 	[NL80211_HE_BSS_COLOR_ATTR_COLOR] = NLA_POLICY_RANGE(NLA_U8, 1, 63),
378 	[NL80211_HE_BSS_COLOR_ATTR_DISABLED] = { .type = NLA_FLAG },
379 	[NL80211_HE_BSS_COLOR_ATTR_PARTIAL] = { .type = NLA_FLAG },
380 };
381 
382 static const struct nla_policy nl80211_txattr_policy[NL80211_TXRATE_MAX + 1] = {
383 	[NL80211_TXRATE_LEGACY] = { .type = NLA_BINARY,
384 				    .len = NL80211_MAX_SUPP_RATES },
385 	[NL80211_TXRATE_HT] = { .type = NLA_BINARY,
386 				.len = NL80211_MAX_SUPP_HT_RATES },
387 	[NL80211_TXRATE_VHT] = NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_txrate_vht)),
388 	[NL80211_TXRATE_GI] = { .type = NLA_U8 },
389 	[NL80211_TXRATE_HE] = NLA_POLICY_EXACT_LEN(sizeof(struct nl80211_txrate_he)),
390 	[NL80211_TXRATE_HE_GI] =  NLA_POLICY_RANGE(NLA_U8,
391 						   NL80211_RATE_INFO_HE_GI_0_8,
392 						   NL80211_RATE_INFO_HE_GI_3_2),
393 	[NL80211_TXRATE_HE_LTF] = NLA_POLICY_RANGE(NLA_U8,
394 						   NL80211_RATE_INFO_HE_1XLTF,
395 						   NL80211_RATE_INFO_HE_4XLTF),
396 };
397 
398 static const struct nla_policy
399 nl80211_tid_config_attr_policy[NL80211_TID_CONFIG_ATTR_MAX + 1] = {
400 	[NL80211_TID_CONFIG_ATTR_VIF_SUPP] = { .type = NLA_U64 },
401 	[NL80211_TID_CONFIG_ATTR_PEER_SUPP] = { .type = NLA_U64 },
402 	[NL80211_TID_CONFIG_ATTR_OVERRIDE] = { .type = NLA_FLAG },
403 	[NL80211_TID_CONFIG_ATTR_TIDS] = NLA_POLICY_RANGE(NLA_U16, 1, 0xff),
404 	[NL80211_TID_CONFIG_ATTR_NOACK] =
405 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
406 	[NL80211_TID_CONFIG_ATTR_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
407 	[NL80211_TID_CONFIG_ATTR_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
408 	[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL] =
409 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
410 	[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL] =
411 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
412 	[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL] =
413 			NLA_POLICY_MAX(NLA_U8, NL80211_TID_CONFIG_DISABLE),
414 	[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE] =
415 			NLA_POLICY_MAX(NLA_U8, NL80211_TX_RATE_FIXED),
416 	[NL80211_TID_CONFIG_ATTR_TX_RATE] =
417 			NLA_POLICY_NESTED(nl80211_txattr_policy),
418 };
419 
420 static const struct nla_policy
421 nl80211_fils_discovery_policy[NL80211_FILS_DISCOVERY_ATTR_MAX + 1] = {
422 	[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] = NLA_POLICY_MAX(NLA_U32, 10000),
423 	[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] = NLA_POLICY_MAX(NLA_U32, 10000),
424 	[NL80211_FILS_DISCOVERY_ATTR_TMPL] =
425 			NLA_POLICY_RANGE(NLA_BINARY,
426 					 NL80211_FILS_DISCOVERY_TMPL_MIN_LEN,
427 					 IEEE80211_MAX_DATA_LEN),
428 };
429 
430 static const struct nla_policy
431 nl80211_unsol_bcast_probe_resp_policy[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1] = {
432 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] = NLA_POLICY_MAX(NLA_U32, 20),
433 	[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL] = { .type = NLA_BINARY,
434 						       .len = IEEE80211_MAX_DATA_LEN }
435 };
436 
437 static const struct nla_policy
438 sar_specs_policy[NL80211_SAR_ATTR_SPECS_MAX + 1] = {
439 	[NL80211_SAR_ATTR_SPECS_POWER] = { .type = NLA_S32 },
440 	[NL80211_SAR_ATTR_SPECS_RANGE_INDEX] = {.type = NLA_U32 },
441 };
442 
443 static const struct nla_policy
444 sar_policy[NL80211_SAR_ATTR_MAX + 1] = {
445 	[NL80211_SAR_ATTR_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_SAR_TYPE),
446 	[NL80211_SAR_ATTR_SPECS] = NLA_POLICY_NESTED_ARRAY(sar_specs_policy),
447 };
448 
449 static const struct nla_policy
450 nl80211_mbssid_config_policy[NL80211_MBSSID_CONFIG_ATTR_MAX + 1] = {
451 	[NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES] = NLA_POLICY_MIN(NLA_U8, 2),
452 	[NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY] =
453 						NLA_POLICY_MIN(NLA_U8, 1),
454 	[NL80211_MBSSID_CONFIG_ATTR_INDEX] = { .type = NLA_U8 },
455 	[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX] = { .type = NLA_U32 },
456 	[NL80211_MBSSID_CONFIG_ATTR_EMA] = { .type = NLA_FLAG },
457 };
458 
459 static const struct nla_policy
460 nl80211_sta_wme_policy[NL80211_STA_WME_MAX + 1] = {
461 	[NL80211_STA_WME_UAPSD_QUEUES] = { .type = NLA_U8 },
462 	[NL80211_STA_WME_MAX_SP] = { .type = NLA_U8 },
463 };
464 
465 static struct netlink_range_validation nl80211_punct_bitmap_range = {
466 	.min = 0,
467 	.max = 0xffff,
468 };
469 
470 static const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
471 	[0] = { .strict_start_type = NL80211_ATTR_HE_OBSS_PD },
472 	[NL80211_ATTR_WIPHY] = { .type = NLA_U32 },
473 	[NL80211_ATTR_WIPHY_NAME] = { .type = NLA_NUL_STRING,
474 				      .len = 20-1 },
475 	[NL80211_ATTR_WIPHY_TXQ_PARAMS] = { .type = NLA_NESTED },
476 
477 	[NL80211_ATTR_WIPHY_FREQ] = { .type = NLA_U32 },
478 	[NL80211_ATTR_WIPHY_CHANNEL_TYPE] = { .type = NLA_U32 },
479 	[NL80211_ATTR_WIPHY_EDMG_CHANNELS] = NLA_POLICY_RANGE(NLA_U8,
480 						NL80211_EDMG_CHANNELS_MIN,
481 						NL80211_EDMG_CHANNELS_MAX),
482 	[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG] = NLA_POLICY_RANGE(NLA_U8,
483 						NL80211_EDMG_BW_CONFIG_MIN,
484 						NL80211_EDMG_BW_CONFIG_MAX),
485 
486 	[NL80211_ATTR_CHANNEL_WIDTH] = { .type = NLA_U32 },
487 	[NL80211_ATTR_CENTER_FREQ1] = { .type = NLA_U32 },
488 	[NL80211_ATTR_CENTER_FREQ1_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
489 	[NL80211_ATTR_CENTER_FREQ2] = { .type = NLA_U32 },
490 
491 	[NL80211_ATTR_WIPHY_RETRY_SHORT] = NLA_POLICY_MIN(NLA_U8, 1),
492 	[NL80211_ATTR_WIPHY_RETRY_LONG] = NLA_POLICY_MIN(NLA_U8, 1),
493 	[NL80211_ATTR_WIPHY_FRAG_THRESHOLD] = { .type = NLA_U32 },
494 	[NL80211_ATTR_WIPHY_RTS_THRESHOLD] = { .type = NLA_U32 },
495 	[NL80211_ATTR_WIPHY_COVERAGE_CLASS] = { .type = NLA_U8 },
496 	[NL80211_ATTR_WIPHY_DYN_ACK] = { .type = NLA_FLAG },
497 
498 	[NL80211_ATTR_IFTYPE] = NLA_POLICY_MAX(NLA_U32, NL80211_IFTYPE_MAX),
499 	[NL80211_ATTR_IFINDEX] = { .type = NLA_U32 },
500 	[NL80211_ATTR_IFNAME] = { .type = NLA_NUL_STRING, .len = IFNAMSIZ-1 },
501 
502 	[NL80211_ATTR_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
503 	[NL80211_ATTR_PREV_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
504 
505 	[NL80211_ATTR_KEY] = { .type = NLA_NESTED, },
506 	[NL80211_ATTR_KEY_DATA] = { .type = NLA_BINARY,
507 				    .len = WLAN_MAX_KEY_LEN },
508 	[NL80211_ATTR_KEY_IDX] = NLA_POLICY_MAX(NLA_U8, 7),
509 	[NL80211_ATTR_KEY_CIPHER] = { .type = NLA_U32 },
510 	[NL80211_ATTR_KEY_DEFAULT] = { .type = NLA_FLAG },
511 	[NL80211_ATTR_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
512 	[NL80211_ATTR_KEY_TYPE] =
513 		NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES),
514 
515 	[NL80211_ATTR_BEACON_INTERVAL] = { .type = NLA_U32 },
516 	[NL80211_ATTR_DTIM_PERIOD] = { .type = NLA_U32 },
517 	[NL80211_ATTR_BEACON_HEAD] =
518 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_beacon_head,
519 				       IEEE80211_MAX_DATA_LEN),
520 	[NL80211_ATTR_BEACON_TAIL] =
521 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
522 				       IEEE80211_MAX_DATA_LEN),
523 	[NL80211_ATTR_STA_AID] =
524 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
525 	[NL80211_ATTR_STA_FLAGS] = { .type = NLA_NESTED },
526 	[NL80211_ATTR_STA_LISTEN_INTERVAL] = { .type = NLA_U16 },
527 	[NL80211_ATTR_STA_SUPPORTED_RATES] = { .type = NLA_BINARY,
528 					       .len = NL80211_MAX_SUPP_RATES },
529 	[NL80211_ATTR_STA_PLINK_ACTION] =
530 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_ACTIONS - 1),
531 	[NL80211_ATTR_STA_TX_POWER_SETTING] =
532 		NLA_POLICY_RANGE(NLA_U8,
533 				 NL80211_TX_POWER_AUTOMATIC,
534 				 NL80211_TX_POWER_FIXED),
535 	[NL80211_ATTR_STA_TX_POWER] = { .type = NLA_S16 },
536 	[NL80211_ATTR_STA_VLAN] = { .type = NLA_U32 },
537 	[NL80211_ATTR_MNTR_FLAGS] = { /* NLA_NESTED can't be empty */ },
538 	[NL80211_ATTR_MESH_ID] = { .type = NLA_BINARY,
539 				   .len = IEEE80211_MAX_MESH_ID_LEN },
540 	[NL80211_ATTR_MPATH_NEXT_HOP] = NLA_POLICY_ETH_ADDR_COMPAT,
541 
542 	/* allow 3 for NUL-termination, we used to declare this NLA_STRING */
543 	[NL80211_ATTR_REG_ALPHA2] = NLA_POLICY_RANGE(NLA_BINARY, 2, 3),
544 	[NL80211_ATTR_REG_RULES] = { .type = NLA_NESTED },
545 
546 	[NL80211_ATTR_BSS_CTS_PROT] = { .type = NLA_U8 },
547 	[NL80211_ATTR_BSS_SHORT_PREAMBLE] = { .type = NLA_U8 },
548 	[NL80211_ATTR_BSS_SHORT_SLOT_TIME] = { .type = NLA_U8 },
549 	[NL80211_ATTR_BSS_BASIC_RATES] = { .type = NLA_BINARY,
550 					   .len = NL80211_MAX_SUPP_RATES },
551 	[NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
552 
553 	[NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
554 	[NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
555 
556 	[NL80211_ATTR_HT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_HT_CAPABILITY_LEN),
557 
558 	[NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
559 	[NL80211_ATTR_IE] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
560 						   validate_ie_attr,
561 						   IEEE80211_MAX_DATA_LEN),
562 	[NL80211_ATTR_SCAN_FREQUENCIES] = { .type = NLA_NESTED },
563 	[NL80211_ATTR_SCAN_SSIDS] = { .type = NLA_NESTED },
564 
565 	[NL80211_ATTR_SSID] = { .type = NLA_BINARY,
566 				.len = IEEE80211_MAX_SSID_LEN },
567 	[NL80211_ATTR_AUTH_TYPE] = { .type = NLA_U32 },
568 	[NL80211_ATTR_REASON_CODE] = { .type = NLA_U16 },
569 	[NL80211_ATTR_FREQ_FIXED] = { .type = NLA_FLAG },
570 	[NL80211_ATTR_TIMED_OUT] = { .type = NLA_FLAG },
571 	[NL80211_ATTR_USE_MFP] = NLA_POLICY_RANGE(NLA_U32,
572 						  NL80211_MFP_NO,
573 						  NL80211_MFP_OPTIONAL),
574 	[NL80211_ATTR_STA_FLAGS2] =
575 		NLA_POLICY_EXACT_LEN_WARN(sizeof(struct nl80211_sta_flag_update)),
576 	[NL80211_ATTR_CONTROL_PORT] = { .type = NLA_FLAG },
577 	[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
578 	[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
579 	[NL80211_ATTR_CONTROL_PORT_OVER_NL80211] = { .type = NLA_FLAG },
580 	[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
581 	[NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 },
582 	[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
583 	[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
584 	[NL80211_ATTR_PID] = { .type = NLA_U32 },
585 	[NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
586 	[NL80211_ATTR_PMKID] = NLA_POLICY_EXACT_LEN_WARN(WLAN_PMKID_LEN),
587 	[NL80211_ATTR_DURATION] = { .type = NLA_U32 },
588 	[NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
589 	[NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
590 	[NL80211_ATTR_FRAME] = { .type = NLA_BINARY,
591 				 .len = IEEE80211_MAX_DATA_LEN },
592 	[NL80211_ATTR_FRAME_MATCH] = { .type = NLA_BINARY, },
593 	[NL80211_ATTR_PS_STATE] = NLA_POLICY_RANGE(NLA_U32,
594 						   NL80211_PS_DISABLED,
595 						   NL80211_PS_ENABLED),
596 	[NL80211_ATTR_CQM] = { .type = NLA_NESTED, },
597 	[NL80211_ATTR_LOCAL_STATE_CHANGE] = { .type = NLA_FLAG },
598 	[NL80211_ATTR_AP_ISOLATE] = { .type = NLA_U8 },
599 	[NL80211_ATTR_WIPHY_TX_POWER_SETTING] = { .type = NLA_U32 },
600 	[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] = { .type = NLA_U32 },
601 	[NL80211_ATTR_FRAME_TYPE] = { .type = NLA_U16 },
602 	[NL80211_ATTR_WIPHY_ANTENNA_TX] = { .type = NLA_U32 },
603 	[NL80211_ATTR_WIPHY_ANTENNA_RX] = { .type = NLA_U32 },
604 	[NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
605 	[NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
606 	[NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
607 	[NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
608 	[NL80211_ATTR_STA_PLINK_STATE] =
609 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_PLINK_STATES - 1),
610 	[NL80211_ATTR_MEASUREMENT_DURATION] = { .type = NLA_U16 },
611 	[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY] = { .type = NLA_FLAG },
612 	[NL80211_ATTR_MESH_PEER_AID] =
613 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
614 	[NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
615 	[NL80211_ATTR_REKEY_DATA] = { .type = NLA_NESTED },
616 	[NL80211_ATTR_SCAN_SUPP_RATES] = { .type = NLA_NESTED },
617 	[NL80211_ATTR_HIDDEN_SSID] =
618 		NLA_POLICY_RANGE(NLA_U32,
619 				 NL80211_HIDDEN_SSID_NOT_IN_USE,
620 				 NL80211_HIDDEN_SSID_ZERO_CONTENTS),
621 	[NL80211_ATTR_IE_PROBE_RESP] =
622 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
623 				       IEEE80211_MAX_DATA_LEN),
624 	[NL80211_ATTR_IE_ASSOC_RESP] =
625 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
626 				       IEEE80211_MAX_DATA_LEN),
627 	[NL80211_ATTR_ROAM_SUPPORT] = { .type = NLA_FLAG },
628 	[NL80211_ATTR_STA_WME] = NLA_POLICY_NESTED(nl80211_sta_wme_policy),
629 	[NL80211_ATTR_SCHED_SCAN_MATCH] = { .type = NLA_NESTED },
630 	[NL80211_ATTR_TX_NO_CCK_RATE] = { .type = NLA_FLAG },
631 	[NL80211_ATTR_TDLS_ACTION] = { .type = NLA_U8 },
632 	[NL80211_ATTR_TDLS_DIALOG_TOKEN] = { .type = NLA_U8 },
633 	[NL80211_ATTR_TDLS_OPERATION] = { .type = NLA_U8 },
634 	[NL80211_ATTR_TDLS_SUPPORT] = { .type = NLA_FLAG },
635 	[NL80211_ATTR_TDLS_EXTERNAL_SETUP] = { .type = NLA_FLAG },
636 	[NL80211_ATTR_TDLS_INITIATOR] = { .type = NLA_FLAG },
637 	[NL80211_ATTR_DONT_WAIT_FOR_ACK] = { .type = NLA_FLAG },
638 	[NL80211_ATTR_PROBE_RESP] = { .type = NLA_BINARY,
639 				      .len = IEEE80211_MAX_DATA_LEN },
640 	[NL80211_ATTR_DFS_REGION] = { .type = NLA_U8 },
641 	[NL80211_ATTR_DISABLE_HT] = { .type = NLA_FLAG },
642 	[NL80211_ATTR_HT_CAPABILITY_MASK] = {
643 		.len = NL80211_HT_CAPABILITY_LEN
644 	},
645 	[NL80211_ATTR_NOACK_MAP] = { .type = NLA_U16 },
646 	[NL80211_ATTR_INACTIVITY_TIMEOUT] = { .type = NLA_U16 },
647 	[NL80211_ATTR_BG_SCAN_PERIOD] = { .type = NLA_U16 },
648 	[NL80211_ATTR_WDEV] = { .type = NLA_U64 },
649 	[NL80211_ATTR_USER_REG_HINT_TYPE] = { .type = NLA_U32 },
650 
651 	/* need to include at least Auth Transaction and Status Code */
652 	[NL80211_ATTR_AUTH_DATA] = NLA_POLICY_MIN_LEN(4),
653 
654 	[NL80211_ATTR_VHT_CAPABILITY] = NLA_POLICY_EXACT_LEN_WARN(NL80211_VHT_CAPABILITY_LEN),
655 	[NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
656 	[NL80211_ATTR_P2P_CTWINDOW] = NLA_POLICY_MAX(NLA_U8, 127),
657 	[NL80211_ATTR_P2P_OPPPS] = NLA_POLICY_MAX(NLA_U8, 1),
658 	[NL80211_ATTR_LOCAL_MESH_POWER_MODE] =
659 		NLA_POLICY_RANGE(NLA_U32,
660 				 NL80211_MESH_POWER_UNKNOWN + 1,
661 				 NL80211_MESH_POWER_MAX),
662 	[NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
663 	[NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
664 	[NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
665 	[NL80211_ATTR_STA_EXT_CAPABILITY] = { .type = NLA_BINARY, },
666 	[NL80211_ATTR_SPLIT_WIPHY_DUMP] = { .type = NLA_FLAG, },
667 	[NL80211_ATTR_DISABLE_VHT] = { .type = NLA_FLAG },
668 	[NL80211_ATTR_VHT_CAPABILITY_MASK] = {
669 		.len = NL80211_VHT_CAPABILITY_LEN,
670 	},
671 	[NL80211_ATTR_MDID] = { .type = NLA_U16 },
672 	[NL80211_ATTR_IE_RIC] = { .type = NLA_BINARY,
673 				  .len = IEEE80211_MAX_DATA_LEN },
674 	[NL80211_ATTR_CRIT_PROT_ID] = { .type = NLA_U16 },
675 	[NL80211_ATTR_MAX_CRIT_PROT_DURATION] =
676 		NLA_POLICY_MAX(NLA_U16, NL80211_CRIT_PROTO_MAX_DURATION),
677 	[NL80211_ATTR_PEER_AID] =
678 		NLA_POLICY_RANGE(NLA_U16, 1, IEEE80211_MAX_AID),
679 	[NL80211_ATTR_CH_SWITCH_COUNT] = { .type = NLA_U32 },
680 	[NL80211_ATTR_CH_SWITCH_BLOCK_TX] = { .type = NLA_FLAG },
681 	[NL80211_ATTR_CSA_IES] = { .type = NLA_NESTED },
682 	[NL80211_ATTR_CNTDWN_OFFS_BEACON] = { .type = NLA_BINARY },
683 	[NL80211_ATTR_CNTDWN_OFFS_PRESP] = { .type = NLA_BINARY },
684 	[NL80211_ATTR_STA_SUPPORTED_CHANNELS] = NLA_POLICY_MIN_LEN(2),
685 	/*
686 	 * The value of the Length field of the Supported Operating
687 	 * Classes element is between 2 and 253.
688 	 */
689 	[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES] =
690 		NLA_POLICY_RANGE(NLA_BINARY, 2, 253),
691 	[NL80211_ATTR_HANDLE_DFS] = { .type = NLA_FLAG },
692 	[NL80211_ATTR_OPMODE_NOTIF] = { .type = NLA_U8 },
693 	[NL80211_ATTR_VENDOR_ID] = { .type = NLA_U32 },
694 	[NL80211_ATTR_VENDOR_SUBCMD] = { .type = NLA_U32 },
695 	[NL80211_ATTR_VENDOR_DATA] = { .type = NLA_BINARY },
696 	[NL80211_ATTR_QOS_MAP] = NLA_POLICY_RANGE(NLA_BINARY,
697 						  IEEE80211_QOS_MAP_LEN_MIN,
698 						  IEEE80211_QOS_MAP_LEN_MAX),
699 	[NL80211_ATTR_MAC_HINT] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
700 	[NL80211_ATTR_WIPHY_FREQ_HINT] = { .type = NLA_U32 },
701 	[NL80211_ATTR_TDLS_PEER_CAPABILITY] = { .type = NLA_U32 },
702 	[NL80211_ATTR_SOCKET_OWNER] = { .type = NLA_FLAG },
703 	[NL80211_ATTR_CSA_C_OFFSETS_TX] = { .type = NLA_BINARY },
704 	[NL80211_ATTR_USE_RRM] = { .type = NLA_FLAG },
705 	[NL80211_ATTR_TSID] = NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_TIDS - 1),
706 	[NL80211_ATTR_USER_PRIO] =
707 		NLA_POLICY_MAX(NLA_U8, IEEE80211_NUM_UPS - 1),
708 	[NL80211_ATTR_ADMITTED_TIME] = { .type = NLA_U16 },
709 	[NL80211_ATTR_SMPS_MODE] = { .type = NLA_U8 },
710 	[NL80211_ATTR_OPER_CLASS] = { .type = NLA_U8 },
711 	[NL80211_ATTR_MAC_MASK] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
712 	[NL80211_ATTR_WIPHY_SELF_MANAGED_REG] = { .type = NLA_FLAG },
713 	[NL80211_ATTR_NETNS_FD] = { .type = NLA_U32 },
714 	[NL80211_ATTR_SCHED_SCAN_DELAY] = { .type = NLA_U32 },
715 	[NL80211_ATTR_REG_INDOOR] = { .type = NLA_FLAG },
716 	[NL80211_ATTR_PBSS] = { .type = NLA_FLAG },
717 	[NL80211_ATTR_BSS_SELECT] = { .type = NLA_NESTED },
718 	[NL80211_ATTR_STA_SUPPORT_P2P_PS] =
719 		NLA_POLICY_MAX(NLA_U8, NUM_NL80211_P2P_PS_STATUS - 1),
720 	[NL80211_ATTR_MU_MIMO_GROUP_DATA] = {
721 		.len = VHT_MUMIMO_GROUPS_DATA_LEN
722 	},
723 	[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
724 	[NL80211_ATTR_NAN_MASTER_PREF] = NLA_POLICY_MIN(NLA_U8, 1),
725 	[NL80211_ATTR_BANDS] = { .type = NLA_U32 },
726 	[NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
727 	[NL80211_ATTR_FILS_KEK] = { .type = NLA_BINARY,
728 				    .len = FILS_MAX_KEK_LEN },
729 	[NL80211_ATTR_FILS_NONCES] = NLA_POLICY_EXACT_LEN_WARN(2 * FILS_NONCE_LEN),
730 	[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED] = { .type = NLA_FLAG, },
731 	[NL80211_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
732 	[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] = { .type = NLA_S8 },
733 	[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST] = {
734 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
735 	},
736 	[NL80211_ATTR_TIMEOUT_REASON] = { .type = NLA_U32 },
737 	[NL80211_ATTR_FILS_ERP_USERNAME] = { .type = NLA_BINARY,
738 					     .len = FILS_ERP_MAX_USERNAME_LEN },
739 	[NL80211_ATTR_FILS_ERP_REALM] = { .type = NLA_BINARY,
740 					  .len = FILS_ERP_MAX_REALM_LEN },
741 	[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] = { .type = NLA_U16 },
742 	[NL80211_ATTR_FILS_ERP_RRK] = { .type = NLA_BINARY,
743 					.len = FILS_ERP_MAX_RRK_LEN },
744 	[NL80211_ATTR_FILS_CACHE_ID] = NLA_POLICY_EXACT_LEN_WARN(2),
745 	[NL80211_ATTR_PMK] = { .type = NLA_BINARY, .len = PMK_MAX_LEN },
746 	[NL80211_ATTR_PMKR0_NAME] = NLA_POLICY_EXACT_LEN(WLAN_PMK_NAME_LEN),
747 	[NL80211_ATTR_SCHED_SCAN_MULTI] = { .type = NLA_FLAG },
748 	[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT] = { .type = NLA_FLAG },
749 
750 	[NL80211_ATTR_TXQ_LIMIT] = { .type = NLA_U32 },
751 	[NL80211_ATTR_TXQ_MEMORY_LIMIT] = { .type = NLA_U32 },
752 	[NL80211_ATTR_TXQ_QUANTUM] = { .type = NLA_U32 },
753 	[NL80211_ATTR_HE_CAPABILITY] =
754 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_he_capa,
755 				       NL80211_HE_MAX_CAPABILITY_LEN),
756 	[NL80211_ATTR_FTM_RESPONDER] =
757 		NLA_POLICY_NESTED(nl80211_ftm_responder_policy),
758 	[NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
759 	[NL80211_ATTR_PEER_MEASUREMENTS] =
760 		NLA_POLICY_NESTED(nl80211_pmsr_attr_policy),
761 	[NL80211_ATTR_AIRTIME_WEIGHT] = NLA_POLICY_MIN(NLA_U16, 1),
762 	[NL80211_ATTR_SAE_PASSWORD] = { .type = NLA_BINARY,
763 					.len = SAE_PASSWORD_MAX_LEN },
764 	[NL80211_ATTR_TWT_RESPONDER] = { .type = NLA_FLAG },
765 	[NL80211_ATTR_HE_OBSS_PD] = NLA_POLICY_NESTED(he_obss_pd_policy),
766 	[NL80211_ATTR_VLAN_ID] = NLA_POLICY_RANGE(NLA_U16, 1, VLAN_N_VID - 2),
767 	[NL80211_ATTR_HE_BSS_COLOR] = NLA_POLICY_NESTED(he_bss_color_policy),
768 	[NL80211_ATTR_TID_CONFIG] =
769 		NLA_POLICY_NESTED_ARRAY(nl80211_tid_config_attr_policy),
770 	[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH] = { .type = NLA_FLAG },
771 	[NL80211_ATTR_PMK_LIFETIME] = NLA_POLICY_MIN(NLA_U32, 1),
772 	[NL80211_ATTR_PMK_REAUTH_THRESHOLD] = NLA_POLICY_RANGE(NLA_U8, 1, 100),
773 	[NL80211_ATTR_RECEIVE_MULTICAST] = { .type = NLA_FLAG },
774 	[NL80211_ATTR_WIPHY_FREQ_OFFSET] = NLA_POLICY_RANGE(NLA_U32, 0, 999),
775 	[NL80211_ATTR_SCAN_FREQ_KHZ] = { .type = NLA_NESTED },
776 	[NL80211_ATTR_HE_6GHZ_CAPABILITY] =
777 		NLA_POLICY_EXACT_LEN(sizeof(struct ieee80211_he_6ghz_capa)),
778 	[NL80211_ATTR_FILS_DISCOVERY] =
779 		NLA_POLICY_NESTED(nl80211_fils_discovery_policy),
780 	[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP] =
781 		NLA_POLICY_NESTED(nl80211_unsol_bcast_probe_resp_policy),
782 	[NL80211_ATTR_S1G_CAPABILITY] =
783 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
784 	[NL80211_ATTR_S1G_CAPABILITY_MASK] =
785 		NLA_POLICY_EXACT_LEN(IEEE80211_S1G_CAPABILITY_LEN),
786 	[NL80211_ATTR_SAE_PWE] =
787 		NLA_POLICY_RANGE(NLA_U8, NL80211_SAE_PWE_HUNT_AND_PECK,
788 				 NL80211_SAE_PWE_BOTH),
789 	[NL80211_ATTR_RECONNECT_REQUESTED] = { .type = NLA_REJECT },
790 	[NL80211_ATTR_SAR_SPEC] = NLA_POLICY_NESTED(sar_policy),
791 	[NL80211_ATTR_DISABLE_HE] = { .type = NLA_FLAG },
792 	[NL80211_ATTR_OBSS_COLOR_BITMAP] = { .type = NLA_U64 },
793 	[NL80211_ATTR_COLOR_CHANGE_COUNT] = { .type = NLA_U8 },
794 	[NL80211_ATTR_COLOR_CHANGE_COLOR] = { .type = NLA_U8 },
795 	[NL80211_ATTR_COLOR_CHANGE_ELEMS] = NLA_POLICY_NESTED(nl80211_policy),
796 	[NL80211_ATTR_MBSSID_CONFIG] =
797 			NLA_POLICY_NESTED(nl80211_mbssid_config_policy),
798 	[NL80211_ATTR_MBSSID_ELEMS] = { .type = NLA_NESTED },
799 	[NL80211_ATTR_RADAR_BACKGROUND] = { .type = NLA_FLAG },
800 	[NL80211_ATTR_AP_SETTINGS_FLAGS] = { .type = NLA_U32 },
801 	[NL80211_ATTR_EHT_CAPABILITY] =
802 		NLA_POLICY_RANGE(NLA_BINARY,
803 				 NL80211_EHT_MIN_CAPABILITY_LEN,
804 				 NL80211_EHT_MAX_CAPABILITY_LEN),
805 	[NL80211_ATTR_DISABLE_EHT] = { .type = NLA_FLAG },
806 	[NL80211_ATTR_MLO_LINKS] =
807 		NLA_POLICY_NESTED_ARRAY(nl80211_policy),
808 	[NL80211_ATTR_MLO_LINK_ID] =
809 		NLA_POLICY_RANGE(NLA_U8, 0, IEEE80211_MLD_MAX_NUM_LINKS),
810 	[NL80211_ATTR_MLD_ADDR] = NLA_POLICY_EXACT_LEN(ETH_ALEN),
811 	[NL80211_ATTR_MLO_SUPPORT] = { .type = NLA_FLAG },
812 	[NL80211_ATTR_MAX_NUM_AKM_SUITES] = { .type = NLA_REJECT },
813 	[NL80211_ATTR_PUNCT_BITMAP] =
814 		NLA_POLICY_FULL_RANGE(NLA_U32, &nl80211_punct_bitmap_range),
815 
816 	[NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS] = { .type = NLA_U16 },
817 	[NL80211_ATTR_HW_TIMESTAMP_ENABLED] = { .type = NLA_FLAG },
818 	[NL80211_ATTR_EMA_RNR_ELEMS] = { .type = NLA_NESTED },
819 	[NL80211_ATTR_MLO_LINK_DISABLED] = { .type = NLA_FLAG },
820 };
821 
822 /* policy for the key attributes */
823 static const struct nla_policy nl80211_key_policy[NL80211_KEY_MAX + 1] = {
824 	[NL80211_KEY_DATA] = { .type = NLA_BINARY, .len = WLAN_MAX_KEY_LEN },
825 	[NL80211_KEY_IDX] = { .type = NLA_U8 },
826 	[NL80211_KEY_CIPHER] = { .type = NLA_U32 },
827 	[NL80211_KEY_SEQ] = { .type = NLA_BINARY, .len = 16 },
828 	[NL80211_KEY_DEFAULT] = { .type = NLA_FLAG },
829 	[NL80211_KEY_DEFAULT_MGMT] = { .type = NLA_FLAG },
830 	[NL80211_KEY_TYPE] = NLA_POLICY_MAX(NLA_U32, NUM_NL80211_KEYTYPES - 1),
831 	[NL80211_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
832 	[NL80211_KEY_MODE] = NLA_POLICY_RANGE(NLA_U8, 0, NL80211_KEY_SET_TX),
833 };
834 
835 /* policy for the key default flags */
836 static const struct nla_policy
837 nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
838 	[NL80211_KEY_DEFAULT_TYPE_UNICAST] = { .type = NLA_FLAG },
839 	[NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
840 };
841 
842 #ifdef CONFIG_PM
843 /* policy for WoWLAN attributes */
844 static const struct nla_policy
845 nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
846 	[NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
847 	[NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
848 	[NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
849 	[NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
850 	[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE] = { .type = NLA_FLAG },
851 	[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST] = { .type = NLA_FLAG },
852 	[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE] = { .type = NLA_FLAG },
853 	[NL80211_WOWLAN_TRIG_RFKILL_RELEASE] = { .type = NLA_FLAG },
854 	[NL80211_WOWLAN_TRIG_TCP_CONNECTION] = { .type = NLA_NESTED },
855 	[NL80211_WOWLAN_TRIG_NET_DETECT] = { .type = NLA_NESTED },
856 };
857 
858 static const struct nla_policy
859 nl80211_wowlan_tcp_policy[NUM_NL80211_WOWLAN_TCP] = {
860 	[NL80211_WOWLAN_TCP_SRC_IPV4] = { .type = NLA_U32 },
861 	[NL80211_WOWLAN_TCP_DST_IPV4] = { .type = NLA_U32 },
862 	[NL80211_WOWLAN_TCP_DST_MAC] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
863 	[NL80211_WOWLAN_TCP_SRC_PORT] = { .type = NLA_U16 },
864 	[NL80211_WOWLAN_TCP_DST_PORT] = { .type = NLA_U16 },
865 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
866 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ] = {
867 		.len = sizeof(struct nl80211_wowlan_tcp_data_seq)
868 	},
869 	[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN] = {
870 		.len = sizeof(struct nl80211_wowlan_tcp_data_token)
871 	},
872 	[NL80211_WOWLAN_TCP_DATA_INTERVAL] = { .type = NLA_U32 },
873 	[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] = NLA_POLICY_MIN_LEN(1),
874 	[NL80211_WOWLAN_TCP_WAKE_MASK] = NLA_POLICY_MIN_LEN(1),
875 };
876 #endif /* CONFIG_PM */
877 
878 /* policy for coalesce rule attributes */
879 static const struct nla_policy
880 nl80211_coalesce_policy[NUM_NL80211_ATTR_COALESCE_RULE] = {
881 	[NL80211_ATTR_COALESCE_RULE_DELAY] = { .type = NLA_U32 },
882 	[NL80211_ATTR_COALESCE_RULE_CONDITION] =
883 		NLA_POLICY_RANGE(NLA_U32,
884 				 NL80211_COALESCE_CONDITION_MATCH,
885 				 NL80211_COALESCE_CONDITION_NO_MATCH),
886 	[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN] = { .type = NLA_NESTED },
887 };
888 
889 /* policy for GTK rekey offload attributes */
890 static const struct nla_policy
891 nl80211_rekey_policy[NUM_NL80211_REKEY_DATA] = {
892 	[NL80211_REKEY_DATA_KEK] = {
893 		.type = NLA_BINARY,
894 		.len = NL80211_KEK_EXT_LEN
895 	},
896 	[NL80211_REKEY_DATA_KCK] = {
897 		.type = NLA_BINARY,
898 		.len = NL80211_KCK_EXT_LEN_32
899 	},
900 	[NL80211_REKEY_DATA_REPLAY_CTR] = NLA_POLICY_EXACT_LEN(NL80211_REPLAY_CTR_LEN),
901 	[NL80211_REKEY_DATA_AKM] = { .type = NLA_U32 },
902 };
903 
904 static const struct nla_policy
905 nl80211_match_band_rssi_policy[NUM_NL80211_BANDS] = {
906 	[NL80211_BAND_2GHZ] = { .type = NLA_S32 },
907 	[NL80211_BAND_5GHZ] = { .type = NLA_S32 },
908 	[NL80211_BAND_6GHZ] = { .type = NLA_S32 },
909 	[NL80211_BAND_60GHZ] = { .type = NLA_S32 },
910 	[NL80211_BAND_LC]    = { .type = NLA_S32 },
911 };
912 
913 static const struct nla_policy
914 nl80211_match_policy[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1] = {
915 	[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] = { .type = NLA_BINARY,
916 						 .len = IEEE80211_MAX_SSID_LEN },
917 	[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
918 	[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI] = { .type = NLA_U32 },
919 	[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI] =
920 		NLA_POLICY_NESTED(nl80211_match_band_rssi_policy),
921 };
922 
923 static const struct nla_policy
924 nl80211_plan_policy[NL80211_SCHED_SCAN_PLAN_MAX + 1] = {
925 	[NL80211_SCHED_SCAN_PLAN_INTERVAL] = { .type = NLA_U32 },
926 	[NL80211_SCHED_SCAN_PLAN_ITERATIONS] = { .type = NLA_U32 },
927 };
928 
929 static const struct nla_policy
930 nl80211_bss_select_policy[NL80211_BSS_SELECT_ATTR_MAX + 1] = {
931 	[NL80211_BSS_SELECT_ATTR_RSSI] = { .type = NLA_FLAG },
932 	[NL80211_BSS_SELECT_ATTR_BAND_PREF] = { .type = NLA_U32 },
933 	[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST] = {
934 		.len = sizeof(struct nl80211_bss_select_rssi_adjust)
935 	},
936 };
937 
938 /* policy for NAN function attributes */
939 static const struct nla_policy
940 nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
941 	[NL80211_NAN_FUNC_TYPE] =
942 		NLA_POLICY_MAX(NLA_U8, NL80211_NAN_FUNC_MAX_TYPE),
943 	[NL80211_NAN_FUNC_SERVICE_ID] = {
944 				    .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
945 	[NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
946 	[NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
947 	[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE] = { .type = NLA_FLAG },
948 	[NL80211_NAN_FUNC_FOLLOW_UP_ID] = { .type = NLA_U8 },
949 	[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] = { .type = NLA_U8 },
950 	[NL80211_NAN_FUNC_FOLLOW_UP_DEST] = NLA_POLICY_EXACT_LEN_WARN(ETH_ALEN),
951 	[NL80211_NAN_FUNC_CLOSE_RANGE] = { .type = NLA_FLAG },
952 	[NL80211_NAN_FUNC_TTL] = { .type = NLA_U32 },
953 	[NL80211_NAN_FUNC_SERVICE_INFO] = { .type = NLA_BINARY,
954 			.len = NL80211_NAN_FUNC_SERVICE_SPEC_INFO_MAX_LEN },
955 	[NL80211_NAN_FUNC_SRF] = { .type = NLA_NESTED },
956 	[NL80211_NAN_FUNC_RX_MATCH_FILTER] = { .type = NLA_NESTED },
957 	[NL80211_NAN_FUNC_TX_MATCH_FILTER] = { .type = NLA_NESTED },
958 	[NL80211_NAN_FUNC_INSTANCE_ID] = { .type = NLA_U8 },
959 	[NL80211_NAN_FUNC_TERM_REASON] = { .type = NLA_U8 },
960 };
961 
962 /* policy for Service Response Filter attributes */
963 static const struct nla_policy
964 nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
965 	[NL80211_NAN_SRF_INCLUDE] = { .type = NLA_FLAG },
966 	[NL80211_NAN_SRF_BF] = { .type = NLA_BINARY,
967 				 .len =  NL80211_NAN_FUNC_SRF_MAX_LEN },
968 	[NL80211_NAN_SRF_BF_IDX] = { .type = NLA_U8 },
969 	[NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
970 };
971 
972 /* policy for packet pattern attributes */
973 static const struct nla_policy
974 nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
975 	[NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
976 	[NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
977 	[NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
978 };
979 
980 static int nl80211_prepare_wdev_dump(struct netlink_callback *cb,
981 				     struct cfg80211_registered_device **rdev,
982 				     struct wireless_dev **wdev,
983 				     struct nlattr **attrbuf)
984 {
985 	int err;
986 
987 	if (!cb->args[0]) {
988 		struct nlattr **attrbuf_free = NULL;
989 
990 		if (!attrbuf) {
991 			attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
992 					  GFP_KERNEL);
993 			if (!attrbuf)
994 				return -ENOMEM;
995 			attrbuf_free = attrbuf;
996 		}
997 
998 		err = nlmsg_parse_deprecated(cb->nlh,
999 					     GENL_HDRLEN + nl80211_fam.hdrsize,
1000 					     attrbuf, nl80211_fam.maxattr,
1001 					     nl80211_policy, NULL);
1002 		if (err) {
1003 			kfree(attrbuf_free);
1004 			return err;
1005 		}
1006 
1007 		rtnl_lock();
1008 		*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(cb->skb->sk),
1009 						   attrbuf);
1010 		kfree(attrbuf_free);
1011 		if (IS_ERR(*wdev)) {
1012 			rtnl_unlock();
1013 			return PTR_ERR(*wdev);
1014 		}
1015 		*rdev = wiphy_to_rdev((*wdev)->wiphy);
1016 		mutex_lock(&(*rdev)->wiphy.mtx);
1017 		rtnl_unlock();
1018 		/* 0 is the first index - add 1 to parse only once */
1019 		cb->args[0] = (*rdev)->wiphy_idx + 1;
1020 		cb->args[1] = (*wdev)->identifier;
1021 	} else {
1022 		/* subtract the 1 again here */
1023 		struct wiphy *wiphy;
1024 		struct wireless_dev *tmp;
1025 
1026 		rtnl_lock();
1027 		wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
1028 		if (!wiphy) {
1029 			rtnl_unlock();
1030 			return -ENODEV;
1031 		}
1032 		*rdev = wiphy_to_rdev(wiphy);
1033 		*wdev = NULL;
1034 
1035 		list_for_each_entry(tmp, &(*rdev)->wiphy.wdev_list, list) {
1036 			if (tmp->identifier == cb->args[1]) {
1037 				*wdev = tmp;
1038 				break;
1039 			}
1040 		}
1041 
1042 		if (!*wdev) {
1043 			rtnl_unlock();
1044 			return -ENODEV;
1045 		}
1046 		mutex_lock(&(*rdev)->wiphy.mtx);
1047 		rtnl_unlock();
1048 	}
1049 
1050 	return 0;
1051 }
1052 
1053 /* message building helper */
1054 void *nl80211hdr_put(struct sk_buff *skb, u32 portid, u32 seq,
1055 		     int flags, u8 cmd)
1056 {
1057 	/* since there is no private header just add the generic one */
1058 	return genlmsg_put(skb, portid, seq, &nl80211_fam, flags, cmd);
1059 }
1060 
1061 static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
1062 				     const struct ieee80211_reg_rule *rule)
1063 {
1064 	int j;
1065 	struct nlattr *nl_wmm_rules =
1066 		nla_nest_start_noflag(msg, NL80211_FREQUENCY_ATTR_WMM);
1067 
1068 	if (!nl_wmm_rules)
1069 		goto nla_put_failure;
1070 
1071 	for (j = 0; j < IEEE80211_NUM_ACS; j++) {
1072 		struct nlattr *nl_wmm_rule = nla_nest_start_noflag(msg, j);
1073 
1074 		if (!nl_wmm_rule)
1075 			goto nla_put_failure;
1076 
1077 		if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
1078 				rule->wmm_rule.client[j].cw_min) ||
1079 		    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
1080 				rule->wmm_rule.client[j].cw_max) ||
1081 		    nla_put_u8(msg, NL80211_WMMR_AIFSN,
1082 			       rule->wmm_rule.client[j].aifsn) ||
1083 		    nla_put_u16(msg, NL80211_WMMR_TXOP,
1084 			        rule->wmm_rule.client[j].cot))
1085 			goto nla_put_failure;
1086 
1087 		nla_nest_end(msg, nl_wmm_rule);
1088 	}
1089 	nla_nest_end(msg, nl_wmm_rules);
1090 
1091 	return 0;
1092 
1093 nla_put_failure:
1094 	return -ENOBUFS;
1095 }
1096 
1097 static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
1098 				   struct ieee80211_channel *chan,
1099 				   bool large)
1100 {
1101 	/* Some channels must be completely excluded from the
1102 	 * list to protect old user-space tools from breaking
1103 	 */
1104 	if (!large && chan->flags &
1105 	    (IEEE80211_CHAN_NO_10MHZ | IEEE80211_CHAN_NO_20MHZ))
1106 		return 0;
1107 	if (!large && chan->freq_offset)
1108 		return 0;
1109 
1110 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_FREQ,
1111 			chan->center_freq))
1112 		goto nla_put_failure;
1113 
1114 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_OFFSET, chan->freq_offset))
1115 		goto nla_put_failure;
1116 
1117 	if ((chan->flags & IEEE80211_CHAN_DISABLED) &&
1118 	    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_DISABLED))
1119 		goto nla_put_failure;
1120 	if (chan->flags & IEEE80211_CHAN_NO_IR) {
1121 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_IR))
1122 			goto nla_put_failure;
1123 		if (nla_put_flag(msg, __NL80211_FREQUENCY_ATTR_NO_IBSS))
1124 			goto nla_put_failure;
1125 	}
1126 	if (chan->flags & IEEE80211_CHAN_RADAR) {
1127 		if (nla_put_flag(msg, NL80211_FREQUENCY_ATTR_RADAR))
1128 			goto nla_put_failure;
1129 		if (large) {
1130 			u32 time;
1131 
1132 			time = elapsed_jiffies_msecs(chan->dfs_state_entered);
1133 
1134 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_STATE,
1135 					chan->dfs_state))
1136 				goto nla_put_failure;
1137 			if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_DFS_TIME,
1138 					time))
1139 				goto nla_put_failure;
1140 			if (nla_put_u32(msg,
1141 					NL80211_FREQUENCY_ATTR_DFS_CAC_TIME,
1142 					chan->dfs_cac_ms))
1143 				goto nla_put_failure;
1144 		}
1145 	}
1146 
1147 	if (large) {
1148 		if ((chan->flags & IEEE80211_CHAN_NO_HT40MINUS) &&
1149 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_MINUS))
1150 			goto nla_put_failure;
1151 		if ((chan->flags & IEEE80211_CHAN_NO_HT40PLUS) &&
1152 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HT40_PLUS))
1153 			goto nla_put_failure;
1154 		if ((chan->flags & IEEE80211_CHAN_NO_80MHZ) &&
1155 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_80MHZ))
1156 			goto nla_put_failure;
1157 		if ((chan->flags & IEEE80211_CHAN_NO_160MHZ) &&
1158 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_160MHZ))
1159 			goto nla_put_failure;
1160 		if ((chan->flags & IEEE80211_CHAN_INDOOR_ONLY) &&
1161 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_INDOOR_ONLY))
1162 			goto nla_put_failure;
1163 		if ((chan->flags & IEEE80211_CHAN_IR_CONCURRENT) &&
1164 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_IR_CONCURRENT))
1165 			goto nla_put_failure;
1166 		if ((chan->flags & IEEE80211_CHAN_NO_20MHZ) &&
1167 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_20MHZ))
1168 			goto nla_put_failure;
1169 		if ((chan->flags & IEEE80211_CHAN_NO_10MHZ) &&
1170 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_10MHZ))
1171 			goto nla_put_failure;
1172 		if ((chan->flags & IEEE80211_CHAN_NO_HE) &&
1173 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_HE))
1174 			goto nla_put_failure;
1175 		if ((chan->flags & IEEE80211_CHAN_1MHZ) &&
1176 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_1MHZ))
1177 			goto nla_put_failure;
1178 		if ((chan->flags & IEEE80211_CHAN_2MHZ) &&
1179 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_2MHZ))
1180 			goto nla_put_failure;
1181 		if ((chan->flags & IEEE80211_CHAN_4MHZ) &&
1182 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_4MHZ))
1183 			goto nla_put_failure;
1184 		if ((chan->flags & IEEE80211_CHAN_8MHZ) &&
1185 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_8MHZ))
1186 			goto nla_put_failure;
1187 		if ((chan->flags & IEEE80211_CHAN_16MHZ) &&
1188 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_16MHZ))
1189 			goto nla_put_failure;
1190 		if ((chan->flags & IEEE80211_CHAN_NO_320MHZ) &&
1191 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_320MHZ))
1192 			goto nla_put_failure;
1193 		if ((chan->flags & IEEE80211_CHAN_NO_EHT) &&
1194 		    nla_put_flag(msg, NL80211_FREQUENCY_ATTR_NO_EHT))
1195 			goto nla_put_failure;
1196 	}
1197 
1198 	if (nla_put_u32(msg, NL80211_FREQUENCY_ATTR_MAX_TX_POWER,
1199 			DBM_TO_MBM(chan->max_power)))
1200 		goto nla_put_failure;
1201 
1202 	if (large) {
1203 		const struct ieee80211_reg_rule *rule =
1204 			freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
1205 
1206 		if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
1207 			if (nl80211_msg_put_wmm_rules(msg, rule))
1208 				goto nla_put_failure;
1209 		}
1210 	}
1211 
1212 	return 0;
1213 
1214  nla_put_failure:
1215 	return -ENOBUFS;
1216 }
1217 
1218 static bool nl80211_put_txq_stats(struct sk_buff *msg,
1219 				  struct cfg80211_txq_stats *txqstats,
1220 				  int attrtype)
1221 {
1222 	struct nlattr *txqattr;
1223 
1224 #define PUT_TXQVAL_U32(attr, memb) do {					  \
1225 	if (txqstats->filled & BIT(NL80211_TXQ_STATS_ ## attr) &&	  \
1226 	    nla_put_u32(msg, NL80211_TXQ_STATS_ ## attr, txqstats->memb)) \
1227 		return false;						  \
1228 	} while (0)
1229 
1230 	txqattr = nla_nest_start_noflag(msg, attrtype);
1231 	if (!txqattr)
1232 		return false;
1233 
1234 	PUT_TXQVAL_U32(BACKLOG_BYTES, backlog_bytes);
1235 	PUT_TXQVAL_U32(BACKLOG_PACKETS, backlog_packets);
1236 	PUT_TXQVAL_U32(FLOWS, flows);
1237 	PUT_TXQVAL_U32(DROPS, drops);
1238 	PUT_TXQVAL_U32(ECN_MARKS, ecn_marks);
1239 	PUT_TXQVAL_U32(OVERLIMIT, overlimit);
1240 	PUT_TXQVAL_U32(OVERMEMORY, overmemory);
1241 	PUT_TXQVAL_U32(COLLISIONS, collisions);
1242 	PUT_TXQVAL_U32(TX_BYTES, tx_bytes);
1243 	PUT_TXQVAL_U32(TX_PACKETS, tx_packets);
1244 	PUT_TXQVAL_U32(MAX_FLOWS, max_flows);
1245 	nla_nest_end(msg, txqattr);
1246 
1247 #undef PUT_TXQVAL_U32
1248 	return true;
1249 }
1250 
1251 /* netlink command implementations */
1252 
1253 /**
1254  * nl80211_link_id - return link ID
1255  * @attrs: attributes to look at
1256  *
1257  * Returns: the link ID or 0 if not given
1258  *
1259  * Note this function doesn't do any validation of the link
1260  * ID validity wrt. links that were actually added, so it must
1261  * be called only from ops with %NL80211_FLAG_MLO_VALID_LINK_ID
1262  * or if additional validation is done.
1263  */
1264 static unsigned int nl80211_link_id(struct nlattr **attrs)
1265 {
1266 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1267 
1268 	if (!linkid)
1269 		return 0;
1270 
1271 	return nla_get_u8(linkid);
1272 }
1273 
1274 static int nl80211_link_id_or_invalid(struct nlattr **attrs)
1275 {
1276 	struct nlattr *linkid = attrs[NL80211_ATTR_MLO_LINK_ID];
1277 
1278 	if (!linkid)
1279 		return -1;
1280 
1281 	return nla_get_u8(linkid);
1282 }
1283 
1284 struct key_parse {
1285 	struct key_params p;
1286 	int idx;
1287 	int type;
1288 	bool def, defmgmt, defbeacon;
1289 	bool def_uni, def_multi;
1290 };
1291 
1292 static int nl80211_parse_key_new(struct genl_info *info, struct nlattr *key,
1293 				 struct key_parse *k)
1294 {
1295 	struct nlattr *tb[NL80211_KEY_MAX + 1];
1296 	int err = nla_parse_nested_deprecated(tb, NL80211_KEY_MAX, key,
1297 					      nl80211_key_policy,
1298 					      info->extack);
1299 	if (err)
1300 		return err;
1301 
1302 	k->def = !!tb[NL80211_KEY_DEFAULT];
1303 	k->defmgmt = !!tb[NL80211_KEY_DEFAULT_MGMT];
1304 	k->defbeacon = !!tb[NL80211_KEY_DEFAULT_BEACON];
1305 
1306 	if (k->def) {
1307 		k->def_uni = true;
1308 		k->def_multi = true;
1309 	}
1310 	if (k->defmgmt || k->defbeacon)
1311 		k->def_multi = true;
1312 
1313 	if (tb[NL80211_KEY_IDX])
1314 		k->idx = nla_get_u8(tb[NL80211_KEY_IDX]);
1315 
1316 	if (tb[NL80211_KEY_DATA]) {
1317 		k->p.key = nla_data(tb[NL80211_KEY_DATA]);
1318 		k->p.key_len = nla_len(tb[NL80211_KEY_DATA]);
1319 	}
1320 
1321 	if (tb[NL80211_KEY_SEQ]) {
1322 		k->p.seq = nla_data(tb[NL80211_KEY_SEQ]);
1323 		k->p.seq_len = nla_len(tb[NL80211_KEY_SEQ]);
1324 	}
1325 
1326 	if (tb[NL80211_KEY_CIPHER])
1327 		k->p.cipher = nla_get_u32(tb[NL80211_KEY_CIPHER]);
1328 
1329 	if (tb[NL80211_KEY_TYPE])
1330 		k->type = nla_get_u32(tb[NL80211_KEY_TYPE]);
1331 
1332 	if (tb[NL80211_KEY_DEFAULT_TYPES]) {
1333 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1334 
1335 		err = nla_parse_nested_deprecated(kdt,
1336 						  NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1337 						  tb[NL80211_KEY_DEFAULT_TYPES],
1338 						  nl80211_key_default_policy,
1339 						  info->extack);
1340 		if (err)
1341 			return err;
1342 
1343 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1344 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1345 	}
1346 
1347 	if (tb[NL80211_KEY_MODE])
1348 		k->p.mode = nla_get_u8(tb[NL80211_KEY_MODE]);
1349 
1350 	return 0;
1351 }
1352 
1353 static int nl80211_parse_key_old(struct genl_info *info, struct key_parse *k)
1354 {
1355 	if (info->attrs[NL80211_ATTR_KEY_DATA]) {
1356 		k->p.key = nla_data(info->attrs[NL80211_ATTR_KEY_DATA]);
1357 		k->p.key_len = nla_len(info->attrs[NL80211_ATTR_KEY_DATA]);
1358 	}
1359 
1360 	if (info->attrs[NL80211_ATTR_KEY_SEQ]) {
1361 		k->p.seq = nla_data(info->attrs[NL80211_ATTR_KEY_SEQ]);
1362 		k->p.seq_len = nla_len(info->attrs[NL80211_ATTR_KEY_SEQ]);
1363 	}
1364 
1365 	if (info->attrs[NL80211_ATTR_KEY_IDX])
1366 		k->idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
1367 
1368 	if (info->attrs[NL80211_ATTR_KEY_CIPHER])
1369 		k->p.cipher = nla_get_u32(info->attrs[NL80211_ATTR_KEY_CIPHER]);
1370 
1371 	k->def = !!info->attrs[NL80211_ATTR_KEY_DEFAULT];
1372 	k->defmgmt = !!info->attrs[NL80211_ATTR_KEY_DEFAULT_MGMT];
1373 
1374 	if (k->def) {
1375 		k->def_uni = true;
1376 		k->def_multi = true;
1377 	}
1378 	if (k->defmgmt)
1379 		k->def_multi = true;
1380 
1381 	if (info->attrs[NL80211_ATTR_KEY_TYPE])
1382 		k->type = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
1383 
1384 	if (info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES]) {
1385 		struct nlattr *kdt[NUM_NL80211_KEY_DEFAULT_TYPES];
1386 		int err = nla_parse_nested_deprecated(kdt,
1387 						      NUM_NL80211_KEY_DEFAULT_TYPES - 1,
1388 						      info->attrs[NL80211_ATTR_KEY_DEFAULT_TYPES],
1389 						      nl80211_key_default_policy,
1390 						      info->extack);
1391 		if (err)
1392 			return err;
1393 
1394 		k->def_uni = kdt[NL80211_KEY_DEFAULT_TYPE_UNICAST];
1395 		k->def_multi = kdt[NL80211_KEY_DEFAULT_TYPE_MULTICAST];
1396 	}
1397 
1398 	return 0;
1399 }
1400 
1401 static int nl80211_parse_key(struct genl_info *info, struct key_parse *k)
1402 {
1403 	int err;
1404 
1405 	memset(k, 0, sizeof(*k));
1406 	k->idx = -1;
1407 	k->type = -1;
1408 
1409 	if (info->attrs[NL80211_ATTR_KEY])
1410 		err = nl80211_parse_key_new(info, info->attrs[NL80211_ATTR_KEY], k);
1411 	else
1412 		err = nl80211_parse_key_old(info, k);
1413 
1414 	if (err)
1415 		return err;
1416 
1417 	if ((k->def ? 1 : 0) + (k->defmgmt ? 1 : 0) +
1418 	    (k->defbeacon ? 1 : 0) > 1) {
1419 		GENL_SET_ERR_MSG(info,
1420 				 "key with multiple default flags is invalid");
1421 		return -EINVAL;
1422 	}
1423 
1424 	if (k->defmgmt || k->defbeacon) {
1425 		if (k->def_uni || !k->def_multi) {
1426 			GENL_SET_ERR_MSG(info,
1427 					 "defmgmt/defbeacon key must be mcast");
1428 			return -EINVAL;
1429 		}
1430 	}
1431 
1432 	if (k->idx != -1) {
1433 		if (k->defmgmt) {
1434 			if (k->idx < 4 || k->idx > 5) {
1435 				GENL_SET_ERR_MSG(info,
1436 						 "defmgmt key idx not 4 or 5");
1437 				return -EINVAL;
1438 			}
1439 		} else if (k->defbeacon) {
1440 			if (k->idx < 6 || k->idx > 7) {
1441 				GENL_SET_ERR_MSG(info,
1442 						 "defbeacon key idx not 6 or 7");
1443 				return -EINVAL;
1444 			}
1445 		} else if (k->def) {
1446 			if (k->idx < 0 || k->idx > 3) {
1447 				GENL_SET_ERR_MSG(info, "def key idx not 0-3");
1448 				return -EINVAL;
1449 			}
1450 		} else {
1451 			if (k->idx < 0 || k->idx > 7) {
1452 				GENL_SET_ERR_MSG(info, "key idx not 0-7");
1453 				return -EINVAL;
1454 			}
1455 		}
1456 	}
1457 
1458 	return 0;
1459 }
1460 
1461 static struct cfg80211_cached_keys *
1462 nl80211_parse_connkeys(struct cfg80211_registered_device *rdev,
1463 		       struct genl_info *info, bool *no_ht)
1464 {
1465 	struct nlattr *keys = info->attrs[NL80211_ATTR_KEYS];
1466 	struct key_parse parse;
1467 	struct nlattr *key;
1468 	struct cfg80211_cached_keys *result;
1469 	int rem, err, def = 0;
1470 	bool have_key = false;
1471 
1472 	nla_for_each_nested(key, keys, rem) {
1473 		have_key = true;
1474 		break;
1475 	}
1476 
1477 	if (!have_key)
1478 		return NULL;
1479 
1480 	result = kzalloc(sizeof(*result), GFP_KERNEL);
1481 	if (!result)
1482 		return ERR_PTR(-ENOMEM);
1483 
1484 	result->def = -1;
1485 
1486 	nla_for_each_nested(key, keys, rem) {
1487 		memset(&parse, 0, sizeof(parse));
1488 		parse.idx = -1;
1489 
1490 		err = nl80211_parse_key_new(info, key, &parse);
1491 		if (err)
1492 			goto error;
1493 		err = -EINVAL;
1494 		if (!parse.p.key)
1495 			goto error;
1496 		if (parse.idx < 0 || parse.idx > 3) {
1497 			GENL_SET_ERR_MSG(info, "key index out of range [0-3]");
1498 			goto error;
1499 		}
1500 		if (parse.def) {
1501 			if (def) {
1502 				GENL_SET_ERR_MSG(info,
1503 						 "only one key can be default");
1504 				goto error;
1505 			}
1506 			def = 1;
1507 			result->def = parse.idx;
1508 			if (!parse.def_uni || !parse.def_multi)
1509 				goto error;
1510 		} else if (parse.defmgmt)
1511 			goto error;
1512 		err = cfg80211_validate_key_settings(rdev, &parse.p,
1513 						     parse.idx, false, NULL);
1514 		if (err)
1515 			goto error;
1516 		if (parse.p.cipher != WLAN_CIPHER_SUITE_WEP40 &&
1517 		    parse.p.cipher != WLAN_CIPHER_SUITE_WEP104) {
1518 			GENL_SET_ERR_MSG(info, "connect key must be WEP");
1519 			err = -EINVAL;
1520 			goto error;
1521 		}
1522 		result->params[parse.idx].cipher = parse.p.cipher;
1523 		result->params[parse.idx].key_len = parse.p.key_len;
1524 		result->params[parse.idx].key = result->data[parse.idx];
1525 		memcpy(result->data[parse.idx], parse.p.key, parse.p.key_len);
1526 
1527 		/* must be WEP key if we got here */
1528 		if (no_ht)
1529 			*no_ht = true;
1530 	}
1531 
1532 	if (result->def < 0) {
1533 		err = -EINVAL;
1534 		GENL_SET_ERR_MSG(info, "need a default/TX key");
1535 		goto error;
1536 	}
1537 
1538 	return result;
1539  error:
1540 	kfree(result);
1541 	return ERR_PTR(err);
1542 }
1543 
1544 static int nl80211_key_allowed(struct wireless_dev *wdev)
1545 {
1546 	ASSERT_WDEV_LOCK(wdev);
1547 
1548 	switch (wdev->iftype) {
1549 	case NL80211_IFTYPE_AP:
1550 	case NL80211_IFTYPE_AP_VLAN:
1551 	case NL80211_IFTYPE_P2P_GO:
1552 	case NL80211_IFTYPE_MESH_POINT:
1553 		break;
1554 	case NL80211_IFTYPE_ADHOC:
1555 		if (wdev->u.ibss.current_bss)
1556 			return 0;
1557 		return -ENOLINK;
1558 	case NL80211_IFTYPE_STATION:
1559 	case NL80211_IFTYPE_P2P_CLIENT:
1560 		if (wdev->connected)
1561 			return 0;
1562 		return -ENOLINK;
1563 	case NL80211_IFTYPE_NAN:
1564 		if (wiphy_ext_feature_isset(wdev->wiphy,
1565 					    NL80211_EXT_FEATURE_SECURE_NAN))
1566 			return 0;
1567 		return -EINVAL;
1568 	case NL80211_IFTYPE_UNSPECIFIED:
1569 	case NL80211_IFTYPE_OCB:
1570 	case NL80211_IFTYPE_MONITOR:
1571 	case NL80211_IFTYPE_P2P_DEVICE:
1572 	case NL80211_IFTYPE_WDS:
1573 	case NUM_NL80211_IFTYPES:
1574 		return -EINVAL;
1575 	}
1576 
1577 	return 0;
1578 }
1579 
1580 static struct ieee80211_channel *nl80211_get_valid_chan(struct wiphy *wiphy,
1581 							u32 freq)
1582 {
1583 	struct ieee80211_channel *chan;
1584 
1585 	chan = ieee80211_get_channel_khz(wiphy, freq);
1586 	if (!chan || chan->flags & IEEE80211_CHAN_DISABLED)
1587 		return NULL;
1588 	return chan;
1589 }
1590 
1591 static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
1592 {
1593 	struct nlattr *nl_modes = nla_nest_start_noflag(msg, attr);
1594 	int i;
1595 
1596 	if (!nl_modes)
1597 		goto nla_put_failure;
1598 
1599 	i = 0;
1600 	while (ifmodes) {
1601 		if ((ifmodes & 1) && nla_put_flag(msg, i))
1602 			goto nla_put_failure;
1603 		ifmodes >>= 1;
1604 		i++;
1605 	}
1606 
1607 	nla_nest_end(msg, nl_modes);
1608 	return 0;
1609 
1610 nla_put_failure:
1611 	return -ENOBUFS;
1612 }
1613 
1614 static int nl80211_put_iface_combinations(struct wiphy *wiphy,
1615 					  struct sk_buff *msg,
1616 					  bool large)
1617 {
1618 	struct nlattr *nl_combis;
1619 	int i, j;
1620 
1621 	nl_combis = nla_nest_start_noflag(msg,
1622 					  NL80211_ATTR_INTERFACE_COMBINATIONS);
1623 	if (!nl_combis)
1624 		goto nla_put_failure;
1625 
1626 	for (i = 0; i < wiphy->n_iface_combinations; i++) {
1627 		const struct ieee80211_iface_combination *c;
1628 		struct nlattr *nl_combi, *nl_limits;
1629 
1630 		c = &wiphy->iface_combinations[i];
1631 
1632 		nl_combi = nla_nest_start_noflag(msg, i + 1);
1633 		if (!nl_combi)
1634 			goto nla_put_failure;
1635 
1636 		nl_limits = nla_nest_start_noflag(msg,
1637 						  NL80211_IFACE_COMB_LIMITS);
1638 		if (!nl_limits)
1639 			goto nla_put_failure;
1640 
1641 		for (j = 0; j < c->n_limits; j++) {
1642 			struct nlattr *nl_limit;
1643 
1644 			nl_limit = nla_nest_start_noflag(msg, j + 1);
1645 			if (!nl_limit)
1646 				goto nla_put_failure;
1647 			if (nla_put_u32(msg, NL80211_IFACE_LIMIT_MAX,
1648 					c->limits[j].max))
1649 				goto nla_put_failure;
1650 			if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
1651 						c->limits[j].types))
1652 				goto nla_put_failure;
1653 			nla_nest_end(msg, nl_limit);
1654 		}
1655 
1656 		nla_nest_end(msg, nl_limits);
1657 
1658 		if (c->beacon_int_infra_match &&
1659 		    nla_put_flag(msg, NL80211_IFACE_COMB_STA_AP_BI_MATCH))
1660 			goto nla_put_failure;
1661 		if (nla_put_u32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
1662 				c->num_different_channels) ||
1663 		    nla_put_u32(msg, NL80211_IFACE_COMB_MAXNUM,
1664 				c->max_interfaces))
1665 			goto nla_put_failure;
1666 		if (large &&
1667 		    (nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_WIDTHS,
1668 				c->radar_detect_widths) ||
1669 		     nla_put_u32(msg, NL80211_IFACE_COMB_RADAR_DETECT_REGIONS,
1670 				c->radar_detect_regions)))
1671 			goto nla_put_failure;
1672 		if (c->beacon_int_min_gcd &&
1673 		    nla_put_u32(msg, NL80211_IFACE_COMB_BI_MIN_GCD,
1674 				c->beacon_int_min_gcd))
1675 			goto nla_put_failure;
1676 
1677 		nla_nest_end(msg, nl_combi);
1678 	}
1679 
1680 	nla_nest_end(msg, nl_combis);
1681 
1682 	return 0;
1683 nla_put_failure:
1684 	return -ENOBUFS;
1685 }
1686 
1687 #ifdef CONFIG_PM
1688 static int nl80211_send_wowlan_tcp_caps(struct cfg80211_registered_device *rdev,
1689 					struct sk_buff *msg)
1690 {
1691 	const struct wiphy_wowlan_tcp_support *tcp = rdev->wiphy.wowlan->tcp;
1692 	struct nlattr *nl_tcp;
1693 
1694 	if (!tcp)
1695 		return 0;
1696 
1697 	nl_tcp = nla_nest_start_noflag(msg,
1698 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
1699 	if (!nl_tcp)
1700 		return -ENOBUFS;
1701 
1702 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1703 			tcp->data_payload_max))
1704 		return -ENOBUFS;
1705 
1706 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
1707 			tcp->data_payload_max))
1708 		return -ENOBUFS;
1709 
1710 	if (tcp->seq && nla_put_flag(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ))
1711 		return -ENOBUFS;
1712 
1713 	if (tcp->tok && nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
1714 				sizeof(*tcp->tok), tcp->tok))
1715 		return -ENOBUFS;
1716 
1717 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
1718 			tcp->data_interval_max))
1719 		return -ENOBUFS;
1720 
1721 	if (nla_put_u32(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
1722 			tcp->wake_payload_max))
1723 		return -ENOBUFS;
1724 
1725 	nla_nest_end(msg, nl_tcp);
1726 	return 0;
1727 }
1728 
1729 static int nl80211_send_wowlan(struct sk_buff *msg,
1730 			       struct cfg80211_registered_device *rdev,
1731 			       bool large)
1732 {
1733 	struct nlattr *nl_wowlan;
1734 
1735 	if (!rdev->wiphy.wowlan)
1736 		return 0;
1737 
1738 	nl_wowlan = nla_nest_start_noflag(msg,
1739 					  NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
1740 	if (!nl_wowlan)
1741 		return -ENOBUFS;
1742 
1743 	if (((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_ANY) &&
1744 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
1745 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_DISCONNECT) &&
1746 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
1747 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT) &&
1748 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
1749 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_SUPPORTS_GTK_REKEY) &&
1750 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED)) ||
1751 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
1752 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
1753 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ) &&
1754 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
1755 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE) &&
1756 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
1757 	    ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE) &&
1758 	     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
1759 		return -ENOBUFS;
1760 
1761 	if (rdev->wiphy.wowlan->n_patterns) {
1762 		struct nl80211_pattern_support pat = {
1763 			.max_patterns = rdev->wiphy.wowlan->n_patterns,
1764 			.min_pattern_len = rdev->wiphy.wowlan->pattern_min_len,
1765 			.max_pattern_len = rdev->wiphy.wowlan->pattern_max_len,
1766 			.max_pkt_offset = rdev->wiphy.wowlan->max_pkt_offset,
1767 		};
1768 
1769 		if (nla_put(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
1770 			    sizeof(pat), &pat))
1771 			return -ENOBUFS;
1772 	}
1773 
1774 	if ((rdev->wiphy.wowlan->flags & WIPHY_WOWLAN_NET_DETECT) &&
1775 	    nla_put_u32(msg, NL80211_WOWLAN_TRIG_NET_DETECT,
1776 			rdev->wiphy.wowlan->max_nd_match_sets))
1777 		return -ENOBUFS;
1778 
1779 	if (large && nl80211_send_wowlan_tcp_caps(rdev, msg))
1780 		return -ENOBUFS;
1781 
1782 	nla_nest_end(msg, nl_wowlan);
1783 
1784 	return 0;
1785 }
1786 #endif
1787 
1788 static int nl80211_send_coalesce(struct sk_buff *msg,
1789 				 struct cfg80211_registered_device *rdev)
1790 {
1791 	struct nl80211_coalesce_rule_support rule;
1792 
1793 	if (!rdev->wiphy.coalesce)
1794 		return 0;
1795 
1796 	rule.max_rules = rdev->wiphy.coalesce->n_rules;
1797 	rule.max_delay = rdev->wiphy.coalesce->max_delay;
1798 	rule.pat.max_patterns = rdev->wiphy.coalesce->n_patterns;
1799 	rule.pat.min_pattern_len = rdev->wiphy.coalesce->pattern_min_len;
1800 	rule.pat.max_pattern_len = rdev->wiphy.coalesce->pattern_max_len;
1801 	rule.pat.max_pkt_offset = rdev->wiphy.coalesce->max_pkt_offset;
1802 
1803 	if (nla_put(msg, NL80211_ATTR_COALESCE_RULE, sizeof(rule), &rule))
1804 		return -ENOBUFS;
1805 
1806 	return 0;
1807 }
1808 
1809 static int
1810 nl80211_send_iftype_data(struct sk_buff *msg,
1811 			 const struct ieee80211_supported_band *sband,
1812 			 const struct ieee80211_sband_iftype_data *iftdata)
1813 {
1814 	const struct ieee80211_sta_he_cap *he_cap = &iftdata->he_cap;
1815 	const struct ieee80211_sta_eht_cap *eht_cap = &iftdata->eht_cap;
1816 
1817 	if (nl80211_put_iftypes(msg, NL80211_BAND_IFTYPE_ATTR_IFTYPES,
1818 				iftdata->types_mask))
1819 		return -ENOBUFS;
1820 
1821 	if (he_cap->has_he) {
1822 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MAC,
1823 			    sizeof(he_cap->he_cap_elem.mac_cap_info),
1824 			    he_cap->he_cap_elem.mac_cap_info) ||
1825 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PHY,
1826 			    sizeof(he_cap->he_cap_elem.phy_cap_info),
1827 			    he_cap->he_cap_elem.phy_cap_info) ||
1828 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_MCS_SET,
1829 			    sizeof(he_cap->he_mcs_nss_supp),
1830 			    &he_cap->he_mcs_nss_supp) ||
1831 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_CAP_PPE,
1832 			    sizeof(he_cap->ppe_thres), he_cap->ppe_thres))
1833 			return -ENOBUFS;
1834 	}
1835 
1836 	if (eht_cap->has_eht && he_cap->has_he) {
1837 		u8 mcs_nss_size, ppe_thresh_size;
1838 		u16 ppe_thres_hdr;
1839 		bool is_ap;
1840 
1841 		is_ap = iftdata->types_mask & BIT(NL80211_IFTYPE_AP) ||
1842 			iftdata->types_mask & BIT(NL80211_IFTYPE_P2P_GO);
1843 
1844 		mcs_nss_size =
1845 			ieee80211_eht_mcs_nss_size(&he_cap->he_cap_elem,
1846 						   &eht_cap->eht_cap_elem,
1847 						   is_ap);
1848 
1849 		ppe_thres_hdr = get_unaligned_le16(&eht_cap->eht_ppe_thres[0]);
1850 		ppe_thresh_size =
1851 			ieee80211_eht_ppe_size(ppe_thres_hdr,
1852 					       eht_cap->eht_cap_elem.phy_cap_info);
1853 
1854 		if (nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MAC,
1855 			    sizeof(eht_cap->eht_cap_elem.mac_cap_info),
1856 			    eht_cap->eht_cap_elem.mac_cap_info) ||
1857 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PHY,
1858 			    sizeof(eht_cap->eht_cap_elem.phy_cap_info),
1859 			    eht_cap->eht_cap_elem.phy_cap_info) ||
1860 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_MCS_SET,
1861 			    mcs_nss_size, &eht_cap->eht_mcs_nss_supp) ||
1862 		    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_EHT_CAP_PPE,
1863 			    ppe_thresh_size, eht_cap->eht_ppe_thres))
1864 			return -ENOBUFS;
1865 	}
1866 
1867 	if (sband->band == NL80211_BAND_6GHZ &&
1868 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_HE_6GHZ_CAPA,
1869 		    sizeof(iftdata->he_6ghz_capa),
1870 		    &iftdata->he_6ghz_capa))
1871 		return -ENOBUFS;
1872 
1873 	if (iftdata->vendor_elems.data && iftdata->vendor_elems.len &&
1874 	    nla_put(msg, NL80211_BAND_IFTYPE_ATTR_VENDOR_ELEMS,
1875 		    iftdata->vendor_elems.len, iftdata->vendor_elems.data))
1876 		return -ENOBUFS;
1877 
1878 	return 0;
1879 }
1880 
1881 static int nl80211_send_band_rateinfo(struct sk_buff *msg,
1882 				      struct ieee80211_supported_band *sband,
1883 				      bool large)
1884 {
1885 	struct nlattr *nl_rates, *nl_rate;
1886 	struct ieee80211_rate *rate;
1887 	int i;
1888 
1889 	/* add HT info */
1890 	if (sband->ht_cap.ht_supported &&
1891 	    (nla_put(msg, NL80211_BAND_ATTR_HT_MCS_SET,
1892 		     sizeof(sband->ht_cap.mcs),
1893 		     &sband->ht_cap.mcs) ||
1894 	     nla_put_u16(msg, NL80211_BAND_ATTR_HT_CAPA,
1895 			 sband->ht_cap.cap) ||
1896 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_FACTOR,
1897 			sband->ht_cap.ampdu_factor) ||
1898 	     nla_put_u8(msg, NL80211_BAND_ATTR_HT_AMPDU_DENSITY,
1899 			sband->ht_cap.ampdu_density)))
1900 		return -ENOBUFS;
1901 
1902 	/* add VHT info */
1903 	if (sband->vht_cap.vht_supported &&
1904 	    (nla_put(msg, NL80211_BAND_ATTR_VHT_MCS_SET,
1905 		     sizeof(sband->vht_cap.vht_mcs),
1906 		     &sband->vht_cap.vht_mcs) ||
1907 	     nla_put_u32(msg, NL80211_BAND_ATTR_VHT_CAPA,
1908 			 sband->vht_cap.cap)))
1909 		return -ENOBUFS;
1910 
1911 	if (large && sband->n_iftype_data) {
1912 		struct nlattr *nl_iftype_data =
1913 			nla_nest_start_noflag(msg,
1914 					      NL80211_BAND_ATTR_IFTYPE_DATA);
1915 		int err;
1916 
1917 		if (!nl_iftype_data)
1918 			return -ENOBUFS;
1919 
1920 		for (i = 0; i < sband->n_iftype_data; i++) {
1921 			struct nlattr *iftdata;
1922 
1923 			iftdata = nla_nest_start_noflag(msg, i + 1);
1924 			if (!iftdata)
1925 				return -ENOBUFS;
1926 
1927 			err = nl80211_send_iftype_data(msg, sband,
1928 						       &sband->iftype_data[i]);
1929 			if (err)
1930 				return err;
1931 
1932 			nla_nest_end(msg, iftdata);
1933 		}
1934 
1935 		nla_nest_end(msg, nl_iftype_data);
1936 	}
1937 
1938 	/* add EDMG info */
1939 	if (large && sband->edmg_cap.channels &&
1940 	    (nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_CHANNELS,
1941 		       sband->edmg_cap.channels) ||
1942 	    nla_put_u8(msg, NL80211_BAND_ATTR_EDMG_BW_CONFIG,
1943 		       sband->edmg_cap.bw_config)))
1944 
1945 		return -ENOBUFS;
1946 
1947 	/* add bitrates */
1948 	nl_rates = nla_nest_start_noflag(msg, NL80211_BAND_ATTR_RATES);
1949 	if (!nl_rates)
1950 		return -ENOBUFS;
1951 
1952 	for (i = 0; i < sband->n_bitrates; i++) {
1953 		nl_rate = nla_nest_start_noflag(msg, i);
1954 		if (!nl_rate)
1955 			return -ENOBUFS;
1956 
1957 		rate = &sband->bitrates[i];
1958 		if (nla_put_u32(msg, NL80211_BITRATE_ATTR_RATE,
1959 				rate->bitrate))
1960 			return -ENOBUFS;
1961 		if ((rate->flags & IEEE80211_RATE_SHORT_PREAMBLE) &&
1962 		    nla_put_flag(msg,
1963 				 NL80211_BITRATE_ATTR_2GHZ_SHORTPREAMBLE))
1964 			return -ENOBUFS;
1965 
1966 		nla_nest_end(msg, nl_rate);
1967 	}
1968 
1969 	nla_nest_end(msg, nl_rates);
1970 
1971 	/* S1G capabilities */
1972 	if (sband->band == NL80211_BAND_S1GHZ && sband->s1g_cap.s1g &&
1973 	    (nla_put(msg, NL80211_BAND_ATTR_S1G_CAPA,
1974 		     sizeof(sband->s1g_cap.cap),
1975 		     sband->s1g_cap.cap) ||
1976 	     nla_put(msg, NL80211_BAND_ATTR_S1G_MCS_NSS_SET,
1977 		     sizeof(sband->s1g_cap.nss_mcs),
1978 		     sband->s1g_cap.nss_mcs)))
1979 		return -ENOBUFS;
1980 
1981 	return 0;
1982 }
1983 
1984 static int
1985 nl80211_send_mgmt_stypes(struct sk_buff *msg,
1986 			 const struct ieee80211_txrx_stypes *mgmt_stypes)
1987 {
1988 	u16 stypes;
1989 	struct nlattr *nl_ftypes, *nl_ifs;
1990 	enum nl80211_iftype ift;
1991 	int i;
1992 
1993 	if (!mgmt_stypes)
1994 		return 0;
1995 
1996 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_TX_FRAME_TYPES);
1997 	if (!nl_ifs)
1998 		return -ENOBUFS;
1999 
2000 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2001 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2002 		if (!nl_ftypes)
2003 			return -ENOBUFS;
2004 		i = 0;
2005 		stypes = mgmt_stypes[ift].tx;
2006 		while (stypes) {
2007 			if ((stypes & 1) &&
2008 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2009 					(i << 4) | IEEE80211_FTYPE_MGMT))
2010 				return -ENOBUFS;
2011 			stypes >>= 1;
2012 			i++;
2013 		}
2014 		nla_nest_end(msg, nl_ftypes);
2015 	}
2016 
2017 	nla_nest_end(msg, nl_ifs);
2018 
2019 	nl_ifs = nla_nest_start_noflag(msg, NL80211_ATTR_RX_FRAME_TYPES);
2020 	if (!nl_ifs)
2021 		return -ENOBUFS;
2022 
2023 	for (ift = 0; ift < NUM_NL80211_IFTYPES; ift++) {
2024 		nl_ftypes = nla_nest_start_noflag(msg, ift);
2025 		if (!nl_ftypes)
2026 			return -ENOBUFS;
2027 		i = 0;
2028 		stypes = mgmt_stypes[ift].rx;
2029 		while (stypes) {
2030 			if ((stypes & 1) &&
2031 			    nla_put_u16(msg, NL80211_ATTR_FRAME_TYPE,
2032 					(i << 4) | IEEE80211_FTYPE_MGMT))
2033 				return -ENOBUFS;
2034 			stypes >>= 1;
2035 			i++;
2036 		}
2037 		nla_nest_end(msg, nl_ftypes);
2038 	}
2039 	nla_nest_end(msg, nl_ifs);
2040 
2041 	return 0;
2042 }
2043 
2044 #define CMD(op, n)							\
2045 	 do {								\
2046 		if (rdev->ops->op) {					\
2047 			i++;						\
2048 			if (nla_put_u32(msg, i, NL80211_CMD_ ## n)) 	\
2049 				goto nla_put_failure;			\
2050 		}							\
2051 	} while (0)
2052 
2053 static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
2054 					struct sk_buff *msg)
2055 {
2056 	int i = 0;
2057 
2058 	/*
2059 	 * do *NOT* add anything into this function, new things need to be
2060 	 * advertised only to new versions of userspace that can deal with
2061 	 * the split (and they can't possibly care about new features...
2062 	 */
2063 	CMD(add_virtual_intf, NEW_INTERFACE);
2064 	CMD(change_virtual_intf, SET_INTERFACE);
2065 	CMD(add_key, NEW_KEY);
2066 	CMD(start_ap, START_AP);
2067 	CMD(add_station, NEW_STATION);
2068 	CMD(add_mpath, NEW_MPATH);
2069 	CMD(update_mesh_config, SET_MESH_CONFIG);
2070 	CMD(change_bss, SET_BSS);
2071 	CMD(auth, AUTHENTICATE);
2072 	CMD(assoc, ASSOCIATE);
2073 	CMD(deauth, DEAUTHENTICATE);
2074 	CMD(disassoc, DISASSOCIATE);
2075 	CMD(join_ibss, JOIN_IBSS);
2076 	CMD(join_mesh, JOIN_MESH);
2077 	CMD(set_pmksa, SET_PMKSA);
2078 	CMD(del_pmksa, DEL_PMKSA);
2079 	CMD(flush_pmksa, FLUSH_PMKSA);
2080 	if (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL)
2081 		CMD(remain_on_channel, REMAIN_ON_CHANNEL);
2082 	CMD(set_bitrate_mask, SET_TX_BITRATE_MASK);
2083 	CMD(mgmt_tx, FRAME);
2084 	CMD(mgmt_tx_cancel_wait, FRAME_WAIT_CANCEL);
2085 	if (rdev->wiphy.flags & WIPHY_FLAG_NETNS_OK) {
2086 		i++;
2087 		if (nla_put_u32(msg, i, NL80211_CMD_SET_WIPHY_NETNS))
2088 			goto nla_put_failure;
2089 	}
2090 	if (rdev->ops->set_monitor_channel || rdev->ops->start_ap ||
2091 	    rdev->ops->join_mesh) {
2092 		i++;
2093 		if (nla_put_u32(msg, i, NL80211_CMD_SET_CHANNEL))
2094 			goto nla_put_failure;
2095 	}
2096 	if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) {
2097 		CMD(tdls_mgmt, TDLS_MGMT);
2098 		CMD(tdls_oper, TDLS_OPER);
2099 	}
2100 	if (rdev->wiphy.max_sched_scan_reqs)
2101 		CMD(sched_scan_start, START_SCHED_SCAN);
2102 	CMD(probe_client, PROBE_CLIENT);
2103 	CMD(set_noack_map, SET_NOACK_MAP);
2104 	if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
2105 		i++;
2106 		if (nla_put_u32(msg, i, NL80211_CMD_REGISTER_BEACONS))
2107 			goto nla_put_failure;
2108 	}
2109 	CMD(start_p2p_device, START_P2P_DEVICE);
2110 	CMD(set_mcast_rate, SET_MCAST_RATE);
2111 #ifdef CONFIG_NL80211_TESTMODE
2112 	CMD(testmode_cmd, TESTMODE);
2113 #endif
2114 
2115 	if (rdev->ops->connect || rdev->ops->auth) {
2116 		i++;
2117 		if (nla_put_u32(msg, i, NL80211_CMD_CONNECT))
2118 			goto nla_put_failure;
2119 	}
2120 
2121 	if (rdev->ops->disconnect || rdev->ops->deauth) {
2122 		i++;
2123 		if (nla_put_u32(msg, i, NL80211_CMD_DISCONNECT))
2124 			goto nla_put_failure;
2125 	}
2126 
2127 	return i;
2128  nla_put_failure:
2129 	return -ENOBUFS;
2130 }
2131 
2132 static int
2133 nl80211_send_pmsr_ftm_capa(const struct cfg80211_pmsr_capabilities *cap,
2134 			   struct sk_buff *msg)
2135 {
2136 	struct nlattr *ftm;
2137 
2138 	if (!cap->ftm.supported)
2139 		return 0;
2140 
2141 	ftm = nla_nest_start_noflag(msg, NL80211_PMSR_TYPE_FTM);
2142 	if (!ftm)
2143 		return -ENOBUFS;
2144 
2145 	if (cap->ftm.asap && nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_ASAP))
2146 		return -ENOBUFS;
2147 	if (cap->ftm.non_asap &&
2148 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_ASAP))
2149 		return -ENOBUFS;
2150 	if (cap->ftm.request_lci &&
2151 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_LCI))
2152 		return -ENOBUFS;
2153 	if (cap->ftm.request_civicloc &&
2154 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_REQ_CIVICLOC))
2155 		return -ENOBUFS;
2156 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_PREAMBLES,
2157 			cap->ftm.preambles))
2158 		return -ENOBUFS;
2159 	if (nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_BANDWIDTHS,
2160 			cap->ftm.bandwidths))
2161 		return -ENOBUFS;
2162 	if (cap->ftm.max_bursts_exponent >= 0 &&
2163 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_BURSTS_EXPONENT,
2164 			cap->ftm.max_bursts_exponent))
2165 		return -ENOBUFS;
2166 	if (cap->ftm.max_ftms_per_burst &&
2167 	    nla_put_u32(msg, NL80211_PMSR_FTM_CAPA_ATTR_MAX_FTMS_PER_BURST,
2168 			cap->ftm.max_ftms_per_burst))
2169 		return -ENOBUFS;
2170 	if (cap->ftm.trigger_based &&
2171 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_TRIGGER_BASED))
2172 		return -ENOBUFS;
2173 	if (cap->ftm.non_trigger_based &&
2174 	    nla_put_flag(msg, NL80211_PMSR_FTM_CAPA_ATTR_NON_TRIGGER_BASED))
2175 		return -ENOBUFS;
2176 
2177 	nla_nest_end(msg, ftm);
2178 	return 0;
2179 }
2180 
2181 static int nl80211_send_pmsr_capa(struct cfg80211_registered_device *rdev,
2182 				  struct sk_buff *msg)
2183 {
2184 	const struct cfg80211_pmsr_capabilities *cap = rdev->wiphy.pmsr_capa;
2185 	struct nlattr *pmsr, *caps;
2186 
2187 	if (!cap)
2188 		return 0;
2189 
2190 	/*
2191 	 * we don't need to clean up anything here since the caller
2192 	 * will genlmsg_cancel() if we fail
2193 	 */
2194 
2195 	pmsr = nla_nest_start_noflag(msg, NL80211_ATTR_PEER_MEASUREMENTS);
2196 	if (!pmsr)
2197 		return -ENOBUFS;
2198 
2199 	if (nla_put_u32(msg, NL80211_PMSR_ATTR_MAX_PEERS, cap->max_peers))
2200 		return -ENOBUFS;
2201 
2202 	if (cap->report_ap_tsf &&
2203 	    nla_put_flag(msg, NL80211_PMSR_ATTR_REPORT_AP_TSF))
2204 		return -ENOBUFS;
2205 
2206 	if (cap->randomize_mac_addr &&
2207 	    nla_put_flag(msg, NL80211_PMSR_ATTR_RANDOMIZE_MAC_ADDR))
2208 		return -ENOBUFS;
2209 
2210 	caps = nla_nest_start_noflag(msg, NL80211_PMSR_ATTR_TYPE_CAPA);
2211 	if (!caps)
2212 		return -ENOBUFS;
2213 
2214 	if (nl80211_send_pmsr_ftm_capa(cap, msg))
2215 		return -ENOBUFS;
2216 
2217 	nla_nest_end(msg, caps);
2218 	nla_nest_end(msg, pmsr);
2219 
2220 	return 0;
2221 }
2222 
2223 static int
2224 nl80211_put_iftype_akm_suites(struct cfg80211_registered_device *rdev,
2225 			      struct sk_buff *msg)
2226 {
2227 	int i;
2228 	struct nlattr *nested, *nested_akms;
2229 	const struct wiphy_iftype_akm_suites *iftype_akms;
2230 
2231 	if (!rdev->wiphy.num_iftype_akm_suites ||
2232 	    !rdev->wiphy.iftype_akm_suites)
2233 		return 0;
2234 
2235 	nested = nla_nest_start(msg, NL80211_ATTR_IFTYPE_AKM_SUITES);
2236 	if (!nested)
2237 		return -ENOBUFS;
2238 
2239 	for (i = 0; i < rdev->wiphy.num_iftype_akm_suites; i++) {
2240 		nested_akms = nla_nest_start(msg, i + 1);
2241 		if (!nested_akms)
2242 			return -ENOBUFS;
2243 
2244 		iftype_akms = &rdev->wiphy.iftype_akm_suites[i];
2245 
2246 		if (nl80211_put_iftypes(msg, NL80211_IFTYPE_AKM_ATTR_IFTYPES,
2247 					iftype_akms->iftypes_mask))
2248 			return -ENOBUFS;
2249 
2250 		if (nla_put(msg, NL80211_IFTYPE_AKM_ATTR_SUITES,
2251 			    sizeof(u32) * iftype_akms->n_akm_suites,
2252 			    iftype_akms->akm_suites)) {
2253 			return -ENOBUFS;
2254 		}
2255 		nla_nest_end(msg, nested_akms);
2256 	}
2257 
2258 	nla_nest_end(msg, nested);
2259 
2260 	return 0;
2261 }
2262 
2263 static int
2264 nl80211_put_tid_config_support(struct cfg80211_registered_device *rdev,
2265 			       struct sk_buff *msg)
2266 {
2267 	struct nlattr *supp;
2268 
2269 	if (!rdev->wiphy.tid_config_support.vif &&
2270 	    !rdev->wiphy.tid_config_support.peer)
2271 		return 0;
2272 
2273 	supp = nla_nest_start(msg, NL80211_ATTR_TID_CONFIG);
2274 	if (!supp)
2275 		return -ENOSPC;
2276 
2277 	if (rdev->wiphy.tid_config_support.vif &&
2278 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_VIF_SUPP,
2279 			      rdev->wiphy.tid_config_support.vif,
2280 			      NL80211_TID_CONFIG_ATTR_PAD))
2281 		goto fail;
2282 
2283 	if (rdev->wiphy.tid_config_support.peer &&
2284 	    nla_put_u64_64bit(msg, NL80211_TID_CONFIG_ATTR_PEER_SUPP,
2285 			      rdev->wiphy.tid_config_support.peer,
2286 			      NL80211_TID_CONFIG_ATTR_PAD))
2287 		goto fail;
2288 
2289 	/* for now we just use the same value ... makes more sense */
2290 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_SHORT,
2291 		       rdev->wiphy.tid_config_support.max_retry))
2292 		goto fail;
2293 	if (nla_put_u8(msg, NL80211_TID_CONFIG_ATTR_RETRY_LONG,
2294 		       rdev->wiphy.tid_config_support.max_retry))
2295 		goto fail;
2296 
2297 	nla_nest_end(msg, supp);
2298 
2299 	return 0;
2300 fail:
2301 	nla_nest_cancel(msg, supp);
2302 	return -ENOBUFS;
2303 }
2304 
2305 static int
2306 nl80211_put_sar_specs(struct cfg80211_registered_device *rdev,
2307 		      struct sk_buff *msg)
2308 {
2309 	struct nlattr *sar_capa, *specs, *sub_freq_range;
2310 	u8 num_freq_ranges;
2311 	int i;
2312 
2313 	if (!rdev->wiphy.sar_capa)
2314 		return 0;
2315 
2316 	num_freq_ranges = rdev->wiphy.sar_capa->num_freq_ranges;
2317 
2318 	sar_capa = nla_nest_start(msg, NL80211_ATTR_SAR_SPEC);
2319 	if (!sar_capa)
2320 		return -ENOSPC;
2321 
2322 	if (nla_put_u32(msg, NL80211_SAR_ATTR_TYPE, rdev->wiphy.sar_capa->type))
2323 		goto fail;
2324 
2325 	specs = nla_nest_start(msg, NL80211_SAR_ATTR_SPECS);
2326 	if (!specs)
2327 		goto fail;
2328 
2329 	/* report supported freq_ranges */
2330 	for (i = 0; i < num_freq_ranges; i++) {
2331 		sub_freq_range = nla_nest_start(msg, i + 1);
2332 		if (!sub_freq_range)
2333 			goto fail;
2334 
2335 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_START_FREQ,
2336 				rdev->wiphy.sar_capa->freq_ranges[i].start_freq))
2337 			goto fail;
2338 
2339 		if (nla_put_u32(msg, NL80211_SAR_ATTR_SPECS_END_FREQ,
2340 				rdev->wiphy.sar_capa->freq_ranges[i].end_freq))
2341 			goto fail;
2342 
2343 		nla_nest_end(msg, sub_freq_range);
2344 	}
2345 
2346 	nla_nest_end(msg, specs);
2347 	nla_nest_end(msg, sar_capa);
2348 
2349 	return 0;
2350 fail:
2351 	nla_nest_cancel(msg, sar_capa);
2352 	return -ENOBUFS;
2353 }
2354 
2355 static int nl80211_put_mbssid_support(struct wiphy *wiphy, struct sk_buff *msg)
2356 {
2357 	struct nlattr *config;
2358 
2359 	if (!wiphy->mbssid_max_interfaces)
2360 		return 0;
2361 
2362 	config = nla_nest_start(msg, NL80211_ATTR_MBSSID_CONFIG);
2363 	if (!config)
2364 		return -ENOBUFS;
2365 
2366 	if (nla_put_u8(msg, NL80211_MBSSID_CONFIG_ATTR_MAX_INTERFACES,
2367 		       wiphy->mbssid_max_interfaces))
2368 		goto fail;
2369 
2370 	if (wiphy->ema_max_profile_periodicity &&
2371 	    nla_put_u8(msg,
2372 		       NL80211_MBSSID_CONFIG_ATTR_MAX_EMA_PROFILE_PERIODICITY,
2373 		       wiphy->ema_max_profile_periodicity))
2374 		goto fail;
2375 
2376 	nla_nest_end(msg, config);
2377 	return 0;
2378 
2379 fail:
2380 	nla_nest_cancel(msg, config);
2381 	return -ENOBUFS;
2382 }
2383 
2384 struct nl80211_dump_wiphy_state {
2385 	s64 filter_wiphy;
2386 	long start;
2387 	long split_start, band_start, chan_start, capa_start;
2388 	bool split;
2389 };
2390 
2391 static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev,
2392 			      enum nl80211_commands cmd,
2393 			      struct sk_buff *msg, u32 portid, u32 seq,
2394 			      int flags, struct nl80211_dump_wiphy_state *state)
2395 {
2396 	void *hdr;
2397 	struct nlattr *nl_bands, *nl_band;
2398 	struct nlattr *nl_freqs, *nl_freq;
2399 	struct nlattr *nl_cmds;
2400 	enum nl80211_band band;
2401 	struct ieee80211_channel *chan;
2402 	int i;
2403 	const struct ieee80211_txrx_stypes *mgmt_stypes =
2404 				rdev->wiphy.mgmt_stypes;
2405 	u32 features;
2406 
2407 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
2408 	if (!hdr)
2409 		return -ENOBUFS;
2410 
2411 	if (WARN_ON(!state))
2412 		return -EINVAL;
2413 
2414 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2415 	    nla_put_string(msg, NL80211_ATTR_WIPHY_NAME,
2416 			   wiphy_name(&rdev->wiphy)) ||
2417 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
2418 			cfg80211_rdev_list_generation))
2419 		goto nla_put_failure;
2420 
2421 	if (cmd != NL80211_CMD_NEW_WIPHY)
2422 		goto finish;
2423 
2424 	switch (state->split_start) {
2425 	case 0:
2426 		if (nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_SHORT,
2427 			       rdev->wiphy.retry_short) ||
2428 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_RETRY_LONG,
2429 			       rdev->wiphy.retry_long) ||
2430 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_FRAG_THRESHOLD,
2431 				rdev->wiphy.frag_threshold) ||
2432 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_RTS_THRESHOLD,
2433 				rdev->wiphy.rts_threshold) ||
2434 		    nla_put_u8(msg, NL80211_ATTR_WIPHY_COVERAGE_CLASS,
2435 			       rdev->wiphy.coverage_class) ||
2436 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCAN_SSIDS,
2437 			       rdev->wiphy.max_scan_ssids) ||
2438 		    nla_put_u8(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_SSIDS,
2439 			       rdev->wiphy.max_sched_scan_ssids) ||
2440 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCAN_IE_LEN,
2441 				rdev->wiphy.max_scan_ie_len) ||
2442 		    nla_put_u16(msg, NL80211_ATTR_MAX_SCHED_SCAN_IE_LEN,
2443 				rdev->wiphy.max_sched_scan_ie_len) ||
2444 		    nla_put_u8(msg, NL80211_ATTR_MAX_MATCH_SETS,
2445 			       rdev->wiphy.max_match_sets))
2446 			goto nla_put_failure;
2447 
2448 		if ((rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN) &&
2449 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_IBSS_RSN))
2450 			goto nla_put_failure;
2451 		if ((rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
2452 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_MESH_AUTH))
2453 			goto nla_put_failure;
2454 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) &&
2455 		    nla_put_flag(msg, NL80211_ATTR_SUPPORT_AP_UAPSD))
2456 			goto nla_put_failure;
2457 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_FW_ROAM) &&
2458 		    nla_put_flag(msg, NL80211_ATTR_ROAM_SUPPORT))
2459 			goto nla_put_failure;
2460 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) &&
2461 		    nla_put_flag(msg, NL80211_ATTR_TDLS_SUPPORT))
2462 			goto nla_put_failure;
2463 		if ((rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP) &&
2464 		    nla_put_flag(msg, NL80211_ATTR_TDLS_EXTERNAL_SETUP))
2465 			goto nla_put_failure;
2466 		state->split_start++;
2467 		if (state->split)
2468 			break;
2469 		fallthrough;
2470 	case 1:
2471 		if (nla_put(msg, NL80211_ATTR_CIPHER_SUITES,
2472 			    sizeof(u32) * rdev->wiphy.n_cipher_suites,
2473 			    rdev->wiphy.cipher_suites))
2474 			goto nla_put_failure;
2475 
2476 		if (nla_put_u8(msg, NL80211_ATTR_MAX_NUM_PMKIDS,
2477 			       rdev->wiphy.max_num_pmkids))
2478 			goto nla_put_failure;
2479 
2480 		if ((rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
2481 		    nla_put_flag(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE))
2482 			goto nla_put_failure;
2483 
2484 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_TX,
2485 				rdev->wiphy.available_antennas_tx) ||
2486 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_ANTENNA_AVAIL_RX,
2487 				rdev->wiphy.available_antennas_rx))
2488 			goto nla_put_failure;
2489 
2490 		if ((rdev->wiphy.flags & WIPHY_FLAG_AP_PROBE_RESP_OFFLOAD) &&
2491 		    nla_put_u32(msg, NL80211_ATTR_PROBE_RESP_OFFLOAD,
2492 				rdev->wiphy.probe_resp_offload))
2493 			goto nla_put_failure;
2494 
2495 		if ((rdev->wiphy.available_antennas_tx ||
2496 		     rdev->wiphy.available_antennas_rx) &&
2497 		    rdev->ops->get_antenna) {
2498 			u32 tx_ant = 0, rx_ant = 0;
2499 			int res;
2500 
2501 			res = rdev_get_antenna(rdev, &tx_ant, &rx_ant);
2502 			if (!res) {
2503 				if (nla_put_u32(msg,
2504 						NL80211_ATTR_WIPHY_ANTENNA_TX,
2505 						tx_ant) ||
2506 				    nla_put_u32(msg,
2507 						NL80211_ATTR_WIPHY_ANTENNA_RX,
2508 						rx_ant))
2509 					goto nla_put_failure;
2510 			}
2511 		}
2512 
2513 		state->split_start++;
2514 		if (state->split)
2515 			break;
2516 		fallthrough;
2517 	case 2:
2518 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
2519 					rdev->wiphy.interface_modes))
2520 				goto nla_put_failure;
2521 		state->split_start++;
2522 		if (state->split)
2523 			break;
2524 		fallthrough;
2525 	case 3:
2526 		nl_bands = nla_nest_start_noflag(msg,
2527 						 NL80211_ATTR_WIPHY_BANDS);
2528 		if (!nl_bands)
2529 			goto nla_put_failure;
2530 
2531 		for (band = state->band_start;
2532 		     band < (state->split ?
2533 				NUM_NL80211_BANDS :
2534 				NL80211_BAND_60GHZ + 1);
2535 		     band++) {
2536 			struct ieee80211_supported_band *sband;
2537 
2538 			/* omit higher bands for ancient software */
2539 			if (band > NL80211_BAND_5GHZ && !state->split)
2540 				break;
2541 
2542 			sband = rdev->wiphy.bands[band];
2543 
2544 			if (!sband)
2545 				continue;
2546 
2547 			nl_band = nla_nest_start_noflag(msg, band);
2548 			if (!nl_band)
2549 				goto nla_put_failure;
2550 
2551 			switch (state->chan_start) {
2552 			case 0:
2553 				if (nl80211_send_band_rateinfo(msg, sband,
2554 							       state->split))
2555 					goto nla_put_failure;
2556 				state->chan_start++;
2557 				if (state->split)
2558 					break;
2559 				fallthrough;
2560 			default:
2561 				/* add frequencies */
2562 				nl_freqs = nla_nest_start_noflag(msg,
2563 								 NL80211_BAND_ATTR_FREQS);
2564 				if (!nl_freqs)
2565 					goto nla_put_failure;
2566 
2567 				for (i = state->chan_start - 1;
2568 				     i < sband->n_channels;
2569 				     i++) {
2570 					nl_freq = nla_nest_start_noflag(msg,
2571 									i);
2572 					if (!nl_freq)
2573 						goto nla_put_failure;
2574 
2575 					chan = &sband->channels[i];
2576 
2577 					if (nl80211_msg_put_channel(
2578 							msg, &rdev->wiphy, chan,
2579 							state->split))
2580 						goto nla_put_failure;
2581 
2582 					nla_nest_end(msg, nl_freq);
2583 					if (state->split)
2584 						break;
2585 				}
2586 				if (i < sband->n_channels)
2587 					state->chan_start = i + 2;
2588 				else
2589 					state->chan_start = 0;
2590 				nla_nest_end(msg, nl_freqs);
2591 			}
2592 
2593 			nla_nest_end(msg, nl_band);
2594 
2595 			if (state->split) {
2596 				/* start again here */
2597 				if (state->chan_start)
2598 					band--;
2599 				break;
2600 			}
2601 		}
2602 		nla_nest_end(msg, nl_bands);
2603 
2604 		if (band < NUM_NL80211_BANDS)
2605 			state->band_start = band + 1;
2606 		else
2607 			state->band_start = 0;
2608 
2609 		/* if bands & channels are done, continue outside */
2610 		if (state->band_start == 0 && state->chan_start == 0)
2611 			state->split_start++;
2612 		if (state->split)
2613 			break;
2614 		fallthrough;
2615 	case 4:
2616 		nl_cmds = nla_nest_start_noflag(msg,
2617 						NL80211_ATTR_SUPPORTED_COMMANDS);
2618 		if (!nl_cmds)
2619 			goto nla_put_failure;
2620 
2621 		i = nl80211_add_commands_unsplit(rdev, msg);
2622 		if (i < 0)
2623 			goto nla_put_failure;
2624 		if (state->split) {
2625 			CMD(crit_proto_start, CRIT_PROTOCOL_START);
2626 			CMD(crit_proto_stop, CRIT_PROTOCOL_STOP);
2627 			if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH)
2628 				CMD(channel_switch, CHANNEL_SWITCH);
2629 			CMD(set_qos_map, SET_QOS_MAP);
2630 			if (rdev->wiphy.features &
2631 					NL80211_FEATURE_SUPPORTS_WMM_ADMISSION)
2632 				CMD(add_tx_ts, ADD_TX_TS);
2633 			CMD(set_multicast_to_unicast, SET_MULTICAST_TO_UNICAST);
2634 			CMD(update_connect_params, UPDATE_CONNECT_PARAMS);
2635 			CMD(update_ft_ies, UPDATE_FT_IES);
2636 			if (rdev->wiphy.sar_capa)
2637 				CMD(set_sar_specs, SET_SAR_SPECS);
2638 		}
2639 #undef CMD
2640 
2641 		nla_nest_end(msg, nl_cmds);
2642 		state->split_start++;
2643 		if (state->split)
2644 			break;
2645 		fallthrough;
2646 	case 5:
2647 		if (rdev->ops->remain_on_channel &&
2648 		    (rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL) &&
2649 		    nla_put_u32(msg,
2650 				NL80211_ATTR_MAX_REMAIN_ON_CHANNEL_DURATION,
2651 				rdev->wiphy.max_remain_on_channel_duration))
2652 			goto nla_put_failure;
2653 
2654 		if ((rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX) &&
2655 		    nla_put_flag(msg, NL80211_ATTR_OFFCHANNEL_TX_OK))
2656 			goto nla_put_failure;
2657 
2658 		state->split_start++;
2659 		if (state->split)
2660 			break;
2661 		fallthrough;
2662 	case 6:
2663 #ifdef CONFIG_PM
2664 		if (nl80211_send_wowlan(msg, rdev, state->split))
2665 			goto nla_put_failure;
2666 		state->split_start++;
2667 		if (state->split)
2668 			break;
2669 #else
2670 		state->split_start++;
2671 #endif
2672 		fallthrough;
2673 	case 7:
2674 		if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
2675 					rdev->wiphy.software_iftypes))
2676 			goto nla_put_failure;
2677 
2678 		if (nl80211_put_iface_combinations(&rdev->wiphy, msg,
2679 						   state->split))
2680 			goto nla_put_failure;
2681 
2682 		state->split_start++;
2683 		if (state->split)
2684 			break;
2685 		fallthrough;
2686 	case 8:
2687 		if ((rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME) &&
2688 		    nla_put_u32(msg, NL80211_ATTR_DEVICE_AP_SME,
2689 				rdev->wiphy.ap_sme_capa))
2690 			goto nla_put_failure;
2691 
2692 		features = rdev->wiphy.features;
2693 		/*
2694 		 * We can only add the per-channel limit information if the
2695 		 * dump is split, otherwise it makes it too big. Therefore
2696 		 * only advertise it in that case.
2697 		 */
2698 		if (state->split)
2699 			features |= NL80211_FEATURE_ADVERTISE_CHAN_LIMITS;
2700 		if (nla_put_u32(msg, NL80211_ATTR_FEATURE_FLAGS, features))
2701 			goto nla_put_failure;
2702 
2703 		if (rdev->wiphy.ht_capa_mod_mask &&
2704 		    nla_put(msg, NL80211_ATTR_HT_CAPABILITY_MASK,
2705 			    sizeof(*rdev->wiphy.ht_capa_mod_mask),
2706 			    rdev->wiphy.ht_capa_mod_mask))
2707 			goto nla_put_failure;
2708 
2709 		if (rdev->wiphy.flags & WIPHY_FLAG_HAVE_AP_SME &&
2710 		    rdev->wiphy.max_acl_mac_addrs &&
2711 		    nla_put_u32(msg, NL80211_ATTR_MAC_ACL_MAX,
2712 				rdev->wiphy.max_acl_mac_addrs))
2713 			goto nla_put_failure;
2714 
2715 		/*
2716 		 * Any information below this point is only available to
2717 		 * applications that can deal with it being split. This
2718 		 * helps ensure that newly added capabilities don't break
2719 		 * older tools by overrunning their buffers.
2720 		 *
2721 		 * We still increment split_start so that in the split
2722 		 * case we'll continue with more data in the next round,
2723 		 * but break unconditionally so unsplit data stops here.
2724 		 */
2725 		if (state->split)
2726 			state->split_start++;
2727 		else
2728 			state->split_start = 0;
2729 		break;
2730 	case 9:
2731 		if (nl80211_send_mgmt_stypes(msg, mgmt_stypes))
2732 			goto nla_put_failure;
2733 
2734 		if (nla_put_u32(msg, NL80211_ATTR_MAX_NUM_SCHED_SCAN_PLANS,
2735 				rdev->wiphy.max_sched_scan_plans) ||
2736 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_INTERVAL,
2737 				rdev->wiphy.max_sched_scan_plan_interval) ||
2738 		    nla_put_u32(msg, NL80211_ATTR_MAX_SCAN_PLAN_ITERATIONS,
2739 				rdev->wiphy.max_sched_scan_plan_iterations))
2740 			goto nla_put_failure;
2741 
2742 		if (rdev->wiphy.extended_capabilities &&
2743 		    (nla_put(msg, NL80211_ATTR_EXT_CAPA,
2744 			     rdev->wiphy.extended_capabilities_len,
2745 			     rdev->wiphy.extended_capabilities) ||
2746 		     nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2747 			     rdev->wiphy.extended_capabilities_len,
2748 			     rdev->wiphy.extended_capabilities_mask)))
2749 			goto nla_put_failure;
2750 
2751 		if (rdev->wiphy.vht_capa_mod_mask &&
2752 		    nla_put(msg, NL80211_ATTR_VHT_CAPABILITY_MASK,
2753 			    sizeof(*rdev->wiphy.vht_capa_mod_mask),
2754 			    rdev->wiphy.vht_capa_mod_mask))
2755 			goto nla_put_failure;
2756 
2757 		if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
2758 			    rdev->wiphy.perm_addr))
2759 			goto nla_put_failure;
2760 
2761 		if (!is_zero_ether_addr(rdev->wiphy.addr_mask) &&
2762 		    nla_put(msg, NL80211_ATTR_MAC_MASK, ETH_ALEN,
2763 			    rdev->wiphy.addr_mask))
2764 			goto nla_put_failure;
2765 
2766 		if (rdev->wiphy.n_addresses > 1) {
2767 			void *attr;
2768 
2769 			attr = nla_nest_start(msg, NL80211_ATTR_MAC_ADDRS);
2770 			if (!attr)
2771 				goto nla_put_failure;
2772 
2773 			for (i = 0; i < rdev->wiphy.n_addresses; i++)
2774 				if (nla_put(msg, i + 1, ETH_ALEN,
2775 					    rdev->wiphy.addresses[i].addr))
2776 					goto nla_put_failure;
2777 
2778 			nla_nest_end(msg, attr);
2779 		}
2780 
2781 		state->split_start++;
2782 		break;
2783 	case 10:
2784 		if (nl80211_send_coalesce(msg, rdev))
2785 			goto nla_put_failure;
2786 
2787 		if ((rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ) &&
2788 		    (nla_put_flag(msg, NL80211_ATTR_SUPPORT_5_MHZ) ||
2789 		     nla_put_flag(msg, NL80211_ATTR_SUPPORT_10_MHZ)))
2790 			goto nla_put_failure;
2791 
2792 		if (rdev->wiphy.max_ap_assoc_sta &&
2793 		    nla_put_u32(msg, NL80211_ATTR_MAX_AP_ASSOC_STA,
2794 				rdev->wiphy.max_ap_assoc_sta))
2795 			goto nla_put_failure;
2796 
2797 		state->split_start++;
2798 		break;
2799 	case 11:
2800 		if (rdev->wiphy.n_vendor_commands) {
2801 			const struct nl80211_vendor_cmd_info *info;
2802 			struct nlattr *nested;
2803 
2804 			nested = nla_nest_start_noflag(msg,
2805 						       NL80211_ATTR_VENDOR_DATA);
2806 			if (!nested)
2807 				goto nla_put_failure;
2808 
2809 			for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
2810 				info = &rdev->wiphy.vendor_commands[i].info;
2811 				if (nla_put(msg, i + 1, sizeof(*info), info))
2812 					goto nla_put_failure;
2813 			}
2814 			nla_nest_end(msg, nested);
2815 		}
2816 
2817 		if (rdev->wiphy.n_vendor_events) {
2818 			const struct nl80211_vendor_cmd_info *info;
2819 			struct nlattr *nested;
2820 
2821 			nested = nla_nest_start_noflag(msg,
2822 						       NL80211_ATTR_VENDOR_EVENTS);
2823 			if (!nested)
2824 				goto nla_put_failure;
2825 
2826 			for (i = 0; i < rdev->wiphy.n_vendor_events; i++) {
2827 				info = &rdev->wiphy.vendor_events[i];
2828 				if (nla_put(msg, i + 1, sizeof(*info), info))
2829 					goto nla_put_failure;
2830 			}
2831 			nla_nest_end(msg, nested);
2832 		}
2833 		state->split_start++;
2834 		break;
2835 	case 12:
2836 		if (rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH &&
2837 		    nla_put_u8(msg, NL80211_ATTR_MAX_CSA_COUNTERS,
2838 			       rdev->wiphy.max_num_csa_counters))
2839 			goto nla_put_failure;
2840 
2841 		if (rdev->wiphy.regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
2842 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
2843 			goto nla_put_failure;
2844 
2845 		if (rdev->wiphy.max_sched_scan_reqs &&
2846 		    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_MAX_REQS,
2847 				rdev->wiphy.max_sched_scan_reqs))
2848 			goto nla_put_failure;
2849 
2850 		if (nla_put(msg, NL80211_ATTR_EXT_FEATURES,
2851 			    sizeof(rdev->wiphy.ext_features),
2852 			    rdev->wiphy.ext_features))
2853 			goto nla_put_failure;
2854 
2855 		if (rdev->wiphy.bss_select_support) {
2856 			struct nlattr *nested;
2857 			u32 bss_select_support = rdev->wiphy.bss_select_support;
2858 
2859 			nested = nla_nest_start_noflag(msg,
2860 						       NL80211_ATTR_BSS_SELECT);
2861 			if (!nested)
2862 				goto nla_put_failure;
2863 
2864 			i = 0;
2865 			while (bss_select_support) {
2866 				if ((bss_select_support & 1) &&
2867 				    nla_put_flag(msg, i))
2868 					goto nla_put_failure;
2869 				i++;
2870 				bss_select_support >>= 1;
2871 			}
2872 			nla_nest_end(msg, nested);
2873 		}
2874 
2875 		state->split_start++;
2876 		break;
2877 	case 13:
2878 		if (rdev->wiphy.num_iftype_ext_capab &&
2879 		    rdev->wiphy.iftype_ext_capab) {
2880 			struct nlattr *nested_ext_capab, *nested;
2881 
2882 			nested = nla_nest_start_noflag(msg,
2883 						       NL80211_ATTR_IFTYPE_EXT_CAPA);
2884 			if (!nested)
2885 				goto nla_put_failure;
2886 
2887 			for (i = state->capa_start;
2888 			     i < rdev->wiphy.num_iftype_ext_capab; i++) {
2889 				const struct wiphy_iftype_ext_capab *capab;
2890 
2891 				capab = &rdev->wiphy.iftype_ext_capab[i];
2892 
2893 				nested_ext_capab = nla_nest_start_noflag(msg,
2894 									 i);
2895 				if (!nested_ext_capab ||
2896 				    nla_put_u32(msg, NL80211_ATTR_IFTYPE,
2897 						capab->iftype) ||
2898 				    nla_put(msg, NL80211_ATTR_EXT_CAPA,
2899 					    capab->extended_capabilities_len,
2900 					    capab->extended_capabilities) ||
2901 				    nla_put(msg, NL80211_ATTR_EXT_CAPA_MASK,
2902 					    capab->extended_capabilities_len,
2903 					    capab->extended_capabilities_mask))
2904 					goto nla_put_failure;
2905 
2906 				if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO &&
2907 				    (nla_put_u16(msg,
2908 						 NL80211_ATTR_EML_CAPABILITY,
2909 						 capab->eml_capabilities) ||
2910 				     nla_put_u16(msg,
2911 						 NL80211_ATTR_MLD_CAPA_AND_OPS,
2912 						 capab->mld_capa_and_ops)))
2913 					goto nla_put_failure;
2914 
2915 				nla_nest_end(msg, nested_ext_capab);
2916 				if (state->split)
2917 					break;
2918 			}
2919 			nla_nest_end(msg, nested);
2920 			if (i < rdev->wiphy.num_iftype_ext_capab) {
2921 				state->capa_start = i + 1;
2922 				break;
2923 			}
2924 		}
2925 
2926 		if (nla_put_u32(msg, NL80211_ATTR_BANDS,
2927 				rdev->wiphy.nan_supported_bands))
2928 			goto nla_put_failure;
2929 
2930 		if (wiphy_ext_feature_isset(&rdev->wiphy,
2931 					    NL80211_EXT_FEATURE_TXQS)) {
2932 			struct cfg80211_txq_stats txqstats = {};
2933 			int res;
2934 
2935 			res = rdev_get_txq_stats(rdev, NULL, &txqstats);
2936 			if (!res &&
2937 			    !nl80211_put_txq_stats(msg, &txqstats,
2938 						   NL80211_ATTR_TXQ_STATS))
2939 				goto nla_put_failure;
2940 
2941 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_LIMIT,
2942 					rdev->wiphy.txq_limit))
2943 				goto nla_put_failure;
2944 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_MEMORY_LIMIT,
2945 					rdev->wiphy.txq_memory_limit))
2946 				goto nla_put_failure;
2947 			if (nla_put_u32(msg, NL80211_ATTR_TXQ_QUANTUM,
2948 					rdev->wiphy.txq_quantum))
2949 				goto nla_put_failure;
2950 		}
2951 
2952 		state->split_start++;
2953 		break;
2954 	case 14:
2955 		if (nl80211_send_pmsr_capa(rdev, msg))
2956 			goto nla_put_failure;
2957 
2958 		state->split_start++;
2959 		break;
2960 	case 15:
2961 		if (rdev->wiphy.akm_suites &&
2962 		    nla_put(msg, NL80211_ATTR_AKM_SUITES,
2963 			    sizeof(u32) * rdev->wiphy.n_akm_suites,
2964 			    rdev->wiphy.akm_suites))
2965 			goto nla_put_failure;
2966 
2967 		if (nl80211_put_iftype_akm_suites(rdev, msg))
2968 			goto nla_put_failure;
2969 
2970 		if (nl80211_put_tid_config_support(rdev, msg))
2971 			goto nla_put_failure;
2972 		state->split_start++;
2973 		break;
2974 	case 16:
2975 		if (nl80211_put_sar_specs(rdev, msg))
2976 			goto nla_put_failure;
2977 
2978 		if (nl80211_put_mbssid_support(&rdev->wiphy, msg))
2979 			goto nla_put_failure;
2980 
2981 		if (nla_put_u16(msg, NL80211_ATTR_MAX_NUM_AKM_SUITES,
2982 				rdev->wiphy.max_num_akm_suites))
2983 			goto nla_put_failure;
2984 
2985 		if (rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)
2986 			nla_put_flag(msg, NL80211_ATTR_MLO_SUPPORT);
2987 
2988 		if (rdev->wiphy.hw_timestamp_max_peers &&
2989 		    nla_put_u16(msg, NL80211_ATTR_MAX_HW_TIMESTAMP_PEERS,
2990 				rdev->wiphy.hw_timestamp_max_peers))
2991 			goto nla_put_failure;
2992 
2993 		/* done */
2994 		state->split_start = 0;
2995 		break;
2996 	}
2997  finish:
2998 	genlmsg_end(msg, hdr);
2999 	return 0;
3000 
3001  nla_put_failure:
3002 	genlmsg_cancel(msg, hdr);
3003 	return -EMSGSIZE;
3004 }
3005 
3006 static int nl80211_dump_wiphy_parse(struct sk_buff *skb,
3007 				    struct netlink_callback *cb,
3008 				    struct nl80211_dump_wiphy_state *state)
3009 {
3010 	struct nlattr **tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
3011 	int ret;
3012 
3013 	if (!tb)
3014 		return -ENOMEM;
3015 
3016 	ret = nlmsg_parse_deprecated(cb->nlh,
3017 				     GENL_HDRLEN + nl80211_fam.hdrsize,
3018 				     tb, nl80211_fam.maxattr,
3019 				     nl80211_policy, NULL);
3020 	/* ignore parse errors for backward compatibility */
3021 	if (ret) {
3022 		ret = 0;
3023 		goto out;
3024 	}
3025 
3026 	state->split = tb[NL80211_ATTR_SPLIT_WIPHY_DUMP];
3027 	if (tb[NL80211_ATTR_WIPHY])
3028 		state->filter_wiphy = nla_get_u32(tb[NL80211_ATTR_WIPHY]);
3029 	if (tb[NL80211_ATTR_WDEV])
3030 		state->filter_wiphy = nla_get_u64(tb[NL80211_ATTR_WDEV]) >> 32;
3031 	if (tb[NL80211_ATTR_IFINDEX]) {
3032 		struct net_device *netdev;
3033 		struct cfg80211_registered_device *rdev;
3034 		int ifidx = nla_get_u32(tb[NL80211_ATTR_IFINDEX]);
3035 
3036 		netdev = __dev_get_by_index(sock_net(skb->sk), ifidx);
3037 		if (!netdev) {
3038 			ret = -ENODEV;
3039 			goto out;
3040 		}
3041 		if (netdev->ieee80211_ptr) {
3042 			rdev = wiphy_to_rdev(
3043 				netdev->ieee80211_ptr->wiphy);
3044 			state->filter_wiphy = rdev->wiphy_idx;
3045 		}
3046 	}
3047 
3048 	ret = 0;
3049 out:
3050 	kfree(tb);
3051 	return ret;
3052 }
3053 
3054 static int nl80211_dump_wiphy(struct sk_buff *skb, struct netlink_callback *cb)
3055 {
3056 	int idx = 0, ret;
3057 	struct nl80211_dump_wiphy_state *state = (void *)cb->args[0];
3058 	struct cfg80211_registered_device *rdev;
3059 
3060 	rtnl_lock();
3061 	if (!state) {
3062 		state = kzalloc(sizeof(*state), GFP_KERNEL);
3063 		if (!state) {
3064 			rtnl_unlock();
3065 			return -ENOMEM;
3066 		}
3067 		state->filter_wiphy = -1;
3068 		ret = nl80211_dump_wiphy_parse(skb, cb, state);
3069 		if (ret) {
3070 			kfree(state);
3071 			rtnl_unlock();
3072 			return ret;
3073 		}
3074 		cb->args[0] = (long)state;
3075 	}
3076 
3077 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3078 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3079 			continue;
3080 		if (++idx <= state->start)
3081 			continue;
3082 		if (state->filter_wiphy != -1 &&
3083 		    state->filter_wiphy != rdev->wiphy_idx)
3084 			continue;
3085 		wiphy_lock(&rdev->wiphy);
3086 		/* attempt to fit multiple wiphy data chunks into the skb */
3087 		do {
3088 			ret = nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY,
3089 						 skb,
3090 						 NETLINK_CB(cb->skb).portid,
3091 						 cb->nlh->nlmsg_seq,
3092 						 NLM_F_MULTI, state);
3093 			if (ret < 0) {
3094 				/*
3095 				 * If sending the wiphy data didn't fit (ENOBUFS
3096 				 * or EMSGSIZE returned), this SKB is still
3097 				 * empty (so it's not too big because another
3098 				 * wiphy dataset is already in the skb) and
3099 				 * we've not tried to adjust the dump allocation
3100 				 * yet ... then adjust the alloc size to be
3101 				 * bigger, and return 1 but with the empty skb.
3102 				 * This results in an empty message being RX'ed
3103 				 * in userspace, but that is ignored.
3104 				 *
3105 				 * We can then retry with the larger buffer.
3106 				 */
3107 				if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
3108 				    !skb->len && !state->split &&
3109 				    cb->min_dump_alloc < 4096) {
3110 					cb->min_dump_alloc = 4096;
3111 					state->split_start = 0;
3112 					wiphy_unlock(&rdev->wiphy);
3113 					rtnl_unlock();
3114 					return 1;
3115 				}
3116 				idx--;
3117 				break;
3118 			}
3119 		} while (state->split_start > 0);
3120 		wiphy_unlock(&rdev->wiphy);
3121 		break;
3122 	}
3123 	rtnl_unlock();
3124 
3125 	state->start = idx;
3126 
3127 	return skb->len;
3128 }
3129 
3130 static int nl80211_dump_wiphy_done(struct netlink_callback *cb)
3131 {
3132 	kfree((void *)cb->args[0]);
3133 	return 0;
3134 }
3135 
3136 static int nl80211_get_wiphy(struct sk_buff *skb, struct genl_info *info)
3137 {
3138 	struct sk_buff *msg;
3139 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3140 	struct nl80211_dump_wiphy_state state = {};
3141 
3142 	msg = nlmsg_new(4096, GFP_KERNEL);
3143 	if (!msg)
3144 		return -ENOMEM;
3145 
3146 	if (nl80211_send_wiphy(rdev, NL80211_CMD_NEW_WIPHY, msg,
3147 			       info->snd_portid, info->snd_seq, 0,
3148 			       &state) < 0) {
3149 		nlmsg_free(msg);
3150 		return -ENOBUFS;
3151 	}
3152 
3153 	return genlmsg_reply(msg, info);
3154 }
3155 
3156 static const struct nla_policy txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
3157 	[NL80211_TXQ_ATTR_QUEUE]		= { .type = NLA_U8 },
3158 	[NL80211_TXQ_ATTR_TXOP]			= { .type = NLA_U16 },
3159 	[NL80211_TXQ_ATTR_CWMIN]		= { .type = NLA_U16 },
3160 	[NL80211_TXQ_ATTR_CWMAX]		= { .type = NLA_U16 },
3161 	[NL80211_TXQ_ATTR_AIFS]			= { .type = NLA_U8 },
3162 };
3163 
3164 static int parse_txq_params(struct nlattr *tb[],
3165 			    struct ieee80211_txq_params *txq_params)
3166 {
3167 	u8 ac;
3168 
3169 	if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
3170 	    !tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
3171 	    !tb[NL80211_TXQ_ATTR_AIFS])
3172 		return -EINVAL;
3173 
3174 	ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
3175 	txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
3176 	txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
3177 	txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
3178 	txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
3179 
3180 	if (ac >= NL80211_NUM_ACS)
3181 		return -EINVAL;
3182 	txq_params->ac = array_index_nospec(ac, NL80211_NUM_ACS);
3183 	return 0;
3184 }
3185 
3186 static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
3187 {
3188 	/*
3189 	 * You can only set the channel explicitly for some interfaces,
3190 	 * most have their channel managed via their respective
3191 	 * "establish a connection" command (connect, join, ...)
3192 	 *
3193 	 * For AP/GO and mesh mode, the channel can be set with the
3194 	 * channel userspace API, but is only stored and passed to the
3195 	 * low-level driver when the AP starts or the mesh is joined.
3196 	 * This is for backward compatibility, userspace can also give
3197 	 * the channel in the start-ap or join-mesh commands instead.
3198 	 *
3199 	 * Monitors are special as they are normally slaved to
3200 	 * whatever else is going on, so they have their own special
3201 	 * operation to set the monitor channel if possible.
3202 	 */
3203 	return !wdev ||
3204 		wdev->iftype == NL80211_IFTYPE_AP ||
3205 		wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
3206 		wdev->iftype == NL80211_IFTYPE_MONITOR ||
3207 		wdev->iftype == NL80211_IFTYPE_P2P_GO;
3208 }
3209 
3210 static int nl80211_parse_punct_bitmap(struct cfg80211_registered_device *rdev,
3211 				      struct genl_info *info,
3212 				      const struct cfg80211_chan_def *chandef,
3213 				      u16 *punct_bitmap)
3214 {
3215 	if (!wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_PUNCT))
3216 		return -EINVAL;
3217 
3218 	*punct_bitmap = nla_get_u32(info->attrs[NL80211_ATTR_PUNCT_BITMAP]);
3219 	if (!cfg80211_valid_disable_subchannel_bitmap(punct_bitmap, chandef))
3220 		return -EINVAL;
3221 
3222 	return 0;
3223 }
3224 
3225 int nl80211_parse_chandef(struct cfg80211_registered_device *rdev,
3226 			  struct genl_info *info,
3227 			  struct cfg80211_chan_def *chandef)
3228 {
3229 	struct netlink_ext_ack *extack = info->extack;
3230 	struct nlattr **attrs = info->attrs;
3231 	u32 control_freq;
3232 
3233 	if (!attrs[NL80211_ATTR_WIPHY_FREQ]) {
3234 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3235 				    "Frequency is missing");
3236 		return -EINVAL;
3237 	}
3238 
3239 	control_freq = MHZ_TO_KHZ(
3240 			nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
3241 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
3242 		control_freq +=
3243 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
3244 
3245 	memset(chandef, 0, sizeof(*chandef));
3246 	chandef->chan = ieee80211_get_channel_khz(&rdev->wiphy, control_freq);
3247 	chandef->width = NL80211_CHAN_WIDTH_20_NOHT;
3248 	chandef->center_freq1 = KHZ_TO_MHZ(control_freq);
3249 	chandef->freq1_offset = control_freq % 1000;
3250 	chandef->center_freq2 = 0;
3251 
3252 	/* Primary channel not allowed */
3253 	if (!chandef->chan || chandef->chan->flags & IEEE80211_CHAN_DISABLED) {
3254 		NL_SET_ERR_MSG_ATTR(extack, attrs[NL80211_ATTR_WIPHY_FREQ],
3255 				    "Channel is disabled");
3256 		return -EINVAL;
3257 	}
3258 
3259 	if (attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
3260 		enum nl80211_channel_type chantype;
3261 
3262 		chantype = nla_get_u32(attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
3263 
3264 		switch (chantype) {
3265 		case NL80211_CHAN_NO_HT:
3266 		case NL80211_CHAN_HT20:
3267 		case NL80211_CHAN_HT40PLUS:
3268 		case NL80211_CHAN_HT40MINUS:
3269 			cfg80211_chandef_create(chandef, chandef->chan,
3270 						chantype);
3271 			/* user input for center_freq is incorrect */
3272 			if (attrs[NL80211_ATTR_CENTER_FREQ1] &&
3273 			    chandef->center_freq1 != nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1])) {
3274 				NL_SET_ERR_MSG_ATTR(extack,
3275 						    attrs[NL80211_ATTR_CENTER_FREQ1],
3276 						    "bad center frequency 1");
3277 				return -EINVAL;
3278 			}
3279 			/* center_freq2 must be zero */
3280 			if (attrs[NL80211_ATTR_CENTER_FREQ2] &&
3281 			    nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2])) {
3282 				NL_SET_ERR_MSG_ATTR(extack,
3283 						    attrs[NL80211_ATTR_CENTER_FREQ2],
3284 						    "center frequency 2 can't be used");
3285 				return -EINVAL;
3286 			}
3287 			break;
3288 		default:
3289 			NL_SET_ERR_MSG_ATTR(extack,
3290 					    attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE],
3291 					    "invalid channel type");
3292 			return -EINVAL;
3293 		}
3294 	} else if (attrs[NL80211_ATTR_CHANNEL_WIDTH]) {
3295 		chandef->width =
3296 			nla_get_u32(attrs[NL80211_ATTR_CHANNEL_WIDTH]);
3297 		if (chandef->chan->band == NL80211_BAND_S1GHZ) {
3298 			/* User input error for channel width doesn't match channel  */
3299 			if (chandef->width != ieee80211_s1g_channel_width(chandef->chan)) {
3300 				NL_SET_ERR_MSG_ATTR(extack,
3301 						    attrs[NL80211_ATTR_CHANNEL_WIDTH],
3302 						    "bad channel width");
3303 				return -EINVAL;
3304 			}
3305 		}
3306 		if (attrs[NL80211_ATTR_CENTER_FREQ1]) {
3307 			chandef->center_freq1 =
3308 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ1]);
3309 			if (attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET])
3310 				chandef->freq1_offset = nla_get_u32(
3311 				      attrs[NL80211_ATTR_CENTER_FREQ1_OFFSET]);
3312 			else
3313 				chandef->freq1_offset = 0;
3314 		}
3315 		if (attrs[NL80211_ATTR_CENTER_FREQ2])
3316 			chandef->center_freq2 =
3317 				nla_get_u32(attrs[NL80211_ATTR_CENTER_FREQ2]);
3318 	}
3319 
3320 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
3321 		chandef->edmg.channels =
3322 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
3323 
3324 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
3325 			chandef->edmg.bw_config =
3326 		     nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
3327 	} else {
3328 		chandef->edmg.bw_config = 0;
3329 		chandef->edmg.channels = 0;
3330 	}
3331 
3332 	if (!cfg80211_chandef_valid(chandef)) {
3333 		NL_SET_ERR_MSG(extack, "invalid channel definition");
3334 		return -EINVAL;
3335 	}
3336 
3337 	if (!cfg80211_chandef_usable(&rdev->wiphy, chandef,
3338 				     IEEE80211_CHAN_DISABLED)) {
3339 		NL_SET_ERR_MSG(extack, "(extension) channel is disabled");
3340 		return -EINVAL;
3341 	}
3342 
3343 	if ((chandef->width == NL80211_CHAN_WIDTH_5 ||
3344 	     chandef->width == NL80211_CHAN_WIDTH_10) &&
3345 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_5_10_MHZ)) {
3346 		NL_SET_ERR_MSG(extack, "5/10 MHz not supported");
3347 		return -EINVAL;
3348 	}
3349 
3350 	return 0;
3351 }
3352 
3353 static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
3354 				 struct net_device *dev,
3355 				 struct genl_info *info,
3356 				 int _link_id)
3357 {
3358 	struct cfg80211_chan_def chandef;
3359 	int result;
3360 	enum nl80211_iftype iftype = NL80211_IFTYPE_MONITOR;
3361 	struct wireless_dev *wdev = NULL;
3362 	int link_id = _link_id;
3363 
3364 	if (dev)
3365 		wdev = dev->ieee80211_ptr;
3366 	if (!nl80211_can_set_dev_channel(wdev))
3367 		return -EOPNOTSUPP;
3368 	if (wdev)
3369 		iftype = wdev->iftype;
3370 
3371 	if (link_id < 0) {
3372 		if (wdev && wdev->valid_links)
3373 			return -EINVAL;
3374 		link_id = 0;
3375 	}
3376 
3377 	result = nl80211_parse_chandef(rdev, info, &chandef);
3378 	if (result)
3379 		return result;
3380 
3381 	switch (iftype) {
3382 	case NL80211_IFTYPE_AP:
3383 	case NL80211_IFTYPE_P2P_GO:
3384 		if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
3385 						   iftype))
3386 			return -EINVAL;
3387 		if (wdev->links[link_id].ap.beacon_interval) {
3388 			struct ieee80211_channel *cur_chan;
3389 
3390 			if (!dev || !rdev->ops->set_ap_chanwidth ||
3391 			    !(rdev->wiphy.features &
3392 			      NL80211_FEATURE_AP_MODE_CHAN_WIDTH_CHANGE))
3393 				return -EBUSY;
3394 
3395 			/* Only allow dynamic channel width changes */
3396 			cur_chan = wdev->links[link_id].ap.chandef.chan;
3397 			if (chandef.chan != cur_chan)
3398 				return -EBUSY;
3399 
3400 			result = rdev_set_ap_chanwidth(rdev, dev, link_id,
3401 						       &chandef);
3402 			if (result)
3403 				return result;
3404 			wdev->links[link_id].ap.chandef = chandef;
3405 		} else {
3406 			wdev->u.ap.preset_chandef = chandef;
3407 		}
3408 		return 0;
3409 	case NL80211_IFTYPE_MESH_POINT:
3410 		return cfg80211_set_mesh_channel(rdev, wdev, &chandef);
3411 	case NL80211_IFTYPE_MONITOR:
3412 		return cfg80211_set_monitor_channel(rdev, &chandef);
3413 	default:
3414 		break;
3415 	}
3416 
3417 	return -EINVAL;
3418 }
3419 
3420 static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
3421 {
3422 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
3423 	int link_id = nl80211_link_id_or_invalid(info->attrs);
3424 	struct net_device *netdev = info->user_ptr[1];
3425 	int ret;
3426 
3427 	wdev_lock(netdev->ieee80211_ptr);
3428 	ret = __nl80211_set_channel(rdev, netdev, info, link_id);
3429 	wdev_unlock(netdev->ieee80211_ptr);
3430 
3431 	return ret;
3432 }
3433 
3434 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
3435 {
3436 	struct cfg80211_registered_device *rdev = NULL;
3437 	struct net_device *netdev = NULL;
3438 	struct wireless_dev *wdev;
3439 	int result = 0, rem_txq_params = 0;
3440 	struct nlattr *nl_txq_params;
3441 	u32 changed;
3442 	u8 retry_short = 0, retry_long = 0;
3443 	u32 frag_threshold = 0, rts_threshold = 0;
3444 	u8 coverage_class = 0;
3445 	u32 txq_limit = 0, txq_memory_limit = 0, txq_quantum = 0;
3446 
3447 	rtnl_lock();
3448 	/*
3449 	 * Try to find the wiphy and netdev. Normally this
3450 	 * function shouldn't need the netdev, but this is
3451 	 * done for backward compatibility -- previously
3452 	 * setting the channel was done per wiphy, but now
3453 	 * it is per netdev. Previous userland like hostapd
3454 	 * also passed a netdev to set_wiphy, so that it is
3455 	 * possible to let that go to the right netdev!
3456 	 */
3457 
3458 	if (info->attrs[NL80211_ATTR_IFINDEX]) {
3459 		int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
3460 
3461 		netdev = __dev_get_by_index(genl_info_net(info), ifindex);
3462 		if (netdev && netdev->ieee80211_ptr)
3463 			rdev = wiphy_to_rdev(netdev->ieee80211_ptr->wiphy);
3464 		else
3465 			netdev = NULL;
3466 	}
3467 
3468 	if (!netdev) {
3469 		rdev = __cfg80211_rdev_from_attrs(genl_info_net(info),
3470 						  info->attrs);
3471 		if (IS_ERR(rdev)) {
3472 			rtnl_unlock();
3473 			return PTR_ERR(rdev);
3474 		}
3475 		wdev = NULL;
3476 		netdev = NULL;
3477 		result = 0;
3478 	} else
3479 		wdev = netdev->ieee80211_ptr;
3480 
3481 	wiphy_lock(&rdev->wiphy);
3482 
3483 	/*
3484 	 * end workaround code, by now the rdev is available
3485 	 * and locked, and wdev may or may not be NULL.
3486 	 */
3487 
3488 	if (info->attrs[NL80211_ATTR_WIPHY_NAME])
3489 		result = cfg80211_dev_rename(
3490 			rdev, nla_data(info->attrs[NL80211_ATTR_WIPHY_NAME]));
3491 	rtnl_unlock();
3492 
3493 	if (result)
3494 		goto out;
3495 
3496 	if (info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS]) {
3497 		struct ieee80211_txq_params txq_params;
3498 		struct nlattr *tb[NL80211_TXQ_ATTR_MAX + 1];
3499 
3500 		if (!rdev->ops->set_txq_params) {
3501 			result = -EOPNOTSUPP;
3502 			goto out;
3503 		}
3504 
3505 		if (!netdev) {
3506 			result = -EINVAL;
3507 			goto out;
3508 		}
3509 
3510 		if (netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
3511 		    netdev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
3512 			result = -EINVAL;
3513 			goto out;
3514 		}
3515 
3516 		if (!netif_running(netdev)) {
3517 			result = -ENETDOWN;
3518 			goto out;
3519 		}
3520 
3521 		nla_for_each_nested(nl_txq_params,
3522 				    info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
3523 				    rem_txq_params) {
3524 			result = nla_parse_nested_deprecated(tb,
3525 							     NL80211_TXQ_ATTR_MAX,
3526 							     nl_txq_params,
3527 							     txq_params_policy,
3528 							     info->extack);
3529 			if (result)
3530 				goto out;
3531 			result = parse_txq_params(tb, &txq_params);
3532 			if (result)
3533 				goto out;
3534 
3535 			txq_params.link_id =
3536 				nl80211_link_id_or_invalid(info->attrs);
3537 
3538 			wdev_lock(netdev->ieee80211_ptr);
3539 			if (txq_params.link_id >= 0 &&
3540 			    !(netdev->ieee80211_ptr->valid_links &
3541 			      BIT(txq_params.link_id)))
3542 				result = -ENOLINK;
3543 			else if (txq_params.link_id >= 0 &&
3544 				 !netdev->ieee80211_ptr->valid_links)
3545 				result = -EINVAL;
3546 			else
3547 				result = rdev_set_txq_params(rdev, netdev,
3548 							     &txq_params);
3549 			wdev_unlock(netdev->ieee80211_ptr);
3550 			if (result)
3551 				goto out;
3552 		}
3553 	}
3554 
3555 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
3556 		int link_id = nl80211_link_id_or_invalid(info->attrs);
3557 
3558 		if (wdev) {
3559 			wdev_lock(wdev);
3560 			result = __nl80211_set_channel(
3561 				rdev,
3562 				nl80211_can_set_dev_channel(wdev) ? netdev : NULL,
3563 				info, link_id);
3564 			wdev_unlock(wdev);
3565 		} else {
3566 			result = __nl80211_set_channel(rdev, netdev, info, link_id);
3567 		}
3568 
3569 		if (result)
3570 			goto out;
3571 	}
3572 
3573 	if (info->attrs[NL80211_ATTR_WIPHY_TX_POWER_SETTING]) {
3574 		struct wireless_dev *txp_wdev = wdev;
3575 		enum nl80211_tx_power_setting type;
3576 		int idx, mbm = 0;
3577 
3578 		if (!(rdev->wiphy.features & NL80211_FEATURE_VIF_TXPOWER))
3579 			txp_wdev = NULL;
3580 
3581 		if (!rdev->ops->set_tx_power) {
3582 			result = -EOPNOTSUPP;
3583 			goto out;
3584 		}
3585 
3586 		idx = NL80211_ATTR_WIPHY_TX_POWER_SETTING;
3587 		type = nla_get_u32(info->attrs[idx]);
3588 
3589 		if (!info->attrs[NL80211_ATTR_WIPHY_TX_POWER_LEVEL] &&
3590 		    (type != NL80211_TX_POWER_AUTOMATIC)) {
3591 			result = -EINVAL;
3592 			goto out;
3593 		}
3594 
3595 		if (type != NL80211_TX_POWER_AUTOMATIC) {
3596 			idx = NL80211_ATTR_WIPHY_TX_POWER_LEVEL;
3597 			mbm = nla_get_u32(info->attrs[idx]);
3598 		}
3599 
3600 		result = rdev_set_tx_power(rdev, txp_wdev, type, mbm);
3601 		if (result)
3602 			goto out;
3603 	}
3604 
3605 	if (info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX] &&
3606 	    info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]) {
3607 		u32 tx_ant, rx_ant;
3608 
3609 		if ((!rdev->wiphy.available_antennas_tx &&
3610 		     !rdev->wiphy.available_antennas_rx) ||
3611 		    !rdev->ops->set_antenna) {
3612 			result = -EOPNOTSUPP;
3613 			goto out;
3614 		}
3615 
3616 		tx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_TX]);
3617 		rx_ant = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_ANTENNA_RX]);
3618 
3619 		/* reject antenna configurations which don't match the
3620 		 * available antenna masks, except for the "all" mask */
3621 		if ((~tx_ant && (tx_ant & ~rdev->wiphy.available_antennas_tx)) ||
3622 		    (~rx_ant && (rx_ant & ~rdev->wiphy.available_antennas_rx))) {
3623 			result = -EINVAL;
3624 			goto out;
3625 		}
3626 
3627 		tx_ant = tx_ant & rdev->wiphy.available_antennas_tx;
3628 		rx_ant = rx_ant & rdev->wiphy.available_antennas_rx;
3629 
3630 		result = rdev_set_antenna(rdev, tx_ant, rx_ant);
3631 		if (result)
3632 			goto out;
3633 	}
3634 
3635 	changed = 0;
3636 
3637 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]) {
3638 		retry_short = nla_get_u8(
3639 			info->attrs[NL80211_ATTR_WIPHY_RETRY_SHORT]);
3640 
3641 		changed |= WIPHY_PARAM_RETRY_SHORT;
3642 	}
3643 
3644 	if (info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]) {
3645 		retry_long = nla_get_u8(
3646 			info->attrs[NL80211_ATTR_WIPHY_RETRY_LONG]);
3647 
3648 		changed |= WIPHY_PARAM_RETRY_LONG;
3649 	}
3650 
3651 	if (info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]) {
3652 		frag_threshold = nla_get_u32(
3653 			info->attrs[NL80211_ATTR_WIPHY_FRAG_THRESHOLD]);
3654 		if (frag_threshold < 256) {
3655 			result = -EINVAL;
3656 			goto out;
3657 		}
3658 
3659 		if (frag_threshold != (u32) -1) {
3660 			/*
3661 			 * Fragments (apart from the last one) are required to
3662 			 * have even length. Make the fragmentation code
3663 			 * simpler by stripping LSB should someone try to use
3664 			 * odd threshold value.
3665 			 */
3666 			frag_threshold &= ~0x1;
3667 		}
3668 		changed |= WIPHY_PARAM_FRAG_THRESHOLD;
3669 	}
3670 
3671 	if (info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]) {
3672 		rts_threshold = nla_get_u32(
3673 			info->attrs[NL80211_ATTR_WIPHY_RTS_THRESHOLD]);
3674 		changed |= WIPHY_PARAM_RTS_THRESHOLD;
3675 	}
3676 
3677 	if (info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]) {
3678 		if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3679 			result = -EINVAL;
3680 			goto out;
3681 		}
3682 
3683 		coverage_class = nla_get_u8(
3684 			info->attrs[NL80211_ATTR_WIPHY_COVERAGE_CLASS]);
3685 		changed |= WIPHY_PARAM_COVERAGE_CLASS;
3686 	}
3687 
3688 	if (info->attrs[NL80211_ATTR_WIPHY_DYN_ACK]) {
3689 		if (!(rdev->wiphy.features & NL80211_FEATURE_ACKTO_ESTIMATION)) {
3690 			result = -EOPNOTSUPP;
3691 			goto out;
3692 		}
3693 
3694 		changed |= WIPHY_PARAM_DYN_ACK;
3695 	}
3696 
3697 	if (info->attrs[NL80211_ATTR_TXQ_LIMIT]) {
3698 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3699 					     NL80211_EXT_FEATURE_TXQS)) {
3700 			result = -EOPNOTSUPP;
3701 			goto out;
3702 		}
3703 		txq_limit = nla_get_u32(
3704 			info->attrs[NL80211_ATTR_TXQ_LIMIT]);
3705 		changed |= WIPHY_PARAM_TXQ_LIMIT;
3706 	}
3707 
3708 	if (info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]) {
3709 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3710 					     NL80211_EXT_FEATURE_TXQS)) {
3711 			result = -EOPNOTSUPP;
3712 			goto out;
3713 		}
3714 		txq_memory_limit = nla_get_u32(
3715 			info->attrs[NL80211_ATTR_TXQ_MEMORY_LIMIT]);
3716 		changed |= WIPHY_PARAM_TXQ_MEMORY_LIMIT;
3717 	}
3718 
3719 	if (info->attrs[NL80211_ATTR_TXQ_QUANTUM]) {
3720 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
3721 					     NL80211_EXT_FEATURE_TXQS)) {
3722 			result = -EOPNOTSUPP;
3723 			goto out;
3724 		}
3725 		txq_quantum = nla_get_u32(
3726 			info->attrs[NL80211_ATTR_TXQ_QUANTUM]);
3727 		changed |= WIPHY_PARAM_TXQ_QUANTUM;
3728 	}
3729 
3730 	if (changed) {
3731 		u8 old_retry_short, old_retry_long;
3732 		u32 old_frag_threshold, old_rts_threshold;
3733 		u8 old_coverage_class;
3734 		u32 old_txq_limit, old_txq_memory_limit, old_txq_quantum;
3735 
3736 		if (!rdev->ops->set_wiphy_params) {
3737 			result = -EOPNOTSUPP;
3738 			goto out;
3739 		}
3740 
3741 		old_retry_short = rdev->wiphy.retry_short;
3742 		old_retry_long = rdev->wiphy.retry_long;
3743 		old_frag_threshold = rdev->wiphy.frag_threshold;
3744 		old_rts_threshold = rdev->wiphy.rts_threshold;
3745 		old_coverage_class = rdev->wiphy.coverage_class;
3746 		old_txq_limit = rdev->wiphy.txq_limit;
3747 		old_txq_memory_limit = rdev->wiphy.txq_memory_limit;
3748 		old_txq_quantum = rdev->wiphy.txq_quantum;
3749 
3750 		if (changed & WIPHY_PARAM_RETRY_SHORT)
3751 			rdev->wiphy.retry_short = retry_short;
3752 		if (changed & WIPHY_PARAM_RETRY_LONG)
3753 			rdev->wiphy.retry_long = retry_long;
3754 		if (changed & WIPHY_PARAM_FRAG_THRESHOLD)
3755 			rdev->wiphy.frag_threshold = frag_threshold;
3756 		if (changed & WIPHY_PARAM_RTS_THRESHOLD)
3757 			rdev->wiphy.rts_threshold = rts_threshold;
3758 		if (changed & WIPHY_PARAM_COVERAGE_CLASS)
3759 			rdev->wiphy.coverage_class = coverage_class;
3760 		if (changed & WIPHY_PARAM_TXQ_LIMIT)
3761 			rdev->wiphy.txq_limit = txq_limit;
3762 		if (changed & WIPHY_PARAM_TXQ_MEMORY_LIMIT)
3763 			rdev->wiphy.txq_memory_limit = txq_memory_limit;
3764 		if (changed & WIPHY_PARAM_TXQ_QUANTUM)
3765 			rdev->wiphy.txq_quantum = txq_quantum;
3766 
3767 		result = rdev_set_wiphy_params(rdev, changed);
3768 		if (result) {
3769 			rdev->wiphy.retry_short = old_retry_short;
3770 			rdev->wiphy.retry_long = old_retry_long;
3771 			rdev->wiphy.frag_threshold = old_frag_threshold;
3772 			rdev->wiphy.rts_threshold = old_rts_threshold;
3773 			rdev->wiphy.coverage_class = old_coverage_class;
3774 			rdev->wiphy.txq_limit = old_txq_limit;
3775 			rdev->wiphy.txq_memory_limit = old_txq_memory_limit;
3776 			rdev->wiphy.txq_quantum = old_txq_quantum;
3777 			goto out;
3778 		}
3779 	}
3780 
3781 	result = 0;
3782 
3783 out:
3784 	wiphy_unlock(&rdev->wiphy);
3785 	return result;
3786 }
3787 
3788 int nl80211_send_chandef(struct sk_buff *msg, const struct cfg80211_chan_def *chandef)
3789 {
3790 	if (WARN_ON(!cfg80211_chandef_valid(chandef)))
3791 		return -EINVAL;
3792 
3793 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
3794 			chandef->chan->center_freq))
3795 		return -ENOBUFS;
3796 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
3797 			chandef->chan->freq_offset))
3798 		return -ENOBUFS;
3799 	switch (chandef->width) {
3800 	case NL80211_CHAN_WIDTH_20_NOHT:
3801 	case NL80211_CHAN_WIDTH_20:
3802 	case NL80211_CHAN_WIDTH_40:
3803 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
3804 				cfg80211_get_chandef_type(chandef)))
3805 			return -ENOBUFS;
3806 		break;
3807 	default:
3808 		break;
3809 	}
3810 	if (nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, chandef->width))
3811 		return -ENOBUFS;
3812 	if (nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ1, chandef->center_freq1))
3813 		return -ENOBUFS;
3814 	if (chandef->center_freq2 &&
3815 	    nla_put_u32(msg, NL80211_ATTR_CENTER_FREQ2, chandef->center_freq2))
3816 		return -ENOBUFS;
3817 	return 0;
3818 }
3819 EXPORT_SYMBOL(nl80211_send_chandef);
3820 
3821 static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flags,
3822 			      struct cfg80211_registered_device *rdev,
3823 			      struct wireless_dev *wdev,
3824 			      enum nl80211_commands cmd)
3825 {
3826 	struct net_device *dev = wdev->netdev;
3827 	void *hdr;
3828 
3829 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
3830 		cmd != NL80211_CMD_DEL_INTERFACE &&
3831 		cmd != NL80211_CMD_SET_INTERFACE);
3832 
3833 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
3834 	if (!hdr)
3835 		return -1;
3836 
3837 	if (dev &&
3838 	    (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
3839 	     nla_put_string(msg, NL80211_ATTR_IFNAME, dev->name)))
3840 		goto nla_put_failure;
3841 
3842 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
3843 	    nla_put_u32(msg, NL80211_ATTR_IFTYPE, wdev->iftype) ||
3844 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
3845 			      NL80211_ATTR_PAD) ||
3846 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, wdev_address(wdev)) ||
3847 	    nla_put_u32(msg, NL80211_ATTR_GENERATION,
3848 			rdev->devlist_generation ^
3849 			(cfg80211_rdev_list_generation << 2)) ||
3850 	    nla_put_u8(msg, NL80211_ATTR_4ADDR, wdev->use_4addr))
3851 		goto nla_put_failure;
3852 
3853 	if (rdev->ops->get_channel && !wdev->valid_links) {
3854 		struct cfg80211_chan_def chandef = {};
3855 		int ret;
3856 
3857 		ret = rdev_get_channel(rdev, wdev, 0, &chandef);
3858 		if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3859 			goto nla_put_failure;
3860 	}
3861 
3862 	if (rdev->ops->get_tx_power) {
3863 		int dbm, ret;
3864 
3865 		ret = rdev_get_tx_power(rdev, wdev, &dbm);
3866 		if (ret == 0 &&
3867 		    nla_put_u32(msg, NL80211_ATTR_WIPHY_TX_POWER_LEVEL,
3868 				DBM_TO_MBM(dbm)))
3869 			goto nla_put_failure;
3870 	}
3871 
3872 	wdev_lock(wdev);
3873 	switch (wdev->iftype) {
3874 	case NL80211_IFTYPE_AP:
3875 	case NL80211_IFTYPE_P2P_GO:
3876 		if (wdev->u.ap.ssid_len &&
3877 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
3878 			    wdev->u.ap.ssid))
3879 			goto nla_put_failure_locked;
3880 		break;
3881 	case NL80211_IFTYPE_STATION:
3882 	case NL80211_IFTYPE_P2P_CLIENT:
3883 		if (wdev->u.client.ssid_len &&
3884 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.client.ssid_len,
3885 			    wdev->u.client.ssid))
3886 			goto nla_put_failure_locked;
3887 		break;
3888 	case NL80211_IFTYPE_ADHOC:
3889 		if (wdev->u.ibss.ssid_len &&
3890 		    nla_put(msg, NL80211_ATTR_SSID, wdev->u.ibss.ssid_len,
3891 			    wdev->u.ibss.ssid))
3892 			goto nla_put_failure_locked;
3893 		break;
3894 	default:
3895 		/* nothing */
3896 		break;
3897 	}
3898 	wdev_unlock(wdev);
3899 
3900 	if (rdev->ops->get_txq_stats) {
3901 		struct cfg80211_txq_stats txqstats = {};
3902 		int ret = rdev_get_txq_stats(rdev, wdev, &txqstats);
3903 
3904 		if (ret == 0 &&
3905 		    !nl80211_put_txq_stats(msg, &txqstats,
3906 					   NL80211_ATTR_TXQ_STATS))
3907 			goto nla_put_failure;
3908 	}
3909 
3910 	if (wdev->valid_links) {
3911 		unsigned int link_id;
3912 		struct nlattr *links = nla_nest_start(msg,
3913 						      NL80211_ATTR_MLO_LINKS);
3914 
3915 		if (!links)
3916 			goto nla_put_failure;
3917 
3918 		for_each_valid_link(wdev, link_id) {
3919 			struct nlattr *link = nla_nest_start(msg, link_id + 1);
3920 			struct cfg80211_chan_def chandef = {};
3921 			int ret;
3922 
3923 			if (!link)
3924 				goto nla_put_failure;
3925 
3926 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
3927 				goto nla_put_failure;
3928 			if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
3929 				    wdev->links[link_id].addr))
3930 				goto nla_put_failure;
3931 
3932 			ret = rdev_get_channel(rdev, wdev, link_id, &chandef);
3933 			if (ret == 0 && nl80211_send_chandef(msg, &chandef))
3934 				goto nla_put_failure;
3935 
3936 			nla_nest_end(msg, link);
3937 		}
3938 
3939 		nla_nest_end(msg, links);
3940 	}
3941 
3942 	genlmsg_end(msg, hdr);
3943 	return 0;
3944 
3945  nla_put_failure_locked:
3946 	wdev_unlock(wdev);
3947  nla_put_failure:
3948 	genlmsg_cancel(msg, hdr);
3949 	return -EMSGSIZE;
3950 }
3951 
3952 static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *cb)
3953 {
3954 	int wp_idx = 0;
3955 	int if_idx = 0;
3956 	int wp_start = cb->args[0];
3957 	int if_start = cb->args[1];
3958 	int filter_wiphy = -1;
3959 	struct cfg80211_registered_device *rdev;
3960 	struct wireless_dev *wdev;
3961 	int ret;
3962 
3963 	rtnl_lock();
3964 	if (!cb->args[2]) {
3965 		struct nl80211_dump_wiphy_state state = {
3966 			.filter_wiphy = -1,
3967 		};
3968 
3969 		ret = nl80211_dump_wiphy_parse(skb, cb, &state);
3970 		if (ret)
3971 			goto out_unlock;
3972 
3973 		filter_wiphy = state.filter_wiphy;
3974 
3975 		/*
3976 		 * if filtering, set cb->args[2] to +1 since 0 is the default
3977 		 * value needed to determine that parsing is necessary.
3978 		 */
3979 		if (filter_wiphy >= 0)
3980 			cb->args[2] = filter_wiphy + 1;
3981 		else
3982 			cb->args[2] = -1;
3983 	} else if (cb->args[2] > 0) {
3984 		filter_wiphy = cb->args[2] - 1;
3985 	}
3986 
3987 	list_for_each_entry(rdev, &cfg80211_rdev_list, list) {
3988 		if (!net_eq(wiphy_net(&rdev->wiphy), sock_net(skb->sk)))
3989 			continue;
3990 		if (wp_idx < wp_start) {
3991 			wp_idx++;
3992 			continue;
3993 		}
3994 
3995 		if (filter_wiphy >= 0 && filter_wiphy != rdev->wiphy_idx)
3996 			continue;
3997 
3998 		if_idx = 0;
3999 
4000 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
4001 			if (if_idx < if_start) {
4002 				if_idx++;
4003 				continue;
4004 			}
4005 			if (nl80211_send_iface(skb, NETLINK_CB(cb->skb).portid,
4006 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
4007 					       rdev, wdev,
4008 					       NL80211_CMD_NEW_INTERFACE) < 0) {
4009 				goto out;
4010 			}
4011 			if_idx++;
4012 		}
4013 
4014 		wp_idx++;
4015 	}
4016  out:
4017 	cb->args[0] = wp_idx;
4018 	cb->args[1] = if_idx;
4019 
4020 	ret = skb->len;
4021  out_unlock:
4022 	rtnl_unlock();
4023 
4024 	return ret;
4025 }
4026 
4027 static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
4028 {
4029 	struct sk_buff *msg;
4030 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4031 	struct wireless_dev *wdev = info->user_ptr[1];
4032 
4033 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4034 	if (!msg)
4035 		return -ENOMEM;
4036 
4037 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4038 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4039 		nlmsg_free(msg);
4040 		return -ENOBUFS;
4041 	}
4042 
4043 	return genlmsg_reply(msg, info);
4044 }
4045 
4046 static const struct nla_policy mntr_flags_policy[NL80211_MNTR_FLAG_MAX + 1] = {
4047 	[NL80211_MNTR_FLAG_FCSFAIL] = { .type = NLA_FLAG },
4048 	[NL80211_MNTR_FLAG_PLCPFAIL] = { .type = NLA_FLAG },
4049 	[NL80211_MNTR_FLAG_CONTROL] = { .type = NLA_FLAG },
4050 	[NL80211_MNTR_FLAG_OTHER_BSS] = { .type = NLA_FLAG },
4051 	[NL80211_MNTR_FLAG_COOK_FRAMES] = { .type = NLA_FLAG },
4052 	[NL80211_MNTR_FLAG_ACTIVE] = { .type = NLA_FLAG },
4053 };
4054 
4055 static int parse_monitor_flags(struct nlattr *nla, u32 *mntrflags)
4056 {
4057 	struct nlattr *flags[NL80211_MNTR_FLAG_MAX + 1];
4058 	int flag;
4059 
4060 	*mntrflags = 0;
4061 
4062 	if (!nla)
4063 		return -EINVAL;
4064 
4065 	if (nla_parse_nested_deprecated(flags, NL80211_MNTR_FLAG_MAX, nla, mntr_flags_policy, NULL))
4066 		return -EINVAL;
4067 
4068 	for (flag = 1; flag <= NL80211_MNTR_FLAG_MAX; flag++)
4069 		if (flags[flag])
4070 			*mntrflags |= (1<<flag);
4071 
4072 	*mntrflags |= MONITOR_FLAG_CHANGED;
4073 
4074 	return 0;
4075 }
4076 
4077 static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
4078 				     enum nl80211_iftype type,
4079 				     struct genl_info *info,
4080 				     struct vif_params *params)
4081 {
4082 	bool change = false;
4083 	int err;
4084 
4085 	if (info->attrs[NL80211_ATTR_MNTR_FLAGS]) {
4086 		if (type != NL80211_IFTYPE_MONITOR)
4087 			return -EINVAL;
4088 
4089 		err = parse_monitor_flags(info->attrs[NL80211_ATTR_MNTR_FLAGS],
4090 					  &params->flags);
4091 		if (err)
4092 			return err;
4093 
4094 		change = true;
4095 	}
4096 
4097 	if (params->flags & MONITOR_FLAG_ACTIVE &&
4098 	    !(rdev->wiphy.features & NL80211_FEATURE_ACTIVE_MONITOR))
4099 		return -EOPNOTSUPP;
4100 
4101 	if (info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]) {
4102 		const u8 *mumimo_groups;
4103 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4104 
4105 		if (type != NL80211_IFTYPE_MONITOR)
4106 			return -EINVAL;
4107 
4108 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4109 			return -EOPNOTSUPP;
4110 
4111 		mumimo_groups =
4112 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
4113 
4114 		/* bits 0 and 63 are reserved and must be zero */
4115 		if ((mumimo_groups[0] & BIT(0)) ||
4116 		    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
4117 			return -EINVAL;
4118 
4119 		params->vht_mumimo_groups = mumimo_groups;
4120 		change = true;
4121 	}
4122 
4123 	if (info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]) {
4124 		u32 cap_flag = NL80211_EXT_FEATURE_MU_MIMO_AIR_SNIFFER;
4125 
4126 		if (type != NL80211_IFTYPE_MONITOR)
4127 			return -EINVAL;
4128 
4129 		if (!wiphy_ext_feature_isset(&rdev->wiphy, cap_flag))
4130 			return -EOPNOTSUPP;
4131 
4132 		params->vht_mumimo_follow_addr =
4133 			nla_data(info->attrs[NL80211_ATTR_MU_MIMO_FOLLOW_MAC_ADDR]);
4134 		change = true;
4135 	}
4136 
4137 	return change ? 1 : 0;
4138 }
4139 
4140 static int nl80211_valid_4addr(struct cfg80211_registered_device *rdev,
4141 			       struct net_device *netdev, u8 use_4addr,
4142 			       enum nl80211_iftype iftype)
4143 {
4144 	if (!use_4addr) {
4145 		if (netdev && netif_is_bridge_port(netdev))
4146 			return -EBUSY;
4147 		return 0;
4148 	}
4149 
4150 	switch (iftype) {
4151 	case NL80211_IFTYPE_AP_VLAN:
4152 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP)
4153 			return 0;
4154 		break;
4155 	case NL80211_IFTYPE_STATION:
4156 		if (rdev->wiphy.flags & WIPHY_FLAG_4ADDR_STATION)
4157 			return 0;
4158 		break;
4159 	default:
4160 		break;
4161 	}
4162 
4163 	return -EOPNOTSUPP;
4164 }
4165 
4166 static int nl80211_set_interface(struct sk_buff *skb, struct genl_info *info)
4167 {
4168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4169 	struct vif_params params;
4170 	int err;
4171 	enum nl80211_iftype otype, ntype;
4172 	struct net_device *dev = info->user_ptr[1];
4173 	bool change = false;
4174 
4175 	memset(&params, 0, sizeof(params));
4176 
4177 	otype = ntype = dev->ieee80211_ptr->iftype;
4178 
4179 	if (info->attrs[NL80211_ATTR_IFTYPE]) {
4180 		ntype = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4181 		if (otype != ntype)
4182 			change = true;
4183 	}
4184 
4185 	if (info->attrs[NL80211_ATTR_MESH_ID]) {
4186 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4187 
4188 		if (ntype != NL80211_IFTYPE_MESH_POINT)
4189 			return -EINVAL;
4190 		if (netif_running(dev))
4191 			return -EBUSY;
4192 
4193 		wdev_lock(wdev);
4194 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4195 			     IEEE80211_MAX_MESH_ID_LEN);
4196 		wdev->u.mesh.id_up_len =
4197 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4198 		memcpy(wdev->u.mesh.id,
4199 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4200 		       wdev->u.mesh.id_up_len);
4201 		wdev_unlock(wdev);
4202 	}
4203 
4204 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4205 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4206 		change = true;
4207 		err = nl80211_valid_4addr(rdev, dev, params.use_4addr, ntype);
4208 		if (err)
4209 			return err;
4210 	} else {
4211 		params.use_4addr = -1;
4212 	}
4213 
4214 	err = nl80211_parse_mon_options(rdev, ntype, info, &params);
4215 	if (err < 0)
4216 		return err;
4217 	if (err > 0)
4218 		change = true;
4219 
4220 	if (change)
4221 		err = cfg80211_change_iface(rdev, dev, ntype, &params);
4222 	else
4223 		err = 0;
4224 
4225 	if (!err && params.use_4addr != -1)
4226 		dev->ieee80211_ptr->use_4addr = params.use_4addr;
4227 
4228 	if (change && !err) {
4229 		struct wireless_dev *wdev = dev->ieee80211_ptr;
4230 
4231 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_SET_INTERFACE);
4232 	}
4233 
4234 	return err;
4235 }
4236 
4237 static int _nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4238 {
4239 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4240 	struct vif_params params;
4241 	struct wireless_dev *wdev;
4242 	struct sk_buff *msg;
4243 	int err;
4244 	enum nl80211_iftype type = NL80211_IFTYPE_UNSPECIFIED;
4245 
4246 	memset(&params, 0, sizeof(params));
4247 
4248 	if (!info->attrs[NL80211_ATTR_IFNAME])
4249 		return -EINVAL;
4250 
4251 	if (info->attrs[NL80211_ATTR_IFTYPE])
4252 		type = nla_get_u32(info->attrs[NL80211_ATTR_IFTYPE]);
4253 
4254 	if (!rdev->ops->add_virtual_intf)
4255 		return -EOPNOTSUPP;
4256 
4257 	if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
4258 	     rdev->wiphy.features & NL80211_FEATURE_MAC_ON_CREATE) &&
4259 	    info->attrs[NL80211_ATTR_MAC]) {
4260 		nla_memcpy(params.macaddr, info->attrs[NL80211_ATTR_MAC],
4261 			   ETH_ALEN);
4262 		if (!is_valid_ether_addr(params.macaddr))
4263 			return -EADDRNOTAVAIL;
4264 	}
4265 
4266 	if (info->attrs[NL80211_ATTR_4ADDR]) {
4267 		params.use_4addr = !!nla_get_u8(info->attrs[NL80211_ATTR_4ADDR]);
4268 		err = nl80211_valid_4addr(rdev, NULL, params.use_4addr, type);
4269 		if (err)
4270 			return err;
4271 	}
4272 
4273 	if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
4274 		return -EOPNOTSUPP;
4275 
4276 	err = nl80211_parse_mon_options(rdev, type, info, &params);
4277 	if (err < 0)
4278 		return err;
4279 
4280 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4281 	if (!msg)
4282 		return -ENOMEM;
4283 
4284 	wdev = rdev_add_virtual_intf(rdev,
4285 				nla_data(info->attrs[NL80211_ATTR_IFNAME]),
4286 				NET_NAME_USER, type, &params);
4287 	if (WARN_ON(!wdev)) {
4288 		nlmsg_free(msg);
4289 		return -EPROTO;
4290 	} else if (IS_ERR(wdev)) {
4291 		nlmsg_free(msg);
4292 		return PTR_ERR(wdev);
4293 	}
4294 
4295 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
4296 		wdev->owner_nlportid = info->snd_portid;
4297 
4298 	switch (type) {
4299 	case NL80211_IFTYPE_MESH_POINT:
4300 		if (!info->attrs[NL80211_ATTR_MESH_ID])
4301 			break;
4302 		wdev_lock(wdev);
4303 		BUILD_BUG_ON(IEEE80211_MAX_SSID_LEN !=
4304 			     IEEE80211_MAX_MESH_ID_LEN);
4305 		wdev->u.mesh.id_up_len =
4306 			nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
4307 		memcpy(wdev->u.mesh.id,
4308 		       nla_data(info->attrs[NL80211_ATTR_MESH_ID]),
4309 		       wdev->u.mesh.id_up_len);
4310 		wdev_unlock(wdev);
4311 		break;
4312 	case NL80211_IFTYPE_NAN:
4313 	case NL80211_IFTYPE_P2P_DEVICE:
4314 		/*
4315 		 * P2P Device and NAN do not have a netdev, so don't go
4316 		 * through the netdev notifier and must be added here
4317 		 */
4318 		cfg80211_init_wdev(wdev);
4319 		cfg80211_register_wdev(rdev, wdev);
4320 		break;
4321 	default:
4322 		break;
4323 	}
4324 
4325 	if (nl80211_send_iface(msg, info->snd_portid, info->snd_seq, 0,
4326 			       rdev, wdev, NL80211_CMD_NEW_INTERFACE) < 0) {
4327 		nlmsg_free(msg);
4328 		return -ENOBUFS;
4329 	}
4330 
4331 	return genlmsg_reply(msg, info);
4332 }
4333 
4334 static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
4335 {
4336 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4337 	int ret;
4338 
4339 	/* to avoid failing a new interface creation due to pending removal */
4340 	cfg80211_destroy_ifaces(rdev);
4341 
4342 	wiphy_lock(&rdev->wiphy);
4343 	ret = _nl80211_new_interface(skb, info);
4344 	wiphy_unlock(&rdev->wiphy);
4345 
4346 	return ret;
4347 }
4348 
4349 static int nl80211_del_interface(struct sk_buff *skb, struct genl_info *info)
4350 {
4351 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4352 	struct wireless_dev *wdev = info->user_ptr[1];
4353 
4354 	if (!rdev->ops->del_virtual_intf)
4355 		return -EOPNOTSUPP;
4356 
4357 	/*
4358 	 * We hold RTNL, so this is safe, without RTNL opencount cannot
4359 	 * reach 0, and thus the rdev cannot be deleted.
4360 	 *
4361 	 * We need to do it for the dev_close(), since that will call
4362 	 * the netdev notifiers, and we need to acquire the mutex there
4363 	 * but don't know if we get there from here or from some other
4364 	 * place (e.g. "ip link set ... down").
4365 	 */
4366 	mutex_unlock(&rdev->wiphy.mtx);
4367 
4368 	/*
4369 	 * If we remove a wireless device without a netdev then clear
4370 	 * user_ptr[1] so that nl80211_post_doit won't dereference it
4371 	 * to check if it needs to do dev_put(). Otherwise it crashes
4372 	 * since the wdev has been freed, unlike with a netdev where
4373 	 * we need the dev_put() for the netdev to really be freed.
4374 	 */
4375 	if (!wdev->netdev)
4376 		info->user_ptr[1] = NULL;
4377 	else
4378 		dev_close(wdev->netdev);
4379 
4380 	mutex_lock(&rdev->wiphy.mtx);
4381 
4382 	return cfg80211_remove_virtual_intf(rdev, wdev);
4383 }
4384 
4385 static int nl80211_set_noack_map(struct sk_buff *skb, struct genl_info *info)
4386 {
4387 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4388 	struct net_device *dev = info->user_ptr[1];
4389 	u16 noack_map;
4390 
4391 	if (!info->attrs[NL80211_ATTR_NOACK_MAP])
4392 		return -EINVAL;
4393 
4394 	if (!rdev->ops->set_noack_map)
4395 		return -EOPNOTSUPP;
4396 
4397 	noack_map = nla_get_u16(info->attrs[NL80211_ATTR_NOACK_MAP]);
4398 
4399 	return rdev_set_noack_map(rdev, dev, noack_map);
4400 }
4401 
4402 static int nl80211_validate_key_link_id(struct genl_info *info,
4403 					struct wireless_dev *wdev,
4404 					int link_id, bool pairwise)
4405 {
4406 	if (pairwise) {
4407 		if (link_id != -1) {
4408 			GENL_SET_ERR_MSG(info,
4409 					 "link ID not allowed for pairwise key");
4410 			return -EINVAL;
4411 		}
4412 
4413 		return 0;
4414 	}
4415 
4416 	if (wdev->valid_links) {
4417 		if (link_id == -1) {
4418 			GENL_SET_ERR_MSG(info,
4419 					 "link ID must for MLO group key");
4420 			return -EINVAL;
4421 		}
4422 		if (!(wdev->valid_links & BIT(link_id))) {
4423 			GENL_SET_ERR_MSG(info, "invalid link ID for MLO group key");
4424 			return -EINVAL;
4425 		}
4426 	} else if (link_id != -1) {
4427 		GENL_SET_ERR_MSG(info, "link ID not allowed for non-MLO group key");
4428 		return -EINVAL;
4429 	}
4430 
4431 	return 0;
4432 }
4433 
4434 struct get_key_cookie {
4435 	struct sk_buff *msg;
4436 	int error;
4437 	int idx;
4438 };
4439 
4440 static void get_key_callback(void *c, struct key_params *params)
4441 {
4442 	struct nlattr *key;
4443 	struct get_key_cookie *cookie = c;
4444 
4445 	if ((params->key &&
4446 	     nla_put(cookie->msg, NL80211_ATTR_KEY_DATA,
4447 		     params->key_len, params->key)) ||
4448 	    (params->seq &&
4449 	     nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ,
4450 		     params->seq_len, params->seq)) ||
4451 	    (params->cipher &&
4452 	     nla_put_u32(cookie->msg, NL80211_ATTR_KEY_CIPHER,
4453 			 params->cipher)))
4454 		goto nla_put_failure;
4455 
4456 	key = nla_nest_start_noflag(cookie->msg, NL80211_ATTR_KEY);
4457 	if (!key)
4458 		goto nla_put_failure;
4459 
4460 	if ((params->key &&
4461 	     nla_put(cookie->msg, NL80211_KEY_DATA,
4462 		     params->key_len, params->key)) ||
4463 	    (params->seq &&
4464 	     nla_put(cookie->msg, NL80211_KEY_SEQ,
4465 		     params->seq_len, params->seq)) ||
4466 	    (params->cipher &&
4467 	     nla_put_u32(cookie->msg, NL80211_KEY_CIPHER,
4468 			 params->cipher)))
4469 		goto nla_put_failure;
4470 
4471 	if (nla_put_u8(cookie->msg, NL80211_KEY_IDX, cookie->idx))
4472 		goto nla_put_failure;
4473 
4474 	nla_nest_end(cookie->msg, key);
4475 
4476 	return;
4477  nla_put_failure:
4478 	cookie->error = 1;
4479 }
4480 
4481 static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info)
4482 {
4483 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4484 	int err;
4485 	struct net_device *dev = info->user_ptr[1];
4486 	u8 key_idx = 0;
4487 	const u8 *mac_addr = NULL;
4488 	bool pairwise;
4489 	struct get_key_cookie cookie = {
4490 		.error = 0,
4491 	};
4492 	void *hdr;
4493 	struct sk_buff *msg;
4494 	bool bigtk_support = false;
4495 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4496 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4497 
4498 	if (wiphy_ext_feature_isset(&rdev->wiphy,
4499 				    NL80211_EXT_FEATURE_BEACON_PROTECTION))
4500 		bigtk_support = true;
4501 
4502 	if ((wdev->iftype == NL80211_IFTYPE_STATION ||
4503 	     wdev->iftype == NL80211_IFTYPE_P2P_CLIENT) &&
4504 	    wiphy_ext_feature_isset(&rdev->wiphy,
4505 				    NL80211_EXT_FEATURE_BEACON_PROTECTION_CLIENT))
4506 		bigtk_support = true;
4507 
4508 	if (info->attrs[NL80211_ATTR_KEY_IDX]) {
4509 		key_idx = nla_get_u8(info->attrs[NL80211_ATTR_KEY_IDX]);
4510 
4511 		if (key_idx >= 6 && key_idx <= 7 && !bigtk_support) {
4512 			GENL_SET_ERR_MSG(info, "BIGTK not supported");
4513 			return -EINVAL;
4514 		}
4515 	}
4516 
4517 	if (info->attrs[NL80211_ATTR_MAC])
4518 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4519 
4520 	pairwise = !!mac_addr;
4521 	if (info->attrs[NL80211_ATTR_KEY_TYPE]) {
4522 		u32 kt = nla_get_u32(info->attrs[NL80211_ATTR_KEY_TYPE]);
4523 
4524 		if (kt != NL80211_KEYTYPE_GROUP &&
4525 		    kt != NL80211_KEYTYPE_PAIRWISE)
4526 			return -EINVAL;
4527 		pairwise = kt == NL80211_KEYTYPE_PAIRWISE;
4528 	}
4529 
4530 	if (!rdev->ops->get_key)
4531 		return -EOPNOTSUPP;
4532 
4533 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4534 		return -ENOENT;
4535 
4536 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
4537 	if (!msg)
4538 		return -ENOMEM;
4539 
4540 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
4541 			     NL80211_CMD_NEW_KEY);
4542 	if (!hdr)
4543 		goto nla_put_failure;
4544 
4545 	cookie.msg = msg;
4546 	cookie.idx = key_idx;
4547 
4548 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
4549 	    nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_idx))
4550 		goto nla_put_failure;
4551 	if (mac_addr &&
4552 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
4553 		goto nla_put_failure;
4554 
4555 	err = nl80211_validate_key_link_id(info, wdev, link_id, pairwise);
4556 	if (err)
4557 		goto free_msg;
4558 
4559 	err = rdev_get_key(rdev, dev, link_id, key_idx, pairwise, mac_addr,
4560 			   &cookie, get_key_callback);
4561 
4562 	if (err)
4563 		goto free_msg;
4564 
4565 	if (cookie.error)
4566 		goto nla_put_failure;
4567 
4568 	genlmsg_end(msg, hdr);
4569 	return genlmsg_reply(msg, info);
4570 
4571  nla_put_failure:
4572 	err = -ENOBUFS;
4573  free_msg:
4574 	nlmsg_free(msg);
4575 	return err;
4576 }
4577 
4578 static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
4579 {
4580 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4581 	struct key_parse key;
4582 	int err;
4583 	struct net_device *dev = info->user_ptr[1];
4584 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4585 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4586 
4587 	err = nl80211_parse_key(info, &key);
4588 	if (err)
4589 		return err;
4590 
4591 	if (key.idx < 0)
4592 		return -EINVAL;
4593 
4594 	/* Only support setting default key and
4595 	 * Extended Key ID action NL80211_KEY_SET_TX.
4596 	 */
4597 	if (!key.def && !key.defmgmt && !key.defbeacon &&
4598 	    !(key.p.mode == NL80211_KEY_SET_TX))
4599 		return -EINVAL;
4600 
4601 	wdev_lock(wdev);
4602 
4603 	if (key.def) {
4604 		if (!rdev->ops->set_default_key) {
4605 			err = -EOPNOTSUPP;
4606 			goto out;
4607 		}
4608 
4609 		err = nl80211_key_allowed(wdev);
4610 		if (err)
4611 			goto out;
4612 
4613 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4614 		if (err)
4615 			goto out;
4616 
4617 		err = rdev_set_default_key(rdev, dev, link_id, key.idx,
4618 					   key.def_uni, key.def_multi);
4619 
4620 		if (err)
4621 			goto out;
4622 
4623 #ifdef CONFIG_CFG80211_WEXT
4624 		wdev->wext.default_key = key.idx;
4625 #endif
4626 	} else if (key.defmgmt) {
4627 		if (key.def_uni || !key.def_multi) {
4628 			err = -EINVAL;
4629 			goto out;
4630 		}
4631 
4632 		if (!rdev->ops->set_default_mgmt_key) {
4633 			err = -EOPNOTSUPP;
4634 			goto out;
4635 		}
4636 
4637 		err = nl80211_key_allowed(wdev);
4638 		if (err)
4639 			goto out;
4640 
4641 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4642 		if (err)
4643 			goto out;
4644 
4645 		err = rdev_set_default_mgmt_key(rdev, dev, link_id, key.idx);
4646 		if (err)
4647 			goto out;
4648 
4649 #ifdef CONFIG_CFG80211_WEXT
4650 		wdev->wext.default_mgmt_key = key.idx;
4651 #endif
4652 	} else if (key.defbeacon) {
4653 		if (key.def_uni || !key.def_multi) {
4654 			err = -EINVAL;
4655 			goto out;
4656 		}
4657 
4658 		if (!rdev->ops->set_default_beacon_key) {
4659 			err = -EOPNOTSUPP;
4660 			goto out;
4661 		}
4662 
4663 		err = nl80211_key_allowed(wdev);
4664 		if (err)
4665 			goto out;
4666 
4667 		err = nl80211_validate_key_link_id(info, wdev, link_id, false);
4668 		if (err)
4669 			goto out;
4670 
4671 		err = rdev_set_default_beacon_key(rdev, dev, link_id, key.idx);
4672 		if (err)
4673 			goto out;
4674 	} else if (key.p.mode == NL80211_KEY_SET_TX &&
4675 		   wiphy_ext_feature_isset(&rdev->wiphy,
4676 					   NL80211_EXT_FEATURE_EXT_KEY_ID)) {
4677 		u8 *mac_addr = NULL;
4678 
4679 		if (info->attrs[NL80211_ATTR_MAC])
4680 			mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4681 
4682 		if (!mac_addr || key.idx < 0 || key.idx > 1) {
4683 			err = -EINVAL;
4684 			goto out;
4685 		}
4686 
4687 		err = nl80211_validate_key_link_id(info, wdev, link_id, true);
4688 		if (err)
4689 			goto out;
4690 
4691 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4692 				   NL80211_KEYTYPE_PAIRWISE,
4693 				   mac_addr, &key.p);
4694 	} else {
4695 		err = -EINVAL;
4696 	}
4697  out:
4698 	wdev_unlock(wdev);
4699 
4700 	return err;
4701 }
4702 
4703 static int nl80211_new_key(struct sk_buff *skb, struct genl_info *info)
4704 {
4705 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4706 	int err;
4707 	struct net_device *dev = info->user_ptr[1];
4708 	struct key_parse key;
4709 	const u8 *mac_addr = NULL;
4710 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4711 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4712 
4713 	err = nl80211_parse_key(info, &key);
4714 	if (err)
4715 		return err;
4716 
4717 	if (!key.p.key) {
4718 		GENL_SET_ERR_MSG(info, "no key");
4719 		return -EINVAL;
4720 	}
4721 
4722 	if (info->attrs[NL80211_ATTR_MAC])
4723 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4724 
4725 	if (key.type == -1) {
4726 		if (mac_addr)
4727 			key.type = NL80211_KEYTYPE_PAIRWISE;
4728 		else
4729 			key.type = NL80211_KEYTYPE_GROUP;
4730 	}
4731 
4732 	/* for now */
4733 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4734 	    key.type != NL80211_KEYTYPE_GROUP) {
4735 		GENL_SET_ERR_MSG(info, "key type not pairwise or group");
4736 		return -EINVAL;
4737 	}
4738 
4739 	if (key.type == NL80211_KEYTYPE_GROUP &&
4740 	    info->attrs[NL80211_ATTR_VLAN_ID])
4741 		key.p.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
4742 
4743 	if (!rdev->ops->add_key)
4744 		return -EOPNOTSUPP;
4745 
4746 	if (cfg80211_validate_key_settings(rdev, &key.p, key.idx,
4747 					   key.type == NL80211_KEYTYPE_PAIRWISE,
4748 					   mac_addr)) {
4749 		GENL_SET_ERR_MSG(info, "key setting validation failed");
4750 		return -EINVAL;
4751 	}
4752 
4753 	wdev_lock(wdev);
4754 	err = nl80211_key_allowed(wdev);
4755 	if (err)
4756 		GENL_SET_ERR_MSG(info, "key not allowed");
4757 
4758 	if (!err)
4759 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4760 				key.type == NL80211_KEYTYPE_PAIRWISE);
4761 
4762 	if (!err) {
4763 		err = rdev_add_key(rdev, dev, link_id, key.idx,
4764 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4765 				    mac_addr, &key.p);
4766 		if (err)
4767 			GENL_SET_ERR_MSG(info, "key addition failed");
4768 	}
4769 	wdev_unlock(wdev);
4770 
4771 	return err;
4772 }
4773 
4774 static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
4775 {
4776 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4777 	int err;
4778 	struct net_device *dev = info->user_ptr[1];
4779 	u8 *mac_addr = NULL;
4780 	struct key_parse key;
4781 	int link_id = nl80211_link_id_or_invalid(info->attrs);
4782 	struct wireless_dev *wdev = dev->ieee80211_ptr;
4783 
4784 	err = nl80211_parse_key(info, &key);
4785 	if (err)
4786 		return err;
4787 
4788 	if (info->attrs[NL80211_ATTR_MAC])
4789 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
4790 
4791 	if (key.type == -1) {
4792 		if (mac_addr)
4793 			key.type = NL80211_KEYTYPE_PAIRWISE;
4794 		else
4795 			key.type = NL80211_KEYTYPE_GROUP;
4796 	}
4797 
4798 	/* for now */
4799 	if (key.type != NL80211_KEYTYPE_PAIRWISE &&
4800 	    key.type != NL80211_KEYTYPE_GROUP)
4801 		return -EINVAL;
4802 
4803 	if (!cfg80211_valid_key_idx(rdev, key.idx,
4804 				    key.type == NL80211_KEYTYPE_PAIRWISE))
4805 		return -EINVAL;
4806 
4807 	if (!rdev->ops->del_key)
4808 		return -EOPNOTSUPP;
4809 
4810 	wdev_lock(wdev);
4811 	err = nl80211_key_allowed(wdev);
4812 
4813 	if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
4814 	    !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
4815 		err = -ENOENT;
4816 
4817 	if (!err)
4818 		err = nl80211_validate_key_link_id(info, wdev, link_id,
4819 				key.type == NL80211_KEYTYPE_PAIRWISE);
4820 
4821 	if (!err)
4822 		err = rdev_del_key(rdev, dev, link_id, key.idx,
4823 				   key.type == NL80211_KEYTYPE_PAIRWISE,
4824 				   mac_addr);
4825 
4826 #ifdef CONFIG_CFG80211_WEXT
4827 	if (!err) {
4828 		if (key.idx == wdev->wext.default_key)
4829 			wdev->wext.default_key = -1;
4830 		else if (key.idx == wdev->wext.default_mgmt_key)
4831 			wdev->wext.default_mgmt_key = -1;
4832 	}
4833 #endif
4834 	wdev_unlock(wdev);
4835 
4836 	return err;
4837 }
4838 
4839 /* This function returns an error or the number of nested attributes */
4840 static int validate_acl_mac_addrs(struct nlattr *nl_attr)
4841 {
4842 	struct nlattr *attr;
4843 	int n_entries = 0, tmp;
4844 
4845 	nla_for_each_nested(attr, nl_attr, tmp) {
4846 		if (nla_len(attr) != ETH_ALEN)
4847 			return -EINVAL;
4848 
4849 		n_entries++;
4850 	}
4851 
4852 	return n_entries;
4853 }
4854 
4855 /*
4856  * This function parses ACL information and allocates memory for ACL data.
4857  * On successful return, the calling function is responsible to free the
4858  * ACL buffer returned by this function.
4859  */
4860 static struct cfg80211_acl_data *parse_acl_data(struct wiphy *wiphy,
4861 						struct genl_info *info)
4862 {
4863 	enum nl80211_acl_policy acl_policy;
4864 	struct nlattr *attr;
4865 	struct cfg80211_acl_data *acl;
4866 	int i = 0, n_entries, tmp;
4867 
4868 	if (!wiphy->max_acl_mac_addrs)
4869 		return ERR_PTR(-EOPNOTSUPP);
4870 
4871 	if (!info->attrs[NL80211_ATTR_ACL_POLICY])
4872 		return ERR_PTR(-EINVAL);
4873 
4874 	acl_policy = nla_get_u32(info->attrs[NL80211_ATTR_ACL_POLICY]);
4875 	if (acl_policy != NL80211_ACL_POLICY_ACCEPT_UNLESS_LISTED &&
4876 	    acl_policy != NL80211_ACL_POLICY_DENY_UNLESS_LISTED)
4877 		return ERR_PTR(-EINVAL);
4878 
4879 	if (!info->attrs[NL80211_ATTR_MAC_ADDRS])
4880 		return ERR_PTR(-EINVAL);
4881 
4882 	n_entries = validate_acl_mac_addrs(info->attrs[NL80211_ATTR_MAC_ADDRS]);
4883 	if (n_entries < 0)
4884 		return ERR_PTR(n_entries);
4885 
4886 	if (n_entries > wiphy->max_acl_mac_addrs)
4887 		return ERR_PTR(-ENOTSUPP);
4888 
4889 	acl = kzalloc(struct_size(acl, mac_addrs, n_entries), GFP_KERNEL);
4890 	if (!acl)
4891 		return ERR_PTR(-ENOMEM);
4892 
4893 	nla_for_each_nested(attr, info->attrs[NL80211_ATTR_MAC_ADDRS], tmp) {
4894 		memcpy(acl->mac_addrs[i].addr, nla_data(attr), ETH_ALEN);
4895 		i++;
4896 	}
4897 
4898 	acl->n_acl_entries = n_entries;
4899 	acl->acl_policy = acl_policy;
4900 
4901 	return acl;
4902 }
4903 
4904 static int nl80211_set_mac_acl(struct sk_buff *skb, struct genl_info *info)
4905 {
4906 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
4907 	struct net_device *dev = info->user_ptr[1];
4908 	struct cfg80211_acl_data *acl;
4909 	int err;
4910 
4911 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
4912 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
4913 		return -EOPNOTSUPP;
4914 
4915 	if (!dev->ieee80211_ptr->links[0].ap.beacon_interval)
4916 		return -EINVAL;
4917 
4918 	acl = parse_acl_data(&rdev->wiphy, info);
4919 	if (IS_ERR(acl))
4920 		return PTR_ERR(acl);
4921 
4922 	err = rdev_set_mac_acl(rdev, dev, acl);
4923 
4924 	kfree(acl);
4925 
4926 	return err;
4927 }
4928 
4929 static u32 rateset_to_mask(struct ieee80211_supported_band *sband,
4930 			   u8 *rates, u8 rates_len)
4931 {
4932 	u8 i;
4933 	u32 mask = 0;
4934 
4935 	for (i = 0; i < rates_len; i++) {
4936 		int rate = (rates[i] & 0x7f) * 5;
4937 		int ridx;
4938 
4939 		for (ridx = 0; ridx < sband->n_bitrates; ridx++) {
4940 			struct ieee80211_rate *srate =
4941 				&sband->bitrates[ridx];
4942 			if (rate == srate->bitrate) {
4943 				mask |= 1 << ridx;
4944 				break;
4945 			}
4946 		}
4947 		if (ridx == sband->n_bitrates)
4948 			return 0; /* rate not found */
4949 	}
4950 
4951 	return mask;
4952 }
4953 
4954 static bool ht_rateset_to_mask(struct ieee80211_supported_band *sband,
4955 			       u8 *rates, u8 rates_len,
4956 			       u8 mcs[IEEE80211_HT_MCS_MASK_LEN])
4957 {
4958 	u8 i;
4959 
4960 	memset(mcs, 0, IEEE80211_HT_MCS_MASK_LEN);
4961 
4962 	for (i = 0; i < rates_len; i++) {
4963 		int ridx, rbit;
4964 
4965 		ridx = rates[i] / 8;
4966 		rbit = BIT(rates[i] % 8);
4967 
4968 		/* check validity */
4969 		if ((ridx < 0) || (ridx >= IEEE80211_HT_MCS_MASK_LEN))
4970 			return false;
4971 
4972 		/* check availability */
4973 		ridx = array_index_nospec(ridx, IEEE80211_HT_MCS_MASK_LEN);
4974 		if (sband->ht_cap.mcs.rx_mask[ridx] & rbit)
4975 			mcs[ridx] |= rbit;
4976 		else
4977 			return false;
4978 	}
4979 
4980 	return true;
4981 }
4982 
4983 static u16 vht_mcs_map_to_mcs_mask(u8 vht_mcs_map)
4984 {
4985 	u16 mcs_mask = 0;
4986 
4987 	switch (vht_mcs_map) {
4988 	case IEEE80211_VHT_MCS_NOT_SUPPORTED:
4989 		break;
4990 	case IEEE80211_VHT_MCS_SUPPORT_0_7:
4991 		mcs_mask = 0x00FF;
4992 		break;
4993 	case IEEE80211_VHT_MCS_SUPPORT_0_8:
4994 		mcs_mask = 0x01FF;
4995 		break;
4996 	case IEEE80211_VHT_MCS_SUPPORT_0_9:
4997 		mcs_mask = 0x03FF;
4998 		break;
4999 	default:
5000 		break;
5001 	}
5002 
5003 	return mcs_mask;
5004 }
5005 
5006 static void vht_build_mcs_mask(u16 vht_mcs_map,
5007 			       u16 vht_mcs_mask[NL80211_VHT_NSS_MAX])
5008 {
5009 	u8 nss;
5010 
5011 	for (nss = 0; nss < NL80211_VHT_NSS_MAX; nss++) {
5012 		vht_mcs_mask[nss] = vht_mcs_map_to_mcs_mask(vht_mcs_map & 0x03);
5013 		vht_mcs_map >>= 2;
5014 	}
5015 }
5016 
5017 static bool vht_set_mcs_mask(struct ieee80211_supported_band *sband,
5018 			     struct nl80211_txrate_vht *txrate,
5019 			     u16 mcs[NL80211_VHT_NSS_MAX])
5020 {
5021 	u16 tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5022 	u16 tx_mcs_mask[NL80211_VHT_NSS_MAX] = {};
5023 	u8 i;
5024 
5025 	if (!sband->vht_cap.vht_supported)
5026 		return false;
5027 
5028 	memset(mcs, 0, sizeof(u16) * NL80211_VHT_NSS_MAX);
5029 
5030 	/* Build vht_mcs_mask from VHT capabilities */
5031 	vht_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5032 
5033 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5034 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5035 			mcs[i] = txrate->mcs[i];
5036 		else
5037 			return false;
5038 	}
5039 
5040 	return true;
5041 }
5042 
5043 static u16 he_mcs_map_to_mcs_mask(u8 he_mcs_map)
5044 {
5045 	switch (he_mcs_map) {
5046 	case IEEE80211_HE_MCS_NOT_SUPPORTED:
5047 		return 0;
5048 	case IEEE80211_HE_MCS_SUPPORT_0_7:
5049 		return 0x00FF;
5050 	case IEEE80211_HE_MCS_SUPPORT_0_9:
5051 		return 0x03FF;
5052 	case IEEE80211_HE_MCS_SUPPORT_0_11:
5053 		return 0xFFF;
5054 	default:
5055 		break;
5056 	}
5057 	return 0;
5058 }
5059 
5060 static void he_build_mcs_mask(u16 he_mcs_map,
5061 			      u16 he_mcs_mask[NL80211_HE_NSS_MAX])
5062 {
5063 	u8 nss;
5064 
5065 	for (nss = 0; nss < NL80211_HE_NSS_MAX; nss++) {
5066 		he_mcs_mask[nss] = he_mcs_map_to_mcs_mask(he_mcs_map & 0x03);
5067 		he_mcs_map >>= 2;
5068 	}
5069 }
5070 
5071 static u16 he_get_txmcsmap(struct genl_info *info, unsigned int link_id,
5072 			   const struct ieee80211_sta_he_cap *he_cap)
5073 {
5074 	struct net_device *dev = info->user_ptr[1];
5075 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5076 	struct cfg80211_chan_def *chandef;
5077 	__le16 tx_mcs;
5078 
5079 	chandef = wdev_chandef(wdev, link_id);
5080 	if (!chandef) {
5081 		/*
5082 		 * This is probably broken, but we never maintained
5083 		 * a chandef in these cases, so it always was.
5084 		 */
5085 		return le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
5086 	}
5087 
5088 	switch (chandef->width) {
5089 	case NL80211_CHAN_WIDTH_80P80:
5090 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80p80;
5091 		break;
5092 	case NL80211_CHAN_WIDTH_160:
5093 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_160;
5094 		break;
5095 	default:
5096 		tx_mcs = he_cap->he_mcs_nss_supp.tx_mcs_80;
5097 		break;
5098 	}
5099 
5100 	return le16_to_cpu(tx_mcs);
5101 }
5102 
5103 static bool he_set_mcs_mask(struct genl_info *info,
5104 			    struct wireless_dev *wdev,
5105 			    struct ieee80211_supported_band *sband,
5106 			    struct nl80211_txrate_he *txrate,
5107 			    u16 mcs[NL80211_HE_NSS_MAX],
5108 			    unsigned int link_id)
5109 {
5110 	const struct ieee80211_sta_he_cap *he_cap;
5111 	u16 tx_mcs_mask[NL80211_HE_NSS_MAX] = {};
5112 	u16 tx_mcs_map = 0;
5113 	u8 i;
5114 
5115 	he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5116 	if (!he_cap)
5117 		return false;
5118 
5119 	memset(mcs, 0, sizeof(u16) * NL80211_HE_NSS_MAX);
5120 
5121 	tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5122 
5123 	/* Build he_mcs_mask from HE capabilities */
5124 	he_build_mcs_mask(tx_mcs_map, tx_mcs_mask);
5125 
5126 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5127 		if ((tx_mcs_mask[i] & txrate->mcs[i]) == txrate->mcs[i])
5128 			mcs[i] = txrate->mcs[i];
5129 		else
5130 			return false;
5131 	}
5132 
5133 	return true;
5134 }
5135 
5136 static int nl80211_parse_tx_bitrate_mask(struct genl_info *info,
5137 					 struct nlattr *attrs[],
5138 					 enum nl80211_attrs attr,
5139 					 struct cfg80211_bitrate_mask *mask,
5140 					 struct net_device *dev,
5141 					 bool default_all_enabled,
5142 					 unsigned int link_id)
5143 {
5144 	struct nlattr *tb[NL80211_TXRATE_MAX + 1];
5145 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5146 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5147 	int rem, i;
5148 	struct nlattr *tx_rates;
5149 	struct ieee80211_supported_band *sband;
5150 	u16 vht_tx_mcs_map, he_tx_mcs_map;
5151 
5152 	memset(mask, 0, sizeof(*mask));
5153 	/* Default to all rates enabled */
5154 	for (i = 0; i < NUM_NL80211_BANDS; i++) {
5155 		const struct ieee80211_sta_he_cap *he_cap;
5156 
5157 		if (!default_all_enabled)
5158 			break;
5159 
5160 		sband = rdev->wiphy.bands[i];
5161 
5162 		if (!sband)
5163 			continue;
5164 
5165 		mask->control[i].legacy = (1 << sband->n_bitrates) - 1;
5166 		memcpy(mask->control[i].ht_mcs,
5167 		       sband->ht_cap.mcs.rx_mask,
5168 		       sizeof(mask->control[i].ht_mcs));
5169 
5170 		if (sband->vht_cap.vht_supported) {
5171 			vht_tx_mcs_map = le16_to_cpu(sband->vht_cap.vht_mcs.tx_mcs_map);
5172 			vht_build_mcs_mask(vht_tx_mcs_map, mask->control[i].vht_mcs);
5173 		}
5174 
5175 		he_cap = ieee80211_get_he_iftype_cap(sband, wdev->iftype);
5176 		if (!he_cap)
5177 			continue;
5178 
5179 		he_tx_mcs_map = he_get_txmcsmap(info, link_id, he_cap);
5180 		he_build_mcs_mask(he_tx_mcs_map, mask->control[i].he_mcs);
5181 
5182 		mask->control[i].he_gi = 0xFF;
5183 		mask->control[i].he_ltf = 0xFF;
5184 	}
5185 
5186 	/* if no rates are given set it back to the defaults */
5187 	if (!attrs[attr])
5188 		goto out;
5189 
5190 	/* The nested attribute uses enum nl80211_band as the index. This maps
5191 	 * directly to the enum nl80211_band values used in cfg80211.
5192 	 */
5193 	BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
5194 	nla_for_each_nested(tx_rates, attrs[attr], rem) {
5195 		enum nl80211_band band = nla_type(tx_rates);
5196 		int err;
5197 
5198 		if (band < 0 || band >= NUM_NL80211_BANDS)
5199 			return -EINVAL;
5200 		sband = rdev->wiphy.bands[band];
5201 		if (sband == NULL)
5202 			return -EINVAL;
5203 		err = nla_parse_nested_deprecated(tb, NL80211_TXRATE_MAX,
5204 						  tx_rates,
5205 						  nl80211_txattr_policy,
5206 						  info->extack);
5207 		if (err)
5208 			return err;
5209 		if (tb[NL80211_TXRATE_LEGACY]) {
5210 			mask->control[band].legacy = rateset_to_mask(
5211 				sband,
5212 				nla_data(tb[NL80211_TXRATE_LEGACY]),
5213 				nla_len(tb[NL80211_TXRATE_LEGACY]));
5214 			if ((mask->control[band].legacy == 0) &&
5215 			    nla_len(tb[NL80211_TXRATE_LEGACY]))
5216 				return -EINVAL;
5217 		}
5218 		if (tb[NL80211_TXRATE_HT]) {
5219 			if (!ht_rateset_to_mask(
5220 					sband,
5221 					nla_data(tb[NL80211_TXRATE_HT]),
5222 					nla_len(tb[NL80211_TXRATE_HT]),
5223 					mask->control[band].ht_mcs))
5224 				return -EINVAL;
5225 		}
5226 
5227 		if (tb[NL80211_TXRATE_VHT]) {
5228 			if (!vht_set_mcs_mask(
5229 					sband,
5230 					nla_data(tb[NL80211_TXRATE_VHT]),
5231 					mask->control[band].vht_mcs))
5232 				return -EINVAL;
5233 		}
5234 
5235 		if (tb[NL80211_TXRATE_GI]) {
5236 			mask->control[band].gi =
5237 				nla_get_u8(tb[NL80211_TXRATE_GI]);
5238 			if (mask->control[band].gi > NL80211_TXRATE_FORCE_LGI)
5239 				return -EINVAL;
5240 		}
5241 		if (tb[NL80211_TXRATE_HE] &&
5242 		    !he_set_mcs_mask(info, wdev, sband,
5243 				     nla_data(tb[NL80211_TXRATE_HE]),
5244 				     mask->control[band].he_mcs,
5245 				     link_id))
5246 			return -EINVAL;
5247 
5248 		if (tb[NL80211_TXRATE_HE_GI])
5249 			mask->control[band].he_gi =
5250 				nla_get_u8(tb[NL80211_TXRATE_HE_GI]);
5251 		if (tb[NL80211_TXRATE_HE_LTF])
5252 			mask->control[band].he_ltf =
5253 				nla_get_u8(tb[NL80211_TXRATE_HE_LTF]);
5254 
5255 		if (mask->control[band].legacy == 0) {
5256 			/* don't allow empty legacy rates if HT, VHT or HE
5257 			 * are not even supported.
5258 			 */
5259 			if (!(rdev->wiphy.bands[band]->ht_cap.ht_supported ||
5260 			      rdev->wiphy.bands[band]->vht_cap.vht_supported ||
5261 			      ieee80211_get_he_iftype_cap(sband, wdev->iftype)))
5262 				return -EINVAL;
5263 
5264 			for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++)
5265 				if (mask->control[band].ht_mcs[i])
5266 					goto out;
5267 
5268 			for (i = 0; i < NL80211_VHT_NSS_MAX; i++)
5269 				if (mask->control[band].vht_mcs[i])
5270 					goto out;
5271 
5272 			for (i = 0; i < NL80211_HE_NSS_MAX; i++)
5273 				if (mask->control[band].he_mcs[i])
5274 					goto out;
5275 
5276 			/* legacy and mcs rates may not be both empty */
5277 			return -EINVAL;
5278 		}
5279 	}
5280 
5281 out:
5282 	return 0;
5283 }
5284 
5285 static int validate_beacon_tx_rate(struct cfg80211_registered_device *rdev,
5286 				   enum nl80211_band band,
5287 				   struct cfg80211_bitrate_mask *beacon_rate)
5288 {
5289 	u32 count_ht, count_vht, count_he, i;
5290 	u32 rate = beacon_rate->control[band].legacy;
5291 
5292 	/* Allow only one rate */
5293 	if (hweight32(rate) > 1)
5294 		return -EINVAL;
5295 
5296 	count_ht = 0;
5297 	for (i = 0; i < IEEE80211_HT_MCS_MASK_LEN; i++) {
5298 		if (hweight8(beacon_rate->control[band].ht_mcs[i]) > 1) {
5299 			return -EINVAL;
5300 		} else if (beacon_rate->control[band].ht_mcs[i]) {
5301 			count_ht++;
5302 			if (count_ht > 1)
5303 				return -EINVAL;
5304 		}
5305 		if (count_ht && rate)
5306 			return -EINVAL;
5307 	}
5308 
5309 	count_vht = 0;
5310 	for (i = 0; i < NL80211_VHT_NSS_MAX; i++) {
5311 		if (hweight16(beacon_rate->control[band].vht_mcs[i]) > 1) {
5312 			return -EINVAL;
5313 		} else if (beacon_rate->control[band].vht_mcs[i]) {
5314 			count_vht++;
5315 			if (count_vht > 1)
5316 				return -EINVAL;
5317 		}
5318 		if (count_vht && rate)
5319 			return -EINVAL;
5320 	}
5321 
5322 	count_he = 0;
5323 	for (i = 0; i < NL80211_HE_NSS_MAX; i++) {
5324 		if (hweight16(beacon_rate->control[band].he_mcs[i]) > 1) {
5325 			return -EINVAL;
5326 		} else if (beacon_rate->control[band].he_mcs[i]) {
5327 			count_he++;
5328 			if (count_he > 1)
5329 				return -EINVAL;
5330 		}
5331 		if (count_he && rate)
5332 			return -EINVAL;
5333 	}
5334 
5335 	if ((count_ht && count_vht && count_he) ||
5336 	    (!rate && !count_ht && !count_vht && !count_he))
5337 		return -EINVAL;
5338 
5339 	if (rate &&
5340 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5341 				     NL80211_EXT_FEATURE_BEACON_RATE_LEGACY))
5342 		return -EINVAL;
5343 	if (count_ht &&
5344 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5345 				     NL80211_EXT_FEATURE_BEACON_RATE_HT))
5346 		return -EINVAL;
5347 	if (count_vht &&
5348 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5349 				     NL80211_EXT_FEATURE_BEACON_RATE_VHT))
5350 		return -EINVAL;
5351 	if (count_he &&
5352 	    !wiphy_ext_feature_isset(&rdev->wiphy,
5353 				     NL80211_EXT_FEATURE_BEACON_RATE_HE))
5354 		return -EINVAL;
5355 
5356 	return 0;
5357 }
5358 
5359 static int nl80211_parse_mbssid_config(struct wiphy *wiphy,
5360 				       struct net_device *dev,
5361 				       struct nlattr *attrs,
5362 				       struct cfg80211_mbssid_config *config,
5363 				       u8 num_elems)
5364 {
5365 	struct nlattr *tb[NL80211_MBSSID_CONFIG_ATTR_MAX + 1];
5366 
5367 	if (!wiphy->mbssid_max_interfaces)
5368 		return -EOPNOTSUPP;
5369 
5370 	if (nla_parse_nested(tb, NL80211_MBSSID_CONFIG_ATTR_MAX, attrs, NULL,
5371 			     NULL) ||
5372 	    !tb[NL80211_MBSSID_CONFIG_ATTR_INDEX])
5373 		return -EINVAL;
5374 
5375 	config->ema = nla_get_flag(tb[NL80211_MBSSID_CONFIG_ATTR_EMA]);
5376 	if (config->ema) {
5377 		if (!wiphy->ema_max_profile_periodicity)
5378 			return -EOPNOTSUPP;
5379 
5380 		if (num_elems > wiphy->ema_max_profile_periodicity)
5381 			return -EINVAL;
5382 	}
5383 
5384 	config->index = nla_get_u8(tb[NL80211_MBSSID_CONFIG_ATTR_INDEX]);
5385 	if (config->index >= wiphy->mbssid_max_interfaces ||
5386 	    (!config->index && !num_elems))
5387 		return -EINVAL;
5388 
5389 	if (tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]) {
5390 		u32 tx_ifindex =
5391 			nla_get_u32(tb[NL80211_MBSSID_CONFIG_ATTR_TX_IFINDEX]);
5392 
5393 		if ((!config->index && tx_ifindex != dev->ifindex) ||
5394 		    (config->index && tx_ifindex == dev->ifindex))
5395 			return -EINVAL;
5396 
5397 		if (tx_ifindex != dev->ifindex) {
5398 			struct net_device *tx_netdev =
5399 				dev_get_by_index(wiphy_net(wiphy), tx_ifindex);
5400 
5401 			if (!tx_netdev || !tx_netdev->ieee80211_ptr ||
5402 			    tx_netdev->ieee80211_ptr->wiphy != wiphy ||
5403 			    tx_netdev->ieee80211_ptr->iftype !=
5404 							NL80211_IFTYPE_AP) {
5405 				dev_put(tx_netdev);
5406 				return -EINVAL;
5407 			}
5408 
5409 			config->tx_wdev = tx_netdev->ieee80211_ptr;
5410 		} else {
5411 			config->tx_wdev = dev->ieee80211_ptr;
5412 		}
5413 	} else if (!config->index) {
5414 		config->tx_wdev = dev->ieee80211_ptr;
5415 	} else {
5416 		return -EINVAL;
5417 	}
5418 
5419 	return 0;
5420 }
5421 
5422 static struct cfg80211_mbssid_elems *
5423 nl80211_parse_mbssid_elems(struct wiphy *wiphy, struct nlattr *attrs)
5424 {
5425 	struct nlattr *nl_elems;
5426 	struct cfg80211_mbssid_elems *elems;
5427 	int rem_elems;
5428 	u8 i = 0, num_elems = 0;
5429 
5430 	if (!wiphy->mbssid_max_interfaces)
5431 		return ERR_PTR(-EINVAL);
5432 
5433 	nla_for_each_nested(nl_elems, attrs, rem_elems)
5434 		num_elems++;
5435 
5436 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5437 	if (!elems)
5438 		return ERR_PTR(-ENOMEM);
5439 
5440 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5441 		elems->elem[i].data = nla_data(nl_elems);
5442 		elems->elem[i].len = nla_len(nl_elems);
5443 		i++;
5444 	}
5445 	elems->cnt = num_elems;
5446 	return elems;
5447 }
5448 
5449 static struct cfg80211_rnr_elems *
5450 nl80211_parse_rnr_elems(struct wiphy *wiphy, struct nlattr *attrs,
5451 			struct netlink_ext_ack *extack)
5452 {
5453 	struct nlattr *nl_elems;
5454 	struct cfg80211_rnr_elems *elems;
5455 	int rem_elems;
5456 	u8 i = 0, num_elems = 0;
5457 
5458 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5459 		int ret;
5460 
5461 		ret = validate_ie_attr(nl_elems, extack);
5462 		if (ret)
5463 			return ERR_PTR(ret);
5464 
5465 		num_elems++;
5466 	}
5467 
5468 	elems = kzalloc(struct_size(elems, elem, num_elems), GFP_KERNEL);
5469 	if (!elems)
5470 		return ERR_PTR(-ENOMEM);
5471 
5472 	nla_for_each_nested(nl_elems, attrs, rem_elems) {
5473 		elems->elem[i].data = nla_data(nl_elems);
5474 		elems->elem[i].len = nla_len(nl_elems);
5475 		i++;
5476 	}
5477 	elems->cnt = num_elems;
5478 	return elems;
5479 }
5480 
5481 static int nl80211_parse_he_bss_color(struct nlattr *attrs,
5482 				      struct cfg80211_he_bss_color *he_bss_color)
5483 {
5484 	struct nlattr *tb[NL80211_HE_BSS_COLOR_ATTR_MAX + 1];
5485 	int err;
5486 
5487 	err = nla_parse_nested(tb, NL80211_HE_BSS_COLOR_ATTR_MAX, attrs,
5488 			       he_bss_color_policy, NULL);
5489 	if (err)
5490 		return err;
5491 
5492 	if (!tb[NL80211_HE_BSS_COLOR_ATTR_COLOR])
5493 		return -EINVAL;
5494 
5495 	he_bss_color->color =
5496 		nla_get_u8(tb[NL80211_HE_BSS_COLOR_ATTR_COLOR]);
5497 	he_bss_color->enabled =
5498 		!nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_DISABLED]);
5499 	he_bss_color->partial =
5500 		nla_get_flag(tb[NL80211_HE_BSS_COLOR_ATTR_PARTIAL]);
5501 
5502 	return 0;
5503 }
5504 
5505 static int nl80211_parse_beacon(struct cfg80211_registered_device *rdev,
5506 				struct nlattr *attrs[],
5507 				struct cfg80211_beacon_data *bcn,
5508 				struct netlink_ext_ack *extack)
5509 {
5510 	bool haveinfo = false;
5511 	int err;
5512 
5513 	memset(bcn, 0, sizeof(*bcn));
5514 
5515 	bcn->link_id = nl80211_link_id(attrs);
5516 
5517 	if (attrs[NL80211_ATTR_BEACON_HEAD]) {
5518 		bcn->head = nla_data(attrs[NL80211_ATTR_BEACON_HEAD]);
5519 		bcn->head_len = nla_len(attrs[NL80211_ATTR_BEACON_HEAD]);
5520 		if (!bcn->head_len)
5521 			return -EINVAL;
5522 		haveinfo = true;
5523 	}
5524 
5525 	if (attrs[NL80211_ATTR_BEACON_TAIL]) {
5526 		bcn->tail = nla_data(attrs[NL80211_ATTR_BEACON_TAIL]);
5527 		bcn->tail_len = nla_len(attrs[NL80211_ATTR_BEACON_TAIL]);
5528 		haveinfo = true;
5529 	}
5530 
5531 	if (!haveinfo)
5532 		return -EINVAL;
5533 
5534 	if (attrs[NL80211_ATTR_IE]) {
5535 		bcn->beacon_ies = nla_data(attrs[NL80211_ATTR_IE]);
5536 		bcn->beacon_ies_len = nla_len(attrs[NL80211_ATTR_IE]);
5537 	}
5538 
5539 	if (attrs[NL80211_ATTR_IE_PROBE_RESP]) {
5540 		bcn->proberesp_ies =
5541 			nla_data(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5542 		bcn->proberesp_ies_len =
5543 			nla_len(attrs[NL80211_ATTR_IE_PROBE_RESP]);
5544 	}
5545 
5546 	if (attrs[NL80211_ATTR_IE_ASSOC_RESP]) {
5547 		bcn->assocresp_ies =
5548 			nla_data(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5549 		bcn->assocresp_ies_len =
5550 			nla_len(attrs[NL80211_ATTR_IE_ASSOC_RESP]);
5551 	}
5552 
5553 	if (attrs[NL80211_ATTR_PROBE_RESP]) {
5554 		bcn->probe_resp = nla_data(attrs[NL80211_ATTR_PROBE_RESP]);
5555 		bcn->probe_resp_len = nla_len(attrs[NL80211_ATTR_PROBE_RESP]);
5556 	}
5557 
5558 	if (attrs[NL80211_ATTR_FTM_RESPONDER]) {
5559 		struct nlattr *tb[NL80211_FTM_RESP_ATTR_MAX + 1];
5560 
5561 		err = nla_parse_nested_deprecated(tb,
5562 						  NL80211_FTM_RESP_ATTR_MAX,
5563 						  attrs[NL80211_ATTR_FTM_RESPONDER],
5564 						  NULL, NULL);
5565 		if (err)
5566 			return err;
5567 
5568 		if (tb[NL80211_FTM_RESP_ATTR_ENABLED] &&
5569 		    wiphy_ext_feature_isset(&rdev->wiphy,
5570 					    NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER))
5571 			bcn->ftm_responder = 1;
5572 		else
5573 			return -EOPNOTSUPP;
5574 
5575 		if (tb[NL80211_FTM_RESP_ATTR_LCI]) {
5576 			bcn->lci = nla_data(tb[NL80211_FTM_RESP_ATTR_LCI]);
5577 			bcn->lci_len = nla_len(tb[NL80211_FTM_RESP_ATTR_LCI]);
5578 		}
5579 
5580 		if (tb[NL80211_FTM_RESP_ATTR_CIVICLOC]) {
5581 			bcn->civicloc = nla_data(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5582 			bcn->civicloc_len = nla_len(tb[NL80211_FTM_RESP_ATTR_CIVICLOC]);
5583 		}
5584 	} else {
5585 		bcn->ftm_responder = -1;
5586 	}
5587 
5588 	if (attrs[NL80211_ATTR_HE_BSS_COLOR]) {
5589 		err = nl80211_parse_he_bss_color(attrs[NL80211_ATTR_HE_BSS_COLOR],
5590 						 &bcn->he_bss_color);
5591 		if (err)
5592 			return err;
5593 		bcn->he_bss_color_valid = true;
5594 	}
5595 
5596 	if (attrs[NL80211_ATTR_MBSSID_ELEMS]) {
5597 		struct cfg80211_mbssid_elems *mbssid =
5598 			nl80211_parse_mbssid_elems(&rdev->wiphy,
5599 						   attrs[NL80211_ATTR_MBSSID_ELEMS]);
5600 
5601 		if (IS_ERR(mbssid))
5602 			return PTR_ERR(mbssid);
5603 
5604 		bcn->mbssid_ies = mbssid;
5605 
5606 		if (bcn->mbssid_ies && attrs[NL80211_ATTR_EMA_RNR_ELEMS]) {
5607 			struct cfg80211_rnr_elems *rnr =
5608 				nl80211_parse_rnr_elems(&rdev->wiphy,
5609 							attrs[NL80211_ATTR_EMA_RNR_ELEMS],
5610 							extack);
5611 
5612 			if (IS_ERR(rnr))
5613 				return PTR_ERR(rnr);
5614 
5615 			if (rnr && rnr->cnt < bcn->mbssid_ies->cnt)
5616 				return -EINVAL;
5617 
5618 			bcn->rnr_ies = rnr;
5619 		}
5620 	}
5621 
5622 	return 0;
5623 }
5624 
5625 static int nl80211_parse_he_obss_pd(struct nlattr *attrs,
5626 				    struct ieee80211_he_obss_pd *he_obss_pd)
5627 {
5628 	struct nlattr *tb[NL80211_HE_OBSS_PD_ATTR_MAX + 1];
5629 	int err;
5630 
5631 	err = nla_parse_nested(tb, NL80211_HE_OBSS_PD_ATTR_MAX, attrs,
5632 			       he_obss_pd_policy, NULL);
5633 	if (err)
5634 		return err;
5635 
5636 	if (!tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL])
5637 		return -EINVAL;
5638 
5639 	he_obss_pd->sr_ctrl = nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_SR_CTRL]);
5640 
5641 	if (tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET])
5642 		he_obss_pd->min_offset =
5643 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MIN_OFFSET]);
5644 	if (tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET])
5645 		he_obss_pd->max_offset =
5646 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_MAX_OFFSET]);
5647 	if (tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET])
5648 		he_obss_pd->non_srg_max_offset =
5649 			nla_get_u8(tb[NL80211_HE_OBSS_PD_ATTR_NON_SRG_MAX_OFFSET]);
5650 
5651 	if (he_obss_pd->min_offset > he_obss_pd->max_offset)
5652 		return -EINVAL;
5653 
5654 	if (tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP])
5655 		memcpy(he_obss_pd->bss_color_bitmap,
5656 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_BSS_COLOR_BITMAP]),
5657 		       sizeof(he_obss_pd->bss_color_bitmap));
5658 
5659 	if (tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP])
5660 		memcpy(he_obss_pd->partial_bssid_bitmap,
5661 		       nla_data(tb[NL80211_HE_OBSS_PD_ATTR_PARTIAL_BSSID_BITMAP]),
5662 		       sizeof(he_obss_pd->partial_bssid_bitmap));
5663 
5664 	he_obss_pd->enable = true;
5665 
5666 	return 0;
5667 }
5668 
5669 static int nl80211_parse_fils_discovery(struct cfg80211_registered_device *rdev,
5670 					struct nlattr *attrs,
5671 					struct cfg80211_ap_settings *params)
5672 {
5673 	struct nlattr *tb[NL80211_FILS_DISCOVERY_ATTR_MAX + 1];
5674 	int ret;
5675 	struct cfg80211_fils_discovery *fd = &params->fils_discovery;
5676 
5677 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5678 				     NL80211_EXT_FEATURE_FILS_DISCOVERY))
5679 		return -EINVAL;
5680 
5681 	ret = nla_parse_nested(tb, NL80211_FILS_DISCOVERY_ATTR_MAX, attrs,
5682 			       NULL, NULL);
5683 	if (ret)
5684 		return ret;
5685 
5686 	if (!tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN] ||
5687 	    !tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX] ||
5688 	    !tb[NL80211_FILS_DISCOVERY_ATTR_TMPL])
5689 		return -EINVAL;
5690 
5691 	fd->tmpl_len = nla_len(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5692 	fd->tmpl = nla_data(tb[NL80211_FILS_DISCOVERY_ATTR_TMPL]);
5693 	fd->min_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MIN]);
5694 	fd->max_interval = nla_get_u32(tb[NL80211_FILS_DISCOVERY_ATTR_INT_MAX]);
5695 
5696 	return 0;
5697 }
5698 
5699 static int
5700 nl80211_parse_unsol_bcast_probe_resp(struct cfg80211_registered_device *rdev,
5701 				     struct nlattr *attrs,
5702 				     struct cfg80211_ap_settings *params)
5703 {
5704 	struct nlattr *tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX + 1];
5705 	int ret;
5706 	struct cfg80211_unsol_bcast_probe_resp *presp =
5707 					&params->unsol_bcast_probe_resp;
5708 
5709 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
5710 				     NL80211_EXT_FEATURE_UNSOL_BCAST_PROBE_RESP))
5711 		return -EINVAL;
5712 
5713 	ret = nla_parse_nested(tb, NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_MAX,
5714 			       attrs, NULL, NULL);
5715 	if (ret)
5716 		return ret;
5717 
5718 	if (!tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT] ||
5719 	    !tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL])
5720 		return -EINVAL;
5721 
5722 	presp->tmpl = nla_data(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5723 	presp->tmpl_len = nla_len(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_TMPL]);
5724 	presp->interval = nla_get_u32(tb[NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT]);
5725 	return 0;
5726 }
5727 
5728 static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
5729 					    const struct element *rates)
5730 {
5731 	int i;
5732 
5733 	if (!rates)
5734 		return;
5735 
5736 	for (i = 0; i < rates->datalen; i++) {
5737 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HT_PHY)
5738 			params->ht_required = true;
5739 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_VHT_PHY)
5740 			params->vht_required = true;
5741 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_HE_PHY)
5742 			params->he_required = true;
5743 		if (rates->data[i] == BSS_MEMBERSHIP_SELECTOR_SAE_H2E)
5744 			params->sae_h2e_required = true;
5745 	}
5746 }
5747 
5748 /*
5749  * Since the nl80211 API didn't include, from the beginning, attributes about
5750  * HT/VHT requirements/capabilities, we parse them out of the IEs for the
5751  * benefit of drivers that rebuild IEs in the firmware.
5752  */
5753 static int nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
5754 {
5755 	const struct cfg80211_beacon_data *bcn = &params->beacon;
5756 	size_t ies_len = bcn->tail_len;
5757 	const u8 *ies = bcn->tail;
5758 	const struct element *rates;
5759 	const struct element *cap;
5760 
5761 	rates = cfg80211_find_elem(WLAN_EID_SUPP_RATES, ies, ies_len);
5762 	nl80211_check_ap_rate_selectors(params, rates);
5763 
5764 	rates = cfg80211_find_elem(WLAN_EID_EXT_SUPP_RATES, ies, ies_len);
5765 	nl80211_check_ap_rate_selectors(params, rates);
5766 
5767 	cap = cfg80211_find_elem(WLAN_EID_HT_CAPABILITY, ies, ies_len);
5768 	if (cap && cap->datalen >= sizeof(*params->ht_cap))
5769 		params->ht_cap = (void *)cap->data;
5770 	cap = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY, ies, ies_len);
5771 	if (cap && cap->datalen >= sizeof(*params->vht_cap))
5772 		params->vht_cap = (void *)cap->data;
5773 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_CAPABILITY, ies, ies_len);
5774 	if (cap && cap->datalen >= sizeof(*params->he_cap) + 1)
5775 		params->he_cap = (void *)(cap->data + 1);
5776 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ies, ies_len);
5777 	if (cap && cap->datalen >= sizeof(*params->he_oper) + 1)
5778 		params->he_oper = (void *)(cap->data + 1);
5779 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_CAPABILITY, ies, ies_len);
5780 	if (cap) {
5781 		if (!cap->datalen)
5782 			return -EINVAL;
5783 		params->eht_cap = (void *)(cap->data + 1);
5784 		if (!ieee80211_eht_capa_size_ok((const u8 *)params->he_cap,
5785 						(const u8 *)params->eht_cap,
5786 						cap->datalen - 1, true))
5787 			return -EINVAL;
5788 	}
5789 	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_EHT_OPERATION, ies, ies_len);
5790 	if (cap) {
5791 		if (!cap->datalen)
5792 			return -EINVAL;
5793 		params->eht_oper = (void *)(cap->data + 1);
5794 		if (!ieee80211_eht_oper_size_ok((const u8 *)params->eht_oper,
5795 						cap->datalen - 1))
5796 			return -EINVAL;
5797 	}
5798 	return 0;
5799 }
5800 
5801 static bool nl80211_get_ap_channel(struct cfg80211_registered_device *rdev,
5802 				   struct cfg80211_ap_settings *params)
5803 {
5804 	struct wireless_dev *wdev;
5805 
5806 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
5807 		if (wdev->iftype != NL80211_IFTYPE_AP &&
5808 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)
5809 			continue;
5810 
5811 		if (!wdev->u.ap.preset_chandef.chan)
5812 			continue;
5813 
5814 		params->chandef = wdev->u.ap.preset_chandef;
5815 		return true;
5816 	}
5817 
5818 	return false;
5819 }
5820 
5821 static bool nl80211_valid_auth_type(struct cfg80211_registered_device *rdev,
5822 				    enum nl80211_auth_type auth_type,
5823 				    enum nl80211_commands cmd)
5824 {
5825 	if (auth_type > NL80211_AUTHTYPE_MAX)
5826 		return false;
5827 
5828 	switch (cmd) {
5829 	case NL80211_CMD_AUTHENTICATE:
5830 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5831 		    auth_type == NL80211_AUTHTYPE_SAE)
5832 			return false;
5833 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5834 					     NL80211_EXT_FEATURE_FILS_STA) &&
5835 		    (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5836 		     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5837 		     auth_type == NL80211_AUTHTYPE_FILS_PK))
5838 			return false;
5839 		return true;
5840 	case NL80211_CMD_CONNECT:
5841 		if (!(rdev->wiphy.features & NL80211_FEATURE_SAE) &&
5842 		    !wiphy_ext_feature_isset(&rdev->wiphy,
5843 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
5844 		    auth_type == NL80211_AUTHTYPE_SAE)
5845 			return false;
5846 
5847 		/* FILS with SK PFS or PK not supported yet */
5848 		if (auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5849 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5850 			return false;
5851 		if (!wiphy_ext_feature_isset(
5852 			    &rdev->wiphy,
5853 			    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
5854 		    auth_type == NL80211_AUTHTYPE_FILS_SK)
5855 			return false;
5856 		return true;
5857 	case NL80211_CMD_START_AP:
5858 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
5859 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP) &&
5860 		    auth_type == NL80211_AUTHTYPE_SAE)
5861 			return false;
5862 		/* FILS not supported yet */
5863 		if (auth_type == NL80211_AUTHTYPE_FILS_SK ||
5864 		    auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
5865 		    auth_type == NL80211_AUTHTYPE_FILS_PK)
5866 			return false;
5867 		return true;
5868 	default:
5869 		return false;
5870 	}
5871 }
5872 
5873 static void nl80211_send_ap_started(struct wireless_dev *wdev,
5874 				    unsigned int link_id)
5875 {
5876 	struct wiphy *wiphy = wdev->wiphy;
5877 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
5878 	struct sk_buff *msg;
5879 	void *hdr;
5880 
5881 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
5882 	if (!msg)
5883 		return;
5884 
5885 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_START_AP);
5886 	if (!hdr)
5887 		goto out;
5888 
5889 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
5890 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
5891 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
5892 			      NL80211_ATTR_PAD) ||
5893 	    (wdev->u.ap.ssid_len &&
5894 	     nla_put(msg, NL80211_ATTR_SSID, wdev->u.ap.ssid_len,
5895 		     wdev->u.ap.ssid)) ||
5896 	    (wdev->valid_links &&
5897 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
5898 		goto out;
5899 
5900 	genlmsg_end(msg, hdr);
5901 
5902 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
5903 				NL80211_MCGRP_MLME, GFP_KERNEL);
5904 	return;
5905 out:
5906 	nlmsg_free(msg);
5907 }
5908 
5909 static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
5910 {
5911 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
5912 	unsigned int link_id = nl80211_link_id(info->attrs);
5913 	struct net_device *dev = info->user_ptr[1];
5914 	struct wireless_dev *wdev = dev->ieee80211_ptr;
5915 	struct cfg80211_ap_settings *params;
5916 	int err;
5917 
5918 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
5919 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
5920 		return -EOPNOTSUPP;
5921 
5922 	if (!rdev->ops->start_ap)
5923 		return -EOPNOTSUPP;
5924 
5925 	if (wdev->links[link_id].ap.beacon_interval)
5926 		return -EALREADY;
5927 
5928 	/* these are required for START_AP */
5929 	if (!info->attrs[NL80211_ATTR_BEACON_INTERVAL] ||
5930 	    !info->attrs[NL80211_ATTR_DTIM_PERIOD] ||
5931 	    !info->attrs[NL80211_ATTR_BEACON_HEAD])
5932 		return -EINVAL;
5933 
5934 	params = kzalloc(sizeof(*params), GFP_KERNEL);
5935 	if (!params)
5936 		return -ENOMEM;
5937 
5938 	err = nl80211_parse_beacon(rdev, info->attrs, &params->beacon,
5939 				   info->extack);
5940 	if (err)
5941 		goto out;
5942 
5943 	params->beacon_interval =
5944 		nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
5945 	params->dtim_period =
5946 		nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
5947 
5948 	err = cfg80211_validate_beacon_int(rdev, dev->ieee80211_ptr->iftype,
5949 					   params->beacon_interval);
5950 	if (err)
5951 		goto out;
5952 
5953 	/*
5954 	 * In theory, some of these attributes should be required here
5955 	 * but since they were not used when the command was originally
5956 	 * added, keep them optional for old user space programs to let
5957 	 * them continue to work with drivers that do not need the
5958 	 * additional information -- drivers must check!
5959 	 */
5960 	if (info->attrs[NL80211_ATTR_SSID]) {
5961 		params->ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
5962 		params->ssid_len =
5963 			nla_len(info->attrs[NL80211_ATTR_SSID]);
5964 		if (params->ssid_len == 0) {
5965 			err = -EINVAL;
5966 			goto out;
5967 		}
5968 
5969 		if (wdev->u.ap.ssid_len &&
5970 		    (wdev->u.ap.ssid_len != params->ssid_len ||
5971 		     memcmp(wdev->u.ap.ssid, params->ssid, params->ssid_len))) {
5972 			/* require identical SSID for MLO */
5973 			err = -EINVAL;
5974 			goto out;
5975 		}
5976 	} else if (wdev->valid_links) {
5977 		/* require SSID for MLO */
5978 		err = -EINVAL;
5979 		goto out;
5980 	}
5981 
5982 	if (info->attrs[NL80211_ATTR_HIDDEN_SSID])
5983 		params->hidden_ssid = nla_get_u32(
5984 			info->attrs[NL80211_ATTR_HIDDEN_SSID]);
5985 
5986 	params->privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
5987 
5988 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
5989 		params->auth_type = nla_get_u32(
5990 			info->attrs[NL80211_ATTR_AUTH_TYPE]);
5991 		if (!nl80211_valid_auth_type(rdev, params->auth_type,
5992 					     NL80211_CMD_START_AP)) {
5993 			err = -EINVAL;
5994 			goto out;
5995 		}
5996 	} else
5997 		params->auth_type = NL80211_AUTHTYPE_AUTOMATIC;
5998 
5999 	err = nl80211_crypto_settings(rdev, info, &params->crypto,
6000 				      NL80211_MAX_NR_CIPHER_SUITES);
6001 	if (err)
6002 		goto out;
6003 
6004 	if (info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]) {
6005 		if (!(rdev->wiphy.features & NL80211_FEATURE_INACTIVITY_TIMER)) {
6006 			err = -EOPNOTSUPP;
6007 			goto out;
6008 		}
6009 		params->inactivity_timeout = nla_get_u16(
6010 			info->attrs[NL80211_ATTR_INACTIVITY_TIMEOUT]);
6011 	}
6012 
6013 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
6014 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6015 			err = -EINVAL;
6016 			goto out;
6017 		}
6018 		params->p2p_ctwindow =
6019 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
6020 		if (params->p2p_ctwindow != 0 &&
6021 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN)) {
6022 			err = -EINVAL;
6023 			goto out;
6024 		}
6025 	}
6026 
6027 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
6028 		u8 tmp;
6029 
6030 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
6031 			err = -EINVAL;
6032 			goto out;
6033 		}
6034 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
6035 		params->p2p_opp_ps = tmp;
6036 		if (params->p2p_opp_ps != 0 &&
6037 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS)) {
6038 			err = -EINVAL;
6039 			goto out;
6040 		}
6041 	}
6042 
6043 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
6044 		err = nl80211_parse_chandef(rdev, info, &params->chandef);
6045 		if (err)
6046 			goto out;
6047 	} else if (wdev->valid_links) {
6048 		/* with MLD need to specify the channel configuration */
6049 		err = -EINVAL;
6050 		goto out;
6051 	} else if (wdev->u.ap.preset_chandef.chan) {
6052 		params->chandef = wdev->u.ap.preset_chandef;
6053 	} else if (!nl80211_get_ap_channel(rdev, params)) {
6054 		err = -EINVAL;
6055 		goto out;
6056 	}
6057 
6058 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
6059 		err = nl80211_parse_punct_bitmap(rdev, info,
6060 						 &params->chandef,
6061 						 &params->punct_bitmap);
6062 		if (err)
6063 			goto out;
6064 	}
6065 
6066 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params->chandef,
6067 					   wdev->iftype)) {
6068 		err = -EINVAL;
6069 		goto out;
6070 	}
6071 
6072 	wdev_lock(wdev);
6073 
6074 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
6075 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
6076 						    NL80211_ATTR_TX_RATES,
6077 						    &params->beacon_rate,
6078 						    dev, false, link_id);
6079 		if (err)
6080 			goto out_unlock;
6081 
6082 		err = validate_beacon_tx_rate(rdev, params->chandef.chan->band,
6083 					      &params->beacon_rate);
6084 		if (err)
6085 			goto out_unlock;
6086 	}
6087 
6088 	if (info->attrs[NL80211_ATTR_SMPS_MODE]) {
6089 		params->smps_mode =
6090 			nla_get_u8(info->attrs[NL80211_ATTR_SMPS_MODE]);
6091 		switch (params->smps_mode) {
6092 		case NL80211_SMPS_OFF:
6093 			break;
6094 		case NL80211_SMPS_STATIC:
6095 			if (!(rdev->wiphy.features &
6096 			      NL80211_FEATURE_STATIC_SMPS)) {
6097 				err = -EINVAL;
6098 				goto out_unlock;
6099 			}
6100 			break;
6101 		case NL80211_SMPS_DYNAMIC:
6102 			if (!(rdev->wiphy.features &
6103 			      NL80211_FEATURE_DYNAMIC_SMPS)) {
6104 				err = -EINVAL;
6105 				goto out_unlock;
6106 			}
6107 			break;
6108 		default:
6109 			err = -EINVAL;
6110 			goto out_unlock;
6111 		}
6112 	} else {
6113 		params->smps_mode = NL80211_SMPS_OFF;
6114 	}
6115 
6116 	params->pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
6117 	if (params->pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
6118 		err = -EOPNOTSUPP;
6119 		goto out_unlock;
6120 	}
6121 
6122 	if (info->attrs[NL80211_ATTR_ACL_POLICY]) {
6123 		params->acl = parse_acl_data(&rdev->wiphy, info);
6124 		if (IS_ERR(params->acl)) {
6125 			err = PTR_ERR(params->acl);
6126 			params->acl = NULL;
6127 			goto out_unlock;
6128 		}
6129 	}
6130 
6131 	params->twt_responder =
6132 		    nla_get_flag(info->attrs[NL80211_ATTR_TWT_RESPONDER]);
6133 
6134 	if (info->attrs[NL80211_ATTR_HE_OBSS_PD]) {
6135 		err = nl80211_parse_he_obss_pd(
6136 					info->attrs[NL80211_ATTR_HE_OBSS_PD],
6137 					&params->he_obss_pd);
6138 		if (err)
6139 			goto out_unlock;
6140 	}
6141 
6142 	if (info->attrs[NL80211_ATTR_FILS_DISCOVERY]) {
6143 		err = nl80211_parse_fils_discovery(rdev,
6144 						   info->attrs[NL80211_ATTR_FILS_DISCOVERY],
6145 						   params);
6146 		if (err)
6147 			goto out_unlock;
6148 	}
6149 
6150 	if (info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP]) {
6151 		err = nl80211_parse_unsol_bcast_probe_resp(
6152 			rdev, info->attrs[NL80211_ATTR_UNSOL_BCAST_PROBE_RESP],
6153 			params);
6154 		if (err)
6155 			goto out_unlock;
6156 	}
6157 
6158 	if (info->attrs[NL80211_ATTR_MBSSID_CONFIG]) {
6159 		err = nl80211_parse_mbssid_config(&rdev->wiphy, dev,
6160 						  info->attrs[NL80211_ATTR_MBSSID_CONFIG],
6161 						  &params->mbssid_config,
6162 						  params->beacon.mbssid_ies ?
6163 							params->beacon.mbssid_ies->cnt :
6164 							0);
6165 		if (err)
6166 			goto out_unlock;
6167 	}
6168 
6169 	if (!params->mbssid_config.ema && params->beacon.rnr_ies) {
6170 		err = -EINVAL;
6171 		goto out_unlock;
6172 	}
6173 
6174 	err = nl80211_calculate_ap_params(params);
6175 	if (err)
6176 		goto out_unlock;
6177 
6178 	if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
6179 		params->flags = nla_get_u32(
6180 			info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
6181 	else if (info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])
6182 		params->flags |= NL80211_AP_SETTINGS_EXTERNAL_AUTH_SUPPORT;
6183 
6184 	if (wdev->conn_owner_nlportid &&
6185 	    info->attrs[NL80211_ATTR_SOCKET_OWNER] &&
6186 	    wdev->conn_owner_nlportid != info->snd_portid) {
6187 		err = -EINVAL;
6188 		goto out_unlock;
6189 	}
6190 
6191 	/* FIXME: validate MLO/link-id against driver capabilities */
6192 
6193 	err = rdev_start_ap(rdev, dev, params);
6194 	if (!err) {
6195 		wdev->links[link_id].ap.beacon_interval = params->beacon_interval;
6196 		wdev->links[link_id].ap.chandef = params->chandef;
6197 		wdev->u.ap.ssid_len = params->ssid_len;
6198 		memcpy(wdev->u.ap.ssid, params->ssid,
6199 		       params->ssid_len);
6200 
6201 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
6202 			wdev->conn_owner_nlportid = info->snd_portid;
6203 
6204 		nl80211_send_ap_started(wdev, link_id);
6205 	}
6206 out_unlock:
6207 	wdev_unlock(wdev);
6208 out:
6209 	kfree(params->acl);
6210 	kfree(params->beacon.mbssid_ies);
6211 	if (params->mbssid_config.tx_wdev &&
6212 	    params->mbssid_config.tx_wdev->netdev &&
6213 	    params->mbssid_config.tx_wdev->netdev != dev)
6214 		dev_put(params->mbssid_config.tx_wdev->netdev);
6215 	kfree(params->beacon.rnr_ies);
6216 	kfree(params);
6217 
6218 	return err;
6219 }
6220 
6221 static int nl80211_set_beacon(struct sk_buff *skb, struct genl_info *info)
6222 {
6223 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6224 	unsigned int link_id = nl80211_link_id(info->attrs);
6225 	struct net_device *dev = info->user_ptr[1];
6226 	struct wireless_dev *wdev = dev->ieee80211_ptr;
6227 	struct cfg80211_beacon_data params;
6228 	int err;
6229 
6230 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
6231 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
6232 		return -EOPNOTSUPP;
6233 
6234 	if (!rdev->ops->change_beacon)
6235 		return -EOPNOTSUPP;
6236 
6237 	if (!wdev->links[link_id].ap.beacon_interval)
6238 		return -EINVAL;
6239 
6240 	err = nl80211_parse_beacon(rdev, info->attrs, &params, info->extack);
6241 	if (err)
6242 		goto out;
6243 
6244 	wdev_lock(wdev);
6245 	err = rdev_change_beacon(rdev, dev, &params);
6246 	wdev_unlock(wdev);
6247 
6248 out:
6249 	kfree(params.mbssid_ies);
6250 	kfree(params.rnr_ies);
6251 	return err;
6252 }
6253 
6254 static int nl80211_stop_ap(struct sk_buff *skb, struct genl_info *info)
6255 {
6256 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6257 	unsigned int link_id = nl80211_link_id(info->attrs);
6258 	struct net_device *dev = info->user_ptr[1];
6259 
6260 	return cfg80211_stop_ap(rdev, dev, link_id, false);
6261 }
6262 
6263 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
6264 	[NL80211_STA_FLAG_AUTHORIZED] = { .type = NLA_FLAG },
6265 	[NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
6266 	[NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
6267 	[NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
6268 	[NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
6269 	[NL80211_STA_FLAG_TDLS_PEER] = { .type = NLA_FLAG },
6270 };
6271 
6272 static int parse_station_flags(struct genl_info *info,
6273 			       enum nl80211_iftype iftype,
6274 			       struct station_parameters *params)
6275 {
6276 	struct nlattr *flags[NL80211_STA_FLAG_MAX + 1];
6277 	struct nlattr *nla;
6278 	int flag;
6279 
6280 	/*
6281 	 * Try parsing the new attribute first so userspace
6282 	 * can specify both for older kernels.
6283 	 */
6284 	nla = info->attrs[NL80211_ATTR_STA_FLAGS2];
6285 	if (nla) {
6286 		struct nl80211_sta_flag_update *sta_flags;
6287 
6288 		sta_flags = nla_data(nla);
6289 		params->sta_flags_mask = sta_flags->mask;
6290 		params->sta_flags_set = sta_flags->set;
6291 		params->sta_flags_set &= params->sta_flags_mask;
6292 		if ((params->sta_flags_mask |
6293 		     params->sta_flags_set) & BIT(__NL80211_STA_FLAG_INVALID))
6294 			return -EINVAL;
6295 		return 0;
6296 	}
6297 
6298 	/* if present, parse the old attribute */
6299 
6300 	nla = info->attrs[NL80211_ATTR_STA_FLAGS];
6301 	if (!nla)
6302 		return 0;
6303 
6304 	if (nla_parse_nested_deprecated(flags, NL80211_STA_FLAG_MAX, nla, sta_flags_policy, info->extack))
6305 		return -EINVAL;
6306 
6307 	/*
6308 	 * Only allow certain flags for interface types so that
6309 	 * other attributes are silently ignored. Remember that
6310 	 * this is backward compatibility code with old userspace
6311 	 * and shouldn't be hit in other cases anyway.
6312 	 */
6313 	switch (iftype) {
6314 	case NL80211_IFTYPE_AP:
6315 	case NL80211_IFTYPE_AP_VLAN:
6316 	case NL80211_IFTYPE_P2P_GO:
6317 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6318 					 BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6319 					 BIT(NL80211_STA_FLAG_WME) |
6320 					 BIT(NL80211_STA_FLAG_MFP);
6321 		break;
6322 	case NL80211_IFTYPE_P2P_CLIENT:
6323 	case NL80211_IFTYPE_STATION:
6324 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHORIZED) |
6325 					 BIT(NL80211_STA_FLAG_TDLS_PEER);
6326 		break;
6327 	case NL80211_IFTYPE_MESH_POINT:
6328 		params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6329 					 BIT(NL80211_STA_FLAG_MFP) |
6330 					 BIT(NL80211_STA_FLAG_AUTHORIZED);
6331 		break;
6332 	default:
6333 		return -EINVAL;
6334 	}
6335 
6336 	for (flag = 1; flag <= NL80211_STA_FLAG_MAX; flag++) {
6337 		if (flags[flag]) {
6338 			params->sta_flags_set |= (1<<flag);
6339 
6340 			/* no longer support new API additions in old API */
6341 			if (flag > NL80211_STA_FLAG_MAX_OLD_API)
6342 				return -EINVAL;
6343 		}
6344 	}
6345 
6346 	return 0;
6347 }
6348 
6349 bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info, int attr)
6350 {
6351 	struct nlattr *rate;
6352 	u32 bitrate;
6353 	u16 bitrate_compat;
6354 	enum nl80211_rate_info rate_flg;
6355 
6356 	rate = nla_nest_start_noflag(msg, attr);
6357 	if (!rate)
6358 		return false;
6359 
6360 	/* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
6361 	bitrate = cfg80211_calculate_bitrate(info);
6362 	/* report 16-bit bitrate only if we can */
6363 	bitrate_compat = bitrate < (1UL << 16) ? bitrate : 0;
6364 	if (bitrate > 0 &&
6365 	    nla_put_u32(msg, NL80211_RATE_INFO_BITRATE32, bitrate))
6366 		return false;
6367 	if (bitrate_compat > 0 &&
6368 	    nla_put_u16(msg, NL80211_RATE_INFO_BITRATE, bitrate_compat))
6369 		return false;
6370 
6371 	switch (info->bw) {
6372 	case RATE_INFO_BW_1:
6373 		rate_flg = NL80211_RATE_INFO_1_MHZ_WIDTH;
6374 		break;
6375 	case RATE_INFO_BW_2:
6376 		rate_flg = NL80211_RATE_INFO_2_MHZ_WIDTH;
6377 		break;
6378 	case RATE_INFO_BW_4:
6379 		rate_flg = NL80211_RATE_INFO_4_MHZ_WIDTH;
6380 		break;
6381 	case RATE_INFO_BW_5:
6382 		rate_flg = NL80211_RATE_INFO_5_MHZ_WIDTH;
6383 		break;
6384 	case RATE_INFO_BW_8:
6385 		rate_flg = NL80211_RATE_INFO_8_MHZ_WIDTH;
6386 		break;
6387 	case RATE_INFO_BW_10:
6388 		rate_flg = NL80211_RATE_INFO_10_MHZ_WIDTH;
6389 		break;
6390 	case RATE_INFO_BW_16:
6391 		rate_flg = NL80211_RATE_INFO_16_MHZ_WIDTH;
6392 		break;
6393 	default:
6394 		WARN_ON(1);
6395 		fallthrough;
6396 	case RATE_INFO_BW_20:
6397 		rate_flg = 0;
6398 		break;
6399 	case RATE_INFO_BW_40:
6400 		rate_flg = NL80211_RATE_INFO_40_MHZ_WIDTH;
6401 		break;
6402 	case RATE_INFO_BW_80:
6403 		rate_flg = NL80211_RATE_INFO_80_MHZ_WIDTH;
6404 		break;
6405 	case RATE_INFO_BW_160:
6406 		rate_flg = NL80211_RATE_INFO_160_MHZ_WIDTH;
6407 		break;
6408 	case RATE_INFO_BW_HE_RU:
6409 		rate_flg = 0;
6410 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_HE_MCS));
6411 		break;
6412 	case RATE_INFO_BW_320:
6413 		rate_flg = NL80211_RATE_INFO_320_MHZ_WIDTH;
6414 		break;
6415 	case RATE_INFO_BW_EHT_RU:
6416 		rate_flg = 0;
6417 		WARN_ON(!(info->flags & RATE_INFO_FLAGS_EHT_MCS));
6418 		break;
6419 	}
6420 
6421 	if (rate_flg && nla_put_flag(msg, rate_flg))
6422 		return false;
6423 
6424 	if (info->flags & RATE_INFO_FLAGS_MCS) {
6425 		if (nla_put_u8(msg, NL80211_RATE_INFO_MCS, info->mcs))
6426 			return false;
6427 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6428 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6429 			return false;
6430 	} else if (info->flags & RATE_INFO_FLAGS_VHT_MCS) {
6431 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_MCS, info->mcs))
6432 			return false;
6433 		if (nla_put_u8(msg, NL80211_RATE_INFO_VHT_NSS, info->nss))
6434 			return false;
6435 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6436 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6437 			return false;
6438 	} else if (info->flags & RATE_INFO_FLAGS_HE_MCS) {
6439 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_MCS, info->mcs))
6440 			return false;
6441 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_NSS, info->nss))
6442 			return false;
6443 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_GI, info->he_gi))
6444 			return false;
6445 		if (nla_put_u8(msg, NL80211_RATE_INFO_HE_DCM, info->he_dcm))
6446 			return false;
6447 		if (info->bw == RATE_INFO_BW_HE_RU &&
6448 		    nla_put_u8(msg, NL80211_RATE_INFO_HE_RU_ALLOC,
6449 			       info->he_ru_alloc))
6450 			return false;
6451 	} else if (info->flags & RATE_INFO_FLAGS_S1G_MCS) {
6452 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_MCS, info->mcs))
6453 			return false;
6454 		if (nla_put_u8(msg, NL80211_RATE_INFO_S1G_NSS, info->nss))
6455 			return false;
6456 		if (info->flags & RATE_INFO_FLAGS_SHORT_GI &&
6457 		    nla_put_flag(msg, NL80211_RATE_INFO_SHORT_GI))
6458 			return false;
6459 	} else if (info->flags & RATE_INFO_FLAGS_EHT_MCS) {
6460 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_MCS, info->mcs))
6461 			return false;
6462 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_NSS, info->nss))
6463 			return false;
6464 		if (nla_put_u8(msg, NL80211_RATE_INFO_EHT_GI, info->eht_gi))
6465 			return false;
6466 		if (info->bw == RATE_INFO_BW_EHT_RU &&
6467 		    nla_put_u8(msg, NL80211_RATE_INFO_EHT_RU_ALLOC,
6468 			       info->eht_ru_alloc))
6469 			return false;
6470 	}
6471 
6472 	nla_nest_end(msg, rate);
6473 	return true;
6474 }
6475 
6476 static bool nl80211_put_signal(struct sk_buff *msg, u8 mask, s8 *signal,
6477 			       int id)
6478 {
6479 	void *attr;
6480 	int i = 0;
6481 
6482 	if (!mask)
6483 		return true;
6484 
6485 	attr = nla_nest_start_noflag(msg, id);
6486 	if (!attr)
6487 		return false;
6488 
6489 	for (i = 0; i < IEEE80211_MAX_CHAINS; i++) {
6490 		if (!(mask & BIT(i)))
6491 			continue;
6492 
6493 		if (nla_put_u8(msg, i, signal[i]))
6494 			return false;
6495 	}
6496 
6497 	nla_nest_end(msg, attr);
6498 
6499 	return true;
6500 }
6501 
6502 static int nl80211_send_station(struct sk_buff *msg, u32 cmd, u32 portid,
6503 				u32 seq, int flags,
6504 				struct cfg80211_registered_device *rdev,
6505 				struct net_device *dev,
6506 				const u8 *mac_addr, struct station_info *sinfo)
6507 {
6508 	void *hdr;
6509 	struct nlattr *sinfoattr, *bss_param;
6510 
6511 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
6512 	if (!hdr) {
6513 		cfg80211_sinfo_release_content(sinfo);
6514 		return -1;
6515 	}
6516 
6517 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
6518 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
6519 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, sinfo->generation))
6520 		goto nla_put_failure;
6521 
6522 	sinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_STA_INFO);
6523 	if (!sinfoattr)
6524 		goto nla_put_failure;
6525 
6526 #define PUT_SINFO(attr, memb, type) do {				\
6527 	BUILD_BUG_ON(sizeof(type) == sizeof(u64));			\
6528 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6529 	    nla_put_ ## type(msg, NL80211_STA_INFO_ ## attr,		\
6530 			     sinfo->memb))				\
6531 		goto nla_put_failure;					\
6532 	} while (0)
6533 #define PUT_SINFO_U64(attr, memb) do {					\
6534 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_ ## attr) &&	\
6535 	    nla_put_u64_64bit(msg, NL80211_STA_INFO_ ## attr,		\
6536 			      sinfo->memb, NL80211_STA_INFO_PAD))	\
6537 		goto nla_put_failure;					\
6538 	} while (0)
6539 
6540 	PUT_SINFO(CONNECTED_TIME, connected_time, u32);
6541 	PUT_SINFO(INACTIVE_TIME, inactive_time, u32);
6542 	PUT_SINFO_U64(ASSOC_AT_BOOTTIME, assoc_at);
6543 
6544 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_RX_BYTES) |
6545 			     BIT_ULL(NL80211_STA_INFO_RX_BYTES64)) &&
6546 	    nla_put_u32(msg, NL80211_STA_INFO_RX_BYTES,
6547 			(u32)sinfo->rx_bytes))
6548 		goto nla_put_failure;
6549 
6550 	if (sinfo->filled & (BIT_ULL(NL80211_STA_INFO_TX_BYTES) |
6551 			     BIT_ULL(NL80211_STA_INFO_TX_BYTES64)) &&
6552 	    nla_put_u32(msg, NL80211_STA_INFO_TX_BYTES,
6553 			(u32)sinfo->tx_bytes))
6554 		goto nla_put_failure;
6555 
6556 	PUT_SINFO_U64(RX_BYTES64, rx_bytes);
6557 	PUT_SINFO_U64(TX_BYTES64, tx_bytes);
6558 	PUT_SINFO(LLID, llid, u16);
6559 	PUT_SINFO(PLID, plid, u16);
6560 	PUT_SINFO(PLINK_STATE, plink_state, u8);
6561 	PUT_SINFO_U64(RX_DURATION, rx_duration);
6562 	PUT_SINFO_U64(TX_DURATION, tx_duration);
6563 
6564 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6565 				    NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
6566 		PUT_SINFO(AIRTIME_WEIGHT, airtime_weight, u16);
6567 
6568 	switch (rdev->wiphy.signal_type) {
6569 	case CFG80211_SIGNAL_TYPE_MBM:
6570 		PUT_SINFO(SIGNAL, signal, u8);
6571 		PUT_SINFO(SIGNAL_AVG, signal_avg, u8);
6572 		break;
6573 	default:
6574 		break;
6575 	}
6576 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL)) {
6577 		if (!nl80211_put_signal(msg, sinfo->chains,
6578 					sinfo->chain_signal,
6579 					NL80211_STA_INFO_CHAIN_SIGNAL))
6580 			goto nla_put_failure;
6581 	}
6582 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_CHAIN_SIGNAL_AVG)) {
6583 		if (!nl80211_put_signal(msg, sinfo->chains,
6584 					sinfo->chain_signal_avg,
6585 					NL80211_STA_INFO_CHAIN_SIGNAL_AVG))
6586 			goto nla_put_failure;
6587 	}
6588 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_TX_BITRATE)) {
6589 		if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
6590 					  NL80211_STA_INFO_TX_BITRATE))
6591 			goto nla_put_failure;
6592 	}
6593 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_RX_BITRATE)) {
6594 		if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
6595 					  NL80211_STA_INFO_RX_BITRATE))
6596 			goto nla_put_failure;
6597 	}
6598 
6599 	PUT_SINFO(RX_PACKETS, rx_packets, u32);
6600 	PUT_SINFO(TX_PACKETS, tx_packets, u32);
6601 	PUT_SINFO(TX_RETRIES, tx_retries, u32);
6602 	PUT_SINFO(TX_FAILED, tx_failed, u32);
6603 	PUT_SINFO(EXPECTED_THROUGHPUT, expected_throughput, u32);
6604 	PUT_SINFO(AIRTIME_LINK_METRIC, airtime_link_metric, u32);
6605 	PUT_SINFO(BEACON_LOSS, beacon_loss_count, u32);
6606 	PUT_SINFO(LOCAL_PM, local_pm, u32);
6607 	PUT_SINFO(PEER_PM, peer_pm, u32);
6608 	PUT_SINFO(NONPEER_PM, nonpeer_pm, u32);
6609 	PUT_SINFO(CONNECTED_TO_GATE, connected_to_gate, u8);
6610 	PUT_SINFO(CONNECTED_TO_AS, connected_to_as, u8);
6611 
6612 	if (sinfo->filled & BIT_ULL(NL80211_STA_INFO_BSS_PARAM)) {
6613 		bss_param = nla_nest_start_noflag(msg,
6614 						  NL80211_STA_INFO_BSS_PARAM);
6615 		if (!bss_param)
6616 			goto nla_put_failure;
6617 
6618 		if (((sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT) &&
6619 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_CTS_PROT)) ||
6620 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE) &&
6621 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE)) ||
6622 		    ((sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME) &&
6623 		     nla_put_flag(msg, NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME)) ||
6624 		    nla_put_u8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
6625 			       sinfo->bss_param.dtim_period) ||
6626 		    nla_put_u16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
6627 				sinfo->bss_param.beacon_interval))
6628 			goto nla_put_failure;
6629 
6630 		nla_nest_end(msg, bss_param);
6631 	}
6632 	if ((sinfo->filled & BIT_ULL(NL80211_STA_INFO_STA_FLAGS)) &&
6633 	    nla_put(msg, NL80211_STA_INFO_STA_FLAGS,
6634 		    sizeof(struct nl80211_sta_flag_update),
6635 		    &sinfo->sta_flags))
6636 		goto nla_put_failure;
6637 
6638 	PUT_SINFO_U64(T_OFFSET, t_offset);
6639 	PUT_SINFO_U64(RX_DROP_MISC, rx_dropped_misc);
6640 	PUT_SINFO_U64(BEACON_RX, rx_beacon);
6641 	PUT_SINFO(BEACON_SIGNAL_AVG, rx_beacon_signal_avg, u8);
6642 	PUT_SINFO(RX_MPDUS, rx_mpdu_count, u32);
6643 	PUT_SINFO(FCS_ERROR_COUNT, fcs_err_count, u32);
6644 	if (wiphy_ext_feature_isset(&rdev->wiphy,
6645 				    NL80211_EXT_FEATURE_ACK_SIGNAL_SUPPORT)) {
6646 		PUT_SINFO(ACK_SIGNAL, ack_signal, u8);
6647 		PUT_SINFO(ACK_SIGNAL_AVG, avg_ack_signal, s8);
6648 	}
6649 
6650 #undef PUT_SINFO
6651 #undef PUT_SINFO_U64
6652 
6653 	if (sinfo->pertid) {
6654 		struct nlattr *tidsattr;
6655 		int tid;
6656 
6657 		tidsattr = nla_nest_start_noflag(msg,
6658 						 NL80211_STA_INFO_TID_STATS);
6659 		if (!tidsattr)
6660 			goto nla_put_failure;
6661 
6662 		for (tid = 0; tid < IEEE80211_NUM_TIDS + 1; tid++) {
6663 			struct cfg80211_tid_stats *tidstats;
6664 			struct nlattr *tidattr;
6665 
6666 			tidstats = &sinfo->pertid[tid];
6667 
6668 			if (!tidstats->filled)
6669 				continue;
6670 
6671 			tidattr = nla_nest_start_noflag(msg, tid + 1);
6672 			if (!tidattr)
6673 				goto nla_put_failure;
6674 
6675 #define PUT_TIDVAL_U64(attr, memb) do {					\
6676 	if (tidstats->filled & BIT(NL80211_TID_STATS_ ## attr) &&	\
6677 	    nla_put_u64_64bit(msg, NL80211_TID_STATS_ ## attr,		\
6678 			      tidstats->memb, NL80211_TID_STATS_PAD))	\
6679 		goto nla_put_failure;					\
6680 	} while (0)
6681 
6682 			PUT_TIDVAL_U64(RX_MSDU, rx_msdu);
6683 			PUT_TIDVAL_U64(TX_MSDU, tx_msdu);
6684 			PUT_TIDVAL_U64(TX_MSDU_RETRIES, tx_msdu_retries);
6685 			PUT_TIDVAL_U64(TX_MSDU_FAILED, tx_msdu_failed);
6686 
6687 #undef PUT_TIDVAL_U64
6688 			if ((tidstats->filled &
6689 			     BIT(NL80211_TID_STATS_TXQ_STATS)) &&
6690 			    !nl80211_put_txq_stats(msg, &tidstats->txq_stats,
6691 						   NL80211_TID_STATS_TXQ_STATS))
6692 				goto nla_put_failure;
6693 
6694 			nla_nest_end(msg, tidattr);
6695 		}
6696 
6697 		nla_nest_end(msg, tidsattr);
6698 	}
6699 
6700 	nla_nest_end(msg, sinfoattr);
6701 
6702 	if (sinfo->assoc_req_ies_len &&
6703 	    nla_put(msg, NL80211_ATTR_IE, sinfo->assoc_req_ies_len,
6704 		    sinfo->assoc_req_ies))
6705 		goto nla_put_failure;
6706 
6707 	if (sinfo->assoc_resp_ies_len &&
6708 	    nla_put(msg, NL80211_ATTR_RESP_IE, sinfo->assoc_resp_ies_len,
6709 		    sinfo->assoc_resp_ies))
6710 		goto nla_put_failure;
6711 
6712 	if (sinfo->mlo_params_valid) {
6713 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
6714 			       sinfo->assoc_link_id))
6715 			goto nla_put_failure;
6716 
6717 		if (!is_zero_ether_addr(sinfo->mld_addr) &&
6718 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
6719 			    sinfo->mld_addr))
6720 			goto nla_put_failure;
6721 	}
6722 
6723 	cfg80211_sinfo_release_content(sinfo);
6724 	genlmsg_end(msg, hdr);
6725 	return 0;
6726 
6727  nla_put_failure:
6728 	cfg80211_sinfo_release_content(sinfo);
6729 	genlmsg_cancel(msg, hdr);
6730 	return -EMSGSIZE;
6731 }
6732 
6733 static int nl80211_dump_station(struct sk_buff *skb,
6734 				struct netlink_callback *cb)
6735 {
6736 	struct station_info sinfo;
6737 	struct cfg80211_registered_device *rdev;
6738 	struct wireless_dev *wdev;
6739 	u8 mac_addr[ETH_ALEN];
6740 	int sta_idx = cb->args[2];
6741 	int err;
6742 
6743 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
6744 	if (err)
6745 		return err;
6746 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
6747 	__acquire(&rdev->wiphy.mtx);
6748 
6749 	if (!wdev->netdev) {
6750 		err = -EINVAL;
6751 		goto out_err;
6752 	}
6753 
6754 	if (!rdev->ops->dump_station) {
6755 		err = -EOPNOTSUPP;
6756 		goto out_err;
6757 	}
6758 
6759 	while (1) {
6760 		memset(&sinfo, 0, sizeof(sinfo));
6761 		err = rdev_dump_station(rdev, wdev->netdev, sta_idx,
6762 					mac_addr, &sinfo);
6763 		if (err == -ENOENT)
6764 			break;
6765 		if (err)
6766 			goto out_err;
6767 
6768 		if (nl80211_send_station(skb, NL80211_CMD_NEW_STATION,
6769 				NETLINK_CB(cb->skb).portid,
6770 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
6771 				rdev, wdev->netdev, mac_addr,
6772 				&sinfo) < 0)
6773 			goto out;
6774 
6775 		sta_idx++;
6776 	}
6777 
6778  out:
6779 	cb->args[2] = sta_idx;
6780 	err = skb->len;
6781  out_err:
6782 	wiphy_unlock(&rdev->wiphy);
6783 
6784 	return err;
6785 }
6786 
6787 static int nl80211_get_station(struct sk_buff *skb, struct genl_info *info)
6788 {
6789 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
6790 	struct net_device *dev = info->user_ptr[1];
6791 	struct station_info sinfo;
6792 	struct sk_buff *msg;
6793 	u8 *mac_addr = NULL;
6794 	int err;
6795 
6796 	memset(&sinfo, 0, sizeof(sinfo));
6797 
6798 	if (!info->attrs[NL80211_ATTR_MAC])
6799 		return -EINVAL;
6800 
6801 	mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
6802 
6803 	if (!rdev->ops->get_station)
6804 		return -EOPNOTSUPP;
6805 
6806 	err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
6807 	if (err)
6808 		return err;
6809 
6810 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
6811 	if (!msg) {
6812 		cfg80211_sinfo_release_content(&sinfo);
6813 		return -ENOMEM;
6814 	}
6815 
6816 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION,
6817 				 info->snd_portid, info->snd_seq, 0,
6818 				 rdev, dev, mac_addr, &sinfo) < 0) {
6819 		nlmsg_free(msg);
6820 		return -ENOBUFS;
6821 	}
6822 
6823 	return genlmsg_reply(msg, info);
6824 }
6825 
6826 int cfg80211_check_station_change(struct wiphy *wiphy,
6827 				  struct station_parameters *params,
6828 				  enum cfg80211_station_type statype)
6829 {
6830 	if (params->listen_interval != -1 &&
6831 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6832 		return -EINVAL;
6833 
6834 	if (params->support_p2p_ps != -1 &&
6835 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6836 		return -EINVAL;
6837 
6838 	if (params->aid &&
6839 	    !(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&
6840 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC)
6841 		return -EINVAL;
6842 
6843 	/* When you run into this, adjust the code below for the new flag */
6844 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
6845 
6846 	switch (statype) {
6847 	case CFG80211_STA_MESH_PEER_KERNEL:
6848 	case CFG80211_STA_MESH_PEER_USER:
6849 		/*
6850 		 * No ignoring the TDLS flag here -- the userspace mesh
6851 		 * code doesn't have the bug of including TDLS in the
6852 		 * mask everywhere.
6853 		 */
6854 		if (params->sta_flags_mask &
6855 				~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6856 				  BIT(NL80211_STA_FLAG_MFP) |
6857 				  BIT(NL80211_STA_FLAG_AUTHORIZED)))
6858 			return -EINVAL;
6859 		break;
6860 	case CFG80211_STA_TDLS_PEER_SETUP:
6861 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6862 		if (!(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
6863 			return -EINVAL;
6864 		/* ignore since it can't change */
6865 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6866 		break;
6867 	default:
6868 		/* disallow mesh-specific things */
6869 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION)
6870 			return -EINVAL;
6871 		if (params->local_pm)
6872 			return -EINVAL;
6873 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6874 			return -EINVAL;
6875 	}
6876 
6877 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6878 	    statype != CFG80211_STA_TDLS_PEER_ACTIVE) {
6879 		/* TDLS can't be set, ... */
6880 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
6881 			return -EINVAL;
6882 		/*
6883 		 * ... but don't bother the driver with it. This works around
6884 		 * a hostapd/wpa_supplicant issue -- it always includes the
6885 		 * TLDS_PEER flag in the mask even for AP mode.
6886 		 */
6887 		params->sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
6888 	}
6889 
6890 	if (statype != CFG80211_STA_TDLS_PEER_SETUP &&
6891 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6892 		/* reject other things that can't change */
6893 		if (params->sta_modify_mask & STATION_PARAM_APPLY_UAPSD)
6894 			return -EINVAL;
6895 		if (params->sta_modify_mask & STATION_PARAM_APPLY_CAPABILITY)
6896 			return -EINVAL;
6897 		if (params->link_sta_params.supported_rates)
6898 			return -EINVAL;
6899 		if (params->ext_capab || params->link_sta_params.ht_capa ||
6900 		    params->link_sta_params.vht_capa ||
6901 		    params->link_sta_params.he_capa ||
6902 		    params->link_sta_params.eht_capa)
6903 			return -EINVAL;
6904 	}
6905 
6906 	if (statype != CFG80211_STA_AP_CLIENT &&
6907 	    statype != CFG80211_STA_AP_CLIENT_UNASSOC) {
6908 		if (params->vlan)
6909 			return -EINVAL;
6910 	}
6911 
6912 	switch (statype) {
6913 	case CFG80211_STA_AP_MLME_CLIENT:
6914 		/* Use this only for authorizing/unauthorizing a station */
6915 		if (!(params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED)))
6916 			return -EOPNOTSUPP;
6917 		break;
6918 	case CFG80211_STA_AP_CLIENT:
6919 	case CFG80211_STA_AP_CLIENT_UNASSOC:
6920 		/* accept only the listed bits */
6921 		if (params->sta_flags_mask &
6922 				~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6923 				  BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6924 				  BIT(NL80211_STA_FLAG_ASSOCIATED) |
6925 				  BIT(NL80211_STA_FLAG_SHORT_PREAMBLE) |
6926 				  BIT(NL80211_STA_FLAG_WME) |
6927 				  BIT(NL80211_STA_FLAG_MFP)))
6928 			return -EINVAL;
6929 
6930 		/* but authenticated/associated only if driver handles it */
6931 		if (!(wiphy->features & NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
6932 		    params->sta_flags_mask &
6933 				(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
6934 				 BIT(NL80211_STA_FLAG_ASSOCIATED)))
6935 			return -EINVAL;
6936 		break;
6937 	case CFG80211_STA_IBSS:
6938 	case CFG80211_STA_AP_STA:
6939 		/* reject any changes other than AUTHORIZED */
6940 		if (params->sta_flags_mask & ~BIT(NL80211_STA_FLAG_AUTHORIZED))
6941 			return -EINVAL;
6942 		break;
6943 	case CFG80211_STA_TDLS_PEER_SETUP:
6944 		/* reject any changes other than AUTHORIZED or WME */
6945 		if (params->sta_flags_mask & ~(BIT(NL80211_STA_FLAG_AUTHORIZED) |
6946 					       BIT(NL80211_STA_FLAG_WME)))
6947 			return -EINVAL;
6948 		/* force (at least) rates when authorizing */
6949 		if (params->sta_flags_set & BIT(NL80211_STA_FLAG_AUTHORIZED) &&
6950 		    !params->link_sta_params.supported_rates)
6951 			return -EINVAL;
6952 		break;
6953 	case CFG80211_STA_TDLS_PEER_ACTIVE:
6954 		/* reject any changes */
6955 		return -EINVAL;
6956 	case CFG80211_STA_MESH_PEER_KERNEL:
6957 		if (params->sta_modify_mask & STATION_PARAM_APPLY_PLINK_STATE)
6958 			return -EINVAL;
6959 		break;
6960 	case CFG80211_STA_MESH_PEER_USER:
6961 		if (params->plink_action != NL80211_PLINK_ACTION_NO_ACTION &&
6962 		    params->plink_action != NL80211_PLINK_ACTION_BLOCK)
6963 			return -EINVAL;
6964 		break;
6965 	}
6966 
6967 	/*
6968 	 * Older kernel versions ignored this attribute entirely, so don't
6969 	 * reject attempts to update it but mark it as unused instead so the
6970 	 * driver won't look at the data.
6971 	 */
6972 	if (statype != CFG80211_STA_AP_CLIENT_UNASSOC &&
6973 	    statype != CFG80211_STA_TDLS_PEER_SETUP)
6974 		params->link_sta_params.opmode_notif_used = false;
6975 
6976 	return 0;
6977 }
6978 EXPORT_SYMBOL(cfg80211_check_station_change);
6979 
6980 /*
6981  * Get vlan interface making sure it is running and on the right wiphy.
6982  */
6983 static struct net_device *get_vlan(struct genl_info *info,
6984 				   struct cfg80211_registered_device *rdev)
6985 {
6986 	struct nlattr *vlanattr = info->attrs[NL80211_ATTR_STA_VLAN];
6987 	struct net_device *v;
6988 	int ret;
6989 
6990 	if (!vlanattr)
6991 		return NULL;
6992 
6993 	v = dev_get_by_index(genl_info_net(info), nla_get_u32(vlanattr));
6994 	if (!v)
6995 		return ERR_PTR(-ENODEV);
6996 
6997 	if (!v->ieee80211_ptr || v->ieee80211_ptr->wiphy != &rdev->wiphy) {
6998 		ret = -EINVAL;
6999 		goto error;
7000 	}
7001 
7002 	if (v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
7003 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
7004 	    v->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO) {
7005 		ret = -EINVAL;
7006 		goto error;
7007 	}
7008 
7009 	if (!netif_running(v)) {
7010 		ret = -ENETDOWN;
7011 		goto error;
7012 	}
7013 
7014 	return v;
7015  error:
7016 	dev_put(v);
7017 	return ERR_PTR(ret);
7018 }
7019 
7020 static int nl80211_parse_sta_wme(struct genl_info *info,
7021 				 struct station_parameters *params)
7022 {
7023 	struct nlattr *tb[NL80211_STA_WME_MAX + 1];
7024 	struct nlattr *nla;
7025 	int err;
7026 
7027 	/* parse WME attributes if present */
7028 	if (!info->attrs[NL80211_ATTR_STA_WME])
7029 		return 0;
7030 
7031 	nla = info->attrs[NL80211_ATTR_STA_WME];
7032 	err = nla_parse_nested_deprecated(tb, NL80211_STA_WME_MAX, nla,
7033 					  nl80211_sta_wme_policy,
7034 					  info->extack);
7035 	if (err)
7036 		return err;
7037 
7038 	if (tb[NL80211_STA_WME_UAPSD_QUEUES])
7039 		params->uapsd_queues = nla_get_u8(
7040 			tb[NL80211_STA_WME_UAPSD_QUEUES]);
7041 	if (params->uapsd_queues & ~IEEE80211_WMM_IE_STA_QOSINFO_AC_MASK)
7042 		return -EINVAL;
7043 
7044 	if (tb[NL80211_STA_WME_MAX_SP])
7045 		params->max_sp = nla_get_u8(tb[NL80211_STA_WME_MAX_SP]);
7046 
7047 	if (params->max_sp & ~IEEE80211_WMM_IE_STA_QOSINFO_SP_MASK)
7048 		return -EINVAL;
7049 
7050 	params->sta_modify_mask |= STATION_PARAM_APPLY_UAPSD;
7051 
7052 	return 0;
7053 }
7054 
7055 static int nl80211_parse_sta_channel_info(struct genl_info *info,
7056 				      struct station_parameters *params)
7057 {
7058 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]) {
7059 		params->supported_channels =
7060 		     nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7061 		params->supported_channels_len =
7062 		     nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_CHANNELS]);
7063 		/*
7064 		 * Need to include at least one (first channel, number of
7065 		 * channels) tuple for each subband (checked in policy),
7066 		 * and must have proper tuples for the rest of the data as well.
7067 		 */
7068 		if (params->supported_channels_len % 2)
7069 			return -EINVAL;
7070 	}
7071 
7072 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]) {
7073 		params->supported_oper_classes =
7074 		 nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7075 		params->supported_oper_classes_len =
7076 		  nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_OPER_CLASSES]);
7077 	}
7078 	return 0;
7079 }
7080 
7081 static int nl80211_set_station_tdls(struct genl_info *info,
7082 				    struct station_parameters *params)
7083 {
7084 	int err;
7085 	/* Dummy STA entry gets updated once the peer capabilities are known */
7086 	if (info->attrs[NL80211_ATTR_PEER_AID])
7087 		params->aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7088 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7089 		params->link_sta_params.ht_capa =
7090 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7091 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7092 		params->link_sta_params.vht_capa =
7093 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7094 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7095 		params->link_sta_params.he_capa =
7096 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7097 		params->link_sta_params.he_capa_len =
7098 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7099 
7100 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7101 			params->link_sta_params.eht_capa =
7102 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7103 			params->link_sta_params.eht_capa_len =
7104 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7105 
7106 			if (!ieee80211_eht_capa_size_ok((const u8 *)params->link_sta_params.he_capa,
7107 							(const u8 *)params->link_sta_params.eht_capa,
7108 							params->link_sta_params.eht_capa_len,
7109 							false))
7110 				return -EINVAL;
7111 		}
7112 	}
7113 
7114 	err = nl80211_parse_sta_channel_info(info, params);
7115 	if (err)
7116 		return err;
7117 
7118 	return nl80211_parse_sta_wme(info, params);
7119 }
7120 
7121 static int nl80211_parse_sta_txpower_setting(struct genl_info *info,
7122 					     struct sta_txpwr *txpwr,
7123 					     bool *txpwr_set)
7124 {
7125 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7126 	int idx;
7127 
7128 	if (info->attrs[NL80211_ATTR_STA_TX_POWER_SETTING]) {
7129 		if (!rdev->ops->set_tx_power ||
7130 		    !wiphy_ext_feature_isset(&rdev->wiphy,
7131 					 NL80211_EXT_FEATURE_STA_TX_PWR))
7132 			return -EOPNOTSUPP;
7133 
7134 		idx = NL80211_ATTR_STA_TX_POWER_SETTING;
7135 		txpwr->type = nla_get_u8(info->attrs[idx]);
7136 
7137 		if (txpwr->type == NL80211_TX_POWER_LIMITED) {
7138 			idx = NL80211_ATTR_STA_TX_POWER;
7139 
7140 			if (info->attrs[idx])
7141 				txpwr->power = nla_get_s16(info->attrs[idx]);
7142 			else
7143 				return -EINVAL;
7144 		}
7145 
7146 		*txpwr_set = true;
7147 	} else {
7148 		*txpwr_set = false;
7149 	}
7150 
7151 	return 0;
7152 }
7153 
7154 static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
7155 {
7156 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7157 	struct net_device *dev = info->user_ptr[1];
7158 	struct station_parameters params;
7159 	u8 *mac_addr;
7160 	int err;
7161 
7162 	memset(&params, 0, sizeof(params));
7163 
7164 	if (!rdev->ops->change_station)
7165 		return -EOPNOTSUPP;
7166 
7167 	/*
7168 	 * AID and listen_interval properties can be set only for unassociated
7169 	 * station. Include these parameters here and will check them in
7170 	 * cfg80211_check_station_change().
7171 	 */
7172 	if (info->attrs[NL80211_ATTR_STA_AID])
7173 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7174 
7175 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7176 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7177 
7178 	if (info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7179 		params.listen_interval =
7180 		     nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7181 	else
7182 		params.listen_interval = -1;
7183 
7184 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS])
7185 		params.support_p2p_ps =
7186 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7187 	else
7188 		params.support_p2p_ps = -1;
7189 
7190 	if (!info->attrs[NL80211_ATTR_MAC])
7191 		return -EINVAL;
7192 
7193 	params.link_sta_params.link_id =
7194 		nl80211_link_id_or_invalid(info->attrs);
7195 
7196 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7197 		/* If MLD_ADDR attribute is set then this is an MLD station
7198 		 * and the MLD_ADDR attribute holds the MLD address and the
7199 		 * MAC attribute holds for the LINK address.
7200 		 * In that case, the link_id is also expected to be valid.
7201 		 */
7202 		if (params.link_sta_params.link_id < 0)
7203 			return -EINVAL;
7204 
7205 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7206 		params.link_sta_params.mld_mac = mac_addr;
7207 		params.link_sta_params.link_mac =
7208 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7209 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7210 			return -EINVAL;
7211 	} else {
7212 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7213 	}
7214 
7215 
7216 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
7217 		params.link_sta_params.supported_rates =
7218 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7219 		params.link_sta_params.supported_rates_len =
7220 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7221 	}
7222 
7223 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7224 		params.capability =
7225 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7226 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7227 	}
7228 
7229 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7230 		params.ext_capab =
7231 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7232 		params.ext_capab_len =
7233 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7234 	}
7235 
7236 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7237 		return -EINVAL;
7238 
7239 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7240 		params.plink_action =
7241 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7242 
7243 	if (info->attrs[NL80211_ATTR_STA_PLINK_STATE]) {
7244 		params.plink_state =
7245 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
7246 		if (info->attrs[NL80211_ATTR_MESH_PEER_AID])
7247 			params.peer_aid = nla_get_u16(
7248 				info->attrs[NL80211_ATTR_MESH_PEER_AID]);
7249 		params.sta_modify_mask |= STATION_PARAM_APPLY_PLINK_STATE;
7250 	}
7251 
7252 	if (info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE])
7253 		params.local_pm = nla_get_u32(
7254 			info->attrs[NL80211_ATTR_LOCAL_MESH_POWER_MODE]);
7255 
7256 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7257 		params.link_sta_params.opmode_notif_used = true;
7258 		params.link_sta_params.opmode_notif =
7259 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7260 	}
7261 
7262 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7263 		params.link_sta_params.he_6ghz_capa =
7264 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7265 
7266 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7267 		params.airtime_weight =
7268 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7269 
7270 	if (params.airtime_weight &&
7271 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7272 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7273 		return -EOPNOTSUPP;
7274 
7275 	err = nl80211_parse_sta_txpower_setting(info,
7276 						&params.link_sta_params.txpwr,
7277 						&params.link_sta_params.txpwr_set);
7278 	if (err)
7279 		return err;
7280 
7281 	/* Include parameters for TDLS peer (will check later) */
7282 	err = nl80211_set_station_tdls(info, &params);
7283 	if (err)
7284 		return err;
7285 
7286 	params.vlan = get_vlan(info, rdev);
7287 	if (IS_ERR(params.vlan))
7288 		return PTR_ERR(params.vlan);
7289 
7290 	switch (dev->ieee80211_ptr->iftype) {
7291 	case NL80211_IFTYPE_AP:
7292 	case NL80211_IFTYPE_AP_VLAN:
7293 	case NL80211_IFTYPE_P2P_GO:
7294 	case NL80211_IFTYPE_P2P_CLIENT:
7295 	case NL80211_IFTYPE_STATION:
7296 	case NL80211_IFTYPE_ADHOC:
7297 	case NL80211_IFTYPE_MESH_POINT:
7298 		break;
7299 	default:
7300 		err = -EOPNOTSUPP;
7301 		goto out_put_vlan;
7302 	}
7303 
7304 	/* driver will call cfg80211_check_station_change() */
7305 	wdev_lock(dev->ieee80211_ptr);
7306 	err = rdev_change_station(rdev, dev, mac_addr, &params);
7307 	wdev_unlock(dev->ieee80211_ptr);
7308 
7309  out_put_vlan:
7310 	dev_put(params.vlan);
7311 
7312 	return err;
7313 }
7314 
7315 static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
7316 {
7317 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7318 	int err;
7319 	struct net_device *dev = info->user_ptr[1];
7320 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7321 	struct station_parameters params;
7322 	u8 *mac_addr = NULL;
7323 	u32 auth_assoc = BIT(NL80211_STA_FLAG_AUTHENTICATED) |
7324 			 BIT(NL80211_STA_FLAG_ASSOCIATED);
7325 
7326 	memset(&params, 0, sizeof(params));
7327 
7328 	if (!rdev->ops->add_station)
7329 		return -EOPNOTSUPP;
7330 
7331 	if (!info->attrs[NL80211_ATTR_MAC])
7332 		return -EINVAL;
7333 
7334 	if (!info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL])
7335 		return -EINVAL;
7336 
7337 	if (!info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
7338 		return -EINVAL;
7339 
7340 	if (!info->attrs[NL80211_ATTR_STA_AID] &&
7341 	    !info->attrs[NL80211_ATTR_PEER_AID])
7342 		return -EINVAL;
7343 
7344 	params.link_sta_params.link_id =
7345 		nl80211_link_id_or_invalid(info->attrs);
7346 
7347 	if (info->attrs[NL80211_ATTR_MLD_ADDR]) {
7348 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
7349 		params.link_sta_params.mld_mac = mac_addr;
7350 		params.link_sta_params.link_mac =
7351 			nla_data(info->attrs[NL80211_ATTR_MAC]);
7352 		if (!is_valid_ether_addr(params.link_sta_params.link_mac))
7353 			return -EINVAL;
7354 	} else {
7355 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
7356 	}
7357 
7358 	params.link_sta_params.supported_rates =
7359 		nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7360 	params.link_sta_params.supported_rates_len =
7361 		nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
7362 	params.listen_interval =
7363 		nla_get_u16(info->attrs[NL80211_ATTR_STA_LISTEN_INTERVAL]);
7364 
7365 	if (info->attrs[NL80211_ATTR_VLAN_ID])
7366 		params.vlan_id = nla_get_u16(info->attrs[NL80211_ATTR_VLAN_ID]);
7367 
7368 	if (info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]) {
7369 		params.support_p2p_ps =
7370 			nla_get_u8(info->attrs[NL80211_ATTR_STA_SUPPORT_P2P_PS]);
7371 	} else {
7372 		/*
7373 		 * if not specified, assume it's supported for P2P GO interface,
7374 		 * and is NOT supported for AP interface
7375 		 */
7376 		params.support_p2p_ps =
7377 			dev->ieee80211_ptr->iftype == NL80211_IFTYPE_P2P_GO;
7378 	}
7379 
7380 	if (info->attrs[NL80211_ATTR_PEER_AID])
7381 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_PEER_AID]);
7382 	else
7383 		params.aid = nla_get_u16(info->attrs[NL80211_ATTR_STA_AID]);
7384 
7385 	if (info->attrs[NL80211_ATTR_STA_CAPABILITY]) {
7386 		params.capability =
7387 			nla_get_u16(info->attrs[NL80211_ATTR_STA_CAPABILITY]);
7388 		params.sta_modify_mask |= STATION_PARAM_APPLY_CAPABILITY;
7389 	}
7390 
7391 	if (info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]) {
7392 		params.ext_capab =
7393 			nla_data(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7394 		params.ext_capab_len =
7395 			nla_len(info->attrs[NL80211_ATTR_STA_EXT_CAPABILITY]);
7396 	}
7397 
7398 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
7399 		params.link_sta_params.ht_capa =
7400 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
7401 
7402 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
7403 		params.link_sta_params.vht_capa =
7404 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
7405 
7406 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
7407 		params.link_sta_params.he_capa =
7408 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7409 		params.link_sta_params.he_capa_len =
7410 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
7411 
7412 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
7413 			params.link_sta_params.eht_capa =
7414 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7415 			params.link_sta_params.eht_capa_len =
7416 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
7417 
7418 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.link_sta_params.he_capa,
7419 							(const u8 *)params.link_sta_params.eht_capa,
7420 							params.link_sta_params.eht_capa_len,
7421 							false))
7422 				return -EINVAL;
7423 		}
7424 	}
7425 
7426 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
7427 		params.link_sta_params.he_6ghz_capa =
7428 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
7429 
7430 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
7431 		params.link_sta_params.opmode_notif_used = true;
7432 		params.link_sta_params.opmode_notif =
7433 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
7434 	}
7435 
7436 	if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
7437 		params.plink_action =
7438 			nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
7439 
7440 	if (info->attrs[NL80211_ATTR_AIRTIME_WEIGHT])
7441 		params.airtime_weight =
7442 			nla_get_u16(info->attrs[NL80211_ATTR_AIRTIME_WEIGHT]);
7443 
7444 	if (params.airtime_weight &&
7445 	    !wiphy_ext_feature_isset(&rdev->wiphy,
7446 				     NL80211_EXT_FEATURE_AIRTIME_FAIRNESS))
7447 		return -EOPNOTSUPP;
7448 
7449 	err = nl80211_parse_sta_txpower_setting(info,
7450 						&params.link_sta_params.txpwr,
7451 						&params.link_sta_params.txpwr_set);
7452 	if (err)
7453 		return err;
7454 
7455 	err = nl80211_parse_sta_channel_info(info, &params);
7456 	if (err)
7457 		return err;
7458 
7459 	err = nl80211_parse_sta_wme(info, &params);
7460 	if (err)
7461 		return err;
7462 
7463 	if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
7464 		return -EINVAL;
7465 
7466 	/* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
7467 	 * as userspace might just pass through the capabilities from the IEs
7468 	 * directly, rather than enforcing this restriction and returning an
7469 	 * error in this case.
7470 	 */
7471 	if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
7472 		params.link_sta_params.ht_capa = NULL;
7473 		params.link_sta_params.vht_capa = NULL;
7474 
7475 		/* HE and EHT require WME */
7476 		if (params.link_sta_params.he_capa_len ||
7477 		    params.link_sta_params.he_6ghz_capa ||
7478 		    params.link_sta_params.eht_capa_len)
7479 			return -EINVAL;
7480 	}
7481 
7482 	/* Ensure that HT/VHT capabilities are not set for 6 GHz HE STA */
7483 	if (params.link_sta_params.he_6ghz_capa &&
7484 	    (params.link_sta_params.ht_capa || params.link_sta_params.vht_capa))
7485 		return -EINVAL;
7486 
7487 	/* When you run into this, adjust the code below for the new flag */
7488 	BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
7489 
7490 	switch (dev->ieee80211_ptr->iftype) {
7491 	case NL80211_IFTYPE_AP:
7492 	case NL80211_IFTYPE_AP_VLAN:
7493 	case NL80211_IFTYPE_P2P_GO:
7494 		/* ignore WME attributes if iface/sta is not capable */
7495 		if (!(rdev->wiphy.flags & WIPHY_FLAG_AP_UAPSD) ||
7496 		    !(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME)))
7497 			params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7498 
7499 		/* TDLS peers cannot be added */
7500 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7501 		    info->attrs[NL80211_ATTR_PEER_AID])
7502 			return -EINVAL;
7503 		/* but don't bother the driver with it */
7504 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_TDLS_PEER);
7505 
7506 		/* allow authenticated/associated only if driver handles it */
7507 		if (!(rdev->wiphy.features &
7508 				NL80211_FEATURE_FULL_AP_CLIENT_STATE) &&
7509 		    params.sta_flags_mask & auth_assoc)
7510 			return -EINVAL;
7511 
7512 		/* Older userspace, or userspace wanting to be compatible with
7513 		 * !NL80211_FEATURE_FULL_AP_CLIENT_STATE, will not set the auth
7514 		 * and assoc flags in the mask, but assumes the station will be
7515 		 * added as associated anyway since this was the required driver
7516 		 * behaviour before NL80211_FEATURE_FULL_AP_CLIENT_STATE was
7517 		 * introduced.
7518 		 * In order to not bother drivers with this quirk in the API
7519 		 * set the flags in both the mask and set for new stations in
7520 		 * this case.
7521 		 */
7522 		if (!(params.sta_flags_mask & auth_assoc)) {
7523 			params.sta_flags_mask |= auth_assoc;
7524 			params.sta_flags_set |= auth_assoc;
7525 		}
7526 
7527 		/* must be last in here for error handling */
7528 		params.vlan = get_vlan(info, rdev);
7529 		if (IS_ERR(params.vlan))
7530 			return PTR_ERR(params.vlan);
7531 		break;
7532 	case NL80211_IFTYPE_MESH_POINT:
7533 		/* ignore uAPSD data */
7534 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7535 
7536 		/* associated is disallowed */
7537 		if (params.sta_flags_mask & BIT(NL80211_STA_FLAG_ASSOCIATED))
7538 			return -EINVAL;
7539 		/* TDLS peers cannot be added */
7540 		if ((params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) ||
7541 		    info->attrs[NL80211_ATTR_PEER_AID])
7542 			return -EINVAL;
7543 		break;
7544 	case NL80211_IFTYPE_STATION:
7545 	case NL80211_IFTYPE_P2P_CLIENT:
7546 		/* ignore uAPSD data */
7547 		params.sta_modify_mask &= ~STATION_PARAM_APPLY_UAPSD;
7548 
7549 		/* these are disallowed */
7550 		if (params.sta_flags_mask &
7551 				(BIT(NL80211_STA_FLAG_ASSOCIATED) |
7552 				 BIT(NL80211_STA_FLAG_AUTHENTICATED)))
7553 			return -EINVAL;
7554 		/* Only TDLS peers can be added */
7555 		if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)))
7556 			return -EINVAL;
7557 		/* Can only add if TDLS ... */
7558 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS))
7559 			return -EOPNOTSUPP;
7560 		/* ... with external setup is supported */
7561 		if (!(rdev->wiphy.flags & WIPHY_FLAG_TDLS_EXTERNAL_SETUP))
7562 			return -EOPNOTSUPP;
7563 		/*
7564 		 * Older wpa_supplicant versions always mark the TDLS peer
7565 		 * as authorized, but it shouldn't yet be.
7566 		 */
7567 		params.sta_flags_mask &= ~BIT(NL80211_STA_FLAG_AUTHORIZED);
7568 		break;
7569 	default:
7570 		return -EOPNOTSUPP;
7571 	}
7572 
7573 	/* be aware of params.vlan when changing code here */
7574 
7575 	wdev_lock(dev->ieee80211_ptr);
7576 	if (wdev->valid_links) {
7577 		if (params.link_sta_params.link_id < 0) {
7578 			err = -EINVAL;
7579 			goto out;
7580 		}
7581 		if (!(wdev->valid_links & BIT(params.link_sta_params.link_id))) {
7582 			err = -ENOLINK;
7583 			goto out;
7584 		}
7585 	} else {
7586 		if (params.link_sta_params.link_id >= 0) {
7587 			err = -EINVAL;
7588 			goto out;
7589 		}
7590 	}
7591 	err = rdev_add_station(rdev, dev, mac_addr, &params);
7592 out:
7593 	wdev_unlock(dev->ieee80211_ptr);
7594 	dev_put(params.vlan);
7595 	return err;
7596 }
7597 
7598 static int nl80211_del_station(struct sk_buff *skb, struct genl_info *info)
7599 {
7600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7601 	struct net_device *dev = info->user_ptr[1];
7602 	struct station_del_parameters params;
7603 	int ret;
7604 
7605 	memset(&params, 0, sizeof(params));
7606 
7607 	if (info->attrs[NL80211_ATTR_MAC])
7608 		params.mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
7609 
7610 	switch (dev->ieee80211_ptr->iftype) {
7611 	case NL80211_IFTYPE_AP:
7612 	case NL80211_IFTYPE_AP_VLAN:
7613 	case NL80211_IFTYPE_MESH_POINT:
7614 	case NL80211_IFTYPE_P2P_GO:
7615 		/* always accept these */
7616 		break;
7617 	case NL80211_IFTYPE_ADHOC:
7618 		/* conditionally accept */
7619 		if (wiphy_ext_feature_isset(&rdev->wiphy,
7620 					    NL80211_EXT_FEATURE_DEL_IBSS_STA))
7621 			break;
7622 		return -EINVAL;
7623 	default:
7624 		return -EINVAL;
7625 	}
7626 
7627 	if (!rdev->ops->del_station)
7628 		return -EOPNOTSUPP;
7629 
7630 	if (info->attrs[NL80211_ATTR_MGMT_SUBTYPE]) {
7631 		params.subtype =
7632 			nla_get_u8(info->attrs[NL80211_ATTR_MGMT_SUBTYPE]);
7633 		if (params.subtype != IEEE80211_STYPE_DISASSOC >> 4 &&
7634 		    params.subtype != IEEE80211_STYPE_DEAUTH >> 4)
7635 			return -EINVAL;
7636 	} else {
7637 		/* Default to Deauthentication frame */
7638 		params.subtype = IEEE80211_STYPE_DEAUTH >> 4;
7639 	}
7640 
7641 	if (info->attrs[NL80211_ATTR_REASON_CODE]) {
7642 		params.reason_code =
7643 			nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
7644 		if (params.reason_code == 0)
7645 			return -EINVAL; /* 0 is reserved */
7646 	} else {
7647 		/* Default to reason code 2 */
7648 		params.reason_code = WLAN_REASON_PREV_AUTH_NOT_VALID;
7649 	}
7650 
7651 	wdev_lock(dev->ieee80211_ptr);
7652 	ret = rdev_del_station(rdev, dev, &params);
7653 	wdev_unlock(dev->ieee80211_ptr);
7654 
7655 	return ret;
7656 }
7657 
7658 static int nl80211_send_mpath(struct sk_buff *msg, u32 portid, u32 seq,
7659 				int flags, struct net_device *dev,
7660 				u8 *dst, u8 *next_hop,
7661 				struct mpath_info *pinfo)
7662 {
7663 	void *hdr;
7664 	struct nlattr *pinfoattr;
7665 
7666 	hdr = nl80211hdr_put(msg, portid, seq, flags, NL80211_CMD_NEW_MPATH);
7667 	if (!hdr)
7668 		return -1;
7669 
7670 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
7671 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, dst) ||
7672 	    nla_put(msg, NL80211_ATTR_MPATH_NEXT_HOP, ETH_ALEN, next_hop) ||
7673 	    nla_put_u32(msg, NL80211_ATTR_GENERATION, pinfo->generation))
7674 		goto nla_put_failure;
7675 
7676 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MPATH_INFO);
7677 	if (!pinfoattr)
7678 		goto nla_put_failure;
7679 	if ((pinfo->filled & MPATH_INFO_FRAME_QLEN) &&
7680 	    nla_put_u32(msg, NL80211_MPATH_INFO_FRAME_QLEN,
7681 			pinfo->frame_qlen))
7682 		goto nla_put_failure;
7683 	if (((pinfo->filled & MPATH_INFO_SN) &&
7684 	     nla_put_u32(msg, NL80211_MPATH_INFO_SN, pinfo->sn)) ||
7685 	    ((pinfo->filled & MPATH_INFO_METRIC) &&
7686 	     nla_put_u32(msg, NL80211_MPATH_INFO_METRIC,
7687 			 pinfo->metric)) ||
7688 	    ((pinfo->filled & MPATH_INFO_EXPTIME) &&
7689 	     nla_put_u32(msg, NL80211_MPATH_INFO_EXPTIME,
7690 			 pinfo->exptime)) ||
7691 	    ((pinfo->filled & MPATH_INFO_FLAGS) &&
7692 	     nla_put_u8(msg, NL80211_MPATH_INFO_FLAGS,
7693 			pinfo->flags)) ||
7694 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_TIMEOUT) &&
7695 	     nla_put_u32(msg, NL80211_MPATH_INFO_DISCOVERY_TIMEOUT,
7696 			 pinfo->discovery_timeout)) ||
7697 	    ((pinfo->filled & MPATH_INFO_DISCOVERY_RETRIES) &&
7698 	     nla_put_u8(msg, NL80211_MPATH_INFO_DISCOVERY_RETRIES,
7699 			pinfo->discovery_retries)) ||
7700 	    ((pinfo->filled & MPATH_INFO_HOP_COUNT) &&
7701 	     nla_put_u8(msg, NL80211_MPATH_INFO_HOP_COUNT,
7702 			pinfo->hop_count)) ||
7703 	    ((pinfo->filled & MPATH_INFO_PATH_CHANGE) &&
7704 	     nla_put_u32(msg, NL80211_MPATH_INFO_PATH_CHANGE,
7705 			 pinfo->path_change_count)))
7706 		goto nla_put_failure;
7707 
7708 	nla_nest_end(msg, pinfoattr);
7709 
7710 	genlmsg_end(msg, hdr);
7711 	return 0;
7712 
7713  nla_put_failure:
7714 	genlmsg_cancel(msg, hdr);
7715 	return -EMSGSIZE;
7716 }
7717 
7718 static int nl80211_dump_mpath(struct sk_buff *skb,
7719 			      struct netlink_callback *cb)
7720 {
7721 	struct mpath_info pinfo;
7722 	struct cfg80211_registered_device *rdev;
7723 	struct wireless_dev *wdev;
7724 	u8 dst[ETH_ALEN];
7725 	u8 next_hop[ETH_ALEN];
7726 	int path_idx = cb->args[2];
7727 	int err;
7728 
7729 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7730 	if (err)
7731 		return err;
7732 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7733 	__acquire(&rdev->wiphy.mtx);
7734 
7735 	if (!rdev->ops->dump_mpath) {
7736 		err = -EOPNOTSUPP;
7737 		goto out_err;
7738 	}
7739 
7740 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7741 		err = -EOPNOTSUPP;
7742 		goto out_err;
7743 	}
7744 
7745 	while (1) {
7746 		err = rdev_dump_mpath(rdev, wdev->netdev, path_idx, dst,
7747 				      next_hop, &pinfo);
7748 		if (err == -ENOENT)
7749 			break;
7750 		if (err)
7751 			goto out_err;
7752 
7753 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7754 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7755 				       wdev->netdev, dst, next_hop,
7756 				       &pinfo) < 0)
7757 			goto out;
7758 
7759 		path_idx++;
7760 	}
7761 
7762  out:
7763 	cb->args[2] = path_idx;
7764 	err = skb->len;
7765  out_err:
7766 	wiphy_unlock(&rdev->wiphy);
7767 	return err;
7768 }
7769 
7770 static int nl80211_get_mpath(struct sk_buff *skb, struct genl_info *info)
7771 {
7772 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7773 	int err;
7774 	struct net_device *dev = info->user_ptr[1];
7775 	struct mpath_info pinfo;
7776 	struct sk_buff *msg;
7777 	u8 *dst = NULL;
7778 	u8 next_hop[ETH_ALEN];
7779 
7780 	memset(&pinfo, 0, sizeof(pinfo));
7781 
7782 	if (!info->attrs[NL80211_ATTR_MAC])
7783 		return -EINVAL;
7784 
7785 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7786 
7787 	if (!rdev->ops->get_mpath)
7788 		return -EOPNOTSUPP;
7789 
7790 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7791 		return -EOPNOTSUPP;
7792 
7793 	err = rdev_get_mpath(rdev, dev, dst, next_hop, &pinfo);
7794 	if (err)
7795 		return err;
7796 
7797 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7798 	if (!msg)
7799 		return -ENOMEM;
7800 
7801 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7802 				 dev, dst, next_hop, &pinfo) < 0) {
7803 		nlmsg_free(msg);
7804 		return -ENOBUFS;
7805 	}
7806 
7807 	return genlmsg_reply(msg, info);
7808 }
7809 
7810 static int nl80211_set_mpath(struct sk_buff *skb, struct genl_info *info)
7811 {
7812 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7813 	struct net_device *dev = info->user_ptr[1];
7814 	u8 *dst = NULL;
7815 	u8 *next_hop = NULL;
7816 
7817 	if (!info->attrs[NL80211_ATTR_MAC])
7818 		return -EINVAL;
7819 
7820 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7821 		return -EINVAL;
7822 
7823 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7824 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7825 
7826 	if (!rdev->ops->change_mpath)
7827 		return -EOPNOTSUPP;
7828 
7829 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7830 		return -EOPNOTSUPP;
7831 
7832 	return rdev_change_mpath(rdev, dev, dst, next_hop);
7833 }
7834 
7835 static int nl80211_new_mpath(struct sk_buff *skb, struct genl_info *info)
7836 {
7837 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7838 	struct net_device *dev = info->user_ptr[1];
7839 	u8 *dst = NULL;
7840 	u8 *next_hop = NULL;
7841 
7842 	if (!info->attrs[NL80211_ATTR_MAC])
7843 		return -EINVAL;
7844 
7845 	if (!info->attrs[NL80211_ATTR_MPATH_NEXT_HOP])
7846 		return -EINVAL;
7847 
7848 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7849 	next_hop = nla_data(info->attrs[NL80211_ATTR_MPATH_NEXT_HOP]);
7850 
7851 	if (!rdev->ops->add_mpath)
7852 		return -EOPNOTSUPP;
7853 
7854 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7855 		return -EOPNOTSUPP;
7856 
7857 	return rdev_add_mpath(rdev, dev, dst, next_hop);
7858 }
7859 
7860 static int nl80211_del_mpath(struct sk_buff *skb, struct genl_info *info)
7861 {
7862 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7863 	struct net_device *dev = info->user_ptr[1];
7864 	u8 *dst = NULL;
7865 
7866 	if (info->attrs[NL80211_ATTR_MAC])
7867 		dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7868 
7869 	if (!rdev->ops->del_mpath)
7870 		return -EOPNOTSUPP;
7871 
7872 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7873 		return -EOPNOTSUPP;
7874 
7875 	return rdev_del_mpath(rdev, dev, dst);
7876 }
7877 
7878 static int nl80211_get_mpp(struct sk_buff *skb, struct genl_info *info)
7879 {
7880 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7881 	int err;
7882 	struct net_device *dev = info->user_ptr[1];
7883 	struct mpath_info pinfo;
7884 	struct sk_buff *msg;
7885 	u8 *dst = NULL;
7886 	u8 mpp[ETH_ALEN];
7887 
7888 	memset(&pinfo, 0, sizeof(pinfo));
7889 
7890 	if (!info->attrs[NL80211_ATTR_MAC])
7891 		return -EINVAL;
7892 
7893 	dst = nla_data(info->attrs[NL80211_ATTR_MAC]);
7894 
7895 	if (!rdev->ops->get_mpp)
7896 		return -EOPNOTSUPP;
7897 
7898 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
7899 		return -EOPNOTSUPP;
7900 
7901 	err = rdev_get_mpp(rdev, dev, dst, mpp, &pinfo);
7902 	if (err)
7903 		return err;
7904 
7905 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
7906 	if (!msg)
7907 		return -ENOMEM;
7908 
7909 	if (nl80211_send_mpath(msg, info->snd_portid, info->snd_seq, 0,
7910 			       dev, dst, mpp, &pinfo) < 0) {
7911 		nlmsg_free(msg);
7912 		return -ENOBUFS;
7913 	}
7914 
7915 	return genlmsg_reply(msg, info);
7916 }
7917 
7918 static int nl80211_dump_mpp(struct sk_buff *skb,
7919 			    struct netlink_callback *cb)
7920 {
7921 	struct mpath_info pinfo;
7922 	struct cfg80211_registered_device *rdev;
7923 	struct wireless_dev *wdev;
7924 	u8 dst[ETH_ALEN];
7925 	u8 mpp[ETH_ALEN];
7926 	int path_idx = cb->args[2];
7927 	int err;
7928 
7929 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
7930 	if (err)
7931 		return err;
7932 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
7933 	__acquire(&rdev->wiphy.mtx);
7934 
7935 	if (!rdev->ops->dump_mpp) {
7936 		err = -EOPNOTSUPP;
7937 		goto out_err;
7938 	}
7939 
7940 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT) {
7941 		err = -EOPNOTSUPP;
7942 		goto out_err;
7943 	}
7944 
7945 	while (1) {
7946 		err = rdev_dump_mpp(rdev, wdev->netdev, path_idx, dst,
7947 				    mpp, &pinfo);
7948 		if (err == -ENOENT)
7949 			break;
7950 		if (err)
7951 			goto out_err;
7952 
7953 		if (nl80211_send_mpath(skb, NETLINK_CB(cb->skb).portid,
7954 				       cb->nlh->nlmsg_seq, NLM_F_MULTI,
7955 				       wdev->netdev, dst, mpp,
7956 				       &pinfo) < 0)
7957 			goto out;
7958 
7959 		path_idx++;
7960 	}
7961 
7962  out:
7963 	cb->args[2] = path_idx;
7964 	err = skb->len;
7965  out_err:
7966 	wiphy_unlock(&rdev->wiphy);
7967 	return err;
7968 }
7969 
7970 static int nl80211_set_bss(struct sk_buff *skb, struct genl_info *info)
7971 {
7972 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
7973 	struct net_device *dev = info->user_ptr[1];
7974 	struct wireless_dev *wdev = dev->ieee80211_ptr;
7975 	struct bss_parameters params;
7976 	int err;
7977 
7978 	memset(&params, 0, sizeof(params));
7979 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
7980 	/* default to not changing parameters */
7981 	params.use_cts_prot = -1;
7982 	params.use_short_preamble = -1;
7983 	params.use_short_slot_time = -1;
7984 	params.ap_isolate = -1;
7985 	params.ht_opmode = -1;
7986 	params.p2p_ctwindow = -1;
7987 	params.p2p_opp_ps = -1;
7988 
7989 	if (info->attrs[NL80211_ATTR_BSS_CTS_PROT])
7990 		params.use_cts_prot =
7991 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_CTS_PROT]);
7992 	if (info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE])
7993 		params.use_short_preamble =
7994 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_PREAMBLE]);
7995 	if (info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME])
7996 		params.use_short_slot_time =
7997 		    nla_get_u8(info->attrs[NL80211_ATTR_BSS_SHORT_SLOT_TIME]);
7998 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
7999 		params.basic_rates =
8000 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8001 		params.basic_rates_len =
8002 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
8003 	}
8004 	if (info->attrs[NL80211_ATTR_AP_ISOLATE])
8005 		params.ap_isolate = !!nla_get_u8(info->attrs[NL80211_ATTR_AP_ISOLATE]);
8006 	if (info->attrs[NL80211_ATTR_BSS_HT_OPMODE])
8007 		params.ht_opmode =
8008 			nla_get_u16(info->attrs[NL80211_ATTR_BSS_HT_OPMODE]);
8009 
8010 	if (info->attrs[NL80211_ATTR_P2P_CTWINDOW]) {
8011 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8012 			return -EINVAL;
8013 		params.p2p_ctwindow =
8014 			nla_get_u8(info->attrs[NL80211_ATTR_P2P_CTWINDOW]);
8015 		if (params.p2p_ctwindow != 0 &&
8016 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_CTWIN))
8017 			return -EINVAL;
8018 	}
8019 
8020 	if (info->attrs[NL80211_ATTR_P2P_OPPPS]) {
8021 		u8 tmp;
8022 
8023 		if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8024 			return -EINVAL;
8025 		tmp = nla_get_u8(info->attrs[NL80211_ATTR_P2P_OPPPS]);
8026 		params.p2p_opp_ps = tmp;
8027 		if (params.p2p_opp_ps &&
8028 		    !(rdev->wiphy.features & NL80211_FEATURE_P2P_GO_OPPPS))
8029 			return -EINVAL;
8030 	}
8031 
8032 	if (!rdev->ops->change_bss)
8033 		return -EOPNOTSUPP;
8034 
8035 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
8036 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
8037 		return -EOPNOTSUPP;
8038 
8039 	wdev_lock(wdev);
8040 	err = rdev_change_bss(rdev, dev, &params);
8041 	wdev_unlock(wdev);
8042 
8043 	return err;
8044 }
8045 
8046 static int nl80211_req_set_reg(struct sk_buff *skb, struct genl_info *info)
8047 {
8048 	char *data = NULL;
8049 	bool is_indoor;
8050 	enum nl80211_user_reg_hint_type user_reg_hint_type;
8051 	u32 owner_nlportid;
8052 
8053 	/*
8054 	 * You should only get this when cfg80211 hasn't yet initialized
8055 	 * completely when built-in to the kernel right between the time
8056 	 * window between nl80211_init() and regulatory_init(), if that is
8057 	 * even possible.
8058 	 */
8059 	if (unlikely(!rcu_access_pointer(cfg80211_regdomain)))
8060 		return -EINPROGRESS;
8061 
8062 	if (info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE])
8063 		user_reg_hint_type =
8064 		  nla_get_u32(info->attrs[NL80211_ATTR_USER_REG_HINT_TYPE]);
8065 	else
8066 		user_reg_hint_type = NL80211_USER_REG_HINT_USER;
8067 
8068 	switch (user_reg_hint_type) {
8069 	case NL80211_USER_REG_HINT_USER:
8070 	case NL80211_USER_REG_HINT_CELL_BASE:
8071 		if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8072 			return -EINVAL;
8073 
8074 		data = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8075 		return regulatory_hint_user(data, user_reg_hint_type);
8076 	case NL80211_USER_REG_HINT_INDOOR:
8077 		if (info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
8078 			owner_nlportid = info->snd_portid;
8079 			is_indoor = !!info->attrs[NL80211_ATTR_REG_INDOOR];
8080 		} else {
8081 			owner_nlportid = 0;
8082 			is_indoor = true;
8083 		}
8084 
8085 		return regulatory_hint_indoor(is_indoor, owner_nlportid);
8086 	default:
8087 		return -EINVAL;
8088 	}
8089 }
8090 
8091 static int nl80211_reload_regdb(struct sk_buff *skb, struct genl_info *info)
8092 {
8093 	return reg_reload_regdb();
8094 }
8095 
8096 static int nl80211_get_mesh_config(struct sk_buff *skb,
8097 				   struct genl_info *info)
8098 {
8099 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8100 	struct net_device *dev = info->user_ptr[1];
8101 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8102 	struct mesh_config cur_params;
8103 	int err = 0;
8104 	void *hdr;
8105 	struct nlattr *pinfoattr;
8106 	struct sk_buff *msg;
8107 
8108 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8109 		return -EOPNOTSUPP;
8110 
8111 	if (!rdev->ops->get_mesh_config)
8112 		return -EOPNOTSUPP;
8113 
8114 	wdev_lock(wdev);
8115 	/* If not connected, get default parameters */
8116 	if (!wdev->u.mesh.id_len)
8117 		memcpy(&cur_params, &default_mesh_config, sizeof(cur_params));
8118 	else
8119 		err = rdev_get_mesh_config(rdev, dev, &cur_params);
8120 	wdev_unlock(wdev);
8121 
8122 	if (err)
8123 		return err;
8124 
8125 	/* Draw up a netlink message to send back */
8126 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8127 	if (!msg)
8128 		return -ENOMEM;
8129 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8130 			     NL80211_CMD_GET_MESH_CONFIG);
8131 	if (!hdr)
8132 		goto out;
8133 	pinfoattr = nla_nest_start_noflag(msg, NL80211_ATTR_MESH_CONFIG);
8134 	if (!pinfoattr)
8135 		goto nla_put_failure;
8136 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
8137 	    nla_put_u16(msg, NL80211_MESHCONF_RETRY_TIMEOUT,
8138 			cur_params.dot11MeshRetryTimeout) ||
8139 	    nla_put_u16(msg, NL80211_MESHCONF_CONFIRM_TIMEOUT,
8140 			cur_params.dot11MeshConfirmTimeout) ||
8141 	    nla_put_u16(msg, NL80211_MESHCONF_HOLDING_TIMEOUT,
8142 			cur_params.dot11MeshHoldingTimeout) ||
8143 	    nla_put_u16(msg, NL80211_MESHCONF_MAX_PEER_LINKS,
8144 			cur_params.dot11MeshMaxPeerLinks) ||
8145 	    nla_put_u8(msg, NL80211_MESHCONF_MAX_RETRIES,
8146 		       cur_params.dot11MeshMaxRetries) ||
8147 	    nla_put_u8(msg, NL80211_MESHCONF_TTL,
8148 		       cur_params.dot11MeshTTL) ||
8149 	    nla_put_u8(msg, NL80211_MESHCONF_ELEMENT_TTL,
8150 		       cur_params.element_ttl) ||
8151 	    nla_put_u8(msg, NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8152 		       cur_params.auto_open_plinks) ||
8153 	    nla_put_u32(msg, NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8154 			cur_params.dot11MeshNbrOffsetMaxNeighbor) ||
8155 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8156 		       cur_params.dot11MeshHWMPmaxPREQretries) ||
8157 	    nla_put_u32(msg, NL80211_MESHCONF_PATH_REFRESH_TIME,
8158 			cur_params.path_refresh_time) ||
8159 	    nla_put_u16(msg, NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8160 			cur_params.min_discovery_timeout) ||
8161 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8162 			cur_params.dot11MeshHWMPactivePathTimeout) ||
8163 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8164 			cur_params.dot11MeshHWMPpreqMinInterval) ||
8165 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8166 			cur_params.dot11MeshHWMPperrMinInterval) ||
8167 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8168 			cur_params.dot11MeshHWMPnetDiameterTraversalTime) ||
8169 	    nla_put_u8(msg, NL80211_MESHCONF_HWMP_ROOTMODE,
8170 		       cur_params.dot11MeshHWMPRootMode) ||
8171 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8172 			cur_params.dot11MeshHWMPRannInterval) ||
8173 	    nla_put_u8(msg, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8174 		       cur_params.dot11MeshGateAnnouncementProtocol) ||
8175 	    nla_put_u8(msg, NL80211_MESHCONF_FORWARDING,
8176 		       cur_params.dot11MeshForwarding) ||
8177 	    nla_put_s32(msg, NL80211_MESHCONF_RSSI_THRESHOLD,
8178 			cur_params.rssi_threshold) ||
8179 	    nla_put_u32(msg, NL80211_MESHCONF_HT_OPMODE,
8180 			cur_params.ht_opmode) ||
8181 	    nla_put_u32(msg, NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8182 			cur_params.dot11MeshHWMPactivePathToRootTimeout) ||
8183 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8184 			cur_params.dot11MeshHWMProotInterval) ||
8185 	    nla_put_u16(msg, NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8186 			cur_params.dot11MeshHWMPconfirmationInterval) ||
8187 	    nla_put_u32(msg, NL80211_MESHCONF_POWER_MODE,
8188 			cur_params.power_mode) ||
8189 	    nla_put_u16(msg, NL80211_MESHCONF_AWAKE_WINDOW,
8190 			cur_params.dot11MeshAwakeWindowDuration) ||
8191 	    nla_put_u32(msg, NL80211_MESHCONF_PLINK_TIMEOUT,
8192 			cur_params.plink_timeout) ||
8193 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_GATE,
8194 		       cur_params.dot11MeshConnectedToMeshGate) ||
8195 	    nla_put_u8(msg, NL80211_MESHCONF_NOLEARN,
8196 		       cur_params.dot11MeshNolearn) ||
8197 	    nla_put_u8(msg, NL80211_MESHCONF_CONNECTED_TO_AS,
8198 		       cur_params.dot11MeshConnectedToAuthServer))
8199 		goto nla_put_failure;
8200 	nla_nest_end(msg, pinfoattr);
8201 	genlmsg_end(msg, hdr);
8202 	return genlmsg_reply(msg, info);
8203 
8204  nla_put_failure:
8205  out:
8206 	nlmsg_free(msg);
8207 	return -ENOBUFS;
8208 }
8209 
8210 static const struct nla_policy
8211 nl80211_meshconf_params_policy[NL80211_MESHCONF_ATTR_MAX+1] = {
8212 	[NL80211_MESHCONF_RETRY_TIMEOUT] =
8213 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8214 	[NL80211_MESHCONF_CONFIRM_TIMEOUT] =
8215 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8216 	[NL80211_MESHCONF_HOLDING_TIMEOUT] =
8217 		NLA_POLICY_RANGE(NLA_U16, 1, 255),
8218 	[NL80211_MESHCONF_MAX_PEER_LINKS] =
8219 		NLA_POLICY_RANGE(NLA_U16, 0, 255),
8220 	[NL80211_MESHCONF_MAX_RETRIES] = NLA_POLICY_MAX(NLA_U8, 16),
8221 	[NL80211_MESHCONF_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8222 	[NL80211_MESHCONF_ELEMENT_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
8223 	[NL80211_MESHCONF_AUTO_OPEN_PLINKS] = NLA_POLICY_MAX(NLA_U8, 1),
8224 	[NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR] =
8225 		NLA_POLICY_RANGE(NLA_U32, 1, 255),
8226 	[NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES] = { .type = NLA_U8 },
8227 	[NL80211_MESHCONF_PATH_REFRESH_TIME] = { .type = NLA_U32 },
8228 	[NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT] = NLA_POLICY_MIN(NLA_U16, 1),
8229 	[NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT] = { .type = NLA_U32 },
8230 	[NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL] =
8231 		NLA_POLICY_MIN(NLA_U16, 1),
8232 	[NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL] =
8233 		NLA_POLICY_MIN(NLA_U16, 1),
8234 	[NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME] =
8235 		NLA_POLICY_MIN(NLA_U16, 1),
8236 	[NL80211_MESHCONF_HWMP_ROOTMODE] = NLA_POLICY_MAX(NLA_U8, 4),
8237 	[NL80211_MESHCONF_HWMP_RANN_INTERVAL] =
8238 		NLA_POLICY_MIN(NLA_U16, 1),
8239 	[NL80211_MESHCONF_GATE_ANNOUNCEMENTS] = NLA_POLICY_MAX(NLA_U8, 1),
8240 	[NL80211_MESHCONF_FORWARDING] = NLA_POLICY_MAX(NLA_U8, 1),
8241 	[NL80211_MESHCONF_RSSI_THRESHOLD] =
8242 		NLA_POLICY_RANGE(NLA_S32, -255, 0),
8243 	[NL80211_MESHCONF_HT_OPMODE] = { .type = NLA_U16 },
8244 	[NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT] = { .type = NLA_U32 },
8245 	[NL80211_MESHCONF_HWMP_ROOT_INTERVAL] =
8246 		NLA_POLICY_MIN(NLA_U16, 1),
8247 	[NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL] =
8248 		NLA_POLICY_MIN(NLA_U16, 1),
8249 	[NL80211_MESHCONF_POWER_MODE] =
8250 		NLA_POLICY_RANGE(NLA_U32,
8251 				 NL80211_MESH_POWER_ACTIVE,
8252 				 NL80211_MESH_POWER_MAX),
8253 	[NL80211_MESHCONF_AWAKE_WINDOW] = { .type = NLA_U16 },
8254 	[NL80211_MESHCONF_PLINK_TIMEOUT] = { .type = NLA_U32 },
8255 	[NL80211_MESHCONF_CONNECTED_TO_GATE] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8256 	[NL80211_MESHCONF_NOLEARN] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8257 	[NL80211_MESHCONF_CONNECTED_TO_AS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
8258 };
8259 
8260 static const struct nla_policy
8261 	nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
8262 	[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC] = { .type = NLA_U8 },
8263 	[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
8264 	[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
8265 	[NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
8266 	[NL80211_MESH_SETUP_AUTH_PROTOCOL] = { .type = NLA_U8 },
8267 	[NL80211_MESH_SETUP_USERSPACE_MPM] = { .type = NLA_FLAG },
8268 	[NL80211_MESH_SETUP_IE] =
8269 		NLA_POLICY_VALIDATE_FN(NLA_BINARY, validate_ie_attr,
8270 				       IEEE80211_MAX_DATA_LEN),
8271 	[NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
8272 };
8273 
8274 static int nl80211_parse_mesh_config(struct genl_info *info,
8275 				     struct mesh_config *cfg,
8276 				     u32 *mask_out)
8277 {
8278 	struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
8279 	u32 mask = 0;
8280 	u16 ht_opmode;
8281 
8282 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, mask, attr, fn)	\
8283 do {									\
8284 	if (tb[attr]) {							\
8285 		cfg->param = fn(tb[attr]);				\
8286 		mask |= BIT((attr) - 1);				\
8287 	}								\
8288 } while (0)
8289 
8290 	if (!info->attrs[NL80211_ATTR_MESH_CONFIG])
8291 		return -EINVAL;
8292 	if (nla_parse_nested_deprecated(tb, NL80211_MESHCONF_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_CONFIG], nl80211_meshconf_params_policy, info->extack))
8293 		return -EINVAL;
8294 
8295 	/* This makes sure that there aren't more than 32 mesh config
8296 	 * parameters (otherwise our bitfield scheme would not work.) */
8297 	BUILD_BUG_ON(NL80211_MESHCONF_ATTR_MAX > 32);
8298 
8299 	/* Fill in the params struct */
8300 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshRetryTimeout, mask,
8301 				  NL80211_MESHCONF_RETRY_TIMEOUT, nla_get_u16);
8302 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConfirmTimeout, mask,
8303 				  NL80211_MESHCONF_CONFIRM_TIMEOUT,
8304 				  nla_get_u16);
8305 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHoldingTimeout, mask,
8306 				  NL80211_MESHCONF_HOLDING_TIMEOUT,
8307 				  nla_get_u16);
8308 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxPeerLinks, mask,
8309 				  NL80211_MESHCONF_MAX_PEER_LINKS,
8310 				  nla_get_u16);
8311 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshMaxRetries, mask,
8312 				  NL80211_MESHCONF_MAX_RETRIES, nla_get_u8);
8313 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshTTL, mask,
8314 				  NL80211_MESHCONF_TTL, nla_get_u8);
8315 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, element_ttl, mask,
8316 				  NL80211_MESHCONF_ELEMENT_TTL, nla_get_u8);
8317 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, auto_open_plinks, mask,
8318 				  NL80211_MESHCONF_AUTO_OPEN_PLINKS,
8319 				  nla_get_u8);
8320 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNbrOffsetMaxNeighbor,
8321 				  mask,
8322 				  NL80211_MESHCONF_SYNC_OFFSET_MAX_NEIGHBOR,
8323 				  nla_get_u32);
8324 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPmaxPREQretries, mask,
8325 				  NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES,
8326 				  nla_get_u8);
8327 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, path_refresh_time, mask,
8328 				  NL80211_MESHCONF_PATH_REFRESH_TIME,
8329 				  nla_get_u32);
8330 	if (mask & BIT(NL80211_MESHCONF_PATH_REFRESH_TIME) &&
8331 	    (cfg->path_refresh_time < 1 || cfg->path_refresh_time > 65535))
8332 		return -EINVAL;
8333 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, min_discovery_timeout, mask,
8334 				  NL80211_MESHCONF_MIN_DISCOVERY_TIMEOUT,
8335 				  nla_get_u16);
8336 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathTimeout,
8337 				  mask,
8338 				  NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT,
8339 				  nla_get_u32);
8340 	if (mask & BIT(NL80211_MESHCONF_HWMP_ACTIVE_PATH_TIMEOUT) &&
8341 	    (cfg->dot11MeshHWMPactivePathTimeout < 1 ||
8342 	     cfg->dot11MeshHWMPactivePathTimeout > 65535))
8343 		return -EINVAL;
8344 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPpreqMinInterval, mask,
8345 				  NL80211_MESHCONF_HWMP_PREQ_MIN_INTERVAL,
8346 				  nla_get_u16);
8347 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPperrMinInterval, mask,
8348 				  NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL,
8349 				  nla_get_u16);
8350 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8351 				  dot11MeshHWMPnetDiameterTraversalTime, mask,
8352 				  NL80211_MESHCONF_HWMP_NET_DIAM_TRVS_TIME,
8353 				  nla_get_u16);
8354 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRootMode, mask,
8355 				  NL80211_MESHCONF_HWMP_ROOTMODE, nla_get_u8);
8356 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPRannInterval, mask,
8357 				  NL80211_MESHCONF_HWMP_RANN_INTERVAL,
8358 				  nla_get_u16);
8359 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshGateAnnouncementProtocol,
8360 				  mask, NL80211_MESHCONF_GATE_ANNOUNCEMENTS,
8361 				  nla_get_u8);
8362 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshForwarding, mask,
8363 				  NL80211_MESHCONF_FORWARDING, nla_get_u8);
8364 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, mask,
8365 				  NL80211_MESHCONF_RSSI_THRESHOLD,
8366 				  nla_get_s32);
8367 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToMeshGate, mask,
8368 				  NL80211_MESHCONF_CONNECTED_TO_GATE,
8369 				  nla_get_u8);
8370 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshConnectedToAuthServer, mask,
8371 				  NL80211_MESHCONF_CONNECTED_TO_AS,
8372 				  nla_get_u8);
8373 	/*
8374 	 * Check HT operation mode based on
8375 	 * IEEE 802.11-2016 9.4.2.57 HT Operation element.
8376 	 */
8377 	if (tb[NL80211_MESHCONF_HT_OPMODE]) {
8378 		ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
8379 
8380 		if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
8381 				  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
8382 				  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
8383 			return -EINVAL;
8384 
8385 		/* NON_HT_STA bit is reserved, but some programs set it */
8386 		ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT;
8387 
8388 		cfg->ht_opmode = ht_opmode;
8389 		mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1));
8390 	}
8391 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg,
8392 				  dot11MeshHWMPactivePathToRootTimeout, mask,
8393 				  NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,
8394 				  nla_get_u32);
8395 	if (mask & BIT(NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT) &&
8396 	    (cfg->dot11MeshHWMPactivePathToRootTimeout < 1 ||
8397 	     cfg->dot11MeshHWMPactivePathToRootTimeout > 65535))
8398 		return -EINVAL;
8399 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMProotInterval, mask,
8400 				  NL80211_MESHCONF_HWMP_ROOT_INTERVAL,
8401 				  nla_get_u16);
8402 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPconfirmationInterval,
8403 				  mask,
8404 				  NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL,
8405 				  nla_get_u16);
8406 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, power_mode, mask,
8407 				  NL80211_MESHCONF_POWER_MODE, nla_get_u32);
8408 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshAwakeWindowDuration, mask,
8409 				  NL80211_MESHCONF_AWAKE_WINDOW, nla_get_u16);
8410 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, plink_timeout, mask,
8411 				  NL80211_MESHCONF_PLINK_TIMEOUT, nla_get_u32);
8412 	FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshNolearn, mask,
8413 				  NL80211_MESHCONF_NOLEARN, nla_get_u8);
8414 	if (mask_out)
8415 		*mask_out = mask;
8416 
8417 	return 0;
8418 
8419 #undef FILL_IN_MESH_PARAM_IF_SET
8420 }
8421 
8422 static int nl80211_parse_mesh_setup(struct genl_info *info,
8423 				     struct mesh_setup *setup)
8424 {
8425 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8426 	struct nlattr *tb[NL80211_MESH_SETUP_ATTR_MAX + 1];
8427 
8428 	if (!info->attrs[NL80211_ATTR_MESH_SETUP])
8429 		return -EINVAL;
8430 	if (nla_parse_nested_deprecated(tb, NL80211_MESH_SETUP_ATTR_MAX, info->attrs[NL80211_ATTR_MESH_SETUP], nl80211_mesh_setup_params_policy, info->extack))
8431 		return -EINVAL;
8432 
8433 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])
8434 		setup->sync_method =
8435 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_SYNC])) ?
8436 		 IEEE80211_SYNC_METHOD_VENDOR :
8437 		 IEEE80211_SYNC_METHOD_NEIGHBOR_OFFSET;
8438 
8439 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])
8440 		setup->path_sel_proto =
8441 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL])) ?
8442 		 IEEE80211_PATH_PROTOCOL_VENDOR :
8443 		 IEEE80211_PATH_PROTOCOL_HWMP;
8444 
8445 	if (tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])
8446 		setup->path_metric =
8447 		(nla_get_u8(tb[NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC])) ?
8448 		 IEEE80211_PATH_METRIC_VENDOR :
8449 		 IEEE80211_PATH_METRIC_AIRTIME;
8450 
8451 	if (tb[NL80211_MESH_SETUP_IE]) {
8452 		struct nlattr *ieattr =
8453 			tb[NL80211_MESH_SETUP_IE];
8454 		setup->ie = nla_data(ieattr);
8455 		setup->ie_len = nla_len(ieattr);
8456 	}
8457 	if (tb[NL80211_MESH_SETUP_USERSPACE_MPM] &&
8458 	    !(rdev->wiphy.features & NL80211_FEATURE_USERSPACE_MPM))
8459 		return -EINVAL;
8460 	setup->user_mpm = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_MPM]);
8461 	setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
8462 	setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
8463 	if (setup->is_secure)
8464 		setup->user_mpm = true;
8465 
8466 	if (tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]) {
8467 		if (!setup->user_mpm)
8468 			return -EINVAL;
8469 		setup->auth_id =
8470 			nla_get_u8(tb[NL80211_MESH_SETUP_AUTH_PROTOCOL]);
8471 	}
8472 
8473 	return 0;
8474 }
8475 
8476 static int nl80211_update_mesh_config(struct sk_buff *skb,
8477 				      struct genl_info *info)
8478 {
8479 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
8480 	struct net_device *dev = info->user_ptr[1];
8481 	struct wireless_dev *wdev = dev->ieee80211_ptr;
8482 	struct mesh_config cfg;
8483 	u32 mask;
8484 	int err;
8485 
8486 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
8487 		return -EOPNOTSUPP;
8488 
8489 	if (!rdev->ops->update_mesh_config)
8490 		return -EOPNOTSUPP;
8491 
8492 	err = nl80211_parse_mesh_config(info, &cfg, &mask);
8493 	if (err)
8494 		return err;
8495 
8496 	wdev_lock(wdev);
8497 	if (!wdev->u.mesh.id_len)
8498 		err = -ENOLINK;
8499 
8500 	if (!err)
8501 		err = rdev_update_mesh_config(rdev, dev, mask, &cfg);
8502 
8503 	wdev_unlock(wdev);
8504 
8505 	return err;
8506 }
8507 
8508 static int nl80211_put_regdom(const struct ieee80211_regdomain *regdom,
8509 			      struct sk_buff *msg)
8510 {
8511 	struct nlattr *nl_reg_rules;
8512 	unsigned int i;
8513 
8514 	if (nla_put_string(msg, NL80211_ATTR_REG_ALPHA2, regdom->alpha2) ||
8515 	    (regdom->dfs_region &&
8516 	     nla_put_u8(msg, NL80211_ATTR_DFS_REGION, regdom->dfs_region)))
8517 		goto nla_put_failure;
8518 
8519 	nl_reg_rules = nla_nest_start_noflag(msg, NL80211_ATTR_REG_RULES);
8520 	if (!nl_reg_rules)
8521 		goto nla_put_failure;
8522 
8523 	for (i = 0; i < regdom->n_reg_rules; i++) {
8524 		struct nlattr *nl_reg_rule;
8525 		const struct ieee80211_reg_rule *reg_rule;
8526 		const struct ieee80211_freq_range *freq_range;
8527 		const struct ieee80211_power_rule *power_rule;
8528 		unsigned int max_bandwidth_khz;
8529 
8530 		reg_rule = &regdom->reg_rules[i];
8531 		freq_range = &reg_rule->freq_range;
8532 		power_rule = &reg_rule->power_rule;
8533 
8534 		nl_reg_rule = nla_nest_start_noflag(msg, i);
8535 		if (!nl_reg_rule)
8536 			goto nla_put_failure;
8537 
8538 		max_bandwidth_khz = freq_range->max_bandwidth_khz;
8539 		if (!max_bandwidth_khz)
8540 			max_bandwidth_khz = reg_get_max_bandwidth(regdom,
8541 								  reg_rule);
8542 
8543 		if (nla_put_u32(msg, NL80211_ATTR_REG_RULE_FLAGS,
8544 				reg_rule->flags) ||
8545 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_START,
8546 				freq_range->start_freq_khz) ||
8547 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_END,
8548 				freq_range->end_freq_khz) ||
8549 		    nla_put_u32(msg, NL80211_ATTR_FREQ_RANGE_MAX_BW,
8550 				max_bandwidth_khz) ||
8551 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN,
8552 				power_rule->max_antenna_gain) ||
8553 		    nla_put_u32(msg, NL80211_ATTR_POWER_RULE_MAX_EIRP,
8554 				power_rule->max_eirp) ||
8555 		    nla_put_u32(msg, NL80211_ATTR_DFS_CAC_TIME,
8556 				reg_rule->dfs_cac_ms))
8557 			goto nla_put_failure;
8558 
8559 		nla_nest_end(msg, nl_reg_rule);
8560 	}
8561 
8562 	nla_nest_end(msg, nl_reg_rules);
8563 	return 0;
8564 
8565 nla_put_failure:
8566 	return -EMSGSIZE;
8567 }
8568 
8569 static int nl80211_get_reg_do(struct sk_buff *skb, struct genl_info *info)
8570 {
8571 	const struct ieee80211_regdomain *regdom = NULL;
8572 	struct cfg80211_registered_device *rdev;
8573 	struct wiphy *wiphy = NULL;
8574 	struct sk_buff *msg;
8575 	int err = -EMSGSIZE;
8576 	void *hdr;
8577 
8578 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
8579 	if (!msg)
8580 		return -ENOBUFS;
8581 
8582 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
8583 			     NL80211_CMD_GET_REG);
8584 	if (!hdr)
8585 		goto put_failure;
8586 
8587 	rtnl_lock();
8588 
8589 	if (info->attrs[NL80211_ATTR_WIPHY]) {
8590 		bool self_managed;
8591 
8592 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
8593 		if (IS_ERR(rdev)) {
8594 			err = PTR_ERR(rdev);
8595 			goto nla_put_failure;
8596 		}
8597 
8598 		wiphy = &rdev->wiphy;
8599 		self_managed = wiphy->regulatory_flags &
8600 			       REGULATORY_WIPHY_SELF_MANAGED;
8601 
8602 		rcu_read_lock();
8603 
8604 		regdom = get_wiphy_regdom(wiphy);
8605 
8606 		/* a self-managed-reg device must have a private regdom */
8607 		if (WARN_ON(!regdom && self_managed)) {
8608 			err = -EINVAL;
8609 			goto nla_put_failure_rcu;
8610 		}
8611 
8612 		if (regdom &&
8613 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8614 			goto nla_put_failure_rcu;
8615 	} else {
8616 		rcu_read_lock();
8617 	}
8618 
8619 	if (!wiphy && reg_last_request_cell_base() &&
8620 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8621 			NL80211_USER_REG_HINT_CELL_BASE))
8622 		goto nla_put_failure_rcu;
8623 
8624 	if (!regdom)
8625 		regdom = rcu_dereference(cfg80211_regdomain);
8626 
8627 	if (nl80211_put_regdom(regdom, msg))
8628 		goto nla_put_failure_rcu;
8629 
8630 	rcu_read_unlock();
8631 
8632 	genlmsg_end(msg, hdr);
8633 	rtnl_unlock();
8634 	return genlmsg_reply(msg, info);
8635 
8636 nla_put_failure_rcu:
8637 	rcu_read_unlock();
8638 nla_put_failure:
8639 	rtnl_unlock();
8640 put_failure:
8641 	nlmsg_free(msg);
8642 	return err;
8643 }
8644 
8645 static int nl80211_send_regdom(struct sk_buff *msg, struct netlink_callback *cb,
8646 			       u32 seq, int flags, struct wiphy *wiphy,
8647 			       const struct ieee80211_regdomain *regdom)
8648 {
8649 	void *hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
8650 				   NL80211_CMD_GET_REG);
8651 
8652 	if (!hdr)
8653 		return -1;
8654 
8655 	genl_dump_check_consistent(cb, hdr);
8656 
8657 	if (nl80211_put_regdom(regdom, msg))
8658 		goto nla_put_failure;
8659 
8660 	if (!wiphy && reg_last_request_cell_base() &&
8661 	    nla_put_u32(msg, NL80211_ATTR_USER_REG_HINT_TYPE,
8662 			NL80211_USER_REG_HINT_CELL_BASE))
8663 		goto nla_put_failure;
8664 
8665 	if (wiphy &&
8666 	    nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
8667 		goto nla_put_failure;
8668 
8669 	if (wiphy && wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
8670 	    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
8671 		goto nla_put_failure;
8672 
8673 	genlmsg_end(msg, hdr);
8674 	return 0;
8675 
8676 nla_put_failure:
8677 	genlmsg_cancel(msg, hdr);
8678 	return -EMSGSIZE;
8679 }
8680 
8681 static int nl80211_get_reg_dump(struct sk_buff *skb,
8682 				struct netlink_callback *cb)
8683 {
8684 	const struct ieee80211_regdomain *regdom = NULL;
8685 	struct cfg80211_registered_device *rdev;
8686 	int err, reg_idx, start = cb->args[2];
8687 
8688 	rcu_read_lock();
8689 
8690 	if (cfg80211_regdomain && start == 0) {
8691 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8692 					  NLM_F_MULTI, NULL,
8693 					  rcu_dereference(cfg80211_regdomain));
8694 		if (err < 0)
8695 			goto out_err;
8696 	}
8697 
8698 	/* the global regdom is idx 0 */
8699 	reg_idx = 1;
8700 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
8701 		regdom = get_wiphy_regdom(&rdev->wiphy);
8702 		if (!regdom)
8703 			continue;
8704 
8705 		if (++reg_idx <= start)
8706 			continue;
8707 
8708 		err = nl80211_send_regdom(skb, cb, cb->nlh->nlmsg_seq,
8709 					  NLM_F_MULTI, &rdev->wiphy, regdom);
8710 		if (err < 0) {
8711 			reg_idx--;
8712 			break;
8713 		}
8714 	}
8715 
8716 	cb->args[2] = reg_idx;
8717 	err = skb->len;
8718 out_err:
8719 	rcu_read_unlock();
8720 	return err;
8721 }
8722 
8723 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
8724 static const struct nla_policy reg_rule_policy[NL80211_REG_RULE_ATTR_MAX + 1] = {
8725 	[NL80211_ATTR_REG_RULE_FLAGS]		= { .type = NLA_U32 },
8726 	[NL80211_ATTR_FREQ_RANGE_START]		= { .type = NLA_U32 },
8727 	[NL80211_ATTR_FREQ_RANGE_END]		= { .type = NLA_U32 },
8728 	[NL80211_ATTR_FREQ_RANGE_MAX_BW]	= { .type = NLA_U32 },
8729 	[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]	= { .type = NLA_U32 },
8730 	[NL80211_ATTR_POWER_RULE_MAX_EIRP]	= { .type = NLA_U32 },
8731 	[NL80211_ATTR_DFS_CAC_TIME]		= { .type = NLA_U32 },
8732 };
8733 
8734 static int parse_reg_rule(struct nlattr *tb[],
8735 	struct ieee80211_reg_rule *reg_rule)
8736 {
8737 	struct ieee80211_freq_range *freq_range = &reg_rule->freq_range;
8738 	struct ieee80211_power_rule *power_rule = &reg_rule->power_rule;
8739 
8740 	if (!tb[NL80211_ATTR_REG_RULE_FLAGS])
8741 		return -EINVAL;
8742 	if (!tb[NL80211_ATTR_FREQ_RANGE_START])
8743 		return -EINVAL;
8744 	if (!tb[NL80211_ATTR_FREQ_RANGE_END])
8745 		return -EINVAL;
8746 	if (!tb[NL80211_ATTR_FREQ_RANGE_MAX_BW])
8747 		return -EINVAL;
8748 	if (!tb[NL80211_ATTR_POWER_RULE_MAX_EIRP])
8749 		return -EINVAL;
8750 
8751 	reg_rule->flags = nla_get_u32(tb[NL80211_ATTR_REG_RULE_FLAGS]);
8752 
8753 	freq_range->start_freq_khz =
8754 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_START]);
8755 	freq_range->end_freq_khz =
8756 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_END]);
8757 	freq_range->max_bandwidth_khz =
8758 		nla_get_u32(tb[NL80211_ATTR_FREQ_RANGE_MAX_BW]);
8759 
8760 	power_rule->max_eirp =
8761 		nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_EIRP]);
8762 
8763 	if (tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN])
8764 		power_rule->max_antenna_gain =
8765 			nla_get_u32(tb[NL80211_ATTR_POWER_RULE_MAX_ANT_GAIN]);
8766 
8767 	if (tb[NL80211_ATTR_DFS_CAC_TIME])
8768 		reg_rule->dfs_cac_ms =
8769 			nla_get_u32(tb[NL80211_ATTR_DFS_CAC_TIME]);
8770 
8771 	return 0;
8772 }
8773 
8774 static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
8775 {
8776 	struct nlattr *tb[NL80211_REG_RULE_ATTR_MAX + 1];
8777 	struct nlattr *nl_reg_rule;
8778 	char *alpha2;
8779 	int rem_reg_rules, r;
8780 	u32 num_rules = 0, rule_idx = 0;
8781 	enum nl80211_dfs_regions dfs_region = NL80211_DFS_UNSET;
8782 	struct ieee80211_regdomain *rd;
8783 
8784 	if (!info->attrs[NL80211_ATTR_REG_ALPHA2])
8785 		return -EINVAL;
8786 
8787 	if (!info->attrs[NL80211_ATTR_REG_RULES])
8788 		return -EINVAL;
8789 
8790 	alpha2 = nla_data(info->attrs[NL80211_ATTR_REG_ALPHA2]);
8791 
8792 	if (info->attrs[NL80211_ATTR_DFS_REGION])
8793 		dfs_region = nla_get_u8(info->attrs[NL80211_ATTR_DFS_REGION]);
8794 
8795 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8796 			    rem_reg_rules) {
8797 		num_rules++;
8798 		if (num_rules > NL80211_MAX_SUPP_REG_RULES)
8799 			return -EINVAL;
8800 	}
8801 
8802 	rtnl_lock();
8803 	if (!reg_is_valid_request(alpha2)) {
8804 		r = -EINVAL;
8805 		goto out;
8806 	}
8807 
8808 	rd = kzalloc(struct_size(rd, reg_rules, num_rules), GFP_KERNEL);
8809 	if (!rd) {
8810 		r = -ENOMEM;
8811 		goto out;
8812 	}
8813 
8814 	rd->n_reg_rules = num_rules;
8815 	rd->alpha2[0] = alpha2[0];
8816 	rd->alpha2[1] = alpha2[1];
8817 
8818 	/*
8819 	 * Disable DFS master mode if the DFS region was
8820 	 * not supported or known on this kernel.
8821 	 */
8822 	if (reg_supported_dfs_region(dfs_region))
8823 		rd->dfs_region = dfs_region;
8824 
8825 	nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
8826 			    rem_reg_rules) {
8827 		r = nla_parse_nested_deprecated(tb, NL80211_REG_RULE_ATTR_MAX,
8828 						nl_reg_rule, reg_rule_policy,
8829 						info->extack);
8830 		if (r)
8831 			goto bad_reg;
8832 		r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
8833 		if (r)
8834 			goto bad_reg;
8835 
8836 		rule_idx++;
8837 
8838 		if (rule_idx > NL80211_MAX_SUPP_REG_RULES) {
8839 			r = -EINVAL;
8840 			goto bad_reg;
8841 		}
8842 	}
8843 
8844 	r = set_regdom(rd, REGD_SOURCE_CRDA);
8845 	/* set_regdom takes ownership of rd */
8846 	rd = NULL;
8847  bad_reg:
8848 	kfree(rd);
8849  out:
8850 	rtnl_unlock();
8851 	return r;
8852 }
8853 #endif /* CONFIG_CFG80211_CRDA_SUPPORT */
8854 
8855 static int validate_scan_freqs(struct nlattr *freqs)
8856 {
8857 	struct nlattr *attr1, *attr2;
8858 	int n_channels = 0, tmp1, tmp2;
8859 
8860 	nla_for_each_nested(attr1, freqs, tmp1)
8861 		if (nla_len(attr1) != sizeof(u32))
8862 			return 0;
8863 
8864 	nla_for_each_nested(attr1, freqs, tmp1) {
8865 		n_channels++;
8866 		/*
8867 		 * Some hardware has a limited channel list for
8868 		 * scanning, and it is pretty much nonsensical
8869 		 * to scan for a channel twice, so disallow that
8870 		 * and don't require drivers to check that the
8871 		 * channel list they get isn't longer than what
8872 		 * they can scan, as long as they can scan all
8873 		 * the channels they registered at once.
8874 		 */
8875 		nla_for_each_nested(attr2, freqs, tmp2)
8876 			if (attr1 != attr2 &&
8877 			    nla_get_u32(attr1) == nla_get_u32(attr2))
8878 				return 0;
8879 	}
8880 
8881 	return n_channels;
8882 }
8883 
8884 static bool is_band_valid(struct wiphy *wiphy, enum nl80211_band b)
8885 {
8886 	return b < NUM_NL80211_BANDS && wiphy->bands[b];
8887 }
8888 
8889 static int parse_bss_select(struct nlattr *nla, struct wiphy *wiphy,
8890 			    struct cfg80211_bss_selection *bss_select)
8891 {
8892 	struct nlattr *attr[NL80211_BSS_SELECT_ATTR_MAX + 1];
8893 	struct nlattr *nest;
8894 	int err;
8895 	bool found = false;
8896 	int i;
8897 
8898 	/* only process one nested attribute */
8899 	nest = nla_data(nla);
8900 	if (!nla_ok(nest, nla_len(nest)))
8901 		return -EINVAL;
8902 
8903 	err = nla_parse_nested_deprecated(attr, NL80211_BSS_SELECT_ATTR_MAX,
8904 					  nest, nl80211_bss_select_policy,
8905 					  NULL);
8906 	if (err)
8907 		return err;
8908 
8909 	/* only one attribute may be given */
8910 	for (i = 0; i <= NL80211_BSS_SELECT_ATTR_MAX; i++) {
8911 		if (attr[i]) {
8912 			if (found)
8913 				return -EINVAL;
8914 			found = true;
8915 		}
8916 	}
8917 
8918 	bss_select->behaviour = __NL80211_BSS_SELECT_ATTR_INVALID;
8919 
8920 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI])
8921 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI;
8922 
8923 	if (attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]) {
8924 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_BAND_PREF;
8925 		bss_select->param.band_pref =
8926 			nla_get_u32(attr[NL80211_BSS_SELECT_ATTR_BAND_PREF]);
8927 		if (!is_band_valid(wiphy, bss_select->param.band_pref))
8928 			return -EINVAL;
8929 	}
8930 
8931 	if (attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]) {
8932 		struct nl80211_bss_select_rssi_adjust *adj_param;
8933 
8934 		adj_param = nla_data(attr[NL80211_BSS_SELECT_ATTR_RSSI_ADJUST]);
8935 		bss_select->behaviour = NL80211_BSS_SELECT_ATTR_RSSI_ADJUST;
8936 		bss_select->param.adjust.band = adj_param->band;
8937 		bss_select->param.adjust.delta = adj_param->delta;
8938 		if (!is_band_valid(wiphy, bss_select->param.adjust.band))
8939 			return -EINVAL;
8940 	}
8941 
8942 	/* user-space did not provide behaviour attribute */
8943 	if (bss_select->behaviour == __NL80211_BSS_SELECT_ATTR_INVALID)
8944 		return -EINVAL;
8945 
8946 	if (!(wiphy->bss_select_support & BIT(bss_select->behaviour)))
8947 		return -EINVAL;
8948 
8949 	return 0;
8950 }
8951 
8952 int nl80211_parse_random_mac(struct nlattr **attrs,
8953 			     u8 *mac_addr, u8 *mac_addr_mask)
8954 {
8955 	int i;
8956 
8957 	if (!attrs[NL80211_ATTR_MAC] && !attrs[NL80211_ATTR_MAC_MASK]) {
8958 		eth_zero_addr(mac_addr);
8959 		eth_zero_addr(mac_addr_mask);
8960 		mac_addr[0] = 0x2;
8961 		mac_addr_mask[0] = 0x3;
8962 
8963 		return 0;
8964 	}
8965 
8966 	/* need both or none */
8967 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_MAC_MASK])
8968 		return -EINVAL;
8969 
8970 	memcpy(mac_addr, nla_data(attrs[NL80211_ATTR_MAC]), ETH_ALEN);
8971 	memcpy(mac_addr_mask, nla_data(attrs[NL80211_ATTR_MAC_MASK]), ETH_ALEN);
8972 
8973 	/* don't allow or configure an mcast address */
8974 	if (!is_multicast_ether_addr(mac_addr_mask) ||
8975 	    is_multicast_ether_addr(mac_addr))
8976 		return -EINVAL;
8977 
8978 	/*
8979 	 * allow users to pass a MAC address that has bits set outside
8980 	 * of the mask, but don't bother drivers with having to deal
8981 	 * with such bits
8982 	 */
8983 	for (i = 0; i < ETH_ALEN; i++)
8984 		mac_addr[i] &= mac_addr_mask[i];
8985 
8986 	return 0;
8987 }
8988 
8989 static bool cfg80211_off_channel_oper_allowed(struct wireless_dev *wdev,
8990 					      struct ieee80211_channel *chan)
8991 {
8992 	unsigned int link_id;
8993 	bool all_ok = true;
8994 
8995 	ASSERT_WDEV_LOCK(wdev);
8996 
8997 	if (!cfg80211_beaconing_iface_active(wdev))
8998 		return true;
8999 
9000 	/*
9001 	 * FIXME: check if we have a free HW resource/link for chan
9002 	 *
9003 	 * This, as well as the FIXME below, requires knowing the link
9004 	 * capabilities of the hardware.
9005 	 */
9006 
9007 	/* we cannot leave radar channels */
9008 	for_each_valid_link(wdev, link_id) {
9009 		struct cfg80211_chan_def *chandef;
9010 
9011 		chandef = wdev_chandef(wdev, link_id);
9012 		if (!chandef || !chandef->chan)
9013 			continue;
9014 
9015 		/*
9016 		 * FIXME: don't require all_ok, but rather check only the
9017 		 *	  correct HW resource/link onto which 'chan' falls,
9018 		 *	  as only that link leaves the channel for doing
9019 		 *	  the off-channel operation.
9020 		 */
9021 
9022 		if (chandef->chan->flags & IEEE80211_CHAN_RADAR)
9023 			all_ok = false;
9024 	}
9025 
9026 	if (all_ok)
9027 		return true;
9028 
9029 	return regulatory_pre_cac_allowed(wdev->wiphy);
9030 }
9031 
9032 static bool nl80211_check_scan_feat(struct wiphy *wiphy, u32 flags, u32 flag,
9033 				    enum nl80211_ext_feature_index feat)
9034 {
9035 	if (!(flags & flag))
9036 		return true;
9037 	if (wiphy_ext_feature_isset(wiphy, feat))
9038 		return true;
9039 	return false;
9040 }
9041 
9042 static int
9043 nl80211_check_scan_flags(struct wiphy *wiphy, struct wireless_dev *wdev,
9044 			 void *request, struct nlattr **attrs,
9045 			 bool is_sched_scan)
9046 {
9047 	u8 *mac_addr, *mac_addr_mask;
9048 	u32 *flags;
9049 	enum nl80211_feature_flags randomness_flag;
9050 
9051 	if (!attrs[NL80211_ATTR_SCAN_FLAGS])
9052 		return 0;
9053 
9054 	if (is_sched_scan) {
9055 		struct cfg80211_sched_scan_request *req = request;
9056 
9057 		randomness_flag = wdev ?
9058 				  NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR :
9059 				  NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
9060 		flags = &req->flags;
9061 		mac_addr = req->mac_addr;
9062 		mac_addr_mask = req->mac_addr_mask;
9063 	} else {
9064 		struct cfg80211_scan_request *req = request;
9065 
9066 		randomness_flag = NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR;
9067 		flags = &req->flags;
9068 		mac_addr = req->mac_addr;
9069 		mac_addr_mask = req->mac_addr_mask;
9070 	}
9071 
9072 	*flags = nla_get_u32(attrs[NL80211_ATTR_SCAN_FLAGS]);
9073 
9074 	if (((*flags & NL80211_SCAN_FLAG_LOW_PRIORITY) &&
9075 	     !(wiphy->features & NL80211_FEATURE_LOW_PRIORITY_SCAN)) ||
9076 	    !nl80211_check_scan_feat(wiphy, *flags,
9077 				     NL80211_SCAN_FLAG_LOW_SPAN,
9078 				     NL80211_EXT_FEATURE_LOW_SPAN_SCAN) ||
9079 	    !nl80211_check_scan_feat(wiphy, *flags,
9080 				     NL80211_SCAN_FLAG_LOW_POWER,
9081 				     NL80211_EXT_FEATURE_LOW_POWER_SCAN) ||
9082 	    !nl80211_check_scan_feat(wiphy, *flags,
9083 				     NL80211_SCAN_FLAG_HIGH_ACCURACY,
9084 				     NL80211_EXT_FEATURE_HIGH_ACCURACY_SCAN) ||
9085 	    !nl80211_check_scan_feat(wiphy, *flags,
9086 				     NL80211_SCAN_FLAG_FILS_MAX_CHANNEL_TIME,
9087 				     NL80211_EXT_FEATURE_FILS_MAX_CHANNEL_TIME) ||
9088 	    !nl80211_check_scan_feat(wiphy, *flags,
9089 				     NL80211_SCAN_FLAG_ACCEPT_BCAST_PROBE_RESP,
9090 				     NL80211_EXT_FEATURE_ACCEPT_BCAST_PROBE_RESP) ||
9091 	    !nl80211_check_scan_feat(wiphy, *flags,
9092 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION,
9093 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_DEFERRAL_SUPPRESSION) ||
9094 	    !nl80211_check_scan_feat(wiphy, *flags,
9095 				     NL80211_SCAN_FLAG_OCE_PROBE_REQ_HIGH_TX_RATE,
9096 				     NL80211_EXT_FEATURE_OCE_PROBE_REQ_HIGH_TX_RATE) ||
9097 	    !nl80211_check_scan_feat(wiphy, *flags,
9098 				     NL80211_SCAN_FLAG_RANDOM_SN,
9099 				     NL80211_EXT_FEATURE_SCAN_RANDOM_SN) ||
9100 	    !nl80211_check_scan_feat(wiphy, *flags,
9101 				     NL80211_SCAN_FLAG_MIN_PREQ_CONTENT,
9102 				     NL80211_EXT_FEATURE_SCAN_MIN_PREQ_CONTENT))
9103 		return -EOPNOTSUPP;
9104 
9105 	if (*flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
9106 		int err;
9107 
9108 		if (!(wiphy->features & randomness_flag) ||
9109 		    (wdev && wdev->connected))
9110 			return -EOPNOTSUPP;
9111 
9112 		err = nl80211_parse_random_mac(attrs, mac_addr, mac_addr_mask);
9113 		if (err)
9114 			return err;
9115 	}
9116 
9117 	return 0;
9118 }
9119 
9120 static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
9121 {
9122 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9123 	struct wireless_dev *wdev = info->user_ptr[1];
9124 	struct cfg80211_scan_request *request;
9125 	struct nlattr *scan_freqs = NULL;
9126 	bool scan_freqs_khz = false;
9127 	struct nlattr *attr;
9128 	struct wiphy *wiphy;
9129 	int err, tmp, n_ssids = 0, n_channels, i;
9130 	size_t ie_len, size;
9131 
9132 	wiphy = &rdev->wiphy;
9133 
9134 	if (wdev->iftype == NL80211_IFTYPE_NAN)
9135 		return -EOPNOTSUPP;
9136 
9137 	if (!rdev->ops->scan)
9138 		return -EOPNOTSUPP;
9139 
9140 	if (rdev->scan_req || rdev->scan_msg)
9141 		return -EBUSY;
9142 
9143 	if (info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ]) {
9144 		if (!wiphy_ext_feature_isset(wiphy,
9145 					     NL80211_EXT_FEATURE_SCAN_FREQ_KHZ))
9146 			return -EOPNOTSUPP;
9147 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQ_KHZ];
9148 		scan_freqs_khz = true;
9149 	} else if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES])
9150 		scan_freqs = info->attrs[NL80211_ATTR_SCAN_FREQUENCIES];
9151 
9152 	if (scan_freqs) {
9153 		n_channels = validate_scan_freqs(scan_freqs);
9154 		if (!n_channels)
9155 			return -EINVAL;
9156 	} else {
9157 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9158 	}
9159 
9160 	if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
9161 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp)
9162 			n_ssids++;
9163 
9164 	if (n_ssids > wiphy->max_scan_ssids)
9165 		return -EINVAL;
9166 
9167 	if (info->attrs[NL80211_ATTR_IE])
9168 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9169 	else
9170 		ie_len = 0;
9171 
9172 	if (ie_len > wiphy->max_scan_ie_len)
9173 		return -EINVAL;
9174 
9175 	size = struct_size(request, channels, n_channels);
9176 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9177 	size = size_add(size, ie_len);
9178 	request = kzalloc(size, GFP_KERNEL);
9179 	if (!request)
9180 		return -ENOMEM;
9181 
9182 	if (n_ssids)
9183 		request->ssids = (void *)&request->channels[n_channels];
9184 	request->n_ssids = n_ssids;
9185 	if (ie_len) {
9186 		if (n_ssids)
9187 			request->ie = (void *)(request->ssids + n_ssids);
9188 		else
9189 			request->ie = (void *)(request->channels + n_channels);
9190 	}
9191 
9192 	i = 0;
9193 	if (scan_freqs) {
9194 		/* user specified, bail out if channel not found */
9195 		nla_for_each_nested(attr, scan_freqs, tmp) {
9196 			struct ieee80211_channel *chan;
9197 			int freq = nla_get_u32(attr);
9198 
9199 			if (!scan_freqs_khz)
9200 				freq = MHZ_TO_KHZ(freq);
9201 
9202 			chan = ieee80211_get_channel_khz(wiphy, freq);
9203 			if (!chan) {
9204 				err = -EINVAL;
9205 				goto out_free;
9206 			}
9207 
9208 			/* ignore disabled channels */
9209 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9210 				continue;
9211 
9212 			request->channels[i] = chan;
9213 			i++;
9214 		}
9215 	} else {
9216 		enum nl80211_band band;
9217 
9218 		/* all channels */
9219 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9220 			int j;
9221 
9222 			if (!wiphy->bands[band])
9223 				continue;
9224 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9225 				struct ieee80211_channel *chan;
9226 
9227 				chan = &wiphy->bands[band]->channels[j];
9228 
9229 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9230 					continue;
9231 
9232 				request->channels[i] = chan;
9233 				i++;
9234 			}
9235 		}
9236 	}
9237 
9238 	if (!i) {
9239 		err = -EINVAL;
9240 		goto out_free;
9241 	}
9242 
9243 	request->n_channels = i;
9244 
9245 	wdev_lock(wdev);
9246 	for (i = 0; i < request->n_channels; i++) {
9247 		struct ieee80211_channel *chan = request->channels[i];
9248 
9249 		/* if we can go off-channel to the target channel we're good */
9250 		if (cfg80211_off_channel_oper_allowed(wdev, chan))
9251 			continue;
9252 
9253 		if (!cfg80211_wdev_on_sub_chan(wdev, chan, true)) {
9254 			wdev_unlock(wdev);
9255 			err = -EBUSY;
9256 			goto out_free;
9257 		}
9258 	}
9259 	wdev_unlock(wdev);
9260 
9261 	i = 0;
9262 	if (n_ssids) {
9263 		nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) {
9264 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9265 				err = -EINVAL;
9266 				goto out_free;
9267 			}
9268 			request->ssids[i].ssid_len = nla_len(attr);
9269 			memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr));
9270 			i++;
9271 		}
9272 	}
9273 
9274 	if (info->attrs[NL80211_ATTR_IE]) {
9275 		request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
9276 		memcpy((void *)request->ie,
9277 		       nla_data(info->attrs[NL80211_ATTR_IE]),
9278 		       request->ie_len);
9279 	}
9280 
9281 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9282 		if (wiphy->bands[i])
9283 			request->rates[i] =
9284 				(1 << wiphy->bands[i]->n_bitrates) - 1;
9285 
9286 	if (info->attrs[NL80211_ATTR_SCAN_SUPP_RATES]) {
9287 		nla_for_each_nested(attr,
9288 				    info->attrs[NL80211_ATTR_SCAN_SUPP_RATES],
9289 				    tmp) {
9290 			enum nl80211_band band = nla_type(attr);
9291 
9292 			if (band < 0 || band >= NUM_NL80211_BANDS) {
9293 				err = -EINVAL;
9294 				goto out_free;
9295 			}
9296 
9297 			if (!wiphy->bands[band])
9298 				continue;
9299 
9300 			err = ieee80211_get_ratemask(wiphy->bands[band],
9301 						     nla_data(attr),
9302 						     nla_len(attr),
9303 						     &request->rates[band]);
9304 			if (err)
9305 				goto out_free;
9306 		}
9307 	}
9308 
9309 	if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) {
9310 		request->duration =
9311 			nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]);
9312 		request->duration_mandatory =
9313 			nla_get_flag(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION_MANDATORY]);
9314 	}
9315 
9316 	err = nl80211_check_scan_flags(wiphy, wdev, request, info->attrs,
9317 				       false);
9318 	if (err)
9319 		goto out_free;
9320 
9321 	request->no_cck =
9322 		nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
9323 
9324 	/* Initial implementation used NL80211_ATTR_MAC to set the specific
9325 	 * BSSID to scan for. This was problematic because that same attribute
9326 	 * was already used for another purpose (local random MAC address). The
9327 	 * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
9328 	 * compatibility with older userspace components, also use the
9329 	 * NL80211_ATTR_MAC value here if it can be determined to be used for
9330 	 * the specific BSSID use case instead of the random MAC address
9331 	 * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
9332 	 */
9333 	if (info->attrs[NL80211_ATTR_BSSID])
9334 		memcpy(request->bssid,
9335 		       nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
9336 	else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
9337 		 info->attrs[NL80211_ATTR_MAC])
9338 		memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
9339 		       ETH_ALEN);
9340 	else
9341 		eth_broadcast_addr(request->bssid);
9342 
9343 	request->wdev = wdev;
9344 	request->wiphy = &rdev->wiphy;
9345 	request->scan_start = jiffies;
9346 
9347 	rdev->scan_req = request;
9348 	err = cfg80211_scan(rdev);
9349 
9350 	if (err)
9351 		goto out_free;
9352 
9353 	nl80211_send_scan_start(rdev, wdev);
9354 	dev_hold(wdev->netdev);
9355 
9356 	return 0;
9357 
9358  out_free:
9359 	rdev->scan_req = NULL;
9360 	kfree(request);
9361 
9362 	return err;
9363 }
9364 
9365 static int nl80211_abort_scan(struct sk_buff *skb, struct genl_info *info)
9366 {
9367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9368 	struct wireless_dev *wdev = info->user_ptr[1];
9369 
9370 	if (!rdev->ops->abort_scan)
9371 		return -EOPNOTSUPP;
9372 
9373 	if (rdev->scan_msg)
9374 		return 0;
9375 
9376 	if (!rdev->scan_req)
9377 		return -ENOENT;
9378 
9379 	rdev_abort_scan(rdev, wdev);
9380 	return 0;
9381 }
9382 
9383 static int
9384 nl80211_parse_sched_scan_plans(struct wiphy *wiphy, int n_plans,
9385 			       struct cfg80211_sched_scan_request *request,
9386 			       struct nlattr **attrs)
9387 {
9388 	int tmp, err, i = 0;
9389 	struct nlattr *attr;
9390 
9391 	if (!attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9392 		u32 interval;
9393 
9394 		/*
9395 		 * If scan plans are not specified,
9396 		 * %NL80211_ATTR_SCHED_SCAN_INTERVAL will be specified. In this
9397 		 * case one scan plan will be set with the specified scan
9398 		 * interval and infinite number of iterations.
9399 		 */
9400 		interval = nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
9401 		if (!interval)
9402 			return -EINVAL;
9403 
9404 		request->scan_plans[0].interval =
9405 			DIV_ROUND_UP(interval, MSEC_PER_SEC);
9406 		if (!request->scan_plans[0].interval)
9407 			return -EINVAL;
9408 
9409 		if (request->scan_plans[0].interval >
9410 		    wiphy->max_sched_scan_plan_interval)
9411 			request->scan_plans[0].interval =
9412 				wiphy->max_sched_scan_plan_interval;
9413 
9414 		return 0;
9415 	}
9416 
9417 	nla_for_each_nested(attr, attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp) {
9418 		struct nlattr *plan[NL80211_SCHED_SCAN_PLAN_MAX + 1];
9419 
9420 		if (WARN_ON(i >= n_plans))
9421 			return -EINVAL;
9422 
9423 		err = nla_parse_nested_deprecated(plan,
9424 						  NL80211_SCHED_SCAN_PLAN_MAX,
9425 						  attr, nl80211_plan_policy,
9426 						  NULL);
9427 		if (err)
9428 			return err;
9429 
9430 		if (!plan[NL80211_SCHED_SCAN_PLAN_INTERVAL])
9431 			return -EINVAL;
9432 
9433 		request->scan_plans[i].interval =
9434 			nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_INTERVAL]);
9435 		if (!request->scan_plans[i].interval ||
9436 		    request->scan_plans[i].interval >
9437 		    wiphy->max_sched_scan_plan_interval)
9438 			return -EINVAL;
9439 
9440 		if (plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]) {
9441 			request->scan_plans[i].iterations =
9442 				nla_get_u32(plan[NL80211_SCHED_SCAN_PLAN_ITERATIONS]);
9443 			if (!request->scan_plans[i].iterations ||
9444 			    (request->scan_plans[i].iterations >
9445 			     wiphy->max_sched_scan_plan_iterations))
9446 				return -EINVAL;
9447 		} else if (i < n_plans - 1) {
9448 			/*
9449 			 * All scan plans but the last one must specify
9450 			 * a finite number of iterations
9451 			 */
9452 			return -EINVAL;
9453 		}
9454 
9455 		i++;
9456 	}
9457 
9458 	/*
9459 	 * The last scan plan must not specify the number of
9460 	 * iterations, it is supposed to run infinitely
9461 	 */
9462 	if (request->scan_plans[n_plans - 1].iterations)
9463 		return  -EINVAL;
9464 
9465 	return 0;
9466 }
9467 
9468 static int
9469 nl80211_parse_sched_scan_per_band_rssi(struct wiphy *wiphy,
9470 				       struct cfg80211_match_set *match_sets,
9471 				       struct nlattr *tb_band_rssi,
9472 				       s32 rssi_thold)
9473 {
9474 	struct nlattr *attr;
9475 	int i, tmp, ret = 0;
9476 
9477 	if (!wiphy_ext_feature_isset(wiphy,
9478 		    NL80211_EXT_FEATURE_SCHED_SCAN_BAND_SPECIFIC_RSSI_THOLD)) {
9479 		if (tb_band_rssi)
9480 			ret = -EOPNOTSUPP;
9481 		else
9482 			for (i = 0; i < NUM_NL80211_BANDS; i++)
9483 				match_sets->per_band_rssi_thold[i] =
9484 					NL80211_SCAN_RSSI_THOLD_OFF;
9485 		return ret;
9486 	}
9487 
9488 	for (i = 0; i < NUM_NL80211_BANDS; i++)
9489 		match_sets->per_band_rssi_thold[i] = rssi_thold;
9490 
9491 	nla_for_each_nested(attr, tb_band_rssi, tmp) {
9492 		enum nl80211_band band = nla_type(attr);
9493 
9494 		if (band < 0 || band >= NUM_NL80211_BANDS)
9495 			return -EINVAL;
9496 
9497 		match_sets->per_band_rssi_thold[band] =	nla_get_s32(attr);
9498 	}
9499 
9500 	return 0;
9501 }
9502 
9503 static struct cfg80211_sched_scan_request *
9504 nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
9505 			 struct nlattr **attrs, int max_match_sets)
9506 {
9507 	struct cfg80211_sched_scan_request *request;
9508 	struct nlattr *attr;
9509 	int err, tmp, n_ssids = 0, n_match_sets = 0, n_channels, i, n_plans = 0;
9510 	enum nl80211_band band;
9511 	size_t ie_len, size;
9512 	struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
9513 	s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
9514 
9515 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9516 		n_channels = validate_scan_freqs(
9517 				attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
9518 		if (!n_channels)
9519 			return ERR_PTR(-EINVAL);
9520 	} else {
9521 		n_channels = ieee80211_get_num_supported_channels(wiphy);
9522 	}
9523 
9524 	if (attrs[NL80211_ATTR_SCAN_SSIDS])
9525 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9526 				    tmp)
9527 			n_ssids++;
9528 
9529 	if (n_ssids > wiphy->max_sched_scan_ssids)
9530 		return ERR_PTR(-EINVAL);
9531 
9532 	/*
9533 	 * First, count the number of 'real' matchsets. Due to an issue with
9534 	 * the old implementation, matchsets containing only the RSSI attribute
9535 	 * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
9536 	 * RSSI for all matchsets, rather than their own matchset for reporting
9537 	 * all APs with a strong RSSI. This is needed to be compatible with
9538 	 * older userspace that treated a matchset with only the RSSI as the
9539 	 * global RSSI for all other matchsets - if there are other matchsets.
9540 	 */
9541 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9542 		nla_for_each_nested(attr,
9543 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9544 				    tmp) {
9545 			struct nlattr *rssi;
9546 
9547 			err = nla_parse_nested_deprecated(tb,
9548 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9549 							  attr,
9550 							  nl80211_match_policy,
9551 							  NULL);
9552 			if (err)
9553 				return ERR_PTR(err);
9554 
9555 			/* SSID and BSSID are mutually exclusive */
9556 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] &&
9557 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID])
9558 				return ERR_PTR(-EINVAL);
9559 
9560 			/* add other standalone attributes here */
9561 			if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID] ||
9562 			    tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID]) {
9563 				n_match_sets++;
9564 				continue;
9565 			}
9566 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9567 			if (rssi)
9568 				default_match_rssi = nla_get_s32(rssi);
9569 		}
9570 	}
9571 
9572 	/* However, if there's no other matchset, add the RSSI one */
9573 	if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
9574 		n_match_sets = 1;
9575 
9576 	if (n_match_sets > max_match_sets)
9577 		return ERR_PTR(-EINVAL);
9578 
9579 	if (attrs[NL80211_ATTR_IE])
9580 		ie_len = nla_len(attrs[NL80211_ATTR_IE]);
9581 	else
9582 		ie_len = 0;
9583 
9584 	if (ie_len > wiphy->max_sched_scan_ie_len)
9585 		return ERR_PTR(-EINVAL);
9586 
9587 	if (attrs[NL80211_ATTR_SCHED_SCAN_PLANS]) {
9588 		/*
9589 		 * NL80211_ATTR_SCHED_SCAN_INTERVAL must not be specified since
9590 		 * each scan plan already specifies its own interval
9591 		 */
9592 		if (attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9593 			return ERR_PTR(-EINVAL);
9594 
9595 		nla_for_each_nested(attr,
9596 				    attrs[NL80211_ATTR_SCHED_SCAN_PLANS], tmp)
9597 			n_plans++;
9598 	} else {
9599 		/*
9600 		 * The scan interval attribute is kept for backward
9601 		 * compatibility. If no scan plans are specified and sched scan
9602 		 * interval is specified, one scan plan will be set with this
9603 		 * scan interval and infinite number of iterations.
9604 		 */
9605 		if (!attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
9606 			return ERR_PTR(-EINVAL);
9607 
9608 		n_plans = 1;
9609 	}
9610 
9611 	if (!n_plans || n_plans > wiphy->max_sched_scan_plans)
9612 		return ERR_PTR(-EINVAL);
9613 
9614 	if (!wiphy_ext_feature_isset(
9615 		    wiphy, NL80211_EXT_FEATURE_SCHED_SCAN_RELATIVE_RSSI) &&
9616 	    (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI] ||
9617 	     attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]))
9618 		return ERR_PTR(-EINVAL);
9619 
9620 	size = struct_size(request, channels, n_channels);
9621 	size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
9622 	size = size_add(size, array_size(sizeof(*request->match_sets),
9623 					 n_match_sets));
9624 	size = size_add(size, array_size(sizeof(*request->scan_plans),
9625 					 n_plans));
9626 	size = size_add(size, ie_len);
9627 	request = kzalloc(size, GFP_KERNEL);
9628 	if (!request)
9629 		return ERR_PTR(-ENOMEM);
9630 
9631 	if (n_ssids)
9632 		request->ssids = (void *)&request->channels[n_channels];
9633 	request->n_ssids = n_ssids;
9634 	if (ie_len) {
9635 		if (n_ssids)
9636 			request->ie = (void *)(request->ssids + n_ssids);
9637 		else
9638 			request->ie = (void *)(request->channels + n_channels);
9639 	}
9640 
9641 	if (n_match_sets) {
9642 		if (request->ie)
9643 			request->match_sets = (void *)(request->ie + ie_len);
9644 		else if (n_ssids)
9645 			request->match_sets =
9646 				(void *)(request->ssids + n_ssids);
9647 		else
9648 			request->match_sets =
9649 				(void *)(request->channels + n_channels);
9650 	}
9651 	request->n_match_sets = n_match_sets;
9652 
9653 	if (n_match_sets)
9654 		request->scan_plans = (void *)(request->match_sets +
9655 					       n_match_sets);
9656 	else if (request->ie)
9657 		request->scan_plans = (void *)(request->ie + ie_len);
9658 	else if (n_ssids)
9659 		request->scan_plans = (void *)(request->ssids + n_ssids);
9660 	else
9661 		request->scan_plans = (void *)(request->channels + n_channels);
9662 
9663 	request->n_scan_plans = n_plans;
9664 
9665 	i = 0;
9666 	if (attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
9667 		/* user specified, bail out if channel not found */
9668 		nla_for_each_nested(attr,
9669 				    attrs[NL80211_ATTR_SCAN_FREQUENCIES],
9670 				    tmp) {
9671 			struct ieee80211_channel *chan;
9672 
9673 			chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
9674 
9675 			if (!chan) {
9676 				err = -EINVAL;
9677 				goto out_free;
9678 			}
9679 
9680 			/* ignore disabled channels */
9681 			if (chan->flags & IEEE80211_CHAN_DISABLED)
9682 				continue;
9683 
9684 			request->channels[i] = chan;
9685 			i++;
9686 		}
9687 	} else {
9688 		/* all channels */
9689 		for (band = 0; band < NUM_NL80211_BANDS; band++) {
9690 			int j;
9691 
9692 			if (!wiphy->bands[band])
9693 				continue;
9694 			for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
9695 				struct ieee80211_channel *chan;
9696 
9697 				chan = &wiphy->bands[band]->channels[j];
9698 
9699 				if (chan->flags & IEEE80211_CHAN_DISABLED)
9700 					continue;
9701 
9702 				request->channels[i] = chan;
9703 				i++;
9704 			}
9705 		}
9706 	}
9707 
9708 	if (!i) {
9709 		err = -EINVAL;
9710 		goto out_free;
9711 	}
9712 
9713 	request->n_channels = i;
9714 
9715 	i = 0;
9716 	if (n_ssids) {
9717 		nla_for_each_nested(attr, attrs[NL80211_ATTR_SCAN_SSIDS],
9718 				    tmp) {
9719 			if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) {
9720 				err = -EINVAL;
9721 				goto out_free;
9722 			}
9723 			request->ssids[i].ssid_len = nla_len(attr);
9724 			memcpy(request->ssids[i].ssid, nla_data(attr),
9725 			       nla_len(attr));
9726 			i++;
9727 		}
9728 	}
9729 
9730 	i = 0;
9731 	if (attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
9732 		nla_for_each_nested(attr,
9733 				    attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
9734 				    tmp) {
9735 			struct nlattr *ssid, *bssid, *rssi;
9736 
9737 			err = nla_parse_nested_deprecated(tb,
9738 							  NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
9739 							  attr,
9740 							  nl80211_match_policy,
9741 							  NULL);
9742 			if (err)
9743 				goto out_free;
9744 			ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
9745 			bssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_BSSID];
9746 
9747 			if (!ssid && !bssid) {
9748 				i++;
9749 				continue;
9750 			}
9751 
9752 			if (WARN_ON(i >= n_match_sets)) {
9753 				/* this indicates a programming error,
9754 				 * the loop above should have verified
9755 				 * things properly
9756 				 */
9757 				err = -EINVAL;
9758 				goto out_free;
9759 			}
9760 
9761 			if (ssid) {
9762 				memcpy(request->match_sets[i].ssid.ssid,
9763 				       nla_data(ssid), nla_len(ssid));
9764 				request->match_sets[i].ssid.ssid_len =
9765 					nla_len(ssid);
9766 			}
9767 			if (bssid)
9768 				memcpy(request->match_sets[i].bssid,
9769 				       nla_data(bssid), ETH_ALEN);
9770 
9771 			/* special attribute - old implementation w/a */
9772 			request->match_sets[i].rssi_thold = default_match_rssi;
9773 			rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
9774 			if (rssi)
9775 				request->match_sets[i].rssi_thold =
9776 					nla_get_s32(rssi);
9777 
9778 			/* Parse per band RSSI attribute */
9779 			err = nl80211_parse_sched_scan_per_band_rssi(wiphy,
9780 				&request->match_sets[i],
9781 				tb[NL80211_SCHED_SCAN_MATCH_PER_BAND_RSSI],
9782 				request->match_sets[i].rssi_thold);
9783 			if (err)
9784 				goto out_free;
9785 
9786 			i++;
9787 		}
9788 
9789 		/* there was no other matchset, so the RSSI one is alone */
9790 		if (i == 0 && n_match_sets)
9791 			request->match_sets[0].rssi_thold = default_match_rssi;
9792 
9793 		request->min_rssi_thold = INT_MAX;
9794 		for (i = 0; i < n_match_sets; i++)
9795 			request->min_rssi_thold =
9796 				min(request->match_sets[i].rssi_thold,
9797 				    request->min_rssi_thold);
9798 	} else {
9799 		request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
9800 	}
9801 
9802 	if (ie_len) {
9803 		request->ie_len = ie_len;
9804 		memcpy((void *)request->ie,
9805 		       nla_data(attrs[NL80211_ATTR_IE]),
9806 		       request->ie_len);
9807 	}
9808 
9809 	err = nl80211_check_scan_flags(wiphy, wdev, request, attrs, true);
9810 	if (err)
9811 		goto out_free;
9812 
9813 	if (attrs[NL80211_ATTR_SCHED_SCAN_DELAY])
9814 		request->delay =
9815 			nla_get_u32(attrs[NL80211_ATTR_SCHED_SCAN_DELAY]);
9816 
9817 	if (attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]) {
9818 		request->relative_rssi = nla_get_s8(
9819 			attrs[NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI]);
9820 		request->relative_rssi_set = true;
9821 	}
9822 
9823 	if (request->relative_rssi_set &&
9824 	    attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]) {
9825 		struct nl80211_bss_select_rssi_adjust *rssi_adjust;
9826 
9827 		rssi_adjust = nla_data(
9828 			attrs[NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST]);
9829 		request->rssi_adjust.band = rssi_adjust->band;
9830 		request->rssi_adjust.delta = rssi_adjust->delta;
9831 		if (!is_band_valid(wiphy, request->rssi_adjust.band)) {
9832 			err = -EINVAL;
9833 			goto out_free;
9834 		}
9835 	}
9836 
9837 	err = nl80211_parse_sched_scan_plans(wiphy, n_plans, request, attrs);
9838 	if (err)
9839 		goto out_free;
9840 
9841 	request->scan_start = jiffies;
9842 
9843 	return request;
9844 
9845 out_free:
9846 	kfree(request);
9847 	return ERR_PTR(err);
9848 }
9849 
9850 static int nl80211_start_sched_scan(struct sk_buff *skb,
9851 				    struct genl_info *info)
9852 {
9853 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9854 	struct net_device *dev = info->user_ptr[1];
9855 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9856 	struct cfg80211_sched_scan_request *sched_scan_req;
9857 	bool want_multi;
9858 	int err;
9859 
9860 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_start)
9861 		return -EOPNOTSUPP;
9862 
9863 	want_multi = info->attrs[NL80211_ATTR_SCHED_SCAN_MULTI];
9864 	err = cfg80211_sched_scan_req_possible(rdev, want_multi);
9865 	if (err)
9866 		return err;
9867 
9868 	sched_scan_req = nl80211_parse_sched_scan(&rdev->wiphy, wdev,
9869 						  info->attrs,
9870 						  rdev->wiphy.max_match_sets);
9871 
9872 	err = PTR_ERR_OR_ZERO(sched_scan_req);
9873 	if (err)
9874 		goto out_err;
9875 
9876 	/* leave request id zero for legacy request
9877 	 * or if driver does not support multi-scheduled scan
9878 	 */
9879 	if (want_multi && rdev->wiphy.max_sched_scan_reqs > 1)
9880 		sched_scan_req->reqid = cfg80211_assign_cookie(rdev);
9881 
9882 	err = rdev_sched_scan_start(rdev, dev, sched_scan_req);
9883 	if (err)
9884 		goto out_free;
9885 
9886 	sched_scan_req->dev = dev;
9887 	sched_scan_req->wiphy = &rdev->wiphy;
9888 
9889 	if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
9890 		sched_scan_req->owner_nlportid = info->snd_portid;
9891 
9892 	cfg80211_add_sched_scan_req(rdev, sched_scan_req);
9893 
9894 	nl80211_send_sched_scan(sched_scan_req, NL80211_CMD_START_SCHED_SCAN);
9895 	return 0;
9896 
9897 out_free:
9898 	kfree(sched_scan_req);
9899 out_err:
9900 	return err;
9901 }
9902 
9903 static int nl80211_stop_sched_scan(struct sk_buff *skb,
9904 				   struct genl_info *info)
9905 {
9906 	struct cfg80211_sched_scan_request *req;
9907 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9908 	u64 cookie;
9909 
9910 	if (!rdev->wiphy.max_sched_scan_reqs || !rdev->ops->sched_scan_stop)
9911 		return -EOPNOTSUPP;
9912 
9913 	if (info->attrs[NL80211_ATTR_COOKIE]) {
9914 		cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
9915 		return __cfg80211_stop_sched_scan(rdev, cookie, false);
9916 	}
9917 
9918 	req = list_first_or_null_rcu(&rdev->sched_scan_req_list,
9919 				     struct cfg80211_sched_scan_request,
9920 				     list);
9921 	if (!req || req->reqid ||
9922 	    (req->owner_nlportid &&
9923 	     req->owner_nlportid != info->snd_portid))
9924 		return -ENOENT;
9925 
9926 	return cfg80211_stop_sched_scan_req(rdev, req, false);
9927 }
9928 
9929 static int nl80211_start_radar_detection(struct sk_buff *skb,
9930 					 struct genl_info *info)
9931 {
9932 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
9933 	struct net_device *dev = info->user_ptr[1];
9934 	struct wireless_dev *wdev = dev->ieee80211_ptr;
9935 	struct wiphy *wiphy = wdev->wiphy;
9936 	struct cfg80211_chan_def chandef;
9937 	enum nl80211_dfs_regions dfs_region;
9938 	unsigned int cac_time_ms;
9939 	int err = -EINVAL;
9940 
9941 	flush_delayed_work(&rdev->dfs_update_channels_wk);
9942 
9943 	wiphy_lock(wiphy);
9944 
9945 	dfs_region = reg_get_dfs_region(wiphy);
9946 	if (dfs_region == NL80211_DFS_UNSET)
9947 		goto unlock;
9948 
9949 	err = nl80211_parse_chandef(rdev, info, &chandef);
9950 	if (err)
9951 		goto unlock;
9952 
9953 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
9954 	if (err < 0)
9955 		goto unlock;
9956 
9957 	if (err == 0) {
9958 		err = -EINVAL;
9959 		goto unlock;
9960 	}
9961 
9962 	if (!cfg80211_chandef_dfs_usable(wiphy, &chandef)) {
9963 		err = -EINVAL;
9964 		goto unlock;
9965 	}
9966 
9967 	if (nla_get_flag(info->attrs[NL80211_ATTR_RADAR_BACKGROUND])) {
9968 		err = cfg80211_start_background_radar_detection(rdev, wdev,
9969 								&chandef);
9970 		goto unlock;
9971 	}
9972 
9973 	if (netif_carrier_ok(dev)) {
9974 		err = -EBUSY;
9975 		goto unlock;
9976 	}
9977 
9978 	if (wdev->cac_started) {
9979 		err = -EBUSY;
9980 		goto unlock;
9981 	}
9982 
9983 	/* CAC start is offloaded to HW and can't be started manually */
9984 	if (wiphy_ext_feature_isset(wiphy, NL80211_EXT_FEATURE_DFS_OFFLOAD)) {
9985 		err = -EOPNOTSUPP;
9986 		goto unlock;
9987 	}
9988 
9989 	if (!rdev->ops->start_radar_detection) {
9990 		err = -EOPNOTSUPP;
9991 		goto unlock;
9992 	}
9993 
9994 	cac_time_ms = cfg80211_chandef_dfs_cac_time(&rdev->wiphy, &chandef);
9995 	if (WARN_ON(!cac_time_ms))
9996 		cac_time_ms = IEEE80211_DFS_MIN_CAC_TIME_MS;
9997 
9998 	err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
9999 	if (!err) {
10000 		wdev->links[0].ap.chandef = chandef;
10001 		wdev->cac_started = true;
10002 		wdev->cac_start_time = jiffies;
10003 		wdev->cac_time_ms = cac_time_ms;
10004 	}
10005 unlock:
10006 	wiphy_unlock(wiphy);
10007 
10008 	return err;
10009 }
10010 
10011 static int nl80211_notify_radar_detection(struct sk_buff *skb,
10012 					  struct genl_info *info)
10013 {
10014 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10015 	struct net_device *dev = info->user_ptr[1];
10016 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10017 	struct wiphy *wiphy = wdev->wiphy;
10018 	struct cfg80211_chan_def chandef;
10019 	enum nl80211_dfs_regions dfs_region;
10020 	int err;
10021 
10022 	dfs_region = reg_get_dfs_region(wiphy);
10023 	if (dfs_region == NL80211_DFS_UNSET) {
10024 		GENL_SET_ERR_MSG(info,
10025 				 "DFS Region is not set. Unexpected Radar indication");
10026 		return -EINVAL;
10027 	}
10028 
10029 	err = nl80211_parse_chandef(rdev, info, &chandef);
10030 	if (err) {
10031 		GENL_SET_ERR_MSG(info, "Unable to extract chandef info");
10032 		return err;
10033 	}
10034 
10035 	err = cfg80211_chandef_dfs_required(wiphy, &chandef, wdev->iftype);
10036 	if (err < 0) {
10037 		GENL_SET_ERR_MSG(info, "chandef is invalid");
10038 		return err;
10039 	}
10040 
10041 	if (err == 0) {
10042 		GENL_SET_ERR_MSG(info,
10043 				 "Unexpected Radar indication for chandef/iftype");
10044 		return -EINVAL;
10045 	}
10046 
10047 	/* Do not process this notification if radar is already detected
10048 	 * by kernel on this channel, and return success.
10049 	 */
10050 	if (chandef.chan->dfs_state == NL80211_DFS_UNAVAILABLE)
10051 		return 0;
10052 
10053 	cfg80211_set_dfs_state(wiphy, &chandef, NL80211_DFS_UNAVAILABLE);
10054 
10055 	cfg80211_sched_dfs_chan_update(rdev);
10056 
10057 	rdev->radar_chandef = chandef;
10058 
10059 	/* Propagate this notification to other radios as well */
10060 	queue_work(cfg80211_wq, &rdev->propagate_radar_detect_wk);
10061 
10062 	return 0;
10063 }
10064 
10065 static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
10066 {
10067 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10068 	unsigned int link_id = nl80211_link_id(info->attrs);
10069 	struct net_device *dev = info->user_ptr[1];
10070 	struct wireless_dev *wdev = dev->ieee80211_ptr;
10071 	struct cfg80211_csa_settings params;
10072 	struct nlattr **csa_attrs = NULL;
10073 	int err;
10074 	bool need_new_beacon = false;
10075 	bool need_handle_dfs_flag = true;
10076 	int len, i;
10077 	u32 cs_count;
10078 
10079 	if (!rdev->ops->channel_switch ||
10080 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_CHANNEL_SWITCH))
10081 		return -EOPNOTSUPP;
10082 
10083 	switch (dev->ieee80211_ptr->iftype) {
10084 	case NL80211_IFTYPE_AP:
10085 	case NL80211_IFTYPE_P2P_GO:
10086 		need_new_beacon = true;
10087 		/* For all modes except AP the handle_dfs flag needs to be
10088 		 * supplied to tell the kernel that userspace will handle radar
10089 		 * events when they happen. Otherwise a switch to a channel
10090 		 * requiring DFS will be rejected.
10091 		 */
10092 		need_handle_dfs_flag = false;
10093 
10094 		/* useless if AP is not running */
10095 		if (!wdev->links[link_id].ap.beacon_interval)
10096 			return -ENOTCONN;
10097 		break;
10098 	case NL80211_IFTYPE_ADHOC:
10099 		if (!wdev->u.ibss.ssid_len)
10100 			return -ENOTCONN;
10101 		break;
10102 	case NL80211_IFTYPE_MESH_POINT:
10103 		if (!wdev->u.mesh.id_len)
10104 			return -ENOTCONN;
10105 		break;
10106 	default:
10107 		return -EOPNOTSUPP;
10108 	}
10109 
10110 	memset(&params, 0, sizeof(params));
10111 	params.beacon_csa.ftm_responder = -1;
10112 
10113 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
10114 	    !info->attrs[NL80211_ATTR_CH_SWITCH_COUNT])
10115 		return -EINVAL;
10116 
10117 	/* only important for AP, IBSS and mesh create IEs internally */
10118 	if (need_new_beacon && !info->attrs[NL80211_ATTR_CSA_IES])
10119 		return -EINVAL;
10120 
10121 	/* Even though the attribute is u32, the specification says
10122 	 * u8, so let's make sure we don't overflow.
10123 	 */
10124 	cs_count = nla_get_u32(info->attrs[NL80211_ATTR_CH_SWITCH_COUNT]);
10125 	if (cs_count > 255)
10126 		return -EINVAL;
10127 
10128 	params.count = cs_count;
10129 
10130 	if (!need_new_beacon)
10131 		goto skip_beacons;
10132 
10133 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_after,
10134 				   info->extack);
10135 	if (err)
10136 		goto free;
10137 
10138 	csa_attrs = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*csa_attrs),
10139 			    GFP_KERNEL);
10140 	if (!csa_attrs) {
10141 		err = -ENOMEM;
10142 		goto free;
10143 	}
10144 
10145 	err = nla_parse_nested_deprecated(csa_attrs, NL80211_ATTR_MAX,
10146 					  info->attrs[NL80211_ATTR_CSA_IES],
10147 					  nl80211_policy, info->extack);
10148 	if (err)
10149 		goto free;
10150 
10151 	err = nl80211_parse_beacon(rdev, csa_attrs, &params.beacon_csa,
10152 				   info->extack);
10153 	if (err)
10154 		goto free;
10155 
10156 	if (!csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
10157 		err = -EINVAL;
10158 		goto free;
10159 	}
10160 
10161 	len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10162 	if (!len || (len % sizeof(u16))) {
10163 		err = -EINVAL;
10164 		goto free;
10165 	}
10166 
10167 	params.n_counter_offsets_beacon = len / sizeof(u16);
10168 	if (rdev->wiphy.max_num_csa_counters &&
10169 	    (params.n_counter_offsets_beacon >
10170 	     rdev->wiphy.max_num_csa_counters)) {
10171 		err = -EINVAL;
10172 		goto free;
10173 	}
10174 
10175 	params.counter_offsets_beacon =
10176 		nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
10177 
10178 	/* sanity checks - counters should fit and be the same */
10179 	for (i = 0; i < params.n_counter_offsets_beacon; i++) {
10180 		u16 offset = params.counter_offsets_beacon[i];
10181 
10182 		if (offset >= params.beacon_csa.tail_len) {
10183 			err = -EINVAL;
10184 			goto free;
10185 		}
10186 
10187 		if (params.beacon_csa.tail[offset] != params.count) {
10188 			err = -EINVAL;
10189 			goto free;
10190 		}
10191 	}
10192 
10193 	if (csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
10194 		len = nla_len(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10195 		if (!len || (len % sizeof(u16))) {
10196 			err = -EINVAL;
10197 			goto free;
10198 		}
10199 
10200 		params.n_counter_offsets_presp = len / sizeof(u16);
10201 		if (rdev->wiphy.max_num_csa_counters &&
10202 		    (params.n_counter_offsets_presp >
10203 		     rdev->wiphy.max_num_csa_counters)) {
10204 			err = -EINVAL;
10205 			goto free;
10206 		}
10207 
10208 		params.counter_offsets_presp =
10209 			nla_data(csa_attrs[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
10210 
10211 		/* sanity checks - counters should fit and be the same */
10212 		for (i = 0; i < params.n_counter_offsets_presp; i++) {
10213 			u16 offset = params.counter_offsets_presp[i];
10214 
10215 			if (offset >= params.beacon_csa.probe_resp_len) {
10216 				err = -EINVAL;
10217 				goto free;
10218 			}
10219 
10220 			if (params.beacon_csa.probe_resp[offset] !=
10221 			    params.count) {
10222 				err = -EINVAL;
10223 				goto free;
10224 			}
10225 		}
10226 	}
10227 
10228 skip_beacons:
10229 	err = nl80211_parse_chandef(rdev, info, &params.chandef);
10230 	if (err)
10231 		goto free;
10232 
10233 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &params.chandef,
10234 					   wdev->iftype)) {
10235 		err = -EINVAL;
10236 		goto free;
10237 	}
10238 
10239 	err = cfg80211_chandef_dfs_required(wdev->wiphy,
10240 					    &params.chandef,
10241 					    wdev->iftype);
10242 	if (err < 0)
10243 		goto free;
10244 
10245 	if (err > 0) {
10246 		params.radar_required = true;
10247 		if (need_handle_dfs_flag &&
10248 		    !nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS])) {
10249 			err = -EINVAL;
10250 			goto free;
10251 		}
10252 	}
10253 
10254 	if (info->attrs[NL80211_ATTR_CH_SWITCH_BLOCK_TX])
10255 		params.block_tx = true;
10256 
10257 	if (info->attrs[NL80211_ATTR_PUNCT_BITMAP]) {
10258 		err = nl80211_parse_punct_bitmap(rdev, info,
10259 						 &params.chandef,
10260 						 &params.punct_bitmap);
10261 		if (err)
10262 			goto free;
10263 	}
10264 
10265 	wdev_lock(wdev);
10266 	err = rdev_channel_switch(rdev, dev, &params);
10267 	wdev_unlock(wdev);
10268 
10269 free:
10270 	kfree(params.beacon_after.mbssid_ies);
10271 	kfree(params.beacon_csa.mbssid_ies);
10272 	kfree(params.beacon_after.rnr_ies);
10273 	kfree(params.beacon_csa.rnr_ies);
10274 	kfree(csa_attrs);
10275 	return err;
10276 }
10277 
10278 static int nl80211_send_bss(struct sk_buff *msg, struct netlink_callback *cb,
10279 			    u32 seq, int flags,
10280 			    struct cfg80211_registered_device *rdev,
10281 			    struct wireless_dev *wdev,
10282 			    struct cfg80211_internal_bss *intbss)
10283 {
10284 	struct cfg80211_bss *res = &intbss->pub;
10285 	const struct cfg80211_bss_ies *ies;
10286 	unsigned int link_id;
10287 	void *hdr;
10288 	struct nlattr *bss;
10289 
10290 	ASSERT_WDEV_LOCK(wdev);
10291 
10292 	hdr = nl80211hdr_put(msg, NETLINK_CB(cb->skb).portid, seq, flags,
10293 			     NL80211_CMD_NEW_SCAN_RESULTS);
10294 	if (!hdr)
10295 		return -1;
10296 
10297 	genl_dump_check_consistent(cb, hdr);
10298 
10299 	if (nla_put_u32(msg, NL80211_ATTR_GENERATION, rdev->bss_generation))
10300 		goto nla_put_failure;
10301 	if (wdev->netdev &&
10302 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex))
10303 		goto nla_put_failure;
10304 	if (nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
10305 			      NL80211_ATTR_PAD))
10306 		goto nla_put_failure;
10307 
10308 	bss = nla_nest_start_noflag(msg, NL80211_ATTR_BSS);
10309 	if (!bss)
10310 		goto nla_put_failure;
10311 	if ((!is_zero_ether_addr(res->bssid) &&
10312 	     nla_put(msg, NL80211_BSS_BSSID, ETH_ALEN, res->bssid)))
10313 		goto nla_put_failure;
10314 
10315 	rcu_read_lock();
10316 	/* indicate whether we have probe response data or not */
10317 	if (rcu_access_pointer(res->proberesp_ies) &&
10318 	    nla_put_flag(msg, NL80211_BSS_PRESP_DATA))
10319 		goto fail_unlock_rcu;
10320 
10321 	/* this pointer prefers to be pointed to probe response data
10322 	 * but is always valid
10323 	 */
10324 	ies = rcu_dereference(res->ies);
10325 	if (ies) {
10326 		if (nla_put_u64_64bit(msg, NL80211_BSS_TSF, ies->tsf,
10327 				      NL80211_BSS_PAD))
10328 			goto fail_unlock_rcu;
10329 		if (ies->len && nla_put(msg, NL80211_BSS_INFORMATION_ELEMENTS,
10330 					ies->len, ies->data))
10331 			goto fail_unlock_rcu;
10332 	}
10333 
10334 	/* and this pointer is always (unless driver didn't know) beacon data */
10335 	ies = rcu_dereference(res->beacon_ies);
10336 	if (ies && ies->from_beacon) {
10337 		if (nla_put_u64_64bit(msg, NL80211_BSS_BEACON_TSF, ies->tsf,
10338 				      NL80211_BSS_PAD))
10339 			goto fail_unlock_rcu;
10340 		if (ies->len && nla_put(msg, NL80211_BSS_BEACON_IES,
10341 					ies->len, ies->data))
10342 			goto fail_unlock_rcu;
10343 	}
10344 	rcu_read_unlock();
10345 
10346 	if (res->beacon_interval &&
10347 	    nla_put_u16(msg, NL80211_BSS_BEACON_INTERVAL, res->beacon_interval))
10348 		goto nla_put_failure;
10349 	if (nla_put_u16(msg, NL80211_BSS_CAPABILITY, res->capability) ||
10350 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY, res->channel->center_freq) ||
10351 	    nla_put_u32(msg, NL80211_BSS_FREQUENCY_OFFSET,
10352 			res->channel->freq_offset) ||
10353 	    nla_put_u32(msg, NL80211_BSS_CHAN_WIDTH, res->scan_width) ||
10354 	    nla_put_u32(msg, NL80211_BSS_SEEN_MS_AGO,
10355 			jiffies_to_msecs(jiffies - intbss->ts)))
10356 		goto nla_put_failure;
10357 
10358 	if (intbss->parent_tsf &&
10359 	    (nla_put_u64_64bit(msg, NL80211_BSS_PARENT_TSF,
10360 			       intbss->parent_tsf, NL80211_BSS_PAD) ||
10361 	     nla_put(msg, NL80211_BSS_PARENT_BSSID, ETH_ALEN,
10362 		     intbss->parent_bssid)))
10363 		goto nla_put_failure;
10364 
10365 	if (intbss->ts_boottime &&
10366 	    nla_put_u64_64bit(msg, NL80211_BSS_LAST_SEEN_BOOTTIME,
10367 			      intbss->ts_boottime, NL80211_BSS_PAD))
10368 		goto nla_put_failure;
10369 
10370 	if (!nl80211_put_signal(msg, intbss->pub.chains,
10371 				intbss->pub.chain_signal,
10372 				NL80211_BSS_CHAIN_SIGNAL))
10373 		goto nla_put_failure;
10374 
10375 	switch (rdev->wiphy.signal_type) {
10376 	case CFG80211_SIGNAL_TYPE_MBM:
10377 		if (nla_put_u32(msg, NL80211_BSS_SIGNAL_MBM, res->signal))
10378 			goto nla_put_failure;
10379 		break;
10380 	case CFG80211_SIGNAL_TYPE_UNSPEC:
10381 		if (nla_put_u8(msg, NL80211_BSS_SIGNAL_UNSPEC, res->signal))
10382 			goto nla_put_failure;
10383 		break;
10384 	default:
10385 		break;
10386 	}
10387 
10388 	switch (wdev->iftype) {
10389 	case NL80211_IFTYPE_P2P_CLIENT:
10390 	case NL80211_IFTYPE_STATION:
10391 		for_each_valid_link(wdev, link_id) {
10392 			if (intbss == wdev->links[link_id].client.current_bss &&
10393 			    (nla_put_u32(msg, NL80211_BSS_STATUS,
10394 					 NL80211_BSS_STATUS_ASSOCIATED) ||
10395 			     (wdev->valid_links &&
10396 			      (nla_put_u8(msg, NL80211_BSS_MLO_LINK_ID,
10397 					  link_id) ||
10398 			       nla_put(msg, NL80211_BSS_MLD_ADDR, ETH_ALEN,
10399 				       wdev->u.client.connected_addr)))))
10400 				goto nla_put_failure;
10401 		}
10402 		break;
10403 	case NL80211_IFTYPE_ADHOC:
10404 		if (intbss == wdev->u.ibss.current_bss &&
10405 		    nla_put_u32(msg, NL80211_BSS_STATUS,
10406 				NL80211_BSS_STATUS_IBSS_JOINED))
10407 			goto nla_put_failure;
10408 		break;
10409 	default:
10410 		break;
10411 	}
10412 
10413 	nla_nest_end(msg, bss);
10414 
10415 	genlmsg_end(msg, hdr);
10416 	return 0;
10417 
10418  fail_unlock_rcu:
10419 	rcu_read_unlock();
10420  nla_put_failure:
10421 	genlmsg_cancel(msg, hdr);
10422 	return -EMSGSIZE;
10423 }
10424 
10425 static int nl80211_dump_scan(struct sk_buff *skb, struct netlink_callback *cb)
10426 {
10427 	struct cfg80211_registered_device *rdev;
10428 	struct cfg80211_internal_bss *scan;
10429 	struct wireless_dev *wdev;
10430 	int start = cb->args[2], idx = 0;
10431 	int err;
10432 
10433 	err = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, NULL);
10434 	if (err)
10435 		return err;
10436 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10437 	__acquire(&rdev->wiphy.mtx);
10438 
10439 	wdev_lock(wdev);
10440 	spin_lock_bh(&rdev->bss_lock);
10441 
10442 	/*
10443 	 * dump_scan will be called multiple times to break up the scan results
10444 	 * into multiple messages.  It is unlikely that any more bss-es will be
10445 	 * expired after the first call, so only call only call this on the
10446 	 * first dump_scan invocation.
10447 	 */
10448 	if (start == 0)
10449 		cfg80211_bss_expire(rdev);
10450 
10451 	cb->seq = rdev->bss_generation;
10452 
10453 	list_for_each_entry(scan, &rdev->bss_list, list) {
10454 		if (++idx <= start)
10455 			continue;
10456 		if (nl80211_send_bss(skb, cb,
10457 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10458 				rdev, wdev, scan) < 0) {
10459 			idx--;
10460 			break;
10461 		}
10462 	}
10463 
10464 	spin_unlock_bh(&rdev->bss_lock);
10465 	wdev_unlock(wdev);
10466 
10467 	cb->args[2] = idx;
10468 	wiphy_unlock(&rdev->wiphy);
10469 
10470 	return skb->len;
10471 }
10472 
10473 static int nl80211_send_survey(struct sk_buff *msg, u32 portid, u32 seq,
10474 			       int flags, struct net_device *dev,
10475 			       bool allow_radio_stats,
10476 			       struct survey_info *survey)
10477 {
10478 	void *hdr;
10479 	struct nlattr *infoattr;
10480 
10481 	/* skip radio stats if userspace didn't request them */
10482 	if (!survey->channel && !allow_radio_stats)
10483 		return 0;
10484 
10485 	hdr = nl80211hdr_put(msg, portid, seq, flags,
10486 			     NL80211_CMD_NEW_SURVEY_RESULTS);
10487 	if (!hdr)
10488 		return -ENOMEM;
10489 
10490 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
10491 		goto nla_put_failure;
10492 
10493 	infoattr = nla_nest_start_noflag(msg, NL80211_ATTR_SURVEY_INFO);
10494 	if (!infoattr)
10495 		goto nla_put_failure;
10496 
10497 	if (survey->channel &&
10498 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY,
10499 			survey->channel->center_freq))
10500 		goto nla_put_failure;
10501 
10502 	if (survey->channel && survey->channel->freq_offset &&
10503 	    nla_put_u32(msg, NL80211_SURVEY_INFO_FREQUENCY_OFFSET,
10504 			survey->channel->freq_offset))
10505 		goto nla_put_failure;
10506 
10507 	if ((survey->filled & SURVEY_INFO_NOISE_DBM) &&
10508 	    nla_put_u8(msg, NL80211_SURVEY_INFO_NOISE, survey->noise))
10509 		goto nla_put_failure;
10510 	if ((survey->filled & SURVEY_INFO_IN_USE) &&
10511 	    nla_put_flag(msg, NL80211_SURVEY_INFO_IN_USE))
10512 		goto nla_put_failure;
10513 	if ((survey->filled & SURVEY_INFO_TIME) &&
10514 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME,
10515 			survey->time, NL80211_SURVEY_INFO_PAD))
10516 		goto nla_put_failure;
10517 	if ((survey->filled & SURVEY_INFO_TIME_BUSY) &&
10518 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BUSY,
10519 			      survey->time_busy, NL80211_SURVEY_INFO_PAD))
10520 		goto nla_put_failure;
10521 	if ((survey->filled & SURVEY_INFO_TIME_EXT_BUSY) &&
10522 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_EXT_BUSY,
10523 			      survey->time_ext_busy, NL80211_SURVEY_INFO_PAD))
10524 		goto nla_put_failure;
10525 	if ((survey->filled & SURVEY_INFO_TIME_RX) &&
10526 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_RX,
10527 			      survey->time_rx, NL80211_SURVEY_INFO_PAD))
10528 		goto nla_put_failure;
10529 	if ((survey->filled & SURVEY_INFO_TIME_TX) &&
10530 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_TX,
10531 			      survey->time_tx, NL80211_SURVEY_INFO_PAD))
10532 		goto nla_put_failure;
10533 	if ((survey->filled & SURVEY_INFO_TIME_SCAN) &&
10534 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_SCAN,
10535 			      survey->time_scan, NL80211_SURVEY_INFO_PAD))
10536 		goto nla_put_failure;
10537 	if ((survey->filled & SURVEY_INFO_TIME_BSS_RX) &&
10538 	    nla_put_u64_64bit(msg, NL80211_SURVEY_INFO_TIME_BSS_RX,
10539 			      survey->time_bss_rx, NL80211_SURVEY_INFO_PAD))
10540 		goto nla_put_failure;
10541 
10542 	nla_nest_end(msg, infoattr);
10543 
10544 	genlmsg_end(msg, hdr);
10545 	return 0;
10546 
10547  nla_put_failure:
10548 	genlmsg_cancel(msg, hdr);
10549 	return -EMSGSIZE;
10550 }
10551 
10552 static int nl80211_dump_survey(struct sk_buff *skb, struct netlink_callback *cb)
10553 {
10554 	struct nlattr **attrbuf;
10555 	struct survey_info survey;
10556 	struct cfg80211_registered_device *rdev;
10557 	struct wireless_dev *wdev;
10558 	int survey_idx = cb->args[2];
10559 	int res;
10560 	bool radio_stats;
10561 
10562 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
10563 	if (!attrbuf)
10564 		return -ENOMEM;
10565 
10566 	res = nl80211_prepare_wdev_dump(cb, &rdev, &wdev, attrbuf);
10567 	if (res) {
10568 		kfree(attrbuf);
10569 		return res;
10570 	}
10571 	/* nl80211_prepare_wdev_dump acquired it in the successful case */
10572 	__acquire(&rdev->wiphy.mtx);
10573 
10574 	/* prepare_wdev_dump parsed the attributes */
10575 	radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
10576 
10577 	if (!wdev->netdev) {
10578 		res = -EINVAL;
10579 		goto out_err;
10580 	}
10581 
10582 	if (!rdev->ops->dump_survey) {
10583 		res = -EOPNOTSUPP;
10584 		goto out_err;
10585 	}
10586 
10587 	while (1) {
10588 		wdev_lock(wdev);
10589 		res = rdev_dump_survey(rdev, wdev->netdev, survey_idx, &survey);
10590 		wdev_unlock(wdev);
10591 		if (res == -ENOENT)
10592 			break;
10593 		if (res)
10594 			goto out_err;
10595 
10596 		/* don't send disabled channels, but do send non-channel data */
10597 		if (survey.channel &&
10598 		    survey.channel->flags & IEEE80211_CHAN_DISABLED) {
10599 			survey_idx++;
10600 			continue;
10601 		}
10602 
10603 		if (nl80211_send_survey(skb,
10604 				NETLINK_CB(cb->skb).portid,
10605 				cb->nlh->nlmsg_seq, NLM_F_MULTI,
10606 				wdev->netdev, radio_stats, &survey) < 0)
10607 			goto out;
10608 		survey_idx++;
10609 	}
10610 
10611  out:
10612 	cb->args[2] = survey_idx;
10613 	res = skb->len;
10614  out_err:
10615 	kfree(attrbuf);
10616 	wiphy_unlock(&rdev->wiphy);
10617 	return res;
10618 }
10619 
10620 static bool nl80211_valid_wpa_versions(u32 wpa_versions)
10621 {
10622 	return !(wpa_versions & ~(NL80211_WPA_VERSION_1 |
10623 				  NL80211_WPA_VERSION_2 |
10624 				  NL80211_WPA_VERSION_3));
10625 }
10626 
10627 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info)
10628 {
10629 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10630 	struct net_device *dev = info->user_ptr[1];
10631 	struct ieee80211_channel *chan;
10632 	const u8 *bssid, *ssid;
10633 	int err, ssid_len;
10634 	enum nl80211_auth_type auth_type;
10635 	struct key_parse key;
10636 	bool local_state_change;
10637 	struct cfg80211_auth_request req = {};
10638 	u32 freq;
10639 
10640 	if (!info->attrs[NL80211_ATTR_MAC])
10641 		return -EINVAL;
10642 
10643 	if (!info->attrs[NL80211_ATTR_AUTH_TYPE])
10644 		return -EINVAL;
10645 
10646 	if (!info->attrs[NL80211_ATTR_SSID])
10647 		return -EINVAL;
10648 
10649 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
10650 		return -EINVAL;
10651 
10652 	err = nl80211_parse_key(info, &key);
10653 	if (err)
10654 		return err;
10655 
10656 	if (key.idx >= 0) {
10657 		if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP)
10658 			return -EINVAL;
10659 		if (!key.p.key || !key.p.key_len)
10660 			return -EINVAL;
10661 		if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 ||
10662 		     key.p.key_len != WLAN_KEY_LEN_WEP40) &&
10663 		    (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 ||
10664 		     key.p.key_len != WLAN_KEY_LEN_WEP104))
10665 			return -EINVAL;
10666 		if (key.idx > 3)
10667 			return -EINVAL;
10668 	} else {
10669 		key.p.key_len = 0;
10670 		key.p.key = NULL;
10671 	}
10672 
10673 	if (key.idx >= 0) {
10674 		int i;
10675 		bool ok = false;
10676 
10677 		for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) {
10678 			if (key.p.cipher == rdev->wiphy.cipher_suites[i]) {
10679 				ok = true;
10680 				break;
10681 			}
10682 		}
10683 		if (!ok)
10684 			return -EINVAL;
10685 	}
10686 
10687 	if (!rdev->ops->auth)
10688 		return -EOPNOTSUPP;
10689 
10690 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10691 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10692 		return -EOPNOTSUPP;
10693 
10694 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
10695 	freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]));
10696 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10697 		freq +=
10698 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10699 
10700 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10701 	if (!chan)
10702 		return -EINVAL;
10703 
10704 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10705 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10706 
10707 	if (info->attrs[NL80211_ATTR_IE]) {
10708 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10709 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10710 	}
10711 
10712 	auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
10713 	if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE))
10714 		return -EINVAL;
10715 
10716 	if ((auth_type == NL80211_AUTHTYPE_SAE ||
10717 	     auth_type == NL80211_AUTHTYPE_FILS_SK ||
10718 	     auth_type == NL80211_AUTHTYPE_FILS_SK_PFS ||
10719 	     auth_type == NL80211_AUTHTYPE_FILS_PK) &&
10720 	    !info->attrs[NL80211_ATTR_AUTH_DATA])
10721 		return -EINVAL;
10722 
10723 	if (info->attrs[NL80211_ATTR_AUTH_DATA]) {
10724 		if (auth_type != NL80211_AUTHTYPE_SAE &&
10725 		    auth_type != NL80211_AUTHTYPE_FILS_SK &&
10726 		    auth_type != NL80211_AUTHTYPE_FILS_SK_PFS &&
10727 		    auth_type != NL80211_AUTHTYPE_FILS_PK)
10728 			return -EINVAL;
10729 		req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]);
10730 		req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]);
10731 	}
10732 
10733 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
10734 
10735 	/*
10736 	 * Since we no longer track auth state, ignore
10737 	 * requests to only change local state.
10738 	 */
10739 	if (local_state_change)
10740 		return 0;
10741 
10742 	req.auth_type = auth_type;
10743 	req.key = key.p.key;
10744 	req.key_len = key.p.key_len;
10745 	req.key_idx = key.idx;
10746 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
10747 	if (req.link_id >= 0) {
10748 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
10749 			return -EINVAL;
10750 		if (!info->attrs[NL80211_ATTR_MLD_ADDR])
10751 			return -EINVAL;
10752 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
10753 		if (!is_valid_ether_addr(req.ap_mld_addr))
10754 			return -EINVAL;
10755 	}
10756 
10757 	req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len,
10758 				   IEEE80211_BSS_TYPE_ESS,
10759 				   IEEE80211_PRIVACY_ANY);
10760 	if (!req.bss)
10761 		return -ENOENT;
10762 
10763 	wdev_lock(dev->ieee80211_ptr);
10764 	err = cfg80211_mlme_auth(rdev, dev, &req);
10765 	wdev_unlock(dev->ieee80211_ptr);
10766 
10767 	cfg80211_put_bss(&rdev->wiphy, req.bss);
10768 
10769 	return err;
10770 }
10771 
10772 static int validate_pae_over_nl80211(struct cfg80211_registered_device *rdev,
10773 				     struct genl_info *info)
10774 {
10775 	if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
10776 		GENL_SET_ERR_MSG(info, "SOCKET_OWNER not set");
10777 		return -EINVAL;
10778 	}
10779 
10780 	if (!rdev->ops->tx_control_port ||
10781 	    !wiphy_ext_feature_isset(&rdev->wiphy,
10782 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
10783 		return -EOPNOTSUPP;
10784 
10785 	return 0;
10786 }
10787 
10788 static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
10789 				   struct genl_info *info,
10790 				   struct cfg80211_crypto_settings *settings,
10791 				   int cipher_limit)
10792 {
10793 	memset(settings, 0, sizeof(*settings));
10794 
10795 	settings->control_port = info->attrs[NL80211_ATTR_CONTROL_PORT];
10796 
10797 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
10798 		u16 proto;
10799 
10800 		proto = nla_get_u16(
10801 			info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
10802 		settings->control_port_ethertype = cpu_to_be16(proto);
10803 		if (!(rdev->wiphy.flags & WIPHY_FLAG_CONTROL_PORT_PROTOCOL) &&
10804 		    proto != ETH_P_PAE)
10805 			return -EINVAL;
10806 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT])
10807 			settings->control_port_no_encrypt = true;
10808 	} else
10809 		settings->control_port_ethertype = cpu_to_be16(ETH_P_PAE);
10810 
10811 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
10812 		int r = validate_pae_over_nl80211(rdev, info);
10813 
10814 		if (r < 0)
10815 			return r;
10816 
10817 		settings->control_port_over_nl80211 = true;
10818 
10819 		if (info->attrs[NL80211_ATTR_CONTROL_PORT_NO_PREAUTH])
10820 			settings->control_port_no_preauth = true;
10821 	}
10822 
10823 	if (info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]) {
10824 		void *data;
10825 		int len, i;
10826 
10827 		data = nla_data(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10828 		len = nla_len(info->attrs[NL80211_ATTR_CIPHER_SUITES_PAIRWISE]);
10829 		settings->n_ciphers_pairwise = len / sizeof(u32);
10830 
10831 		if (len % sizeof(u32))
10832 			return -EINVAL;
10833 
10834 		if (settings->n_ciphers_pairwise > cipher_limit)
10835 			return -EINVAL;
10836 
10837 		memcpy(settings->ciphers_pairwise, data, len);
10838 
10839 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
10840 			if (!cfg80211_supported_cipher_suite(
10841 					&rdev->wiphy,
10842 					settings->ciphers_pairwise[i]))
10843 				return -EINVAL;
10844 	}
10845 
10846 	if (info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]) {
10847 		settings->cipher_group =
10848 			nla_get_u32(info->attrs[NL80211_ATTR_CIPHER_SUITE_GROUP]);
10849 		if (!cfg80211_supported_cipher_suite(&rdev->wiphy,
10850 						     settings->cipher_group))
10851 			return -EINVAL;
10852 	}
10853 
10854 	if (info->attrs[NL80211_ATTR_WPA_VERSIONS]) {
10855 		settings->wpa_versions =
10856 			nla_get_u32(info->attrs[NL80211_ATTR_WPA_VERSIONS]);
10857 		if (!nl80211_valid_wpa_versions(settings->wpa_versions))
10858 			return -EINVAL;
10859 	}
10860 
10861 	if (info->attrs[NL80211_ATTR_AKM_SUITES]) {
10862 		void *data;
10863 		int len;
10864 
10865 		data = nla_data(info->attrs[NL80211_ATTR_AKM_SUITES]);
10866 		len = nla_len(info->attrs[NL80211_ATTR_AKM_SUITES]);
10867 		settings->n_akm_suites = len / sizeof(u32);
10868 
10869 		if (len % sizeof(u32))
10870 			return -EINVAL;
10871 
10872 		if (settings->n_akm_suites > rdev->wiphy.max_num_akm_suites)
10873 			return -EINVAL;
10874 
10875 		memcpy(settings->akm_suites, data, len);
10876 	}
10877 
10878 	if (info->attrs[NL80211_ATTR_PMK]) {
10879 		if (nla_len(info->attrs[NL80211_ATTR_PMK]) != WLAN_PMK_LEN)
10880 			return -EINVAL;
10881 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10882 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_PSK) &&
10883 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10884 					     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_AP_PSK))
10885 			return -EINVAL;
10886 		settings->psk = nla_data(info->attrs[NL80211_ATTR_PMK]);
10887 	}
10888 
10889 	if (info->attrs[NL80211_ATTR_SAE_PASSWORD]) {
10890 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
10891 					     NL80211_EXT_FEATURE_SAE_OFFLOAD) &&
10892 		    !wiphy_ext_feature_isset(&rdev->wiphy,
10893 					     NL80211_EXT_FEATURE_SAE_OFFLOAD_AP))
10894 			return -EINVAL;
10895 		settings->sae_pwd =
10896 			nla_data(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10897 		settings->sae_pwd_len =
10898 			nla_len(info->attrs[NL80211_ATTR_SAE_PASSWORD]);
10899 	}
10900 
10901 	if (info->attrs[NL80211_ATTR_SAE_PWE])
10902 		settings->sae_pwe =
10903 			nla_get_u8(info->attrs[NL80211_ATTR_SAE_PWE]);
10904 	else
10905 		settings->sae_pwe = NL80211_SAE_PWE_UNSPECIFIED;
10906 
10907 	return 0;
10908 }
10909 
10910 static struct cfg80211_bss *nl80211_assoc_bss(struct cfg80211_registered_device *rdev,
10911 					      const u8 *ssid, int ssid_len,
10912 					      struct nlattr **attrs)
10913 {
10914 	struct ieee80211_channel *chan;
10915 	struct cfg80211_bss *bss;
10916 	const u8 *bssid;
10917 	u32 freq;
10918 
10919 	if (!attrs[NL80211_ATTR_MAC] || !attrs[NL80211_ATTR_WIPHY_FREQ])
10920 		return ERR_PTR(-EINVAL);
10921 
10922 	bssid = nla_data(attrs[NL80211_ATTR_MAC]);
10923 
10924 	freq = MHZ_TO_KHZ(nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ]));
10925 	if (attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
10926 		freq += nla_get_u32(attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
10927 
10928 	chan = nl80211_get_valid_chan(&rdev->wiphy, freq);
10929 	if (!chan)
10930 		return ERR_PTR(-EINVAL);
10931 
10932 	bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid,
10933 			       ssid, ssid_len,
10934 			       IEEE80211_BSS_TYPE_ESS,
10935 			       IEEE80211_PRIVACY_ANY);
10936 	if (!bss)
10937 		return ERR_PTR(-ENOENT);
10938 
10939 	return bss;
10940 }
10941 
10942 static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
10943 {
10944 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
10945 	struct net_device *dev = info->user_ptr[1];
10946 	struct cfg80211_assoc_request req = {};
10947 	struct nlattr **attrs = NULL;
10948 	const u8 *ap_addr, *ssid;
10949 	unsigned int link_id;
10950 	int err, ssid_len;
10951 
10952 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
10953 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
10954 		return -EPERM;
10955 
10956 	if (!info->attrs[NL80211_ATTR_SSID])
10957 		return -EINVAL;
10958 
10959 	if (!rdev->ops->assoc)
10960 		return -EOPNOTSUPP;
10961 
10962 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
10963 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
10964 		return -EOPNOTSUPP;
10965 
10966 	ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
10967 	ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
10968 
10969 	if (info->attrs[NL80211_ATTR_IE]) {
10970 		req.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
10971 		req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
10972 
10973 		if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
10974 					   req.ie, req.ie_len)) {
10975 			GENL_SET_ERR_MSG(info,
10976 					 "non-inheritance makes no sense");
10977 			return -EINVAL;
10978 		}
10979 	}
10980 
10981 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
10982 		enum nl80211_mfp mfp =
10983 			nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
10984 		if (mfp == NL80211_MFP_REQUIRED)
10985 			req.use_mfp = true;
10986 		else if (mfp != NL80211_MFP_NO)
10987 			return -EINVAL;
10988 	}
10989 
10990 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
10991 		req.prev_bssid = nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
10992 
10993 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
10994 		req.flags |= ASSOC_REQ_DISABLE_HT;
10995 
10996 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
10997 		memcpy(&req.ht_capa_mask,
10998 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
10999 		       sizeof(req.ht_capa_mask));
11000 
11001 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11002 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11003 			return -EINVAL;
11004 		memcpy(&req.ht_capa,
11005 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11006 		       sizeof(req.ht_capa));
11007 	}
11008 
11009 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11010 		req.flags |= ASSOC_REQ_DISABLE_VHT;
11011 
11012 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11013 		req.flags |= ASSOC_REQ_DISABLE_HE;
11014 
11015 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11016 		req.flags |= ASSOC_REQ_DISABLE_EHT;
11017 
11018 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11019 		memcpy(&req.vht_capa_mask,
11020 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11021 		       sizeof(req.vht_capa_mask));
11022 
11023 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11024 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11025 			return -EINVAL;
11026 		memcpy(&req.vht_capa,
11027 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11028 		       sizeof(req.vht_capa));
11029 	}
11030 
11031 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11032 		if (!((rdev->wiphy.features &
11033 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11034 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11035 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11036 					     NL80211_EXT_FEATURE_RRM))
11037 			return -EINVAL;
11038 		req.flags |= ASSOC_REQ_USE_RRM;
11039 	}
11040 
11041 	if (info->attrs[NL80211_ATTR_FILS_KEK]) {
11042 		req.fils_kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
11043 		req.fils_kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
11044 		if (!info->attrs[NL80211_ATTR_FILS_NONCES])
11045 			return -EINVAL;
11046 		req.fils_nonces =
11047 			nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
11048 	}
11049 
11050 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]) {
11051 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY])
11052 			return -EINVAL;
11053 		memcpy(&req.s1g_capa_mask,
11054 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK]),
11055 		       sizeof(req.s1g_capa_mask));
11056 	}
11057 
11058 	if (info->attrs[NL80211_ATTR_S1G_CAPABILITY]) {
11059 		if (!info->attrs[NL80211_ATTR_S1G_CAPABILITY_MASK])
11060 			return -EINVAL;
11061 		memcpy(&req.s1g_capa,
11062 		       nla_data(info->attrs[NL80211_ATTR_S1G_CAPABILITY]),
11063 		       sizeof(req.s1g_capa));
11064 	}
11065 
11066 	req.link_id = nl80211_link_id_or_invalid(info->attrs);
11067 
11068 	if (info->attrs[NL80211_ATTR_MLO_LINKS]) {
11069 		unsigned int attrsize = NUM_NL80211_ATTR * sizeof(*attrs);
11070 		struct nlattr *link;
11071 		int rem = 0;
11072 
11073 		if (req.link_id < 0)
11074 			return -EINVAL;
11075 
11076 		if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO))
11077 			return -EINVAL;
11078 
11079 		if (info->attrs[NL80211_ATTR_MAC] ||
11080 		    info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
11081 		    !info->attrs[NL80211_ATTR_MLD_ADDR])
11082 			return -EINVAL;
11083 
11084 		req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
11085 		ap_addr = req.ap_mld_addr;
11086 
11087 		attrs = kzalloc(attrsize, GFP_KERNEL);
11088 		if (!attrs)
11089 			return -ENOMEM;
11090 
11091 		nla_for_each_nested(link,
11092 				    info->attrs[NL80211_ATTR_MLO_LINKS],
11093 				    rem) {
11094 			memset(attrs, 0, attrsize);
11095 
11096 			nla_parse_nested(attrs, NL80211_ATTR_MAX,
11097 					 link, NULL, NULL);
11098 
11099 			if (!attrs[NL80211_ATTR_MLO_LINK_ID]) {
11100 				err = -EINVAL;
11101 				goto free;
11102 			}
11103 
11104 			link_id = nla_get_u8(attrs[NL80211_ATTR_MLO_LINK_ID]);
11105 			/* cannot use the same link ID again */
11106 			if (req.links[link_id].bss) {
11107 				err = -EINVAL;
11108 				goto free;
11109 			}
11110 			req.links[link_id].bss =
11111 				nl80211_assoc_bss(rdev, ssid, ssid_len, attrs);
11112 			if (IS_ERR(req.links[link_id].bss)) {
11113 				err = PTR_ERR(req.links[link_id].bss);
11114 				req.links[link_id].bss = NULL;
11115 				goto free;
11116 			}
11117 
11118 			if (attrs[NL80211_ATTR_IE]) {
11119 				req.links[link_id].elems =
11120 					nla_data(attrs[NL80211_ATTR_IE]);
11121 				req.links[link_id].elems_len =
11122 					nla_len(attrs[NL80211_ATTR_IE]);
11123 
11124 				if (cfg80211_find_elem(WLAN_EID_FRAGMENT,
11125 						       req.links[link_id].elems,
11126 						       req.links[link_id].elems_len)) {
11127 					GENL_SET_ERR_MSG(info,
11128 							 "cannot deal with fragmentation");
11129 					err = -EINVAL;
11130 					goto free;
11131 				}
11132 
11133 				if (cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
11134 							   req.links[link_id].elems,
11135 							   req.links[link_id].elems_len)) {
11136 					GENL_SET_ERR_MSG(info,
11137 							 "cannot deal with non-inheritance");
11138 					err = -EINVAL;
11139 					goto free;
11140 				}
11141 			}
11142 
11143 			req.links[link_id].disabled =
11144 				nla_get_flag(attrs[NL80211_ATTR_MLO_LINK_DISABLED]);
11145 		}
11146 
11147 		if (!req.links[req.link_id].bss) {
11148 			err = -EINVAL;
11149 			goto free;
11150 		}
11151 
11152 		if (req.links[req.link_id].elems_len) {
11153 			GENL_SET_ERR_MSG(info,
11154 					 "cannot have per-link elems on assoc link");
11155 			err = -EINVAL;
11156 			goto free;
11157 		}
11158 
11159 		if (req.links[req.link_id].disabled) {
11160 			GENL_SET_ERR_MSG(info,
11161 					 "cannot have assoc link disabled");
11162 			err = -EINVAL;
11163 			goto free;
11164 		}
11165 
11166 		kfree(attrs);
11167 		attrs = NULL;
11168 	} else {
11169 		if (req.link_id >= 0)
11170 			return -EINVAL;
11171 
11172 		req.bss = nl80211_assoc_bss(rdev, ssid, ssid_len, info->attrs);
11173 		if (IS_ERR(req.bss))
11174 			return PTR_ERR(req.bss);
11175 		ap_addr = req.bss->bssid;
11176 	}
11177 
11178 	err = nl80211_crypto_settings(rdev, info, &req.crypto, 1);
11179 	if (!err) {
11180 		wdev_lock(dev->ieee80211_ptr);
11181 
11182 		err = cfg80211_mlme_assoc(rdev, dev, &req);
11183 
11184 		if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
11185 			dev->ieee80211_ptr->conn_owner_nlportid =
11186 				info->snd_portid;
11187 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
11188 			       ap_addr, ETH_ALEN);
11189 		}
11190 
11191 		wdev_unlock(dev->ieee80211_ptr);
11192 	}
11193 
11194 free:
11195 	for (link_id = 0; link_id < ARRAY_SIZE(req.links); link_id++)
11196 		cfg80211_put_bss(&rdev->wiphy, req.links[link_id].bss);
11197 	cfg80211_put_bss(&rdev->wiphy, req.bss);
11198 	kfree(attrs);
11199 
11200 	return err;
11201 }
11202 
11203 static int nl80211_deauthenticate(struct sk_buff *skb, struct genl_info *info)
11204 {
11205 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11206 	struct net_device *dev = info->user_ptr[1];
11207 	const u8 *ie = NULL, *bssid;
11208 	int ie_len = 0, err;
11209 	u16 reason_code;
11210 	bool local_state_change;
11211 
11212 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11213 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11214 		return -EPERM;
11215 
11216 	if (!info->attrs[NL80211_ATTR_MAC])
11217 		return -EINVAL;
11218 
11219 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11220 		return -EINVAL;
11221 
11222 	if (!rdev->ops->deauth)
11223 		return -EOPNOTSUPP;
11224 
11225 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11226 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11227 		return -EOPNOTSUPP;
11228 
11229 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11230 
11231 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11232 	if (reason_code == 0) {
11233 		/* Reason Code 0 is reserved */
11234 		return -EINVAL;
11235 	}
11236 
11237 	if (info->attrs[NL80211_ATTR_IE]) {
11238 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11239 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11240 	}
11241 
11242 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11243 
11244 	wdev_lock(dev->ieee80211_ptr);
11245 	err = cfg80211_mlme_deauth(rdev, dev, bssid, ie, ie_len, reason_code,
11246 				   local_state_change);
11247 	wdev_unlock(dev->ieee80211_ptr);
11248 	return err;
11249 }
11250 
11251 static int nl80211_disassociate(struct sk_buff *skb, struct genl_info *info)
11252 {
11253 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11254 	struct net_device *dev = info->user_ptr[1];
11255 	const u8 *ie = NULL, *bssid;
11256 	int ie_len = 0, err;
11257 	u16 reason_code;
11258 	bool local_state_change;
11259 
11260 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
11261 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
11262 		return -EPERM;
11263 
11264 	if (!info->attrs[NL80211_ATTR_MAC])
11265 		return -EINVAL;
11266 
11267 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
11268 		return -EINVAL;
11269 
11270 	if (!rdev->ops->disassoc)
11271 		return -EOPNOTSUPP;
11272 
11273 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11274 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11275 		return -EOPNOTSUPP;
11276 
11277 	bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11278 
11279 	reason_code = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
11280 	if (reason_code == 0) {
11281 		/* Reason Code 0 is reserved */
11282 		return -EINVAL;
11283 	}
11284 
11285 	if (info->attrs[NL80211_ATTR_IE]) {
11286 		ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11287 		ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11288 	}
11289 
11290 	local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE];
11291 
11292 	wdev_lock(dev->ieee80211_ptr);
11293 	err = cfg80211_mlme_disassoc(rdev, dev, bssid, ie, ie_len, reason_code,
11294 				     local_state_change);
11295 	wdev_unlock(dev->ieee80211_ptr);
11296 	return err;
11297 }
11298 
11299 static bool
11300 nl80211_parse_mcast_rate(struct cfg80211_registered_device *rdev,
11301 			 int mcast_rate[NUM_NL80211_BANDS],
11302 			 int rateval)
11303 {
11304 	struct wiphy *wiphy = &rdev->wiphy;
11305 	bool found = false;
11306 	int band, i;
11307 
11308 	for (band = 0; band < NUM_NL80211_BANDS; band++) {
11309 		struct ieee80211_supported_band *sband;
11310 
11311 		sband = wiphy->bands[band];
11312 		if (!sband)
11313 			continue;
11314 
11315 		for (i = 0; i < sband->n_bitrates; i++) {
11316 			if (sband->bitrates[i].bitrate == rateval) {
11317 				mcast_rate[band] = i + 1;
11318 				found = true;
11319 				break;
11320 			}
11321 		}
11322 	}
11323 
11324 	return found;
11325 }
11326 
11327 static int nl80211_join_ibss(struct sk_buff *skb, struct genl_info *info)
11328 {
11329 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11330 	struct net_device *dev = info->user_ptr[1];
11331 	struct cfg80211_ibss_params ibss;
11332 	struct wiphy *wiphy;
11333 	struct cfg80211_cached_keys *connkeys = NULL;
11334 	int err;
11335 
11336 	memset(&ibss, 0, sizeof(ibss));
11337 
11338 	if (!info->attrs[NL80211_ATTR_SSID] ||
11339 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11340 		return -EINVAL;
11341 
11342 	ibss.beacon_interval = 100;
11343 
11344 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL])
11345 		ibss.beacon_interval =
11346 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
11347 
11348 	err = cfg80211_validate_beacon_int(rdev, NL80211_IFTYPE_ADHOC,
11349 					   ibss.beacon_interval);
11350 	if (err)
11351 		return err;
11352 
11353 	if (!rdev->ops->join_ibss)
11354 		return -EOPNOTSUPP;
11355 
11356 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11357 		return -EOPNOTSUPP;
11358 
11359 	wiphy = &rdev->wiphy;
11360 
11361 	if (info->attrs[NL80211_ATTR_MAC]) {
11362 		ibss.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11363 
11364 		if (!is_valid_ether_addr(ibss.bssid))
11365 			return -EINVAL;
11366 	}
11367 	ibss.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11368 	ibss.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11369 
11370 	if (info->attrs[NL80211_ATTR_IE]) {
11371 		ibss.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11372 		ibss.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11373 	}
11374 
11375 	err = nl80211_parse_chandef(rdev, info, &ibss.chandef);
11376 	if (err)
11377 		return err;
11378 
11379 	if (!cfg80211_reg_can_beacon(&rdev->wiphy, &ibss.chandef,
11380 				     NL80211_IFTYPE_ADHOC))
11381 		return -EINVAL;
11382 
11383 	switch (ibss.chandef.width) {
11384 	case NL80211_CHAN_WIDTH_5:
11385 	case NL80211_CHAN_WIDTH_10:
11386 	case NL80211_CHAN_WIDTH_20_NOHT:
11387 		break;
11388 	case NL80211_CHAN_WIDTH_20:
11389 	case NL80211_CHAN_WIDTH_40:
11390 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11391 			return -EINVAL;
11392 		break;
11393 	case NL80211_CHAN_WIDTH_80:
11394 	case NL80211_CHAN_WIDTH_80P80:
11395 	case NL80211_CHAN_WIDTH_160:
11396 		if (!(rdev->wiphy.features & NL80211_FEATURE_HT_IBSS))
11397 			return -EINVAL;
11398 		if (!wiphy_ext_feature_isset(&rdev->wiphy,
11399 					     NL80211_EXT_FEATURE_VHT_IBSS))
11400 			return -EINVAL;
11401 		break;
11402 	case NL80211_CHAN_WIDTH_320:
11403 		return -EINVAL;
11404 	default:
11405 		return -EINVAL;
11406 	}
11407 
11408 	ibss.channel_fixed = !!info->attrs[NL80211_ATTR_FREQ_FIXED];
11409 	ibss.privacy = !!info->attrs[NL80211_ATTR_PRIVACY];
11410 
11411 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
11412 		u8 *rates =
11413 			nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11414 		int n_rates =
11415 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
11416 		struct ieee80211_supported_band *sband =
11417 			wiphy->bands[ibss.chandef.chan->band];
11418 
11419 		err = ieee80211_get_ratemask(sband, rates, n_rates,
11420 					     &ibss.basic_rates);
11421 		if (err)
11422 			return err;
11423 	}
11424 
11425 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11426 		memcpy(&ibss.ht_capa_mask,
11427 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11428 		       sizeof(ibss.ht_capa_mask));
11429 
11430 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11431 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11432 			return -EINVAL;
11433 		memcpy(&ibss.ht_capa,
11434 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11435 		       sizeof(ibss.ht_capa));
11436 	}
11437 
11438 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
11439 	    !nl80211_parse_mcast_rate(rdev, ibss.mcast_rate,
11440 			nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
11441 		return -EINVAL;
11442 
11443 	if (ibss.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11444 		bool no_ht = false;
11445 
11446 		connkeys = nl80211_parse_connkeys(rdev, info, &no_ht);
11447 		if (IS_ERR(connkeys))
11448 			return PTR_ERR(connkeys);
11449 
11450 		if ((ibss.chandef.width != NL80211_CHAN_WIDTH_20_NOHT) &&
11451 		    no_ht) {
11452 			kfree_sensitive(connkeys);
11453 			return -EINVAL;
11454 		}
11455 	}
11456 
11457 	ibss.control_port =
11458 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT]);
11459 
11460 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
11461 		int r = validate_pae_over_nl80211(rdev, info);
11462 
11463 		if (r < 0) {
11464 			kfree_sensitive(connkeys);
11465 			return r;
11466 		}
11467 
11468 		ibss.control_port_over_nl80211 = true;
11469 	}
11470 
11471 	ibss.userspace_handles_dfs =
11472 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
11473 
11474 	wdev_lock(dev->ieee80211_ptr);
11475 	err = __cfg80211_join_ibss(rdev, dev, &ibss, connkeys);
11476 	if (err)
11477 		kfree_sensitive(connkeys);
11478 	else if (info->attrs[NL80211_ATTR_SOCKET_OWNER])
11479 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
11480 	wdev_unlock(dev->ieee80211_ptr);
11481 
11482 	return err;
11483 }
11484 
11485 static int nl80211_leave_ibss(struct sk_buff *skb, struct genl_info *info)
11486 {
11487 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11488 	struct net_device *dev = info->user_ptr[1];
11489 
11490 	if (!rdev->ops->leave_ibss)
11491 		return -EOPNOTSUPP;
11492 
11493 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC)
11494 		return -EOPNOTSUPP;
11495 
11496 	return cfg80211_leave_ibss(rdev, dev, false);
11497 }
11498 
11499 static int nl80211_set_mcast_rate(struct sk_buff *skb, struct genl_info *info)
11500 {
11501 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11502 	struct net_device *dev = info->user_ptr[1];
11503 	int mcast_rate[NUM_NL80211_BANDS];
11504 	u32 nla_rate;
11505 
11506 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_ADHOC &&
11507 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
11508 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_OCB)
11509 		return -EOPNOTSUPP;
11510 
11511 	if (!rdev->ops->set_mcast_rate)
11512 		return -EOPNOTSUPP;
11513 
11514 	memset(mcast_rate, 0, sizeof(mcast_rate));
11515 
11516 	if (!info->attrs[NL80211_ATTR_MCAST_RATE])
11517 		return -EINVAL;
11518 
11519 	nla_rate = nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE]);
11520 	if (!nl80211_parse_mcast_rate(rdev, mcast_rate, nla_rate))
11521 		return -EINVAL;
11522 
11523 	return rdev_set_mcast_rate(rdev, dev, mcast_rate);
11524 }
11525 
11526 static struct sk_buff *
11527 __cfg80211_alloc_vendor_skb(struct cfg80211_registered_device *rdev,
11528 			    struct wireless_dev *wdev, int approxlen,
11529 			    u32 portid, u32 seq, enum nl80211_commands cmd,
11530 			    enum nl80211_attrs attr,
11531 			    const struct nl80211_vendor_cmd_info *info,
11532 			    gfp_t gfp)
11533 {
11534 	struct sk_buff *skb;
11535 	void *hdr;
11536 	struct nlattr *data;
11537 
11538 	skb = nlmsg_new(approxlen + 100, gfp);
11539 	if (!skb)
11540 		return NULL;
11541 
11542 	hdr = nl80211hdr_put(skb, portid, seq, 0, cmd);
11543 	if (!hdr) {
11544 		kfree_skb(skb);
11545 		return NULL;
11546 	}
11547 
11548 	if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
11549 		goto nla_put_failure;
11550 
11551 	if (info) {
11552 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_ID,
11553 				info->vendor_id))
11554 			goto nla_put_failure;
11555 		if (nla_put_u32(skb, NL80211_ATTR_VENDOR_SUBCMD,
11556 				info->subcmd))
11557 			goto nla_put_failure;
11558 	}
11559 
11560 	if (wdev) {
11561 		if (nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
11562 				      wdev_id(wdev), NL80211_ATTR_PAD))
11563 			goto nla_put_failure;
11564 		if (wdev->netdev &&
11565 		    nla_put_u32(skb, NL80211_ATTR_IFINDEX,
11566 				wdev->netdev->ifindex))
11567 			goto nla_put_failure;
11568 	}
11569 
11570 	data = nla_nest_start_noflag(skb, attr);
11571 	if (!data)
11572 		goto nla_put_failure;
11573 
11574 	((void **)skb->cb)[0] = rdev;
11575 	((void **)skb->cb)[1] = hdr;
11576 	((void **)skb->cb)[2] = data;
11577 
11578 	return skb;
11579 
11580  nla_put_failure:
11581 	kfree_skb(skb);
11582 	return NULL;
11583 }
11584 
11585 struct sk_buff *__cfg80211_alloc_event_skb(struct wiphy *wiphy,
11586 					   struct wireless_dev *wdev,
11587 					   enum nl80211_commands cmd,
11588 					   enum nl80211_attrs attr,
11589 					   unsigned int portid,
11590 					   int vendor_event_idx,
11591 					   int approxlen, gfp_t gfp)
11592 {
11593 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
11594 	const struct nl80211_vendor_cmd_info *info;
11595 
11596 	switch (cmd) {
11597 	case NL80211_CMD_TESTMODE:
11598 		if (WARN_ON(vendor_event_idx != -1))
11599 			return NULL;
11600 		info = NULL;
11601 		break;
11602 	case NL80211_CMD_VENDOR:
11603 		if (WARN_ON(vendor_event_idx < 0 ||
11604 			    vendor_event_idx >= wiphy->n_vendor_events))
11605 			return NULL;
11606 		info = &wiphy->vendor_events[vendor_event_idx];
11607 		break;
11608 	default:
11609 		WARN_ON(1);
11610 		return NULL;
11611 	}
11612 
11613 	return __cfg80211_alloc_vendor_skb(rdev, wdev, approxlen, portid, 0,
11614 					   cmd, attr, info, gfp);
11615 }
11616 EXPORT_SYMBOL(__cfg80211_alloc_event_skb);
11617 
11618 void __cfg80211_send_event_skb(struct sk_buff *skb, gfp_t gfp)
11619 {
11620 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
11621 	void *hdr = ((void **)skb->cb)[1];
11622 	struct nlmsghdr *nlhdr = nlmsg_hdr(skb);
11623 	struct nlattr *data = ((void **)skb->cb)[2];
11624 	enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE;
11625 
11626 	/* clear CB data for netlink core to own from now on */
11627 	memset(skb->cb, 0, sizeof(skb->cb));
11628 
11629 	nla_nest_end(skb, data);
11630 	genlmsg_end(skb, hdr);
11631 
11632 	if (nlhdr->nlmsg_pid) {
11633 		genlmsg_unicast(wiphy_net(&rdev->wiphy), skb,
11634 				nlhdr->nlmsg_pid);
11635 	} else {
11636 		if (data->nla_type == NL80211_ATTR_VENDOR_DATA)
11637 			mcgrp = NL80211_MCGRP_VENDOR;
11638 
11639 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
11640 					skb, 0, mcgrp, gfp);
11641 	}
11642 }
11643 EXPORT_SYMBOL(__cfg80211_send_event_skb);
11644 
11645 #ifdef CONFIG_NL80211_TESTMODE
11646 static int nl80211_testmode_do(struct sk_buff *skb, struct genl_info *info)
11647 {
11648 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11649 	struct wireless_dev *wdev;
11650 	int err;
11651 
11652 	lockdep_assert_held(&rdev->wiphy.mtx);
11653 
11654 	wdev = __cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
11655 					  info->attrs);
11656 
11657 	if (!rdev->ops->testmode_cmd)
11658 		return -EOPNOTSUPP;
11659 
11660 	if (IS_ERR(wdev)) {
11661 		err = PTR_ERR(wdev);
11662 		if (err != -EINVAL)
11663 			return err;
11664 		wdev = NULL;
11665 	} else if (wdev->wiphy != &rdev->wiphy) {
11666 		return -EINVAL;
11667 	}
11668 
11669 	if (!info->attrs[NL80211_ATTR_TESTDATA])
11670 		return -EINVAL;
11671 
11672 	rdev->cur_cmd_info = info;
11673 	err = rdev_testmode_cmd(rdev, wdev,
11674 				nla_data(info->attrs[NL80211_ATTR_TESTDATA]),
11675 				nla_len(info->attrs[NL80211_ATTR_TESTDATA]));
11676 	rdev->cur_cmd_info = NULL;
11677 
11678 	return err;
11679 }
11680 
11681 static int nl80211_testmode_dump(struct sk_buff *skb,
11682 				 struct netlink_callback *cb)
11683 {
11684 	struct cfg80211_registered_device *rdev;
11685 	struct nlattr **attrbuf = NULL;
11686 	int err;
11687 	long phy_idx;
11688 	void *data = NULL;
11689 	int data_len = 0;
11690 
11691 	rtnl_lock();
11692 
11693 	if (cb->args[0]) {
11694 		/*
11695 		 * 0 is a valid index, but not valid for args[0],
11696 		 * so we need to offset by 1.
11697 		 */
11698 		phy_idx = cb->args[0] - 1;
11699 
11700 		rdev = cfg80211_rdev_by_wiphy_idx(phy_idx);
11701 		if (!rdev) {
11702 			err = -ENOENT;
11703 			goto out_err;
11704 		}
11705 	} else {
11706 		attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf),
11707 				  GFP_KERNEL);
11708 		if (!attrbuf) {
11709 			err = -ENOMEM;
11710 			goto out_err;
11711 		}
11712 
11713 		err = nlmsg_parse_deprecated(cb->nlh,
11714 					     GENL_HDRLEN + nl80211_fam.hdrsize,
11715 					     attrbuf, nl80211_fam.maxattr,
11716 					     nl80211_policy, NULL);
11717 		if (err)
11718 			goto out_err;
11719 
11720 		rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
11721 		if (IS_ERR(rdev)) {
11722 			err = PTR_ERR(rdev);
11723 			goto out_err;
11724 		}
11725 		phy_idx = rdev->wiphy_idx;
11726 
11727 		if (attrbuf[NL80211_ATTR_TESTDATA])
11728 			cb->args[1] = (long)attrbuf[NL80211_ATTR_TESTDATA];
11729 	}
11730 
11731 	if (cb->args[1]) {
11732 		data = nla_data((void *)cb->args[1]);
11733 		data_len = nla_len((void *)cb->args[1]);
11734 	}
11735 
11736 	if (!rdev->ops->testmode_dump) {
11737 		err = -EOPNOTSUPP;
11738 		goto out_err;
11739 	}
11740 
11741 	while (1) {
11742 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
11743 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
11744 					   NL80211_CMD_TESTMODE);
11745 		struct nlattr *tmdata;
11746 
11747 		if (!hdr)
11748 			break;
11749 
11750 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, phy_idx)) {
11751 			genlmsg_cancel(skb, hdr);
11752 			break;
11753 		}
11754 
11755 		tmdata = nla_nest_start_noflag(skb, NL80211_ATTR_TESTDATA);
11756 		if (!tmdata) {
11757 			genlmsg_cancel(skb, hdr);
11758 			break;
11759 		}
11760 		err = rdev_testmode_dump(rdev, skb, cb, data, data_len);
11761 		nla_nest_end(skb, tmdata);
11762 
11763 		if (err == -ENOBUFS || err == -ENOENT) {
11764 			genlmsg_cancel(skb, hdr);
11765 			break;
11766 		} else if (err) {
11767 			genlmsg_cancel(skb, hdr);
11768 			goto out_err;
11769 		}
11770 
11771 		genlmsg_end(skb, hdr);
11772 	}
11773 
11774 	err = skb->len;
11775 	/* see above */
11776 	cb->args[0] = phy_idx + 1;
11777  out_err:
11778 	kfree(attrbuf);
11779 	rtnl_unlock();
11780 	return err;
11781 }
11782 #endif
11783 
11784 static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
11785 {
11786 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
11787 	struct net_device *dev = info->user_ptr[1];
11788 	struct cfg80211_connect_params connect;
11789 	struct wiphy *wiphy;
11790 	struct cfg80211_cached_keys *connkeys = NULL;
11791 	u32 freq = 0;
11792 	int err;
11793 
11794 	memset(&connect, 0, sizeof(connect));
11795 
11796 	if (!info->attrs[NL80211_ATTR_SSID] ||
11797 	    !nla_len(info->attrs[NL80211_ATTR_SSID]))
11798 		return -EINVAL;
11799 
11800 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
11801 		connect.auth_type =
11802 			nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
11803 		if (!nl80211_valid_auth_type(rdev, connect.auth_type,
11804 					     NL80211_CMD_CONNECT))
11805 			return -EINVAL;
11806 	} else
11807 		connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC;
11808 
11809 	connect.privacy = info->attrs[NL80211_ATTR_PRIVACY];
11810 
11811 	if (info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS] &&
11812 	    !wiphy_ext_feature_isset(&rdev->wiphy,
11813 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
11814 		return -EINVAL;
11815 	connect.want_1x = info->attrs[NL80211_ATTR_WANT_1X_4WAY_HS];
11816 
11817 	err = nl80211_crypto_settings(rdev, info, &connect.crypto,
11818 				      NL80211_MAX_NR_CIPHER_SUITES);
11819 	if (err)
11820 		return err;
11821 
11822 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
11823 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
11824 		return -EOPNOTSUPP;
11825 
11826 	wiphy = &rdev->wiphy;
11827 
11828 	connect.bg_scan_period = -1;
11829 	if (info->attrs[NL80211_ATTR_BG_SCAN_PERIOD] &&
11830 		(wiphy->flags & WIPHY_FLAG_SUPPORTS_FW_ROAM)) {
11831 		connect.bg_scan_period =
11832 			nla_get_u16(info->attrs[NL80211_ATTR_BG_SCAN_PERIOD]);
11833 	}
11834 
11835 	if (info->attrs[NL80211_ATTR_MAC])
11836 		connect.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
11837 	else if (info->attrs[NL80211_ATTR_MAC_HINT])
11838 		connect.bssid_hint =
11839 			nla_data(info->attrs[NL80211_ATTR_MAC_HINT]);
11840 	connect.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
11841 	connect.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
11842 
11843 	if (info->attrs[NL80211_ATTR_IE]) {
11844 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
11845 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
11846 	}
11847 
11848 	if (info->attrs[NL80211_ATTR_USE_MFP]) {
11849 		connect.mfp = nla_get_u32(info->attrs[NL80211_ATTR_USE_MFP]);
11850 		if (connect.mfp == NL80211_MFP_OPTIONAL &&
11851 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11852 					     NL80211_EXT_FEATURE_MFP_OPTIONAL))
11853 			return -EOPNOTSUPP;
11854 	} else {
11855 		connect.mfp = NL80211_MFP_NO;
11856 	}
11857 
11858 	if (info->attrs[NL80211_ATTR_PREV_BSSID])
11859 		connect.prev_bssid =
11860 			nla_data(info->attrs[NL80211_ATTR_PREV_BSSID]);
11861 
11862 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ])
11863 		freq = MHZ_TO_KHZ(nla_get_u32(
11864 					info->attrs[NL80211_ATTR_WIPHY_FREQ]));
11865 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET])
11866 		freq +=
11867 		    nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]);
11868 
11869 	if (freq) {
11870 		connect.channel = nl80211_get_valid_chan(wiphy, freq);
11871 		if (!connect.channel)
11872 			return -EINVAL;
11873 	} else if (info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]) {
11874 		freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_HINT]);
11875 		freq = MHZ_TO_KHZ(freq);
11876 		connect.channel_hint = nl80211_get_valid_chan(wiphy, freq);
11877 		if (!connect.channel_hint)
11878 			return -EINVAL;
11879 	}
11880 
11881 	if (info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]) {
11882 		connect.edmg.channels =
11883 		      nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_CHANNELS]);
11884 
11885 		if (info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG])
11886 			connect.edmg.bw_config =
11887 				nla_get_u8(info->attrs[NL80211_ATTR_WIPHY_EDMG_BW_CONFIG]);
11888 	}
11889 
11890 	if (connect.privacy && info->attrs[NL80211_ATTR_KEYS]) {
11891 		connkeys = nl80211_parse_connkeys(rdev, info, NULL);
11892 		if (IS_ERR(connkeys))
11893 			return PTR_ERR(connkeys);
11894 	}
11895 
11896 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HT]))
11897 		connect.flags |= ASSOC_REQ_DISABLE_HT;
11898 
11899 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK])
11900 		memcpy(&connect.ht_capa_mask,
11901 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]),
11902 		       sizeof(connect.ht_capa_mask));
11903 
11904 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY]) {
11905 		if (!info->attrs[NL80211_ATTR_HT_CAPABILITY_MASK]) {
11906 			kfree_sensitive(connkeys);
11907 			return -EINVAL;
11908 		}
11909 		memcpy(&connect.ht_capa,
11910 		       nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]),
11911 		       sizeof(connect.ht_capa));
11912 	}
11913 
11914 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_VHT]))
11915 		connect.flags |= ASSOC_REQ_DISABLE_VHT;
11916 
11917 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_HE]))
11918 		connect.flags |= ASSOC_REQ_DISABLE_HE;
11919 
11920 	if (nla_get_flag(info->attrs[NL80211_ATTR_DISABLE_EHT]))
11921 		connect.flags |= ASSOC_REQ_DISABLE_EHT;
11922 
11923 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK])
11924 		memcpy(&connect.vht_capa_mask,
11925 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]),
11926 		       sizeof(connect.vht_capa_mask));
11927 
11928 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY]) {
11929 		if (!info->attrs[NL80211_ATTR_VHT_CAPABILITY_MASK]) {
11930 			kfree_sensitive(connkeys);
11931 			return -EINVAL;
11932 		}
11933 		memcpy(&connect.vht_capa,
11934 		       nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]),
11935 		       sizeof(connect.vht_capa));
11936 	}
11937 
11938 	if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
11939 		if (!((rdev->wiphy.features &
11940 			NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) &&
11941 		       (rdev->wiphy.features & NL80211_FEATURE_QUIET)) &&
11942 		    !wiphy_ext_feature_isset(&rdev->wiphy,
11943 					     NL80211_EXT_FEATURE_RRM)) {
11944 			kfree_sensitive(connkeys);
11945 			return -EINVAL;
11946 		}
11947 		connect.flags |= ASSOC_REQ_USE_RRM;
11948 	}
11949 
11950 	connect.pbss = nla_get_flag(info->attrs[NL80211_ATTR_PBSS]);
11951 	if (connect.pbss && !rdev->wiphy.bands[NL80211_BAND_60GHZ]) {
11952 		kfree_sensitive(connkeys);
11953 		return -EOPNOTSUPP;
11954 	}
11955 
11956 	if (info->attrs[NL80211_ATTR_BSS_SELECT]) {
11957 		/* bss selection makes no sense if bssid is set */
11958 		if (connect.bssid) {
11959 			kfree_sensitive(connkeys);
11960 			return -EINVAL;
11961 		}
11962 
11963 		err = parse_bss_select(info->attrs[NL80211_ATTR_BSS_SELECT],
11964 				       wiphy, &connect.bss_select);
11965 		if (err) {
11966 			kfree_sensitive(connkeys);
11967 			return err;
11968 		}
11969 	}
11970 
11971 	if (wiphy_ext_feature_isset(&rdev->wiphy,
11972 				    NL80211_EXT_FEATURE_FILS_SK_OFFLOAD) &&
11973 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
11974 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
11975 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
11976 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11977 		connect.fils_erp_username =
11978 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11979 		connect.fils_erp_username_len =
11980 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
11981 		connect.fils_erp_realm =
11982 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11983 		connect.fils_erp_realm_len =
11984 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
11985 		connect.fils_erp_next_seq_num =
11986 			nla_get_u16(
11987 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
11988 		connect.fils_erp_rrk =
11989 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11990 		connect.fils_erp_rrk_len =
11991 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
11992 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
11993 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
11994 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
11995 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
11996 		kfree_sensitive(connkeys);
11997 		return -EINVAL;
11998 	}
11999 
12000 	if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
12001 		if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12002 			kfree_sensitive(connkeys);
12003 			GENL_SET_ERR_MSG(info,
12004 					 "external auth requires connection ownership");
12005 			return -EINVAL;
12006 		}
12007 		connect.flags |= CONNECT_REQ_EXTERNAL_AUTH_SUPPORT;
12008 	}
12009 
12010 	if (nla_get_flag(info->attrs[NL80211_ATTR_MLO_SUPPORT]))
12011 		connect.flags |= CONNECT_REQ_MLO_SUPPORT;
12012 
12013 	wdev_lock(dev->ieee80211_ptr);
12014 
12015 	err = cfg80211_connect(rdev, dev, &connect, connkeys,
12016 			       connect.prev_bssid);
12017 	if (err)
12018 		kfree_sensitive(connkeys);
12019 
12020 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
12021 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
12022 		if (connect.bssid)
12023 			memcpy(dev->ieee80211_ptr->disconnect_bssid,
12024 			       connect.bssid, ETH_ALEN);
12025 		else
12026 			eth_zero_addr(dev->ieee80211_ptr->disconnect_bssid);
12027 	}
12028 
12029 	wdev_unlock(dev->ieee80211_ptr);
12030 
12031 	return err;
12032 }
12033 
12034 static int nl80211_update_connect_params(struct sk_buff *skb,
12035 					 struct genl_info *info)
12036 {
12037 	struct cfg80211_connect_params connect = {};
12038 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12039 	struct net_device *dev = info->user_ptr[1];
12040 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12041 	bool fils_sk_offload;
12042 	u32 auth_type;
12043 	u32 changed = 0;
12044 	int ret;
12045 
12046 	if (!rdev->ops->update_connect_params)
12047 		return -EOPNOTSUPP;
12048 
12049 	if (info->attrs[NL80211_ATTR_IE]) {
12050 		connect.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
12051 		connect.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
12052 		changed |= UPDATE_ASSOC_IES;
12053 	}
12054 
12055 	fils_sk_offload = wiphy_ext_feature_isset(&rdev->wiphy,
12056 						  NL80211_EXT_FEATURE_FILS_SK_OFFLOAD);
12057 
12058 	/*
12059 	 * when driver supports fils-sk offload all attributes must be
12060 	 * provided. So the else covers "fils-sk-not-all" and
12061 	 * "no-fils-sk-any".
12062 	 */
12063 	if (fils_sk_offload &&
12064 	    info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] &&
12065 	    info->attrs[NL80211_ATTR_FILS_ERP_REALM] &&
12066 	    info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] &&
12067 	    info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12068 		connect.fils_erp_username =
12069 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12070 		connect.fils_erp_username_len =
12071 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_USERNAME]);
12072 		connect.fils_erp_realm =
12073 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12074 		connect.fils_erp_realm_len =
12075 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_REALM]);
12076 		connect.fils_erp_next_seq_num =
12077 			nla_get_u16(
12078 			   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM]);
12079 		connect.fils_erp_rrk =
12080 			nla_data(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12081 		connect.fils_erp_rrk_len =
12082 			nla_len(info->attrs[NL80211_ATTR_FILS_ERP_RRK]);
12083 		changed |= UPDATE_FILS_ERP_INFO;
12084 	} else if (info->attrs[NL80211_ATTR_FILS_ERP_USERNAME] ||
12085 		   info->attrs[NL80211_ATTR_FILS_ERP_REALM] ||
12086 		   info->attrs[NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM] ||
12087 		   info->attrs[NL80211_ATTR_FILS_ERP_RRK]) {
12088 		return -EINVAL;
12089 	}
12090 
12091 	if (info->attrs[NL80211_ATTR_AUTH_TYPE]) {
12092 		auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]);
12093 		if (!nl80211_valid_auth_type(rdev, auth_type,
12094 					     NL80211_CMD_CONNECT))
12095 			return -EINVAL;
12096 
12097 		if (auth_type == NL80211_AUTHTYPE_FILS_SK &&
12098 		    fils_sk_offload && !(changed & UPDATE_FILS_ERP_INFO))
12099 			return -EINVAL;
12100 
12101 		connect.auth_type = auth_type;
12102 		changed |= UPDATE_AUTH_TYPE;
12103 	}
12104 
12105 	wdev_lock(dev->ieee80211_ptr);
12106 	if (!wdev->connected)
12107 		ret = -ENOLINK;
12108 	else
12109 		ret = rdev_update_connect_params(rdev, dev, &connect, changed);
12110 	wdev_unlock(dev->ieee80211_ptr);
12111 
12112 	return ret;
12113 }
12114 
12115 static int nl80211_disconnect(struct sk_buff *skb, struct genl_info *info)
12116 {
12117 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12118 	struct net_device *dev = info->user_ptr[1];
12119 	u16 reason;
12120 	int ret;
12121 
12122 	if (dev->ieee80211_ptr->conn_owner_nlportid &&
12123 	    dev->ieee80211_ptr->conn_owner_nlportid != info->snd_portid)
12124 		return -EPERM;
12125 
12126 	if (!info->attrs[NL80211_ATTR_REASON_CODE])
12127 		reason = WLAN_REASON_DEAUTH_LEAVING;
12128 	else
12129 		reason = nla_get_u16(info->attrs[NL80211_ATTR_REASON_CODE]);
12130 
12131 	if (reason == 0)
12132 		return -EINVAL;
12133 
12134 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12135 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12136 		return -EOPNOTSUPP;
12137 
12138 	wdev_lock(dev->ieee80211_ptr);
12139 	ret = cfg80211_disconnect(rdev, dev, reason, true);
12140 	wdev_unlock(dev->ieee80211_ptr);
12141 	return ret;
12142 }
12143 
12144 static int nl80211_wiphy_netns(struct sk_buff *skb, struct genl_info *info)
12145 {
12146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12147 	struct net *net;
12148 	int err;
12149 
12150 	if (info->attrs[NL80211_ATTR_PID]) {
12151 		u32 pid = nla_get_u32(info->attrs[NL80211_ATTR_PID]);
12152 
12153 		net = get_net_ns_by_pid(pid);
12154 	} else if (info->attrs[NL80211_ATTR_NETNS_FD]) {
12155 		u32 fd = nla_get_u32(info->attrs[NL80211_ATTR_NETNS_FD]);
12156 
12157 		net = get_net_ns_by_fd(fd);
12158 	} else {
12159 		return -EINVAL;
12160 	}
12161 
12162 	if (IS_ERR(net))
12163 		return PTR_ERR(net);
12164 
12165 	err = 0;
12166 
12167 	/* check if anything to do */
12168 	if (!net_eq(wiphy_net(&rdev->wiphy), net))
12169 		err = cfg80211_switch_netns(rdev, net);
12170 
12171 	put_net(net);
12172 	return err;
12173 }
12174 
12175 static int nl80211_setdel_pmksa(struct sk_buff *skb, struct genl_info *info)
12176 {
12177 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12178 	int (*rdev_ops)(struct wiphy *wiphy, struct net_device *dev,
12179 			struct cfg80211_pmksa *pmksa) = NULL;
12180 	struct net_device *dev = info->user_ptr[1];
12181 	struct cfg80211_pmksa pmksa;
12182 
12183 	memset(&pmksa, 0, sizeof(struct cfg80211_pmksa));
12184 
12185 	if (!info->attrs[NL80211_ATTR_PMKID])
12186 		return -EINVAL;
12187 
12188 	pmksa.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
12189 
12190 	if (info->attrs[NL80211_ATTR_MAC]) {
12191 		pmksa.bssid = nla_data(info->attrs[NL80211_ATTR_MAC]);
12192 	} else if (info->attrs[NL80211_ATTR_SSID] &&
12193 		   info->attrs[NL80211_ATTR_FILS_CACHE_ID] &&
12194 		   (info->genlhdr->cmd == NL80211_CMD_DEL_PMKSA ||
12195 		    info->attrs[NL80211_ATTR_PMK])) {
12196 		pmksa.ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
12197 		pmksa.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
12198 		pmksa.cache_id =
12199 			nla_data(info->attrs[NL80211_ATTR_FILS_CACHE_ID]);
12200 	} else {
12201 		return -EINVAL;
12202 	}
12203 	if (info->attrs[NL80211_ATTR_PMK]) {
12204 		pmksa.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
12205 		pmksa.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
12206 	}
12207 
12208 	if (info->attrs[NL80211_ATTR_PMK_LIFETIME])
12209 		pmksa.pmk_lifetime =
12210 			nla_get_u32(info->attrs[NL80211_ATTR_PMK_LIFETIME]);
12211 
12212 	if (info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD])
12213 		pmksa.pmk_reauth_threshold =
12214 			nla_get_u8(
12215 				info->attrs[NL80211_ATTR_PMK_REAUTH_THRESHOLD]);
12216 
12217 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12218 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT &&
12219 	    !(dev->ieee80211_ptr->iftype == NL80211_IFTYPE_AP &&
12220 	      wiphy_ext_feature_isset(&rdev->wiphy,
12221 				      NL80211_EXT_FEATURE_AP_PMKSA_CACHING)))
12222 		return -EOPNOTSUPP;
12223 
12224 	switch (info->genlhdr->cmd) {
12225 	case NL80211_CMD_SET_PMKSA:
12226 		rdev_ops = rdev->ops->set_pmksa;
12227 		break;
12228 	case NL80211_CMD_DEL_PMKSA:
12229 		rdev_ops = rdev->ops->del_pmksa;
12230 		break;
12231 	default:
12232 		WARN_ON(1);
12233 		break;
12234 	}
12235 
12236 	if (!rdev_ops)
12237 		return -EOPNOTSUPP;
12238 
12239 	return rdev_ops(&rdev->wiphy, dev, &pmksa);
12240 }
12241 
12242 static int nl80211_flush_pmksa(struct sk_buff *skb, struct genl_info *info)
12243 {
12244 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12245 	struct net_device *dev = info->user_ptr[1];
12246 
12247 	if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION &&
12248 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT)
12249 		return -EOPNOTSUPP;
12250 
12251 	if (!rdev->ops->flush_pmksa)
12252 		return -EOPNOTSUPP;
12253 
12254 	return rdev_flush_pmksa(rdev, dev);
12255 }
12256 
12257 static int nl80211_tdls_mgmt(struct sk_buff *skb, struct genl_info *info)
12258 {
12259 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12260 	struct net_device *dev = info->user_ptr[1];
12261 	u8 action_code, dialog_token;
12262 	u32 peer_capability = 0;
12263 	u16 status_code;
12264 	u8 *peer;
12265 	int link_id;
12266 	bool initiator;
12267 
12268 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12269 	    !rdev->ops->tdls_mgmt)
12270 		return -EOPNOTSUPP;
12271 
12272 	if (!info->attrs[NL80211_ATTR_TDLS_ACTION] ||
12273 	    !info->attrs[NL80211_ATTR_STATUS_CODE] ||
12274 	    !info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN] ||
12275 	    !info->attrs[NL80211_ATTR_IE] ||
12276 	    !info->attrs[NL80211_ATTR_MAC])
12277 		return -EINVAL;
12278 
12279 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12280 	action_code = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_ACTION]);
12281 	status_code = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
12282 	dialog_token = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_DIALOG_TOKEN]);
12283 	initiator = nla_get_flag(info->attrs[NL80211_ATTR_TDLS_INITIATOR]);
12284 	if (info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY])
12285 		peer_capability =
12286 			nla_get_u32(info->attrs[NL80211_ATTR_TDLS_PEER_CAPABILITY]);
12287 	link_id = nl80211_link_id_or_invalid(info->attrs);
12288 
12289 	return rdev_tdls_mgmt(rdev, dev, peer, link_id, action_code,
12290 			      dialog_token, status_code, peer_capability,
12291 			      initiator,
12292 			      nla_data(info->attrs[NL80211_ATTR_IE]),
12293 			      nla_len(info->attrs[NL80211_ATTR_IE]));
12294 }
12295 
12296 static int nl80211_tdls_oper(struct sk_buff *skb, struct genl_info *info)
12297 {
12298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12299 	struct net_device *dev = info->user_ptr[1];
12300 	enum nl80211_tdls_operation operation;
12301 	u8 *peer;
12302 
12303 	if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_TDLS) ||
12304 	    !rdev->ops->tdls_oper)
12305 		return -EOPNOTSUPP;
12306 
12307 	if (!info->attrs[NL80211_ATTR_TDLS_OPERATION] ||
12308 	    !info->attrs[NL80211_ATTR_MAC])
12309 		return -EINVAL;
12310 
12311 	operation = nla_get_u8(info->attrs[NL80211_ATTR_TDLS_OPERATION]);
12312 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
12313 
12314 	return rdev_tdls_oper(rdev, dev, peer, operation);
12315 }
12316 
12317 static int nl80211_remain_on_channel(struct sk_buff *skb,
12318 				     struct genl_info *info)
12319 {
12320 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12321 	unsigned int link_id = nl80211_link_id(info->attrs);
12322 	struct wireless_dev *wdev = info->user_ptr[1];
12323 	struct cfg80211_chan_def chandef;
12324 	struct sk_buff *msg;
12325 	void *hdr;
12326 	u64 cookie;
12327 	u32 duration;
12328 	int err;
12329 
12330 	if (!info->attrs[NL80211_ATTR_WIPHY_FREQ] ||
12331 	    !info->attrs[NL80211_ATTR_DURATION])
12332 		return -EINVAL;
12333 
12334 	duration = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12335 
12336 	if (!rdev->ops->remain_on_channel ||
12337 	    !(rdev->wiphy.flags & WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL))
12338 		return -EOPNOTSUPP;
12339 
12340 	/*
12341 	 * We should be on that channel for at least a minimum amount of
12342 	 * time (10ms) but no longer than the driver supports.
12343 	 */
12344 	if (duration < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12345 	    duration > rdev->wiphy.max_remain_on_channel_duration)
12346 		return -EINVAL;
12347 
12348 	err = nl80211_parse_chandef(rdev, info, &chandef);
12349 	if (err)
12350 		return err;
12351 
12352 	wdev_lock(wdev);
12353 	if (!cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12354 		const struct cfg80211_chan_def *oper_chandef, *compat_chandef;
12355 
12356 		oper_chandef = wdev_chandef(wdev, link_id);
12357 
12358 		if (WARN_ON(!oper_chandef)) {
12359 			/* cannot happen since we must beacon to get here */
12360 			WARN_ON(1);
12361 			wdev_unlock(wdev);
12362 			return -EBUSY;
12363 		}
12364 
12365 		/* note: returns first one if identical chandefs */
12366 		compat_chandef = cfg80211_chandef_compatible(&chandef,
12367 							     oper_chandef);
12368 
12369 		if (compat_chandef != &chandef) {
12370 			wdev_unlock(wdev);
12371 			return -EBUSY;
12372 		}
12373 	}
12374 	wdev_unlock(wdev);
12375 
12376 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12377 	if (!msg)
12378 		return -ENOMEM;
12379 
12380 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12381 			     NL80211_CMD_REMAIN_ON_CHANNEL);
12382 	if (!hdr) {
12383 		err = -ENOBUFS;
12384 		goto free_msg;
12385 	}
12386 
12387 	err = rdev_remain_on_channel(rdev, wdev, chandef.chan,
12388 				     duration, &cookie);
12389 
12390 	if (err)
12391 		goto free_msg;
12392 
12393 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12394 			      NL80211_ATTR_PAD))
12395 		goto nla_put_failure;
12396 
12397 	genlmsg_end(msg, hdr);
12398 
12399 	return genlmsg_reply(msg, info);
12400 
12401  nla_put_failure:
12402 	err = -ENOBUFS;
12403  free_msg:
12404 	nlmsg_free(msg);
12405 	return err;
12406 }
12407 
12408 static int nl80211_cancel_remain_on_channel(struct sk_buff *skb,
12409 					    struct genl_info *info)
12410 {
12411 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12412 	struct wireless_dev *wdev = info->user_ptr[1];
12413 	u64 cookie;
12414 
12415 	if (!info->attrs[NL80211_ATTR_COOKIE])
12416 		return -EINVAL;
12417 
12418 	if (!rdev->ops->cancel_remain_on_channel)
12419 		return -EOPNOTSUPP;
12420 
12421 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12422 
12423 	return rdev_cancel_remain_on_channel(rdev, wdev, cookie);
12424 }
12425 
12426 static int nl80211_set_tx_bitrate_mask(struct sk_buff *skb,
12427 				       struct genl_info *info)
12428 {
12429 	struct cfg80211_bitrate_mask mask;
12430 	unsigned int link_id = nl80211_link_id(info->attrs);
12431 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12432 	struct net_device *dev = info->user_ptr[1];
12433 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12434 	int err;
12435 
12436 	if (!rdev->ops->set_bitrate_mask)
12437 		return -EOPNOTSUPP;
12438 
12439 	wdev_lock(wdev);
12440 	err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
12441 					    NL80211_ATTR_TX_RATES, &mask,
12442 					    dev, true, link_id);
12443 	if (err)
12444 		goto out;
12445 
12446 	err = rdev_set_bitrate_mask(rdev, dev, link_id, NULL, &mask);
12447 out:
12448 	wdev_unlock(wdev);
12449 	return err;
12450 }
12451 
12452 static int nl80211_register_mgmt(struct sk_buff *skb, struct genl_info *info)
12453 {
12454 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12455 	struct wireless_dev *wdev = info->user_ptr[1];
12456 	u16 frame_type = IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION;
12457 
12458 	if (!info->attrs[NL80211_ATTR_FRAME_MATCH])
12459 		return -EINVAL;
12460 
12461 	if (info->attrs[NL80211_ATTR_FRAME_TYPE])
12462 		frame_type = nla_get_u16(info->attrs[NL80211_ATTR_FRAME_TYPE]);
12463 
12464 	switch (wdev->iftype) {
12465 	case NL80211_IFTYPE_STATION:
12466 	case NL80211_IFTYPE_ADHOC:
12467 	case NL80211_IFTYPE_P2P_CLIENT:
12468 	case NL80211_IFTYPE_AP:
12469 	case NL80211_IFTYPE_AP_VLAN:
12470 	case NL80211_IFTYPE_MESH_POINT:
12471 	case NL80211_IFTYPE_P2P_GO:
12472 	case NL80211_IFTYPE_P2P_DEVICE:
12473 		break;
12474 	case NL80211_IFTYPE_NAN:
12475 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12476 					     NL80211_EXT_FEATURE_SECURE_NAN))
12477 			return -EOPNOTSUPP;
12478 		break;
12479 	default:
12480 		return -EOPNOTSUPP;
12481 	}
12482 
12483 	/* not much point in registering if we can't reply */
12484 	if (!rdev->ops->mgmt_tx)
12485 		return -EOPNOTSUPP;
12486 
12487 	if (info->attrs[NL80211_ATTR_RECEIVE_MULTICAST] &&
12488 	    !wiphy_ext_feature_isset(&rdev->wiphy,
12489 				     NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS)) {
12490 		GENL_SET_ERR_MSG(info,
12491 				 "multicast RX registrations are not supported");
12492 		return -EOPNOTSUPP;
12493 	}
12494 
12495 	return cfg80211_mlme_register_mgmt(wdev, info->snd_portid, frame_type,
12496 					   nla_data(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12497 					   nla_len(info->attrs[NL80211_ATTR_FRAME_MATCH]),
12498 					   info->attrs[NL80211_ATTR_RECEIVE_MULTICAST],
12499 					   info->extack);
12500 }
12501 
12502 static int nl80211_tx_mgmt(struct sk_buff *skb, struct genl_info *info)
12503 {
12504 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12505 	struct wireless_dev *wdev = info->user_ptr[1];
12506 	struct cfg80211_chan_def chandef;
12507 	int err;
12508 	void *hdr = NULL;
12509 	u64 cookie;
12510 	struct sk_buff *msg = NULL;
12511 	struct cfg80211_mgmt_tx_params params = {
12512 		.dont_wait_for_ack =
12513 			info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK],
12514 	};
12515 
12516 	if (!info->attrs[NL80211_ATTR_FRAME])
12517 		return -EINVAL;
12518 
12519 	if (!rdev->ops->mgmt_tx)
12520 		return -EOPNOTSUPP;
12521 
12522 	switch (wdev->iftype) {
12523 	case NL80211_IFTYPE_P2P_DEVICE:
12524 		if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
12525 			return -EINVAL;
12526 		break;
12527 	case NL80211_IFTYPE_STATION:
12528 	case NL80211_IFTYPE_ADHOC:
12529 	case NL80211_IFTYPE_P2P_CLIENT:
12530 	case NL80211_IFTYPE_AP:
12531 	case NL80211_IFTYPE_AP_VLAN:
12532 	case NL80211_IFTYPE_MESH_POINT:
12533 	case NL80211_IFTYPE_P2P_GO:
12534 		break;
12535 	case NL80211_IFTYPE_NAN:
12536 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12537 					     NL80211_EXT_FEATURE_SECURE_NAN))
12538 			return -EOPNOTSUPP;
12539 		break;
12540 	default:
12541 		return -EOPNOTSUPP;
12542 	}
12543 
12544 	if (info->attrs[NL80211_ATTR_DURATION]) {
12545 		if (!(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12546 			return -EINVAL;
12547 		params.wait = nla_get_u32(info->attrs[NL80211_ATTR_DURATION]);
12548 
12549 		/*
12550 		 * We should wait on the channel for at least a minimum amount
12551 		 * of time (10ms) but no longer than the driver supports.
12552 		 */
12553 		if (params.wait < NL80211_MIN_REMAIN_ON_CHANNEL_TIME ||
12554 		    params.wait > rdev->wiphy.max_remain_on_channel_duration)
12555 			return -EINVAL;
12556 	}
12557 
12558 	params.offchan = info->attrs[NL80211_ATTR_OFFCHANNEL_TX_OK];
12559 
12560 	if (params.offchan && !(rdev->wiphy.flags & WIPHY_FLAG_OFFCHAN_TX))
12561 		return -EINVAL;
12562 
12563 	params.no_cck = nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
12564 
12565 	/* get the channel if any has been specified, otherwise pass NULL to
12566 	 * the driver. The latter will use the current one
12567 	 */
12568 	chandef.chan = NULL;
12569 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
12570 		err = nl80211_parse_chandef(rdev, info, &chandef);
12571 		if (err)
12572 			return err;
12573 	}
12574 
12575 	if (!chandef.chan && params.offchan)
12576 		return -EINVAL;
12577 
12578 	wdev_lock(wdev);
12579 	if (params.offchan &&
12580 	    !cfg80211_off_channel_oper_allowed(wdev, chandef.chan)) {
12581 		wdev_unlock(wdev);
12582 		return -EBUSY;
12583 	}
12584 
12585 	params.link_id = nl80211_link_id_or_invalid(info->attrs);
12586 	/*
12587 	 * This now races due to the unlock, but we cannot check
12588 	 * the valid links for the _station_ anyway, so that's up
12589 	 * to the driver.
12590 	 */
12591 	if (params.link_id >= 0 &&
12592 	    !(wdev->valid_links & BIT(params.link_id))) {
12593 		wdev_unlock(wdev);
12594 		return -EINVAL;
12595 	}
12596 	wdev_unlock(wdev);
12597 
12598 	params.buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
12599 	params.len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
12600 
12601 	if (info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]) {
12602 		int len = nla_len(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12603 		int i;
12604 
12605 		if (len % sizeof(u16))
12606 			return -EINVAL;
12607 
12608 		params.n_csa_offsets = len / sizeof(u16);
12609 		params.csa_offsets =
12610 			nla_data(info->attrs[NL80211_ATTR_CSA_C_OFFSETS_TX]);
12611 
12612 		/* check that all the offsets fit the frame */
12613 		for (i = 0; i < params.n_csa_offsets; i++) {
12614 			if (params.csa_offsets[i] >= params.len)
12615 				return -EINVAL;
12616 		}
12617 	}
12618 
12619 	if (!params.dont_wait_for_ack) {
12620 		msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12621 		if (!msg)
12622 			return -ENOMEM;
12623 
12624 		hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12625 				     NL80211_CMD_FRAME);
12626 		if (!hdr) {
12627 			err = -ENOBUFS;
12628 			goto free_msg;
12629 		}
12630 	}
12631 
12632 	params.chan = chandef.chan;
12633 	err = cfg80211_mlme_mgmt_tx(rdev, wdev, &params, &cookie);
12634 	if (err)
12635 		goto free_msg;
12636 
12637 	if (msg) {
12638 		if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
12639 				      NL80211_ATTR_PAD))
12640 			goto nla_put_failure;
12641 
12642 		genlmsg_end(msg, hdr);
12643 		return genlmsg_reply(msg, info);
12644 	}
12645 
12646 	return 0;
12647 
12648  nla_put_failure:
12649 	err = -ENOBUFS;
12650  free_msg:
12651 	nlmsg_free(msg);
12652 	return err;
12653 }
12654 
12655 static int nl80211_tx_mgmt_cancel_wait(struct sk_buff *skb, struct genl_info *info)
12656 {
12657 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12658 	struct wireless_dev *wdev = info->user_ptr[1];
12659 	u64 cookie;
12660 
12661 	if (!info->attrs[NL80211_ATTR_COOKIE])
12662 		return -EINVAL;
12663 
12664 	if (!rdev->ops->mgmt_tx_cancel_wait)
12665 		return -EOPNOTSUPP;
12666 
12667 	switch (wdev->iftype) {
12668 	case NL80211_IFTYPE_STATION:
12669 	case NL80211_IFTYPE_ADHOC:
12670 	case NL80211_IFTYPE_P2P_CLIENT:
12671 	case NL80211_IFTYPE_AP:
12672 	case NL80211_IFTYPE_AP_VLAN:
12673 	case NL80211_IFTYPE_P2P_GO:
12674 	case NL80211_IFTYPE_P2P_DEVICE:
12675 		break;
12676 	case NL80211_IFTYPE_NAN:
12677 		if (!wiphy_ext_feature_isset(wdev->wiphy,
12678 					     NL80211_EXT_FEATURE_SECURE_NAN))
12679 			return -EOPNOTSUPP;
12680 		break;
12681 	default:
12682 		return -EOPNOTSUPP;
12683 	}
12684 
12685 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
12686 
12687 	return rdev_mgmt_tx_cancel_wait(rdev, wdev, cookie);
12688 }
12689 
12690 static int nl80211_set_power_save(struct sk_buff *skb, struct genl_info *info)
12691 {
12692 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12693 	struct wireless_dev *wdev;
12694 	struct net_device *dev = info->user_ptr[1];
12695 	u8 ps_state;
12696 	bool state;
12697 	int err;
12698 
12699 	if (!info->attrs[NL80211_ATTR_PS_STATE])
12700 		return -EINVAL;
12701 
12702 	ps_state = nla_get_u32(info->attrs[NL80211_ATTR_PS_STATE]);
12703 
12704 	wdev = dev->ieee80211_ptr;
12705 
12706 	if (!rdev->ops->set_power_mgmt)
12707 		return -EOPNOTSUPP;
12708 
12709 	state = (ps_state == NL80211_PS_ENABLED) ? true : false;
12710 
12711 	if (state == wdev->ps)
12712 		return 0;
12713 
12714 	err = rdev_set_power_mgmt(rdev, dev, state, wdev->ps_timeout);
12715 	if (!err)
12716 		wdev->ps = state;
12717 	return err;
12718 }
12719 
12720 static int nl80211_get_power_save(struct sk_buff *skb, struct genl_info *info)
12721 {
12722 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12723 	enum nl80211_ps_state ps_state;
12724 	struct wireless_dev *wdev;
12725 	struct net_device *dev = info->user_ptr[1];
12726 	struct sk_buff *msg;
12727 	void *hdr;
12728 	int err;
12729 
12730 	wdev = dev->ieee80211_ptr;
12731 
12732 	if (!rdev->ops->set_power_mgmt)
12733 		return -EOPNOTSUPP;
12734 
12735 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
12736 	if (!msg)
12737 		return -ENOMEM;
12738 
12739 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
12740 			     NL80211_CMD_GET_POWER_SAVE);
12741 	if (!hdr) {
12742 		err = -ENOBUFS;
12743 		goto free_msg;
12744 	}
12745 
12746 	if (wdev->ps)
12747 		ps_state = NL80211_PS_ENABLED;
12748 	else
12749 		ps_state = NL80211_PS_DISABLED;
12750 
12751 	if (nla_put_u32(msg, NL80211_ATTR_PS_STATE, ps_state))
12752 		goto nla_put_failure;
12753 
12754 	genlmsg_end(msg, hdr);
12755 	return genlmsg_reply(msg, info);
12756 
12757  nla_put_failure:
12758 	err = -ENOBUFS;
12759  free_msg:
12760 	nlmsg_free(msg);
12761 	return err;
12762 }
12763 
12764 static const struct nla_policy
12765 nl80211_attr_cqm_policy[NL80211_ATTR_CQM_MAX + 1] = {
12766 	[NL80211_ATTR_CQM_RSSI_THOLD] = { .type = NLA_BINARY },
12767 	[NL80211_ATTR_CQM_RSSI_HYST] = { .type = NLA_U32 },
12768 	[NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT] = { .type = NLA_U32 },
12769 	[NL80211_ATTR_CQM_TXE_RATE] = { .type = NLA_U32 },
12770 	[NL80211_ATTR_CQM_TXE_PKTS] = { .type = NLA_U32 },
12771 	[NL80211_ATTR_CQM_TXE_INTVL] = { .type = NLA_U32 },
12772 	[NL80211_ATTR_CQM_RSSI_LEVEL] = { .type = NLA_S32 },
12773 };
12774 
12775 static int nl80211_set_cqm_txe(struct genl_info *info,
12776 			       u32 rate, u32 pkts, u32 intvl)
12777 {
12778 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12779 	struct net_device *dev = info->user_ptr[1];
12780 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12781 
12782 	if (rate > 100 || intvl > NL80211_CQM_TXE_MAX_INTVL)
12783 		return -EINVAL;
12784 
12785 	if (!rdev->ops->set_cqm_txe_config)
12786 		return -EOPNOTSUPP;
12787 
12788 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12789 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12790 		return -EOPNOTSUPP;
12791 
12792 	return rdev_set_cqm_txe_config(rdev, dev, rate, pkts, intvl);
12793 }
12794 
12795 static int cfg80211_cqm_rssi_update(struct cfg80211_registered_device *rdev,
12796 				    struct net_device *dev)
12797 {
12798 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12799 	s32 last, low, high;
12800 	u32 hyst;
12801 	int i, n, low_index;
12802 	int err;
12803 
12804 	/* RSSI reporting disabled? */
12805 	if (!wdev->cqm_config)
12806 		return rdev_set_cqm_rssi_range_config(rdev, dev, 0, 0);
12807 
12808 	/*
12809 	 * Obtain current RSSI value if possible, if not and no RSSI threshold
12810 	 * event has been received yet, we should receive an event after a
12811 	 * connection is established and enough beacons received to calculate
12812 	 * the average.
12813 	 */
12814 	if (!wdev->cqm_config->last_rssi_event_value &&
12815 	    wdev->links[0].client.current_bss &&
12816 	    rdev->ops->get_station) {
12817 		struct station_info sinfo = {};
12818 		u8 *mac_addr;
12819 
12820 		mac_addr = wdev->links[0].client.current_bss->pub.bssid;
12821 
12822 		err = rdev_get_station(rdev, dev, mac_addr, &sinfo);
12823 		if (err)
12824 			return err;
12825 
12826 		cfg80211_sinfo_release_content(&sinfo);
12827 		if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG))
12828 			wdev->cqm_config->last_rssi_event_value =
12829 				(s8) sinfo.rx_beacon_signal_avg;
12830 	}
12831 
12832 	last = wdev->cqm_config->last_rssi_event_value;
12833 	hyst = wdev->cqm_config->rssi_hyst;
12834 	n = wdev->cqm_config->n_rssi_thresholds;
12835 
12836 	for (i = 0; i < n; i++) {
12837 		i = array_index_nospec(i, n);
12838 		if (last < wdev->cqm_config->rssi_thresholds[i])
12839 			break;
12840 	}
12841 
12842 	low_index = i - 1;
12843 	if (low_index >= 0) {
12844 		low_index = array_index_nospec(low_index, n);
12845 		low = wdev->cqm_config->rssi_thresholds[low_index] - hyst;
12846 	} else {
12847 		low = S32_MIN;
12848 	}
12849 	if (i < n) {
12850 		i = array_index_nospec(i, n);
12851 		high = wdev->cqm_config->rssi_thresholds[i] + hyst - 1;
12852 	} else {
12853 		high = S32_MAX;
12854 	}
12855 
12856 	return rdev_set_cqm_rssi_range_config(rdev, dev, low, high);
12857 }
12858 
12859 static int nl80211_set_cqm_rssi(struct genl_info *info,
12860 				const s32 *thresholds, int n_thresholds,
12861 				u32 hysteresis)
12862 {
12863 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12864 	struct net_device *dev = info->user_ptr[1];
12865 	struct wireless_dev *wdev = dev->ieee80211_ptr;
12866 	int i, err;
12867 	s32 prev = S32_MIN;
12868 
12869 	/* Check all values negative and sorted */
12870 	for (i = 0; i < n_thresholds; i++) {
12871 		if (thresholds[i] > 0 || thresholds[i] <= prev)
12872 			return -EINVAL;
12873 
12874 		prev = thresholds[i];
12875 	}
12876 
12877 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
12878 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
12879 		return -EOPNOTSUPP;
12880 
12881 	wdev_lock(wdev);
12882 	cfg80211_cqm_config_free(wdev);
12883 	wdev_unlock(wdev);
12884 
12885 	if (n_thresholds <= 1 && rdev->ops->set_cqm_rssi_config) {
12886 		if (n_thresholds == 0 || thresholds[0] == 0) /* Disabling */
12887 			return rdev_set_cqm_rssi_config(rdev, dev, 0, 0);
12888 
12889 		return rdev_set_cqm_rssi_config(rdev, dev,
12890 						thresholds[0], hysteresis);
12891 	}
12892 
12893 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
12894 				     NL80211_EXT_FEATURE_CQM_RSSI_LIST))
12895 		return -EOPNOTSUPP;
12896 
12897 	if (n_thresholds == 1 && thresholds[0] == 0) /* Disabling */
12898 		n_thresholds = 0;
12899 
12900 	wdev_lock(wdev);
12901 	if (n_thresholds) {
12902 		struct cfg80211_cqm_config *cqm_config;
12903 
12904 		cqm_config = kzalloc(struct_size(cqm_config, rssi_thresholds,
12905 						 n_thresholds),
12906 				     GFP_KERNEL);
12907 		if (!cqm_config) {
12908 			err = -ENOMEM;
12909 			goto unlock;
12910 		}
12911 
12912 		cqm_config->rssi_hyst = hysteresis;
12913 		cqm_config->n_rssi_thresholds = n_thresholds;
12914 		memcpy(cqm_config->rssi_thresholds, thresholds,
12915 		       flex_array_size(cqm_config, rssi_thresholds,
12916 				       n_thresholds));
12917 
12918 		wdev->cqm_config = cqm_config;
12919 	}
12920 
12921 	err = cfg80211_cqm_rssi_update(rdev, dev);
12922 
12923 unlock:
12924 	wdev_unlock(wdev);
12925 
12926 	return err;
12927 }
12928 
12929 static int nl80211_set_cqm(struct sk_buff *skb, struct genl_info *info)
12930 {
12931 	struct nlattr *attrs[NL80211_ATTR_CQM_MAX + 1];
12932 	struct nlattr *cqm;
12933 	int err;
12934 
12935 	cqm = info->attrs[NL80211_ATTR_CQM];
12936 	if (!cqm)
12937 		return -EINVAL;
12938 
12939 	err = nla_parse_nested_deprecated(attrs, NL80211_ATTR_CQM_MAX, cqm,
12940 					  nl80211_attr_cqm_policy,
12941 					  info->extack);
12942 	if (err)
12943 		return err;
12944 
12945 	if (attrs[NL80211_ATTR_CQM_RSSI_THOLD] &&
12946 	    attrs[NL80211_ATTR_CQM_RSSI_HYST]) {
12947 		const s32 *thresholds =
12948 			nla_data(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12949 		int len = nla_len(attrs[NL80211_ATTR_CQM_RSSI_THOLD]);
12950 		u32 hysteresis = nla_get_u32(attrs[NL80211_ATTR_CQM_RSSI_HYST]);
12951 
12952 		if (len % 4)
12953 			return -EINVAL;
12954 
12955 		return nl80211_set_cqm_rssi(info, thresholds, len / 4,
12956 					    hysteresis);
12957 	}
12958 
12959 	if (attrs[NL80211_ATTR_CQM_TXE_RATE] &&
12960 	    attrs[NL80211_ATTR_CQM_TXE_PKTS] &&
12961 	    attrs[NL80211_ATTR_CQM_TXE_INTVL]) {
12962 		u32 rate = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_RATE]);
12963 		u32 pkts = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_PKTS]);
12964 		u32 intvl = nla_get_u32(attrs[NL80211_ATTR_CQM_TXE_INTVL]);
12965 
12966 		return nl80211_set_cqm_txe(info, rate, pkts, intvl);
12967 	}
12968 
12969 	return -EINVAL;
12970 }
12971 
12972 static int nl80211_join_ocb(struct sk_buff *skb, struct genl_info *info)
12973 {
12974 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12975 	struct net_device *dev = info->user_ptr[1];
12976 	struct ocb_setup setup = {};
12977 	int err;
12978 
12979 	err = nl80211_parse_chandef(rdev, info, &setup.chandef);
12980 	if (err)
12981 		return err;
12982 
12983 	return cfg80211_join_ocb(rdev, dev, &setup);
12984 }
12985 
12986 static int nl80211_leave_ocb(struct sk_buff *skb, struct genl_info *info)
12987 {
12988 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12989 	struct net_device *dev = info->user_ptr[1];
12990 
12991 	return cfg80211_leave_ocb(rdev, dev);
12992 }
12993 
12994 static int nl80211_join_mesh(struct sk_buff *skb, struct genl_info *info)
12995 {
12996 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
12997 	struct net_device *dev = info->user_ptr[1];
12998 	struct mesh_config cfg;
12999 	struct mesh_setup setup;
13000 	int err;
13001 
13002 	/* start with default */
13003 	memcpy(&cfg, &default_mesh_config, sizeof(cfg));
13004 	memcpy(&setup, &default_mesh_setup, sizeof(setup));
13005 
13006 	if (info->attrs[NL80211_ATTR_MESH_CONFIG]) {
13007 		/* and parse parameters if given */
13008 		err = nl80211_parse_mesh_config(info, &cfg, NULL);
13009 		if (err)
13010 			return err;
13011 	}
13012 
13013 	if (!info->attrs[NL80211_ATTR_MESH_ID] ||
13014 	    !nla_len(info->attrs[NL80211_ATTR_MESH_ID]))
13015 		return -EINVAL;
13016 
13017 	setup.mesh_id = nla_data(info->attrs[NL80211_ATTR_MESH_ID]);
13018 	setup.mesh_id_len = nla_len(info->attrs[NL80211_ATTR_MESH_ID]);
13019 
13020 	if (info->attrs[NL80211_ATTR_MCAST_RATE] &&
13021 	    !nl80211_parse_mcast_rate(rdev, setup.mcast_rate,
13022 			    nla_get_u32(info->attrs[NL80211_ATTR_MCAST_RATE])))
13023 			return -EINVAL;
13024 
13025 	if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
13026 		setup.beacon_interval =
13027 			nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
13028 
13029 		err = cfg80211_validate_beacon_int(rdev,
13030 						   NL80211_IFTYPE_MESH_POINT,
13031 						   setup.beacon_interval);
13032 		if (err)
13033 			return err;
13034 	}
13035 
13036 	if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
13037 		setup.dtim_period =
13038 			nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
13039 		if (setup.dtim_period < 1 || setup.dtim_period > 100)
13040 			return -EINVAL;
13041 	}
13042 
13043 	if (info->attrs[NL80211_ATTR_MESH_SETUP]) {
13044 		/* parse additional setup parameters if given */
13045 		err = nl80211_parse_mesh_setup(info, &setup);
13046 		if (err)
13047 			return err;
13048 	}
13049 
13050 	if (setup.user_mpm)
13051 		cfg.auto_open_plinks = false;
13052 
13053 	if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
13054 		err = nl80211_parse_chandef(rdev, info, &setup.chandef);
13055 		if (err)
13056 			return err;
13057 	} else {
13058 		/* __cfg80211_join_mesh() will sort it out */
13059 		setup.chandef.chan = NULL;
13060 	}
13061 
13062 	if (info->attrs[NL80211_ATTR_BSS_BASIC_RATES]) {
13063 		u8 *rates = nla_data(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13064 		int n_rates =
13065 			nla_len(info->attrs[NL80211_ATTR_BSS_BASIC_RATES]);
13066 		struct ieee80211_supported_band *sband;
13067 
13068 		if (!setup.chandef.chan)
13069 			return -EINVAL;
13070 
13071 		sband = rdev->wiphy.bands[setup.chandef.chan->band];
13072 
13073 		err = ieee80211_get_ratemask(sband, rates, n_rates,
13074 					     &setup.basic_rates);
13075 		if (err)
13076 			return err;
13077 	}
13078 
13079 	if (info->attrs[NL80211_ATTR_TX_RATES]) {
13080 		err = nl80211_parse_tx_bitrate_mask(info, info->attrs,
13081 						    NL80211_ATTR_TX_RATES,
13082 						    &setup.beacon_rate,
13083 						    dev, false, 0);
13084 		if (err)
13085 			return err;
13086 
13087 		if (!setup.chandef.chan)
13088 			return -EINVAL;
13089 
13090 		err = validate_beacon_tx_rate(rdev, setup.chandef.chan->band,
13091 					      &setup.beacon_rate);
13092 		if (err)
13093 			return err;
13094 	}
13095 
13096 	setup.userspace_handles_dfs =
13097 		nla_get_flag(info->attrs[NL80211_ATTR_HANDLE_DFS]);
13098 
13099 	if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
13100 		int r = validate_pae_over_nl80211(rdev, info);
13101 
13102 		if (r < 0)
13103 			return r;
13104 
13105 		setup.control_port_over_nl80211 = true;
13106 	}
13107 
13108 	wdev_lock(dev->ieee80211_ptr);
13109 	err = __cfg80211_join_mesh(rdev, dev, &setup, &cfg);
13110 	if (!err && info->attrs[NL80211_ATTR_SOCKET_OWNER])
13111 		dev->ieee80211_ptr->conn_owner_nlportid = info->snd_portid;
13112 	wdev_unlock(dev->ieee80211_ptr);
13113 
13114 	return err;
13115 }
13116 
13117 static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
13118 {
13119 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13120 	struct net_device *dev = info->user_ptr[1];
13121 
13122 	return cfg80211_leave_mesh(rdev, dev);
13123 }
13124 
13125 #ifdef CONFIG_PM
13126 static int nl80211_send_wowlan_patterns(struct sk_buff *msg,
13127 					struct cfg80211_registered_device *rdev)
13128 {
13129 	struct cfg80211_wowlan *wowlan = rdev->wiphy.wowlan_config;
13130 	struct nlattr *nl_pats, *nl_pat;
13131 	int i, pat_len;
13132 
13133 	if (!wowlan->n_patterns)
13134 		return 0;
13135 
13136 	nl_pats = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN);
13137 	if (!nl_pats)
13138 		return -ENOBUFS;
13139 
13140 	for (i = 0; i < wowlan->n_patterns; i++) {
13141 		nl_pat = nla_nest_start_noflag(msg, i + 1);
13142 		if (!nl_pat)
13143 			return -ENOBUFS;
13144 		pat_len = wowlan->patterns[i].pattern_len;
13145 		if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8),
13146 			    wowlan->patterns[i].mask) ||
13147 		    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13148 			    wowlan->patterns[i].pattern) ||
13149 		    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13150 				wowlan->patterns[i].pkt_offset))
13151 			return -ENOBUFS;
13152 		nla_nest_end(msg, nl_pat);
13153 	}
13154 	nla_nest_end(msg, nl_pats);
13155 
13156 	return 0;
13157 }
13158 
13159 static int nl80211_send_wowlan_tcp(struct sk_buff *msg,
13160 				   struct cfg80211_wowlan_tcp *tcp)
13161 {
13162 	struct nlattr *nl_tcp;
13163 
13164 	if (!tcp)
13165 		return 0;
13166 
13167 	nl_tcp = nla_nest_start_noflag(msg,
13168 				       NL80211_WOWLAN_TRIG_TCP_CONNECTION);
13169 	if (!nl_tcp)
13170 		return -ENOBUFS;
13171 
13172 	if (nla_put_in_addr(msg, NL80211_WOWLAN_TCP_SRC_IPV4, tcp->src) ||
13173 	    nla_put_in_addr(msg, NL80211_WOWLAN_TCP_DST_IPV4, tcp->dst) ||
13174 	    nla_put(msg, NL80211_WOWLAN_TCP_DST_MAC, ETH_ALEN, tcp->dst_mac) ||
13175 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_SRC_PORT, tcp->src_port) ||
13176 	    nla_put_u16(msg, NL80211_WOWLAN_TCP_DST_PORT, tcp->dst_port) ||
13177 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD,
13178 		    tcp->payload_len, tcp->payload) ||
13179 	    nla_put_u32(msg, NL80211_WOWLAN_TCP_DATA_INTERVAL,
13180 			tcp->data_interval) ||
13181 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_PAYLOAD,
13182 		    tcp->wake_len, tcp->wake_data) ||
13183 	    nla_put(msg, NL80211_WOWLAN_TCP_WAKE_MASK,
13184 		    DIV_ROUND_UP(tcp->wake_len, 8), tcp->wake_mask))
13185 		return -ENOBUFS;
13186 
13187 	if (tcp->payload_seq.len &&
13188 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ,
13189 		    sizeof(tcp->payload_seq), &tcp->payload_seq))
13190 		return -ENOBUFS;
13191 
13192 	if (tcp->payload_tok.len &&
13193 	    nla_put(msg, NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN,
13194 		    sizeof(tcp->payload_tok) + tcp->tokens_size,
13195 		    &tcp->payload_tok))
13196 		return -ENOBUFS;
13197 
13198 	nla_nest_end(msg, nl_tcp);
13199 
13200 	return 0;
13201 }
13202 
13203 static int nl80211_send_wowlan_nd(struct sk_buff *msg,
13204 				  struct cfg80211_sched_scan_request *req)
13205 {
13206 	struct nlattr *nd, *freqs, *matches, *match, *scan_plans, *scan_plan;
13207 	int i;
13208 
13209 	if (!req)
13210 		return 0;
13211 
13212 	nd = nla_nest_start_noflag(msg, NL80211_WOWLAN_TRIG_NET_DETECT);
13213 	if (!nd)
13214 		return -ENOBUFS;
13215 
13216 	if (req->n_scan_plans == 1 &&
13217 	    nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_INTERVAL,
13218 			req->scan_plans[0].interval * 1000))
13219 		return -ENOBUFS;
13220 
13221 	if (nla_put_u32(msg, NL80211_ATTR_SCHED_SCAN_DELAY, req->delay))
13222 		return -ENOBUFS;
13223 
13224 	if (req->relative_rssi_set) {
13225 		struct nl80211_bss_select_rssi_adjust rssi_adjust;
13226 
13227 		if (nla_put_s8(msg, NL80211_ATTR_SCHED_SCAN_RELATIVE_RSSI,
13228 			       req->relative_rssi))
13229 			return -ENOBUFS;
13230 
13231 		rssi_adjust.band = req->rssi_adjust.band;
13232 		rssi_adjust.delta = req->rssi_adjust.delta;
13233 		if (nla_put(msg, NL80211_ATTR_SCHED_SCAN_RSSI_ADJUST,
13234 			    sizeof(rssi_adjust), &rssi_adjust))
13235 			return -ENOBUFS;
13236 	}
13237 
13238 	freqs = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_FREQUENCIES);
13239 	if (!freqs)
13240 		return -ENOBUFS;
13241 
13242 	for (i = 0; i < req->n_channels; i++) {
13243 		if (nla_put_u32(msg, i, req->channels[i]->center_freq))
13244 			return -ENOBUFS;
13245 	}
13246 
13247 	nla_nest_end(msg, freqs);
13248 
13249 	if (req->n_match_sets) {
13250 		matches = nla_nest_start_noflag(msg,
13251 						NL80211_ATTR_SCHED_SCAN_MATCH);
13252 		if (!matches)
13253 			return -ENOBUFS;
13254 
13255 		for (i = 0; i < req->n_match_sets; i++) {
13256 			match = nla_nest_start_noflag(msg, i);
13257 			if (!match)
13258 				return -ENOBUFS;
13259 
13260 			if (nla_put(msg, NL80211_SCHED_SCAN_MATCH_ATTR_SSID,
13261 				    req->match_sets[i].ssid.ssid_len,
13262 				    req->match_sets[i].ssid.ssid))
13263 				return -ENOBUFS;
13264 			nla_nest_end(msg, match);
13265 		}
13266 		nla_nest_end(msg, matches);
13267 	}
13268 
13269 	scan_plans = nla_nest_start_noflag(msg, NL80211_ATTR_SCHED_SCAN_PLANS);
13270 	if (!scan_plans)
13271 		return -ENOBUFS;
13272 
13273 	for (i = 0; i < req->n_scan_plans; i++) {
13274 		scan_plan = nla_nest_start_noflag(msg, i + 1);
13275 		if (!scan_plan)
13276 			return -ENOBUFS;
13277 
13278 		if (nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_INTERVAL,
13279 				req->scan_plans[i].interval) ||
13280 		    (req->scan_plans[i].iterations &&
13281 		     nla_put_u32(msg, NL80211_SCHED_SCAN_PLAN_ITERATIONS,
13282 				 req->scan_plans[i].iterations)))
13283 			return -ENOBUFS;
13284 		nla_nest_end(msg, scan_plan);
13285 	}
13286 	nla_nest_end(msg, scan_plans);
13287 
13288 	nla_nest_end(msg, nd);
13289 
13290 	return 0;
13291 }
13292 
13293 static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
13294 {
13295 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13296 	struct sk_buff *msg;
13297 	void *hdr;
13298 	u32 size = NLMSG_DEFAULT_SIZE;
13299 
13300 	if (!rdev->wiphy.wowlan)
13301 		return -EOPNOTSUPP;
13302 
13303 	if (rdev->wiphy.wowlan_config && rdev->wiphy.wowlan_config->tcp) {
13304 		/* adjust size to have room for all the data */
13305 		size += rdev->wiphy.wowlan_config->tcp->tokens_size +
13306 			rdev->wiphy.wowlan_config->tcp->payload_len +
13307 			rdev->wiphy.wowlan_config->tcp->wake_len +
13308 			rdev->wiphy.wowlan_config->tcp->wake_len / 8;
13309 	}
13310 
13311 	msg = nlmsg_new(size, GFP_KERNEL);
13312 	if (!msg)
13313 		return -ENOMEM;
13314 
13315 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13316 			     NL80211_CMD_GET_WOWLAN);
13317 	if (!hdr)
13318 		goto nla_put_failure;
13319 
13320 	if (rdev->wiphy.wowlan_config) {
13321 		struct nlattr *nl_wowlan;
13322 
13323 		nl_wowlan = nla_nest_start_noflag(msg,
13324 						  NL80211_ATTR_WOWLAN_TRIGGERS);
13325 		if (!nl_wowlan)
13326 			goto nla_put_failure;
13327 
13328 		if ((rdev->wiphy.wowlan_config->any &&
13329 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_ANY)) ||
13330 		    (rdev->wiphy.wowlan_config->disconnect &&
13331 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT)) ||
13332 		    (rdev->wiphy.wowlan_config->magic_pkt &&
13333 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT)) ||
13334 		    (rdev->wiphy.wowlan_config->gtk_rekey_failure &&
13335 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE)) ||
13336 		    (rdev->wiphy.wowlan_config->eap_identity_req &&
13337 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST)) ||
13338 		    (rdev->wiphy.wowlan_config->four_way_handshake &&
13339 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE)) ||
13340 		    (rdev->wiphy.wowlan_config->rfkill_release &&
13341 		     nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE)))
13342 			goto nla_put_failure;
13343 
13344 		if (nl80211_send_wowlan_patterns(msg, rdev))
13345 			goto nla_put_failure;
13346 
13347 		if (nl80211_send_wowlan_tcp(msg,
13348 					    rdev->wiphy.wowlan_config->tcp))
13349 			goto nla_put_failure;
13350 
13351 		if (nl80211_send_wowlan_nd(
13352 			    msg,
13353 			    rdev->wiphy.wowlan_config->nd_config))
13354 			goto nla_put_failure;
13355 
13356 		nla_nest_end(msg, nl_wowlan);
13357 	}
13358 
13359 	genlmsg_end(msg, hdr);
13360 	return genlmsg_reply(msg, info);
13361 
13362 nla_put_failure:
13363 	nlmsg_free(msg);
13364 	return -ENOBUFS;
13365 }
13366 
13367 static int nl80211_parse_wowlan_tcp(struct cfg80211_registered_device *rdev,
13368 				    struct nlattr *attr,
13369 				    struct cfg80211_wowlan *trig)
13370 {
13371 	struct nlattr *tb[NUM_NL80211_WOWLAN_TCP];
13372 	struct cfg80211_wowlan_tcp *cfg;
13373 	struct nl80211_wowlan_tcp_data_token *tok = NULL;
13374 	struct nl80211_wowlan_tcp_data_seq *seq = NULL;
13375 	u32 size;
13376 	u32 data_size, wake_size, tokens_size = 0, wake_mask_size;
13377 	int err, port;
13378 
13379 	if (!rdev->wiphy.wowlan->tcp)
13380 		return -EINVAL;
13381 
13382 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TCP, attr,
13383 					  nl80211_wowlan_tcp_policy, NULL);
13384 	if (err)
13385 		return err;
13386 
13387 	if (!tb[NL80211_WOWLAN_TCP_SRC_IPV4] ||
13388 	    !tb[NL80211_WOWLAN_TCP_DST_IPV4] ||
13389 	    !tb[NL80211_WOWLAN_TCP_DST_MAC] ||
13390 	    !tb[NL80211_WOWLAN_TCP_DST_PORT] ||
13391 	    !tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD] ||
13392 	    !tb[NL80211_WOWLAN_TCP_DATA_INTERVAL] ||
13393 	    !tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD] ||
13394 	    !tb[NL80211_WOWLAN_TCP_WAKE_MASK])
13395 		return -EINVAL;
13396 
13397 	data_size = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]);
13398 	if (data_size > rdev->wiphy.wowlan->tcp->data_payload_max)
13399 		return -EINVAL;
13400 
13401 	if (nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) >
13402 			rdev->wiphy.wowlan->tcp->data_interval_max ||
13403 	    nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]) == 0)
13404 		return -EINVAL;
13405 
13406 	wake_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]);
13407 	if (wake_size > rdev->wiphy.wowlan->tcp->wake_payload_max)
13408 		return -EINVAL;
13409 
13410 	wake_mask_size = nla_len(tb[NL80211_WOWLAN_TCP_WAKE_MASK]);
13411 	if (wake_mask_size != DIV_ROUND_UP(wake_size, 8))
13412 		return -EINVAL;
13413 
13414 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]) {
13415 		u32 tokln = nla_len(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13416 
13417 		tok = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_TOKEN]);
13418 		tokens_size = tokln - sizeof(*tok);
13419 
13420 		if (!tok->len || tokens_size % tok->len)
13421 			return -EINVAL;
13422 		if (!rdev->wiphy.wowlan->tcp->tok)
13423 			return -EINVAL;
13424 		if (tok->len > rdev->wiphy.wowlan->tcp->tok->max_len)
13425 			return -EINVAL;
13426 		if (tok->len < rdev->wiphy.wowlan->tcp->tok->min_len)
13427 			return -EINVAL;
13428 		if (tokens_size > rdev->wiphy.wowlan->tcp->tok->bufsize)
13429 			return -EINVAL;
13430 		if (tok->offset + tok->len > data_size)
13431 			return -EINVAL;
13432 	}
13433 
13434 	if (tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]) {
13435 		seq = nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD_SEQ]);
13436 		if (!rdev->wiphy.wowlan->tcp->seq)
13437 			return -EINVAL;
13438 		if (seq->len == 0 || seq->len > 4)
13439 			return -EINVAL;
13440 		if (seq->len + seq->offset > data_size)
13441 			return -EINVAL;
13442 	}
13443 
13444 	size = sizeof(*cfg);
13445 	size += data_size;
13446 	size += wake_size + wake_mask_size;
13447 	size += tokens_size;
13448 
13449 	cfg = kzalloc(size, GFP_KERNEL);
13450 	if (!cfg)
13451 		return -ENOMEM;
13452 	cfg->src = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_SRC_IPV4]);
13453 	cfg->dst = nla_get_in_addr(tb[NL80211_WOWLAN_TCP_DST_IPV4]);
13454 	memcpy(cfg->dst_mac, nla_data(tb[NL80211_WOWLAN_TCP_DST_MAC]),
13455 	       ETH_ALEN);
13456 	if (tb[NL80211_WOWLAN_TCP_SRC_PORT])
13457 		port = nla_get_u16(tb[NL80211_WOWLAN_TCP_SRC_PORT]);
13458 	else
13459 		port = 0;
13460 #ifdef CONFIG_INET
13461 	/* allocate a socket and port for it and use it */
13462 	err = __sock_create(wiphy_net(&rdev->wiphy), PF_INET, SOCK_STREAM,
13463 			    IPPROTO_TCP, &cfg->sock, 1);
13464 	if (err) {
13465 		kfree(cfg);
13466 		return err;
13467 	}
13468 	if (inet_csk_get_port(cfg->sock->sk, port)) {
13469 		sock_release(cfg->sock);
13470 		kfree(cfg);
13471 		return -EADDRINUSE;
13472 	}
13473 	cfg->src_port = inet_sk(cfg->sock->sk)->inet_num;
13474 #else
13475 	if (!port) {
13476 		kfree(cfg);
13477 		return -EINVAL;
13478 	}
13479 	cfg->src_port = port;
13480 #endif
13481 
13482 	cfg->dst_port = nla_get_u16(tb[NL80211_WOWLAN_TCP_DST_PORT]);
13483 	cfg->payload_len = data_size;
13484 	cfg->payload = (u8 *)cfg + sizeof(*cfg) + tokens_size;
13485 	memcpy((void *)cfg->payload,
13486 	       nla_data(tb[NL80211_WOWLAN_TCP_DATA_PAYLOAD]),
13487 	       data_size);
13488 	if (seq)
13489 		cfg->payload_seq = *seq;
13490 	cfg->data_interval = nla_get_u32(tb[NL80211_WOWLAN_TCP_DATA_INTERVAL]);
13491 	cfg->wake_len = wake_size;
13492 	cfg->wake_data = (u8 *)cfg + sizeof(*cfg) + tokens_size + data_size;
13493 	memcpy((void *)cfg->wake_data,
13494 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_PAYLOAD]),
13495 	       wake_size);
13496 	cfg->wake_mask = (u8 *)cfg + sizeof(*cfg) + tokens_size +
13497 			 data_size + wake_size;
13498 	memcpy((void *)cfg->wake_mask,
13499 	       nla_data(tb[NL80211_WOWLAN_TCP_WAKE_MASK]),
13500 	       wake_mask_size);
13501 	if (tok) {
13502 		cfg->tokens_size = tokens_size;
13503 		cfg->payload_tok = *tok;
13504 		memcpy(cfg->payload_tok.token_stream, tok->token_stream,
13505 		       tokens_size);
13506 	}
13507 
13508 	trig->tcp = cfg;
13509 
13510 	return 0;
13511 }
13512 
13513 static int nl80211_parse_wowlan_nd(struct cfg80211_registered_device *rdev,
13514 				   const struct wiphy_wowlan_support *wowlan,
13515 				   struct nlattr *attr,
13516 				   struct cfg80211_wowlan *trig)
13517 {
13518 	struct nlattr **tb;
13519 	int err;
13520 
13521 	tb = kcalloc(NUM_NL80211_ATTR, sizeof(*tb), GFP_KERNEL);
13522 	if (!tb)
13523 		return -ENOMEM;
13524 
13525 	if (!(wowlan->flags & WIPHY_WOWLAN_NET_DETECT)) {
13526 		err = -EOPNOTSUPP;
13527 		goto out;
13528 	}
13529 
13530 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_MAX, attr,
13531 					  nl80211_policy, NULL);
13532 	if (err)
13533 		goto out;
13534 
13535 	trig->nd_config = nl80211_parse_sched_scan(&rdev->wiphy, NULL, tb,
13536 						   wowlan->max_nd_match_sets);
13537 	err = PTR_ERR_OR_ZERO(trig->nd_config);
13538 	if (err)
13539 		trig->nd_config = NULL;
13540 
13541 out:
13542 	kfree(tb);
13543 	return err;
13544 }
13545 
13546 static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
13547 {
13548 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13549 	struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
13550 	struct cfg80211_wowlan new_triggers = {};
13551 	struct cfg80211_wowlan *ntrig;
13552 	const struct wiphy_wowlan_support *wowlan = rdev->wiphy.wowlan;
13553 	int err, i;
13554 	bool prev_enabled = rdev->wiphy.wowlan_config;
13555 	bool regular = false;
13556 
13557 	if (!wowlan)
13558 		return -EOPNOTSUPP;
13559 
13560 	if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]) {
13561 		cfg80211_rdev_free_wowlan(rdev);
13562 		rdev->wiphy.wowlan_config = NULL;
13563 		goto set_wakeup;
13564 	}
13565 
13566 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_WOWLAN_TRIG,
13567 					  info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS],
13568 					  nl80211_wowlan_policy, info->extack);
13569 	if (err)
13570 		return err;
13571 
13572 	if (tb[NL80211_WOWLAN_TRIG_ANY]) {
13573 		if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
13574 			return -EINVAL;
13575 		new_triggers.any = true;
13576 	}
13577 
13578 	if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
13579 		if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
13580 			return -EINVAL;
13581 		new_triggers.disconnect = true;
13582 		regular = true;
13583 	}
13584 
13585 	if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
13586 		if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
13587 			return -EINVAL;
13588 		new_triggers.magic_pkt = true;
13589 		regular = true;
13590 	}
13591 
13592 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_SUPPORTED])
13593 		return -EINVAL;
13594 
13595 	if (tb[NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE]) {
13596 		if (!(wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE))
13597 			return -EINVAL;
13598 		new_triggers.gtk_rekey_failure = true;
13599 		regular = true;
13600 	}
13601 
13602 	if (tb[NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST]) {
13603 		if (!(wowlan->flags & WIPHY_WOWLAN_EAP_IDENTITY_REQ))
13604 			return -EINVAL;
13605 		new_triggers.eap_identity_req = true;
13606 		regular = true;
13607 	}
13608 
13609 	if (tb[NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE]) {
13610 		if (!(wowlan->flags & WIPHY_WOWLAN_4WAY_HANDSHAKE))
13611 			return -EINVAL;
13612 		new_triggers.four_way_handshake = true;
13613 		regular = true;
13614 	}
13615 
13616 	if (tb[NL80211_WOWLAN_TRIG_RFKILL_RELEASE]) {
13617 		if (!(wowlan->flags & WIPHY_WOWLAN_RFKILL_RELEASE))
13618 			return -EINVAL;
13619 		new_triggers.rfkill_release = true;
13620 		regular = true;
13621 	}
13622 
13623 	if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
13624 		struct nlattr *pat;
13625 		int n_patterns = 0;
13626 		int rem, pat_len, mask_len, pkt_offset;
13627 		struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13628 
13629 		regular = true;
13630 
13631 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13632 				    rem)
13633 			n_patterns++;
13634 		if (n_patterns > wowlan->n_patterns)
13635 			return -EINVAL;
13636 
13637 		new_triggers.patterns = kcalloc(n_patterns,
13638 						sizeof(new_triggers.patterns[0]),
13639 						GFP_KERNEL);
13640 		if (!new_triggers.patterns)
13641 			return -ENOMEM;
13642 
13643 		new_triggers.n_patterns = n_patterns;
13644 		i = 0;
13645 
13646 		nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
13647 				    rem) {
13648 			u8 *mask_pat;
13649 
13650 			err = nla_parse_nested_deprecated(pat_tb,
13651 							  MAX_NL80211_PKTPAT,
13652 							  pat,
13653 							  nl80211_packet_pattern_policy,
13654 							  info->extack);
13655 			if (err)
13656 				goto error;
13657 
13658 			err = -EINVAL;
13659 			if (!pat_tb[NL80211_PKTPAT_MASK] ||
13660 			    !pat_tb[NL80211_PKTPAT_PATTERN])
13661 				goto error;
13662 			pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13663 			mask_len = DIV_ROUND_UP(pat_len, 8);
13664 			if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13665 				goto error;
13666 			if (pat_len > wowlan->pattern_max_len ||
13667 			    pat_len < wowlan->pattern_min_len)
13668 				goto error;
13669 
13670 			if (!pat_tb[NL80211_PKTPAT_OFFSET])
13671 				pkt_offset = 0;
13672 			else
13673 				pkt_offset = nla_get_u32(
13674 					pat_tb[NL80211_PKTPAT_OFFSET]);
13675 			if (pkt_offset > wowlan->max_pkt_offset)
13676 				goto error;
13677 			new_triggers.patterns[i].pkt_offset = pkt_offset;
13678 
13679 			mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13680 			if (!mask_pat) {
13681 				err = -ENOMEM;
13682 				goto error;
13683 			}
13684 			new_triggers.patterns[i].mask = mask_pat;
13685 			memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13686 			       mask_len);
13687 			mask_pat += mask_len;
13688 			new_triggers.patterns[i].pattern = mask_pat;
13689 			new_triggers.patterns[i].pattern_len = pat_len;
13690 			memcpy(mask_pat,
13691 			       nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13692 			       pat_len);
13693 			i++;
13694 		}
13695 	}
13696 
13697 	if (tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION]) {
13698 		regular = true;
13699 		err = nl80211_parse_wowlan_tcp(
13700 			rdev, tb[NL80211_WOWLAN_TRIG_TCP_CONNECTION],
13701 			&new_triggers);
13702 		if (err)
13703 			goto error;
13704 	}
13705 
13706 	if (tb[NL80211_WOWLAN_TRIG_NET_DETECT]) {
13707 		regular = true;
13708 		err = nl80211_parse_wowlan_nd(
13709 			rdev, wowlan, tb[NL80211_WOWLAN_TRIG_NET_DETECT],
13710 			&new_triggers);
13711 		if (err)
13712 			goto error;
13713 	}
13714 
13715 	/* The 'any' trigger means the device continues operating more or less
13716 	 * as in its normal operation mode and wakes up the host on most of the
13717 	 * normal interrupts (like packet RX, ...)
13718 	 * It therefore makes little sense to combine with the more constrained
13719 	 * wakeup trigger modes.
13720 	 */
13721 	if (new_triggers.any && regular) {
13722 		err = -EINVAL;
13723 		goto error;
13724 	}
13725 
13726 	ntrig = kmemdup(&new_triggers, sizeof(new_triggers), GFP_KERNEL);
13727 	if (!ntrig) {
13728 		err = -ENOMEM;
13729 		goto error;
13730 	}
13731 	cfg80211_rdev_free_wowlan(rdev);
13732 	rdev->wiphy.wowlan_config = ntrig;
13733 
13734  set_wakeup:
13735 	if (rdev->ops->set_wakeup &&
13736 	    prev_enabled != !!rdev->wiphy.wowlan_config)
13737 		rdev_set_wakeup(rdev, rdev->wiphy.wowlan_config);
13738 
13739 	return 0;
13740  error:
13741 	for (i = 0; i < new_triggers.n_patterns; i++)
13742 		kfree(new_triggers.patterns[i].mask);
13743 	kfree(new_triggers.patterns);
13744 	if (new_triggers.tcp && new_triggers.tcp->sock)
13745 		sock_release(new_triggers.tcp->sock);
13746 	kfree(new_triggers.tcp);
13747 	kfree(new_triggers.nd_config);
13748 	return err;
13749 }
13750 #endif
13751 
13752 static int nl80211_send_coalesce_rules(struct sk_buff *msg,
13753 				       struct cfg80211_registered_device *rdev)
13754 {
13755 	struct nlattr *nl_pats, *nl_pat, *nl_rule, *nl_rules;
13756 	int i, j, pat_len;
13757 	struct cfg80211_coalesce_rules *rule;
13758 
13759 	if (!rdev->coalesce->n_rules)
13760 		return 0;
13761 
13762 	nl_rules = nla_nest_start_noflag(msg, NL80211_ATTR_COALESCE_RULE);
13763 	if (!nl_rules)
13764 		return -ENOBUFS;
13765 
13766 	for (i = 0; i < rdev->coalesce->n_rules; i++) {
13767 		nl_rule = nla_nest_start_noflag(msg, i + 1);
13768 		if (!nl_rule)
13769 			return -ENOBUFS;
13770 
13771 		rule = &rdev->coalesce->rules[i];
13772 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_DELAY,
13773 				rule->delay))
13774 			return -ENOBUFS;
13775 
13776 		if (nla_put_u32(msg, NL80211_ATTR_COALESCE_RULE_CONDITION,
13777 				rule->condition))
13778 			return -ENOBUFS;
13779 
13780 		nl_pats = nla_nest_start_noflag(msg,
13781 						NL80211_ATTR_COALESCE_RULE_PKT_PATTERN);
13782 		if (!nl_pats)
13783 			return -ENOBUFS;
13784 
13785 		for (j = 0; j < rule->n_patterns; j++) {
13786 			nl_pat = nla_nest_start_noflag(msg, j + 1);
13787 			if (!nl_pat)
13788 				return -ENOBUFS;
13789 			pat_len = rule->patterns[j].pattern_len;
13790 			if (nla_put(msg, NL80211_PKTPAT_MASK,
13791 				    DIV_ROUND_UP(pat_len, 8),
13792 				    rule->patterns[j].mask) ||
13793 			    nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len,
13794 				    rule->patterns[j].pattern) ||
13795 			    nla_put_u32(msg, NL80211_PKTPAT_OFFSET,
13796 					rule->patterns[j].pkt_offset))
13797 				return -ENOBUFS;
13798 			nla_nest_end(msg, nl_pat);
13799 		}
13800 		nla_nest_end(msg, nl_pats);
13801 		nla_nest_end(msg, nl_rule);
13802 	}
13803 	nla_nest_end(msg, nl_rules);
13804 
13805 	return 0;
13806 }
13807 
13808 static int nl80211_get_coalesce(struct sk_buff *skb, struct genl_info *info)
13809 {
13810 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13811 	struct sk_buff *msg;
13812 	void *hdr;
13813 
13814 	if (!rdev->wiphy.coalesce)
13815 		return -EOPNOTSUPP;
13816 
13817 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
13818 	if (!msg)
13819 		return -ENOMEM;
13820 
13821 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
13822 			     NL80211_CMD_GET_COALESCE);
13823 	if (!hdr)
13824 		goto nla_put_failure;
13825 
13826 	if (rdev->coalesce && nl80211_send_coalesce_rules(msg, rdev))
13827 		goto nla_put_failure;
13828 
13829 	genlmsg_end(msg, hdr);
13830 	return genlmsg_reply(msg, info);
13831 
13832 nla_put_failure:
13833 	nlmsg_free(msg);
13834 	return -ENOBUFS;
13835 }
13836 
13837 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev)
13838 {
13839 	struct cfg80211_coalesce *coalesce = rdev->coalesce;
13840 	int i, j;
13841 	struct cfg80211_coalesce_rules *rule;
13842 
13843 	if (!coalesce)
13844 		return;
13845 
13846 	for (i = 0; i < coalesce->n_rules; i++) {
13847 		rule = &coalesce->rules[i];
13848 		for (j = 0; j < rule->n_patterns; j++)
13849 			kfree(rule->patterns[j].mask);
13850 		kfree(rule->patterns);
13851 	}
13852 	kfree(coalesce->rules);
13853 	kfree(coalesce);
13854 	rdev->coalesce = NULL;
13855 }
13856 
13857 static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
13858 				       struct nlattr *rule,
13859 				       struct cfg80211_coalesce_rules *new_rule)
13860 {
13861 	int err, i;
13862 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13863 	struct nlattr *tb[NUM_NL80211_ATTR_COALESCE_RULE], *pat;
13864 	int rem, pat_len, mask_len, pkt_offset, n_patterns = 0;
13865 	struct nlattr *pat_tb[NUM_NL80211_PKTPAT];
13866 
13867 	err = nla_parse_nested_deprecated(tb, NL80211_ATTR_COALESCE_RULE_MAX,
13868 					  rule, nl80211_coalesce_policy, NULL);
13869 	if (err)
13870 		return err;
13871 
13872 	if (tb[NL80211_ATTR_COALESCE_RULE_DELAY])
13873 		new_rule->delay =
13874 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_DELAY]);
13875 	if (new_rule->delay > coalesce->max_delay)
13876 		return -EINVAL;
13877 
13878 	if (tb[NL80211_ATTR_COALESCE_RULE_CONDITION])
13879 		new_rule->condition =
13880 			nla_get_u32(tb[NL80211_ATTR_COALESCE_RULE_CONDITION]);
13881 
13882 	if (!tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN])
13883 		return -EINVAL;
13884 
13885 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13886 			    rem)
13887 		n_patterns++;
13888 	if (n_patterns > coalesce->n_patterns)
13889 		return -EINVAL;
13890 
13891 	new_rule->patterns = kcalloc(n_patterns, sizeof(new_rule->patterns[0]),
13892 				     GFP_KERNEL);
13893 	if (!new_rule->patterns)
13894 		return -ENOMEM;
13895 
13896 	new_rule->n_patterns = n_patterns;
13897 	i = 0;
13898 
13899 	nla_for_each_nested(pat, tb[NL80211_ATTR_COALESCE_RULE_PKT_PATTERN],
13900 			    rem) {
13901 		u8 *mask_pat;
13902 
13903 		err = nla_parse_nested_deprecated(pat_tb, MAX_NL80211_PKTPAT,
13904 						  pat,
13905 						  nl80211_packet_pattern_policy,
13906 						  NULL);
13907 		if (err)
13908 			return err;
13909 
13910 		if (!pat_tb[NL80211_PKTPAT_MASK] ||
13911 		    !pat_tb[NL80211_PKTPAT_PATTERN])
13912 			return -EINVAL;
13913 		pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]);
13914 		mask_len = DIV_ROUND_UP(pat_len, 8);
13915 		if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len)
13916 			return -EINVAL;
13917 		if (pat_len > coalesce->pattern_max_len ||
13918 		    pat_len < coalesce->pattern_min_len)
13919 			return -EINVAL;
13920 
13921 		if (!pat_tb[NL80211_PKTPAT_OFFSET])
13922 			pkt_offset = 0;
13923 		else
13924 			pkt_offset = nla_get_u32(pat_tb[NL80211_PKTPAT_OFFSET]);
13925 		if (pkt_offset > coalesce->max_pkt_offset)
13926 			return -EINVAL;
13927 		new_rule->patterns[i].pkt_offset = pkt_offset;
13928 
13929 		mask_pat = kmalloc(mask_len + pat_len, GFP_KERNEL);
13930 		if (!mask_pat)
13931 			return -ENOMEM;
13932 
13933 		new_rule->patterns[i].mask = mask_pat;
13934 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_MASK]),
13935 		       mask_len);
13936 
13937 		mask_pat += mask_len;
13938 		new_rule->patterns[i].pattern = mask_pat;
13939 		new_rule->patterns[i].pattern_len = pat_len;
13940 		memcpy(mask_pat, nla_data(pat_tb[NL80211_PKTPAT_PATTERN]),
13941 		       pat_len);
13942 		i++;
13943 	}
13944 
13945 	return 0;
13946 }
13947 
13948 static int nl80211_set_coalesce(struct sk_buff *skb, struct genl_info *info)
13949 {
13950 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
13951 	const struct wiphy_coalesce_support *coalesce = rdev->wiphy.coalesce;
13952 	struct cfg80211_coalesce new_coalesce = {};
13953 	struct cfg80211_coalesce *n_coalesce;
13954 	int err, rem_rule, n_rules = 0, i, j;
13955 	struct nlattr *rule;
13956 	struct cfg80211_coalesce_rules *tmp_rule;
13957 
13958 	if (!rdev->wiphy.coalesce || !rdev->ops->set_coalesce)
13959 		return -EOPNOTSUPP;
13960 
13961 	if (!info->attrs[NL80211_ATTR_COALESCE_RULE]) {
13962 		cfg80211_rdev_free_coalesce(rdev);
13963 		rdev_set_coalesce(rdev, NULL);
13964 		return 0;
13965 	}
13966 
13967 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13968 			    rem_rule)
13969 		n_rules++;
13970 	if (n_rules > coalesce->n_rules)
13971 		return -EINVAL;
13972 
13973 	new_coalesce.rules = kcalloc(n_rules, sizeof(new_coalesce.rules[0]),
13974 				     GFP_KERNEL);
13975 	if (!new_coalesce.rules)
13976 		return -ENOMEM;
13977 
13978 	new_coalesce.n_rules = n_rules;
13979 	i = 0;
13980 
13981 	nla_for_each_nested(rule, info->attrs[NL80211_ATTR_COALESCE_RULE],
13982 			    rem_rule) {
13983 		err = nl80211_parse_coalesce_rule(rdev, rule,
13984 						  &new_coalesce.rules[i]);
13985 		if (err)
13986 			goto error;
13987 
13988 		i++;
13989 	}
13990 
13991 	err = rdev_set_coalesce(rdev, &new_coalesce);
13992 	if (err)
13993 		goto error;
13994 
13995 	n_coalesce = kmemdup(&new_coalesce, sizeof(new_coalesce), GFP_KERNEL);
13996 	if (!n_coalesce) {
13997 		err = -ENOMEM;
13998 		goto error;
13999 	}
14000 	cfg80211_rdev_free_coalesce(rdev);
14001 	rdev->coalesce = n_coalesce;
14002 
14003 	return 0;
14004 error:
14005 	for (i = 0; i < new_coalesce.n_rules; i++) {
14006 		tmp_rule = &new_coalesce.rules[i];
14007 		for (j = 0; j < tmp_rule->n_patterns; j++)
14008 			kfree(tmp_rule->patterns[j].mask);
14009 		kfree(tmp_rule->patterns);
14010 	}
14011 	kfree(new_coalesce.rules);
14012 
14013 	return err;
14014 }
14015 
14016 static int nl80211_set_rekey_data(struct sk_buff *skb, struct genl_info *info)
14017 {
14018 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14019 	struct net_device *dev = info->user_ptr[1];
14020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14021 	struct nlattr *tb[NUM_NL80211_REKEY_DATA];
14022 	struct cfg80211_gtk_rekey_data rekey_data = {};
14023 	int err;
14024 
14025 	if (!info->attrs[NL80211_ATTR_REKEY_DATA])
14026 		return -EINVAL;
14027 
14028 	err = nla_parse_nested_deprecated(tb, MAX_NL80211_REKEY_DATA,
14029 					  info->attrs[NL80211_ATTR_REKEY_DATA],
14030 					  nl80211_rekey_policy, info->extack);
14031 	if (err)
14032 		return err;
14033 
14034 	if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
14035 	    !tb[NL80211_REKEY_DATA_KCK])
14036 		return -EINVAL;
14037 	if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN &&
14038 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14039 	      nla_len(tb[NL80211_REKEY_DATA_KEK]) == NL80211_KEK_EXT_LEN))
14040 		return -ERANGE;
14041 	if (nla_len(tb[NL80211_REKEY_DATA_KCK]) != NL80211_KCK_LEN &&
14042 	    !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KEK_KCK &&
14043 	      nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN) &&
14044 	     !(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_EXT_KCK_32 &&
14045 	       nla_len(tb[NL80211_REKEY_DATA_KCK]) == NL80211_KCK_EXT_LEN_32))
14046 		return -ERANGE;
14047 
14048 	rekey_data.kek = nla_data(tb[NL80211_REKEY_DATA_KEK]);
14049 	rekey_data.kck = nla_data(tb[NL80211_REKEY_DATA_KCK]);
14050 	rekey_data.replay_ctr = nla_data(tb[NL80211_REKEY_DATA_REPLAY_CTR]);
14051 	rekey_data.kek_len = nla_len(tb[NL80211_REKEY_DATA_KEK]);
14052 	rekey_data.kck_len = nla_len(tb[NL80211_REKEY_DATA_KCK]);
14053 	if (tb[NL80211_REKEY_DATA_AKM])
14054 		rekey_data.akm = nla_get_u32(tb[NL80211_REKEY_DATA_AKM]);
14055 
14056 	wdev_lock(wdev);
14057 	if (!wdev->connected) {
14058 		err = -ENOTCONN;
14059 		goto out;
14060 	}
14061 
14062 	if (!rdev->ops->set_rekey_data) {
14063 		err = -EOPNOTSUPP;
14064 		goto out;
14065 	}
14066 
14067 	err = rdev_set_rekey_data(rdev, dev, &rekey_data);
14068  out:
14069 	wdev_unlock(wdev);
14070 	return err;
14071 }
14072 
14073 static int nl80211_register_unexpected_frame(struct sk_buff *skb,
14074 					     struct genl_info *info)
14075 {
14076 	struct net_device *dev = info->user_ptr[1];
14077 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14078 
14079 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14080 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14081 		return -EINVAL;
14082 
14083 	if (wdev->ap_unexpected_nlportid)
14084 		return -EBUSY;
14085 
14086 	wdev->ap_unexpected_nlportid = info->snd_portid;
14087 	return 0;
14088 }
14089 
14090 static int nl80211_probe_client(struct sk_buff *skb,
14091 				struct genl_info *info)
14092 {
14093 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14094 	struct net_device *dev = info->user_ptr[1];
14095 	struct wireless_dev *wdev = dev->ieee80211_ptr;
14096 	struct sk_buff *msg;
14097 	void *hdr;
14098 	const u8 *addr;
14099 	u64 cookie;
14100 	int err;
14101 
14102 	if (wdev->iftype != NL80211_IFTYPE_AP &&
14103 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
14104 		return -EOPNOTSUPP;
14105 
14106 	if (!info->attrs[NL80211_ATTR_MAC])
14107 		return -EINVAL;
14108 
14109 	if (!rdev->ops->probe_client)
14110 		return -EOPNOTSUPP;
14111 
14112 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14113 	if (!msg)
14114 		return -ENOMEM;
14115 
14116 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14117 			     NL80211_CMD_PROBE_CLIENT);
14118 	if (!hdr) {
14119 		err = -ENOBUFS;
14120 		goto free_msg;
14121 	}
14122 
14123 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
14124 
14125 	err = rdev_probe_client(rdev, dev, addr, &cookie);
14126 	if (err)
14127 		goto free_msg;
14128 
14129 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14130 			      NL80211_ATTR_PAD))
14131 		goto nla_put_failure;
14132 
14133 	genlmsg_end(msg, hdr);
14134 
14135 	return genlmsg_reply(msg, info);
14136 
14137  nla_put_failure:
14138 	err = -ENOBUFS;
14139  free_msg:
14140 	nlmsg_free(msg);
14141 	return err;
14142 }
14143 
14144 static int nl80211_register_beacons(struct sk_buff *skb, struct genl_info *info)
14145 {
14146 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14147 	struct cfg80211_beacon_registration *reg, *nreg;
14148 	int rv;
14149 
14150 	if (!(rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS))
14151 		return -EOPNOTSUPP;
14152 
14153 	nreg = kzalloc(sizeof(*nreg), GFP_KERNEL);
14154 	if (!nreg)
14155 		return -ENOMEM;
14156 
14157 	/* First, check if already registered. */
14158 	spin_lock_bh(&rdev->beacon_registrations_lock);
14159 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
14160 		if (reg->nlportid == info->snd_portid) {
14161 			rv = -EALREADY;
14162 			goto out_err;
14163 		}
14164 	}
14165 	/* Add it to the list */
14166 	nreg->nlportid = info->snd_portid;
14167 	list_add(&nreg->list, &rdev->beacon_registrations);
14168 
14169 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14170 
14171 	return 0;
14172 out_err:
14173 	spin_unlock_bh(&rdev->beacon_registrations_lock);
14174 	kfree(nreg);
14175 	return rv;
14176 }
14177 
14178 static int nl80211_start_p2p_device(struct sk_buff *skb, struct genl_info *info)
14179 {
14180 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14181 	struct wireless_dev *wdev = info->user_ptr[1];
14182 	int err;
14183 
14184 	if (!rdev->ops->start_p2p_device)
14185 		return -EOPNOTSUPP;
14186 
14187 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14188 		return -EOPNOTSUPP;
14189 
14190 	if (wdev_running(wdev))
14191 		return 0;
14192 
14193 	if (rfkill_blocked(rdev->wiphy.rfkill))
14194 		return -ERFKILL;
14195 
14196 	err = rdev_start_p2p_device(rdev, wdev);
14197 	if (err)
14198 		return err;
14199 
14200 	wdev->is_running = true;
14201 	rdev->opencount++;
14202 
14203 	return 0;
14204 }
14205 
14206 static int nl80211_stop_p2p_device(struct sk_buff *skb, struct genl_info *info)
14207 {
14208 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14209 	struct wireless_dev *wdev = info->user_ptr[1];
14210 
14211 	if (wdev->iftype != NL80211_IFTYPE_P2P_DEVICE)
14212 		return -EOPNOTSUPP;
14213 
14214 	if (!rdev->ops->stop_p2p_device)
14215 		return -EOPNOTSUPP;
14216 
14217 	cfg80211_stop_p2p_device(rdev, wdev);
14218 
14219 	return 0;
14220 }
14221 
14222 static int nl80211_start_nan(struct sk_buff *skb, struct genl_info *info)
14223 {
14224 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14225 	struct wireless_dev *wdev = info->user_ptr[1];
14226 	struct cfg80211_nan_conf conf = {};
14227 	int err;
14228 
14229 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14230 		return -EOPNOTSUPP;
14231 
14232 	if (wdev_running(wdev))
14233 		return -EEXIST;
14234 
14235 	if (rfkill_blocked(rdev->wiphy.rfkill))
14236 		return -ERFKILL;
14237 
14238 	if (!info->attrs[NL80211_ATTR_NAN_MASTER_PREF])
14239 		return -EINVAL;
14240 
14241 	conf.master_pref =
14242 		nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14243 
14244 	if (info->attrs[NL80211_ATTR_BANDS]) {
14245 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14246 
14247 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14248 			return -EOPNOTSUPP;
14249 
14250 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14251 			return -EINVAL;
14252 
14253 		conf.bands = bands;
14254 	}
14255 
14256 	err = rdev_start_nan(rdev, wdev, &conf);
14257 	if (err)
14258 		return err;
14259 
14260 	wdev->is_running = true;
14261 	rdev->opencount++;
14262 
14263 	return 0;
14264 }
14265 
14266 static int nl80211_stop_nan(struct sk_buff *skb, struct genl_info *info)
14267 {
14268 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14269 	struct wireless_dev *wdev = info->user_ptr[1];
14270 
14271 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14272 		return -EOPNOTSUPP;
14273 
14274 	cfg80211_stop_nan(rdev, wdev);
14275 
14276 	return 0;
14277 }
14278 
14279 static int validate_nan_filter(struct nlattr *filter_attr)
14280 {
14281 	struct nlattr *attr;
14282 	int len = 0, n_entries = 0, rem;
14283 
14284 	nla_for_each_nested(attr, filter_attr, rem) {
14285 		len += nla_len(attr);
14286 		n_entries++;
14287 	}
14288 
14289 	if (len >= U8_MAX)
14290 		return -EINVAL;
14291 
14292 	return n_entries;
14293 }
14294 
14295 static int handle_nan_filter(struct nlattr *attr_filter,
14296 			     struct cfg80211_nan_func *func,
14297 			     bool tx)
14298 {
14299 	struct nlattr *attr;
14300 	int n_entries, rem, i;
14301 	struct cfg80211_nan_func_filter *filter;
14302 
14303 	n_entries = validate_nan_filter(attr_filter);
14304 	if (n_entries < 0)
14305 		return n_entries;
14306 
14307 	BUILD_BUG_ON(sizeof(*func->rx_filters) != sizeof(*func->tx_filters));
14308 
14309 	filter = kcalloc(n_entries, sizeof(*func->rx_filters), GFP_KERNEL);
14310 	if (!filter)
14311 		return -ENOMEM;
14312 
14313 	i = 0;
14314 	nla_for_each_nested(attr, attr_filter, rem) {
14315 		filter[i].filter = nla_memdup(attr, GFP_KERNEL);
14316 		if (!filter[i].filter)
14317 			goto err;
14318 
14319 		filter[i].len = nla_len(attr);
14320 		i++;
14321 	}
14322 	if (tx) {
14323 		func->num_tx_filters = n_entries;
14324 		func->tx_filters = filter;
14325 	} else {
14326 		func->num_rx_filters = n_entries;
14327 		func->rx_filters = filter;
14328 	}
14329 
14330 	return 0;
14331 
14332 err:
14333 	i = 0;
14334 	nla_for_each_nested(attr, attr_filter, rem) {
14335 		kfree(filter[i].filter);
14336 		i++;
14337 	}
14338 	kfree(filter);
14339 	return -ENOMEM;
14340 }
14341 
14342 static int nl80211_nan_add_func(struct sk_buff *skb,
14343 				struct genl_info *info)
14344 {
14345 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14346 	struct wireless_dev *wdev = info->user_ptr[1];
14347 	struct nlattr *tb[NUM_NL80211_NAN_FUNC_ATTR], *func_attr;
14348 	struct cfg80211_nan_func *func;
14349 	struct sk_buff *msg = NULL;
14350 	void *hdr = NULL;
14351 	int err = 0;
14352 
14353 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14354 		return -EOPNOTSUPP;
14355 
14356 	if (!wdev_running(wdev))
14357 		return -ENOTCONN;
14358 
14359 	if (!info->attrs[NL80211_ATTR_NAN_FUNC])
14360 		return -EINVAL;
14361 
14362 	err = nla_parse_nested_deprecated(tb, NL80211_NAN_FUNC_ATTR_MAX,
14363 					  info->attrs[NL80211_ATTR_NAN_FUNC],
14364 					  nl80211_nan_func_policy,
14365 					  info->extack);
14366 	if (err)
14367 		return err;
14368 
14369 	func = kzalloc(sizeof(*func), GFP_KERNEL);
14370 	if (!func)
14371 		return -ENOMEM;
14372 
14373 	func->cookie = cfg80211_assign_cookie(rdev);
14374 
14375 	if (!tb[NL80211_NAN_FUNC_TYPE]) {
14376 		err = -EINVAL;
14377 		goto out;
14378 	}
14379 
14380 
14381 	func->type = nla_get_u8(tb[NL80211_NAN_FUNC_TYPE]);
14382 
14383 	if (!tb[NL80211_NAN_FUNC_SERVICE_ID]) {
14384 		err = -EINVAL;
14385 		goto out;
14386 	}
14387 
14388 	memcpy(func->service_id, nla_data(tb[NL80211_NAN_FUNC_SERVICE_ID]),
14389 	       sizeof(func->service_id));
14390 
14391 	func->close_range =
14392 		nla_get_flag(tb[NL80211_NAN_FUNC_CLOSE_RANGE]);
14393 
14394 	if (tb[NL80211_NAN_FUNC_SERVICE_INFO]) {
14395 		func->serv_spec_info_len =
14396 			nla_len(tb[NL80211_NAN_FUNC_SERVICE_INFO]);
14397 		func->serv_spec_info =
14398 			kmemdup(nla_data(tb[NL80211_NAN_FUNC_SERVICE_INFO]),
14399 				func->serv_spec_info_len,
14400 				GFP_KERNEL);
14401 		if (!func->serv_spec_info) {
14402 			err = -ENOMEM;
14403 			goto out;
14404 		}
14405 	}
14406 
14407 	if (tb[NL80211_NAN_FUNC_TTL])
14408 		func->ttl = nla_get_u32(tb[NL80211_NAN_FUNC_TTL]);
14409 
14410 	switch (func->type) {
14411 	case NL80211_NAN_FUNC_PUBLISH:
14412 		if (!tb[NL80211_NAN_FUNC_PUBLISH_TYPE]) {
14413 			err = -EINVAL;
14414 			goto out;
14415 		}
14416 
14417 		func->publish_type =
14418 			nla_get_u8(tb[NL80211_NAN_FUNC_PUBLISH_TYPE]);
14419 		func->publish_bcast =
14420 			nla_get_flag(tb[NL80211_NAN_FUNC_PUBLISH_BCAST]);
14421 
14422 		if ((!(func->publish_type & NL80211_NAN_SOLICITED_PUBLISH)) &&
14423 			func->publish_bcast) {
14424 			err = -EINVAL;
14425 			goto out;
14426 		}
14427 		break;
14428 	case NL80211_NAN_FUNC_SUBSCRIBE:
14429 		func->subscribe_active =
14430 			nla_get_flag(tb[NL80211_NAN_FUNC_SUBSCRIBE_ACTIVE]);
14431 		break;
14432 	case NL80211_NAN_FUNC_FOLLOW_UP:
14433 		if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
14434 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
14435 		    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
14436 			err = -EINVAL;
14437 			goto out;
14438 		}
14439 
14440 		func->followup_id =
14441 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_ID]);
14442 		func->followup_reqid =
14443 			nla_get_u8(tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]);
14444 		memcpy(func->followup_dest.addr,
14445 		       nla_data(tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]),
14446 		       sizeof(func->followup_dest.addr));
14447 		if (func->ttl) {
14448 			err = -EINVAL;
14449 			goto out;
14450 		}
14451 		break;
14452 	default:
14453 		err = -EINVAL;
14454 		goto out;
14455 	}
14456 
14457 	if (tb[NL80211_NAN_FUNC_SRF]) {
14458 		struct nlattr *srf_tb[NUM_NL80211_NAN_SRF_ATTR];
14459 
14460 		err = nla_parse_nested_deprecated(srf_tb,
14461 						  NL80211_NAN_SRF_ATTR_MAX,
14462 						  tb[NL80211_NAN_FUNC_SRF],
14463 						  nl80211_nan_srf_policy,
14464 						  info->extack);
14465 		if (err)
14466 			goto out;
14467 
14468 		func->srf_include =
14469 			nla_get_flag(srf_tb[NL80211_NAN_SRF_INCLUDE]);
14470 
14471 		if (srf_tb[NL80211_NAN_SRF_BF]) {
14472 			if (srf_tb[NL80211_NAN_SRF_MAC_ADDRS] ||
14473 			    !srf_tb[NL80211_NAN_SRF_BF_IDX]) {
14474 				err = -EINVAL;
14475 				goto out;
14476 			}
14477 
14478 			func->srf_bf_len =
14479 				nla_len(srf_tb[NL80211_NAN_SRF_BF]);
14480 			func->srf_bf =
14481 				kmemdup(nla_data(srf_tb[NL80211_NAN_SRF_BF]),
14482 					func->srf_bf_len, GFP_KERNEL);
14483 			if (!func->srf_bf) {
14484 				err = -ENOMEM;
14485 				goto out;
14486 			}
14487 
14488 			func->srf_bf_idx =
14489 				nla_get_u8(srf_tb[NL80211_NAN_SRF_BF_IDX]);
14490 		} else {
14491 			struct nlattr *attr, *mac_attr =
14492 				srf_tb[NL80211_NAN_SRF_MAC_ADDRS];
14493 			int n_entries, rem, i = 0;
14494 
14495 			if (!mac_attr) {
14496 				err = -EINVAL;
14497 				goto out;
14498 			}
14499 
14500 			n_entries = validate_acl_mac_addrs(mac_attr);
14501 			if (n_entries <= 0) {
14502 				err = -EINVAL;
14503 				goto out;
14504 			}
14505 
14506 			func->srf_num_macs = n_entries;
14507 			func->srf_macs =
14508 				kcalloc(n_entries, sizeof(*func->srf_macs),
14509 					GFP_KERNEL);
14510 			if (!func->srf_macs) {
14511 				err = -ENOMEM;
14512 				goto out;
14513 			}
14514 
14515 			nla_for_each_nested(attr, mac_attr, rem)
14516 				memcpy(func->srf_macs[i++].addr, nla_data(attr),
14517 				       sizeof(*func->srf_macs));
14518 		}
14519 	}
14520 
14521 	if (tb[NL80211_NAN_FUNC_TX_MATCH_FILTER]) {
14522 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_TX_MATCH_FILTER],
14523 					func, true);
14524 		if (err)
14525 			goto out;
14526 	}
14527 
14528 	if (tb[NL80211_NAN_FUNC_RX_MATCH_FILTER]) {
14529 		err = handle_nan_filter(tb[NL80211_NAN_FUNC_RX_MATCH_FILTER],
14530 					func, false);
14531 		if (err)
14532 			goto out;
14533 	}
14534 
14535 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14536 	if (!msg) {
14537 		err = -ENOMEM;
14538 		goto out;
14539 	}
14540 
14541 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14542 			     NL80211_CMD_ADD_NAN_FUNCTION);
14543 	/* This can't really happen - we just allocated 4KB */
14544 	if (WARN_ON(!hdr)) {
14545 		err = -ENOMEM;
14546 		goto out;
14547 	}
14548 
14549 	err = rdev_add_nan_func(rdev, wdev, func);
14550 out:
14551 	if (err < 0) {
14552 		cfg80211_free_nan_func(func);
14553 		nlmsg_free(msg);
14554 		return err;
14555 	}
14556 
14557 	/* propagate the instance id and cookie to userspace  */
14558 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, func->cookie,
14559 			      NL80211_ATTR_PAD))
14560 		goto nla_put_failure;
14561 
14562 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14563 	if (!func_attr)
14564 		goto nla_put_failure;
14565 
14566 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID,
14567 		       func->instance_id))
14568 		goto nla_put_failure;
14569 
14570 	nla_nest_end(msg, func_attr);
14571 
14572 	genlmsg_end(msg, hdr);
14573 	return genlmsg_reply(msg, info);
14574 
14575 nla_put_failure:
14576 	nlmsg_free(msg);
14577 	return -ENOBUFS;
14578 }
14579 
14580 static int nl80211_nan_del_func(struct sk_buff *skb,
14581 			       struct genl_info *info)
14582 {
14583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14584 	struct wireless_dev *wdev = info->user_ptr[1];
14585 	u64 cookie;
14586 
14587 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14588 		return -EOPNOTSUPP;
14589 
14590 	if (!wdev_running(wdev))
14591 		return -ENOTCONN;
14592 
14593 	if (!info->attrs[NL80211_ATTR_COOKIE])
14594 		return -EINVAL;
14595 
14596 	cookie = nla_get_u64(info->attrs[NL80211_ATTR_COOKIE]);
14597 
14598 	rdev_del_nan_func(rdev, wdev, cookie);
14599 
14600 	return 0;
14601 }
14602 
14603 static int nl80211_nan_change_config(struct sk_buff *skb,
14604 				     struct genl_info *info)
14605 {
14606 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14607 	struct wireless_dev *wdev = info->user_ptr[1];
14608 	struct cfg80211_nan_conf conf = {};
14609 	u32 changed = 0;
14610 
14611 	if (wdev->iftype != NL80211_IFTYPE_NAN)
14612 		return -EOPNOTSUPP;
14613 
14614 	if (!wdev_running(wdev))
14615 		return -ENOTCONN;
14616 
14617 	if (info->attrs[NL80211_ATTR_NAN_MASTER_PREF]) {
14618 		conf.master_pref =
14619 			nla_get_u8(info->attrs[NL80211_ATTR_NAN_MASTER_PREF]);
14620 		if (conf.master_pref <= 1 || conf.master_pref == 255)
14621 			return -EINVAL;
14622 
14623 		changed |= CFG80211_NAN_CONF_CHANGED_PREF;
14624 	}
14625 
14626 	if (info->attrs[NL80211_ATTR_BANDS]) {
14627 		u32 bands = nla_get_u32(info->attrs[NL80211_ATTR_BANDS]);
14628 
14629 		if (bands & ~(u32)wdev->wiphy->nan_supported_bands)
14630 			return -EOPNOTSUPP;
14631 
14632 		if (bands && !(bands & BIT(NL80211_BAND_2GHZ)))
14633 			return -EINVAL;
14634 
14635 		conf.bands = bands;
14636 		changed |= CFG80211_NAN_CONF_CHANGED_BANDS;
14637 	}
14638 
14639 	if (!changed)
14640 		return -EINVAL;
14641 
14642 	return rdev_nan_change_conf(rdev, wdev, &conf, changed);
14643 }
14644 
14645 void cfg80211_nan_match(struct wireless_dev *wdev,
14646 			struct cfg80211_nan_match_params *match, gfp_t gfp)
14647 {
14648 	struct wiphy *wiphy = wdev->wiphy;
14649 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14650 	struct nlattr *match_attr, *local_func_attr, *peer_func_attr;
14651 	struct sk_buff *msg;
14652 	void *hdr;
14653 
14654 	if (WARN_ON(!match->inst_id || !match->peer_inst_id || !match->addr))
14655 		return;
14656 
14657 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14658 	if (!msg)
14659 		return;
14660 
14661 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NAN_MATCH);
14662 	if (!hdr) {
14663 		nlmsg_free(msg);
14664 		return;
14665 	}
14666 
14667 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14668 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14669 					 wdev->netdev->ifindex)) ||
14670 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14671 			      NL80211_ATTR_PAD))
14672 		goto nla_put_failure;
14673 
14674 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, match->cookie,
14675 			      NL80211_ATTR_PAD) ||
14676 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, match->addr))
14677 		goto nla_put_failure;
14678 
14679 	match_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_MATCH);
14680 	if (!match_attr)
14681 		goto nla_put_failure;
14682 
14683 	local_func_attr = nla_nest_start_noflag(msg,
14684 						NL80211_NAN_MATCH_FUNC_LOCAL);
14685 	if (!local_func_attr)
14686 		goto nla_put_failure;
14687 
14688 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->inst_id))
14689 		goto nla_put_failure;
14690 
14691 	nla_nest_end(msg, local_func_attr);
14692 
14693 	peer_func_attr = nla_nest_start_noflag(msg,
14694 					       NL80211_NAN_MATCH_FUNC_PEER);
14695 	if (!peer_func_attr)
14696 		goto nla_put_failure;
14697 
14698 	if (nla_put_u8(msg, NL80211_NAN_FUNC_TYPE, match->type) ||
14699 	    nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, match->peer_inst_id))
14700 		goto nla_put_failure;
14701 
14702 	if (match->info && match->info_len &&
14703 	    nla_put(msg, NL80211_NAN_FUNC_SERVICE_INFO, match->info_len,
14704 		    match->info))
14705 		goto nla_put_failure;
14706 
14707 	nla_nest_end(msg, peer_func_attr);
14708 	nla_nest_end(msg, match_attr);
14709 	genlmsg_end(msg, hdr);
14710 
14711 	if (!wdev->owner_nlportid)
14712 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14713 					msg, 0, NL80211_MCGRP_NAN, gfp);
14714 	else
14715 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14716 				wdev->owner_nlportid);
14717 
14718 	return;
14719 
14720 nla_put_failure:
14721 	nlmsg_free(msg);
14722 }
14723 EXPORT_SYMBOL(cfg80211_nan_match);
14724 
14725 void cfg80211_nan_func_terminated(struct wireless_dev *wdev,
14726 				  u8 inst_id,
14727 				  enum nl80211_nan_func_term_reason reason,
14728 				  u64 cookie, gfp_t gfp)
14729 {
14730 	struct wiphy *wiphy = wdev->wiphy;
14731 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
14732 	struct sk_buff *msg;
14733 	struct nlattr *func_attr;
14734 	void *hdr;
14735 
14736 	if (WARN_ON(!inst_id))
14737 		return;
14738 
14739 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
14740 	if (!msg)
14741 		return;
14742 
14743 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_NAN_FUNCTION);
14744 	if (!hdr) {
14745 		nlmsg_free(msg);
14746 		return;
14747 	}
14748 
14749 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
14750 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
14751 					 wdev->netdev->ifindex)) ||
14752 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
14753 			      NL80211_ATTR_PAD))
14754 		goto nla_put_failure;
14755 
14756 	if (nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
14757 			      NL80211_ATTR_PAD))
14758 		goto nla_put_failure;
14759 
14760 	func_attr = nla_nest_start_noflag(msg, NL80211_ATTR_NAN_FUNC);
14761 	if (!func_attr)
14762 		goto nla_put_failure;
14763 
14764 	if (nla_put_u8(msg, NL80211_NAN_FUNC_INSTANCE_ID, inst_id) ||
14765 	    nla_put_u8(msg, NL80211_NAN_FUNC_TERM_REASON, reason))
14766 		goto nla_put_failure;
14767 
14768 	nla_nest_end(msg, func_attr);
14769 	genlmsg_end(msg, hdr);
14770 
14771 	if (!wdev->owner_nlportid)
14772 		genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
14773 					msg, 0, NL80211_MCGRP_NAN, gfp);
14774 	else
14775 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
14776 				wdev->owner_nlportid);
14777 
14778 	return;
14779 
14780 nla_put_failure:
14781 	nlmsg_free(msg);
14782 }
14783 EXPORT_SYMBOL(cfg80211_nan_func_terminated);
14784 
14785 static int nl80211_get_protocol_features(struct sk_buff *skb,
14786 					 struct genl_info *info)
14787 {
14788 	void *hdr;
14789 	struct sk_buff *msg;
14790 
14791 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
14792 	if (!msg)
14793 		return -ENOMEM;
14794 
14795 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
14796 			     NL80211_CMD_GET_PROTOCOL_FEATURES);
14797 	if (!hdr)
14798 		goto nla_put_failure;
14799 
14800 	if (nla_put_u32(msg, NL80211_ATTR_PROTOCOL_FEATURES,
14801 			NL80211_PROTOCOL_FEATURE_SPLIT_WIPHY_DUMP))
14802 		goto nla_put_failure;
14803 
14804 	genlmsg_end(msg, hdr);
14805 	return genlmsg_reply(msg, info);
14806 
14807  nla_put_failure:
14808 	kfree_skb(msg);
14809 	return -ENOBUFS;
14810 }
14811 
14812 static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
14813 {
14814 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14815 	struct cfg80211_update_ft_ies_params ft_params;
14816 	struct net_device *dev = info->user_ptr[1];
14817 
14818 	if (!rdev->ops->update_ft_ies)
14819 		return -EOPNOTSUPP;
14820 
14821 	if (!info->attrs[NL80211_ATTR_MDID] ||
14822 	    !info->attrs[NL80211_ATTR_IE])
14823 		return -EINVAL;
14824 
14825 	memset(&ft_params, 0, sizeof(ft_params));
14826 	ft_params.md = nla_get_u16(info->attrs[NL80211_ATTR_MDID]);
14827 	ft_params.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
14828 	ft_params.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
14829 
14830 	return rdev_update_ft_ies(rdev, dev, &ft_params);
14831 }
14832 
14833 static int nl80211_crit_protocol_start(struct sk_buff *skb,
14834 				       struct genl_info *info)
14835 {
14836 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14837 	struct wireless_dev *wdev = info->user_ptr[1];
14838 	enum nl80211_crit_proto_id proto = NL80211_CRIT_PROTO_UNSPEC;
14839 	u16 duration;
14840 	int ret;
14841 
14842 	if (!rdev->ops->crit_proto_start)
14843 		return -EOPNOTSUPP;
14844 
14845 	if (WARN_ON(!rdev->ops->crit_proto_stop))
14846 		return -EINVAL;
14847 
14848 	if (rdev->crit_proto_nlportid)
14849 		return -EBUSY;
14850 
14851 	/* determine protocol if provided */
14852 	if (info->attrs[NL80211_ATTR_CRIT_PROT_ID])
14853 		proto = nla_get_u16(info->attrs[NL80211_ATTR_CRIT_PROT_ID]);
14854 
14855 	if (proto >= NUM_NL80211_CRIT_PROTO)
14856 		return -EINVAL;
14857 
14858 	/* timeout must be provided */
14859 	if (!info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION])
14860 		return -EINVAL;
14861 
14862 	duration =
14863 		nla_get_u16(info->attrs[NL80211_ATTR_MAX_CRIT_PROT_DURATION]);
14864 
14865 	ret = rdev_crit_proto_start(rdev, wdev, proto, duration);
14866 	if (!ret)
14867 		rdev->crit_proto_nlportid = info->snd_portid;
14868 
14869 	return ret;
14870 }
14871 
14872 static int nl80211_crit_protocol_stop(struct sk_buff *skb,
14873 				      struct genl_info *info)
14874 {
14875 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14876 	struct wireless_dev *wdev = info->user_ptr[1];
14877 
14878 	if (!rdev->ops->crit_proto_stop)
14879 		return -EOPNOTSUPP;
14880 
14881 	if (rdev->crit_proto_nlportid) {
14882 		rdev->crit_proto_nlportid = 0;
14883 		rdev_crit_proto_stop(rdev, wdev);
14884 	}
14885 	return 0;
14886 }
14887 
14888 static int nl80211_vendor_check_policy(const struct wiphy_vendor_command *vcmd,
14889 				       struct nlattr *attr,
14890 				       struct netlink_ext_ack *extack)
14891 {
14892 	if (vcmd->policy == VENDOR_CMD_RAW_DATA) {
14893 		if (attr->nla_type & NLA_F_NESTED) {
14894 			NL_SET_ERR_MSG_ATTR(extack, attr,
14895 					    "unexpected nested data");
14896 			return -EINVAL;
14897 		}
14898 
14899 		return 0;
14900 	}
14901 
14902 	if (!(attr->nla_type & NLA_F_NESTED)) {
14903 		NL_SET_ERR_MSG_ATTR(extack, attr, "expected nested data");
14904 		return -EINVAL;
14905 	}
14906 
14907 	return nla_validate_nested(attr, vcmd->maxattr, vcmd->policy, extack);
14908 }
14909 
14910 static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
14911 {
14912 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
14913 	struct wireless_dev *wdev =
14914 		__cfg80211_wdev_from_attrs(rdev, genl_info_net(info),
14915 					   info->attrs);
14916 	int i, err;
14917 	u32 vid, subcmd;
14918 
14919 	if (!rdev->wiphy.vendor_commands)
14920 		return -EOPNOTSUPP;
14921 
14922 	if (IS_ERR(wdev)) {
14923 		err = PTR_ERR(wdev);
14924 		if (err != -EINVAL)
14925 			return err;
14926 		wdev = NULL;
14927 	} else if (wdev->wiphy != &rdev->wiphy) {
14928 		return -EINVAL;
14929 	}
14930 
14931 	if (!info->attrs[NL80211_ATTR_VENDOR_ID] ||
14932 	    !info->attrs[NL80211_ATTR_VENDOR_SUBCMD])
14933 		return -EINVAL;
14934 
14935 	vid = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_ID]);
14936 	subcmd = nla_get_u32(info->attrs[NL80211_ATTR_VENDOR_SUBCMD]);
14937 	for (i = 0; i < rdev->wiphy.n_vendor_commands; i++) {
14938 		const struct wiphy_vendor_command *vcmd;
14939 		void *data = NULL;
14940 		int len = 0;
14941 
14942 		vcmd = &rdev->wiphy.vendor_commands[i];
14943 
14944 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
14945 			continue;
14946 
14947 		if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
14948 				   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
14949 			if (!wdev)
14950 				return -EINVAL;
14951 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
14952 			    !wdev->netdev)
14953 				return -EINVAL;
14954 
14955 			if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
14956 				if (!wdev_running(wdev))
14957 					return -ENETDOWN;
14958 			}
14959 		} else {
14960 			wdev = NULL;
14961 		}
14962 
14963 		if (!vcmd->doit)
14964 			return -EOPNOTSUPP;
14965 
14966 		if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
14967 			data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14968 			len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
14969 
14970 			err = nl80211_vendor_check_policy(vcmd,
14971 					info->attrs[NL80211_ATTR_VENDOR_DATA],
14972 					info->extack);
14973 			if (err)
14974 				return err;
14975 		}
14976 
14977 		rdev->cur_cmd_info = info;
14978 		err = vcmd->doit(&rdev->wiphy, wdev, data, len);
14979 		rdev->cur_cmd_info = NULL;
14980 		return err;
14981 	}
14982 
14983 	return -EOPNOTSUPP;
14984 }
14985 
14986 static int nl80211_prepare_vendor_dump(struct sk_buff *skb,
14987 				       struct netlink_callback *cb,
14988 				       struct cfg80211_registered_device **rdev,
14989 				       struct wireless_dev **wdev)
14990 {
14991 	struct nlattr **attrbuf;
14992 	u32 vid, subcmd;
14993 	unsigned int i;
14994 	int vcmd_idx = -1;
14995 	int err;
14996 	void *data = NULL;
14997 	unsigned int data_len = 0;
14998 
14999 	if (cb->args[0]) {
15000 		/* subtract the 1 again here */
15001 		struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
15002 		struct wireless_dev *tmp;
15003 
15004 		if (!wiphy)
15005 			return -ENODEV;
15006 		*rdev = wiphy_to_rdev(wiphy);
15007 		*wdev = NULL;
15008 
15009 		if (cb->args[1]) {
15010 			list_for_each_entry(tmp, &wiphy->wdev_list, list) {
15011 				if (tmp->identifier == cb->args[1] - 1) {
15012 					*wdev = tmp;
15013 					break;
15014 				}
15015 			}
15016 		}
15017 
15018 		/* keep rtnl locked in successful case */
15019 		return 0;
15020 	}
15021 
15022 	attrbuf = kcalloc(NUM_NL80211_ATTR, sizeof(*attrbuf), GFP_KERNEL);
15023 	if (!attrbuf)
15024 		return -ENOMEM;
15025 
15026 	err = nlmsg_parse_deprecated(cb->nlh,
15027 				     GENL_HDRLEN + nl80211_fam.hdrsize,
15028 				     attrbuf, nl80211_fam.maxattr,
15029 				     nl80211_policy, NULL);
15030 	if (err)
15031 		goto out;
15032 
15033 	if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
15034 	    !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
15035 		err = -EINVAL;
15036 		goto out;
15037 	}
15038 
15039 	*wdev = __cfg80211_wdev_from_attrs(NULL, sock_net(skb->sk), attrbuf);
15040 	if (IS_ERR(*wdev))
15041 		*wdev = NULL;
15042 
15043 	*rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
15044 	if (IS_ERR(*rdev)) {
15045 		err = PTR_ERR(*rdev);
15046 		goto out;
15047 	}
15048 
15049 	vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
15050 	subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
15051 
15052 	for (i = 0; i < (*rdev)->wiphy.n_vendor_commands; i++) {
15053 		const struct wiphy_vendor_command *vcmd;
15054 
15055 		vcmd = &(*rdev)->wiphy.vendor_commands[i];
15056 
15057 		if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
15058 			continue;
15059 
15060 		if (!vcmd->dumpit) {
15061 			err = -EOPNOTSUPP;
15062 			goto out;
15063 		}
15064 
15065 		vcmd_idx = i;
15066 		break;
15067 	}
15068 
15069 	if (vcmd_idx < 0) {
15070 		err = -EOPNOTSUPP;
15071 		goto out;
15072 	}
15073 
15074 	if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
15075 		data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15076 		data_len = nla_len(attrbuf[NL80211_ATTR_VENDOR_DATA]);
15077 
15078 		err = nl80211_vendor_check_policy(
15079 				&(*rdev)->wiphy.vendor_commands[vcmd_idx],
15080 				attrbuf[NL80211_ATTR_VENDOR_DATA],
15081 				cb->extack);
15082 		if (err)
15083 			goto out;
15084 	}
15085 
15086 	/* 0 is the first index - add 1 to parse only once */
15087 	cb->args[0] = (*rdev)->wiphy_idx + 1;
15088 	/* add 1 to know if it was NULL */
15089 	cb->args[1] = *wdev ? (*wdev)->identifier + 1 : 0;
15090 	cb->args[2] = vcmd_idx;
15091 	cb->args[3] = (unsigned long)data;
15092 	cb->args[4] = data_len;
15093 
15094 	/* keep rtnl locked in successful case */
15095 	err = 0;
15096 out:
15097 	kfree(attrbuf);
15098 	return err;
15099 }
15100 
15101 static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
15102 				   struct netlink_callback *cb)
15103 {
15104 	struct cfg80211_registered_device *rdev;
15105 	struct wireless_dev *wdev;
15106 	unsigned int vcmd_idx;
15107 	const struct wiphy_vendor_command *vcmd;
15108 	void *data;
15109 	int data_len;
15110 	int err;
15111 	struct nlattr *vendor_data;
15112 
15113 	rtnl_lock();
15114 	err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
15115 	if (err)
15116 		goto out;
15117 
15118 	vcmd_idx = cb->args[2];
15119 	data = (void *)cb->args[3];
15120 	data_len = cb->args[4];
15121 	vcmd = &rdev->wiphy.vendor_commands[vcmd_idx];
15122 
15123 	if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
15124 			   WIPHY_VENDOR_CMD_NEED_NETDEV)) {
15125 		if (!wdev) {
15126 			err = -EINVAL;
15127 			goto out;
15128 		}
15129 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
15130 		    !wdev->netdev) {
15131 			err = -EINVAL;
15132 			goto out;
15133 		}
15134 
15135 		if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
15136 			if (!wdev_running(wdev)) {
15137 				err = -ENETDOWN;
15138 				goto out;
15139 			}
15140 		}
15141 	}
15142 
15143 	while (1) {
15144 		void *hdr = nl80211hdr_put(skb, NETLINK_CB(cb->skb).portid,
15145 					   cb->nlh->nlmsg_seq, NLM_F_MULTI,
15146 					   NL80211_CMD_VENDOR);
15147 		if (!hdr)
15148 			break;
15149 
15150 		if (nla_put_u32(skb, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
15151 		    (wdev && nla_put_u64_64bit(skb, NL80211_ATTR_WDEV,
15152 					       wdev_id(wdev),
15153 					       NL80211_ATTR_PAD))) {
15154 			genlmsg_cancel(skb, hdr);
15155 			break;
15156 		}
15157 
15158 		vendor_data = nla_nest_start_noflag(skb,
15159 						    NL80211_ATTR_VENDOR_DATA);
15160 		if (!vendor_data) {
15161 			genlmsg_cancel(skb, hdr);
15162 			break;
15163 		}
15164 
15165 		err = vcmd->dumpit(&rdev->wiphy, wdev, skb, data, data_len,
15166 				   (unsigned long *)&cb->args[5]);
15167 		nla_nest_end(skb, vendor_data);
15168 
15169 		if (err == -ENOBUFS || err == -ENOENT) {
15170 			genlmsg_cancel(skb, hdr);
15171 			break;
15172 		} else if (err <= 0) {
15173 			genlmsg_cancel(skb, hdr);
15174 			goto out;
15175 		}
15176 
15177 		genlmsg_end(skb, hdr);
15178 	}
15179 
15180 	err = skb->len;
15181  out:
15182 	rtnl_unlock();
15183 	return err;
15184 }
15185 
15186 struct sk_buff *__cfg80211_alloc_reply_skb(struct wiphy *wiphy,
15187 					   enum nl80211_commands cmd,
15188 					   enum nl80211_attrs attr,
15189 					   int approxlen)
15190 {
15191 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15192 
15193 	if (WARN_ON(!rdev->cur_cmd_info))
15194 		return NULL;
15195 
15196 	return __cfg80211_alloc_vendor_skb(rdev, NULL, approxlen,
15197 					   rdev->cur_cmd_info->snd_portid,
15198 					   rdev->cur_cmd_info->snd_seq,
15199 					   cmd, attr, NULL, GFP_KERNEL);
15200 }
15201 EXPORT_SYMBOL(__cfg80211_alloc_reply_skb);
15202 
15203 int cfg80211_vendor_cmd_reply(struct sk_buff *skb)
15204 {
15205 	struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0];
15206 	void *hdr = ((void **)skb->cb)[1];
15207 	struct nlattr *data = ((void **)skb->cb)[2];
15208 
15209 	/* clear CB data for netlink core to own from now on */
15210 	memset(skb->cb, 0, sizeof(skb->cb));
15211 
15212 	if (WARN_ON(!rdev->cur_cmd_info)) {
15213 		kfree_skb(skb);
15214 		return -EINVAL;
15215 	}
15216 
15217 	nla_nest_end(skb, data);
15218 	genlmsg_end(skb, hdr);
15219 	return genlmsg_reply(skb, rdev->cur_cmd_info);
15220 }
15221 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_reply);
15222 
15223 unsigned int cfg80211_vendor_cmd_get_sender(struct wiphy *wiphy)
15224 {
15225 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
15226 
15227 	if (WARN_ON(!rdev->cur_cmd_info))
15228 		return 0;
15229 
15230 	return rdev->cur_cmd_info->snd_portid;
15231 }
15232 EXPORT_SYMBOL_GPL(cfg80211_vendor_cmd_get_sender);
15233 
15234 static int nl80211_set_qos_map(struct sk_buff *skb,
15235 			       struct genl_info *info)
15236 {
15237 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15238 	struct cfg80211_qos_map *qos_map = NULL;
15239 	struct net_device *dev = info->user_ptr[1];
15240 	u8 *pos, len, num_des, des_len, des;
15241 	int ret;
15242 
15243 	if (!rdev->ops->set_qos_map)
15244 		return -EOPNOTSUPP;
15245 
15246 	if (info->attrs[NL80211_ATTR_QOS_MAP]) {
15247 		pos = nla_data(info->attrs[NL80211_ATTR_QOS_MAP]);
15248 		len = nla_len(info->attrs[NL80211_ATTR_QOS_MAP]);
15249 
15250 		if (len % 2)
15251 			return -EINVAL;
15252 
15253 		qos_map = kzalloc(sizeof(struct cfg80211_qos_map), GFP_KERNEL);
15254 		if (!qos_map)
15255 			return -ENOMEM;
15256 
15257 		num_des = (len - IEEE80211_QOS_MAP_LEN_MIN) >> 1;
15258 		if (num_des) {
15259 			des_len = num_des *
15260 				sizeof(struct cfg80211_dscp_exception);
15261 			memcpy(qos_map->dscp_exception, pos, des_len);
15262 			qos_map->num_des = num_des;
15263 			for (des = 0; des < num_des; des++) {
15264 				if (qos_map->dscp_exception[des].up > 7) {
15265 					kfree(qos_map);
15266 					return -EINVAL;
15267 				}
15268 			}
15269 			pos += des_len;
15270 		}
15271 		memcpy(qos_map->up, pos, IEEE80211_QOS_MAP_LEN_MIN);
15272 	}
15273 
15274 	wdev_lock(dev->ieee80211_ptr);
15275 	ret = nl80211_key_allowed(dev->ieee80211_ptr);
15276 	if (!ret)
15277 		ret = rdev_set_qos_map(rdev, dev, qos_map);
15278 	wdev_unlock(dev->ieee80211_ptr);
15279 
15280 	kfree(qos_map);
15281 	return ret;
15282 }
15283 
15284 static int nl80211_add_tx_ts(struct sk_buff *skb, struct genl_info *info)
15285 {
15286 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15287 	struct net_device *dev = info->user_ptr[1];
15288 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15289 	const u8 *peer;
15290 	u8 tsid, up;
15291 	u16 admitted_time = 0;
15292 	int err;
15293 
15294 	if (!(rdev->wiphy.features & NL80211_FEATURE_SUPPORTS_WMM_ADMISSION))
15295 		return -EOPNOTSUPP;
15296 
15297 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC] ||
15298 	    !info->attrs[NL80211_ATTR_USER_PRIO])
15299 		return -EINVAL;
15300 
15301 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15302 	up = nla_get_u8(info->attrs[NL80211_ATTR_USER_PRIO]);
15303 
15304 	/* WMM uses TIDs 0-7 even for TSPEC */
15305 	if (tsid >= IEEE80211_FIRST_TSPEC_TSID) {
15306 		/* TODO: handle 802.11 TSPEC/admission control
15307 		 * need more attributes for that (e.g. BA session requirement);
15308 		 * change the WMM adminssion test above to allow both then
15309 		 */
15310 		return -EINVAL;
15311 	}
15312 
15313 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15314 
15315 	if (info->attrs[NL80211_ATTR_ADMITTED_TIME]) {
15316 		admitted_time =
15317 			nla_get_u16(info->attrs[NL80211_ATTR_ADMITTED_TIME]);
15318 		if (!admitted_time)
15319 			return -EINVAL;
15320 	}
15321 
15322 	wdev_lock(wdev);
15323 	switch (wdev->iftype) {
15324 	case NL80211_IFTYPE_STATION:
15325 	case NL80211_IFTYPE_P2P_CLIENT:
15326 		if (wdev->connected)
15327 			break;
15328 		err = -ENOTCONN;
15329 		goto out;
15330 	default:
15331 		err = -EOPNOTSUPP;
15332 		goto out;
15333 	}
15334 
15335 	err = rdev_add_tx_ts(rdev, dev, tsid, peer, up, admitted_time);
15336 
15337  out:
15338 	wdev_unlock(wdev);
15339 	return err;
15340 }
15341 
15342 static int nl80211_del_tx_ts(struct sk_buff *skb, struct genl_info *info)
15343 {
15344 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15345 	struct net_device *dev = info->user_ptr[1];
15346 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15347 	const u8 *peer;
15348 	u8 tsid;
15349 	int err;
15350 
15351 	if (!info->attrs[NL80211_ATTR_TSID] || !info->attrs[NL80211_ATTR_MAC])
15352 		return -EINVAL;
15353 
15354 	tsid = nla_get_u8(info->attrs[NL80211_ATTR_TSID]);
15355 	peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15356 
15357 	wdev_lock(wdev);
15358 	err = rdev_del_tx_ts(rdev, dev, tsid, peer);
15359 	wdev_unlock(wdev);
15360 
15361 	return err;
15362 }
15363 
15364 static int nl80211_tdls_channel_switch(struct sk_buff *skb,
15365 				       struct genl_info *info)
15366 {
15367 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15368 	struct net_device *dev = info->user_ptr[1];
15369 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15370 	struct cfg80211_chan_def chandef = {};
15371 	const u8 *addr;
15372 	u8 oper_class;
15373 	int err;
15374 
15375 	if (!rdev->ops->tdls_channel_switch ||
15376 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15377 		return -EOPNOTSUPP;
15378 
15379 	switch (dev->ieee80211_ptr->iftype) {
15380 	case NL80211_IFTYPE_STATION:
15381 	case NL80211_IFTYPE_P2P_CLIENT:
15382 		break;
15383 	default:
15384 		return -EOPNOTSUPP;
15385 	}
15386 
15387 	if (!info->attrs[NL80211_ATTR_MAC] ||
15388 	    !info->attrs[NL80211_ATTR_OPER_CLASS])
15389 		return -EINVAL;
15390 
15391 	err = nl80211_parse_chandef(rdev, info, &chandef);
15392 	if (err)
15393 		return err;
15394 
15395 	/*
15396 	 * Don't allow wide channels on the 2.4Ghz band, as per IEEE802.11-2012
15397 	 * section 10.22.6.2.1. Disallow 5/10Mhz channels as well for now, the
15398 	 * specification is not defined for them.
15399 	 */
15400 	if (chandef.chan->band == NL80211_BAND_2GHZ &&
15401 	    chandef.width != NL80211_CHAN_WIDTH_20_NOHT &&
15402 	    chandef.width != NL80211_CHAN_WIDTH_20)
15403 		return -EINVAL;
15404 
15405 	/* we will be active on the TDLS link */
15406 	if (!cfg80211_reg_can_beacon_relax(&rdev->wiphy, &chandef,
15407 					   wdev->iftype))
15408 		return -EINVAL;
15409 
15410 	/* don't allow switching to DFS channels */
15411 	if (cfg80211_chandef_dfs_required(wdev->wiphy, &chandef, wdev->iftype))
15412 		return -EINVAL;
15413 
15414 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15415 	oper_class = nla_get_u8(info->attrs[NL80211_ATTR_OPER_CLASS]);
15416 
15417 	wdev_lock(wdev);
15418 	err = rdev_tdls_channel_switch(rdev, dev, addr, oper_class, &chandef);
15419 	wdev_unlock(wdev);
15420 
15421 	return err;
15422 }
15423 
15424 static int nl80211_tdls_cancel_channel_switch(struct sk_buff *skb,
15425 					      struct genl_info *info)
15426 {
15427 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15428 	struct net_device *dev = info->user_ptr[1];
15429 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15430 	const u8 *addr;
15431 
15432 	if (!rdev->ops->tdls_channel_switch ||
15433 	    !rdev->ops->tdls_cancel_channel_switch ||
15434 	    !(rdev->wiphy.features & NL80211_FEATURE_TDLS_CHANNEL_SWITCH))
15435 		return -EOPNOTSUPP;
15436 
15437 	switch (dev->ieee80211_ptr->iftype) {
15438 	case NL80211_IFTYPE_STATION:
15439 	case NL80211_IFTYPE_P2P_CLIENT:
15440 		break;
15441 	default:
15442 		return -EOPNOTSUPP;
15443 	}
15444 
15445 	if (!info->attrs[NL80211_ATTR_MAC])
15446 		return -EINVAL;
15447 
15448 	addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
15449 
15450 	wdev_lock(wdev);
15451 	rdev_tdls_cancel_channel_switch(rdev, dev, addr);
15452 	wdev_unlock(wdev);
15453 
15454 	return 0;
15455 }
15456 
15457 static int nl80211_set_multicast_to_unicast(struct sk_buff *skb,
15458 					    struct genl_info *info)
15459 {
15460 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15461 	struct net_device *dev = info->user_ptr[1];
15462 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15463 	const struct nlattr *nla;
15464 	bool enabled;
15465 
15466 	if (!rdev->ops->set_multicast_to_unicast)
15467 		return -EOPNOTSUPP;
15468 
15469 	if (wdev->iftype != NL80211_IFTYPE_AP &&
15470 	    wdev->iftype != NL80211_IFTYPE_P2P_GO)
15471 		return -EOPNOTSUPP;
15472 
15473 	nla = info->attrs[NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED];
15474 	enabled = nla_get_flag(nla);
15475 
15476 	return rdev_set_multicast_to_unicast(rdev, dev, enabled);
15477 }
15478 
15479 static int nl80211_set_pmk(struct sk_buff *skb, struct genl_info *info)
15480 {
15481 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15482 	struct net_device *dev = info->user_ptr[1];
15483 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15484 	struct cfg80211_pmk_conf pmk_conf = {};
15485 	int ret;
15486 
15487 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15488 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15489 		return -EOPNOTSUPP;
15490 
15491 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15492 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15493 		return -EOPNOTSUPP;
15494 
15495 	if (!info->attrs[NL80211_ATTR_MAC] || !info->attrs[NL80211_ATTR_PMK])
15496 		return -EINVAL;
15497 
15498 	wdev_lock(wdev);
15499 	if (!wdev->connected) {
15500 		ret = -ENOTCONN;
15501 		goto out;
15502 	}
15503 
15504 	pmk_conf.aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15505 	if (memcmp(pmk_conf.aa, wdev->u.client.connected_addr, ETH_ALEN)) {
15506 		ret = -EINVAL;
15507 		goto out;
15508 	}
15509 
15510 	pmk_conf.pmk = nla_data(info->attrs[NL80211_ATTR_PMK]);
15511 	pmk_conf.pmk_len = nla_len(info->attrs[NL80211_ATTR_PMK]);
15512 	if (pmk_conf.pmk_len != WLAN_PMK_LEN &&
15513 	    pmk_conf.pmk_len != WLAN_PMK_LEN_SUITE_B_192) {
15514 		ret = -EINVAL;
15515 		goto out;
15516 	}
15517 
15518 	if (info->attrs[NL80211_ATTR_PMKR0_NAME])
15519 		pmk_conf.pmk_r0_name =
15520 			nla_data(info->attrs[NL80211_ATTR_PMKR0_NAME]);
15521 
15522 	ret = rdev_set_pmk(rdev, dev, &pmk_conf);
15523 out:
15524 	wdev_unlock(wdev);
15525 	return ret;
15526 }
15527 
15528 static int nl80211_del_pmk(struct sk_buff *skb, struct genl_info *info)
15529 {
15530 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15531 	struct net_device *dev = info->user_ptr[1];
15532 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15533 	const u8 *aa;
15534 	int ret;
15535 
15536 	if (wdev->iftype != NL80211_IFTYPE_STATION &&
15537 	    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT)
15538 		return -EOPNOTSUPP;
15539 
15540 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15541 				     NL80211_EXT_FEATURE_4WAY_HANDSHAKE_STA_1X))
15542 		return -EOPNOTSUPP;
15543 
15544 	if (!info->attrs[NL80211_ATTR_MAC])
15545 		return -EINVAL;
15546 
15547 	wdev_lock(wdev);
15548 	aa = nla_data(info->attrs[NL80211_ATTR_MAC]);
15549 	ret = rdev_del_pmk(rdev, dev, aa);
15550 	wdev_unlock(wdev);
15551 
15552 	return ret;
15553 }
15554 
15555 static int nl80211_external_auth(struct sk_buff *skb, struct genl_info *info)
15556 {
15557 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15558 	struct net_device *dev = info->user_ptr[1];
15559 	struct cfg80211_external_auth_params params;
15560 
15561 	if (!rdev->ops->external_auth)
15562 		return -EOPNOTSUPP;
15563 
15564 	if (!info->attrs[NL80211_ATTR_SSID] &&
15565 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
15566 	    dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
15567 		return -EINVAL;
15568 
15569 	if (!info->attrs[NL80211_ATTR_BSSID])
15570 		return -EINVAL;
15571 
15572 	if (!info->attrs[NL80211_ATTR_STATUS_CODE])
15573 		return -EINVAL;
15574 
15575 	memset(&params, 0, sizeof(params));
15576 
15577 	if (info->attrs[NL80211_ATTR_SSID]) {
15578 		params.ssid.ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
15579 		if (params.ssid.ssid_len == 0)
15580 			return -EINVAL;
15581 		memcpy(params.ssid.ssid,
15582 		       nla_data(info->attrs[NL80211_ATTR_SSID]),
15583 		       params.ssid.ssid_len);
15584 	}
15585 
15586 	memcpy(params.bssid, nla_data(info->attrs[NL80211_ATTR_BSSID]),
15587 	       ETH_ALEN);
15588 
15589 	params.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15590 
15591 	if (info->attrs[NL80211_ATTR_PMKID])
15592 		params.pmkid = nla_data(info->attrs[NL80211_ATTR_PMKID]);
15593 
15594 	return rdev_external_auth(rdev, dev, &params);
15595 }
15596 
15597 static int nl80211_tx_control_port(struct sk_buff *skb, struct genl_info *info)
15598 {
15599 	bool dont_wait_for_ack = info->attrs[NL80211_ATTR_DONT_WAIT_FOR_ACK];
15600 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15601 	struct net_device *dev = info->user_ptr[1];
15602 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15603 	const u8 *buf;
15604 	size_t len;
15605 	u8 *dest;
15606 	u16 proto;
15607 	bool noencrypt;
15608 	u64 cookie = 0;
15609 	int link_id;
15610 	int err;
15611 
15612 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15613 				     NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211))
15614 		return -EOPNOTSUPP;
15615 
15616 	if (!rdev->ops->tx_control_port)
15617 		return -EOPNOTSUPP;
15618 
15619 	if (!info->attrs[NL80211_ATTR_FRAME] ||
15620 	    !info->attrs[NL80211_ATTR_MAC] ||
15621 	    !info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]) {
15622 		GENL_SET_ERR_MSG(info, "Frame, MAC or ethertype missing");
15623 		return -EINVAL;
15624 	}
15625 
15626 	wdev_lock(wdev);
15627 
15628 	switch (wdev->iftype) {
15629 	case NL80211_IFTYPE_AP:
15630 	case NL80211_IFTYPE_P2P_GO:
15631 	case NL80211_IFTYPE_MESH_POINT:
15632 		break;
15633 	case NL80211_IFTYPE_ADHOC:
15634 		if (wdev->u.ibss.current_bss)
15635 			break;
15636 		err = -ENOTCONN;
15637 		goto out;
15638 	case NL80211_IFTYPE_STATION:
15639 	case NL80211_IFTYPE_P2P_CLIENT:
15640 		if (wdev->connected)
15641 			break;
15642 		err = -ENOTCONN;
15643 		goto out;
15644 	default:
15645 		err = -EOPNOTSUPP;
15646 		goto out;
15647 	}
15648 
15649 	wdev_unlock(wdev);
15650 
15651 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15652 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15653 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15654 	proto = nla_get_u16(info->attrs[NL80211_ATTR_CONTROL_PORT_ETHERTYPE]);
15655 	noencrypt =
15656 		nla_get_flag(info->attrs[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT]);
15657 
15658 	link_id = nl80211_link_id_or_invalid(info->attrs);
15659 
15660 	err = rdev_tx_control_port(rdev, dev, buf, len,
15661 				   dest, cpu_to_be16(proto), noencrypt, link_id,
15662 				   dont_wait_for_ack ? NULL : &cookie);
15663 	if (!err && !dont_wait_for_ack)
15664 		nl_set_extack_cookie_u64(info->extack, cookie);
15665 	return err;
15666  out:
15667 	wdev_unlock(wdev);
15668 	return err;
15669 }
15670 
15671 static int nl80211_get_ftm_responder_stats(struct sk_buff *skb,
15672 					   struct genl_info *info)
15673 {
15674 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15675 	struct net_device *dev = info->user_ptr[1];
15676 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15677 	struct cfg80211_ftm_responder_stats ftm_stats = {};
15678 	unsigned int link_id = nl80211_link_id(info->attrs);
15679 	struct sk_buff *msg;
15680 	void *hdr;
15681 	struct nlattr *ftm_stats_attr;
15682 	int err;
15683 
15684 	if (wdev->iftype != NL80211_IFTYPE_AP ||
15685 	    !wdev->links[link_id].ap.beacon_interval)
15686 		return -EOPNOTSUPP;
15687 
15688 	err = rdev_get_ftm_responder_stats(rdev, dev, &ftm_stats);
15689 	if (err)
15690 		return err;
15691 
15692 	if (!ftm_stats.filled)
15693 		return -ENODATA;
15694 
15695 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
15696 	if (!msg)
15697 		return -ENOMEM;
15698 
15699 	hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
15700 			     NL80211_CMD_GET_FTM_RESPONDER_STATS);
15701 	if (!hdr)
15702 		goto nla_put_failure;
15703 
15704 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
15705 		goto nla_put_failure;
15706 
15707 	ftm_stats_attr = nla_nest_start_noflag(msg,
15708 					       NL80211_ATTR_FTM_RESPONDER_STATS);
15709 	if (!ftm_stats_attr)
15710 		goto nla_put_failure;
15711 
15712 #define SET_FTM(field, name, type)					 \
15713 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15714 	    nla_put_ ## type(msg, NL80211_FTM_STATS_ ## name,		 \
15715 			     ftm_stats.field))				 \
15716 		goto nla_put_failure; } while (0)
15717 #define SET_FTM_U64(field, name)					 \
15718 	do { if ((ftm_stats.filled & BIT(NL80211_FTM_STATS_ ## name)) && \
15719 	    nla_put_u64_64bit(msg, NL80211_FTM_STATS_ ## name,		 \
15720 			      ftm_stats.field, NL80211_FTM_STATS_PAD))	 \
15721 		goto nla_put_failure; } while (0)
15722 
15723 	SET_FTM(success_num, SUCCESS_NUM, u32);
15724 	SET_FTM(partial_num, PARTIAL_NUM, u32);
15725 	SET_FTM(failed_num, FAILED_NUM, u32);
15726 	SET_FTM(asap_num, ASAP_NUM, u32);
15727 	SET_FTM(non_asap_num, NON_ASAP_NUM, u32);
15728 	SET_FTM_U64(total_duration_ms, TOTAL_DURATION_MSEC);
15729 	SET_FTM(unknown_triggers_num, UNKNOWN_TRIGGERS_NUM, u32);
15730 	SET_FTM(reschedule_requests_num, RESCHEDULE_REQUESTS_NUM, u32);
15731 	SET_FTM(out_of_window_triggers_num, OUT_OF_WINDOW_TRIGGERS_NUM, u32);
15732 #undef SET_FTM
15733 
15734 	nla_nest_end(msg, ftm_stats_attr);
15735 
15736 	genlmsg_end(msg, hdr);
15737 	return genlmsg_reply(msg, info);
15738 
15739 nla_put_failure:
15740 	nlmsg_free(msg);
15741 	return -ENOBUFS;
15742 }
15743 
15744 static int nl80211_update_owe_info(struct sk_buff *skb, struct genl_info *info)
15745 {
15746 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15747 	struct cfg80211_update_owe_info owe_info;
15748 	struct net_device *dev = info->user_ptr[1];
15749 
15750 	if (!rdev->ops->update_owe_info)
15751 		return -EOPNOTSUPP;
15752 
15753 	if (!info->attrs[NL80211_ATTR_STATUS_CODE] ||
15754 	    !info->attrs[NL80211_ATTR_MAC])
15755 		return -EINVAL;
15756 
15757 	memset(&owe_info, 0, sizeof(owe_info));
15758 	owe_info.status = nla_get_u16(info->attrs[NL80211_ATTR_STATUS_CODE]);
15759 	nla_memcpy(owe_info.peer, info->attrs[NL80211_ATTR_MAC], ETH_ALEN);
15760 
15761 	if (info->attrs[NL80211_ATTR_IE]) {
15762 		owe_info.ie = nla_data(info->attrs[NL80211_ATTR_IE]);
15763 		owe_info.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
15764 	}
15765 
15766 	return rdev_update_owe_info(rdev, dev, &owe_info);
15767 }
15768 
15769 static int nl80211_probe_mesh_link(struct sk_buff *skb, struct genl_info *info)
15770 {
15771 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15772 	struct net_device *dev = info->user_ptr[1];
15773 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15774 	struct station_info sinfo = {};
15775 	const u8 *buf;
15776 	size_t len;
15777 	u8 *dest;
15778 	int err;
15779 
15780 	if (!rdev->ops->probe_mesh_link || !rdev->ops->get_station)
15781 		return -EOPNOTSUPP;
15782 
15783 	if (!info->attrs[NL80211_ATTR_MAC] ||
15784 	    !info->attrs[NL80211_ATTR_FRAME]) {
15785 		GENL_SET_ERR_MSG(info, "Frame or MAC missing");
15786 		return -EINVAL;
15787 	}
15788 
15789 	if (wdev->iftype != NL80211_IFTYPE_MESH_POINT)
15790 		return -EOPNOTSUPP;
15791 
15792 	dest = nla_data(info->attrs[NL80211_ATTR_MAC]);
15793 	buf = nla_data(info->attrs[NL80211_ATTR_FRAME]);
15794 	len = nla_len(info->attrs[NL80211_ATTR_FRAME]);
15795 
15796 	if (len < sizeof(struct ethhdr))
15797 		return -EINVAL;
15798 
15799 	if (!ether_addr_equal(buf, dest) || is_multicast_ether_addr(buf) ||
15800 	    !ether_addr_equal(buf + ETH_ALEN, dev->dev_addr))
15801 		return -EINVAL;
15802 
15803 	err = rdev_get_station(rdev, dev, dest, &sinfo);
15804 	if (err)
15805 		return err;
15806 
15807 	cfg80211_sinfo_release_content(&sinfo);
15808 
15809 	return rdev_probe_mesh_link(rdev, dev, dest, buf, len);
15810 }
15811 
15812 static int parse_tid_conf(struct cfg80211_registered_device *rdev,
15813 			  struct nlattr *attrs[], struct net_device *dev,
15814 			  struct cfg80211_tid_cfg *tid_conf,
15815 			  struct genl_info *info, const u8 *peer,
15816 			  unsigned int link_id)
15817 {
15818 	struct netlink_ext_ack *extack = info->extack;
15819 	u64 mask;
15820 	int err;
15821 
15822 	if (!attrs[NL80211_TID_CONFIG_ATTR_TIDS])
15823 		return -EINVAL;
15824 
15825 	tid_conf->config_override =
15826 			nla_get_flag(attrs[NL80211_TID_CONFIG_ATTR_OVERRIDE]);
15827 	tid_conf->tids = nla_get_u16(attrs[NL80211_TID_CONFIG_ATTR_TIDS]);
15828 
15829 	if (tid_conf->config_override) {
15830 		if (rdev->ops->reset_tid_config) {
15831 			err = rdev_reset_tid_config(rdev, dev, peer,
15832 						    tid_conf->tids);
15833 			if (err)
15834 				return err;
15835 		} else {
15836 			return -EINVAL;
15837 		}
15838 	}
15839 
15840 	if (attrs[NL80211_TID_CONFIG_ATTR_NOACK]) {
15841 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_NOACK);
15842 		tid_conf->noack =
15843 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_NOACK]);
15844 	}
15845 
15846 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]) {
15847 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_SHORT);
15848 		tid_conf->retry_short =
15849 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_SHORT]);
15850 
15851 		if (tid_conf->retry_short > rdev->wiphy.max_data_retry_count)
15852 			return -EINVAL;
15853 	}
15854 
15855 	if (attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]) {
15856 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RETRY_LONG);
15857 		tid_conf->retry_long =
15858 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RETRY_LONG]);
15859 
15860 		if (tid_conf->retry_long > rdev->wiphy.max_data_retry_count)
15861 			return -EINVAL;
15862 	}
15863 
15864 	if (attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]) {
15865 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMPDU_CTRL);
15866 		tid_conf->ampdu =
15867 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMPDU_CTRL]);
15868 	}
15869 
15870 	if (attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]) {
15871 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL);
15872 		tid_conf->rtscts =
15873 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_RTSCTS_CTRL]);
15874 	}
15875 
15876 	if (attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]) {
15877 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_AMSDU_CTRL);
15878 		tid_conf->amsdu =
15879 			nla_get_u8(attrs[NL80211_TID_CONFIG_ATTR_AMSDU_CTRL]);
15880 	}
15881 
15882 	if (attrs[NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE]) {
15883 		u32 idx = NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE, attr;
15884 
15885 		tid_conf->txrate_type = nla_get_u8(attrs[idx]);
15886 
15887 		if (tid_conf->txrate_type != NL80211_TX_RATE_AUTOMATIC) {
15888 			attr = NL80211_TID_CONFIG_ATTR_TX_RATE;
15889 			err = nl80211_parse_tx_bitrate_mask(info, attrs, attr,
15890 						    &tid_conf->txrate_mask, dev,
15891 						    true, link_id);
15892 			if (err)
15893 				return err;
15894 
15895 			tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE);
15896 		}
15897 		tid_conf->mask |= BIT(NL80211_TID_CONFIG_ATTR_TX_RATE_TYPE);
15898 	}
15899 
15900 	if (peer)
15901 		mask = rdev->wiphy.tid_config_support.peer;
15902 	else
15903 		mask = rdev->wiphy.tid_config_support.vif;
15904 
15905 	if (tid_conf->mask & ~mask) {
15906 		NL_SET_ERR_MSG(extack, "unsupported TID configuration");
15907 		return -ENOTSUPP;
15908 	}
15909 
15910 	return 0;
15911 }
15912 
15913 static int nl80211_set_tid_config(struct sk_buff *skb,
15914 				  struct genl_info *info)
15915 {
15916 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15917 	struct nlattr *attrs[NL80211_TID_CONFIG_ATTR_MAX + 1];
15918 	unsigned int link_id = nl80211_link_id(info->attrs);
15919 	struct net_device *dev = info->user_ptr[1];
15920 	struct cfg80211_tid_config *tid_config;
15921 	struct nlattr *tid;
15922 	int conf_idx = 0, rem_conf;
15923 	int ret = -EINVAL;
15924 	u32 num_conf = 0;
15925 
15926 	if (!info->attrs[NL80211_ATTR_TID_CONFIG])
15927 		return -EINVAL;
15928 
15929 	if (!rdev->ops->set_tid_config)
15930 		return -EOPNOTSUPP;
15931 
15932 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15933 			    rem_conf)
15934 		num_conf++;
15935 
15936 	tid_config = kzalloc(struct_size(tid_config, tid_conf, num_conf),
15937 			     GFP_KERNEL);
15938 	if (!tid_config)
15939 		return -ENOMEM;
15940 
15941 	tid_config->n_tid_conf = num_conf;
15942 
15943 	if (info->attrs[NL80211_ATTR_MAC])
15944 		tid_config->peer = nla_data(info->attrs[NL80211_ATTR_MAC]);
15945 
15946 	wdev_lock(dev->ieee80211_ptr);
15947 
15948 	nla_for_each_nested(tid, info->attrs[NL80211_ATTR_TID_CONFIG],
15949 			    rem_conf) {
15950 		ret = nla_parse_nested(attrs, NL80211_TID_CONFIG_ATTR_MAX,
15951 				       tid, NULL, NULL);
15952 
15953 		if (ret)
15954 			goto bad_tid_conf;
15955 
15956 		ret = parse_tid_conf(rdev, attrs, dev,
15957 				     &tid_config->tid_conf[conf_idx],
15958 				     info, tid_config->peer, link_id);
15959 		if (ret)
15960 			goto bad_tid_conf;
15961 
15962 		conf_idx++;
15963 	}
15964 
15965 	ret = rdev_set_tid_config(rdev, dev, tid_config);
15966 
15967 bad_tid_conf:
15968 	kfree(tid_config);
15969 	wdev_unlock(dev->ieee80211_ptr);
15970 	return ret;
15971 }
15972 
15973 static int nl80211_color_change(struct sk_buff *skb, struct genl_info *info)
15974 {
15975 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
15976 	struct cfg80211_color_change_settings params = {};
15977 	struct net_device *dev = info->user_ptr[1];
15978 	struct wireless_dev *wdev = dev->ieee80211_ptr;
15979 	struct nlattr **tb;
15980 	u16 offset;
15981 	int err;
15982 
15983 	if (!rdev->ops->color_change)
15984 		return -EOPNOTSUPP;
15985 
15986 	if (!wiphy_ext_feature_isset(&rdev->wiphy,
15987 				     NL80211_EXT_FEATURE_BSS_COLOR))
15988 		return -EOPNOTSUPP;
15989 
15990 	if (wdev->iftype != NL80211_IFTYPE_AP)
15991 		return -EOPNOTSUPP;
15992 
15993 	if (!info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT] ||
15994 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR] ||
15995 	    !info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS])
15996 		return -EINVAL;
15997 
15998 	params.count = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COUNT]);
15999 	params.color = nla_get_u8(info->attrs[NL80211_ATTR_COLOR_CHANGE_COLOR]);
16000 
16001 	err = nl80211_parse_beacon(rdev, info->attrs, &params.beacon_next,
16002 				   info->extack);
16003 	if (err)
16004 		return err;
16005 
16006 	tb = kcalloc(NL80211_ATTR_MAX + 1, sizeof(*tb), GFP_KERNEL);
16007 	if (!tb)
16008 		return -ENOMEM;
16009 
16010 	err = nla_parse_nested(tb, NL80211_ATTR_MAX,
16011 			       info->attrs[NL80211_ATTR_COLOR_CHANGE_ELEMS],
16012 			       nl80211_policy, info->extack);
16013 	if (err)
16014 		goto out;
16015 
16016 	err = nl80211_parse_beacon(rdev, tb, &params.beacon_color_change,
16017 				   info->extack);
16018 	if (err)
16019 		goto out;
16020 
16021 	if (!tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) {
16022 		err = -EINVAL;
16023 		goto out;
16024 	}
16025 
16026 	if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]) != sizeof(u16)) {
16027 		err = -EINVAL;
16028 		goto out;
16029 	}
16030 
16031 	offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_BEACON]);
16032 	if (offset >= params.beacon_color_change.tail_len) {
16033 		err = -EINVAL;
16034 		goto out;
16035 	}
16036 
16037 	if (params.beacon_color_change.tail[offset] != params.count) {
16038 		err = -EINVAL;
16039 		goto out;
16040 	}
16041 
16042 	params.counter_offset_beacon = offset;
16043 
16044 	if (tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) {
16045 		if (nla_len(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]) !=
16046 		    sizeof(u16)) {
16047 			err = -EINVAL;
16048 			goto out;
16049 		}
16050 
16051 		offset = nla_get_u16(tb[NL80211_ATTR_CNTDWN_OFFS_PRESP]);
16052 		if (offset >= params.beacon_color_change.probe_resp_len) {
16053 			err = -EINVAL;
16054 			goto out;
16055 		}
16056 
16057 		if (params.beacon_color_change.probe_resp[offset] !=
16058 		    params.count) {
16059 			err = -EINVAL;
16060 			goto out;
16061 		}
16062 
16063 		params.counter_offset_presp = offset;
16064 	}
16065 
16066 	wdev_lock(wdev);
16067 	err = rdev_color_change(rdev, dev, &params);
16068 	wdev_unlock(wdev);
16069 
16070 out:
16071 	kfree(params.beacon_next.mbssid_ies);
16072 	kfree(params.beacon_color_change.mbssid_ies);
16073 	kfree(params.beacon_next.rnr_ies);
16074 	kfree(params.beacon_color_change.rnr_ies);
16075 	kfree(tb);
16076 	return err;
16077 }
16078 
16079 static int nl80211_set_fils_aad(struct sk_buff *skb,
16080 				struct genl_info *info)
16081 {
16082 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16083 	struct net_device *dev = info->user_ptr[1];
16084 	struct cfg80211_fils_aad fils_aad = {};
16085 	u8 *nonces;
16086 
16087 	if (!info->attrs[NL80211_ATTR_MAC] ||
16088 	    !info->attrs[NL80211_ATTR_FILS_KEK] ||
16089 	    !info->attrs[NL80211_ATTR_FILS_NONCES])
16090 		return -EINVAL;
16091 
16092 	fils_aad.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16093 	fils_aad.kek_len = nla_len(info->attrs[NL80211_ATTR_FILS_KEK]);
16094 	fils_aad.kek = nla_data(info->attrs[NL80211_ATTR_FILS_KEK]);
16095 	nonces = nla_data(info->attrs[NL80211_ATTR_FILS_NONCES]);
16096 	fils_aad.snonce = nonces;
16097 	fils_aad.anonce = nonces + FILS_NONCE_LEN;
16098 
16099 	return rdev_set_fils_aad(rdev, dev, &fils_aad);
16100 }
16101 
16102 static int nl80211_add_link(struct sk_buff *skb, struct genl_info *info)
16103 {
16104 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16105 	unsigned int link_id = nl80211_link_id(info->attrs);
16106 	struct net_device *dev = info->user_ptr[1];
16107 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16108 	int ret;
16109 
16110 	if (!(wdev->wiphy->flags & WIPHY_FLAG_SUPPORTS_MLO))
16111 		return -EINVAL;
16112 
16113 	switch (wdev->iftype) {
16114 	case NL80211_IFTYPE_AP:
16115 		break;
16116 	default:
16117 		return -EINVAL;
16118 	}
16119 
16120 	if (!info->attrs[NL80211_ATTR_MAC] ||
16121 	    !is_valid_ether_addr(nla_data(info->attrs[NL80211_ATTR_MAC])))
16122 		return -EINVAL;
16123 
16124 	wdev_lock(wdev);
16125 	wdev->valid_links |= BIT(link_id);
16126 	ether_addr_copy(wdev->links[link_id].addr,
16127 			nla_data(info->attrs[NL80211_ATTR_MAC]));
16128 
16129 	ret = rdev_add_intf_link(rdev, wdev, link_id);
16130 	if (ret) {
16131 		wdev->valid_links &= ~BIT(link_id);
16132 		eth_zero_addr(wdev->links[link_id].addr);
16133 	}
16134 	wdev_unlock(wdev);
16135 
16136 	return ret;
16137 }
16138 
16139 static int nl80211_remove_link(struct sk_buff *skb, struct genl_info *info)
16140 {
16141 	unsigned int link_id = nl80211_link_id(info->attrs);
16142 	struct net_device *dev = info->user_ptr[1];
16143 	struct wireless_dev *wdev = dev->ieee80211_ptr;
16144 
16145 	/* cannot remove if there's no link */
16146 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16147 		return -EINVAL;
16148 
16149 	switch (wdev->iftype) {
16150 	case NL80211_IFTYPE_AP:
16151 		break;
16152 	default:
16153 		return -EINVAL;
16154 	}
16155 
16156 	wdev_lock(wdev);
16157 	cfg80211_remove_link(wdev, link_id);
16158 	wdev_unlock(wdev);
16159 
16160 	return 0;
16161 }
16162 
16163 static int
16164 nl80211_add_mod_link_station(struct sk_buff *skb, struct genl_info *info,
16165 			     bool add)
16166 {
16167 	struct link_station_parameters params = {};
16168 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16169 	struct net_device *dev = info->user_ptr[1];
16170 	int err;
16171 
16172 	if ((add && !rdev->ops->add_link_station) ||
16173 	    (!add && !rdev->ops->mod_link_station))
16174 		return -EOPNOTSUPP;
16175 
16176 	if (add && !info->attrs[NL80211_ATTR_MAC])
16177 		return -EINVAL;
16178 
16179 	if (!info->attrs[NL80211_ATTR_MLD_ADDR])
16180 		return -EINVAL;
16181 
16182 	if (add && !info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES])
16183 		return -EINVAL;
16184 
16185 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16186 
16187 	if (info->attrs[NL80211_ATTR_MAC]) {
16188 		params.link_mac = nla_data(info->attrs[NL80211_ATTR_MAC]);
16189 		if (!is_valid_ether_addr(params.link_mac))
16190 			return -EINVAL;
16191 	}
16192 
16193 	if (!info->attrs[NL80211_ATTR_MLO_LINK_ID])
16194 		return -EINVAL;
16195 
16196 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16197 
16198 	if (info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]) {
16199 		params.supported_rates =
16200 			nla_data(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16201 		params.supported_rates_len =
16202 			nla_len(info->attrs[NL80211_ATTR_STA_SUPPORTED_RATES]);
16203 	}
16204 
16205 	if (info->attrs[NL80211_ATTR_HT_CAPABILITY])
16206 		params.ht_capa =
16207 			nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
16208 
16209 	if (info->attrs[NL80211_ATTR_VHT_CAPABILITY])
16210 		params.vht_capa =
16211 			nla_data(info->attrs[NL80211_ATTR_VHT_CAPABILITY]);
16212 
16213 	if (info->attrs[NL80211_ATTR_HE_CAPABILITY]) {
16214 		params.he_capa =
16215 			nla_data(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16216 		params.he_capa_len =
16217 			nla_len(info->attrs[NL80211_ATTR_HE_CAPABILITY]);
16218 
16219 		if (info->attrs[NL80211_ATTR_EHT_CAPABILITY]) {
16220 			params.eht_capa =
16221 				nla_data(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16222 			params.eht_capa_len =
16223 				nla_len(info->attrs[NL80211_ATTR_EHT_CAPABILITY]);
16224 
16225 			if (!ieee80211_eht_capa_size_ok((const u8 *)params.he_capa,
16226 							(const u8 *)params.eht_capa,
16227 							params.eht_capa_len,
16228 							false))
16229 				return -EINVAL;
16230 		}
16231 	}
16232 
16233 	if (info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY])
16234 		params.he_6ghz_capa =
16235 			nla_data(info->attrs[NL80211_ATTR_HE_6GHZ_CAPABILITY]);
16236 
16237 	if (info->attrs[NL80211_ATTR_OPMODE_NOTIF]) {
16238 		params.opmode_notif_used = true;
16239 		params.opmode_notif =
16240 			nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
16241 	}
16242 
16243 	err = nl80211_parse_sta_txpower_setting(info, &params.txpwr,
16244 						&params.txpwr_set);
16245 	if (err)
16246 		return err;
16247 
16248 	wdev_lock(dev->ieee80211_ptr);
16249 	if (add)
16250 		err = rdev_add_link_station(rdev, dev, &params);
16251 	else
16252 		err = rdev_mod_link_station(rdev, dev, &params);
16253 	wdev_unlock(dev->ieee80211_ptr);
16254 
16255 	return err;
16256 }
16257 
16258 static int
16259 nl80211_add_link_station(struct sk_buff *skb, struct genl_info *info)
16260 {
16261 	return nl80211_add_mod_link_station(skb, info, true);
16262 }
16263 
16264 static int
16265 nl80211_modify_link_station(struct sk_buff *skb, struct genl_info *info)
16266 {
16267 	return nl80211_add_mod_link_station(skb, info, false);
16268 }
16269 
16270 static int
16271 nl80211_remove_link_station(struct sk_buff *skb, struct genl_info *info)
16272 {
16273 	struct link_station_del_parameters params = {};
16274 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16275 	struct net_device *dev = info->user_ptr[1];
16276 	int ret;
16277 
16278 	if (!rdev->ops->del_link_station)
16279 		return -EOPNOTSUPP;
16280 
16281 	if (!info->attrs[NL80211_ATTR_MLD_ADDR] ||
16282 	    !info->attrs[NL80211_ATTR_MLO_LINK_ID])
16283 		return -EINVAL;
16284 
16285 	params.mld_mac = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]);
16286 	params.link_id = nla_get_u8(info->attrs[NL80211_ATTR_MLO_LINK_ID]);
16287 
16288 	wdev_lock(dev->ieee80211_ptr);
16289 	ret = rdev_del_link_station(rdev, dev, &params);
16290 	wdev_unlock(dev->ieee80211_ptr);
16291 
16292 	return ret;
16293 }
16294 
16295 static int nl80211_set_hw_timestamp(struct sk_buff *skb,
16296 				    struct genl_info *info)
16297 {
16298 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16299 	struct net_device *dev = info->user_ptr[1];
16300 	struct cfg80211_set_hw_timestamp hwts = {};
16301 
16302 	if (!rdev->wiphy.hw_timestamp_max_peers)
16303 		return -EOPNOTSUPP;
16304 
16305 	if (!info->attrs[NL80211_ATTR_MAC] &&
16306 	    rdev->wiphy.hw_timestamp_max_peers != CFG80211_HW_TIMESTAMP_ALL_PEERS)
16307 		return -EOPNOTSUPP;
16308 
16309 	if (info->attrs[NL80211_ATTR_MAC])
16310 		hwts.macaddr = nla_data(info->attrs[NL80211_ATTR_MAC]);
16311 
16312 	hwts.enable =
16313 		nla_get_flag(info->attrs[NL80211_ATTR_HW_TIMESTAMP_ENABLED]);
16314 
16315 	return rdev_set_hw_timestamp(rdev, dev, &hwts);
16316 }
16317 
16318 #define NL80211_FLAG_NEED_WIPHY		0x01
16319 #define NL80211_FLAG_NEED_NETDEV	0x02
16320 #define NL80211_FLAG_NEED_RTNL		0x04
16321 #define NL80211_FLAG_CHECK_NETDEV_UP	0x08
16322 #define NL80211_FLAG_NEED_NETDEV_UP	(NL80211_FLAG_NEED_NETDEV |\
16323 					 NL80211_FLAG_CHECK_NETDEV_UP)
16324 #define NL80211_FLAG_NEED_WDEV		0x10
16325 /* If a netdev is associated, it must be UP, P2P must be started */
16326 #define NL80211_FLAG_NEED_WDEV_UP	(NL80211_FLAG_NEED_WDEV |\
16327 					 NL80211_FLAG_CHECK_NETDEV_UP)
16328 #define NL80211_FLAG_CLEAR_SKB		0x20
16329 #define NL80211_FLAG_NO_WIPHY_MTX	0x40
16330 #define NL80211_FLAG_MLO_VALID_LINK_ID	0x80
16331 #define NL80211_FLAG_MLO_UNSUPPORTED	0x100
16332 
16333 #define INTERNAL_FLAG_SELECTORS(__sel)			\
16334 	SELECTOR(__sel, NONE, 0) /* must be first */	\
16335 	SELECTOR(__sel, WIPHY,				\
16336 		 NL80211_FLAG_NEED_WIPHY)		\
16337 	SELECTOR(__sel, WDEV,				\
16338 		 NL80211_FLAG_NEED_WDEV)		\
16339 	SELECTOR(__sel, NETDEV,				\
16340 		 NL80211_FLAG_NEED_NETDEV)		\
16341 	SELECTOR(__sel, NETDEV_LINK,			\
16342 		 NL80211_FLAG_NEED_NETDEV |		\
16343 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16344 	SELECTOR(__sel, NETDEV_NO_MLO,			\
16345 		 NL80211_FLAG_NEED_NETDEV |		\
16346 		 NL80211_FLAG_MLO_UNSUPPORTED)	\
16347 	SELECTOR(__sel, WIPHY_RTNL,			\
16348 		 NL80211_FLAG_NEED_WIPHY |		\
16349 		 NL80211_FLAG_NEED_RTNL)		\
16350 	SELECTOR(__sel, WIPHY_RTNL_NOMTX,		\
16351 		 NL80211_FLAG_NEED_WIPHY |		\
16352 		 NL80211_FLAG_NEED_RTNL |		\
16353 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16354 	SELECTOR(__sel, WDEV_RTNL,			\
16355 		 NL80211_FLAG_NEED_WDEV |		\
16356 		 NL80211_FLAG_NEED_RTNL)		\
16357 	SELECTOR(__sel, NETDEV_RTNL,			\
16358 		 NL80211_FLAG_NEED_NETDEV |		\
16359 		 NL80211_FLAG_NEED_RTNL)		\
16360 	SELECTOR(__sel, NETDEV_UP,			\
16361 		 NL80211_FLAG_NEED_NETDEV_UP)		\
16362 	SELECTOR(__sel, NETDEV_UP_LINK,			\
16363 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16364 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16365 	SELECTOR(__sel, NETDEV_UP_NO_MLO,		\
16366 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16367 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16368 	SELECTOR(__sel, NETDEV_UP_NO_MLO_CLEAR,		\
16369 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16370 		 NL80211_FLAG_CLEAR_SKB |		\
16371 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16372 	SELECTOR(__sel, NETDEV_UP_NOTMX,		\
16373 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16374 		 NL80211_FLAG_NO_WIPHY_MTX)		\
16375 	SELECTOR(__sel, NETDEV_UP_NOTMX_NOMLO,		\
16376 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16377 		 NL80211_FLAG_NO_WIPHY_MTX |		\
16378 		 NL80211_FLAG_MLO_UNSUPPORTED)		\
16379 	SELECTOR(__sel, NETDEV_UP_CLEAR,		\
16380 		 NL80211_FLAG_NEED_NETDEV_UP |		\
16381 		 NL80211_FLAG_CLEAR_SKB)		\
16382 	SELECTOR(__sel, WDEV_UP,			\
16383 		 NL80211_FLAG_NEED_WDEV_UP)		\
16384 	SELECTOR(__sel, WDEV_UP_LINK,			\
16385 		 NL80211_FLAG_NEED_WDEV_UP |		\
16386 		 NL80211_FLAG_MLO_VALID_LINK_ID)	\
16387 	SELECTOR(__sel, WDEV_UP_RTNL,			\
16388 		 NL80211_FLAG_NEED_WDEV_UP |		\
16389 		 NL80211_FLAG_NEED_RTNL)		\
16390 	SELECTOR(__sel, WIPHY_CLEAR,			\
16391 		 NL80211_FLAG_NEED_WIPHY |		\
16392 		 NL80211_FLAG_CLEAR_SKB)
16393 
16394 enum nl80211_internal_flags_selector {
16395 #define SELECTOR(_, name, value)	NL80211_IFL_SEL_##name,
16396 	INTERNAL_FLAG_SELECTORS(_)
16397 #undef SELECTOR
16398 };
16399 
16400 static u32 nl80211_internal_flags[] = {
16401 #define SELECTOR(_, name, value)	[NL80211_IFL_SEL_##name] = value,
16402 	INTERNAL_FLAG_SELECTORS(_)
16403 #undef SELECTOR
16404 };
16405 
16406 static int nl80211_pre_doit(const struct genl_split_ops *ops,
16407 			    struct sk_buff *skb,
16408 			    struct genl_info *info)
16409 {
16410 	struct cfg80211_registered_device *rdev = NULL;
16411 	struct wireless_dev *wdev = NULL;
16412 	struct net_device *dev = NULL;
16413 	u32 internal_flags;
16414 	int err;
16415 
16416 	if (WARN_ON(ops->internal_flags >= ARRAY_SIZE(nl80211_internal_flags)))
16417 		return -EINVAL;
16418 
16419 	internal_flags = nl80211_internal_flags[ops->internal_flags];
16420 
16421 	rtnl_lock();
16422 	if (internal_flags & NL80211_FLAG_NEED_WIPHY) {
16423 		rdev = cfg80211_get_dev_from_info(genl_info_net(info), info);
16424 		if (IS_ERR(rdev)) {
16425 			err = PTR_ERR(rdev);
16426 			goto out_unlock;
16427 		}
16428 		info->user_ptr[0] = rdev;
16429 	} else if (internal_flags & NL80211_FLAG_NEED_NETDEV ||
16430 		   internal_flags & NL80211_FLAG_NEED_WDEV) {
16431 		wdev = __cfg80211_wdev_from_attrs(NULL, genl_info_net(info),
16432 						  info->attrs);
16433 		if (IS_ERR(wdev)) {
16434 			err = PTR_ERR(wdev);
16435 			goto out_unlock;
16436 		}
16437 
16438 		dev = wdev->netdev;
16439 		dev_hold(dev);
16440 		rdev = wiphy_to_rdev(wdev->wiphy);
16441 
16442 		if (internal_flags & NL80211_FLAG_NEED_NETDEV) {
16443 			if (!dev) {
16444 				err = -EINVAL;
16445 				goto out_unlock;
16446 			}
16447 
16448 			info->user_ptr[1] = dev;
16449 		} else {
16450 			info->user_ptr[1] = wdev;
16451 		}
16452 
16453 		if (internal_flags & NL80211_FLAG_CHECK_NETDEV_UP &&
16454 		    !wdev_running(wdev)) {
16455 			err = -ENETDOWN;
16456 			goto out_unlock;
16457 		}
16458 
16459 		info->user_ptr[0] = rdev;
16460 	}
16461 
16462 	if (internal_flags & NL80211_FLAG_MLO_VALID_LINK_ID) {
16463 		struct nlattr *link_id = info->attrs[NL80211_ATTR_MLO_LINK_ID];
16464 
16465 		if (!wdev) {
16466 			err = -EINVAL;
16467 			goto out_unlock;
16468 		}
16469 
16470 		/* MLO -> require valid link ID */
16471 		if (wdev->valid_links &&
16472 		    (!link_id ||
16473 		     !(wdev->valid_links & BIT(nla_get_u8(link_id))))) {
16474 			err = -EINVAL;
16475 			goto out_unlock;
16476 		}
16477 
16478 		/* non-MLO -> no link ID attribute accepted */
16479 		if (!wdev->valid_links && link_id) {
16480 			err = -EINVAL;
16481 			goto out_unlock;
16482 		}
16483 	}
16484 
16485 	if (internal_flags & NL80211_FLAG_MLO_UNSUPPORTED) {
16486 		if (info->attrs[NL80211_ATTR_MLO_LINK_ID] ||
16487 		    (wdev && wdev->valid_links)) {
16488 			err = -EINVAL;
16489 			goto out_unlock;
16490 		}
16491 	}
16492 
16493 	if (rdev && !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16494 		wiphy_lock(&rdev->wiphy);
16495 		/* we keep the mutex locked until post_doit */
16496 		__release(&rdev->wiphy.mtx);
16497 	}
16498 	if (!(internal_flags & NL80211_FLAG_NEED_RTNL))
16499 		rtnl_unlock();
16500 
16501 	return 0;
16502 out_unlock:
16503 	rtnl_unlock();
16504 	dev_put(dev);
16505 	return err;
16506 }
16507 
16508 static void nl80211_post_doit(const struct genl_split_ops *ops,
16509 			      struct sk_buff *skb,
16510 			      struct genl_info *info)
16511 {
16512 	u32 internal_flags = nl80211_internal_flags[ops->internal_flags];
16513 
16514 	if (info->user_ptr[1]) {
16515 		if (internal_flags & NL80211_FLAG_NEED_WDEV) {
16516 			struct wireless_dev *wdev = info->user_ptr[1];
16517 
16518 			dev_put(wdev->netdev);
16519 		} else {
16520 			dev_put(info->user_ptr[1]);
16521 		}
16522 	}
16523 
16524 	if (info->user_ptr[0] &&
16525 	    !(internal_flags & NL80211_FLAG_NO_WIPHY_MTX)) {
16526 		struct cfg80211_registered_device *rdev = info->user_ptr[0];
16527 
16528 		/* we kept the mutex locked since pre_doit */
16529 		__acquire(&rdev->wiphy.mtx);
16530 		wiphy_unlock(&rdev->wiphy);
16531 	}
16532 
16533 	if (internal_flags & NL80211_FLAG_NEED_RTNL)
16534 		rtnl_unlock();
16535 
16536 	/* If needed, clear the netlink message payload from the SKB
16537 	 * as it might contain key data that shouldn't stick around on
16538 	 * the heap after the SKB is freed. The netlink message header
16539 	 * is still needed for further processing, so leave it intact.
16540 	 */
16541 	if (internal_flags & NL80211_FLAG_CLEAR_SKB) {
16542 		struct nlmsghdr *nlh = nlmsg_hdr(skb);
16543 
16544 		memset(nlmsg_data(nlh), 0, nlmsg_len(nlh));
16545 	}
16546 }
16547 
16548 static int nl80211_set_sar_sub_specs(struct cfg80211_registered_device *rdev,
16549 				     struct cfg80211_sar_specs *sar_specs,
16550 				     struct nlattr *spec[], int index)
16551 {
16552 	u32 range_index, i;
16553 
16554 	if (!sar_specs || !spec)
16555 		return -EINVAL;
16556 
16557 	if (!spec[NL80211_SAR_ATTR_SPECS_POWER] ||
16558 	    !spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX])
16559 		return -EINVAL;
16560 
16561 	range_index = nla_get_u32(spec[NL80211_SAR_ATTR_SPECS_RANGE_INDEX]);
16562 
16563 	/* check if range_index exceeds num_freq_ranges */
16564 	if (range_index >= rdev->wiphy.sar_capa->num_freq_ranges)
16565 		return -EINVAL;
16566 
16567 	/* check if range_index duplicates */
16568 	for (i = 0; i < index; i++) {
16569 		if (sar_specs->sub_specs[i].freq_range_index == range_index)
16570 			return -EINVAL;
16571 	}
16572 
16573 	sar_specs->sub_specs[index].power =
16574 		nla_get_s32(spec[NL80211_SAR_ATTR_SPECS_POWER]);
16575 
16576 	sar_specs->sub_specs[index].freq_range_index = range_index;
16577 
16578 	return 0;
16579 }
16580 
16581 static int nl80211_set_sar_specs(struct sk_buff *skb, struct genl_info *info)
16582 {
16583 	struct cfg80211_registered_device *rdev = info->user_ptr[0];
16584 	struct nlattr *spec[NL80211_SAR_ATTR_SPECS_MAX + 1];
16585 	struct nlattr *tb[NL80211_SAR_ATTR_MAX + 1];
16586 	struct cfg80211_sar_specs *sar_spec;
16587 	enum nl80211_sar_type type;
16588 	struct nlattr *spec_list;
16589 	u32 specs;
16590 	int rem, err;
16591 
16592 	if (!rdev->wiphy.sar_capa || !rdev->ops->set_sar_specs)
16593 		return -EOPNOTSUPP;
16594 
16595 	if (!info->attrs[NL80211_ATTR_SAR_SPEC])
16596 		return -EINVAL;
16597 
16598 	nla_parse_nested(tb, NL80211_SAR_ATTR_MAX,
16599 			 info->attrs[NL80211_ATTR_SAR_SPEC],
16600 			 NULL, NULL);
16601 
16602 	if (!tb[NL80211_SAR_ATTR_TYPE] || !tb[NL80211_SAR_ATTR_SPECS])
16603 		return -EINVAL;
16604 
16605 	type = nla_get_u32(tb[NL80211_SAR_ATTR_TYPE]);
16606 	if (type != rdev->wiphy.sar_capa->type)
16607 		return -EINVAL;
16608 
16609 	specs = 0;
16610 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem)
16611 		specs++;
16612 
16613 	if (specs > rdev->wiphy.sar_capa->num_freq_ranges)
16614 		return -EINVAL;
16615 
16616 	sar_spec = kzalloc(struct_size(sar_spec, sub_specs, specs), GFP_KERNEL);
16617 	if (!sar_spec)
16618 		return -ENOMEM;
16619 
16620 	sar_spec->type = type;
16621 	specs = 0;
16622 	nla_for_each_nested(spec_list, tb[NL80211_SAR_ATTR_SPECS], rem) {
16623 		nla_parse_nested(spec, NL80211_SAR_ATTR_SPECS_MAX,
16624 				 spec_list, NULL, NULL);
16625 
16626 		switch (type) {
16627 		case NL80211_SAR_TYPE_POWER:
16628 			if (nl80211_set_sar_sub_specs(rdev, sar_spec,
16629 						      spec, specs)) {
16630 				err = -EINVAL;
16631 				goto error;
16632 			}
16633 			break;
16634 		default:
16635 			err = -EINVAL;
16636 			goto error;
16637 		}
16638 		specs++;
16639 	}
16640 
16641 	sar_spec->num_sub_specs = specs;
16642 
16643 	rdev->cur_cmd_info = info;
16644 	err = rdev_set_sar_specs(rdev, sar_spec);
16645 	rdev->cur_cmd_info = NULL;
16646 error:
16647 	kfree(sar_spec);
16648 	return err;
16649 }
16650 
16651 #define SELECTOR(__sel, name, value) \
16652 	((__sel) == (value)) ? NL80211_IFL_SEL_##name :
16653 int __missing_selector(void);
16654 #define IFLAGS(__val) INTERNAL_FLAG_SELECTORS(__val) __missing_selector()
16655 
16656 static const struct genl_ops nl80211_ops[] = {
16657 	{
16658 		.cmd = NL80211_CMD_GET_WIPHY,
16659 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16660 		.doit = nl80211_get_wiphy,
16661 		.dumpit = nl80211_dump_wiphy,
16662 		.done = nl80211_dump_wiphy_done,
16663 		/* can be retrieved by unprivileged users */
16664 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16665 	},
16666 };
16667 
16668 static const struct genl_small_ops nl80211_small_ops[] = {
16669 	{
16670 		.cmd = NL80211_CMD_SET_WIPHY,
16671 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16672 		.doit = nl80211_set_wiphy,
16673 		.flags = GENL_UNS_ADMIN_PERM,
16674 	},
16675 	{
16676 		.cmd = NL80211_CMD_GET_INTERFACE,
16677 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16678 		.doit = nl80211_get_interface,
16679 		.dumpit = nl80211_dump_interface,
16680 		/* can be retrieved by unprivileged users */
16681 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
16682 	},
16683 	{
16684 		.cmd = NL80211_CMD_SET_INTERFACE,
16685 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16686 		.doit = nl80211_set_interface,
16687 		.flags = GENL_UNS_ADMIN_PERM,
16688 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
16689 					 NL80211_FLAG_NEED_RTNL),
16690 	},
16691 	{
16692 		.cmd = NL80211_CMD_NEW_INTERFACE,
16693 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16694 		.doit = nl80211_new_interface,
16695 		.flags = GENL_UNS_ADMIN_PERM,
16696 		.internal_flags =
16697 			IFLAGS(NL80211_FLAG_NEED_WIPHY |
16698 			       NL80211_FLAG_NEED_RTNL |
16699 			       /* we take the wiphy mutex later ourselves */
16700 			       NL80211_FLAG_NO_WIPHY_MTX),
16701 	},
16702 	{
16703 		.cmd = NL80211_CMD_DEL_INTERFACE,
16704 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16705 		.doit = nl80211_del_interface,
16706 		.flags = GENL_UNS_ADMIN_PERM,
16707 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
16708 					 NL80211_FLAG_NEED_RTNL),
16709 	},
16710 	{
16711 		.cmd = NL80211_CMD_GET_KEY,
16712 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16713 		.doit = nl80211_get_key,
16714 		.flags = GENL_UNS_ADMIN_PERM,
16715 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16716 	},
16717 	{
16718 		.cmd = NL80211_CMD_SET_KEY,
16719 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16720 		.doit = nl80211_set_key,
16721 		.flags = GENL_UNS_ADMIN_PERM,
16722 		/* cannot use NL80211_FLAG_MLO_VALID_LINK_ID, depends on key */
16723 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16724 					 NL80211_FLAG_CLEAR_SKB),
16725 	},
16726 	{
16727 		.cmd = NL80211_CMD_NEW_KEY,
16728 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16729 		.doit = nl80211_new_key,
16730 		.flags = GENL_UNS_ADMIN_PERM,
16731 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16732 					 NL80211_FLAG_CLEAR_SKB),
16733 	},
16734 	{
16735 		.cmd = NL80211_CMD_DEL_KEY,
16736 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16737 		.doit = nl80211_del_key,
16738 		.flags = GENL_UNS_ADMIN_PERM,
16739 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16740 	},
16741 	{
16742 		.cmd = NL80211_CMD_SET_BEACON,
16743 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16744 		.flags = GENL_UNS_ADMIN_PERM,
16745 		.doit = nl80211_set_beacon,
16746 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16747 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16748 	},
16749 	{
16750 		.cmd = NL80211_CMD_START_AP,
16751 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16752 		.flags = GENL_UNS_ADMIN_PERM,
16753 		.doit = nl80211_start_ap,
16754 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16755 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16756 	},
16757 	{
16758 		.cmd = NL80211_CMD_STOP_AP,
16759 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16760 		.flags = GENL_UNS_ADMIN_PERM,
16761 		.doit = nl80211_stop_ap,
16762 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16763 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16764 	},
16765 	{
16766 		.cmd = NL80211_CMD_GET_STATION,
16767 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16768 		.doit = nl80211_get_station,
16769 		.dumpit = nl80211_dump_station,
16770 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
16771 	},
16772 	{
16773 		.cmd = NL80211_CMD_SET_STATION,
16774 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16775 		.doit = nl80211_set_station,
16776 		.flags = GENL_UNS_ADMIN_PERM,
16777 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16778 	},
16779 	{
16780 		.cmd = NL80211_CMD_NEW_STATION,
16781 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16782 		.doit = nl80211_new_station,
16783 		.flags = GENL_UNS_ADMIN_PERM,
16784 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16785 	},
16786 	{
16787 		.cmd = NL80211_CMD_DEL_STATION,
16788 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16789 		.doit = nl80211_del_station,
16790 		.flags = GENL_UNS_ADMIN_PERM,
16791 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16792 	},
16793 	{
16794 		.cmd = NL80211_CMD_GET_MPATH,
16795 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16796 		.doit = nl80211_get_mpath,
16797 		.dumpit = nl80211_dump_mpath,
16798 		.flags = GENL_UNS_ADMIN_PERM,
16799 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16800 	},
16801 	{
16802 		.cmd = NL80211_CMD_GET_MPP,
16803 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16804 		.doit = nl80211_get_mpp,
16805 		.dumpit = nl80211_dump_mpp,
16806 		.flags = GENL_UNS_ADMIN_PERM,
16807 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16808 	},
16809 	{
16810 		.cmd = NL80211_CMD_SET_MPATH,
16811 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16812 		.doit = nl80211_set_mpath,
16813 		.flags = GENL_UNS_ADMIN_PERM,
16814 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16815 	},
16816 	{
16817 		.cmd = NL80211_CMD_NEW_MPATH,
16818 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16819 		.doit = nl80211_new_mpath,
16820 		.flags = GENL_UNS_ADMIN_PERM,
16821 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16822 	},
16823 	{
16824 		.cmd = NL80211_CMD_DEL_MPATH,
16825 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16826 		.doit = nl80211_del_mpath,
16827 		.flags = GENL_UNS_ADMIN_PERM,
16828 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16829 	},
16830 	{
16831 		.cmd = NL80211_CMD_SET_BSS,
16832 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16833 		.doit = nl80211_set_bss,
16834 		.flags = GENL_UNS_ADMIN_PERM,
16835 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16836 					 NL80211_FLAG_MLO_VALID_LINK_ID),
16837 	},
16838 	{
16839 		.cmd = NL80211_CMD_GET_REG,
16840 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16841 		.doit = nl80211_get_reg_do,
16842 		.dumpit = nl80211_get_reg_dump,
16843 		/* can be retrieved by unprivileged users */
16844 	},
16845 #ifdef CONFIG_CFG80211_CRDA_SUPPORT
16846 	{
16847 		.cmd = NL80211_CMD_SET_REG,
16848 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16849 		.doit = nl80211_set_reg,
16850 		.flags = GENL_ADMIN_PERM,
16851 	},
16852 #endif
16853 	{
16854 		.cmd = NL80211_CMD_REQ_SET_REG,
16855 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16856 		.doit = nl80211_req_set_reg,
16857 		.flags = GENL_ADMIN_PERM,
16858 	},
16859 	{
16860 		.cmd = NL80211_CMD_RELOAD_REGDB,
16861 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16862 		.doit = nl80211_reload_regdb,
16863 		.flags = GENL_ADMIN_PERM,
16864 	},
16865 	{
16866 		.cmd = NL80211_CMD_GET_MESH_CONFIG,
16867 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16868 		.doit = nl80211_get_mesh_config,
16869 		/* can be retrieved by unprivileged users */
16870 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16871 	},
16872 	{
16873 		.cmd = NL80211_CMD_SET_MESH_CONFIG,
16874 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16875 		.doit = nl80211_update_mesh_config,
16876 		.flags = GENL_UNS_ADMIN_PERM,
16877 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16878 	},
16879 	{
16880 		.cmd = NL80211_CMD_TRIGGER_SCAN,
16881 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16882 		.doit = nl80211_trigger_scan,
16883 		.flags = GENL_UNS_ADMIN_PERM,
16884 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16885 	},
16886 	{
16887 		.cmd = NL80211_CMD_ABORT_SCAN,
16888 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16889 		.doit = nl80211_abort_scan,
16890 		.flags = GENL_UNS_ADMIN_PERM,
16891 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
16892 	},
16893 	{
16894 		.cmd = NL80211_CMD_GET_SCAN,
16895 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16896 		.dumpit = nl80211_dump_scan,
16897 	},
16898 	{
16899 		.cmd = NL80211_CMD_START_SCHED_SCAN,
16900 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16901 		.doit = nl80211_start_sched_scan,
16902 		.flags = GENL_UNS_ADMIN_PERM,
16903 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16904 	},
16905 	{
16906 		.cmd = NL80211_CMD_STOP_SCHED_SCAN,
16907 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16908 		.doit = nl80211_stop_sched_scan,
16909 		.flags = GENL_UNS_ADMIN_PERM,
16910 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16911 	},
16912 	{
16913 		.cmd = NL80211_CMD_AUTHENTICATE,
16914 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16915 		.doit = nl80211_authenticate,
16916 		.flags = GENL_UNS_ADMIN_PERM,
16917 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16918 					 NL80211_FLAG_CLEAR_SKB),
16919 	},
16920 	{
16921 		.cmd = NL80211_CMD_ASSOCIATE,
16922 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16923 		.doit = nl80211_associate,
16924 		.flags = GENL_UNS_ADMIN_PERM,
16925 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16926 					 NL80211_FLAG_CLEAR_SKB),
16927 	},
16928 	{
16929 		.cmd = NL80211_CMD_DEAUTHENTICATE,
16930 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16931 		.doit = nl80211_deauthenticate,
16932 		.flags = GENL_UNS_ADMIN_PERM,
16933 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16934 	},
16935 	{
16936 		.cmd = NL80211_CMD_DISASSOCIATE,
16937 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16938 		.doit = nl80211_disassociate,
16939 		.flags = GENL_UNS_ADMIN_PERM,
16940 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16941 	},
16942 	{
16943 		.cmd = NL80211_CMD_JOIN_IBSS,
16944 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16945 		.doit = nl80211_join_ibss,
16946 		.flags = GENL_UNS_ADMIN_PERM,
16947 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16948 	},
16949 	{
16950 		.cmd = NL80211_CMD_LEAVE_IBSS,
16951 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16952 		.doit = nl80211_leave_ibss,
16953 		.flags = GENL_UNS_ADMIN_PERM,
16954 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16955 	},
16956 #ifdef CONFIG_NL80211_TESTMODE
16957 	{
16958 		.cmd = NL80211_CMD_TESTMODE,
16959 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16960 		.doit = nl80211_testmode_do,
16961 		.dumpit = nl80211_testmode_dump,
16962 		.flags = GENL_UNS_ADMIN_PERM,
16963 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
16964 	},
16965 #endif
16966 	{
16967 		.cmd = NL80211_CMD_CONNECT,
16968 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16969 		.doit = nl80211_connect,
16970 		.flags = GENL_UNS_ADMIN_PERM,
16971 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16972 					 NL80211_FLAG_CLEAR_SKB),
16973 	},
16974 	{
16975 		.cmd = NL80211_CMD_UPDATE_CONNECT_PARAMS,
16976 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16977 		.doit = nl80211_update_connect_params,
16978 		.flags = GENL_ADMIN_PERM,
16979 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
16980 					 NL80211_FLAG_CLEAR_SKB),
16981 	},
16982 	{
16983 		.cmd = NL80211_CMD_DISCONNECT,
16984 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16985 		.doit = nl80211_disconnect,
16986 		.flags = GENL_UNS_ADMIN_PERM,
16987 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
16988 	},
16989 	{
16990 		.cmd = NL80211_CMD_SET_WIPHY_NETNS,
16991 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
16992 		.doit = nl80211_wiphy_netns,
16993 		.flags = GENL_UNS_ADMIN_PERM,
16994 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
16995 					 NL80211_FLAG_NEED_RTNL |
16996 					 NL80211_FLAG_NO_WIPHY_MTX),
16997 	},
16998 	{
16999 		.cmd = NL80211_CMD_GET_SURVEY,
17000 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17001 		.dumpit = nl80211_dump_survey,
17002 	},
17003 	{
17004 		.cmd = NL80211_CMD_SET_PMKSA,
17005 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17006 		.doit = nl80211_setdel_pmksa,
17007 		.flags = GENL_UNS_ADMIN_PERM,
17008 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17009 					 NL80211_FLAG_CLEAR_SKB),
17010 	},
17011 	{
17012 		.cmd = NL80211_CMD_DEL_PMKSA,
17013 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17014 		.doit = nl80211_setdel_pmksa,
17015 		.flags = GENL_UNS_ADMIN_PERM,
17016 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17017 	},
17018 	{
17019 		.cmd = NL80211_CMD_FLUSH_PMKSA,
17020 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17021 		.doit = nl80211_flush_pmksa,
17022 		.flags = GENL_UNS_ADMIN_PERM,
17023 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17024 	},
17025 	{
17026 		.cmd = NL80211_CMD_REMAIN_ON_CHANNEL,
17027 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17028 		.doit = nl80211_remain_on_channel,
17029 		.flags = GENL_UNS_ADMIN_PERM,
17030 		/* FIXME: requiring a link ID here is probably not good */
17031 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17032 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17033 	},
17034 	{
17035 		.cmd = NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
17036 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17037 		.doit = nl80211_cancel_remain_on_channel,
17038 		.flags = GENL_UNS_ADMIN_PERM,
17039 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17040 	},
17041 	{
17042 		.cmd = NL80211_CMD_SET_TX_BITRATE_MASK,
17043 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17044 		.doit = nl80211_set_tx_bitrate_mask,
17045 		.flags = GENL_UNS_ADMIN_PERM,
17046 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17047 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17048 	},
17049 	{
17050 		.cmd = NL80211_CMD_REGISTER_FRAME,
17051 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17052 		.doit = nl80211_register_mgmt,
17053 		.flags = GENL_UNS_ADMIN_PERM,
17054 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV),
17055 	},
17056 	{
17057 		.cmd = NL80211_CMD_FRAME,
17058 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17059 		.doit = nl80211_tx_mgmt,
17060 		.flags = GENL_UNS_ADMIN_PERM,
17061 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17062 	},
17063 	{
17064 		.cmd = NL80211_CMD_FRAME_WAIT_CANCEL,
17065 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17066 		.doit = nl80211_tx_mgmt_cancel_wait,
17067 		.flags = GENL_UNS_ADMIN_PERM,
17068 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17069 	},
17070 	{
17071 		.cmd = NL80211_CMD_SET_POWER_SAVE,
17072 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17073 		.doit = nl80211_set_power_save,
17074 		.flags = GENL_UNS_ADMIN_PERM,
17075 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17076 	},
17077 	{
17078 		.cmd = NL80211_CMD_GET_POWER_SAVE,
17079 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17080 		.doit = nl80211_get_power_save,
17081 		/* can be retrieved by unprivileged users */
17082 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17083 	},
17084 	{
17085 		.cmd = NL80211_CMD_SET_CQM,
17086 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17087 		.doit = nl80211_set_cqm,
17088 		.flags = GENL_UNS_ADMIN_PERM,
17089 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17090 	},
17091 	{
17092 		.cmd = NL80211_CMD_SET_CHANNEL,
17093 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17094 		.doit = nl80211_set_channel,
17095 		.flags = GENL_UNS_ADMIN_PERM,
17096 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17097 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17098 	},
17099 	{
17100 		.cmd = NL80211_CMD_JOIN_MESH,
17101 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17102 		.doit = nl80211_join_mesh,
17103 		.flags = GENL_UNS_ADMIN_PERM,
17104 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17105 	},
17106 	{
17107 		.cmd = NL80211_CMD_LEAVE_MESH,
17108 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17109 		.doit = nl80211_leave_mesh,
17110 		.flags = GENL_UNS_ADMIN_PERM,
17111 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17112 	},
17113 	{
17114 		.cmd = NL80211_CMD_JOIN_OCB,
17115 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17116 		.doit = nl80211_join_ocb,
17117 		.flags = GENL_UNS_ADMIN_PERM,
17118 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17119 	},
17120 	{
17121 		.cmd = NL80211_CMD_LEAVE_OCB,
17122 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17123 		.doit = nl80211_leave_ocb,
17124 		.flags = GENL_UNS_ADMIN_PERM,
17125 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17126 	},
17127 #ifdef CONFIG_PM
17128 	{
17129 		.cmd = NL80211_CMD_GET_WOWLAN,
17130 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17131 		.doit = nl80211_get_wowlan,
17132 		/* can be retrieved by unprivileged users */
17133 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17134 	},
17135 	{
17136 		.cmd = NL80211_CMD_SET_WOWLAN,
17137 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17138 		.doit = nl80211_set_wowlan,
17139 		.flags = GENL_UNS_ADMIN_PERM,
17140 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17141 	},
17142 #endif
17143 	{
17144 		.cmd = NL80211_CMD_SET_REKEY_OFFLOAD,
17145 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17146 		.doit = nl80211_set_rekey_data,
17147 		.flags = GENL_UNS_ADMIN_PERM,
17148 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17149 					 NL80211_FLAG_CLEAR_SKB),
17150 	},
17151 	{
17152 		.cmd = NL80211_CMD_TDLS_MGMT,
17153 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17154 		.doit = nl80211_tdls_mgmt,
17155 		.flags = GENL_UNS_ADMIN_PERM,
17156 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17157 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17158 	},
17159 	{
17160 		.cmd = NL80211_CMD_TDLS_OPER,
17161 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17162 		.doit = nl80211_tdls_oper,
17163 		.flags = GENL_UNS_ADMIN_PERM,
17164 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17165 	},
17166 	{
17167 		.cmd = NL80211_CMD_UNEXPECTED_FRAME,
17168 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17169 		.doit = nl80211_register_unexpected_frame,
17170 		.flags = GENL_UNS_ADMIN_PERM,
17171 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17172 	},
17173 	{
17174 		.cmd = NL80211_CMD_PROBE_CLIENT,
17175 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17176 		.doit = nl80211_probe_client,
17177 		.flags = GENL_UNS_ADMIN_PERM,
17178 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17179 	},
17180 	{
17181 		.cmd = NL80211_CMD_REGISTER_BEACONS,
17182 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17183 		.doit = nl80211_register_beacons,
17184 		.flags = GENL_UNS_ADMIN_PERM,
17185 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17186 	},
17187 	{
17188 		.cmd = NL80211_CMD_SET_NOACK_MAP,
17189 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17190 		.doit = nl80211_set_noack_map,
17191 		.flags = GENL_UNS_ADMIN_PERM,
17192 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17193 	},
17194 	{
17195 		.cmd = NL80211_CMD_START_P2P_DEVICE,
17196 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17197 		.doit = nl80211_start_p2p_device,
17198 		.flags = GENL_UNS_ADMIN_PERM,
17199 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17200 					 NL80211_FLAG_NEED_RTNL),
17201 	},
17202 	{
17203 		.cmd = NL80211_CMD_STOP_P2P_DEVICE,
17204 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17205 		.doit = nl80211_stop_p2p_device,
17206 		.flags = GENL_UNS_ADMIN_PERM,
17207 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17208 					 NL80211_FLAG_NEED_RTNL),
17209 	},
17210 	{
17211 		.cmd = NL80211_CMD_START_NAN,
17212 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17213 		.doit = nl80211_start_nan,
17214 		.flags = GENL_ADMIN_PERM,
17215 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV |
17216 					 NL80211_FLAG_NEED_RTNL),
17217 	},
17218 	{
17219 		.cmd = NL80211_CMD_STOP_NAN,
17220 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17221 		.doit = nl80211_stop_nan,
17222 		.flags = GENL_ADMIN_PERM,
17223 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP |
17224 					 NL80211_FLAG_NEED_RTNL),
17225 	},
17226 	{
17227 		.cmd = NL80211_CMD_ADD_NAN_FUNCTION,
17228 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17229 		.doit = nl80211_nan_add_func,
17230 		.flags = GENL_ADMIN_PERM,
17231 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17232 	},
17233 	{
17234 		.cmd = NL80211_CMD_DEL_NAN_FUNCTION,
17235 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17236 		.doit = nl80211_nan_del_func,
17237 		.flags = GENL_ADMIN_PERM,
17238 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17239 	},
17240 	{
17241 		.cmd = NL80211_CMD_CHANGE_NAN_CONFIG,
17242 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17243 		.doit = nl80211_nan_change_config,
17244 		.flags = GENL_ADMIN_PERM,
17245 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17246 	},
17247 	{
17248 		.cmd = NL80211_CMD_SET_MCAST_RATE,
17249 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17250 		.doit = nl80211_set_mcast_rate,
17251 		.flags = GENL_UNS_ADMIN_PERM,
17252 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17253 	},
17254 	{
17255 		.cmd = NL80211_CMD_SET_MAC_ACL,
17256 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17257 		.doit = nl80211_set_mac_acl,
17258 		.flags = GENL_UNS_ADMIN_PERM,
17259 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17260 					 NL80211_FLAG_MLO_UNSUPPORTED),
17261 	},
17262 	{
17263 		.cmd = NL80211_CMD_RADAR_DETECT,
17264 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17265 		.doit = nl80211_start_radar_detection,
17266 		.flags = GENL_UNS_ADMIN_PERM,
17267 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17268 					 NL80211_FLAG_NO_WIPHY_MTX |
17269 					 NL80211_FLAG_MLO_UNSUPPORTED),
17270 	},
17271 	{
17272 		.cmd = NL80211_CMD_GET_PROTOCOL_FEATURES,
17273 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17274 		.doit = nl80211_get_protocol_features,
17275 	},
17276 	{
17277 		.cmd = NL80211_CMD_UPDATE_FT_IES,
17278 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17279 		.doit = nl80211_update_ft_ies,
17280 		.flags = GENL_UNS_ADMIN_PERM,
17281 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17282 	},
17283 	{
17284 		.cmd = NL80211_CMD_CRIT_PROTOCOL_START,
17285 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17286 		.doit = nl80211_crit_protocol_start,
17287 		.flags = GENL_UNS_ADMIN_PERM,
17288 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17289 	},
17290 	{
17291 		.cmd = NL80211_CMD_CRIT_PROTOCOL_STOP,
17292 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17293 		.doit = nl80211_crit_protocol_stop,
17294 		.flags = GENL_UNS_ADMIN_PERM,
17295 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17296 	},
17297 	{
17298 		.cmd = NL80211_CMD_GET_COALESCE,
17299 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17300 		.doit = nl80211_get_coalesce,
17301 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17302 	},
17303 	{
17304 		.cmd = NL80211_CMD_SET_COALESCE,
17305 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17306 		.doit = nl80211_set_coalesce,
17307 		.flags = GENL_UNS_ADMIN_PERM,
17308 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY),
17309 	},
17310 	{
17311 		.cmd = NL80211_CMD_CHANNEL_SWITCH,
17312 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17313 		.doit = nl80211_channel_switch,
17314 		.flags = GENL_UNS_ADMIN_PERM,
17315 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17316 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17317 	},
17318 	{
17319 		.cmd = NL80211_CMD_VENDOR,
17320 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17321 		.doit = nl80211_vendor_cmd,
17322 		.dumpit = nl80211_vendor_cmd_dump,
17323 		.flags = GENL_UNS_ADMIN_PERM,
17324 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17325 					 NL80211_FLAG_CLEAR_SKB),
17326 	},
17327 	{
17328 		.cmd = NL80211_CMD_SET_QOS_MAP,
17329 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17330 		.doit = nl80211_set_qos_map,
17331 		.flags = GENL_UNS_ADMIN_PERM,
17332 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17333 	},
17334 	{
17335 		.cmd = NL80211_CMD_ADD_TX_TS,
17336 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17337 		.doit = nl80211_add_tx_ts,
17338 		.flags = GENL_UNS_ADMIN_PERM,
17339 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17340 					 NL80211_FLAG_MLO_UNSUPPORTED),
17341 	},
17342 	{
17343 		.cmd = NL80211_CMD_DEL_TX_TS,
17344 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17345 		.doit = nl80211_del_tx_ts,
17346 		.flags = GENL_UNS_ADMIN_PERM,
17347 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17348 	},
17349 	{
17350 		.cmd = NL80211_CMD_TDLS_CHANNEL_SWITCH,
17351 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17352 		.doit = nl80211_tdls_channel_switch,
17353 		.flags = GENL_UNS_ADMIN_PERM,
17354 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17355 	},
17356 	{
17357 		.cmd = NL80211_CMD_TDLS_CANCEL_CHANNEL_SWITCH,
17358 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17359 		.doit = nl80211_tdls_cancel_channel_switch,
17360 		.flags = GENL_UNS_ADMIN_PERM,
17361 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17362 	},
17363 	{
17364 		.cmd = NL80211_CMD_SET_MULTICAST_TO_UNICAST,
17365 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17366 		.doit = nl80211_set_multicast_to_unicast,
17367 		.flags = GENL_UNS_ADMIN_PERM,
17368 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
17369 	},
17370 	{
17371 		.cmd = NL80211_CMD_SET_PMK,
17372 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17373 		.doit = nl80211_set_pmk,
17374 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17375 					 NL80211_FLAG_CLEAR_SKB),
17376 	},
17377 	{
17378 		.cmd = NL80211_CMD_DEL_PMK,
17379 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17380 		.doit = nl80211_del_pmk,
17381 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17382 	},
17383 	{
17384 		.cmd = NL80211_CMD_EXTERNAL_AUTH,
17385 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17386 		.doit = nl80211_external_auth,
17387 		.flags = GENL_ADMIN_PERM,
17388 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17389 	},
17390 	{
17391 		.cmd = NL80211_CMD_CONTROL_PORT_FRAME,
17392 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17393 		.doit = nl80211_tx_control_port,
17394 		.flags = GENL_UNS_ADMIN_PERM,
17395 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17396 	},
17397 	{
17398 		.cmd = NL80211_CMD_GET_FTM_RESPONDER_STATS,
17399 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17400 		.doit = nl80211_get_ftm_responder_stats,
17401 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17402 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17403 	},
17404 	{
17405 		.cmd = NL80211_CMD_PEER_MEASUREMENT_START,
17406 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17407 		.doit = nl80211_pmsr_start,
17408 		.flags = GENL_UNS_ADMIN_PERM,
17409 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WDEV_UP),
17410 	},
17411 	{
17412 		.cmd = NL80211_CMD_NOTIFY_RADAR,
17413 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17414 		.doit = nl80211_notify_radar_detection,
17415 		.flags = GENL_UNS_ADMIN_PERM,
17416 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17417 	},
17418 	{
17419 		.cmd = NL80211_CMD_UPDATE_OWE_INFO,
17420 		.doit = nl80211_update_owe_info,
17421 		.flags = GENL_ADMIN_PERM,
17422 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17423 	},
17424 	{
17425 		.cmd = NL80211_CMD_PROBE_MESH_LINK,
17426 		.doit = nl80211_probe_mesh_link,
17427 		.flags = GENL_UNS_ADMIN_PERM,
17428 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17429 	},
17430 	{
17431 		.cmd = NL80211_CMD_SET_TID_CONFIG,
17432 		.doit = nl80211_set_tid_config,
17433 		.flags = GENL_UNS_ADMIN_PERM,
17434 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV |
17435 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17436 	},
17437 	{
17438 		.cmd = NL80211_CMD_SET_SAR_SPECS,
17439 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17440 		.doit = nl80211_set_sar_specs,
17441 		.flags = GENL_UNS_ADMIN_PERM,
17442 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_WIPHY |
17443 					 NL80211_FLAG_NEED_RTNL),
17444 	},
17445 	{
17446 		.cmd = NL80211_CMD_COLOR_CHANGE_REQUEST,
17447 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17448 		.doit = nl80211_color_change,
17449 		.flags = GENL_UNS_ADMIN_PERM,
17450 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17451 	},
17452 	{
17453 		.cmd = NL80211_CMD_SET_FILS_AAD,
17454 		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
17455 		.doit = nl80211_set_fils_aad,
17456 		.flags = GENL_UNS_ADMIN_PERM,
17457 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17458 	},
17459 	{
17460 		.cmd = NL80211_CMD_ADD_LINK,
17461 		.doit = nl80211_add_link,
17462 		.flags = GENL_UNS_ADMIN_PERM,
17463 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17464 	},
17465 	{
17466 		.cmd = NL80211_CMD_REMOVE_LINK,
17467 		.doit = nl80211_remove_link,
17468 		.flags = GENL_UNS_ADMIN_PERM,
17469 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17470 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17471 	},
17472 	{
17473 		.cmd = NL80211_CMD_ADD_LINK_STA,
17474 		.doit = nl80211_add_link_station,
17475 		.flags = GENL_UNS_ADMIN_PERM,
17476 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17477 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17478 	},
17479 	{
17480 		.cmd = NL80211_CMD_MODIFY_LINK_STA,
17481 		.doit = nl80211_modify_link_station,
17482 		.flags = GENL_UNS_ADMIN_PERM,
17483 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17484 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17485 	},
17486 	{
17487 		.cmd = NL80211_CMD_REMOVE_LINK_STA,
17488 		.doit = nl80211_remove_link_station,
17489 		.flags = GENL_UNS_ADMIN_PERM,
17490 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP |
17491 					 NL80211_FLAG_MLO_VALID_LINK_ID),
17492 	},
17493 	{
17494 		.cmd = NL80211_CMD_SET_HW_TIMESTAMP,
17495 		.doit = nl80211_set_hw_timestamp,
17496 		.flags = GENL_UNS_ADMIN_PERM,
17497 		.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
17498 	},
17499 };
17500 
17501 static struct genl_family nl80211_fam __ro_after_init = {
17502 	.name = NL80211_GENL_NAME,	/* have users key off the name instead */
17503 	.hdrsize = 0,			/* no private header */
17504 	.version = 1,			/* no particular meaning now */
17505 	.maxattr = NL80211_ATTR_MAX,
17506 	.policy = nl80211_policy,
17507 	.netnsok = true,
17508 	.pre_doit = nl80211_pre_doit,
17509 	.post_doit = nl80211_post_doit,
17510 	.module = THIS_MODULE,
17511 	.ops = nl80211_ops,
17512 	.n_ops = ARRAY_SIZE(nl80211_ops),
17513 	.small_ops = nl80211_small_ops,
17514 	.n_small_ops = ARRAY_SIZE(nl80211_small_ops),
17515 	.resv_start_op = NL80211_CMD_REMOVE_LINK_STA + 1,
17516 	.mcgrps = nl80211_mcgrps,
17517 	.n_mcgrps = ARRAY_SIZE(nl80211_mcgrps),
17518 	.parallel_ops = true,
17519 };
17520 
17521 /* notification functions */
17522 
17523 void nl80211_notify_wiphy(struct cfg80211_registered_device *rdev,
17524 			  enum nl80211_commands cmd)
17525 {
17526 	struct sk_buff *msg;
17527 	struct nl80211_dump_wiphy_state state = {};
17528 
17529 	WARN_ON(cmd != NL80211_CMD_NEW_WIPHY &&
17530 		cmd != NL80211_CMD_DEL_WIPHY);
17531 
17532 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17533 	if (!msg)
17534 		return;
17535 
17536 	if (nl80211_send_wiphy(rdev, cmd, msg, 0, 0, 0, &state) < 0) {
17537 		nlmsg_free(msg);
17538 		return;
17539 	}
17540 
17541 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17542 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17543 }
17544 
17545 void nl80211_notify_iface(struct cfg80211_registered_device *rdev,
17546 				struct wireless_dev *wdev,
17547 				enum nl80211_commands cmd)
17548 {
17549 	struct sk_buff *msg;
17550 
17551 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17552 	if (!msg)
17553 		return;
17554 
17555 	if (nl80211_send_iface(msg, 0, 0, 0, rdev, wdev, cmd) < 0) {
17556 		nlmsg_free(msg);
17557 		return;
17558 	}
17559 
17560 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17561 				NL80211_MCGRP_CONFIG, GFP_KERNEL);
17562 }
17563 
17564 static int nl80211_add_scan_req(struct sk_buff *msg,
17565 				struct cfg80211_registered_device *rdev)
17566 {
17567 	struct cfg80211_scan_request *req = rdev->scan_req;
17568 	struct nlattr *nest;
17569 	int i;
17570 	struct cfg80211_scan_info *info;
17571 
17572 	if (WARN_ON(!req))
17573 		return 0;
17574 
17575 	nest = nla_nest_start_noflag(msg, NL80211_ATTR_SCAN_SSIDS);
17576 	if (!nest)
17577 		goto nla_put_failure;
17578 	for (i = 0; i < req->n_ssids; i++) {
17579 		if (nla_put(msg, i, req->ssids[i].ssid_len, req->ssids[i].ssid))
17580 			goto nla_put_failure;
17581 	}
17582 	nla_nest_end(msg, nest);
17583 
17584 	if (req->flags & NL80211_SCAN_FLAG_FREQ_KHZ) {
17585 		nest = nla_nest_start(msg, NL80211_ATTR_SCAN_FREQ_KHZ);
17586 		if (!nest)
17587 			goto nla_put_failure;
17588 		for (i = 0; i < req->n_channels; i++) {
17589 			if (nla_put_u32(msg, i,
17590 				   ieee80211_channel_to_khz(req->channels[i])))
17591 				goto nla_put_failure;
17592 		}
17593 		nla_nest_end(msg, nest);
17594 	} else {
17595 		nest = nla_nest_start_noflag(msg,
17596 					     NL80211_ATTR_SCAN_FREQUENCIES);
17597 		if (!nest)
17598 			goto nla_put_failure;
17599 		for (i = 0; i < req->n_channels; i++) {
17600 			if (nla_put_u32(msg, i, req->channels[i]->center_freq))
17601 				goto nla_put_failure;
17602 		}
17603 		nla_nest_end(msg, nest);
17604 	}
17605 
17606 	if (req->ie &&
17607 	    nla_put(msg, NL80211_ATTR_IE, req->ie_len, req->ie))
17608 		goto nla_put_failure;
17609 
17610 	if (req->flags &&
17611 	    nla_put_u32(msg, NL80211_ATTR_SCAN_FLAGS, req->flags))
17612 		goto nla_put_failure;
17613 
17614 	info = rdev->int_scan_req ? &rdev->int_scan_req->info :
17615 		&rdev->scan_req->info;
17616 	if (info->scan_start_tsf &&
17617 	    (nla_put_u64_64bit(msg, NL80211_ATTR_SCAN_START_TIME_TSF,
17618 			       info->scan_start_tsf, NL80211_BSS_PAD) ||
17619 	     nla_put(msg, NL80211_ATTR_SCAN_START_TIME_TSF_BSSID, ETH_ALEN,
17620 		     info->tsf_bssid)))
17621 		goto nla_put_failure;
17622 
17623 	return 0;
17624  nla_put_failure:
17625 	return -ENOBUFS;
17626 }
17627 
17628 static int nl80211_prep_scan_msg(struct sk_buff *msg,
17629 				 struct cfg80211_registered_device *rdev,
17630 				 struct wireless_dev *wdev,
17631 				 u32 portid, u32 seq, int flags,
17632 				 u32 cmd)
17633 {
17634 	void *hdr;
17635 
17636 	hdr = nl80211hdr_put(msg, portid, seq, flags, cmd);
17637 	if (!hdr)
17638 		return -1;
17639 
17640 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17641 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
17642 					 wdev->netdev->ifindex)) ||
17643 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
17644 			      NL80211_ATTR_PAD))
17645 		goto nla_put_failure;
17646 
17647 	/* ignore errors and send incomplete event anyway */
17648 	nl80211_add_scan_req(msg, rdev);
17649 
17650 	genlmsg_end(msg, hdr);
17651 	return 0;
17652 
17653  nla_put_failure:
17654 	genlmsg_cancel(msg, hdr);
17655 	return -EMSGSIZE;
17656 }
17657 
17658 static int
17659 nl80211_prep_sched_scan_msg(struct sk_buff *msg,
17660 			    struct cfg80211_sched_scan_request *req, u32 cmd)
17661 {
17662 	void *hdr;
17663 
17664 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17665 	if (!hdr)
17666 		return -1;
17667 
17668 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY,
17669 			wiphy_to_rdev(req->wiphy)->wiphy_idx) ||
17670 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, req->dev->ifindex) ||
17671 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, req->reqid,
17672 			      NL80211_ATTR_PAD))
17673 		goto nla_put_failure;
17674 
17675 	genlmsg_end(msg, hdr);
17676 	return 0;
17677 
17678  nla_put_failure:
17679 	genlmsg_cancel(msg, hdr);
17680 	return -EMSGSIZE;
17681 }
17682 
17683 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
17684 			     struct wireless_dev *wdev)
17685 {
17686 	struct sk_buff *msg;
17687 
17688 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17689 	if (!msg)
17690 		return;
17691 
17692 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17693 				  NL80211_CMD_TRIGGER_SCAN) < 0) {
17694 		nlmsg_free(msg);
17695 		return;
17696 	}
17697 
17698 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17699 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17700 }
17701 
17702 struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
17703 				       struct wireless_dev *wdev, bool aborted)
17704 {
17705 	struct sk_buff *msg;
17706 
17707 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17708 	if (!msg)
17709 		return NULL;
17710 
17711 	if (nl80211_prep_scan_msg(msg, rdev, wdev, 0, 0, 0,
17712 				  aborted ? NL80211_CMD_SCAN_ABORTED :
17713 					    NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
17714 		nlmsg_free(msg);
17715 		return NULL;
17716 	}
17717 
17718 	return msg;
17719 }
17720 
17721 /* send message created by nl80211_build_scan_msg() */
17722 void nl80211_send_scan_msg(struct cfg80211_registered_device *rdev,
17723 			   struct sk_buff *msg)
17724 {
17725 	if (!msg)
17726 		return;
17727 
17728 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17729 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17730 }
17731 
17732 void nl80211_send_sched_scan(struct cfg80211_sched_scan_request *req, u32 cmd)
17733 {
17734 	struct sk_buff *msg;
17735 
17736 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17737 	if (!msg)
17738 		return;
17739 
17740 	if (nl80211_prep_sched_scan_msg(msg, req, cmd) < 0) {
17741 		nlmsg_free(msg);
17742 		return;
17743 	}
17744 
17745 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(req->wiphy), msg, 0,
17746 				NL80211_MCGRP_SCAN, GFP_KERNEL);
17747 }
17748 
17749 static bool nl80211_reg_change_event_fill(struct sk_buff *msg,
17750 					  struct regulatory_request *request)
17751 {
17752 	/* Userspace can always count this one always being set */
17753 	if (nla_put_u8(msg, NL80211_ATTR_REG_INITIATOR, request->initiator))
17754 		goto nla_put_failure;
17755 
17756 	if (request->alpha2[0] == '0' && request->alpha2[1] == '0') {
17757 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17758 			       NL80211_REGDOM_TYPE_WORLD))
17759 			goto nla_put_failure;
17760 	} else if (request->alpha2[0] == '9' && request->alpha2[1] == '9') {
17761 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17762 			       NL80211_REGDOM_TYPE_CUSTOM_WORLD))
17763 			goto nla_put_failure;
17764 	} else if ((request->alpha2[0] == '9' && request->alpha2[1] == '8') ||
17765 		   request->intersect) {
17766 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17767 			       NL80211_REGDOM_TYPE_INTERSECTION))
17768 			goto nla_put_failure;
17769 	} else {
17770 		if (nla_put_u8(msg, NL80211_ATTR_REG_TYPE,
17771 			       NL80211_REGDOM_TYPE_COUNTRY) ||
17772 		    nla_put_string(msg, NL80211_ATTR_REG_ALPHA2,
17773 				   request->alpha2))
17774 			goto nla_put_failure;
17775 	}
17776 
17777 	if (request->wiphy_idx != WIPHY_IDX_INVALID) {
17778 		struct wiphy *wiphy = wiphy_idx_to_wiphy(request->wiphy_idx);
17779 
17780 		if (wiphy &&
17781 		    nla_put_u32(msg, NL80211_ATTR_WIPHY, request->wiphy_idx))
17782 			goto nla_put_failure;
17783 
17784 		if (wiphy &&
17785 		    wiphy->regulatory_flags & REGULATORY_WIPHY_SELF_MANAGED &&
17786 		    nla_put_flag(msg, NL80211_ATTR_WIPHY_SELF_MANAGED_REG))
17787 			goto nla_put_failure;
17788 	}
17789 
17790 	return true;
17791 
17792 nla_put_failure:
17793 	return false;
17794 }
17795 
17796 /*
17797  * This can happen on global regulatory changes or device specific settings
17798  * based on custom regulatory domains.
17799  */
17800 void nl80211_common_reg_change_event(enum nl80211_commands cmd_id,
17801 				     struct regulatory_request *request)
17802 {
17803 	struct sk_buff *msg;
17804 	void *hdr;
17805 
17806 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
17807 	if (!msg)
17808 		return;
17809 
17810 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd_id);
17811 	if (!hdr)
17812 		goto nla_put_failure;
17813 
17814 	if (!nl80211_reg_change_event_fill(msg, request))
17815 		goto nla_put_failure;
17816 
17817 	genlmsg_end(msg, hdr);
17818 
17819 	rcu_read_lock();
17820 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
17821 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
17822 	rcu_read_unlock();
17823 
17824 	return;
17825 
17826 nla_put_failure:
17827 	nlmsg_free(msg);
17828 }
17829 
17830 static void nl80211_send_mlme_event(struct cfg80211_registered_device *rdev,
17831 				    struct net_device *netdev,
17832 				    const u8 *buf, size_t len,
17833 				    enum nl80211_commands cmd, gfp_t gfp,
17834 				    int uapsd_queues, const u8 *req_ies,
17835 				    size_t req_ies_len, bool reconnect)
17836 {
17837 	struct sk_buff *msg;
17838 	void *hdr;
17839 
17840 	msg = nlmsg_new(100 + len + req_ies_len, gfp);
17841 	if (!msg)
17842 		return;
17843 
17844 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17845 	if (!hdr) {
17846 		nlmsg_free(msg);
17847 		return;
17848 	}
17849 
17850 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17851 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17852 	    nla_put(msg, NL80211_ATTR_FRAME, len, buf) ||
17853 	    (req_ies &&
17854 	     nla_put(msg, NL80211_ATTR_REQ_IE, req_ies_len, req_ies)))
17855 		goto nla_put_failure;
17856 
17857 	if (reconnect && nla_put_flag(msg, NL80211_ATTR_RECONNECT_REQUESTED))
17858 		goto nla_put_failure;
17859 
17860 	if (uapsd_queues >= 0) {
17861 		struct nlattr *nla_wmm =
17862 			nla_nest_start_noflag(msg, NL80211_ATTR_STA_WME);
17863 		if (!nla_wmm)
17864 			goto nla_put_failure;
17865 
17866 		if (nla_put_u8(msg, NL80211_STA_WME_UAPSD_QUEUES,
17867 			       uapsd_queues))
17868 			goto nla_put_failure;
17869 
17870 		nla_nest_end(msg, nla_wmm);
17871 	}
17872 
17873 	genlmsg_end(msg, hdr);
17874 
17875 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17876 				NL80211_MCGRP_MLME, gfp);
17877 	return;
17878 
17879  nla_put_failure:
17880 	nlmsg_free(msg);
17881 }
17882 
17883 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
17884 			  struct net_device *netdev, const u8 *buf,
17885 			  size_t len, gfp_t gfp)
17886 {
17887 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17888 				NL80211_CMD_AUTHENTICATE, gfp, -1, NULL, 0,
17889 				false);
17890 }
17891 
17892 void nl80211_send_rx_assoc(struct cfg80211_registered_device *rdev,
17893 			   struct net_device *netdev,
17894 			   struct cfg80211_rx_assoc_resp *data)
17895 {
17896 	nl80211_send_mlme_event(rdev, netdev, data->buf, data->len,
17897 				NL80211_CMD_ASSOCIATE, GFP_KERNEL,
17898 				data->uapsd_queues,
17899 				data->req_ies, data->req_ies_len, false);
17900 }
17901 
17902 void nl80211_send_deauth(struct cfg80211_registered_device *rdev,
17903 			 struct net_device *netdev, const u8 *buf,
17904 			 size_t len, bool reconnect, gfp_t gfp)
17905 {
17906 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17907 				NL80211_CMD_DEAUTHENTICATE, gfp, -1, NULL, 0,
17908 				reconnect);
17909 }
17910 
17911 void nl80211_send_disassoc(struct cfg80211_registered_device *rdev,
17912 			   struct net_device *netdev, const u8 *buf,
17913 			   size_t len, bool reconnect, gfp_t gfp)
17914 {
17915 	nl80211_send_mlme_event(rdev, netdev, buf, len,
17916 				NL80211_CMD_DISASSOCIATE, gfp, -1, NULL, 0,
17917 				reconnect);
17918 }
17919 
17920 void cfg80211_rx_unprot_mlme_mgmt(struct net_device *dev, const u8 *buf,
17921 				  size_t len)
17922 {
17923 	struct wireless_dev *wdev = dev->ieee80211_ptr;
17924 	struct wiphy *wiphy = wdev->wiphy;
17925 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
17926 	const struct ieee80211_mgmt *mgmt = (void *)buf;
17927 	u32 cmd;
17928 
17929 	if (WARN_ON(len < 2))
17930 		return;
17931 
17932 	if (ieee80211_is_deauth(mgmt->frame_control)) {
17933 		cmd = NL80211_CMD_UNPROT_DEAUTHENTICATE;
17934 	} else if (ieee80211_is_disassoc(mgmt->frame_control)) {
17935 		cmd = NL80211_CMD_UNPROT_DISASSOCIATE;
17936 	} else if (ieee80211_is_beacon(mgmt->frame_control)) {
17937 		if (wdev->unprot_beacon_reported &&
17938 		    elapsed_jiffies_msecs(wdev->unprot_beacon_reported) < 10000)
17939 			return;
17940 		cmd = NL80211_CMD_UNPROT_BEACON;
17941 		wdev->unprot_beacon_reported = jiffies;
17942 	} else {
17943 		return;
17944 	}
17945 
17946 	trace_cfg80211_rx_unprot_mlme_mgmt(dev, buf, len);
17947 	nl80211_send_mlme_event(rdev, dev, buf, len, cmd, GFP_ATOMIC, -1,
17948 				NULL, 0, false);
17949 }
17950 EXPORT_SYMBOL(cfg80211_rx_unprot_mlme_mgmt);
17951 
17952 static void nl80211_send_mlme_timeout(struct cfg80211_registered_device *rdev,
17953 				      struct net_device *netdev, int cmd,
17954 				      const u8 *addr, gfp_t gfp)
17955 {
17956 	struct sk_buff *msg;
17957 	void *hdr;
17958 
17959 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
17960 	if (!msg)
17961 		return;
17962 
17963 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
17964 	if (!hdr) {
17965 		nlmsg_free(msg);
17966 		return;
17967 	}
17968 
17969 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
17970 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
17971 	    nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
17972 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
17973 		goto nla_put_failure;
17974 
17975 	genlmsg_end(msg, hdr);
17976 
17977 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
17978 				NL80211_MCGRP_MLME, gfp);
17979 	return;
17980 
17981  nla_put_failure:
17982 	nlmsg_free(msg);
17983 }
17984 
17985 void nl80211_send_auth_timeout(struct cfg80211_registered_device *rdev,
17986 			       struct net_device *netdev, const u8 *addr,
17987 			       gfp_t gfp)
17988 {
17989 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_AUTHENTICATE,
17990 				  addr, gfp);
17991 }
17992 
17993 void nl80211_send_assoc_timeout(struct cfg80211_registered_device *rdev,
17994 				struct net_device *netdev, const u8 *addr,
17995 				gfp_t gfp)
17996 {
17997 	nl80211_send_mlme_timeout(rdev, netdev, NL80211_CMD_ASSOCIATE,
17998 				  addr, gfp);
17999 }
18000 
18001 void nl80211_send_connect_result(struct cfg80211_registered_device *rdev,
18002 				 struct net_device *netdev,
18003 				 struct cfg80211_connect_resp_params *cr,
18004 				 gfp_t gfp)
18005 {
18006 	struct sk_buff *msg;
18007 	void *hdr;
18008 	unsigned int link;
18009 	size_t link_info_size = 0;
18010 	const u8 *connected_addr = cr->valid_links ?
18011 				   cr->ap_mld_addr : cr->links[0].bssid;
18012 
18013 	if (cr->valid_links) {
18014 		for_each_valid_link(cr, link) {
18015 			/* Nested attribute header */
18016 			link_info_size += NLA_HDRLEN;
18017 			/* Link ID */
18018 			link_info_size += nla_total_size(sizeof(u8));
18019 			link_info_size += cr->links[link].addr ?
18020 					  nla_total_size(ETH_ALEN) : 0;
18021 			link_info_size += (cr->links[link].bssid ||
18022 					   cr->links[link].bss) ?
18023 					  nla_total_size(ETH_ALEN) : 0;
18024 			link_info_size += nla_total_size(sizeof(u16));
18025 		}
18026 	}
18027 
18028 	msg = nlmsg_new(100 + cr->req_ie_len + cr->resp_ie_len +
18029 			cr->fils.kek_len + cr->fils.pmk_len +
18030 			(cr->fils.pmkid ? WLAN_PMKID_LEN : 0) + link_info_size,
18031 			gfp);
18032 	if (!msg)
18033 		return;
18034 
18035 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONNECT);
18036 	if (!hdr) {
18037 		nlmsg_free(msg);
18038 		return;
18039 	}
18040 
18041 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18042 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18043 	    (connected_addr &&
18044 	     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr)) ||
18045 	    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18046 			cr->status < 0 ? WLAN_STATUS_UNSPECIFIED_FAILURE :
18047 			cr->status) ||
18048 	    (cr->status < 0 &&
18049 	     (nla_put_flag(msg, NL80211_ATTR_TIMED_OUT) ||
18050 	      nla_put_u32(msg, NL80211_ATTR_TIMEOUT_REASON,
18051 			  cr->timeout_reason))) ||
18052 	    (cr->req_ie &&
18053 	     nla_put(msg, NL80211_ATTR_REQ_IE, cr->req_ie_len, cr->req_ie)) ||
18054 	    (cr->resp_ie &&
18055 	     nla_put(msg, NL80211_ATTR_RESP_IE, cr->resp_ie_len,
18056 		     cr->resp_ie)) ||
18057 	    (cr->fils.update_erp_next_seq_num &&
18058 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18059 			 cr->fils.erp_next_seq_num)) ||
18060 	    (cr->status == WLAN_STATUS_SUCCESS &&
18061 	     ((cr->fils.kek &&
18062 	       nla_put(msg, NL80211_ATTR_FILS_KEK, cr->fils.kek_len,
18063 		       cr->fils.kek)) ||
18064 	      (cr->fils.pmk &&
18065 	       nla_put(msg, NL80211_ATTR_PMK, cr->fils.pmk_len, cr->fils.pmk)) ||
18066 	      (cr->fils.pmkid &&
18067 	       nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, cr->fils.pmkid)))))
18068 		goto nla_put_failure;
18069 
18070 	if (cr->valid_links) {
18071 		int i = 1;
18072 		struct nlattr *nested;
18073 
18074 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18075 		if (!nested)
18076 			goto nla_put_failure;
18077 
18078 		for_each_valid_link(cr, link) {
18079 			struct nlattr *nested_mlo_links;
18080 			const u8 *bssid = cr->links[link].bss ?
18081 					  cr->links[link].bss->bssid :
18082 					  cr->links[link].bssid;
18083 
18084 			nested_mlo_links = nla_nest_start(msg, i);
18085 			if (!nested_mlo_links)
18086 				goto nla_put_failure;
18087 
18088 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18089 			    (bssid &&
18090 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18091 			    (cr->links[link].addr &&
18092 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18093 				     cr->links[link].addr)) ||
18094 			    nla_put_u16(msg, NL80211_ATTR_STATUS_CODE,
18095 					cr->links[link].status))
18096 				goto nla_put_failure;
18097 
18098 			nla_nest_end(msg, nested_mlo_links);
18099 			i++;
18100 		}
18101 		nla_nest_end(msg, nested);
18102 	}
18103 
18104 	genlmsg_end(msg, hdr);
18105 
18106 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18107 				NL80211_MCGRP_MLME, gfp);
18108 	return;
18109 
18110  nla_put_failure:
18111 	nlmsg_free(msg);
18112 }
18113 
18114 void nl80211_send_roamed(struct cfg80211_registered_device *rdev,
18115 			 struct net_device *netdev,
18116 			 struct cfg80211_roam_info *info, gfp_t gfp)
18117 {
18118 	struct sk_buff *msg;
18119 	void *hdr;
18120 	size_t link_info_size = 0;
18121 	unsigned int link;
18122 	const u8 *connected_addr = info->ap_mld_addr ?
18123 				   info->ap_mld_addr :
18124 				   (info->links[0].bss ?
18125 				    info->links[0].bss->bssid :
18126 				    info->links[0].bssid);
18127 
18128 	if (info->valid_links) {
18129 		for_each_valid_link(info, link) {
18130 			/* Nested attribute header */
18131 			link_info_size += NLA_HDRLEN;
18132 			/* Link ID */
18133 			link_info_size += nla_total_size(sizeof(u8));
18134 			link_info_size += info->links[link].addr ?
18135 					  nla_total_size(ETH_ALEN) : 0;
18136 			link_info_size += (info->links[link].bssid ||
18137 					   info->links[link].bss) ?
18138 					  nla_total_size(ETH_ALEN) : 0;
18139 		}
18140 	}
18141 
18142 	msg = nlmsg_new(100 + info->req_ie_len + info->resp_ie_len +
18143 			info->fils.kek_len + info->fils.pmk_len +
18144 			(info->fils.pmkid ? WLAN_PMKID_LEN : 0) +
18145 			link_info_size, gfp);
18146 	if (!msg)
18147 		return;
18148 
18149 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ROAM);
18150 	if (!hdr) {
18151 		nlmsg_free(msg);
18152 		return;
18153 	}
18154 
18155 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18156 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18157 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, connected_addr) ||
18158 	    (info->req_ie &&
18159 	     nla_put(msg, NL80211_ATTR_REQ_IE, info->req_ie_len,
18160 		     info->req_ie)) ||
18161 	    (info->resp_ie &&
18162 	     nla_put(msg, NL80211_ATTR_RESP_IE, info->resp_ie_len,
18163 		     info->resp_ie)) ||
18164 	    (info->fils.update_erp_next_seq_num &&
18165 	     nla_put_u16(msg, NL80211_ATTR_FILS_ERP_NEXT_SEQ_NUM,
18166 			 info->fils.erp_next_seq_num)) ||
18167 	    (info->fils.kek &&
18168 	     nla_put(msg, NL80211_ATTR_FILS_KEK, info->fils.kek_len,
18169 		     info->fils.kek)) ||
18170 	    (info->fils.pmk &&
18171 	     nla_put(msg, NL80211_ATTR_PMK, info->fils.pmk_len, info->fils.pmk)) ||
18172 	    (info->fils.pmkid &&
18173 	     nla_put(msg, NL80211_ATTR_PMKID, WLAN_PMKID_LEN, info->fils.pmkid)))
18174 		goto nla_put_failure;
18175 
18176 	if (info->valid_links) {
18177 		int i = 1;
18178 		struct nlattr *nested;
18179 
18180 		nested = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18181 		if (!nested)
18182 			goto nla_put_failure;
18183 
18184 		for_each_valid_link(info, link) {
18185 			struct nlattr *nested_mlo_links;
18186 			const u8 *bssid = info->links[link].bss ?
18187 					  info->links[link].bss->bssid :
18188 					  info->links[link].bssid;
18189 
18190 			nested_mlo_links = nla_nest_start(msg, i);
18191 			if (!nested_mlo_links)
18192 				goto nla_put_failure;
18193 
18194 			if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link) ||
18195 			    (bssid &&
18196 			     nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, bssid)) ||
18197 			    (info->links[link].addr &&
18198 			     nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN,
18199 				     info->links[link].addr)))
18200 				goto nla_put_failure;
18201 
18202 			nla_nest_end(msg, nested_mlo_links);
18203 			i++;
18204 		}
18205 		nla_nest_end(msg, nested);
18206 	}
18207 
18208 	genlmsg_end(msg, hdr);
18209 
18210 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18211 				NL80211_MCGRP_MLME, gfp);
18212 	return;
18213 
18214  nla_put_failure:
18215 	nlmsg_free(msg);
18216 }
18217 
18218 void nl80211_send_port_authorized(struct cfg80211_registered_device *rdev,
18219 				  struct net_device *netdev, const u8 *bssid,
18220 				  const u8 *td_bitmap, u8 td_bitmap_len)
18221 {
18222 	struct sk_buff *msg;
18223 	void *hdr;
18224 
18225 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18226 	if (!msg)
18227 		return;
18228 
18229 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PORT_AUTHORIZED);
18230 	if (!hdr) {
18231 		nlmsg_free(msg);
18232 		return;
18233 	}
18234 
18235 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18236 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18237 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18238 		goto nla_put_failure;
18239 
18240 	if ((td_bitmap_len > 0) && td_bitmap)
18241 		if (nla_put(msg, NL80211_ATTR_TD_BITMAP,
18242 			    td_bitmap_len, td_bitmap))
18243 			goto nla_put_failure;
18244 
18245 	genlmsg_end(msg, hdr);
18246 
18247 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18248 				NL80211_MCGRP_MLME, GFP_KERNEL);
18249 	return;
18250 
18251  nla_put_failure:
18252 	nlmsg_free(msg);
18253 }
18254 
18255 void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
18256 			       struct net_device *netdev, u16 reason,
18257 			       const u8 *ie, size_t ie_len, bool from_ap)
18258 {
18259 	struct sk_buff *msg;
18260 	void *hdr;
18261 
18262 	msg = nlmsg_new(100 + ie_len, GFP_KERNEL);
18263 	if (!msg)
18264 		return;
18265 
18266 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DISCONNECT);
18267 	if (!hdr) {
18268 		nlmsg_free(msg);
18269 		return;
18270 	}
18271 
18272 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18273 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18274 	    (reason &&
18275 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason)) ||
18276 	    (from_ap &&
18277 	     nla_put_flag(msg, NL80211_ATTR_DISCONNECTED_BY_AP)) ||
18278 	    (ie && nla_put(msg, NL80211_ATTR_IE, ie_len, ie)))
18279 		goto nla_put_failure;
18280 
18281 	genlmsg_end(msg, hdr);
18282 
18283 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18284 				NL80211_MCGRP_MLME, GFP_KERNEL);
18285 	return;
18286 
18287  nla_put_failure:
18288 	nlmsg_free(msg);
18289 }
18290 
18291 void cfg80211_links_removed(struct net_device *dev, u16 link_mask)
18292 {
18293 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18294 	struct wiphy *wiphy = wdev->wiphy;
18295 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18296 	struct sk_buff *msg;
18297 	struct nlattr *links;
18298 	void *hdr;
18299 
18300 	ASSERT_WDEV_LOCK(wdev);
18301 	trace_cfg80211_links_removed(dev, link_mask);
18302 
18303 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION &&
18304 		    wdev->iftype != NL80211_IFTYPE_P2P_CLIENT))
18305 		return;
18306 
18307 	if (WARN_ON(!wdev->valid_links || !link_mask ||
18308 		    (wdev->valid_links & link_mask) != link_mask ||
18309 		    wdev->valid_links == link_mask))
18310 		return;
18311 
18312 	cfg80211_wdev_release_link_bsses(wdev, link_mask);
18313 	wdev->valid_links &= ~link_mask;
18314 
18315 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18316 	if (!msg)
18317 		return;
18318 
18319 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_LINKS_REMOVED);
18320 	if (!hdr) {
18321 		nlmsg_free(msg);
18322 		return;
18323 	}
18324 
18325 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18326 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
18327 		goto nla_put_failure;
18328 
18329 	links = nla_nest_start(msg, NL80211_ATTR_MLO_LINKS);
18330 	if (!links)
18331 		goto nla_put_failure;
18332 
18333 	while (link_mask) {
18334 		struct nlattr *link;
18335 		int link_id = __ffs(link_mask);
18336 
18337 		link = nla_nest_start(msg, link_id + 1);
18338 		if (!link)
18339 			goto nla_put_failure;
18340 
18341 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
18342 			goto nla_put_failure;
18343 
18344 		nla_nest_end(msg, link);
18345 		link_mask &= ~(1 << link_id);
18346 	}
18347 
18348 	nla_nest_end(msg, links);
18349 
18350 	genlmsg_end(msg, hdr);
18351 
18352 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18353 				NL80211_MCGRP_MLME, GFP_KERNEL);
18354 	return;
18355 
18356  nla_put_failure:
18357 	nlmsg_free(msg);
18358 }
18359 EXPORT_SYMBOL(cfg80211_links_removed);
18360 
18361 void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
18362 			     struct net_device *netdev, const u8 *bssid,
18363 			     gfp_t gfp)
18364 {
18365 	struct sk_buff *msg;
18366 	void *hdr;
18367 
18368 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18369 	if (!msg)
18370 		return;
18371 
18372 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_JOIN_IBSS);
18373 	if (!hdr) {
18374 		nlmsg_free(msg);
18375 		return;
18376 	}
18377 
18378 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18379 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18380 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
18381 		goto nla_put_failure;
18382 
18383 	genlmsg_end(msg, hdr);
18384 
18385 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18386 				NL80211_MCGRP_MLME, gfp);
18387 	return;
18388 
18389  nla_put_failure:
18390 	nlmsg_free(msg);
18391 }
18392 
18393 void cfg80211_notify_new_peer_candidate(struct net_device *dev, const u8 *addr,
18394 					const u8 *ie, u8 ie_len,
18395 					int sig_dbm, gfp_t gfp)
18396 {
18397 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18398 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18399 	struct sk_buff *msg;
18400 	void *hdr;
18401 
18402 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
18403 		return;
18404 
18405 	trace_cfg80211_notify_new_peer_candidate(dev, addr);
18406 
18407 	msg = nlmsg_new(100 + ie_len, gfp);
18408 	if (!msg)
18409 		return;
18410 
18411 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
18412 	if (!hdr) {
18413 		nlmsg_free(msg);
18414 		return;
18415 	}
18416 
18417 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18418 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18419 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18420 	    (ie_len && ie &&
18421 	     nla_put(msg, NL80211_ATTR_IE, ie_len, ie)) ||
18422 	    (sig_dbm &&
18423 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)))
18424 		goto nla_put_failure;
18425 
18426 	genlmsg_end(msg, hdr);
18427 
18428 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18429 				NL80211_MCGRP_MLME, gfp);
18430 	return;
18431 
18432  nla_put_failure:
18433 	nlmsg_free(msg);
18434 }
18435 EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
18436 
18437 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
18438 				 struct net_device *netdev, const u8 *addr,
18439 				 enum nl80211_key_type key_type, int key_id,
18440 				 const u8 *tsc, gfp_t gfp)
18441 {
18442 	struct sk_buff *msg;
18443 	void *hdr;
18444 
18445 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18446 	if (!msg)
18447 		return;
18448 
18449 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_MICHAEL_MIC_FAILURE);
18450 	if (!hdr) {
18451 		nlmsg_free(msg);
18452 		return;
18453 	}
18454 
18455 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18456 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18457 	    (addr && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr)) ||
18458 	    nla_put_u32(msg, NL80211_ATTR_KEY_TYPE, key_type) ||
18459 	    (key_id != -1 &&
18460 	     nla_put_u8(msg, NL80211_ATTR_KEY_IDX, key_id)) ||
18461 	    (tsc && nla_put(msg, NL80211_ATTR_KEY_SEQ, 6, tsc)))
18462 		goto nla_put_failure;
18463 
18464 	genlmsg_end(msg, hdr);
18465 
18466 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18467 				NL80211_MCGRP_MLME, gfp);
18468 	return;
18469 
18470  nla_put_failure:
18471 	nlmsg_free(msg);
18472 }
18473 
18474 void nl80211_send_beacon_hint_event(struct wiphy *wiphy,
18475 				    struct ieee80211_channel *channel_before,
18476 				    struct ieee80211_channel *channel_after)
18477 {
18478 	struct sk_buff *msg;
18479 	void *hdr;
18480 	struct nlattr *nl_freq;
18481 
18482 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
18483 	if (!msg)
18484 		return;
18485 
18486 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_REG_BEACON_HINT);
18487 	if (!hdr) {
18488 		nlmsg_free(msg);
18489 		return;
18490 	}
18491 
18492 	/*
18493 	 * Since we are applying the beacon hint to a wiphy we know its
18494 	 * wiphy_idx is valid
18495 	 */
18496 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, get_wiphy_idx(wiphy)))
18497 		goto nla_put_failure;
18498 
18499 	/* Before */
18500 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_BEFORE);
18501 	if (!nl_freq)
18502 		goto nla_put_failure;
18503 
18504 	if (nl80211_msg_put_channel(msg, wiphy, channel_before, false))
18505 		goto nla_put_failure;
18506 	nla_nest_end(msg, nl_freq);
18507 
18508 	/* After */
18509 	nl_freq = nla_nest_start_noflag(msg, NL80211_ATTR_FREQ_AFTER);
18510 	if (!nl_freq)
18511 		goto nla_put_failure;
18512 
18513 	if (nl80211_msg_put_channel(msg, wiphy, channel_after, false))
18514 		goto nla_put_failure;
18515 	nla_nest_end(msg, nl_freq);
18516 
18517 	genlmsg_end(msg, hdr);
18518 
18519 	rcu_read_lock();
18520 	genlmsg_multicast_allns(&nl80211_fam, msg, 0,
18521 				NL80211_MCGRP_REGULATORY, GFP_ATOMIC);
18522 	rcu_read_unlock();
18523 
18524 	return;
18525 
18526 nla_put_failure:
18527 	nlmsg_free(msg);
18528 }
18529 
18530 static void nl80211_send_remain_on_chan_event(
18531 	int cmd, struct cfg80211_registered_device *rdev,
18532 	struct wireless_dev *wdev, u64 cookie,
18533 	struct ieee80211_channel *chan,
18534 	unsigned int duration, gfp_t gfp)
18535 {
18536 	struct sk_buff *msg;
18537 	void *hdr;
18538 
18539 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18540 	if (!msg)
18541 		return;
18542 
18543 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18544 	if (!hdr) {
18545 		nlmsg_free(msg);
18546 		return;
18547 	}
18548 
18549 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18550 	    (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18551 					 wdev->netdev->ifindex)) ||
18552 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18553 			      NL80211_ATTR_PAD) ||
18554 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, chan->center_freq) ||
18555 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_CHANNEL_TYPE,
18556 			NL80211_CHAN_NO_HT) ||
18557 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
18558 			      NL80211_ATTR_PAD))
18559 		goto nla_put_failure;
18560 
18561 	if (cmd == NL80211_CMD_REMAIN_ON_CHANNEL &&
18562 	    nla_put_u32(msg, NL80211_ATTR_DURATION, duration))
18563 		goto nla_put_failure;
18564 
18565 	genlmsg_end(msg, hdr);
18566 
18567 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18568 				NL80211_MCGRP_MLME, gfp);
18569 	return;
18570 
18571  nla_put_failure:
18572 	nlmsg_free(msg);
18573 }
18574 
18575 void cfg80211_assoc_comeback(struct net_device *netdev,
18576 			     const u8 *ap_addr, u32 timeout)
18577 {
18578 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
18579 	struct wiphy *wiphy = wdev->wiphy;
18580 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18581 	struct sk_buff *msg;
18582 	void *hdr;
18583 
18584 	trace_cfg80211_assoc_comeback(wdev, ap_addr, timeout);
18585 
18586 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
18587 	if (!msg)
18588 		return;
18589 
18590 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_ASSOC_COMEBACK);
18591 	if (!hdr) {
18592 		nlmsg_free(msg);
18593 		return;
18594 	}
18595 
18596 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18597 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
18598 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ap_addr) ||
18599 	    nla_put_u32(msg, NL80211_ATTR_TIMEOUT, timeout))
18600 		goto nla_put_failure;
18601 
18602 	genlmsg_end(msg, hdr);
18603 
18604 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18605 				NL80211_MCGRP_MLME, GFP_KERNEL);
18606 	return;
18607 
18608  nla_put_failure:
18609 	nlmsg_free(msg);
18610 }
18611 EXPORT_SYMBOL(cfg80211_assoc_comeback);
18612 
18613 void cfg80211_ready_on_channel(struct wireless_dev *wdev, u64 cookie,
18614 			       struct ieee80211_channel *chan,
18615 			       unsigned int duration, gfp_t gfp)
18616 {
18617 	struct wiphy *wiphy = wdev->wiphy;
18618 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18619 
18620 	trace_cfg80211_ready_on_channel(wdev, cookie, chan, duration);
18621 	nl80211_send_remain_on_chan_event(NL80211_CMD_REMAIN_ON_CHANNEL,
18622 					  rdev, wdev, cookie, chan,
18623 					  duration, gfp);
18624 }
18625 EXPORT_SYMBOL(cfg80211_ready_on_channel);
18626 
18627 void cfg80211_remain_on_channel_expired(struct wireless_dev *wdev, u64 cookie,
18628 					struct ieee80211_channel *chan,
18629 					gfp_t gfp)
18630 {
18631 	struct wiphy *wiphy = wdev->wiphy;
18632 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18633 
18634 	trace_cfg80211_ready_on_channel_expired(wdev, cookie, chan);
18635 	nl80211_send_remain_on_chan_event(NL80211_CMD_CANCEL_REMAIN_ON_CHANNEL,
18636 					  rdev, wdev, cookie, chan, 0, gfp);
18637 }
18638 EXPORT_SYMBOL(cfg80211_remain_on_channel_expired);
18639 
18640 void cfg80211_tx_mgmt_expired(struct wireless_dev *wdev, u64 cookie,
18641 					struct ieee80211_channel *chan,
18642 					gfp_t gfp)
18643 {
18644 	struct wiphy *wiphy = wdev->wiphy;
18645 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18646 
18647 	trace_cfg80211_tx_mgmt_expired(wdev, cookie, chan);
18648 	nl80211_send_remain_on_chan_event(NL80211_CMD_FRAME_WAIT_CANCEL,
18649 					  rdev, wdev, cookie, chan, 0, gfp);
18650 }
18651 EXPORT_SYMBOL(cfg80211_tx_mgmt_expired);
18652 
18653 void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
18654 		      struct station_info *sinfo, gfp_t gfp)
18655 {
18656 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18657 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18658 	struct sk_buff *msg;
18659 
18660 	trace_cfg80211_new_sta(dev, mac_addr, sinfo);
18661 
18662 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18663 	if (!msg)
18664 		return;
18665 
18666 	if (nl80211_send_station(msg, NL80211_CMD_NEW_STATION, 0, 0, 0,
18667 				 rdev, dev, mac_addr, sinfo) < 0) {
18668 		nlmsg_free(msg);
18669 		return;
18670 	}
18671 
18672 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18673 				NL80211_MCGRP_MLME, gfp);
18674 }
18675 EXPORT_SYMBOL(cfg80211_new_sta);
18676 
18677 void cfg80211_del_sta_sinfo(struct net_device *dev, const u8 *mac_addr,
18678 			    struct station_info *sinfo, gfp_t gfp)
18679 {
18680 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18681 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18682 	struct sk_buff *msg;
18683 	struct station_info empty_sinfo = {};
18684 
18685 	if (!sinfo)
18686 		sinfo = &empty_sinfo;
18687 
18688 	trace_cfg80211_del_sta(dev, mac_addr);
18689 
18690 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
18691 	if (!msg) {
18692 		cfg80211_sinfo_release_content(sinfo);
18693 		return;
18694 	}
18695 
18696 	if (nl80211_send_station(msg, NL80211_CMD_DEL_STATION, 0, 0, 0,
18697 				 rdev, dev, mac_addr, sinfo) < 0) {
18698 		nlmsg_free(msg);
18699 		return;
18700 	}
18701 
18702 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18703 				NL80211_MCGRP_MLME, gfp);
18704 }
18705 EXPORT_SYMBOL(cfg80211_del_sta_sinfo);
18706 
18707 void cfg80211_conn_failed(struct net_device *dev, const u8 *mac_addr,
18708 			  enum nl80211_connect_failed_reason reason,
18709 			  gfp_t gfp)
18710 {
18711 	struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
18712 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18713 	struct sk_buff *msg;
18714 	void *hdr;
18715 
18716 	msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
18717 	if (!msg)
18718 		return;
18719 
18720 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONN_FAILED);
18721 	if (!hdr) {
18722 		nlmsg_free(msg);
18723 		return;
18724 	}
18725 
18726 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18727 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr) ||
18728 	    nla_put_u32(msg, NL80211_ATTR_CONN_FAILED_REASON, reason))
18729 		goto nla_put_failure;
18730 
18731 	genlmsg_end(msg, hdr);
18732 
18733 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18734 				NL80211_MCGRP_MLME, gfp);
18735 	return;
18736 
18737  nla_put_failure:
18738 	nlmsg_free(msg);
18739 }
18740 EXPORT_SYMBOL(cfg80211_conn_failed);
18741 
18742 static bool __nl80211_unexpected_frame(struct net_device *dev, u8 cmd,
18743 				       const u8 *addr, gfp_t gfp)
18744 {
18745 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18746 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18747 	struct sk_buff *msg;
18748 	void *hdr;
18749 	u32 nlportid = READ_ONCE(wdev->ap_unexpected_nlportid);
18750 
18751 	if (!nlportid)
18752 		return false;
18753 
18754 	msg = nlmsg_new(100, gfp);
18755 	if (!msg)
18756 		return true;
18757 
18758 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
18759 	if (!hdr) {
18760 		nlmsg_free(msg);
18761 		return true;
18762 	}
18763 
18764 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18765 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18766 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr))
18767 		goto nla_put_failure;
18768 
18769 	genlmsg_end(msg, hdr);
18770 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18771 	return true;
18772 
18773  nla_put_failure:
18774 	nlmsg_free(msg);
18775 	return true;
18776 }
18777 
18778 bool cfg80211_rx_spurious_frame(struct net_device *dev,
18779 				const u8 *addr, gfp_t gfp)
18780 {
18781 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18782 	bool ret;
18783 
18784 	trace_cfg80211_rx_spurious_frame(dev, addr);
18785 
18786 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18787 		    wdev->iftype != NL80211_IFTYPE_P2P_GO)) {
18788 		trace_cfg80211_return_bool(false);
18789 		return false;
18790 	}
18791 	ret = __nl80211_unexpected_frame(dev, NL80211_CMD_UNEXPECTED_FRAME,
18792 					 addr, gfp);
18793 	trace_cfg80211_return_bool(ret);
18794 	return ret;
18795 }
18796 EXPORT_SYMBOL(cfg80211_rx_spurious_frame);
18797 
18798 bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev,
18799 					const u8 *addr, gfp_t gfp)
18800 {
18801 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18802 	bool ret;
18803 
18804 	trace_cfg80211_rx_unexpected_4addr_frame(dev, addr);
18805 
18806 	if (WARN_ON(wdev->iftype != NL80211_IFTYPE_AP &&
18807 		    wdev->iftype != NL80211_IFTYPE_P2P_GO &&
18808 		    wdev->iftype != NL80211_IFTYPE_AP_VLAN)) {
18809 		trace_cfg80211_return_bool(false);
18810 		return false;
18811 	}
18812 	ret = __nl80211_unexpected_frame(dev,
18813 					 NL80211_CMD_UNEXPECTED_4ADDR_FRAME,
18814 					 addr, gfp);
18815 	trace_cfg80211_return_bool(ret);
18816 	return ret;
18817 }
18818 EXPORT_SYMBOL(cfg80211_rx_unexpected_4addr_frame);
18819 
18820 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
18821 		      struct wireless_dev *wdev, u32 nlportid,
18822 		      struct cfg80211_rx_info *info, gfp_t gfp)
18823 {
18824 	struct net_device *netdev = wdev->netdev;
18825 	struct sk_buff *msg;
18826 	void *hdr;
18827 
18828 	msg = nlmsg_new(100 + info->len, gfp);
18829 	if (!msg)
18830 		return -ENOMEM;
18831 
18832 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
18833 	if (!hdr) {
18834 		nlmsg_free(msg);
18835 		return -ENOMEM;
18836 	}
18837 
18838 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18839 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18840 					netdev->ifindex)) ||
18841 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18842 			      NL80211_ATTR_PAD) ||
18843 	    (info->have_link_id &&
18844 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, info->link_id)) ||
18845 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ, KHZ_TO_MHZ(info->freq)) ||
18846 	    nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET, info->freq % 1000) ||
18847 	    (info->sig_dbm &&
18848 	     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, info->sig_dbm)) ||
18849 	    nla_put(msg, NL80211_ATTR_FRAME, info->len, info->buf) ||
18850 	    (info->flags &&
18851 	     nla_put_u32(msg, NL80211_ATTR_RXMGMT_FLAGS, info->flags)) ||
18852 	    (info->rx_tstamp && nla_put_u64_64bit(msg,
18853 						  NL80211_ATTR_RX_HW_TIMESTAMP,
18854 						  info->rx_tstamp,
18855 						  NL80211_ATTR_PAD)) ||
18856 	    (info->ack_tstamp && nla_put_u64_64bit(msg,
18857 						   NL80211_ATTR_TX_HW_TIMESTAMP,
18858 						   info->ack_tstamp,
18859 						   NL80211_ATTR_PAD)))
18860 		goto nla_put_failure;
18861 
18862 	genlmsg_end(msg, hdr);
18863 
18864 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18865 
18866  nla_put_failure:
18867 	nlmsg_free(msg);
18868 	return -ENOBUFS;
18869 }
18870 
18871 static void nl80211_frame_tx_status(struct wireless_dev *wdev,
18872 				    struct cfg80211_tx_status *status,
18873 				    gfp_t gfp, enum nl80211_commands command)
18874 {
18875 	struct wiphy *wiphy = wdev->wiphy;
18876 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
18877 	struct net_device *netdev = wdev->netdev;
18878 	struct sk_buff *msg;
18879 	void *hdr;
18880 
18881 	if (command == NL80211_CMD_FRAME_TX_STATUS)
18882 		trace_cfg80211_mgmt_tx_status(wdev, status->cookie,
18883 					      status->ack);
18884 	else
18885 		trace_cfg80211_control_port_tx_status(wdev, status->cookie,
18886 						      status->ack);
18887 
18888 	msg = nlmsg_new(100 + status->len, gfp);
18889 	if (!msg)
18890 		return;
18891 
18892 	hdr = nl80211hdr_put(msg, 0, 0, 0, command);
18893 	if (!hdr) {
18894 		nlmsg_free(msg);
18895 		return;
18896 	}
18897 
18898 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18899 	    (netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
18900 				   netdev->ifindex)) ||
18901 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18902 			      NL80211_ATTR_PAD) ||
18903 	    nla_put(msg, NL80211_ATTR_FRAME, status->len, status->buf) ||
18904 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, status->cookie,
18905 			      NL80211_ATTR_PAD) ||
18906 	    (status->ack && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
18907 	    (status->tx_tstamp &&
18908 	     nla_put_u64_64bit(msg, NL80211_ATTR_TX_HW_TIMESTAMP,
18909 			       status->tx_tstamp, NL80211_ATTR_PAD)) ||
18910 	    (status->ack_tstamp &&
18911 	     nla_put_u64_64bit(msg, NL80211_ATTR_RX_HW_TIMESTAMP,
18912 			       status->ack_tstamp, NL80211_ATTR_PAD)))
18913 		goto nla_put_failure;
18914 
18915 	genlmsg_end(msg, hdr);
18916 
18917 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
18918 				NL80211_MCGRP_MLME, gfp);
18919 	return;
18920 
18921 nla_put_failure:
18922 	nlmsg_free(msg);
18923 }
18924 
18925 void cfg80211_control_port_tx_status(struct wireless_dev *wdev, u64 cookie,
18926 				     const u8 *buf, size_t len, bool ack,
18927 				     gfp_t gfp)
18928 {
18929 	struct cfg80211_tx_status status = {
18930 		.cookie = cookie,
18931 		.buf = buf,
18932 		.len = len,
18933 		.ack = ack
18934 	};
18935 
18936 	nl80211_frame_tx_status(wdev, &status, gfp,
18937 				NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS);
18938 }
18939 EXPORT_SYMBOL(cfg80211_control_port_tx_status);
18940 
18941 void cfg80211_mgmt_tx_status_ext(struct wireless_dev *wdev,
18942 				 struct cfg80211_tx_status *status, gfp_t gfp)
18943 {
18944 	nl80211_frame_tx_status(wdev, status, gfp, NL80211_CMD_FRAME_TX_STATUS);
18945 }
18946 EXPORT_SYMBOL(cfg80211_mgmt_tx_status_ext);
18947 
18948 static int __nl80211_rx_control_port(struct net_device *dev,
18949 				     struct sk_buff *skb,
18950 				     bool unencrypted,
18951 				     int link_id,
18952 				     gfp_t gfp)
18953 {
18954 	struct wireless_dev *wdev = dev->ieee80211_ptr;
18955 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
18956 	struct ethhdr *ehdr = eth_hdr(skb);
18957 	const u8 *addr = ehdr->h_source;
18958 	u16 proto = be16_to_cpu(skb->protocol);
18959 	struct sk_buff *msg;
18960 	void *hdr;
18961 	struct nlattr *frame;
18962 
18963 	u32 nlportid = READ_ONCE(wdev->conn_owner_nlportid);
18964 
18965 	if (!nlportid)
18966 		return -ENOENT;
18967 
18968 	msg = nlmsg_new(100 + skb->len, gfp);
18969 	if (!msg)
18970 		return -ENOMEM;
18971 
18972 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CONTROL_PORT_FRAME);
18973 	if (!hdr) {
18974 		nlmsg_free(msg);
18975 		return -ENOBUFS;
18976 	}
18977 
18978 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
18979 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
18980 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
18981 			      NL80211_ATTR_PAD) ||
18982 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
18983 	    nla_put_u16(msg, NL80211_ATTR_CONTROL_PORT_ETHERTYPE, proto) ||
18984 	    (link_id >= 0 &&
18985 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)) ||
18986 	    (unencrypted && nla_put_flag(msg,
18987 					 NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT)))
18988 		goto nla_put_failure;
18989 
18990 	frame = nla_reserve(msg, NL80211_ATTR_FRAME, skb->len);
18991 	if (!frame)
18992 		goto nla_put_failure;
18993 
18994 	skb_copy_bits(skb, 0, nla_data(frame), skb->len);
18995 	genlmsg_end(msg, hdr);
18996 
18997 	return genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
18998 
18999  nla_put_failure:
19000 	nlmsg_free(msg);
19001 	return -ENOBUFS;
19002 }
19003 
19004 bool cfg80211_rx_control_port(struct net_device *dev, struct sk_buff *skb,
19005 			      bool unencrypted, int link_id)
19006 {
19007 	int ret;
19008 
19009 	trace_cfg80211_rx_control_port(dev, skb, unencrypted, link_id);
19010 	ret = __nl80211_rx_control_port(dev, skb, unencrypted, link_id,
19011 					GFP_ATOMIC);
19012 	trace_cfg80211_return_bool(ret == 0);
19013 	return ret == 0;
19014 }
19015 EXPORT_SYMBOL(cfg80211_rx_control_port);
19016 
19017 static struct sk_buff *cfg80211_prepare_cqm(struct net_device *dev,
19018 					    const char *mac, gfp_t gfp)
19019 {
19020 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19021 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19022 	struct sk_buff *msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19023 	void **cb;
19024 
19025 	if (!msg)
19026 		return NULL;
19027 
19028 	cb = (void **)msg->cb;
19029 
19030 	cb[0] = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NOTIFY_CQM);
19031 	if (!cb[0]) {
19032 		nlmsg_free(msg);
19033 		return NULL;
19034 	}
19035 
19036 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19037 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19038 		goto nla_put_failure;
19039 
19040 	if (mac && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19041 		goto nla_put_failure;
19042 
19043 	cb[1] = nla_nest_start_noflag(msg, NL80211_ATTR_CQM);
19044 	if (!cb[1])
19045 		goto nla_put_failure;
19046 
19047 	cb[2] = rdev;
19048 
19049 	return msg;
19050  nla_put_failure:
19051 	nlmsg_free(msg);
19052 	return NULL;
19053 }
19054 
19055 static void cfg80211_send_cqm(struct sk_buff *msg, gfp_t gfp)
19056 {
19057 	void **cb = (void **)msg->cb;
19058 	struct cfg80211_registered_device *rdev = cb[2];
19059 
19060 	nla_nest_end(msg, cb[1]);
19061 	genlmsg_end(msg, cb[0]);
19062 
19063 	memset(msg->cb, 0, sizeof(msg->cb));
19064 
19065 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19066 				NL80211_MCGRP_MLME, gfp);
19067 }
19068 
19069 void cfg80211_cqm_rssi_notify(struct net_device *dev,
19070 			      enum nl80211_cqm_rssi_threshold_event rssi_event,
19071 			      s32 rssi_level, gfp_t gfp)
19072 {
19073 	struct sk_buff *msg;
19074 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19075 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19076 
19077 	trace_cfg80211_cqm_rssi_notify(dev, rssi_event, rssi_level);
19078 
19079 	if (WARN_ON(rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_LOW &&
19080 		    rssi_event != NL80211_CQM_RSSI_THRESHOLD_EVENT_HIGH))
19081 		return;
19082 
19083 	if (wdev->cqm_config) {
19084 		wdev->cqm_config->last_rssi_event_value = rssi_level;
19085 
19086 		cfg80211_cqm_rssi_update(rdev, dev);
19087 
19088 		if (rssi_level == 0)
19089 			rssi_level = wdev->cqm_config->last_rssi_event_value;
19090 	}
19091 
19092 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19093 	if (!msg)
19094 		return;
19095 
19096 	if (nla_put_u32(msg, NL80211_ATTR_CQM_RSSI_THRESHOLD_EVENT,
19097 			rssi_event))
19098 		goto nla_put_failure;
19099 
19100 	if (rssi_level && nla_put_s32(msg, NL80211_ATTR_CQM_RSSI_LEVEL,
19101 				      rssi_level))
19102 		goto nla_put_failure;
19103 
19104 	cfg80211_send_cqm(msg, gfp);
19105 
19106 	return;
19107 
19108  nla_put_failure:
19109 	nlmsg_free(msg);
19110 }
19111 EXPORT_SYMBOL(cfg80211_cqm_rssi_notify);
19112 
19113 void cfg80211_cqm_txe_notify(struct net_device *dev,
19114 			     const u8 *peer, u32 num_packets,
19115 			     u32 rate, u32 intvl, gfp_t gfp)
19116 {
19117 	struct sk_buff *msg;
19118 
19119 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19120 	if (!msg)
19121 		return;
19122 
19123 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_PKTS, num_packets))
19124 		goto nla_put_failure;
19125 
19126 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_RATE, rate))
19127 		goto nla_put_failure;
19128 
19129 	if (nla_put_u32(msg, NL80211_ATTR_CQM_TXE_INTVL, intvl))
19130 		goto nla_put_failure;
19131 
19132 	cfg80211_send_cqm(msg, gfp);
19133 	return;
19134 
19135  nla_put_failure:
19136 	nlmsg_free(msg);
19137 }
19138 EXPORT_SYMBOL(cfg80211_cqm_txe_notify);
19139 
19140 void cfg80211_cqm_pktloss_notify(struct net_device *dev,
19141 				 const u8 *peer, u32 num_packets, gfp_t gfp)
19142 {
19143 	struct sk_buff *msg;
19144 
19145 	trace_cfg80211_cqm_pktloss_notify(dev, peer, num_packets);
19146 
19147 	msg = cfg80211_prepare_cqm(dev, peer, gfp);
19148 	if (!msg)
19149 		return;
19150 
19151 	if (nla_put_u32(msg, NL80211_ATTR_CQM_PKT_LOSS_EVENT, num_packets))
19152 		goto nla_put_failure;
19153 
19154 	cfg80211_send_cqm(msg, gfp);
19155 	return;
19156 
19157  nla_put_failure:
19158 	nlmsg_free(msg);
19159 }
19160 EXPORT_SYMBOL(cfg80211_cqm_pktloss_notify);
19161 
19162 void cfg80211_cqm_beacon_loss_notify(struct net_device *dev, gfp_t gfp)
19163 {
19164 	struct sk_buff *msg;
19165 
19166 	msg = cfg80211_prepare_cqm(dev, NULL, gfp);
19167 	if (!msg)
19168 		return;
19169 
19170 	if (nla_put_flag(msg, NL80211_ATTR_CQM_BEACON_LOSS_EVENT))
19171 		goto nla_put_failure;
19172 
19173 	cfg80211_send_cqm(msg, gfp);
19174 	return;
19175 
19176  nla_put_failure:
19177 	nlmsg_free(msg);
19178 }
19179 EXPORT_SYMBOL(cfg80211_cqm_beacon_loss_notify);
19180 
19181 static void nl80211_gtk_rekey_notify(struct cfg80211_registered_device *rdev,
19182 				     struct net_device *netdev, const u8 *bssid,
19183 				     const u8 *replay_ctr, gfp_t gfp)
19184 {
19185 	struct sk_buff *msg;
19186 	struct nlattr *rekey_attr;
19187 	void *hdr;
19188 
19189 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19190 	if (!msg)
19191 		return;
19192 
19193 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_REKEY_OFFLOAD);
19194 	if (!hdr) {
19195 		nlmsg_free(msg);
19196 		return;
19197 	}
19198 
19199 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19200 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19201 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, bssid))
19202 		goto nla_put_failure;
19203 
19204 	rekey_attr = nla_nest_start_noflag(msg, NL80211_ATTR_REKEY_DATA);
19205 	if (!rekey_attr)
19206 		goto nla_put_failure;
19207 
19208 	if (nla_put(msg, NL80211_REKEY_DATA_REPLAY_CTR,
19209 		    NL80211_REPLAY_CTR_LEN, replay_ctr))
19210 		goto nla_put_failure;
19211 
19212 	nla_nest_end(msg, rekey_attr);
19213 
19214 	genlmsg_end(msg, hdr);
19215 
19216 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19217 				NL80211_MCGRP_MLME, gfp);
19218 	return;
19219 
19220  nla_put_failure:
19221 	nlmsg_free(msg);
19222 }
19223 
19224 void cfg80211_gtk_rekey_notify(struct net_device *dev, const u8 *bssid,
19225 			       const u8 *replay_ctr, gfp_t gfp)
19226 {
19227 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19228 	struct wiphy *wiphy = wdev->wiphy;
19229 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19230 
19231 	trace_cfg80211_gtk_rekey_notify(dev, bssid);
19232 	nl80211_gtk_rekey_notify(rdev, dev, bssid, replay_ctr, gfp);
19233 }
19234 EXPORT_SYMBOL(cfg80211_gtk_rekey_notify);
19235 
19236 static void
19237 nl80211_pmksa_candidate_notify(struct cfg80211_registered_device *rdev,
19238 			       struct net_device *netdev, int index,
19239 			       const u8 *bssid, bool preauth, gfp_t gfp)
19240 {
19241 	struct sk_buff *msg;
19242 	struct nlattr *attr;
19243 	void *hdr;
19244 
19245 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19246 	if (!msg)
19247 		return;
19248 
19249 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PMKSA_CANDIDATE);
19250 	if (!hdr) {
19251 		nlmsg_free(msg);
19252 		return;
19253 	}
19254 
19255 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19256 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19257 		goto nla_put_failure;
19258 
19259 	attr = nla_nest_start_noflag(msg, NL80211_ATTR_PMKSA_CANDIDATE);
19260 	if (!attr)
19261 		goto nla_put_failure;
19262 
19263 	if (nla_put_u32(msg, NL80211_PMKSA_CANDIDATE_INDEX, index) ||
19264 	    nla_put(msg, NL80211_PMKSA_CANDIDATE_BSSID, ETH_ALEN, bssid) ||
19265 	    (preauth &&
19266 	     nla_put_flag(msg, NL80211_PMKSA_CANDIDATE_PREAUTH)))
19267 		goto nla_put_failure;
19268 
19269 	nla_nest_end(msg, attr);
19270 
19271 	genlmsg_end(msg, hdr);
19272 
19273 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19274 				NL80211_MCGRP_MLME, gfp);
19275 	return;
19276 
19277  nla_put_failure:
19278 	nlmsg_free(msg);
19279 }
19280 
19281 void cfg80211_pmksa_candidate_notify(struct net_device *dev, int index,
19282 				     const u8 *bssid, bool preauth, gfp_t gfp)
19283 {
19284 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19285 	struct wiphy *wiphy = wdev->wiphy;
19286 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19287 
19288 	trace_cfg80211_pmksa_candidate_notify(dev, index, bssid, preauth);
19289 	nl80211_pmksa_candidate_notify(rdev, dev, index, bssid, preauth, gfp);
19290 }
19291 EXPORT_SYMBOL(cfg80211_pmksa_candidate_notify);
19292 
19293 static void nl80211_ch_switch_notify(struct cfg80211_registered_device *rdev,
19294 				     struct net_device *netdev,
19295 				     unsigned int link_id,
19296 				     struct cfg80211_chan_def *chandef,
19297 				     gfp_t gfp,
19298 				     enum nl80211_commands notif,
19299 				     u8 count, bool quiet, u16 punct_bitmap)
19300 {
19301 	struct wireless_dev *wdev = netdev->ieee80211_ptr;
19302 	struct sk_buff *msg;
19303 	void *hdr;
19304 
19305 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19306 	if (!msg)
19307 		return;
19308 
19309 	hdr = nl80211hdr_put(msg, 0, 0, 0, notif);
19310 	if (!hdr) {
19311 		nlmsg_free(msg);
19312 		return;
19313 	}
19314 
19315 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex))
19316 		goto nla_put_failure;
19317 
19318 	if (wdev->valid_links &&
19319 	    nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
19320 		goto nla_put_failure;
19321 
19322 	if (nl80211_send_chandef(msg, chandef))
19323 		goto nla_put_failure;
19324 
19325 	if (notif == NL80211_CMD_CH_SWITCH_STARTED_NOTIFY) {
19326 		if (nla_put_u32(msg, NL80211_ATTR_CH_SWITCH_COUNT, count))
19327 			goto nla_put_failure;
19328 		if (quiet &&
19329 		    nla_put_flag(msg, NL80211_ATTR_CH_SWITCH_BLOCK_TX))
19330 			goto nla_put_failure;
19331 	}
19332 
19333 	if (nla_put_u32(msg, NL80211_ATTR_PUNCT_BITMAP, punct_bitmap))
19334 		goto nla_put_failure;
19335 
19336 	genlmsg_end(msg, hdr);
19337 
19338 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19339 				NL80211_MCGRP_MLME, gfp);
19340 	return;
19341 
19342  nla_put_failure:
19343 	nlmsg_free(msg);
19344 }
19345 
19346 void cfg80211_ch_switch_notify(struct net_device *dev,
19347 			       struct cfg80211_chan_def *chandef,
19348 			       unsigned int link_id, u16 punct_bitmap)
19349 {
19350 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19351 	struct wiphy *wiphy = wdev->wiphy;
19352 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19353 
19354 	ASSERT_WDEV_LOCK(wdev);
19355 	WARN_INVALID_LINK_ID(wdev, link_id);
19356 
19357 	trace_cfg80211_ch_switch_notify(dev, chandef, link_id, punct_bitmap);
19358 
19359 	switch (wdev->iftype) {
19360 	case NL80211_IFTYPE_STATION:
19361 	case NL80211_IFTYPE_P2P_CLIENT:
19362 		if (!WARN_ON(!wdev->links[link_id].client.current_bss))
19363 			cfg80211_update_assoc_bss_entry(wdev, link_id,
19364 							chandef->chan);
19365 		break;
19366 	case NL80211_IFTYPE_MESH_POINT:
19367 		wdev->u.mesh.chandef = *chandef;
19368 		wdev->u.mesh.preset_chandef = *chandef;
19369 		break;
19370 	case NL80211_IFTYPE_AP:
19371 	case NL80211_IFTYPE_P2P_GO:
19372 		wdev->links[link_id].ap.chandef = *chandef;
19373 		break;
19374 	case NL80211_IFTYPE_ADHOC:
19375 		wdev->u.ibss.chandef = *chandef;
19376 		break;
19377 	default:
19378 		WARN_ON(1);
19379 		break;
19380 	}
19381 
19382 	cfg80211_sched_dfs_chan_update(rdev);
19383 
19384 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19385 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0, false,
19386 				 punct_bitmap);
19387 }
19388 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
19389 
19390 void cfg80211_ch_switch_started_notify(struct net_device *dev,
19391 				       struct cfg80211_chan_def *chandef,
19392 				       unsigned int link_id, u8 count,
19393 				       bool quiet, u16 punct_bitmap)
19394 {
19395 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19396 	struct wiphy *wiphy = wdev->wiphy;
19397 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19398 
19399 	ASSERT_WDEV_LOCK(wdev);
19400 	WARN_INVALID_LINK_ID(wdev, link_id);
19401 
19402 	trace_cfg80211_ch_switch_started_notify(dev, chandef, link_id,
19403 						punct_bitmap);
19404 
19405 
19406 	nl80211_ch_switch_notify(rdev, dev, link_id, chandef, GFP_KERNEL,
19407 				 NL80211_CMD_CH_SWITCH_STARTED_NOTIFY,
19408 				 count, quiet, punct_bitmap);
19409 }
19410 EXPORT_SYMBOL(cfg80211_ch_switch_started_notify);
19411 
19412 int cfg80211_bss_color_notify(struct net_device *dev,
19413 			      enum nl80211_commands cmd, u8 count,
19414 			      u64 color_bitmap)
19415 {
19416 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19417 	struct wiphy *wiphy = wdev->wiphy;
19418 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19419 	struct sk_buff *msg;
19420 	void *hdr;
19421 
19422 	ASSERT_WDEV_LOCK(wdev);
19423 
19424 	trace_cfg80211_bss_color_notify(dev, cmd, count, color_bitmap);
19425 
19426 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
19427 	if (!msg)
19428 		return -ENOMEM;
19429 
19430 	hdr = nl80211hdr_put(msg, 0, 0, 0, cmd);
19431 	if (!hdr)
19432 		goto nla_put_failure;
19433 
19434 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19435 		goto nla_put_failure;
19436 
19437 	if (cmd == NL80211_CMD_COLOR_CHANGE_STARTED &&
19438 	    nla_put_u32(msg, NL80211_ATTR_COLOR_CHANGE_COUNT, count))
19439 		goto nla_put_failure;
19440 
19441 	if (cmd == NL80211_CMD_OBSS_COLOR_COLLISION &&
19442 	    nla_put_u64_64bit(msg, NL80211_ATTR_OBSS_COLOR_BITMAP,
19443 			      color_bitmap, NL80211_ATTR_PAD))
19444 		goto nla_put_failure;
19445 
19446 	genlmsg_end(msg, hdr);
19447 
19448 	return genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy),
19449 				       msg, 0, NL80211_MCGRP_MLME, GFP_KERNEL);
19450 
19451 nla_put_failure:
19452 	nlmsg_free(msg);
19453 	return -EINVAL;
19454 }
19455 EXPORT_SYMBOL(cfg80211_bss_color_notify);
19456 
19457 void
19458 nl80211_radar_notify(struct cfg80211_registered_device *rdev,
19459 		     const struct cfg80211_chan_def *chandef,
19460 		     enum nl80211_radar_event event,
19461 		     struct net_device *netdev, gfp_t gfp)
19462 {
19463 	struct sk_buff *msg;
19464 	void *hdr;
19465 
19466 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19467 	if (!msg)
19468 		return;
19469 
19470 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_RADAR_DETECT);
19471 	if (!hdr) {
19472 		nlmsg_free(msg);
19473 		return;
19474 	}
19475 
19476 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19477 		goto nla_put_failure;
19478 
19479 	/* NOP and radar events don't need a netdev parameter */
19480 	if (netdev) {
19481 		struct wireless_dev *wdev = netdev->ieee80211_ptr;
19482 
19483 		if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19484 		    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19485 				      NL80211_ATTR_PAD))
19486 			goto nla_put_failure;
19487 	}
19488 
19489 	if (nla_put_u32(msg, NL80211_ATTR_RADAR_EVENT, event))
19490 		goto nla_put_failure;
19491 
19492 	if (nl80211_send_chandef(msg, chandef))
19493 		goto nla_put_failure;
19494 
19495 	genlmsg_end(msg, hdr);
19496 
19497 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19498 				NL80211_MCGRP_MLME, gfp);
19499 	return;
19500 
19501  nla_put_failure:
19502 	nlmsg_free(msg);
19503 }
19504 
19505 void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
19506 				       struct sta_opmode_info *sta_opmode,
19507 				       gfp_t gfp)
19508 {
19509 	struct sk_buff *msg;
19510 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19511 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19512 	void *hdr;
19513 
19514 	if (WARN_ON(!mac))
19515 		return;
19516 
19517 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19518 	if (!msg)
19519 		return;
19520 
19521 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STA_OPMODE_CHANGED);
19522 	if (!hdr) {
19523 		nlmsg_free(msg);
19524 		return;
19525 	}
19526 
19527 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx))
19528 		goto nla_put_failure;
19529 
19530 	if (nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex))
19531 		goto nla_put_failure;
19532 
19533 	if (nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac))
19534 		goto nla_put_failure;
19535 
19536 	if ((sta_opmode->changed & STA_OPMODE_SMPS_MODE_CHANGED) &&
19537 	    nla_put_u8(msg, NL80211_ATTR_SMPS_MODE, sta_opmode->smps_mode))
19538 		goto nla_put_failure;
19539 
19540 	if ((sta_opmode->changed & STA_OPMODE_MAX_BW_CHANGED) &&
19541 	    nla_put_u32(msg, NL80211_ATTR_CHANNEL_WIDTH, sta_opmode->bw))
19542 		goto nla_put_failure;
19543 
19544 	if ((sta_opmode->changed & STA_OPMODE_N_SS_CHANGED) &&
19545 	    nla_put_u8(msg, NL80211_ATTR_NSS, sta_opmode->rx_nss))
19546 		goto nla_put_failure;
19547 
19548 	genlmsg_end(msg, hdr);
19549 
19550 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19551 				NL80211_MCGRP_MLME, gfp);
19552 
19553 	return;
19554 
19555 nla_put_failure:
19556 	nlmsg_free(msg);
19557 }
19558 EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
19559 
19560 void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
19561 			   u64 cookie, bool acked, s32 ack_signal,
19562 			   bool is_valid_ack_signal, gfp_t gfp)
19563 {
19564 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19565 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19566 	struct sk_buff *msg;
19567 	void *hdr;
19568 
19569 	trace_cfg80211_probe_status(dev, addr, cookie, acked);
19570 
19571 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19572 
19573 	if (!msg)
19574 		return;
19575 
19576 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
19577 	if (!hdr) {
19578 		nlmsg_free(msg);
19579 		return;
19580 	}
19581 
19582 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19583 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19584 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
19585 	    nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
19586 			      NL80211_ATTR_PAD) ||
19587 	    (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
19588 	    (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
19589 						ack_signal)))
19590 		goto nla_put_failure;
19591 
19592 	genlmsg_end(msg, hdr);
19593 
19594 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19595 				NL80211_MCGRP_MLME, gfp);
19596 	return;
19597 
19598  nla_put_failure:
19599 	nlmsg_free(msg);
19600 }
19601 EXPORT_SYMBOL(cfg80211_probe_status);
19602 
19603 void cfg80211_report_obss_beacon_khz(struct wiphy *wiphy, const u8 *frame,
19604 				     size_t len, int freq, int sig_dbm)
19605 {
19606 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19607 	struct sk_buff *msg;
19608 	void *hdr;
19609 	struct cfg80211_beacon_registration *reg;
19610 
19611 	trace_cfg80211_report_obss_beacon(wiphy, frame, len, freq, sig_dbm);
19612 
19613 	spin_lock_bh(&rdev->beacon_registrations_lock);
19614 	list_for_each_entry(reg, &rdev->beacon_registrations, list) {
19615 		msg = nlmsg_new(len + 100, GFP_ATOMIC);
19616 		if (!msg) {
19617 			spin_unlock_bh(&rdev->beacon_registrations_lock);
19618 			return;
19619 		}
19620 
19621 		hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FRAME);
19622 		if (!hdr)
19623 			goto nla_put_failure;
19624 
19625 		if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19626 		    (freq &&
19627 		     (nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ,
19628 				  KHZ_TO_MHZ(freq)) ||
19629 		      nla_put_u32(msg, NL80211_ATTR_WIPHY_FREQ_OFFSET,
19630 				  freq % 1000))) ||
19631 		    (sig_dbm &&
19632 		     nla_put_u32(msg, NL80211_ATTR_RX_SIGNAL_DBM, sig_dbm)) ||
19633 		    nla_put(msg, NL80211_ATTR_FRAME, len, frame))
19634 			goto nla_put_failure;
19635 
19636 		genlmsg_end(msg, hdr);
19637 
19638 		genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, reg->nlportid);
19639 	}
19640 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19641 	return;
19642 
19643  nla_put_failure:
19644 	spin_unlock_bh(&rdev->beacon_registrations_lock);
19645 	nlmsg_free(msg);
19646 }
19647 EXPORT_SYMBOL(cfg80211_report_obss_beacon_khz);
19648 
19649 #ifdef CONFIG_PM
19650 static int cfg80211_net_detect_results(struct sk_buff *msg,
19651 				       struct cfg80211_wowlan_wakeup *wakeup)
19652 {
19653 	struct cfg80211_wowlan_nd_info *nd = wakeup->net_detect;
19654 	struct nlattr *nl_results, *nl_match, *nl_freqs;
19655 	int i, j;
19656 
19657 	nl_results = nla_nest_start_noflag(msg,
19658 					   NL80211_WOWLAN_TRIG_NET_DETECT_RESULTS);
19659 	if (!nl_results)
19660 		return -EMSGSIZE;
19661 
19662 	for (i = 0; i < nd->n_matches; i++) {
19663 		struct cfg80211_wowlan_nd_match *match = nd->matches[i];
19664 
19665 		nl_match = nla_nest_start_noflag(msg, i);
19666 		if (!nl_match)
19667 			break;
19668 
19669 		/* The SSID attribute is optional in nl80211, but for
19670 		 * simplicity reasons it's always present in the
19671 		 * cfg80211 structure.  If a driver can't pass the
19672 		 * SSID, that needs to be changed.  A zero length SSID
19673 		 * is still a valid SSID (wildcard), so it cannot be
19674 		 * used for this purpose.
19675 		 */
19676 		if (nla_put(msg, NL80211_ATTR_SSID, match->ssid.ssid_len,
19677 			    match->ssid.ssid)) {
19678 			nla_nest_cancel(msg, nl_match);
19679 			goto out;
19680 		}
19681 
19682 		if (match->n_channels) {
19683 			nl_freqs = nla_nest_start_noflag(msg,
19684 							 NL80211_ATTR_SCAN_FREQUENCIES);
19685 			if (!nl_freqs) {
19686 				nla_nest_cancel(msg, nl_match);
19687 				goto out;
19688 			}
19689 
19690 			for (j = 0; j < match->n_channels; j++) {
19691 				if (nla_put_u32(msg, j, match->channels[j])) {
19692 					nla_nest_cancel(msg, nl_freqs);
19693 					nla_nest_cancel(msg, nl_match);
19694 					goto out;
19695 				}
19696 			}
19697 
19698 			nla_nest_end(msg, nl_freqs);
19699 		}
19700 
19701 		nla_nest_end(msg, nl_match);
19702 	}
19703 
19704 out:
19705 	nla_nest_end(msg, nl_results);
19706 	return 0;
19707 }
19708 
19709 void cfg80211_report_wowlan_wakeup(struct wireless_dev *wdev,
19710 				   struct cfg80211_wowlan_wakeup *wakeup,
19711 				   gfp_t gfp)
19712 {
19713 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19714 	struct sk_buff *msg;
19715 	void *hdr;
19716 	int size = 200;
19717 
19718 	trace_cfg80211_report_wowlan_wakeup(wdev->wiphy, wdev, wakeup);
19719 
19720 	if (wakeup)
19721 		size += wakeup->packet_present_len;
19722 
19723 	msg = nlmsg_new(size, gfp);
19724 	if (!msg)
19725 		return;
19726 
19727 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_SET_WOWLAN);
19728 	if (!hdr)
19729 		goto free_msg;
19730 
19731 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19732 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
19733 			      NL80211_ATTR_PAD))
19734 		goto free_msg;
19735 
19736 	if (wdev->netdev && nla_put_u32(msg, NL80211_ATTR_IFINDEX,
19737 					wdev->netdev->ifindex))
19738 		goto free_msg;
19739 
19740 	if (wakeup) {
19741 		struct nlattr *reasons;
19742 
19743 		reasons = nla_nest_start_noflag(msg,
19744 						NL80211_ATTR_WOWLAN_TRIGGERS);
19745 		if (!reasons)
19746 			goto free_msg;
19747 
19748 		if (wakeup->disconnect &&
19749 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_DISCONNECT))
19750 			goto free_msg;
19751 		if (wakeup->magic_pkt &&
19752 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT))
19753 			goto free_msg;
19754 		if (wakeup->gtk_rekey_failure &&
19755 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_GTK_REKEY_FAILURE))
19756 			goto free_msg;
19757 		if (wakeup->eap_identity_req &&
19758 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_EAP_IDENT_REQUEST))
19759 			goto free_msg;
19760 		if (wakeup->four_way_handshake &&
19761 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_4WAY_HANDSHAKE))
19762 			goto free_msg;
19763 		if (wakeup->rfkill_release &&
19764 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_RFKILL_RELEASE))
19765 			goto free_msg;
19766 
19767 		if (wakeup->pattern_idx >= 0 &&
19768 		    nla_put_u32(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
19769 				wakeup->pattern_idx))
19770 			goto free_msg;
19771 
19772 		if (wakeup->tcp_match &&
19773 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_MATCH))
19774 			goto free_msg;
19775 
19776 		if (wakeup->tcp_connlost &&
19777 		    nla_put_flag(msg, NL80211_WOWLAN_TRIG_WAKEUP_TCP_CONNLOST))
19778 			goto free_msg;
19779 
19780 		if (wakeup->tcp_nomoretokens &&
19781 		    nla_put_flag(msg,
19782 				 NL80211_WOWLAN_TRIG_WAKEUP_TCP_NOMORETOKENS))
19783 			goto free_msg;
19784 
19785 		if (wakeup->packet) {
19786 			u32 pkt_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211;
19787 			u32 len_attr = NL80211_WOWLAN_TRIG_WAKEUP_PKT_80211_LEN;
19788 
19789 			if (!wakeup->packet_80211) {
19790 				pkt_attr =
19791 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023;
19792 				len_attr =
19793 					NL80211_WOWLAN_TRIG_WAKEUP_PKT_8023_LEN;
19794 			}
19795 
19796 			if (wakeup->packet_len &&
19797 			    nla_put_u32(msg, len_attr, wakeup->packet_len))
19798 				goto free_msg;
19799 
19800 			if (nla_put(msg, pkt_attr, wakeup->packet_present_len,
19801 				    wakeup->packet))
19802 				goto free_msg;
19803 		}
19804 
19805 		if (wakeup->net_detect &&
19806 		    cfg80211_net_detect_results(msg, wakeup))
19807 				goto free_msg;
19808 
19809 		nla_nest_end(msg, reasons);
19810 	}
19811 
19812 	genlmsg_end(msg, hdr);
19813 
19814 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19815 				NL80211_MCGRP_MLME, gfp);
19816 	return;
19817 
19818  free_msg:
19819 	nlmsg_free(msg);
19820 }
19821 EXPORT_SYMBOL(cfg80211_report_wowlan_wakeup);
19822 #endif
19823 
19824 void cfg80211_tdls_oper_request(struct net_device *dev, const u8 *peer,
19825 				enum nl80211_tdls_operation oper,
19826 				u16 reason_code, gfp_t gfp)
19827 {
19828 	struct wireless_dev *wdev = dev->ieee80211_ptr;
19829 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
19830 	struct sk_buff *msg;
19831 	void *hdr;
19832 
19833 	trace_cfg80211_tdls_oper_request(wdev->wiphy, dev, peer, oper,
19834 					 reason_code);
19835 
19836 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19837 	if (!msg)
19838 		return;
19839 
19840 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_TDLS_OPER);
19841 	if (!hdr) {
19842 		nlmsg_free(msg);
19843 		return;
19844 	}
19845 
19846 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19847 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
19848 	    nla_put_u8(msg, NL80211_ATTR_TDLS_OPERATION, oper) ||
19849 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer) ||
19850 	    (reason_code > 0 &&
19851 	     nla_put_u16(msg, NL80211_ATTR_REASON_CODE, reason_code)))
19852 		goto nla_put_failure;
19853 
19854 	genlmsg_end(msg, hdr);
19855 
19856 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19857 				NL80211_MCGRP_MLME, gfp);
19858 	return;
19859 
19860  nla_put_failure:
19861 	nlmsg_free(msg);
19862 }
19863 EXPORT_SYMBOL(cfg80211_tdls_oper_request);
19864 
19865 static int nl80211_netlink_notify(struct notifier_block * nb,
19866 				  unsigned long state,
19867 				  void *_notify)
19868 {
19869 	struct netlink_notify *notify = _notify;
19870 	struct cfg80211_registered_device *rdev;
19871 	struct wireless_dev *wdev;
19872 	struct cfg80211_beacon_registration *reg, *tmp;
19873 
19874 	if (state != NETLINK_URELEASE || notify->protocol != NETLINK_GENERIC)
19875 		return NOTIFY_DONE;
19876 
19877 	rcu_read_lock();
19878 
19879 	list_for_each_entry_rcu(rdev, &cfg80211_rdev_list, list) {
19880 		struct cfg80211_sched_scan_request *sched_scan_req;
19881 
19882 		list_for_each_entry_rcu(sched_scan_req,
19883 					&rdev->sched_scan_req_list,
19884 					list) {
19885 			if (sched_scan_req->owner_nlportid == notify->portid) {
19886 				sched_scan_req->nl_owner_dead = true;
19887 				wiphy_work_queue(&rdev->wiphy,
19888 						 &rdev->sched_scan_stop_wk);
19889 			}
19890 		}
19891 
19892 		list_for_each_entry_rcu(wdev, &rdev->wiphy.wdev_list, list) {
19893 			cfg80211_mlme_unregister_socket(wdev, notify->portid);
19894 
19895 			if (wdev->owner_nlportid == notify->portid) {
19896 				wdev->nl_owner_dead = true;
19897 				schedule_work(&rdev->destroy_work);
19898 			} else if (wdev->conn_owner_nlportid == notify->portid) {
19899 				schedule_work(&wdev->disconnect_wk);
19900 			}
19901 
19902 			cfg80211_release_pmsr(wdev, notify->portid);
19903 		}
19904 
19905 		spin_lock_bh(&rdev->beacon_registrations_lock);
19906 		list_for_each_entry_safe(reg, tmp, &rdev->beacon_registrations,
19907 					 list) {
19908 			if (reg->nlportid == notify->portid) {
19909 				list_del(&reg->list);
19910 				kfree(reg);
19911 				break;
19912 			}
19913 		}
19914 		spin_unlock_bh(&rdev->beacon_registrations_lock);
19915 	}
19916 
19917 	rcu_read_unlock();
19918 
19919 	/*
19920 	 * It is possible that the user space process that is controlling the
19921 	 * indoor setting disappeared, so notify the regulatory core.
19922 	 */
19923 	regulatory_netlink_notify(notify->portid);
19924 	return NOTIFY_OK;
19925 }
19926 
19927 static struct notifier_block nl80211_netlink_notifier = {
19928 	.notifier_call = nl80211_netlink_notify,
19929 };
19930 
19931 void cfg80211_ft_event(struct net_device *netdev,
19932 		       struct cfg80211_ft_event_params *ft_event)
19933 {
19934 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
19935 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
19936 	struct sk_buff *msg;
19937 	void *hdr;
19938 
19939 	trace_cfg80211_ft_event(wiphy, netdev, ft_event);
19940 
19941 	if (!ft_event->target_ap)
19942 		return;
19943 
19944 	msg = nlmsg_new(100 + ft_event->ies_len + ft_event->ric_ies_len,
19945 			GFP_KERNEL);
19946 	if (!msg)
19947 		return;
19948 
19949 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_FT_EVENT);
19950 	if (!hdr)
19951 		goto out;
19952 
19953 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19954 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
19955 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, ft_event->target_ap))
19956 		goto out;
19957 
19958 	if (ft_event->ies &&
19959 	    nla_put(msg, NL80211_ATTR_IE, ft_event->ies_len, ft_event->ies))
19960 		goto out;
19961 	if (ft_event->ric_ies &&
19962 	    nla_put(msg, NL80211_ATTR_IE_RIC, ft_event->ric_ies_len,
19963 		    ft_event->ric_ies))
19964 		goto out;
19965 
19966 	genlmsg_end(msg, hdr);
19967 
19968 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
19969 				NL80211_MCGRP_MLME, GFP_KERNEL);
19970 	return;
19971  out:
19972 	nlmsg_free(msg);
19973 }
19974 EXPORT_SYMBOL(cfg80211_ft_event);
19975 
19976 void cfg80211_crit_proto_stopped(struct wireless_dev *wdev, gfp_t gfp)
19977 {
19978 	struct cfg80211_registered_device *rdev;
19979 	struct sk_buff *msg;
19980 	void *hdr;
19981 	u32 nlportid;
19982 
19983 	rdev = wiphy_to_rdev(wdev->wiphy);
19984 	if (!rdev->crit_proto_nlportid)
19985 		return;
19986 
19987 	nlportid = rdev->crit_proto_nlportid;
19988 	rdev->crit_proto_nlportid = 0;
19989 
19990 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
19991 	if (!msg)
19992 		return;
19993 
19994 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_CRIT_PROTOCOL_STOP);
19995 	if (!hdr)
19996 		goto nla_put_failure;
19997 
19998 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
19999 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20000 			      NL80211_ATTR_PAD))
20001 		goto nla_put_failure;
20002 
20003 	genlmsg_end(msg, hdr);
20004 
20005 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg, nlportid);
20006 	return;
20007 
20008  nla_put_failure:
20009 	nlmsg_free(msg);
20010 }
20011 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
20012 
20013 void nl80211_send_ap_stopped(struct wireless_dev *wdev, unsigned int link_id)
20014 {
20015 	struct wiphy *wiphy = wdev->wiphy;
20016 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20017 	struct sk_buff *msg;
20018 	void *hdr;
20019 
20020 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
20021 	if (!msg)
20022 		return;
20023 
20024 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
20025 	if (!hdr)
20026 		goto out;
20027 
20028 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20029 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
20030 	    nla_put_u64_64bit(msg, NL80211_ATTR_WDEV, wdev_id(wdev),
20031 			      NL80211_ATTR_PAD) ||
20032 	    (wdev->valid_links &&
20033 	     nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id)))
20034 		goto out;
20035 
20036 	genlmsg_end(msg, hdr);
20037 
20038 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
20039 				NL80211_MCGRP_MLME, GFP_KERNEL);
20040 	return;
20041  out:
20042 	nlmsg_free(msg);
20043 }
20044 
20045 int cfg80211_external_auth_request(struct net_device *dev,
20046 				   struct cfg80211_external_auth_params *params,
20047 				   gfp_t gfp)
20048 {
20049 	struct wireless_dev *wdev = dev->ieee80211_ptr;
20050 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
20051 	struct sk_buff *msg;
20052 	void *hdr;
20053 
20054 	if (!wdev->conn_owner_nlportid)
20055 		return -EINVAL;
20056 
20057 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20058 	if (!msg)
20059 		return -ENOMEM;
20060 
20061 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_EXTERNAL_AUTH);
20062 	if (!hdr)
20063 		goto nla_put_failure;
20064 
20065 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20066 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
20067 	    nla_put_u32(msg, NL80211_ATTR_AKM_SUITES, params->key_mgmt_suite) ||
20068 	    nla_put_u32(msg, NL80211_ATTR_EXTERNAL_AUTH_ACTION,
20069 			params->action) ||
20070 	    nla_put(msg, NL80211_ATTR_BSSID, ETH_ALEN, params->bssid) ||
20071 	    nla_put(msg, NL80211_ATTR_SSID, params->ssid.ssid_len,
20072 		    params->ssid.ssid) ||
20073 	    (!is_zero_ether_addr(params->mld_addr) &&
20074 	     nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN, params->mld_addr)))
20075 		goto nla_put_failure;
20076 
20077 	genlmsg_end(msg, hdr);
20078 	genlmsg_unicast(wiphy_net(&rdev->wiphy), msg,
20079 			wdev->conn_owner_nlportid);
20080 	return 0;
20081 
20082  nla_put_failure:
20083 	nlmsg_free(msg);
20084 	return -ENOBUFS;
20085 }
20086 EXPORT_SYMBOL(cfg80211_external_auth_request);
20087 
20088 void cfg80211_update_owe_info_event(struct net_device *netdev,
20089 				    struct cfg80211_update_owe_info *owe_info,
20090 				    gfp_t gfp)
20091 {
20092 	struct wiphy *wiphy = netdev->ieee80211_ptr->wiphy;
20093 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
20094 	struct sk_buff *msg;
20095 	void *hdr;
20096 
20097 	trace_cfg80211_update_owe_info_event(wiphy, netdev, owe_info);
20098 
20099 	msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
20100 	if (!msg)
20101 		return;
20102 
20103 	hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_UPDATE_OWE_INFO);
20104 	if (!hdr)
20105 		goto nla_put_failure;
20106 
20107 	if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
20108 	    nla_put_u32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex) ||
20109 	    nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, owe_info->peer))
20110 		goto nla_put_failure;
20111 
20112 	if (!owe_info->ie_len ||
20113 	    nla_put(msg, NL80211_ATTR_IE, owe_info->ie_len, owe_info->ie))
20114 		goto nla_put_failure;
20115 
20116 	if (owe_info->assoc_link_id != -1) {
20117 		if (nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID,
20118 			       owe_info->assoc_link_id))
20119 			goto nla_put_failure;
20120 
20121 		if (!is_zero_ether_addr(owe_info->peer_mld_addr) &&
20122 		    nla_put(msg, NL80211_ATTR_MLD_ADDR, ETH_ALEN,
20123 			    owe_info->peer_mld_addr))
20124 			goto nla_put_failure;
20125 	}
20126 
20127 	genlmsg_end(msg, hdr);
20128 
20129 	genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
20130 				NL80211_MCGRP_MLME, gfp);
20131 	return;
20132 
20133 nla_put_failure:
20134 	genlmsg_cancel(msg, hdr);
20135 	nlmsg_free(msg);
20136 }
20137 EXPORT_SYMBOL(cfg80211_update_owe_info_event);
20138 
20139 /* initialisation/exit functions */
20140 
20141 int __init nl80211_init(void)
20142 {
20143 	int err;
20144 
20145 	err = genl_register_family(&nl80211_fam);
20146 	if (err)
20147 		return err;
20148 
20149 	err = netlink_register_notifier(&nl80211_netlink_notifier);
20150 	if (err)
20151 		goto err_out;
20152 
20153 	return 0;
20154  err_out:
20155 	genl_unregister_family(&nl80211_fam);
20156 	return err;
20157 }
20158 
20159 void nl80211_exit(void)
20160 {
20161 	netlink_unregister_notifier(&nl80211_netlink_notifier);
20162 	genl_unregister_family(&nl80211_fam);
20163 }
20164